Update the -lite manpages (long overdue)

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/COPYING

@@ -0,0 +1,341 @@
+		    GNU GENERAL PUBLIC LICENSE
+		       Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.
+                          51 Franklin Street, Fifth Floor,
+			  Boston, MA 02110-1301 USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+			    Preamble
+
+  The licenses for most software are designed to take away your
+freedom to share and change it.  By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users.  This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it.  (Some other Free Software Foundation software is covered by
+the GNU Library General Public License instead.)  You can apply it to
+your programs, too.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+  To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+  For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have.  You must make sure that they, too, receive or can get the
+source code.  And you must show them these terms so they know their
+rights.
+
+  We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+  Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software.  If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+  Finally, any free program is threatened constantly by software
+patents.  We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary.  To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+		    GNU GENERAL PUBLIC LICENSE
+   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+  0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License.  The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language.  (Hereinafter, translation is included without limitation in
+the term "modification".)  Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope.  The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+  1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+  2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+    a) You must cause the modified files to carry prominent notices
+    stating that you changed the files and the date of any change.
+
+    b) You must cause any work that you distribute or publish, that in
+    whole or in part contains or is derived from the Program or any
+    part thereof, to be licensed as a whole at no charge to all third
+    parties under the terms of this License.
+
+    c) If the modified program normally reads commands interactively
+    when run, you must cause it, when started running for such
+    interactive use in the most ordinary way, to print or display an
+    announcement including an appropriate copyright notice and a
+    notice that there is no warranty (or else, saying that you provide
+    a warranty) and that users may redistribute the program under
+    these conditions, and telling the user how to view a copy of this
+    License.  (Exception: if the Program itself is interactive but
+    does not normally print such an announcement, your work based on
+    the Program is not required to print an announcement.)
+
+These requirements apply to the modified work as a whole.  If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works.  But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+  3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+    a) Accompany it with the complete corresponding machine-readable
+    source code, which must be distributed under the terms of Sections
+    1 and 2 above on a medium customarily used for software interchange; or,
+
+    b) Accompany it with a written offer, valid for at least three
+    years, to give any third party, for a charge no more than your
+    cost of physically performing source distribution, a complete
+    machine-readable copy of the corresponding source code, to be
+    distributed under the terms of Sections 1 and 2 above on a medium
+    customarily used for software interchange; or,
+
+    c) Accompany it with the information you received as to the offer
+    to distribute corresponding source code.  (This alternative is
+    allowed only for noncommercial distribution and only if you
+    received the program in object code or executable form with such
+    an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it.  For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable.  However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+  4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License.  Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+  5. You are not required to accept this License, since you have not
+signed it.  However, nothing else grants you permission to modify or
+distribute the Program or its derivative works.  These actions are
+prohibited by law if you do not accept this License.  Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+  6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions.  You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+  7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all.  For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices.  Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+  8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded.  In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+  9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time.  Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number.  If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation.  If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+  10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission.  For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this.  Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+			    NO WARRANTY
+
+  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+		     END OF TERMS AND CONDITIONS
+
+	    How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    <one line to give the program's name and a brief idea of what it does.>
+    Copyright (C) 19yy  <name of author>
+
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; either version 2 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program; if not, write to the Free Software
+    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+
+    Gnomovision version 69, Copyright (C) 19yy name of author
+    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+    This is free software, and you are welcome to redistribute it
+    under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License.  Of course, the commands you use may
+be called something other than `show w' and `show c'; they could even be
+mouse-clicks or menu items--whatever suits your program.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary.  Here is a sample; alter the names:
+
+  Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+  `Gnomovision' (which makes passes at compilers) written by James Hacker.
+
+  <signature of Ty Coon>, 1 April 1989
+  Ty Coon, President of Vice
+
+This General Public License does not permit incorporating your program into
+proprietary programs.  If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library.  If this is what you want to do, use the GNU Library General
+Public License instead of this License.

Shorewall-core/INSTALL

@@ -0,0 +1,24 @@
+Shoreline Firewall (Shorewall) Version 4
+-----         ----
+
+-----------------------------------------------------------------------------
+
+     This program is free software; you can redistribute it and/or modify
+     it under the terms of Version 2 of the GNU General Public License
+     as published by the Free Software Foundation.
+
+     This program is distributed in the hope that it will be useful,
+     but WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+     GNU General Public License for more details.
+
+     You should have received a copy of the GNU General Public License
+     along with this program; if not, write to the Free Software
+     Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+---------------------------------------------------------------------------
+
+Please see http://www.shorewall.net/Install.htm for installation
+instructions.
+
+

Shorewall-core/install.sh

@@ -0,0 +1,278 @@
+#!/bin/sh
+#
+# Script to install Shoreline Firewall Core Modules
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2000-2011 - Tom Eastep (teastep@shorewall.net)
+#
+#       Shorewall documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+
+VERSION=xxx #The Build script inserts the actual version
+
+usage() # $1 = exit status
+{
+    ME=$(basename $0)
+    echo "usage: $ME"
+    echo "       $ME -v"
+    echo "       $ME -h"
+    echo "       $ME -s"
+    echo "       $ME -f"
+    exit $1
+}
+
+split() {
+    local ifs
+    ifs=$IFS
+    IFS=:
+    set -- $1
+    echo $*
+    IFS=$ifs
+}
+
+qt()
+{
+    "$@" >/dev/null 2>&1
+}
+
+mywhich() {
+    local dir
+
+    for dir in $(split $PATH); do
+	if [ -x $dir/$1 ]; then
+	    echo $dir/$1
+	    return 0
+	fi
+    done
+
+    return 2
+}
+
+run_install()
+{
+    if ! install $*; then
+	echo
+	echo "ERROR: Failed to install $*" >&2
+	exit 1
+    fi
+}
+
+cant_autostart()
+{
+    echo
+    echo  "WARNING: Unable to configure shorewall to start automatically at boot" >&2
+}
+
+delete_file() # $1 = file to delete
+{
+    rm -f $1
+}
+
+install_file() # $1 = source $2 = target $3 = mode
+{
+    run_install $T $OWNERSHIP -m $3 $1 ${2}
+}
+
+[ -n "$DESTDIR" ] || DESTDIR="$PREFIX"
+
+#
+# Parse the run line
+#
+# ARGS is "yes" if we've already parsed an argument
+#
+T="-T"
+
+[ -n "${LIBEXEC:=/usr/share}" ]
+[ -n "${PERLLIB:=/usr/share/shorewall}" ]
+MACHOST=
+
+case "$LIBEXEC" in
+    /*)
+	;;
+    *)
+	LIBEXEC=/usr/${LIBEXEC}
+	;;
+esac
+
+case "$PERLLIB" in
+    /*)
+	;;
+    *)
+	PERLLIB=/usr/${PERLLIB}
+	;;
+esac
+
+INSTALLD='-D'
+
+case $(uname) in
+    CYGWIN*)
+	if [ -z "$DESTDIR" ]; then
+	    DEST=
+	    INIT=
+	fi
+
+	OWNER=$(id -un)
+	GROUP=$(id -gn)
+	CYGWIN=Yes
+	;;
+    Darwin)
+	if [ -z "$DESTDIR" ]; then
+	    DEST=
+	    INIT=
+	fi
+
+	[ -z "$OWNER" ] && OWNER=root
+	[ -z "$GROUP" ] && GROUP=wheel
+	MAC=Yes
+        MACHOST=Yes
+	INSTALLD=
+	T=
+	;;
+    *)
+	[ -z "$OWNER" ] && OWNER=root
+	[ -z "$GROUP" ] && GROUP=root
+	;;
+esac
+
+OWNERSHIP="-o $OWNER -g $GROUP"
+
+finished=0
+
+while [ $finished -eq 0 ]; do
+    option=$1
+
+    case "$option" in
+	-*)
+	    option=${option#-}
+	    
+	    while [ -n "$option" ]; do
+		case $option in
+		    h)
+			usage 0
+			;;
+		    v)
+			echo "Shorewall Firewall Installer Version $VERSION"
+			exit 0
+			;;
+		    a*)
+			ANNOTATED=Yes
+			option=${option#a}
+			;;
+		    p*)
+			ANNOTATED=
+			option=${option#p}
+			;;
+		    *)
+			usage 1
+			;;
+		esac
+	    done
+
+	    shift
+	    ;;
+	*)
+	    [ -n "$option" ] && usage 1
+	    finished=1
+	    ;;
+    esac
+done
+
+PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
+
+#
+# Determine where to install the firewall script
+#
+
+if [ -n "$DESTDIR" ]; then
+    if [ -z "$CYGWIN" ]; then
+	if [ `id -u` != 0 ] ; then
+	    echo "Not setting file owner/group permissions, not running as root."
+	    OWNERSHIP=""
+	fi
+    fi
+
+    install -d $OWNERSHIP -m 755 ${DESTDIR}/sbin
+    install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
+
+    CYGWIN=
+    MAC=
+else
+    if [ -n "$CYGWIN" ]; then
+	echo "Installing Cygwin-specific configuration..."
+    elif [ -n "$MAC" ]; then
+	echo "Installing Mac-specific configuration..."
+    else
+	if [ -f /etc/debian_version ]; then
+	    echo "Installing Debian-specific configuration..."
+	    DEBIAN=yes
+	elif [ -f /etc/redhat-release ]; then
+	    echo "Installing Redhat/Fedora-specific configuration..."
+	    FEDORA=yes
+	elif [ -f /etc/slackware-version ] ; then
+	    echo "Installing Slackware-specific configuration..."
+	    DEST="/etc/rc.d"
+	    MANDIR="/usr/man"
+	    SLACKWARE=yes
+	elif [ -f /etc/arch-release ] ; then
+	    echo "Installing ArchLinux-specific configuration..."
+	    DEST="/etc/rc.d"
+	    INIT="shorewall"
+	    ARCHLINUX=yes
+	fi
+    fi
+fi
+
+#
+# Change to the directory containing this script
+#
+cd "$(dirname $0)"
+
+echo "Installing Shorewall Core Version $VERSION"
+
+#
+# Create /usr/share/shorewall
+#
+mkdir -p ${DESTDIR}${LIBEXEC}/shorewall
+chmod 755 ${DESTDIR}/usr/share/shorewall
+#
+# Install wait4ifup
+#
+install_file wait4ifup ${DESTDIR}${LIBEXEC}/shorewall/wait4ifup 0755
+
+echo
+echo "wait4ifup installed in ${DESTDIR}${LIBEXEC}/shorewall/wait4ifup"
+
+#
+# Install the libraries
+#
+for f in lib.* ; do
+    install_file $f ${DESTDIR}/usr/share/shorewall/$f 0644
+    echo "Library ${f#*.} file installed as ${DESTDIR}/usr/share/shorewall/$f"
+done
+#
+# Symbolically link 'functions' to lib.base
+#
+ln -sf lib.base ${DESTDIR}/usr/share/shorewall/functions
+#
+# Create the version file
+#
+echo "$VERSION" > ${DESTDIR}/usr/share/shorewall/coreversion
+chmod 644 ${DESTDIR}/usr/share/shorewall/coreversion
+#
+#  Report Success
+#
+echo "Shorewall Core Version $VERSION Installed"

Shorewall-core/lib.base

@@ -1,9 +1,9 @@
 #
-# Shorewall 4.4 -- /usr/share/shorewall/lib.base
+# Shorewall 4.5 -- /usr/share/shorewall/lib.base
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2012 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -23,16 +23,53 @@
 # This library contains the code common to all Shorewall components.
 #
 # - It is loaded by /sbin/shorewall.
-# - It is released as part of Shorewall Lite where it is used by /sbin/shorewall-lite
-#   and /usr/share/shorewall-lite/shorecap.
+# - It is released as part of Shorewall[6] Lite where it is used by /sbin/shorewall[6]-lite
+#   and /usr/share/shorewall[6]-lite/shorecap.
 #
 
-SHOREWALL_LIBVERSION=40407
-SHOREWALL_CAPVERSION=40423
+SHOREWALL_LIBVERSION=40500
+SHOREWALL_CAPVERSION=40501
 
-[ -n "${VARDIR:=/var/lib/shorewall}" ]
-[ -n "${SHAREDIR:=/usr/share/shorewall}" ]
-[ -n "${CONFDIR:=/etc/shorewall}" ]
+[ -n "${g_program:=shorewall}" ]
+
+case $g_program in
+    shorewall)
+	SHAREDIR=/usr/share/shorewall
+	CONFDIR=/etc/shorewall
+	g_product="Shorewall"
+	g_family=4
+	g_tool=
+	g_basedir=/usr/share/shorewall
+	g_lite=
+	;;
+    shorewall6)
+	SHAREDIR=/usr/share/shorewall6
+	CONFDIR=/etc/shorewall6
+	g_product="Shorewall6"
+	g_family=6
+	g_tool=
+	g_basedir=/usr/share/shorewall
+	g_lite=
+	;;
+    shorewall-lite)
+	SHAREDIR=/usr/share/shorewall-lite
+	CONFDIR=/etc/shorewall-lite
+	g_product="Shorewall Lite"
+	g_family=4
+	g_tool=iptables
+	g_basedir=/usr/share/shorewall-lite
+	g_lite=Yes
+	;;
+    shorewall6-lite)
+	SHAREDIR=/usr/share/shorewall6-lite
+	CONFDIR=/etc/shorewall6-lite
+	g_product="Shorewall6 Lite"
+	g_family=6
+	g_tool=ip6tables
+	g_basedir=/usr/share/shorewall6-lite
+	g_lite=Yes
+	;;
+esac
 
 #
 # Conditionally produce message
@@ -121,8 +158,10 @@ mutex_on()
 	fi
 
 	if qt mywhich lockfile; then
-	    lockfile -r${MUTEX_TIMEOUT} -s1 ${lockf}
+	    lockfile -${MUTEX_TIMEOUT} -r1 ${lockf}
+	    chmod u+w ${lockf}
 	    echo $$ > ${lockf}
+	    chmod u-w ${lockf}
 	else
 	    while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
 		sleep 1
@@ -147,33 +186,7 @@ mutex_off()
     rm -f ${LOCKFILE:=${VARDIR}/lock}
 }
 
-#
-# Find the interface with the passed MAC address
-#
-
-find_interface_by_mac() {
-    local mac
-    mac=$1
-    local first
-    local second
-    local rest
-    local dev
-
-    $IP link list | while read first second rest; do
-	case $first in
-	    *:)
-                dev=$second
-		;;
-	    *)
-	        if [ "$second" = $mac ]; then
-		    echo ${dev%:}
-		    return
-		fi
-	esac
-    done
-}
-
-[ -z "$LEFTSHIFT" ] && . ${SHAREDIR}/lib.common
+[ -z "$LEFTSHIFT" ] && . /usr/share/shorewall/lib.common
 
 #
 # Validate an IP address
@@ -337,8 +350,8 @@ ensure_config_path() {
 	. $F
     fi
 
-    if [ -n "$SHOREWALL_DIR" ]; then
-	[ "${CONFIG_PATH%%:*}" = "$SHOREWALL_DIR" ] || CONFIG_PATH=$SHOREWALL_DIR:$CONFIG_PATH
+    if [ -n "$g_shorewalldir" ]; then
+	[ "${CONFIG_PATH%%:*}" = "$g_shorewalldir" ] || CONFIG_PATH=$g_shorewalldir:$CONFIG_PATH
     fi
 }
 
@@ -376,9 +389,8 @@ resolve_file() # $1 = file name
     esac
 }
 
-# Function to truncate a string -- It uses 'cut -b -<n>'
-# rather than ${v:first:last} because light-weight shells like ash and
-# dash do not support that form of expansion.
+#
+# Determine how to do "echo -e"
 #
 
 find_echo() {

Shorewall-core/lib.common

@@ -1,9 +1,9 @@
 #
-# Shorewall 4.4 -- /usr/share/shorewall/lib.common.
+# Shorewall 4.5 -- /usr/share/shorewall/lib.common.
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2010-2012 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -24,6 +24,50 @@
 # generated firewall scripts. To avoid versioning issues, it is copied into generated
 # scripts rather than loaded at run-time.
 #
+#########################################################################################
+#
+# Issue a message and stop
+#
+startup_error() # $* = Error Message
+{
+    echo "   ERROR: $@: Firewall state not changed" >&2
+
+    if [ $LOG_VERBOSITY -ge 0 ]; then
+        timestamp="$(date +'%_b %d %T') "
+        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
+    fi
+
+    case $COMMAND in
+        start)
+	    logger -p kern.err "ERROR:$g_product start failed:Firewall state not changed"
+	    ;;
+	restart)
+	    logger -p kern.err "ERROR:$g_product restart failed:Firewall state not changed"
+	    ;;
+	restore)
+	    logger -p kern.err "ERROR:$g_product restore failed:Firewall state not changed"
+	    ;;
+    esac
+
+    if [ $LOG_VERBOSITY -ge 0 ]; then
+        timestamp="$(date +'%_b %d %T') "
+
+	case $COMMAND in
+	    start)
+		echo "${timestamp}  ERROR:$g_product start failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	    restart)
+		echo "${timestamp}  ERROR:$g_product restart failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	    restore)
+		echo "${timestamp}  ERROR:$g_product restore failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	esac
+    fi
+
+    kill $$
+    exit 2
+}
 
 #
 # Get the Shorewall version of the passed script
@@ -38,7 +82,7 @@ get_script_version() { # $1 = script
     verbosity="$VERBOSITY"
     VERBOSITY=0
 
-    temp=$( $SHOREWALL_SHELL $1 version | sed 's/-.*//' )
+    temp=$( $SHOREWALL_SHELL $1 version | tail -n 1 | sed 's/-.*//' )
 
     if [ $? -ne 0 ]; then
 	version=0
@@ -88,13 +132,15 @@ run_it() {
 	export TIMESTAMP=$g_timestamp
 	export RECOVERING=$g_recovering
 
-	if [ "$g_product" != Shorewall ]; then
-	    #
-	    # Shorewall Lite
-	    #
-	    export LOGFORMAT
-	    export IPTABLES
-	fi
+	case "$g_program" in
+	    *-lite)
+		#
+		# Shorewall Lite
+		#
+		export LOGFORMAT
+		export IPTABLES
+		;;
+	esac
     else
 	#
 	# 4.4.8 or later -- no additional exports required
@@ -127,6 +173,30 @@ error_message() # $* = Error Message
    echo "   $@" >&2
 }
 
+#
+# Undo the effect of 'split()'
+#
+join()
+{
+    local f
+    local o
+    o=
+
+    for f in $* ; do
+        o="${o:+$o:}$f"
+    done
+
+    echo $o
+}
+
+#
+# Return the number of elements in a list
+#
+list_count() # $* = list
+{
+    return $#
+}
+
 #
 # Split a colon-separated list into a space-separated list
 #
@@ -184,12 +254,20 @@ qt1()
 }
 
 #
-# Determine if Shorewall is "running"
+# Determine if Shorewall[6] is "running"
 #
+product_is_started() {
+    qt1 $g_tool -L shorewall -n
+}
+
 shorewall_is_started() {
     qt1 $IPTABLES -L shorewall -n
 }
 
+shorewall6_is_started() {
+    qt1 $IP6TABLES -L shorewall -n
+}
+
 #
 # Echos the fully-qualified name of the calling shell program
 #
@@ -226,26 +304,28 @@ loadmodule() # $1 = module name, $2 - * arguments
     local suffix
 
     if [ -d /sys/module/ ]; then
-	if [ ! -d /sys/module/$modulename ]; then
-	    shift
+	if ! list_search $modulename $DONT_LOAD; then
+	    if [ ! -d /sys/module/$modulename ]; then
+		shift
 
-	    for suffix in $MODULE_SUFFIX ; do
-		for directory in $moduledirectories; do
-		    modulefile=$directory/${modulename}.${suffix}
+		for suffix in $MODULE_SUFFIX ; do
+		    for directory in $moduledirectories; do
+			modulefile=$directory/${modulename}.${suffix}
 
-		    if [ -f $modulefile ]; then
-			case $moduleloader in
-			    insmod)
-				insmod $modulefile $*
-				;;
-			    *)
-				modprobe $modulename $*
-				;;
-			esac
-			break 2
-		    fi
+			if [ -f $modulefile ]; then
+			    case $moduleloader in
+				insmod)
+				    insmod $modulefile $*
+				    ;;
+				*)
+				    modprobe $modulename $*
+				    ;;
+			    esac
+			    break 2
+			fi
+		    done
 		done
-	    done
+	    fi
 	fi
     elif ! list_search $modulename $DONT_LOAD $MODULES; then
 	shift
@@ -292,7 +372,7 @@ reload_kernel_modules() {
 
     [ -z "$MODULESDIR" ] && \
 	uname=$(uname -r) && \
-	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
+	MODULESDIR=/lib/modules/$uname/kernel/net/ipv${g_family}/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
 
     [ -d /sys/module/ ] || MODULES=$(lsmod | cut -d ' ' -f1)
 
@@ -331,7 +411,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
 
     [ -z "$MODULESDIR" ] && \
 	uname=$(uname -r) && \
-	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
+	MODULESDIR=/lib/modules/$uname/kernel/net/ipv${g_family}/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
 
     for directory in $(split $MODULESDIR); do
 	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
@@ -463,38 +543,100 @@ in_network() # $1 = IP address, $2 = CIDR network
     test $(( $(decodeaddr $1) & $netmask)) = $(( $(decodeaddr ${2%/*}) & $netmask ))
 }
 
+#
+# Query NetFilter about the existence of a filter chain
+#
+chain_exists() # $1 = chain name
+{
+    qt1 $g_tool -L $1 -n
+}
+
+#
+# Find the interface with the passed MAC address
+#
+
+find_interface_by_mac() {
+    local mac
+    mac=$1
+    local first
+    local second
+    local rest
+    local dev
+
+    $IP link list | while read first second rest; do
+	case $first in
+	    *:)
+                dev=$second
+		;;
+	    *)
+	        if [ "$second" = $mac ]; then
+		    echo ${dev%:}
+		    return
+		fi
+	esac
+    done
+}
+
 #
 # Find interface address--returns the first IP address assigned to the passed
 # device
 #
 find_first_interface_address() # $1 = interface
 {
-    #
-    # get the line of output containing the first IP address
-    #
-    addr=$(${IP:-ip} -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
-    #
-    # If there wasn't one, bail out now
-    #
-    [ -n "$addr" ] || startup_error "Can't determine the IP address of $1"
-    #
-    # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
-    # along with everything else on the line
-    #
-    echo $addr | sed 's/\s*inet //;s/\/.*//;s/ peer.*//'
+    if [ $g_family -eq 4 ]; then
+	#
+	# get the line of output containing the first IP address
+	#
+	addr=$(${IP:-ip} -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
+	#
+	# If there wasn't one, bail out now
+	#
+	[ -n "$addr" ] || startup_error "Can't determine the IP address of $1"
+	#
+	# Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)	
+	# along with everything else on the line
+	#
+	echo $addr | sed 's/\s*inet //;s/\/.*//;s/ peer.*//'
+    else
+	#
+	# get the line of output containing the first IP address
+	#
+	addr=$(${IP:-ip} -f inet6 addr show dev $1 2> /dev/null | fgrep 'inet6 ' | fgrep -v 'scope link' | head -n1)
+	#
+	# If there wasn't one, bail out now
+	#
+	[ -n "$addr" ] || startup_error "Can't determine the IPv6 address of $1"
+	#
+	# Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
+	# along with everything else on the line
+	#
+	echo $addr | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//'
+    fi
 }
 
 find_first_interface_address_if_any() # $1 = interface
 {
-    #
-    # get the line of output containing the first IP address
-    #
-    addr=$(${IP:-ip} -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
-    #
-    # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
-    # along with everything else on the line
-    #
-    [ -n "$addr" ] && echo $addr | sed 's/\s*inet //;s/\/.*//;s/ peer.*//' || echo 0.0.0.0
+    if [ $g_family -eq 4 ]; then
+	#
+	# get the line of output containing the first IP address
+	#
+	addr=$(${IP:-ip} -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
+	#
+	# Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
+	# along with everything else on the line
+	#
+	[ -n "$addr" ] && echo $addr | sed 's/\s*inet //;s/\/.*//;s/ peer.*//' || echo 0.0.0.0
+    else
+	#
+	# get the line of output containing the first IP address
+	#
+	addr=$(${IP:-ip} -f inet6 addr show dev $1 2> /dev/null | fgrep 'inet6 ' | fgrep -v 'scope link' | head -n1)
+	#
+	# Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
+	# along with everything else on the line
+	#
+	[ -n "$addr" ] && echo $addr | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//' || echo ::
+    fi
 }
 
 #
@@ -513,14 +655,6 @@ mywhich() {
     return 2
 }
 
-#
-# Query NetFilter about the existence of a filter chain
-#
-chain_exists() # $1 = chain name
-{
-    qt1 $IPTABLES -L $1 -n
-}
-
 #
 # Find a File -- For relative file name, look in each ${CONFIG_PATH} then ${CONFDIR}
 #
@@ -550,7 +684,7 @@ find_file()
 #
 # Set the Shorewall state
 #
-set_state () # $1 = state $2
+set_state () # $1 = state
 {
     if [ $# -gt 1 ]; then
 	echo "$1 ($(date)) from $2" > ${VARDIR}/state

Shorewall-core/uninstall.sh

@@ -0,0 +1,84 @@
+#!/bin/sh
+#
+# Script to back uninstall Shoreline Firewall
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2000-2011 - Tom Eastep (teastep@shorewall.net)
+#
+#       Shorewall documentation is available at http://www.shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#    Usage:
+#
+#       You may only use this script to uninstall the version
+#       shown below. Simply run this script to remove Shorewall Firewall
+
+VERSION=xxx #The Build script inserts the actual version
+
+usage() # $1 = exit status
+{
+    ME=$(basename $0)
+    echo "usage: $ME"
+    exit $1
+}
+
+qt()
+{
+    "$@" >/dev/null 2>&1
+}
+
+restore_file() # $1 = file to restore
+{
+    if [ -f ${1}-shorewall.bkout ]; then
+	if (mv -f ${1}-shorewall.bkout $1); then
+	    echo
+	    echo "$1 restored"
+        else
+	    exit 1
+        fi
+    fi
+}
+
+remove_file() # $1 = file to restore
+{
+    if [ -f $1 -o -L $1 ] ; then
+	rm -f $1
+	echo "$1 Removed"
+    fi
+}
+
+if [ -f /usr/share/shorewall/coreversion ]; then
+    INSTALLED_VERSION="$(cat /usr/share/shorewall/coreversion)"
+    if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
+	echo "WARNING: Shorewall Core Version $INSTALLED_VERSION is installed"
+	echo "         and this is the $VERSION uninstaller."
+	VERSION="$INSTALLED_VERSION"
+    fi
+else
+    echo "WARNING: Shorewall Core Version $VERSION is not installed"
+    VERSION=""
+fi
+
+[ -n "${LIBEXEC:=/usr/share}" ]
+[ -n "${PERLLIB:=/usr/share/shorewall}" ]
+
+echo "Uninstalling Shorewall Core $VERSION"
+
+rm -rf /usr/share/shorewall
+
+echo "Shorewall Core Uninstalled"
+
+

Shorewall-init/shorewall-init.service

@@ -14,7 +14,6 @@ RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall-init
 StandardOutput=syslog
 ExecStart=/sbin/shorewall-init $OPTIONS start
-ExecReload=/sbin/shorewall-init $OPTIONS restart
 ExecStop=/sbin/shorewall-init $OPTIONS stop
 
 [Install]

Shorewall-lite/default.debian

@@ -18,9 +18,18 @@ startup=0
 #
 # Startup options
 #
-
 OPTIONS=""
 
+#
+# Start options
+#
+STARTOPTIONS=""
+
+#
+# Restart options
+#
+RESTARTOPTIONS=""
+
 #
 # Init Log -- if /dev/null, use the STARTUP_LOG defined in shorewall.conf
 #
@@ -30,7 +39,6 @@ INITLOG=/dev/null
 # Set this to 1 to cause '/etc/init.d/shorewall-lite stop' to place the firewall in
 # a safe state rather than to open it
 #
-
 SAFESTOP=0
 
 # EOF

Shorewall-lite/init.debian.sh

@@ -80,7 +80,7 @@ fi
 # start the firewall
 shorewall_start () {
   echo -n "Starting \"Shorewall firewall\": "
-  $SRWL $SRWL_OPTS start >> $INITLOG 2>&1 && echo "done." || echo_notdone
+  $SRWL $SRWL_OPTS start $STARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
 }
 
@@ -98,7 +98,7 @@ shorewall_stop () {
 # restart the firewall
 shorewall_restart () {
   echo -n "Restarting \"Shorewall firewall\": "
-  $SRWL $SRWL_OPTS restart >> $INITLOG 2>&1 && echo "done." || echo_notdone
+  $SRWL $SRWL_OPTS restart $RESTARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
 }
 
@@ -109,6 +109,11 @@ shorewall_refresh () {
   return 0
 }
 
+# status of the firewall
+shorewall_status () {
+  $SRWL $SRWL_OPTS status && exit 0 || exit $?
+}
+
 case "$1" in
   start)
      shorewall_start
@@ -122,8 +127,11 @@ case "$1" in
   force-reload|restart)
      shorewall_restart
      ;;
+  status)
+     shorewall_status
+     ;;
   *)
-     echo "Usage: /etc/init.d/shorewall-lite {start|stop|refresh|restart|force-reload}"
+     echo "Usage: /etc/init.d/shorewall-lite {start|stop|refresh|restart|force-reload|status}"
      exit 1
 esac
 

Shorewall-lite/init.sh

@@ -76,14 +76,13 @@ command="$1"
 
 case "$command" in
     start)
-	exec /sbin/shorewall-lite $OPTIONS $@
+	exec /sbin/shorewall-lite $OPTIONS start $STARTOPTIONS $@
 	;;
-    stop|restart|status)
-	exec /sbin/shorewall-lite $@
+    restart|reload)
+	exec /sbin/shorewall-lite $OPTIONS restart $RESTARTOPTIONS $@
 	;;
-    reload)
-	shift
-	exec /sbin/shorewall-lite restart $@
+    status|stop)
+	exec /sbin/shorewall-lite $OPTIONS $command $@
 	;;
     *)
 	usage

Shorewall-lite/install.sh

@@ -72,7 +72,7 @@ run_install()
 cant_autostart()
 {
     echo
-    echo  "WARNING: Unable to configure shorewall to start automatically at boot" >&2
+    echo  "WARNING: Unable to configure $Product to start automatically at boot" >&2
 }
 
 delete_file() # $1 = file to delete
@@ -85,6 +85,19 @@ install_file() # $1 = source $2 = target $3 = mode
     run_install $T $OWNERSHIP -m $3 $1 ${2}
 }
 
+#
+# Change to the directory containing this script
+#
+cd "$(dirname $0)"
+
+if [ -f shorewall-lite ]; then
+    PRODUCT=shorewall-lite
+    Product="Shorewall Lite"
+else
+    PRODUCT=shorewall6-lite
+    Product="Shorewall6 Lite"
+fi
+
 [ -n "$DESTDIR" ] || DESTDIR="$PREFIX"
 
 #
@@ -92,16 +105,13 @@ install_file() # $1 = source $2 = target $3 = mode
 #
 # DEST is the SysVInit script directory
 # INIT is the name of the script in the $DEST directory
-# ARGS is "yes" if we've already parsed an argument
 #
-ARGS=""
-
 if [ -z "$DEST" ] ; then
 	DEST="/etc/init.d"
 fi
 
 if [ -z "$INIT" ] ; then
-	INIT="shorewall-lite"
+	INIT="$PRODUCT"
 fi
 
 while [ $# -gt 0 ] ; do
@@ -110,7 +120,7 @@ while [ $# -gt 0 ] ; do
 	    usage 0
 	    ;;
         -v)
-	    echo "Shorewall Lite Firewall Installer Version $VERSION"
+	    echo "$Product Firewall Installer Version $VERSION"
 	    exit 0
 	    ;;
 	*)
@@ -118,7 +128,6 @@ while [ $# -gt 0 ] ; do
 	    ;;
     esac
     shift
-    ARGS="yes"
 done
 
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
@@ -179,11 +188,16 @@ elif [ -f /etc/slackware-version ] ; then
     INIT="rc.firewall"
 elif [ -f /etc/arch-release ] ; then
       DEST="/etc/rc.d"
-      INIT="shorewall-lite"
+      INIT="$PRODUCT"
       ARCHLINUX=yes
 fi
 
 if [ -z "$DESTDIR" ]; then
+    if [ ! -f /usr/share/shorewall/coreversion ]; then
+	echo "$PRODUCT $VERSION requires Shorewall Core which does not appear to be installed" >&2
+	exit 1
+    fi
+
     if [ -f /lib/systemd/system ]; then
 	SYSTEMD=Yes
     fi
@@ -191,68 +205,68 @@ elif [ -n "$SYSTEMD" ]; then
     mkdir -p ${DESTDIR}/lib/systemd/system
 fi
 
-#
-# Change to the directory containing this script
-#
-cd "$(dirname $0)"
-
-echo "Installing Shorewall Lite Version $VERSION"
+echo "Installing $Product Version $VERSION"
 
 #
-# Check for /etc/shorewall-lite
+# Check for /etc/$PRODUCT
 #
-if [ -z "$DESTDIR" -a -d /etc/shorewall-lite ]; then
-    [ -f /etc/shorewall-lite/shorewall.conf ] && \
-	mv -f /etc/shorewall-lite/shorewall.conf /etc/shorewall-lite/shorewall-lite.conf
+if [ -z "$DESTDIR" -a -d /etc/$PRODUCT ]; then
+    if [ ! -f /usr/share/shorewall/coreversion ]; then
+	echo "$PRODUCT $VERSION requires Shorewall Core which does not appear to be installed" >&2
+	exit 1
+    fi
+
+    [ -f /etc/$PRODUCT/shorewall.conf ] && \
+	mv -f /etc/$PRODUCT/shorewall.conf /etc/$PRODUCT/$PRODUCT.conf
 else
-    rm -rf ${DESTDIR}/etc/shorewall-lite
-    rm -rf ${DESTDIR}/usr/share/shorewall-lite
-    rm -rf ${DESTDIR}/var/lib/shorewall-lite
-    [ "$LIBEXEC" = share ] || rm -rf /usr/share/shorewall-lite/shorecap /usr/share/shorecap
+    rm -rf ${DESTDIR}/etc/$PRODUCT
+    rm -rf ${DESTDIR}/usr/share/$PRODUCT
+    rm -rf ${DESTDIR}/var/lib/$PRODUCT
+    [ "$LIBEXEC" = /usr/share ] || rm -rf /usr/share/$PRODUCT/wait4ifup /usr/share/$PRODUCT/shorecap
 fi
 
 #
-# Check for /sbin/shorewall-lite
+# Check for /sbin/$PRODUCT
 #
-if [ -f ${DESTDIR}/sbin/shorewall-lite ]; then
+if [ -f ${DESTDIR}/sbin/$PRODUCT ]; then
     first_install=""
 else
     first_install="Yes"
 fi
 
-delete_file ${DESTDIR}/usr/share/shorewall-lite/xmodules
+delete_file ${DESTDIR}/usr/share/$PRODUCT/xmodules
 
-install_file shorewall-lite ${DESTDIR}/sbin/shorewall-lite 0544
+install_file $PRODUCT ${DESTDIR}/sbin/$PRODUCT 0544
 
-eval sed -i \'``s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/sbin/shorewall-lite
+eval sed -i \'``s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/sbin/$PRODUCT
 
-echo "Shorewall Lite control program installed in ${DESTDIR}/sbin/shorewall-lite"
+echo "$Product control program installed in ${DESTDIR}/sbin/$PRODUCT"
 
 #
 # Install the Firewall Script
 #
 if [ -n "$DEBIAN" ]; then
-    install_file init.debian.sh ${DESTDIR}/etc/init.d/shorewall-lite 0544
+    install_file init.debian.sh ${DESTDIR}/etc/init.d/$PRODUCT 0544
 elif [ -n "$FEDORA" ]; then
-    install_file init.fedora.sh ${DESTDIR}/etc/init.d/shorewall-lite 0544
+    install_file init.fedora.sh ${DESTDIR}/etc/init.d/$PRODUCT 0544
 elif [ -n "$ARCHLINUX" ]; then
     install_file init.archlinux.sh ${DESTDIR}/${DEST}/$INIT 0544
 else
     install_file init.sh ${DESTDIR}/${DEST}/$INIT 0544
 fi
 
-echo  "Shorewall Lite script installed in ${DESTDIR}${DEST}/$INIT"
+echo  "$Product script installed in ${DESTDIR}${DEST}/$INIT"
 
 #
-# Create /etc/shorewall-lite, /usr/share/shorewall-lite and /var/lib/shorewall-lite if needed
+# Create /etc/$PRODUCT, /usr/share/$PRODUCT and /var/lib/$PRODUCT if needed
 #
-mkdir -p ${DESTDIR}/etc/shorewall-lite
-mkdir -p ${DESTDIR}/usr/share/shorewall-lite
-mkdir -p ${DESTDIR}${LIBEXEC}/shorewall-lite
-mkdir -p ${DESTDIR}/var/lib/shorewall-lite
+mkdir -p ${DESTDIR}/etc/$PRODUCT
+mkdir -p ${DESTDIR}/usr/share/$PRODUCT
+mkdir -p ${DESTDIR}${LIBEXEC}/$PRODUCT
+mkdir -p ${DESTDIR}/var/lib/$PRODUCT
 
-chmod 755 ${DESTDIR}/etc/shorewall-lite
-chmod 755 ${DESTDIR}/usr/share/shorewall-lite
+chmod 755 ${DESTDIR}/etc/$PRODUCT
+chmod 755 ${DESTDIR}/usr/share/$PRODUCT
 
 if [ -n "$DESTDIR" ]; then
     mkdir -p ${DESTDIR}/etc/logrotate.d
@@ -263,85 +277,74 @@ fi
 # Install the .service file
 #
 if [ -n "$SYSTEMD" ]; then
-    run_install $OWNERSHIP -m 600 shorewall-lite.service ${DESTDIR}/lib/systemd/system/shorewall-lite.service
-    echo "Service file installed as ${DESTDIR}/lib/systemd/system/shorewall-lite.service"
+    run_install $OWNERSHIP -m 600 $PRODUCT.service ${DESTDIR}/lib/systemd/system/$PRODUCT.service
+    echo "Service file installed as ${DESTDIR}/lib/systemd/system/$PRODUCT.service"
 fi
 
 #
 # Install the config file
 #
-if [ ! -f ${DESTDIR}/etc/shorewall-lite/shorewall-lite.conf ]; then
-   run_install $OWNERSHIP -m 0744 shorewall-lite.conf ${DESTDIR}/etc/shorewall-lite
-   echo "Config file installed as ${DESTDIR}/etc/shorewall-lite/shorewall-lite.conf"
+if [ ! -f ${DESTDIR}/etc/$PRODUCT/$PRODUCT.conf ]; then
+   install_file $PRODUCT.conf ${DESTDIR}/etc/$PRODUCT/$PRODUCT.conf 0744
+   echo "Config file installed as ${DESTDIR}/etc/$PRODUCT/$PRODUCT.conf"
 fi
 
 if [ -n "$ARCHLINUX" ] ; then
-   sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${DESTDIR}/etc/shorewall-lite/shorewall.conf
+   sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${DESTDIR}/etc/$PRODUCT/$PRODUCT.conf
 fi
 
 #
 # Install the  Makefile
 #
-run_install $OWNERSHIP -m 0600 Makefile ${DESTDIR}/etc/shorewall-lite
-echo "Makefile installed as ${DESTDIR}/etc/shorewall-lite/Makefile"
+run_install $OWNERSHIP -m 0600 Makefile ${DESTDIR}/etc/$PRODUCT
+echo "Makefile installed as ${DESTDIR}/etc/$PRODUCT/Makefile"
 
 #
 # Install the default config path file
 #
-install_file configpath ${DESTDIR}/usr/share/shorewall-lite/configpath 0644
-echo "Default config path file installed as ${DESTDIR}/usr/share/shorewall-lite/configpath"
+install_file configpath ${DESTDIR}/usr/share/$PRODUCT/configpath 0644
+echo "Default config path file installed as ${DESTDIR}/usr/share/$PRODUCT/configpath"
 
 #
 # Install the libraries
 #
 for f in lib.* ; do
     if [ -f $f ]; then
-	install_file $f ${DESTDIR}/usr/share/shorewall-lite/$f 0644
-	echo "Library ${f#*.} file installed as ${DESTDIR}/usr/share/shorewall-lite/$f"
+	install_file $f ${DESTDIR}/usr/share/$PRODUCT/$f 0644
+	echo "Library ${f#*.} file installed as ${DESTDIR}/usr/share/$PRODUCT/$f"
     fi
 done
 
-ln -sf lib.base ${DESTDIR}/usr/share/shorewall-lite/functions
+ln -sf lib.base ${DESTDIR}/usr/share/$PRODUCT/functions
 
-echo "Common functions linked through ${DESTDIR}/usr/share/shorewall-lite/functions"
+echo "Common functions linked through ${DESTDIR}/usr/share/$PRODUCT/functions"
 
 #
 # Install Shorecap
 #
 
-install_file shorecap ${DESTDIR}${LIBEXEC}/shorewall-lite/shorecap 0755
+install_file shorecap ${DESTDIR}${LIBEXEC}/$PRODUCT/shorecap 0755
 
 echo
-echo "Capability file builder installed in ${DESTDIR}${LIBEXEC}/shorewall-lite/shorecap"
-
-#
-# Install wait4ifup
-#
-
-if [ -f wait4ifup ]; then
-    install_file wait4ifup ${DESTDIR}${LIBEXEC}/shorewall-lite/wait4ifup 0755
-
-    echo
-    echo "wait4ifup installed in ${DESTDIR}${LIBEXEC}/shorewall-lite/wait4ifup"
-fi
+echo "Capability file builder installed in ${DESTDIR}${LIBEXEC}/$PRODUCT/shorecap"
 
 #
 # Install the Modules files
 #
 
 if [ -f modules ]; then
-    run_install $OWNERSHIP -m 0600 modules ${DESTDIR}/usr/share/shorewall-lite
-    echo "Modules file installed as ${DESTDIR}/usr/share/shorewall-lite/modules"
+    run_install $OWNERSHIP -m 0600 modules ${DESTDIR}/usr/share/$PRODUCT
+    echo "Modules file installed as ${DESTDIR}/usr/share/$PRODUCT/modules"
 fi
 
 if [ -f helpers ]; then
-    run_install $OWNERSHIP -m 0600 helpers ${DESTDIR}/usr/share/shorewall-lite
-    echo "Helper modules file installed as ${DESTDIR}/usr/share/shorewall-lite/helpers"
+    run_install $OWNERSHIP -m 0600 helpers ${DESTDIR}/usr/share/$PRODUCT
+    echo "Helper modules file installed as ${DESTDIR}/usr/share/$PRODUCT/helpers"
 fi
 
 for f in modules.*; do
-    run_install $OWNERSHIP -m 0644 $f ${DESTDIR}/usr/share/shorewall-lite/$f
-    echo "Module file $f installed as ${DESTDIR}/usr/share/shorewall-lite/$f"
+    run_install $OWNERSHIP -m 0644 $f ${DESTDIR}/usr/share/$PRODUCT/$f
+    echo "Module file $f installed as ${DESTDIR}/usr/share/$PRODUCT/$f"
 done
 
 #
@@ -371,62 +374,65 @@ if [ -d manpages ]; then
 fi
 
 if [ -d ${DESTDIR}/etc/logrotate.d ]; then
-    run_install $OWNERSHIP -m 0644 logrotate ${DESTDIR}/etc/logrotate.d/shorewall-lite
-    echo "Logrotate file installed as ${DESTDIR}/etc/logrotate.d/shorewall-lite"
+    run_install $OWNERSHIP -m 0644 logrotate ${DESTDIR}/etc/logrotate.d/$PRODUCT
+    echo "Logrotate file installed as ${DESTDIR}/etc/logrotate.d/$PRODUCT"
 fi
 
-
 #
 # Create the version file
 #
-echo "$VERSION" > ${DESTDIR}/usr/share/shorewall-lite/version
-chmod 644 ${DESTDIR}/usr/share/shorewall-lite/version
+echo "$VERSION" > ${DESTDIR}/usr/share/$PRODUCT/version
+chmod 644 ${DESTDIR}/usr/share/$PRODUCT/version
 #
 # Remove and create the symbolic link to the init script
 #
 
 if [ -z "$DESTDIR" ]; then
-    rm -f /usr/share/shorewall-lite/init
-    ln -s ${DEST}/${INIT} /usr/share/shorewall-lite/init
+    rm -f /usr/share/$PRODUCT/init
+    ln -s ${DEST}/${INIT} /usr/share/$PRODUCT/init
 fi
 
+delete_file ${DESTDIR}/usr/share/$PRODUCT/lib.common
+delete_file ${DESTDIR}/usr/share/$PRODUCT/lib.cli
+delete_file ${DESTDIR}/usr/share/$PRODUCT/wait4ifup
+
 if [ -z "$DESTDIR" ]; then
-    touch /var/log/shorewall-lite-init.log
+    touch /var/log/$PRODUCT-init.log
 
     if [ -n "$first_install" ]; then
 	if [ -n "$DEBIAN" ]; then
-	    run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall-lite
+	    run_install $OWNERSHIP -m 0644 default.debian /etc/default/$PRODUCT
 
-	    update-rc.d shorewall-lite defaults
+	    update-rc.d $PRODUCT defaults
 
 	    if [ -x /sbin/insserv ]; then
-		insserv /etc/init.d/shorewall-lite
+		insserv /etc/init.d/$PRODUCT
 	    else
-		ln -s ../init.d/shorewall-lite /etc/rcS.d/S40shorewall-lite
+		ln -s ../init.d/$PRODUCT /etc/rcS.d/S40$PRODUCT
 	    fi
 
-	    echo "Shorewall Lite will start automatically at boot"
+	    echo "$Product will start automatically at boot"
 	else
 	    if [ -n "$SYSTEMD" ]; then
-		if systemctl enable shorewall-lite; then
-		    echo "Shorewall Lite will start automatically at boot"
+		if systemctl enable $PRODUCT; then
+		    echo "$Product will start automatically at boot"
 		fi
 	    elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
-		if insserv /etc/init.d/shorewall-lite ; then
-		    echo "Shorewall Lite will start automatically at boot"
+		if insserv /etc/init.d/$PRODUCT ; then
+		    echo "$Product will start automatically at boot"
 		else
 		    cant_autostart
 		fi
 	    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
-		if chkconfig --add shorewall-lite ; then
-		    echo "Shorewall Lite will start automatically in run levels as follows:"
-		    chkconfig --list shorewall-lite
+		if chkconfig --add $PRODUCT ; then
+		    echo "$Product will start automatically in run levels as follows:"
+		    chkconfig --list $PRODUCT
 		else
 		    cant_autostart
 		fi
 	    elif [ -x /sbin/rc-update ]; then
-		if rc-update add shorewall-lite default; then
-		    echo "Shorewall Lite will start automatically at boot"
+		if rc-update add $PRODUCT default; then
+		    echo "$Product will start automatically at boot"
 		else
 		    cant_autostart
 		fi
@@ -440,4 +446,4 @@ fi
 #
 #  Report Success
 #
-echo "shorewall Lite Version $VERSION Installed"
+echo "$Product Version $VERSION Installed"

Shorewall-lite/lib.base

@@ -0,0 +1,34 @@
+#
+# Shorewall 4.4 -- /usr/share/shorewall-lite/lib.base
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2011 - Tom Eastep (teastep@shorewall.net)
+#
+#	Complete documentation is available at http://shorewall.net
+#
+#	This program is free software; you can redisribute it and/or modify
+#	it under the terms of Version 2 of the GNU General Public License
+#	as published by the Free Software Foundation.
+#
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, write to the Free Software
+#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# This library contains the code common to all Shorewall components.
+
+g_program=shorewall-lite
+g_family=4
+g_basedir=/usr/share/shorewall
+
+[ -n "${VARDIR:=/var/lib/$g_program}" ]
+[ -n "${SHAREDIR:=/usr/share/$g_program}" ]
+[ -n "${CONFDIR:=/etc/$g_program}" ]
+
+. /usr/share/shorewall/lib.base
+

Shorewall-lite/manpages/shorewall-lite.xml

@@ -11,11 +11,27 @@
   <refnamediv>
     <refname>shorewall-lite</refname>
 
-    <refpurpose>Administration tool for Shoreline Firewall Lite
-    (Shorewall-lite)</refpurpose>
+    <refpurpose>Administration tool for Shoreline Firewall Lite (Shorewall
+    Lite)</refpurpose>
   </refnamediv>
 
   <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg rep="norepeat">-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>add</option></arg>
+
+      <arg choice="plain"
+      rep="repeat"><replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]</arg>
+
+      <arg choice="plain"><replaceable>zone</replaceable></arg>
+    </cmdsynopsis>
+
     <cmdsynopsis>
       <command>shorewall-lite</command>
 
@@ -37,7 +53,38 @@
 
       <arg>-<replaceable>options</replaceable></arg>
 
-      <arg choice="plain"><option>clear</option></arg>
+      <arg
+      choice="plain"><option>clear</option><arg><option>-f</option></arg></arg>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg rep="norepeat">-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>delete</option></arg>
+
+      <arg choice="plain"
+      rep="repeat"><replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]</arg>
+
+      <arg choice="plain"><replaceable>zone</replaceable></arg>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>disable</option></arg>
+
+      <arg choice="plain">{ <replaceable>interface</replaceable> |
+      <replaceable>provider</replaceable> }</arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -64,13 +111,30 @@
 
       <arg><option>-x</option></arg>
 
+      <arg><option>-l</option></arg>
+
       <arg><option>-m</option></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
       <command>shorewall-lite</command>
 
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>enable</option></arg>
+
+      <arg choice="plain">{ <replaceable>interface</replaceable> |
+      <replaceable>provider</replaceable> }</arg>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
 
       <arg>-<replaceable>options</replaceable></arg>
 
@@ -96,7 +160,8 @@
 
       <arg>-<replaceable>options</replaceable></arg>
 
-      <arg choice="plain"><option>hits</option></arg>
+      <arg
+      choice="plain"><option>hits</option><arg><option>-t</option></arg></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -130,6 +195,19 @@
       choice="plain"><replaceable>address1</replaceable><option>-</option><replaceable>address2</replaceable></arg>
     </cmdsynopsis>
 
+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>iptrace</option></arg>
+
+      <arg choice="plain"><replaceable>iptables match
+      expression</replaceable></arg>
+    </cmdsynopsis>
+
     <cmdsynopsis>
       <command>shorewall-lite</command>
 
@@ -170,6 +248,19 @@
       <arg choice="plain"><replaceable>address</replaceable></arg>
     </cmdsynopsis>
 
+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>noiptrace</option></arg>
+
+      <arg choice="plain"><replaceable>iptables match
+      expression</replaceable></arg>
+    </cmdsynopsis>
+
     <cmdsynopsis>
       <command>shorewall-lite</command>
 
@@ -191,8 +282,24 @@
 
       <arg>-<replaceable>options</replaceable></arg>
 
+      <arg choice="plain"><option>reset</option></arg>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
       <arg
-      choice="plain"><option>restart</option><arg><option>-n</option></arg><arg><option>-p</option></arg></arg>
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>restart</option></arg>
+
+      <arg><option>-n</option></arg>
+
+      <arg><option>-p</option></arg>
+
+      <arg><replaceable>directory</replaceable></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -232,8 +339,10 @@
 
       <arg><option>-x</option></arg>
 
+      <arg><option>-l</option></arg>
+
       <arg><option>-t</option>
-      {<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw</option>}</arg>
+      {<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw|rawpost</option>}</arg>
 
       <arg><arg><option>chain</option></arg><arg choice="plain"
       rep="repeat"><replaceable>chain</replaceable></arg></arg>
@@ -263,7 +372,7 @@
       <arg choice="plain"><option>show</option></arg>
 
       <arg
-      choice="req"><option>actions|classifiers|connections|config|zones</option></arg>
+      choice="req"><option>classifiers|connections|config|filters|ip|ipa|zones|policies|marks</option></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -277,7 +386,7 @@
 
       <arg><option>-x</option></arg>
 
-      <arg choice="req"><option>mangle|nat</option></arg>
+      <arg choice="req"><option>mangle|nat|routing|raw|rawpost</option></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -318,7 +427,7 @@
 
       <arg><option>-n</option></arg>
 
-      <arg><option>-f</option><arg><option>-p</option></arg></arg>
+      <arg><option>-p</option></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -349,7 +458,8 @@
 
       <arg>-<replaceable>options</replaceable></arg>
 
-      <arg choice="plain"><option>version</option></arg>
+      <arg
+      choice="plain"><option>version</option><arg><option>-a</option></arg></arg>
     </cmdsynopsis>
   </refsynopsisdiv>
 
@@ -357,7 +467,7 @@
     <title>Description</title>
 
     <para>The shorewall-lite utility is used to control the Shoreline Firewall
-    (Shorewall) Lite.</para>
+    Lite (Shorewall Lite).</para>
   </refsect1>
 
   <refsect1>
@@ -365,12 +475,12 @@
 
     <para>The <option>trace</option> and <option>debug</option> options are
     used for debugging. See <ulink
-    url="http://www.shorewall.net/starting_and_stopping.htm#Trace">http://www.shorewall.net/starting_and_stopping.htm#Trace</ulink>.</para>
+    url="http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace">http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace</ulink>.</para>
 
     <para>The nolock <option>option</option> prevents the command from
-    attempting to acquire the Shorewall Lite lockfile. It is useful if you
-    need to include <command>shorewall-lite</command> commands in the
-    <filename>started</filename> extension script.</para>
+    attempting to acquire the Shorewall-lite lockfile. It is useful if you
+    need to include <command>shorewall</command> commands in
+    <filename>/etc/shorewall/started</filename>.</para>
 
     <para>The <emphasis>options</emphasis> control the amount of output that
     the command produces. They consist of a sequence of the letters <emphasis
@@ -407,12 +517,12 @@
           defined in the <ulink
           url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
           file. A <emphasis>host-list</emphasis> is comma-separated list whose
-          elements are a host or network address.<caution>
+          elements are host or network addresses.<caution>
               <para>The <command>add</command> command is not very robust. If
               there are errors in the <replaceable>host-list</replaceable>,
               you may see a large number of error messages yet a subsequent
-              <command>shorewall show zones</command> command will indicate
-              that all hosts were added. If this happens, replace
+              <command>shorewall-lite show zones</command> command will
+              indicate that all hosts were added. If this happens, replace
               <command>add</command> by <command>delete</command> and run the
               same command again. Then enter the correct command.</para>
             </caution></para>
@@ -435,10 +545,16 @@
         <term><emphasis role="bold">clear</emphasis></term>
 
         <listitem>
-          <para>Clear will remove all rules and chains installed by Shorewall
-          Lite. The firewall is then wide open and unprotected. Existing
-          connections are untouched. Clear is often used to see if the
-          firewall is causing connection problems.</para>
+          <para>Clear will remove all rules and chains installed by
+          Shorewall-lite. The firewall is then wide open and unprotected.
+          Existing connections are untouched. Clear is often used to see if
+          the firewall is causing connection problems.</para>
+
+          <para>If <option>-f</option> is given, the command will be processed
+          by the compiled script that executed the last successful <emphasis
+          role="bold">start</emphasis>, <emphasis
+          role="bold">restart</emphasis> or <emphasis
+          role="bold">refresh</emphasis> command if that script exists.</para>
         </listitem>
       </varlistentry>
 
@@ -457,6 +573,18 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">disable</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.4.26. Disables the optional provider
+          associated with the specified <replaceable>interface</replaceable>
+          or <replaceable>provider</replaceable>. Where more than one provider
+          share a single network interface, a
+          <replaceable>provider</replaceable> name must be given.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">drop</emphasis></term>
 
@@ -476,8 +604,23 @@
           <para>The <emphasis role="bold">-x</emphasis> option causes actual
           packet and byte counts to be displayed. Without that option, these
           counts are abbreviated. The <emphasis role="bold">-m</emphasis>
-          option causes any MAC addresses included in Shorewall Lite log
+          option causes any MAC addresses included in Shorewall-lite log
           messages to be displayed.</para>
+
+          <para>The <emphasis role="bold">-l</emphasis> option causes the rule
+          number for each Netfilter rule to be displayed.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">enable</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.4.26. Enables the optional provider
+          associated with the specified <replaceable>interface</replaceable>
+          or <replaceable>provider</replaceable>. Where more than one provider
+          share a single network interface, a
+          <replaceable>provider</replaceable> name must be given.</para>
         </listitem>
       </varlistentry>
 
@@ -489,7 +632,7 @@
           and /var/lib/shorewall-lite/save. If no
           <emphasis>filename</emphasis> is given then the file specified by
           RESTOREFILE in <ulink
-          url="shorewall-lite.conf.html">shorewall-lite.conf</ulink>(5) is
+          url="shorewall.conf.html">shorewall.conf</ulink>(5) is
           assumed.</para>
         </listitem>
       </varlistentry>
@@ -506,8 +649,9 @@
         <term><emphasis role="bold">hits</emphasis></term>
 
         <listitem>
-          <para>Generates several reports from Shorewall Lite log messages in
-          the current log file.</para>
+          <para>Generates several reports from Shorewall-lite log messages in
+          the current log file. If the <option>-t</option> option is included,
+          the reports are restricted to log messages generated today.</para>
         </listitem>
       </varlistentry>
 
@@ -530,12 +674,33 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">iptrace</emphasis></term>
+
+        <listitem>
+          <para>This is a low-level debugging command that causes iptables
+          TRACE log records to be created. See iptables(8) for details.</para>
+
+          <para>The <replaceable>iptables match expression</replaceable> must
+          be one or more matches that may appear in both the raw table OUTPUT
+          and raw table PREROUTING chains.</para>
+
+          <para>The trace records are written to the kernel's log buffer with
+          faciility = kernel and priority = warning, and they are routed from
+          there by your logging daemon (syslogd, rsyslog, syslog-ng, ...) --
+          Shorewall-lite has no control over where the messages go; consult
+          your logging daemon's documentation.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">logdrop</emphasis></term>
 
         <listitem>
           <para>Causes traffic from the listed <emphasis>address</emphasis>es
-          to be logged then discarded.</para>
+          to be logged then discarded. Logging occurs at the log level
+          specified by the BLACKLIST_LOGLEVEL setting in <ulink
+          url="shorewall.conf.html">shorewall.conf</ulink> (5).</para>
         </listitem>
       </varlistentry>
 
@@ -543,9 +708,9 @@
         <term><emphasis role="bold">logwatch</emphasis></term>
 
         <listitem>
-          <para>Monitors the log file specified by theLOGFILE option in <ulink
-          url="shorewall-lite.conf.html">shorewall-lite.conf</ulink>(5) and
-          produces an audible alarm when new Shorewall Lite messages are
+          <para>Monitors the log file specified by the LOGFILE option in
+          <ulink url="shorewall.conf.html">shorewall.conf</ulink>(5) and
+          produces an audible alarm when new Shorewall-lite messages are
           logged. The <emphasis role="bold">-m</emphasis> option causes the
           MAC address of each packet source to be displayed if that
           information is available. The
@@ -563,7 +728,22 @@
 
         <listitem>
           <para>Causes traffic from the listed <emphasis>address</emphasis>es
-          to be logged then rejected.</para>
+          to be logged then rejected. Logging occurs at the log level
+          specified by the BLACKLIST_LOGLEVEL setting in <ulink
+          url="shorewall.conf.html">shorewall.conf</ulink> (5).</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">noiptrace</emphasis></term>
+
+        <listitem>
+          <para>This is a low-level debugging command that cancels a trace
+          started by a preceding <command>iptrace</command> command.</para>
+
+          <para>The <replaceable>iptables match expression</replaceable> must
+          be one given in the <command>iptrace</command> command being
+          cancelled.</para>
         </listitem>
       </varlistentry>
 
@@ -581,10 +761,10 @@
 
         <listitem>
           <para>Restart is similar to <emphasis role="bold">shorewall-lite
-          start</emphasis> but assumes that the firewall is already started.
-          Existing connections are maintained.</para>
+          start</emphasis> except that it assumes that the firewall is already
+          started. Existing connections are maintained.</para>
 
-          <para>The <option>-n</option> option causes Shorewall to avoid
+          <para>The <option>-n</option> option causes Shorewall-lite to avoid
           updating the routing table(s).</para>
 
           <para>The <option>-p</option> option causes the connection tracking
@@ -597,14 +777,14 @@
         <term><emphasis role="bold">restore</emphasis></term>
 
         <listitem>
-          <para>Restore Shorewall Lite to a state saved using the <emphasis
+          <para>Restore Shorewall-lite to a state saved using the <emphasis
           role="bold">shorewall-lite save</emphasis> command. Existing
           connections are maintained. The <emphasis>filename</emphasis> names
           a restore file in /var/lib/shorewall-lite created using <emphasis
           role="bold">shorewall-lite save</emphasis>; if no
-          <emphasis>filename</emphasis> is given then Shorewall Lite will be
+          <emphasis>filename</emphasis> is given then Shorewall-lite will be
           restored from the file specified by the RESTOREFILE option in <ulink
-          url="shorewall-lite.conf.html">shorewall-lite.conf</ulink>(5).</para>
+          url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
         </listitem>
       </varlistentry>
 
@@ -615,11 +795,10 @@
           <para>The dynamic blacklist is stored in
           /var/lib/shorewall-lite/save. The state of the firewall is stored in
           /var/lib/shorewall-lite/<emphasis>filename</emphasis> for use by the
-          <emphasis role="bold">shorewall-lite restore</emphasis> and
-          <emphasis role="bold">shorewall-lite -f start</emphasis> commands.
-          If <emphasis>filename</emphasis> is not given then the state is
-          saved in the file specified by the RESTOREFILE option in <ulink
-          url="shorewall-lite.conf.html">shorewall-lite.conf</ulink>(5).</para>
+          <emphasis role="bold">shorewall-lite restore</emphasis>. If
+          <emphasis>filename</emphasis> is not given then the state is saved
+          in the file specified by the RESTOREFILE option in <ulink
+          url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
         </listitem>
       </varlistentry>
 
@@ -631,15 +810,6 @@
           arguments:</para>
 
           <variablelist>
-            <varlistentry>
-              <term><emphasis role="bold">actions</emphasis></term>
-
-              <listitem>
-                <para>Produces a report about the available actions (built-in,
-                standard and user-defined).</para>
-              </listitem>
-            </varlistentry>
-
             <varlistentry>
               <term><emphasis role="bold">capabilities</emphasis></term>
 
@@ -652,8 +822,8 @@
             </varlistentry>
 
             <varlistentry>
-              <term>[ [ <option>chain</option> ] <emphasis>chain</emphasis>
-              ... ]</term>
+              <term>[ [ <option>chain</option> ] <emphasis>chain</emphasis>...
+              ]</term>
 
               <listitem>
                 <para>The rules in each <emphasis>chain</emphasis> are
@@ -669,20 +839,25 @@
                 Netfilter table to display. The default is <emphasis
                 role="bold">filter</emphasis>.</para>
 
+                <para>The <emphasis role="bold">-l</emphasis> option causes
+                the rule number for each Netfilter rule to be
+                displayed.</para>
+
                 <para>If the <emphasis role="bold">t</emphasis> option and the
                 <option>chain</option> keyword are both omitted and any of the
                 listed <replaceable>chain</replaceable>s do not exist, a usage
-                message will be displayed.</para>
+                message is displayed.</para>
               </listitem>
             </varlistentry>
 
             <varlistentry>
-              <term><emphasis role="bold">classifiers</emphasis></term>
+              <term><emphasis
+              role="bold">classifiers|filters</emphasis></term>
 
               <listitem>
                 <para>Displays information about the packet classifiers
-                defined on the system 10-080213-8397as a result of traffic
-                shaping configuration.</para>
+                defined on the system as a result of traffic shaping
+                configuration.</para>
               </listitem>
             </varlistentry>
 
@@ -704,15 +879,44 @@
             </varlistentry>
 
             <varlistentry>
-              <term><emphasis role="bold">mangle</emphasis></term>
+              <term><emphasis role="bold">ip</emphasis></term>
 
               <listitem>
-                <para>Displays the Netfilter mangle table using the command
-                <emphasis role="bold">iptables -t mangle -L -n
-                -v</emphasis>.The <emphasis role="bold">-x</emphasis> option
-                is passed directly through to iptables and causes actual
-                packet and byte counts to be displayed. Without this option,
-                those counts are abbreviated.</para>
+                <para>Displays the system's IPv4 configuration.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">ipa</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.4.17. Displays the per-IP
+                accounting counters (<ulink
+                url="manpages/shorewall-accounting.html">shorewall-accounting</ulink>
+                (5)).</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">log</emphasis></term>
+
+              <listitem>
+                <para>Displays the last 20 Shorewall-lite messages from the
+                log file specified by the LOGFILE option in <ulink
+                url="shorewall.conf.html">shorewall.conf</ulink>(5). The
+                <emphasis role="bold">-m</emphasis> option causes the MAC
+                address of each packet source to be displayed if that
+                information is available.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">marks</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.4.26. Displays the various fields
+                in packet marks giving the min and max value (in both decimal
+                and hex) and the applicable mask (in hex).</para>
               </listitem>
             </varlistentry>
 
@@ -729,6 +933,39 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><emphasis role="bold">policies</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.4.4. Displays the applicable policy
+                between each pair of zones. Note that implicit intrazone
+                ACCEPT policies are not displayed for zones associated with a
+                single network where that network doesn't specify
+                <option>routeback</option>.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">routing</emphasis></term>
+
+              <listitem>
+                <para>Displays the system's IPv4 routing configuration.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">raw</emphasis></term>
+
+              <listitem>
+                <para>Displays the Netfilter raw table using the command
+                <emphasis role="bold">iptables -t raw -L -n -v</emphasis>.The
+                <emphasis role="bold">-x</emphasis> option is passed directly
+                through to iptables and causes actual packet and byte counts
+                to be displayed. Without this option, those counts are
+                abbreviated.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis role="bold">tc</emphasis></term>
 
@@ -742,8 +979,8 @@
               <term><emphasis role="bold">zones</emphasis></term>
 
               <listitem>
-                <para>Displays the current composition of the Shorewall Lite
-                zones on the system.</para>
+                <para>Displays the current composition of the Shorewall zones
+                on the system.</para>
               </listitem>
             </varlistentry>
           </variablelist>
@@ -754,17 +991,10 @@
         <term><emphasis role="bold">start</emphasis></term>
 
         <listitem>
-          <para>Start shorewall Lite. Existing connections through
+          <para>Start Shorewall Lite. Existing connections through
           shorewall-lite managed interfaces are untouched. New connections
           will be allowed only if they are allowed by the firewall rules or
-          policies. If <emphasis role="bold">-f</emphasis> is specified, the
-          saved configuration specified by the RESTOREFILE option in <ulink
-          url="shorewall-lite.conf.html">shorewall-lite.conf</ulink>(5) will
-          be restored if that saved configuration exists and has been modified
-          more recently than the files in /etc/shorewall.</para>
-
-          <para>The <option>-n</option> option causes Shorewall to avoid
-          updating the routing table(s).</para>
+          policies.</para>
 
           <para>The <option>-p</option> option causes the connection tracking
           table to be flushed; the <command>conntrack</command> utility must
@@ -779,11 +1009,18 @@
           <para>Stops the firewall. All existing connections, except those
           listed in <ulink
           url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
-          or permitted by the ADMINISABSENTMINDED option in shorewall.conf(5),
-          are taken down. The only new traffic permitted through the firewall
-          is from systems listed in <ulink
+          or permitted by the ADMINISABSENTMINDED option in <ulink
+          url="shorewall.conf.html">shorewall.conf</ulink>(5), are taken down.
+          The only new traffic permitted through the firewall is from systems
+          listed in <ulink
           url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
           or by ADMINISABSENTMINDED.</para>
+
+          <para>If <option>-f</option> is given, the command will be processed
+          by the compiled script that executed the last successful <emphasis
+          role="bold">start</emphasis>, <emphasis
+          role="bold">restart</emphasis> or <emphasis
+          role="bold">refresh</emphasis> command if that script exists.</para>
         </listitem>
       </varlistentry>
 
@@ -800,7 +1037,9 @@
         <term><emphasis role="bold">version</emphasis></term>
 
         <listitem>
-          <para>Displays Shorewall-lite's version.</para>
+          <para>Displays Shorewall's version. The <option>-a</option> option
+          is included for compatibility with earlier Shorewall releases and is
+          ignored.</para>
         </listitem>
       </varlistentry>
     </variablelist>
@@ -819,13 +1058,13 @@
     url="http://www.shorewall.net/starting_and_stopping_shorewall.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>
 
     <para>shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
-    shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
     shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
     shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
-    shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
-    shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
-    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
-    shorewall-zones(5)</para>
+    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
+    shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
+    shorewall-tunnels(5), shorewall-zones(5)</para>
   </refsect1>
 </refentry>

Shorewall-lite/shorecap

@@ -48,10 +48,14 @@
 SHAREDIR=/usr/share/shorewall-lite
 VARDIR=/var/lib/shorewall-lite
 CONFDIR=/etc/shorewall-lite
+g_program=shorewall-lite
 g_product="Shorewall Lite"
+g_family=4
+g_base=shorewall
+g_basedir=/usr/share/shorewall-lite
 
 . /usr/share/shorewall-lite/lib.base
-. /usr/share/shorewall-lite/lib.cli
+. /usr/share/shorewall/lib.cli
 . /usr/share/shorewall-lite/configpath
 
 [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
@@ -60,6 +64,8 @@ SHOREWALL_VERSION=$(cat /usr/share/shorewall-lite/version)
 
 [ -n "$IPTABLES" ] || IPTABLES=$(mywhich iptables)
 
+g_tool=$IPTABLES
+
 VERBOSITY=0
 load_kernel_modules No
 determine_capabilities

Shorewall-lite/shorewall-lite

@@ -1,14 +1,13 @@
 #!/bin/sh
 #
-#     Shorewall Lite Packet Filtering Firewall Control Program - V4.4
+#     Shorewall Lite Packet Filtering Firewall Control Program - V4.5
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2006,2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011 - 
+#         Tom Eastep (teastep@shorewall.net)
 #
-#	This file should be placed in /sbin/shorewall-lite.
-#
-#	Shorewall documentation is available at http://shorewall.net
+#	Shorewall documentation is available at http://www.shorewall.net
 #
 #	This program is free software; you can redistribute it and/or modify
 #	it under the terms of Version 2 of the GNU General Public License
@@ -23,858 +22,11 @@
 #	along with this program; if not, write to the Free Software
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#     If an error occurs while starting or restarting the firewall, the
-#     firewall is automatically stopped.
+#       For a list of supported commands, type 'shorewall help' or 'shorewall6 help'
 #
-#     Commands are:
-#
-#     shorewall-lite dump                          Dumps all Shorewall-related information
-#                                                  for problem analysis
-#     shorewall-lite start 			   Starts the firewall
-#     shorewall-lite restart			   Restarts the firewall
-#     shorewall-lite stop			   Stops the firewall
-#     shorewall-lite status			   Displays firewall status
-#     shorewall-lite reset			   Resets iptables packet and
-#						   byte counts
-#     shorewall-lite clear			   Open the floodgates by
-#						   removing all iptables rules
-#						   and setting the three permanent
-#						   chain policies to ACCEPT
-#     shorewall-lite show <chain> [ <chain> ... ]  Display the rules in each <chain> listed
-#     shorewall-lite show log			   Print the last 20 log messages
-#     shorewall-lite show connections		   Show the kernel's connection
-#						   tracking table
-#     shorewall-lite show nat			   Display the rules in the nat table
-#     shorewall-lite show {mangle|tos}		   Display the rules in the mangle table
-#     shorewall-lite show tc			   Display traffic control info
-#     shorewall-lite show classifiers		   Display classifiers
-#     shorewall-lite show capabilities             Display iptables/kernel capabilities
-#     shorewall-lite show vardir                   Display VARDIR setting
-#     shorewall-lite version			   Display the installed version id
-#     shorewall-lite logwatch [ refresh-interval ] Monitor the local log for Shorewall
-#						   messages.
-#     shorewall-lite drop <address> ...		   Temporarily drop all packets from the
-#						   listed address(es)
-#     shorewall-lite reject <address> ...	   Temporarily reject all packets from the
-#						   listed address(es)
-#     shorewall-lite allow <address> ...	   Reenable address(es) previously
-#						   disabled with "drop" or "reject"
-#     shorewall-lite save [ <file> ]		   Save the list of "rejected" and
-#						   "dropped" addresses so that it will
-#						   be automatically reinstated the
-#						   next time that Shorewall starts.
-#                                                  Save the current state so that 'shorewall
-#                                                  restore' can be used.
-#
-#     shorewall-lite forget [ <file> ]             Discard the data saved by 'shorewall save'
-#
-#     shorewall-lite restore [ <file> ]            Restore the state of the firewall from
-#                                                  previously saved information.
-#
-#     shorewall-lite ipaddr { <address>/<cidr> | <address> <netmask> }
-#
-#                                                  Displays information about the network
-#                                                  defined by the argument[s]
-#
-#     shorewall-lite iprange <address>-<address>   Decomposes a range of IP addresses into
-#                                                  a list of network/host addresses.
-#
-#     shorewall-lite ipdecimal { <address> | <integer> }
-#
-#                                                  Displays the decimal equivalent of an IP
-#                                                  address and vice versa.
+################################################################################################
+g_program=shorewall-lite
 
-#
-# Set the configuration variables from shorewall-lite.conf
-#
-get_config() {
+. /usr/share/shorewall/lib.cli
 
-    [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
-
-    [ -z "$LOGFILE" ] && LOGFILE=/var/log/messages
-
-    if ( ps ax 2> /dev/null | grep -v grep |  qt grep 'syslogd.*-C' ) ; then
-	g_logread="logread | tac"
-    elif [ -r $LOGFILE ]; then
-	g_logread="tac $LOGFILE"
-    else
-	echo "LOGFILE ($LOGFILE) does not exist!" >&2
-	exit 2
-    fi
-    #
-    # See if we have a real version of "tail" -- use separate redirection so
-    # that ash (aka /bin/sh on LRP) doesn't crap
-    #
-    if ( tail -n5 /dev/null > /dev/null 2> /dev/null ) ; then
-	realtail="Yes"
-    else
-	realtail=""
-    fi
-
-    [ -n "$FW" ] || FW=fw
-
-    if [ -n "$IPTABLES" ]; then
-	if [ ! -x "$IPTABLES" ]; then
-	    echo "   ERROR: The program specified in IPTABLES does not exist or is not executable" >&2
-	    exit 2
-	fi
-    else
-	IPTABLES=$(mywhich iptables 2> /dev/null)
-	if [ -z "$IPTABLES" ] ; then
-	    echo "   ERROR: Can't find iptables executable" >&2
-	    exit 2
-	fi
-    fi
-
-    if [ -n "$SHOREWALL_SHELL" ]; then
-	if [ ! -x "$SHOREWALL_SHELL" ]; then
-	    echo "   WARNING: The program specified in SHOREWALL_SHELL does not exist or is not executable; falling back to /bin/sh" >&2
-	    SHOREWALL_SHELL=/bin/sh
-	fi
-    fi
-
-    [ -n "$RESTOREFILE" ] || RESTOREFILE=restore
-
-    validate_restorefile RESTOREFILE
-
-    [ -n "${VERBOSITY:=2}" ]
-
-    [ -n "$g_use_verbosity" ] && VERBOSITY=$g_use_verbosity || VERBOSITY=$(($g_verbose_offset + $VERBOSITY))
-
-    if [ $VERBOSITY -lt -1 ]; then
-	VERBOSITY=-1
-    elif [ $VERBOSITY -gt 2 ]; then
-	VERBOSITY=2
-    fi
-
-    g_hostname=$(hostname 2> /dev/null)
-
-    IP=$(mywhich ip 2> /dev/null)
-    if [ -z "$IP" ] ; then
-	echo "   ERROR: Can't find ip executable" >&2
-	exit 2
-    fi
-
-    IPSET=ipset
-    TC=tc
-
-}
-
-#
-# Verify that we have a compiled firewall script
-#
-verify_firewall_script() {
-    if [ ! -f $g_firewall ]; then
-	echo "   ERROR: Shorewall Lite is not properly installed" >&2
-	if [ -L $g_firewall ]; then
-	    echo "          $g_firewall is a symbolic link to a" >&2
-	    echo "          non-existant file" >&2
-	else
-	    echo "          The file $g_firewall does not exist" >&2
-	fi
-	
-	exit 2
-    fi
-}
-
-#
-# Fatal error
-#
-startup_error() {
-    echo "   ERROR: $@" >&2
-    kill $$
-    exit 1
-}
-
-#
-# Start Command Executor
-#
-start_command() {
-    local finished
-    finished=0
-
-    do_it() {
-	local rc
-	rc=0
-	[ -n "$nolock" ] || mutex_on
-
-	if [ -x ${LITEDIR}/firewall ]; then
-	    run_it ${LITEDIR}/firewall $debugging start
-	    rc=$?
-	else
-	    error_message "${LITEDIR}/firewall is missing or is not executable"
-	    logger -p kern.err "ERROR:Shorewall Lite start failed"
-	    rc=2
-	fi
-
-	[ -n "$nolock" ] || mutex_off
-	exit $rc
-    }
-
-    verify_firewall_script
-
-    if shorewall_is_started; then
-	error_message "Shorewall is already running"
-	exit 0
-    fi
-
-    while [ $finished -eq 0 -a $# -gt 0 ]; do
-	option=$1
-	case $option in
-	    -*)
-		option=${option#-}
-
-		while [ -n "$option" ]; do
-		    case $option in
-			-)
-			    finished=1
-			    option=
-			    ;;
-			f*)
-			    g_fast=Yes
-			    option=${option#f}
-			    ;;
-			p*)
-			    [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
-			    g_purge=Yes
-			    option=${option%p}
-			    ;;
-			*)
-			    usage 1
-			    ;;
-		    esac
-		done
-		shift
-		;;
-	    *)
-		finished=1
-		;;
-	esac
-    done
-
-    case $# in
-	0)
-	    ;;
-	*)
-	    usage 1
-	    ;;
-    esac
-
-    if [ -n "$g_fast" ]; then
-	if qt mywhich make; then
-	    export RESTOREFILE
-	    make -qf ${CONFDIR}/Makefile || g_fast=
-	fi
-
-	if [ -n "$g_fast" ]; then
-
-	    g_restorepath=${VARDIR}/$RESTOREFILE
-
-	    if [ -x $g_restorepath ]; then
-		echo Restoring Shorewall Lite...
-		run_it $g_restorepath restore
-		date > ${VARDIR}/restarted
-		progress_message3 Shorewall Lite restored from $g_restorepath
-	    else
-		do_it
-	    fi
-	else
-	    do_it
-	fi
-    else
-	do_it
-    fi
-}
-
-#
-# Restart Command Executor
-#
-restart_command() {
-    local finished
-    finished=0
-    local rc
-    rc=0
-
-    verify_firewall_script
-
-    while [ $finished -eq 0 -a $# -gt 0 ]; do
-	option=$1
-	case $option in
-	    -*)
-		option=${option#-}
-
-		while [ -n "$option" ]; do
-		    case $option in
-			-)
-			    finished=1
-			    option=
-			    ;;
-			n*)
-			    g_noroutes=Yes
-			    option=${option#n}
-			    ;;
-			p*)
-			    [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
-			    g_purge=Yes
-			    option=${option%p}
-			    ;;
-			*)
-			    usage 1
-			    ;;
-		    esac
-		done
-		shift
-		;;
-	    *)
-		finished=1
-		;;
-	esac
-    done
-
-    case $# in
-	0)
-	    ;;
-	*)
-	    usage 1
-	    ;;
-    esac
-
-    [ -n "$nolock" ] || mutex_on
-
-    if [ -x ${LITEDIR}/firewall ]; then
-	run_it ${LITEDIR}/firewall $debugging restart
-	rc=$?
-    else
-	error_message "${LITEDIR}/firewall is missing or is not executable"
-	logger -p kern.err "ERROR:Shorewall Lite restart failed"
-	rc=2
-    fi
-
-    [ -n "$nolock" ] || mutex_off
-    return $rc
-}
-
-#
-# Give Usage Information
-#
-usage() # $1 = exit status
-{
-    echo "Usage: $(basename $0) [debug|trace] [nolock] [ -q ] [ -v[-1|{0-2}] ] [ -t ] <command>"
-    echo "where <command> is one of:"
-    echo "   add <interface>[:<host-list>] ... <zone>"
-    echo "   allow <address> ..."
-    echo "   clear"
-    echo "   delete <interface>[:<host-list>] ... <zone>"
-    echo "   drop <address> ..."
-    echo "   dump [ -x ]"
-    echo "   forget [ <file name> ]"
-    echo "   help"
-    echo "   ipcalc { <address>/<vlsm> | <address> <netmask> }"
-    echo "   ipdecimal { <address> | <integer> }"
-    echo "   iprange <address>-<address>"
-    echo "   logdrop <address> ..."
-    echo "   logreject <address> ..."
-    echo "   logwatch [<refresh interval>]"
-    echo "   reject <address> ..."
-    echo "   reset [ <chain> ... ]"
-    echo "   restart [ -n ] [ -p ] [ -f ] [ <directory> ]"
-    echo "   restore [ -n ] [ <file name> ]"
-    echo "   save [ <file name> ]"
-    echo "   show [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
-    echo "   show [ -f ] capabilities"
-    echo "   show classifiers"
-    echo "   show config"
-    echo "   show connections"
-    echo "   show filters"
-    echo "   show ip"
-    echo "   show [ -m ] log [<regex>]"
-    echo "   show [ -x ] mangle|nat|raw|routing"
-    echo "   show policies"
-    echo "   show tc [ device ]"
-    echo "   show vardir"
-    echo "   show zones"
-    echo "   start [ -f ] [ -p ] [ <directory> ]"
-    echo "   stop"
-    echo "   status"
-    echo "   version [ -a ]"
-    echo
-    exit $1
-}
-
-version_command() {
-    local finished
-    finished=0
-    local all
-    all=
-    local product
-
-    while [ $finished -eq 0 -a $# -gt 0 ]; do
-	option=$1
-	case $option in
-	    -*)
-		option=${option#-}
-
-		while [ -n "$option" ]; do
-		    case $option in
-			-)
-			    finished=1
-			    option=
-			    ;;
-			a*)
-			    all=Yes
-			    option=${option#a}
-			    ;;
-			*)
-			    usage 1
-			    ;;
-		    esac
-		done
-		shift
-		;;
-	    *)
-		finished=1
-		;;
-	esac
-    done
-
-    [ $# -gt 0 ] && usage 1
-
-    echo $SHOREWALL_VERSION
-    
-    if [ -n "$all" ]; then
-	for product in shorewall shorewall6 shorewall6-lite shorewall-init; do
-	    if [ -f /usr/share/$product/version ]; then
-		echo "$product: $(cat /usr/share/$product/version)"
-	    fi
-	done
-    fi
-}
-
-#
-# Execution begins here
-#
-debugging=
-
-if [ $# -gt 0 ] && [ "$1" = "debug" -o "$1" = "trace" ]; then
-    debugging=$1
-    shift
-fi
-
-nolock=
-
-if [ $# -gt 0 ] && [ "$1" = "nolock" ]; then
-    nolock=nolock
-    shift
-fi
-
-g_ipt_options="-nv"
-g_fast=
-g_verbose_offset=0
-g_use_verbosity=
-g_noroutes=
-g_timestamp=
-g_recovering=
-g_logread=
-
-#
-# Make sure that these variables are cleared
-#
-VERBOSE=
-VERBOSITY=
-
-finished=0
-
-while [ $finished -eq 0 ]; do
-    [ $# -eq 0 ] && usage 1
-    option=$1
-    case $option in
-	-)
-	    finished=1
-	    ;;
-	-*)
-	    option=${option#-}
-
-	    [ -z "$option" ] && usage 1
-
-	    while [ -n "$option" ]; do
-		case $option in
-		    x*)
-			g_ipt_options="-xnv"
-			option=${option#x}
-			;;
-		    q*)
-			g_verbose_offset=$(($g_verbose_offset - 1 ))
-			option=${option#q}
-			;;
-		    f*)
-			g_fast=Yes
-			option=${option#f}
-			;;
-		    v*)
-			option=${option#v}
-			case $option in 
-			    -1*)
-				g_use_verbosity=-1
-				option=${option#-1}
-				;;
-			    0*)
-				g_use_verbosity=0
-				option=${option#0}
-				;;
-			    1*)
-				g_use_verbosity=1
-				option=${option#1}
-				;;
-			    2*)
-				g_use_verbosity=2
-				option=${option#2}
-				;;
-			    *)
-				g_verbose_offset=$(($g_verbose_offset + 1 ))
-				g_use_verbosity=
-				;;
-			esac
-			;;
-		    n*)
-			g_noroutes=Yes
-			option=${option#n}
-			;;
-		    t*)
-			g_timestamp=Yes
-			option=${option#t}
-			;;
-		    -)
-			finished=1
-			option=
-			;;
-		    *)
-			usage 1
-			;;
-		esac
-	    done
-	    shift
-	    ;;
-	*)
-	    finished=1
-            ;;
-    esac
-done
-
-if [ $# -eq 0 ]; then
-    usage 1
-fi
-
-PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
-MUTEX_TIMEOUT=
-
-SHAREDIR=/usr/share/shorewall-lite
-CONFDIR=/etc/shorewall-lite
-g_product="Shorewall Lite"
-g_libexec=share
-
-[ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir ]
-
-[ -n "${VARDIR:=/var/lib/shorewall-lite}" ]
-
-[ -d $VARDIR ] || mkdir -p $VARDIR || fatal_error "Unable to create $VARDIR"
-
-version_file=$SHAREDIR/version
-
-for library in base cli; do
-    . ${SHAREDIR}/lib.$library
-done
-
-ensure_config_path
-
-config=$(find_file shorewall-lite.conf)
-
-if [ -f $config ]; then
-    if [ -r $config ]; then
-	. $config
-    else
-	echo "Cannot read $config! (Hint: Are you root?)" >&2
-	exit 1
-    fi
-else
-    echo "$config does not exist!" >&2
-    exit 2
-fi
-
-ensure_config_path
-
-LITEDIR=${VARDIR}
-
-[ -f ${LITEDIR}/firewall.conf ] && . ${LITEDIR}/firewall.conf
-
-get_config
-
-g_firewall=$LITEDIR/firewall
-
-if [ -f $version_file ]; then
-    SHOREWALL_VERSION=$(cat $version_file)
-else
-    echo "   ERROR: Shorewall Lite is not properly installed" >&2
-    echo "          The file $version_file does not exist" >&2
-    exit 1
-fi
-
-banner="Shorewall Lite $SHOREWALL_VERSION Status at $g_hostname -"
-
-case $(echo -e) in
-    -e*)
-	RING_BELL="echo \a"
-	ECHO_E="echo"
-	;;
-    *)
-	RING_BELL="echo -e \a"
-	ECHO_E="echo -e"
-	;;
-esac
-
-case $(echo -n "Testing") in
-    -n*)
-	ECHO_N=
-	;;
-    *)
-	ECHO_N=-n
-	;;
-esac
-
-COMMAND=$1
-
-case "$COMMAND" in
-    start)
-	shift
-	start_command $@
-	;;
-    stop|reset|clear)
-	[ $# -ne 1 ] && usage 1
-	verify_firewall_script
-	[ -n "$nolock" ] || mutex_on
-	run_it $g_firewall $debugging $COMMAND
-	[ -n "$nolock" ] || mutex_off
-	;;
-    restart)
-	shift
-	restart_command
-	;;
-    show|list)
-    	shift
-    	show_command $@
-	;;
-    status)
-	[ $# -eq 1 ] || usage 1
-	[ "$(id -u)" != 0 ] && fatal_error "ERROR: The status command may only be run by root"
-	echo "Shorewall Lite $SHOREWALL_VERSION Status at $g_hostname - $(date)"
-	echo
-	if shorewall_is_started ; then
-	    echo "Shorewall Lite is running"
-	    status=0
-	else
-	    echo "Shorewall Lite is stopped"
-	    status=4
-	fi
-
-	if [ -f ${VARDIR}/state ]; then
-	    state="$(cat ${VARDIR}/state)"
-	    case $state in
-		Stopped*|Closed*|Clear*)
-		    status=3
-		    ;;
-	    esac
-	else
-	    state=Unknown
-	fi
-	echo "State:$state"
-	echo
-	exit $status
-	;;
-    dump)
-    	shift
-    	dump_command $@
-	;;
-    hits)
-	[ -n "$debugging" ] && set -x
-	shift
-	hits_command $@
-	;;
-    version)
-	shift
-	version_command $@
-	;;
-    logwatch)
-	logwatch_command $@
-	;;
-    drop)
-	[ -n "$debugging" ] && set -x
-	[ $# -eq 1 ] && usage 1
-	if shorewall_is_started ; then
-	    [ -n "$nolock" ] || mutex_on
-	    block DROP Dropped $*
-	    [ -n "$nolock" ] || mutex_off
-	else
-	    error_message "ERROR: Shorewall Lite is not started"
-	    exit 2
-	fi
-	;;
-    logdrop)
-	[ -n "$debugging" ] && set -x
-	[ $# -eq 1 ] && usage 1
-	if shorewall_is_started ; then
-	    [ -n "$nolock" ] || mutex_on
-	    block logdrop Dropped $*
-	    [ -n "$nolock" ] || mutex_off
-	else
-	    error_message "ERROR: Shorewall Lite is not started"
-	    exit 2
-	fi
-	;;
-    reject|logreject)
-	[ -n "$debugging" ] && set -x
-	[ $# -eq 1 ] && usage 1
-	if shorewall_is_started ; then
-	    [ -n "$nolock" ] || mutex_on
-	    block $COMMAND Rejected $*
-	    [ -n "$nolock" ] || mutex_off
-	else
-	    error_message "ERROR: Shorewall Lite is not started"
-	    exit 2
-	fi
-	;;
-    allow)
-	allow_command $@
-	;;
-    add)
-	get_config
-	shift
-	add_command $@
-	;;
-    delete)
-	get_config
-	shift
-	add_command $@
-	;;
-    save)
-	[ -n "$debugging" ] && set -x
-
-	case $# in
-	1)
-	    ;;
-	2)
-	    RESTOREFILE="$2"
-	    validate_restorefile '<restore file>'
-	    ;;
-	*)
-	    usage 1
-	    ;;
-	esac
-
-	g_restorepath=${VARDIR}/$RESTOREFILE
-
-	[ "$nolock" ] || mutex_on
-
-	save_config
-
-	[ "$nolock" ] || mutex_off
-	;;
-    forget)
-	case $# in
-	1)
-	    ;;
-	2)
-	    RESTOREFILE="$2"
-	    validate_restorefile '<restore file>'
-	    ;;
-	*)
-	    usage 1
-	    ;;
-	esac
-
-
-	g_restorepath=${VARDIR}/$RESTOREFILE
-
-	if [ -x $g_restorepath ]; then
-	    rm -f $g_restorepath
-	    rm -f ${g_restorepath}-iptables
-	    rm -f ${g_restorepath}-ipsets
-	    echo "    $g_restorepath removed"
-	elif [ -f $g_restorepath ]; then
-	    echo "   $g_restorepath exists and is not a saved Shorewall configuration"
-	fi
-	rm -f ${VARDIR}/save
-	;;
-    ipcalc)
-    	[ -n "$debugging" ] && set -x
-	if [ $# -eq 2 ]; then
-	    address=${2%/*}
-	    vlsm=${2#*/}
-	elif [ $# -eq 3 ]; then
-	    address=$2
-	    vlsm=$(ip_vlsm $3)
-	else
-	    usage 1
-	fi
-
-	valid_address $address || fatal_error "Invalid IP address: $address"
-	[ -z "$vlsm" ] && exit 2
-	[ "x$address" = "x$vlsm" ] && usage 2
-	[ $vlsm -gt 32 ] && echo "Invalid VLSM: /$vlsm" >&2 && exit 2
-
-	address=$address/$vlsm
-
-	                                   echo "   CIDR=$address"
-	temp=$(ip_netmask $address);       echo "   NETMASK=$(encodeaddr $temp)"
-	temp=$(ip_network $address);       echo "   NETWORK=$temp"
-	temp=$(broadcastaddress $address); echo "   BROADCAST=$temp"
-	;;
-
-    iprange)
-	[ -n "$debugging" ] && set -x
-	case $2 in
-	    *.*.*.*-*.*.*.*)
-		for address in ${2%-*} ${2#*-}; do
-		    valid_address $address || fatal_error "Invalid IP address: $address"
-		done
-
-		ip_range $2
-		;;
-	    *)
-		usage 1
-		;;
-	esac
-	;;
-    ipdecimal)
-	[ -n "$debugging" ] && set -x
-	[ $# -eq 2 ] || usage 1
-	case $2 in
-	    *.*.*.*)
-		valid_address $2 || fatal_error "Invalid IP address: $2"
-		echo "   $(decodeaddr $2)"
-		;;
-	    *)
-		echo "   $(encodeaddr $2)"
-		;;
-	esac
-	;;
-    restore)
-	shift
-	STARTUP_ENABLED=Yes
-	restore_command $@
-        ;;
-    call)
-	[ -n "$debugging" ] && set -x
-	#
-	# Undocumented way to call functions in ${SHAREDIR}/functions directly
-	#
-	shift
-	$@
-	;;
-    help)
-	shift
-	usage
-	;;
-    *)
-	usage 1
-	;;
-
-esac
+shorewall_cli $@

Shorewall-lite/shorewall-lite.service

@@ -14,7 +14,6 @@ RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall-lite
 StandardOutput=syslog
 ExecStart=/sbin/shorewall-lite $OPTIONS start
-ExecReload=/sbin/shorewall-lite $OPTIONS restart
 ExecStop=/sbin/shorewall-lite $OPTIONS stop
 
 [Install]

Shorewall/Macros/macro.MSNP

@@ -0,0 +1,11 @@
+#
+# Shorewall version 4 - MSNP Macro
+#
+# /usr/share/shorewall/macro.MSNP
+#
+#	This macro handles MSNP (MicroSoft Notification Protocol)
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S)	PORT(S)	LIMIT	GROUP
+PARAM	-	-	tcp	1863

Shorewall/Macros/macro.Syslog

@@ -3,9 +3,10 @@
 #
 # /usr/share/shorewall/macro.Syslog
 #
-#	This macro handles syslog UDP traffic.
+#	This macro handles syslog traffic.
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 PARAM	-	-	udp	514
+PARAM	-	-	tcp	514

Shorewall/Perl/Shorewall/Accounting.pm

@@ -141,7 +141,10 @@ sub process_accounting_rule( ) {
 
     $jumpchainref = 0;
 
-    my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers ) = split_line1 1, 11, 'Accounting File', $accounting_commands;
+    my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers ) =
+	split_line1 'Accounting File', { action => 0, chain => 1, source => 2, dest => 3, proto => 4, dport => 5, sport => 6, user => 7, mark => 8, ipsec => 9, headers => 10 }, $accounting_commands;
+
+    fatal_error 'ACTION must be specified' if $action eq '-';
 
     if ( $action eq 'COMMENT' ) {
 	process_comment;

Shorewall/Perl/Shorewall/Compiler.pm

@@ -1,10 +1,10 @@
 #! /usr/bin/perl -w
 #
-#     The Shoreline Firewall Packet Filtering Firewall Compiler - V4.4
+#     The Shoreline Firewall Packet Filtering Firewall Compiler - V4.5
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010,2011,2012 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -54,10 +54,10 @@ my $family;
 #
 # Initilize the package-globals in the other modules
 #
-sub initialize_package_globals() {
+sub initialize_package_globals( $ ) {
     Shorewall::Config::initialize($family);
     Shorewall::Chains::initialize ($family, 1, $export );
-    Shorewall::Zones::initialize ($family);
+    Shorewall::Zones::initialize ($family, shift);
     Shorewall::Nat::initialize;
     Shorewall::Providers::initialize($family);
     Shorewall::Tc::initialize($family);
@@ -71,7 +71,7 @@ sub initialize_package_globals() {
 #
 # First stage of script generation.
 #
-#    Copy prog.header and lib.common to the generated script.
+#    Copy prog.header, lib.core and lib.common to the generated script.
 #    Generate the various user-exit jacket functions.
 #
 #    Note: This function is not called when $command eq 'check'. So it must have no side effects other
@@ -95,7 +95,8 @@ sub generate_script_1( $ ) {
 		copy $globals{SHAREDIRPL} . 'prog.header6';
 	    }
 
-	    copy2 $globals{SHAREDIR} . '/lib.common', 0;
+	    copy2 $globals{SHAREDIRPL} . '/lib.core', 0;
+	    copy2 $globals{SHAREDIRPL} . '/lib.common', 0;
 	}
 
     }
@@ -162,27 +163,39 @@ sub generate_script_2() {
     push_indent;
 
     if ( $family == F_IPV4 ) {
+	emit( 'g_family=4' );
+
 	if ( $export ) {
 	    emit ( 'SHAREDIR=/usr/share/shorewall-lite',
 		   'CONFDIR=/etc/shorewall-lite',
-		   'g_product="Shorewall Lite"'
+		   'g_product="Shorewall Lite"',
+		   'g_program=shorewall-lite',
+		   'g_basedir=/usr/share/shorewall-lite',
 		 );
 	} else {
 	    emit ( 'SHAREDIR=/usr/share/shorewall',
 		   'CONFDIR=/etc/shorewall',
-		   'g_product=\'Shorewall\'',
+		   'g_product=Shorewall',
+		   'g_program=shorewall',
+		   'g_basedir=/usr/share/shorewall',
 		 );
 	}
     } else {
+	emit( 'g_family=6' );
+
 	if ( $export ) {
 	    emit ( 'SHAREDIR=/usr/share/shorewall6-lite',
 		   'CONFDIR=/etc/shorewall6-lite',
-		   'g_product="Shorewall6 Lite"'
+		   'g_product="Shorewall6 Lite"',
+		   'g_program=shorewall6-lite',
+		   'g_basedir=/usr/share/shorewall6',
 		 );
 	} else {
 	    emit ( 'SHAREDIR=/usr/share/shorewall6',
 		   'CONFDIR=/etc/shorewall6',
-		   'g_product=\'Shorewall6\'',
+		   'g_product=Shorewall6',
+		   'g_program=shorewall6',
+		   'g_basedir=/usr/share/shorewall'
 		 );
 	}
     }
@@ -432,6 +445,10 @@ sub generate_script_3($) {
     save_policies;
     emit_unindented '__EOF__';
 
+    emit 'cat > ${VARDIR}/marks << __EOF__';
+    dump_mark_layout;
+    emit_unindented '__EOF__';
+
     pop_indent;
 
     emit "fi\n";
@@ -457,6 +474,7 @@ sub generate_script_3($) {
     fi
 EOF
     pop_indent;
+    setup_load_distribution;
     setup_forwarding( $family , 1 );
     push_indent;
 
@@ -469,14 +487,18 @@ else
     if [ \$COMMAND = refresh ]; then
         chainlist_reload
 EOF
+    setup_load_distribution;
     setup_forwarding( $family , 0 );
 
+    emit( '        run_refreshed_exit' ,
+	  '        do_iptables -N shorewall' ,
+	  "        set_state Started $config_dir" ,
+	  '    else' ,
+	  '        setup_netfilter' );
+    
+    setup_load_distribution;
+
     emit<<"EOF";
-        run_refreshed_exit
-        do_iptables -N shorewall
-        set_state Started $config_dir
-    else
-        setup_netfilter
         conditionally_flush_conntrack
 EOF
     setup_forwarding( $family , 0 );
@@ -518,15 +540,15 @@ EOF
 
 }
 
-#1
+#
 #  The Compiler.
 #
 #     Arguments are named -- see %parms below.
 #
 sub compiler {
 
-    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate ) =
-       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0,        0,         0,        0,        );
+    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $convert, $config_path ) =
+       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0,        0,         0,        0,        , 0       , '');
 
     $export = 0;
     $test   = 0;
@@ -561,7 +583,9 @@ sub compiler {
 		  preview       => { store => \$preview,       validate=> \&validate_boolean    } ,    
 		  confess       => { store => \$confess,       validate=> \&validate_boolean    } ,
 		  update        => { store => \$update,        validate=> \&validate_boolean    } ,
-		  annotate      => { store => \$annotate,      validate=> \&validate_boolean    } ,		  
+		  convert       => { store => \$convert,       validate=> \&validate_boolean    } ,
+		  annotate      => { store => \$annotate,      validate=> \&validate_boolean    } ,
+		  config_path   => { store => \$config_path } ,
 		);
     #
     #                               P A R A M E T E R    P R O C E S S I N G
@@ -579,7 +603,9 @@ sub compiler {
     #
     # Now that we know the address family (IPv4/IPv6), we can initialize the other modules' globals
     #
-    initialize_package_globals;
+    initialize_package_globals( $update );
+
+    set_config_path( $config_path ) if $config_path;
 
     if ( $directory ne '' ) {
 	fatal_error "$directory is not an existing directory" unless -d $directory;
@@ -596,14 +622,9 @@ sub compiler {
     #                      S H O R E W A L L . C O N F  A N D  C A P A B I L I T I E S
     #
     get_configuration( $export , $update , $annotate );
-
-    report_capabilities unless $config{LOAD_HELPERS_ONLY};
-
-    require_capability( 'MULTIPORT'       , "Shorewall $globals{VERSION}" , 's' );
-    require_capability( 'RECENT_MATCH'    , 'MACLIST_TTL' , 's' )           if $config{MACLIST_TTL};
-    require_capability( 'XCONNMARK'       , 'HIGH_ROUTE_MARKS=Yes' , 's' )  if $config{PROVIDER_OFFSET} > 0;
-    require_capability( 'MANGLE_ENABLED'  , 'Traffic Shaping' , 's'      )  if $config{TC_ENABLED};
-
+    #
+    # Create a temp file to hold the script
+    #
     if ( $scriptfilename ) {
 	set_command( 'compile', 'Compiling', 'Compiled' );
 	create_temp_script( $scriptfilename , $export );
@@ -612,7 +633,7 @@ sub compiler {
     }
     #
     # Chain table initialization depends on shorewall.conf and capabilities. So it must be deferred until
-    # shorewall.conf has been processed and the capabilities have been determined.
+    # now when shorewall.conf has been processed and the capabilities have been determined.
     #
     initialize_chain_table(1);
     #
@@ -673,7 +694,7 @@ sub compiler {
     #
     # Do all of the zone-independent stuff (mostly /proc)
     #
-    add_common_rules;
+    add_common_rules( $convert );
     #
     # More /proc
     #
@@ -757,12 +778,12 @@ sub compiler {
 	# Setup Nat
 	#
 	setup_nat;
-	#
-	# Setup NETMAP
-	#
-	setup_netmap;
     }
 
+    #
+    # Setup NETMAP
+    #
+    setup_netmap;
     #
     # MACLIST Filtration
     #
@@ -770,7 +791,7 @@ sub compiler {
     #
     # Process the rules file.
     #
-    process_rules;
+    process_rules( $convert );
     #
     # Add Tunnel rules.
     #
@@ -794,7 +815,9 @@ sub compiler {
 	#
 	generate_matrix;
 
-	if ( $config{OPTIMIZE} & 0xE ) {
+	optimize_level0;
+
+	if ( $config{OPTIMIZE} & 0x1E ) {
 	    progress_message2 'Optimizing Ruleset...';
 	    #
 	    # Optimize Policy Chains
@@ -803,7 +826,7 @@ sub compiler {
 	    #
 	    # More Optimization
 	    #
-	    optimize_ruleset if $config{OPTIMIZE} & 0xC;
+	    optimize_ruleset if $config{OPTIMIZE} & 0x1C;
 	}
 
 	enable_script;
@@ -836,13 +859,7 @@ sub compiler {
 	#
 	# Copy the footer to the script
 	#
-	unless ( $test ) {
-	    if ( $family == F_IPV4 ) {
-		copy $globals{SHAREDIRPL} . 'prog.footer';
-	    } else {
-		copy $globals{SHAREDIRPL} . 'prog.footer6';
-	    }
-	}
+	copy $globals{SHAREDIRPL} . 'prog.footer' unless $test;
 
 	disable_script;
 	#
@@ -863,16 +880,18 @@ sub compiler {
 	    #
 	    generate_matrix;
 
-	    if ( $config{OPTIMIZE} & 0xE ) {
+	    optimize_level0;
+
+	    if ( $config{OPTIMIZE} & OPTIMIZE_MASK ) {
 		progress_message2 'Optimizing Ruleset...';
 		#
 		# Optimize Policy Chains
 		#
-		optimize_policy_chains if $config{OPTIMIZE} & 2;
+		optimize_policy_chains if $config{OPTIMIZE} & OPTIMIZE_POLICY_MASK;
 		#
 		# Ruleset Optimization
 		#
-		optimize_ruleset if $config{OPTIMIZE} & 0xC;
+		optimize_ruleset if $config{OPTIMIZE} & OPTIMIZE_RULESET_MASK;
 	    }
 
 	    enable_script if $debug;

Shorewall/Perl/Shorewall/Config.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010,2011,2012 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -63,7 +63,7 @@ our @EXPORT = qw(
 		 require_capability
                 );
 
-our @EXPORT_OK = qw( $shorewall_dir initialize set_config_path shorewall);
+our @EXPORT_OK = qw( $shorewall_dir initialize shorewall);
 
 our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       finalize_script
@@ -87,6 +87,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       set_timestamp
 				       set_verbosity
 				       set_log
+				       set_config_path
 				       close_log
 				       set_command
 				       push_indent
@@ -126,6 +127,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       run_user_exit1
 				       run_user_exit2
 				       generate_aux_config
+				       dump_mark_layout
 
 				       $product
 				       $Product
@@ -134,6 +136,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       $doing
 				       $done
 				       $currentline
+				       $currentfilename
 				       $debug
 				       %config
 				       %globals
@@ -268,6 +271,8 @@ my  %capdesc = ( NAT_ENABLED     => 'NAT',
 		 TIME_MATCH      => 'Time Match',
 		 GOTO_TARGET     => 'Goto Support',
 		 LOG_TARGET      => 'LOG Target',
+		 ULOG_TARGET     => 'ULOG Target',
+		 NFLOG_TARGET    => 'NFLOG Target',
 		 LOGMARK_TARGET  => 'LOGMARK Target',
 		 IPMARK_TARGET   => 'IPMARK Target',
 		 PERSISTENT_SNAT => 'Persistent SNAT',
@@ -280,6 +285,13 @@ my  %capdesc = ( NAT_ENABLED     => 'NAT',
 		 ACCOUNT_TARGET  => 'ACCOUNT Target',
 		 AUDIT_TARGET    => 'AUDIT Target',
 		 RAWPOST_TABLE   => 'Rawpost Table',
+		 CONDITION_MATCH => 'Condition Match',
+		 IPTABLES_S      => 'iptables -S',
+		 BASIC_FILTER    => 'Basic Filter',
+		 CT_TARGET       => 'CT Target',
+		 STATISTIC_MATCH => 
+		                    'Statistics Match',
+		 IMQ_TARGET      => 'IMQ Target',
 		 CAPVERSION      => 'Capability Version',
 		 KERNELVERSION   => 'Kernel Version',
 	       );
@@ -359,7 +371,7 @@ my @actparms;
 
 our $currentline;            # Current config file line image
 my  $currentfile;            # File handle reference
-my  $currentfilename;        # File NAME
+our $currentfilename;        # File NAME
 my  $currentlinenumber;      # Line number
 my  $perlscript;             # File Handle Reference to current temporary file being written by an in-line Perl script
 my  $perlscriptname;         # Name of that file.
@@ -383,6 +395,12 @@ my $iptables;                # Path to iptables/ip6tables
 my $tc;                      # Path to tc
 my $ip;                      # Path to ip
 
+my $shell;                   # Type of shell that processed the params file
+
+use constant { BASH    => 1,
+	       OLDBASH => 2,
+	       ASH     => 3 };
+
 use constant { MIN_VERBOSITY => -1,
 	       MAX_VERBOSITY => 2 ,
 	       F_IPV4 => 4,
@@ -391,6 +409,15 @@ use constant { MIN_VERBOSITY => -1,
 
 my %validlevels;             # Valid log levels.
 
+#
+# Deprecated options with their default values
+#
+my %deprecated = ( LOGRATE            => '' ,
+		   LOGBURST           => '' ,
+		   EXPORTPARAMS       => 'no',
+		   WIDE_TC_MARKS      => 'no',
+		   HIGH_ROUTE_MARKS   => 'no'
+		 );
 #
 # Rather than initializing globals in an INIT block or during declaration,
 # we initialize them in a function. This is done for two reasons:
@@ -438,7 +465,7 @@ sub initialize( $ ) {
 		    STATEMATCH => '-m state --state',
 		    UNTRACKED  => 0,
 		    VERSION    => "4.4.22.1",
-		    CAPVERSION => 40423 ,
+		    CAPVERSION => 40501 ,
 		  );
     #
     # From shorewall.conf file
@@ -457,6 +484,7 @@ sub initialize( $ ) {
 	  LOGBURST => undef,
 	  LOGALLNEW => undef,
 	  BLACKLIST_LOGLEVEL => undef,
+	  RELATED_LOG_LEVEL => undef,
 	  RFC1918_LOG_LEVEL => undef,
 	  MACLIST_LOG_LEVEL => undef,
 	  TCP_FLAGS_LOG_LEVEL => undef,
@@ -472,16 +500,10 @@ sub initialize( $ ) {
 	  TC => undef,
 	  IPSET => undef,
 	  PERL => undef,
-	  #
-	  #PATH is inherited
-	  #
 	  PATH => undef,
 	  SHOREWALL_SHELL => undef,
 	  SUBSYSLOCK => undef,
 	  MODULESDIR => undef,
-	  #
-	  #CONFIG_PATH is inherited
-	  #
 	  CONFIG_PATH => undef,
 	  RESTOREFILE => undef,
 	  IPSECFILE => undef,
@@ -560,6 +582,7 @@ sub initialize( $ ) {
 	  COMPLETE => undef,
 	  EXPORTMODULES => undef,
 	  LEGACY_FASTSTART => undef,
+	  USE_PHYSICAL_NAMES => undef,
 	  #
 	  # Packet Disposition
 	  #
@@ -568,13 +591,15 @@ sub initialize( $ ) {
 	  BLACKLIST_DISPOSITION => undef,
 	  SMURF_DISPOSITION => undef,
 	  SFILTER_DISPOSITION => undef,
+	  RELATED_DISPOSITION => undef,
 	  #
 	  # Mark Geometry
 	  #
 	  TC_BITS => undef,
 	  PROVIDER_BITS => undef,
 	  PROVIDER_OFFSET => undef,
-	  MASK_BITS => undef
+	  MASK_BITS => undef,
+	  ZONE_BITS => undef,
 	);
 
 
@@ -597,6 +622,7 @@ sub initialize( $ ) {
 		     PANIC   => 0,
 		     NONE    => '',
 		     NFLOG   => 'NFLOG',
+		     LOGMARK => 'LOGMARK',
 		   );
 
     #
@@ -647,6 +673,8 @@ sub initialize( $ ) {
 	       TIME_MATCH => undef,
 	       GOTO_TARGET => undef,
 	       LOG_TARGET => 1,         # Assume that we have it.
+	       ULOG_TARGET => undef,
+	       NFLOG_TARGET => undef,
 	       LOGMARK_TARGET => undef,
 	       IPMARK_TARGET => undef,
 	       TPROXY_TARGET => undef,
@@ -658,6 +686,12 @@ sub initialize( $ ) {
 	       HEADER_MATCH => undef,
 	       ACCOUNT_TARGET => undef,
 	       AUDIT_TARGET => undef,
+	       CONDITION_MATCH => undef,
+	       IPTABLES_S => undef,
+	       BASIC_FILTER => undef,
+	       CT_TARGET => undef,
+	       STATISTIC_MATCH => undef,
+	       IMQ_TARGET => undef,
 	       CAPVERSION => undef,
 	       KERNELVERSION => undef,
 	       );
@@ -952,10 +986,10 @@ sub emitstd {
 #
 # Write passed message to the script with newline but no indentation.
 #
-sub emit_unindented( $ ) {
+sub emit_unindented( $;$ ) {
     assert( $script_enabled );
 
-    print $script "$_[0]\n" if $script;
+    print $script $_[1] ? "$_[0]" : "$_[0]\n" if $script;
 }
 
 #
@@ -1256,7 +1290,7 @@ sub set_debug( $$ ) {
 #
 sub find_file($)
 {
-    my $filename=$_[0];
+    my ( $filename, $nosearch ) = @_;
 
     return $filename if $filename =~ '/';
 
@@ -1267,7 +1301,7 @@ sub find_file($)
 	return $file if -f $file;
     }
 
-    "$globals{CONFDIR}/$filename";
+    "$config_path[0]$filename";
 }
 
 sub split_list( $$ ) {
@@ -1329,46 +1363,45 @@ sub supplied( $ ) {
 
 #    ensure that it has an appropriate number of columns.
 #    supply '-' in omitted trailing columns.
+#    Handles all of the supported forms of column/pair specification
 #
-sub split_line( $$$ ) {
-    my ( $mincolumns, $maxcolumns, $description ) = @_;
+sub split_line1( $$;$ ) {
+    my ( $description, $columnsref, $nopad) = @_;
 
-    fatal_error "Shorewall Configuration file entries may not contain single quotes, double quotes, single back quotes or backslashes" if $currentline =~ /["'`\\]/;
-    fatal_error "Non-ASCII gunk in file" if $currentline =~ /[^\s[:print:]]/;
+    my @maxcolumns = ( keys %$columnsref );
+    my $maxcolumns = @maxcolumns;
+    #
+    # First see if there is a semicolon on the line; what follows will be column/value paris
+    #
+    my ( $columns, $pairs, $rest ) = split( ';', $currentline );
 
-    my @line = split( ' ', $currentline );
+    if ( supplied $pairs ) {
+	#
+	# Found it -- be sure there wasn't more than one.
+	#
+	fatal_error "Only one semicolon (';') allowed on a line" if defined $rest;
+    } elsif ( $currentline =~ /(.*){(.*)}$/ ) {
+	#
+	# Pairs are enclosed in curly brackets.
+	#
+	$columns = $1;
+	$pairs   = $2;
+    } else {
+	$pairs = '';
+    }
 
-    my $line = @line;
+    fatal_error "Shorewall Configuration file entries may not contain double quotes, single back quotes or backslashes" if $columns =~ /["`\\]/;
+    fatal_error "Non-ASCII gunk in file" if $columns =~ /[^\s[:print:]]/;
 
-    fatal_error "Invalid $description entry (too many columns)" if $line > $maxcolumns;
-
-    $line-- while $line > 0 && $line[$line-1] eq '-';
-
-    fatal_error "Invalid $description entry (too few columns)"  if $line < $mincolumns;
-
-    push @line, '-' while @line < $maxcolumns;
-
-    @line;
-}
-
-#
-# Version of 'split_line' used on files with exceptions
-#
-sub split_line1( $$$;$ ) {
-    my ( $mincolumns, $maxcolumns, $description, $nopad) = @_;
-
-    fatal_error "Shorewall Configuration file entries may not contain double quotes, single back quotes or backslashes" if $currentline =~ /["`\\]/;
-    fatal_error "Non-ASCII gunk in file" if $currentline =~ /[^\s[:print:]]/;
-
-    my @line = split( ' ', $currentline );
+    my @line = split( ' ', $columns );
 
     $nopad = { COMMENT => 0 } unless $nopad;
 
-    my $first   = $line[0];
-    my $columns = $nopad->{$first};
+    my $first     = supplied $line[0] ? $line[0] : '-';
+    my $npcolumns = $nopad->{$first};
 
-    if ( defined $columns ) {
-	fatal_error "Invalid $first entry" if $columns && @line != $columns;
+    if ( defined $npcolumns ) {
+	fatal_error "Invalid $first entry" if $npcolumns && @line != $npcolumns;
 	return @line
     }
 
@@ -1380,13 +1413,34 @@ sub split_line1( $$$;$ ) {
 
     $line-- while $line > 0 && $line[$line-1] eq '-';
 
-    fatal_error "Invalid $description entry (too few columns)"  if $line < $mincolumns;
-
     push @line, '-' while @line < $maxcolumns;
 
+    if ( supplied $pairs ) {
+	$pairs =~ s/^\s*//;
+	$pairs =~ s/\s*$//;
+
+	my @pairs = split( /,?\s+/, $pairs );
+
+	for ( @pairs ) {
+	    fatal_error "Invalid column/value pair ($_)" unless /^(\w+)(?:=>?|:)(.+)$/;
+	    my ( $column, $value ) = ( lc $1, $2 );
+	    fatal_error "Unknown column ($1)" unless exists $columnsref->{$column};
+	    $column = $columnsref->{$column};
+	    fatal_error "Non-ASCII gunk in file" if $columns =~ /[^\s[:print:]]/;
+	    $value = $1 if $value =~ /^"([^"]+)"$/;
+	    fatal_error "Column values may not contain embedded double quotes, single back quotes or backslashes" if $columns =~ /["`\\]/;
+	    fatal_error "Non-ASCII gunk in the value of the $column column" if $columns =~ /[^\s[:print:]]/;
+	    $line[$column] = $value;
+	}
+    }   
+
     @line;
 }
 
+sub split_line($$) {
+    &split_line1( @_, {} );
+}
+
 #
 # Open a file, setting $currentfile. Returns the file's absolute pathname if the file
 # exists, is non-empty  and was successfully opened. Terminates with a fatal error
@@ -1538,6 +1592,8 @@ sub copy1( $ ) {
 
 			my $filename = find_file $line[1];
 
+			warning_message "Reserved filename ($1) in INCLUDE directive" if $filename =~ '/(.*)' && $config_files{$1};
+
 			fatal_error "INCLUDE file $filename not found" unless -f $filename;
 			fatal_error "Directory ($filename) not allowed in INCLUDE" if -d _;
 
@@ -1754,7 +1810,7 @@ sub embedded_shell( $ ) {
 sub embedded_perl( $ ) {
     my $multiline = shift;
 
-    my ( $command , $linenumber ) = ( qq(package Shorewall::User;\nno strict;\nuse Shorewall::Config qw/shorewall/;\n# line $currentlinenumber "$currentfilename"\n$currentline), $currentlinenumber );
+    my ( $command , $linenumber ) = ( qq(package Shorewall::User;\nno strict;\nuse Shorewall::Config (qw/shorewall/);\n# line $currentlinenumber "$currentfilename"\n$currentline), $currentlinenumber );
 
     if ( $multiline ) {
 	#
@@ -1893,9 +1949,11 @@ sub expand_variables( \$ ) {
 	if ( $var =~ /^\d+$/ ) {
 	    fatal_error "Undefined parameter (\$$var)" unless $var > 0 && defined $actparms[$var];
 	    $val = $actparms[$var];
-	} else {
-	    fatal_error "Undefined shell variable (\$$var)" unless exists $params{$var};
+	} elsif ( exists $params{$var} ) {
 	    $val = $params{$var};
+	} else {
+	    fatal_error "Undefined shell variable (\$$var)" unless exists $config{$var};
+	    $val = $config{$var};
 	}
 
 	$val = '' unless defined $val;
@@ -1915,9 +1973,10 @@ sub expand_variables( \$ ) {
 #   - Handle INCLUDE <filename>
 #
 
-sub read_a_line(;$$) {
+sub read_a_line(;$$$) {
     my $embedded_enabled = defined $_[0] ? shift : 1;
     my $expand_variables = defined $_[0] ? shift : 1;
+    my $strip_comments   = defined $_[0] ? shift : 1;
 
     while ( $currentfile ) {
 
@@ -1937,7 +1996,7 @@ sub read_a_line(;$$) {
 	    # If this isn't a continued line, remove trailing comments. Note that
 	    # the result may now end in '\'.
 	    #
-	    s/\s*#.*$// unless /\\$/;
+	    s/\s*#.*$// if $strip_comments && ! /\\$/;
 	    #
 	    # Continuation
 	    #
@@ -1945,7 +2004,7 @@ sub read_a_line(;$$) {
 	    #
 	    # Now remove concatinated comments
 	    #
-	    $currentline =~ s/#.*$//;
+	    $currentline =~ s/#.*$// if $strip_comments;
 	    #
 	    # Ignore ( concatenated ) Blank Lines
 	    #
@@ -2105,65 +2164,77 @@ sub validate_level( $ ) {
 
     if ( supplied ( $level ) ) {
 	$level =~ s/!$//;
-	my $value = $validlevels{$level};
+	my $value = $level;
+	my $qualifier;
 
-	if ( defined $value ) {
-	    require_capability ( 'LOG_TARGET' , 'A log level other than NONE', 's' ) unless $value eq '';
+	unless ( $value =~ /^[0-7]$/ ) {
+	    level_error( $level ) unless $level =~ /^([A-Za-z0-7]+)(.*)$/ && defined( $value = $validlevels{$1} );
+	    $qualifier = $2;
+	}
+
+	if ( $value =~ /^[0-7]$/ ) {
+	    #
+	    # Syslog Level
+	    #
+	    level_error( $rawlevel ) if supplied $qualifier;
+
+	    require_capability ( 'LOG_TARGET' , "Log level $level", 's' );
 	    return $value;
 	}
 
-	if ( $level =~ /^[0-7]$/ ) {
-	    require_capability ( 'LOG_TARGET' , 'A log level other than NONE', 's' );
-	    return $level;
-	}
+	return '' unless $value;
 
-	if ( $level =~ /^(NFLOG|ULOG)[(](.*)[)]$/ ) {
-	    my $olevel  = $1;
-	    my @options = split /,/, $2;
-	    my $prefix  = lc $olevel;
-	    my $index   = $prefix eq 'ulog' ? 3 : 0;
+	require_capability( "${value}_TARGET", "Log level $level", 's' );
 
-	    level_error( $level ) if @options > 3;
+	if ( $value =~ /^(NFLOG|ULOG)$/ ) {
+	    my $olevel  = $value;
 
-	    for ( @options ) {
-		if ( supplied( $_ ) ) {
-		    level_error( $level ) unless /^\d+/;
-		    $olevel .= " --${prefix}-$suffixes[$index] $_";
+	    if ( $qualifier =~ /^[(](.*)[)]$/ ) {
+		my @options = split /,/, $1;
+		my $prefix  = lc $olevel;
+		my $index   = $prefix eq 'ulog' ? 3 : 0;
+
+		level_error( $rawlevel ) if @options > 3;
+
+		for ( @options ) {
+		    if ( supplied( $_ ) ) {
+			level_error( $rawlevel ) unless /^\d+/;
+			$olevel .= " --${prefix}-$suffixes[$index] $_";
+		    }
+
+		    $index++;
 		}
 
-		$index++;
+	    } elsif ( $qualifier =~ /^ --/ ) {
+		return $rawlevel;
+	    } else {
+		level_error( $rawlevel ) if $qualifier;
 	    }
 
-	    require_capability ( 'LOG_TARGET' , 'A log level other than NONE', 's' );
 	    return $olevel;
 	}
 
-	if ( $level =~ /^NFLOG --/ or $level =~ /^ULOG --/ ) {
-	    require_capability ( 'LOG_TARGET' , 'A log level other than NONE', 's' );
-	    return $rawlevel;
-	}
+	#
+	# Must be LOGMARK
+	#
+	my $sublevel;
 
-	if ( $level =~ /^LOGMARK --/ ) {
-	    require_capability ( 'LOG_TARGET' , 'A log level other than NONE', 's' );
-	    return $rawlevel;
-	}
+	if ( supplied $qualifier ) {
+	    return $rawlevel if $qualifier =~ /^ --/;
 
-	if ( $level =~ /LOGMARK([(](.+)[)])?$/ ) {
-	    my $sublevel = $2;
+	    if ( $qualifier =~ /[(](.+)[)]$/ ) {
+		$sublevel = $1;
 
-	    if ( $1 ) {	    
 		$sublevel = $validlevels{$sublevel} unless $sublevel =~ /^[0-7]$/;
-		level_error( $level ) unless defined $sublevel && $sublevel  =~ /^[0-7]$/;
+		level_error( $rawlevel ) unless defined $sublevel && $sublevel  =~ /^[0-7]$/;
 	    } else {
-		$sublevel = 6; # info
+		level_error( $rawlevel );
 	    }
-	    
-	    require_capability ( 'LOG_TARGET' , 'A log level other than NONE', 's' );
-	    require_capability( 'LOGMARK_TARGET' , 'LOGMARK', 's' );
-	    return "LOGMARK --log-level $sublevel";
+	} else {
+	    $sublevel = 6; # info
 	}
 
-	level_error( $rawlevel );
+	return "LOGMARK --log-level $sublevel";
     }
 
     '';
@@ -2637,12 +2708,24 @@ sub Log_Target() {
     qt1( "$iptables -A $sillyname -j LOG" );
 }
 
+sub Ulog_Target() {
+    qt1( "$iptables -A $sillyname -j ULOG" );
+}
+
+sub NFLog_Target() {
+    qt1( "$iptables -A $sillyname -j NFLOG" );
+}
+
 sub Logmark_Target() {
     qt1( "$iptables -A $sillyname -j LOGMARK" );
 }
 
 sub Flow_Filter() {
-    $tc && system( "$tc filter add flow add help 2>&1 | grep -q ^Usage" ) == 0;
+    $tc && system( "$tc filter add flow help 2>&1 | grep -q ^Usage" ) == 0;
+}
+
+sub Basic_Filter() {
+    $tc && system( "$tc filter add basic help 2>&1 | grep -q ^Usage" ) == 0;
 }
 
 sub Fwmark_Rt_Mask() {
@@ -2665,20 +2748,52 @@ sub Account_Target() {
     }
 }
 
+sub Condition_Match() {
+    qt1( "$iptables -A $sillyname -m condition --condition foo" );
+}
+
 sub Audit_Target() {
     qt1( "$iptables -A $sillyname -j AUDIT --type drop" );
 }
 
+sub Iptables_S() {
+    qt1( "$iptables -S INPUT" )
+}
+
+sub Ct_Target() {
+    my $ct_target;
+
+    if ( have_capability 'RAW_TABLE' ) {
+	qt1( "$iptables -t raw -N $sillyname" );
+	$ct_target = qt1( "$iptables -t raw -A $sillyname -j CT --notrack" );
+	qt1( "$iptables -t raw -F $sillyname" );
+	qt1( "$iptables -t raw -X $sillyname" );
+    }
+
+    $ct_target;
+}
+
+sub Statistic_Match() {
+    qt1( "$iptables -A $sillyname -m statistic --mode nth --every 2 --packet 1" );
+}
+
+sub Imq_Target() {
+    qt1( "$iptables -t mangle -A $sillyname -j IMQ --todev 0" );
+}
+
 our %detect_capability =
     ( ACCOUNT_TARGET =>\&Account_Target,
       AUDIT_TARGET => \&Audit_Target,
       ADDRTYPE => \&Addrtype,
+      BASIC_FILTER => \&Basic_Filter,
       CLASSIFY_TARGET => \&Classify_Target,
+      CONDITION_MATCH => \&Condition_Match,
       COMMENTS => \&Comments,
       CONNLIMIT_MATCH => \&Connlimit_Match,
       CONNMARK => \&Connmark,
       CONNMARK_MATCH => \&Connmark_Match,
       CONNTRACK_MATCH => \&Conntrack_Match,
+      CT_TARGET => \&Ct_Target,
       ENHANCED_REJECT => \&Enhanced_Reject,
       EXMARK => \&Exmark,
       FLOW_FILTER => \&Flow_Filter,
@@ -2687,16 +2802,20 @@ our %detect_capability =
       HASHLIMIT_MATCH => \&Hashlimit_Match,
       HEADER_MATCH => \&Header_Match,
       HELPER_MATCH => \&Helper_Match,
+      IMQ_TARGET => \&Imq_Target,
       IPMARK_TARGET => \&IPMark_Target,
       IPP2P_MATCH => \&Ipp2p_Match,
       IPRANGE_MATCH => \&IPRange_Match,
       IPSET_MATCH => \&IPSet_Match,
       OLD_IPSET_MATCH => \&Old_IPSet_Match,
       IPSET_V5 => \&IPSET_V5,
+      IPTABLES_S => \&Iptables_S,
       KLUDGEFREE => \&Kludgefree,
       LENGTH_MATCH => \&Length_Match,
       LOGMARK_TARGET => \&Logmark_Target,
       LOG_TARGET => \&Log_Target,
+      ULOG_TARGET => \&Ulog_Target,
+      NFLOG_TARGET => \&NFLog_Target,
       MANGLE_ENABLED => \&Mangle_Enabled,
       MANGLE_FORWARD => \&Mangle_Forward,
       MARK => \&Mark,
@@ -2717,6 +2836,7 @@ our %detect_capability =
       RAWPOST_TABLE => \&Rawpost_Table,
       REALM_MATCH => \&Realm_Match,
       RECENT_MATCH => \&Recent_Match,
+      STATISTIC_MATCH => \&Statistic_Match,
       TCPMSS_MATCH => \&Tcpmss_Match,
       TIME_MATCH => \&Time_Match,
       TPROXY_TARGET => \&Tproxy_Target,
@@ -2840,6 +2960,8 @@ sub determine_capabilities() {
 	$capabilities{TIME_MATCH}      = detect_capability( 'TIME_MATCH' );
 	$capabilities{GOTO_TARGET}     = detect_capability( 'GOTO_TARGET' );
 	$capabilities{LOG_TARGET}      = detect_capability( 'LOG_TARGET' );
+	$capabilities{ULOG_TARGET}     = detect_capability( 'ULOG_TARGET' );
+	$capabilities{NFLOG_TARGET}    = detect_capability( 'NFLOG_TARGET' );
 	$capabilities{LOGMARK_TARGET}  = detect_capability( 'LOGMARK_TARGET' );
 	$capabilities{FLOW_FILTER}     = detect_capability( 'FLOW_FILTER' );
 	$capabilities{FWMARK_RT_MASK}  = detect_capability( 'FWMARK_RT_MASK' );
@@ -2847,6 +2969,12 @@ sub determine_capabilities() {
 	$capabilities{ACCOUNT_TARGET}  = detect_capability( 'ACCOUNT_TARGET' );
 	$capabilities{AUDIT_TARGET}    = detect_capability( 'AUDIT_TARGET' );
 	$capabilities{IPSET_V5}        = detect_capability( 'IPSET_V5' );
+	$capabilities{CONDITION_MATCH} = detect_capability( 'CONDITION_MATCH' );
+	$capabilities{IPTABLES_S}      = detect_capability( 'IPTABLES_S' );
+	$capabilities{BASIC_FILTER}    = detect_capability( 'BASIC_FILTER' );
+	$capabilities{CT_TARGET}       = detect_capability( 'CT_TARGET' );
+	$capabilities{STATISTIC_MATCH} = detect_capability( 'STATISTIC_MATCH' );
+	$capabilities{IMQ_TARGET}      = detect_capability( 'IMQ_TARGET' );
 
 
 	qt1( "$iptables -F $sillyname" );
@@ -2940,6 +3068,22 @@ sub conditional_quote( $ ) {
 sub update_config_file( $ ) {
     my $annotate = shift;
 
+    sub is_set( $ ) {
+	my $value = $_[0];
+	defined( $value ) && lc( $value ) eq 'yes';
+    }
+
+    my $wide = is_set $config{WIDE_TC_MARKS};
+    my $high = is_set $config{HIGH_ROUTE_MARKS};
+
+    #
+    # Establish default values for the mark layout items
+    #
+    $config{TC_BITS}         = ( $wide ? 14 : 8 )             unless supplied $config{TC_BITS};
+    $config{MASK_BITS}       = ( $wide ? 16 : 8 )             unless supplied $config{MASK_BITS};
+    $config{PROVIDER_OFFSET} = ( $high ? $wide ? 16 : 8 : 0 ) unless supplied $config{PROVIDER_OFFSET};
+    $config{PROVIDER_BITS}   = 8                              unless supplied $config{PROVIDER_BITS};
+
     my $fn;
 
     unless ( -d "$globals{SHAREDIR}/configfiles/" ) {
@@ -2953,18 +3097,7 @@ sub update_config_file( $ ) {
 	#
 	$fn = $annotate ? "$globals{SHAREDIR}/configfiles/${product}.conf.annotated" : "$globals{SHAREDIR}/configfiles/${product}.conf";
     }
-    #
-    # Deprecated options with their default values
-    #
-    my %deprecated = ( LOGRATE            => '' ,
-		       LOGBURST           => '' ,
-		       EXPORTPARAMS       => 'no' );
-    #
-    # Undocumented options -- won't be listed in the template
-    #
-    my @undocumented = ( qw( TC_BITS PROVIDER_BITS PROVIDER_OFFSET MASK_BITS ) );
-
-    if ( -f $fn ) {
+   if ( -f $fn ) {
 	my ( $template, $output );
 
 	open $template, '<' , $fn or fatal_error "Unable to open $fn: $!";
@@ -3012,29 +3145,6 @@ sub update_config_file( $ ) {
 
 	my $heading_printed;
 
-	for ( @undocumented ) {
-	    if ( defined ( my $val = $config{$_} ) ) {
-
-		unless ( $heading_printed ) {
-		    print $output <<'EOF';
-
-#################################################################################
-#                          U N D O C U M E N T E D
-#                               O P T I O N S
-#################################################################################
-
-EOF
-		    $heading_printed = 1;
-		}
-
-		$val = conditional_quote $val;
-
-		print $output "$_=$val\n\n";
-	    }
-	}
-
-	$heading_printed = 0;
-
 	for ( keys %deprecated ) {
 	    if ( supplied( my $val = $config{$_} ) ) {
 		if ( lc $val ne $deprecated{$_} ) {
@@ -3074,7 +3184,7 @@ EOF
 		progress_message3 "No update required to configuration file $configfile; $configfile.b";
 	    }
 
-	    exit 0;
+	    exit 0 unless -f find_file 'blacklist';
 	}
     } else {
 	fatal_error "$fn does not exist";
@@ -3106,6 +3216,9 @@ sub process_shorewall_conf( $$ ) {
 		    warning_message "Unknown configuration option ($var) ignored", next unless exists $config{$var};
 
 		    $config{$var} = ( $val =~ /\"([^\"]*)\"$/ ? $1 : $val );
+		    
+		    warning_message "Option $var=$val is deprecated"
+			if $deprecated{$var} && supplied $val && lc $config{$var} ne $deprecated{$var};
 		} else {
 		    fatal_error "Unrecognized $product.conf entry";
 		}
@@ -3269,6 +3382,8 @@ sub get_params() {
 	    # - Embedded double quotes are escaped with '\\'
 	    # - Valueless variables are supported (e.g., 'declare -x foo')
 	    #
+	    $shell = BASH;
+
 	    for ( @params ) {
 		if ( /^declare -x (.*?)="(.*[^\\])"$/ ) {
 		    $params{$1} = $2 unless $1 eq '_';
@@ -3277,11 +3392,11 @@ sub get_params() {
 		} elsif ( /^declare -x (.*)\s+$/ || /^declare -x (.*)=""$/ ) {
 		    $params{$1} = '';
 		} else {
+		    chomp;
 		    if ($variable) {
 			s/"$//;
 			$params{$variable} .= $_;
 		    } else {
-			chomp;
 			warning_message "Param line ($_) ignored" unless $bug++;
 		    }
 		}	
@@ -3295,6 +3410,8 @@ sub get_params() {
 	    # - Embedded single quotes are escaped with '\'
 	    # - Valueless variables ( e.g., 'export foo') are supported
 	    #
+	    $shell = OLDBASH;
+
 	    for ( @params ) {
 		if ( /^export (.*?)="(.*[^\\])"$/ ) {
 		    $params{$1} = $2 unless $1 eq '_';
@@ -3303,11 +3420,11 @@ sub get_params() {
 		} elsif ( /^export ([^\s=]+)\s*$/ || /^export (.*)=""$/ ) {
 		    $params{$1} = '';
 		} else {
+		    chomp;
 		    if ($variable) {
 			s/"$//;
 			$params{$variable} .= $_;
 		    } else {
-			chomp;
 			warning_message "Param line ($_) ignored" unless $bug++;
 		    }
 		}	
@@ -3320,6 +3437,8 @@ sub get_params() {
 	    # - Param values are delimited by single quotes.
 	    # - Embedded single quotes are transformed to the five characters '"'"'
 	    #
+	    $shell = ASH;
+
 	    for ( @params ) {
 		if ( /^export (.*?)='(.*'"'"')$/ ) {
 		    $params{$variable=$1}="${2}\n";		    
@@ -3328,11 +3447,11 @@ sub get_params() {
 		} elsif ( /^export (.*?)='(.*)$/ ) {
 		    $params{$variable=$1}="${2}\n";
 		} else {
+		    chomp;
 		    if ($variable) {
 			s/'$//;
 			$params{$variable} .= $_;
 		    } else {
-			chomp;
 			warning_message "Param line ($_) ignored" unless $bug++;
 		    }				
 		}
@@ -3365,21 +3484,37 @@ sub add_param( $$ ) {
 sub export_params() {
     my $count = 0;
 
-    while ( my ( $param, $value ) = each %params ) {
+    for my $param ( sort keys %params ) {
 	#
 	# Don't export params added by the compiler
 	#
 	next if exists $compiler_params{$param};
+
+	my $value = $params{$param};
+	#
+	# Values in %params are generated from the output of 'export -p'.
+	# The different shells have different conventions for delimiting
+	# the value and for escaping embedded instances of the delimiter.
+	# The following logic removes the escape characters.
+	#
+	if ( $shell == BASH ) {
+	    $value =~ s/\\"/"/g;
+	} elsif ( $shell == OLDBASH ) {
+	    $value =~ s/\\'/'/g;
+	} else {
+	    $value =~ s/'"'"'/'/g;
+	}
 	#
 	# Don't export pairs from %ENV
 	#
-	if ( exists $ENV{$param} && defined $ENV{$param} ) {
-	    next if $value eq $ENV{$param};
-	}
+	next if defined $ENV{$param} && $value eq $ENV{$param};
 
 	emit "#\n# From the params file\n#" unless $count++;
-
-	if ( $value =~ /[\s()[]/ ) {
+	#
+	# We will use double quotes and escape embedded quotes with \.
+	#
+	if ( $value =~ /[\s()['"]/ ) {
+	    $value =~ s/"/\\"/g;
 	    emit "$param='$value'";
 	} else {
 	    emit "$param=$value";
@@ -3388,9 +3523,10 @@ sub export_params() {
 }
 
 #
+# - Process the params file
 # - Read the shorewall.conf file
 # - Read the capabilities file, if any
-# - establish global hashes %config , %globals and %capabilities
+# - establish global hashes %params, %config , %globals and %capabilities
 #
 sub get_configuration( $$$ ) {
 
@@ -3423,7 +3559,6 @@ sub get_configuration( $$$ ) {
 
     get_capabilities( $export );
 
-
     $globals{STATEMATCH} = '-m conntrack --ctstate' if have_capability 'CONNTRACK_MATCH';
 
     if ( my $rate = $config{LOGLIMIT} ) {
@@ -3622,6 +3757,7 @@ sub get_configuration( $$$ ) {
     default_yes_no 'COMPLETE'                   , '';
     default_yes_no 'EXPORTMODULES'              , '';
     default_yes_no 'LEGACY_FASTSTART'           , 'Yes';
+    default_yes_no 'USE_PHYSICAL_NAMES'         , '';
 
     require_capability 'MARK' , 'FORWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK};
 
@@ -3629,23 +3765,36 @@ sub get_configuration( $$$ ) {
     numeric_option 'MASK_BITS',        $config{WIDE_TC_MARKS} ? 16 : 8,  $config{TC_BITS};
     numeric_option 'PROVIDER_BITS' ,   8, 0;
     numeric_option 'PROVIDER_OFFSET' , $config{HIGH_ROUTE_MARKS} ? $config{WIDE_TC_MARKS} ? 16 : 8 : 0, 0;
+    numeric_option 'ZONE_BITS'       , 0, 0;
+
+    require_capability 'MARK_ANYWHERE', 'A non-zero ZONE_BITS setting', 's' if $config{ZONE_BITS};
 
     if ( $config{PROVIDER_OFFSET} ) {
-	$config{PROVIDER_OFFSET} = $config{MASK_BITS} if $config{PROVIDER_OFFSET} < $config{MASK_BITS};
-	fatal_error 'PROVIDER_BITS + PROVIDER_OFFSET > 31' if $config{PROVIDER_BITS} + $config{PROVIDER_OFFSET} > 31;
-	$globals{EXCLUSION_MASK} = 1 << ( $config{PROVIDER_OFFSET} + $config{PROVIDER_BITS} );
+	$config{PROVIDER_OFFSET}  = $config{MASK_BITS} if $config{PROVIDER_OFFSET} < $config{MASK_BITS};
+	$globals{ZONE_OFFSET}     = $config{PROVIDER_OFFSET} + $config{PROVIDER_BITS};
     } elsif ( $config{MASK_BITS} >= $config{PROVIDER_BITS} ) {
-	$globals{EXCLUSION_MASK} = 1 << $config{MASK_BITS};
+	$globals{ZONE_OFFSET}     = $config{MASK_BITS};
     } else {
-	$globals{EXCLUSION_MASK} = 1 << $config{PROVIDER_BITS};
+	$globals{ZONE_OFFSET}     = $config{PROVIDER_BITS};
     }
 
-    $globals{TC_MAX}                 = make_mask( $config{TC_BITS} );
-    $globals{TC_MASK}                = make_mask( $config{MASK_BITS} );
-    $globals{PROVIDER_MIN}           = 1 << $config{PROVIDER_OFFSET};
-    $globals{PROVIDER_MASK}          = make_mask( $config{PROVIDER_BITS} ) << $config{PROVIDER_OFFSET};
+    fatal_error 'Invalid Packet Mark layout' if $config{ZONE_BITS} + $globals{ZONE_OFFSET} > 31;
+    
+    $globals{EXCLUSION_MASK} = 1 << ( $globals{ZONE_OFFSET} + $config{ZONE_BITS} );
+    $globals{PROVIDER_MIN}   = 1 << $config{PROVIDER_OFFSET};
+
+    $globals{TC_MAX}         = make_mask( $config{TC_BITS} );
+    $globals{TC_MASK}        = make_mask( $config{MASK_BITS} );
+    $globals{PROVIDER_MASK}  = make_mask( $config{PROVIDER_BITS} ) << $config{PROVIDER_OFFSET};
+
+    if ( $config{ZONE_BITS} ) {
+	$globals{ZONE_MASK} = make_mask( $config{ZONE_BITS} ) << $globals{ZONE_OFFSET};
+    } else {
+	$globals{ZONE_MASK} = 0;
+    }
 
     if ( ( my $userbits = $config{PROVIDER_OFFSET} - $config{TC_BITS} ) > 0 ) {
+	
 	$globals{USER_MASK} = make_mask( $userbits ) << $config{TC_BITS};
     } else {
 	$globals{USER_MASK} = 0;
@@ -3677,6 +3826,7 @@ sub get_configuration( $$$ ) {
     default_log_level 'MACLIST_LOG_LEVEL',   '';
     default_log_level 'TCP_FLAGS_LOG_LEVEL', '';
     default_log_level 'RFC1918_LOG_LEVEL',   '';
+    default_log_level 'RELATED_LOG_LEVEL',   '';
 
     warning_message "RFC1918_LOG_LEVEL=$config{RFC1918_LOG_LEVEL} ignored. The 'norfc1918' interface/host option is no longer supported" if $config{RFC1918_LOG_LEVEL};
 
@@ -3711,6 +3861,23 @@ sub get_configuration( $$$ ) {
 	$globals{MACLIST_TARGET}      = 'reject';
     }
 
+    if ( $val = $config{RELATED_DISPOSITION} ) {
+	if ( $val =~ /^(?:A_)?(?:DROP|ACCEPT)$/ ) {
+	    $globals{RELATED_TARGET} = $val;
+	} elsif ( $val eq 'REJECT' ) {
+	    $globals{RELATED_TARGET} = 'reject';
+	} elsif ( $val eq 'A_REJECT' ) {
+	    $globals{RELATED_TARGET} = $val;
+	} else {
+	    fatal_error "Invalid value ($config{RELATED_DISPOSITION}) for RELATED_DISPOSITION"
+	}
+
+	require_capability 'AUDIT_TARGET' , "MACLIST_DISPOSITION=$val", 's' if $val =~ /^A_/;
+    } else {
+	$config{RELATED_DISPOSITION}  =
+	$globals{RELATED_TARGET}      = 'ACCEPT';
+    }
+
     if ( $val = $config{MACLIST_TABLE} ) {
 	if ( $val eq 'mangle' ) {
 	    fatal_error 'MACLIST_DISPOSITION=$1 is not allowed with MACLIST_TABLE=mangle' if $config{MACLIST_DISPOSITION} =~ /^((?:A)?REJECT)$/;
@@ -3784,7 +3951,9 @@ sub get_configuration( $$$ ) {
 
     $val = numeric_value $config{OPTIMIZE};
 
-    fatal_error "Invalid OPTIMIZE value ($config{OPTIMIZE})" unless supplied( $val ) && $val >= 0 && ( $val & ( 4096 ^ -1 ) ) <= 15;
+    fatal_error "Invalid OPTIMIZE value ($config{OPTIMIZE})" unless supplied( $val ) && $val >= 0 && ( $val & ( 4096 ^ -1 ) ) <= 31;
+
+    require_capability 'XMULTIPORT', 'OPTIMIZE level 16', 's' if $val & 16;
 
     $globals{MARKING_CHAIN} = $config{MARK_IN_FORWARD_CHAIN} ? 'tcfor' : 'tcpre';
 
@@ -3823,6 +3992,13 @@ sub get_configuration( $$$ ) {
     } else {
 	$config{LOCKFILE} = '';
     }
+
+    report_capabilities unless $config{LOAD_HELPERS_ONLY};
+
+    require_capability( 'MULTIPORT'       , "Shorewall $globals{VERSION}" , 's' );
+    require_capability( 'RECENT_MATCH'    , 'MACLIST_TTL' , 's' )           if $config{MACLIST_TTL};
+    require_capability( 'XCONNMARK'       , 'HIGH_ROUTE_MARKS=Yes' , 's' )  if $config{PROVIDER_OFFSET} > 0;
+    require_capability( 'MANGLE_ENABLED'  , 'Traffic Shaping' , 's'      )  if $config{TC_ENABLED};
 }
 
 #
@@ -4014,6 +4190,52 @@ sub generate_aux_config() {
     finalize_aux_config;
 }
 
+sub dump_mark_layout() {
+    sub dumpout( $$$$$ ) {
+	my ( $name, $bits, $min, $max, $mask ) = @_;
+
+	if ( $bits ) {
+	    if ( $min == $max ) {
+		emit_unindented "$name:" . $min . ' mask ' . in_hex( $mask );
+	    } else {
+		emit_unindented "$name:" . join('-', $min, $max ) . ' (' . join( '-', in_hex( $min ), in_hex( $max ) ) . ') mask ' . in_hex( $mask );
+	    }
+	} else {
+	    emit_unindented "$name: Not Enabled";
+	}
+    }
+
+    dumpout( "Traffic Shaping",
+	     $config{TC_BITS},
+	     0,
+	     $globals{TC_MAX},
+	     $globals{TC_MASK} );
+
+    dumpout( "User",
+	     $globals{USER_MASK},
+	     $globals{TC_MAX} + 1,
+	     $globals{USER_MASK},
+	     $globals{USER_MASK} );
+    
+    dumpout( "Provider",
+	     $config{PROVIDER_BITS},
+	     $globals{PROVIDER_MIN},
+	     $globals{PROVIDER_MASK},
+	     $globals{PROVIDER_MASK} );
+
+    dumpout( "Zone",
+	     $config{ZONE_BITS},
+	     1 << $globals{ZONE_OFFSET},
+	     $globals{ZONE_MASK},
+	     $globals{ZONE_MASK} );
+
+    dumpout( "Exclusion",
+	     1,
+	     $globals{EXCLUSION_MASK},
+	     $globals{EXCLUSION_MASK},
+	     $globals{EXCLUSION_MASK} );
+}	
+
 END {
     cleanup;
 }

Shorewall/Perl/Shorewall/IPAddrs.pm

@@ -55,6 +55,7 @@ our @EXPORT = qw( ALLIPv4
 		  DCCP
 		  IPv6_ICMP
 		  SCTP
+		  GRE
 
 		  validate_address
 		  validate_net
@@ -117,6 +118,7 @@ use constant { ALLIPv4             => '0.0.0.0/0' ,
 	       TCP                 => 6,
 	       UDP                 => 17,
 	       DCCP                => 33,
+	       GRE                 => 47,
 	       IPv6_ICMP           => 58,
 	       SCTP                => 132,
 	       UDPLITE             => 136 };
@@ -530,13 +532,13 @@ sub valid_6address( $ ) {
 	return 0 unless valid_4address pop @address;
 	$max = 6;
 	$address = join ':', @address;
-	return 1 if @address eq ':';
+	return 1 if $address eq ':';
     } else {
 	$max = 8;
     }
 
     return 0 if @address > $max;
-    return 0 unless $address =~ /^[a-f:\d]+$/;
+    return 0 unless $address =~ /^[a-fA-F:\d]+$/;
     return 0 unless ( @address == $max ) || $address =~ /::/;
     return 0 if $address =~ /:::/ || $address =~ /::.*::/;
 

Shorewall/Perl/Shorewall/Misc.pm

@@ -1,9 +1,9 @@
 #
-# Shorewall 4.4 -- /usr/share/shorewall/Shorewall/Misc.pm
+# Shorewall 4.5 -- /usr/share/shorewall/Shorewall/Misc.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010,2011,2012 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -82,7 +82,7 @@ sub process_tos() {
 
 	while ( read_a_line ) {
 
-	    my ($src, $dst, $proto, $sports, $ports , $tos, $mark ) = split_line 6, 7, 'tos file entry';
+	    my ($src, $dst, $proto, $ports, $sports , $tos, $mark ) = split_line 'tos file entry', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, tos => 5, mark => 6 } ;
 
 	    $first_entry = 0;
 
@@ -159,8 +159,9 @@ sub setup_ecn()
 
 	while ( read_a_line ) {
 
-	    my ($interface, $hosts ) = split_line 1, 2, 'ecn file entry';
+	    my ($interface, $hosts ) = split_line 'ecn file entry', { interface => 0, hosts => 1 };
 
+	    fatal_error 'INTERFACE must be specified' if $interface eq '-';
 	    fatal_error "Unknown interface ($interface)" unless known_interface $interface;
 
 	    $interfaces{$interface} = 1;
@@ -219,17 +220,7 @@ sub setup_blacklist() {
 	$chainref1 = dont_delete new_standard_chain 'blackout' if @$zones1;
 
 	if ( supplied $level ) {
-	    my $logchainref = new_standard_chain 'blacklog';
-
-	    $target =~ s/A_//;
-	    $target = 'reject' if $target eq 'REJECT';
-
-	    log_rule_limit( $level , $logchainref , 'blacklst' , $disposition , "$globals{LOGLIMIT}" , '', 'add',	'' );
-
-	    add_ijump( $logchainref, j => 'AUDIT', targetopts => '--type ' . lc $target ) if $audit;
-	    add_ijump( $logchainref, g => $target );
-
-	    $target = 'blacklog';
+	    $target = ensure_blacklog_chain ( $target, $disposition, $level, $audit );
 	} elsif ( $audit ) {
 	    require_capability 'AUDIT_TARGET', "BLACKLIST_DISPOSITION=$disposition", 's';
 	    $target = verify_audit( $disposition );
@@ -256,7 +247,7 @@ sub setup_blacklist() {
 		    $first_entry = 0;
 		}
 
-		my ( $networks, $protocol, $ports, $options ) = split_line 1, 4, 'blacklist file';
+		my ( $networks, $protocol, $ports, $options ) = split_line 'blacklist file', { networks => 0, proto => 1, port => 2, options => 3 };
 
 		if ( $options eq '-' ) {
 		    $options = 'src';
@@ -347,6 +338,221 @@ sub setup_blacklist() {
     }
 }
 
+#
+# Remove instances of 'blacklist' from the passed file. 
+#
+sub remove_blacklist( $ ) {
+    my $file = shift;
+
+    my $fn = find_file $file;
+
+    return 1 unless -f $file;
+
+    my $oldfile = open_file $fn;
+    my $newfile;
+    my $changed;
+	
+    open $newfile, '>', "$fn.new" or fatal_error "Unable to open $fn.new for output: $!";
+
+    while ( read_a_line(1,1,0) ) {
+	my ( $rule, $comment ) = split '#', $currentline, 2;
+
+	if ( $rule =~ /blacklist/ ) {
+	    $changed = 1;
+
+	    if ( $comment ) {
+		$comment =~ s/^/          / while $rule =~ s/blacklist,//;
+		$rule =~ s/blacklist/         /g;
+		$currentline = join( '#', $rule, $comment );
+	    } else {
+		$currentline =~ s/blacklist/         /g;
+	    }	    
+	}
+   
+	print $newfile "$currentline\n";
+    }
+	
+    close $newfile;
+
+    if ( $changed ) {
+	rename $fn, "$fn.bak" or fatal_error "Unable to rename $fn to $fn.bak: $!";
+	rename "$fn.new", $fn or fatal_error "Unable to rename $fn.new to $fn: $!";
+	progress_message2 "\u$file file $fn saved in $fn.bak"
+    }
+}
+
+#
+# Convert a pre-4.4.25 blacklist to a 4.4.25 blacklist
+#
+sub convert_blacklist() {
+    my $zones  = find_zones_by_option 'blacklist', 'in';
+    my $zones1 = find_zones_by_option 'blacklist', 'out';
+    my ( $level, $disposition ) = @config{'BLACKLIST_LOGLEVEL', 'BLACKLIST_DISPOSITION' };
+    my $audit       = $disposition =~ /^A_/;
+    my $target      = $disposition eq 'REJECT' ? 'reject' : $disposition;
+    my $orig_target = $target;
+    my @rules;
+    
+    if ( @$zones || @$zones1 ) {
+	if ( supplied $level ) {
+	    $target = 'blacklog';
+	} elsif ( $audit ) {
+	    $target = verify_audit( $disposition );
+	}
+
+	my $fn = open_file 'blacklist';
+
+	first_entry "Converting $fn...";
+
+	while ( read_a_line ) {
+	    my ( $networks, $protocol, $ports, $options ) = split_line 'blacklist file', { networks => 0, proto => 1, port => 2, options => 3 };
+
+	    if ( $options eq '-' ) {
+		$options = 'src';
+	    } elsif ( $options eq 'audit' ) {
+		$options = 'audit,src';
+	    }
+
+	    my ( $to, $from, $whitelist, $auditone ) = ( 0, 0, 0, 0 );
+
+	    my @options = split_list $options, 'option';
+
+	    for ( @options ) {
+		$whitelist++ if $_ eq 'whitelist';
+		$auditone++  if $_ eq 'audit'; 
+	    }
+
+	    warning_message "Duplicate 'whitelist' option ignored" if $whitelist > 1;
+
+	    my $tgt = $whitelist ? 'WHITELIST' : $target;
+
+	    if ( $auditone ) {
+		fatal_error "'audit' not allowed in whitelist entries" if $whitelist;
+
+		if ( $audit ) {
+		    warning_message "Superfluous 'audit' option ignored";
+		} else {
+		    warning_message "Duplicate 'audit' option ignored" if $auditone > 1;
+		}
+
+		$tgt = verify_audit( 'A_' . $target, $orig_target, $target );
+	    }
+
+	    for ( @options ) {
+		if ( $_ =~ /^(?:src|from)$/ ) {
+		    if ( $from++ ) {
+			warning_message "Duplicate 'src' ignored";
+		    } else {
+			if ( @$zones ) {
+			    push @rules, [ 'src', $tgt, $networks, $protocol, $ports ];
+			} else {
+			    warning_message '"src" entry ignored because there are no "blacklist in" zones';
+			}
+		    }
+		} elsif ( $_ =~ /^(?:dst|to)$/ ) {
+		    if ( $to++ ) {
+			warning_message "Duplicate 'dst' ignored";
+		    } else {
+			if ( @$zones1 ) {
+			    push @rules, [ 'dst', $tgt, $networks, $protocol, $ports ];
+			} else {
+			    warning_message '"dst" entry ignored because there are no "blacklist out" zones';
+			}
+		    }
+		} else {
+		    fatal_error "Invalid blacklist option($_)" unless $_ eq 'whitelist' || $_ eq 'audit';
+		}
+	    }
+	}
+
+	if ( @rules ) {
+	    my $fn1 = find_file( 'blrules' );
+	    my $blrules;
+	    my $date = localtime;
+
+	    if ( -f $fn1 ) {
+		open $blrules, '>>', $fn1 or fatal_error "Unable to open $fn1: $!";
+	    } else {
+		open $blrules, '>',  $fn1 or fatal_error "Unable to open $fn1: $!";
+		print $blrules <<'EOF';
+#
+# Shorewall version 5 - Blacklist Rules File
+#
+# For information about entries in this file, type "man shorewall-blrules"
+#
+# Please see http://shorewall.net/blacklisting_support.htm for additional
+# information.
+#
+###################################################################################################################################################################################################
+#ACTION		SOURCE		        DEST		        PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
+#							                PORT	PORT(S)		DEST		LIMIT		GROUP
+EOF
+	    }
+
+	    print( $blrules 
+		   "#\n" ,
+		   "# Rules generated from blacklist file $fn by Shorewall $globals{VERSION} - $date\n" ,
+		   "#\n" );
+
+	    for ( @rules ) {
+		my ( $srcdst, $tgt, $networks, $protocols, $ports ) = @$_;
+
+		$tgt .= "\t\t";
+
+		my $list = $srcdst eq 'src' ? $zones : $zones1;
+
+		for my $zone ( @$list ) {
+		    my $rule = $tgt;
+
+		    if ( $srcdst eq 'src' ) {
+			if ( $networks ne '-' ) {
+			    $rule .= "$zone:$networks\tall\t\t";
+			} else {
+			    $rule .= "$zone\t\t\tall\t\t";
+			}
+		    } else {
+			if ( $networks ne '-' ) {
+			    $rule .= "all\t\t\t$zone:$networks\t";
+			} else {
+			    $rule .= "all\t\t\t$zone\t\t\t";
+			}
+		    }
+		
+		    $rule .= "\t$protocols" if $protocols ne '-';
+		    $rule .= "\t$ports"     if $ports     ne '-';
+		
+		    print $blrules "$rule\n";
+		}
+	    }
+
+	    close $blrules;
+	} else {
+	    warning_message q(There are interfaces or zones with the 'blacklist' option but the 'blacklist' file is empty or does not exist) unless @rules;
+	}
+	
+	if ( -f $fn ) {
+	    rename $fn, "$fn.bak";
+	    progress_message2 "Blacklist file $fn saved in $fn.bak";
+	}
+	
+	for my $file ( qw(zones interfaces hosts) ) {
+	    remove_blacklist $file;
+	}
+
+	progress_message2 "Blacklist successfully converted";
+
+	return 1;	    
+    } else {
+	my $fn = find_file 'blacklist';
+	if ( -f $fn ) {
+	    rename $fn, "$fn.bak" or fatal_error "Unable to rename $fn to $fn.bak: $!";
+	    warning_message "No zones have the blacklist option - the blacklist file was saved in $fn.bak";
+	}
+
+	return 0;
+    }
+}
+
 sub process_routestopped() {
 
     if ( my $fn = open_file 'routestopped' ) {
@@ -358,10 +564,12 @@ sub process_routestopped() {
 
 	while ( read_a_line ) {
 
-	    my ($interface, $hosts, $options , $proto, $ports, $sports ) = split_line 1, 6, 'routestopped file';
+	    my ($interface, $hosts, $options , $proto, $ports, $sports ) =
+		split_line 'routestopped file', { interface => 0, hosts => 1, options => 2, proto => 3, dport => 4, sport => 5 };
 
 	    my $interfaceref;
 
+	    fatal_error 'INTERFACE must be specified' if $interface eq '-';
 	    fatal_error "Unknown interface ($interface)" unless $interfaceref = known_interface $interface;
 	    $hosts = ALLIP unless $hosts && $hosts ne '-';
 
@@ -470,7 +678,8 @@ sub process_routestopped() {
 
 sub setup_mss();
 
-sub add_common_rules() {
+sub add_common_rules ( $ ) {
+    my $upgrade = shift;
     my $interface;
     my $chainref;
     my $target;
@@ -481,6 +690,7 @@ sub add_common_rules() {
     my $dynamicref;
 
     my @state     = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID' : ();
+    my $faststate = $config{RELATED_DISPOSITION} eq 'ACCEPT' && $config{RELATED_LOG_LEVEL} eq '' ? 'ESTABLISHED,RELATED' : 'ESTABLISHED';
     my $level     = $config{BLACKLIST_LOGLEVEL};
     my $rejectref = $filter_table->{reject};
 
@@ -488,13 +698,14 @@ sub add_common_rules() {
 	add_rule_pair dont_delete( new_standard_chain( 'logdrop' ) ),   '' , 'DROP'   , $level ;
 	add_rule_pair dont_delete( new_standard_chain( 'logreject' ) ), '' , 'reject' , $level ;
 	$dynamicref = dont_optimize( new_standard_chain( 'dynamic' ) );
-	add_ijump $filter_table->{INPUT}, j => $dynamicref, @state;
 	add_commands( $dynamicref, '[ -f ${VARDIR}/.dynamic ] && cat ${VARDIR}/.dynamic >&3' );
     }
 
     setup_mss;
 
-    add_ijump( $filter_table->{OUTPUT} , j => 'ACCEPT', state_imatch 'ESTABLISHED,RELATED' ) if ( $config{FASTACCEPT} );
+    if ( $config{FASTACCEPT} ) {
+	add_ijump( $filter_table->{OUTPUT} , j => 'ACCEPT', state_imatch $faststate )
+    } 
 
     my $policy   = $config{SFILTER_DISPOSITION};
     $level       = $config{SFILTER_LOG_LEVEL};
@@ -541,8 +752,8 @@ sub add_common_rules() {
 	$target1 = $target;
     }
 
-    for $interface ( grep $_ ne '%vserver%', all_interfaces ) {
-	ensure_chain( 'filter', $_ ) for first_chains( $interface ), output_chain( $interface );
+    for $interface ( all_real_interfaces ) {
+	ensure_chain( 'filter', $_ ) for first_chains( $interface ), output_chain( $interface ), option_chains( $interface ), output_option_chain( $interface );
 
 	my $interfaceref = find_interface $interface;
 
@@ -550,33 +761,28 @@ sub add_common_rules() {
 
 	    my @filters = @{$interfaceref->{filter}};
 	
-	    $chainref = $filter_table->{forward_chain $interface};
+	    $chainref = $filter_table->{forward_option_chain $interface};
 	
 	    if ( @filters ) {
 		add_ijump( $chainref , @ipsec ? 'j' : 'g' => $target1, imatch_source_net( $_ ), @ipsec ), $chainref->{filtered}++ for @filters;
-		$interfaceref->{options}{use_forward_chain} = 1;
 	    } elsif ( $interfaceref->{bridge} eq $interface ) {
 		add_ijump( $chainref , @ipsec ? 'j' : 'g' => $target1, imatch_dest_dev( $interface ), @ipsec ), $chainref->{filtered}++
 		    unless( $config{ROUTE_FILTER} eq 'on' ||
 			    $interfaceref->{options}{routeback} ||
 			    $interfaceref->{options}{routefilter} ||
 			    $interfaceref->{physical} eq '+' );
-
-		$interfaceref->{options}{use_forward_chain} = 1;
 	    }
 
-	    add_ijump( $chainref, j => 'ACCEPT', state_imatch 'ESTABLISHED,RELATED' ), $chainref->{filtered}++ if $config{FASTACCEPT};
-	    add_ijump( $chainref, j => $dynamicref, @state ), $chainref->{filtered}++ if $dynamicref;
-
-	    $chainref = $filter_table->{input_chain $interface};
 	
 	    if ( @filters ) {
+		$chainref = $filter_table->{input_option_chain $interface};
 		add_ijump( $chainref , g => $target, imatch_source_net( $_ ), @ipsec ), $chainref->{filtered}++ for @filters;
-		$interfaceref->{options}{use_input_chain} = 1;
 	    }
 	
-	    add_ijump( $chainref, j => 'ACCEPT', state_imatch 'ESTABLISHED,RELATED' ), $chainref->{filtered}++ if $config{FASTACCEPT};
-	    add_ijump( $chainref, j => $dynamicref, @state ), $chainref->{filtered}++ if $dynamicref;
+	    for ( option_chains( $interface ) ) {
+		add_ijump( $filter_table->{$_}, j => $dynamicref, @state ) if $dynamicref;
+		add_ijump( $filter_table->{$_}, j => 'ACCEPT', state_imatch $faststate ) if $config{FASTACCEPT};
+	    }
 	}
     }
 
@@ -591,7 +797,11 @@ sub add_common_rules() {
 
     run_user_exit1 'initdone';
 
-    setup_blacklist;
+    if ( $upgrade ) {
+	exit 0 unless convert_blacklist;
+    } else {
+	setup_blacklist;
+    }
 
     $list = find_hosts_by_option 'nosmurfs';
 
@@ -656,12 +866,9 @@ sub add_common_rules() {
 	    my @policy     = have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
 	    my $target     = source_exclusion( $hostref->[3], $chainref );
 
-	    for $chain ( first_chains $interface ) {
+	    for $chain ( option_chains $interface ) {
 		add_ijump( $filter_table->{$chain} , j => $target, @state, imatch_source_net( $hostref->[2] ), @policy );
 	    }
-
-	    set_interface_option $interface, 'use_input_chain', 1;
-	    set_interface_option $interface, 'use_forward_chain', 1;
 	}
     }
 
@@ -711,14 +918,11 @@ sub add_common_rules() {
 	my $ports = $family == F_IPV4 ? '67:68' : '546:547';
 
 	for $interface ( @$list ) {
-	    set_interface_option $interface, 'use_input_chain', 1;
-	    set_interface_option $interface, 'use_forward_chain', 1;
-	    
 	    set_rule_option( add_ijump( $filter_table->{$_} , j => 'ACCEPT', p => "udp --dport $ports" ) ,
 			     'dhcp',
-			     1 ) for input_chain( $interface ), output_chain( $interface );
+			     1 ) for input_option_chain( $interface ), output_option_chain( $interface );
 
-	    add_ijump( $filter_table->{forward_chain $interface} ,
+	    add_ijump( $filter_table->{forward_option_chain $interface} ,
 		       j => 'ACCEPT', 
 		       p =>  "udp --dport $ports" ,
 		       imatch_dest_dev( $interface ) )
@@ -776,11 +980,9 @@ sub add_common_rules() {
 	    my $target     = source_exclusion( $hostref->[3], $chainref );
 	    my @policy     = have_ipsec ? ( policy => "--pol $hostref->[1] --dir in" ) : ();
 
-	    for $chain ( first_chains $interface ) {
+	    for $chain ( option_chains $interface ) {
 		add_ijump( $filter_table->{$chain} , j => $target, p => 'tcp', imatch_source_net( $hostref->[2] ), @policy );
 	    }
-	    set_interface_option $interface, 'use_input_chain', 1;
-	    set_interface_option $interface, 'use_forward_chain', 1;
 	}
     }
 
@@ -809,7 +1011,7 @@ sub add_common_rules() {
 	    progress_message2 "$doing UPnP" unless $announced;
 
 	    for $interface ( @$list ) {
-		my $chainref = $filter_table->{input_chain $interface};
+		my $chainref = $filter_table->{input_option_chain $interface};
 		my $base     = uc chain_base get_physical $interface;
 		my $variable = get_interface_gateway $interface;
 
@@ -897,7 +1099,7 @@ sub setup_mac_lists( $ ) {
 
 	    while ( read_a_line ) {
 
-		my ( $original_disposition, $interface, $mac, $addresses  ) = split_line1 3, 4, 'maclist file';
+		my ( $original_disposition, $interface, $mac, $addresses  ) = split_line1 'maclist file', { disposition => 0, interface => 1, mac => 2, addresses => 3 };
 
 		if ( $original_disposition eq 'COMMENT' ) {
 		    process_comment;
@@ -958,12 +1160,9 @@ sub setup_mac_lists( $ ) {
 	    if ( $table eq 'filter' ) {
 		my $chainref = source_exclusion( $hostref->[3], $filter_table->{mac_chain $interface} );
 
-		for my $chain ( first_chains $interface ) {
+		for my $chain ( option_chains $interface ) {
 		    add_ijump $filter_table->{$chain} , j => $chainref, @source, @state, @policy;
 		}
-
-		set_interface_option $interface, 'use_input_chain', 1;
-		set_interface_option $interface, 'use_forward_chain', 1;
 	    } else {
 		my $chainref = source_exclusion( $hostref->[3], $mangle_table->{mac_chain $interface} );
 		add_ijump $mangle_table->{PREROUTING}, j => $chainref, imatch_source_dev( $interface ), @source, @state, @policy;
@@ -1061,7 +1260,7 @@ sub generate_dest_rules( $$$;@ ) {
     my $z2ref            = find_zone( $z2 );
     my $type2            = $z2ref->{type};
 
-    if ( $type2 == VSERVER ) {
+    if ( $type2 & VSERVER ) {
 	for my $hostref ( @{$z2ref->{hosts}{ip}{'%vserver%'}} ) {
 	    my $exclusion = dest_exclusion( $hostref->{exclusions}, $chain);
 
@@ -1158,8 +1357,6 @@ sub handle_loopback_traffic() {
 	    }
 	}
     }
-
-    add_ijump $filter_table->{INPUT} , j => 'ACCEPT', i => 'lo';
 }
 
 #
@@ -1169,6 +1366,8 @@ sub add_interface_jumps {
     our %input_jump_added;
     our %output_jump_added;
     our %forward_jump_added;
+    my  $lo_jump_added = 0;
+    my @interfaces = grep $_ ne '%vserver%', @_;
     #
     # Add Nat jumps
     #
@@ -1180,7 +1379,7 @@ sub add_interface_jumps {
     addnatjump 'POSTROUTING' , 'nat_out';
     addnatjump 'PREROUTING', 'dnat';
 
-    for my $interface ( grep $_ ne '%vserver%', @_ ) {
+    for my $interface ( @interfaces  ) {
 	addnatjump 'PREROUTING'  , input_chain( $interface )  , imatch_source_dev( $interface );
 	addnatjump 'POSTROUTING' , output_chain( $interface ) , imatch_dest_dev( $interface );
 	addnatjump 'POSTROUTING' , masq_chain( $interface ) , imatch_dest_dev( $interface );
@@ -1194,12 +1393,14 @@ sub add_interface_jumps {
     #
     # Add the jumps to the interface chains from filter FORWARD, INPUT, OUTPUT
     #
-    for my $interface ( grep $_ ne '%vserver%', @_ ) {
+    for my $interface ( @interfaces ) {
 	my $forwardref   = $filter_table->{forward_chain $interface};
 	my $inputref     = $filter_table->{input_chain $interface};
 	my $outputref    = $filter_table->{output_chain $interface};
 	my $interfaceref = find_interface($interface);
 
+	add_ijump $filter_table->{INPUT} , j => 'ACCEPT', i => 'lo' if $interfaceref->{physical} eq '+' && ! $lo_jump_added++;
+
 	if ( $interfaceref->{options}{port} ) {
 	    my $bridge = $interfaceref->{bridge};
 	    add_ijump ( $filter_table->{forward_chain $bridge},
@@ -1227,15 +1428,17 @@ sub add_interface_jumps {
 	} else {
 	    add_ijump ( $filter_table->{FORWARD}, j => 'ACCEPT', imatch_source_dev( $interface) , imatch_dest_dev( $interface) ) unless $interfaceref->{nets} || ! $interfaceref->{options}{bridge};
 
-	    add_ijump( $filter_table->{FORWARD} , j => $forwardref , imatch_source_dev( $interface ) ) unless $forward_jump_added{$interface} || ! use_forward_chain $interface, $forwardref;
-	    add_ijump( $filter_table->{INPUT}   , j => $inputref ,   imatch_source_dev( $interface ) ) unless $input_jump_added{$interface}   || ! use_input_chain $interface, $inputref;
+	    add_ijump( $filter_table->{FORWARD} , j => $forwardref , imatch_source_dev( $interface ) ) if use_forward_chain( $interface, $forwardref ) && ! $forward_jump_added{$interface}++;
+	    add_ijump( $filter_table->{INPUT}   , j => $inputref ,   imatch_source_dev( $interface ) ) if use_input_chain( $interface, $inputref )     && ! $input_jump_added{$interface}++;
 
-	    unless ( $output_jump_added{$interface} || ! use_output_chain $interface, $outputref ) {
-		add_ijump $filter_table->{OUTPUT} , j => $outputref , imatch_dest_dev( $interface ) unless get_interface_option( $interface, 'port' );
+	    if ( use_output_chain $interface, $outputref ) {
+		add_ijump $filter_table->{OUTPUT} , j => $outputref , imatch_dest_dev( $interface ) unless get_interface_option( $interface, 'port' ) || $output_jump_added{$interface}++;
 	    }
 	}
     }
 
+    add_ijump $filter_table->{INPUT} , j => 'ACCEPT', i => 'lo' unless $lo_jump_added++;
+
     handle_loopback_traffic;
 }
 
@@ -1270,58 +1473,21 @@ sub generate_matrix() {
     my  %ipsec_jump_added   = ();
 
     progress_message2 'Generating Rule Matrix...';
-    progress_message  '  Handling blacklisting and complex zones...';
+    progress_message  '  Handling complex zones...';
 
     #
-    # Special processing for complex and/or blacklisting configurations
+    # Special processing for complex configurations
     #
     for my $zone ( @zones ) {
 	my $zoneref = find_zone( $zone );
-	my $simple  =  @zones <= 2 && ! $zoneref->{options}{complex};
+	
+	next if  @zones <= 2 && ! $zoneref->{options}{complex};
 	#
-	# Handle blacklisting first
+	# Complex zone or we have more than one non-firewall zone -- process_rules created a zone forwarding chain
 	#
-	if ( $zoneref->{options}{in}{blacklist} ) {
-	    my $blackref = $filter_table->{blacklst};
-	    insert_ijump ensure_rules_chain( rules_chain( $zone, $_ ) ) , j => $blackref , -1, @state for firewall_zone, @vservers;
+	my $frwd_ref = $filter_table->{zone_forward_chain( $zone )};
 
-	    if ( $simple ) {
-		#
-		# We won't create a zone forwarding chain for this zone so we must add blacklisting jumps to the rules chains
-		#
-		for my $zone1 ( @zones ) {
-		    my $ruleschain    = rules_chain( $zone, $zone1 );
-		    my $ruleschainref = $filter_table->{$ruleschain};
-
-		    if ( ( $zone ne $zone1 || $ruleschainref->{referenced} ) && $ruleschainref->{policy} ne 'NONE' ) {
-			insert_ijump( ensure_rules_chain( $ruleschain ), j => $blackref, -1, @state );
-		    }
-		}
-	    }
-	}
-
-	if ( $zoneref->{options}{out}{blacklist} ) {
-	    my $blackref = $filter_table->{blackout};
-	    insert_ijump ensure_rules_chain( rules_chain( firewall_zone, $zone ) ) , j => $blackref , -1, @state;
-
-	    for my $zone1 ( @zones, @vservers ) {
-		my $ruleschain    = rules_chain( $zone1, $zone );
-		my $ruleschainref = $filter_table->{$ruleschain};
-
-		if ( ( $zone ne $zone1 || $ruleschainref->{referenced} ) && $ruleschainref->{policy} ne 'NONE' ) {
-		    insert_ijump( ensure_rules_chain( $ruleschain ), j => $blackref, -1, @state );
-		}
-	    }
-	}
-
-	next if $simple;
-
-	#
-	# Complex zone or we have more than one non-firewall zone -- create a zone forwarding chain
-	#
-	my $frwd_ref = new_standard_chain zone_forward_chain( $zone );
-
-	insert_ijump $frwd_ref , j => $filter_table->{blacklst}, -1, @state if $zoneref->{options}{in}{blacklist};
+	add_ijump( $frwd_ref , j => 'MARK --set-mark ' . in_hex( $zoneref->{mark} ) . '/' . in_hex( $globals{ZONE_MASK} ) ) if $zoneref->{mark};
 
 	if ( have_ipsec ) {
 	    #
@@ -1465,7 +1631,7 @@ sub generate_matrix() {
 		    for my $net ( @{$hostref->{hosts}} ) {
 			my @dest   = imatch_dest_net $net;
 
-			if ( $chain1 && zone_type ( $zone) != BPORT ) {
+			if ( $chain1 && ! ( zone_type( $zone) & BPORT ) ) {
 			    my $chain1ref = $filter_table->{$chain1};
 			    my $nextchain = dest_exclusion( $exclusions, $chain1 );
 			    my $outputref;
@@ -1557,7 +1723,6 @@ sub generate_matrix() {
 			my $interfacechainref = $filter_table->{input_chain $interface};
 			my @interfacematch;
 			my $use_input;
-			my $blacklist = $zoneref->{options}{in}{blacklist};
 
 			if ( @vservers || use_input_chain( $interface, $interfacechainref ) || ! $chain2 || ( @{$interfacechainref->{rules}} && ! $chain2ref ) ) {
 			    $inputchainref = $interfacechainref;
@@ -1649,7 +1814,7 @@ sub generate_matrix() {
 		    next if ( scalar ( keys( %{ $zoneref->{interfaces}} ) ) < 2 ) && ! $zoneref->{options}{in_out}{routeback};
 		}
 
-		if ( $zone1ref->{type} == BPORT ) {
+		if ( $zone1ref->{type} & BPORT ) {
 		    next unless $zoneref->{bridge} eq $zone1ref->{bridge};
 		}
 
@@ -1699,7 +1864,7 @@ sub generate_matrix() {
 		next if ( $num_ifaces = scalar( keys ( %{$zoneref->{interfaces}} ) ) ) < 2 && ! $zoneref->{options}{in_out}{routeback};
 	    }
 
-	    if ( $zone1ref->{type} == BPORT ) {
+	    if ( $zone1ref->{type} & BPORT ) {
 		next unless $zoneref->{bridge} eq $zone1ref->{bridge};
 	    }
 
@@ -1811,8 +1976,6 @@ sub generate_matrix() {
 
     add_interface_jumps @interfaces unless $interface_jumps_added;
 
-    promote_blacklist_rules;
-
     my %builtins = ( mangle => [ qw/PREROUTING INPUT FORWARD POSTROUTING/ ] ,
 		     nat=>     [ qw/PREROUTING OUTPUT POSTROUTING/ ] ,
 		     filter=>  [ qw/INPUT FORWARD OUTPUT/ ] );

Shorewall/Perl/Shorewall/Nat.pm

@@ -54,13 +54,16 @@ sub initialize() {
 #
 sub process_one_masq( )
 {
-    my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user ) = split_line1 2, 8, 'masq file';
+    my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user ) = 
+	split_line1 'masq file', { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7 };
 
     if ( $interfacelist eq 'COMMENT' ) {
 	process_comment;
 	return 1;
     }
 
+    fatal_error 'INTERFACE must be specified' if $interfacelist eq '-';
+
     my $pre_nat;
     my $add_snat_aliases = $config{ADD_SNAT_ALIASES};
     my $destnets = '';
@@ -374,7 +377,7 @@ sub setup_nat() {
 
 	while ( read_a_line ) {
 
-	    my ( $external, $interfacelist, $internal, $allints, $localnat ) = split_line1 3, 5, 'nat file';
+	    my ( $external, $interfacelist, $internal, $allints, $localnat ) = split_line1 'nat file', { external => 0, interface => 1, internal => 2, allints => 3, local => 4 };
 
 	    if ( $external eq 'COMMENT' ) {
 		process_comment;
@@ -383,6 +386,9 @@ sub setup_nat() {
 
 		$digit = defined $digit ? ":$digit" : '';
 
+		fatal_error 'EXTERNAL must be specified' if $external eq '-';
+		fatal_error 'INTERNAL must be specified' if $interfacelist eq '-';
+
 		for my $interface ( split_list $interfacelist , 'interface' ) {
 		    fatal_error "Invalid Interface List ($interfacelist)" unless supplied $interface;
 		    do_one_nat $external, "${interface}${digit}", $internal, $allints, $localnat;
@@ -403,14 +409,11 @@ sub setup_netmap() {
 
     if ( my $fn = open_file 'netmap' ) {
 
-	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty netmap file' , 's'; } );
+	first_entry "$doing $fn...";
 
 	while ( read_a_line ) {
 
-	    my ( $type, $net1, $interfacelist, $net2, $net3 ) = split_line 4, 5, 'netmap file';
-
-	    validate_net $net1, 0;
-	    validate_net $net2, 0;
+	    my ( $type, $net1, $interfacelist, $net2, $net3, $proto, $dport, $sport ) = split_line 'netmap file', { type => 0, net1 => 1, interface => 2, net2 => 3, net3 => 4, proto => 5, dport => 6, sport => 7 };
 
 	    $net3 = ALLIP if $net3 eq '-';
 
@@ -420,30 +423,49 @@ sub setup_netmap() {
 
 		fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
 
+		my @rule = do_iproto( $proto, $dport, $sport );
+
 		unless ( $type =~ /:/ ) {
 		    my @rulein;
 		    my @ruleout;
 		    
+		    validate_net $net1, 0;
+		    validate_net $net2, 0;
+
 		    unless ( $interfaceref->{root} ) {
 			@rulein  = imatch_source_dev( $interface );
 			@ruleout = imatch_dest_dev( $interface );
 			$interface = $interfaceref->{name};
 		    }
 
+		    require_capability 'NAT_ENABLED', 'Stateful NAT Entries', '';
+
 		    if ( $type eq 'DNAT' ) {
-			add_ijump ensure_chain( 'nat' , input_chain $interface ) ,  j => "NETMAP --to $net2", @rulein  , imatch_source_net( $net3 ), d => $net1;
+			dest_iexclusion(  ensure_chain( 'nat' , input_chain $interface ) , 
+					  j => 'NETMAP' ,
+					  "--to $net2",
+					  $net1 ,
+					  @rulein  ,
+					  imatch_source_net( $net3 ) );
 		    } elsif ( $type eq 'SNAT' ) {
-			add_ijump ensure_chain( 'nat' , output_chain $interface ) , j => "NETMAP --to $net2", @ruleout , imatch_dest_net( $net3 ) ,  s => $net1;
+			source_iexclusion( ensure_chain( 'nat' , output_chain $interface ) ,
+					   j => 'NETMAP' ,
+					   "--to $net2" ,
+					   $net1 ,
+					   @ruleout ,
+					   imatch_dest_net( $net3 ) );
 		    } else {
 			fatal_error "Invalid type ($type)";
 		    }
 		} elsif ( $type =~ /^(DNAT|SNAT):([POT])$/ ) {
 		    my ( $target , $chain ) = ( $1, $2 );
 		    my $table = 'raw';
-		    my @match = ();
+		    my @match;
 
 		    require_capability 'RAWPOST_TABLE', 'Stateless NAT Entries', '';
 
+		    validate_net $net2, 0;
+
 		    unless ( $interfaceref->{root} ) {
 			@match = imatch_dest_dev(  $interface ); 
 			$interface = $interfaceref->{name};
@@ -458,24 +480,31 @@ sub setup_netmap() {
 			$chain = postrouting_chain $interface;
 			$table = 'rawpost';
 		    }
+
+		    my $chainref = ensure_chain( $table, $chain );
+
 		    
-		    if ( $target eq 'DNAT' ) { 
-			add_ijump( ensure_chain( $table, $chain ) ,
-				   j          => 'RAWDNAT',
-				   targetopts => "--to-dest $net2",
-				   imatch_source_net( $net3 ) ,
-				   imatch_dest_net( $net1 ) ,
-				   @match );
+		    if ( $target eq 'DNAT' ) {
+			dest_iexclusion( $chainref ,
+					 j => 'RAWDNAT' ,
+					 "--to-dest $net2" ,
+					 $net1 ,
+					 imatch_source_net( $net3 ) ,
+					 @rule ,
+					 @match
+				       );
 		    } else {
-			add_ijump( ensure_chain( $table, $chain ) ,
-				   j          => 'RAWSNAT',
-				   targetopts => "--to-source $net2",
-				   imatch_dest_net( $net3 ) ,
-				   imatch_source_net( $net1 ) ,
-				   @match );
+			source_iexclusion( $chainref ,
+					   j  => 'RAWSNAT' ,
+					   "--to-source $net2" ,
+					   $net1 ,
+					   imatch_dest_net( $net3 ) ,
+					   @rule ,
+					   @match );
 		    }
 		} else {
-		    fatal_error "Invalid type ($type)";
+		    fatal_error 'TYPE must be specified' if $type eq '-';
+		    fatal_error "Invalid TYPE ($type)";
 		}
 		
 		progress_message "   Network $net1 on $iface mapped to $net2 ($type)";

Shorewall/Perl/Shorewall/Proc.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010,2011,2012 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -308,8 +308,7 @@ sub setup_interface_proc( $ ) {
     }
 
     if ( @emitted ) {
-	emit( '',
-	      'if [ $COMMAND = enable ]; then' );
+	emit( 'if [ $COMMAND = enable ]; then' );
 	push_indent;
 	emit "$_" for @emitted;
 	pop_indent;

Shorewall/Perl/Shorewall/Providers.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010.2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010.2011,2012 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -21,7 +21,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MAS 02110-1301 USA.
 #
 #   This module deals with the /etc/shorewall/providers,
-#   /etc/shorewall/route_rules and /etc/shorewall/routes files.
+#   /etc/shorewall/rtrules and /etc/shorewall/routes files.
 #
 package Shorewall::Providers;
 require Exporter;
@@ -38,13 +38,16 @@ our @EXPORT = qw( process_providers
 		  setup_providers
 		  @routemarked_interfaces
 		  handle_stickiness
-		  handle_optional_interfaces );
+		  handle_optional_interfaces
+		  setup_load_distribution
+	       );
 our @EXPORT_OK = qw( initialize lookup_provider );
-our $VERSION = 'MODULEVERSION';
+our $VERSION = '4.4_24';
 
 use constant { LOCAL_TABLE   => 255,
 	       MAIN_TABLE    => 254,
 	       DEFAULT_TABLE => 253,
+	       BALANCE_TABLE => 250,
 	       UNSPEC_TABLE  => 0
 	       };
 
@@ -52,11 +55,14 @@ my  @routemarked_providers;
 my  %routemarked_interfaces;
 our @routemarked_interfaces;
 my  %provider_interfaces;
+my  @load_providers;
+my  @load_interfaces;
 
 my $balancing;
 my $fallback;
 my $first_default_route;
 my $first_fallback_route;
+my $maxload;
 
 my %providers;
 
@@ -81,18 +87,22 @@ use constant { ROUTEMARKED_SHARED => 1, ROUTEMARKED_UNSHARED => 2 };
 sub initialize( $ ) {
     $family = shift;
 
-    @routemarked_providers = ();
+    @routemarked_providers  = ();
     %routemarked_interfaces = ();
     @routemarked_interfaces = ();
     %provider_interfaces    = ();
-    $balancing           = 0;
-    $fallback            = 0;
-    $first_default_route  = 1;
-    $first_fallback_route = 1;
+    @load_providers         = ();
+    @load_interfaces        = ();
+    $balancing              = 0;
+    $fallback               = 0;
+    $first_default_route    = 1;
+    $first_fallback_route   = 1;
+    $maxload                = 0;
 
     %providers  = ( local   => { number => LOCAL_TABLE   , mark => 0 , optional => 0 ,routes => [], rules => [] } ,
 		    main    => { number => MAIN_TABLE    , mark => 0 , optional => 0 ,routes => [], rules => [] } ,
 		    default => { number => DEFAULT_TABLE , mark => 0 , optional => 0 ,routes => [], rules => [] } ,
+		    balance => { number => BALANCE_TABLE , mark => 0 , optional => 0 ,routes => [], rules => [] } ,
 		    unspec  => { number => UNSPEC_TABLE  , mark => 0 , optional => 0 ,routes => [], rules => [] } );
     @providers = ();
 }
@@ -108,46 +118,68 @@ sub setup_route_marking() {
     add_ijump $mangle_table->{$_} , j => 'CONNMARK', targetopts => "--restore-mark --mask $mask", connmark => "! --mark 0/$mask" for qw/PREROUTING OUTPUT/;
 
     my $chainref  = new_chain 'mangle', 'routemark';
-    my $chainref1 = new_chain 'mangle', 'setsticky';
-    my $chainref2 = new_chain 'mangle', 'setsticko';
 
-    my %marked_interfaces;
+    if ( @routemarked_providers ) {
+	my $chainref1 = new_chain 'mangle', 'setsticky';
+	my $chainref2 = new_chain 'mangle', 'setsticko';
 
-    for my $providerref ( @routemarked_providers ) {
-	my $interface = $providerref->{interface};
-	my $physical  = $providerref->{physical};
-	my $mark      = $providerref->{mark};
+	my %marked_interfaces;
 
-	unless ( $marked_interfaces{$interface} ) {
-	    add_ijump $mangle_table->{PREROUTING} , j => $chainref,  i => $physical,     mark => "--mark 0/$mask";
-	    add_ijump $mangle_table->{PREROUTING} , j => $chainref1, i => "! $physical", mark => "--mark  $mark/$mask";
-	    add_ijump $mangle_table->{OUTPUT}     , j => $chainref2,                     mark => "--mark  $mark/$mask";
-	    $marked_interfaces{$interface} = 1;
+	for my $providerref ( @routemarked_providers ) {
+	    my $interface = $providerref->{interface};
+	    my $physical  = $providerref->{physical};
+	    my $mark      = $providerref->{mark};
+
+	    unless ( $marked_interfaces{$interface} ) {
+		add_ijump $mangle_table->{PREROUTING} , j => $chainref,  i => $physical,     mark => "--mark 0/$mask";
+		add_ijump $mangle_table->{PREROUTING} , j => $chainref1, i => "! $physical", mark => "--mark  $mark/$mask";
+		add_ijump $mangle_table->{OUTPUT}     , j => $chainref2,                     mark => "--mark  $mark/$mask";
+		$marked_interfaces{$interface} = 1;
+	    }
+
+	    if ( $providerref->{shared} ) {
+		add_commands( $chainref, qq(if [ -n "$providerref->{mac}" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional};
+		add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}", imatch_source_dev( $interface ), mac => "--mac-source $providerref->{mac}";
+		decr_cmd_level( $chainref ), add_commands( $chainref, "fi\n" ) if $providerref->{optional};
+	    } else {
+		add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}", imatch_source_dev( $interface );
+	    }
 	}
 
-	if ( $providerref->{shared} ) {
-	    add_commands( $chainref, qq(if [ -n "$providerref->{mac}" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional};
-	    add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}", imatch_source_dev( $interface ), mac => "--mac-source $providerref->{mac}";
-	    decr_cmd_level( $chainref ), add_commands( $chainref, "fi\n" ) if $providerref->{optional};
-	} else {
-	    add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}", imatch_source_dev( $interface );
-	}
+	add_ijump $chainref, j => 'CONNMARK', targetopts => "--save-mark --mask $mask", mark => "! --mark 0/$mask";
     }
 
-    add_ijump $chainref, j => 'CONNMARK', targetopts => "--save-mark --mask $mask", mark => "! --mark 0/$mask";
+    if ( @load_interfaces ) {
+	my $chainref1 = new_chain 'mangle', 'balance';
+	my @match;
+
+	add_ijump $chainref,               g => $chainref1, mark => "--mark 0/$mask";
+	add_ijump $mangle_table->{OUTPUT}, j => $chainref1, state_imatch( 'NEW,RELATED' ), mark => "--mark 0/$mask";
+
+	for my $physical ( @load_interfaces ) {
+
+	    my $chainref2 = new_chain( 'mangle', load_chain( $physical ) );
+
+	    dont_optimize $chainref2;
+	    dont_move     $chainref2;
+	    dont_delete   $chainref2;
+	
+  	    add_ijump ( $chainref1,
+			j => $chainref2 ,
+		        mark => "--mark 0/$mask" );
+	}
+    }
 }
 
 sub copy_table( $$$ ) {
     my ( $duplicate, $number, $realm ) = @_;
-    #
-    # Hack to work around problem in iproute
-    #
-    my $filter = $family == F_IPV6 ? q(sed 's/ via :: / /' | ) : '';
+    
+    my $filter = $family == F_IPV6 ? q(fgrep -v ' cache ' | sed 's/ via :: / /' | ) : '';
 
     emit '';
 
     if ( $realm ) {
-	emit  ( "\$IP -$family -o route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | while read net route; do" )
+	emit  ( "\$IP -$family -o route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | ${filter}while read net route; do" )
     } else {
 	emit  ( "\$IP -$family -o route show table $duplicate | ${filter}while read net route; do" )
     }
@@ -155,9 +187,22 @@ sub copy_table( $$$ ) {
     emit ( '    case $net in',
 	   '        default)',
 	   '            ;;',
-	   '        *)',
-	   "            run_ip route add table $number \$net \$route $realm",
-	   '            ;;',
+	   '        *)' );
+	   
+    if ( $family == F_IPV4 ) {
+	emit ( '            case $net in',
+	       '                255.255.255.255*)',
+	       '                    ;;',
+	       '                *)',
+	       "                    run_ip route add table $number \$net \$route $realm",
+	       '                    ;;',
+	       '            esac',
+	     );
+    } else {
+	emit ( "            run_ip route add table $number \$net \$route $realm" );
+    }
+
+    emit ( '            ;;',
 	   '    esac',
 	   "done\n"
 	 );
@@ -165,10 +210,8 @@ sub copy_table( $$$ ) {
 
 sub copy_and_edit_table( $$$$ ) {
     my ( $duplicate, $number, $copy, $realm) = @_;
-    #
-    # Hack to work around problem in iproute
-    #
-    my $filter = $family == F_IPV6 ? q(sed 's/ via :: / /' | ) : '';
+
+    my $filter = $family == F_IPV6 ? q(fgrep -v ' cache ' | sed 's/ via :: / /' | ) : '';
     #
     # Map physical names in $copy to logical names
     #
@@ -176,12 +219,12 @@ sub copy_and_edit_table( $$$$ ) {
     #
     # Shell and iptables use a different wildcard character
     #
-    $copy =~ s/\+/*/;
+    $copy =~ s/\+/*/g;
     
     emit '';
 
     if ( $realm ) {
-	emit  ( "\$IP -$family -o route show table $duplicate | sed -r 's/ realm [[:alnum:]]+//' | while read net route; do" )
+	emit  ( "\$IP -$family -o route show table $duplicate | sed -r 's/ realm [[:alnum:]]+//' | ${filter}while read net route; do" )
     } else {
 	emit  ( "\$IP -$family -o route show table $duplicate | ${filter}while read net route; do" )
     }
@@ -191,9 +234,21 @@ sub copy_and_edit_table( $$$$ ) {
 	    '            ;;',
 	    '        *)',
 	    '            case $(find_device $route) in',
-	    "                $copy)",
-	    "                    run_ip route add table $number \$net \$route $realm",
-	    '                    ;;',
+	    "                $copy)" );
+    if ( $family == F_IPV4 ) {
+	emit (  '                    case $net in',
+		'                        255.255.255.255*)',
+		'                            ;;',
+		'                        *)',
+		"                            run_ip route add table $number \$net \$route $realm",
+		'                            ;;',
+		'                    esac',
+	     );
+    } else {
+	emit (  "                    run_ip route add table $number \$net \$route $realm" );
+    } 
+
+    emit (  '                    ;;',
 	    '            esac',
 	    '            ;;',
 	    '    esac',
@@ -208,14 +263,27 @@ sub balance_default_route( $$$$ ) {
     emit '';
 
     if ( $first_default_route ) {
-	if ( $gateway ) {
-	    emit "DEFAULT_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
+	if ( $family == F_IPV4 ) {
+	    if ( $gateway ) {
+		emit "DEFAULT_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
+	    } else {
+		emit "DEFAULT_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
+	    }
 	} else {
-	    emit "DEFAULT_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
+	    #
+	    # IPv6 doesn't support multi-hop routes
+	    #
+	    if ( $gateway ) {
+		emit "DEFAULT_ROUTE=\"via $gateway dev $interface $realm\"";
+	    } else {
+		emit "DEFAULT_ROUTE=\"dev $interface $realm\"";
+	    }
 	}
 
 	$first_default_route = 0;
     } else {
+	fatal_error "Only one 'balance' provider is allowed with IPv6" if $family == F_IPV6;
+
 	if ( $gateway ) {
 	    emit "DEFAULT_ROUTE=\"\$DEFAULT_ROUTE nexthop via $gateway dev $interface weight $weight $realm\"";
 	} else {
@@ -232,14 +300,27 @@ sub balance_fallback_route( $$$$ ) {
     emit '';
 
     if ( $first_fallback_route ) {
-	if ( $gateway ) {
-	    emit "FALLBACK_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
+	if ( $family == F_IPV4 ) {
+	    if ( $gateway ) {
+		emit "FALLBACK_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
+	    } else {
+		emit "FALLBACK_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
+	    }
 	} else {
-	    emit "FALLBACK_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
+	    #
+	    # IPv6 doesn't support multi-hop routes
+	    #
+	    if ( $gateway ) {
+		emit "FALLBACK_ROUTE=\"via $gateway dev $interface $realm\"";
+	    } else {
+		emit "FALLBACK_ROUTE=\"dev $interface $realm\"";
+	    }
 	}
 
 	$first_fallback_route = 0;
     } else {
+	fatal_error "Only one 'fallback' provider is allowed with IPv6" if $family == F_IPV6;
+
 	if ( $gateway ) {
 	    emit "FALLBACK_ROUTE=\"\$FALLBACK_ROUTE nexthop via $gateway dev $interface weight $weight $realm\"";
 	} else {
@@ -267,14 +348,17 @@ sub start_provider( $$$ ) {
 #
 sub process_a_provider() {
 
-    my ($table, $number, $mark, $duplicate, $interface, $gateway,  $options, $copy ) = split_line 6, 8, 'providers file';
+    my ($table, $number, $mark, $duplicate, $interface, $gateway,  $options, $copy ) =
+	split_line 'providers file', { table => 0, number => 1, mark => 2, duplicate => 3, interface => 4, gateway => 5, options => 6, copy => 7 };
 
     fatal_error "Duplicate provider ($table)" if $providers{$table};
 
+    fatal_error 'NAME must be specified' if $table eq '-';
     fatal_error "Invalid Provider Name ($table)" unless $table =~ /^[\w]+$/;
 
     my $num = numeric_value $number;
 
+    fatal_error 'NUMBER must be specified' if $number eq '-';
     fatal_error "Invalid Provider number ($number)" unless defined $num;
 
     $number = $num;
@@ -283,6 +367,8 @@ sub process_a_provider() {
 	fatal_error "Duplicate provider number ($number)" if $providerref->{number} == $number;
     }
 
+    fatal_error 'INTERFACE must be specified' if $interface eq '-';
+
     ( $interface, my $address ) = split /:/, $interface;
 
     my $shared = 0;
@@ -312,8 +398,8 @@ sub process_a_provider() {
 	$gateway = '';
     }
 
-    my ( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $local ) =
-	(0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), ''  , 0 );
+    my ( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $local , $load ) =
+	(0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), ''  , 0      , 0 );
 
     unless ( $options eq '-' ) {
 	for my $option ( split_list $options, 'option' ) {
@@ -323,17 +409,19 @@ sub process_a_provider() {
 	    } elsif ( $option eq 'notrack' ) {
 		$track = 0;
 	    } elsif ( $option =~ /^balance=(\d+)$/ ) {
-		fatal_error q('balance' is not available in IPv6) if $family == F_IPV6;
+		fatal_error q('balance=<weight>' is not available in IPv6) if $family == F_IPV6;
 		$balance = $1;
 	    } elsif ( $option eq 'balance' ) {
-		fatal_error q('balance' is not available in IPv6) if $family == F_IPV6;
 		$balance = 1;
 	    } elsif ( $option eq 'loose' ) {
 		$loose   = 1;
 		$default_balance = 0;
 	    } elsif ( $option eq 'optional' ) {
-		warning_message q(The 'optional' provider option is deprecated - use the 'optional' interface option instead);
-		set_interface_option $interface, 'optional', 1;
+		unless ( $shared ) {
+		    warning_message q(The 'optional' provider option is deprecated - use the 'optional' interface option instead);
+		    set_interface_option $interface, 'optional', 1;
+		}
+
 		$optional = 1;
 	    } elsif ( $option =~ /^src=(.*)$/ ) {
 		fatal_error "OPTION 'src' not allowed on shared interface" if $shared;
@@ -341,24 +429,20 @@ sub process_a_provider() {
 	    } elsif ( $option =~ /^mtu=(\d+)$/ ) {
 		$mtu = "mtu $1 ";
 	    } elsif ( $option =~ /^fallback=(\d+)$/ ) {
-		fatal_error q('fallback' is not available in IPv6) if $family == F_IPV6;
-		if ( $config{USE_DEFAULT_RT} ) {
-		    warning_message "'fallback' is ignored when USE_DEFAULT_RT=Yes";
-		} else {
-		    $default = $1;
-		    fatal_error 'fallback must be non-zero' unless $default;
-		}
+		fatal_error q('fallback=<weight>' is not available in IPv6) if $family == F_IPV6;
+		$default = $1;
+		$default_balance = 0;
+		fatal_error 'fallback must be non-zero' unless $default;
 	    } elsif ( $option eq 'fallback' ) {
-		fatal_error q('fallback' is not available in IPv6) if $family == F_IPV6;
-		if ( $config{USE_DEFAULT_RT} ) {
-		    warning_message "'fallback' is ignored when USE_DEFAULT_RT=Yes";
-		} else {
-		    $default = -1;
-		}
+		$default = -1;
+		$default_balance = 0;
 	    } elsif ( $option eq 'local' ) {
 		$local = 1;
 		$track = 0           if $config{TRACK_PROVIDERS};
-		$default_balance = 0 if$config{USE_DEFAULT_RT};
+		$default_balance = 0 if $config{USE_DEFAULT_RT};
+	    } elsif ( $option =~ /^load=(0?\.\d{1,8})/ ) {
+		$load = $1;
+		require_capability 'STATISTIC_MATCH', "load=$load", 's';
 	    } else {
 		fatal_error "Invalid option ($option)";
 	    }
@@ -367,6 +451,12 @@ sub process_a_provider() {
 
     fatal_error q(The 'balance' and 'fallback' options are mutually exclusive) if $balance && $default;
 
+    if ( $load ) {
+	fatal_error q(The 'balance=<weight>' and 'load=<load-factor>' options are mutually exclusive) if $balance > 1;
+	fatal_error q(The 'fallback=<weight>' and 'load=<load-factor>' options are mutually exclusive) if $default > 1;
+	$maxload += $load;
+    }
+
     if ( $local ) {
 	fatal_error "GATEWAY not valid with 'local' provider" unless $gatewaycase eq 'none';
 	fatal_error "'track' not valid with 'local'"          if $track;
@@ -439,6 +529,7 @@ sub process_a_provider() {
 			   duplicate   => $duplicate ,
 			   address     => $address ,
 			   local       => $local ,
+			   load        => $load ,
 			   rules       => [] ,
 			   routes      => [] ,
 			 };
@@ -457,8 +548,11 @@ sub process_a_provider() {
 	push @routemarked_providers, $providers{$table};
     }
 
+    push @load_interfaces, $physical if $load;
+
     push @providers, $table;
 
+    progress_message "   Provider \"$currentline\" $done";
 }
 
 #
@@ -487,6 +581,8 @@ sub add_a_provider( $$ ) {
     my $duplicate   = $providerref->{duplicate};
     my $address     = $providerref->{address};
     my $local       = $providerref->{local};
+    my $load        = $providerref->{load};
+
     my $dev         = chain_base $physical;
     my $base        = uc $dev;
     my $realm = '';
@@ -513,7 +609,23 @@ sub add_a_provider( $$ ) {
 	    }
 	}
     }
+
+    emit( qq(echo $load > \${VARDIR}/${physical}_load) ) if $load;
+
+    emit( '', 
+	  "cat <<EOF >> \${VARDIR}/undo_${table}_routing" );
     
+    emit_unindented 'case \$COMMAND in';
+    emit_unindented '    enable|disable)';
+    emit_unindented '        ;;';
+    emit_unindented '    *)';
+    emit_unindented "        rm -f \${VARDIR}/${physical}_load" if $load;
+    emit_unindented <<"CEOF", 1;
+        rm -f \${VARDIR}/${physical}.status
+        ;;
+esac
+EOF
+CEOF
     #
     # /proc for this interface
     #
@@ -549,23 +661,23 @@ sub add_a_provider( $$ ) {
 	    emit "run_ip route replace $gateway src $address dev $physical ${mtu}";
 	    emit "run_ip route replace $gateway src $address dev $physical ${mtu}table $number $realm";
 	} else {
-	    emit "qt \$IP -6 route del $gateway src $address dev $physical ${mtu}";
-	    emit "run_ip route add $gateway src $address dev $physical ${mtu}";
+	    emit "qt \$IP -6 route add $gateway src $address dev $physical ${mtu}";
 	    emit "qt \$IP -6 route del $gateway src $address dev $physical ${mtu}table $number $realm";
 	    emit "run_ip route add $gateway src $address dev $physical ${mtu}table $number $realm";
 	}
-   	
+
 	emit "run_ip route add default via $gateway src $address dev $physical ${mtu}table $number $realm";
     }
 
-    balance_default_route( $balance , $gateway, $physical, $realm ) if $balance;
-
-    if ( $default > 0 ) {
+    if ( $balance ) {
+	balance_default_route( $balance , $gateway, $physical, $realm );
+    } elsif ( $default > 0 ) {
 	balance_fallback_route( $default , $gateway, $physical, $realm );
     } elsif ( $default ) {
 	emit '';
 	if ( $gateway ) {
 	    if ( $family == F_IPV4 ) {
+		emit qq(run_ip route replace $gateway dev $physical table ) . DEFAULT_TABLE;
 		emit qq(run_ip route replace default via $gateway src $address dev $physical table ) . DEFAULT_TABLE . qq( metric $number);
 	    } else {
 		emit qq(qt \$IP -6 route del default via $gateway src $address dev $physical table ) . DEFAULT_TABLE . qq( metric $number);
@@ -576,12 +688,21 @@ sub add_a_provider( $$ ) {
 	    emit qq(run_ip route add default table ) . DEFAULT_TABLE . qq( dev $physical metric $number);
 	    emit qq(echo "qt \$IP -$family route del default dev $physical table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_${table}_routing);
 	}
+	
+	$fallback = 1;
     }
 
+    emit( qq(\n) ,
+	  qq(if ! \$IP -6 rule ls | egrep -q "32767:[[:space:]]+from all lookup (default|253)"; then) ,
+	  qq(    qt \$IP -6 rule add from all table ) . DEFAULT_TABLE . qq( prio 32767\n) ,
+	  qq(fi) ) if $family == F_IPV6;
+
     unless ( $local ) {
+	emit '';
+
 	if ( $loose ) {
 	    if ( $config{DELETE_THEN_ADD} ) {
-		emit ( "\nfind_interface_addresses $physical | while read address; do",
+		emit ( "find_interface_addresses $physical | while read address; do",
 		       "    qt \$IP -$family rule del from \$address",
 		       'done'
 		     );
@@ -591,13 +712,9 @@ sub add_a_provider( $$ ) {
 	    emit( "run_ip rule add from $address pref 20000 table $number" ,
 		  "echo \"qt \$IP -$family rule del from $address\" >> \${VARDIR}/undo_${table}_routing" );
 	} else {
-	    my $rulebase = 20000 + ( 256 * ( $number - 1 ) );
-
-	    emit "\nrulenum=$rulebase\n";
-
 	    emit  ( "find_interface_addresses $physical | while read address; do" );
 	    emit  ( "    qt \$IP -$family rule del from \$address" ) if $config{DELETE_THEN_ADD};
-	    emit  ( "    run_ip rule add from \$address pref \$rulenum table $number",
+	    emit  ( "    run_ip rule add from \$address pref 20000 table $number",
 		    "    echo \"qt \$IP -$family rule del from \$address\" >> \${VARDIR}/undo_${table}_routing",
 		    '    rulenum=$(($rulenum + 1))',
 		    'done'
@@ -615,43 +732,69 @@ sub add_a_provider( $$ ) {
 	emit $_ for @{$providers{$table}->{routes}};
     }
 
-    emit( '',
-	  'if [ $COMMAND = enable ]; then'
-	);
-
-    push_indent;
-
-    my ( $tbl, $weight ); 
+    emit( '' );
     
-    if ( $balance || $default ) {
-	$tbl    = $default || $config{USE_DEFAULT_RT} ? DEFAULT_TABLE : MAIN_TABLE;
-	$weight = $balance ? $balance : $default;
+    my ( $tbl, $weight );
 
-	if ( $gateway ) {
-	    emit qq(add_gateway "nexthop via $gateway dev $physical weight $weight $realm" ) . $tbl;
-	} else {
-	    emit qq(add_gateway "nexthop dev $physical weight $weight $realm" ) . $tbl;
+    emit( qq(echo 0 > \${VARDIR}/${physical}.status) );
+
+    if ( $optional ) {	
+	emit( '',
+	      'if [ $COMMAND = enable ]; then' );
+
+	push_indent;
+
+	if ( $balance || $default > 0 ) {
+	    $tbl    = $default ? DEFAULT_TABLE : $config{USE_DEFAULT_RT} ? BALANCE_TABLE : MAIN_TABLE;
+	    $weight = $balance ? $balance : $default;
+
+	    if ( $family == F_IPV4 ) {
+		if ( $gateway ) {
+		    emit qq(add_gateway "nexthop via $gateway dev $physical weight $weight $realm" ) . $tbl;
+		} else {
+		    emit qq(add_gateway "nexthop dev $physical weight $weight $realm" ) . $tbl;
+		}
+	    } else {
+		#
+		# IPv6 doesn't support multi-hop routes
+		#
+		if ( $gateway ) {
+		    emit qq(add_gateway "via $gateway dev $physical $realm" ) . $tbl;
+		} else {
+		    emit qq(add_gateway "nexthop dev $physical $realm" ) . $tbl;
+		}
+	    }
+	    	} else {
+	    $weight = 1;
 	}
 
+	emit ( "distribute_load $maxload @load_interfaces" ) if $load;
+
+	unless ( $shared ) {
+	    emit( "setup_${dev}_tc" ) if $tcdevices->{$interface};
+	}
+
+	emit ( qq(progress_message2 "   Provider $table ($number) Started") );
+
+	pop_indent;
+ 
+	emit( 'else' );
+	emit( qq(    echo $weight > \${VARDIR}/${physical}_weight) ,
+	      qq(    progress_message "   Provider $table ($number) Started"),
+	      qq(fi\n)
+	    );
+    } else {
+	emit( qq(echo 0 > \${VARDIR}/${physical}.status) );
+	emit( qq(progress_message "Provider $table ($number) Started") );
     }
-
-    emit( "setup_${dev}_tc" ) if $tcdevices->{$interface};
-
-    emit ( qq(progress_message2 "   Provider $table ($number) Started") );
-
-    pop_indent;
-	  
-    emit( 'else',
-	  qq(    echo $weight > \${VARDIR}/${physical}_weight),
-	  qq(    progress_message "   Provider $table ($number) Started"),
-	  "fi\n"
-	);
-
+    
     pop_indent;
 
     emit 'else';
 
     push_indent;
+    
+    emit( qq(echo 1 > \${VARDIR}/${physical}.status) );
 
     if ( $optional ) {
 	if ( $shared ) {
@@ -686,30 +829,45 @@ sub add_a_provider( $$ ) {
 
 	my $undo = "\${VARDIR}/undo_${table}_routing";
 
-	emit( "if [ -f $undo ]; then",
-	      "    . $undo",
-	      "    > $undo" );
+	emit( "if [ -f $undo ]; then" );
 
-	if ( $balance || $default ) {
-	    $tbl    = $fallback || ( $config{USE_DEFAULT_RT} ? DEFAULT_TABLE : MAIN_TABLE );
+	push_indent;
+
+	if ( $balance || $default > 0 ) {
+	    $tbl    = $default ? DEFAULT_TABLE : $config{USE_DEFAULT_RT} ? BALANCE_TABLE : MAIN_TABLE;
 	    $weight = $balance ? $balance : $default;
 
-	    my $via = 'via';
+	    my $via;
 
-	    $via .= " $gateway"       if $gateway;
-	    $via .= " dev $physical";
-	    $via .= " weight $weight";
+	    if ( $gateway ) {
+		$via = "via $gateway dev $physical";
+	    } else {    
+		$via = "dev $physical";
+	    }
+
+	    $via .= " weight $weight" unless $weight < 0 or $family == F_IPV6; # IPv6 doesn't support route weights
 	    $via .= " $realm"         if $realm;
 
-	    emit( qq(    delete_gateway "$via" $tbl $physical) );
+	    emit( qq(delete_gateway "$via" $tbl $physical) );
 	}
-	
-	emit( '', 
-	      "    qt \$TC qdisc del dev $physical root",
-	      "    qt \$TC qdisc del dev $physical ingress\n" ) if $tcdevices->{$interface};
 
-	emit( "    progress_message2 \"Provider $table stopped\"",
-              'else',
+	emit (". $undo",
+	      "> $undo" );
+
+	emit ( '',
+	       "distribute_load $maxload @load_interfaces" ) if $load;
+
+	unless ( $shared ) {
+	    emit( '', 
+		  "qt \$TC qdisc del dev $physical root",
+		  "qt \$TC qdisc del dev $physical ingress\n" ) if $tcdevices->{$interface};
+	}
+
+	emit( "progress_message2 \"   Provider $table ($number) stopped\"" );
+
+	pop_indent;
+
+	emit( 'else',
 	      "    startup_error \"$undo does not exist\"",
 	      'fi'
 	    );
@@ -718,12 +876,10 @@ sub add_a_provider( $$ ) {
 
 	emit '}';
     }
-
-    progress_message "   Provider \"$currentline\" $done";
 }
 
 sub add_an_rtrule( ) {
-    my ( $source, $dest, $provider, $priority ) = split_line 4, 4, 'route_rules file';
+    my ( $source, $dest, $provider, $priority, $originalmark ) = split_line 'rtrules file', { source => 0, dest => 1, provider => 2, priority => 3 , mark => 4 };
 
     our $current_if;
 
@@ -750,7 +906,7 @@ sub add_an_rtrule( ) {
     my $number = $providerref->{number};
 
     fatal_error "You may not add rules for the $provider provider" if $number == LOCAL_TABLE || $number == UNSPEC_TABLE;
-    fatal_error "You must specify either the source or destination in a route_rules entry" if $source eq '-' && $dest eq '-';
+    fatal_error "You must specify either the source or destination in a rtrules entry" if $source eq '-' && $dest eq '-';
 
     if ( $dest eq '-' ) {
 	$dest = 'to ' . ALLIP;
@@ -761,6 +917,8 @@ sub add_an_rtrule( ) {
 
     if ( $source eq '-' ) {
 	$source = 'from ' . ALLIP;
+    } elsif ( $source =~ s/^&// ) {
+	$source = 'from ' . record_runtime_address $source;
     } elsif ( $family == F_IPV4 ) {
 	if ( $source =~ /:/ ) {
 	    ( my $interface, $source , my $remainder ) = split( /:/, $source, 3 );
@@ -786,22 +944,36 @@ sub add_an_rtrule( ) {
 	$source = "iif $source";
     }
 
+    my $mark = '';
+    my $mask;
+
+    if ( $originalmark ne '-' ) {
+	validate_mark( $originalmark );
+
+	( $mark, $mask ) = split '/' , $originalmark;
+	$mask = $globals{PROVIDER_MASK} unless supplied $mask;
+
+	$mark = ' fwmark ' . in_hex( $mark ) . '/' . in_hex( $mask );
+    }
+
     fatal_error "Invalid priority ($priority)" unless $priority && $priority =~ /^\d{1,5}$/;
 
     $priority = "priority $priority";
 
-    push @{$providerref->{rules}}, "qt \$IP -$family rule del $source $dest $priority" if $config{DELETE_THEN_ADD};
-    push @{$providerref->{rules}}, "run_ip rule add $source $dest $priority table $number";
-    push @{$providerref->{rules}}, "echo \"qt \$IP -$family rule del $source $dest $priority\" >> \${VARDIR}/undo_${provider}_routing";
+    push @{$providerref->{rules}}, "qt \$IP -$family rule del $source ${dest}${mark} $priority" if $config{DELETE_THEN_ADD};
+    push @{$providerref->{rules}}, "run_ip rule add $source ${dest}${mark} $priority table $number";
+    push @{$providerref->{rules}}, "echo \"qt \$IP -$family rule del $source ${dest}${mark} $priority\" >> \${VARDIR}/undo_${provider}_routing";
 
     progress_message "   Routing rule \"$currentline\" $done";
 }
 
 sub add_a_route( ) {
-    my ( $provider, $dest, $gateway, $device ) = split_line 2, 4, 'routes file';
+    my ( $provider, $dest, $gateway, $device ) = split_line 'routes file', { provider => 0, dest => 1, gateway => 2, device => 3 };
 
     our $current_if;
 
+    fatal_error 'PROVIDER must be specified' if $provider eq '-';
+
     unless ( $providers{$provider} ) {
 	my $found = 0;
 
@@ -820,6 +992,7 @@ sub add_a_route( ) {
 	fatal_error "Unknown provider ($provider)" unless $found;
     }
 
+    fatal_error 'DEST must be specified' if $dest eq '-';
     validate_net ( $dest, 1 );
 
     validate_address ( $gateway, 1 ) if $gateway ne '-';
@@ -896,18 +1069,20 @@ sub start_providers() {
 }
 
 sub finish_providers() {
+    my $table = MAIN_TABLE;
+    
+    if ( $config{USE_DEFAULT_RT} ) {
+	emit ( 'run_ip rule add from ' . ALLIP . ' table ' . MAIN_TABLE .    ' pref 999',
+	       'run_ip rule add from ' . ALLIP . ' table ' . BALANCE_TABLE . ' pref 32765',
+	       "\$IP -$family rule del from " . ALLIP . ' table ' . MAIN_TABLE . ' pref 32766',
+	       qq(echo "qt \$IP -$family rule add from ) . ALLIP . ' table ' . MAIN_TABLE .    ' pref 32766" >> ${VARDIR}/undo_main_routing',
+	       qq(echo "qt \$IP -$family rule del from ) . ALLIP . ' table ' . MAIN_TABLE .    ' pref 999" >> ${VARDIR}/undo_main_routing',
+	       qq(echo "qt \$IP -$family rule del from ) . ALLIP . ' table ' . BALANCE_TABLE . ' pref 32765" >> ${VARDIR}/undo_balance_routing',
+	       '' );
+	$table = BALANCE_TABLE;
+    }
+
     if ( $balancing ) {
-	my $table = MAIN_TABLE;
-
-	if ( $config{USE_DEFAULT_RT} ) {
-	    emit ( 'run_ip rule add from ' . ALLIP . ' table ' . MAIN_TABLE . ' pref 999',
-		   "\$IP -$family rule del from " . ALLIP . ' table ' . MAIN_TABLE . ' pref 32766',
-		   qq(echo "qt \$IP -$family rule add from ) . ALLIP . ' table ' . MAIN_TABLE . ' pref 32766" >> ${VARDIR}/undo_main_routing',
-		   qq(echo "qt \$IP -$family rule del from ) . ALLIP . ' table ' . MAIN_TABLE . ' pref 999" >> ${VARDIR}/undo_main_routing',
-		   '' );
-	    $table = DEFAULT_TABLE;
-	}
-
 	emit  ( 'if [ -n "$DEFAULT_ROUTE" ]; then' );
 	if ( $family == F_IPV4 ) {
 	    emit  ( "    run_ip route replace default scope global table $table \$DEFAULT_ROUTE" );
@@ -956,6 +1131,8 @@ sub finish_providers() {
 	emit( "    progress_message \"Fallback route '\$(echo \$FALLBACK_ROUTE | sed 's/\$\\s*//')' Added\"",
 	      'fi',
 	      '' );
+    } elsif ( $config{USE_DEFAULT_RT} ) {
+	emit "qt \$IP -$family route del default table " . DEFAULT_TABLE;
     }
 
     unless ( $config{KEEP_RT_TABLES} ) {
@@ -968,7 +1145,7 @@ sub finish_providers() {
 			      '#',
 			      LOCAL_TABLE   . "\tlocal",
 			      MAIN_TABLE    . "\tmain",
-			      DEFAULT_TABLE . "\tdefault",
+			      $config{USE_DEFAULT_RT} ? ( DEFAULT_TABLE . "\tdefault\n" . BALANCE_TABLE . "\tbalance" ) : DEFAULT_TABLE . "\tdefault",
 			      "0\tunspec",
 			      '#',
 			      '# local',
@@ -993,7 +1170,15 @@ sub process_providers( $ ) {
     }
 
     if ( $providers ) {
-	my $fn = open_file 'route_rules';
+	my $fn = open_file( 'route_rules' );
+
+	if ( $fn ){
+	    if ( -f ( my $fn1 = find_file 'rtrules' ) ) {
+		warning_message "Both $fn and $fn1 exists: $fn1 will be ignored";
+	    }
+	} else {
+	    $fn = open_file( 'rtrules' );
+	}
 
 	if ( $fn ) {
 	    first_entry "$doing $fn...";
@@ -1031,14 +1216,21 @@ EOF
     for my $provider (@providers ) {
 	my $providerref = $providers{$provider};
 
-	emit( "$providerref->{physical})",
-	      "    if [ -z \"`\$IP -$family route ls table $providerref->{number}`\" ]; then", 
-	      "        start_provider_$provider",
-	      '    else',
-	      '        startup_error "Interface $g_interface is already enabled"',
-	      '    fi',
-	      '    ;;'
-	    ) if $providerref->{optional};
+	if ( $providerref->{optional} ) {
+	    if ( $providerref->{shared} || $providerref->{physical} eq $provider) {
+		emit "$provider})";
+	    } else {
+		emit( "$providerref->{physical}|$provider)" );
+	    }
+
+	    emit ( "    if [ -z \"`\$IP -$family route ls table $providerref->{number}`\" ]; then", 
+		   "        start_provider_$provider",
+		   '    else',
+		   "        startup_error \"Interface $providerref->{physical} is already enabled\"",
+		   '    fi',
+		   '    ;;'
+		 );
+	}
     }
 
     pop_indent;
@@ -1046,7 +1238,7 @@ EOF
 
     emit << 'EOF';;
         *)
-            startup_error "$g_interface is not an optional provider interface"
+            startup_error "$g_interface is not an optional provider or provider interface"
             ;;
     esac
 }
@@ -1066,11 +1258,11 @@ EOF
     for my $provider (@providers ) {
 	my $providerref = $providers{$provider};
 
-	emit( "$providerref->{physical})",
+	emit( "$providerref->{physical}|$provider)",
 	      "    if [ -n \"`\$IP -$family route ls table $providerref->{number}`\" ]; then", 
 	      "        stop_provider_$provider",
 	      '    else',
-	      '        startup_error "Interface $g_interface is already disabled"',
+	      "        startup_error \"Interface $providerref->{physical} is already disabled\"",
 	      '    fi',
 	      '    ;;'
 	    ) if $providerref->{optional};
@@ -1113,7 +1305,7 @@ sub setup_providers() {
 	pop_indent;
 	emit "fi\n";
 
-	setup_route_marking if @routemarked_interfaces;
+	setup_route_marking if @routemarked_interfaces || @load_interfaces;
     } else {
 	emit "\nif [ -z \"\$g_noroutes\" ]; then";
 
@@ -1312,17 +1504,17 @@ sub handle_stickiness( $ ) {
 
 		for my $chainref ( $stickyref, $setstickyref ) {
 		    if ( $chainref->{name} eq 'sticky' ) {
-			$rule1 = $_;
+			$rule1 = clone_rule( $_ );
 
 			set_rule_target( $rule1, 'MARK',   "--set-mark $mark" );
 			set_rule_option( $rule1, 'recent', "--name $list --update --seconds 300" );
 
-			$rule2 = $_;
+			$rule2 = clone_rule( $_ );
 
 			clear_rule_target( $rule2 );
 			set_rule_option( $rule2, 'mark', "--mark 0/$mask -m recent --name $list --remove" );
 		    } else {
-			$rule1 = $_;
+			$rule1 = clone_rule( $_ );
 
 			clear_rule_target( $rule1 );
 			set_rule_option( $rule1, 'mark', "--mark $mark\/$mask -m recent --name $list --set" ); 
@@ -1345,17 +1537,29 @@ sub handle_stickiness( $ ) {
 
 		for my $chainref ( $stickoref, $setstickoref ) {
 		    if ( $chainref->{name} eq 'sticko' ) {
-			$rule1 = $_;
+			$rule1 = {};
+
+			while ( my ( $key, $value ) = each %$_ ) {
+			    $rule1->{$key} = $value;
+			}
 
 			set_rule_target( $rule1, 'MARK',   "--set-mark $mark" );
-			set_rule_option( $rule1, 'recent', " --name $list --rdest --update --seconds 300 -j MARK --set-mark $mark" );
+			set_rule_option( $rule1, 'recent', " --name $list --rdest --update --seconds 300" );
 
-			$rule2 = $_;
+			$rule2 = {};
+
+			while ( my ( $key, $value ) = each %$_ ) {
+			    $rule2->{$key} = $value;
+			}
 			
 			clear_rule_target( $rule2 );
 			set_rule_option  ( $rule2, 'mark', "--mark 0\/$mask -m recent --name $list --rdest --remove" );
 		    } else {
-			$rule1 = $_;
+			$rule1 = {};
+
+			while ( my ( $key, $value ) = each %$_ ) {
+			    $rule1->{$key} = $value;
+			}
 
 			clear_rule_target( $rule1 );
 			set_rule_option  ( $rule1, 'mark', "--mark $mark -m recent --name $list --rdest --set" );
@@ -1373,10 +1577,17 @@ sub handle_stickiness( $ ) {
 	}
     }
 
-    if ( @routemarked_providers ) {
+    if ( @routemarked_providers || @load_interfaces ) {
 	delete_jumps $mangle_table->{PREROUTING}, $setstickyref unless @{$setstickyref->{rules}};
 	delete_jumps $mangle_table->{OUTPUT},     $setstickoref unless @{$setstickoref->{rules}};
     }
 }
 
+sub setup_load_distribution() {
+    emit ( '',
+	   "        distribute_load $maxload @load_interfaces" ,
+	   '' 
+	 ) if @load_interfaces;
+}
+
 1;

Shorewall/Perl/Shorewall/Proxyarp.pm

@@ -84,7 +84,7 @@ sub setup_one_proxy_arp( $$$$$$$ ) {
 	    emit "[ -n \"\$g_noroutes\" ] || run_ip route replace $address/32 dev $physical";
 	} else {
 	    emit( 'if [ -z "$g_noroutes" ]; then',
-		  "    qt \$IP -6 route del $address/128 dev $physical".
+		  "    qt \$IP -6 route del $address/128 dev $physical",
 		  "    run_ip route add $address/128 dev $physical",
 		  'fi'
 		);
@@ -122,13 +122,15 @@ sub setup_proxy_arp() {
 
 	while ( read_a_line ) {
 
-	    my ( $address, $interface, $external, $haveroute, $persistent ) = split_line 3, 5, $file_opt;
+	    my ( $address, $interface, $external, $haveroute, $persistent ) =
+		split_line $file_opt . 'file ', { address => 0, interface => 1, external => 2, haveroute => 3, persistent => 4 };
 
 	    if ( $first_entry ) {
 		progress_message2 "$doing $fn...";
 		$first_entry = 0;
 	    }
 
+	    fatal_error 'EXTERNAL must be specified' if $external eq '-';
 	    fatal_error "Unknown interface ($external)" unless known_interface $external;
 	    fatal_error "Wildcard interface ($external) not allowed" if $external =~ /\+$/;
 	    $reset{$external} = 1 unless $set{$external};

Shorewall/Perl/Shorewall/Raw.pm

@@ -36,12 +36,14 @@ our @EXPORT = qw( setup_notrack );
 our @EXPORT_OK = qw( );
 our $VERSION = 'MODULEVERSION';
 
+my %valid_ctevent = ( new => 1, related => 1, destroy => 1, reply => 1, assured => 1, protoinfo => 1, helper => 1, mark => 1, natseqinfo => 1, secmark => 1 );
+
 #
 # Notrack
 #
-sub process_notrack_rule( $$$$$$ ) {
+sub process_notrack_rule( $$$$$$$ ) {
 
-    my ($source, $dest, $proto, $ports, $sports, $user ) = @_;
+    my ($action, $source, $dest, $proto, $ports, $sports, $user ) = @_;
 
     $proto  = ''    if $proto  eq 'any';
     $ports  = ''    if $ports  eq 'any' || $ports  eq 'all';
@@ -55,42 +57,110 @@ sub process_notrack_rule( $$$$$$ ) {
     fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-' && $restriction != OUTPUT_RESTRICT;
     require_capability 'RAW_TABLE', 'Notrack rules', '';
 
+    my $target = $action;
+    my $exception_rule = '';
     my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user );
 
-    expand_rule
-	$chainref ,
-	$restriction ,
-	$rule ,
-	$source ,
-	$dest ,
-	'' ,
-	'NOTRACK' ,
-	'' ,
-	'NOTRACK' ,
-	'' ;
+    unless ( $action eq 'NOTRACK' ) {
+	(  $target, my ( $option, $args, $junk ) ) = split ':', $action, 4;
 
+	fatal_error "Invalid notrack ACTION ( $action )" if $junk || $target ne 'CT';
+
+	require_capability 'CT_TARGET', 'CT entries in the notrack file', '';
+
+	if ( $option eq 'notrack' ) {
+	    fatal_error "Invalid notrack ACTION ( $action )" if supplied $args;
+	    $action = 'CT --notrack';
+	} else {
+	    fatal_error "Invalid or missing CT option and arguments" unless supplied $option && supplied $args;
+
+	    if ( $option eq 'helper' ) {
+		fatal_error "Invalid helper' ($args)" if $args =~ /,/;
+		validate_helper( $args, $proto );
+		$action = "CT --helper $args";
+		$exception_rule = do_proto( $proto, '-', '-' );
+	    } elsif ( $option eq 'ctevents' ) {
+		for ( split ',', $args ) {
+		    fatal_error "Invalid 'ctevents' event ($_)" unless $valid_ctevent{$_};
+		}
+
+		$action = "CT --ctevents $args";
+	    } elsif ( $option eq 'expevent' ) {
+		fatal_error "Invalid expevent argument ($args)" unless $args eq 'new';
+	    } elsif ( $option eq 'zone' ) {
+		fatal_error "Invalid zone id ($args)" unless $args =~ /^\d+$/;
+	    } else {
+		fatal_error "Invalid CT option ($option)";
+	    }
+	}
+    }
+
+    expand_rule( $chainref ,
+		 $restriction ,
+		 $rule,
+		 $source ,
+		 $dest ,
+		 '' ,
+		 $action ,
+		 '' ,
+		 $target ,
+		 $exception_rule );
+    
     progress_message "  Notrack rule \"$currentline\" $done";
 
     $globals{UNTRACKED} = 1;
 }
 
+sub process_format( $ ) {
+    my $format = shift;
+
+    fatal_error q(FORMAT must be '1' or '2') unless $format =~ /^[12]$/;
+
+    $format;
+}
+
 sub setup_notrack() {
 
+    my $format = 1;
+    my $action = 'NOTRACK';
+
     if ( my $fn = open_file 'notrack' ) {
 
 	first_entry "$doing $fn...";
 
 	my $nonEmpty = 0;
 
-	while ( read_a_line ) {
+	while ( read_a_line ) {	    
+	    my ( $source, $dest, $proto, $ports, $sports, $user );
 
-	    my ( $source, $dest, $proto, $ports, $sports, $user ) = split_line1 1, 6, 'Notrack File';
-
-	    if ( $source eq 'COMMENT' ) {
-		process_comment;
+	    if ( $format == 1 ) {
+		( $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Notrack File', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5 };
+		
+		if ( $source eq 'FORMAT' ) {
+		    $format = process_format( $dest );
+		    next;
+		}
+		
+		if ( $source eq 'COMMENT' ) {
+		    process_comment;
+		    next;
+		}	    
 	    } else {
-		process_notrack_rule $source, $dest, $proto, $ports, $sports, $user;
+		( $action, $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Notrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6 }, { COMMENT => 0, FORMAT => 2 };
+		
+		if ( $action eq 'FORMAT' ) {
+		    $format = process_format( $source );
+		    $action = 'NOTRACK';
+		    next;
+		}
+		
+		if ( $action eq 'COMMENT' ) {
+		    process_comment;
+		    next;
+		}	    
 	    }
+	    
+	    process_notrack_rule $action, $source, $dest, $proto, $ports, $sports, $user;
 	}
 
 	clear_comment;

Shorewall/Perl/Shorewall/Rules.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010,2011,2012 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -77,6 +77,21 @@ my $rule_commands   = { COMMENT => 0, FORMAT => 2, SECTION => 2 };
 my $action_commands = { COMMENT => 0, FORMAT => 2, SECTION => 2, DEFAULTS => 2 };
 my $macro_commands  = { COMMENT => 0, FORMAT => 2, SECTION => 2, DEFAULT => 2 };
 
+my %rulecolumns = ( action    =>   0,
+		    source    =>   1,
+		    dest      =>   2,
+		    proto     =>   3,
+		    dport     =>   4,
+		    sport     =>   5,
+		    origdest  =>   6,
+		    rate      =>   7,
+		    user      =>   8,
+		    mark      =>   9,
+		    connlimit =>  10,
+		    time      =>  11,
+		    headers   =>  12,
+		    switch    =>  13 );
+
 use constant { MAX_MACRO_NEST_LEVEL => 5 };
 
 my $macro_nest_level;
@@ -101,7 +116,6 @@ my %auditpolicies = ( ACCEPT => 1,
 		      DROP   => 1,
 		      REJECT => 1
 		    );
-
 #
 # Rather than initializing globals in an INIT block or during declaration,
 # we initialize them in a function. This is done for two reasons:
@@ -297,12 +311,17 @@ sub process_a_policy() {
     our %validpolicies;
     our @zonelist;
 
-    my ( $client, $server, $originalpolicy, $loglevel, $synparams, $connlimit ) = split_line 3, 6, 'policy file';
+    my ( $client, $server, $originalpolicy, $loglevel, $synparams, $connlimit ) =
+	split_line 'policy file', { source => 0, dest => 1, policy => 2, loglevel => 3, limit => 4, connlimit => 5 } ;
 
     $loglevel  = '' if $loglevel  eq '-';
     $synparams = '' if $synparams eq '-';
     $connlimit = '' if $connlimit eq '-';
 
+    fatal_error 'SOURCE must be specified' if $client eq '-';
+    fatal_error 'DEST must be specified'   if $server eq '-';
+    fatal_error 'POLICY must be specified' if $originalpolicy eq '-';
+
     my $clientwild = ( "\L$client" eq 'all' );
 
     fatal_error "Undefined zone ($client)" unless $clientwild || defined_zone( $client );
@@ -358,7 +377,7 @@ sub process_a_policy() {
     }
 
     unless ( $clientwild || $serverwild ) {
-	if ( zone_type( $server ) == BPORT ) {
+	if ( zone_type( $server ) & BPORT ) {
 	    fatal_error "Invalid policy - DEST zone is a Bridge Port zone but the SOURCE zone is not associated with the same bridge"
 		unless find_zone( $client )->{bridge} eq find_zone( $server)->{bridge} || single_interface( $client ) eq find_zone( $server )->{bridge};
 	}
@@ -494,11 +513,11 @@ sub process_policies()
 
     for $zone ( all_zones ) {
 	push @policy_chains, ( new_policy_chain $zone,         $zone, 'ACCEPT', PROVISIONAL, 0 );
-	push @policy_chains, ( new_policy_chain firewall_zone, $zone, 'NONE',   PROVISIONAL, 0 ) if zone_type( $zone ) == BPORT;
+	push @policy_chains, ( new_policy_chain firewall_zone, $zone, 'NONE',   PROVISIONAL, 0 ) if zone_type( $zone ) & BPORT;
 
 	my $zoneref = find_zone( $zone );
 
-	if ( $config{IMPLICIT_CONTINUE} && ( @{$zoneref->{parents}} || $zoneref->{type} == VSERVER ) ) {
+	if ( $config{IMPLICIT_CONTINUE} && ( @{$zoneref->{parents}} || $zoneref->{type} & VSERVER ) ) {
 	    for my $zone1 ( all_zones ) {
 		unless( $zone eq $zone1 ) {
 		    add_or_modify_policy_chain( $zone, $zone1, 0 );
@@ -657,8 +676,6 @@ sub complete_standard_chain ( $$$$ ) {
     policy_rules $stdchainref , $policy , $loglevel, $defaultaction, 0;
 }
 
-sub require_audit($$;$);
-
 #
 # Create and populate the synflood chains corresponding to entries in /etc/shorewall/policy
 #
@@ -721,10 +738,12 @@ sub ensure_rules_chain( $ )
 {
     my ($chain) = @_;
 
-    my $chainref = ensure_chain 'filter', $chain;
+    my $chainref = $filter_table->{$chain};
+
+    $chainref = new_chain( 'filter', $chain ) unless $chainref;
 
     unless ( $chainref->{referenced} ) {
-	if ( $section eq 'NEW' or $section eq 'DONE' ) {
+	if ( $section =~/^(NEW|DONE)$/ ) {
 	    finish_chain_section $chainref , 'ESTABLISHED,RELATED';
 	} elsif ( $section eq 'RELATED' ) {
 	    finish_chain_section $chainref , 'ESTABLISHED';
@@ -741,11 +760,33 @@ sub ensure_rules_chain( $ )
 #
 sub finish_chain_section ($$) {
     my ($chainref, $state ) = @_;
-    my $chain = $chainref->{name};
+    my $chain               = $chainref->{name};
+    my $related_level       = $config{RELATED_LOG_LEVEL};
+    my $related_target      = $globals{RELATED_TARGET};
     
     push_comment(''); #These rules should not have comments
 
-    add_ijump $chainref, j => 'ACCEPT', state_imatch $state unless $config{FASTACCEPT};
+    if ( $state =~ /RELATED/ && ( $related_level || $related_target ne 'ACCEPT' ) ) {
+
+	if ( $related_level ) {
+	    my $relatedref = new_chain( 'filter', "+$chainref->{name}" );
+	    log_rule( $related_level,
+		      $relatedref,
+		      $config{RELATED_DISPOSITION},
+		      '' );
+	    add_ijump( $relatedref, g => $related_target );
+		    
+	    $related_target = $relatedref->{name};
+	}
+
+	add_ijump $chainref, g => $related_target, state_imatch 'RELATED';
+
+	$state =~ s/,?RELATED//;
+    }
+
+    if ( $state ) {
+	add_ijump $chainref, j => 'ACCEPT', state_imatch $state unless $config{FASTACCEPT};
+    }
 
     if ($sections{NEW} ) {
 	if ( $chainref->{is_policy} ) {
@@ -1354,7 +1395,7 @@ sub process_actions() {
 	open_file $file;
 
 	while ( read_a_line ) {
-	    my ( $action ) = split_line 1, 1, 'action file';
+	    my ( $action ) = split_line 'action file' , { action => 0 };
 
 	    if ( $action =~ /:/ ) {
 		warning_message 'Default Actions are now specified in /etc/shorewall/shorewall.conf';
@@ -1382,11 +1423,11 @@ sub process_actions() {
 
 }
 
-sub process_rule1 ( $$$$$$$$$$$$$$$$ );
+sub process_rule1 ( $$$$$$$$$$$$$$$$$ );
 
 #
 # Populate an action invocation chain. As new action tuples are encountered,
-# the function will be called recursively by process_rules_common().
+# the function will be called recursively by process_rule1().
 #
 sub process_action( $) {
     my $chainref = shift;
@@ -1415,16 +1456,19 @@ sub process_action( $) {
 
 	while ( read_a_line ) {
 
-	    my ($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers );
+	    my ($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition );
 
 	    if ( $format == 1 ) {
-		($target, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark ) = split_line1 1, 9, 'action file', $rule_commands;
-		$origdest = $connlimit = $time = $headers = '-';
+		($target, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark ) =
+		    split_line1 'action file', { target => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, rate => 6, user => 7, mark => 8 }, $rule_commands;
+		$origdest = $connlimit = $time = $headers = $condition = '-';
 	    } else {
-		($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers )
-		    = split_line1 1, 13, 'action file', $action_commands;
+		($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition )
+		    = split_line1 'action file', \%rulecolumns, $action_commands;
 	    }
 
+	    fatal_error 'TARGET must be specified' if $target eq '-';
+
 	    if ( $target eq 'COMMENT' ) {
 		process_comment;
 		next;
@@ -1456,6 +1500,7 @@ sub process_action( $) {
 			   $connlimit,
 			   $time,
 			   $headers,
+			   $condition,
 			   0 );
 	}
 
@@ -1485,8 +1530,8 @@ sub use_policy_action( $ ) {
 #
 # Expand a macro rule from the rules file
 #
-sub process_macro ( $$$$$$$$$$$$$$$$$ ) {
-    my ($macro, $chainref, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $wildcard ) = @_;
+sub process_macro ( $$$$$$$$$$$$$$$$$$ ) {
+    my ($macro, $chainref, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $wildcard ) = @_;
 
     my $nocomment = no_comment;
 
@@ -1504,15 +1549,17 @@ sub process_macro ( $$$$$$$$$$$$$$$$$ ) {
 
     while ( read_a_line ) {
 
-	my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders );
+	my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition );
 
 	if ( $format == 1 ) {
-	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line1 1, 8, 'macro file', $rule_commands;
-	    ( $morigdest, $mmark, $mconnlimit, $mtime, $mheaders ) = qw/- - - - -/;
+	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line1 'macro file', \%rulecolumns, $rule_commands;
+	    ( $morigdest, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition ) = qw/- - - - - -/;
 	} else {
-	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders ) = split_line1 1, 13, 'macro file', $rule_commands;
+	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition ) = split_line1 'macro file', \%rulecolumns, $rule_commands;
 	}
 
+	fatal_error 'TARGET must be specified' if $mtarget eq '-';
+	
 	if ( $mtarget eq 'COMMENT' ) {
 	    process_comment unless $nocomment;
 	    next;
@@ -1586,6 +1633,7 @@ sub process_macro ( $$$$$$$$$$$$$$$$$ ) {
 				    merge_macro_column( $mconnlimit, $connlimit) ,
 				    merge_macro_column( $mtime,      $time ),
 				    merge_macro_column( $mheaders,   $headers ),
+				    merge_macro_column( $mcondition, $condition ),
 				    $wildcard
 				   );
 
@@ -1618,7 +1666,7 @@ sub verify_audit($;$$) {
 # Similarly, if a new action tuple is encountered, this function is called recursively for each rule in the action 
 # body. In this latter case, a reference to the tuple's chain is passed in the first ($chainref) argument.
 #
-sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
+sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
     my ( $chainref,   #reference to Action Chain if we are being called from process_action(); undef otherwise
 	 $target, 
 	 $current_param,
@@ -1634,6 +1682,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 	 $connlimit,
 	 $time,
 	 $headers,
+	 $condition,
 	 $wildcard ) = @_;
 
     my ( $action, $loglevel) = split_action $target;
@@ -1643,6 +1692,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
     my $inaction = '';
     my $normalized_target;
     my $normalized_action;
+    my $blacklist = ( $section eq 'BLACKLIST' );
  
     ( $inaction, undef, undef, undef ) = split /:/, $normalized_action = $chainref->{action}, 4 if defined $chainref;
 
@@ -1665,9 +1715,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 	#
 	fatal_error "Macro invocations nested too deeply" if ++$macro_nest_level > MAX_MACRO_NEST_LEVEL;
 
-	if ( $param ne '' ) {
-	    $current_param = $param unless $param eq 'PARAM';
-	}
+	$current_param = $param unless $param eq '' || $param eq 'PARAM';
 
 	my $generated = process_macro( $basictarget,
 				       $chainref,
@@ -1685,6 +1733,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 				       $connlimit,
 				       $time,
 				       $headers,
+				       $condition,
 				       $wildcard );
 
 	$macro_nest_level--;
@@ -1708,7 +1757,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
     #
     # We can now dispense with the postfix character
     #
-    $action =~ s/[\+\-!]$//;
+    fatal_error "The +, - and ! modifiers are not allowed in the blrules file" if $action =~ s/[\+\-!]$// && $blacklist;
     #
     # Handle actions
     #
@@ -1742,8 +1791,9 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 	fatal_error "The $basictarget TARGET does not accept parameters" if $action =~ s/\(\)$//;
     }
 
-    if ( $inaction ) {
-	$targets{$inaction} |= NATRULE if $actiontype & (NATRULE | NONAT | NATONLY ) 
+    if ( $actiontype & (NATRULE | NONAT | NATONLY ) ) {
+	$targets{$inaction} |= NATRULE if $inaction;
+	fatal_error "NAT rules are only allowed in the NEW section" unless $section eq 'NEW';
     }
     #
     # Take care of irregular syntax and targets
@@ -1755,7 +1805,9 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 
 	$bt =~ s/[-+!]$//;
 
-	my %functions = ( REDIRECT => sub () {
+	my %functions = ( ACCEPT => sub() { $action = 'RETURN' if $blacklist; } ,
+
+			  REDIRECT => sub () {
 			      my $z = $actiontype & NATONLY ? '' : firewall_zone;
 			      if ( $dest eq '-' ) {
 				  $dest = $inaction ? '' : join( '', $z, '::' , $ports =~ /[:,]/ ? '' : $ports );
@@ -1765,9 +1817,18 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 				  $dest = join( '', $z, '::', $dest ) unless $dest =~ /^[^\d].*:/;
 			      }
 			  } ,
+
 			  REJECT => sub { $action = 'reject'; } ,
+
 			  CONTINUE => sub { $action = 'RETURN'; } ,
+
+			  WHITELIST => sub { 
+			      fatal_error "'WHITELIST' may only be used in the blrules file" unless $blacklist; 
+			      $action = 'RETURN';
+			  } ,
+
 			  COUNT => sub { $action = ''; } ,
+
 			  LOG => sub { fatal_error 'LOG requires a log level' unless supplied $loglevel; } ,
 		     );
 
@@ -1844,10 +1905,10 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
     my $restriction = NO_RESTRICT;
 
     unless ( $inaction ) {
-	if ( $sourceref && ( $sourceref->{type} == FIREWALL || $sourceref->{type} == VSERVER ) ) {
-	    $restriction = $destref && ( $destref->{type} == FIREWALL || $destref->{type} == VSERVER ) ? ALL_RESTRICT : OUTPUT_RESTRICT;
+	if ( $sourceref && ( $sourceref->{type} & ( FIREWALL | VSERVER ) ) ) {
+	    $restriction = $destref && ( $destref->{type} & ( FIREWALL | VSERVER ) ) ? ALL_RESTRICT : OUTPUT_RESTRICT;
 	} else {
-	    $restriction = INPUT_RESTRICT if $destref && ( $destref->{type} == FIREWALL || $destref->{type} == VSERVER );
+	    $restriction = INPUT_RESTRICT if $destref && ( $destref->{type} & ( FIREWALL | VSERVER ) );
 	}
     }
 
@@ -1871,7 +1932,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 	    #
 	    # Check for illegal bridge port rule
 	    #
-	    if ( $destref->{type} == BPORT ) {
+	    if ( $destref->{type} & BPORT ) {
 		unless ( $sourceref->{bridge} eq $destref->{bridge} || single_interface( $sourcezone ) eq $destref->{bridge} ) {
 		    return 0 if $wildcard;
 		    fatal_error "Rules with a DESTINATION Bridge Port zone must have a SOURCE zone on the same bridge";
@@ -1892,7 +1953,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 	    #
 	    # Handle Optimization
 	    #
-	    if ( $optimize > 0 ) {
+	    if ( $optimize > 0 && $section eq 'NEW' ) {
 		my $loglevel = $filter_table->{$chainref->{policychain}}{loglevel};
 		if ( $loglevel ne '' ) {
 		    return 0 if $target eq "${policy}:$loglevel}";
@@ -1905,9 +1966,23 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 	    #
 	    $chainref = ensure_rules_chain $chain;
 	    #
-	    # Don't let the rules in this chain be moved elsewhere
+	    # Handle use of the blacklist chain
 	    #
-	    dont_move $chainref;
+	    if ( $blacklist ) {
+		my $blacklistchain = blacklist_chain( ${sourcezone}, ${destzone} );
+		my $blacklistref = $filter_table->{$blacklistchain};
+		
+		unless ( $blacklistref  ) {
+		    my @state;
+		    $blacklistref = new_chain 'filter', $blacklistchain;
+		    $blacklistref->{blacklistsection} = 1;
+		    @state = state_imatch( 'NEW,INVALID' ) if $config{BLACKLISTNEWONLY};
+		    add_ijump( $chainref, j => $blacklistref, @state );
+		}
+		    
+		$chain = $blacklistchain;
+		$chainref = $blacklistref;
+	    }
 	}
     }
     #
@@ -1925,6 +2000,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 		      do_connlimit( $connlimit ),
 		      do_time( $time ) ,
 		      do_headers( $headers ) ,
+		      do_condition( $condition ) ,
 		    );
     } else {
 	$rule = join( '',
@@ -1934,14 +2010,20 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 		      do_test( $mark , $globals{TC_MASK} ) ,
 		      do_connlimit( $connlimit ),
 		      do_time( $time ) ,
-		      do_headers( $headers )
+		      do_headers( $headers ) ,
+		      do_condition( $condition ) ,
 		    );
     }
 
     unless ( $section eq 'NEW' || $inaction ) {
-	fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" if $config{FASTACCEPT};
+	if ( $config{FASTACCEPT} ) {
+	    fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" unless 
+		$section eq 'BLACKLIST' ||
+		( $section eq 'RELATED' && ( $config{RELATED_DISPOSITION} ne 'ACCEPT' || $config{RELATED_LOG_LEVEL} ) )
+	}
+
 	fatal_error "$basictarget rules are not allowed in the $section SECTION" if $actiontype & ( NATRULE | NONAT );
-	$rule .= "$globals{STATEMATCH} $section " unless $section eq 'ALL';
+	$rule .= "$globals{STATEMATCH} $section " unless $section eq 'ALL' || $blacklist;
     }
 
     #
@@ -2081,8 +2163,10 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 	    $rule = join( '',
 			  do_proto( $proto, $ports, $sports ),
 			  do_ratelimit( $ratelimit, 'ACCEPT' ),
-			  do_user $user ,
-			  do_test( $mark , $globals{TC_MASK} ) );
+			  do_user $user,
+			  do_test( $mark , $globals{TC_MASK} ),
+			  do_condition( $condition )
+			);
 	    $loglevel = '';
 	    $dest     = $server;
 	    $action   = 'ACCEPT';
@@ -2109,11 +2193,11 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 	my $chn;
 
 	if ( $inaction ) {
-	    $nonat_chain = ensure_chain 'nat', $chain;
+	    $nonat_chain = ensure_chain( 'nat', $chain );
 	} elsif ( $sourceref->{type} == FIREWALL ) {
 	    $nonat_chain = $nat_table->{OUTPUT};
 	} else {
-	    $nonat_chain = ensure_chain 'nat', dnat_chain $sourcezone;
+	    $nonat_chain = ensure_chain( 'nat', dnat_chain( $sourcezone ) );
 
 	    my @interfaces = keys %{zone_interfaces $sourcezone};
 
@@ -2154,6 +2238,8 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 	    }
 	}
 
+	dont_move( dont_optimize( $nonat_chain ) ) if $tgt eq 'RETURN';
+
 	expand_rule( $nonat_chain ,
 		     PREROUTE_RESTRICT ,
 		     $rule ,
@@ -2165,19 +2251,6 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 		     $log_action ,
 		     '',
 		   );
-	#
-	# Possible optimization if the rule just generated was a simple jump to the nonat chain
-	#
-	if ( $chn && ${$nonat_chain->{rules}}[-1] eq "-A -j $tgt" ) {
-	    #
-	    # It was -- delete that rule
-	    #
-	    pop @{$nonat_chain->{rules}};
-	    #
-	    # And move the rules from the nonat chain to the zone dnat chain
-	    #
-	    move_rules ( $chn, $nonat_chain );
-	}
     }
 
     #
@@ -2188,6 +2261,8 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 	if ( $actiontype & ACTION ) {
 	    $action = $usedactions{$normalized_target}{name};
 	    $loglevel = '';
+	} else {
+	    dont_move( dont_optimize ( $chainref ) ) if $action eq 'RETURN';
 	}
 
 	if ( $origdest ) {
@@ -2202,7 +2277,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 
 	verify_audit( $action ) if $actiontype & AUDIT;
 
-	expand_rule( ensure_chain( 'filter', $chain ) ,
+	expand_rule( $chainref ,
 		     $restriction ,
 		     $rule ,
 		     $source ,
@@ -2231,7 +2306,9 @@ sub process_section ($) {
     fatal_error "Duplicate or out of order SECTION $sect" if $sections{$sect};
     $sections{$sect} = 1;
 
-    if ( $sect eq 'ESTABLISHED' ) {
+    if ( $sect eq 'BLACKLIST' ) {
+	fatal_error "The BLACKLIST section has been eliminated. Please move your BLACKLIST rules to the 'blrules' file";
+    } elsif ( $sect eq 'ESTABLISHED' ) {
 	$sections{ALL} = 1;
     } elsif ( $sect eq 'RELATED' ) {
 	@sections{'ALL','ESTABLISHED'} = ( 1, 1);
@@ -2313,8 +2390,10 @@ sub build_zone_list( $$$\$\$ ) {
 # Process a Record in the rules file
 #
 sub process_rule ( ) {
-    my ( $target, $source, $dest, $protos, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $headers )
-	= split_line1 1, 13, 'rules file', $rule_commands;
+    my ( $target, $source, $dest, $protos, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $headers, $condition )
+	= split_line1 'rules file', \%rulecolumns, $rule_commands;
+
+    fatal_error 'ACTION must be specified' if $target eq '-';
 
     process_comment,            return 1 if $target eq 'COMMENT';
     process_section( $source ), return 1 if $target eq 'SECTION';
@@ -2367,6 +2446,7 @@ sub process_rule ( ) {
 						 $connlimit,
 						 $time,
 						 $headers,
+						 $condition,
 						 $wild );
 		}
 	    }
@@ -2379,11 +2459,116 @@ sub process_rule ( ) {
 }
 
 #
-# Process the Rules File
+# Add jumps to the blacklst and blackout chains
 #
-sub process_rules() {
+sub classic_blacklist() {
+    my $fw       = firewall_zone;
+    my @zones    = off_firewall_zones;
+    my @vservers = vserver_zones;
+    my @state = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID' : ();
+    my $result;
+    
+    for my $zone ( @zones ) {
+	my $zoneref = find_zone( $zone );
+	my $simple  =  @zones <= 2 && ! $zoneref->{options}{complex};
+	
+	if ( $zoneref->{options}{in}{blacklist} ) {
+	    my $blackref = $filter_table->{blacklst};
+	    add_ijump ensure_rules_chain( rules_chain( $zone, $_ ) ) , j => $blackref , @state for firewall_zone, @vservers;
 
-    my $fn = open_file 'rules';
+	    if ( $simple ) {
+		#
+		# We won't create a zone forwarding chain for this zone so we must add blacklisting jumps to the rules chains
+		#
+		for my $zone1 ( @zones ) {
+		    my $ruleschain    = rules_chain( $zone, $zone1 );
+		    my $ruleschainref = $filter_table->{$ruleschain};
+
+		    if ( ( $zone ne $zone1 || $ruleschainref->{referenced} ) && $ruleschainref->{policy} ne 'NONE' ) {
+			add_ijump( ensure_rules_chain( $ruleschain ), j => $blackref, @state );
+		    }
+		}
+	    }
+
+	    $result = 1;
+	}
+
+	if ( $zoneref->{options}{out}{blacklist} ) {
+	    my $blackref = $filter_table->{blackout};
+	    add_ijump ensure_rules_chain( rules_chain( firewall_zone, $zone ) ) , j => $blackref , @state;
+
+	    for my $zone1 ( @zones, @vservers ) {
+		my $ruleschain    = rules_chain( $zone1, $zone );
+		my $ruleschainref = $filter_table->{$ruleschain};
+
+		if ( ( $zone ne $zone1 || $ruleschainref->{referenced} ) && $ruleschainref->{policy} ne 'NONE' ) {
+		    add_ijump( ensure_rules_chain( $ruleschain ), j => $blackref, @state );
+		}
+	    }
+
+	    $result = 1;
+	}
+
+	unless ( $simple ) {
+	    #
+	    # Complex zone or we have more than one non-firewall zone -- create a zone forwarding chain
+	    #
+	    my $frwd_ref = new_standard_chain zone_forward_chain( $zone );
+
+	    add_ijump( $frwd_ref , j => $filter_table->{blacklst}, @state ) if $zoneref->{options}{in}{blacklist};
+	}
+    }
+
+    $result;
+}
+
+#
+# Process the BLRules and Rules Files
+#
+sub process_rules( $ ) {
+    my $convert = shift;
+    my $blrules = 0;
+    #
+    # Generate jumps to the classic blacklist chains
+    #
+    $blrules = classic_blacklist unless $convert;
+    #
+    # Process the blrules file
+    #
+    $section = 'BLACKLIST';
+
+    my $fn = open_file 'blrules';
+
+    if ( $fn ) {
+	first_entry( sub () {
+			 my ( $level, $disposition ) = @config{'BLACKLIST_LOGLEVEL', 'BLACKLIST_DISPOSITION' };
+			 my  $audit       = $disposition =~ /^A_/;
+			 my  $target      = $disposition eq 'REJECT' ? 'reject' : $disposition;
+
+			 progress_message2 "$doing $currentfilename...";
+
+			 if ( supplied $level ) {
+			     ensure_blacklog_chain( $target, $disposition, $level, $audit );
+			     ensure_audit_blacklog_chain( $target, $disposition, $level ) if have_capability 'AUDIT_TARGET';
+			 } elsif ( $audit ) {
+			     require_capability 'AUDIT_TARGET', "BLACKLIST_DISPOSITION=$disposition", 's';
+			     verify_audit( $disposition );
+			 } elsif ( have_capability 'AUDIT_TARGET' ) {
+			     verify_audit( 'A_' . $disposition );
+			 }
+
+			 $blrules = 1;
+		     }
+		   );
+
+	process_rule while read_a_line;
+    }
+
+    $section = '';
+
+    add_interface_options( $blrules );
+
+    $fn = open_file 'rules';
 
     if ( $fn ) {
 

Shorewall/Perl/Shorewall/Tc.pm

@@ -104,6 +104,9 @@ my  %flow_keys = ( 'src'            => 1,
 		   'sk-gid'         => 1,
 		   'vlan-tag'       => 1 );
 
+my %designator = ( F => 'tcfor' ,
+		   T => 'tcpost' );
+
 my  %tosoptions = ( 'tos-minimize-delay'       => '0x10/0x10' ,
 		    'tos-maximize-throughput'  => '0x08/0x08' ,
 		    'tos-maximize-reliability' => '0x04/0x04' ,
@@ -191,10 +194,20 @@ sub initialize( $ ) {
 }
 
 sub process_tc_rule( ) {
-    my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers ) = split_line1 2, 13, 'tcrules file';
+    my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability );
+    if ( $family == F_IPV4 ) {
+	( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability ) =
+	    split_line1 'tcrules file', { mark => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, probability => 12 };
+	$headers = '-';
+    } else {
+	( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability ) = 
+	    split_line1 'tcrules file', { mark => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 };
+    }
 
     our @tccmd;
 
+    fatal_error 'MARK must be specified' if $originalmark eq '-';
+
     if ( $originalmark eq 'COMMENT' ) {
 	process_comment;
 	return;
@@ -204,38 +217,52 @@ sub process_tc_rule( ) {
 
     fatal_error "Invalid MARK ($originalmark)" unless supplied $mark;
 
+    my $chain    = $globals{MARKING_CHAIN};
+    my $classid  = 0;
+
     if ( $remainder ) { 
 	if ( $originalmark =~ /^\w+\(?.*\)$/ ) {
 	    $mark = $originalmark; # Most likely, an IPv6 address is included in the parameter list
 	} else {
-	    fatal_error "Invalid MARK ($originalmark)";
+	    fatal_error "Invalid MARK ($originalmark)" 
+		unless ( $mark =~ /^([0-9a-fA-F]+)$/ &&
+			 $designator =~ /^([0-9a-fA-F]+)$/ && 
+			 ( $chain = $designator{$remainder} ) );
+	    $mark    = join( ':', $mark, $designator );
+	    $classid = 1;
 	}
     }
 
-    my $chain  = $globals{MARKING_CHAIN};
     my $target = 'MARK --set-mark';
     my $tcsref;
     my $connmark = 0;
-    my $classid  = 0;
     my $device   = '';
     my $fw       = firewall_zone;
     my $list;
 
     if ( $source ) {
 	if ( $source eq $fw ) {
-	    $chain = 'tcout';
+	    if ( $classid ) {
+		fatal_error ":F is not allowed when the SOURCE is the firewall" if $chain eq 'tcfor';
+	    } else {
+		$chain = 'tcout';
+	    }
+
 	    $source = '';
-	} else {
-	    $chain = 'tcout' if $source =~ s/^($fw)://;
+	} elsif ( $source =~ s/^($fw):// ) {
+	    fatal_error ":F is not allowed when the SOURCE is the firewall" if ( $designator || '' ) eq 'F';
+	    $chain = 'tcout';
 	}
     }
 
     if ( $dest ) {
 	if ( $dest eq $fw ) {
+	    fatal_error 'A CLASSIFY rule may not have $FW as the DEST' if $classid;
 	    $chain = 'tcin';
 	    $dest  = '';
-	} else {
-	    $chain = 'tcin' if $dest =~ s/^($fw)://;
+	} elsif ( $dest =~ s/^($fw):// ) {
+	    fatal_error 'A CLASSIFY rule may not have $FW as the DEST' if $classid;
+	    $chain = 'tcin';
 	}
     }
 
@@ -256,11 +283,16 @@ sub process_tc_rule( ) {
 	    require_capability ('CONNMARK' , "CONNMARK Rules", '' ) if $connmark;
 
 	} else {
-	    fatal_error "Invalid MARK ($originalmark)"   unless $mark =~ /^([0-9a-fA-F]+)$/ and $designator =~ /^([0-9a-fA-F]+)$/;
+	    unless ( $classid ) {
+		fatal_error "Invalid MARK ($originalmark)" unless $mark =~ /^([0-9a-fA-F]+)$/ and $designator =~ /^([0-9a-fA-F]+)$/;
+		fatal_error 'A CLASSIFY rule may not have $FW as the DEST' if $chain eq 'tcin';
+		$chain = 'tcpost';
+		$mark  = $originalmark;
+	    }
 
 	    if ( $config{TC_ENABLED} eq 'Internal' || $config{TC_ENABLED} eq 'Shared' ) {
 		$originalmark = join( ':', normalize_hex( $mark ), normalize_hex( $designator ) );
-		fatal_error "Unknown Class ($originalmark)}" unless ( $device = $classids{$originalmark} );
+		fatal_error "Unknown Class ($mark)}" unless ( $device = $classids{$mark} );
 		fatal_error "IFB Classes may not be specified in tcrules" if @{$tcdevices{$device}{redirected}};
 
 		unless ( $tcclasses{$device}{hex_value $designator}{leaf} ) {
@@ -275,9 +307,7 @@ sub process_tc_rule( ) {
 		}
 	    }
 
-	    $chain   = 'tcpost';
 	    $classid = 1;
-	    $mark    = $originalmark;
 	    $target  = 'CLASSIFY --set-class';
 	}
     }
@@ -349,7 +379,7 @@ sub process_tc_rule( ) {
 				$val = numeric_value ($s);
 				fatal_error "Invalid Shift Bits ($s)" unless defined $val && $val >= 0 && $val < 128;
 				$shift = $s;
-			    }
+			    }			    
 			} else {
 			    fatal_error "Invalid MARK/CLASSIFY ($cmd)" unless $cmd eq 'IPMARK';
 			}
@@ -390,8 +420,51 @@ sub process_tc_rule( ) {
 			}
 
 			$target .= ' --tproxy-mark';
-		    }
+		    } elsif ( $target eq 'TTL' ) {
+			fatal_error "TTL is not supported in IPv6 - use HL instead" if $family == F_IPV6;
+			fatal_error "Invalid TTL specification( $cmd/$rest )" if $rest;
+			fatal_error "Chain designator $designator not allowed with TTL" if $designator && ! ( $designator eq 'F' );
 
+			$chain = 'tcfor';
+
+			$cmd =~ /^TTL\(([-+]?\d+)\)$/;
+
+			my $param =  $1;
+
+			fatal_error "Invalid TTL specification( $cmd )" unless $param && ( $param = abs $param ) < 256;
+
+			if ( $1 =~ /^\+/ ) {
+			    $target .= " --ttl-inc $param";
+			} elsif ( $1 =~ /\-/ ) {
+			    $target .= " --ttl-dec $param";
+			} else {
+			    $target .= " --ttl-set $param";
+			}
+		    } elsif ( $target eq 'HL' ) {
+			fatal_error "HL is not supported in IPv4 - use TTL instead" if $family == F_IPV4;
+			fatal_error "Invalid HL specification( $cmd/$rest )" if $rest;
+			fatal_error "Chain designator $designator not allowed with HL" if $designator && ! ( $designator eq 'F' );
+
+			$chain = 'tcfor';
+
+			$cmd =~ /^HL\(([-+]?\d+)\)$/;
+
+			my $param =  $1;
+
+			fatal_error "Invalid HL specification( $cmd )" unless $param && ( $param = abs $param ) < 256;
+
+			if ( $1 =~ /^\+/ ) {
+			    $target .= " --hl-inc $param";
+			} elsif ( $1 =~ /\-/ ) {
+			    $target .= " --hl-dec $param";
+			} else {
+			    $target .= " --hl-set $param";
+			}
+		    } elsif ( $target eq 'IMQ' ) {
+			assert( $cmd =~ /^IMQ\((\d+)\)$/ );
+			require_capability 'IMQ_TARGET', 'IMQ', 's';
+			$target .= " --todev $1";
+		    }
 
 		    if ( $rest ) {
 			fatal_error "Invalid MARK ($originalmark)" if $marktype == NOMARK;
@@ -436,7 +509,8 @@ sub process_tc_rule( ) {
 				     do_tos( $tos ) .
 				     do_connbytes( $connbytes ) .
 				     do_helper( $helper ) .
-				     do_headers( $headers ) ,
+				     do_headers( $headers ) .
+				     do_probability( $probability ) ,
 				     $source ,
 				     $dest ,
 				     '' ,
@@ -479,6 +553,88 @@ sub calculate_quantum( $$ ) {
     int( ( $rate * 125 ) / $r2q );
 }
 
+#
+# The next two function implement handling of the IN-BANDWIDTH column in both tcdevices and tcinterfaces
+#
+sub process_in_bandwidth( $ ) {
+    my $in_rate     = shift;
+    
+    return 0 if $in_rate eq '-' or $in_rate eq '0';
+
+    my $in_burst    = '10kb';
+    my $in_avrate   = 0;
+    my $in_band     = $in_rate;
+    my $burst;
+    my $in_interval = '250ms';
+    my $in_decay    = '4sec';
+
+    if ( $in_rate =~ s/^~// ) {
+	require_capability 'BASIC_FILTER', 'An estimated policing filter', 's';
+
+	if ( $in_rate =~ /:/ ) {
+	    ( $in_rate, $in_interval, $in_decay ) = split /:/, $in_rate, 3;
+	    fatal_error "Invalid IN-BANDWIDTH ($in_band)" unless supplied( $in_interval ) && supplied( $in_decay );
+	    fatal_error "Invalid Interval ($in_interval)" unless $in_interval =~ /^(?:(?:250|500)ms|(?:1|2|4|8)sec)$/;
+	    fatal_error "Invalid Decay ($in_decay)"       unless $in_decay    =~ /^(?:500ms|(?:1|2|4|8|16|32|64)sec)$/;
+	    
+	    if ( $in_decay =~ /ms/ ) {
+		fatal_error "Decay must be at least twice the interval" unless $in_interval eq '250ms';
+	    } else {
+		unless ( $in_interval =~ /ms/ ) {
+		    my ( $interval, $decay ) = ( $in_interval, $in_decay );
+		    $interval =~ s/sec//;
+		    $decay    =~ s/sec//;
+
+		    fatal_error "Decay must be at least twice the interval" unless $decay > $interval;
+		} 
+	    }
+	}
+	    
+	$in_avrate = rate_to_kbit( $in_rate );
+	$in_rate = 0; 
+    } else {
+	if ( $in_band =~ /:/ ) {
+	    ( $in_band, $burst ) = split /:/, $in_rate, 2;
+	    fatal_error "Invalid burst ($burst)" unless $burst  =~ /^\d+(k|kb|m|mb|mbit|kbit|b)?$/;
+	    $in_burst = $burst;
+	}
+
+	$in_rate = rate_to_kbit( $in_band );
+	
+    }
+
+    [ $in_rate, $in_burst, $in_avrate, $in_interval, $in_decay ];
+}
+
+sub handle_in_bandwidth( $$ ) {
+    my ($physical, $arrayref ) = @_;
+
+    return 1 unless $arrayref;
+
+    my ($in_rate, $in_burst, $in_avrate, $in_interval, $in_decay ) = @$arrayref;
+
+    emit ( "run_tc qdisc add dev $physical handle ffff: ingress" );
+    
+    if ( have_capability 'BASIC_FILTER' ) {
+	if ( $in_rate ) {
+	    emit( "run_tc filter add dev $physical parent ffff: protocol all prio 10 basic \\",
+		  "    police mpu 64 rate ${in_rate}kbit burst $in_burst action drop\n" );
+	} else {
+	    emit( "run_tc filter add dev $physical parent ffff: protocol all prio 10 \\",
+		  "    estimator $in_interval $in_decay basic \\",
+		  "    police avrate ${in_avrate}kbit action drop\n" );
+	}
+    } else {
+	emit( "run_tc filter add dev $physical parent ffff: protocol all prio 10 \\" ,
+	      "    u32 match ip src "  . ALLIPv4 . ' \\' ,
+	      "    police rate ${in_rate}kbit burst $in_burst drop flowid :1",
+	      '',
+	      "run_tc filter add dev $physical parent ffff: protocol all prio 10 \\" ,
+	      "    u32 match ip6 src " . ALLIPv6 . ' \\' ,
+	      "    police rate ${in_rate}kbit burst $in_burst drop flowid :1\n" );
+    }
+}
+	
 sub process_flow($) {
     my $flow = shift;
 
@@ -492,8 +648,9 @@ sub process_flow($) {
 }
 
 sub process_simple_device() {
-    my ( $device , $type , $in_bandwidth , $out_part ) = split_line 1, 4, 'tcinterfaces';
+    my ( $device , $type , $in_rate , $out_part ) = split_line 'tcinterfaces', { interface => 0, type => 1, in_bandwidth => 2, out_bandwidth => 3 };
 
+    fatal_error 'INTERFACE must be specified'      if $device eq '-';
     fatal_error "Duplicate INTERFACE ($device)"    if $tcdevices{$device};
     fatal_error "Invalid INTERFACE name ($device)" if $device =~ /[:+]/;
 
@@ -516,21 +673,8 @@ sub process_simple_device() {
 	}
     }
 
-    my $in_burst = '10kb';
+    $in_rate = process_in_bandwidth( $in_rate );
 
-    if ( $in_bandwidth =~ /:/ ) {
-	my ( $in_band, $burst ) = split /:/, $in_bandwidth, 2;
-
-	if ( supplied $burst ) {
-	    fatal_error "Invalid IN-BANDWIDTH" if $burst =~ /:/;
-	    fatal_error "Invalid burst ($burst)" unless $burst =~ /^\d+(k|kb|m|mb|mbit|kbit|b)?$/;
-	    $in_burst = $burst;
-	}
-
-	$in_bandwidth = rate_to_kbit( $in_band );
-    } else {
-	$in_bandwidth = rate_to_kbit( $in_bandwidth );
-    }
 
     emit( '',
 	  '#',
@@ -545,15 +689,11 @@ sub process_simple_device() {
 
     push_indent;
 
-    emit ( "${dev}_exists=Yes",
-	   "qt \$TC qdisc del dev $physical root",
+    emit ( "qt \$TC qdisc del dev $physical root",
 	   "qt \$TC qdisc del dev $physical ingress\n"
 	 );
 
-    emit ( "run_tc qdisc add dev $physical handle ffff: ingress",
-	   "run_tc filter add dev $physical parent ffff: protocol all prio 10 u32 match ip src "  . ALLIPv4 . " police rate ${in_bandwidth}kbit burst $in_burst drop flowid :1\n",
-	   "run_tc filter add dev $physical parent ffff: protocol all prio 10 u32 match ip6 src " . ALLIPv6 . " police rate ${in_bandwidth}kbit burst $in_burst drop flowid :1\n"
-	 ) if $in_bandwidth;
+    handle_in_bandwidth( $physical, $in_rate );
 
     if ( $out_part ne '-' ) {
 	my ( $out_bandwidth, $burst, $latency, $peak, $minburst ) = split ':', $out_part;
@@ -606,8 +746,17 @@ sub process_simple_device() {
 	emit '';
     }
     
-    emit "run_tc filter add dev $physical parent $number:0 protocol all prio 1 u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid $number:1\n";
-    emit "run_tc filter add dev $physical parent $number:0 protocol all prio 1 u32 match ip6 protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid $number:1\n";
+    emit( "run_tc filter add dev $physical parent $number:0 protocol all prio 1 u32" .
+	  "\\\n    match ip protocol 6 0xff" .
+	  "\\\n    match u8 0x05 0x0f at 0" .
+	  "\\\n    match u16 0x0000 0xffc0 at 2" .
+	  "\\\n    match u8 0x10 0xff at 33 flowid $number:1\n" );
+
+    emit( "run_tc filter add dev $physical parent $number:0 protocol all prio 1 u32" .
+	  "\\\n    match ip6 protocol 6 0xff" .
+	  "\\\n    match u8 0x05 0x0f at 0" .
+	  "\\\n    match u16 0x0000 0xffc0 at 2" .
+	  "\\\n    match u8 0x10 0xff at 33 flowid $number:1\n" );
 
     save_progress_message_short qq("   TC Device $physical defined.");
 
@@ -616,7 +765,6 @@ sub process_simple_device() {
     push_indent;
 
     emit qq(error_message "WARNING: Device $physical is not in the UP state -- traffic-shaping configuration skipped");
-    emit "${dev}_exists=";
     pop_indent;
     emit 'fi';
     pop_indent;
@@ -626,9 +774,10 @@ sub process_simple_device() {
 }
 
 sub validate_tc_device( ) {
-    my ( $device, $inband, $outband , $options , $redirected ) = split_line 3, 5, 'tcdevices';
+    my ( $device, $inband, $outband , $options , $redirected ) = split_line 'tcdevices', { interface => 0, in_bandwidth => 1, out_bandwidth => 2, options => 3, redirect => 4 };
 
-    fatal_error "Invalid tcdevices entry" if $outband eq '-';
+    fatal_error 'INTERFACE must be specified' if $device eq '-';
+    fatal_error "Invalid tcdevices entry"     if $outband eq '-';
 
     my $devnumber;
 
@@ -696,22 +845,9 @@ sub validate_tc_device( ) {
 	}
     }
 
-    my $in_burst = '10kb';
+    $inband = process_in_bandwidth( $inband );
 
-    if ( $inband =~ /:/ ) {
-	my ( $in_band, $burst ) = split /:/, $inband, 2;
-
-	if ( supplied $burst ) {
-	    fatal_error "Invalid IN-BANDWIDTH" if $burst =~ /:/;
-	    fatal_error "Invalid burst ($burst)" unless $burst =~ /^\d+(k|kb|m|mb|mbit|kbit|b)?$/;
-	    $in_burst = $burst;
-	}
-
-	$inband = $in_band;
-    }
-
-    $tcdevices{$device} = { in_bandwidth  => rate_to_kbit( $inband ),
-			    in_burst      => $in_burst,
+    $tcdevices{$device} = { in_bandwidth  => $inband,
 			    out_bandwidth => rate_to_kbit( $outband ) . 'kbit',
 			    number        => $devnumber,
 			    classify      => $classify,
@@ -789,7 +925,8 @@ sub dev_by_number( $ ) {
 }
 
 sub validate_tc_class( ) {
-    my ( $devclass, $mark, $rate, $ceil, $prio, $options ) = split_line 4, 6, 'tcclasses file';
+    my ( $devclass, $mark, $rate, $ceil, $prio, $options ) =
+	split_line 'tcclasses file', { interface => 0, mark => 1, rate => 2, ceil => 3, prio => 4, options => 5 };
     my $classnumber = 0;
     my $devref;
     my $device = $devclass;
@@ -797,6 +934,9 @@ sub validate_tc_class( ) {
     my $parentclass = 1;
     my $parentref;
 
+    fatal_error 'INTERFACE must be specified' if $devclass eq '-';
+    fatal_error 'CEIL must be specified'      if $ceil eq '-';
+
     if ( $devclass =~ /:/ ) {
 	( $device, my ($number, $subnumber, $rest ) )  = split /:/, $device, 4;
 	fatal_error "Invalid INTERFACE:CLASS ($devclass)" if defined $rest;
@@ -852,7 +992,7 @@ sub validate_tc_class( ) {
 	    if ( $classnumber ) {
 		fatal_error "Duplicate Class NUMBER ($classnumber)" if $tcref->{$classnumber};
 	    } else {
-		$classnumber = $config{WIDE_TC_MARKS} ? $devref->{nextclass}++ : hex_value( $devnum . $markval );
+		$classnumber = $config{TC_BITS} >= 14 ? $devref->{nextclass}++ : hex_value( $devnum . $markval );
 		fatal_error "Duplicate MARK ($mark)" if $tcref->{$classnumber};
 	    }
 	}
@@ -1010,7 +1150,9 @@ my %validlengths = ( 32 => '0xffe0', 64 => '0xffc0', 128 => '0xff80', 256 => '0x
 #
 sub process_tc_filter() {
 
-    my ( $devclass, $source, $dest , $proto, $portlist , $sportlist, $tos, $length ) = split_line 2, 8, 'tcfilters file';
+    my ( $devclass, $source, $dest , $proto, $portlist , $sportlist, $tos, $length ) = split_line 'tcfilters file', { class => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, tos => 6, length => 7 };
+
+    fatal_error 'CLASS must be specified' if $devclass eq '-';
 
     my ($device, $class, $rest ) = split /:/, $devclass, 3;
 
@@ -1310,7 +1452,9 @@ sub process_tcfilters() {
 # Process a tcpri record
 #
 sub process_tc_priority() {
-    my ( $band, $proto, $ports , $address, $interface, $helper ) = split_line1 1, 6, 'tcpri';
+    my ( $band, $proto, $ports , $address, $interface, $helper ) = split_line1 'tcpri', { band => 0, proto => 1, port => 2, address => 3, interface => 4, helper => 5 };
+
+    fatal_error 'BAND must be specified' if $band eq '-';
 
     if ( $band eq 'COMMENT' ) {
 	process_comment;
@@ -1446,34 +1590,33 @@ sub process_traffic_shaping() {
     my $sfq = 0;
     my $sfqinhex;
 
-    for my $device ( @tcdevices ) {
-	my $devref  = $tcdevices{$device};
+    for my $devname ( @tcdevices ) {
+	my $devref  = $tcdevices{$devname};
 	my $defmark = in_hexp ( $devref->{default} || 0 );
 	my $devnum  = in_hexp $devref->{number};
 	my $r2q     = int calculate_r2q $devref->{out_bandwidth};
 
-	fatal_error "No default class defined for device $device" unless $devref->{default};
+	fatal_error "No default class defined for device $devname" unless $devref->{default};
 
-	$device = physical_name $device;
-
-	my $dev = chain_base( $device );
-
-	emit( '',
-	      '#',
-	      "# Configure Traffic Shaping for $device",
-	      '#',
-	      "setup_${dev}_tc() {" );
-
-	push_indent;
+	my $device = physical_name $devname;
 
 	unless ( $config{TC_ENABLED} eq 'Shared' ) {
 
+	    my $dev = chain_base( $device );
+
+	    emit( '',
+		  '#',
+		  "# Configure Traffic Shaping for $device",
+		  '#',
+		  "setup_${dev}_tc() {" );
+
+	    push_indent;
+
 	    emit "if interface_is_up $device; then";
 
 	    push_indent;
 
-	    emit ( "${dev}_exists=Yes",
-		   "qt \$TC qdisc del dev $device root",
+	    emit ( "qt \$TC qdisc del dev $device root",
 		   "qt \$TC qdisc del dev $device ingress",
 		   "${dev}_mtu=\$(get_device_mtu $device)",
 		   "${dev}_mtu1=\$(get_device_mtu1 $device)"
@@ -1504,11 +1647,7 @@ sub process_traffic_shaping() {
 		      qq(fi) );
 	    }
 
-	    if ( $devref->{in_bandwidth} ) {
-		emit ( "run_tc qdisc add dev $device handle ffff: ingress",
-		       "run_tc filter add dev $device parent ffff: protocol all prio 10 u32 match ip src 0.0.0.0/0 police rate $devref->{in_bandwidth}kbit burst $devref->{in_burst} drop flowid :1"
-		     );
-	    }
+	    handle_in_bandwidth( $device, $devref->{in_bandwidth} );
 
 	    for my $rdev ( @{$devref->{redirected}} ) {
 		emit ( "run_tc qdisc add dev $rdev handle ffff: ingress" );
@@ -1521,7 +1660,7 @@ sub process_traffic_shaping() {
 		#
 		my ( $d, $decimalclassnum ) = split /:/, $class;
 
-		next unless $d eq $device;
+		next unless $d eq $devname;
 		#
 		# For inclusion in 'tc' commands, we also need the hex representation
 		#
@@ -1529,7 +1668,7 @@ sub process_traffic_shaping() {
 		#
 		# The decimal value of the class number is also used as the key for the hash at $tcclasses{$device}
 		#
-		my $tcref    = $tcclasses{$device}{$decimalclassnum};
+		my $tcref    = $tcclasses{$devname}{$decimalclassnum};
 		my $mark     = $tcref->{mark};
 		my $devicenumber  = in_hexp $devref->{number};
 		my $classid  = join( ':', $devicenumber, $classnum);
@@ -1537,7 +1676,6 @@ sub process_traffic_shaping() {
 		my $quantum  = calculate_quantum $rate, calculate_r2q( $devref->{out_bandwidth} );
 
 		$classids{$classid}=$device;
-		$device = physical_name $device;
 
 		my $priority = $tcref->{priority} << 8;
 		my $parent   = in_hexp $tcref->{parent};
@@ -1578,7 +1716,11 @@ sub process_traffic_shaping() {
 		#
 		# options
 		#
-		emit "run_tc filter add dev $device parent $devicenumber:0 protocol ip prio " . ( $priority | 10 ) ." u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid $classid" if $tcref->{tcp_ack};
+		emit( "run_tc filter add dev $device parent $devicenumber:0 protocol ip prio " . ( $priority | 10 ) . ' u32' .
+		      "\\\n    match ip protocol 6 0xff" .
+		      "\\\n    match u8 0x05 0x0f at 0" .
+		      "\\\n    match u16 0x0000 0xffc0 at 2" .
+		      "\\\n    match u8 0x10 0xff at 33 flowid $classid" ) if $tcref->{tcp_ack};
 
 		for my $tospair ( @{$tcref->{tos}} ) {
 		    my ( $tos, $mask ) = split q(/), $tospair;
@@ -1589,25 +1731,44 @@ sub process_traffic_shaping() {
 		emit '';
 
 	    }
-	}
 
-	emit '';
+	    emit '';
 
-	emit "$_" for @{$devref->{filters}};
+	    emit "$_" for @{$devref->{filters}};
 	
-	save_progress_message_short qq("   TC Device $device defined.");
+	    save_progress_message_short qq("   TC Device $device defined.");
 
-	pop_indent;
-	emit 'else';
-	push_indent;
+	    pop_indent;
+	    emit 'else';
+	    push_indent;
 
-	emit qq(error_message "WARNING: Device $device is not in the UP state -- traffic-shaping configuration skipped");
-	emit "${dev}_exists=";
-	pop_indent;
-	emit "fi\n";
+	    emit qq(error_message "WARNING: Device $device is not in the UP state -- traffic-shaping configuration skipped");
+	    pop_indent;
+	    emit "fi\n";
 
-	pop_indent;
-	emit "}\n";
+	    pop_indent;
+	    emit "}\n";
+	} else {
+	    for my $class ( @tcclasses ) {
+		#
+		# The class number in the tcclasses array is expressed in decimal.
+		#
+		my ( $d, $decimalclassnum ) = split /:/, $class;
+
+		next unless $d eq $devname;
+		#
+		# For inclusion in 'tc' commands, we also need the hex representation
+		#
+		my $classnum = in_hexp $decimalclassnum;
+		#
+		# The decimal value of the class number is also used as the key for the hash at $tcclasses{$device}
+		#
+		my $devicenumber  = in_hexp $devref->{number};
+		my $classid  = join( ':', $devicenumber, $classnum);
+
+		$classids{$classid}=$device;
+	    }
+	}
     }
 }
 
@@ -1625,7 +1786,9 @@ sub process_tc() {
     # it can call the appropriate 'setup_x_tc" function when the device is
     # enabled.
 
-    \%tcdevices;
+    my %empty;
+    
+    $config{TC_ENABLED} eq 'Shared' ? \%empty : \%tcdevices;
 }
 
 #
@@ -1640,14 +1803,16 @@ sub setup_traffic_shaping() {
 
 	emit "setup_${dev}_tc";
     }
-
 }
 
 #
 # Process a record in the secmarks file
 #
 sub process_secmark_rule() {
-    my ( $secmark, $chainin, $source, $dest, $proto, $dport, $sport, $user, $mark ) = split_line1( 2, 9 , 'Secmarks file' );
+    my ( $secmark, $chainin, $source, $dest, $proto, $dport, $sport, $user, $mark ) =
+	split_line1( 'Secmarks file' , { secmark => 0, chain => 1, source => 2, dest => 3, proto => 4, dport => 5, sport => 6, user => 7, mark => 8 } );
+
+    fatal_error 'SECMARK must be specified' if $secmark eq '-';
 
     if ( $secmark eq 'COMMENT' ) {
 	process_comment;
@@ -1756,7 +1921,7 @@ sub setup_tc() {
 	append_file $globals{TC_SCRIPT};
     } else {
 	process_tcpri if $config{TC_ENABLED} eq 'Simple';
-	setup_traffic_shaping;
+	setup_traffic_shaping unless $config{TC_ENABLED} eq 'Shared';
     }
 
     if ( $config{TC_ENABLED} ) {
@@ -1805,6 +1970,24 @@ sub setup_tc() {
 			  mark      => HIGHMARK,
 			  mask      => '',
 			  connmark  => '' },
+			{ match     => sub( $ ) { $_[0] =~ /^TTL/ },
+			  target    => 'TTL',
+			  mark      => NOMARK,
+			  mask      => '',
+			  connmark  => 0
+			},
+			{ match     => sub( $ ) { $_[0] =~ /^HL/ },
+			  target    => 'HL',
+			  mark      => NOMARK,
+			  mask      => '',
+			  connmark  => 0
+			},
+			{ match     => sub( $ ) { $_[0] =~ /^IMQ\(\d+\)$/ },
+			  target    => 'IMQ',
+			  mark      => NOMARK,
+			  mask      => '',
+			  connmark  => 0
+			},
 		      );
 
 	if ( my $fn = open_file 'tcrules' ) {

Shorewall/Perl/Shorewall/Tunnels.pm

@@ -238,7 +238,7 @@ sub setup_tunnels() {
 
 	my $zonetype = zone_type( $zone );
 
-	fatal_error "Invalid tunnel ZONE ($zone)" if $zonetype == FIREWALL || $zonetype == BPORT;
+	fatal_error "Invalid tunnel ZONE ($zone)" if $zonetype & ( FIREWALL | BPORT );
 
 	my $inchainref  = ensure_rules_chain( rules_chain( ${zone}, ${fw} ) );
 	my $outchainref = ensure_rules_chain( rules_chain( ${fw}, ${zone} ) );
@@ -253,6 +253,7 @@ sub setup_tunnels() {
 			    'ipip'          => { function => \&setup_one_other,          params   => [ \@source, \@dest , 4 ] } ,
 			    'gre'           => { function => \&setup_one_other,          params   => [ \@source, \@dest , 47 ] } ,
 			    '6to4'          => { function => \&setup_one_other,          params   => [ \@source, \@dest , 41 ] } ,
+			    '6in4'          => { function => \&setup_one_other,          params   => [ \@source, \@dest , 41 ] } ,
 			    'pptpclient'    => { function => \&setup_pptp_client,        params   => [ $kind, \@source, \@dest ] } ,
 			    'pptpserver'    => { function => \&setup_pptp_server,        params   => [ $kind, \@source, \@dest ] } ,
 			    'openvpn'       => { function => \&setup_one_openvpn,        params   => [ $kind, \@source, \@dest ] } ,
@@ -284,7 +285,10 @@ sub setup_tunnels() {
 
 	while ( read_a_line ) {
 
-	    my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 2, 4, 'tunnels file';
+	    my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 'tunnels file', { type => 0, zone => 1, gateway => 2, gateway_zone => 3 };
+
+	    fatal_error 'TYPE must be specified' if $kind eq '-';
+	    fatal_error 'ZONE must be specified' if $zone eq '-';
 
 	    if ( $kind eq 'COMMENT' ) {
 		process_comment;

Shorewall/Perl/Shorewall/Zones.pm

@@ -50,6 +50,7 @@ our @EXPORT = qw( NOTHING
 		  defined_zone
 		  zone_type
 		  zone_interfaces
+		  zone_mark
 		  all_zones
 		  all_parent_zones
 		  complex_zones
@@ -60,6 +61,7 @@ our @EXPORT = qw( NOTHING
 		  chain_base
 		  validate_interfaces_file
 		  all_interfaces
+		  all_real_interfaces
 		  all_bridges
 		  interface_number
 		  find_interface
@@ -75,6 +77,7 @@ our @EXPORT = qw( NOTHING
 		  get_interface_option
 		  interface_has_option
 		  set_interface_option
+		  set_interface_provider
 		  interface_zones
 		  verify_required_interfaces
 		  compile_updown
@@ -97,6 +100,14 @@ use constant { NOTHING    => 'NOTHING',
 	       IPSECPROTO => 'ah|esp|ipcomp',
 	       IPSECMODE  => 'tunnel|transport'
 	       };
+
+#
+# Option columns
+#
+use constant { IN_OUT     => 1,
+	       IN         => 2,
+	       OUT        => 3 };
+
 #
 # Zone Table.
 #
@@ -132,6 +143,7 @@ use constant { NOTHING    => 'NOTHING',
 #
 my @zones;
 my %zones;
+my %zonetypes;
 my $firewall_zone;
 
 my  %reservedName = ( all => 1,
@@ -177,15 +189,19 @@ my %physical;
 my %basemap;
 my %mapbase;
 my $family;
+my $upgrade;
 my $have_ipsec;
 my $baseseq;
 my $minroot;
+my $zonemark;
+my $zonemarkincr;
+my $zonemarklimit;
 
 use constant { FIREWALL => 1,
 	       IP       => 2,
-	       BPORT    => 3,
-	       IPSEC    => 4,
-	       VSERVER  => 5 };
+	       BPORT    => 4,
+	       IPSEC    => 8,
+	       VSERVER  => 16 };
 
 use constant { SIMPLE_IF_OPTION   => 1,
 	       BINARY_IF_OPTION   => 2,
@@ -221,8 +237,8 @@ my %validhostoptions;
 #   2. The compiler can run multiple times in the same process so it has to be
 #      able to re-initialize its dependent modules' state.
 #
-sub initialize( $ ) {
-    $family = shift;
+sub initialize( $$ ) {
+    ( $family , $upgrade ) = @_;
     @zones = ();
     %zones = ();
     $firewall_zone = '';
@@ -275,6 +291,7 @@ sub initialize( $ ) {
 			     destonly => 1,
 			     sourceonly => 1,
 			    );
+	%zonetypes = ( 1 => 'firewall', 2 => 'ipv4', 4 => 'bport4', 8 => 'ipsec4', 16 => 'vserver' );
     } else {
 	%validinterfaceoptions = (  blacklist   => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    bridge      => SIMPLE_IF_OPTION,
@@ -300,6 +317,7 @@ sub initialize( $ ) {
 			     routeback => 1,
 			     tcpflags => 1,
 			    );
+	%zonetypes = ( 1 => 'firewall', 2 => 'ipv6', 4 => 'bport6', 8 => 'ipsec4', 16 => 'vserver' );
     }
 }
 
@@ -309,9 +327,10 @@ sub initialize( $ ) {
 # => mss   = <MSS setting>
 # => ipsec = <-m policy arguments to match options>
 #
-sub parse_zone_option_list($$\$)
+sub parse_zone_option_list($$\$$)
 {
     my %validoptions = ( mss          => NUMERIC,
+			 nomark       => NOTHING,
 			 blacklist    => NOTHING,
 			 strict       => NOTHING,
 			 next         => NOTHING,
@@ -323,13 +342,13 @@ sub parse_zone_option_list($$\$)
 			 "tunnel-dst" => NETWORK,
 		       );
 
-    use constant { UNRESTRICTED => 1, NOFW => 2 , COMPLEX => 8 };
+    use constant { UNRESTRICTED => 1, NOFW => 2 , COMPLEX => 8, IN_OUT_ONLY => 16 };
     #
     # Hash of options that have their own key in the returned hash.
     #
-    my %key = ( mss => UNRESTRICTED | COMPLEX , blacklist => NOFW );
+    my %key = ( mss => UNRESTRICTED | COMPLEX , blacklist => NOFW, nomark => NOFW | IN_OUT_ONLY );
 
-    my ( $list, $zonetype, $complexref ) = @_;
+    my ( $list, $zonetype, $complexref, $column ) = @_;
     my %h;
     my $options = '';
     my $fmt;
@@ -362,11 +381,12 @@ sub parse_zone_option_list($$\$)
 	    my $key = $key{$e};
 
 	    if ( $key ) {
-		fatal_error "Option '$e' not permitted with this zone type " if $key & NOFW && ($zonetype == FIREWALL || $zonetype == VSERVER);
+		fatal_error "Option '$e' not permitted with this zone type " if $key & NOFW && ($zonetype & ( FIREWALL | VSERVER) );
+		fatal_error "Opeion '$e' is only permitted in the OPTIONS columns" if $key & IN_OUT_ONLY && $column != IN_OUT;
 		$$complexref = 1 if $key & COMPLEX;
 		$h{$e} = $val || 1;
 	    } else {
-		fatal_error "The \"$e\" option may only be specified for ipsec zones" unless $zonetype == IPSEC;
+		fatal_error "The \"$e\" option may only be specified for ipsec zones" unless $zonetype & IPSEC;
 		$options .= $invert;
 		$options .= "--$e ";
 		$options .= "$val "if defined $val;
@@ -402,19 +422,14 @@ sub process_zone( \$ ) {
 
     my @parents;
 
-    my ($zone, $type, $options, $in_options, $out_options ) = split_line 1, 5, 'zones file';
+    my ($zone, $type, $options, $in_options, $out_options ) =
+	split_line 'zones file', { zone => 0, type => 1, options => 2, in_options => 3, out_options => 4 };
+
+    fatal_error 'ZONE must be specified' if $zone eq '-';
 
     if ( $zone =~ /(\w+):([\w,]+)/ ) {
 	$zone = $1;
 	@parents = split_list $2, 'zone';
-
-	for my $p ( @parents ) {
-	    fatal_error "Invalid Parent List ($2)" unless $p;
-	    fatal_error "Unknown parent zone ($p)" unless $zones{$p};
-	    fatal_error 'Subzones of firewall zone not allowed' if $zones{$p}{type} == FIREWALL;
-	    fatal_error 'Subzones of a Vserver zone not allowed' if $zones{$p}{type} == VSERVER;
-	    push @{$zones{$p}{children}}, $zone;
-	}
     }
 
     fatal_error "Invalid zone name ($zone)"      unless $zone =~ /^[a-z]\w*$/i && length $zone <= $globals{MAXZONENAMELENGTH};
@@ -427,10 +442,11 @@ sub process_zone( \$ ) {
 	$$ip = 1;
     } elsif ( $type =~ /^ipsec([46])?$/i ) {
 	fatal_error "Invalid zone type ($type)" if $1 && $1 != $family;
+	require_capability 'POLICY_MATCH' , 'IPSEC zones', '';
 	$type = IPSEC;
     } elsif ( $type =~ /^bport([46])?$/i ) {
 	fatal_error "Invalid zone type ($type)" if $1 && $1 != $family;
-	warning_message "Bridge Port zones should have a parent zone" unless @parents;
+	warning_message "Bridge Port zones should have a parent zone" unless @parents || $config{ZONE_BITS};
 	$type = BPORT;
 	push @bport_zones, $zone;
     } elsif ( $type eq 'firewall' ) {
@@ -449,11 +465,18 @@ sub process_zone( \$ ) {
 	fatal_error "Invalid zone type ($type)";
     }
 
-    if ( $type eq IPSEC ) {
-	require_capability 'POLICY_MATCH' , 'IPSEC zones', '';
-	for ( @parents ) {
-	    set_super( $zones{$_} ) unless $zones{$_}{type} == IPSEC;
-	}
+    for my $p ( @parents ) {
+	fatal_error "Invalid Parent List ($2)" unless $p;
+	fatal_error "Unknown parent zone ($p)" unless $zones{$p};
+
+	my $ptype = $zones{$p}{type};
+
+	fatal_error 'Subzones of a Vserver zone not allowed' if $ptype & VSERVER;
+	fatal_error 'Subzones of firewall zone not allowed'  if $ptype & FIREWALL;
+
+	set_super( $zones{$p} ) if $type & IPSEC && ! ( $ptype & IPSEC );
+
+	push @{$zones{$p}{children}}, $zone;
     }
 
     my $complex = 0;
@@ -461,10 +484,10 @@ sub process_zone( \$ ) {
     my $zoneref = $zones{$zone} = { type       => $type,
 				    parents    => \@parents,
 				    bridge     => '',
-				    options    => { in_out  => parse_zone_option_list( $options , $type, $complex ) ,
-						    in      => parse_zone_option_list( $in_options , $type , $complex ) ,
-						    out     => parse_zone_option_list( $out_options , $type , $complex ) ,
-						    complex => ( $type == IPSEC || $complex ) ,
+				    options    => { in_out  => parse_zone_option_list( $options , $type, $complex , IN_OUT ) ,
+						    in      => parse_zone_option_list( $in_options , $type , $complex , IN ) ,
+						    out     => parse_zone_option_list( $out_options , $type , $complex , OUT ) ,
+						    complex => ( $type & IPSEC || $complex ) ,
 						    nested  => @parents > 0 ,
 						    super   => 0 ,
 						  } ,
@@ -473,6 +496,28 @@ sub process_zone( \$ ) {
 				    hosts      => {}
 				  };
 
+    if ( $config{ZONE_BITS} ) {
+	my $mark;
+
+	if ( $type == FIREWALL ) {
+	    $mark = 0;
+	} else {
+	    unless ( $zoneref->{options}{in_out}{nomark} ) {
+		fatal_error "Zone mark overflow - please increase the setting of ZONE_BITS" if $zonemark >= $zonemarklimit;
+		$mark      = $zonemark;
+		$zonemark += $zonemarkincr;
+		$zoneref->{options}{complex} = 1;
+	    }
+	}
+
+	if ( $zoneref->{options}{in_out}{nomark} ) {
+	    progress_message_nocompress "   Zone $zone:\tmark value not assigned";
+	} else {
+	    progress_message_nocompress "   Zone $zone:\tmark value " . in_hex( $zoneref->{mark} = $mark );
+	}
+    }
+	
+
     if ( $zoneref->{options}{in_out}{blacklist} ) {
 	for ( qw/in out/ ) {
 	    unless ( $zoneref->{options}{$_}{blacklist} ) {
@@ -494,6 +539,10 @@ sub determine_zones()
     my @z;
     my $ip = 0;
 
+    $zonemark      = 1 << $globals{ZONE_OFFSET};
+    $zonemarkincr  = $zonemark;
+    $zonemarklimit = $zonemark << $config{ZONE_BITS};
+
     if ( my $fn = open_file 'zones' ) {
 	first_entry "$doing $fn...";
 	push @z, process_zone( $ip ) while read_a_line;
@@ -532,7 +581,7 @@ sub determine_zones()
 #
 sub haveipseczones() {
     for my $zoneref ( values %zones ) {
-	return 1 if $zoneref->{type} == IPSEC;
+	return 1 if $zoneref->{type} & IPSEC;
     }
 
     0;
@@ -545,22 +594,13 @@ sub zone_report()
 {
     progress_message2 "Determining Hosts in Zones...";
 
-    my @translate;
-
-    if ( $family == F_IPV4 ) {
-	@translate = ( undef, 'firewall', 'ipv4', 'bport4', 'ipsec4', 'vserver' );
-    } else {
-	@translate = ( undef, 'firewall', 'ipv6', 'bport6', 'ipsec6', 'vserver' );
-    }
-
-    for my $zone ( @zones )
-    {
+    for my $zone ( @zones ) {
 	my $zoneref   = $zones{$zone};
 	my $hostref   = $zoneref->{hosts};
 	my $type      = $zoneref->{type};
 	my $optionref = $zoneref->{options};
 
-	progress_message_nocompress "   $zone ($translate[$type])";
+	progress_message_nocompress "   $zone ($zonetypes{$type})";
 
 	my $printed = 0;
 
@@ -571,11 +611,14 @@ sub zone_report()
 		for my $interface ( sort keys %$interfaceref ) {
 		    my $iref     = $interfaces{$interface};
 		    my $arrayref = $interfaceref->{$interface};
+
 		    for my $groupref ( @$arrayref ) {
 			my $hosts      = $groupref->{hosts};
+
 			if ( $hosts ) {
 			    my $grouplist  = join ',', ( @$hosts );
 			    my $exclusions = join ',', @{$groupref->{exclusions}};
+
 			    $grouplist = join '!', ( $grouplist, $exclusions) if $exclusions;
 
 			    if ( $family == F_IPV4 ) {
@@ -586,13 +629,12 @@ sub zone_report()
 			    $printed = 1;
 			}
 		    }
-
 		}
 	    }
 	}
 
 	unless ( $printed ) {
-	    fatal_error "No bridge has been associated with zone $zone" if $type == BPORT && ! $zoneref->{bridge};
+	    fatal_error "No bridge has been associated with zone $zone" if $type & BPORT && ! $zoneref->{bridge};
 	    warning_message "*** $zone is an EMPTY ZONE ***" unless $type == FIREWALL;
 	}
 
@@ -602,16 +644,7 @@ sub zone_report()
 #
 # This function is called to create the contents of the ${VARDIR}/zones file
 #
-sub dump_zone_contents()
-{
-    my @xlate;
-
-    if ( $family == F_IPV4 ) {
-	@xlate = ( undef, 'firewall', 'ipv4', 'bport4', 'ipsec4', 'vserver' );
-    } else {
-	@xlate = ( undef, 'firewall', 'ipv6', 'bport6', 'ipsec6', 'vserver' );
-    }
-
+sub dump_zone_contents() {
     for my $zone ( @zones )
     {
 	my $zoneref    = $zones{$zone};
@@ -619,9 +652,10 @@ sub dump_zone_contents()
 	my $type       = $zoneref->{type};
 	my $optionref  = $zoneref->{options};
 
-	my $entry      =  "$zone $xlate[$type]";
+	my $entry      =  "$zone $zonetypes{$type}";
 
-	$entry .= ":$zoneref->{bridge}" if $type == BPORT;
+	$entry .= ":$zoneref->{bridge}" if $type & BPORT;
+	$entry .= ( " mark=" . in_hex( $zoneref->{mark} ) ) if exists $zoneref->{mark};
 
 	if ( $hostref ) {
 	    for my $type ( sort keys %$hostref ) {
@@ -630,6 +664,7 @@ sub dump_zone_contents()
 		for my $interface ( sort keys %$interfaceref ) {
 		    my $iref     = $interfaces{$interface};
 		    my $arrayref = $interfaceref->{$interface};
+
 		    for my $groupref ( @$arrayref ) {
 			my $hosts     = $groupref->{hosts};
 
@@ -732,7 +767,7 @@ sub add_group_to_zone($$$$$)
 
     $zoneref->{options}{in_out}{routeback} = 1 if $options->{routeback};
 
-    my $gtype = $type == IPSEC ? 'ipsec' : 'ip';
+    my $gtype = $type & IPSEC ? 'ipsec' : 'ip';
 
     $hostsref     = ( $zoneref->{hosts}           || ( $zoneref->{hosts} = {} ) );
     $typeref      = ( $hostsref->{$gtype}         || ( $hostsref->{$gtype} = {} ) );
@@ -744,7 +779,7 @@ sub add_group_to_zone($$$$$)
 
     push @{$interfaceref}, { options => $options,
 			     hosts   => \@newnetworks,
-			     ipsec   => $type == IPSEC ? 'ipsec' : 'none' ,
+			     ipsec   => $type & IPSEC ? 'ipsec' : 'none' ,
 			     exclusions => \@exclusions };
 
     $interfaces{$interface}{options}{routeback} ||= ( $type != IPSEC && $options->{routeback} );
@@ -772,6 +807,12 @@ sub zone_interfaces( $ ) {
     find_zone( $_[0] )->{interfaces};
 }
 
+sub zone_mark( $ ) {
+    my $zoneref = find_zone( $_[0] );
+    fatal_error "Zone $_[0] has no assigned mark" unless exists $zoneref->{mark};
+    $zoneref->{mark};
+}
+
 sub defined_zone( $ ) {
     $zones{$_[0]};
 }
@@ -781,11 +822,11 @@ sub all_zones() {
 }
 
 sub off_firewall_zones() {
-   grep ( ! ( $zones{$_}{type} == FIREWALL || $zones{$_}{type} == VSERVER )  ,  @zones );
+   grep ( ! ( $zones{$_}{type} & ( FIREWALL | VSERVER ) )  ,  @zones );
 }
 
 sub non_firewall_zones() {
-   grep ( $zones{$_}{type} != FIREWALL  ,  @zones );
+   grep ( ! ( $zones{$_}{type} & FIREWALL ) ,  @zones );
 }
 
 sub all_parent_zones() {
@@ -801,7 +842,7 @@ sub complex_zones() {
 }
 
 sub vserver_zones() {
-    grep ( $zones{$_}{type} == VSERVER, @zones );
+    grep ( $zones{$_}{type} & VSERVER, @zones );
 }
 
 sub firewall_zone() {
@@ -871,7 +912,7 @@ sub process_interface( $$ ) {
     my ( $nextinum, $export ) = @_;
     my $netsref   = '';
     my $filterref = [];
-    my ($zone, $originalinterface, $bcasts, $options ) = split_line 2, 4, 'interfaces file';
+    my ($zone, $originalinterface, $bcasts, $options ) = split_line 'interfaces file', { zone => 0, interface => 1, broadcast => 2, options => 3 };
     my $zoneref;
     my $bridge = '';
 
@@ -884,6 +925,8 @@ sub process_interface( $$ ) {
 	fatal_error "Firewall zone not allowed in ZONE column of interface record" if $zoneref->{type} == FIREWALL;
     }
 
+    fatal_error 'INTERFACE must be specified' if $originalinterface eq '-';
+
     my ($interface, $port, $extra) = split /:/ , $originalinterface, 3;
 
     fatal_error "Invalid INTERFACE ($originalinterface)" if ! $interface || defined $extra;
@@ -898,7 +941,7 @@ sub process_interface( $$ ) {
 
 	fatal_error "$interface is not a defined bridge" unless $interfaces{$interface} && $interfaces{$interface}{options}{bridge};
 	$interfaces{$interface}{ports}++;
-	fatal_error "Bridge Ports may only be associated with 'bport' zones" if $zone && $zoneref->{type} != BPORT;
+	fatal_error "Bridge Ports may only be associated with 'bport' zones" if $zone && ! ( $zoneref->{type} & BPORT );
 
 	if ( $zone ) {
 	    if ( $zoneref->{bridge} ) {
@@ -907,15 +950,15 @@ sub process_interface( $$ ) {
 		$zoneref->{bridge} = $interface;
 	    }
 
-	    fatal_error "Vserver zones may not be associated with bridge ports" if $zoneref->{type} == VSERVER;
+	    fatal_error "Vserver zones may not be associated with bridge ports" if $zoneref->{type} & VSERVER;
 	}
 
 	$bridge = $interface;
 	$interface = $port;
     } else {
 	fatal_error "Duplicate Interface ($interface)" if $interfaces{$interface};
-	fatal_error "Zones of type 'bport' may only be associated with bridge ports" if $zone && $zoneref->{type} == BPORT;
-	fatal_error "Vserver zones may not be associated with interfaces" if $zone && $zoneref->{type} == VSERVER;
+	fatal_error "Zones of type 'bport' may only be associated with bridge ports" if $zone && $zoneref->{type} & BPORT;
+	fatal_error "Vserver zones may not be associated with interfaces" if $zone && $zoneref->{type} & VSERVER;
 
 	$bridge = $interface;
     }
@@ -981,7 +1024,7 @@ sub process_interface( $$ ) {
 	    fatal_error "Invalid Interface option ($option)" unless my $type = $validinterfaceoptions{$option};
 
 	    if ( $zone ) {
-		fatal_error qq(The "$option" option may not be specified for a Vserver zone") if $zoneref->{type} == VSERVER && ! ( $type & IF_OPTION_VSERVER );
+		fatal_error qq(The "$option" option may not be specified for a Vserver zone") if $zoneref->{type} & VSERVER && ! ( $type & IF_OPTION_VSERVER );
 	    } else {
 		fatal_error "The \"$option\" option may not be specified on a multi-zone interface" if $type & IF_OPTION_ZONEONLY;
 	    }
@@ -1266,6 +1309,13 @@ sub all_interfaces() {
     @interfaces;
 }
 
+#
+# Return all non-vserver interfaces
+#
+sub all_real_interfaces() {
+    grep $_ ne '%vserver%', @interfaces;
+}
+
 #
 # Return a list of bridges
 #
@@ -1301,7 +1351,7 @@ sub physical_name( $ ) {
 
     $devref ? $devref->{physical} : $device;
 }
-
+    
 #
 # Returns true if there are bridge port zones defined in the config
 #
@@ -1618,7 +1668,7 @@ sub compile_updown() {
     if ( @$ignore ) {
 	my $interfaces = join '|', map $interfaces{$_}->{physical}, @$ignore;
 
-	$interfaces =~ s/\+/*/;
+	$interfaces =~ s/\+/*/g;
 
 	emit( "$interfaces)",
 	      '    progress_message3 "$COMMAND on interface $1 ignored"',
@@ -1630,7 +1680,7 @@ sub compile_updown() {
     if ( @$required ) {
 	my $interfaces = join '|', map $interfaces{$_}->{physical}, @$required;
 
-	my $wildcard = ( $interfaces =~ s/\+/*/ );
+	my $wildcard = ( $interfaces =~ s/\+/*/g );
 
 	emit( "$interfaces)",
 	      '    if [ "$COMMAND" = up ]; then' );
@@ -1669,17 +1719,26 @@ sub compile_updown() {
     }
 
     if ( @$optional ) {
-	my $interfaces = join '|', map $interfaces{$_}->{physical}, @$optional;
+	my @interfaces = map $interfaces{$_}->{physical}, @$optional;
+	my $interfaces = join '|', @interfaces; 
 
-	$interfaces =~ s/\+/*/;
+	if ( $interfaces =~ s/\+/*/g || @interfaces > 1 ) {
+	    emit( "$interfaces)",
+		  '    if [ "$COMMAND" = up ]; then',
+		  '        echo 0 > ${VARDIR}/${1}.state',
+		  '    else',
+		  '        echo 1 > ${VARDIR}/${1}.state',
+		  '    fi' );
+	} else {
+	    emit( "$interfaces)",
+		  '    if [ "$COMMAND" = up ]; then',
+		  "        echo 0 > \${VARDIR}/$interfaces.state",
+		  '    else',
+		  "        echo 1 > \${VARDIR}/$interfaces.state",
+		  '    fi' );
+	}
 
-	emit( "$interfaces)",
-	      '    if [ "$COMMAND" = up ]; then',
-	      '        echo 0 > ${VARDIR}/${1}.state',
-	      '    else',
-	      '        echo 1 > ${VARDIR}/${1}.state',
-	      '    fi',
-	      '',
+	emit( '',
 	      '    if [ "$state" = started ]; then',
 	      '        COMMAND=restart',
 	      '        progress_message3 "$g_product attempting restart"',
@@ -1727,7 +1786,10 @@ sub compile_updown() {
 #
 sub process_host( ) {
     my $ipsec = 0;
-    my ($zone, $hosts, $options ) = split_line 2, 3, 'hosts file';
+    my ($zone, $hosts, $options ) = split_line 'hosts file', { zone => 0, hosts => 1, options => 2 };
+
+    fatal_error 'ZONE must be specified'  if $zone eq '-';
+    fatal_error 'HOSTS must be specified' if $hosts eq '-';
 
     my $zoneref = $zones{$zone};
     my $type    = $zoneref->{type};
@@ -1763,7 +1825,7 @@ sub process_host( ) {
 	fatal_error "Invalid ipset name ($hosts)" unless $hosts =~ /^!?\+[a-zA-Z][-\w]*$/;
     }
 
-    if ( $type == BPORT ) {
+    if ( $type & BPORT ) {
 	if ( $zoneref->{bridge} eq '' ) {
 	    fatal_error 'Bridge Port Zones may only be associated with bridge ports' unless $interfaceref->{options}{port};
 	    $zoneref->{bridge} = $interfaces{$interface}{bridge};
@@ -1789,14 +1851,14 @@ sub process_host( ) {
 	    } elsif ( $option eq 'blacklist' ) {
 		$zoneref->{options}{in}{blacklist} = 1;
 	    } elsif ( $validhostoptions{$option}) {
-		fatal_error qq(The "$option" option is not allowed with Vserver zones) if $type == VSERVER && ! ( $validhostoptions{$option} & IF_OPTION_VSERVER );
+		fatal_error qq(The "$option" option is not allowed with Vserver zones) if $type & VSERVER && ! ( $validhostoptions{$option} & IF_OPTION_VSERVER );
 		$options{$option} = 1;
 	    } else {
 		fatal_error "Invalid option ($option)";
 	    }
 	}
 
-	fatal_error q(A host entry for a Vserver zone may not specify the 'ipsec' option) if $ipsec && $zoneref->{type} == VSERVER;
+	fatal_error q(A host entry for a Vserver zone may not specify the 'ipsec' option) if $ipsec && $zoneref->{type} & VSERVER;
 
 	$optionsref = \%options;
     }
@@ -1817,7 +1879,7 @@ sub process_host( ) {
     $hosts = join( '', ALLIP , $hosts ) if substr($hosts, 0, 2 ) eq ',!';
 
     if ( $hosts eq 'dynamic' ) {
-	fatal_error "Vserver zones may not be dynamic" if $type == VSERVER;
+	fatal_error "Vserver zones may not be dynamic" if $type & VSERVER;
 	require_capability( 'IPSET_MATCH', 'Dynamic nets', '');
 	my $physical = chain_base( physical_name $interface );
 	my $set      = $family == F_IPV4 ? "${zone}_${physical}" : "6_${zone}_${physical}";
@@ -1829,7 +1891,7 @@ sub process_host( ) {
     #
     # We ignore the user's notion of what interface vserver addresses are on and simply invent one for all of the vservers.
     #
-    $interface = '%vserver%' if $type == VSERVER;
+    $interface = '%vserver%' if $type & VSERVER;
 
     add_group_to_zone( $zone, $type , $interface, [ split_list( $hosts, 'host' ) ] , $optionsref);
 
@@ -1871,7 +1933,7 @@ sub find_hosts_by_option( $ ) {
     my $option = $_[0];
     my @hosts;
 
-    for my $zone ( grep $zones{$_}{type} != FIREWALL , @zones ) {
+    for my $zone ( grep ! ( $zones{$_}{type} & FIREWALL ) , @zones ) {
 	while ( my ($type, $interfaceref) = each %{$zones{$zone}{hosts}} ) {
 	    while ( my ( $interface, $arrayref) = ( each %{$interfaceref} ) ) {
 		for my $host ( @{$arrayref} ) {

Shorewall/Perl/compiler.pl

@@ -37,6 +37,7 @@
 #         --log_verbosity=<number>    # Log Verbosity range -1 to 2
 #         --family=<number>           # IP family; 4 = IPv4 (default), 6 = IPv6
 #         --preview                   # Preview the ruleset.
+#         --config_path=<path-list>   # Search path for config files
 #
 use strict;
 use FindBin;
@@ -62,7 +63,9 @@ sub usage( $ ) {
     [ --preview ]
     [ --family={4|6} ]
     [ --annotate ]
-    [ --updatee ]
+    [ --update ]
+    [ --convert ]
+    [ --config_path=<path-list> ]
 ';
 
     exit shift @_;
@@ -86,6 +89,8 @@ my $family        = 4; # F_IPV4
 my $preview       = 0;
 my $annotate      = 0;
 my $update        = 0;
+my $convert       = 0;
+my $config_path   = '';
 
 Getopt::Long::Configure ('bundling');
 
@@ -115,6 +120,8 @@ my $result = GetOptions('h'               => \$help,
 			'annotate'        => \$annotate,
 			'u'               => \$update,
 			'update'          => \$update,
+			'convert'         => \$convert,
+			'config_path=s'   => \$config_path,
 		       );
 
 usage(1) unless $result && @ARGV < 2;
@@ -134,5 +141,7 @@ compiler( script          => $ARGV[0] || '',
 	  family          => $family,
 	  confess         => $confess,
 	  update          => $update,
+	  convert         => $convert,
 	  annotate        => $annotate,
+	  config_path     => $config_path,
 	);

Shorewall/Perl/getparams

@@ -20,15 +20,21 @@
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, write to the Free Software
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-
+#
+#  Parameters:
+#
+#      $1 = Path name of params file
+#      $2 = $CONFIG_PATH
+#      $3 = Address family (4 o4 6)
+#
 if [ "$3" = 6 ]; then
-    . /usr/share/shorewall6/lib.base
-    . /usr/share/shorewall6/lib.cli
+    g_program=shorewall6
 else
-    . /usr/share/shorewall/lib.base
-    . /usr/share/shorewall/lib.cli
+    g_program=shorewall
 fi
 
+. /usr/share/shorewall/lib.cli
+
 CONFIG_PATH="$2"
 
 set -a

Shorewall/Perl/prog.footer

@@ -6,7 +6,7 @@
 #
 usage() {
     echo "Usage: $0 [ options ] <command>"
-    echo 
+    echo
     echo "<command> is one of:"
     echo "   start"
     echo "   stop"
@@ -31,6 +31,31 @@ usage() {
     echo "   -R <file>        Override RESTOREFILE setting"
     exit $1
 }
+
+checkkernelversion() {
+    local kernel
+
+    if [ $g_family -eq 6 ]; then
+	kernel=$(uname -r 2> /dev/null | sed -e 's/-.*//')
+
+	case "$kernel" in 
+	    *.*.*)
+		kernel=$(printf "%d%02d%02d" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
+		;;
+	    *)
+		kernel=$(printf "%d%02d00" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2/g'))
+		;;
+	esac
+
+	if [ $kernel -lt 20624 ]; then
+	    error_message "ERROR: $g_product requires Linux kernel 2.6.24 or later"
+	    return 1
+	fi
+    fi
+
+    return 0
+}
+
 ################################################################################
 # E X E C U T I O N    B E G I N S   H E R E				       #
 ################################################################################
@@ -47,7 +72,7 @@ if [ $# -gt 1 ]; then
     fi
 fi
 #
-# Map VERBOSE to VERBOSITY for compatibility with old Shorewall-lite installations
+# Map VERBOSE to VERBOSITY for compatibility with old Shorewall[6]-lite installations
 #
 [ -z "$VERBOSITY" ] && [ -n "$VERBOSE" ] && VERBOSITY=$VERBOSE
 #
@@ -175,61 +200,66 @@ COMMAND="$1"
 case "$COMMAND" in
     start)
 	[ $# -ne 1 ] && usage 2
-	if shorewall_is_started; then
+	if product_is_started; then
 	    error_message "$g_product is already Running"
 	    status=0
 	else
 	    progress_message3 "Starting $g_product...."
-	    detect_configuration
-	    define_firewall
-	    status=$?
-	    if [ $status -eq 0 ]; then
-		[ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
-		progress_message3 "done."
+	    if checkkernelversion; then
+		detect_configuration
+		define_firewall
+		status=$?
+		if [ $status -eq 0 ]; then
+		    [ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
+		    progress_message3 "done."
+		fi
 	    fi
 	fi
 	;;
     stop)
 	[ $# -ne 1 ] && usage 2
-	progress_message3 "Stopping $g_product...."
-	detect_configuration
-	stop_firewall
-	status=0
-	[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
-	progress_message3 "done."
+	if checkkernelversion; then
+	    progress_message3 "Stopping $g_product...."
+	    detect_configuration
+	    stop_firewall
+	    status=0
+	    [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
+	    progress_message3 "done."
+	fi
 	;;
     reset)
-	if ! shorewall_is_started ; then
+	if ! product_is_started ; then
 	    error_message "$g_product is not running"
 	    status=2
-	elif [ $# -eq 1 ]; then
-	    $IPTABLES -Z
-	    $IPTABLES -t nat -Z
-	    $IPTABLES -t mangle -Z
-	    date > ${VARDIR}/restarted
-	    status=0
-	    progress_message3 "$g_product Counters Reset"
-	else
-	    shift
-	    status=0
-	    for chain in $@; do
-		if chain_exists $chain; then
-		    if qt $IPTABLES -Z $chain; then
-			progress_message3 "Filter $chain Counters Reset"
+	elif checkkernelversion; then
+	    if [ $# -eq 1 ]; then
+		$IP6TABLES -Z
+		$IP6TABLES -t mangle -Z
+		date > ${VARDIR}/restarted
+		status=0
+		progress_message3 "$g_product Counters Reset"
+	    else
+		shift
+		status=0
+		for chain in $@; do
+		    if chain_exists $chain; then
+			if qt $IP6TABLES -Z $chain; then
+			    progress_message3 "Filter $chain Counters Reset"
+			else
+			    error_message "ERROR: Reset of chain $chain failed"
+			    status=2
+			    break
+			fi
 		    else
-			error_message "ERROR: Reset of chain $chain failed"
-			status=2
-			break
+			error_message "WARNING: Filter Chain $chain does not exist"
 		    fi
-		else
-		    error_message "WARNING: Filter Chain $chain does not exist"
-		fi
-	    done
+		done
+	    fi
 	fi
 	;;
     restart)
 	[ $# -ne 1 ] && usage 2
-	if shorewall_is_started; then
+	if product_is_started; then
 	    progress_message3 "Restarting $g_product...."
 	else
 	    error_message "$g_product is not running"
@@ -237,22 +267,27 @@ case "$COMMAND" in
 	    COMMAND=start
 	fi
 
-	detect_configuration
-	define_firewall
-	status=$?
-	if [ -n "$SUBSYSLOCK" ]; then
-	    [ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
-	fi
-	[ $status -eq 0 ] && progress_message3 "done."
-	;;
-    refresh)
-	[ $# -ne 1 ] && usage 2
-	if shorewall_is_started; then
-	    progress_message3 "Refreshing $g_product...."
+	if checkkernelversion; then
 	    detect_configuration
 	    define_firewall
 	    status=$?
+	    if [ -n "$SUBSYSLOCK" ]; then
+ 		[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
+            fi
+
 	    [ $status -eq 0 ] && progress_message3 "done."
+	fi
+	;;
+    refresh)
+	[ $# -ne 1 ] && usage 2
+	if product_is_started; then
+	    progress_message3 "Refreshing $g_product...."
+	    if checkkernelversion; then
+		detect_configuration
+		define_firewall
+		status=$?
+		[ $status -eq 0 ] && progress_message3 "done."
+	    fi
 	else
 	    echo "$g_product is not running" >&2
 	    status=2
@@ -260,20 +295,25 @@ case "$COMMAND" in
 	;;
     restore)
 	[ $# -ne 1 ] && usage 2
-	detect_configuration
-	define_firewall
-	status=$?
-	if [ -n "$SUBSYSLOCK" ]; then
- 	    [ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
-        fi
+	if checkkernelversion; then
+	    detect_configuration
+	    define_firewall
+	    status=$?
+	    if [ -n "$SUBSYSLOCK" ]; then
+ 		[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
+            fi
+	    [ $status -eq 0 ] && progress_message3 "done."
+	fi
 	;;
     clear)
 	[ $# -ne 1 ] && usage 2
 	progress_message3 "Clearing $g_product...."
-	clear_firewall
-	status=0
-	if [ $status -eq 0 ]; then
-	    [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
+	if checkkernelversion; then
+	    clear_firewall
+	    status=0
+	    if [ -n "$SUBSYSLOCK" ]; then
+		rm -f $SUBSYSLOCK
+	    fi
 	    progress_message3 "done."
 	fi
 	;;
@@ -281,7 +321,7 @@ case "$COMMAND" in
 	[ $# -ne 1 ] && usage 2
 	echo "$g_product-$SHOREWALL_VERSION Status at $(hostname) - $(date)"
 	echo
-	if shorewall_is_started; then
+	if product_is_started; then
 	    echo "$g_product is running"
 	    status=0
 	else
@@ -292,7 +332,7 @@ case "$COMMAND" in
 	if [ -f ${VARDIR}/state ]; then
 	    state="$(cat ${VARDIR}/state)"
 	    case $state in
-		Stopped*|lClear*)
+		Stopped*|Clear*)
 		    status=3
 		    ;;
 	    esac
@@ -306,14 +346,14 @@ case "$COMMAND" in
 	[ $# -eq 1 ] && exit 0
 	shift
 	[ $# -ne 1 ] && usage 2
-	updown $@
-	status=0;
+	updown $1
+	status=0
 	;;
     enable)
 	[ $# -eq 1 ] && exit 0
 	shift
 	[ $# -ne 1 ] && usage 2
-	if shorewall_is_started; then
+	if product_is_started; then
 	    detect_configuration
 	    enable_provider $1
 	fi
@@ -323,7 +363,7 @@ case "$COMMAND" in
 	[ $# -eq 1 ] && exit 0
 	shift
 	[ $# -ne 1 ] && usage 2
-	if shorewall_is_started; then
+	if product_is_started; then
 	    detect_configuration
 	    disable_provider $1
 	fi

Shorewall/Perl/prog.footer6

@@ -1,347 +0,0 @@
-###############################################################################
-# Code imported from /usr/share/shorewall/prog.footer6
-###############################################################################
-#
-# Give Usage Information
-#
-usage() {
-    echo "Usage: $0 [ options ] [ start|stop|clear|down|reset|refresh|restart|status|up|version ]"
-    echo
-    echo "Options are:"
-    echo
-    echo "   -v and -q        Standard Shorewall verbosity controls"
-    echo "   -n               Don't unpdate routing configuration"
-    echo "   -p               Purge Conntrack Table"
-    echo "   -t               Timestamp progress Messages"
-    echo "   -V <verbosity>   Set verbosity explicitly"
-    echo "   -R <file>        Override RESTOREFILE setting"
-    exit $1
-}
-
-checkkernelversion() {
-    local kernel
-
-    kernel=$(uname -r 2> /dev/null | sed -e 's/-.*//')
-
-    case "$kernel" in 
-	*.*.*)
-	    kernel=$(printf "%d%02d%02d" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
-	    ;;
-	*)
-	    kernel=$(printf "%d%02d00" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2/g'))
-	    ;;
-    esac
-
-    if [ $kernel -lt 20624 ]; then
-	error_message "ERROR: $g_product requires Linux kernel 2.6.24 or later"
-	return 1
-    else
-	return 0
-    fi
-}
-################################################################################
-# E X E C U T I O N    B E G I N S   H E R E				       #
-################################################################################
-#
-# Start trace if first arg is "debug" or "trace"
-#
-if [ $# -gt 1 ]; then
-    if [ "x$1" = "xtrace" ]; then
-	set -x
-	shift
-    elif [ "x$1" = "xdebug" ]; then
-	DEBUG=Yes
-	shift
-    fi
-fi
-#
-# Map VERBOSE to VERBOSITY for compatibility with old Shorewall6-lite installations
-#
-[ -z "$VERBOSITY" ] && [ -n "$VERBOSE" ] && VERBOSITY=$VERBOSE
-#
-# Map other old exported variables
-#
-g_purge=$PURGE
-g_noroutes=$NOROUTES
-g_timestamp=$TIMESTAMP
-g_recovering=$RECOVERING
-
-initialize
-
-if [ -n "$STARTUP_LOG" ]; then
-    touch $STARTUP_LOG
-    chmod 0600 $STARTUP_LOG
-    if [ ${SHOREWALL_INIT_SCRIPT:-0} -eq 1 ]; then
-	#
-	# We're being run by a startup script that isn't redirecting STDOUT
-	# Redirect it to the log
-	#
-	exec 2>>$STARTUP_LOG
-    fi
-fi
-
-finished=0
-
-while [ $finished -eq 0 -a $# -gt 0 ]; do
-    option=$1
-    case $option in
-	-*)
-	    option=${option#-}
-
-	    [ -z "$option" ] && usage 1
-
-	    while [ -n "$option" ]; do
-		case $option in
-		    v*)
-			[ $VERBOSITY -lt 2 ] && VERBOSITY=$(($VERBOSITY + 1 ))
-			option=${option#v}
-			;;
-		    q*)
-			[ $VERBOSITY -gt -1 ] && VERBOSITY=$(($VERBOSITY - 1 ))
-			option=${option#q}
-			;;
-		    n*)
-			g_noroutes=Yes
-			option=${option#n}
-			;;
-		    t*)
-			g_timestamp=Yes
-			option=${option#t}
-			;;
-		    p*)
-			g_purge=Yes
-			option=${option#p}
-			;;
-		    r*)
-			g_recovering=Yes
-			option=${option#r}
-			;;
-		    V*)
-			option=${option#V}
-
-			if [ -z "$option" -a $# -gt 0 ]; then
-			    shift
-			    option=$1
-			fi
-
-			if [ -n "$option" ]; then
-			    case $option in
-				-1|0|1|2)
-				    VERBOSITY=$option
-				    option=
-				    ;;
-				*)
-				    startup_error "Invalid -V option value ($option)"
-				    ;;
-			    esac
-			else
-			    startup_error "Missing -V option value"
-			fi
-			;;
-		    R*)
-			option=${option#R}
-
-			if [ -z "$option" -a $# -gt 0 ]; then
-			    shift
-			    option=$1
-			fi
-
-			if [ -n "$option" ]; then
-			    case $option in
-				*/*)
-	    			    startup_error "-R must specify a simple file name: $option"
-				    ;;
-				.safe|.try|NONE)
-				    ;;
-				.*)
-				    error_message "ERROR: Reserved File Name: $RESTOREFILE"
-				    exit 2
-				    ;;
-			    esac
-			else
-			    startup_error "Missing -R option value"
-			fi
-
-			RESTOREFILE=$option
-			option=
-			;;
-		esac
-	    done
-	    shift
-	    ;;
-	*)
-	    finished=1
-            ;;
-    esac
-done
-
-COMMAND="$1"
-
-
-case "$COMMAND" in
-    start)
-	[ $# -ne 1 ] && usage 2
-	if shorewall6_is_started; then
-	    error_message "$g_product is already Running"
-	    status=0
-	else
-	    progress_message3 "Starting $g_product...."
-	    if checkkernelversion; then
-		detect_configuration
-		define_firewall
-		status=$?
-		if [ $status -eq 0 ]; then
-		    [ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
-		    progress_message3 "done."
-		fi
-	    fi
-	fi
-	;;
-    stop)
-	[ $# -ne 1 ] && usage 2
-	if checkkernelversion; then
-	    progress_message3 "Stopping $g_product...."
-	    detect_configuration
-	    stop_firewall
-	    status=0
-	    [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
-	    progress_message3 "done."
-	fi
-	;;
-    reset)
-	if ! shorewall6_is_started ; then
-	    error_message "$g_product is not running"
-	    status=2
-	elif checkkernelversion; then
-	    if [ $# -eq 1 ]; then
-		$IP6TABLES -Z
-		$IP6TABLES -t mangle -Z
-		date > ${VARDIR}/restarted
-		status=0
-		progress_message3 "$g_product Counters Reset"
-	    else
-		shift
-		status=0
-		for chain in $@; do
-		    if chain_exists $chain; then
-			if qt $IP6TABLES -Z $chain; then
-			    progress_message3 "Filter $chain Counters Reset"
-			else
-			    error_message "ERROR: Reset of chain $chain failed"
-			    status=2
-			    break
-			fi
-		    else
-			error_message "WARNING: Filter Chain $chain does not exist"
-		    fi
-		done
-	    fi
-	fi
-	;;
-    restart)
-	[ $# -ne 1 ] && usage 2
-	if shorewall6_is_started; then
-	    progress_message3 "Restarting $g_product...."
-	else
-	    error_message "$g_product is not running"
-	    progress_message3 "Starting $g_product...."
-	    COMMAND=start
-	fi
-
-	if checkkernelversion; then
-	    detect_configuration
-	    define_firewall
-	    status=$?
-	    if [ -n "$SUBSYSLOCK" ]; then
- 		[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
-            fi
-
-	    [ $status -eq 0 ] && progress_message3 "done."
-	fi
-	;;
-    refresh)
-	[ $# -ne 1 ] && usage 2
-	if shorewall6_is_started; then
-	    progress_message3 "Refreshing $g_product...."
-	    if checkkernelversion; then
-		detect_configuration
-		define_firewall
-		status=$?
-		[ $status -eq 0 ] && progress_message3 "done."
-	    fi
-	else
-	    echo "$g_product is not running" >&2
-	    status=2
-	fi
-	;;
-    restore)
-	[ $# -ne 1 ] && usage 2
-	if checkkernelversion; then
-	    detect_configuration
-	    define_firewall
-	    status=$?
-	    if [ -n "$SUBSYSLOCK" ]; then
- 		[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
-            fi
-	    [ $status -eq 0 ] && progress_message3 "done."
-	fi
-	;;
-    clear)
-	[ $# -ne 1 ] && usage 2
-	progress_message3 "Clearing $g_product...."
-	if checkkernelversion; then
-	    clear_firewall
-	    status=0
-	    if [ -n "$SUBSYSLOCK" ]; then
-		rm -f $SUBSYSLOCK
-	    fi
-	    progress_message3 "done."
-	fi
-	;;
-    status)
-	[ $# -ne 1 ] && usage 2
-	echo "$g_product-$SHOREWALL_VERSION Status at $(hostname) - $(date)"
-	echo
-	if shorewall6_is_started; then
-	    echo "$g_product is running"
-	    status=0
-	else
-	    echo "$g_product is stopped"
-	    status=4
-	fi
-
-	if [ -f ${VARDIR}/state ]; then
-	    state="$(cat ${VARDIR}/state)"
-	    case $state in
-		Stopped*|Clear*)
-		    status=3
-		    ;;
-	    esac
-	else
-	    state=Unknown
-	fi
-	echo "State:$state"
-	echo
-	;;
-    up|down)
-	[ $# -eq 1 ] && exit 0
-	shift
-	[ $# -ne 1 ] && usage 2
-	updown $1
-	status=0
-	;;
-    version)
-	[ $# -ne 1 ] && usage 2
-	echo $SHOREWALL_VERSION
-	status=0
-	;;
-    help)
-	[ $# -ne 1 ] && usage 2
-	usage 0
-	;;
-    *)
-	usage 2
-	;;
-esac
-
-exit $status

Shorewall/Perl/prog.header

@@ -27,90 +27,6 @@
 ################################################################################
 # Functions imported from /usr/share/shorewall/prog.header
 ################################################################################
-#
-# Conditionally produce message
-#
-progress_message() # $* = Message
-{
-    local timestamp
-    timestamp=
-
-    if [ $VERBOSITY -gt 1 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
-	echo "${timestamp}$@"
-    fi
-
-    if [ $LOG_VERBOSITY -gt 1 ]; then
-        timestamp="$(date +'%b %_d %T') "
-        echo "${timestamp}$@" >> $STARTUP_LOG
-    fi
-}
-
-progress_message2() # $* = Message
-{
-    local timestamp
-    timestamp=
-
-    if [ $VERBOSITY -gt 0 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
-	echo "${timestamp}$@"
-    fi
-
-    if [ $LOG_VERBOSITY -gt 0 ]; then
-        timestamp="$(date +'%b %_d %T') "
-        echo "${timestamp}$@" >> $STARTUP_LOG
-    fi
-}
-
-progress_message3() # $* = Message
-{
-    local timestamp
-    timestamp=
-
-    if [ $VERBOSITY -ge 0 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
-	echo "${timestamp}$@"
-    fi
-
-    if [ $LOG_VERBOSITY -ge 0 ]; then
-        timestamp="$(date +'%b %_d %T') "
-        echo "${timestamp}$@" >> $STARTUP_LOG
-    fi
-}
-
-#
-# Set a standard chain's policy
-#
-setpolicy() # $1 = name of chain, $2 = policy
-{
-    run_iptables -P $1 $2
-}
-
-#
-# Generate a list of all network interfaces on the system
-#
-find_all_interfaces() {
-    ${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
-}
-
-#
-# Generate a list of all network interfaces on the system that have an ipv4 address
-#
-find_all_interfaces1() {
-    ${IP:-ip} -4 addr list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
-}
-
-#
-# Find the value 'dev' in the passed arguments then echo the next value
-#
-
-find_device() {
-    while [ $# -gt 1 ]; do
-	[ "x$1" = xdev ] && echo $2 && return
-	shift
-    done
-}
-
 #
 # Find the value 'weight' in the passed arguments then echo the next value
 #
@@ -122,40 +38,6 @@ find_weight() {
     done
 }
 
-#
-# Find the value 'via' in the passed arguments then echo the next value
-#
-
-find_gateway() {
-    while [ $# -gt 1 ]; do
-	[ "x$1" = xvia ] && echo $2 && return
-	shift
-    done
-}
-
-#
-# Find the value 'mtu' in the passed arguments then echo the next value
-#
-
-find_mtu() {
-    while [ $# -gt 1 ]; do
-	[ "x$1" = xmtu ] && echo $2 && return
-	shift
-    done
-}
-
-#
-# Find the value 'peer' in the passed arguments then echo the next value up to
-# "/"
-#
-
-find_peer() {
-    while [ $# -gt 1 ]; do
-	[ "x$1" = xpeer ] && echo ${2%/*} && return
-	shift
-    done
-}
-
 #
 # Find the interfaces that have a route to the passed address - the default
 # route is not used.
@@ -178,23 +60,6 @@ find_rt_interface() {
     done
 }
 
-#
-# Try to find the gateway through an interface looking for 'nexthop'
-
-find_nexthop() # $1 = interface
-{
-    echo $(find_gateway `$IP -4 route list | grep "[[:space:]]nexthop.* $1"`)
-}
-
-#
-# Find the default route's interface
-#
-find_default_interface() {
-    $IP -4 route list | while read first rest; do
-	[ "$first" = default ] && echo $(find_device $rest) && return
-    done
-}
-
 #
 # Echo the name of the interface(s) that will be used to send to the
 # passed address
@@ -211,31 +76,6 @@ find_interface_by_address() {
     [ -n "$dev" ] && echo $dev
 }
 
-#
-# Determine if Interface is up
-#
-interface_is_up() {
-    [ -n "$($IP link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ]
-}
-
-#
-# Determine if interface is usable from a Netfilter prespective
-#
-interface_is_usable() # $1 = interface
-{
-    [ "$1" = lo ] && return 0
-    interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != 0.0.0.0 ] && run_isusable_exit $1
-}
-
-#
-# Find interface addresses--returns the set of addresses assigned to the passed
-# device
-#
-find_interface_addresses() # $1 = interface
-{
-    $IP -f inet addr show $1 2> /dev/null | grep inet\  | sed 's/\s*inet //;s/\/.*//;s/ peer.*//'
-}
-
 #
 #  echo the list of networks routed out of a given interface
 #
@@ -428,178 +268,6 @@ disable_ipv6() {
     fi
 }
 
-#
-# Clear the current traffic shaping configuration
-#
-
-delete_tc1()
-{
-    clear_one_tc() {
-        $TC qdisc del dev $1 root 2> /dev/null
-        $TC qdisc del dev $1 ingress 2> /dev/null
-
-    }
-
-    run_tcclear_exit
-
-    run_ip link list | \
-    while read inx interface details; do
-        case $inx in
-            [0-9]*)
-                clear_one_tc ${interface%:}
-                ;;
-            *)
-                ;;
-        esac
-    done
-}
-
-#
-# Detect a device's MTU -- echos the passed device's MTU
-#
-get_device_mtu() # $1 = device
-{
-    local output
-    output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash
-
-    if [ -n "$output" ]; then
-	echo $(find_mtu $output)
-    else
-	echo 1500
-    fi
-}
-
-#
-# Version of the above that doesn't generate any output for MTU 1500.
-# Generates 'mtu <mtu+>' otherwise, where <mtu+> is the device's MTU + 100
-#
-get_device_mtu1() # $1 = device
-{
-    local output
-    output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash
-    local mtu
-
-    if [ -n "$output" ]; then
-	mtu=$(find_mtu $output)
-	if [ -n "$mtu" ]; then
-	    [ $mtu = 1500 ] || echo mtu $(($mtu + 100))
-	fi
-    fi
-
-}
-
-#
-# Undo changes to routing
-#
-undo_routing() {
-    local undofiles
-    local f
-
-    if [ -z "$g_noroutes"  ]; then
-	#
-	# Restore rt_tables database
-	#
-	if [ -f ${VARDIR}/rt_tables ]; then
-	    [ -w /etc/iproute2/rt_table -a -z "$KEEP_RT_TABLES" ] && cp -f ${VARDIR}/rt_tables /etc/iproute2/ && progress_message "/etc/iproute2/rt_tables database restored"
-	    rm -f ${VARDIR}/rt_tables
-	fi
-	#
-	# Restore the rest of the routing table
-	#
-	undofiles="$(ls ${VARDIR}/undo_*routing 2> /dev/null)"
-
-	if [ -n "$undofiles" ]; then
-	    for f in $undofiles; do
-		. $f
-	    done
-
-	    rm -f $undofiles
-
-            progress_message "Shorewall-generated routing tables and routing rules removed"
-	fi
-    fi
-
-}
-
-#
-# Save the default route
-#
-save_default_route() {
-    awk \
-    'BEGIN        {defroute=0;};
-     /^default /  {deroute=1; print; next};
-     /nexthop/    {if (defroute == 1 ) {print ; next} };
-                  { defroute=0; };'
-}
-
-#
-# Restore the default route that was in place before the initial 'shorewall start'
-#
-replace_default_route() # $1 = USE_DEFAULT_RT
-{
-    #
-    # default_route and result are inherited from the caller
-    #
-    if [ -n "$default_route" ]; then
-	case "$default_route" in
-	    *metric*)
-	        #
-	        # Don't restore a default route with a metric unless USE_DEFAULT_RT=Yes. Otherwise, we only replace the one with metric 0
-	        #
-		[ -n "$1" ] && qt $IP -4 route replace $default_route && progress_message "Default Route (${default_route# }) restored"
-		default_route=
-		;;
-	    *)
-		qt $IP -4 route replace $default_route && progress_message "Default Route (${default_route# }) restored"
-		result=0
-		default_route=
-		;;
-	esac
-    fi
-}
-
-restore_default_route() # $1 = USE_DEFAULT_RT
-{
-    local result
-    result=1
-
-    if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then
-	local default_route
-	default_route=
-	local route
-
-	while read route ; do
-	    case $route in
-		default*)
-		    replace_default_route $1
-		    default_route="$default_route $route"
-		    ;;
-		*)
-		    default_route="$default_route $route"
-		    ;;
-	    esac
-	done < ${VARDIR}/default_route
-
-	replace_default_route $1
-	
-	if [ $result = 1 ]; then
-	    #
-	    # We didn't restore a default route with metric 0
-	    #
-	    if $IP -4 -o route list 2> /dev/null | fgrep default | fgrep -qv metric; then
-	       #
-	       # But we added a default route with metric 0
-	       #
-	       qt $IP -4 route del default metric 0 && progress_message "Default route with metric 0 deleted"
-	    fi
-	fi
-
-	rm -f ${VARDIR}/default_route
-    fi
-
-    return $result
-}
-
 #
 # Add an additional gateway to the default route
 #
@@ -675,20 +343,6 @@ find_mac() # $1 = IP address, $2 = interface
     fi
 }
 
-#
-# Flush the conntrack table if $g_purge is non-empty
-#
-conditionally_flush_conntrack() {
-
-    if [ -n "$g_purge" ]; then
-	if [ -n $(mywhich conntrack) ]; then
-            conntrack -F
-	else
-            error_message "WARNING: The '-p' option requires the conntrack utility which does not appear to be installed on this system"
-	fi
-    fi
-}
-
 #
 # Clear Proxy Arp
 #
@@ -735,124 +389,6 @@ clear_firewall() {
     logger -p kern.info "$g_product Cleared"
 }
 
-#
-# Issue a message and stop/restore the firewall
-#
-fatal_error()
-{
-    echo "   ERROR: $@" >&2
-
-    if [ $LOG_VERBOSITY -ge 0 ]; then
-        timestamp="$(date +'%_b %d %T') "
-        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
-    fi
-
-    stop_firewall
-    [ -n "$TEMPFILE" ] && rm -f $TEMPFILE
-    exit 2
-}
-
-#
-# Issue a message and stop
-#
-startup_error() # $* = Error Message
-{
-    echo "   ERROR: $@: Firewall state not changed" >&2
-
-    if [ $LOG_VERBOSITY -ge 0 ]; then
-        timestamp="$(date +'%_b %d %T') "
-        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
-    fi
-
-    case $COMMAND in
-        start)
-	    logger -p kern.err "ERROR:$g_product start failed:Firewall state not changed"
-	    ;;
-	restart)
-	    logger -p kern.err "ERROR:$g_product restart failed:Firewall state not changed"
-	    ;;
-	restore)
-	    logger -p kern.err "ERROR:$g_product restore failed:Firewall state not changed"
-	    ;;
-    esac
-
-    if [ $LOG_VERBOSITY -ge 0 ]; then
-        timestamp="$(date +'%_b %d %T') "
-
-	case $COMMAND in
-	    start)
-		echo "${timestamp}  ERROR:$g_product start failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	    restart)
-		echo "${timestamp}  ERROR:$g_product restart failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	    restore)
-		echo "${timestamp}  ERROR:$g_product restore failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	esac
-    fi
-
-    kill $$
-    exit 2
-}
-
-#
-# Run iptables and if an error occurs, stop/restore the firewall
-#
-run_iptables()
-{
-    local status
-
-    while [ 1 ]; do
-	$IPTABLES $@
-	status=$?
-	[ $status -ne 4 ] && break
-    done
-
-    if [ $status -ne 0 ]; then
-        error_message "ERROR: Command \"$IPTABLES $@\" Failed"
-	stop_firewall
-        exit 2
-    fi
-}
-
-#
-# Run iptables retrying exit status 4
-#
-do_iptables()
-{
-    local status
-
-    while [ 1 ]; do
-	$IPTABLES $@
-	status=$?
-	[ $status -ne 4 ] && return $status;
-    done
-}
-
-#
-# Run iptables and if an error occurs, stop/restore the firewall
-#
-run_ip()
-{
-    if ! $IP -4 $@; then
-	error_message "ERROR: Command \"$IP -4 $@\" Failed"
-	stop_firewall
-	exit 2
-    fi
-}
-
-#
-# Run tc and if an error occurs, stop/restore the firewall
-#
-run_tc() {
-    if ! $TC $@ ; then
-	error_message "ERROR: Command \"$TC $@\" Failed"
-	stop_firewall
-	exit 2
-    fi
-}
-
 #
 # Get a list of all configured broadcast addresses on the system
 #
@@ -861,97 +397,6 @@ get_all_bcasts()
     $IP -f inet addr show 2> /dev/null | grep 'inet.*brd' | grep -v '/32 ' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
 }
 
-#
-# Run the .iptables_restore_input as a set of discrete iptables commands
-#
-debug_restore_input() {
-    local first second rest table chain
-    #
-    # Clear the ruleset
-    #
-    qt1 $IPTABLES -t mangle -F
-    qt1 $IPTABLES -t mangle -X
-
-    for chain in PREROUTING INPUT FORWARD POSTROUTING; do
-	qt1 $IPTABLES -t mangle -P $chain ACCEPT
-    done
-
-    qt1 $IPTABLES -t raw     -F
-    qt1 $IPTABLES -t raw     -X
-    qt1 $IPTABLES -t rawpost -F
-    qt1 $IPTABLES -t rawpost -X
-
-    for chain in PREROUTING OUTPUT; do
-	qt1 $IPTABLES -t raw -P $chain ACCEPT
-    done
-
-    qt1 $iptables -T rawpost -P POSTROUTING ACCEPT
-
-    run_iptables -t nat -F
-    run_iptables -t nat -X
-
-    for chain in PREROUTING POSTROUTING OUTPUT; do
-	qt1 $IPTABLES -t nat -P $chain ACCEPT
-    done
-
-    qt1 $IPTABLES -t filter -F
-    qt1 $IPTABLES -t filter -X
-
-    for chain in INPUT FORWARD OUTPUT; do
-	qt1 $IPTABLES -t filter -P $chain -P ACCEPT
-    done
-
-    while read first second rest; do
-	case $first in
-	    -*)
-		#
-		# We can't call run_iptables() here because the rules may contain quoted strings
-		#
-		eval $IPTABLES -t $table $first $second $rest
-
-		if [ $? -ne 0 ]; then
-		    error_message "ERROR: Command \"$IPTABLES $first $second $rest\" Failed"
-		    stop_firewall
-		    exit 2
-		fi
-		;;
-	    :*)
-		chain=${first#:}
-
-		if [ "x$second" = x- ]; then
-		    do_iptables -t $table -N $chain
-		else
-		    do_iptables -t $table -P $chain $second
-		fi
-
-		if [ $? -ne 0 ]; then
-		    error_message "ERROR: Command \"$IPTABLES $first $second $rest\" Failed"
-		    stop_firewall
-		    exit 2
-		fi
-		;;
-	    #
-	    # This grotesque hack with the table names works around a bug/feature with ash
-	    #
-	    '*'raw)
-		table=raw
-		;;
-	    '*'rawpost)
-		table=rawpost
-		;;
-	    '*'mangle)
-		table=mangle
-		;;
-	    '*'nat)
-		table=nat
-		;;
-	    '*'filter)
-		table=filter
-		;;
-	esac
-    done
-}
-
 ################################################################################
 # End of functions in /usr/share/shorewall/prog.header
 ################################################################################

Shorewall/Perl/prog.header6

@@ -27,166 +27,6 @@
 ################################################################################
 # Functions imported from /usr/share/shorewall/prog.header6
 ################################################################################
-#
-# Conditionally produce message
-#
-progress_message() # $* = Message
-{
-    local timestamp
-    timestamp=
-
-    if [ $VERBOSITY -gt 1 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
-	echo "${timestamp}$@"
-    fi
-
-    if [ $LOG_VERBOSITY -gt 1 ]; then
-        timestamp="$(date +'%b %_d %T') "
-        echo "${timestamp}$@" >> $STARTUP_LOG
-    fi
-}
-
-progress_message2() # $* = Message
-{
-    local timestamp
-    timestamp=
-
-    if [ $VERBOSITY -gt 0 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
-	echo "${timestamp}$@"
-    fi
-
-    if [ $LOG_VERBOSITY -gt 0 ]; then
-        timestamp="$(date +'%b %_d %T') "
-        echo "${timestamp}$@" >> $STARTUP_LOG
-    fi
-}
-
-progress_message3() # $* = Message
-{
-    local timestamp
-    timestamp=
-
-    if [ $VERBOSITY -ge 0 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
-	echo "${timestamp}$@"
-    fi
-
-    if [ $LOG_VERBOSITY -ge 0 ]; then
-        timestamp="$(date +'%b %_d %T') "
-        echo "${timestamp}$@" >> $STARTUP_LOG
-    fi
-}
-
-#
-# Set a standard chain's policy
-#
-setpolicy() # $1 = name of chain, $2 = policy
-{
-    run_iptables -P $1 $2
-}
-
-#
-# Generate a list of all network interfaces on the system
-#
-find_all_interfaces() {
-    ${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
-}
-
-#
-# Generate a list of all network interfaces on the system that have an ipv6 address
-#
-find_all_interfaces1() {
-    ${IP:-ip} -6 addr list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
-}
-
-#
-# Find the value 'dev' in the passed arguments then echo the next value
-#
-
-find_device() {
-    while [ $# -gt 1 ]; do
-	[ "x$1" = xdev ] && echo $2 && return
-	shift
-    done
-}
-
-#
-# Find the value 'via' in the passed arguments then echo the next value
-#
-
-find_gateway() {
-    while [ $# -gt 1 ]; do
-	[ "x$1" = xvia ] && echo $2 && return
-	shift
-    done
-}
-
-#
-# Find the value 'mtu' in the passed arguments then echo the next value
-#
-
-find_mtu() {
-    while [ $# -gt 1 ]; do
-	[ "x$1" = xmtu ] && echo $2 && return
-	shift
-    done
-}
-
-#
-# Find the value 'peer' in the passed arguments then echo the next value up to
-# "/"
-#
-
-find_peer() {
-    while [ $# -gt 1 ]; do
-	[ "x$1" = xpeer ] && echo ${2%/*} && return
-	shift
-    done
-}
-
-#
-# Try to find the gateway through an interface looking for 'nexthop'
-
-find_nexthop() # $1 = interface
-{
-    echo $(find_gateway `$IP -6 route list | grep "[[:space:]]nexthop.* $1"`)
-}
-
-#
-# Find the default route's interface
-#
-find_default_interface() {
-    $IP -6 route list | while read first rest; do
-	[ "$first" = default ] && echo $(find_device $rest) && return
-    done
-}
-
-#
-# Determine if Interface is up
-#
-interface_is_up() {
-    [ -n "$($IP -6 link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ]
-}
-
-#
-# Determine if interface is usable from a Netfilter prespective
-#
-interface_is_usable() # $1 = interface
-{
-    [ "$1" = lo ] && return 0
-    interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ] && run_isusable_exit $1
-}
-
-#
-# Find interface addresses--returns the set of addresses assigned to the passed
-# device
-#
-find_interface_addresses() # $1 = interface
-{
-    $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2' | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//'
-}
-
 #
 # Get all interface addresses with VLSMs
 #
@@ -196,35 +36,6 @@ find_interface_full_addresses() # $1 = interface
     $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 ' | sed 's/\s*inet6 //;s/ scope.*//;s/ peer.*//'
 }
 
-#
-#  echo the list of networks routed out of a given interface
-#
-get_routed_networks() # $1 = interface name, $2-n = Fatal error message
-{
-    local address
-    local rest
-
-    $IP -6 route show dev $1 2> /dev/null |
-	while read address rest; do
-	    case "$address" in
-		default)
-		    if [ $# -gt 1 ]; then
-			shift
-			fatal_error "$@"
-		    else
-			echo "WARNING: default route ignored on interface $1" >&2
-		    fi
-		    ;;
-		multicast|broadcast|prohibit|nat|throw|nexthop)
-		    ;;
-		2*)
-		    [ "$address" = "${address%/*}" ] && address="${address}/128"
-		    echo $address
-		    ;;
-	    esac
-        done
-}
-
 #
 # Normalize an IPv6 Address by compressing out consecutive zero elements
 #
@@ -409,164 +220,33 @@ detect_gateway() # $1 = interface
     [ -n "$gateway" ] && echo $gateway
 }
 
-delete_tc1()
+#
+# Add an additional gateway to the default route
+#
+add_gateway() # $1 = Delta $2 = Table Number
 {
-    clear_one_tc() {
-        $TC qdisc del dev $1 root 2> /dev/null
-        $TC qdisc del dev $1 ingress 2> /dev/null
-
-    }
-
-    run_tcclear_exit
-
-    run_ip link list | \
-    while read inx interface details; do
-        case $inx in
-            [0-9]*)
-                clear_one_tc ${interface%:}
-                ;;
-            *)
-                ;;
-        esac
-    done
+    local route
+    local weight
+    local delta
+    local dev
+    
+    run_ip route add default scope global table $2 $1
 }
 
 #
-# Detect a device's MTU -- echos the passed device's MTU
+# Remove a gateway from the default route
 #
-get_device_mtu() # $1 = device
+delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device
 {
-    local output
-    output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash
+    local route
+    local gateway
+    local dev
 
-    if [ -n "$output" ]; then
-	echo $(find_mtu $output)
-    else
-	echo 1500
-    fi
-}
-
-#
-# Version of the above that doesn't generate any output for MTU 1500.
-# Generates 'mtu <mtu+>' otherwise, where <mtu+> is the device's MTU + 100
-#
-get_device_mtu1() # $1 = device
-{
-    local output
-    output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash
-    local mtu
-
-    if [ -n "$output" ]; then
-	mtu=$(find_mtu $output)
-	if [ -n "$mtu" ]; then
-	    [ $mtu = 1500 ] || echo mtu $(($mtu + 100))
-	fi
-    fi
-
-}
-
-#
-# Undo changes to routing
-#
-undo_routing() {
-
-    if [ -z "$g_noroutes"  ]; then
-	#
-	# Restore rt_tables database
-	#
-	if [ -f ${VARDIR}/rt_tables ]; then
-	    [ -w /etc/iproute2/rt_table -a -z "$KEEP_RT_TABLES" ] && cp -f ${VARDIR}/rt_tables /etc/iproute2/ && progress_message "/etc/iproute2/rt_tables database restored"
-	    rm -f ${VARDIR}/rt_tables
-	fi
-	#
-	# Restore the rest of the routing table
-	#
-	if [ -f ${VARDIR}/undo_routing ]; then
-	    . ${VARDIR}/undo_routing
-	    progress_message "Shorewall-generated routing tables and routing rules removed"
-	    rm -f ${VARDIR}/undo_*routing
-	fi
-    fi
-
-}
-
-#
-# Save the default route
-#
-save_default_route() {
-    awk \
-    'BEGIN        {defroute=0;};
-     /^default /  {defroute=1; print; next};
-     /nexthop/    {if (defroute == 1 ) {print ; next} };
-                  { defroute=0; };'
-}
-
-#
-# Restore the default route that was in place before the initial 'shorewall start'
-#
-replace_default_route() # $1 = USE_DEFAULT_RT
-{
-    #
-    # default_route and result are inherited from the caller
-    #
-    if [ -n "$default_route" ]; then
-	case "$default_route" in
-	    *metric*)
-	        #
-	        # Don't restore a default route with a metric unless USE_DEFAULT_RT=Yes. Otherwise, we only replace the one with metric 0
-	        #
-		[ -n "$1" ] && qt $IP -6 route replace $default_route && progress_message "Default Route (${default_route# }) restored"
-		default_route=
-		;;
-	    *)
-		qt $IP -6 route replace $default_route && progress_message "Default Route (${default_route# }) restored"
-		result=0
-		default_route=
-		;;
-	esac
-    fi
-}
-
-restore_default_route() # $1 = USE_DEFAULT_RT
-{
-    local result
-    result=1
-
-    if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then
-	local default_route
-	default_route=
-	local route
-
-	while read route ; do
-	    case $route in
-		default*)
-		    replace_default_route $1
-		    default_route="$default_route $route"
-		    ;;
-		*)
-		    default_route="$default_route $route"
-		    ;;
-	    esac
-	done < ${VARDIR}/default_route
-
-	replace_default_route $1
-	
-	if [ $result = 1 ]; then
-	    #
-	    # We didn't restore a default route with metric 0
-	    #
-	    if $IP -6 -o route list 2> /dev/null | fgrep default | fgrep -qv metric; then
-	       #
-	       # But we added a default route with metric 0
-	       #
-	       qt $IP -6 route del default metric 0 && progress_message "Default route with metric 0 deleted"
-	    fi
-	fi
-
-	rm -f ${VARDIR}/default_route
-    fi
-
-    return $result
+    route=`$IP -6 -o route ls table $2 | grep ^default | sed 's/[\]//g'`
+    gateway=$1
+  
+    dev=$(find_device $route)
+    [ "$dev" = "$3" ] && run_ip route delete default table $2
 }
 
 #
@@ -588,20 +268,6 @@ find_echo() {
     echo echo
 }
 
-#
-# Flush the conntrack table if $g_purge is non-empty
-#
-conditionally_flush_conntrack() {
-
-    if [ -n "$g_purge" ]; then
-	if [ -n $(which conntrack) ]; then
-            conntrack -F
-	else
-            error_message "WARNING: The '-p' option requires the conntrack utility which does not appear to be installed on this system"
-	fi
-    fi
-}
-
 #
 # Clear Proxy NDP
 #
@@ -640,204 +306,6 @@ clear_firewall() {
     logger -p kern.info "$g_product Cleared"
 }
 
-#
-# Issue a message and stop/restore the firewall
-#
-fatal_error()
-{
-    echo "   ERROR: $@" >&2
-
-    if [ $LOG_VERBOSITY -gt 1 ]; then
-        timestamp="$(date +'%_b %d %T') "
-        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
-    fi
-
-    stop_firewall
-    [ -n "$TEMPFILE" ] && rm -f $TEMPFILE
-    exit 2
-}
-
-#
-# Issue a message and stop
-#
-startup_error() # $* = Error Message
-{
-    echo "   ERROR: $@: Firewall state not changed" >&2
-
-    if [ $LOG_VERBOSITY -ge 0 ]; then
-        timestamp="$(date +'%_b %d %T') "
-        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
-    fi
-
-    case $COMMAND in
-        start)
-	    logger -p kern.err "ERROR:$g_product start failed:Firewall state not changed"
-	    ;;
-	restart)
-	    logger -p kern.err "ERROR:$g_product restart failed:Firewall state not changed"
-	    ;;
-	restore)
-	    logger -p kern.err "ERROR:$g_product restore failed:Firewall state not changed"
-	    ;;
-    esac
-
-    if [ $LOG_VERBOSITY -gt 1 ]; then
-        timestamp="$(date +'%_b %d %T') "
-
-	case $COMMAND in
-	    start)
-		echo "${timestamp}  ERROR:$g_product start failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	    restart)
-		echo "${timestamp}  ERROR:$g_product restart failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	    restore)
-		echo "${timestamp}  ERROR:$g_product restore failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	esac
-    fi
-
-    kill $$
-    exit 2
-}
-
-#
-# Run iptables and if an error occurs, stop/restore the firewall
-#
-run_iptables()
-{
-    local status
-
-    while [ 1 ]; do
-	$IP6TABLES $@
-	status=$?
-	[ $status -ne 4 ] && break
-    done
-
-    if [ $status -ne 0 ]; then
-        error_message "ERROR: Command \"$IP6TABLES $@\" Failed"
-	stop_firewall
-        exit 2
-    fi
-}
-
-#
-# Run iptables retrying exit status 4
-#
-do_iptables()
-{
-    local status
-
-    while [ 1 ]; do
-	$IP6TABLES $@
-	status=$?
-	[ $status -ne 4 ] && return $status;
-    done
-}
-
-#
-# Run iptables and if an error occurs, stop/restore the firewall
-#
-run_ip()
-{
-    if ! $IP -6 $@; then
-	error_message "ERROR: Command \"$IP -6 $@\" Failed"
-	stop_firewall
-	exit 2
-    fi
-}
-
-#
-# Run tc and if an error occurs, stop/restore the firewall
-#
-run_tc() {
-    if ! $TC $@ ; then
-	error_message "ERROR: Command \"$TC $@\" Failed"
-	stop_firewall
-	exit 2
-    fi
-}
-
-#
-# Run the .iptables_restore_input as a set of discrete iptables commands
-#
-debug_restore_input() {
-    local first second rest table chain
-    #
-    # Clear the ruleset
-    #
-    qt1 $IP6TABLES -t mangle -F
-    qt1 $IP6TABLES -t mangle -X
-
-    for chain in PREROUTING INPUT FORWARD POSTROUTING; do
-	qt1 $IP6TABLES -t mangle -P $chain ACCEPT
-    done
-
-    qt1 $IP6TABLES -t raw    -F
-    qt1 $IP6TABLES -t raw    -X
-
-    for chain in PREROUTING OUTPUT; do
-	qt1 $IP6TABLES -t raw -P $chain ACCEPT
-    done
-
-    qt1 $IP6TABLES -t filter -F
-    qt1 $IP6TABLES -t filter -X
-
-    for chain in INPUT FORWARD OUTPUT; do
-	qt1 $IP6TABLES -t filter -P $chain -P ACCEPT
-    done
-
-    while read first second rest; do
-	case $first in
-	    -*)
-		#
-		# We can't call run_iptables() here because the rules may contain quoted strings
-		#
-		eval $IP6TABLES -t $table $first $second $rest
-
-		if [ $? -ne 0 ]; then
-		    error_message "ERROR: Command \"$IP6TABLES $first $second $rest\" Failed"
-		    stop_firewall
-		    exit 2
-		fi
-		;;
-	    :*)
-		chain=${first#:}
-
-		if [ "x$second" = x- ]; then
-		    do_iptables -t $table -N $chain
-		else
-		    do_iptables -t $table -P $chain $second
-		fi
-
-		if [ $? -ne 0 ]; then
-		    error_message "ERROR: Command \"$IP6TABLES $first $second $rest\" Failed"
-		    stop_firewall
-		    exit 2
-		fi
-		;;
-	    #
-	    # This grotesque hack with the table names works around a bug/feature with ash
-	    #
-	    '*'raw)
-		table=raw
-		;;
-	    '*'rawpost)
-		table=rawpost
-		;;
-	    '*'mangle)
-		table=mangle
-		;;
-	    '*'nat)
-		table=nat
-		;;
-	    '*'filter)
-		table=filter
-		;;
-	esac
-    done
-}
-
 ################################################################################
 # End of functions imported from /usr/share/shorewall/prog.header6
 ################################################################################

Shorewall/Samples/Universal/rules

@@ -6,8 +6,8 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-rules.html
 #
-####################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME
+###################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED

Shorewall/Samples/Universal/shorewall.conf

@@ -39,6 +39,8 @@ LOGLIMIT=
 
 MACLIST_LOG_LEVEL=info
 
+RELATED_LOG_LEVEL=
+
 SFILTER_LOG_LEVEL=info
 
 SMURF_LOG_LEVEL=info
@@ -136,8 +138,6 @@ FORWARD_CLEAR_MARK=
 
 IMPLICIT_CONTINUE=No
 
-HIGH_ROUTE_MARKS=No
-
 IP_FORWARDING=On
 
 KEEP_RT_TABLES=No
@@ -188,7 +188,7 @@ TRACK_PROVIDERS=Yes
 
 USE_DEFAULT_RT=No
 
-WIDE_TC_MARKS=Yes
+USE_PHYSICAL_NAMES=No
 
 ZONE2ZONE=2
 
@@ -200,12 +200,28 @@ BLACKLIST_DISPOSITION=DROP
 
 MACLIST_DISPOSITION=REJECT
 
+RELATED_DISPOSITION=ACCEPT
+
 SMURF_DISPOSITION=DROP
 
 SFILTER_DISPOSITION=DROP
 
 TCP_FLAGS_DISPOSITION=DROP
 
+################################################################################
+#			P A C K E T  M A R K  L A Y O U T
+################################################################################
+
+TC_BITS=
+
+PROVIDER_BITS=
+
+PROVIDER_OFFSET=
+
+MASK_BITS=
+
+ZONE_BITS=0
+
 ################################################################################
 #                            L E G A C Y  O P T I O N
 #                      D O  N O T  D E L E T E  O R  A L T E R

Shorewall/Samples/one-interface/rules

@@ -10,8 +10,8 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall-rules"
-#############################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
+######################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED

Shorewall/Samples/one-interface/shorewall.conf

@@ -50,6 +50,8 @@ LOGLIMIT=
 
 MACLIST_LOG_LEVEL=info
 
+RELATED_LOG_LEVEL=
+
 SFILTER_LOG_LEVEL=info
 
 SMURF_LOG_LEVEL=info
@@ -147,8 +149,6 @@ FORWARD_CLEAR_MARK=
 
 IMPLICIT_CONTINUE=No
 
-HIGH_ROUTE_MARKS=No
-
 IP_FORWARDING=Off
 
 KEEP_RT_TABLES=No
@@ -199,7 +199,7 @@ TRACK_PROVIDERS=Yes
 
 USE_DEFAULT_RT=No
 
-WIDE_TC_MARKS=Yes
+USE_PHYSICAL_NAMES=No
 
 ZONE2ZONE=2
 
@@ -211,12 +211,28 @@ BLACKLIST_DISPOSITION=DROP
 
 MACLIST_DISPOSITION=REJECT
 
+RELATED_DISPOSITION=ACCEPT
+
 SMURF_DISPOSITION=DROP
 
 SFILTER_DISPOSITION=DROP
 
 TCP_FLAGS_DISPOSITION=DROP
 
+################################################################################
+#			P A C K E T  M A R K  L A Y O U T
+################################################################################
+
+TC_BITS=
+
+PROVIDER_BITS=
+
+PROVIDER_OFFSET=
+
+MASK_BITS=
+
+ZONE_BITS=0
+
 ################################################################################
 #                            L E G A C Y  O P T I O N
 #                      D O  N O T  D E L E T E  O R  A L T E R

Shorewall/Samples/three-interfaces/rules

@@ -10,8 +10,8 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-rules"
-#############################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
+######################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED

Shorewall/Samples/three-interfaces/shorewall.conf

@@ -48,6 +48,8 @@ LOGLIMIT=
 
 MACLIST_LOG_LEVEL=info
 
+RELATED_LOG_LEVEL=
+
 SFILTER_LOG_LEVEL=info
 
 SMURF_LOG_LEVEL=info
@@ -145,8 +147,6 @@ FORWARD_CLEAR_MARK=
 
 IMPLICIT_CONTINUE=No
 
-HIGH_ROUTE_MARKS=No
-
 IP_FORWARDING=On
 
 KEEP_RT_TABLES=No
@@ -197,7 +197,7 @@ TRACK_PROVIDERS=Yes
 
 USE_DEFAULT_RT=No
 
-WIDE_TC_MARKS=Yes
+USE_PHYSICAL_NAMES=No
 
 ZONE2ZONE=2
 
@@ -209,12 +209,28 @@ BLACKLIST_DISPOSITION=DROP
 
 MACLIST_DISPOSITION=REJECT
 
+RELATED_DISPOSITION=ACCEPT
+
 SMURF_DISPOSITION=DROP
 
 SFILTER_DISPOSITION=DROP
 
 TCP_FLAGS_DISPOSITION=DROP
 
+################################################################################
+#			P A C K E T  M A R K  L A Y O U T
+################################################################################
+
+TC_BITS=
+
+PROVIDER_BITS=
+
+PROVIDER_OFFSET=
+
+MASK_BITS=
+
+ZONE_BITS=0
+
 ################################################################################
 #                            L E G A C Y  O P T I O N
 #                      D O  N O T  D E L E T E  O R  A L T E R

Shorewall/Samples/two-interfaces/rules

@@ -10,8 +10,8 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-rules"
-#############################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
+######################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED

Shorewall/Samples/two-interfaces/shorewall.conf

@@ -51,6 +51,8 @@ LOGLIMIT=
 
 MACLIST_LOG_LEVEL=info
 
+RELATED_LOG_LEVEL=
+
 SFILTER_LOG_LEVEL=info
 
 SMURF_LOG_LEVEL=info
@@ -148,8 +150,6 @@ FORWARD_CLEAR_MARK=
 
 IMPLICIT_CONTINUE=No
 
-HIGH_ROUTE_MARKS=No
-
 IP_FORWARDING=On
 
 KEEP_RT_TABLES=No
@@ -200,7 +200,7 @@ TRACK_PROVIDERS=Yes
 
 USE_DEFAULT_RT=No
 
-WIDE_TC_MARKS=Yes
+USE_PHYSICAL_NAMES=No
 
 ZONE2ZONE=2
 
@@ -212,12 +212,28 @@ BLACKLIST_DISPOSITION=DROP
 
 MACLIST_DISPOSITION=REJECT
 
+RELATED_DISPOSITION=ACCEPT
+
 SMURF_DISPOSITION=DROP
 
 SFILTER_DISPOSITION=DROP
 
 TCP_FLAGS_DISPOSITION=DROP
 
+################################################################################
+#			P A C K E T  M A R K  L A Y O U T
+################################################################################
+
+TC_BITS=
+
+PROVIDER_BITS=
+
+PROVIDER_OFFSET=
+
+MASK_BITS=
+
+ZONE_BITS=0
+
 ################################################################################
 #                            L E G A C Y  O P T I O N
 #                      D O  N O T  D E L E T E  O R  A L T E R

Shorewall/action.DropSmurfs

@@ -0,0 +1,85 @@
+#
+# Shorewall version 4 - Drop Smurfs Action
+#
+# /usr/share/shorewall/action.DropSmurfs
+#
+#   Accepts a single optional parameter:
+#
+#          -     = Do not Audit
+#          audit = Audit dropped packets.
+#
+#################################################################################
+FORMAT 2
+
+DEFAULTS -
+
+BEGIN PERL;
+use strict;
+use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6);
+use Shorewall::Chains;
+use Shorewall::Rules;
+
+my ( $audit ) = get_action_params( 1 );
+
+my $chainref        = get_action_chain;
+my ( $level, $tag ) = get_action_logging;
+my $target;
+
+if ( $level ne '-' || $audit ne '-' ) {
+    my $logchainref = ensure_filter_chain newlogchain( $chainref->{table} ), 0;
+
+    log_rule_limit( $level,
+		    $logchainref,
+		    $chainref->{name},
+		    'DROP',
+		    '',
+		    $tag,
+		    'add',
+		    '' );
+
+    if ( supplied $audit ) {
+	fatal_error "Invalid argument ($audit) to DropSmurfs" if $audit ne 'audit';
+	require_capability 'AUDIT_TARGET', q(Passing 'audit' to the DropSmurfs action), 's';
+	add_ijump( $logchainref, j => 'AUDIT --type DROP' );
+    } 
+	
+    add_ijump( $logchainref, j => 'DROP' );
+
+    $target = $logchainref;
+} else {
+    $target = 'DROP';
+}
+		    
+if ( have_capability( 'ADDRTYPE' ) ) {
+    if ( $family == F_IPV4 ) {
+	add_ijump $chainref , j => 'RETURN', s => '0.0.0.0';         ;
+    } else {
+	add_ijump $chainref , j => 'RETURN', s => '::';
+    }
+
+    add_ijump( $chainref, g => $target, addrtype => '--src-type BROADCAST' ) ;
+} else {
+    if ( $family == F_IPV4 ) {
+	add_commands $chainref, 'for address in $ALL_BCASTS; do';
+    } else {
+	add_commands $chainref, 'for address in $ALL_ACASTS; do';
+    }
+    
+    incr_cmd_level $chainref;
+    add_ijump( $chainref, g => $target, s => '$address' );
+    decr_cmd_level $chainref;
+    add_commands $chainref, 'done';
+}
+
+if ( $family == F_IPV4 ) {
+    add_ijump( $chainref, g => $target, s => '224.0.0.0/4' );
+} else {
+    add_ijump( $chainref, g => $target, s => IPv6_MULTICAST );
+}
+
+END PERL;
+
+
+    
+
+

Shorewall/action.TCPFlags

@@ -0,0 +1,63 @@
+#
+# Shorewall version 4 - Drop Smurfs Action
+#
+# /usr/share/shorewall/action.DropSmurfs
+#
+#   Accepts a single optional parameter:
+#
+#          -     = Do not Audit
+#          audit = Audit dropped packets.
+#
+#################################################################################
+FORMAT 2
+
+DEFAULTS DROP,-
+
+BEGIN PERL;
+use strict;
+use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6);
+use Shorewall::Chains;
+
+
+my ( $disposition, $audit ) = get_action_params( 2 );
+
+my $chainref        = get_action_chain;
+my ( $level, $tag ) = get_action_logging;
+
+fatal_error q(The first argument to 'TCPFlags' must be ACCEPT, REJECT, or DROP) unless $disposition =~ /^(ACCEPT|REJECT|DROP)$/; 
+
+if ( $level ne '-' || $audit ne '-' ) {
+    my $logchainref = ensure_filter_chain newlogchain( $chainref->{table} ), 0;
+
+    log_rule_limit( $level,
+		    $logchainref,
+		    $chainref->{name},
+		    $disposition,
+		    '',
+		    $tag,
+		    'add',
+		    '' ) if $level;
+
+    if ( supplied $audit ) {
+	fatal_error "Invalid argument ($audit) to TCPFlags" if $audit ne 'audit';
+	require_capability 'AUDIT_TARGET', q(Passing 'audit' to the TCPFlags action), 's';
+	add_ijump( $logchainref, j => 'AUDIT --type ' . lc $disposition );
+    } 
+
+    add_ijump( $logchainref, g => $disposition );
+
+    $disposition = $logchainref;
+}
+		    
+add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags ALL FIN,URG,PSH';
+add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags ALL NONE';
+add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags SYN,RST SYN,RST';
+add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags SYN,FIN SYN,FIN';
+add_ijump $chainref , g => $disposition, p => 'tcp --syn --sport 0';
+
+END PERL;
+
+
+    
+
+

Shorewall/actions.std

@@ -37,6 +37,8 @@ A_Drop 		    # Audited Default Action for DROP policy
 A_Reject	    # Audited Default action for REJECT policy
 Broadcast	    # Handles Broadcast/Multicast/Anycast
 Drop		    # Default Action for DROP policy
+DropSmurfs          # Drop smurf packets
 Invalid             # Handles packets in the INVALID conntrack state
 NotSyn              # Handles TCP packets which do not have SYN=1 and ACK=0
 Reject		    # Default Action for REJECT policy
+TCPFlags            # Handle bad flag combinations.

Shorewall/configfiles/blrules

@@ -0,0 +1,12 @@
+#
+# Shorewall version 4 - Blacklist Rules File
+#
+# For information about entries in this file, type "man shorewall-blrules"
+#
+# Please see http://shorewall.net/blacklisting_support.htm for additional
+# information.
+#
+###################################################################################################################################################################################################
+#ACTION		SOURCE			DEST			PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
+#									PORT	PORT(S)		DEST		LIMIT		GROUP
+

Shorewall/configfiles/netmap

@@ -6,5 +6,6 @@
 # See http://shorewall.net/netmap.html for an example and usage
 # information.
 #
-###############################################################################
-#TYPE	NET1			INTERFACE	NET2		NET3
+##############################################################################################
+#TYPE	NET1		INTERFACE	NET2		NET3		PROTO	DEST	SOURCE
+#										PORT(S)	PORT(S)

Shorewall/configfiles/notrack

@@ -4,5 +4,6 @@
 # For information about entries in this file, type "man shorewall-notrack"
 #
 #####################################################################################
-#SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/
-#					PORT(S)		PORT(S)	GROUP
+FORMAT 2
+#ACTION		SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/
+#							PORT(S)		PORT(S)	GROUP

Shorewall/configfiles/rtrules

@@ -1,8 +1,8 @@
 #
-# Shorewall version 4 - route_rules File
+# Shorewall version 4 - route rules File
 #
-# For information about entries in this file, type "man shorewall-route_rules"
+# For information about entries in this file, type "man shorewall-rtrules"
 #
 # For additional information, see http://www.shorewall.net/MultiISP.html
-##############################################################################
-#SOURCE			DEST			PROVIDER	PRIORITY
+####################################################################################
+#SOURCE			DEST			PROVIDER	PRIORITY	MASK

Shorewall/configfiles/rules

@@ -6,8 +6,8 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-rules.html
 #
-####################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS
+######################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED

Shorewall/configfiles/shorewall.conf

@@ -39,6 +39,8 @@ LOGLIMIT=
 
 MACLIST_LOG_LEVEL=info
 
+RELATED_LOG_LEVEL=
+
 SFILTER_LOG_LEVEL=info
 
 SMURF_LOG_LEVEL=info
@@ -136,8 +138,6 @@ FORWARD_CLEAR_MARK=
 
 IMPLICIT_CONTINUE=No
 
-HIGH_ROUTE_MARKS=No
-
 IP_FORWARDING=On
 
 KEEP_RT_TABLES=No
@@ -188,7 +188,7 @@ TRACK_PROVIDERS=No
 
 USE_DEFAULT_RT=No
 
-WIDE_TC_MARKS=No
+USE_PHYSICAL_NAMES=No
 
 ZONE2ZONE=2
 
@@ -200,12 +200,28 @@ BLACKLIST_DISPOSITION=DROP
 
 MACLIST_DISPOSITION=REJECT
 
+RELATED_DISPOSITION=ACCEPT
+
 SMURF_DISPOSITION=DROP
 
 SFILTER_DISPOSITION=DROP
 
 TCP_FLAGS_DISPOSITION=DROP
 
+################################################################################
+#			P A C K E T  M A R K  L A Y O U T
+################################################################################
+
+TC_BITS=
+
+PROVIDER_BITS=
+
+PROVIDER_OFFSET=
+
+MASK_BITS=
+
+ZONE_BITS=0
+
 ################################################################################
 #                            L E G A C Y  O P T I O N
 #                      D O  N O T  D E L E T E  O R  A L T E R

Shorewall/configfiles/tcrules

@@ -9,6 +9,7 @@
 #
 # See http://shorewall.net/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
-######################################################################################################################
-#MARK	SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS   CONNBYTES		HELPER
+######################################################################################################################################
+#MARK	SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS   CONNBYTES		HELPER    PROBABILITY
 #						PORT(S)	PORT(S)
+

Shorewall/default.debian

@@ -16,11 +16,20 @@ startup=0
 #    wait_interface=
 
 #
-# Startup options
+# Global start/restart/stop options
 #
-
 OPTIONS=""
 
+#
+# Start options
+#
+STARTOPTIONS=""
+
+#
+# Restart options
+#
+RESTARTOPTIONS=""
+
 #
 # Init Log -- if /dev/null, use the STARTUP_LOG defined in shorewall.conf
 #
@@ -30,7 +39,6 @@ INITLOG=/dev/null
 # Set this to 1 to cause '/etc/init.d/shorewall stop' to place the firewall in
 # a safe state rather than to open it
 #
-
 SAFESTOP=0
 
 # EOF

Shorewall/helpers

@@ -48,6 +48,7 @@ loadmodule nf_conntrack_netlink
 loadmodule nf_conntrack_pptp
 loadmodule nf_conntrack_proto_gre
 loadmodule nf_conntrack_proto_sctp
+loadmodule nf_conntrack_proto_udplite
 loadmodule nf_conntrack_sip         sip_direct_media=0
 loadmodule nf_conntrack_tftp
 loadmodule nf_conntrack_sane

Shorewall/init.debian.sh

@@ -86,7 +86,7 @@ wait_for_pppd () {
 shorewall_start () {
   echo -n "Starting \"Shorewall firewall\": "
   wait_for_pppd
-  $SRWL $SRWL_OPTS start >> $INITLOG 2>&1 && echo "done." || echo_notdone
+  $SRWL $SRWL_OPTS start $STARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
 }
 
@@ -104,7 +104,7 @@ shorewall_stop () {
 # restart the firewall
 shorewall_restart () {
   echo -n "Restarting \"Shorewall firewall\": "
-  $SRWL $SRWL_OPTS restart >> $INITLOG 2>&1 && echo "done." || echo_notdone
+  $SRWL $SRWL_OPTS restart $RESTARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
 }
 
@@ -115,6 +115,11 @@ shorewall_refresh () {
   return 0
 }
 
+# status of the firewall
+shorewall_status () {
+  $SRWL $SRWL_OPTS status && exit 0 || exit $?
+}
+
 case "$1" in
   start)
      shorewall_start
@@ -128,8 +133,11 @@ case "$1" in
   force-reload|restart)
      shorewall_restart
      ;;
+  status)
+     shorewall_status
+     ;;
   *)
-     echo "Usage: /etc/init.d/shorewall {start|stop|refresh|restart|force-reload}"
+     echo "Usage: /etc/init.d/shorewall {start|stop|refresh|restart|force-reload|status}"
      exit 1
 esac
 

Shorewall/init.sh

@@ -74,17 +74,17 @@ export SHOREWALL_INIT_SCRIPT=1
 # E X E C U T I O N    B E G I N S   H E R E				       #
 ################################################################################
 command="$1"
+shift
 
 case "$command" in
-    start|restart|stop)
-	exec /sbin/shorewall $OPTIONS $@
+    start)
+	exec /sbin/shorewall $OPTIONS start $STARTOPTIONS $@
 	;;
-    stop|restart|status)
-	exec /sbin/shorewall $@
+    restart|reload)
+	exec /sbin/shorewall $OPTIONS restart $RESTARTOPTIONS $@
 	;;
-    reload)
-	shift
-	exec /sbin/shorewall $OPTIONS restart $@
+    status|stop)
+	exec /sbin/shorewall $OPTIONS $command $@
 	;;
     *)
 	usage

Shorewall/lib.core

@@ -0,0 +1,618 @@
+#
+# Shorewall 4.5 -- /usr/share/shorewall/lib.core.
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2010-2012 - Tom Eastep (teastep@shorewall.net)
+#
+#	Complete documentation is available at http://shorewall.net
+#
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of Version 2 of the GNU General Public License
+#	as published by the Free Software Foundation.
+#
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, write to the Free Software
+#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# The purpose of this library is to hold those functions used by the generated
+# scripts (both IPv4 and IPv6 -- the functions that are specific to one or the other
+# are found in prog.header and prog.header6).
+#
+#########################################################################################
+#
+# Conditionally produce message
+#
+progress_message() # $* = Message
+{
+    local timestamp
+    timestamp=
+
+    if [ $VERBOSITY -gt 1 ]; then
+	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
+	echo "${timestamp}$@"
+    fi
+
+    if [ $LOG_VERBOSITY -gt 1 ]; then
+        timestamp="$(date +'%b %_d %T') "
+        echo "${timestamp}$@" >> $STARTUP_LOG
+    fi
+}
+
+progress_message2() # $* = Message
+{
+    local timestamp
+    timestamp=
+
+    if [ $VERBOSITY -gt 0 ]; then
+	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
+	echo "${timestamp}$@"
+    fi
+
+    if [ $LOG_VERBOSITY -gt 0 ]; then
+        timestamp="$(date +'%b %_d %T') "
+        echo "${timestamp}$@" >> $STARTUP_LOG
+    fi
+}
+
+progress_message3() # $* = Message
+{
+    local timestamp
+    timestamp=
+
+    if [ $VERBOSITY -ge 0 ]; then
+	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
+	echo "${timestamp}$@"
+    fi
+
+    if [ $LOG_VERBOSITY -ge 0 ]; then
+        timestamp="$(date +'%b %_d %T') "
+        echo "${timestamp}$@" >> $STARTUP_LOG
+    fi
+}
+
+#
+# Set a standard chain's policy
+#
+setpolicy() # $1 = name of chain, $2 = policy
+{
+    run_iptables -P $1 $2
+}
+
+#
+# Generate a list of all network interfaces on the system
+#
+find_all_interfaces() {
+    ${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
+}
+
+#
+# Generate a list of all network interfaces on the system that have an ipvX address
+#
+find_all_interfaces1() {
+    ${IP:-ip} -$g_family addr list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
+}
+
+#
+# Find the value 'dev' in the passed arguments then echo the next value
+#
+
+find_device() {
+    while [ $# -gt 1 ]; do
+	[ "x$1" = xdev ] && echo $2 && return
+	shift
+    done
+}
+
+#
+# Find the value 'via' in the passed arguments then echo the next value
+#
+
+find_gateway() {
+    while [ $# -gt 1 ]; do
+	[ "x$1" = xvia ] && echo $2 && return
+	shift
+    done
+}
+
+#
+# Find the value 'mtu' in the passed arguments then echo the next value
+#
+
+find_mtu() {
+    while [ $# -gt 1 ]; do
+	[ "x$1" = xmtu ] && echo $2 && return
+	shift
+    done
+}
+
+#
+# Find the value 'peer' in the passed arguments then echo the next value up to
+# "/"
+#
+
+find_peer() {
+    while [ $# -gt 1 ]; do
+	[ "x$1" = xpeer ] && echo ${2%/*} && return
+	shift
+    done
+}
+
+#
+# Try to find the gateway through an interface looking for 'nexthop'
+
+find_nexthop() # $1 = interface
+{
+    echo $(find_gateway `$IP -$g_family route list | grep "[[:space:]]nexthop.* $1"`)
+}
+
+#
+# Find the default route's interface
+#
+find_default_interface() {
+    $IP -$g_family route list | while read first rest; do
+	[ "$first" = default ] && echo $(find_device $rest) && return
+    done
+}
+
+#
+# Determine if Interface is up
+#
+interface_is_up() {
+    [ -n "$($IP -$g_family link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ]
+}
+
+#
+# Determine if interface is usable from a Netfilter perspective
+#
+interface_is_usable() # $1 = interface
+{
+    [ "$1" = lo ] && return 0
+    interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ] && run_isusable_exit $1
+}
+
+#
+# Find interface addresses--returns the set of addresses assigned to the passed
+# device
+#
+find_interface_addresses() # $1 = interface
+{
+    if [ $g_family -eq 4 ]; then
+	$IP -f inet addr show $1 2> /dev/null | grep inet\  | sed 's/\s*inet //;s/\/.*//;s/ peer.*//'
+    else
+	$IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2' | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//'
+    fi
+}
+
+#
+#  echo the list of networks routed out of a given interface
+#
+get_routed_networks() # $1 = interface name, $2-n = Fatal error message
+{
+    local address
+    local rest
+    local mask
+
+    [ $g_family -eq 4 ] && mask=32 || mask=128
+    
+
+    $IP -$g_family route show dev $1 2> /dev/null |
+	while read address rest; do
+	    case "$address" in
+		default)
+		    if [ $# -gt 1 ]; then
+			shift
+			fatal_error "$@"
+		    else
+			echo "WARNING: default route ignored on interface $1" >&2
+		    fi
+		    ;;
+		multicast|broadcast|prohibit|nat|throw|nexthop)
+		    ;;
+		[2-3]*)
+		    [ "$address" = "${address%/*}" ] && address="${address}/${mask}"
+		    echo $address
+		    ;;
+		*)
+		    if [ $g_family -eq 4 ]; then
+			[ "$address" = "${address%/*}" ] && address="${address}/${mask}"
+			echo $address
+		    fi
+		    ;;
+	    esac
+        done
+}
+
+#
+# Clear the current traffic shaping configuration
+#
+
+delete_tc1()
+{
+    clear_one_tc() {
+        $TC qdisc del dev $1 root 2> /dev/null
+        $TC qdisc del dev $1 ingress 2> /dev/null
+
+    }
+
+    run_tcclear_exit
+
+    run_ip link list | \
+    while read inx interface details; do
+        case $inx in
+            [0-9]*)
+                clear_one_tc ${interface%:}
+                ;;
+            *)
+                ;;
+        esac
+    done
+}
+
+#
+# Detect a device's MTU -- echos the passed device's MTU
+#
+get_device_mtu() # $1 = device
+{
+    local output
+    output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash
+
+    if [ -n "$output" ]; then
+	echo $(find_mtu $output)
+    else
+	echo 1500
+    fi
+}
+
+#
+# Version of the above that doesn't generate any output for MTU 1500.
+# Generates 'mtu <mtu+>' otherwise, where <mtu+> is the device's MTU + 100
+#
+get_device_mtu1() # $1 = device
+{
+    local output
+    output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash
+    local mtu
+
+    if [ -n "$output" ]; then
+	mtu=$(find_mtu $output)
+	if [ -n "$mtu" ]; then
+	    [ $mtu = 1500 ] || echo mtu $(($mtu + 100))
+	fi
+    fi
+
+}
+
+#
+# Undo changes to routing
+#
+undo_routing() {
+    local undofiles
+    local f
+
+    if [ -z "$g_noroutes"  ]; then
+	#
+	# Restore rt_tables database
+	#
+	if [ -f ${VARDIR}/rt_tables ]; then
+	    [ -w /etc/iproute2/rt_table -a -z "$KEEP_RT_TABLES" ] && cp -f ${VARDIR}/rt_tables /etc/iproute2/ && progress_message "/etc/iproute2/rt_tables database restored"
+	    rm -f ${VARDIR}/rt_tables
+	fi
+	#
+	# Restore the rest of the routing table
+	#
+	undofiles="$(ls ${VARDIR}/undo_*routing 2> /dev/null)"
+
+	if [ -n "$undofiles" ]; then
+	    for f in $undofiles; do
+		. $f
+	    done
+
+	    rm -f $undofiles
+
+            progress_message "Shorewall-generated routing tables and routing rules removed"
+	fi
+    fi
+
+}
+
+#
+# Save the default route
+#
+save_default_route() {
+    awk \
+    'BEGIN        {defroute=0;};
+     /^default /  {defroute=1; print; next};
+     /nexthop/    {if (defroute == 1 ) {print ; next} };
+                  { defroute=0; };'
+}
+
+#
+# Restore the default route that was in place before the initial 'shorewall start'
+#
+replace_default_route() # $1 = USE_DEFAULT_RT
+{
+    #
+    # default_route and result are inherited from the caller
+    #
+    if [ -n "$default_route" ]; then
+	case "$default_route" in
+	    *metric*)
+	        #
+	        # Don't restore a default route with a metric unless USE_DEFAULT_RT=Yes. Otherwise, we only replace the one with metric 0
+	        #
+		[ -n "$1" ] && qt $IP -$g_family route replace $default_route && progress_message "Default Route (${default_route# }) restored"
+		default_route=
+		;;
+	    *)
+		qt $IP -$g_family route replace $default_route && progress_message "Default Route (${default_route# }) restored"
+		result=0
+		default_route=
+		;;
+	esac
+    fi
+}
+
+restore_default_route() # $1 = USE_DEFAULT_RT
+{
+    local result
+    result=1
+
+    if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then
+	local default_route
+	default_route=
+	local route
+
+	while read route ; do
+	    case $route in
+		default*)
+		    replace_default_route $1
+		    default_route="$default_route $route"
+		    ;;
+		*)
+		    default_route="$default_route $route"
+		    ;;
+	    esac
+	done < ${VARDIR}/default_route
+
+	replace_default_route $1
+	
+	if [ $result = 1 ]; then
+	    #
+	    # We didn't restore a default route with metric 0
+	    #
+	    if $IP -$g_family -o route list 2> /dev/null | fgrep default | fgrep -qv metric; then
+	       #
+	       # But we added a default route with metric 0
+	       #
+	       qt $IP -$g_family route del default metric 0 && progress_message "Default route with metric 0 deleted"
+	    fi
+	fi
+
+	rm -f ${VARDIR}/default_route
+    fi
+
+    return $result
+}
+
+#
+# Flush the conntrack table if $g_purge is non-empty
+#
+conditionally_flush_conntrack() {
+
+    if [ -n "$g_purge" ]; then
+	if [ -n $(mywhich conntrack) ]; then
+            conntrack -F
+	else
+            error_message "WARNING: The '-p' option requires the conntrack utility which does not appear to be installed on this system"
+	fi
+    fi
+}
+
+#
+# Issue a message and stop/restore the firewall.
+#
+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+
+    if [ $LOG_VERBOSITY -ge 0 ]; then
+        timestamp="$(date +'%_b %d %T') "
+        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
+    fi
+
+    stop_firewall
+    [ -n "$TEMPFILE" ] && rm -f $TEMPFILE
+    exit 2
+}
+
+#
+# Run iptables/ip6tables and if an error occurs, stop/restore the firewall
+#
+run_iptables()
+{
+    local status
+
+    while [ 1 ]; do
+	$g_tool $@
+	status=$?
+	[ $status -ne 4 ] && break
+    done
+
+    if [ $status -ne 0 ]; then
+        error_message "ERROR: Command \"$g_tool $@\" Failed"
+	stop_firewall
+        exit 2
+    fi
+}
+
+#
+# Run iptables/ip6tables retrying exit status 4
+#
+do_iptables()
+{
+    local status
+
+    while [ 1 ]; do
+	$g_tool $@
+	status=$?
+	[ $status -ne 4 ] && return $status;
+    done
+}
+
+#
+# Run ip and if an error occurs, stop/restore the firewall
+#
+run_ip()
+{
+    if ! $IP -$g_family $@; then
+	error_message "ERROR: Command \"$IP -$g_family $@\" Failed"
+	stop_firewall
+	exit 2
+    fi
+}
+
+#
+# Run tc and if an error occurs, stop/restore the firewall
+#
+run_tc() {
+    if ! $TC $@ ; then
+	error_message "ERROR: Command \"$TC $@\" Failed"
+	stop_firewall
+	exit 2
+    fi
+}
+
+#
+# Run the .iptables_restore_input as a set of discrete iptables commands
+#
+debug_restore_input() {
+    local first second rest table chain
+    #
+    # Clear the ruleset
+    #
+    qt1 $g_tool -t mangle -F
+    qt1 $g_tool -t mangle -X
+
+    for chain in PREROUTING INPUT FORWARD POSTROUTING; do
+	qt1 $g_tool -t mangle -P $chain ACCEPT
+    done
+
+    qt1 $g_tool -t raw    -F
+    qt1 $g_tool -t raw    -X
+
+    for chain in PREROUTING OUTPUT; do
+	qt1 $g_tool -t raw -P $chain ACCEPT
+    done
+
+    qt1 $g_tool -t filter -F
+    qt1 $g_tool -t filter -X
+
+    for chain in INPUT FORWARD OUTPUT; do
+	qt1 $g_tool -t filter -P $chain -P ACCEPT
+    done
+
+    while read first second rest; do
+	case $first in
+	    -*)
+		#
+		# We can't call run_iptables() here because the rules may contain quoted strings
+		#
+		eval $g_tool -t $table $first $second $rest
+
+		if [ $? -ne 0 ]; then
+		    error_message "ERROR: Command \"$g_tool $first $second $rest\" Failed"
+		    stop_firewall
+		    exit 2
+		fi
+		;;
+	    :*)
+		chain=${first#:}
+
+		if [ "x$second" = x- ]; then
+		    do_iptables -t $table -N $chain
+		else
+		    do_iptables -t $table -P $chain $second
+		fi
+
+		if [ $? -ne 0 ]; then
+		    error_message "ERROR: Command \"$g_tool $first $second $rest\" Failed"
+		    stop_firewall
+		    exit 2
+		fi
+		;;
+	    #
+	    # This grotesque hack with the table names works around a bug/feature with ash
+	    #
+	    '*'raw)
+		table=raw
+		;;
+	    '*'rawpost)
+		table=rawpost
+		;;
+	    '*'mangle)
+		table=mangle
+		;;
+	    '*'nat)
+		table=nat
+		;;
+	    '*'filter)
+		table=filter
+		;;
+	esac
+    done
+}
+
+interface_up() {
+    return $(cat ${VARDIR}/$1.status)
+}
+
+distribute_load() {
+    local interface
+    local totalload
+    local load
+    local maxload
+
+    maxload=$1
+    shift
+
+    totalload=0
+
+    for interface in $@; do
+	if interface_up $interface; then
+	    load=$(cat ${VARDIR}/${interface}_load)
+	    eval ${interface}_load=$load
+	    totalload=$( bc <<EOF
+scale=8
+$totalload + $load
+EOF
+)
+	fi
+    done
+
+    if [ $totalload ]; then
+	for interface in $@; do
+	    qt $g_tool -t mangle -F ~$interface
+	    eval load=\$${interface}_load
+	
+	    if [ -n "$load" ]; then
+		load=$(bc <<EOF
+scale=8
+( $load / $totalload ) * $maxload
+EOF
+)
+		totalload=$(bc <<EOF
+scale=8
+$totalload - $load
+EOF
+)
+		run_iptables -t mangle -A ~$interface -m statistic --mode random --probability $load
+	    fi
+	done
+    fi
+}

Shorewall/manpages/shorewall-accounting.xml

@@ -165,7 +165,9 @@
       </listitem>
     </itemizedlist>
 
-    <para>The columns in the file are as follows.</para>
+    <para>The columns in the file are as follows (where the column name is
+    followed by a different name in parentheses, the different name is used in
+    the alternate specification syntax):</para>
 
     <variablelist>
       <varlistentry>
@@ -343,7 +345,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">DESTINATION</emphasis> - {<emphasis
+        <term><emphasis role="bold">DESTINATION</emphasis> (dest) - {<emphasis
         role="bold">-</emphasis>|<emphasis
         role="bold">any</emphasis>|<emphasis
         role="bold">all</emphasis>|<emphasis>interface</emphasis>|<emphasis>interface</emphasis><emphasis
@@ -358,7 +360,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">PROTOCOL</emphasis> - {<emphasis
+        <term><emphasis role="bold">PROTOCOL (proto)</emphasis> - {<emphasis
         role="bold">-</emphasis>|<emphasis
         role="bold">any</emphasis>|<emphasis
         role="bold">all</emphasis>|<emphasis>protocol-name</emphasis>|<emphasis>protocol-number</emphasis>|<emphasis
@@ -377,8 +379,8 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">DEST PORT(S)</emphasis> - {<emphasis
-        role="bold">-</emphasis>|<emphasis
+        <term><emphasis role="bold">DEST PORT(S)</emphasis> (dport) -
+        {<emphasis role="bold">-</emphasis>|<emphasis
         role="bold">any</emphasis>|<emphasis
         role="bold">all</emphasis>|<emphasis>ipp2p-option</emphasis>|<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...}</term>
 
@@ -401,8 +403,8 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">SOURCE PORT(S)</emphasis> - {<emphasis
-        role="bold">-</emphasis>|<emphasis
+        <term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport)-
+        {<emphasis role="bold">-</emphasis>|<emphasis
         role="bold">any</emphasis>|<emphasis
         role="bold">all</emphasis>|<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...}</term>
 
@@ -418,7 +420,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">USER/GROUP</emphasis> - [<emphasis
+        <term><emphasis role="bold">USER/GROUP</emphasis> (user) - [<emphasis
         role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
         role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
         role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>
@@ -674,7 +676,7 @@
     the values <emphasis role="bold">-</emphasis>, <emphasis
     role="bold">any</emphasis> and <emphasis role="bold">all</emphasis> may be
     used as wildcards. Omitted trailing columns are also treated as
-    wildcards.</para>
+    wildcard.</para>
   </refsect1>
 
   <refsect1>
@@ -693,11 +695,14 @@
     <para><ulink
     url="http://shorewall.net/shorewall_logging.html">http://shorewall.net/shorewall_logging.html</ulink></para>
 
+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
     <para>shorewall(8), shorewall-actions(5), shorewall-blacklist(5),
     shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
     shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
     shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
     shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
     shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),

Shorewall/manpages/shorewall-actions.xml

@@ -51,7 +51,7 @@
     shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
     shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
     shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
     shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
     shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),

Shorewall/manpages/shorewall-blacklist.xml

@@ -26,12 +26,14 @@
     <para>The blacklist file is used to perform static blacklisting. You can
     blacklist by source address (IP or MAC), or by application.</para>
 
-    <para>The columns in the file are as follows.</para>
+    <para>The columns in the file are as follows (where the column name is
+    followed by a different name in parentheses, the different name is used in
+    the alternate specification syntax).</para>
 
     <variablelist>
       <varlistentry>
-        <term><emphasis role="bold">ADDRESS/SUBNET</emphasis> - {<emphasis
-        role="bold">-</emphasis>|<emphasis
+        <term><emphasis role="bold">ADDRESS/SUBNET</emphasis> (networks) -
+        {<emphasis role="bold">-</emphasis>|<emphasis
         role="bold">~</emphasis><emphasis>mac-address</emphasis>|<emphasis>ip-address</emphasis>|<emphasis>address-range</emphasis>|<emphasis
         role="bold">+</emphasis><emphasis>ipset</emphasis>}</term>
 
@@ -55,34 +57,32 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">PROTOCOL</emphasis> (Optional) -
-        {<emphasis
+        <term><emphasis role="bold">PROTOCOL</emphasis> (proto) - {<emphasis
         role="bold">-</emphasis>|[!]<emphasis>protocol-number</emphasis>|[!]<emphasis>protocol-name</emphasis>}</term>
 
         <listitem>
-          <para>If specified, must be a protocol number or a protocol name
-          from protocols(5).</para>
+          <para>Optional - If specified, must be a protocol number or a
+          protocol name from protocols(5).</para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">PORTS</emphasis> (Optional) - {<emphasis
+        <term><emphasis role="bold">PORTS</emphasis> - {<emphasis
         role="bold">-</emphasis>|[!]<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...}</term>
 
         <listitem>
-          <para>May only be specified if the protocol is TCP (6) or UDP (17).
-          A comma-separated list of destination port numbers or service names
-          from services(5).</para>
+          <para>Optional - may only be specified if the protocol is TCP (6) or
+          UDP (17). A comma-separated list of destination port numbers or
+          service names from services(5).</para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
-        <term>OPTIONS (Optional - Added in 4.4.12) -
-        {-|{dst|src|whitelist|audit}[,...]}</term>
+        <term>OPTIONS - {-|{dst|src|whitelist|audit}[,...]}</term>
 
         <listitem>
-          <para>If specified, indicates whether traffic
-          <emphasis>from</emphasis> ADDRESS/SUBNET (<emphasis
+          <para>Optional - added in 4.4.12. If specified, indicates whether
+          traffic <emphasis>from</emphasis> ADDRESS/SUBNET (<emphasis
           role="bold">src</emphasis>) or traffic <emphasis>to</emphasis>
           ADDRESS/SUBNET (<emphasis role="bold">dst</emphasis>) should be
           blacklisted. The default is <emphasis role="bold">src</emphasis>. If
@@ -182,11 +182,14 @@
     <para><ulink
     url="http://shorewall.net/blacklisting_support.htm">http://shorewall.net/blacklisting_support.htm</ulink></para>
 
+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
     shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
     shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
     shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
     shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
     shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),

Shorewall/manpages/shorewall-blrules.xml

@@ -0,0 +1,301 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<refentry>
+  <refmeta>
+    <refentrytitle>shorewall-blrules</refentrytitle>
+
+    <manvolnum>5</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>blrules</refname>
+
+    <refpurpose>shorewall Blacklist file</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>/etc/shorewall/blrules</command>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>Description</title>
+
+    <para>This file is used to perform blacklisting and whitelisting.</para>
+
+    <para>Rules in this file are applied depending on the setting of
+    BLACKLISTNEWONLY in <ulink
+    url="shorewall.conf.html">shorewall.conf</ulink>(5). If
+    BLACKLISTNEWONLY=No, then they are applied regardless of the connection
+    tracking state of the packet. If BLACKLISTNEWONLY=Yes, they are applied to
+    connections in the NEW and INVALID states.</para>
+
+    <para>The format of rules in this file is the same as the format of rules
+    in <ulink url="shorewall-rules.html">shorewall-rules (5)</ulink>. The
+    differece in the two files lies in the ACTION (first) column.</para>
+
+    <variablelist>
+      <varlistentry>
+        <term><emphasis role="bold">ACTION- {<emphasis
+        role="bold">ACCEPT</emphasis>|CONTINUE|DROP|A_DROP|REJECT|A_REJECT|<emphasis
+        role="bold">WHITELIES</emphasis>|<emphasis
+        role="bold">LOG</emphasis>|<emphasis
+        role="bold">QUEUE</emphasis>|<emphasis
+        role="bold">NFQUEUE</emphasis>[<emphasis
+        role="bold">(</emphasis><emphasis>queuenumber</emphasis><emphasis
+        role="bold">)</emphasis>]<emphasis
+        role="bold">|COMMENT</emphasis>|<emphasis>action</emphasis>|<emphasis>macro</emphasis>[<emphasis
+        role="bold">(</emphasis><emphasis>target</emphasis><emphasis
+        role="bold">)</emphasis>]}<emphasis
+        role="bold">[:</emphasis>{<emphasis>log-level</emphasis>|<emphasis
+        role="bold">none</emphasis>}[<emphasis role="bold"><emphasis
+        role="bold">!</emphasis></emphasis>][<emphasis
+        role="bold">:</emphasis><emphasis>tag</emphasis>]]</emphasis></term>
+
+        <listitem>
+          <para>Specifies the action to be taken if the packet matches the
+          rule. Must be one of the following.</para>
+
+          <variablelist>
+            <varlistentry>
+              <term>blacklog</term>
+
+              <listitem>
+                <para>May only be used if BLACKLIST_LOGLEVEL is specified in
+                <ulink url="shorewall.conf.html">shorewall.conf </ulink>(5).
+                Logs, audits (if specified) and applies the
+                BLACKLIST_DISPOSITION specified in <ulink
+                url="shorewall.conf.html">shorewall.conf</ulink> (5).</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">ACCEPT|CONTINUE|WHITELIST</emphasis></term>
+
+              <listitem>
+                <para>Exempt the packet from the remaining rules in this
+                file.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">DROP</emphasis></term>
+
+              <listitem>
+                <para>Ignore the packet.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>A_DROP and A_DROP!</term>
+
+              <listitem>
+                <para>Audited versions of DROP. Requires AUDIT_TARGET support
+                in the kernel and ip6tables.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">REJECT</emphasis></term>
+
+              <listitem>
+                <para>disallow the packet and return an icmp-unreachable or an
+                RST packet.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>A_REJECT</term>
+
+              <listitem>
+                <para>Audited versions of REJECT. Require AUDIT_TARGET support
+                in the kernel and ip6tables.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">LOG</emphasis></term>
+
+              <listitem>
+                <para>Simply log the packet and continue with the next
+                rule.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">QUEUE</emphasis></term>
+
+              <listitem>
+                <para>Queue the packet to a user-space application such as
+                ftwall (http://p2pwall.sf.net). The application may reinsert
+                the packet for further processing.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)]</term>
+
+              <listitem>
+                <para>queues matching packets to a backend logging daemon via
+                a netlink socket then continues to the next rule. See <ulink
+                url="http://www.shorewall.net/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">NFQUEUE</emphasis></term>
+
+              <listitem>
+                <para>Queues the packet to a user-space application using the
+                nfnetlink_queue mechanism. If a
+                <replaceable>queuenumber</replaceable> is not specified, queue
+                zero (0) is assumed.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">COMMENT</emphasis></term>
+
+              <listitem>
+                <para>the rest of the line will be attached as a comment to
+                the Netfilter rule(s) generated by the following entries. The
+                comment will appear delimited by "/* ... */" in the output of
+                "shorewall show &lt;chain&gt;". To stop the comment from being
+                attached to further rules, simply include COMMENT on a line by
+                itself.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis>action</emphasis></term>
+
+              <listitem>
+                <para>The name of an <emphasis>action</emphasis> declared in
+                <ulink
+                url="shorewall-actions.html">shorewall-actions</ulink>(5) or
+                in /usr/share/shorewall/actions.std.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis>macro</emphasis></term>
+
+              <listitem>
+                <para>The name of a macro defined in a file named
+                macro.<emphasis>macro</emphasis>. If the macro accepts an
+                action parameter (Look at the macro source to see if it has
+                PARAM in the TARGET column) then the
+                <emphasis>macro</emphasis> name is followed by the
+                parenthesized <emphasis>target</emphasis> (<emphasis
+                role="bold">ACCEPT</emphasis>, <emphasis
+                role="bold">DROP</emphasis>, <emphasis
+                role="bold">REJECT</emphasis>, ...) to be substituted for the
+                parameter.</para>
+
+                <para>Example: FTP(ACCEPT).</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+
+          <para>The <emphasis role="bold">ACTION</emphasis> may optionally be
+          followed by ":" and a syslog log level (e.g, REJECT:info or
+          Web(ACCEPT):debug). This causes the packet to be logged at the
+          specified level.</para>
+
+          <para>If the <emphasis role="bold">ACTION</emphasis> names an
+          <emphasis>action</emphasis> declared in <ulink
+          url="shorewall-actions.html">shorewall-actions</ulink>(5) or in
+          /usr/share/shorewall/actions.std then:</para>
+
+          <itemizedlist>
+            <listitem>
+              <para>If the log level is followed by "!' then all rules in the
+              action are logged at the log level.</para>
+            </listitem>
+
+            <listitem>
+              <para>If the log level is not followed by "!" then only those
+              rules in the action that do not specify logging are logged at
+              the specified level.</para>
+            </listitem>
+
+            <listitem>
+              <para>The special log level <emphasis
+              role="bold">none!</emphasis> suppresses logging by the
+              action.</para>
+            </listitem>
+          </itemizedlist>
+
+          <para>You may also specify <emphasis role="bold">NFLOG</emphasis>
+          (must be in upper case) as a log level.This will log to the NFLOG
+          target for routing to a separate log through use of ulogd (<ulink
+          url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>).</para>
+
+          <para>Actions specifying logging may be followed by a log tag (a
+          string of alphanumeric characters) which is appended to the string
+          generated by the LOGPREFIX (in <ulink
+          url="shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+
+    <para>For the remaining columns, see <ulink
+    url="shorewall-rules.html">shorewall-rules (5)</ulink>.</para>
+  </refsect1>
+
+  <refsect1>
+    <title>Example</title>
+
+    <variablelist>
+      <varlistentry>
+        <term>Example 1:</term>
+
+        <listitem>
+          <para>Drop Teredo packets from the net.</para>
+
+          <programlisting>DROP          net:[2001::/32]            all</programlisting>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>Example 2:</term>
+
+        <listitem>
+          <para>Don't subject packets from 2001:DB8::/64 to the remaining
+          rules in the file.</para>
+
+          <programlisting>WHITELIST     net:[2001:DB8::/64]        all</programlisting>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1>
+    <title>FILES</title>
+
+    <para>/etc/shorewall/blrules</para>
+  </refsect1>
+
+  <refsect1>
+    <title>See ALSO</title>
+
+    <para><ulink
+    url="http://shorewall.net/blacklisting_support.htm">http://shorewall.net/blacklisting_support.htm</ulink></para>
+
+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-hosts(5), shorewall-interfaces(5), shorewall-maclist(5),
+    shoewall6-netmap(5),shorewall-params(5), shorewall-policy(5),
+    shorewall-providers(5), shorewall-rtrules(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-zones(5)</para>
+  </refsect1>
+</refentry>

Shorewall/manpages/shorewall-ecn.xml

@@ -67,7 +67,7 @@
     shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
     shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
     shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
     shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
     shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>

Shorewall/manpages/shorewall-exclusion.xml

@@ -180,7 +180,7 @@ ACCEPT          all!z2        net         tcp           22</programlisting>
     shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
     shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
     shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
-    shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
     shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
     shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
     shorewall-tunnels(5), shorewall-zones(5)</para>

Shorewall/manpages/shorewall-hosts.xml

@@ -148,16 +148,6 @@
               <term><emphasis role="bold">blacklist</emphasis></term>
 
               <listitem>
-                <para>This option only makes sense for ports on a bridge. As
-                of Shoreawall 4.4.13, the option is no longer supported and is
-                ignored with a warning:</para>
-
-                <blockquote>
-                  <para><emphasis role="bold">WARNING: The "blacklist" host
-                  option is no longer supported and will be
-                  ignored.</emphasis></para>
-                </blockquote>
-
                 <para>Check packets arriving on this port against the <ulink
                 url="shorewall-blacklist.html">shorewall-blacklist</ulink>(5)
                 file.</para>
@@ -271,12 +261,15 @@ vpn         ppp+:192.168.3.0/24</programlisting></para>
   <refsect1>
     <title>See ALSO</title>
 
+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
     shorewall-blacklist(5), shorewall_interfaces(5), shorewall-ipsets(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
     shorewall-nesting(5), shorewall-netmap(5), shorewall-params(5),
     shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
-    shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
     shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
     shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
     shorewall-tunnels(5), shorewall-zones(5)</para>

Shorewall/manpages/shorewall-init.xml

@@ -166,7 +166,7 @@
     shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
     shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
     shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
     shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
     shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>

Shorewall/manpages/shorewall-interfaces.xml

@@ -228,9 +228,9 @@ loc     eth2            -</programlisting>
               <term><emphasis role="bold">blacklist</emphasis></term>
 
               <listitem>
-                <para>Check packets arriving on this interface against the
+                <para>Checks packets arriving on this interface against the
                 <ulink
-                url="shorewall6-blacklist.html">shorewall6-blacklist</ulink>(5)
+                url="shorewall-blacklist.html">shorewall-blacklist</ulink>(5)
                 file.</para>
 
                 <para>Beginning with Shorewall 4.4.13:</para>
@@ -312,6 +312,17 @@ loc     eth2            -</programlisting>
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><emphasis role="bold">ignore</emphasis></term>
+
+              <listitem>
+                <para>When specified, causes the generated script to ignore
+                up/down events from Shorewall-init for this device.
+                Additionally, the option exempts the interface from hairpin
+                filtering.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis
               role="bold">logmartians[={0|1}]</emphasis></term>
@@ -754,11 +765,14 @@ net     ppp0      -</programlisting>
   <refsect1>
     <title>See ALSO</title>
 
+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
     shorewall-blacklist(5), shorewall-hosts(5), shorewall-maclist(5),
     shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
     shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
-    shorewall-proxyarp(5), shorewall-route_rules(5),
+    shorewall-proxyarp(5), shorewall-rtrules(5),
     shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
     shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
     shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),

Shorewall/manpages/shorewall-ipsets.xml

@@ -120,7 +120,7 @@
     shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
     shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
     shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
     shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
     shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),