Fix formatting error

Samples/one-interface/interfaces

@@ -10,6 +10,10 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-interfaces"
+#
+# For additional information, see
+# http://shorewall.net/Documentation.htm#Interfaces
+#
 ###############################################################################
 #ZONE	INTERFACE	BROADCAST	OPTIONS
 net     eth0            detect          dhcp,tcpflags,logmartians,nosmurfs

Samples/one-interface/policy

@@ -10,6 +10,9 @@
 # See the file README.txt for further details.
 #-----------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-policy"
+#
+# See http://shorewall.net/Documentation.htm#Policy for additional information.
+#
 ###############################################################################
 #SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
 $FW		net		ACCEPT

Samples/one-interface/rules

@@ -10,6 +10,9 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall-rules"
+#
+# For more information, see http://www.shorewall.net/Documentation.htm#Zones
+#
 #############################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
 #							PORT	PORT(S)		DEST		LIMIT		GROUP

Samples/one-interface/shorewall.conf

@@ -193,8 +193,6 @@ WIDE_TC_MARKS=Yes
 
 TRACK_PROVIDERS=Yes
 
-ZONE2ZONE=2
-
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples/one-interface/zones

@@ -10,6 +10,9 @@
 # See the file README.txt for further details.
 #-----------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-zones"
+#
+# For more information, see http://www.shorewall.net/Documentation.htm#Zones
+#
 ###############################################################################
 #ZONE	TYPE	OPTIONS			IN			OUT
 #					OPTIONS			OPTIONS

Samples/three-interfaces/interfaces

@@ -10,6 +10,10 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-interfaces"
+#
+# For additional information, see
+# http://shorewall.net/Documentation.htm#Interfaces
+#
 ###############################################################################
 #ZONE	INTERFACE	BROADCAST	OPTIONS
 net     eth0            detect          tcpflags,dhcp,nosmurfs,routefilter,logmartians

Samples/three-interfaces/masq

@@ -10,6 +10,9 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-masq"
+#
+# For additional information, see http://shorewall.net/Documentation.htm#Masq
+#
 ##############################################################################
 #INTERFACE		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK
 eth0			10.0.0.0/8,\

Samples/three-interfaces/policy

@@ -10,6 +10,9 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-policy"
+#
+# See http://shorewall.net/Documentation.htm#Policy for additional information.
+#
 ###############################################################################
 #SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
 

Samples/three-interfaces/routestopped

@@ -10,6 +10,11 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-routestopped"
+#
+# See http://shorewall.net/Documentation.htm#Routestopped and
+# http://shorewall.net/starting_and_stopping_shorewall.htm for additional
+# information.
+#
 ##############################################################################
 #INTERFACE	HOST(S)
 eth1		-

Samples/three-interfaces/rules

@@ -10,6 +10,9 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-rules"
+#
+# For additional information, see http://shorewall.net/Documentation.htm#Rules
+#
 #############################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
 #							PORT	PORT(S)		DEST		LIMIT		GROUP

Samples/three-interfaces/shorewall.conf

@@ -193,8 +193,6 @@ WIDE_TC_MARKS=Yes
 
 TRACK_PROVIDERS=Yes
 
-ZONE2ZONE=2
-
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples/three-interfaces/zones

@@ -10,6 +10,9 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-zones"
+#
+# For more information, see http://www.shorewall.net/Documentation.htm#Zones
+#
 ###############################################################################
 #ZONE	TYPE	OPTIONS			IN			OUT
 #					OPTIONS			OPTIONS

Samples/two-interfaces/interfaces

@@ -10,6 +10,10 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-interfaces"
+#
+# For additional information, see
+# http://shorewall.net/Documentation.htm#Interfaces
+#
 ###############################################################################
 #ZONE	INTERFACE	BROADCAST	OPTIONS
 net     eth0            detect          dhcp,tcpflags,nosmurfs,routefilter,logmartians

Samples/two-interfaces/masq

@@ -10,6 +10,9 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-masq"
+#
+# For additional information, see http://shorewall.net/Documentation.htm#Masq
+#
 ###############################################################################
 #INTERFACE		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK
 eth0			10.0.0.0/8,\

Samples/two-interfaces/policy

@@ -10,6 +10,9 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-policy"
+#
+# See http://shorewall.net/Documentation.htm#Policy for additional information.
+#
 ###############################################################################
 #SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
 

Samples/two-interfaces/routestopped

@@ -10,6 +10,11 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-routestopped"
+#
+# See http://shorewall.net/Documentation.htm#Routestopped and
+# http://shorewall.net/starting_and_stopping_shorewall.htm for additional
+# information.
+#
 ##############################################################################
 #INTERFACE	HOST(S)                  OPTIONS
 eth1		-

Samples/two-interfaces/rules

@@ -10,6 +10,9 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-rules"
+#
+# For more information, see http://www.shorewall.net/Documentation.htm#Rules
+#
 #############################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
 #							PORT	PORT(S)		DEST		LIMIT		GROUP

Samples/two-interfaces/shorewall.conf

@@ -200,8 +200,6 @@ WIDE_TC_MARKS=Yes
 
 TRACK_PROVIDERS=Yes
 
-ZONE2ZONE=2
-
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples/two-interfaces/zones

@@ -10,6 +10,9 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-zones"
+#
+# For more information, see http://www.shorewall.net/Documentation.htm#Zones
+#
 ###############################################################################
 #ZONE	TYPE	OPTIONS			IN			OUT
 #					OPTIONS			OPTIONS

Samples6/one-interface/shorewall6.conf

@@ -141,8 +141,6 @@ WIDE_TC_MARKS=Yes
 
 TRACK_PROVIDERS=Yes
 
-ZONE2ZONE=2
-
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples6/three-interfaces/shorewall6.conf

@@ -141,8 +141,6 @@ WIDE_TC_MARKS=Yes
 
 TRACK_PROVIDERS=Yes
 
-ZONE2ZONE=2
-
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples6/two-interfaces/shorewall6.conf

@@ -141,8 +141,6 @@ WIDE_TC_MARKS=Yes
 
 TRACK_PROVIDERS=Yes
 
-ZONE2ZONE=2
-
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Shorewall-lite/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=4.4.4.1
+VERSION=4.4.3.1
 
 usage() # $1 = exit status
 {

Shorewall-lite/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.4.1
+VERSION=4.4.3.1
 
 usage() # $1 = exit status
 {
@@ -220,11 +220,6 @@ mkdir -p ${PREFIX}/var/lib/shorewall-lite
 chmod 755 ${PREFIX}/etc/shorewall-lite
 chmod 755 ${PREFIX}/usr/share/shorewall-lite
 
-if [ -n "$PREFIX" ]; then
-    mkdir -p ${PREFIX}/etc/logrotate.d
-    chmod 755 ${PREFIX}/etc/logrotate.d
-fi
-
 #
 # Install the config file
 #
@@ -309,12 +304,6 @@ cd ..
 
 echo "Man Pages Installed"
 
-if [ -d ${PREFIX}/etc/logrotate.d ]; then
-    run_install $OWNERSHIP -m 0644 logrotate ${PREFIX}/etc/logrotate.d/shorewall-lite
-    echo "Logrotate file installed as ${PREFIX}/etc/logrotate.d/shorewall-lite"
-fi
-
-
 #
 # Create the version file
 #

Shorewall-lite/logrotate

@@ -1,5 +0,0 @@
-/var/log/shorewall-init.log {
-  missingok
-  notifempty
-  create 0600 root root
-}

Shorewall-lite/shorewall-lite.spec

@@ -1,5 +1,5 @@
 %define name shorewall-lite
-%define version 4.4.4
+%define version 4.4.3
 %define release 1
 
 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
@@ -79,8 +79,6 @@ fi
 %attr(0755,root,root) %dir /usr/share/shorewall-lite
 %attr(0700,root,root) %dir /var/lib/shorewall-lite
 
-%attr(0644,root,root) /etc/logrotate.d/shorewall-lite
-
 %attr(0755,root,root) /sbin/shorewall-lite
 
 %attr(0644,root,root) /usr/share/shorewall-lite/version
@@ -100,15 +98,9 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
-* Sat Nov 21 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.4-1
-* Fri Nov 13 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.4-0base
-* Fri Nov 13 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.4-0Beta2
-* Wed Nov 11 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.4-0Beta1
-* Tue Nov 03 2009 Tom Eastep tom@shorewall.net
+* Sun Nov 01 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.3-1
+* Fri Oct 02 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.3-0base
 * Sun Sep 06 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.2-0base

Shorewall-lite/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.4.1
+VERSION=4.4.3.1
 
 usage() # $1 = exit status
 {

Shorewall/Perl/Shorewall/Chains.pm

@@ -85,7 +85,6 @@ our %EXPORT_TAGS = (
 				       decr_cmd_level
 				       chain_base
 				       forward_chain
-				       rules_chain
 				       zone_forward_chain
 				       use_forward_chain
 				       input_chain
@@ -147,7 +146,6 @@ our %EXPORT_TAGS = (
 				       addnatjump
 				       set_chain_variables
 				       mark_firewall_not_started
-				       mark_firewall6_not_started
 				       get_interface_address
 				       get_interface_addresses
 				       get_interface_bcasts
@@ -167,7 +165,7 @@ our %EXPORT_TAGS = (
 
 Exporter::export_ok_tags('internal');
 
-our $VERSION = '4.4_4';
+our $VERSION = '4.4_2';
 
 #
 # Chain Table
@@ -249,7 +247,6 @@ our $iprangematch;
 our $chainseq;
 our $idiotcount;
 our $idiotcount1;
-our $warningcount;
 
 our $global_variables;
 
@@ -360,7 +357,6 @@ sub initialize( $ ) {
     $global_variables   = 0;
     $idiotcount         = 0;
     $idiotcount1        = 0;
-    $warningcount       = 0;
 
 }
 
@@ -372,7 +368,7 @@ sub process_comment() {
 	( $comment = $currentline ) =~ s/^\s*COMMENT\s*//;
 	$comment =~ s/\s*$//;
     } else {
-	warning_message "COMMENTs ignored -- require comment support in iptables/Netfilter" unless $warningcount++;
+	warning_message "COMMENT ignored -- requires comment support in iptables/Netfilter";
     }
 }
 
@@ -643,15 +639,16 @@ sub move_rules( $$ ) {
     my ($chain1, $chain2 ) = @_;
 
     if ( $chain1->{referenced} ) {
+	my @rules = @{$chain1->{rules}};
 	my $name  = $chain1->{name};
 	#
 	# We allow '+' in chain names and '+' is an RE meta-character. Escape it.
 	#
 	$name =~ s/\+/\\+/;
 
-	( s/\-([AI]) $name /-$1 $chain2->{name} / ) for @{$chain1->{rules}};
+	( s/\-([AI]) $name /-$1 $chain2->{name} / ) for @rules;
 
-	splice @{$chain2->{rules}}, 0, 0, @{$chain1->{rules}};
+	splice @{$chain2->{rules}}, 0, 0, @rules;
 
 	$chain2->{referenced} = 1;
 	$chain1->{referenced} = 0;
@@ -671,13 +668,6 @@ sub chain_base($) {
     $chain;
 }
 
-#
-# Name of canonical chain
-#
-sub rules_chain ($$) {
-    join "$config{ZONE2ZONE}", @_;
-}
-
 #
 # Forward Chain for an interface
 #
@@ -767,7 +757,7 @@ sub use_input_chain($) {
     #
     # Use the '<zone>2fw' chain if it is referenced.
     #
-    $chainref = $filter_table->{rules_chain( $zone, firewall_zone )};
+    $chainref = $filter_table->{join( '' , $zone , '2' , firewall_zone )};
 
     ! ( $chainref->{referenced} || $chainref->{is_policy} )
 }
@@ -811,7 +801,7 @@ sub use_output_chain($) {
     #
     # Use the 'fw2<zone>' chain if it is referenced.
     #
-    $chainref = $filter_table->{rules_chain( firewall_zone , $interfaceref->{zone} )};
+    $chainref = $filter_table->{join( '', firewall_zone , '2', $interfaceref->{zone} )};
 
     ! ( $chainref->{referenced} || $chainref->{is_policy} )
 }
@@ -821,7 +811,7 @@ sub use_output_chain($) {
 #
 sub masq_chain($)
 {
-    $_[0] . '_masq';
+     $_[0] . '_masq';
 }
 
 #
@@ -1183,7 +1173,7 @@ sub finish_section ( $ ) {
 
     for my $zone ( all_zones ) {
 	for my $zone1 ( all_zones ) {
-	    my $chainref = $chain_table{'filter'}{rules_chain( $zone, $zone1 )};
+	    my $chainref = $chain_table{'filter'}{"${zone}2${zone1}"};
 	    finish_chain_section $chainref, $sections if $chainref->{referenced};
 	}
     }
@@ -1210,12 +1200,12 @@ sub set_mss( $$$ ) {
 
     for my $z ( all_zones ) {
 	if ( $direction eq '_in' ) {
-	    set_mss1 rules_chain( ${zone}, ${z} ) , $mss;
+	    set_mss1 "${zone}2${z}" , $mss;
 	} elsif ( $direction eq '_out' ) {
-	    set_mss1 rules_chain( ${z}, ${zone} ) , $mss;
+	    set_mss1 "${z}2${zone}", $mss;
 	} else {
-	    set_mss1 rules_chain( ${z}, ${zone} ) , $mss;
-	    set_mss1 rules_chain( ${zone}, ${z} ) , $mss;
+	    set_mss1 "${z}2${zone}", $mss;
+	    set_mss1 "${zone}2${z}", $mss;
 	}
     }
 }
@@ -1735,7 +1725,6 @@ sub match_source_dev( $ ) {
     my $interface = shift;
     return '' if $interface eq '+';
     my $interfaceref =  known_interface( $interface );
-    $interface = $interfaceref->{physical} if $interfaceref;
     if ( $interfaceref && $interfaceref->{options}{port} ) {
 	"-i $interfaceref->{bridge} -m physdev --physdev-in $interface ";
     } else {
@@ -1750,7 +1739,6 @@ sub match_dest_dev( $ ) {
     my $interface = shift;
     return '' if $interface eq '+';
     my $interfaceref =  known_interface( $interface );
-    $interface = $interfaceref->{physical} if $interfaceref;
     if ( $interfaceref && $interfaceref->{options}{port} ) {
 	if ( $capabilities{PHYSDEV_BRIDGE} ) {
 	    "-o $interfaceref->{bridge} -m physdev --physdev-is-bridged --physdev-out $interface ";
@@ -2126,11 +2114,7 @@ sub set_chain_variables() {
 # Emit code that marks the firewall as not started.
 #
 sub mark_firewall_not_started() {
-    if ( $family == F_IPV4 ) {
-	emit ( 'qt1 $IPTABLES -L shorewall -n && qt1 $IPTABLES -F shorewall && qt1 $IPTABLES -X shorewall' );
-    } else {
-	emit ( 'qt1 $IPTABLES6 -L shorewall -n && qt1 $IPTABLES6 -F shorewall && qt1 $IPTABLES6 -X shorewall' );
-    }
+    emit ( 'qt1 $IPTABLES -L shorewall -n && qt1 $IPTABLES -F shorewall && qt1 $IPTABLES -X shorewall' );
 }
 
 ####################################################################################################################
@@ -2150,11 +2134,10 @@ sub interface_address( $ ) {
 # Record that the ruleset requires the first IP address on the passed interface
 #
 sub get_interface_address ( $ ) {
-    my ( $logical ) = $_[0];
+    my ( $interface ) = $_[0];
 
-    my $interface = get_physical( $logical );
     my $variable = interface_address( $interface );
-    my $function = interface_is_optional( $logical ) ? 'find_first_interface_address_if_any' : 'find_first_interface_address';
+    my $function = interface_is_optional( $interface ) ? 'find_first_interface_address_if_any' : 'find_first_interface_address';
 
     $global_variables |= ALL_COMMANDS;
 
@@ -2175,7 +2158,7 @@ sub interface_bcasts( $ ) {
 # Record that the ruleset requires the broadcast addresses on the passed interface
 #
 sub get_interface_bcasts ( $ ) {
-    my ( $interface ) = get_physical $_[0];
+    my ( $interface ) = $_[0];
 
     my $variable = interface_bcasts( $interface );
 
@@ -2198,7 +2181,7 @@ sub interface_acasts( $ ) {
 # Record that the ruleset requires the anycast addresses on the passed interface
 #
 sub get_interface_acasts ( $ ) {
-    my ( $interface ) = get_physical $_[0];
+    my ( $interface ) = $_[0];
 
     $global_variables |= NOT_RESTORE;
 
@@ -2221,16 +2204,15 @@ sub interface_gateway( $ ) {
 # Record that the ruleset requires the gateway address on the passed interface
 #
 sub get_interface_gateway ( $ ) {
-    my ( $logical ) = $_[0];
+    my ( $interface ) = $_[0];
 
-    my $interface = get_physical $logical;
     my $variable = interface_gateway( $interface );
 
     my $routine = $config{USE_DEFAULT_RT} ? 'detect_dynamic_gateway' : 'detect_gateway';
 
     $global_variables |= ALL_COMMANDS;
 
-    if ( interface_is_optional $logical ) {
+    if ( interface_is_optional $interface ) {
 	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$($routine $interface)\n);
     } else {
 	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$($routine $interface)
@@ -2253,14 +2235,13 @@ sub interface_addresses( $ ) {
 # Record that the ruleset requires the IP addresses on the passed interface
 #
 sub get_interface_addresses ( $ ) {
-    my ( $logical ) = $_[0];
+    my ( $interface ) = $_[0];
 
-    my $interface = get_physical( $logical );
     my $variable = interface_addresses( $interface );
 
     $global_variables |= NOT_RESTORE;
 
-    if ( interface_is_optional $logical ) {
+    if ( interface_is_optional $interface ) {
 	$interfaceaddrs{$interface} = qq($variable=\$(find_interface_addresses $interface)\n);
     } else {
 	$interfaceaddrs{$interface} = qq($variable=\$(find_interface_addresses $interface)
@@ -2283,14 +2264,13 @@ sub interface_nets( $ ) {
 # Record that the ruleset requires the networks routed out of the passed interface
 #
 sub get_interface_nets ( $ ) {
-    my ( $logical ) = $_[0];
+    my ( $interface ) = $_[0];
 
-    my $interface = get_physical( $logical );
     my $variable = interface_nets( $interface );
 
     $global_variables |= ALL_COMMANDS;
 
-    if ( interface_is_optional $logical ) {
+    if ( interface_is_optional $interface ) {
 	$interfacenets{$interface} = qq($variable=\$(get_routed_networks $interface)\n);
     } else {
 	$interfacenets{$interface} = qq($variable=\$(get_routed_networks $interface)
@@ -2314,14 +2294,13 @@ sub interface_mac( $$ ) {
 # Record the fact that the ruleset requires MAC address of the passed gateway IP routed out of the passed interface for the passed provider number
 #
 sub get_interface_mac( $$$ ) {
-    my ( $ipaddr, $logical , $table ) = @_;
+    my ( $ipaddr, $interface , $table ) = @_;
 
-    my $interface = get_physical( $logical );
     my $variable = interface_mac( $interface , $table );
 
     $global_variables |= NOT_RESTORE;
 
-    if ( interface_is_optional $logical ) {
+    if ( interface_is_optional $interface ) {
 	$interfacemacs{$table} = qq($variable=\$(find_mac $ipaddr $interface)\n);
     } else {
 	$interfacemacs{$table} = qq($variable=\$(find_mac $ipaddr $interface)
@@ -2893,6 +2872,15 @@ sub emitr( $ ) {
     }
 }
 
+#
+# Simple version that only handles rules
+#
+sub emitr1( $ ) {
+    my $rule = $_[0];
+
+    emit_unindented $rule;
+}
+
 #
 # Generate the netfilter input
 #
@@ -3180,7 +3168,7 @@ sub create_stop_load( $ ) {
 	# Then emit the rules
 	#
 	for my $chainref ( @chains ) {
-	    emit_unindented $_ for @{$chainref->{rules}};
+	    emitr1 $_ for @{$chainref->{rules}};
 	}
 	#
 	# Commit the changes to the table

Shorewall/Perl/Shorewall/Compiler.pm

@@ -43,7 +43,7 @@ use Shorewall::Raw;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( compiler EXPORT TIMESTAMP DEBUG );
 our @EXPORT_OK = qw( $export );
-our $VERSION = '4.4_4';
+our $VERSION = '4.4_3';
 
 our $export;
 
@@ -421,10 +421,23 @@ sub generate_script_3($) {
 	emit "disable_ipv6\n" if $config{DISABLE_IPV6};
 
     } else {
-	emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit', 
+	emit ( '#',
+	       '# Recent kernels are difficult to configure -- we see state match omitted a lot so we check for it here',
+	       '#',
+	       'qt1 $IP6TABLES -N foox1234',
+	       'qt1 $IP6TABLES -A foox1234 -m state --state ESTABLISHED,RELATED -j ACCEPT',
+	       'result=$?',
+	       'qt1 $IP6TABLES -F foox1234',
+	       'qt1 $IP6TABLES -X foox1234',
+	       '[ $result = 0 ] || startup_error "Your kernel/ip6tables do not include state match support. No version of Shorewall6 will run on this system"',
 	       '' );
-	mark_firewall_not_started;
-	emit '';
+
+	emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit',
+		   '',
+	       'qt1 $IP6TABLES -L shorewall -n && qt1 $IP6TABLES -F shorewall && qt1 $IP6TABLES -X shorewall',
+	       ''
+	     );
+
     }
 
     emit qq(delete_tc1\n) if $config{CLEAR_TC};
@@ -446,10 +459,6 @@ sub generate_script_3($) {
     dump_zone_contents;
     emit_unindented '__EOF__';
 
-    emit 'cat > ${VARDIR}/policies << __EOF__';
-    save_policies;
-    emit_unindented '__EOF__';
-
     pop_indent;
 
     emit "fi\n";
@@ -695,7 +704,7 @@ sub compiler {
     #
     setup_proxy_arp;
     #
-    # Handle MSS settings in the zones file
+    # Handle MSS setings in the zones file
     #
     setup_zone_mss;
 

Shorewall/Perl/Shorewall/Config.pm

@@ -127,7 +127,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 
 Exporter::export_ok_tags('internal');
 
-our $VERSION = '4.4_4';
+our $VERSION = '4.4_3';
 
 #
 # describe the current command, it's present progressive, and it's completion.
@@ -327,7 +327,7 @@ sub initialize( $ ) {
 		    TC_SCRIPT => '',
 		    EXPORT => 0,
 		    UNTRACKED => 0,
-		    VERSION => "4.4.4.1",
+		    VERSION => "4.4.3.1",
 		    CAPVERSION => 40402 ,
 		  );
 
@@ -440,7 +440,6 @@ sub initialize( $ ) {
 	      AUTOMAKE => undef ,
 	      WIDE_TC_MARKS => undef,
 	      TRACK_PROVIDERS => undef,
-	      ZONE2ZONE => undef,
 	      #
 	      # Packet Disposition
 	      #
@@ -548,7 +547,6 @@ sub initialize( $ ) {
 	      AUTOMAKE => undef ,
 	      WIDE_TC_MARKS => undef,
 	      TRACK_PROVIDERS => undef,
-	      ZONE2ZONE => undef,
 	      #
 	      # Packet Disposition
 	      #
@@ -2410,17 +2408,9 @@ sub get_configuration( $ ) {
     default_yes_no 'WIDE_TC_MARKS'              , '';
     default_yes_no 'TRACK_PROVIDERS'            , '';
 
-    my $val;
-
-    if ( defined ( $val = $config{ZONE2ZONE} ) ) {
-	fatal_error "Invalid ZONE2ZONE value ( $val )" unless $val =~ /^[2-]$/;
-    } else {
-	$config{ZONE2ZONE} = '2';
-    }
-
     $capabilities{XCONNMARK} = '' unless $capabilities{XCONNMARK_MATCH} and $capabilities{XMARK};
 
-    default 'BLACKLIST_DISPOSITION'    , 'DROP';
+    default 'BLACKLIST_DISPOSITION'             , 'DROP';
 
     default_log_level 'BLACKLIST_LOGLEVEL',  '';
     default_log_level 'MACLIST_LOG_LEVEL',   '';
@@ -2432,6 +2422,8 @@ sub get_configuration( $ ) {
     default_log_level 'SMURF_LOG_LEVEL',     '';
     default_log_level 'LOGALLNEW',           '';
 
+    my $val;
+
     $globals{MACLIST_TARGET} = 'reject';
 
     if ( $val = $config{MACLIST_DISPOSITION} ) {

Shorewall/Perl/Shorewall/Nat.pm

@@ -36,7 +36,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses );
 our @EXPORT_OK = ();
-our $VERSION = '4.4_4';
+our $VERSION = '4.4_3';
 
 our @addresses_to_add;
 our %addresses_to_add;
@@ -195,7 +195,7 @@ sub process_one_masq( )
 	fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
 
 	unless ( $interfaceref->{root} ) {
-	    $rule .= match_dest_dev( $interface );
+	    $rule .= "-o $interface ";
 	    $interface = $interfaceref->{name};
 	}
 
@@ -367,8 +367,8 @@ sub do_one_nat( $$$$$ )
     fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
 
     unless ( $interfaceref->{root} ) {
-	$rulein  = match_source_dev $interface;
-	$ruleout = match_dest_dev $interface;
+	$rulein  = "-i $interface ";
+	$ruleout = "-o $interface ";
 	$interface = $interfaceref->{name};
     }
 
@@ -460,8 +460,8 @@ sub setup_netmap() {
 	    fatal_error "Unknown interface ($interface)" unless my $interfaceref = find_interface( $interface );
 
 	    unless ( $interfaceref->{root} ) {
-		$rulein  = match_source_dev $interface;
-		$ruleout = match_dest_dev $interface;
+		$rulein  = "-i $interface ";
+		$ruleout = "-o $interface ";
 		$interface = $interfaceref->{name};
 	    }
 

Shorewall/Perl/Shorewall/Policy.pm

@@ -32,9 +32,9 @@ use Shorewall::Actions;
 use strict;
 
 our @ISA = qw(Exporter);
-our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain setup_syn_flood_chains save_policies );
+our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain setup_syn_flood_chains );
 our @EXPORT_OK = qw(  );
-our $VERSION = '4.4_4';
+our $VERSION = '4.4_1';
 
 # @policy_chains is a list of references to policy chains in the filter table
 
@@ -68,7 +68,7 @@ sub new_policy_chain($$$$)
 {
     my ($source, $dest, $policy, $optional) = @_;
 
-    my $chainref = new_chain( 'filter', rules_chain( ${source}, ${dest} ) );
+    my $chainref = new_chain( 'filter', "${source}2${dest}" );
 
     convert_to_policy_chain( $chainref, $source, $dest, $policy, $optional );
 
@@ -119,7 +119,7 @@ use constant { OPTIONAL => 1 };
 
 sub add_or_modify_policy_chain( $$ ) {
     my ( $zone, $zone1 ) = @_;
-    my $chain    = rules_chain( ${zone}, ${zone1} );
+    my $chain    = "${zone}2${zone1}";
     my $chainref = $filter_table->{$chain};
 
     if ( $chainref ) {
@@ -211,7 +211,7 @@ sub process_a_policy() {
 	}
     }
 
-    my $chain = rules_chain( ${client}, ${server} );
+    my $chain = "${client}2${server}";
     my $chainref;
 
     if ( defined $filter_table->{$chain} ) {
@@ -252,19 +252,19 @@ sub process_a_policy() {
 	if ( $serverwild ) {
 	    for my $zone ( @zonelist ) {
 		for my $zone1 ( @zonelist ) {
-		    set_policy_chain $client, $server, rules_chain( ${zone}, ${zone1} ), $chainref, $policy;
+		    set_policy_chain $client, $server, "${zone}2${zone1}", $chainref, $policy;
 		    print_policy $zone, $zone1, $policy, $chain;
 		}
 	    }
 	} else {
 	    for my $zone ( all_zones ) {
-		set_policy_chain $client, $server, rules_chain( ${zone}, ${server} ), $chainref, $policy;
+		set_policy_chain $client, $server, "${zone}2${server}", $chainref, $policy;
 		print_policy $zone, $server, $policy, $chain;
 	    }
 	}
     } elsif ( $serverwild ) {
 	for my $zone ( @zonelist ) {
-	    set_policy_chain $client, $server, rules_chain( ${client}, ${zone} ), $chainref, $policy;
+	    set_policy_chain $client, $server, "${client}2${zone}", $chainref, $policy;
 	    print_policy $client, $zone, $policy, $chain;
 	}
 
@@ -273,21 +273,6 @@ sub process_a_policy() {
     }
 }
 
-sub save_policies() {
-    for my $zone1 ( all_zones ) {
-	for my $zone2 ( all_zones ) {
-	    my $chainref  = $filter_table->{ rules_chain( $zone1, $zone2 ) };
-	    my $policyref = $filter_table->{ $chainref->{policychain} };
-
-	    if ( $policyref->{referenced} ) {
-		emit_unindented "$zone1 \t=>\t$zone2\t" . $policyref->{policy} . ' using chain ' . $policyref->{name};
-	    } elsif ( $zone1 ne $zone2 ) {
-		emit_unindented "$zone1 \t=>\t$zone2\t" . $policyref->{policy};
-	    }
-	}
-    }
-}	    
-
 sub validate_policy()
 {
     our %validpolicies = (
@@ -349,7 +334,7 @@ sub validate_policy()
 
     for $zone ( all_zones ) {
 	for my $zone1 ( all_zones ) {
-	    fatal_error "No policy defined from zone $zone to zone $zone1" unless $filter_table->{rules_chain( ${zone}, ${zone1} )}{policy};
+	    fatal_error "No policy defined from zone $zone to zone $zone1" unless $filter_table->{"${zone}2${zone1}"}{policy};
 	}
     }
 }
@@ -424,7 +409,7 @@ sub apply_policy_rules() {
 		ensure_filter_chain $name, 1;
 	    }
 
-	    if ( $name =~ /^all[-2]|[-2]all$/ ) {
+	    if ( $name =~ /^all2|2all$/ ) {
 		run_user_exit $chainref;
 		policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST};
 	    }
@@ -433,7 +418,7 @@ sub apply_policy_rules() {
 
     for my $zone ( all_zones ) {
 	for my $zone1 ( all_zones ) {
-	    my $chainref = $filter_table->{rules_chain( ${zone}, ${zone1} )};
+	    my $chainref = $filter_table->{"${zone}2${zone1}"};
 
 	    if ( $chainref->{referenced} ) {
 		run_user_exit $chainref;
@@ -459,7 +444,7 @@ sub complete_standard_chain ( $$$$ ) {
 
     run_user_exit $stdchainref;
 
-    my $ruleschainref = $filter_table->{rules_chain( ${zone}, ${zone2} ) } || $filter_table->{rules_chain( 'all', 'all' ) };
+    my $ruleschainref = $filter_table->{"${zone}2${zone2}"} || $filter_table->{all2all};
     my ( $policy, $loglevel, $defaultaction ) = ( $default , 6, $config{$default . '_DEFAULT'} );
     my $policychainref;
 

Shorewall/Perl/Shorewall/Proc.pm

@@ -41,7 +41,7 @@ our @EXPORT = qw(
 		 setup_forwarding
 		 );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.4_4';
+our $VERSION = '4.3_12';
 
 #
 # ARP Filtering
@@ -56,35 +56,27 @@ sub setup_arp_filtering() {
 	save_progress_message "Setting up ARP filtering...";
 
 	for my $interface ( @$interfaces ) {
-	    my $value = get_interface_option $interface, 'arp_filter';
-	    my $optional = interface_is_optional $interface;
-                           
-	    $interface = get_physical $interface;
-
 	    my $file = "/proc/sys/net/ipv4/conf/$interface/arp_filter";
+	    my $value = get_interface_option $interface, 'arp_filter';
 
 	    emit ( '',
 		   "if [ -f $file ]; then",
 		   "    echo $value > $file");
 	    emit ( 'else',
-		   "    error_message \"WARNING: Cannot set ARP filtering on $interface\"" ) unless $optional;
+		   "    error_message \"WARNING: Cannot set ARP filtering on $interface\"" ) unless interface_is_optional( $interface );
 	    emit   "fi\n";
 	}
 
 	for my $interface ( @$interfaces1 ) {
-	    my $value = get_interface_option $interface, 'arp_ignore';
-	    my $optional = interface_is_optional $interface;
-                           
-	    $interface = get_physical $interface;
-
 	    my $file  = "/proc/sys/net/ipv4/conf/$interface/arp_ignore";
+	    my $value = get_interface_option $interface, 'arp_ignore';
 
 	    assert( defined $value );
 
 	    emit ( "if [ -f $file ]; then",
 		   "    echo $value > $file");
 	    emit ( 'else',
-		   "    error_message \"WARNING: Cannot set ARP filtering on $interface\"" ) unless $optional;
+		   "    error_message \"WARNING: Cannot set ARP filtering on $interface\"" ) unless interface_is_optional( $interface );
 	    emit   "fi\n";
 	}
     }
@@ -114,17 +106,13 @@ sub setup_route_filtering() {
 	}
 
 	for my $interface ( @$interfaces ) {
-	    my $value = get_interface_option $interface, 'routefilter';
-	    my $optional = interface_is_optional $interface;
-                           
-	    $interface = get_physical $interface;
-
 	    my $file = "/proc/sys/net/ipv4/conf/$interface/rp_filter";
+	    my $value = get_interface_option $interface, 'routefilter';
 
 	    emit ( "if [ -f $file ]; then" ,
 		   "    echo $value > $file" );
 	    emit ( 'else' ,
-		   "    error_message \"WARNING: Cannot set route filtering on $interface\"" ) unless $optional;
+		   "    error_message \"WARNING: Cannot set route filtering on $interface\"" ) unless interface_is_optional( $interface);
 	    emit   "fi\n";
 	}
 
@@ -165,18 +153,14 @@ sub setup_martian_logging() {
 	}
 
 	for my $interface ( @$interfaces ) {
-	    my $value = get_interface_option $interface, 'logmartians';
-	    my $optional = interface_is_optional $interface;
-                           
-	    $interface = get_physical $interface;
-
 	    my $file = "/proc/sys/net/ipv4/conf/$interface/log_martians";
+	    my $value = get_interface_option $interface, 'logmartians';
 
 	    emit ( "if [ -f $file ]; then" ,
 		   "    echo $value > $file" );
 
 	    emit ( 'else' ,
-		   "    error_message \"WARNING: Cannot set Martian logging on $interface\"") unless $optional;
+		   "    error_message \"WARNING: Cannot set Martian logging on $interface\"") unless interface_is_optional( $interface);
 	    emit   "fi\n";
 	}
     }
@@ -196,17 +180,13 @@ sub setup_source_routing( $ ) {
 	save_progress_message 'Setting up Accept Source Routing...';
 
 	for my $interface ( @$interfaces ) {
-	    my $value = get_interface_option $interface, 'sourceroute';
-	    my $optional = interface_is_optional $interface;
-
-	    $interface = get_physical $interface;
-
 	    my $file = "/proc/sys/net/ipv$family/conf/$interface/accept_source_route";
+	    my $value = get_interface_option $interface, 'sourceroute';
 
 	    emit ( "if [ -f $file ]; then" ,
 		   "    echo $value > $file" );
 	    emit ( 'else' ,
-		   "    error_message \"WARNING: Cannot set Accept Source Routing on $interface\"" ) unless $optional;
+		   "    error_message \"WARNING: Cannot set Accept Source Routing on $interface\"" ) unless interface_is_optional( $interface);
 	    emit   "fi\n";
 	}
     }
@@ -247,17 +227,13 @@ sub setup_forwarding( $$ ) {
 	    save_progress_message 'Setting up IPv6 Interface Forwarding...';
 
 	    for my $interface ( @$interfaces ) {
-		my $value = get_interface_option $interface, 'forward';
-		my $optional = interface_is_optional $interface;
-
-		$interface = get_physical $interface;
-
 		my $file = "/proc/sys/net/ipv6/conf/$interface/forwarding";
+		my $value = get_interface_option $interface, 'forward';
 
 		emit ( "if [ -f $file ]; then" ,
 		       "    echo $value > $file" );
 		emit ( 'else' ,
-		       "    error_message \"WARNING: Cannot set IPv6 forwarding on $interface\"" ) unless $optional;
+		       "    error_message \"WARNING: Cannot set IPv6 forwarding on $interface\"" ) unless interface_is_optional( $interface);
 		emit   "fi\n";
 	    }
 

Shorewall/Perl/Shorewall/Providers.pm

@@ -35,7 +35,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_providers @routemarked_interfaces handle_stickiness handle_optional_interfaces );
 our @EXPORT_OK = qw( initialize lookup_provider );
-our $VERSION = '4.4_4';
+our $VERSION = '4.4_2';
 
 use constant { LOCAL_TABLE   => 255,
 	       MAIN_TABLE    => 254,
@@ -96,7 +96,7 @@ sub initialize( $ ) {
 sub setup_route_marking() {
     my $mask = $config{HIGH_ROUTE_MARKS} ? $config{WIDE_TC_MARKS} ? '0xFF0000' : '0xFF00' : '0xFF';
 
-    require_capability( $_ , q(The provider 'track' option) , 's' ) for qw/CONNMARK_MATCH CONNMARK/;
+    require_capability( $_ , 'the provider \'track\' option' , 's' ) for qw/CONNMARK_MATCH CONNMARK/;
 
     add_rule $mangle_table->{$_} , "-m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask" for qw/PREROUTING OUTPUT/;
 
@@ -108,21 +108,33 @@ sub setup_route_marking() {
 
     for my $providerref ( @routemarked_providers ) {
 	my $interface = $providerref->{interface};
-	my $physical  = $providerref->{physical};
 	my $mark      = $providerref->{mark};
+	my $base      = uc chain_base $interface;
+
+	if ( $providerref->{optional} ) {
+	    if ( $providerref->{shared} ) {
+		add_commands( $chainref, qq(if [ interface_is_usable $interface -a -n "$providerref->{mac}" ]; then) );
+	    } else {
+		add_commands( $chainref, qq(if [ -n "\$${base}_IS_USABLE" ]; then) );
+	    }
+
+	    incr_cmd_level( $chainref );
+	}
 
 	unless ( $marked_interfaces{$interface} ) {
-	    add_rule $mangle_table->{PREROUTING} , "-i $physical -m mark --mark 0/$mask -j routemark";
-	    add_jump $mangle_table->{PREROUTING} , $chainref1, 0, "! -i $physical -m mark --mark  $mark/$mask ";
+	    add_rule $mangle_table->{PREROUTING} , "-i $interface -m mark --mark 0/$mask -j routemark";
+	    add_jump $mangle_table->{PREROUTING} , $chainref1, 0, "! -i $interface -m mark --mark  $mark/$mask ";
 	    add_jump $mangle_table->{OUTPUT}     , $chainref2, 0, "-m mark --mark  $mark/$mask ";
 	    $marked_interfaces{$interface} = 1;
 	}
 
 	if ( $providerref->{shared} ) {
-	    add_rule $chainref, match_source_dev( $interface ) . "-m mac --mac-source $providerref->{mac} -j MARK --set-mark $providerref->{mark}";
+	    add_rule $chainref, " -i $interface -m mac --mac-source $providerref->{mac} -j MARK --set-mark $providerref->{mark}";
 	} else {
-	    add_rule $chainref, match_source_dev( $interface ) . "-j MARK --set-mark $providerref->{mark}";
+	    add_rule $chainref, " -i $interface -j MARK --set-mark $providerref->{mark}";
 	}
+
+	decr_cmd_level( $chainref), add_commands( $chainref, "fi" ) if $providerref->{optional};
     }
 
     add_rule $chainref, "-m mark ! --mark 0/$mask -j CONNMARK --save-mark --mask $mask";
@@ -136,7 +148,7 @@ sub copy_table( $$$ ) {
     my $filter = $family == F_IPV6 ? q(sed 's/ via :: / /' | ) : '';
 
     if ( $realm ) {
-	emit  ( "\$IP -$family route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | while read net route; do" )
+	emit  ( "\$IP -$family route show table $duplicate | sed -r 's/ realm [[:alnum:]]+//' | while read net route; do" )
     } else {
 	emit  ( "\$IP -$family route show table $duplicate | ${filter}while read net route; do" )
     }
@@ -158,17 +170,9 @@ sub copy_and_edit_table( $$$$ ) {
     # Hack to work around problem in iproute
     #    
     my $filter = $family == F_IPV6 ? q(sed 's/ via :: / /' | ) : '';
-    #
-    # Map physical names in $copy to logical names
-    #
-    $copy = join( '|' , map( physical_name($_) , split( ',' , $copy ) ) );
-    #
-    # Shell and iptables use a different wildcard character
-    #
-    $copy =~ s/\+/*/;
 
     if ( $realm ) {
-	emit  ( "\$IP -$family route show table $duplicate | sed -r 's/ realm [[:alnum:]]+//' | while read net route; do" )
+	emit  ( "\$IP -$family route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | while read net route; do" )
     } else {
 	emit  ( "\$IP -$family route show table $duplicate | ${filter}while read net route; do" )
     }
@@ -274,10 +278,9 @@ sub add_a_provider( ) {
     }
 
     fatal_error "Unknown Interface ($interface)" unless known_interface $interface;
-    fatal_error "A bridge port ($interface) may not be configured as a provider interface" if port_to_bridge $interface;
 
-    my $physical    = get_physical $interface;
-    my $base        = uc chain_base $physical;
+    my $provider    = chain_base $table;
+    my $base        = uc chain_base $interface;
     my $gatewaycase = '';
 
     if ( $gateway eq 'detect' ) {
@@ -380,7 +383,6 @@ sub add_a_provider( ) {
 			   number      => $number ,
 			   mark        => $val ? in_hex($val) : $val ,
 			   interface   => $interface ,
-			   physical    => $physical ,
 			   optional    => $optional ,
 			   gateway     => $gateway ,
 			   gatewaycase => $gatewaycase ,
@@ -408,19 +410,19 @@ sub add_a_provider( ) {
     if ( $shared ) {
 	my $variable = $providers{$table}{mac} = get_interface_mac( $gateway, $interface , $table );
 	$realm = "realm $number";
-	start_provider( $table, $number, qq(if interface_is_usable $physical && [ -n "$variable" ]; then) );
+	start_provider( $table, $number, qq(if interface_is_usable $interface && [ -n "$variable" ]; then) );
     } else {
 	if ( $optional ) {
 	    start_provider( $table, $number, qq(if [ -n "\$${base}_IS_USABLE" ]; then) );
 	} elsif ( $gatewaycase eq 'detect' ) {
-	    start_provider( $table, $number, qq(if interface_is_usable $physical && [ -n "$gateway" ]; then) );
+	    start_provider( $table, $number, qq(if interface_is_usable $interface && [ -n "$gateway" ]; then) );
 	} else {
-	    start_provider( $table, $number, "if interface_is_usable $physical; then" );
+	    start_provider( $table, $number, "if interface_is_usable $interface; then" );
 	}
 
 	$provider_interfaces{$interface} = $table;
 
-	emit "run_ip route add default dev $physical table $number" if $gatewaycase eq 'none';
+	emit "run_ip route add default dev $interface table $number" if $gatewaycase eq 'none';
     }
 
     if ( $mark ne '-' ) {
@@ -439,7 +441,8 @@ sub add_a_provider( ) {
 	    if ( $copy eq 'none' ) {
 		$copy = $interface;
 	    } else {
-		$copy = "$interface,$copy";
+		$copy =~ tr/,/|/;
+		$copy = "$interface|$copy";
 	    }
 
 	    copy_and_edit_table( $duplicate, $number ,$copy , $realm);
@@ -451,28 +454,28 @@ sub add_a_provider( ) {
 
     if ( $gateway ) {
 	$address = get_interface_address $interface unless $address;
-	emit "run_ip route replace $gateway src $address dev $physical ${mtu}table $number $realm";
-	emit "run_ip route add default via $gateway src $address dev $physical ${mtu}table $number $realm";
+	emit "run_ip route replace $gateway src $address dev $interface ${mtu}table $number $realm";
+	emit "run_ip route add default via $gateway src $address dev $interface ${mtu}table $number $realm";
     }
 
-    balance_default_route $balance , $gateway, $physical, $realm if $balance;
+    balance_default_route $balance , $gateway, $interface, $realm if $balance;
 
     if ( $default > 0 ) {
-	balance_fallback_route $default , $gateway, $physical, $realm;
+	balance_fallback_route $default , $gateway, $interface, $realm;
     } elsif ( $default ) {
 	emit '';
 	if ( $gateway ) {
-	    emit qq(run_ip route replace default via $gateway src $address dev $physical table ) . DEFAULT_TABLE . qq( metric $number);
+	    emit qq(run_ip route replace default via $gateway src $address dev $interface table ) . DEFAULT_TABLE . qq( dev $interface metric $number);
 	    emit qq(echo "qt \$IP -$family route del default via $gateway table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
 	} else {
-	    emit qq(run_ip route add default table ) . DEFAULT_TABLE . qq( dev $physical metric $number);
-	    emit qq(echo "qt \$IP -$family route del default dev $physical table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
+	    emit qq(run_ip route add default table ) . DEFAULT_TABLE . qq( dev $interface metric $number);
+	    emit qq(echo "qt \$IP -$family route del default dev $interface table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
 	}
     }
 
     if ( $loose ) {
 	if ( $config{DELETE_THEN_ADD} ) {
-	    emit ( "\nfind_interface_addresses $physical | while read address; do",
+	    emit ( "\nfind_interface_addresses $interface | while read address; do",
 		   "    qt \$IP -$family rule del from \$address",
 		   'done'
 		 );
@@ -486,7 +489,7 @@ sub add_a_provider( ) {
 
 	emit "\nrulenum=0\n";
 
-	emit  ( "find_interface_addresses $physical | while read address; do" );
+	emit  ( "find_interface_addresses $interface | while read address; do" );
 	emit  (	"    qt \$IP -$family rule del from \$address" ) if $config{DELETE_THEN_ADD};
 	emit  (	"    run_ip rule add from \$address pref \$(( $rulebase + \$rulenum )) table $number",
 		"    echo \"qt \$IP -$family rule del from \$address\" >> \${VARDIR}/undo_routing",
@@ -504,13 +507,13 @@ sub add_a_provider( ) {
 	if ( $shared ) {
 	    emit ( "    error_message \"WARNING: Gateway $gateway is not reachable -- Provider $table ($number) not Added\"" );
 	} else {
-	    emit ( "    error_message \"WARNING: Interface $physical is not usable -- Provider $table ($number) not Added\"" );
+	    emit ( "    error_message \"WARNING: Interface $interface is not usable -- Provider $table ($number) not Added\"" );
 	}
     } else {
 	if ( $shared ) {
 	    emit( "    fatal_error \"Gateway $gateway is not reachable -- Provider $table ($number) Cannot be Added\"" );
 	} else {
-	    emit( "    fatal_error \"Interface $physical is not usable -- Provider $table ($number) Cannot be Added\"" );
+	    emit( "    fatal_error \"Interface $interface is not usable -- Provider $table ($number) Cannot be Added\"" );
 	}
     }
 
@@ -521,32 +524,9 @@ sub add_a_provider( ) {
     progress_message "   Provider \"$currentline\" $done";
 }
 
-#
-# Begin an 'if' statement testing whether the passed interface is available
-#
-sub start_new_if( $ ) {
-    our $current_if = shift;
-
-    emit ( '', qq(if [ -n "\$${current_if}_IS_USABLE" ]; then) );
-    push_indent;
-}
-  
-#
-# Complete any current 'if' statement in the output script
-#
-sub finish_current_if() {
-    if ( our $current_if ) {
-	pop_indent;
-	emit ( "fi\n" );
-	$current_if = '';
-    }
-}
-
 sub add_an_rtrule( ) {
     my ( $source, $dest, $provider, $priority ) = split_line 4, 4, 'route_rules file';
 
-    our $current_if;
-
     unless ( $providers{$provider} ) {
 	my $found = 0;
 
@@ -581,7 +561,6 @@ sub add_an_rtrule( ) {
 	    ( my $interface, $source , my $remainder ) = split( /:/, $source, 3 );
 	    fatal_error "Invalid SOURCE" if defined $remainder;
 	    validate_net ( $source, 0 );
-	    $interface = physical_name $interface;
 	    $source = "iif $interface from $source";
 	} elsif ( $source =~ /\..*\..*/ ) {
 	    validate_net ( $source, 0 );
@@ -592,7 +571,6 @@ sub add_an_rtrule( ) {
     } elsif ( $source =~  /^(.+?):<(.+)>\s*$/ ) {
 	my ($interface, $source ) = ($1, $2);
 	validate_net ($source, 0);
-	$interface = physical_name $interface;
 	$source = "iif $interface from $source";
     } elsif (  $source =~ /:.*:/ || $source =~ /\..*\..*/ ) {
 	validate_net ( $source, 0 );
@@ -605,21 +583,21 @@ sub add_an_rtrule( ) {
 
     $priority = "priority $priority";
 
-    finish_current_if, emit ( "qt \$IP -$family rule del $source $dest $priority" ) if $config{DELETE_THEN_ADD};
+    emit ( "qt \$IP -$family rule del $source $dest $priority" ) if $config{DELETE_THEN_ADD};
 
     my ( $optional, $number ) = ( $providers{$provider}{optional} , $providers{$provider}{number} );
 
     if ( $optional ) {
-	my $base = uc chain_base( $providers{$provider}{physical} );
-	finish_current_if if $base ne $current_if;
-	start_new_if( $base ) unless $current_if;
-  } else {
-	finish_current_if;
+	my $base = uc chain_base( $providers{$provider}{interface} );
+	emit ( '', qq(if [ -n "\$${base}_IS_USABLE" ]; then) );
+	push_indent;
     }
 
     emit ( "run_ip rule add $source $dest $priority table $number",
 	   "echo \"qt \$IP -$family rule del $source $dest $priority\" >> \${VARDIR}/undo_routing" );
 
+    pop_indent, emit ( "fi\n" ) if $optional;
+
     progress_message "   Routing rule \"$currentline\" $done";
 }
 
@@ -753,15 +731,12 @@ sub setup_providers() {
 	my $fn = open_file 'route_rules';
 
 	if ( $fn ) {
-	    our $current_if = '';
 
 	    first_entry "$doing $fn...";
 
 	    emit '';
 
 	    add_an_rtrule while read_a_line;
-
-	    finish_current_if;
 	}
 
 	setup_null_routing if $config{NULL_ROUTE_RFC1918};
@@ -829,9 +804,8 @@ sub handle_optional_interfaces() {
 
     if ( @$interfaces ) {
 	for my $interface ( @$interfaces ) {
+	    my $base  = uc chain_base( $interface );
 	    my $provider = $provider_interfaces{$interface};
-	    my $physical = get_physical $interface;
-	    my $base     = uc chain_base( $physical );
 
 	    emit '';
 
@@ -842,15 +816,15 @@ sub handle_optional_interfaces() {
 		my $providerref = $providers{$provider};
 
 		if ( $providerref->{gatewaycase} eq 'detect' ) {
-		    emit qq(if interface_is_usable $physical && [ -n "$providerref->{gateway}" ]; then);
+		    emit qq(if interface_is_usable $interface && [ -n "$providerref->{gateway}" ]; then);
 		} else {
-		    emit qq(if interface_is_usable $physical; then);
+		    emit qq(if interface_is_usable $interface; then);
 		}
 	    } else {
 		#
 		# Not a provider interface
 		#
-		emit qq(if interface_is_usable $physical; then);
+		emit qq(if interface_is_usable $interface; then);
 	    }
 
 	    emit( "    ${base}_IS_USABLE=Yes" ,
@@ -880,8 +854,9 @@ sub handle_stickiness( $ ) {
     if ( $havesticky ) {
 	fatal_error "There are SAME tcrules but no 'track' providers" unless @routemarked_providers;
 
+
 	for my $providerref ( @routemarked_providers ) {
-	    my $interface = $providerref->{physical};
+	    my $interface = $providerref->{interface};
 	    my $base      = uc chain_base $interface;
 	    my $mark      = $providerref->{mark};
 
@@ -891,6 +866,9 @@ sub handle_stickiness( $ ) {
 		my $list = sprintf "sticky%03d" , $sticky++;
 
 		for my $chainref ( $stickyref, $setstickyref ) {
+
+		    add_commands( $chainref, qq(if [ -n "\$${base}_IS_USABLE" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional};
+
 		    if ( $chainref->{name} eq 'sticky' ) {
 			$rule1 = $_;
 			$rule1 =~ s/-j sticky/-m recent --name $list --update --seconds 300 -j MARK --set-mark $mark/;
@@ -909,6 +887,9 @@ sub handle_stickiness( $ ) {
 			$rule2 =~ s/-A tcpre //;
 			add_rule $chainref, $rule2;
 		    }
+
+		    decr_cmd_level( $chainref), add_commands( $chainref, "fi" ) if $providerref->{optional};
+
 		}
 	    }
 
@@ -918,6 +899,8 @@ sub handle_stickiness( $ ) {
 		my $stickoref = ensure_mangle_chain 'sticko';
 
 		for my $chainref ( $stickoref, $setstickoref ) {
+		    add_commands( $chainref, qq(if [ -n "\$${base}_IS_USABLE" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional};
+
 		    if ( $chainref->{name} eq 'sticko' ) {
 			$rule1 = $_;
 			$rule1 =~ s/-j sticko/-m recent --name $list --rdest --update --seconds 300 -j MARK --set-mark $mark/;
@@ -936,6 +919,8 @@ sub handle_stickiness( $ ) {
 			$rule2 =~ s/-A tcout //;
 			add_rule $chainref, $rule2;
 		    }
+
+		    decr_cmd_level( $chainref), add_commands( $chainref, "fi" ) if $providerref->{optional};
 		}
 	    }
 	}

Shorewall/Perl/Shorewall/Proxyarp.pm

@@ -35,7 +35,7 @@ our @EXPORT = qw(
 		  );
 
 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.4_4';
+our $VERSION = '4.4_1';
 
 our @proxyarp;
 
@@ -117,8 +117,6 @@ sub setup_proxy_arp() {
 		    $first_entry = 0;
 		}
 
-		$interface = get_physical $interface;
-
 		$set{$interface}  = 1;
 		$reset{$external} = 1 unless $set{$external};
 
@@ -145,14 +143,10 @@ sub setup_proxy_arp() {
 
 	    for my $interface ( @$interfaces ) {
 		my $value = get_interface_option $interface, 'proxyarp';
-		my $optional = interface_is_optional $interface;
-
-		$interface = get_physical $interface;
-
 		emit ( "if [ -f /proc/sys/net/ipv4/conf/$interface/proxy_arp ] ; then" ,
 		       "    echo $value > /proc/sys/net/ipv4/conf/$interface/proxy_arp" );
 		emit ( 'else' ,
-		       "    error_message \"WARNING: Unable to set/reset proxy ARP on $interface\"" ) unless $optional;
+		       "    error_message \"WARNING: Unable to set/reset proxy ARP on $interface\"" ) unless interface_is_optional( $interface );
 		emit   "fi\n";
 	    }
 	}
@@ -164,14 +158,10 @@ sub setup_proxy_arp() {
 
 	    for my $interface ( @$interfaces ) {
 		my $value = get_interface_option $interface, 'proxyndp';
-		my $optional = interface_is_optional $interface;
-
-		$interface = get_physical $interface;
-
 		emit ( "if [ -f /proc/sys/net/ipv6/conf/$interface/proxy_ndp ] ; then" ,
 		   "    echo $value > /proc/sys/net/ipv6/conf/$interface/proxy_ndp" );
 		emit ( 'else' ,
-		       "    error_message \"WARNING: Unable to set/reset Proxy NDP on $interface\"" ) unless $optional;
+		       "    error_message \"WARNING: Unable to set/reset Proxy NDP on $interface\"" ) unless interface_is_optional( $interface );
 		emit   "fi\n";
 	    }
 	}

Shorewall/Perl/Shorewall/Rules.pm

@@ -24,7 +24,6 @@
 #
 package Shorewall::Rules;
 require Exporter;
-
 use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::IPAddrs;
 use Shorewall::Zones;
@@ -46,7 +45,7 @@ our @EXPORT = qw( process_tos
 		  compile_stop_firewall
 		  );
 our @EXPORT_OK = qw( process_rule process_rule1 initialize );
-our $VERSION = '4.4_4';
+our $VERSION = '4.4_3';
 
 #
 # Set to one if we find a SECTION
@@ -199,8 +198,8 @@ sub setup_ecn()
 	    for my $interface ( @interfaces ) {
 		my $chainref = ensure_chain 'mangle', ecn_chain( $interface );
 
-		add_jump $mangle_table->{POSTROUTING} , $chainref, 0, "-p tcp " . match_dest_dev( $interface );
-		add_jump $mangle_table->{OUTPUT},       $chainref, 0, "-p tcp " . match_dest_dev( $interface );
+		add_jump $mangle_table->{POSTROUTING} , $chainref, 0, "-p tcp -o $interface ";
+		add_jump $mangle_table->{OUTPUT},       $chainref, 0, "-p tcp -o $interface ";
 	    }
 
 	    for my $host ( @hosts ) {
@@ -322,7 +321,7 @@ sub process_routestopped() {
 
 	$seq++;
 
-	my $rule = do_proto( $proto, $ports, $sports, 0 );
+	my $rule = do_proto( $proto, $ports, $sports, 1 );
 
 	for my $host ( split /,/, $hosts ) {
 	    validate_host $host, 1;
@@ -342,11 +341,10 @@ sub process_routestopped() {
 			$routeback = 1;
 
 			for my $host ( split /,/, $hosts ) {
-			    add_rule( $chainref , 
-				      match_source_dev( $interface ) . 
-				      match_dest_dev( $interface ) .
-				      match_source_net( $host ) .
-				      match_dest_net( $host ) );
+			    my $source = match_source_net $host;
+			    my $dest   = match_dest_net   $host;
+
+			    add_rule $chainref , "-i $interface -o $interface $source $dest -j ACCEPT";
 			    clearrule;
 			}
 		    }
@@ -380,24 +378,24 @@ sub process_routestopped() {
 	my $desti   = match_dest_dev $interface;
 	my $rule    = shift @rule;
 
-	add_rule $filter_table->{INPUT},  "$sourcei $source $rule -j ACCEPT", 1;
-	add_rule $filter_table->{OUTPUT}, "$desti $dest $rule -j ACCEPT", 1 unless $config{ADMINISABSENTMINDED};
+	add_rule $filter_table->{INPUT},  "$sourcei $source $rule -j ACCEPT";
+	add_rule $filter_table->{OUTPUT}, "$desti $dest $rule -j ACCEPT" unless $config{ADMINISABSENTMINDED};
 
 	my $matched = 0;
 
 	if ( $source{$host} ) {
-	    add_rule $filter_table->{FORWARD}, "$sourcei $source $rule -j ACCEPT", 1;
+	    add_rule $filter_table->{FORWARD}, "$sourcei $source $rule -j ACCEPT";
 	    $matched = 1;
 	}
 
 	if ( $dest{$host} ) {
-	    add_rule $filter_table->{FORWARD}, "$desti $dest $rule -j ACCEPT", 1;
+	    add_rule $filter_table->{FORWARD}, "$desti $dest $rule -j ACCEPT";
 	    $matched = 1;
 	}
 
 	if ( $notrack{$host} ) {
-	    add_rule $raw_table->{PREROUTING}, "$sourcei $source $rule -j NOTRACK", 1;
-	    add_rule $raw_table->{OUTPUT},     "$desti $dest $rule -j NOTRACK", 1;
+	    add_rule $raw_table->{PREROUTING}, "$sourcei $source $rule -j NOTRACK";
+	    add_rule $raw_table->{OUTPUT},     "$desti $dest $rule -j NOTRACK";
 	}
 
 	unless ( $matched ) {
@@ -406,7 +404,7 @@ sub process_routestopped() {
 		    my ( $interface1, $h1 , $seq1 ) = split /\|/, $host1;
 		    my $dest1 = match_dest_net $h1;
 		    my $desti1 = match_dest_dev $interface1;
-		    add_rule $filter_table->{FORWARD}, "$sourcei $desti1 $source $dest1 $rule -j ACCEPT", 1;
+		    add_rule $filter_table->{FORWARD}, "$sourcei $desti1 $source $dest1 $rule -j ACCEPT";
 		    clearrule;
 		}
 	    }
@@ -552,11 +550,7 @@ sub add_common_rules() {
 		add_rule $filter_table->{$chain} , "-p udp --dport $ports -j ACCEPT";
 	    }
 
-	    add_rule( $filter_table->{forward_chain $interface} , 
-		      "-p udp " .
-		      match_dest_dev( $interface ) .
-		      "--dport $ports -j ACCEPT" )
-		if get_interface_option( $interface, 'bridge' );
+	    add_rule $filter_table->{forward_chain $interface} , "-p udp -o $interface --dport $ports -j ACCEPT" if get_interface_option( $interface, 'bridge' );
 	}
     }
 
@@ -640,10 +634,10 @@ sub add_common_rules() {
 		if ( interface_is_optional $interface ) {
 		    add_commands( $chainref,
 				  qq(if [ -n "\$${base}_IS_USABLE" -a -n "$variable" ]; then) ,
-				  qq(    echo -A $chainref->{name} ) . match_source_dev( $interface ) . qq(-s $variable -p udp -j ACCEPT >&3) ,
+				  qq(    echo -A $chainref->{name} -i $interface -s $variable -p udp -j ACCEPT >&3) ,
 				  qq(fi) );
 		} else {
-		    add_commands( $chainref, qq(echo -A $chainref->{name} ) . match_source_dev( $interface ) . qq(-s $variable -p udp -j ACCEPT >&3) );
+		    add_commands( $chainref, qq(echo -A $chainref->{name} -i $interface -s $variable -p udp -j ACCEPT >&3) );
 		}
 	    }
 	}
@@ -1132,7 +1126,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 	    }
 	}
 
-	$chain    = rules_chain( ${sourcezone}, ${destzone} );
+	$chain    = "${sourcezone}2${destzone}";
 	$chainref = ensure_chain 'filter', $chain;
 	$policy   = $chainref->{policy};
 
@@ -1329,7 +1323,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 		    # Static NAT is defined on this interface
 		    #
 		    $chn = new_chain( 'nat', newnonatchain ) unless $chn;
-		    add_jump $chn, $nat_table->{$ichain}, 0, @interfaces > 1 ? match_source_dev( $_ )  : '';
+		    add_jump $chn, $nat_table->{$ichain}, 0, @interfaces > 1 ? "-i $_ " : '';
 		}
 	    }
 
@@ -1380,7 +1374,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 	    #
 	    # And move the rules from the nonat chain to the zone dnat chain
 	    #
-	    move_rules ( $chn, $nonat_chain );
+	    add_rule( $nonat_chain, "-j $tgt" ) unless move_rules ( $chn, $nonat_chain );
 	}
     }
 
@@ -1619,7 +1613,7 @@ sub add_interface_jumps {
     # Loopback
     #
     my $fw = firewall_zone;
-    my $chainref = $filter_table->{rules_chain( ${fw}, ${fw} )};
+    my $chainref = $filter_table->{"${fw}2${fw}"};
 
     add_rule $filter_table->{OUTPUT} , "-o lo -j " . ($chainref->{referenced} ? "$chainref->{name}" : 'ACCEPT' );
     add_rule $filter_table->{INPUT} , '-i lo -j ACCEPT';
@@ -1643,7 +1637,7 @@ sub generate_matrix() {
     #
     sub rules_target( $$ ) {
 	my ( $zone, $zone1 ) = @_;
-	my $chain = rules_chain( ${zone}, ${zone1} );
+	my $chain = "${zone}2${zone1}";
 	my $chainref = $filter_table->{$chain};
 
 	return $chain   if $chainref && $chainref->{referenced};
@@ -1776,7 +1770,7 @@ sub generate_matrix() {
 
 	    if ( $parenthasnat || $parenthasnotrack ) {
 		for my $zone1 ( all_zones ) {
-		    if ( $filter_table->{rules_chain( ${zone}, ${zone1} )}->{policy} eq 'CONTINUE' ) {
+		    if ( $filter_table->{"${zone}2${zone1}"}->{policy} eq 'CONTINUE' ) {
 			#
 			# This zone has a continue policy to another zone. We must
 			# send packets from this zone through the parent's DNAT/REDIRECT/NOTRACK chain.
@@ -1908,9 +1902,9 @@ sub generate_matrix() {
 
 	    for my $zone1 ( @zones )  {
 		my $zone1ref = find_zone( $zone1 );
-		my $policy = $filter_table->{rules_chain( ${zone}, ${zone1} )}->{policy};
+		my $policy = $filter_table->{"${zone}2${zone1}"}->{policy};
 
-		next if $policy eq 'NONE';
+		next if $policy  eq 'NONE';
 
 		my $chain = rules_target $zone, $zone1;
 
@@ -1924,7 +1918,7 @@ sub generate_matrix() {
 		    next unless $zoneref->{bridge} eq $zone1ref->{bridge};
 		}
 
-		if ( $chain =~ /(2all|-all)$/ ) {
+		if ( $chain =~ /2all$/ ) {
 		    if ( $chain ne $last_chain ) {
 			$last_chain = $chain;
 			push @dest_zones, @temp_zones;
@@ -1957,8 +1951,9 @@ sub generate_matrix() {
 	#
 	for my $zone1 ( @dest_zones ) {
 	    my $zone1ref = find_zone( $zone1 );
+	    my $policy   = $filter_table->{"${zone}2${zone1}"}->{policy};
 
-	    next if $filter_table->{rules_chain( ${zone}, ${zone1} )}->{policy}  eq 'NONE';
+	    next if $policy  eq 'NONE';
 
 	    my $chain = rules_target $zone, $zone1;
 
@@ -1974,15 +1969,15 @@ sub generate_matrix() {
 		next unless $zoneref->{bridge} eq $zone1ref->{bridge};
 	    }
 
-	    my $chainref = $filter_table->{$chain}; #Will be null if $chain is a Netfilter Built-in target like ACCEPT
+	    my $chainref    = $filter_table->{$chain};
+
+	    my $dest_hosts_ref = $zone1ref->{hosts};
 
 	    if ( $frwd_ref ) {
-		#
-		# Simple case -- the source zone has it's own forwarding chain
-		#
-		for my $typeref ( values %{$zone1ref->{hosts}} ) {
+		for my $typeref ( values %$dest_hosts_ref ) {
 		    for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) {
-			for my $hostref ( @{$typeref->{$interface}} ) {
+			my $arrayref = $typeref->{$interface};
+			for my $hostref ( @$arrayref ) {
 			    next if $hostref->{options}{sourceonly};
 			    if ( $zone ne $zone1 || $num_ifaces > 1 || $hostref->{options}{routeback} ) {
 				my $ipsec_out_match = match_ipsec_out $zone1 , $hostref;
@@ -1994,35 +1989,26 @@ sub generate_matrix() {
 		    }
 		}
 	    } else {
-		#
-		# More compilcated case. If the interface is associated with a single simple zone, we try to combine the interface's forwarding chain with the rules chain
-		#
 		for my $typeref ( values %$source_hosts_ref ) {
 		    for my $interface ( keys %$typeref ) {
+			my $arrayref = $typeref->{$interface};
 			my $chain3ref;
 			my $match_source_dev = '';
-			my $forwardchainref = $filter_table->{forward_chain $interface};
 
-			if ( use_forward_chain $interface || ( @{$forwardchainref->{rules} } && ! $chainref ) ) {
-			    #
-			    # Either we must use the interface's forwarding chain or that chain has rules and we have nowhere to move them
-			    #
-			    $chain3ref = $forwardchainref;
+			if ( use_forward_chain $interface ) {
+			    $chain3ref = $filter_table->{forward_chain $interface};
 			    add_jump $filter_table->{FORWARD} , $chain3ref, 0 , match_source_dev( $interface ) unless $forward_jump_added{$interface}++;
 			} else {
-			    #
-			    # Don't use the interface's forward chain -- move any rules in that chain to this rules chain
-			    #
 			    $chain3ref  = $filter_table->{FORWARD};
 			    $match_source_dev = match_source_dev $interface;
-			    move_rules $forwardchainref, $chainref;
+			    move_rules $filter_table->{forward_chain $interface}, $chainref;
 			}
 
-			for my $hostref ( @{$typeref->{$interface}} ) {
+			for my $hostref ( @$arrayref ) {
 			    next if $hostref->{options}{destonly};
 			    my $excl3ref = source_exclusion( $hostref->{exclusions}, $chain3ref );
 			    for my $net ( @{$hostref->{hosts}} ) {
-				for my $type1ref ( values %{$zone1ref->{hosts}} ) {
+				for my $type1ref ( values %$dest_hosts_ref ) {
 				    for my $interface1 ( keys %$type1ref ) {
 					my $array1ref = $type1ref->{$interface1};
 					for my $host1ref ( @$array1ref ) {
@@ -2054,13 +2040,13 @@ sub generate_matrix() {
 		    }
 		}
 	    }
+	    #
+	    #                                      E N D   F O R W A R D I N G
+	    #
+	    # Now add an unconditional jump to the last unique policy-only chain determined above, if any
+	    #
+	    add_jump $frwd_ref , $last_chain, 1 if $last_chain;
 	}
-	#
-	#                                      E N D   F O R W A R D I N G
-	#
-	# Now add an unconditional jump to the last unique policy-only chain determined above, if any
-	#
-	add_jump $frwd_ref , $last_chain, 1 if $frwd_ref && $last_chain;
     }
 
     add_interface_jumps @interfaces unless $interface_jumps_added;
@@ -2130,12 +2116,10 @@ sub setup_mss( ) {
 	for ( @$interfaces ) {
 	    my $mss      = get_interface_option( $_, 'mss' );
 	    my $mssmatch = $capabilities{TCPMSS_MATCH} ? "-m tcpmss --mss $mss: " : '';
-	    my $source   = match_source_dev $_;
-	    my $dest     = match_dest_dev $_;
-	    add_rule $chainref, "${dest}-p tcp --tcp-flags SYN,RST SYN ${mssmatch}${out_match}-j TCPMSS --set-mss $mss";
-	    add_rule $chainref, "${dest}-j RETURN" if $clampmss;
-	    add_rule $chainref, "${source}-p tcp --tcp-flags SYN,RST SYN ${mssmatch}${in_match}-j TCPMSS --set-mss $mss";
-	    add_rule $chainref, "${source}-j RETURN" if $clampmss;
+	    add_rule $chainref, "-o $_ -p tcp --tcp-flags SYN,RST SYN ${mssmatch}${out_match}-j TCPMSS --set-mss $mss";
+	    add_rule $chainref, "-o $_ -j RETURN" if $clampmss;
+	    add_rule $chainref, "-i $_ -p tcp --tcp-flags SYN,RST SYN ${mssmatch}${in_match}-j TCPMSS --set-mss $mss";
+	    add_rule $chainref, "-i $_ -j RETURN" if $clampmss;
 	}
     }
 
@@ -2292,12 +2276,12 @@ EOF
 	my $ports = $family == F_IPV4 ? '67:68' : '546:547';
 
 	for my $interface ( @$interfaces ) {
-	    add_rule $input,  "-p udp " . match_source_dev( $interface ) . "--dport $ports -j ACCEPT";
-	    add_rule $output, "-p udp " . match_dest_dev( $interface )   . "--dport $ports -j ACCEPT" unless $config{ADMINISABSENTMINDED};
+	    add_rule $input,  "-p udp -i $interface --dport $ports -j ACCEPT";
+	    add_rule $output, "-p udp -o $interface --dport $ports -j ACCEPT" unless $config{ADMINISABSENTMINDED};
 	    #
 	    # This might be a bridge
 	    #
-	    add_rule $forward, "-p udp " . match_source_dev( $interface ) . match_dest_dev( $interface ) . "--dport $ports -j ACCEPT";
+	    add_rule $forward, "-p udp -i $interface -o $interface --dport $ports -j ACCEPT";
 	}
     }
 
@@ -2316,7 +2300,7 @@ EOF
 	}
     } else {
 	for my $interface ( all_bridges ) {
-	    emit "do_iptables -A FORWARD -p 58 " . match_source_dev( $interface ) . match_dest_dev( $interface ) . "-j ACCEPT";
+	    emit "do_iptables -A FORWARD -p 58 -i $interface -o $interface -j ACCEPT";
 	}
 
 	if ( $config{IP_FORWARDING} eq 'on' ) {

Shorewall/Perl/Shorewall/Tc.pm

@@ -40,7 +40,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_tc );
 our @EXPORT_OK = qw( process_tc_rule initialize );
-our $VERSION = '4.4_4';
+our $VERSION = '4.4_1';
 
 our %tcs = ( T => { chain  => 'tcpost',
 		    connmark => 0,
@@ -531,7 +531,6 @@ sub validate_tc_device( ) {
 			    qdisc         => $qdisc,
 			    guarantee     => 0,
 			    name          => $device,
-			    physical      => physical_name $device
 			  } ,
 
     push @tcdevices, $device;
@@ -648,11 +647,11 @@ sub validate_tc_class( ) {
 	if ( $devref->{classify} ) {
 	    warning_message "INTERFACE $device has the 'classify' option - MARK value ($mark) ignored";
 	} else {
+	    fatal_error "Invalid Mark ($mark)" unless $mark =~ /^([0-9]+|0x[0-9a-fA-F]+)$/ && numeric_value( $mark ) <= 0xff;
+
 	    $markval = numeric_value( $mark );
 	    fatal_error "Invalid MARK ($markval)" unless defined $markval;
 
-	    fatal_error "Invalid Mark ($mark)" unless $markval <= ( $config{WIDE_TC_MARKS} ? 0xffff : 0xff );
-
 	    if ( $classnumber ) {
 		fatal_error "Duplicate Class NUMBER ($classnumber)" if $tcref->{$classnumber};
 	    } else {
@@ -832,7 +831,7 @@ sub process_tc_filter( ) {
     fatal_error "Unknown CLASS ($devclass)"                  unless $tcref && $tcref->{occurs};
     fatal_error "Filters may not specify an occurring CLASS" if $tcref->{occurs} > 1;
 
-    my $rule = "filter add dev $devref->{physical} protocol ip parent $devnum:0 prio 10 u32";
+    my $rule = "filter add dev $device protocol ip parent $devnum:0 prio 10 u32";
 
     if ( $source ne '-' ) {
 	my ( $net , $mask ) = decompose_net( $source );
@@ -903,7 +902,7 @@ sub process_tc_filter( ) {
 	    $lasttnum = $tnum;
 	    $lastrule = $rule;
 
-	    emit( "\nrun_tc filter add dev $devref->{physical} parent $devnum:0 protocol ip prio 10 handle $tnum: u32 divisor 1" );
+	    emit( "\nrun_tc filter add dev $device parent $devnum:0 protocol ip prio 10 handle $tnum: u32 divisor 1" );
 	}
 	#
 	# And link to it using the current contents of $rule
@@ -913,7 +912,7 @@ sub process_tc_filter( ) {
 	#
 	# The rule to match the port(s) will be inserted into the new table
 	#
-	$rule     = "filter add dev $devref->{physical} protocol ip parent $devnum:0 prio 10 u32 ht $tnum:0";
+	$rule     = "filter add dev $device protocol ip parent $devnum:0 prio 10 u32 ht $tnum:0";
 
 	if ( $portlist eq '-' ) {
 	    fatal_error "Only TCP, UDP and SCTP may specify SOURCE PORT"
@@ -1040,15 +1039,12 @@ sub setup_traffic_shaping() {
     }
 
     for my $device ( @tcdevices ) {
+	my $dev     = chain_base( $device );
 	my $devref  = $tcdevices{$device};
 	my $defmark = in_hexp ( $devref->{default} || 0 );
 	my $devnum  = in_hexp $devref->{number};
 	my $r2q     = int calculate_r2q $devref->{out_bandwidth};
 
-	$device = physical_name $device;
-
-	my $dev = chain_base( $device );
-
 	emit "if interface_is_up $device; then";
 
 	push_indent;
@@ -1131,14 +1127,12 @@ sub setup_traffic_shaping() {
 	my $classid  = join( ':', in_hexp $devicenumber, $classnum);
 	my $rate     = "$tcref->{rate}kbit";
 	my $quantum  = calculate_quantum $rate, calculate_r2q( $devref->{out_bandwidth} );
-
-	$classids{$classid}=$device;
-	$device = physical_name $device;
-
 	my $dev      = chain_base $device;
 	my $priority = $tcref->{priority} << 8;
 	my $parent   = in_hexp $tcref->{parent};
 
+	$classids{$classid}=$device;
+
 	if ( $lastdevice ne $device ) {
 	    if ( $lastdevice ) {
 		pop_indent;
@@ -1226,7 +1220,7 @@ sub setup_tc() {
 	    $mark_part = $config{HIGH_ROUTE_MARKS} ? $config{WIDE_TC_MARKS} ? '-m mark --mark 0/0xFF0000' : '-m mark --mark 0/0xFF00' : '-m mark --mark 0/0xFF';
 
 	    for my $interface ( @routemarked_interfaces ) {
-		add_rule $mangle_table->{PREROUTING} , match_source_dev( $interface ) . "-j tcpre";
+		add_rule $mangle_table->{PREROUTING} , "-i $interface -j tcpre";
 	    }
 	}
 

Shorewall/Perl/Shorewall/Tunnels.pm

@@ -83,8 +83,8 @@ sub setup_tunnels() {
 	    for my $zone ( split_list $gatewayzones, 'zone' ) {
 		my $type = zone_type( $zone );
 		fatal_error "Invalid zone ($zone) for GATEWAY ZONE" if $type == FIREWALL || $type == BPORT;
-		$inchainref  = ensure_filter_chain rules_chain( ${zone}, ${fw} ), 1;
-		$outchainref = ensure_filter_chain rules_chain( ${fw}, ${zone} ), 1;
+		$inchainref  = ensure_filter_chain "${zone}2${fw}", 1;
+		$outchainref = ensure_filter_chain "${fw}2${zone}", 1;
 
 		unless ( $capabilities{POLICY_MATCH} ) {
 		    add_tunnel_rule $inchainref,  "-p 50 $source -j ACCEPT";
@@ -239,8 +239,8 @@ sub setup_tunnels() {
 
 	fatal_error "Invalid tunnel ZONE ($zone)" if $zonetype == FIREWALL || $zonetype == BPORT;
 
-	my $inchainref  = ensure_filter_chain rules_chain( ${zone}, ${fw} ), 1;
-	my $outchainref = ensure_filter_chain rules_chain( ${fw}, ${zone} ), 1;
+	my $inchainref  = ensure_filter_chain "${zone}2${fw}", 1;
+	my $outchainref = ensure_filter_chain "${fw}2${zone}", 1;
 
 	$gateway = ALLIP if $gateway eq '-';
 

Shorewall/Perl/Shorewall/Zones.pm

@@ -60,8 +60,6 @@ our @EXPORT = qw( NOTHING
 		  interface_number
 		  find_interface
 		  known_interface
-		  get_physical
-		  physical_name
 		  have_bridges
 		  port_to_bridge
 		  source_port_to_bridge
@@ -75,7 +73,7 @@ our @EXPORT = qw( NOTHING
 		 );
 
 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.4_4';
+our $VERSION = '4.4_1';
 
 #
 # IPSEC Option types
@@ -137,8 +135,7 @@ our %reservedName = ( all => 1,
 #
 #     %interfaces { <interface1> => { name        => <name of interface>
 #                                     root        => <name without trailing '+'>
-#                                     options     => { port => undef|1
-#                                                      <option1> = <val1> ,          #See %validinterfaceoptions
+#                                     options     => { <option1> = <val1> ,
 #                                                      ...
 #                                                    }
 #                                     zone        => <zone name>
@@ -146,7 +143,6 @@ our %reservedName = ( all => 1,
 #                                     bridge      => <bridge>
 #                                     broadcasts  => 'none', 'detect' or [ <addr1>, <addr2>, ... ]
 #                                     number      => <ordinal position in the interfaces file>
-#                                     physical    => <physical interface name>
 #                                   }
 #                 }
 #
@@ -154,7 +150,6 @@ our @interfaces;
 our %interfaces;
 our @bport_zones;
 our %ipsets;
-our %physical;
 our $family;
 
 use constant { FIREWALL => 1,
@@ -168,8 +163,6 @@ use constant { SIMPLE_IF_OPTION   => 1,
 	       NUMERIC_IF_OPTION  => 4,
 	       OBSOLETE_IF_OPTION => 5,
 	       IPLIST_IF_OPTION   => 6,
-	       STRING_IF_OPTION   => 7,
-
 	       MASK_IF_OPTION     => 7,
 
 	       IF_OPTION_ZONEONLY => 8,
@@ -200,7 +193,6 @@ sub initialize( $ ) {
     %interfaces = ();
     @bport_zones = ();
     %ipsets = ();
-    %physical = ();
 
     if ( $family == F_IPV4 ) {
 	%validinterfaceoptions = (arp_filter  => BINARY_IF_OPTION,
@@ -223,7 +215,6 @@ sub initialize( $ ) {
 				  upnp        => SIMPLE_IF_OPTION,
 				  upnpclient  => SIMPLE_IF_OPTION,
 				  mss         => NUMERIC_IF_OPTION,
-				  physical    => STRING_IF_OPTION + IF_OPTION_HOST,
 				 );
 	%validhostoptions = (
 			     blacklist => 1,
@@ -249,7 +240,6 @@ sub initialize( $ ) {
 				    tcpflags    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    mss         => NUMERIC_IF_OPTION,
 				    forward     => NUMERIC_IF_OPTION,
-				    physical    => STRING_IF_OPTION + IF_OPTION_HOST,
 				 );
 	%validhostoptions = (
 			     blacklist => 1,
@@ -506,19 +496,17 @@ sub zone_report()
 		my $interfaceref = $hostref->{$type};
 
 		for my $interface ( sort keys %$interfaceref ) {
-		    my $iref     = $interfaces{$interface};
 		    my $arrayref = $interfaceref->{$interface};
 		    for my $groupref ( @$arrayref ) {
 			my $hosts      = $groupref->{hosts};
+			my $exclusions = join ',', @{$groupref->{exclusions}};
 			if ( $hosts ) {
-			    my $grouplist  = join ',', ( @$hosts );
-			    my $exclusions = join ',', @{$groupref->{exclusions}};
+			    my $grouplist = join ',', ( @$hosts );
 			    $grouplist = join '!', ( $grouplist, $exclusions) if $exclusions;
-		
 			    if ( $family == F_IPV4 ) {
-				progress_message_nocompress "      $iref->{physical}:$grouplist";
+				progress_message_nocompress "      $interface:$grouplist";
 			    } else {
-				progress_message_nocompress "      $iref->{physical}:<$grouplist>";
+				progress_message_nocompress "      $interface:<$grouplist>";
 			    }
 			    $printed = 1;
 			}
@@ -536,9 +524,6 @@ sub zone_report()
     }
 }
 
-#
-# This function is called to create the contents of the ${VARDIR}/zones file
-#
 sub dump_zone_contents()
 {
     my @xlate;
@@ -565,21 +550,20 @@ sub dump_zone_contents()
 		my $interfaceref = $hostref->{$type};
 
 		for my $interface ( sort keys %$interfaceref ) {
-		    my $iref     = $interfaces{$interface};
 		    my $arrayref = $interfaceref->{$interface};
 		    for my $groupref ( @$arrayref ) {
 			my $hosts     = $groupref->{hosts};
+			my $exclusions = join ',', @{$groupref->{exclusions}};
 
 			if ( $hosts ) {
-			    my $grouplist  = join ',', ( @$hosts );
-			    my $exclusions = join ',', @{$groupref->{exclusions}};
+			    my $grouplist = join ',', ( @$hosts );
 
 			    $grouplist = join '!', ( $grouplist, $exclusions ) if $exclusions;
 
 			    if ( $family == F_IPV4 ) {
-				$entry .= " $iref->{physical}:$grouplist";
+				$entry .= " $interface:$grouplist";
 			    } else {
-				$entry .= " $iref->{physical}:<$grouplist>";
+				$entry .= " $interface:<$grouplist>";
 			    }
 			}
 		    }
@@ -724,8 +708,8 @@ sub firewall_zone() {
 #
 sub process_interface( $ ) {
     my $nextinum = $_[0];
-    my $netsref = '';
-    my ($zone, $originalinterface, $bcasts, $options ) = split_line 2, 4, 'interfaces file';
+    my $nets;
+    my ($zone, $originalinterface, $networks, $options ) = split_line 2, 4, 'interfaces file';
     my $zoneref;
     my $bridge = '';
 
@@ -738,21 +722,18 @@ sub process_interface( $ ) {
 	fatal_error "Firewall zone not allowed in ZONE column of interface record" if $zoneref->{type} == FIREWALL;
     }
 
-    $bcasts = '' if $bcasts eq '-';
+    $networks = '' if $networks eq '-';
     $options  = '' if $options  eq '-';
 
     my ($interface, $port, $extra) = split /:/ , $originalinterface, 3;
 
     fatal_error "Invalid INTERFACE ($originalinterface)" if ! $interface || defined $extra;
 
-    if ( defined $port && $port ne '' ) {
+    if ( defined $port ) {
 	fatal_error qq("Virtual" interfaces are not supported -- see http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html) if $port =~ /^\d+$/;
 	require_capability( 'PHYSDEV_MATCH', 'Bridge Ports', '');
 	fatal_error "Your iptables is not recent enough to support bridge ports" unless $capabilities{KLUDGEFREE};
-
-	fatal_error "Invalid Interface Name ($interface:$port)" unless $port =~ /^[\w.@%-]+\+?$/;
 	fatal_error "Duplicate Interface ($port)" if $interfaces{$port};
-
 	fatal_error "$interface is not a defined bridge" unless $interfaces{$interface} && $interfaces{$interface}{options}{bridge};
 	fatal_error "Bridge Ports may only be associated with 'bport' zones" if $zone && $zoneref->{type} != BPORT;
 
@@ -764,6 +745,10 @@ sub process_interface( $ ) {
 	    }
 	}
 
+	next if $port eq '';
+
+	fatal_error "Invalid Interface Name ($interface:$port)" unless $port =~ /^[\w.@%-]+\+?$/;
+
 	$bridge = $interface;
 	$interface = $port;
     } else {
@@ -782,11 +767,10 @@ sub process_interface( $ ) {
 	$root = $interface;
     }
 
-    my $physical = $interface;
     my $broadcasts;
 
-    unless ( $bcasts eq '' || $bcasts eq 'detect' ) {
-	my @broadcasts = split_list $bcasts, 'address';
+    unless ( $networks eq '' || $networks eq 'detect' ) {
+	my @broadcasts = split_list $networks, 'address';
 
 	for my $address ( @broadcasts ) {
 	    fatal_error 'Invalid BROADCAST address' unless $address =~ /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/;
@@ -830,12 +814,12 @@ sub process_interface( $ ) {
 		$hostoptions{$option} = 1 if $hostopt;
 	    } elsif ( $type == BINARY_IF_OPTION ) {
 		$value = 1 unless defined $value;
-		fatal_error "Option value for '$option' must be 0 or 1" unless ( $value eq '0' || $value eq '1' );
-		fatal_error "The '$option' option may not be used with a wild-card interface name" if $wildcard;
+		fatal_error "Option value for $option must be 0 or 1" unless ( $value eq '0' || $value eq '1' );
+		fatal_error "The $option option may not be used with a wild-card interface name" if $wildcard;
 		$options{$option} = $value;
 		$hostoptions{$option} = $value if $hostopt;
 	    } elsif ( $type == ENUM_IF_OPTION ) {
-		fatal_error "The '$option' option may not be used with a wild-card interface name" if $wildcard;
+		fatal_error "The $option option may not be used with a wild-card interface name" if $wildcard;
 		if ( $option eq 'arp_ignore' ) {
 		    if ( defined $value ) {
 			if ( $value =~ /^[1-3,8]$/ ) {
@@ -850,13 +834,15 @@ sub process_interface( $ ) {
 		    assert( 0 );
 		}
 	    } elsif ( $type == NUMERIC_IF_OPTION ) {
-		fatal_error "The '$option' option requires a value" unless defined $value;
+		fatal_error "The $option option requires a value" unless defined $value;
 		my $numval = numeric_value $value;
 		fatal_error "Invalid value ($value) for option $option" unless defined $numval;
 		$options{$option} = $numval;
 		$hostoptions{$option} = $numval if $hostopt;
 	    } elsif ( $type == IPLIST_IF_OPTION ) {
-		fatal_error "The '$option' option requires a value" unless defined $value;
+		fatal_error "The $option option requires a value" unless defined $value;
+		fatal_error q("nets=" may not be specified for a multi-zone interface) unless $zone;
+		fatal_error "Duplicate $option option" if $nets;
 		#
 		# Remove parentheses from address list if present
 		#
@@ -866,54 +852,27 @@ sub process_interface( $ ) {
 		#
 		$value = join ',' , ALLIP , $value if $value =~ /^!/;
 
-		if ( $option eq 'nets' ) {
-		    fatal_error q("nets=" may not be specified for a multi-zone interface) unless $zone;
-		    fatal_error "Duplicate $option option" if $netsref;
-		    if ( $value eq 'dynamic' ) {
-			require_capability( 'IPSET_MATCH', 'Dynamic nets', '');
-			$hostoptions{dynamic} = 1;
-			#
-			# Defer remaining processing until we have the final physical interface name
-			#
-			$netsref = 'dynamic';
-		    } else {
-			$hostoptions{multicast} = 1;
-			#
-			# Convert into a Perl array reference
-			#
-			$netsref = [ split_list $value, 'address' ];
-		    }
-		    #
-		    # Assume 'broadcast'
-		    #
-		    $hostoptions{broadcast} = 1;
+		if ( $value eq 'dynamic' ) {
+		    require_capability( 'IPSET_MATCH', 'Dynamic nets', '');
+		    $value = "+${zone}_${interface}";
+		    $hostoptions{dynamic} = 1;
+		    $ipsets{"${zone}_${interface}"} = 1;
 		} else {
-		    assert(0);
-		}
-	    } elsif ( $type == STRING_IF_OPTION ) {
-		fatal_error "The '$option' option requires a value" unless defined $value;
-
-		if ( $option eq 'physical' ) {
-		    fatal_error "Invalid Physical interface name ($value)" unless $value =~ /^[\w.@%-]+\+?$/;
-
-		    fatal_error "Duplicate physical interface name ($value)" if ( $physical{$value} && ! $port );
-
-		    fatal_error "The type of 'physical' name ($value) doesn't match the type of interface name ($interface)" if $wildcard && ! $value =~ /\+$/;
-		    $physical = $value;
-		} else {
-		    assert(0);
+		    $hostoptions{multicast} = 1;
 		}
+		#
+		# Convert into a Perl array reference
+		#
+		$nets = [ split_list $value, 'address' ];
+		#
+		# Assume 'broadcast'
+		#
+		$hostoptions{broadcast} = 1;
 	    } else {
 		warning_message "Support for the $option interface option has been removed from Shorewall";
 	    }
 	}
 
-	if ( $netsref eq 'dynamic' ) {
-	    my $ipset = "${zone}_" . chain_base $physical;
-	    $netsref = [ "+$ipset" ];
-	    $ipsets{$ipset} = 1;
-	}
-
 	$zoneref->{options}{in_out}{routeback} = 1 if $zoneref && $options{routeback};
 
 	if ( $options{bridge} ) {
@@ -925,20 +884,19 @@ sub process_interface( $ ) {
 
     }
 
-    $physical{$physical} = $interfaces{$interface} = { name       => $interface ,
-						       bridge     => $bridge ,
-						       nets       => 0 ,
-						       number     => $nextinum ,
-						       root       => $root ,
-						       broadcasts => $broadcasts ,
-						       options    => \%options ,
-						       zone       => '',
-						       physical   => $physical
-						     };
+    $interfaces{$interface} = { name       => $interface ,
+				bridge     => $bridge ,
+				nets       => 0 ,
+				number     => $nextinum ,
+				root       => $root ,
+				broadcasts => $broadcasts ,
+				options    => \%options ,
+			        zone       => ''
+			      };
 
     if ( $zone ) {
-	$netsref ||= [ allip ];
-	add_group_to_zone( $zone, $zoneref->{type}, $interface, $netsref, $hostoptionsref );
+	$nets ||= [ allip ];
+	add_group_to_zone( $zone, $zoneref->{type}, $interface, $nets, $hostoptionsref );
 	add_group_to_zone( $zone, 
 			   $zoneref->{type}, 
 			   $interface, 
@@ -991,20 +949,6 @@ sub validate_interfaces_file( $ ) {
     fatal_error "No network interfaces defined" unless @interfaces;
 }
 
-#
-# Map the passed name to the corresponding physical name in the passed interface
-#
-sub map_physical( $$ ) {
-    my ( $name, $interfaceref ) = @_;
-    my $physical = $interfaceref->{physical};
-    
-    return $physical if $name eq $interfaceref->{name};
-
-    $physical =~ s/\+$//;
-
-    $physical . substr( $name, length  $interfaceref->{root} );
-}  
-
 #
 # Returns true if passed interface matches an entry in /etc/shorewall/interfaces
 #
@@ -1019,17 +963,13 @@ sub known_interface($)
 
     for my $i ( @interfaces ) {
 	$interfaceref = $interfaces{$i};
-	my $root = $interfaceref->{root};
-	if ( $i ne $root && substr( $interface, 0, length $root ) eq $root ) {
+	my $val = $interfaceref->{root};
+	next if $val eq $i;
+	if ( substr( $interface, 0, length $val ) eq $val ) {
 	    #
-	    # Cache this result for future reference. We set the 'name' to the name of the entry that appears in /etc/shorewall/interfaces and we do not set the root;
+	    # Cache this result for future reference. We set the 'name' to the name of the entry that appears in /etc/shorewall/interfaces.
 	    #
-	    return $interfaces{$interface} = { options  => $interfaceref->{options}, 
-					       bridge   => $interfaceref->{bridge} , 
-					       name     => $i , 
-					       number   => $interfaceref->{number} ,
-					       physical => map_physical( $interface, $interfaceref )
-					     };
+	    return $interfaces{$interface} = { options => $interfaceref->{options}, bridge => $interfaceref->{bridge} , name => $i , number => $interfaceref->{number} };
 	}
     }
 
@@ -1069,23 +1009,6 @@ sub find_interface( $ ) {
     $interfaceref;
 }
 
-#
-# Returns the physical interface associated with the passed logical name
-#
-sub get_physical( $ ) {
-    $interfaces{ $_[0] }->{physical};
-}
-
-#
-# This one doesn't insist that the passed name be the name of a configured interface
-#
-sub physical_name( $ ) {
-    my $device = shift;
-    my $devref = known_interface $device;
-
-    $devref ? $devref->{physical} : $device;
-}
-
 #
 # Returns true if there are bridge port zones defined in the config
 #
@@ -1126,11 +1049,7 @@ sub find_interfaces_by_option( $ ) {
     my @ints = ();
 
     for my $interface ( @interfaces ) {
-	my $interfaceref = $interfaces{$interface};
-	
-	next unless $interfaceref->{root};
-
-	my $optionsref = $interfaceref->{options};
+	my $optionsref = $interfaces{$interface}{options};
 	if ( $optionsref && defined $optionsref->{$option} ) {
 	    push @ints , $interface
 	}
@@ -1241,10 +1160,9 @@ sub process_host( ) {
 
     if ( $hosts eq 'dynamic' ) {
 	require_capability( 'IPSET_MATCH', 'Dynamic nets', '');
-	my $physical = physical_name $interface;
-	$hosts = "+${zone}_${physical}";
+	$hosts = "+${zone}_${interface}";
 	$optionsref->{dynamic} = 1;
-	$ipsets{"${zone}_${physical}"} = 1;
+	$ipsets{"${zone}_${interface}"} = 1;
 
     }
 

Shorewall/Perl/prog.footer

@@ -27,8 +27,6 @@ fi
 initialize
 
 if [ -n "$STARTUP_LOG" ]; then
-    touch $STARTUP_LOG
-    chmod 0600 $STARTUP_LOG
     if [ ${SHOREWALL_INIT_SCRIPT:-0} -eq 1 ]; then
 	#
 	# We're being run by a startup script that isn't redirecting STDOUT

Shorewall/Perl/prog.footer6

@@ -27,8 +27,6 @@ fi
 initialize
 
 if [ -n "$STARTUP_LOG" ]; then
-    touch $STARTUP_LOG
-    chmod 0600 $STARTUP_LOG
     if [ ${SHOREWALL_INIT_SCRIPT:-0} -eq 1 ]; then
 	#
 	# We're being run by a startup script that isn't redirecting STDOUT

Shorewall/changelog.txt

@@ -1,37 +1,6 @@
-Changes in Shorewall 4.4.4.1
+Changes in Shorewall 4.4.3.1
 
-1)  Fix 15-port change.
-
-2)  Fix handling of interfaces with the 'bridge' option.
-
-Changes in Shorewall 4.4.4
-
-1)  Change STARTUP_LOG and LOG_VERBOSITY in default shorewall6.conf.
-
-2)  Fix access to uninitialized variable.
-
-3)  Add logrotate scripts.
-
-4)  Allow long port lists in /etc/shorewall/routestopped.
-
-5)  Implement 'physical' interface option.
-
-6)  Implement ZONE2ZONE option.
-
-7)  Suppress duplicate COMMENT warnings.
-
-8)  Implement 'show policies' command.
-
-9)  Fix route_rule suppression for down provider.
-
-10) Suppress redundant tests for provider availability in route rules
-    processing.
-
-11) Implement the '-l' option to the 'show' command.
-
-12) Fix class number assignment when WIDE_TC_MARKS=Yes
-
-13) Allow wide marks in tcclasses when WIDE_TC_MARKS=Yes
+1)  Fix COPY handling in shared-provider case.
 
 Changes in Shorewall 4.4.3
 

Shorewall/configfiles/shorewall.conf

@@ -191,8 +191,6 @@ WIDE_TC_MARKS=No
 
 TRACK_PROVIDERS=No
 
-ZONE2ZONE=2
-
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Shorewall/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.4.1
+VERSION=4.4.3.1
 
 usage() # $1 = exit status
 {
@@ -242,12 +242,6 @@ mkdir -p ${PREFIX}/var/lib/shorewall
 chmod 755 ${PREFIX}/etc/shorewall
 chmod 755 ${PREFIX}/usr/share/shorewall
 chmod 755 ${PREFIX}/usr/share/shorewall/configfiles
-
-if [ -n "$PREFIX" ]; then
-    mkdir -p ${PREFIX}/etc/logrotate.d
-    chmod 755 ${PREFIX}/etc/logrotate.d
-fi
-    
 #
 # Install the config file
 #
@@ -798,11 +792,6 @@ cd ..
 
 echo "Man Pages Installed"
 
-if [ -d ${PREFIX}/etc/logrotate.d ]; then
-    run_install $OWNERSHIP -m 0644 logrotate ${PREFIX}/etc/logrotate.d/shorewall
-    echo "Logrotate file installed as ${PREFIX}/etc/logrotate.d/shorewall"
-fi
-
 if [ -z "$PREFIX" ]; then
     rm -rf /usr/share/shorewall-perl
     rm -rf /usr/share/shorewall-shell

Shorewall/known_problems.txt

@@ -1,13 +1,41 @@
-1)  The change which removed the 15 port limitation on
-    /etc/shorewall/routestopped was incomplete. The result is that if
-    more than 15 ports are listed, an error is generated.
+1)  In some simple one-interface configurations, the following Perl
+    run-time error messages is issued:
 
-    This problem is corrected in Shorewall 4.4.4.1.
+      Generating Rule Matrix...
+      Use of uninitialized value in concatenation (.) or string at
+      /usr/share/shorewall/Shorewall/Chains.pm line 649.
+      Use of uninitialized value in concatenation (.) or string at
+      /usr/share/shorewall/Shorewall/Chains.pm line 649.
+      Creating iptables-restore input...
 
-2)  If any interfaces have the 'bridge' option specified, compilation
-    fails with the error:
+    The messages are harmless and can be ignored.
 
-    Undefined subroutine &Shorewall::Rules::match_source_interface called 
-    at /usr/share/shorewall/Shorewall/Rules.pm line 2319.
+2)  The Shorewall operations log (specified by STARTUP_LOG) is not
+    secured 0600.
+
+    To work around the this issue, simply use chmod to change the
+    file's permissions.
+
+3)  The compiler generates an incorrect test for interface
+    availability in the generated code for adding route rules. The
+    result is that the rules are always added, regardless of the
+    state of the provider's interface.
+
+    Will be corrected in Shorewall 4.4.4.
+
+4)  When TC_WIDE_MARKS=Yes and class numbers are not explicitly
+    specified in /etc/shorewall/tcclasses, duplicate class numbers
+    result. A typical error message is:
+
+    	    ERROR: Command "tc class add dev eth3 parent 1:1 classid
+    	    1:1 htb rate 1024kbit ceil 100000kbit prio 1 quantum 1500"
+    	    Failed
+
+    Note that the class ID of the class being added is a duplicate of
+    the parent's class ID.
+
+    You can work around this problem by explicitly specifying class
+    numbers in the INTERFACE column (e.g., 'eth0:2' or '1:2').
+
+    Will be corrected in Shorewall 4.4.4.
 
-    This problem is corrected in Shorewall 4.4.4.1.

Shorewall/lib.cli

@@ -430,10 +430,6 @@ show_command() {
 			    option=
 			    shift
 			    ;;
-			l*)
-			    IPT_OPTIONS1="--line-numbers"
-			    option=${option#l}
-			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -447,8 +443,6 @@ show_command() {
 	esac
     done
 
-    IPT_OPTIONS="$IPT_OPTIONS $IPT_OPTIONS1"
-
     [ -n "$debugging" ] && set -x
     case "$1" in
 	connections)
@@ -566,12 +560,6 @@ show_command() {
 	vardir)
 	    echo $VARDIR;
 	    ;;
-	policies)
-	    [ $# -gt 1 ] && usage 1
-	    echo "$PRODUCT $version Policies at $HOSTNAME - $(date)"
-	    echo
-	    [ -f ${VARDIR}/policies ] && cat ${VARDIR}/policies;
-	    ;;
 	*)
 	    if [ "$PRODUCT" = Shorewall ]; then
 		case $1 in
@@ -685,10 +673,6 @@ dump_command() {
 			    SHOWMACS=Yes
 			    option=${option#m}
 			    ;;
-			l*)
-			    IPT_OPTIONS1="--line-numbers"
-			    option=${option#l}
-			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -702,8 +686,6 @@ dump_command() {
 	esac
     done
 
-    IPT_OPTIONS="$IPT_OPTIONS $IPT_OPTIONS1"
-
     [ $VERBOSE -lt 2 ] && VERBOSE=2
 
     [ -n "$debugging" ] && set -x

Shorewall/logrotate

@@ -1,5 +0,0 @@
-/var/log/shorewall-init.log {
-  missingok
-  notifempty
-  create 0600 root root
-}

Shorewall/releasenotes.txt

@@ -1,4 +1,4 @@
-Shorewall 4.4.4 Patch Release 1
+Shorewall 4.4.3 Patch release 1.
 
 ----------------------------------------------------------------------------
                R E L E A S E  4 . 4  H I G H L I G H T S
@@ -174,43 +174,16 @@ Shorewall 4.4.4 Patch Release 1
     'notrack' for the provider.
 
 ----------------------------------------------------------------------------
-        P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 4 . 1
+        P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 3 . 1
 ----------------------------------------------------------------------------
 
-1)  The change which removed the 15 port limitation on
-    /etc/shorewall/routestopped was incomplete. The result was that if
-    more than 15 ports are listed, an error was generated.
-
-2)  If any interfaces have the 'bridge' option specified, compilation
-    fails with the error:
-
-    Undefined subroutine &Shorewall::Rules::match_source_interface called 
-    at /usr/share/shorewall/Shorewall/Rules.pm line 2319.
-
-----------------------------------------------------------------------------
-          P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 4
-----------------------------------------------------------------------------
-
-1)  In some simple one-interface configurations, the following Perl
-    run-time error messages were issued:
-
-      Generating Rule Matrix...
-      Use of uninitialized value in concatenation (.) or string at
-      /usr/share/shorewall/Shorewall/Chains.pm line 649.
-      Use of uninitialized value in concatenation (.) or string at
-      /usr/share/shorewall/Shorewall/Chains.pm line 649.
-      Creating iptables-restore input...
-
-2)  The Shorewall operations log (specified by STARTUP_LOG) is now
-    secured 0600.
-
-3)  Previously, the compiler generated an incorrect test for interface
+1)  Previously, the compiler generated an incorrect test for interface
     availability in the generated code for adding route rules. The
     result was that the rules were always added, regardless of the
     state of the provider's interface. Now, the rules are only added
     when the interface is available.
 
-4)  When TC_WIDE_MARKS=Yes and class numbers are not explicitly
+2)  When TC_WIDE_MARKS=Yes and class numbers are not explicitly
     specified in /etc/shorewall/tcclasses, duplicate class numbers
     result. A typical error message is:
 
@@ -221,8 +194,42 @@ Shorewall 4.4.4 Patch Release 1
     Note that the class ID of the class being added is a duplicate of
     the parent's class ID.
 
-    Also, when TC_WIDE_MARKS=Yes, values > 255 in the MARK column of
-    /etc/shorewall/tcclasses were rejected.
+----------------------------------------------------------------------------
+          P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 3
+----------------------------------------------------------------------------
+
+1.  Previously, if 'routeback' was specified in /etc/shorewall/routestopped:
+
+    a) 'shorewall check' produced an internal error
+    b) The 'routeback' option didn't work
+
+2)  If an alias IP address was added and RETAIN_ALIASES=No in
+    shorewall.conf, then a compiler internal error resulted.
+
+3)  Previously, the generated script would try to detect the values
+    for all run-time variables (such as IP addresses), regardless of
+    what command was being executed. Now, this information is only
+    detected when it is needed.
+
+4)  Nested zones where the parent zone was defined by a wildcard
+    interface (name ends with +) in /etc/shorewall/interfaces did
+    not work correctly in some cases.
+
+5)  IPv4 addresses embedded in IPv6 (e.g., ::192.168.1.5) were
+    incorrectly reported as invalid.
+
+6)  Under certain circumstances, optional providers were not detected
+    as being usable.
+
+    Additionally, the messages issued when an optional provider was not
+    usable were confusing; the message intended to be issued when the
+    provider shared an interface ("WARNING: Gateway <gateway> is not
+    reachable -- Provider <name> (<number>) not Added") was being
+    issued when the provider did not share an interface. Similarly, the
+    message intended to be issued when the provider did not share an
+    interface ("WARNING: Interface <interface> is not usable --
+    Provider <name> (<number>) not Added") was being issued when the
+    provider did share an interface.
 
 ----------------------------------------------------------------------------
              K N O W N   P R O B L E M S   R E M A I N I N G
@@ -231,103 +238,37 @@ Shorewall 4.4.4 Patch Release 1
 None.
 
 ----------------------------------------------------------------------------
-                N E W   F E A T U R E S   I N   4 . 4 . 4
+                N E W   F E A T U R E S   I N   4 . 4 . 3
 ----------------------------------------------------------------------------
 
-1)  The Shorewall packages now include a logrotate configuration file.
+1)  On Debian systems, a default installation will now set
+    INITLOG=/dev/null in /etc/default/shorewall. In all configurations,
+    the default values for the log variables are changed to:
 
-2)  The limit of 15 entries in a port list has been relaxed in
-    /etc/shorewall/routestopped.
+    	STARTUP_LOG=/var/log/shorewall-init.log
+	LOG_VERBOSITY=2
 
-3)  The following seemingly valid configuration produces a fatal
-    error reporting "Duplicate interface name (p+)"
+    The effect is much the same as the old defaults, with the exception 
+    that:
 
-    /etc/shorewall/zones:
+	a) Start, stop, etc. commands issued through /sbin/shorewall
+	   will be logged.
+	b) Logging will occur at maximum verbosity.
+	c) Log entries will be date/time stamped.
 
-       #ZONE		TYPE	
-       fw		firewall
-       world		ipv4
-       z1:world		bport4
-       z2:world		bport4
+    On non-Debian systems, new installs will now log all Shorewall 
+    commands to /var/log/shorewall-init.log.
 
-    /etc/shorewall/interfaces:
+2)  A new TRACK_PROVIDERS option has been added in shorewall.conf.
+    The value of this option becomes the default for the 'track'
+    provider option in /etc/shorewall/providers.
 
-       #ZONE		INTERFACE	BROADCAST	OPTIONS
-       world		br0		-		bridge
-       world		br1		-		bridge
-       z1		br0:p+
-       z2		br1:p+
-
-    This error occurs because the Shorewall implementation requires
-    that each bridge port must have a unique name.
-
-    To work around this problem, a new 'physical' interface option has
-    been created. The above configuration may be defined using the
-    following in /etc/shorewall/interfaces:
-
-       #ZONE		INTERFACE	BROADCAST	OPTIONS
-       world		br0		-		bridge
-       world		br1		-		bridge
-       z1		br0:x+		-		physical=p+
-       z2		br1:y+		-		physical=p+
-
-    In this configuration, 'x+' is the logical name for ports p+ on
-    bridge br0 while 'y+' is the logical name for ports p+ on bridge
-    br1.
-
-    If you need to refer to a particular port on br1 (for example
-    p1023), you write it as y1023; Shorewall will translate that name
-    to p1023 when needed.
-
-    It is allowed to have a physical name ending in '+' with a logical
-    name that does not end with '+'. The reverse is not allowed; if the
-    logical name ends in '+' then the physical name must also end in
-    '+'.
-
-    This feature is not restricted to bridge ports. Beginning with this
-    release, the interface name in the INTERFACE column can be
-    considered a logical name for the interface, and the actual
-    interface name is specified using the 'physical' option. If no
-    'physical' option is present, then the physical name is assumed to
-    be the same as the logical name. As before, the logical interface
-    name is used throughout the rest of the configuration to refer to
-    the interface.
-
-4)  Previously, Shorewall has used the character '2' to form the name
-    of chains involving zones and/or the word 'all' (e.g., fw2net,
-    all2all). When zones names are given numeric suffixes, these
-    generated names are hard to read (e.g., foo1232bar). To make these
-    names clearer, a ZONE2ZONE option has been added.
-
-    ZONE2ZONE has a default value of "2" but can also be given the
-    value "-" (e.g., ZONE2ZONE="-") which causes Shorewall to separate
-    the two parts of the name with a hyphen (e.g., foo123-bar).
-
-5)  Only one instance of the following warning is now generated;
-    previously, one instance of a similar warning was generated for
-    each COMMENT encountered.
-
-	COMMENTs ignored -- require comment support in iptables/Netfilter
-
-6)  The shorewall and shorewall6 utilities now support a 'show
-    policies' command. Once Shorewall or Shorewall6 has been restarted
-    using a script generated by this version, the 'show policies'
-    command will list each pair of zones and give the applicable
-    policy. If the policy is enforced in a chain, the name of the chain
-    is given.
-
-    Example:
-
-	net 	=>	loc	DROP using chain net2all
-
-    Note that implicit intrazone ACCEPT policies are not displayed for
-    zones associated with a single network where that network
-    doesn't specify 'routeback'.
-
-7)  The 'show' and 'dump' commands now support an '-l' option which
-    causes chain displays to include the rule number of each rule.
-
-    (Type 'iptables -h' and look for '--line-number')
+3)  A new 'limit' option has been added to
+    /etc/shorewall/tcclasses. This option specifies the number of
+    packets that are allowed to be queued within the class. Packets
+    exceeding this limit are dropped. The default value is 127 which is
+    the value that earlier versions of Shorewall used.  The option is
+    ignored with a warning if the 'pfifo' option has been specified.
 
 ----------------------------------------------------------------------------
                 N E W   F E A T U R E S   I N   4 . 4 . 0
@@ -339,7 +280,7 @@ None.
     The new packages are:
 
     - Shorewall.   Includes the former Shorewall-common and
-                   Shorewall-perl packages. Includes everything needed
+                   Shorewall-perl packages. Has everything needed
                    to create an IPv4 firewall.
 
 		   Shorewall-shell is no longer available.
@@ -1159,73 +1100,3 @@ None.
 
     As usual, the variable $chainref will contain a reference to the
     chain's table entry.
-
-----------------------------------------------------------------------------
-          P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 3
-----------------------------------------------------------------------------
-
-1.  Previously, if 'routeback' was specified in /etc/shorewall/routestopped:
-
-    a) 'shorewall check' produced an internal error
-    b) The 'routeback' option didn't work
-
-2)  If an alias IP address was added and RETAIN_ALIASES=No in
-    shorewall.conf, then a compiler internal error resulted.
-
-3)  Previously, the generated script would try to detect the values
-    for all run-time variables (such as IP addresses), regardless of
-    what command was being executed. Now, this information is only
-    detected when it is needed.
-
-4)  Nested zones where the parent zone was defined by a wildcard
-    interface (name ends with +) in /etc/shorewall/interfaces did
-    not work correctly in some cases.
-
-5)  IPv4 addresses embedded in IPv6 (e.g., ::192.168.1.5) were
-    incorrectly reported as invalid.
-
-6)  Under certain circumstances, optional providers were not detected
-    as being usable.
-
-    Additionally, the messages issued when an optional provider was not
-    usable were confusing; the message intended to be issued when the
-    provider shared an interface ("WARNING: Gateway <gateway> is not
-    reachable -- Provider <name> (<number>) not Added") was being
-    issued when the provider did not share an interface. Similarly, the
-    message intended to be issued when the provider did not share an
-    interface ("WARNING: Interface <interface> is not usable --
-    Provider <name> (<number>) not Added") was being issued when the
-    provider did share an interface.
-
-----------------------------------------------------------------------------
-                N E W   F E A T U R E S   I N   4 . 4 . 3
-----------------------------------------------------------------------------
-
-1)  On Debian systems, a default installation will now set
-    INITLOG=/dev/null in /etc/default/shorewall. In all configurations,
-    the default values for the log variables are changed to:
-
-    	STARTUP_LOG=/var/log/shorewall-init.log
-	LOG_VERBOSITY=2
-
-    The effect is much the same as the old defaults, with the exception 
-    that:
-
-	a) Start, stop, etc. commands issued through /sbin/shorewall
-	   will be logged.
-	b) Logging will occur at maximum verbosity.
-	c) Log entries will be date/time stamped.
-
-    On non-Debian systems, new installs will now log all Shorewall 
-    commands to /var/log/shorewall-init.log.
-
-2)  A new TRACK_PROVIDERS option has been added in shorewall.conf.
-    The value of this option becomes the default for the 'track'
-    provider option in /etc/shorewall/providers.
-
-3)  A new 'limit' option has been added to
-    /etc/shorewall/tcclasses. This option specifies the number of
-    packets that are allowed to be queued within the class. Packets
-    exceeding this limit are dropped. The default value is 127 which is
-    the value that earlier versions of Shorewall used.  The option is
-    ignored with a warning if the 'pfifo' option has been specified.

Shorewall/shorewall

@@ -1387,7 +1387,6 @@ usage() # $1 = exit status
     echo "   show [ -m ] log"
     echo "   show macros"
     echo "   show [ -x ] mangle|nat|raw|routing"
-    echo "   show policies"
     echo "   show tc"
     echo "   show vardir"
     echo "   show zones"

Shorewall/shorewall.spec

@@ -1,5 +1,5 @@
 %define name shorewall
-%define version 4.4.4
+%define version 4.4.3
 %define release 1
 
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@@ -77,8 +77,6 @@ fi
 %attr(0644,root,root) %config(noreplace) /etc/shorewall/*
 %attr(0600,root,root) /etc/shorewall/Makefile
 
-%attr(0644,root,root) /etc/logrotate.d/shorewall
-
 %attr(0755,root,root) /sbin/shorewall
 
 %attr(0644,root,root) /usr/share/shorewall/version
@@ -106,15 +104,9 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples 
 
 %changelog
-* Sat Nov 21 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.4-1
-* Fri Nov 13 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.4-0base
-* Fri Nov 13 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.4-0Beta2
-* Wed Nov 11 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.4-0Beta1
-* Tue Nov 03 2009 Tom Eastep tom@shorewall.net
+* Sun Nov 01 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.3-1
+* Fri Oct 02 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.3-0base
 * Sun Sep 06 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.2-0base

Shorewall/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.4.1
+VERSION=4.4.3.1
 
 usage() # $1 = exit status
 {

Shorewall6-lite/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=4.4.4.1
+VERSION=4.4.3.1
 
 usage() # $1 = exit status
 {

Shorewall6-lite/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.4.1
+VERSION=4.4.3.1
 
 usage() # $1 = exit status
 {
@@ -219,11 +219,6 @@ mkdir -p ${PREFIX}/var/lib/shorewall6-lite
 chmod 755 ${PREFIX}/etc/shorewall6-lite
 chmod 755 ${PREFIX}/usr/share/shorewall6-lite
 
-if [ -n "$PREFIX" ]; then
-    mkdir -p ${PREFIX}/etc/logrotate.d
-    chmod 755 ${PREFIX}/etc/logrotate.d
-fi
-
 #
 # Install the config file
 #
@@ -308,11 +303,6 @@ cd ..
 
 echo "Man Pages Installed"
 
-if [ -d ${PREFIX}/etc/logrotate.d ]; then
-    run_install $OWNERSHIP -m 0644 logrotate ${PREFIX}/etc/logrotate.d/shorewall6-lite
-    echo "Logrotate file installed as ${PREFIX}/etc/logrotate.d/shorewall6-lite"
-fi
-
 #
 # Create the version file
 #

Shorewall6-lite/logrotate

@@ -1,5 +0,0 @@
-/var/log/shorewall6-init.log {
-  missingok
-  notifempty
-  create 0600 root root
-}

Shorewall6-lite/shorewall6-lite.spec

@@ -1,5 +1,5 @@
 %define name shorewall6-lite
-%define version 4.4.4
+%define version 4.4.3
 %define release 1
 
 Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
@@ -70,8 +70,6 @@ fi
 %attr(0755,root,root) %dir /usr/share/shorewall6-lite
 %attr(0700,root,root) %dir /var/lib/shorewall6-lite
 
-%attr(0644,root,root) /etc/logrotate.d/shorewall6-lite
-
 %attr(0755,root,root) /sbin/shorewall6-lite
 
 %attr(0644,root,root) /usr/share/shorewall6-lite/version
@@ -91,15 +89,9 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
-* Sat Nov 21 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.4-1
-* Fri Nov 13 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.4-0base
-* Fri Nov 13 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.4-0Beta2
-* Wed Nov 11 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.4-0Beta1
-* Tue Nov 03 2009 Tom Eastep tom@shorewall.net
+* Sun Nov 01 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.3-1
+* Fri Oct 02 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.3-0base
 * Sun Sep 06 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.2-0base

Shorewall6-lite/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.4.1
+VERSION=4.4.3.1
 
 usage() # $1 = exit status
 {

Shorewall6/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=4.4.4.1
+VERSION=4.4.3.1
 
 usage() # $1 = exit status
 {

Shorewall6/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.4.1
+VERSION=4.4.3.1
 
 usage() # $1 = exit status
 {
@@ -234,12 +234,6 @@ mkdir -p ${PREFIX}/var/lib/shorewall6
 chmod 755 ${PREFIX}/etc/shorewall6
 chmod 755 ${PREFIX}/usr/share/shorewall6
 chmod 755 ${PREFIX}/usr/share/shorewall6/configfiles
-
-if [ -n "$PREFIX" ]; then
-    mkdir -p ${PREFIX}/etc/logrotate.d
-    chmod 755 ${PREFIX}/etc/logrotate.d
-fi
-
 #
 # Install the config file
 #
@@ -648,11 +642,6 @@ cd ..
 
 echo "Man Pages Installed"
 
-if [ -d ${PREFIX}/etc/logrotate.d ]; then
-    run_install $OWNERSHIP -m 0644 logrotate ${PREFIX}/etc/logrotate.d/shorewall6
-    echo "Logrotate file installed as ${PREFIX}/etc/logrotate.d/shorewall6"
-fi
-
 if [ -z "$PREFIX" -a -n "$first_install" -a -z "$CYGWIN" ]; then
     if [ -n "$DEBIAN" ]; then
 	run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall6

Shorewall6/lib.cli

@@ -383,10 +383,6 @@ show_command() {
 			    option=
 			    shift
 			    ;;
-			l*)
-			    IPT_OPTIONS1="--line-numbers"
-			    option=${option#l}
-			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -400,8 +396,6 @@ show_command() {
 	esac
     done
 
-    IPT_OPTIONS="$IPT_OPTIONS $IPT_OPTIONS1"
-
     [ -n "$debugging" ] && set -x
     case "$1" in
 	connections)
@@ -608,10 +602,6 @@ dump_command() {
 			    SHOWMACS=Yes
 			    option=${option#m}
 			    ;;
-			l*)
-			    IPT_OPTIONS1="--line-numbers"
-			    option=${option#l}
-			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -625,8 +615,6 @@ dump_command() {
 	esac
     done
 
-    IPT_OPTIONS="$IPT_OPTIONS $IPT_OPTIONS1"
-
     [ $VERBOSE -lt 2 ] && VERBOSE=2
 
     [ -n "$debugging" ] && set -x

Shorewall6/logrotate

@@ -1,5 +0,0 @@
-/var/log/shorewall6-init.log {
-  missingok
-  notifempty
-  create 0600 root root
-}

Shorewall6/shorewall6

@@ -1289,7 +1289,7 @@ usage() # $1 = exit status
     echo "   restart [ -n ] [ -f ] [ <directory> ]"
     echo "   restore [ -n ] [ <file name> ]"
     echo "   save [ <file name> ]"
-    echo "   show [ -x ] [ -m ] [-f] [ -t {filter|mangle} ] [ {chain [<chain> [ <chain> ... ]|actions|capabilities|classifiers|config|connections|filters|ip|log|macros|mangle|nat|policies|raw|routing|tc|vardir|zones} ]"
+    echo "   show [ -x ] [ -m ] [-f] [ -t {filter|mangle} ] [ {chain [<chain> [ <chain> ... ]|actions|capabilities|classifiers|config|connections|filters|ip|log|macros|mangle|nat|raw|routing|tc|vardir|zones} ]"
     echo "   start [ -f ] [ -n ] [ <directory> ]"
     echo "   stop [ -f ]"
     echo "   status"

Shorewall6/shorewall6.conf

@@ -32,9 +32,9 @@ VERBOSITY=1
 
 LOGFILE=/var/log/messages
 
-STARTUP_LOG=/var/log/shorewall6-init.log
+STARTUP_LOG=
 
-LOG_VERBOSITY=2
+LOG_VERBOSITY=
 
 LOGFORMAT="Shorewall:%s:%s:"
 
@@ -147,8 +147,6 @@ WIDE_TC_MARKS=No
 
 TRACK_PROVIDERS=No
 
-ZONE2ZONE=2
-
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Shorewall6/shorewall6.spec

@@ -1,5 +1,5 @@
 %define name shorewall6
-%define version 4.4.4
+%define version 4.4.3
 %define release 1
 
 Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
@@ -69,8 +69,6 @@ fi
 %attr(0644,root,root) %config(noreplace) /etc/shorewall6/*
 %attr(0600,root,root) /etc/shorewall6/Makefile
 
-%attr(0644,root,root) /etc/logrotate.d/shorewall6
-
 %attr(0755,root,root) /sbin/shorewall6
 
 %attr(0644,root,root) /usr/share/shorewall6/version
@@ -95,14 +93,8 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
 
 %changelog
-* Sat Nov 21 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.4-1
-* Fri Nov 13 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.4-0base
-* Fri Nov 13 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.4-0Beta2
-* Wed Nov 11 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.4-0Beta1
+* Sun Nov 01 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.3-1
 * Fri Oct 02 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.3-0base
 * Sun Sep 06 2009 Tom Eastep tom@shorewall.net

Shorewall6/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.4.1
+VERSION=4.4.3.1
 
 usage() # $1 = exit status
 {

docs/ConnectionRate.xml

@@ -20,8 +20,6 @@
     <copyright>
       <year>2008</year>
 
-      <year>2009</year>
-
       <holder>Thomas M. Eastep</holder>
     </copyright>
 

docs/Introduction.xml

@@ -167,7 +167,8 @@ dmz                    Demilitarized Zone</programlisting>
 fw      firewall
 net     ipv4
 loc     ipv4
-dmz     ipv4</programlisting>
+dmz     ipv4
+#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
 
     <para>Note that Shorewall recognizes the firewall system as its own zone.
     The name of the zone designating the firewall itself (usually 'fw' as

docs/Macros.xml

@@ -433,7 +433,46 @@ ACCEPT           fw       loc             tcp      135,139,445</programlisting>
         non-comment line in your macro file.</para>
 
         <para>If ACTION is DNAT[-] or REDIRECT[-] then if this column is
-        included and is different from the IP address given in the DEST
+        included and is different from the IP address given in the SERVER
+        column, then connections destined for that address will be forwarded
+        to the IP and port specified in the DEST column.</para>
+
+        <para>A comma-separated list of addresses may also be used. This is
+        most useful with the REDIRECT target where you want to redirect
+        traffic destined for particular set of hosts. Finally, if the list of
+        addresses begins with "!" (exclusion) then the rule will be followed
+        only if the original destination address in the connection request
+        does not match any of the addresses listed.</para>
+
+        <para>For other actions, this column may be included and may contain
+        one or more addresses (host or network) separated by commas. Address
+        ranges are not allowed. When this column is supplied, rules are
+        generated that require that the original destination address matches
+        one of the listed addresses. This feature is most useful when you want
+        to generate a filter rule that corresponds to a DNAT- or REDIRECT-
+        rule. In this usage, the list of addresses should not begin with
+        "!".</para>
+
+        <para>It is also possible to specify a set of addresses then exclude
+        part of those addresses. For example, 192.168.1.0/24!192.168.1.16/28
+        specifies the addresses 192.168.1.0-182.168.1.15 and
+        192.168.1.32-192.168.1.255. See <ulink
+        url="manpages/shorewall_exclusion.html">shorewall-exclusion</ulink>(5).</para>
+
+        <para>See <ulink
+        url="http://shorewall.net/PortKnocking.html">http://shorewall.net/PortKnocking.html</ulink>
+        for an example of using an entry in this column with a user-defined
+        action rule.</para>
+      </listitem>
+
+      <listitem>
+        <para>ORIGINAL DEST (Shorewall-perl 4.2.0 and later)</para>
+
+        <para>To use this column, you must include 'FORMAT 2' as the first
+        non-comment line in your macro file.</para>
+
+        <para>If ACTION is DNAT[-] or REDIRECT[-] then if this column is
+        included and is different from the IP address given in the SERVER
         column, then connections destined for that address will be forwarded
         to the IP and port specified in the DEST column.</para>
 
@@ -578,7 +617,7 @@ ACCEPT           fw       loc             tcp      135,139,445</programlisting>
         connections is then taken over all hosts in the subnet
         <replaceable>source-address</replaceable>/<replaceable>mask</replaceable>.
         When ! is specified, the rule matches when the number of connection
-        exceeds the limit.</para>
+        exceeds the limit. </para>
       </listitem>
 
       <listitem>

docs/bridge-Shorewall-perl.xml

@@ -619,60 +619,6 @@ br0             192.168.1.0/24  routeback
     firewall rules.</para>
   </section>
 
-  <section id="Multiple">
-    <title>Multiple Bridges with Wildcard Ports</title>
-
-    <para>It is sometimes required to configure multiple bridges on a single
-    firewall/gateway. The following seemingly valid configuration results in a
-    compile-time error</para>
-
-    <simplelist>
-      <member>ERROR: Duplicate Interface Name (p+)</member>
-    </simplelist>
-
-    <para><filename>/etc/shorewall/zones</filename>:</para>
-
-    <programlisting>       #ZONE            TYPE    
-       fw               firewall
-       world            ipv4
-       z1:world         bport4
-       z2:world         bport4</programlisting>
-
-    <para><filename>/etc/shorewall/interfaces</filename>:</para>
-
-    <programlisting>       #ZONE            INTERFACE       BROADCAST       OPTIONS
-       world            br0             -               bridge
-       world            br1             -               bridge
-       z1               br0:p+
-       z2               br1:p+</programlisting>
-
-    <para>The reason is that the Shorewall implementation requires each bridge
-    port to have a unique name. The <option>physical</option> interface option
-    was added in Shorewall 4.4.4 to work around this problem. The above
-    configuration may be defined using the following in
-    <filename>/etc/shorewall/interfaces</filename>: </para>
-
-    <programlisting>       #ZONE            INTERFACE       BROADCAST       OPTIONS
-       world            br0             -               bridge
-       world            br1             -               bridge
-       z1               br0:x+          -               physical=p+
-       z2               br1:y+          -               physical=p+</programlisting>
-
-    <para>In this configuration, 'x+' is the logical name for ports p+ on
-    bridge br0 while 'y+' is the logical name for ports p+ on bridge
-    br1.</para>
-
-    <para>If you need to refer to a particular port on br1 (for example
-    p1023), you write it as y1023; Shorewall will translate that name to p1023
-    when needed.</para>
-
-    <para>Example from /etc/shorewall/rules:</para>
-
-    <programlisting>       #ACTION    SOURCE    DEST       PROTO    DEST
-       #                                        PORT(S)
-       REJECT     z1:x1023  z1:x1024   tcp      1234</programlisting>
-  </section>
-
   <section id="bridge-router">
     <title>Combination Router/Bridge</title>
 

docs/configuration_file_basics.xml

@@ -1007,7 +1007,8 @@ Shorewall has detected the following iptables/netfilter capabilities:
    Packet Type Match: Not available
    Policy Match: Available
    Physdev Match: Available
-   <emphasis role="bold">IP range Match: Available &lt;--------------</emphasis></programlisting>
+   <emphasis role="bold">IP range Match: Available &lt;-------------- 
+</emphasis></programlisting>
   </section>
 
   <section id="Ports">
@@ -1027,79 +1028,6 @@ Shorewall has detected the following iptables/netfilter capabilities:
     "!tcp").</para>
   </section>
 
-  <section id="ICMP">
-    <title>ICMP and ICMP6 Types and Codes</title>
-
-    <para>When dealing with ICMP, the DEST PORT specifies the type or type and
-    code. You may specify the numeric type, the numeric type and code
-    separated by a slash (e.g., 3/4) or you may use a type name.</para>
-
-    <para>Type names for IPv4 and their corresponding type or type/code
-    are:</para>
-
-    <programlisting>echo-reply'                  =&gt; 0
-destination-unreachable      =&gt; 3
-    network-unreachable      =&gt; 3/0
-    host-unreachable         =&gt; 3/1
-protocol-unreachable         =&gt; 3/2
-port-unreachable             =&gt; 3/3
-fragmentation-needed         =&gt; 3/4
-source-route-failed          =&gt; 3/5
-network-unknown              =&gt; 3/6
-host-unknown                 =&gt; 3/7
-network-prohibited           =&gt; 3/9
-host-prohibited              =&gt; 3/10
-TOS-network-unreachable      =&gt; 3/11
-TOS-host-unreachable         =&gt; 3/12
-communication-prohibited     =&gt; 3/13
-host-precedence-violation    =&gt; 3/14
-precedence-cutoff            =&gt; 3/15
-source-quench                =&gt; 4
-redirect                     =&gt; 5
-   network-redirect          =&gt; 5/0
-   host-redirect             =&gt; 5/1
-   TOS-network-redirect      =&gt; 5/2
-   TOS-host-redirect         =&gt; 5/3
-echo-request                 =&gt; 8
-router-advertisement         =&gt; 9
-router-solicitation          =&gt; 10
-time-exceeded                =&gt; 11
-   ttl-zero-during-transit   =&gt; 11/0
-   ttl-zero-during-reassembly=&gt; 11/1
-parameter-problem            =&gt; 12
-   ip-header-bad             =&gt; 12/0
-   required-option-missing   =&gt; 12/1
-timestamp-request            =&gt; 13
-timestamp-reply              =&gt; 14
-address-mask-request         =&gt; 17
-address-mask-reply           =&gt; 18</programlisting>
-
-    <para>Type names for IPv6 and their corresponding type or type/code
-    are:</para>
-
-    <programlisting>destination-unreachable       =&gt; 1
-   no-route'                  =&gt; 1/0
-   communication-prohibited   =&gt; 1/1
-   address-unreachable'       =&gt; 1/2
-   port-unreachable'          =&gt; 1/3
-packet-too-big                =&gt;  2
-time-exceeded'                =&gt;  3
-ttl-exceeded'                 =&gt;  3
-   ttl-zero-during-transit    =&gt; 3/0
-   ttl-zero-during-reassembly =&gt; 3/1
-parameter-problem             =&gt;  4
-   bad-header                 =&gt; 4/0
-   unknown-header-type        =&gt; 4/1
-   unknown-option             =&gt; 4/2
-echo-request                  =&gt; 128
-echo-reply                    =&gt; 129
-router-solicitation           =&gt; 133
-router-advertisement          =&gt; 134
-neighbour-solicitation        =&gt; 135
-neighbour-advertisement       =&gt; 136
-redirect                      =&gt; 137</programlisting>
-  </section>
-
   <section id="Ranges">
     <title>Port Ranges</title>
 
@@ -1132,7 +1060,7 @@ DNAT       net        loc:192.168.1.3 tcp       4000:4100</programlisting>
     <para>Also, unless otherwise documented, a port list can be preceded by
     '!' to specify "All ports except these" (e.g., "!80,443").</para>
 
-    <para>Prior to Shorewall 4.4.4, port lists appearing in the <ulink
+    <para>Port lists appearing in the <ulink
     url="manpages/shorewall-routestopped.html">/etc/shorewall/routestopped</ulink>
     file may specify no more than 15 ports; port ranges appearing in a list
     count as two ports each.</para>
@@ -1179,66 +1107,6 @@ DNAT       net        loc:192.168.1.3 tcp       4000:4100</programlisting>
     </note>
   </section>
 
-  <section id="Logical">
-    <title>Logical Interface Names</title>
-
-    <para>When dealing with a complex configuration, it is often awkward to
-    use physical interface names in the Shorewall configuration.</para>
-
-    <itemizedlist>
-      <listitem>
-        <para>You need to remember which interface is which.</para>
-      </listitem>
-
-      <listitem>
-        <para>If you move the configuration to another firewall, the interface
-        names might not be the same.</para>
-      </listitem>
-    </itemizedlist>
-
-    <para>Beginning with Shorewall 4.4.4, you can use logical interface names
-    which are mapped to the actual interface using the
-    <option>physical</option> option in <ulink
-    url="manpages/shorewall-interfaces.html">shorewall-interfraces</ulink>
-    (5).</para>
-
-    <para>Here is an example:</para>
-
-    <programlisting>#ZONE  INTERFACE  BROADCAST OPTIONS
-net    COM_IF     detect    dhcp,blacklist,tcpflags,optional,upnp,routefilter=0,nosmurfs,logmartians=0,physical=eth0
-net    EXT_IF     detect    dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartians=0,proxyarp=1,physical=eth2
-loc    INT_IF     detect    dhcp,logmartians=1,routefilter=1,tcpflags,nets=172.20.1.0/24,physical=eth1
-dmz    VPS_IF     detect    logmartians=1,routefilter=0,routeback,physical=venet0
-loc    TUN_IF     detect    physical=tun+</programlisting>
-
-    <para>In this example, COM_IF is a logical interface name that refers to
-    Ethernet interface <filename class="devicefile">eth0</filename>, EXT_IF is
-    a logical interface name that refers to Ethernet interface <filename
-    class="devicefile">eth2</filename>, and so on.</para>
-
-    <para>Here are a couple of more files from the same configuration:</para>
-
-    <para><ulink url="manpages/shorewall-masq.html">shorewall-masq</ulink>
-    (5):</para>
-
-    <programlisting>#INTERFACE SOURCE                    ADDRESS
-
-COMMENT Masquerade Local Network
-COM_IF     0.0.0.0/0
-EXT_IF     !206.124.146.0/24         206.124.146.179:persistent</programlisting>
-
-    <para><ulink
-    url="manpages/shorewall-providers.html">shorewall-providers</ulink>
-    (5)</para>
-
-    <programlisting>#NAME   NUMBER   MARK    DUPLICATE  INTERFACE  GATEWAY         OPTIONS               COPY
-Avvanta 1        0x10000 main       EXT_IF     206.124.146.254 loose,fallback        INT_IF,VPS_IF,TUN_IF
-Comcast 2        0x20000 main       COM_IF     detect          balance               INT_IF,VPS_IF,TUN_IF</programlisting>
-
-    <para>Note in particular that Shorewall translates TUN_IF to <filename
-    class="devicefile">tun*</filename> in the COPY column.</para>
-  </section>
-
   <section id="Levels">
     <title>Shorewall Configurations</title>
 

docs/shorewall_logging.xml

@@ -278,11 +278,11 @@ ACCEPT:NFLOG(1,0,1) vpn        fw       tcp       ssh,time,631,8080 </programlis
 
   <section id="Contents">
     <title>Understanding the Contents of Shorewall Log Messages</title>
-	<!--
+
     <para>For general information on the contents of Netfilter log messages,
     see <ulink
 		url="http://moser-willi.at/doc/howto/docs/iptables_netfilter_howto_de/docs/netfilter_log_format/index.html">http://moser-willi.at/doc/howto/docs/iptables_netfilter_howto_de/docs/netfilter_log_format/index.html</ulink>.</para>
--->
+
     <para>For Shorewall-specific information, see <ulink
     url="FAQ.htm#faq17">FAQ #17</ulink>.</para>
   </section>

docs/traffic_shaping.xml

@@ -1195,188 +1195,6 @@ SAVE     0.0.0.0/0      0.0.0.0/0       all        -             -        -
 /sbin/shorewall refresh</programlisting>
     </section>
 
-    <section id="perIP">
-      <title>Per-IP Traffic Shaping</title>
-
-      <para>Some network administrators feel that they have to divy up their
-      available bandwidth by IP address rather than by prioritizing the
-      traffic based on the type of traffic. This gets really awkward when
-      there are a large number of local IP addresses.</para>
-
-      <para>This section describes the Shorewall facility for making this
-      configuration less tedious (and a lot more efficient). Note that it
-      requires that you <ulink url="Dynamic.html#xtables-addons">install
-      xtables-addons</ulink>. So before you try this facility, we suggest that
-      first you add the following OPTION to each external interface described
-      in /etc/shorewall/tcdevices:</para>
-
-      <programlisting>flow=nfct-src</programlisting>
-
-      <para>If you shape traffic on your internal interface(s), then add this
-      to their entries:</para>
-
-      <programlisting>flow=dst</programlisting>
-
-      <para>You may find that this simple change is all that is needed to
-      control bandwidth hogs like Bit Torrent. If it doesn't, then proceed as
-      described in this section.</para>
-
-      <para>The facility has two components:</para>
-
-      <orderedlist>
-        <listitem>
-          <para>An IPMARK MARKing command in
-          <filename>/etc/shorewall/tcrules</filename>.</para>
-        </listitem>
-
-        <listitem>
-          <para>An <emphasis role="bold">occurs</emphasis> OPTION in
-          /etc/shorewall/tcclasses.</para>
-        </listitem>
-      </orderedlist>
-
-      <para>The facility is currently only available with IPv4.</para>
-
-      <para>In a sense, the IPMARK target is more like an IPCLASSIFY target in
-      that the mark value is later interpreted as a class ID. A packet mark is
-      32 bits wide; so is a class ID. The <emphasis>major</emphasis> class
-      occupies the high-order 16 bits and the <emphasis>minor</emphasis> class
-      occupies the low-order 16 bits. So the class ID 1:4ff (remember that
-      class IDs are always in hex) is equivalent to a mark value of 0x104ff.
-      Remember that Shorewall uses the interface number as the
-      <emphasis>major</emphasis> number where the first interface in tcdevices
-      has <emphasis>major</emphasis> number 1, the second has
-      <emphasis>major</emphasis> number 2, and so on.</para>
-
-      <para>The IPMARK target assigns a mark to each matching packet based on
-      the either the source or destination IP address. By default, it assigns
-      a mark value equal to the low-order 8 bits of the source address.</para>
-
-      <para>The syntax is as follows:</para>
-
-      <blockquote>
-        <para><emphasis role="bold">IPMARK</emphasis>[<emphasis
-        role="bold">(</emphasis>[{<emphasis
-        role="bold">src</emphasis>|<emphasis
-        role="bold">dst</emphasis>}][<emphasis
-        role="bold">,</emphasis>[<emphasis>mask1</emphasis>][,[<emphasis>mask2</emphasis>][<emphasis
-        role="bold">,</emphasis>[<emphasis>shift</emphasis>]]]]<emphasis
-        role="bold">)</emphasis>]</para>
-      </blockquote>
-
-      <para>Default values are:</para>
-
-      <simplelist>
-        <member>src</member>
-
-        <member>mask1 = 0xFF</member>
-
-        <member>mask2 = 0x00</member>
-
-        <member>shift = 0</member>
-      </simplelist>
-
-      <para><emphasis role="bold">src</emphasis> and <emphasis
-      role="bold">dst</emphasis> specify whether the mark is to be based on
-      the source or destination address respectively. The selected address is
-      first shifted right by <emphasis>shift</emphasis>, then LANDed with
-      <emphasis>mask1</emphasis> and then LORed with
-      <emphasis>mask2</emphasis>. The <emphasis>shift</emphasis> argument is
-      intended to be used primarily with IPv6 addresses.</para>
-
-      <para>Example:</para>
-
-      <programlisting>IPMARK(src,0xff,0x10100)
-
-Source IP address is 192.168.4.3 = 0xc0a80403
-
-        0xc0a80403 &gt;&gt; 0         = 0xc0a80403
-        0xc0a80403 LAND 0xFF    = 0x03
-        0x03       LOR  0x10100 = 0x10103
-
-        So the mark value is 0x10103 which corresponds to class id 1:103.</programlisting>
-
-      <para>It is important to realize that, while class IDs are composed of a
-      <emphasis>major</emphasis> and a <emphasis>minor</emphasis> value, the
-      set of <emphasis>minor</emphasis> values must be unique. You must keep
-      this in mind when deciding how to map IP addresses to class IDs. For
-      example, suppose that your internal network is 192.168.1.0/29 (host IP
-      addresses 192.168.1.1 - 192.168.1.6). Your first notion might be to use
-      IPMARK(src,0xFF,0x10000) so as to produce class IDs 1:1 through 1:6. But
-      1:1 is the class ID of the base HTB class on interface 1. So you might
-      chose instead to use IPMARK(src,0xFF,0x10100) as shown in the example
-      above so as to avoid minor class 1.</para>
-
-      <para>The <emphasis role="bold">occurs</emphasis> option in
-      <filename>/etc/shorewall/tcclasses</filename> causes the class
-      definition to be replicated many times.</para>
-
-      <para>The synax is:</para>
-
-      <blockquote>
-        <para><emphasis
-        role="bold">occurs=</emphasis><emphasis>number</emphasis></para>
-      </blockquote>
-
-      <para>When <emphasis role="bold">occurs</emphasis> is used:</para>
-
-      <orderedlist numeration="loweralpha">
-        <listitem>
-          <para>The associated device may not have the <emphasis
-          role="bold">classify</emphasis> option.</para>
-        </listitem>
-
-        <listitem>
-          <para>The class may not be the default class.</para>
-        </listitem>
-
-        <listitem>
-          <para>The class may not have any <emphasis
-          role="bold">tos=</emphasis> options (including <emphasis
-          role="bold">tcp-ack</emphasis>).</para>
-        </listitem>
-      </orderedlist>
-
-      <para>The class should not specify a MARK value. Any MARK value given is
-      ignored with a warning. The RATE and CEIL parameters apply to each
-      instance of the class. So the total RATE represented by an entry with
-      <emphasis role="bold">occurs</emphasis> will be the listed RATE
-      multiplied by <emphasis>number</emphasis>.</para>
-
-      <para>Example:</para>
-
-      <para><filename>/etc/shorewall/tcdevices</filename>:</para>
-
-      <programlisting>#INTERFACE IN-BANDWIDTH OUT-BANDWIDTH
-eth0       100mbit      100mbit</programlisting>
-
-      <para><filename>/etc/shorewall/tcclasses</filename>:</para>
-
-      <programlisting>#DEVICE   MARK RATE     CEIL PRIORITY    OPTIONS
-eth0:101     - 1kbit 230kbit        4    occurs=6</programlisting>
-
-      <para>The above defines 6 classes with class IDs 0x101-0x106. Each class
-      has a guaranteed rate of 1kbit/second and a ceiling of 230kbit.</para>
-
-      <para><filename>/etc/shoreall/tcrules</filename>:</para>
-
-      <programlisting>#MARK                      SOURCE         DEST
-IPMARK(src,0xff,0x10100):F 192.168.1.0/29 eth0</programlisting>
-
-      <para>This facility also alters the way in which Shorewall generates a
-      class number when none is given. Prior to the implementation of this
-      facility, the class number was constructed by concatinating the MARK
-      value with the either '1' or '10'. '10' was used when there were more
-      than 10 devices defined in
-      <filename>/etc/shorewall/tcdevices</filename>.</para>
-
-      <para>With this facility, a new method is added; class numbers are
-      assigned sequentially beginning with 2. The WIDE_TC_MARKS option in
-      <filename>shorewall.conf</filename> selects which construction to use.
-      WIDE_TC_MARKS=No (the default) produces pre-Shorewall 4.4 behavior.
-      WIDE_TC_MARKS=Yes produces the new behavior.</para>
-    </section>
-
     <section id="Real">
       <title>Real life examples</title>
 

manpages/shorewall-interfaces.xml

@@ -63,12 +63,10 @@ loc     eth2            -</programlisting>
         role="bold">]</emphasis></term>
 
         <listitem>
-          <para>Logical name of interface. Each interface may be listed only
-          once in this file. You may NOT specify the name of a "virtual"
-          interface (e.g., eth0:0) here; see <ulink
-          url="http://www.shorewall.net/FAQ.htm#faq18">http://www.shorewall.net/FAQ.htm#faq18</ulink>.
-          If the <option>physical</option> option is not specified, then the
-          logical name is also the name of the actual interface.</para>
+          <para>Name of interface. Each interface may be listed only once in
+          this file. You may NOT specify the name of a "virtual" interface
+          (e.g., eth0:0) here; see <ulink
+          url="http://www.shorewall.net/FAQ.htm#faq18">http://www.shorewall.net/FAQ.htm#faq18</ulink></para>
 
           <para>You may use wildcards here by specifying a prefix followed by
           the plus sign ("+"). For example, if you want to make an entry that
@@ -125,7 +123,7 @@ loc     eth2            -</programlisting>
           <para>If you use the special value <emphasis
           role="bold">detect</emphasis>, Shorewall will detect the broadcast
           address(es) for you if your iptables and kernel include Address Type
-          Match support.</para>
+          Match support. </para>
 
           <para>If your iptables and/or kernel lack Address Type Match support
           then you may list the broadcast address(es) for the network(s) to
@@ -190,8 +188,7 @@ loc     eth2            -</programlisting>
 
                 <para>2 - reply only if the target IP address is local address
                 configured on the incoming interface and the sender's IP
-                address is part from same subnet on this interface's
-                address</para>
+                address is part from same subnet on this interface's address</para>
 
                 <para>3 - do not reply for local addresses configured with
                 scope host, only resolutions for global and link</para>
@@ -293,8 +290,7 @@ loc     eth2            -</programlisting>
                 role="bold">logmartians</emphasis>. Even if you do not specify
                 the <option>routefilter</option> option, it is a good idea to
                 specify <option>logmartians</option> because your distribution
-                may have enabled route filtering without you knowing
-                it.</para>
+                may have enabled route filtering without you knowing it.</para>
 
                 <para>Only those interfaces with the
                 <option>logmartians</option> option will have their setting
@@ -437,28 +433,6 @@ loc     eth2            -</programlisting>
               </listitem>
             </varlistentry>
 
-            <varlistentry>
-              <term>physical=<emphasis
-              role="bold"><emphasis>name</emphasis></emphasis></term>
-
-              <listitem>
-                <para>Added in Shorewall 4.4.4. When specified, the interface
-                or port name in the INTERFACE column is a logical name that
-                refers to the name given in this option. It is useful when you
-                want to specify the same wildcard port name on two or more
-                bridges. See <ulink
-                url="http://www.shorewall.net/bridge-Shorewall-perl.html#Multiple">http://www.shorewall.net/bridge-Shorewall-perl.html#Multiple</ulink>.</para>
-
-                <para>If the <emphasis>interface</emphasis> name is a wildcard
-                name (ends with '+'), then the physical
-                <emphasis>name</emphasis> must also end in '+'.</para>
-
-                <para>If <option>physical</option> is not specified, then it's
-                value defaults to the <emphasis>interface</emphasis>
-                name.</para>
-              </listitem>
-            </varlistentry>
-
             <varlistentry>
               <term><emphasis role="bold">proxyarp[={0|1}]</emphasis></term>
 

manpages/shorewall-rules.xml

@@ -752,10 +752,7 @@
           <para>Destination Ports. A comma-separated list of Port names (from
           services(5)), port numbers or port ranges; if the protocol is
           <emphasis role="bold">icmp</emphasis>, this column is interpreted as
-          the destination icmp-type(s). ICMP types may be specified as a
-          numeric type, a numberic type and code separated by a slash (e.g.,
-          3/4), or a typename. See <ulink
-          url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
+          the destination icmp-type(s).</para>
 
           <para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
           this column is interpreted as an ipp2p option without the leading
@@ -828,7 +825,7 @@
           role="bold">-</emphasis>] or <emphasis
           role="bold">REDIRECT</emphasis>[<emphasis role="bold">-</emphasis>]
           then if this column is included and is different from the IP address
-          given in the <emphasis role="bold">DEST</emphasis> column, then
+          given in the <emphasis role="bold">SERVER</emphasis> column, then
           connections destined for that address will be forwarded to the IP
           and port specified in the <emphasis role="bold">DEST</emphasis>
           column.</para>

manpages/shorewall-tcrules.xml

@@ -363,11 +363,11 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
               composed of a <replaceable>major</replaceable> and a
               <replaceable>minor</replaceable> value, the set of values must
               be unique. That is, the same numeric value cannot be used as
-              both a <replaceable>major</replaceable> and a
-              <replaceable>minor</replaceable> number for the same interface
-              unless class nesting occurs (which is not currently possible
-              with Shorewall). You should keep this in mind when deciding how
-              to map IP addresses to class IDs.</para>
+              both a <replaceable>major</replaceable> and a &lt;minor&gt;
+              number for the same interface unless class nesting occurs (which
+              is not currently possible with Shorewall). You should keep this
+              in mind when deciding how to map IP addresses to class
+              IDs.</para>
 
               <para>For example, suppose that your internal network is
               192.168.1.0/29 (host IP addresses 192.168.1.1 - 192.168.1.6).
@@ -498,10 +498,7 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
           services(5)), <emphasis>port number</emphasis>s or <emphasis>port
           range</emphasis>s; if the protocol is <emphasis
           role="bold">icmp</emphasis>, this column is interpreted as the
-          destination icmp-type(s). ICMP types may be specified as a numeric
-          type, a numberic type and code separated by a slash (e.g., 3/4), or
-          a typename. See <ulink
-          url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
+          destination icmp-type(s).</para>
 
           <para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
           this column is interpreted as an ipp2p option without the leading

manpages/shorewall.conf.xml

@@ -1574,17 +1574,6 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
           option (see above).</para>
         </listitem>
       </varlistentry>
-
-      <varlistentry>
-        <term><emphasis
-        role="bold">ZONE2ZONE</emphasis>={<option>2</option>|<option>-</option>}</term>
-
-        <listitem>
-          <para>Added in Shorewall 4.4.4. This option determines how Shorewall
-          constructs chain names involving zone names and/or 'all'. The
-          default is '2' (e.g., fw2net).</para>
-        </listitem>
-      </varlistentry>
     </variablelist>
   </refsect1>
 

manpages/shorewall.xml

@@ -135,8 +135,6 @@
 
       <arg><option>-x</option></arg>
 
-      <arg><option>-l</option></arg>
-
       <arg><option>-m</option></arg>
     </cmdsynopsis>
 
@@ -452,8 +450,6 @@
 
       <arg><option>-x</option></arg>
 
-      <arg><option>-l</option></arg>
-
       <arg><option>-t</option>
       {<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw</option>}</arg>
 
@@ -502,18 +498,6 @@
       <arg choice="req"><option>mangle|nat|raw</option></arg>
     </cmdsynopsis>
 
-    <cmdsynopsis>
-      <command>shorewall</command>
-
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
-      <arg>-<replaceable>options</replaceable></arg>
-
-      <arg choice="plain"><option>show</option></arg>
-
-      <arg choice="plain"><option>policies</option></arg>
-    </cmdsynopsis>
-
     <cmdsynopsis>
       <command>shorewall</command>
 
@@ -798,9 +782,6 @@
           counts are abbreviated. The <emphasis role="bold">-m</emphasis>
           option causes any MAC addresses included in Shorewall log messages
           to be displayed.</para>
-
-          <para>The <emphasis role="bold">-l</emphasis> option causes the rule
-          number for each Netfilter rule to be displayed.</para>
         </listitem>
       </varlistentry>
 
@@ -1208,10 +1189,6 @@
                 Netfilter table to display. The default is <emphasis
                 role="bold">filter</emphasis>.</para>
 
-                <para>The <emphasis role="bold">-l</emphasis> option causes
-                the rule number for each Netfilter rule to be
-                displayed.</para>
-
                 <para>If the <emphasis role="bold">t</emphasis> option and the
                 <option>chain</option> keyword are both omitted and any of the
                 listed <replaceable>chain</replaceable>s do not exist, a usage
@@ -1295,18 +1272,6 @@
               </listitem>
             </varlistentry>
 
-            <varlistentry>
-              <term><emphasis role="bold">policies</emphasis></term>
-
-              <listitem>
-                <para>Added in Shorewall 4.4.4. Displays the applicable policy
-                between each pair of zones. Note that implicit intrazone
-                ACCEPT policies are not displayed for zones associated with a
-                single network where that network doesn't specify
-                <option>routeback</option>.</para>
-              </listitem>
-            </varlistentry>
-
             <varlistentry>
               <term><emphasis role="bold">raw</emphasis></term>
 

manpages6/shorewall6-interfaces.xml

@@ -63,12 +63,10 @@ loc     eth2            -</programlisting>
         role="bold">]</emphasis></term>
 
         <listitem>
-          <para>Logical name of interface. Each interface may be listed only
-          once in this file. You may NOT specify the name of a "virtual"
-          interface (e.g., eth0:0) here; see <ulink
-          url="http://www.shorewall.net/FAQ.htm#faq18">http://www.shorewall.net/FAQ.htm#faq18</ulink>.
-          If the <option>physical</option> option is not specified, then the
-          logical name is also the name of the actual interface.</para>
+          <para>Name of interface. Each interface may be listed only once in
+          this file. You may NOT specify the name of a "virtual" interface
+          (e.g., eth0:0) here; see <ulink
+          url="http://www.shorewall.net/FAQ.htm#faq18">http://www.shorewall.net/FAQ.htm#faq18</ulink></para>
 
           <para>You may use wildcards here by specifying a prefix followed by
           the plus sign ("+"). For example, if you want to make an entry that
@@ -174,28 +172,8 @@ loc     eth2            -</programlisting>
                     cannot be obtained.</para>
                   </listitem>
                 </itemizedlist>
-              </listitem>
-            </varlistentry>
 
-            <varlistentry>
-              <term>physical=<emphasis
-              role="bold"><emphasis>name</emphasis></emphasis></term>
-
-              <listitem>
-                <para>Added in Shorewall 4.4.4. When specified, the interface
-                or port name in the INTERFACE column is a logical name that
-                refers to the name given in this option. It is useful when you
-                want to specify the same wildcard port name on two or more
-                bridges. See <ulink
-                url="http://www.shorewall.net/bridge-Shorewall-perl.html#Multiple">http://www.shorewall.net/bridge-Shorewall-perl.html#Multiple</ulink>.</para>
-
-                <para>If the <emphasis>interface</emphasis> name is a wildcard
-                name (ends with '+'), then the physical
-                <emphasis>name</emphasis> must also end in '+'.</para>
-
-                <para>If <option>physical</option> is not specified, then it's
-                value defaults to the <emphasis>interface</emphasis>
-                name.</para>
+                <para></para>
               </listitem>
             </varlistentry>
 
@@ -220,7 +198,7 @@ loc     eth2            -</programlisting>
                 <para>If this option is not specified for an interface, then
                 source-routed packets will not be accepted from that interface
                 (sets
-                /proc/sys/net/ipv6/conf/<emphasis></emphasis>/accept_source_route
+                /proc/sys/net/ipv6/conf/<emphasis>interface</emphasis>/accept_source_route
                 to 1). Only set this option if you know what you are doing.
                 This might represent a security risk and is not usually
                 needed.</para>

manpages6/shorewall6-rules.xml

@@ -591,10 +591,7 @@
           <para>Destination Ports. A comma-separated list of Port names (from
           services(5)), port numbers or port ranges; if the protocol is
           <emphasis role="bold">icmp</emphasis>, this column is interpreted as
-          the destination icmp-type(s). ICMP types may be specified as a
-          numeric type, a numberic type and code separated by a slash (e.g.,
-          3/4), or a typename. See <ulink
-          url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
+          the destination icmp-type(s).</para>
 
           <para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
           this column is interpreted as an ipp2p option without the leading

manpages6/shorewall6-tcrules.xml

@@ -367,10 +367,7 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
           services(5)), <emphasis>port number</emphasis>s or <emphasis>port
           range</emphasis>s; if the protocol is <emphasis
           role="bold">icmp</emphasis>, this column is interpreted as the
-          destination icmp-type(s). ICMP types may be specified as a numeric
-          type, a numberic type and code separated by a slash (e.g., 3/4), or
-          a typename. See <ulink
-          url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
+          destination icmp-type(s).</para>
 
           <para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
           this column is interpreted as an ipp2p option without the leading

manpages6/shorewall6.conf.xml

@@ -1218,17 +1218,6 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
           option (see above).</para>
         </listitem>
       </varlistentry>
-
-      <varlistentry>
-        <term><emphasis
-        role="bold">ZONE2ZONE</emphasis>={<option>2</option>|<option>-</option>}</term>
-
-        <listitem>
-          <para>Added in Shorewall 4.4.4. This option determines how Shorewall
-          constructs chain names involving zone names and/or 'all'. The
-          default is '2' (e.g., fw2net).</para>
-        </listitem>
-      </varlistentry>
     </variablelist>
   </refsect1>
 

manpages6/shorewall6.xml

@@ -100,8 +100,6 @@
 
       <arg><option>-x</option></arg>
 
-      <arg><option>-l</option></arg>
-
       <arg><option>-m</option></arg>
     </cmdsynopsis>
 
@@ -369,8 +367,6 @@
 
       <arg><option>-x</option></arg>
 
-      <arg><option>-l</option></arg>
-
       <arg><option>-t</option>
       {<option>filter</option>|<option>mangle</option>|<option>raw</option>}</arg>
 
@@ -405,18 +401,6 @@
       choice="req"><option>actions|classifiers|connections|config|filters|macros|zones</option></arg>
     </cmdsynopsis>
 
-    <cmdsynopsis>
-      <command>shorewall6</command>
-
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
-      <arg>-<replaceable>options</replaceable></arg>
-
-      <arg choice="plain"><option>show</option></arg>
-
-      <arg choice="plain"><option>policies</option></arg>
-    </cmdsynopsis>
-
     <cmdsynopsis>
       <command>shorewall6</command>
 
@@ -654,9 +638,6 @@
           counts are abbreviated. The <emphasis role="bold">-m</emphasis>
           option causes any MAC addresses included in Shorewall6 log messages
           to be displayed.</para>
-
-          <para>The <emphasis role="bold">-l</emphasis> option causes the rule
-          number for each Netfilter rule to be displayed.</para>
         </listitem>
       </varlistentry>
 
@@ -1029,14 +1010,10 @@
                 Netfilter table to display. The default is <emphasis
                 role="bold">filter</emphasis>.</para>
 
-                <para>The <emphasis role="bold">-l</emphasis> option causes
-                the rule number for each Netfilter rule to be
-                displayed.</para>
-
-                <para>If the <emphasis role="bold">-t</emphasis> option and
-                the <option>chain</option> keyword are both omitted and any of
-                the listed <replaceable>chain</replaceable>s do not exist, a
-                usage message is displayed.</para>
+                <para>If the <emphasis role="bold">t</emphasis> option and the
+                <option>chain</option> keyword are both omitted and any of the
+                listed <replaceable>chain</replaceable>s do not exist, a usage
+                message is displayed.</para>
               </listitem>
             </varlistentry>
 
@@ -1104,14 +1081,15 @@
             </varlistentry>
 
             <varlistentry>
-              <term><emphasis role="bold">policies</emphasis></term>
+              <term><emphasis role="bold">nat</emphasis></term>
 
               <listitem>
-                <para>Added in Shorewall 4.4.4. Displays the applicable policy
-                between each pair of zones. Note that implicit intrazone
-                ACCEPT policies are not displayed for zones associated with a
-                single network where that network doesn't specify
-                <option>routeback</option>.</para>
+                <para>Displays the Netfilter nat table using the command
+                <emphasis role="bold">ip6tables -t nat -L -n -v</emphasis>.The
+                <emphasis role="bold">-x</emphasis> option is passed directly
+                through to ip6tables and causes actual packet and byte counts
+                to be displayed. Without this option, those counts are
+                abbreviated.</para>
               </listitem>
             </varlistentry>