Revert "Remove tools and web"

This reverts commit 966f162c87.

Samples/one-interface/interfaces

@@ -10,6 +10,10 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-interfaces"
+#
+# For additional information, see
+# http://shorewall.net/Documentation.htm#Interfaces
+#
 ###############################################################################
 #ZONE	INTERFACE	BROADCAST	OPTIONS
 net     eth0            detect          dhcp,tcpflags,logmartians,nosmurfs

Samples/one-interface/policy

@@ -10,6 +10,9 @@
 # See the file README.txt for further details.
 #-----------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-policy"
+#
+# See http://shorewall.net/Documentation.htm#Policy for additional information.
+#
 ###############################################################################
 #SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
 $FW		net		ACCEPT

Samples/one-interface/rules

@@ -10,6 +10,9 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall-rules"
+#
+# For more information, see http://www.shorewall.net/Documentation.htm#Zones
+#
 #############################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
 #							PORT	PORT(S)		DEST		LIMIT		GROUP

Samples/one-interface/shorewall.conf

@@ -34,9 +34,9 @@ VERBOSITY=1
 
 LOGFILE=/var/log/messages
 
-STARTUP_LOG=/var/log/shorewall-init.log
+STARTUP_LOG=
 
-LOG_VERBOSITY=2
+LOG_VERBOSITY=
 
 LOGFORMAT="Shorewall:%s:%s:"
 
@@ -107,7 +107,7 @@ RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 #			F I R E W A L L	  O P T I O N S
 ###############################################################################
 
-IP_FORWARDING=Off
+IP_FORWARDING=On
 
 ADD_IP_ALIASES=Yes
 
@@ -191,10 +191,6 @@ AUTOMAKE=No
 
 WIDE_TC_MARKS=Yes
 
-TRACK_PROVIDERS=Yes
-
-ZONE2ZONE=2
-
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples/one-interface/zones

@@ -10,6 +10,9 @@
 # See the file README.txt for further details.
 #-----------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-zones"
+#
+# For more information, see http://www.shorewall.net/Documentation.htm#Zones
+#
 ###############################################################################
 #ZONE	TYPE	OPTIONS			IN			OUT
 #					OPTIONS			OPTIONS

Samples/three-interfaces/interfaces

@@ -10,6 +10,10 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-interfaces"
+#
+# For additional information, see
+# http://shorewall.net/Documentation.htm#Interfaces
+#
 ###############################################################################
 #ZONE	INTERFACE	BROADCAST	OPTIONS
 net     eth0            detect          tcpflags,dhcp,nosmurfs,routefilter,logmartians

Samples/three-interfaces/masq

@@ -10,6 +10,9 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-masq"
+#
+# For additional information, see http://shorewall.net/Documentation.htm#Masq
+#
 ##############################################################################
 #INTERFACE		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK
 eth0			10.0.0.0/8,\

Samples/three-interfaces/policy

@@ -10,6 +10,9 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-policy"
+#
+# See http://shorewall.net/Documentation.htm#Policy for additional information.
+#
 ###############################################################################
 #SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
 

Samples/three-interfaces/routestopped

@@ -10,6 +10,11 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-routestopped"
+#
+# See http://shorewall.net/Documentation.htm#Routestopped and
+# http://shorewall.net/starting_and_stopping_shorewall.htm for additional
+# information.
+#
 ##############################################################################
 #INTERFACE	HOST(S)
 eth1		-

Samples/three-interfaces/rules

@@ -10,6 +10,9 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-rules"
+#
+# For additional information, see http://shorewall.net/Documentation.htm#Rules
+#
 #############################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
 #							PORT	PORT(S)		DEST		LIMIT		GROUP

Samples/three-interfaces/shorewall.conf

@@ -34,9 +34,9 @@ VERBOSITY=1
 
 LOGFILE=/var/log/messages
 
-STARTUP_LOG=/var/log/shorewall-init.log
+STARTUP_LOG=
 
-LOG_VERBOSITY=2
+LOG_VERBOSITY=
 
 LOGFORMAT="Shorewall:%s:%s:"
 
@@ -191,10 +191,6 @@ AUTOMAKE=No
 
 WIDE_TC_MARKS=Yes
 
-TRACK_PROVIDERS=Yes
-
-ZONE2ZONE=2
-
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples/three-interfaces/zones

@@ -10,6 +10,9 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-zones"
+#
+# For more information, see http://www.shorewall.net/Documentation.htm#Zones
+#
 ###############################################################################
 #ZONE	TYPE	OPTIONS			IN			OUT
 #					OPTIONS			OPTIONS

Samples/two-interfaces/interfaces

@@ -10,6 +10,10 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-interfaces"
+#
+# For additional information, see
+# http://shorewall.net/Documentation.htm#Interfaces
+#
 ###############################################################################
 #ZONE	INTERFACE	BROADCAST	OPTIONS
 net     eth0            detect          dhcp,tcpflags,nosmurfs,routefilter,logmartians

Samples/two-interfaces/masq

@@ -10,6 +10,9 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-masq"
+#
+# For additional information, see http://shorewall.net/Documentation.htm#Masq
+#
 ###############################################################################
 #INTERFACE		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK
 eth0			10.0.0.0/8,\

Samples/two-interfaces/policy

@@ -10,6 +10,9 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-policy"
+#
+# See http://shorewall.net/Documentation.htm#Policy for additional information.
+#
 ###############################################################################
 #SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
 

Samples/two-interfaces/routestopped

@@ -10,6 +10,11 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-routestopped"
+#
+# See http://shorewall.net/Documentation.htm#Routestopped and
+# http://shorewall.net/starting_and_stopping_shorewall.htm for additional
+# information.
+#
 ##############################################################################
 #INTERFACE	HOST(S)                  OPTIONS
 eth1		-

Samples/two-interfaces/rules

@@ -10,6 +10,9 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-rules"
+#
+# For more information, see http://www.shorewall.net/Documentation.htm#Rules
+#
 #############################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
 #							PORT	PORT(S)		DEST		LIMIT		GROUP

Samples/two-interfaces/shorewall.conf

@@ -41,9 +41,9 @@ SHOREWALL_COMPILER=
 
 LOGFILE=/var/log/messages
 
-STARTUP_LOG=/var/log/shorewall-init.log
+STARTUP_LOG=
 
-LOG_VERBOSITY=2
+LOG_VERBOSITY=
 
 LOGFORMAT="Shorewall:%s:%s:"
 
@@ -198,10 +198,6 @@ AUTOMAKE=No
 
 WIDE_TC_MARKS=Yes
 
-TRACK_PROVIDERS=Yes
-
-ZONE2ZONE=2
-
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples/two-interfaces/zones

@@ -10,6 +10,9 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-zones"
+#
+# For more information, see http://www.shorewall.net/Documentation.htm#Zones
+#
 ###############################################################################
 #ZONE	TYPE	OPTIONS			IN			OUT
 #					OPTIONS			OPTIONS

Samples6/one-interface/shorewall6.conf

@@ -32,9 +32,9 @@ VERBOSITY=1
 
 LOGFILE=/var/log/messages
 
-STARTUP_LOG=/var/log/shorewall6-init.log
+STARTUP_LOG=
 
-LOG_VERBOSITY=2
+LOG_VERBOSITY=
 
 LOGFORMAT="Shorewall:%s:%s:"
 
@@ -139,10 +139,6 @@ AUTOMAKE=No
 
 WIDE_TC_MARKS=Yes
 
-TRACK_PROVIDERS=Yes
-
-ZONE2ZONE=2
-
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples6/three-interfaces/shorewall6.conf

@@ -32,9 +32,9 @@ VERBOSITY=1
 
 LOGFILE=/var/log/messages
 
-STARTUP_LOG=/var/log/shorewall6-init.log
+STARTUP_LOG=
 
-LOG_VERBOSITY=2
+LOG_VERBOSITY=
 
 LOGFORMAT="Shorewall:%s:%s:"
 
@@ -139,10 +139,6 @@ AUTOMAKE=No
 
 WIDE_TC_MARKS=Yes
 
-TRACK_PROVIDERS=Yes
-
-ZONE2ZONE=2
-
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples6/two-interfaces/shorewall6.conf

@@ -32,9 +32,9 @@ VERBOSITY=1
 
 LOGFILE=/var/log/messages
 
-STARTUP_LOG=/var/log/shorewall6-init.log
+STARTUP_LOG=
 
-LOG_VERBOSITY=2
+LOG_VERBOSITY=
 
 LOGFORMAT="Shorewall:%s:%s:"
 
@@ -139,10 +139,6 @@ AUTOMAKE=No
 
 WIDE_TC_MARKS=Yes
 
-TRACK_PROVIDERS=Yes
-
-ZONE2ZONE=2
-
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Shorewall-lite/default.debian

@@ -21,9 +21,4 @@ startup=0
 
 OPTIONS=""
 
-#
-# Init Log -- if /dev/null, use the STARTUP_LOG defined in shorewall.conf
-#
-INITLOG=/dev/null
-
 # EOF

Shorewall-lite/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=4.4.5.1
+VERSION=4.4.0.1
 
 usage() # $1 = exit status
 {

Shorewall-lite/init.debian.sh

@@ -15,7 +15,9 @@
 
 SRWL=/sbin/shorewall-lite
 SRWL_OPTS="-tvv"
-test -n ${INITLOG:=/var/log/shorewall-lite-init.log}
+# Note, set INITLOG to /dev/null if you do not want to
+# keep logs of the firewall (not recommended)
+INITLOG=/var/log/shorewall-lite-init.log
 
 [ "$INITLOG" eq "/dev/null" && SHOREWALL_INIT_SCRIPT=1 || SHOREWALL_INIT_SCRIPT=0
 
@@ -23,7 +25,7 @@ export SHOREWALL_INIT_SCRIPT
 
 test -x $SRWL || exit 0
 test -x $WAIT_FOR_IFUP || exit 0
-test -n "$INITLOG" || {
+test -n $INITLOG || {
 	echo "INITLOG cannot be empty, please configure $0" ; 
 	exit 1;
 }

Shorewall-lite/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.5.1
+VERSION=4.4.0.1
 
 usage() # $1 = exit status
 {
@@ -220,11 +220,6 @@ mkdir -p ${PREFIX}/var/lib/shorewall-lite
 chmod 755 ${PREFIX}/etc/shorewall-lite
 chmod 755 ${PREFIX}/usr/share/shorewall-lite
 
-if [ -n "$PREFIX" ]; then
-    mkdir -p ${PREFIX}/etc/logrotate.d
-    chmod 755 ${PREFIX}/etc/logrotate.d
-fi
-
 #
 # Install the config file
 #
@@ -309,12 +304,6 @@ cd ..
 
 echo "Man Pages Installed"
 
-if [ -d ${PREFIX}/etc/logrotate.d ]; then
-    run_install $OWNERSHIP -m 0644 logrotate ${PREFIX}/etc/logrotate.d/shorewall-lite
-    echo "Logrotate file installed as ${PREFIX}/etc/logrotate.d/shorewall-lite"
-fi
-
-
 #
 # Create the version file
 #

Shorewall-lite/logrotate

@@ -1,5 +0,0 @@
-/var/log/shorewall-init.log {
-  missingok
-  notifempty
-  create 0600 root root
-}

Shorewall-lite/shorewall-lite

@@ -95,7 +95,7 @@ get_config() {
 
     if ( ps ax 2> /dev/null | grep -v grep |  qt grep 'syslogd.*-C' ) ; then
 	LOGREAD="logread | tac"
-    elif [ -r $LOGFILE ]; then
+    elif [ -f $LOGFILE ]; then
 	LOGREAD="tac $LOGFILE"
     else
 	echo "LOGFILE ($LOGFILE) does not exist!" >&2

Shorewall-lite/shorewall-lite.spec

@@ -1,5 +1,5 @@
 %define name shorewall-lite
-%define version 4.4.5
+%define version 4.4.0
 %define release 1
 
 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
@@ -79,8 +79,6 @@ fi
 %attr(0755,root,root) %dir /usr/share/shorewall-lite
 %attr(0700,root,root) %dir /var/lib/shorewall-lite
 
-%attr(0644,root,root) /etc/logrotate.d/shorewall-lite
-
 %attr(0755,root,root) /sbin/shorewall-lite
 
 %attr(0644,root,root) /usr/share/shorewall-lite/version
@@ -100,24 +98,8 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
-* Sat Dec 19 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.5-1
-* Fri Nov 27 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.5-0base
-* Sat Nov 21 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.4-0base
-* Fri Nov 13 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.4-0Beta2
-* Wed Nov 11 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.4-0Beta1
-* Tue Nov 03 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.3-0base
-* Sun Sep 06 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.2-0base
-* Fri Sep 04 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.2-0base
-* Fri Aug 14 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.1-0base
+* Thu Aug 13 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.0-1
 * Mon Aug 03 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.0-0base
 * Tue Jul 28 2009 Tom Eastep tom@shorewall.net

Shorewall-lite/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.5.1
+VERSION=4.4.0.1
 
 usage() # $1 = exit status
 {

Shorewall/Macros/macro.template

@@ -269,7 +269,7 @@
 #                       an action. See 'man shorewall-rules'.
 #
 #	RATE LIMIT	You may rate-limit the rule by placing a value in
-#			this column:
+#			this colume:
 #
 #				<rate>/<interval>[:<burst>]
 #
@@ -304,100 +304,6 @@
 #					#removed from Netfilter in kernel
 #					#version 2.6.14).
 #
-#	MARK		Specifies a MARK value to match. Must be empty or 
-#			'-' if the macro is to be used within an action.
-#			
-#				[!]value[/mask][:C]
-#
-#    			Defines a test on the existing packet or connection
-#			mark. The rule will match only if the test returns
-#			true.
-#
-#    			If you don't want to define a test but need to
-#			specify anything in the following columns,
-#			place a "-" in this field.
-#
-#    			!
-#
-#				Inverts the test (not equal)
-#
-#    			value
-#
-#				Value of the packet or connection mark.
-#
-#  			mask
-#
-#				A mask to be applied to the mark before
-#				testing.
-#
-#    			:C
-#
-#				Designates a connection mark. If omitted, the
-#				packet mark's value is tested.
-#
-#	CONNLIMIT	Must be empty or '-' if the macro is to be used within
-#			an action.
-#
-#				[!]limit[:mask]
-#
-#			May be used to limit the number of simultaneous
-#			connections from each individual host to limit 
-#			connections. Requires connlimit match in your kernel
-#			and iptables. While the limit is only checked on rules
-#			specifying CONNLIMIT, the number of current connections
-#			is calculated over all current connections from the
-#			SOURCE host. By default, the limit is applied to each
-#			host but can be made to apply to networks of hosts by
-#			specifying a mask. The mask specifies the width of a
-#			VLSM mask to be applied to the source address; the
-#			number of current connections is then taken over all
-#			hosts in the subnet source-address/mask. When ! is
-#			specified, the rule matches when the number of
-#			connection exceeds the limit.
-#
-#	TIME		Must be empty or '-' if the macro is to be used within
-#			an action.
-#
-#
-#				<timeelement>[&...]
-#
-#			timeelement may be:
-#
-#    				timestart=hh:mm[:ss]
-#
-#					Defines the starting time of day.
-#
-#    				timestop=hh:mm[:ss]
-#
-#					Defines the ending time of day.
-#
-#    				utc
-#
-#					Times are expressed in Greenwich Mean
-#					Time.
-#
-#    				localtz
-#
-#					Times are expressed in Local Civil Time
-#					(default).
-#
-#    				weekdays=ddd[,ddd]...
-#
-#					where ddd is one of Mon, Tue, Wed, Thu,
-#					Fri, Sat or Sun
-#
-#    				monthdays=dd[,dd],...
-#
-#					where dd is an ordinal day of the month#
-#
-#    				datestart=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
-#
-#					Defines the starting date and time.
-#
-#    				datestop=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
-#
-#					Defines the ending date and time.
-#
 # A few examples should help show how Macros work.
 #
 # /etc/shorewall/macro.FwdFTP:

Shorewall/Makefile

@@ -14,8 +14,4 @@ $(VARDIR)/${RESTOREFILE}: $(CONFDIR)/*
 	    /sbin/shorewall -q restart 2>&1 | tail >&2; \
 	fi
 
-clean:
-	@rm -f $(CONFDIR)/*~ $(CONFDIR)/.*~
-.PHONY: clean
-
 # EOF

Shorewall/Perl/Shorewall/Accounting.pm

@@ -35,16 +35,27 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_accounting );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.4_1';
+our $VERSION = '4.3_7';
 
 #
-# Called by the compiler to [re-]initialize this module's state
+# Initialize globals -- we take this novel approach to globals initialization to allow
+#                       the compiler to run multiple times in the same process. The
+#                       initialize() function does globals initialization for this
+#                       module and is called from an INIT block below. The function is
+#                       also called by Shorewall::Compiler::compiler at the beginning of
+#                       the second and subsequent calls to that function or when compiling
+#                       for IPv6.
 #
+
 sub initialize() {
     our $jumpchainref;
     $jumpchainref = undef;
 }
 
+INIT {
+    initialize;
+}
+
 #
 # Accounting
 #

Shorewall/Perl/Shorewall/Actions.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -47,7 +47,6 @@ our @EXPORT = qw( merge_levels
 		  substitute_param
 		  merge_macro_source_dest
 		  merge_macro_column
-		  map_old_actions
 
 		  %usedactions
 		  %default_actions
@@ -57,7 +56,7 @@ our @EXPORT = qw( merge_levels
 		  $macro_commands
 		  );
 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.4_5';
+our $VERSION = '4.3_7';
 
 #
 #  Used Actions. Each action that is actually used has an entry with value 1.
@@ -86,23 +85,21 @@ our %macros;
 
 our $family;
 
-our @builtins;
-
 #
 # Commands that can be embedded in a macro file and how many total tokens on the line (0 => unlimited).
 #
 our $macro_commands = { COMMENT => 0, FORMAT => 2 };
 
 #
-# Rather than initializing globals in an INIT block or during declaration,
-# we initialize them in a function. This is done for two reasons:
-#
-#   1. Proper initialization depends on the address family which isn't
-#      known until the compiler has started.
-#
-#   2. The compiler can run multiple times in the same process so it has to be
-#      able to re-initialize its dependent modules' state.
+# Initialize globals -- we take this novel approach to globals initialization to allow
+#                       the compiler to run multiple times in the same process. The
+#                       initialize() function does globals initialization for this
+#                       module and is called from an INIT block below. The function is
+#                       also called by Shorewall::Compiler::compiler at the beginning of
+#                       the second and subsequent calls to that function or when compiling
+#                       for IPv6.
 #
+
 sub initialize( $ ) {
 
     $family          = shift;
@@ -114,12 +111,10 @@ sub initialize( $ ) {
     %actions         = ();
     %logactionchains = ();
     %macros          = ();
+}
 
-    if ( $family == F_IPV4 ) {
-	@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP forwardUPnP Limit/;
-    } else {
-	@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid/;
-    }
+INIT {
+    initialize( F_IPV4 );
 }
 
 #
@@ -213,7 +208,7 @@ sub merge_macro_source_dest( $$ ) {
     if ( $invocation ) {
 	if ( $body ) {
 	    return $body if $invocation eq '-';
-	    return "$body:$invocation" if $invocation =~ /.*?\.*?\.|^\+|^!+|^~|^!~|~</;
+	    return "$body:$invocation" if $invocation =~ /.*?\.*?\.|^\+|^~|^!~/;
 	    return "$invocation:$body";
 	}
 
@@ -273,34 +268,6 @@ sub add_requiredby ( $$ ) {
     $actions{$requires}{requires}{$requiredby} = 1;
 }
 
-#
-# Map pre-3.0 actions to the corresponding Macro invocation
-#
-
-sub find_old_action ( $$$ ) {
-    my ( $target, $macro, $param ) = @_;
-
-    if ( my $actiontype = find_macro( $macro ) ) {
-	( $macro, $actiontype , $param );
-    } else {
-	( $target, 0, '' );
-    }
-}
-
-sub map_old_actions( $ ) {
-    my $target = shift;
-
-    if ( $target =~ /^Allow(.*)$/ ) {
-	find_old_action( $target, $1, 'ACCEPT' );
-    } elsif ( $target =~ /^Drop(.*)$/ ) {
-	find_old_action( $target, $1, 'DROP' );
-    } elsif ( $target = /^Reject(.*)$/ ) {
-	find_old_action( $target, $1, 'REJECT' );
-    } else {
-	( $target, 0, '' );
-    }
-}
-
 #
 # Create and record a log action chain -- Log action chains have names
 # that are formed from the action name by prepending a "%" and appending
@@ -339,7 +306,7 @@ sub createlogactionchain( $$ ) {
 
     fatal_error "Too many invocations of Action $action" if $actionref->{actchain} > 99;
 
-    unless ( $targets{$action} & BUILTIN ) {
+    unless ( $targets{$action} & STANDARD ) {
 
 	my $file = find_file $chain;
 
@@ -365,7 +332,7 @@ sub createsimpleactionchain( $ ) {
 
     $logactionchains{"$action:none"} = $chainref;
 
-    unless ( $targets{$action} & BUILTIN ) {
+    unless ( $targets{$action} & STANDARD ) {
 
 	my $file = find_file $action;
 
@@ -450,9 +417,8 @@ sub process_macro1 ( $$ ) {
 #
 # The functions process_actions1-3() implement the three phases of action processing.
 #
-# The first phase (process_actions1) occurs before the rules file is processed. The builtin-actions are added
-# to the target table (%Shorewall::Chains::targets) and actions table, then ${SHAREDIR}/actions.std and
-# ${CONFDIR}/actions are scanned (in that order). For each action:
+# The first phase (process_actions1) occurs before the rules file is processed. ${SHAREDIR}/actions.std
+# and ${CONFDIR}/actions are scanned (in that order) and for each action:
 #
 #      a) The related action definition file is located and scanned.
 #      b) Forward and unresolved action references are trapped as errors.
@@ -514,10 +480,10 @@ sub process_action1 ( $$ ) {
 sub process_actions1() {
 
     progress_message2 "Preprocessing Action Files...";
-    #
-    # Add built-in actions to the target table and create those actions
-    #
-    $targets{$_} = ACTION + BUILTIN, new_action( $_ ) for @builtins;
+
+    for my $act ( grep $targets{$_} & ACTION , keys %targets ) {
+	new_action $act;
+    }
 
     for my $file ( qw/actions.std actions/ ) {
 	open_file $file;
@@ -553,7 +519,7 @@ sub process_actions1() {
 
 	    while ( read_a_line ) {
 
-		my ($wholetarget, $source, $dest, $proto, $ports, $sports, $rate, $users, $mark ) = split_line 1, 9, 'action file';
+		my ($wholetarget, $source, $dest, $proto, $ports, $sports, $rate, $users ) = split_line 1, 8, 'action file';
 
 		process_action1( $action, $wholetarget );
 
@@ -590,8 +556,8 @@ sub process_actions2 () {
 #
 # This function is called to process each rule generated from an action file.
 #
-sub process_action( $$$$$$$$$$$ ) {
-    my ($chainref, $actionname, $target, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark ) = @_;
+sub process_action( $$$$$$$$$$ ) {
+    my ($chainref, $actionname, $target, $source, $dest, $proto, $ports, $sports, $rate, $user ) = @_;
 
     my ( $action , $level ) = split_action $target;
 
@@ -609,7 +575,7 @@ sub process_action( $$$$$$$$$$$ ) {
 
     expand_rule ( $chainref ,
 		  NO_RESTRICT ,
-		  do_proto( $proto, $ports, $sports ) . do_ratelimit( $rate, $action ) . do_user $user . do_test( $mark, 0xFF ) ,
+		  do_proto( $proto, $ports, $sports ) . do_ratelimit( $rate, $action ) . do_user $user ,
 		  $source ,
 		  $dest ,
 		  '', #Original Dest
@@ -622,8 +588,8 @@ sub process_action( $$$$$$$$$$$ ) {
 #
 # Expand Macro in action files.
 #
-sub process_macro3( $$$$$$$$$$$$ ) {
-    my ( $macro, $param, $chainref, $action, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark ) = @_;
+sub process_macro3( $$$$$$$$$$$ ) {
+    my ( $macro, $param, $chainref, $action, $source, $dest, $proto, $ports, $sports, $rate, $user ) = @_;
 
     my $nocomment = no_comment;
 
@@ -639,14 +605,12 @@ sub process_macro3( $$$$$$$$$$$$ ) {
 
     while ( read_a_line ) {
 
-	my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark );
+	my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser );
 
 	if ( $format == 1 ) {
-	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line1 1, 8, 'macro file', $macro_commands;
-	    $morigdest = '-';
-	    $mmark     = '-';
+	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser, $morigdest ) = split_line1 1, 9, 'macro file', $macro_commands;
 	} else {
-	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark ) = split_line1 1, 10, 'macro file', $macro_commands;
+	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser ) = split_line1 1, 9, 'macro file', $macro_commands;
 	}
 
 	if ( $mtarget eq 'COMMENT' ) {
@@ -660,6 +624,8 @@ sub process_macro3( $$$$$$$$$$$$ ) {
 	    next;
 	}
 
+	fatal_error "Invalid macro file entry (too many columns)" if $morigdest ne '-' && $format == 1;
+
 	if ( $mtarget =~ /^PARAM:?/ ) {
 	    fatal_error 'PARAM requires that a parameter be supplied in macro invocation' unless $param;
 	    $mtarget = substitute_param $param,  $mtarget;
@@ -700,9 +666,8 @@ sub process_macro3( $$$$$$$$$$$$ ) {
 	$msports = merge_macro_column $msports, $sports;
 	$mrate   = merge_macro_column $mrate,   $rate;
 	$muser   = merge_macro_column $muser,   $user;
-	$mmark   = merge_macro_column $mmark,   $mark;
 
-	process_action $chainref, $action, $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser, $mark;
+	process_action $chainref, $action, $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser;
     }
 
     pop_open;
@@ -727,7 +692,7 @@ sub process_action3( $$$$$ ) {
 
     while ( read_a_line ) {
 
-	my ($target, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark ) = split_line1 1, 9, 'action file';
+	my ($target, $source, $dest, $proto, $ports, $sports, $rate, $user ) = split_line1 1, 8, 'action file';
 
 	if ( $target eq 'COMMENT' ) {
 	    process_comment;
@@ -751,9 +716,9 @@ sub process_action3( $$$$$ ) {
 	}
 
 	if ( $action2type == MACRO ) {
-	    process_macro3( $action2, $param, $chainref, $action, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark );
+	    process_macro3( $action2, $param, $chainref, $action, $source, $dest, $proto, $ports, $sports, $rate, $user );
 	} else {
-	    process_action $chainref, $action, $target2, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark;
+	    process_action $chainref, $action, $target2, $source, $dest, $proto, $ports, $sports, $rate, $user;
 	}
     }
 

Shorewall/Perl/Shorewall/Chains.pm

@@ -71,9 +71,9 @@ our %EXPORT_TAGS = (
 				       ALL_COMMANDS
 				       NOT_RESTORE
 
-				       initialize_chain_table
 				       add_commands
 				       move_rules
+				       move_rules1
 				       insert_rule1
 				       purge_jump
 				       add_tunnel_rule
@@ -85,7 +85,6 @@ our %EXPORT_TAGS = (
 				       decr_cmd_level
 				       chain_base 
 				       forward_chain
-				       rules_chain
 				       zone_forward_chain
 				       use_forward_chain
 				       input_chain
@@ -112,6 +111,7 @@ our %EXPORT_TAGS = (
 				       new_builtin_chain
 				       new_nat_chain
 				       ensure_filter_chain
+				       initialize_chain_table
 				       finish_section
 				       setup_zone_mss
 				       newexclusionchain
@@ -147,7 +147,6 @@ our %EXPORT_TAGS = (
 				       addnatjump
 				       set_chain_variables
 				       mark_firewall_not_started
-				       mark_firewall6_not_started
 				       get_interface_address
 				       get_interface_addresses
 				       get_interface_bcasts
@@ -167,7 +166,7 @@ our %EXPORT_TAGS = (
 
 Exporter::export_ok_tags('internal');
 
-our $VERSION = '4.4_5';
+our $VERSION = '4.4_0';
 
 #
 # Chain Table
@@ -248,8 +247,6 @@ use constant { NO_RESTRICT        => 0,   # FORWARD chain rule     - Both -i and
 our $iprangematch;
 our $chainseq;
 our $idiotcount;
-our $idiotcount1;
-our $warningcount;
 
 our $global_variables;
 
@@ -275,11 +272,11 @@ our %interfacegateways;     # Gateway of default route out of the interface
 our @builtins = qw(PREROUTING INPUT FORWARD OUTPUT POSTROUTING);
 
 #
-# Mode of the emitter.
+# Mode of the generator.
 #
-use constant { NULL_MODE => 0 ,   # Emitting neither shell commands nor iptables-restore input
-	       CAT_MODE  => 1 ,   # Emitting iptables-restore input
-	       CMD_MODE  => 2 };  # Emitting shell commands.
+use constant { NULL_MODE => 0 ,   # Generating neither shell commands nor iptables-restore input
+	       CAT_MODE  => 1 ,   # Generating iptables-restore input
+	       CMD_MODE  => 2 };  # Generating shell commands.
 
 our $mode;
 
@@ -301,15 +298,15 @@ our %builtin_target = ( ACCEPT   => 1,
 			REDIRECT => 1 );
 
 #
-# Rather than initializing globals in an INIT block or during declaration,
-# we initialize them in a function. This is done for two reasons:
-#
-#   1. Proper initialization depends on the address family which isn't
-#      known until the compiler has started.
-#
-#   2. The compiler can run multiple times in the same process so it has to be
-#      able to re-initialize its dependent modules' state.
+# Initialize globals -- we take this novel approach to globals initialization to allow
+#                       the compiler to run multiple times in the same process. The
+#                       initialize() function does globals initialization for this
+#                       module and is called from an INIT block below. The function is
+#                       also called by Shorewall::Compiler::compiler at the beginning of
+#                       the second and subsequent calls to that function or when compiling
+#                       for IPv6.
 #
+
 sub initialize( $ ) {
     $family = shift;
 
@@ -359,11 +356,13 @@ sub initialize( $ ) {
 
     $global_variables   = 0;
     $idiotcount         = 0;
-    $idiotcount1        = 0;
-    $warningcount       = 0;
 
 }
 
+INIT {
+    initialize( F_IPV4 );
+}
+
 #
 # Process a COMMENT line (in $currentline)
 #
@@ -372,7 +371,7 @@ sub process_comment() {
 	( $comment = $currentline ) =~ s/^\s*COMMENT\s*//;
 	$comment =~ s/\s*$//;
     } else {
-	warning_message "COMMENTs ignored -- require comment support in iptables/Netfilter" unless $warningcount++;
+	warning_message "COMMENT ignored -- requires comment support in iptables/Netfilter";
     }
 }
 
@@ -418,45 +417,82 @@ sub decr_cmd_level( $ ) {
 
 sub add_commands ( $$;@ ) {
     my $chainref = shift @_;
-    my $indentation = '    ' x $chainref->{cmdlevel};
 
-    push @{$chainref->{rules}}, join ('', $indentation , $_ ) for @_;
+    for ( @_ ) {
+	push @{$chainref->{rules}}, join ('', '    ' x $chainref->{cmdlevel} , $_ );
+    }
 
     $chainref->{referenced} = 1;
 }
 
 sub push_rule( $$ ) {
-    my $chainref = $_[0];
-    my $rule     = join( ' ',  '-A',  $chainref->{name} , $_[1]);
+    my ($chainref, $rule) = @_;
 
     $rule .= qq( -m comment --comment "$comment") if $comment;
 
     if ( $chainref->{cmdlevel} ) {
 	$rule =~ s/"/\\"/g; #Must preserve quotes in the rule
-	add_commands $chainref , qq(echo "$rule" >&3);
+	add_commands $chainref , qq(echo "-A $chainref->{name} $rule" >&3);
     } else {
-	push @{$chainref->{rules}}, $rule;
+	#
+	# We omit the chain name for now -- this makes it easier to move rules from one 
+	# chain to another
+	#
+	push @{$chainref->{rules}}, join( ' ', '-A' , $rule );
 	$chainref->{referenced} = 1;
     }
 }
 
 #
-# Post-process a rule having a port list. Split the rule into multiple rules if necessary
+# Post-process a rule having an sport list. Split the rule into multiple rules if necessary
 # to work within the 15-element limit imposed by iptables/Netfilter.
 #
-# The third argument ($dport) indicates what type of list we are spltting:
-#
-#      $dport == 1     Destination port list
-#      $dport == 0     Source port list
-#
-# When expanding a Destination port list, each resulting rule is checked for the presence
-# of a Source port list; if one is present, the function calls itself recursively with
-# $dport == 0.
-#
-sub handle_port_list( $$$$$$ );
 
-sub handle_port_list( $$$$$$ ) {
-    my ($chainref, $rule, $dport, $first, $ports, $rest) = @_;
+sub handle_sport_list( $$$$$ ) {
+    my ($chainref, $rule, $first, $ports, $rest) = @_;
+
+    if ( port_count( $ports ) > 15 ) {
+	#
+	# More than 15 ports specified
+	#
+	my @ports = split '([,:])', $ports;
+
+	while ( @ports ) {
+	    my $count = 0;
+	    my $newports = '';
+
+	    while ( @ports && $count < 15 ) {
+		my ($port, $separator) = ( shift @ports, shift @ports );
+
+		$separator ||= '';
+
+		if ( ++$count == 15 ) {
+		    if ( $separator eq ':' ) {
+			unshift @ports, $port, ':';
+			chop $newports;
+			last;
+		    } else {
+			$newports .= $port;
+		    }	
+		} else {
+		    $newports .= "${port}${separator}";
+		}
+	    }
+
+	    push_rule ( $chainref, join( '', $first, $newports, $rest ) );
+	}
+    } else {
+	push_rule ( $chainref, $rule );
+    }
+}
+
+#
+# Post-process a rule having an dport list. Split the rule into multiple rules if necessary
+# to work within the 15-element limit imposed by iptables/Netfilter.
+#
+
+sub handle_dport_list( $$$$$ ) {
+    my ($chainref, $rule, $first, $ports, $rest) = @_;
 
     if ( port_count( $ports ) > 15 ) {
 	#
@@ -488,14 +524,14 @@ sub handle_port_list( $$$$$$ ) {
 
 	    my $newrule = join( '', $first, $newports, $rest );
 
-	    if ( $dport && $newrule =~  /^(.* --sports\s+)([^ ]+)(.*)$/ ) {
-		handle_port_list( $chainref, $newrule, 0, $1, $2, $3 );
+	    if ( $newrule =~  /^(.* --sports\s+)([^ ]+)(.*)$/ ) {
+		handle_sport_list( $chainref, $newrule, $1, $2, $3 );
 	    } else {
 		push_rule ( $chainref, $newrule );
 	    }
 	}
-    } elsif ( $dport && $rule =~  /^(.* --sports\s+)([^ ]+)(.*)$/ ) {
-	handle_port_list( $chainref, $rule, 0, $1, $2, $3 );
+    } elsif ( $rule =~  /^(.* --sports\s+)([^ ]+)(.*)$/ ) {
+	handle_sport_list( $chainref, $rule, $1, $2, $3 );
     } else {
 	push_rule ( $chainref, $rule );
     }
@@ -525,12 +561,12 @@ sub add_rule($$;$)
 	    #
 	    # Rule has a --dports specification
 	    #
-	    handle_port_list( $chainref, $rule, 1, $1, $2, $3 )
+	    handle_dport_list( $chainref, $rule, $1, $2, $3 )
 	} elsif ( $rule =~  /^(.* --sports\s+)([^ ]+)(.*)$/ ) {
 	    #
 	    # Rule has a --sports specification
 	    #
-	    handle_port_list( $chainref, $rule, 0, $1, $2, $3 )
+	    handle_sport_list( $chainref, $rule, $1, $2, $3 )
 	} else {
 	    push_rule ( $chainref, $rule );
 	}
@@ -607,7 +643,7 @@ sub insert_rule1($$$)
 
     $rule .= "-m comment --comment \"$comment\"" if $comment;
 
-    splice( @{$chainref->{rules}}, $number, 0,  join( ' ', '-A', $chainref->{name}, $rule ) );
+    splice( @{$chainref->{rules}}, $number, 0,  join( ' ', '-A', $rule ) );
 
     $iprangematch = 0;
 
@@ -637,19 +673,17 @@ sub add_tunnel_rule( $$ ) {
 # forward chain. Shorewall::Rules::generate_matrix() may decide to move those rules to
 # a zone-oriented chain, hence this function.
 #
+# The source chain must not have any run-time code included in its rules. 
+#
 sub move_rules( $$ ) {
     my ($chain1, $chain2 ) = @_;
 
     if ( $chain1->{referenced} ) {
-	my $name  = $chain1->{name};
-	#
-	# We allow '+' in chain names and '+' is an RE meta-character. Escape it.
-	#
-	$name =~ s/\+/\\+/;
+	my @rules = @{$chain1->{rules}};
 
-	( s/\-([AI]) $name /-$1 $chain2->{name} / ) for @{$chain1->{rules}};
+	assert( /^-A/ ) for @rules;
 
-	splice @{$chain2->{rules}}, 0, 0, @{$chain1->{rules}};
+	splice @{$chain2->{rules}}, 0, 0, @rules;
 
 	$chain2->{referenced} = 1;
 	$chain1->{referenced} = 0;
@@ -657,6 +691,29 @@ sub move_rules( $$ ) {
     }
 }
 
+#
+# Like above except it returns 0 if it can't move the rules
+#
+sub move_rules1( $$ ) {
+    my ($chain1, $chain2 ) = @_;
+
+    if ( $chain1->{referenced} ) {
+	my @rules = @{$chain1->{rules}};
+
+	for ( @rules ) {
+	    return 0 unless /^-A/;
+	}
+
+	splice @{$chain2->{rules}}, 0, 0, @rules;
+
+	$chain2->{referenced} = 1;
+	$chain1->{referenced} = 0;
+	$chain1->{rules}      = [];
+    }
+
+    1;
+}
+
 #
 # Transform the passed interface name into a legal shell variable name.
 #
@@ -669,13 +726,6 @@ sub chain_base($) {
     $chain;
 }
 
-#
-# Name of canonical chain
-#
-sub rules_chain ($$) {
-    join "$config{ZONE2ZONE}", @_;
-}
-
 #
 # Forward Chain for an interface
 #
@@ -735,12 +785,9 @@ sub use_input_chain($) {
     my $interfaceref = find_interface($interface);
     my $nets = $interfaceref->{nets};
     #
-    # We must use the interfaces's chain if:
-    #
-    # - the interface is associated with multiple zone nets; or
-    # - the interface has the 'upnpclient' option.
-    #
-    # In the latter case, the chain's rules will contain run-time code which cannot currently be transferred to a zone-oriented chain by move_rules().
+    # We must use the interfaces's chain if the interface is associated with multiple zone nets or
+    # if the interface has the 'upnpclient' option. In the latter case, the chain's rules will contain
+    # run-time code which cannot currently be transferred to a zone-oriented chain by move_rules().
     #    
     return 1 if $nets > 1 || $interfaceref->{options}{upnpclient};
     #
@@ -765,7 +812,7 @@ sub use_input_chain($) {
     #
     # Use the '<zone>2fw' chain if it is referenced.
     #
-    $chainref = $filter_table->{rules_chain( $zone, firewall_zone )};
+    $chainref = $filter_table->{join( '' , $zone , '2' , firewall_zone )};
 
     ! ( $chainref->{referenced} || $chainref->{is_policy} )
 }   
@@ -809,7 +856,7 @@ sub use_output_chain($) {
     #
     # Use the 'fw2<zone>' chain if it is referenced.
     #
-    $chainref = $filter_table->{rules_chain( firewall_zone , $interfaceref->{zone} )};
+    $chainref = $filter_table->{join( '', firewall_zone , '2', $interfaceref->{zone} )};
 
     ! ( $chainref->{referenced} || $chainref->{is_policy} )
 }
@@ -926,8 +973,7 @@ sub ensure_filter_chain( $$ )
 
     my $chainref = ensure_chain 'filter', $chain;
 
-    unless ( $chainref->{referenced} ) {
-	if ( $populate ) {
+    if ( $populate and ! $chainref->{referenced} ) {
 	if ( $section eq 'NEW' or $section eq 'DONE' ) {
 	    finish_chain_section $chainref , 'ESTABLISHED,RELATED';
 	} elsif ( $section eq 'RELATED' ) {
@@ -936,7 +982,6 @@ sub ensure_filter_chain( $$ )
     }
 
     $chainref->{referenced} = 1;
-    }
 
     $chainref;
 }
@@ -953,25 +998,9 @@ sub ensure_accounting_chain( $  )
     if ( $chainref ) {
 	fatal_error "Non-accounting chain ($chain) used in accounting rule" unless $chainref->{accounting};
     } else {
-	$chainref = new_chain 'filter' , $chain;
+	$chainref = new_chain 'filter' , $chain unless $chainref;
 	$chainref->{accounting} = 1;
 	$chainref->{referenced} = 1;
-
-	if ( $chain ne 'accounting' ) {
-	    my $file = find_file $chain;
-
-	    if ( -f $file ) {
-		progress_message "Processing $file...";
-
-		my ( $level, $tag ) = ( '', '' );
-
-		unless ( my $return = eval `cat $file` ) {
-		    fatal_error "Couldn't parse $file: $@" if $@;
-		    fatal_error "Couldn't do $file: $!"    unless defined $return;
-		    fatal_error "Couldn't run $file"       unless $return;
-		}
-	    }
-	}
     }
 
     $chainref;
@@ -981,7 +1010,9 @@ sub ensure_mangle_chain($) {
     my $chain = $_[0];
 
     my $chainref = ensure_chain 'mangle', $chain;
+
     $chainref->{referenced} = 1;
+
     $chainref;
 }
 
@@ -989,7 +1020,9 @@ sub ensure_nat_chain($) {
     my $chain = $_[0];
 
     my $chainref = ensure_chain 'nat', $chain;
+
     $chainref->{referenced} = 1;
+
     $chainref;
 }
 
@@ -1043,8 +1076,8 @@ sub ensure_manual_chain($) {
 }
 
 #
-# Add all builtin chains to the chain table -- it is separate from initialize() because it depends on capabilities and configuration.
-# The function also initializes the target table with the pre-defined targets available for the specfied address family.
+# Add all builtin chains to the chain table
+#
 #
 sub initialize_chain_table()
 {
@@ -1072,6 +1105,15 @@ sub initialize_chain_table()
 		    'QUEUE!'          => STANDARD,
 		    'NFQUEUE'         => STANDARD + NFQ,
 		    'NFQUEUE!'        => STANDARD + NFQ,
+		    'dropBcast'       => BUILTIN  + ACTION,
+		    'allowBcast'      => BUILTIN  + ACTION,
+		    'dropNotSyn'      => BUILTIN  + ACTION,
+		    'rejNotSyn'       => BUILTIN  + ACTION,
+		    'dropInvalid'     => BUILTIN  + ACTION,
+		    'allowInvalid'    => BUILTIN  + ACTION,
+		    'allowinUPnP'     => BUILTIN  + ACTION,
+		    'forwardUPnP'     => BUILTIN  + ACTION,
+		    'Limit'           => BUILTIN  + ACTION,
 		   );
 
 	for my $chain qw(OUTPUT PREROUTING) {
@@ -1113,6 +1155,12 @@ sub initialize_chain_table()
 		    'QUEUE!'          => STANDARD,
 		    'NFQUEUE'         => STANDARD + NFQ,
 		    'NFQUEUE!'        => STANDARD + NFQ,
+		    'dropBcast'       => BUILTIN  + ACTION,
+		    'allowBcast'      => BUILTIN  + ACTION,
+		    'dropNotSyn'      => BUILTIN  + ACTION,
+		    'rejNotSyn'       => BUILTIN  + ACTION,
+		    'dropInvalid'     => BUILTIN  + ACTION,
+		    'allowInvalid'    => BUILTIN  + ACTION,
 		   );
 
 	for my $chain qw(OUTPUT PREROUTING) {
@@ -1166,6 +1214,7 @@ sub finish_chain_section ($$) {
 	}
 
 	$chainref->{new} = @{$chainref->{rules}};
+
     }
 
     $comment = $savecomment;
@@ -1181,7 +1230,7 @@ sub finish_section ( $ ) {
 
     for my $zone ( all_zones ) {
 	for my $zone1 ( all_zones ) {
-	    my $chainref = $chain_table{'filter'}{rules_chain( $zone, $zone1 )};
+	    my $chainref = $chain_table{'filter'}{"${zone}2${zone1}"};
 	    finish_chain_section $chainref, $sections if $chainref->{referenced};
 	}
     }
@@ -1208,12 +1257,12 @@ sub set_mss( $$$ ) {
 
     for my $z ( all_zones ) {
 	if ( $direction eq '_in' ) {
-	    set_mss1 rules_chain( ${zone}, ${z} ) , $mss;
+	    set_mss1 "${zone}2${z}" , $mss;
 	} elsif ( $direction eq '_out' ) {
-	    set_mss1 rules_chain( ${z}, ${zone} ) , $mss;
+	    set_mss1 "${z}2${zone}", $mss;
 	} else {
-	    set_mss1 rules_chain( ${z}, ${zone} ) , $mss;
-	    set_mss1 rules_chain( ${zone}, ${z} ) , $mss;
+	    set_mss1 "${z}2${zone}", $mss;
+	    set_mss1 "${zone}2${z}", $mss;
 	}
     }
 }
@@ -1309,8 +1358,6 @@ sub port_count( $ ) {
 #
 # Handle parsing of PROTO, DEST PORT(S) , SOURCE PORTS(S). Returns the appropriate match string.
 #
-# If the optional argument is true, port lists > 15 result in a fatal error.
-#
 sub do_proto( $$$;$ )
 {
     my ($proto, $ports, $sports, $restricted ) = @_;
@@ -1539,14 +1586,12 @@ sub do_ratelimit( $$ ) {
 	require_capability 'HASHLIMIT_MATCH', 'Per-ip rate limiting' , 's';
 
 	my $limit = "-m hashlimit ";
-	my $match = $capabilities{OLD_HL_MATCH} ? 'hashlimit' : 'hashlimit-upto';
-
 	if ( $rate =~ /^[sd]:((\w*):)?(\d+(\/(sec|min|hour|day))?):(\d+)$/ ) {
-	    $limit .= "--hashlimit $3 --hashlimit-burst $6 --hashlimit-name ";
+	    $limit .= "--hashlimit-upto $3 --hashlimit-burst $6 --hashlimit-name ";
 	    $limit .= $2 ? $2 : 'shorewall';
 	    $limit .= ' --hashlimit-mode ';
 	} elsif ( $rate =~ /^[sd]:((\w*):)?(\d+(\/(sec|min|hour|day))?)$/ ) {
-	    $limit .= "--$match $3 --hashlimit-name ";
+	    $limit .= "--hashlimit-upto $3 --hashlimit-name ";
 	    $limit .= $2 ? $2 : 'shorewall';
 	    $limit .= ' --hashlimit-mode ';
 	} else {
@@ -1733,7 +1778,6 @@ sub match_source_dev( $ ) {
     my $interface = shift;
     return '' if $interface eq '+';
     my $interfaceref =  known_interface( $interface );
-    $interface = $interfaceref->{physical} if $interfaceref;
     if ( $interfaceref && $interfaceref->{options}{port} ) {
 	"-i $interfaceref->{bridge} -m physdev --physdev-in $interface ";
     } else {
@@ -1748,7 +1792,6 @@ sub match_dest_dev( $ ) {
     my $interface = shift;
     return '' if $interface eq '+';
     my $interfaceref =  known_interface( $interface );
-    $interface = $interfaceref->{physical} if $interfaceref;
     if ( $interfaceref && $interfaceref->{options}{port} ) {
 	if ( $capabilities{PHYSDEV_BRIDGE} ) {
 	    "-o $interfaceref->{bridge} -m physdev --physdev-is-bridged --physdev-out $interface ";
@@ -1808,8 +1851,8 @@ sub match_source_net( $;$ ) {
 
     $restriction |= NO_RESTRICT;
 
-    if ( ( $family == F_IPV4 && $net =~ /^(!?)(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)$/ ) ||
-	 ( $family == F_IPV6 && $net =~  /^(!?)(.*:.*)-(.*:.*)$/ ) ) {
+    if ( $family == F_IPV4 && $net =~ /^(!?)(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)$/ ||
+	 $family == F_IPV6 && $net =~  /^(!?)(.*:.*)-(.*:.*)$/ ) {
 	my ($addr1, $addr2) = ( $2, $3 );
 	$net =~ s/!// if my $invert = $1 ? '! ' : '';
 	validate_range $addr1, $addr2;
@@ -1835,8 +1878,8 @@ sub match_source_net( $;$ ) {
 sub match_dest_net( $ ) {
     my $net = $_[0];
 
-    if ( ( $family == F_IPV4 && $net =~ /^(!?)(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)$/ ) ||
-	 ( $family == F_IPV6 && $net =~  /^(!?)(.*:.*)-(.*:.*)$/ ) ) {
+    if ( $family == F_IPV4 && $net =~ /^(!?)(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)$/ ||
+	 $family == F_IPV6 && $net =~  /^(!?)(.*:.*)-(.*:.*)$/ ) {
 	my ($addr1, $addr2) = ( $2, $3 );
 	$net =~ s/!// if my $invert = $1 ? '! ' : '';
 	validate_range $addr1, $addr2;
@@ -2124,11 +2167,7 @@ sub set_chain_variables() {
 # Emit code that marks the firewall as not started.
 #
 sub mark_firewall_not_started() {
-    if ( $family == F_IPV4 ) {
     emit ( 'qt1 $IPTABLES -L shorewall -n && qt1 $IPTABLES -F shorewall && qt1 $IPTABLES -X shorewall' );
-    } else {
-	emit ( 'qt1 $IPTABLES6 -L shorewall -n && qt1 $IPTABLES6 -F shorewall && qt1 $IPTABLES6 -X shorewall' );
-    }
 }
 
 ####################################################################################################################
@@ -2148,11 +2187,10 @@ sub interface_address( $ ) {
 # Record that the ruleset requires the first IP address on the passed interface
 #
 sub get_interface_address ( $ ) {
-    my ( $logical ) = $_[0];
+    my ( $interface ) = $_[0];
 
-    my $interface = get_physical( $logical );
     my $variable = interface_address( $interface );
-    my $function = interface_is_optional( $logical ) ? 'find_first_interface_address_if_any' : 'find_first_interface_address';
+    my $function = interface_is_optional( $interface ) ? 'find_first_interface_address_if_any' : 'find_first_interface_address';
 
     $global_variables |= ALL_COMMANDS;
 
@@ -2173,7 +2211,7 @@ sub interface_bcasts( $ ) {
 # Record that the ruleset requires the broadcast addresses on the passed interface
 #
 sub get_interface_bcasts ( $ ) {
-    my ( $interface ) = get_physical $_[0];
+    my ( $interface ) = $_[0];
 
     my $variable = interface_bcasts( $interface );
 
@@ -2196,7 +2234,7 @@ sub interface_acasts( $ ) {
 # Record that the ruleset requires the anycast addresses on the passed interface
 #
 sub get_interface_acasts ( $ ) {
-    my ( $interface ) = get_physical $_[0];
+    my ( $interface ) = $_[0];
 
     $global_variables |= NOT_RESTORE;
 
@@ -2219,16 +2257,15 @@ sub interface_gateway( $ ) {
 # Record that the ruleset requires the gateway address on the passed interface
 #
 sub get_interface_gateway ( $ ) {
-    my ( $logical ) = $_[0];
+    my ( $interface ) = $_[0];
 
-    my $interface = get_physical $logical;
     my $variable = interface_gateway( $interface );
 
     my $routine = $config{USE_DEFAULT_RT} ? 'detect_dynamic_gateway' : 'detect_gateway';
 
     $global_variables |= ALL_COMMANDS;
 
-    if ( interface_is_optional $logical ) {
+    if ( interface_is_optional $interface ) {
 	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$($routine $interface)\n);
     } else {
 	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$($routine $interface)
@@ -2251,14 +2288,13 @@ sub interface_addresses( $ ) {
 # Record that the ruleset requires the IP addresses on the passed interface
 #
 sub get_interface_addresses ( $ ) {
-    my ( $logical ) = $_[0];
+    my ( $interface ) = $_[0];
 
-    my $interface = get_physical( $logical );
     my $variable = interface_addresses( $interface );
 
     $global_variables |= NOT_RESTORE;
 
-    if ( interface_is_optional $logical ) {
+    if ( interface_is_optional $interface ) {
 	$interfaceaddrs{$interface} = qq($variable=\$(find_interface_addresses $interface)\n);
     } else {
 	$interfaceaddrs{$interface} = qq($variable=\$(find_interface_addresses $interface)
@@ -2281,14 +2317,13 @@ sub interface_nets( $ ) {
 # Record that the ruleset requires the networks routed out of the passed interface
 #
 sub get_interface_nets ( $ ) {
-    my ( $logical ) = $_[0];
+    my ( $interface ) = $_[0];
 
-    my $interface = get_physical( $logical );
     my $variable = interface_nets( $interface );
 
     $global_variables |= ALL_COMMANDS;
 
-    if ( interface_is_optional $logical ) {
+    if ( interface_is_optional $interface ) {
 	$interfacenets{$interface} = qq($variable=\$(get_routed_networks $interface)\n);
     } else {
 	$interfacenets{$interface} = qq($variable=\$(get_routed_networks $interface)
@@ -2312,14 +2347,13 @@ sub interface_mac( $$ ) {
 # Record the fact that the ruleset requires MAC address of the passed gateway IP routed out of the passed interface for the passed provider number
 #
 sub get_interface_mac( $$$ ) {
-    my ( $ipaddr, $logical , $table ) = @_;
+    my ( $ipaddr, $interface , $table ) = @_;
 
-    my $interface = get_physical( $logical );
     my $variable = interface_mac( $interface , $table );
 
     $global_variables |= NOT_RESTORE;
 
-    if ( interface_is_optional $logical ) {
+    if ( interface_is_optional $interface ) {
 	$interfacemacs{$table} = qq($variable=\$(find_mac $ipaddr $interface)\n);
     } else {
 	$interfacemacs{$table} = qq($variable=\$(find_mac $ipaddr $interface)
@@ -2482,12 +2516,7 @@ sub expand_rule( $$$$$$$$$$;$ )
 	    # An interface in the SOURCE column of a masq file
 	    #
 	    fatal_error "Bridge ports may not appear in the SOURCE column of this file" if port_to_bridge( $iiface );
-
-	    if ( $chainref->{table} eq 'nat' ) {
 	    warning_message qq(Using an interface as the masq SOURCE requires the interface to be up and configured when $Product starts/restarts) unless $idiotcount++;
-	    } else {
-		warning_message qq(Using an interface as the SOURCE in a T: rule requires the interface to be up and configured when $Product starts/restarts) unless $idiotcount1++;
-	    }
 
 	    push_command $chainref, join( '', 'for source in ', get_interface_nets( $iiface) , '; do' ), 'done';
 
@@ -2751,8 +2780,10 @@ sub expand_rule( $$$$$$$$$$;$ )
 	add_rule( $echainref, $exceptionrule . $target, 1 ) unless $disposition eq 'LOG';
     } else {
 	#
-	# No exclusions
+	# No exclusions -- save original chain
 	#
+	my $savechainref = $chainref;
+
 	for my $onet ( mysplit $onets ) {
 	    $onet = match_orig_dest $onet;
 	    for my $inet ( mysplit $inets ) {
@@ -2761,6 +2792,11 @@ sub expand_rule( $$$$$$$$$$;$ )
 		$source_match = match_source_net( $inet, $restriction ) if $capabilities{KLUDGEFREE};
 
 		for my $dnet ( mysplit $dnets ) {
+		    #
+		    # Restore original Chain
+		    #
+		    $chainref = $savechainref;
+
 		    $source_match  = match_source_net( $inet, $restriction ) unless $capabilities{KLUDGEFREE};
 		    my $dest_match = match_dest_net( $dnet );
 		    my $predicates = join( '', $rule, $source_match, $dest_match, $onet );
@@ -2781,7 +2817,7 @@ sub expand_rule( $$$$$$$$$$;$ )
 				#
 				log_rule_limit( 
 					       $loglevel ,
-					       $logchainref ,
+					       $chainref = $logchainref ,
 					       $chain ,
 					       $disposition ,
 					       '',
@@ -2789,7 +2825,7 @@ sub expand_rule( $$$$$$$$$$;$ )
 					       'add',
 					       '' );
 
-				add_rule( $logchainref, $exceptionrule . $target );
+				add_rule( $chainref, $exceptionrule . $target );
 			    } else {
 				log_rule_limit( 
 					       $loglevel ,
@@ -2838,15 +2874,14 @@ sub expand_rule( $$$$$$$$$$;$ )
 }
 
 #
-# The following code generates the input to iptables-restore from the contents of the
-# @rules arrays in the chain table entries.
+# The following code generates the input to iptables-restore
 #
 # We always write the iptables-restore input into a file then pass the
 # file to iptables-restore. That way, if things go wrong, the user (and Shorewall support)
 # has (have) something to look at to determine the error
 #
 # We may have to generate part of the input at run-time. The rules array in each chain
-# table entry may contain both rules (begin with '-A') or shell source. We alternate between
+# table entry may contain rules (begin with '-A') or shell source. We alternate between
 # writing the rules ('-A') into the temporary file to be passed to iptables-restore
 # (CAT_MODE) and and writing shell source into the generated script (CMD_MODE).
 #
@@ -2866,14 +2901,15 @@ sub enter_cmd_mode() {
 #
 # Emits the passed rule (input to iptables-restore) or command
 #
-sub emitr( $ ) {
-    if ( my $rule = $_[0] ) {
-	if ( substr( $rule, 0, 2 ) eq '-A' ) {
+sub emitr( $$ ) {
+    my ( $name, $rule ) = @_;
+
+    if ( $rule && substr( $rule, 0, 2 ) eq '-A' ) {
 	#
 	# A rule
 	#
 	enter_cat_mode unless $mode == CAT_MODE;
-	    emit_unindented $rule;
+	emit_unindented join( ' ', '-A', $name, substr( $rule, 3 ) );
     } else {
 	#
 	# A command
@@ -2881,7 +2917,17 @@ sub emitr( $ ) {
 	enter_cmd_mode unless $mode == CMD_MODE;
 	emit $rule;
     }
-    }
+}
+
+#
+# Simple version that only handles rules
+#
+sub emitr1( $$ ) {
+    my ( $name, $rule ) = @_;
+
+    assert( substr( $rule, 0, 2 ) eq '-A' );
+
+    emit_unindented join( ' ', '-A', $name, substr( $rule, 3 ) );
 }
 
 #
@@ -2892,10 +2938,14 @@ sub create_netfilter_load( $ ) {
 
     my @table_list;
 
+    if ( $family == F_IPV4 ) {
 	push @table_list, 'raw'    if $capabilities{RAW_TABLE};
 	push @table_list, 'nat'    if $capabilities{NAT_ENABLED};
 	push @table_list, 'mangle' if $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED};
 	push @table_list, 'filter';
+    } else {
+	@table_list = qw( raw mangle filter );
+    }
 
     $mode = NULL_MODE;
 
@@ -2957,7 +3007,7 @@ sub create_netfilter_load( $ ) {
 	# Then emit the rules
 	#
 	for my $chainref ( @chains ) {
-	    emitr $_ for ( grep defined $_, @{$chainref->{rules}} );
+	    emitr $chainref->{name}, $_ for ( grep defined $_, @{$chainref->{rules}} );
 	}
 	#
 	# Commit the changes to the table
@@ -3066,7 +3116,7 @@ sub create_chainlist_reload($) {
 		#
 		# Emit the chain rules
 		#
-		emitr $_ for ( grep defined $_, @rules );
+		emitr $chain, $_ for ( grep defined $_, @rules );
 	    }
 	    #
 	    # Commit the changes to the table
@@ -3118,10 +3168,14 @@ sub create_stop_load( $ ) {
 
     my @table_list;
 
+    if ( $family == F_IPV4 ) {
 	push @table_list, 'raw'    if $capabilities{RAW_TABLE};
 	push @table_list, 'nat'    if $capabilities{NAT_ENABLED};
 	push @table_list, 'mangle' if $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED};
 	push @table_list, 'filter';
+    } else {
+	@table_list = qw( raw mangle filter );
+    }
 
     my $utility = $family == F_IPV4 ? 'iptables-restore' : 'ip6tables-restore';
     my $UTILITY = $family == F_IPV4 ? 'IPTABLES_RESTORE' : 'IP6TABLES_RESTORE';
@@ -3171,7 +3225,7 @@ sub create_stop_load( $ ) {
 	# Then emit the rules
 	#
 	for my $chainref ( @chains ) {
-	    emit_unindented $_ for @{$chainref->{rules}};
+	    emitr1 $chainref->{name}, $_ for @{$chainref->{rules}};
 	}
 	#
 	# Commit the changes to the table

Shorewall/Perl/Shorewall/Compiler.pm

@@ -43,18 +43,20 @@ use Shorewall::Raw;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( compiler EXPORT TIMESTAMP DEBUG );
 our @EXPORT_OK = qw( $export );
-our $VERSION = '4.4_4';
+our $VERSION = '4.4_0';
 
 our $export;
 
 our $test;
 
-our $family;
+our $reused = 0;
+
+our $family = F_IPV4;
 
 #
-# Initilize the package-globals in the other modules
+# Reinitilize the package-globals in the other modules
 #
-sub initialize_package_globals() {
+sub reinitialize() {
     Shorewall::Config::initialize($family);
     Shorewall::Chains::initialize ($family);
     Shorewall::Zones::initialize ($family);
@@ -77,11 +79,11 @@ sub initialize_package_globals() {
 #
 sub generate_script_1() {
 
+    my $date = localtime;
+
     if ( $test ) {
 	emit "#!/bin/sh\n#\n# Compiled firewall script generated by Shorewall-perl\n#";
     } else {
-	my $date = localtime;
-
 	emit "#!/bin/sh\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";
 	if ( $family == F_IPV4 ) {
 	    copy $globals{SHAREDIRPL} . 'prog.header';
@@ -90,24 +92,14 @@ sub generate_script_1() {
 	}
     }
 
-    my $lib = find_file 'lib.private';
-
-    if ( -f $lib ) {
-	emit <<'EOF';
-################################################################################
-# Functions imported from lib.private
-################################################################################
-EOF
-
-	copy1 $lib;
-	emit "\n";
-    }
-
     emit <<'EOF';
 ################################################################################
 # Functions to execute the various user exits (extension scripts)
 ################################################################################
 EOF
+    my $lib = find_file 'lib.private';
+
+    copy1 $lib, emit "\n" if -f $lib;
 
     for my $exit qw/init start tcclear started stop stopped clear refresh refreshed restored/ {
 	emit "\nrun_${exit}_exit() {";
@@ -139,7 +131,7 @@ EOF
 #    Generate the 'initialize()' function.
 #
 #    Note: This function is not called when $command eq 'check'. So it must have no side effects other
-#          than those related to writing to the output script file.
+#          than those related to writing to the object file.
 
 sub generate_script_2() {
 
@@ -214,7 +206,8 @@ sub generate_script_2() {
 
     emit ( '[ -n "${COMMAND:=restart}" ]',
 	   '[ -n "${VERBOSE:=0}" ]',
-	   qq([ -n "\${RESTOREFILE:=$config{RESTOREFILE}}" ]) );
+	   qq([ -n "\${RESTOREFILE:=$config{RESTOREFILE}}" ]),
+	   '[ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:%s:%s:"' );
 
     emit ( qq(VERSION="$globals{VERSION}") ) unless $test;
 
@@ -239,24 +232,14 @@ sub generate_script_2() {
 	   '[ -d ${VARDIR} ] || mkdir -p ${VARDIR}'
 	   );
 
-    pop_indent;
-
-    emit "\n}\n"; # End of initialize()
+    my $global_variables = have_global_variables;
 
+    if ( $global_variables ) {
 	emit( '' ,
 	      '#' ,
 	      '# Set global variables holding detected IP information' ,
 	      '#' ,
-	  'detect_configuration()',
-	  '{' );
-
-    my $global_variables = have_global_variables;
-
-    push_indent;
-
-    if ( $global_variables ) {
-	
-	emit( 'case $COMMAND in' );
+	      'case $COMMAND in' );
 
 	push_indent;
 
@@ -292,13 +275,11 @@ sub generate_script_2() {
 	pop_indent;
 
 	emit ( 'esac' ) ,
-    } else {
-	emit( 'true' ) unless handle_optional_interfaces;
     }
 
     pop_indent;
 
-    emit "\n}\n"; # End of detect_configuration()
+    emit "\n}\n"; # End of initialize()
 
 }
 
@@ -312,7 +293,7 @@ sub generate_script_2() {
 #    Generate the 'define_firewall()' function.
 #
 #    Note: This function is not called when $command eq 'check'. So it must have no side effects other
-#          than those related to writing to the output script file.
+#          than those related to writing to the object file.
 #
 sub generate_script_3($) {
 
@@ -421,10 +402,23 @@ sub generate_script_3($) {
 	emit "disable_ipv6\n" if $config{DISABLE_IPV6};
 
     } else {
-	emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit', 
+	emit ( '#',
+	       '# Recent kernels are difficult to configure -- we see state match omitted a lot so we check for it here',
+	       '#',
+	       'qt1 $IP6TABLES -N foox1234',
+	       'qt1 $IP6TABLES -A foox1234 -m state --state ESTABLISHED,RELATED -j ACCEPT',
+	       'result=$?',
+	       'qt1 $IP6TABLES -F foox1234',
+	       'qt1 $IP6TABLES -X foox1234',
+	       '[ $result = 0 ] || startup_error "Your kernel/ip6tables do not include state match support. No version of Shorewall6 will run on this system"',
 	       '' );
-	mark_firewall_not_started;
-	emit '';
+
+	emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit',
+		   '',
+	       'qt1 $IP6TABLES -L shorewall -n && qt1 $IP6TABLES -F shorewall && qt1 $IP6TABLES -X shorewall',
+	       ''
+	     );
+
     }
 
     emit qq(delete_tc1\n) if $config{CLEAR_TC};
@@ -446,10 +440,6 @@ sub generate_script_3($) {
     dump_zone_contents;
     emit_unindented '__EOF__';
 
-    emit 'cat > ${VARDIR}/policies << __EOF__';
-    save_policies;
-    emit_unindented '__EOF__';
-
     pop_indent;
 
     emit "fi\n";
@@ -536,7 +526,7 @@ EOF
 #
 sub compiler {
 
-    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity ) =
+    my ( $objectfile, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity ) = 
        ( '',          '',         -1,          '',          0,      '',       '',   -1 );
 
     $export = 0;
@@ -557,8 +547,7 @@ sub compiler {
 	defined($val) && ($val == F_IPV4 || $val == F_IPV6);
     }
 
-    my %parms = ( object        => { store => \$scriptfilename },    #Deprecated
-		  script        => { store => \$scriptfilename },
+    my %parms = ( object        => { store => \$objectfile },
 		  directory     => { store => \$directory  },
 		  family        => { store => \$family    ,    validate => \&validate_family    } ,
 		  verbosity     => { store => \$verbosity ,    validate => \&validate_verbosity } ,
@@ -583,17 +572,14 @@ sub compiler {
 	${$ref->{store}} = $val;
     }
 
-    #
-    # Now that we know the address family (IPv4/IPv6), we can initialize the other modules' globals
-    #
-    initialize_package_globals;
+    reinitialize if $reused++ || $family == F_IPV6;
 
     if ( $directory ne '' ) {
 	fatal_error "$directory is not an existing directory" unless -d $directory;
 	set_shorewall_dir( $directory );
     }
 
-    set_verbosity( $verbosity );
+    set_verbose( $verbosity );
     set_log($log, $log_verbosity) if $log;
     set_timestamp( $timestamp );
     set_debug( $debug );
@@ -609,18 +595,14 @@ sub compiler {
     require_capability( 'XCONNMARK'       , 'HIGH_ROUTE_MARKS=Yes' , 's' )  if $config{HIGH_ROUTE_MARKS};
     require_capability( 'MANGLE_ENABLED'  , 'Traffic Shaping' , 's'      )  if $config{TC_ENABLED};
 
-    if ( $scriptfilename ) {
-	set_command( 'compile', 'Compiling', 'Compiled' );
-	create_temp_script( $scriptfilename , $export );
-    } else {
-	set_command( 'check', 'Checking', 'Checked' );
-    }
-    #
-    # Chain table initialization depends on shorewall.conf and capabilities. So it must be deferred until
-    # shorewall.conf has been processed and the capabilities have been determined.
-    #
+    set_command( 'check', 'Checking', 'Checked' ) unless $objectfile;
+
     initialize_chain_table;
 
+    unless ( $command eq 'check' ) {
+	create_temp_object( $objectfile , $export );
+    }
+
     #
     # Allow user to load Perl modules
     #
@@ -657,11 +639,11 @@ sub compiler {
     #
     setup_notrack;
 
-    enable_script;
+    enable_object;
     
-    if ( $scriptfilename ) {
+    unless ( $command eq 'check' ) {
 	#
-	# Place Header in the script
+	# Place Header in the object
 	#
 	generate_script_1;
 	#
@@ -695,24 +677,25 @@ sub compiler {
     #
     setup_proxy_arp;
     #
-    # Handle MSS settings in the zones file
+    # Handle MSS setings in the zones file
     #
     setup_zone_mss;
 
-    if ( $scriptfilename ) {
+    unless ( $command eq 'check' ) {
 	emit 'return 0';
 	pop_indent;
 	emit '}';
     }
 
-    disable_script;
+    disable_object;
     #
     #                      R O U T I N G _ A N D _ T R A F F I C _ S H A P I N G
     #         (Writes the setup_routing_and_traffic_shaping() function to the compiled script)
     #
-    enable_script;
+    enable_object;
+    
+    unless ( $command eq 'check' ) {
 
-    if ( $scriptfilename ) {
 	emit(  "\n#",
 	       '# Setup routing and traffic shaping',
 	       '#',
@@ -730,12 +713,12 @@ sub compiler {
     #
     setup_tc;
 
-    if ( $scriptfilename ) {
+    unless ( $command eq 'check' ) {
 	pop_indent;
 	emit "}\n";
     }
 
-    disable_script;
+    disable_object;
     #
     #                                       N E T F I L T E R
     #       (Produces no output to the compiled script -- rules are stored in the chain table)
@@ -791,13 +774,19 @@ sub compiler {
     #
     setup_accounting;
 
-    if ( $scriptfilename ) {
+    if ( $command eq 'check' ) {
+	if ( $family == F_IPV4 ) {
+	    progress_message3 "Shorewall configuration verified";
+	} else {
+	    progress_message3 "Shorewall6 configuration verified";
+	}
+    } else {
 	#
-	# Generate the zone by zone matrix
+	# Generate the zone x zone matrix
 	#
 	generate_matrix;
 
-	enable_script;
+	enable_object;
 	#
 	#                                    I N I T I A L I Z E
 	#                  (Writes the initialize() function to the compiled script)
@@ -808,19 +797,17 @@ sub compiler {
 	#    (Produces setup_netfilter(), chainlist_reload() and define_firewall() )
 	#
 	generate_script_3( $chains );
+	#                               S T O P _ F I R E W A L L
+	#             (Writes the stop_firewall() function to the compiled script)
 	#
 	# We must reinitialize Shorewall::Chains before generating the iptables-restore input
 	# for stopping the firewall
 	#
 	Shorewall::Chains::initialize( $family );
 	initialize_chain_table;
-	#
-	#                           S T O P _ F I R E W A L L
-	#         (Writes the stop_firewall() function to the compiled script)
-	#
 	compile_stop_firewall( $test ); 
 	#
-	# Copy the footer to the script
+	# Copy the footer to the object
 	#
 	unless ( $test ) {
 	    if ( $family == F_IPV4 ) {
@@ -830,33 +817,15 @@ sub compiler {
 	    }
 	}
 	
-	disable_script;
+	disable_object;
 	#
-	# Close, rename and secure the script
+	# Close, rename and secure the object
 	#
-	finalize_script ( $export );
+	finalize_object ( $export );
 	#
 	# And generate the auxilary config file
 	#
-	enable_script, generate_aux_config if $export;
-    } else {
-	#
-	# Re-initialize the chain table so that process_routestopped() has the same
-	# environment that it would when called by compile_stop_firewall().
-	#
-	Shorewall::Chains::initialize( $family );
-	initialize_chain_table;
-	#
-	# compile_stop_firewall() also validates the routestopped file. Since we don't
-	# call that function during 'check', we must validate routestopped here.
-	#
-	process_routestopped;
-
-	if ( $family == F_IPV4 ) {
-	    progress_message3 "Shorewall configuration verified";
-	} else {
-	    progress_message3 "Shorewall6 configuration verified";
-	}
+	enable_object, generate_aux_config if $export;
     }
 
     close_log if $log;

Shorewall/Perl/Shorewall/Config.pm

@@ -24,7 +24,7 @@
 #   It also exports functions for generating warning and error messages.
 #   The get_configuration function parses the shorewall.conf, capabilities and
 #   modules files during compiler startup. The module also provides the basic
-#   output file services such as creation of temporary 'script' files, writing
+#   output file services such as creation of temporary 'object' files, writing
 #   into those files (emitters) and finalizing those files (renaming
 #   them to their final name and setting their mode appropriately).
 #
@@ -54,10 +54,10 @@ our @EXPORT = qw(
 
 our @EXPORT_OK = qw( $shorewall_dir initialize read_a_line1 set_config_path shorewall);
 
-our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
-				       finalize_script
-				       enable_script
-				       disable_script
+our %EXPORT_TAGS = ( internal => [ qw( create_temp_object 
+				       finalize_object
+				       enable_object
+				       disable_object
 		                       numeric_value
 		                       numeric_value1
 		                       hex_value
@@ -72,7 +72,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       save_progress_message
 				       save_progress_message_short
 				       set_timestamp
-				       set_verbosity
+				       set_verbose
 				       set_log
 				       close_log
 				       set_command
@@ -127,7 +127,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 
 Exporter::export_ok_tags('internal');
 
-our $VERSION = '4.4_5';
+our $VERSION = '4.3_12';
 
 #
 # describe the current command, it's present progressive, and it's completion.
@@ -136,23 +136,23 @@ our ($command, $doing, $done );
 #
 # VERBOSITY
 #
-our $verbosity;
+our $verbose;
 #
 # Logging
 #
-our ( $log, $log_verbosity );
+our ( $log, $log_verbose );
 #
 # Timestamp each progress message, if true.
 #
 our $timestamp;
 #
-# Script (output) file handle
+# Object file handle
 #
-our $script;
+our $object;
 #
-# When 'true', writes to the script are enabled. Used to catch code emission between functions
+# When 'true', writes to the object are enabled. Used to catch code emission between functions
 #
-our $script_enabled;
+our $object_enabled;
 #
 # True, if last line emitted is blank
 #
@@ -170,7 +170,7 @@ our $indent2;
 #
 our $indent;
 #
-# Script's Directory and File
+# Object's Directory and File
 #
 our ( $dir, $file );
 #
@@ -186,9 +186,10 @@ our %globals;
 #
 our %config;
 #
-# Config options and global settings that are to be copied to output script
+# Config options and global settings that are to be copied to object script
 #
-our @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR MODULE_SUFFIX SUBSYSLOCK /;
+our @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR MODULE_SUFFIX LOGFORMAT SUBSYSLOCK LOCKFILE /;
+our @propagateenv    = qw/ LOGLIMIT LOGTAGONLY LOGRULENUMBERS /;
 #
 # From parsing the capabilities file or detecting capabilities
 #
@@ -240,10 +241,7 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 LOG_TARGET      => 'LOG Target',
 		 LOGMARK_TARGET  => 'LOGMARK Target',
 		 IPMARK_TARGET   => 'IPMARK Target',
-		 PERSISTENT_SNAT => 'Persistent SNAT',
-		 OLD_HL_MATCH    => 'Old Hash Limit Match',
 		 CAPVERSION      => 'Capability Version',
-		 KERNELVERSION   => 'Kernel Version',
 	       );
 #
 # Directories to search for configuration files
@@ -262,8 +260,8 @@ our $currentline;             # Current config file line image
 our $currentfile;             # File handle reference
 our $currentfilename;         # File NAME
 our $currentlinenumber;       # Line number
-our $perlscript;              # File Handle Reference to current temporary file being written by an in-line Perl script
-our $perlscriptname;          # Name of that file.
+our $scriptfile;              # File Handle Reference to current temporary file being written by an in-line Perl script
+our $scriptfilename;          # Name of that file.
 our @tempfiles;               # Files that need unlinking at END
 our $first_entry;             # Message to output or function to call on first non-blank line of a file
 
@@ -286,14 +284,13 @@ use constant { MIN_VERBOSITY => -1,
 our %validlevels;             # Valid log levels.
 
 #
-# Rather than initializing globals in an INIT block or during declaration,
-# we initialize them in a function. This is done for two reasons:
-#
-#   1. Proper initialization depends on the address family which isn't
-#      known until the compiler has started.
-#
-#   2. The compiler can run multiple times in the same process so it has to be
-#      able to re-initialize its dependent modules' state.
+# Initialize globals -- we take this novel approach to globals initialization to allow
+#                       the compiler to run multiple times in the same process. The
+#                       initialize() function does globals initialization for this
+#                       module and is called from an INIT block below. The function is
+#                       also called by Shorewall::Compiler::compiler at the beginning of
+#                       the second and subsequent calls to that function and when compiling
+#                       for IPv6.
 #
 sub initialize( $ ) {
     $family = shift;
@@ -304,17 +301,19 @@ sub initialize( $ ) {
 	( $product, $Product, $toolname, $toolNAME ) = qw( shorewall6 Shorewall6 ip6tables IP6TABLES );
     }	
 
-    $verbosity = 0;            # Verbosity setting. -1 = silent, 0 = almost silent, 1 = major progress messages only, 2 = all progress messages (very noisy)
+    ( $command, $doing, $done ) = qw/compile Compiling Compiled/; #describe the current command, it's present progressive, and it's completion.
+
+    $verbose = 0;              # Verbosity setting. 0 = almost silent, 1 = major progress messages only, 2 = all progress messages (very noisy)
     $log = undef;              # File reference for log file
-    $log_verbosity = -1;       # Verbosity of log.
+    $log_verbose = -1;         # Verbosity of log.
     $timestamp = '';           # If true, we are to timestamp each progress message
-    $script = 0;               # Script (output) file Handle Reference
-    $script_enabled = 0;       # Writing to output file is disabled initially
+    $object = 0;               # Object (script) file Handle Reference
+    $object_enabled = 0;       # Object (script) file Handle Reference
     $lastlineblank = 0;        # Avoid extra blank lines in the output
     $indent1       = '';       # Current indentation tabs
     $indent2       = '';       # Current indentation spaces
     $indent        = '';       # Current total indentation
-    ( $dir, $file ) = ('',''); # Script's Directory and Filename
+    ( $dir, $file ) = ('',''); # Object's Directory and File
     $tempfile = '';            # Temporary File Name
 
     #
@@ -328,8 +327,8 @@ sub initialize( $ ) {
 		    TC_SCRIPT => '',
 		    EXPORT => 0,
 		    UNTRACKED => 0,
-		    VERSION => "4.4.5.1",
-		    CAPVERSION => 40406 ,
+		    VERSION => "4.4.0.1",
+		    CAPVERSION => 40310 ,
 		  );
 
     #
@@ -440,8 +439,6 @@ sub initialize( $ ) {
 	      FAST_STOP => undef ,
 	      AUTOMAKE => undef ,
 	      WIDE_TC_MARKS => undef,
-	      TRACK_PROVIDERS => undef,
-	      ZONE2ZONE => undef,
 	      #
 	      # Packet Disposition
 	      #
@@ -548,8 +545,6 @@ sub initialize( $ ) {
 	      MANGLE_ENABLED => undef ,
 	      AUTOMAKE => undef ,
 	      WIDE_TC_MARKS => undef,
-	      TRACK_PROVIDERS => undef,
-	      ZONE2ZONE => undef,
 	      #
 	      # Packet Disposition
 	      #
@@ -618,8 +613,6 @@ sub initialize( $ ) {
 	       LOGMARK_TARGET => undef,
 	       IPMARK_TARGET => undef,
 	       LOG_TARGET => 1,         # Assume that we have it.
-	       PERSISTENT_SNAT => undef,
-	       OLD_HL_MATCH => undef,
 	       CAPVERSION => undef,
 	       );
     #
@@ -647,6 +640,7 @@ sub initialize( $ ) {
 }
 
 INIT {
+    initialize( F_IPV4 );
     #
     # These variables appear within single quotes in shorewall.conf -- add them to ENV
     # so that read_a_line doesn't have to be smart enough to parse that usage.
@@ -667,7 +661,7 @@ sub warning_message
     my $currentlineinfo = $currentfile ?  " : $currentfilename (line $linenumber)" : '';
     our @localtime;
 
-    $| = 1; #Reset output buffering (flush any partially filled buffers).
+    $| = 1;
 
     if ( $log ) {
 	@localtime = localtime;
@@ -682,22 +676,7 @@ sub warning_message
 	print $log   "   WARNING: @_$currentlineinfo\n" if $log;
     }
 
-    $| = 0; #Re-allow output buffering
-}
-
-sub cleanup() {
-    #
-    # Close files first in case we're running under Cygwin
-    #
-    close  $script, $script = undef         if $script;
-    close  $perlscript, $perlscript = undef if $perlscript;
-    close  $log, $log = undef               if $log;
-    #
-    # Unlink temporary files
-    #
-    unlink ( $tempfile ), $tempfile = undef             if $tempfile;
-    unlink ( $perlscriptname ), $perlscriptname = undef if $perlscriptname;
-    unlink ( @tempfiles ), @tempfiles = ()              if @tempfiles;
+    $| = 0;
 }
 
 #
@@ -707,7 +686,7 @@ sub fatal_error	{
     my $linenumber = $currentlinenumber || 1;
     my $currentlineinfo = $currentfile ?  " : $currentfilename (line $linenumber)" : '';
 
-    $| = 1; #Reset output buffering (flush any partially filled buffers).
+    $| = 1;
 
     if ( $log ) {
 	our @localtime = localtime;
@@ -723,7 +702,6 @@ sub fatal_error	{
 	$log = undef;
     }
 
-    cleanup;
     confess "   ERROR: @_$currentlineinfo" if $debug;
     die "   ERROR: @_$currentlineinfo\n";
 }
@@ -745,7 +723,6 @@ sub fatal_error1	{
 	$log = undef;
     }
 
-    cleanup;
     confess "   ERROR: @_" if $debug;
     die "   ERROR: @_\n";
 }
@@ -819,14 +796,14 @@ sub in_hexp( $ ) {
 }
 
 #
-# Write the arguments to the script file (if any) with the current indentation.
+# Write the arguments to the object file (if any) with the current indentation.
 #
 # Replaces leading spaces with tabs as appropriate and suppresses consecutive blank lines.
 #
 sub emit {
-    assert( $script_enabled );
+    assert( $object_enabled );
 
-    if ( $script ) {
+    if ( $object ) {
 	#
 	# 'compile' as opposed to 'check'
 	#
@@ -836,10 +813,10 @@ sub emit {
 		$line =~ s/^\n// if $lastlineblank;
 		$line =~ s/^/$indent/gm if $indent;
 		$line =~ s/        /\t/gm;
-		print $script "$line\n";
+		print $object "$line\n";
 		$lastlineblank = ( substr( $line, -1, 1 ) eq "\n" );
 	    } else {
-		print $script "\n" unless $lastlineblank;
+		print $object "\n" unless $lastlineblank;
 		$lastlineblank = 1;
 	    }
 	}
@@ -847,26 +824,26 @@ sub emit {
 }
 
 #
-# Write passed message to the script with newline but no indentation.
+# Write passed message to the object with newline but no indentation.
 #
 sub emit_unindented( $ ) {
-    assert( $script_enabled );
+    assert( $object_enabled );
 
-    print $script "$_[0]\n" if $script;
+    print $object "$_[0]\n" if $object;
 }
 
 #
 # Write a progress_message2 command with surrounding blank lines to the output file.
 #
 sub save_progress_message( $ ) {
-    emit "\nprogress_message2 @_\n" if $script;
+    emit "\nprogress_message2 @_\n" if $object;
 }
 
 #
 # Write a progress_message command to the output file.
 #
 sub save_progress_message_short( $ ) {
-    emit "progress_message $_[0]" if $script;
+    emit "progress_message $_[0]" if $object;
 }
 
 #
@@ -877,14 +854,14 @@ sub set_timestamp( $ ) {
 }
 
 #
-# Set $verbosity
+# Set $verbose
 #
-sub set_verbosity( $ ) {
-    $verbosity = shift;
+sub set_verbose( $ ) {
+    $verbose = shift;
 }
 
 #
-# Set $log and $log_verbosity
+# Set $log and $log_verbose
 #
 sub set_log ( $$ ) {
     my ( $l, $v ) = @_;
@@ -892,16 +869,16 @@ sub set_log ( $$ ) {
     if ( defined $v ) {
 	my $value = numeric_value( $v );
 	fatal_error "Invalid Log Verbosity ( $v )" unless defined($value) && ( $value >= -1 ) && ( $value <= 2);
-	$log_verbosity = $value;
+	$log_verbose = $value;
     }
 
-    if ( $l && $log_verbosity >= 0 ) {
+    if ( $l && $log_verbose >= 0 ) {	
 	unless ( open $log , '>>' , $l ) {
 	    $log = undef; 
 	    fatal_error "Unable to open STARTUP_LOG ($l) for writing: $!";
 	}
     } else {
-	$log_verbosity = -1;
+	$log_verbose = -1;
     }
 }
 
@@ -925,17 +902,17 @@ sub timestamp() {
 }
 
 #
-# Write a message if $verbosity >= 2
+# Write a message if $verbose >= 2
 #
 sub progress_message {
     my $havelocaltime = 0;
 
-    if ( $verbosity > 1 || $log_verbosity > 1 ) {
+    if ( $verbose > 1 || $log_verbose > 1 ) {
 	my $line = "@_";
 	my $leading = $line =~ /^(\s+)/ ? $1 : '';
 	$line =~ s/\s+/ /g;
 
-	if ( $verbosity > 1 ) {
+	if ( $verbose > 1 ) {
 	    timestamp, $havelocaltime = 1 if $timestamp;
 	    #
 	    # We use this function to display messages containing raw config file images which may contains tabs (including multiple tabs in succession).
@@ -944,7 +921,7 @@ sub progress_message {
 	    print "${leading}${line}\n";
 	}
 
-	if ( $log_verbosity > 1 ) {
+	if ( $log_verbose > 1 ) {
 	    our @localtime;
 
 	    @localtime = localtime unless $havelocaltime; 
@@ -958,12 +935,12 @@ sub progress_message {
 sub progress_message_nocompress {
     my $havelocaltime = 0;
 
-    if ( $verbosity > 1 ) {
+    if ( $verbose > 1 ) {
 	timestamp, $havelocaltime = 1 if $timestamp;
 	print "@_\n";
     }
 
-    if ( $log_verbosity > 1 ) {
+    if ( $log_verbose > 1 ) {
 	our @localtime;
 
 	@localtime = localtime unless $havelocaltime; 
@@ -974,17 +951,17 @@ sub progress_message_nocompress {
 }
 
 #
-# Write a message if $verbosity >= 1
+# Write a message if $verbose >= 1
 #
 sub progress_message2 {
     my $havelocaltime = 0;
 
-    if ( $verbosity > 0 ) {
+    if ( $verbose > 0 ) {
 	timestamp, $havelocaltime = 1 if $timestamp;
 	print "@_\n";
     }
 
-    if ( $log_verbosity > 0 ) {
+    if ( $log_verbose > 0 ) {
 	our @localtime;
 
 	@localtime = localtime unless $havelocaltime; 
@@ -995,17 +972,17 @@ sub progress_message2 {
 }
 
 #
-# Write a message if $verbosity >= 0
+# Write a message if $verbose >= 0
 #
 sub progress_message3 {
     my $havelocaltime = 0;
 
-    if ( $verbosity >= 0 ) {
+    if ( $verbose >= 0 ) {
 	timestamp, $havelocaltime = 1 if $timestamp;
 	print "@_\n";
     }
 
-    if ( $log_verbosity >= 0 ) {
+    if ( $log_verbose >= 0 ) {
 	our @localtime;
 
 	@localtime = localtime unless $havelocaltime;
@@ -1040,12 +1017,12 @@ sub pop_indent() {
 }
 
 #
-# Functions for copying files into the script
+# Functions for copying files into the object
 #
 sub copy( $ ) {
-    assert( $script_enabled );
+    assert( $object_enabled );
 
-    if ( $script ) {
+    if ( $object ) {
 	my $file = $_[0];
 
 	open IF , $file or fatal_error "Unable to open $file: $!";
@@ -1053,7 +1030,7 @@ sub copy( $ ) {
 	while ( <IF> ) {
 	    chomp;
 	    if ( /^\s*$/ ) {
-		print $script "\n" unless $lastlineblank;
+		print $object "\n" unless $lastlineblank;
 		$lastlineblank = 1;
 	    } else {
 		if  ( $indent ) {
@@ -1061,8 +1038,8 @@ sub copy( $ ) {
 		    s/        /\t/ if $indent2;
 		}
 
-		print $script $_;
-		print $script "\n";
+		print $object $_;
+		print $object "\n";
 		$lastlineblank = 0;
 	    }
 	}
@@ -1075,11 +1052,11 @@ sub copy( $ ) {
 # This one handles line continuation and 'here documents'
 
 sub copy1( $ ) {
-    assert( $script_enabled );
+    assert( $object_enabled );
 
     my $result = 0;
 
-    if ( $script ) {
+    if ( $object ) {
 	my $file = $_[0];
 
 	open IF , $file or fatal_error "Unable to open $file: $!";
@@ -1090,8 +1067,8 @@ sub copy1( $ ) {
 	    chomp;
 
 	    if ( /^${here_documents}\s*$/ ) {
-		print $script $here_documents if $here_documents;
-		print $script "\n";
+		print $object $here_documents if $here_documents;
+		print $object "\n";
 		$do_indent = 1;
 		$here_documents = '';
 		next;
@@ -1102,8 +1079,8 @@ sub copy1( $ ) {
 		s/^(\s*)/$indent1$1$indent2/;
 		s/        /\t/ if $indent2;
 		$do_indent = 0;
-		print $script $_;
-		print $script "\n";
+		print $object $_;
+		print $object "\n";
 		$result = 1;
 		next;
 	    }
@@ -1113,8 +1090,8 @@ sub copy1( $ ) {
 		s/        /\t/ if $indent2;
 	    }
 
-	    print $script $_;
-	    print $script "\n";
+	    print $object $_;
+	    print $object "\n";
 	    $do_indent = ! ( $here_documents || /\\$/ );
 
 	    $result = 1 unless $result || /^\s*$/ || /^\s*#/;
@@ -1129,38 +1106,38 @@ sub copy1( $ ) {
 }
 
 #
-# Create the temporary script file -- the passed file name is the name of the final file.
+# Create the temporary object file -- the passed file name is the name of the final file.
 # We create a temporary file in the same directory so that we can use rename to finalize it.
 #
-sub create_temp_script( $$ ) {
-    my ( $scriptfile, $export ) = @_;
+sub create_temp_object( $$ ) {
+    my ( $objectfile, $export ) = @_;
     my $suffix;
 
-    if ( $scriptfile eq '-' ) {
-	$verbosity = -1;
-	$script = undef;
-	open( $script, '>&STDOUT' ) or fatal_error "Open of STDOUT failed";
+    if ( $objectfile eq '-' ) {
+	$verbose = -1;
+	$object = undef;
+	open( $object, '>&STDOUT' ) or fatal_error "Open of STDOUT failed";
 	$file = '-';
 	return 1;
     }
 
     eval {
-	( $file, $dir, $suffix ) = fileparse( $scriptfile );
+	( $file, $dir, $suffix ) = fileparse( $objectfile );
     };
 
-    cleanup, die if $@;
+    die if $@;
 
     fatal_error "$dir is a Symbolic Link"        if -l $dir;
     fatal_error "Directory $dir does not exist"  unless -d _;
     fatal_error "Directory $dir is not writable" unless -w _;
-    fatal_error "$scriptfile is a Symbolic Link" if -l $scriptfile;
-    fatal_error "$scriptfile is a Directory"     if -d _;
-    fatal_error "$scriptfile exists and is not a compiled script" if -e _ && ! -x _;
+    fatal_error "$objectfile is a Symbolic Link" if -l $objectfile;
+    fatal_error "$objectfile is a Directory"     if -d _;
+    fatal_error "$objectfile exists and is not a compiled script" if -e _ && ! -x _;
     fatal_error "An exported \u$globals{PRODUCT} compiled script may not be named '$globals{PRODUCT}'" if $export && "$file" eq $globals{PRODUCT} && $suffix eq '';
 
     eval {
 	$dir = abs_path $dir unless $dir =~ m|^/|; # Work around http://rt.cpan.org/Public/Bug/Display.html?id=13851
-	( $script, $tempfile ) = tempfile ( 'tempfileXXXX' , DIR => $dir );
+	( $object, $tempfile ) = tempfile ( 'tempfileXXXX' , DIR => $dir );
     };
 
     fatal_error "Unable to create temporary file in directory $dir" if $@;
@@ -1172,12 +1149,12 @@ sub create_temp_script( $$ ) {
 }
 
 #
-# Finalize the script file
+# Finalize the object file
 #
-sub finalize_script( $ ) {
+sub finalize_object( $ ) {
     my $export = $_[0];
-    close $script;
-    $script = 0;
+    close $object;
+    $object = 0;
 
     if ( $file ne '-' ) {
 	rename $tempfile, $file or fatal_error "Cannot Rename $tempfile to $file: $!";
@@ -1191,34 +1168,34 @@ sub finalize_script( $ ) {
 #
 sub create_temp_aux_config() {
     eval {
-	( $script, $tempfile ) = tempfile ( 'tempfileXXXX' , DIR => $dir );
+	( $object, $tempfile ) = tempfile ( 'tempfileXXXX' , DIR => $dir );
     };
 
-    cleanup, die if $@;
+    die if $@;
 }
 
 #
 # Finalize the aux config file.
 #
 sub finalize_aux_config() {
-    close $script;
-    $script = 0;
+    close $object;
+    $object = 0;
     rename $tempfile, "$file.conf" or fatal_error "Cannot Rename $tempfile to $file.conf: $!";
     progress_message3 "Shorewall configuration compiled to $file";
 }
 
 #
-# Enable writes to the script file
+# Enable writes to the object file
 #
-sub enable_script() {
-    $script_enabled = 1;
+sub enable_object() {
+    $object_enabled = 1;
 }
 
 #
-# Disable writes to the script file
+# Disable writes to the object file
 #
-sub disable_script() {
-    $script_enabled = 0;
+sub disable_object() {
+    $object_enabled = 0;
 }
 
 #
@@ -1429,25 +1406,20 @@ sub pop_open() {
     pop_include;
 }
 
-#
-# This function is called by in-line PERL to generate a line of input for the current file.
-# If the in-line PERL returns an indication of success, then the generated lines will be
-# processed as regular file input.
-#
 sub shorewall {
-    unless ( $perlscript ) {
+    unless ( $scriptfile ) {
 	fatal_error "shorewall() may not be called in this context" unless $currentfile;
 
 	$dir ||= '/tmp/';
 
 	eval {
-	    ( $perlscript, $perlscriptname ) = tempfile ( 'perlscriptXXXX' , DIR => $dir );
+	    ( $scriptfile, $scriptfilename ) = tempfile ( 'scriptfileXXXX' , DIR => $dir );
 	};
 
 	fatal_error "Unable to create temporary file in directory $dir" if $@;
     }
 
-    print $perlscript "@_\n";
+    print $scriptfile "@_\n";
 }
 
 #
@@ -1549,21 +1521,21 @@ sub embedded_perl( $ ) {
 	fatal_error "Perl Script Returned False";
     }
 
-    if ( $perlscript ) {
+    if ( $scriptfile ) {
 	fatal_error "INCLUDEs nested too deeply" if @includestack >= 4;
 
-	close $perlscript or assert(0);
+	close $scriptfile or assert(0);
 
-	$perlscript = undef;
+	$scriptfile = undef;
 
 	push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ];
 	$currentfile = undef;
 
-	open $currentfile, '<', $perlscriptname or fatal_error "Unable to open Perl Script $perlscriptname";
+	open $currentfile, '<', $scriptfilename or fatal_error "Unable to open Perl Script $scriptfilename";
 
-	push @tempfiles, $perlscriptname unless unlink $perlscriptname; #unlink fails on Cygwin
+	push @tempfiles, $scriptfilename unless unlink $scriptfilename; #unlink fails on Cygwin
 
-	$perlscriptname = '';
+	$scriptfilename = '';
 
 	$currentfilename = "PERL\@$currentfilename:$linenumber";
 	$currentline = '';
@@ -1598,16 +1570,11 @@ sub read_a_line() {
 	    #
 	    s/^\s*// if $currentline =~ /[,:]$/;
 	    #
-	    # If this isn't a continued line, remove trailing comments. Note that
-	    # the result may now end in '\'.
-	    #
-	    s/\s*#.*$// unless /\\$/;
-	    #
 	    # Continuation
 	    #
 	    chop $currentline, next if substr( ( $currentline .= $_ ), -1, 1 ) eq '\\';
 	    #
-	    # Now remove concatinated comments
+	    # Remove Trailing Comments -- result might be a blank line
 	    #
 	    $currentline =~ s/#.*$//;
 	    #
@@ -1618,10 +1585,6 @@ sub read_a_line() {
 	    # Line not blank -- Handle any first-entry message/capabilities check
 	    #
 	    if ( $first_entry ) {
-		#
-		# $first_entry can contain either a function reference or a message. If it
-		# contains a reference, call the function -- otherwise issue the message
-		#
 		reftype( $first_entry ) ? $first_entry->() : progress_message2( $first_entry );
 		$first_entry = 0;
 	    }
@@ -1845,8 +1808,8 @@ sub check_trivalue( $$ ) {
 sub report_capability( $ ) {
     my $cap = $_[0];
     print "   $capdesc{$cap}: ";
-    if ( $cap eq 'CAPVERSION' || $cap eq 'KERNELVERSION') {
-	my $version = $capabilities{$cap};
+    if ( $cap eq 'CAPVERSION' ) {
+	my $version = $capabilities{CAPVERSION};
 	printf "%d.%d.%d\n", int( $version / 10000 ) , int ( ( $version % 10000 ) / 100 ) , int ( $version % 100 );
     } else {
 	print $capabilities{$cap} ? "Available\n" : "Not Available\n";
@@ -1854,7 +1817,7 @@ sub report_capability( $ ) {
 }
 
 sub report_capabilities() {
-    if ( $verbosity > 1 ) {
+    if ( $verbose > 1 ) {
 	print "Shorewall has detected the following capabilities:\n";
 
 	for my $cap ( sort { $capdesc{$a} cmp $capdesc{$b} } keys %capabilities ) {
@@ -1909,7 +1872,7 @@ sub load_kernel_modules( ) {
 
 	close LSMOD;
 
-	$config{MODULE_SUFFIX} = 'o gz ko o.gz ko.gz' unless $config{MODULE_SUFFIX};
+	$config{MODULE_SUFFIX} = 'o gz ko o.gz ko.gz' unless $config{MODULES_SUFFIX};
 
 	my @suffixes = split /\s+/ , $config{MODULE_SUFFIX};
 
@@ -1948,19 +1911,6 @@ sub qt1( $ ) {
     $? == 0;
 }
 
-#
-# Get the current kernel version
-#
-sub determine_kernelversion() {
-    my $kernelversion=`uname -r`;
-
-    if ( $kernelversion =~ /^(\d+)\.(\d+).(\d+)/ ) {
-	$capabilities{KERNELVERSION} = sprintf "%d%02d%02d", $1 , $2 , $3;
-    } else {
-	fatal_error "Inrecognized Kernel Version Format ($kernelversion)";
-    }
-}
-
 #
 # Determine which optional facilities are supported by iptables/netfilter
 #
@@ -1973,14 +1923,6 @@ sub determine_capabilities( $ ) {
 
     $capabilities{NAT_ENABLED}    = qt1( "$iptables -t nat -L -n" ) if $family == F_IPV4;
 
-    if ( $capabilities{NAT_ENABLED} ) {
-	if ( qt1( "$iptables -t nat -N $sillyname" ) ) {
-	    $capabilities{PERSISTENT_SNAT} = qt1( "$iptables -t nat -A $sillyname -j SNAT --to-source 1.2.3.4 --persistent" );
-	    qt1( "$iptables -t NAT -F $sillyname" );
-	    qt1( "$iptables -t NAT -X $sillyname" );
-	}
-    }
-
     $capabilities{MANGLE_ENABLED} = qt1( "$iptables -t mangle -L -n" );
 
     qt1( "$iptables -N $sillyname" );
@@ -2043,24 +1985,9 @@ sub determine_capabilities( $ ) {
     $capabilities{IPP2P_MATCH}     = qt1( "$iptables -A $sillyname -p tcp -m ipp2p --edk -j ACCEPT" );
     $capabilities{OLD_IPP2P_MATCH} = qt1( "$iptables -A $sillyname -p tcp -m ipp2p --ipp2p -j ACCEPT" ) if $capabilities{IPP2P_MATCH};
     $capabilities{LENGTH_MATCH}    = qt1( "$iptables -A $sillyname -m length --length 10:20 -j ACCEPT" );
-    
-    if ( $family == F_IPV6 ) {
-	$capabilities{ENHANCED_REJECT} = qt1( "$iptables -A $sillyname -j REJECT --reject-with icmp6-adm-prohibited" );
-    } else {
-	$capabilities{ENHANCED_REJECT} = qt1( "$iptables -A $sillyname -j REJECT --reject-with icmp-host-prohibited" );
-    }
-
+    $capabilities{ENHANCED_REJECT} = qt1( "$iptables -A $sillyname -j REJECT --reject-with icmp6-admt-prohibited" );
     $capabilities{COMMENTS}        = qt1( qq($iptables -A $sillyname -j ACCEPT -m comment --comment "This is a comment" ) );
 
-    $capabilities{HASHLIMIT_MATCH} = qt1( "$iptables -A $sillyname -m hashlimit --hashlimit-upto 3/min --hashlimit-burst 3 --hashlimit-name $sillyname --hashlimit-mode srcip -j ACCEPT" );
-
-    if ( $capabilities{HASHLIMIT_MATCH} ) {
-	$capabilities{OLD_HL_MATCH} = '';
-    } else {
-	$capabilities{OLD_HL_MATCH} = qt1( "$iptables -A $sillyname -m hashlimit --hashlimit 3/min --hashlimit-burst 3 --hashlimit-name $sillyname --hashlimit-mode srcip -j ACCEPT" );
-	$capabilities{HASHLIMIT_MATCH} = $capabilities{OLD_HL_MATCH};
-    }
-
     if  ( $capabilities{MANGLE_ENABLED} ) {
 	qt1( "$iptables -t mangle -N $sillyname" );
 
@@ -2105,6 +2032,7 @@ sub determine_capabilities( $ ) {
     $capabilities{USEPKTTYPE}      = qt1( "$iptables -A $sillyname -m pkttype --pkt-type broadcast -j ACCEPT" );
     $capabilities{ADDRTYPE}        = qt1( "$iptables -A $sillyname -m addrtype --src-type BROADCAST -j ACCEPT" );
     $capabilities{TCPMSS_MATCH}    = qt1( "$iptables -A $sillyname -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT" );
+    $capabilities{HASHLIMIT_MATCH} = qt1( "$iptables -A $sillyname -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name fooX1234 --hashlimit-mode dstip -j ACCEPT" );
     $capabilities{NFQUEUE_TARGET}  = qt1( "$iptables -A $sillyname -j NFQUEUE --queue-num 4" );
     $capabilities{REALM_MATCH}     = qt1( "$iptables -A $sillyname -m realm --realm 1" );
     $capabilities{HELPER_MATCH}    = qt1( "$iptables -A $sillyname -m helper --helper \"ftp\"" );
@@ -2120,8 +2048,6 @@ sub determine_capabilities( $ ) {
     qt1( "$iptables -X $sillyname1" );
 
     $capabilities{CAPVERSION} = $globals{CAPVERSION};
-
-    determine_kernelversion;
 }
 
 #
@@ -2237,11 +2163,6 @@ sub read_capabilities() {
     } else {
 	warning_message "Your capabilities file may not contain all of the capabilities defined by $Product version $globals{VERSION}";
     }
-
-    unless ( $capabilities{KERNELVERSION} ) {
-	warning_message "Your capabilities file does not contain a Kernel Version -- using 2.6.30";
-	$capabilities{KERNELVERSION} = 20630;
-    }
 }
 
 #
@@ -2291,14 +2212,6 @@ sub unsupported_yes_no( $ ) {
     fatal_error "$option=Yes is not supported by Shorewall $globals{VERSION}" if $config{$option};
 }
 
-sub unsupported_yes_no_warning( $ ) {
-    my $option = shift;
-
-    default_yes_no $option, '';
-
-    warning_message "$option=Yes is not supported by Shorewall $globals{VERSION}" if $config{$option};
-}
-
 #
 # - Read the shorewall.conf file
 # - Read the capabilities file, if any
@@ -2349,26 +2262,7 @@ sub get_configuration( $ ) {
     }
 
     check_trivalue ( 'IP_FORWARDING', 'on' );
-    
-    my $val;
-
-    if ( $capabilities{KERNELVERSION} < 20631 ) {
-	check_trivalue ( 'ROUTE_FILTER',  '' );
-    } else {
-	$val = $capabilities{ROUTE_FILTER};
-	if ( defined $val ) {
-	    if ( $val =~ /\d+/ ) {
-		fatal_error "Invalid value ($val) for ROUTE_FILTER" unless $val < 3;
-	    } else {
-		check_trivalue( 'ROUTE_FILTER', '' );
-	    }
-	}
-    }
-
-    if ( $family == F_IPV6 ) {
-	$val = $capabilities{ROUTE_FILTER};	
-	fatal_error "ROUTE_FILTER=$val is not supported in IPv6" unless $val eq 'off' || $val eq '';
-    }
+    check_trivalue ( 'ROUTE_FILTER',  '' );    fatal_error "ROUTE_FILTER=On is not supported in IPv6" if $config{ROUTE_FILTER} eq 'on' && $family == F_IPV6; 
 
     if ( $family == F_IPV4 ) {
 	check_trivalue ( 'LOG_MARTIANS',  'on' );
@@ -2417,14 +2311,14 @@ sub get_configuration( $ ) {
     default_yes_no 'BLACKLISTNEWONLY'           , '';
     default_yes_no 'DISABLE_IPV6'               , '';
 
-    unsupported_yes_no_warning 'DYNAMIC_ZONES';
+    unsupported_yes_no 'DYNAMIC_ZONES';
     unsupported_yes_no 'BRIDGING';
-    unsupported_yes_no_warning 'SAVE_IPSETS';
-    unsupported_yes_no_warning 'RFC1918_STRICT';
+    unsupported_yes_no 'SAVE_IPSETS';
+    unsupported_yes_no 'MAPOLDACTIONS';
+    unsupported_yes_no 'RFC1918_STRICT';
 
     default_yes_no 'STARTUP_ENABLED'            , 'Yes';
     default_yes_no 'DELAYBLACKLISTLOAD'         , '';
-    default_yes_no 'MAPOLDACTIONS'              , 'Yes';
 
     warning_message 'DELAYBLACKLISTLOAD=Yes is not supported by Shorewall ' . $globals{VERSION} if $config{DELAYBLACKLISTLOAD};
 
@@ -2454,13 +2348,6 @@ sub get_configuration( $ ) {
     default_yes_no 'RESTORE_DEFAULT_ROUTE'      , 'Yes';
     default_yes_no 'AUTOMAKE'                   , '';
     default_yes_no 'WIDE_TC_MARKS'              , '';
-    default_yes_no 'TRACK_PROVIDERS'            , '';
-
-    if ( defined ( $val = $config{ZONE2ZONE} ) ) {
-	fatal_error "Invalid ZONE2ZONE value ( $val )" unless $val =~ /^[2-]$/;
-    } else {
-	$config{ZONE2ZONE} = '2';
-    }
 
     $capabilities{XCONNMARK} = '' unless $capabilities{XCONNMARK_MATCH} and $capabilities{XMARK};
 
@@ -2476,6 +2363,8 @@ sub get_configuration( $ ) {
     default_log_level 'SMURF_LOG_LEVEL',     '';
     default_log_level 'LOGALLNEW',           '';
 
+    my $val;
+
     $globals{MACLIST_TARGET} = 'reject';
 
     if ( $val = $config{MACLIST_DISPOSITION} ) {
@@ -2534,8 +2423,7 @@ sub get_configuration( $ ) {
     default 'ACCEPT_DEFAULT'        , 'none';
     default 'OPTIMIZE'              , 0;
 
-    fatal_error 'IPSECFILE=ipsec is not supported by Shorewall ' . $globals{VERSION} if $config{IPSECFILE} eq 'ipsec';
-    fatal_error "Invalid IPSECFILE value ($config{IPSECFILE}"                    unless $config{IPSECFILE} eq 'zones';
+    fatal_error 'IPSECFILE=ipsec is not supported by Shorewall ' . $globals{VERSION} unless $config{IPSECFILE} eq 'zones';
 
     for my $default qw/DROP_DEFAULT REJECT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT ACCEPT_DEFAULT/ {
 	$config{$default} = 'none' if "\L$config{$default}" eq 'none';
@@ -2545,6 +2433,7 @@ sub get_configuration( $ ) {
 
     fatal_error "Invalid OPTIMIZE value ($val)" unless ( $val eq '0' ) || ( $val eq '1' );
 
+    fatal_error "Invalid IPSECFILE value ($config{IPSECFILE}" unless $config{IPSECFILE} eq 'zones';
 
     $globals{MARKING_CHAIN} = $config{MARK_IN_FORWARD_CHAIN} ? 'tcfor' : 'tcpre';
 
@@ -2577,7 +2466,7 @@ sub get_configuration( $ ) {
 	    ( $file, $dir, $suffix ) = fileparse( $config{LOCKFILE} );
 	};
 
-	cleanup, die $@ if $@;
+	die $@ if $@;
 
 	fatal_error "LOCKFILE=$config{LOCKFILE}: Directory $dir does not exist" unless $export or -d $dir;
     } else {
@@ -2586,13 +2475,18 @@ sub get_configuration( $ ) {
 }
 
 #
-# The values of the options in @propagateconfig are copied to the script file in OPTION=<value> format.
+# The values of the options in @propagateconfig are copied to the object file in OPTION=<value> format.
 #
 sub propagateconfig() {
     for my $option ( @propagateconfig ) {
 	my $value = $config{$option} || '';
 	emit "$option=\"$value\"";
     }
+
+    for my $option ( @propagateenv ) {
+	my $value = $globals{$option} || '';
+	emit "$option=\"$value\"";
+    }
 }
 
 #
@@ -2747,7 +2641,18 @@ sub generate_aux_config() {
 }
 
 END {
-    cleanup;
+    #
+    # Close files first in case we're running under Cygwin
+    #
+    close  $object         if $object;
+    close  $scriptfile     if $scriptfile;
+    close  $log            if $log;
+    #
+    # Unlink temporary files
+    #
+    unlink $tempfile       if $tempfile;
+    unlink $scriptfilename if $scriptfilename;
+    unlink $_ for @tempfiles; 
 }
 
 1;

Shorewall/Perl/Shorewall/IPAddrs.pm

@@ -34,10 +34,10 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( ALLIPv4
                   ALLIPv6
-	          IPv4_MULTICAST
 	          IPv6_MULTICAST
 	          IPv6_LINKLOCAL
 	          IPv6_SITELOCAL
+	          IPv6_LINKLOCAL
 	          IPv6_LOOPBACK
 	          IPv6_LINK_ALLNODES
 	          IPv6_LINK_ALLRTRS
@@ -72,27 +72,21 @@ our @EXPORT = qw( ALLIPv4
 		  validate_icmp6
 		 );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.4_5';
+our $VERSION = '4.3_7';
 
 #
 # Some IPv4/6 useful stuff
 #
 our @allipv4 = ( '0.0.0.0/0' );
 our @allipv6 = ( '::/0' );
-our $allip;
-our @allip;
-our $valid_address;
-our $validate_address;
-our $validate_net;
-our $validate_range;
-our $validate_host;
+our $family;
 
 use constant { ALLIPv4             => '0.0.0.0/0' ,
 	       ALLIPv6             => '::/0' ,
-	       IPv4_MULTICAST      => '224.0.0.0/4' ,
 	       IPv6_MULTICAST      => 'FF00::/10' ,
 	       IPv6_LINKLOCAL      => 'FF80::/10' ,
 	       IPv6_SITELOCAL      => 'FFC0::/10' ,
+	       IPv6_LINKLOCAL      => 'FF80::/10' ,
 	       IPv6_LOOPBACK       => '::1' ,
 	       IPv6_LINK_ALLNODES  => 'FF01::1' ,
 	       IPv6_LINK_ALLRTRS   => 'FF01::2' ,
@@ -107,10 +101,23 @@ use constant { ALLIPv4             => '0.0.0.0/0' ,
 
 our @rfc1918_networks = ( "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" );
 
+#
+# Initialize globals -- we take this novel approach to globals initialization to allow
+#                       the compiler to run multiple times in the same process. The
+#                       initialize() function does globals initialization for this
+#                       module and is called from an INIT block below. The function is
+#                       also called by Shorewall::Compiler::compiler at the beginning of
+#                       the second and subsequent calls to that function.
+#
+
+sub initialize( $ ) {
+    $family = shift;
+}
+
+INIT {
+    initialize( F_IPV4 );
+}
 
-#
-# Note: initialize() is declared at the bottom of the file
-#
 sub vlsm_to_mask( $ ) {
     my $vlsm = $_[0];
 
@@ -302,7 +309,7 @@ sub validate_port( $$ ) {
     my $value;
 
     if ( $port =~ /^(\d+)$/ ) {
-	return $port if $port && $port <= 65535;
+	return $port if $port <= 65535;
     } else {
 	$proto = proto_name $proto if $proto =~ /^(\d+)$/;
 	$value = getservbyname( $port, $proto );
@@ -391,6 +398,7 @@ my %icmp_types = ( any                          => 'any',
 		   'address-mask-reply'         => 18 );
 
 sub validate_icmp( $ ) {
+    fatal_error "IPv4 ICMP not allowed in an IPv6 Rule" unless $family == F_IPV4;
 
     my $type = $_[0];
 
@@ -476,7 +484,6 @@ sub valid_6address( $ ) {
 	return 0 unless valid_4address pop @address;
 	$max = 6;
 	$address = join ':', @address;
-	return 1 if @address eq ':';
     } else {
 	$max = 8;
     }
@@ -485,16 +492,16 @@ sub valid_6address( $ ) {
     return 0 unless ( @address == $max ) || $address =~ /::/;
     return 0 if $address =~ /:::/ || $address =~ /::.*::/;
 
-    unless ( $address =~ /^::/ ) {
-	return 0 if $address =~ /^:/;
+    if ( $address =~ /^:/ ) {
+	unless ( $address eq '::' ) {
+	    return 0 if $address =~ /:$/ || $address =~ /^:.*::/;
 	}
-
-    unless ( $address =~ /::$/  ) {
-	return 0 if $address =~ /:$/;
+    } elsif ( $address =~ /:$/ ) {
+	return 0 if $address =~ /::.*:$/;
     }
 
     for my $a ( @address ) {
-	return 0 unless $a eq '' || ( $a =~ /^[a-fA-f\d]+$/ && length $a < 5 );
+	return 0 unless $a eq '' || ( $a =~ /^[a-fA-f\d]+$/ && oct "0x$a" < 65536 );
     }
 
     1;
@@ -543,27 +550,13 @@ sub validate_6net( $$ ) {
 sub normalize_6addr( $ ) {
     my $addr = shift;
 
-    if ( $addr eq '::' ) {
-	'0:0:0:0:0:0:0:0';
-    } else {
-	#
-	# Suppress leading zeros
-	#
-	$addr =~ s/^0+//;
-	$addr =~ s/:0+/:/g;
-	$addr =~ s/^:/0:/;
-	$addr =~ s/:$/:0/;
+    while ( $addr =~ tr/:/:/ < 6 ) {
+	$addr =~ s/::/:0::/;
+    }
 
-	$addr =~ s/::/:0::/ while $addr =~ tr/:/:/ < 7;
-	#
-	# Note: "s/::/:0:/g" doesn't work here
-	#
-	1 while $addr =~ s/::/:0:/;
-
-	$addr =~ s/^0+:/0:/;
+    $addr =~ s/::/:0:/;
 
     $addr;
-    }
 }
 
 sub validate_6range( $$ ) {
@@ -587,7 +580,7 @@ sub validate_6range( $$ ) {
 }
 
 sub validate_6host( $$ ) {
-    my ( $host, $allow_name )  = @_;
+    my ( $host, $allow_name )  = $_[0];
 
     if ( $host =~ /^(.*:.*)-(.*:.*)$/ ) {
 	validate_6range $1, $2;
@@ -621,6 +614,7 @@ my %ipv6_icmp_types = ( any                          => 'any',
 
 
 sub validate_icmp6( $ ) {
+    fatal_error "IPv6 ICMP not allowed in an IPv4 Rule" unless $family == F_IPV6;
     my $type = $_[0];
 
     my $value = $ipv6_icmp_types{$type};
@@ -635,63 +629,31 @@ sub validate_icmp6( $ ) {
 }
 
 sub ALLIP() {
-    $allip;
+    $family == F_IPV4 ? ALLIPv4 : ALLIPv6;
 }
 
 sub allip() {
-    @allip;
+    $family == F_IPV4 ? ALLIPv4 : ALLIPv6;
 }    
 
 sub valid_address ( $ ) {
-    $valid_address->(@_);
+    $family == F_IPV4 ? valid_4address( $_[0] ) :  valid_6address( $_[0] );
 }
 
 sub validate_address ( $$ ) {
-    $validate_address->(@_);
+    $family == F_IPV4 ? validate_4address( $_[0], $_[1] ) :  validate_6address( $_[0], $_[1] );
 }
 
 sub validate_net ( $$ ) {
-    $validate_net->(@_);
+    $family == F_IPV4 ? validate_4net( $_[0], $_[1] ) :  validate_6net( $_[0], $_[1] );
 }
 
 sub validate_range ($$ ) { 
-    $validate_range->(@_);
+    $family == F_IPV4 ? validate_4range( $_[0], $_[1] ) :  validate_6range( $_[0], $_[1] );
 }
 
 sub validate_host ($$ ) { 
-    $validate_host->(@_);
-}
-
-#
-# Rather than initializing globals in an INIT block or during declaration,
-# we initialize them in a function. This is done for two reasons:
-#
-#   1. Proper initialization depends on the address family which isn't
-#      known until the compiler has started.
-#
-#   2. The compiler can run multiple times in the same process so it has to be
-#      able to re-initialize its dependent modules' state.
-#
-sub initialize( $ ) {
-    my $family = shift;
-
-    if ( $family == F_IPV4 ) {
-	$allip            = ALLIPv4;
-	@allip            = @allipv4;
-	$valid_address    = \&valid_4address;
-	$validate_address = \&validate_4address;
-	$validate_net     = \&validate_4net;
-	$validate_range   = \&validate_4range;
-	$validate_host    = \&validate_4host;
-    } else {
-	$allip            = ALLIPv6;
-	@allip            = @allipv6;
-	$valid_address    = \&valid_6address;
-	$validate_address = \&validate_6address;
-	$validate_net     = \&validate_6net;
-	$validate_range   = \&validate_6range;
-	$validate_host    = \&validate_6host;
-    }
+    $family == F_IPV4 ? validate_4host( $_[0], $_[1] ) :  validate_6host( $_[0], $_[1] );
 }
 
 1;

Shorewall/Perl/Shorewall/Nat.pm

@@ -29,6 +29,7 @@ use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::IPAddrs;
 use Shorewall::Zones;
 use Shorewall::Chains qw(:DEFAULT :internal);
+use Shorewall::IPAddrs;
 use Shorewall::Providers qw( lookup_provider );
 
 use strict;
@@ -36,19 +37,29 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses );
 our @EXPORT_OK = ();
-our $VERSION = '4.4_4';
+our $VERSION = '4.3_7';
 
 our @addresses_to_add;
 our %addresses_to_add;
 
 #
-# Called by the compiler
+# Initialize globals -- we take this novel approach to globals initialization to allow
+#                       the compiler to run multiple times in the same process. The
+#                       initialize() function does globals initialization for this
+#                       module and is called from an INIT block below. The function is
+#                       also called by Shorewall::Compiler::compiler at the beginning of
+#                       the second and subsequent calls to that function.
 #
+
 sub initialize() {
     @addresses_to_add = ();
     %addresses_to_add = ();
 }
 
+INIT {
+    initialize;
+}
+
 #
 # Handle IPSEC Options in a masq record
 #
@@ -167,6 +178,7 @@ sub process_one_masq( )
     # Handle Protocol and Ports
     #
     $baserule .= do_proto $proto, $ports, '';
+
     #
     # Handle Mark
     #
@@ -195,7 +207,7 @@ sub process_one_masq( )
 	fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
 
 	unless ( $interfaceref->{root} ) {
-	    $rule .= match_dest_dev( $interface );
+	    $rule .= "-o $interface ";
 	    $interface = $interfaceref->{name};
 	}
 
@@ -204,7 +216,6 @@ sub process_one_masq( )
 	my $detectaddress = 0;
 	my $exceptionrule = '';
 	my $randomize     = '';
-	my $persistent    = '';
 	#
 	# Parse the ADDRESSES column
 	#
@@ -212,11 +223,8 @@ sub process_one_masq( )
 	    if ( $addresses eq 'random' ) {
 		$randomize = '--random ';
 	    } else {
-		$addresses =~ s/:persistent$// and $persistent = '--persistent ';
 		$addresses =~ s/:random$// and $randomize = '--random ';
 
-		require_capability 'PERSISTENT_SNAT', ':persistent', 's' if $persistent;
-
 		if ( $addresses =~ /^SAME/ ) {
 		    fatal_error "The SAME target is no longer supported";
 		} elsif ( $addresses eq 'detect' ) {
@@ -239,11 +247,7 @@ sub process_one_masq( )
 			if ( $addr =~ /^.*\..*\..*\./ ) {
 			    $target = '-j SNAT ';
 			    my ($ipaddr, $rest) = split ':', $addr;
-			    if ( $ipaddr =~ /^(.+)-(.+)$/ ) {
-				validate_range( $1, $2 );
-			    } else {
 			    validate_address $ipaddr, 0;
-			    }
 			    $addrlist .= "--to-source $addr ";
 			    $exceptionrule = do_proto( $proto, '', '' ) if $addr =~ /:/;
 			} else {
@@ -258,7 +262,6 @@ sub process_one_masq( )
 	    }
 
 	    $target .= $randomize;
-	    $target .= $persistent;
 	} else {
 	    $add_snat_aliases = 0;
 	}
@@ -290,6 +293,7 @@ sub process_one_masq( )
 		next if $addrs eq 'detect';
 		for my $addr ( ip_range_explicit $addrs ) {
 		    unless ( $addresses_to_add{$addr} ) {
+			emit "del_ip_addr $addr $interface" unless $config{RETAIN_ALIASES};
 			$addresses_to_add{$addr} = 1;
 			if ( defined $alias ) {
 			    push @addresses_to_add, $addr, "$interface:$alias";
@@ -367,8 +371,8 @@ sub do_one_nat( $$$$$ )
     fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
 
     unless ( $interfaceref->{root} ) {
-	$rulein  = match_source_dev $interface;
-	$ruleout = match_dest_dev $interface;
+	$rulein  = "-i $interface ";
+	$ruleout = "-o $interface ";
 	$interface = $interfaceref->{name};
     }
 
@@ -460,8 +464,8 @@ sub setup_netmap() {
 	    fatal_error "Unknown interface ($interface)" unless my $interfaceref = find_interface( $interface );
 
 	    unless ( $interfaceref->{root} ) {
-		$rulein  = match_source_dev $interface;
-		$ruleout = match_dest_dev $interface;
+		$rulein  = "-i $interface ";
+		$ruleout = "-o $interface ";
 		$interface = $interfaceref->{name};
 	    }
 
@@ -481,13 +485,12 @@ sub setup_netmap() {
 
 sub add_addresses () {
     if ( @addresses_to_add ) {
-	my @addrs = @addresses_to_add;
 	my $arg = '';
 	my $addresses = 0;
 
-	while ( @addrs ) {
-	    my $addr      = shift @addrs;
-	    my $interface = shift @addrs;
+	while ( @addresses_to_add ) {
+	    my $addr      = shift @addresses_to_add;
+	    my $interface = shift @addresses_to_add;
 	    $arg = "$arg $addr $interface";
 	    unless ( $config{RETAIN_ALIASES} ) {
 		emit '' unless $addresses++;

Shorewall/Perl/Shorewall/Policy.pm

@@ -32,21 +32,31 @@ use Shorewall::Actions;
 use strict;
 
 our @ISA = qw(Exporter);
-our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain setup_syn_flood_chains save_policies );
+our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain setup_syn_flood_chains );
 our @EXPORT_OK = qw(  );
-our $VERSION = '4.4_4';
+our $VERSION = '4.3_7';
 
 # @policy_chains is a list of references to policy chains in the filter table
 
 our @policy_chains;
 
 #
-# Called by the compiler
+# Initialize globals -- we take this novel approach to globals initialization to allow
+#                       the compiler to run multiple times in the same process. The
+#                       initialize() function does globals initialization for this
+#                       module and is called from an INIT block below. The function is
+#                       also called by Shorewall::Compiler::compiler at the beginning of
+#                       the second and subsequent calls to that function.
 #
+
 sub initialize() {
     @policy_chains = ();
 }
 
+INIT {
+    initialize;
+}
+
 #
 # Convert a chain into a policy chain.
 #
@@ -68,7 +78,7 @@ sub new_policy_chain($$$$)
 {
     my ($source, $dest, $policy, $optional) = @_;
 
-    my $chainref = new_chain( 'filter', rules_chain( ${source}, ${dest} ) );
+    my $chainref = new_chain( 'filter', "${source}2${dest}" );
 
     convert_to_policy_chain( $chainref, $source, $dest, $policy, $optional );
 
@@ -119,7 +129,7 @@ use constant { OPTIONAL => 1 };
 
 sub add_or_modify_policy_chain( $$ ) {
     my ( $zone, $zone1 ) = @_;
-    my $chain    = rules_chain( ${zone}, ${zone1} );
+    my $chain    = "${zone}2${zone1}";
     my $chainref = $filter_table->{$chain};
 
     if ( $chainref ) {
@@ -211,7 +221,7 @@ sub process_a_policy() {
 	}
     }
 
-    my $chain = rules_chain( ${client}, ${server} );
+    my $chain = "${client}2${server}";
     my $chainref;
 
     if ( defined $filter_table->{$chain} ) {
@@ -252,19 +262,19 @@ sub process_a_policy() {
 	if ( $serverwild ) {
 	    for my $zone ( @zonelist ) {
 		for my $zone1 ( @zonelist ) {
-		    set_policy_chain $client, $server, rules_chain( ${zone}, ${zone1} ), $chainref, $policy;
+		    set_policy_chain $client, $server, "${zone}2${zone1}", $chainref, $policy;
 		    print_policy $zone, $zone1, $policy, $chain;
 		}
 	    }
 	} else {
 	    for my $zone ( all_zones ) {
-		set_policy_chain $client, $server, rules_chain( ${zone}, ${server} ), $chainref, $policy;
+		set_policy_chain $client, $server, "${zone}2${server}", $chainref, $policy;
 		print_policy $zone, $server, $policy, $chain;
 	    }
 	}
     } elsif ( $serverwild ) {
 	for my $zone ( @zonelist ) {
-	    set_policy_chain $client, $server, rules_chain( ${client}, ${zone} ), $chainref, $policy;
+	    set_policy_chain $client, $server, "${client}2${zone}", $chainref, $policy;
 	    print_policy $client, $zone, $policy, $chain;
 	}
 	
@@ -273,21 +283,6 @@ sub process_a_policy() {
     }
 }
 
-sub save_policies() {
-    for my $zone1 ( all_zones ) {
-	for my $zone2 ( all_zones ) {
-	    my $chainref  = $filter_table->{ rules_chain( $zone1, $zone2 ) };
-	    my $policyref = $filter_table->{ $chainref->{policychain} };
-
-	    if ( $policyref->{referenced} ) {
-		emit_unindented "$zone1 \t=>\t$zone2\t" . $policyref->{policy} . ' using chain ' . $policyref->{name};
-	    } elsif ( $zone1 ne $zone2 ) {
-		emit_unindented "$zone1 \t=>\t$zone2\t" . $policyref->{policy};
-	    }
-	}
-    }
-}	    
-
 sub validate_policy()
 {
     our %validpolicies = (
@@ -349,7 +344,7 @@ sub validate_policy()
 
     for $zone ( all_zones ) {
 	for my $zone1 ( all_zones ) {
-	    fatal_error "No policy defined from zone $zone to zone $zone1" unless $filter_table->{rules_chain( ${zone}, ${zone1} )}{policy};
+	    fatal_error "No policy defined from zone $zone to zone $zone1" unless $filter_table->{"${zone}2${zone1}"}{policy};
 	}
     }
 }
@@ -361,7 +356,7 @@ sub policy_rules( $$$$$ ) {
     my ( $chainref , $target, $loglevel, $default, $dropmulticast ) = @_;
 
     unless ( $target eq 'NONE' ) {
-	add_rule $chainref, "-d 224.0.0.0/4 -j RETURN" if $dropmulticast && $target ne 'CONTINUE' && $target ne 'ACCEPT';
+	add_rule $chainref, "-d 224.0.0.0/24 -j RETURN" if $dropmulticast && $target ne 'CONTINUE';
 	add_rule $chainref, "-j $default" if $default && $default ne 'none';
 	log_rule $loglevel , $chainref , $target , '' if $loglevel ne '';
 	fatal_error "Null target in policy_rules()" unless $target;
@@ -424,7 +419,7 @@ sub apply_policy_rules() {
 		ensure_filter_chain $name, 1;
 	    }
 
-	    if ( $name =~ /^all[-2]|[-2]all$/ ) {
+	    if ( $name =~ /^all2|2all$/ ) {
 		run_user_exit $chainref;
 		policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST};
 	    }
@@ -433,7 +428,7 @@ sub apply_policy_rules() {
 
     for my $zone ( all_zones ) {
 	for my $zone1 ( all_zones ) {
-	    my $chainref = $filter_table->{rules_chain( ${zone}, ${zone1} )};
+	    my $chainref = $filter_table->{"${zone}2${zone1}"};
 
 	    if ( $chainref->{referenced} ) {
 		run_user_exit $chainref;
@@ -459,7 +454,7 @@ sub complete_standard_chain ( $$$$ ) {
 
     run_user_exit $stdchainref;
 
-    my $ruleschainref = $filter_table->{rules_chain( ${zone}, ${zone2} ) } || $filter_table->{rules_chain( 'all', 'all' ) };
+    my $ruleschainref = $filter_table->{"${zone}2${zone2}"} || $filter_table->{all2all};
     my ( $policy, $loglevel, $defaultaction ) = ( $default , 6, $config{$default . '_DEFAULT'} );
     my $policychainref;
 

Shorewall/Perl/Shorewall/Proc.pm

@@ -41,7 +41,7 @@ our @EXPORT = qw(
 		 setup_forwarding
 		 );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.4_4';
+our $VERSION = '4.3_12';
 
 #
 # ARP Filtering
@@ -56,35 +56,27 @@ sub setup_arp_filtering() {
 	save_progress_message "Setting up ARP filtering...";
 
 	for my $interface ( @$interfaces ) {
-	    my $value = get_interface_option $interface, 'arp_filter';
-	    my $optional = interface_is_optional $interface;
-                           
-	    $interface = get_physical $interface;
-
 	    my $file = "/proc/sys/net/ipv4/conf/$interface/arp_filter";
+	    my $value = get_interface_option $interface, 'arp_filter';
 
 	    emit ( '',
 		   "if [ -f $file ]; then",
 		   "    echo $value > $file");
 	    emit ( 'else',
-		   "    error_message \"WARNING: Cannot set ARP filtering on $interface\"" ) unless $optional;
+		   "    error_message \"WARNING: Cannot set ARP filtering on $interface\"" ) unless interface_is_optional( $interface );
 	    emit   "fi\n";
 	}
 
 	for my $interface ( @$interfaces1 ) {
-	    my $value = get_interface_option $interface, 'arp_ignore';
-	    my $optional = interface_is_optional $interface;
-                           
-	    $interface = get_physical $interface;
-
 	    my $file  = "/proc/sys/net/ipv4/conf/$interface/arp_ignore";
+	    my $value = get_interface_option $interface, 'arp_ignore';
 
 	    assert( defined $value );
 
 	    emit ( "if [ -f $file ]; then",
 		   "    echo $value > $file");
 	    emit ( 'else',
-		   "    error_message \"WARNING: Cannot set ARP filtering on $interface\"" ) unless $optional;
+		   "    error_message \"WARNING: Cannot set ARP filtering on $interface\"" ) unless interface_is_optional( $interface );
 	    emit   "fi\n";
 	}
     }
@@ -96,18 +88,16 @@ sub setup_arp_filtering() {
 sub setup_route_filtering() {
 
     my $interfaces = find_interfaces_by_option 'routefilter';
-    my $config     = $config{ROUTE_FILTER};
 
-    if ( @$interfaces || $config ) {
+    if ( @$interfaces || $config{ROUTE_FILTER} ) {
 
 	progress_message2 "$doing Kernel Route Filtering...";
 
 	save_progress_message "Setting up Route Filtering...";
 
-	my $val = '';
 
-	if ( $config{ROUTE_FILTER} ne '' ) {
-	    $val = $config eq 'on' ? 1 : $config eq 'off' ? 0 : $config;
+	if ( $config{ROUTE_FILTER} ) {
+	    my $val = $config{ROUTE_FILTER} eq 'on' ? 1 : 0;
 
 	    emit ( 'for file in /proc/sys/net/ipv4/conf/*; do',
 		   "    [ -f \$file/rp_filter ] && echo $val > \$file/rp_filter",
@@ -116,27 +106,23 @@ sub setup_route_filtering() {
 	}
 
 	for my $interface ( @$interfaces ) {
-	    my $value = get_interface_option $interface, 'routefilter';
-	    my $optional = interface_is_optional $interface;
-                           
-	    $interface = get_physical $interface;
-
 	    my $file = "/proc/sys/net/ipv4/conf/$interface/rp_filter";
+	    my $value = get_interface_option $interface, 'routefilter';
 
 	    emit ( "if [ -f $file ]; then" ,
 		   "    echo $value > $file" );
 	    emit ( 'else' ,
-		   "    error_message \"WARNING: Cannot set route filtering on $interface\"" ) unless $optional;
+		   "    error_message \"WARNING: Cannot set route filtering on $interface\"" ) unless interface_is_optional( $interface);
 	    emit   "fi\n";
 	}
 
-	if ( $capabilities{KERNELVERSION} < 20631 ) {
 	emit 'echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter';
-	} elsif ( $val ne '' ) {
-	    emit "echo $val > /proc/sys/net/ipv4/conf/all/rp_filter";
-	}
 
-	emit "echo $val > /proc/sys/net/ipv4/conf/default/rp_filter" if $val ne '';
+	if ( $config{ROUTE_FILTER} eq 'on' ) {
+	    emit 'echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter';
+	} elsif (  $config{ROUTE_FILTER} eq 'off' ) {
+	    emit 'echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter';
+	}
 
 	emit "[ -n \"\$NOROUTES\" ] || \$IP -4 route flush cache";
     }
@@ -167,18 +153,14 @@ sub setup_martian_logging() {
 	}
 
 	for my $interface ( @$interfaces ) {
-	    my $value = get_interface_option $interface, 'logmartians';
-	    my $optional = interface_is_optional $interface;
-                           
-	    $interface = get_physical $interface;
-
 	    my $file = "/proc/sys/net/ipv4/conf/$interface/log_martians";
+	    my $value = get_interface_option $interface, 'logmartians';
 
 	    emit ( "if [ -f $file ]; then" ,
 		   "    echo $value > $file" );
 
 	    emit ( 'else' ,
-		   "    error_message \"WARNING: Cannot set Martian logging on $interface\"") unless $optional;
+		   "    error_message \"WARNING: Cannot set Martian logging on $interface\"") unless interface_is_optional( $interface);
 	    emit   "fi\n";
 	}
     }
@@ -198,17 +180,13 @@ sub setup_source_routing( $ ) {
 	save_progress_message 'Setting up Accept Source Routing...';
 
 	for my $interface ( @$interfaces ) {
-	    my $value = get_interface_option $interface, 'sourceroute';
-	    my $optional = interface_is_optional $interface;
-
-	    $interface = get_physical $interface;
-
 	    my $file = "/proc/sys/net/ipv$family/conf/$interface/accept_source_route";
+	    my $value = get_interface_option $interface, 'sourceroute';
 
 	    emit ( "if [ -f $file ]; then" ,
 		   "    echo $value > $file" );
 	    emit ( 'else' ,
-		   "    error_message \"WARNING: Cannot set Accept Source Routing on $interface\"" ) unless $optional;
+		   "    error_message \"WARNING: Cannot set Accept Source Routing on $interface\"" ) unless interface_is_optional( $interface);
 	    emit   "fi\n";
 	}
     }
@@ -249,17 +227,13 @@ sub setup_forwarding( $$ ) {
 	    save_progress_message 'Setting up IPv6 Interface Forwarding...';
 
 	    for my $interface ( @$interfaces ) {
-		my $value = get_interface_option $interface, 'forward';
-		my $optional = interface_is_optional $interface;
-
-		$interface = get_physical $interface;
-
 		my $file = "/proc/sys/net/ipv6/conf/$interface/forwarding";
+		my $value = get_interface_option $interface, 'forward';
 
 		emit ( "if [ -f $file ]; then" ,
 		       "    echo $value > $file" );
 		emit ( 'else' ,
-		       "    error_message \"WARNING: Cannot set IPv6 forwarding on $interface\"" ) unless $optional;
+		       "    error_message \"WARNING: Cannot set IPv6 forwarding on $interface\"" ) unless interface_is_optional( $interface);
 		emit   "fi\n";
 	    }
 

Shorewall/Perl/Shorewall/Providers.pm

@@ -35,7 +35,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_providers @routemarked_interfaces handle_stickiness handle_optional_interfaces );
 our @EXPORT_OK = qw( initialize lookup_provider );
-our $VERSION = '4.4_4';
+our $VERSION = '4.4_0';
 
 use constant { LOCAL_TABLE   => 255,
 	       MAIN_TABLE    => 254,
@@ -62,15 +62,14 @@ our $family;
 use constant { ROUTEMARKED_SHARED => 1, ROUTEMARKED_UNSHARED => 2 };
 
 #
-# Rather than initializing globals in an INIT block or during declaration,
-# we initialize them in a function. This is done for two reasons:
-#
-#   1. Proper initialization depends on the address family which isn't
-#      known until the compiler has started.
-#
-#   2. The compiler can run multiple times in the same process so it has to be
-#      able to re-initialize its dependent modules' state.
+# Initialize globals -- we take this novel approach to globals initialization to allow
+#                       the compiler to run multiple times in the same process. The
+#                       initialize() function does globals initialization for this
+#                       module and is called from an INIT block below. The function is
+#                       also called by Shorewall::Compiler::compiler at the beginning of
+#                       the second and subsequent calls to that function.
 #
+
 sub initialize( $ ) {
     $family = shift;
 
@@ -90,13 +89,17 @@ sub initialize( $ ) {
     @providers = ();
 }
 
+INIT {
+    initialize( F_IPV4 );
+}
+
 #
 # Set up marking for 'tracked' interfaces.
 #
 sub setup_route_marking() {
     my $mask = $config{HIGH_ROUTE_MARKS} ? $config{WIDE_TC_MARKS} ? '0xFF0000' : '0xFF00' : '0xFF';
 
-    require_capability( $_ , q(The provider 'track' option) , 's' ) for qw/CONNMARK_MATCH CONNMARK/;
+    require_capability( $_ , 'the provider \'track\' option' , 's' ) for qw/CONNMARK_MATCH CONNMARK/;
 
     add_rule $mangle_table->{$_} , "-m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask" for qw/PREROUTING OUTPUT/;
 
@@ -108,21 +111,33 @@ sub setup_route_marking() {
 
     for my $providerref ( @routemarked_providers ) {
 	my $interface = $providerref->{interface};
-	my $physical  = $providerref->{physical};
 	my $mark      = $providerref->{mark};
+	my $base      = uc chain_base $interface;
+
+	if ( $providerref->{optional} ) {
+	    if ( $providerref->{shared} ) {
+		add_commands( $chainref, qq(if [ interface_is_usable $interface -a -n "$providerref->{mac}" ]; then) );
+	    } else {
+		add_commands( $chainref, qq(if [ -n "\$${base}_IS_USABLE" ]; then) );
+	    }
+		
+	    incr_cmd_level( $chainref );
+	}
 
 	unless ( $marked_interfaces{$interface} ) {
-	    add_rule $mangle_table->{PREROUTING} , "-i $physical -m mark --mark 0/$mask -j routemark";
-	    add_jump $mangle_table->{PREROUTING} , $chainref1, 0, "! -i $physical -m mark --mark  $mark/$mask ";
+	    add_rule $mangle_table->{PREROUTING} , "-i $interface -m mark --mark 0/$mask -j routemark";
+	    add_jump $mangle_table->{PREROUTING} , $chainref1, 0, "! -i $interface -m mark --mark  $mark/$mask ";
 	    add_jump $mangle_table->{OUTPUT}     , $chainref2, 0, "-m mark --mark  $mark/$mask ";
 	    $marked_interfaces{$interface} = 1;
 	}
 
 	if ( $providerref->{shared} ) {
-	    add_rule $chainref, match_source_dev( $interface ) . "-m mac --mac-source $providerref->{mac} -j MARK --set-mark $providerref->{mark}";
+	    add_rule $chainref, " -i $interface -m mac --mac-source $providerref->{mac} -j MARK --set-mark $providerref->{mark}";
 	} else {
-	    add_rule $chainref, match_source_dev( $interface ) . "-j MARK --set-mark $providerref->{mark}";
+	    add_rule $chainref, " -i $interface -j MARK --set-mark $providerref->{mark}";
 	}
+
+	decr_cmd_level( $chainref), add_commands( $chainref, "fi" ) if $providerref->{optional};
     }
 
     add_rule $chainref, "-m mark ! --mark 0/$mask -j CONNMARK --save-mark --mask $mask";
@@ -130,15 +145,11 @@ sub setup_route_marking() {
 
 sub copy_table( $$$ ) {
     my ( $duplicate, $number, $realm ) = @_;
-    #
-    # Hack to work around problem in iproute
-    #
-    my $filter = $family == F_IPV6 ? q(sed 's/ via :: / /' | ) : '';
 
     if ( $realm ) {
 	emit  ( "\$IP -$family route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | while read net route; do" )
     } else {
-	emit  ( "\$IP -$family route show table $duplicate | ${filter}while read net route; do" )
+	emit  ( "\$IP -$family route show table $duplicate | while read net route; do" )
     }
 
     emit ( '    case $net in',
@@ -154,23 +165,11 @@ sub copy_table( $$$ ) {
 
 sub copy_and_edit_table( $$$$ ) {
     my ( $duplicate, $number, $copy, $realm) = @_;
-    #
-    # Hack to work around problem in iproute
-    #    
-    my $filter = $family == F_IPV6 ? q(sed 's/ via :: / /' | ) : '';
-    #
-    # Map physical names in $copy to logical names
-    #
-    $copy = join( '|' , map( physical_name($_) , split( ',' , $copy ) ) );
-    #
-    # Shell and iptables use a different wildcard character
-    #
-    $copy =~ s/\+/*/;
 
     if ( $realm ) {
-	emit  ( "\$IP -$family route show table $duplicate | sed -r 's/ realm [[:alnum:]]+//' | while read net route; do" )
+	emit  ( "\$IP -$family route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | while read net route; do" )
     } else {
-	emit  ( "\$IP -$family route show table $duplicate | ${filter}while read net route; do" )
+	emit  ( "\$IP -$family route show table $duplicate | while read net route; do" )
     }
 
     emit (  '    case $net in',
@@ -274,10 +273,9 @@ sub add_a_provider( ) {
     }
 
     fatal_error "Unknown Interface ($interface)" unless known_interface $interface;
-    fatal_error "A bridge port ($interface) may not be configured as a provider interface" if port_to_bridge $interface;
     
-    my $physical    = get_physical $interface;
-    my $base        = uc chain_base $physical;
+    my $provider    = chain_base $table;
+    my $base        = uc chain_base $interface;
     my $gatewaycase = '';
 
     if ( $gateway eq 'detect' ) {
@@ -321,15 +319,12 @@ sub add_a_provider( ) {
 
     }
 
-    my ( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu ) = 
-	(0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), '' );
+    my ( $loose, $track, $balance , $default, $default_balance, $optional, $mtu ) = (0,0,0,0,$config{USE_DEFAULT_RT} ? 1 : 0,interface_is_optional( $interface ), '' );
 
     unless ( $options eq '-' ) {
 	for my $option ( split_list $options, 'option' ) {
 	    if ( $option eq 'track' ) {
 		$track = 1;
-	    } elsif ( $option eq 'notrack' ) {
-		$track = 0;
 	    } elsif ( $option =~ /^balance=(\d+)$/ ) {
 		fatal_error q('balance' is not available in IPv6) if $family == F_IPV6;
 		$balance = $1;
@@ -380,7 +375,6 @@ sub add_a_provider( ) {
 			   number      => $number ,
 			   mark        => $val ? in_hex($val) : $val ,
 			   interface   => $interface ,
-			   physical    => $physical ,
 			   optional    => $optional ,
 			   gateway     => $gateway ,
 			   gatewaycase => $gatewaycase ,
@@ -408,19 +402,19 @@ sub add_a_provider( ) {
     if ( $shared ) {
 	my $variable = $providers{$table}{mac} = get_interface_mac( $gateway, $interface , $table );
 	$realm = "realm $number";
-	start_provider( $table, $number, qq(if interface_is_usable $physical && [ -n "$variable" ]; then) );
+	start_provider( $table, $number, qq(if interface_is_usable $interface && [ -n "$variable" ]; then) );
     } else {
 	if ( $optional ) {
 	    start_provider( $table, $number, qq(if [ -n "\$${base}_IS_USABLE" ]; then) );
 	} elsif ( $gatewaycase eq 'detect' ) {
-	    start_provider( $table, $number, qq(if interface_is_usable $physical && [ -n "$gateway" ]; then) );
+	    start_provider( $table, $number, qq(if interface_is_usable $interface && [ -n "$gateway" ]; then) );
 	} else {
-	    start_provider( $table, $number, "if interface_is_usable $physical; then" );
+	    start_provider( $table, $number, "if interface_is_usable $interface; then" );
 	}
 	
 	$provider_interfaces{$interface} = $table;
 
-	emit "run_ip route add default dev $physical table $number" if $gatewaycase eq 'none';
+	emit "run_ip route add default dev $interface table $number" if $gatewaycase eq 'none';
     }
 
     if ( $mark ne '-' ) {
@@ -439,7 +433,8 @@ sub add_a_provider( ) {
 	    if ( $copy eq 'none' ) {
 		$copy = $interface;
 	    } else {
-		$copy = "$interface,$copy";
+		$copy =~ tr/,/|/;
+		$copy = "$interface|$copy";
 	    }
 
 	    copy_and_edit_table( $duplicate, $number ,$copy , $realm);
@@ -451,28 +446,28 @@ sub add_a_provider( ) {
 
     if ( $gateway ) {
 	$address = get_interface_address $interface unless $address;
-	emit "run_ip route replace $gateway src $address dev $physical ${mtu}table $number $realm";
-	emit "run_ip route add default via $gateway src $address dev $physical ${mtu}table $number $realm";
+	emit "run_ip route replace $gateway src $address dev $interface ${mtu}table $number $realm";
+	emit "run_ip route add default via $gateway src $address dev $interface ${mtu}table $number $realm";
     }
 
-    balance_default_route $balance , $gateway, $physical, $realm if $balance;
+    balance_default_route $balance , $gateway, $interface, $realm if $balance;
 
     if ( $default > 0 ) {
-	balance_fallback_route $default , $gateway, $physical, $realm;
+	balance_fallback_route $default , $gateway, $interface, $realm;
     } elsif ( $default ) {
 	emit '';
 	if ( $gateway ) {
-	    emit qq(run_ip route replace default via $gateway src $address dev $physical table ) . DEFAULT_TABLE . qq( metric $number);
-	    emit qq(echo "qt \$IP -$family route del default via $gateway table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
+	    emit qq(run_ip route replace default via $gateway src $address dev $interface table ) . DEFAULT_TABLE . qq( dev $interface metric $number);
+	    emit qq(echo "qt \$IP route del default via $gateway table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
 	} else {
-	    emit qq(run_ip route add default table ) . DEFAULT_TABLE . qq( dev $physical metric $number);
-	    emit qq(echo "qt \$IP -$family route del default dev $physical table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
+	    emit qq(run_ip route add default table ) . DEFAULT_TABLE . qq( dev $interface metric $number);
+	    emit qq(echo "qt \$IP route del default dev $interface table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
 	}
     }
 
     if ( $loose ) {
 	if ( $config{DELETE_THEN_ADD} ) {
-	    emit ( "\nfind_interface_addresses $physical | while read address; do",
+	    emit ( "\nfind_interface_addresses $interface | while read address; do",
 		   "    qt \$IP -$family rule del from \$address",
 		   'done'
 		 );
@@ -486,7 +481,7 @@ sub add_a_provider( ) {
 
 	emit "\nrulenum=0\n";
 
-	emit  ( "find_interface_addresses $physical | while read address; do" );
+	emit  ( "find_interface_addresses $interface | while read address; do" );
 	emit  (	"    qt \$IP -$family rule del from \$address" ) if $config{DELETE_THEN_ADD};
 	emit  (	"    run_ip rule add from \$address pref \$(( $rulebase + \$rulenum )) table $number",
 		"    echo \"qt \$IP -$family rule del from \$address\" >> \${VARDIR}/undo_routing",
@@ -502,15 +497,15 @@ sub add_a_provider( ) {
 
     if ( $optional ) {
 	if ( $shared ) {
-	    emit ( "    error_message \"WARNING: Gateway $gateway is not reachable -- Provider $table ($number) not Added\"" );
+	    emit ( "    error_message \"WARNING: Interface $interface is not usable -- Provider $table ($number) not Added\"" );
 	} else {
-	    emit ( "    error_message \"WARNING: Interface $physical is not usable -- Provider $table ($number) not Added\"" );
+	    emit ( "    error_message \"WARNING: Gateway $gateway is not reachable -- Provider $table ($number) not Added\"" );
 	}
     } else {
 	if ( $shared ) {
 	    emit( "    fatal_error \"Gateway $gateway is not reachable -- Provider $table ($number) Cannot be Added\"" );
 	} else {
-	    emit( "    fatal_error \"Interface $physical is not usable -- Provider $table ($number) Cannot be Added\"" );
+	    emit( "    fatal_error \"Interface $interface is not usable -- Provider $table ($number) Cannot be Added\"" );
 	}
     }
 
@@ -521,32 +516,9 @@ sub add_a_provider( ) {
     progress_message "   Provider \"$currentline\" $done";
 }
 
-#
-# Begin an 'if' statement testing whether the passed interface is available
-#
-sub start_new_if( $ ) {
-    our $current_if = shift;
-
-    emit ( '', qq(if [ -n "\$${current_if}_IS_USABLE" ]; then) );
-    push_indent;
-}
-  
-#
-# Complete any current 'if' statement in the output script
-#
-sub finish_current_if() {
-    if ( our $current_if ) {
-	pop_indent;
-	emit ( "fi\n" );
-	$current_if = '';
-    }
-}
-
 sub add_an_rtrule( ) {
     my ( $source, $dest, $provider, $priority ) = split_line 4, 4, 'route_rules file';
 
-    our $current_if;
-
     unless ( $providers{$provider} ) {
 	my $found = 0;
 
@@ -581,7 +553,6 @@ sub add_an_rtrule( ) {
 	    ( my $interface, $source , my $remainder ) = split( /:/, $source, 3 );
 	    fatal_error "Invalid SOURCE" if defined $remainder;
 	    validate_net ( $source, 0 );
-	    $interface = physical_name $interface;
 	    $source = "iif $interface from $source";
 	} elsif ( $source =~ /\..*\..*/ ) {
 	    validate_net ( $source, 0 );
@@ -592,7 +563,6 @@ sub add_an_rtrule( ) {
     } elsif ( $source =~  /^(.+?):<(.+)>\s*$/ ) {
 	my ($interface, $source ) = ($1, $2);
 	validate_net ($source, 0);
-	$interface = physical_name $interface;
 	$source = "iif $interface from $source";
     } elsif (  $source =~ /:.*:/ || $source =~ /\..*\..*/ ) {
 	validate_net ( $source, 0 );
@@ -605,21 +575,21 @@ sub add_an_rtrule( ) {
 
     $priority = "priority $priority";
 
-    finish_current_if, emit ( "qt \$IP -$family rule del $source $dest $priority" ) if $config{DELETE_THEN_ADD};
+    emit ( "qt \$IP -$family rule del $source $dest $priority" ) if $config{DELETE_THEN_ADD};
 
     my ( $optional, $number ) = ( $providers{$provider}{optional} , $providers{$provider}{number} );
 
     if ( $optional ) {
-	my $base = uc chain_base( $providers{$provider}{physical} );
-	finish_current_if if $base ne $current_if;
-	start_new_if( $base ) unless $current_if;
-  } else {
-	finish_current_if;
+	my $base = uc chain_base( $providers{$provider}{interface} );
+	emit ( '', "if [ -n \$${base}_IS_USABLE ]; then" );
+	push_indent;
     }
 
     emit ( "run_ip rule add $source $dest $priority table $number",
 	   "echo \"qt \$IP -$family rule del $source $dest $priority\" >> \${VARDIR}/undo_routing" );
 
+    pop_indent, emit ( "fi\n" ) if $optional;
+
     progress_message "   Routing rule \"$currentline\" $done";
 }
 
@@ -753,15 +723,12 @@ sub setup_providers() {
 	my $fn = open_file 'route_rules';
 
 	if ( $fn ) {
-	    our $current_if = '';
 
 	    first_entry "$doing $fn...";
 
 	    emit '';
 	    
 	    add_an_rtrule while read_a_line;
-
-	    finish_current_if;
 	}
 
 	setup_null_routing if $config{NULL_ROUTE_RFC1918};
@@ -817,21 +784,18 @@ sub lookup_provider( $ ) {
 }
 
 #
-# This function is called by the compiler when it is generating the detect_configuration() function.
+# This function is called by the compiler when it is generating the initialize() function.
 # The function emits code to set the ..._IS_USABLE interface variables appropriately for the
 # optional interfaces
 #
-# Returns true if there were optional interfaces
-#
 sub handle_optional_interfaces() {
 
     my $interfaces = find_interfaces_by_option 'optional';
 
     if ( @$interfaces ) {
 	for my $interface ( @$interfaces ) {
+	    my $base  = uc chain_base( $interface );
 	    my $provider = $provider_interfaces{$interface};
-	    my $physical = get_physical $interface;
-	    my $base     = uc chain_base( $physical );
 
 	    emit '';
 
@@ -842,15 +806,15 @@ sub handle_optional_interfaces() {
 		my $providerref = $providers{$provider};
 
 		if ( $providerref->{gatewaycase} eq 'detect' ) {
-		    emit qq(if interface_is_usable $physical && [ -n "$providerref->{gateway}" ]; then);
+		    emit qq(if interface_is_usable $interface && [ -n "$providerref->{gateway}" ]; then);
 		} else {
-		    emit qq(if interface_is_usable $physical; then);
+		    emit qq(if interface_is_usable $interface; then);
 		}
 	    } else {
 		#
 		# Not a provider interface
 		#
-		emit qq(if interface_is_usable $physical; then);
+		emit qq(if interface_is_usable $interface; then);
 	    }
 
 	    emit( "    ${base}_IS_USABLE=Yes" ,
@@ -858,8 +822,6 @@ sub handle_optional_interfaces() {
 		  "    ${base}_IS_USABLE=" ,
 		  'fi' );
 	}
-
-	1;
     }
 }
 
@@ -880,8 +842,9 @@ sub handle_stickiness( $ ) {
     if ( $havesticky ) {
 	fatal_error "There are SAME tcrules but no 'track' providers" unless @routemarked_providers;
 	
+
 	for my $providerref ( @routemarked_providers ) {
-	    my $interface = $providerref->{physical};
+	    my $interface = $providerref->{interface};
 	    my $base      = uc chain_base $interface;
 	    my $mark      = $providerref->{mark};
 	
@@ -891,6 +854,9 @@ sub handle_stickiness( $ ) {
 		my $list = sprintf "sticky%03d" , $sticky++;
 		
 		for my $chainref ( $stickyref, $setstickyref ) {
+
+		    add_commands( $chainref, qq(if [ -n "\$${base}_IS_USABLE" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional};
+
 		    if ( $chainref->{name} eq 'sticky' ) {
 			$rule1 = $_;
 			$rule1 =~ s/-j sticky/-m recent --name $list --update --seconds 300 -j MARK --set-mark $mark/;
@@ -901,14 +867,17 @@ sub handle_stickiness( $ ) {
 			$rule1 =~ s/-j sticky/-m mark --mark $mark\/$mask -m recent --name $list --set/;
 		    }
 		
-		    $rule1 =~ s/-A tcpre //;
+		    $rule1 =~ s/-A //;
 
 		    add_rule $chainref, $rule1;
 
 		    if ( $rule2 ) {
-			$rule2 =~ s/-A tcpre //;
+			$rule2 =~ s/-A //;
 			add_rule $chainref, $rule2;
 		    }
+
+		    decr_cmd_level( $chainref), add_commands( $chainref, "fi" ) if $providerref->{optional};
+		    
 		}
 	    }
 
@@ -918,6 +887,8 @@ sub handle_stickiness( $ ) {
 		my $stickoref = ensure_mangle_chain 'sticko';
 
 		for my $chainref ( $stickoref, $setstickoref ) {
+		    add_commands( $chainref, qq(if [ -n "\$${base}_IS_USABLE" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional};
+
 		    if ( $chainref->{name} eq 'sticko' ) {
 			$rule1 = $_;
 			$rule1 =~ s/-j sticko/-m recent --name $list --rdest --update --seconds 300 -j MARK --set-mark $mark/;
@@ -928,14 +899,16 @@ sub handle_stickiness( $ ) {
 			$rule1 =~ s/-j sticko/-m mark --mark $mark -m recent --name $list --rdest --set/;
 		    }
 		
-		    $rule1 =~ s/-A tcout //;
+		    $rule1 =~ s/-A //;
 
 		    add_rule $chainref, $rule1;
 
 		    if ( $rule2 ) {
-			$rule2 =~ s/-A tcout //;
+			$rule2 =~ s/-A //;
 			add_rule $chainref, $rule2;
 		    }
+
+		    decr_cmd_level( $chainref), add_commands( $chainref, "fi" ) if $providerref->{optional};
 		}
 	    }
 	}

Shorewall/Perl/Shorewall/Proxyarp.pm

@@ -35,27 +35,30 @@ our @EXPORT = qw(
 		  );
 
 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.4_4';
+our $VERSION = '4.3_7';
 
 our @proxyarp;
 
 our $family;
 
 #
-# Rather than initializing globals in an INIT block or during declaration,
-# we initialize them in a function. This is done for two reasons:
-#
-#   1. Proper initialization depends on the address family which isn't
-#      known until the compiler has started.
-#
-#   2. The compiler can run multiple times in the same process so it has to be
-#      able to re-initialize its dependent modules' state.
+# Initialize globals -- we take this novel approach to globals initialization to allow
+#                       the compiler to run multiple times in the same process. The
+#                       initialize() function does globals initialization for this
+#                       module and is called from an INIT block below. The function is
+#                       also called by Shorewall::Compiler::compiler at the beginning of
+#                       the second and subsequent calls to that function.
 #
+
 sub initialize( $ ) {
     $family = shift;
     @proxyarp = ();
 }
 
+INIT {
+    initialize( F_IPV4 );
+}
+
 sub setup_one_proxy_arp( $$$$$ ) {
     my ( $address, $interface, $external, $haveroute, $persistent) = @_;
 
@@ -117,8 +120,6 @@ sub setup_proxy_arp() {
 		    $first_entry = 0;
 		}
 
-		$interface = get_physical $interface;
-
 		$set{$interface}  = 1;
 		$reset{$external} = 1 unless $set{$external};
 
@@ -145,14 +146,10 @@ sub setup_proxy_arp() {
 
 	    for my $interface ( @$interfaces ) {
 		my $value = get_interface_option $interface, 'proxyarp';
-		my $optional = interface_is_optional $interface;
-
-		$interface = get_physical $interface;
-
 		emit ( "if [ -f /proc/sys/net/ipv4/conf/$interface/proxy_arp ] ; then" ,
 		       "    echo $value > /proc/sys/net/ipv4/conf/$interface/proxy_arp" );
 		emit ( 'else' ,
-		       "    error_message \"WARNING: Unable to set/reset proxy ARP on $interface\"" ) unless $optional;
+		       "    error_message \"WARNING: Unable to set/reset proxy ARP on $interface\"" ) unless interface_is_optional( $interface );
 		emit   "fi\n";
 	    }
 	}
@@ -164,14 +161,10 @@ sub setup_proxy_arp() {
 
 	    for my $interface ( @$interfaces ) {
 		my $value = get_interface_option $interface, 'proxyndp';
-		my $optional = interface_is_optional $interface;
-
-		$interface = get_physical $interface;
-
 		emit ( "if [ -f /proc/sys/net/ipv6/conf/$interface/proxy_ndp ] ; then" ,
 		   "    echo $value > /proc/sys/net/ipv6/conf/$interface/proxy_ndp" );
 		emit ( 'else' ,
-		       "    error_message \"WARNING: Unable to set/reset Proxy NDP on $interface\"" ) unless $optional;
+		       "    error_message \"WARNING: Unable to set/reset Proxy NDP on $interface\"" ) unless interface_is_optional( $interface );
 		emit   "fi\n";
 	    }
 	}

Shorewall/Perl/Shorewall/Rules.pm

@@ -24,7 +24,6 @@
 #
 package Shorewall::Rules;
 require Exporter;
-
 use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::IPAddrs;
 use Shorewall::Zones;
@@ -41,12 +40,12 @@ our @EXPORT = qw( process_tos
 		  add_common_rules
 		  setup_mac_lists
 		  process_rules
-		  process_routestopped
 		  generate_matrix
+		  setup_mss
 		  compile_stop_firewall
 		  );
 our @EXPORT_OK = qw( process_rule process_rule1 initialize );
-our $VERSION = '4.4_5';
+our $VERSION = '4.4_0';
 
 #
 # Set to one if we find a SECTION
@@ -65,15 +64,14 @@ my %rules_commands = ( COMMENT => 0,
 		       SECTION => 2 );
 
 #
-# Rather than initializing globals in an INIT block or during declaration,
-# we initialize them in a function. This is done for two reasons:
-#
-#   1. Proper initialization depends on the address family which isn't
-#      known until the compiler has started.
-#
-#   2. The compiler can run multiple times in the same process so it has to be
-#      able to re-initialize its dependent modules' state.
+# Initialize globals -- we take this novel approach to globals initialization to allow
+#                       the compiler to run multiple times in the same process. The
+#                       initialize() function does globals initialization for this
+#                       module and is called from an INIT block below. The function is
+#                       also called by Shorewall::Compiler::compiler at the beginning of
+#                       the second and subsequent calls to that function.
 #
+
 sub initialize( $ ) {
     $family = shift;
     $sectioned = 0;
@@ -82,6 +80,10 @@ sub initialize( $ ) {
     @param_stack = ();
 }
 
+INIT {
+    initialize( F_IPV4 );
+}
+
 use constant { MAX_MACRO_NEST_LEVEL => 5 };
 
 sub process_tos() {
@@ -199,8 +201,8 @@ sub setup_ecn()
 	    for my $interface ( @interfaces ) {
 		my $chainref = ensure_chain 'mangle', ecn_chain( $interface );
 
-		add_jump $mangle_table->{POSTROUTING} , $chainref, 0, "-p tcp " . match_dest_dev( $interface );
-		add_jump $mangle_table->{OUTPUT},       $chainref, 0, "-p tcp " . match_dest_dev( $interface );
+		add_jump $mangle_table->{POSTROUTING} , $chainref, 0, "-p tcp -o $interface ";
+		add_jump $mangle_table->{OUTPUT},       $chainref, 0, "-p tcp -o $interface ";
 	    }
 
 	    for my $host ( @hosts ) {
@@ -322,7 +324,7 @@ sub process_routestopped() {
 
 	$seq++;
 
-	my $rule = do_proto( $proto, $ports, $sports, 0 );
+	my $rule = do_proto( $proto, $ports, $sports, 1 );
 
 	for my $host ( split /,/, $hosts ) {
 	    validate_host $host, 1;
@@ -331,22 +333,18 @@ sub process_routestopped() {
 	}
 
 	unless ( $options eq '-' ) {
-
 	    for my $option (split /,/, $options ) {
 		if ( $option eq 'routeback' ) {
 		    if ( $routeback ) {
 			warning_message "Duplicate 'routeback' option ignored";
 		    } else {
-			my $chainref = $filter_table->{FORWARD};
-
 			$routeback = 1;
 
 			for my $host ( split /,/, $hosts ) {
-			    add_rule( $chainref , 
-				      match_source_dev( $interface ) . 
-				      match_dest_dev( $interface ) .
-				      match_source_net( $host ) .
-				      match_dest_net( $host ) );
+			    my $source = match_source_net $host;
+			    my $dest   = match_dest_net   $host;
+
+			    emit "run_iptables -A FORWARD -i $interface -o $interface $source $dest -j ACCEPT";
 			    clearrule;
 			}
 		    }
@@ -380,24 +378,24 @@ sub process_routestopped() {
 	my $desti   = match_dest_dev $interface;
 	my $rule    = shift @rule;
 
-	add_rule $filter_table->{INPUT},  "$sourcei $source $rule -j ACCEPT", 1;
-	add_rule $filter_table->{OUTPUT}, "$desti $dest $rule -j ACCEPT", 1 unless $config{ADMINISABSENTMINDED};
+	add_rule $filter_table->{INPUT},  "$sourcei $source $rule -j ACCEPT";
+	add_rule $filter_table->{OUTPUT}, "$desti $dest $rule -j ACCEPT" unless $config{ADMINISABSENTMINDED};
 
 	my $matched = 0;
 
 	if ( $source{$host} ) {
-	    add_rule $filter_table->{FORWARD}, "$sourcei $source $rule -j ACCEPT", 1;
+	    add_rule $filter_table->{FORWARD}, "$sourcei $source $rule -j ACCEPT";
 	    $matched = 1;
 	}
 
 	if ( $dest{$host} ) {
-	    add_rule $filter_table->{FORWARD}, "$desti $dest $rule -j ACCEPT", 1;
+	    add_rule $filter_table->{FORWARD}, "$desti $dest $rule -j ACCEPT";
 	    $matched = 1;
 	}
 
 	if ( $notrack{$host} ) {
-	    add_rule $raw_table->{PREROUTING}, "$sourcei $source $rule -j NOTRACK", 1;
-	    add_rule $raw_table->{OUTPUT},     "$desti $dest $rule -j NOTRACK", 1;
+	    add_rule $raw_table->{PREROUTING}, "$sourcei $source $rule -j NOTRACK";
+	    add_rule $raw_table->{OUTPUT},     "$desti $dest $rule -j NOTRACK";
 	}
 
 	unless ( $matched ) {
@@ -406,7 +404,7 @@ sub process_routestopped() {
 		    my ( $interface1, $h1 , $seq1 ) = split /\|/, $host1;
 		    my $dest1 = match_dest_net $h1;
 		    my $desti1 = match_dest_dev $interface1;
-		    add_rule $filter_table->{FORWARD}, "$sourcei $desti1 $source $dest1 $rule -j ACCEPT", 1;
+		    add_rule $filter_table->{FORWARD}, "$sourcei $desti1 $source $dest1 $rule -j ACCEPT";
 		    clearrule;
 		}
 	    }
@@ -552,11 +550,7 @@ sub add_common_rules() {
 		add_rule $filter_table->{$chain} , "-p udp --dport $ports -j ACCEPT";
 	    }
 
-	    add_rule( $filter_table->{forward_chain $interface} , 
-		      "-p udp " .
-		      match_dest_dev( $interface ) .
-		      "--dport $ports -j ACCEPT" )
-		if get_interface_option( $interface, 'bridge' );
+	    add_rule $filter_table->{forward_chain $interface} , "-p udp -o $interface --dport $ports -j ACCEPT" if get_interface_option( $interface, 'bridge' );
 	}
     }
 
@@ -640,10 +634,10 @@ sub add_common_rules() {
 		if ( interface_is_optional $interface ) {
 		    add_commands( $chainref, 
 				  qq(if [ -n "\$${base}_IS_USABLE" -a -n "$variable" ]; then) ,
-				  qq(    echo -A $chainref->{name} ) . match_source_dev( $interface ) . qq(-s $variable -p udp -j ACCEPT >&3) ,
+				  qq(    echo -A $chainref->{name} -i $interface -s $variable -p udp -j ACCEPT >&3) ,
 				  qq(fi) );
 		} else {
-		    add_commands( $chainref, qq(echo -A $chainref->{name} ) . match_source_dev( $interface ) . qq(-s $variable -p udp -j ACCEPT >&3) );
+		    add_commands( $chainref, qq(echo -A $chainref->{name} -i $interface -s $variable -p udp -j ACCEPT >&3) );
 		}
 	    }
 	}
@@ -786,9 +780,6 @@ sub setup_mac_lists( $ ) {
 	    }
 	}
     } else {
-	#
-	# Phase II
-	#
 	for my $interface ( @maclist_interfaces ) {
 	    my $chainref = $chain_table{$table}{( $ttl ? macrecent_target $interface : mac_chain $interface )};
 	    my $chain    = $chainref->{name};
@@ -861,13 +852,12 @@ sub process_macro ( $$$$$$$$$$$$$$$ ) {
 
     while ( read_a_line ) {
 
-	my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime);
+	my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser );
 
 	if ( $format == 1 ) {
-	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line1 1, 8, 'macro file', $macro_commands;
-	    ( $morigdest, $mmark, $mconnlimit, $mtime ) = qw/- - - -/;
+	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser, $morigdest ) = split_line1 1, 9, 'macro file', $macro_commands;
 	} else {
-	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime ) = split_line1 1, 12, 'macro file', $macro_commands;
+	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser ) = split_line1 1, 9, 'macro file', $macro_commands;
 	}
 
 	if ( $mtarget eq 'COMMENT' ) {
@@ -881,6 +871,8 @@ sub process_macro ( $$$$$$$$$$$$$$$ ) {
 	    next;
 	}
 
+	fatal_error "Invalid macro file entry (too many columns)" if $morigdest ne '-' && $format == 1;
+
 	$mtarget = merge_levels $target, $mtarget;
 
 	if ( $mtarget =~ /^PARAM(:.*)?$/ ) {
@@ -932,9 +924,9 @@ sub process_macro ( $$$$$$$$$$$$$$$ ) {
 		      merge_macro_column( $morigdest, $origdest ) , 
 		      merge_macro_column( $mrate,     $rate ) ,
 		      merge_macro_column( $muser,     $user ) ,
-		      merge_macro_column( $mmark,      $mark ) ,
-		      merge_macro_column( $mconnlimit, $connlimit) ,
-		      merge_macro_column( $mtime,      $time ),
+		      $mark, 
+		      $connlimit,
+		      $time,
 		      $wildcard
 		     );
 
@@ -949,7 +941,7 @@ sub process_macro ( $$$$$$$$$$$$$$$ ) {
 
 }
 #
-# Once a rule has been expanded via wildcards (source and/or dest zone eq 'all'), it is processed by this function. If
+# Once a rule has been expanded via wildcards (source and/or dest zone == 'all'), it is processed by this function. If
 # the target is a macro, the macro is expanded and this function is called recursively for each rule in the expansion.
 #
 sub process_rule1 ( $$$$$$$$$$$$$ ) {
@@ -960,6 +952,10 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
     my $actionchainref;
     my $optimize = $wildcard ? ( $basictarget =~ /!$/ ? 0 : $config{OPTIMIZE} ) : 0;
 
+    unless ( defined $param ) {
+	( $basictarget, $param ) = ( $1, $2 ) if $action =~ /^(\w+)[(](.*)[)]$/;
+    }
+
     $param = '' unless defined $param;
 
     #
@@ -967,10 +963,6 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
     #
     my $actiontype = $targets{$basictarget} || find_macro( $basictarget );
 
-    if ( $config{ MAPOLDACTIONS } ) {
-	( $basictarget, $actiontype , $param ) = map_old_actions( $basictarget ) unless $actiontype || $param;
-    }
-
     fatal_error "Unknown action ($action)" unless $actiontype;
 
     if ( $actiontype == MACRO ) {
@@ -1088,7 +1080,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 	    $destref = defined_zone( $destzone );
 	    
 	    if ( $destref ) {
-		warning_message "The destination zone ($destzone) is ignored in $log_action rules";
+		warning_message "Destination zone ($destzone) ignored";
 	    } else {
 		$dest = join ':', $destzone, $dest;
 		$destzone = '';
@@ -1128,10 +1120,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 	    }
 	}
 
-	$chain    = rules_chain( ${sourcezone}, ${destzone} );
-	#
-	# Ensure that the chain exists but don't mark it as referenced until after optimization is checked
-	#
+	$chain    = "${sourcezone}2${destzone}";
 	$chainref = ensure_chain 'filter', $chain;
 	$policy   = $chainref->{policy};
 
@@ -1237,9 +1226,9 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 		}
 	    }
 	} else {
-	    if ( $server eq '' ) {
-		fatal_error "A server and/or port must be specified in the DEST column in $action rules" unless $serverport;
-	    } elsif ( $server =~ /^(.+)-(.+)$/ ) {
+	    fatal_error "A server must be specified in the DEST column in $action rules" if $server eq '';
+
+	    if ( $server =~ /^(.+)-(.+)$/ ) {
 		validate_range( $1, $2 );
 	    } else {
 		my @servers = validate_address $server, 1;
@@ -1248,14 +1237,10 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 
 	    if ( $action eq 'DNAT' ) {
 		$target = '-j DNAT ';
-		if ( $server ) {
 		$serverport = ":$serverport" if $serverport;
 		for my $serv ( split /,/, $server ) {
 		    $target .= "--to-destination ${serv}${serverport} ";
 		}
-		} else {
-		    $target .= "--to-destination :$serverport ";
-		}
 	    }
 
 	    unless ( $origdest && $origdest ne '-' && $origdest ne 'detect' ) {
@@ -1332,7 +1317,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 		    # Static NAT is defined on this interface
 		    #
 		    $chn = new_chain( 'nat', newnonatchain ) unless $chn;
-		    add_jump $chn, $nat_table->{$ichain}, 0, @interfaces > 1 ? match_source_dev( $_ )  : '';
+		    add_jump $chn, $nat_table->{$ichain}, 0, @interfaces > 1 ? "-i $_ " : '';
 		}
 	    }
 
@@ -1383,7 +1368,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 	    #
 	    # And move the rules from the nonat chain to the zone dnat chain
 	    #
-	    move_rules ( $chn, $nonat_chain );
+	    add_rule( $nonat_chain, "-j $tgt" ) unless move_rules ( $chn, $nonat_chain );
 	}
     }
 
@@ -1588,9 +1573,6 @@ sub process_rules() {
 # Add jumps from the builtin chains to the interface-chains that are used by this configuration
 #
 sub add_interface_jumps {
-    our %input_jump_added;
-    our %output_jump_added;
-    our %forward_jump_added;
     #
     # Add Nat jumps
     #
@@ -1611,10 +1593,10 @@ sub add_interface_jumps {
     # Add the jumps to the interface chains from filter FORWARD, INPUT, OUTPUT
     #
     for my $interface ( @_ ) {
-	add_jump( $filter_table->{FORWARD} , forward_chain $interface , 0, match_source_dev( $interface ) ) unless $forward_jump_added{$interface} || ! use_forward_chain $interface;
-	add_jump( $filter_table->{INPUT}   , input_chain $interface ,   0, match_source_dev( $interface ) ) unless $input_jump_added{$interface}   || ! use_input_chain $interface;
+	add_jump( $filter_table->{FORWARD} , forward_chain $interface , 0, match_source_dev( $interface ) ) if use_forward_chain $interface;
+	add_jump( $filter_table->{INPUT}   , input_chain $interface ,   0, match_source_dev( $interface ) ) if use_input_chain $interface;
 
-	unless ( $output_jump_added{$interface} || ! use_output_chain $interface ) {
+	if ( use_output_chain $interface ) {
 	    add_jump $filter_table->{OUTPUT} , output_chain $interface , 0, match_dest_dev( $interface ) unless get_interface_option( $interface, 'port' );
 	}
     }
@@ -1622,7 +1604,7 @@ sub add_interface_jumps {
     # Loopback
     #
     my $fw = firewall_zone;
-    my $chainref = $filter_table->{rules_chain( ${fw}, ${fw} )};
+    my $chainref = $filter_table->{"${fw}2${fw}"};
 
     add_rule $filter_table->{OUTPUT} , "-o lo -j " . ($chainref->{referenced} ? "$chainref->{name}" : 'ACCEPT' );
     add_rule $filter_table->{INPUT} , '-i lo -j ACCEPT';
@@ -1630,7 +1612,7 @@ sub add_interface_jumps {
 
 # Generate the rules matrix.
 #
-# Stealing a comment from the Burroughs B6700 MCP Operating System source, "generate_matrix makes a sow's ear out of a silk purse".
+# Stealing a comment from the Burroughs B6700 MCP Operating System source, generate_matrix makes a sow's ear out of a silk purse.
 #
 # The biggest disadvantage of the zone-policy-rule model used by Shorewall is that it doesn't scale well as the number of zones increases (Order N**2 where N = number of zones).
 # A major goal of the rewrite of the compiler in Perl was to restrict those scaling effects to this function and the rules that it generates.
@@ -1646,7 +1628,7 @@ sub generate_matrix() {
     #
     sub rules_target( $$ ) {
 	my ( $zone, $zone1 ) = @_;
-	my $chain = rules_chain( ${zone}, ${zone1} );
+	my $chain = "${zone}2${zone1}";
 	my $chainref = $filter_table->{$chain};
 
 	return $chain   if $chainref && $chainref->{referenced};
@@ -1681,9 +1663,6 @@ sub generate_matrix() {
     my $notrackref = $raw_table->{notrack_chain $fw};
     my @zones = non_firewall_zones;
     my $interface_jumps_added = 0;
-    our %input_jump_added   = ();
-    our %output_jump_added  = ();
-    our %forward_jump_added = ();
 
     #
     # Special processing for complex configurations
@@ -1692,17 +1671,10 @@ sub generate_matrix() {
 	my $zoneref    = find_zone( $zone );
 
 	next if @zones <= 2 && ! $zoneref->{options}{complex};
-	#
-	# Complex zone and we have more than one non-firewall zone -- create a zone forwarding chain
-	#
+
 	my $frwd_ref = new_standard_chain zone_forward_chain( $zone );
 
 	if ( $capabilities{POLICY_MATCH} ) {
-	    #
-	    # Because policy match only matches an 'in' or an 'out' policy (but not both), we have to place the
-	    # '--pol ipsec --dir in' rules at the front of the (interface) forwarding chains. Otherwise, decrypted packets
-	    # can match '--pol none --dir out' rules and send the packets down the wrong rules chain.
-	    #
 	    my $type       = $zoneref->{type};
 	    my $source_ref = ( $zoneref->{hosts}{ipsec} ) || {};
 
@@ -1712,7 +1684,6 @@ sub generate_matrix() {
 
 		if ( use_forward_chain( $interface ) ) {
 		    $sourcechainref = $filter_table->{forward_chain $interface};
-		    add_jump $filter_table->{FORWARD} , $sourcechainref, 0 , match_source_dev( $interface ) unless $forward_jump_added{$interface}++;
 		} else {
 		    $sourcechainref = $filter_table->{FORWARD};
 		    $interfacematch = match_source_dev $interface;
@@ -1779,7 +1750,7 @@ sub generate_matrix() {
 
 	    if ( $parenthasnat || $parenthasnotrack ) {
 		for my $zone1 ( all_zones ) {
-		    if ( $filter_table->{rules_chain( ${zone}, ${zone1} )}->{policy} eq 'CONTINUE' ) {
+		    if ( $filter_table->{"${zone}2${zone1}"}->{policy} eq 'CONTINUE' ) {
 			#
 			# This zone has a continue policy to another zone. We must
 			# send packets from this zone through the parent's DNAT/REDIRECT/NOTRACK chain.
@@ -1824,7 +1795,6 @@ sub generate_matrix() {
 
 			    if ( use_output_chain $interface ) {
 				$outputref = $filter_table->{output_chain $interface};
-				add_jump $filter_table->{OUTPUT}, $outputref, 0, match_dest_dev( $interface ) unless $output_jump_added{$interface}++;
 			    } else {
 				$outputref = $filter_table->{OUTPUT};
 				$interfacematch = match_dest_dev $interface;
@@ -1873,7 +1843,6 @@ sub generate_matrix() {
 
 			if ( use_input_chain $interface ) {
 			    $inputchainref = $filter_table->{input_chain $interface};
-			    add_jump $filter_table->{INPUT}, $inputchainref, 0, match_source_dev($interface) unless $input_jump_added{$interface}++;
 			} else {
 			    $inputchainref = $filter_table->{INPUT};
 			    $interfacematch = match_source_dev $interface;
@@ -1887,9 +1856,7 @@ sub generate_matrix() {
 			if ( $frwd_ref && $hostref->{ipsec} ne 'ipsec' ) {
 			    my $ref = source_exclusion( $exclusions, $frwd_ref );
 			    if ( use_forward_chain $interface ) {
-				my $forwardref = $filter_table->{forward_chain $interface};
-				add_jump $forwardref , $ref, 0, join( '', $source, $ipsec_in_match );
-				add_jump $filter_table->{FORWARD} , $forwardref, 0 , match_source_dev( $interface ) unless $forward_jump_added{$interface}++;
+				add_jump $filter_table->{forward_chain $interface} , $ref, 0, join( '', $source, $ipsec_in_match );
 			    } else {
 				add_jump $filter_table->{FORWARD} , $ref, 0, join( '', match_source_dev( $interface ) , $source, $ipsec_in_match );
 				move_rules ( $filter_table->{forward_chain $interface} , $frwd_ref );
@@ -1909,9 +1876,10 @@ sub generate_matrix() {
 	if ( $config{OPTIMIZE} > 0 ) {
 	    my @temp_zones;
 
+	  ZONE1:
 	    for my $zone1 ( @zones )  {
 		my $zone1ref = find_zone( $zone1 );
-		my $policy = $filter_table->{rules_chain( ${zone}, ${zone1} )}->{policy};
+		my $policy = $filter_table->{"${zone}2${zone1}"}->{policy};
 
 		next if $policy  eq 'NONE';
 
@@ -1927,7 +1895,7 @@ sub generate_matrix() {
 		    next unless $zoneref->{bridge} eq $zone1ref->{bridge};
 		}
 
-		if ( $chain =~ /(2all|-all)$/ ) {
+		if ( $chain =~ /2all$/ ) {
 		    if ( $chain ne $last_chain ) {
 			$last_chain = $chain;
 			push @dest_zones, @temp_zones;
@@ -1958,10 +1926,12 @@ sub generate_matrix() {
 	# We now loop through the destination zones creating jumps to the rules chain for each source/dest combination.
 	# @dest_zones is the list of destination zones that we need to handle from this source zone
 	#
+      ZONE1:
 	for my $zone1 ( @dest_zones ) {
 	    my $zone1ref = find_zone( $zone1 );
+	    my $policy   = $filter_table->{"${zone}2${zone1}"}->{policy};
 
-	    next if $filter_table->{rules_chain( ${zone}, ${zone1} )}->{policy}  eq 'NONE';
+	    next if $policy  eq 'NONE';
 
 	    my $chain = rules_target $zone, $zone1;
 
@@ -1970,69 +1940,57 @@ sub generate_matrix() {
 	    my $num_ifaces = 0;
 
 	    if ( $zone eq $zone1 ) {
-		next if ( $num_ifaces = scalar( keys ( %{$zoneref->{interfaces}} ) ) ) < 2 && ! $zoneref->{options}{in_out}{routeback};
+		next ZONE1 if ( $num_ifaces = scalar( keys ( %{$zoneref->{interfaces}} ) ) ) < 2 && ! $zoneref->{options}{in_out}{routeback};
 	    }
 
 	    if ( $zone1ref->{type} == BPORT ) {
-		next unless $zoneref->{bridge} eq $zone1ref->{bridge};
+		next ZONE1 unless $zoneref->{bridge} eq $zone1ref->{bridge};
 	    }
 
-	    my $chainref = $filter_table->{$chain}; #Will be null if $chain is a Netfilter Built-in target like ACCEPT
+	    my $chainref    = $filter_table->{$chain};
+
+	    my $dest_hosts_ref = $zone1ref->{hosts};
 
 	    if ( $frwd_ref ) {
-		#
-		# Simple case -- the source zone has it's own forwarding chain
-		#
-		for my $typeref ( values %{$zone1ref->{hosts}} ) {
+		for my $typeref ( values %$dest_hosts_ref ) {
 		    for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) {
-			for my $hostref ( @{$typeref->{$interface}} ) {
+			my $arrayref = $typeref->{$interface};
+			for my $hostref ( @$arrayref ) {
 			    next if $hostref->{options}{sourceonly};
 			    if ( $zone ne $zone1 || $num_ifaces > 1 || $hostref->{options}{routeback} ) {
 				my $ipsec_out_match = match_ipsec_out $zone1 , $hostref;
-				my $dest_exclusion = dest_exclusion( $hostref->{exclusions}, $chain);
 				for my $net ( @{$hostref->{hosts}} ) {
-				    add_jump $frwd_ref, $dest_exclusion, 0, join( '', match_dest_dev( $interface) , match_dest_net($net), $ipsec_out_match );
+				    add_jump $frwd_ref, dest_exclusion( $hostref->{exclusions}, $chain), 0, join( '', match_dest_dev( $interface) , match_dest_net($net), $ipsec_out_match );
 				}
 			    }
 			}
 		    }
 		}
 	    } else {
-		#
-		# More compilcated case. If the interface is associated with a single simple zone, we try to combine the interface's forwarding chain with the rules chain
-		#
 		for my $typeref ( values %$source_hosts_ref ) {
 		    for my $interface ( keys %$typeref ) {
+			my $arrayref = $typeref->{$interface};
 			my $chain3ref;
 			my $match_source_dev = '';
-			my $forwardchainref = $filter_table->{forward_chain $interface};
 
-			if ( use_forward_chain $interface || ( @{$forwardchainref->{rules} } && ! $chainref ) ) {
-			    #
-			    # Either we must use the interface's forwarding chain or that chain has rules and we have nowhere to move them
-			    #
-			    $chain3ref = $forwardchainref;
-			    add_jump $filter_table->{FORWARD} , $chain3ref, 0 , match_source_dev( $interface ) unless $forward_jump_added{$interface}++;
+			if ( use_forward_chain $interface ) {
+			    $chain3ref = $filter_table->{forward_chain $interface};
 			} else {
-			    #
-			    # Don't use the interface's forward chain -- move any rules in that chain to this rules chain
-			    #
 			    $chain3ref  = $filter_table->{FORWARD};
 			    $match_source_dev = match_source_dev $interface;
-			    move_rules $forwardchainref, $chainref;
+			    move_rules $filter_table->{forward_chain $interface}, $chainref;
 			}
 
-			for my $hostref ( @{$typeref->{$interface}} ) {
+			for my $hostref ( @$arrayref ) {
 			    next if $hostref->{options}{destonly};
 			    my $excl3ref = source_exclusion( $hostref->{exclusions}, $chain3ref );
 			    for my $net ( @{$hostref->{hosts}} ) {
-				for my $type1ref ( values %{$zone1ref->{hosts}} ) {
+				for my $type1ref ( values %$dest_hosts_ref ) {
 				    for my $interface1 ( keys %$type1ref ) {
 					my $array1ref = $type1ref->{$interface1};
 					for my $host1ref ( @$array1ref ) {
 					    next if $host1ref->{options}{sourceonly};
 					    my $ipsec_out_match = match_ipsec_out $zone1 , $host1ref;
-					    my $dest_exclusion  = dest_exclusion( $host1ref->{exclusions}, $chain );
 					    for my $net1 ( @{$host1ref->{hosts}} ) {
 						unless ( $interface eq $interface1 && $net eq $net1 && ! $host1ref->{options}{routeback} ) {
 						    #
@@ -2040,7 +1998,7 @@ sub generate_matrix() {
 						    #
 						    add_jump(
 							     $excl3ref ,
-							     $dest_exclusion,
+							     dest_exclusion( $host1ref->{exclusions}, $chain ),
 							     0,
 							     join( '', 
 								   $match_source_dev, 
@@ -2059,13 +2017,13 @@ sub generate_matrix() {
 		    }
 		}
 	    }
-	}
 	    #
 	    #                                      E N D   F O R W A R D I N G
 	    #
 	    # Now add an unconditional jump to the last unique policy-only chain determined above, if any
 	    #
-	add_jump $frwd_ref , $last_chain, 1 if $frwd_ref && $last_chain;
+	    add_jump $frwd_ref , $last_chain, 1 if $last_chain;
+	}
     }
 
     add_interface_jumps @interfaces unless $interface_jumps_added;
@@ -2135,12 +2093,10 @@ sub setup_mss( ) {
 	for ( @$interfaces ) {
 	    my $mss      = get_interface_option( $_, 'mss' );
 	    my $mssmatch = $capabilities{TCPMSS_MATCH} ? "-m tcpmss --mss $mss: " : ''; 
-	    my $source   = match_source_dev $_;
-	    my $dest     = match_dest_dev $_;
-	    add_rule $chainref, "${dest}-p tcp --tcp-flags SYN,RST SYN ${mssmatch}${out_match}-j TCPMSS --set-mss $mss";
-	    add_rule $chainref, "${dest}-j RETURN" if $clampmss;
-	    add_rule $chainref, "${source}-p tcp --tcp-flags SYN,RST SYN ${mssmatch}${in_match}-j TCPMSS --set-mss $mss";
-	    add_rule $chainref, "${source}-j RETURN" if $clampmss;
+	    add_rule $chainref, "-o $_ -p tcp --tcp-flags SYN,RST SYN ${mssmatch}${out_match}-j TCPMSS --set-mss $mss";
+	    add_rule $chainref, "-o $_ -j RETURN" if $clampmss;
+	    add_rule $chainref, "-i $_ -p tcp --tcp-flags SYN,RST SYN ${mssmatch}${in_match}-j TCPMSS --set-mss $mss";
+	    add_rule $chainref, "-i $_ -j RETURN" if $clampmss;
 	}
     }
 
@@ -2297,12 +2253,12 @@ EOF
 	my $ports = $family == F_IPV4 ? '67:68' : '546:547';
 
 	for my $interface ( @$interfaces ) {
-	    add_rule $input,  "-p udp " . match_source_dev( $interface ) . "--dport $ports -j ACCEPT";
-	    add_rule $output, "-p udp " . match_dest_dev( $interface )   . "--dport $ports -j ACCEPT" unless $config{ADMINISABSENTMINDED};
+	    add_rule $input,  "-p udp -i $interface --dport $ports -j ACCEPT";
+	    add_rule $output, "-p udp -o $interface --dport $ports -j ACCEPT" unless $config{ADMINISABSENTMINDED};
 	    #
 	    # This might be a bridge
 	    #
-	    add_rule $forward, "-p udp " . match_source_dev( $interface ) . match_dest_dev( $interface ) . "--dport $ports -j ACCEPT";
+	    add_rule $forward, "-p udp -i $interface -o $interface --dport $ports -j ACCEPT";
 	}
     }
 
@@ -2321,7 +2277,7 @@ EOF
 	}
     } else {
 	for my $interface ( all_bridges ) {
-	    emit "do_iptables -A FORWARD -p 58 " . match_source_dev( $interface ) . match_dest_dev( $interface ) . "-j ACCEPT";
+	    emit "do_iptables -A FORWARD -p 58 -i $interface -o $interface -j ACCEPT";
 	}	    
 
 	if ( $config{IP_FORWARDING} eq 'on' ) {

Shorewall/Perl/Shorewall/Tc.pm

@@ -40,7 +40,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_tc );
 our @EXPORT_OK = qw( process_tc_rule initialize );
-our $VERSION = '4.4_5';
+our $VERSION = '4.3_12';
 
 our %tcs = ( T => { chain  => 'tcpost',
 		    connmark => 0,
@@ -153,7 +153,7 @@ our @deferred_rules;
 #
 # TCDevices Table
 #
-# %tcdevices { <interface> => {in_bandwidth  => <value> ,
+# %tcdevices { <interface> -> {in_bandwidth  => <value> ,
 #                              out_bandwidth => <value> ,
 #                              number        => <number>,
 #                              classify      => 0|1
@@ -163,8 +163,6 @@ our @deferred_rules;
 #                              nextclass     => <number>
 #                              occurs        => Has one or more occurring classes
 #                              qdisc         => htb|hfsc
-#                              guarantee     => <total RATE of classes seen so far>
-#                              name          => <interface>
 #                                               }
 #
 our @tcdevices;
@@ -188,7 +186,6 @@ our $sticky;
 #              occurs    => <number> # 0 means that this is a class generated by another class with occurs > 1
 #              parent    => <class number>
 #              leaf      => 0|1
-#              guarantee => <sum of rates of sub-classes>
 #              options   => { tos  => [ <value1> , <value2> , ... ];
 #                             tcp_ack => 1 ,
 #                             ...
@@ -205,15 +202,14 @@ our %restrictions = ( tcpre      => PREROUTE_RESTRICT ,
 our $family;
 
 #
-# Rather than initializing globals in an INIT block or during declaration,
-# we initialize them in a function. This is done for two reasons:
-#
-#   1. Proper initialization depends on the address family which isn't
-#      known until the compiler has started.
-#
-#   2. The compiler can run multiple times in the same process so it has to be
-#      able to re-initialize its dependent modules' state.
+# Initialize globals -- we take this novel approach to globals initialization to allow
+#                       the compiler to run multiple times in the same process. The
+#                       initialize() function does globals initialization for this
+#                       module and is called from an INIT block below. The function is
+#                       also called by Shorewall::Compiler::compiler at the beginning of
+#                       the second and subsequent calls to that function.
 #
+
 sub initialize( $ ) {
     $family   = shift;
     %classids = ();
@@ -227,6 +223,10 @@ sub initialize( $ ) {
     $sticky = 0;
 }
 
+INIT {
+    initialize( F_IPV4 );
+}
+
 sub process_tc_rule( ) {
     my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper ) = split_line1 2, 12, 'tcrules file';
 
@@ -529,9 +529,6 @@ sub validate_tc_device( ) {
 			    default       => 0,
 			    nextclass     => 2,
 			    qdisc         => $qdisc,
-			    guarantee     => 0,
-			    name          => $device,
-			    physical      => physical_name $device
 			  } ,
 
     push @tcdevices, $device;
@@ -541,8 +538,8 @@ sub validate_tc_device( ) {
     progress_message "  Tcdevice \"$currentline\" $done.";
 }
 
-sub convert_rate( $$$$ ) {
-    my ($full, $rate, $column, $max) = @_;
+sub convert_rate( $$$ ) {
+    my ($full, $rate, $column) = @_;
 
     if ( $rate =~ /\bfull\b/ ) {
 	$rate =~ s/\bfull\b/$full/g;
@@ -556,7 +553,7 @@ sub convert_rate( $$$$ ) {
     }
 
     fatal_error "$column may not be zero" unless $rate;
-    fatal_error "$column ($_[1]) exceeds $max (${full}kbit)" if $rate > $full;
+    fatal_error "$column ($_[1]) exceeds OUT-BANDWIDTH" if $rate > $full;
 
     $rate;
 }
@@ -602,7 +599,6 @@ sub validate_tc_class( ) {
     my $device = $devclass;
     my $occurs = 1;
     my $parentclass = 1;
-    my $parentref;
 
     if ( $devclass =~ /:/ ) {
 	( $device, my ($number, $subnumber, $rest ) )  = split /:/, $device, 4;
@@ -635,10 +631,6 @@ sub validate_tc_class( ) {
     }
 
     my $full  = rate_to_kbit $devref->{out_bandwidth};
-    my $ratemax = $full;
-    my $ceilmax = $full;
-    my $ratename = 'OUT-BANDWIDTH';
-    my $ceilname = 'OUT-BANDWIDTH';
 
     my $tcref = $tcclasses{$device};
 
@@ -648,15 +640,15 @@ sub validate_tc_class( ) {
 	if ( $devref->{classify} ) {
 	    warning_message "INTERFACE $device has the 'classify' option - MARK value ($mark) ignored";
 	} else {
+	    fatal_error "Invalid Mark ($mark)" unless $mark =~ /^([0-9]+|0x[0-9a-fA-F]+)$/ && numeric_value( $mark ) <= 0xff;
+
 	    $markval = numeric_value( $mark );
 	    fatal_error "Invalid MARK ($markval)" unless defined $markval;
 
-	    fatal_error "Invalid Mark ($mark)" unless $markval <= ( $config{WIDE_TC_MARKS} ? 0x3fff : 0xff );
-
 	    if ( $classnumber ) {
 		fatal_error "Duplicate Class NUMBER ($classnumber)" if $tcref->{$classnumber};
 	    } else {
-		$classnumber = $config{WIDE_TC_MARKS} ? $devref->{nextclass}++ : hex_value( $devnum . $markval );
+		$classnumber = $config{WIDE_TC_MARKS} ? $tcref->{nextclass}++ : hex_value( $devnum . $markval );
 		fatal_error "Duplicate MARK ($mark)" if $tcref->{$classnumber};
 	    }
 	}
@@ -668,14 +660,10 @@ sub validate_tc_class( ) {
 	#
 	# Nested Class
 	#
-	$parentref = $tcref->{$parentclass};
+	my $parentref = $tcref->{$parentclass};
 	fatal_error "Unknown Parent class ($parentclass)" unless $parentref && $parentref->{occurs} == 1;
 	fatal_error "The parent class ($parentclass) specifies UMAX and/or DMAX; it cannot serve as a parent" if $parentref->{dmax};
 	$parentref->{leaf} = 0;
-	$ratemax  = $parentref->{rate};
-	$ratename = q(the parent class's RATE);
-	$ceilmax = $parentref->{ceiling};
-	$ceilname = q(the parent class's CEIL);
     }
 
     my ( $umax, $dmax ) = ( '', '' );
@@ -685,27 +673,19 @@ sub validate_tc_class( ) {
 	
 	fatal_error "Invalid RATE ($rate)" if defined $rest;
 
-	$rate = convert_rate ( $ratemax, $trate, 'RATE', $ratename );
+	$rate = convert_rate ( $full, $trate, 'RATE' );
 	$dmax = convert_delay( $dmax );
 	$umax = convert_size( $umax );
 	fatal_error "DMAX must be specified when UMAX is specified" if $umax && ! $dmax; 
     } else {
-	$rate = convert_rate ( $ratemax, $rate, 'RATE' , $ratename );
+	$rate = convert_rate ( $full, $rate, 'RATE' );
     }
 
-    if ( $parentref ) {
-	warning_message "Total RATE of sub classes ($parentref->{guarantee}kbits) exceeds RATE of parent class ($parentref->{rate}kbits)" if ( $parentref->{guarantee} += $rate ) > $parentref->{rate};
-    } else {
-	warning_message "Total RATE of classes ($devref->{guarantee}kbits) exceeds OUT-BANDWIDTH (${full}kbits)" if ( $devref->{guarantee} += $rate ) > $full;
-    }
-
-    fatal_error "Invalid PRIO ($prio)" unless defined numeric_value $prio;
-
     $tcref->{$classnumber} = { tos      => [] ,
 			       rate     => $rate ,
 			       umax     => $umax ,
 			       dmax     => $dmax ,
-			       ceiling   => convert_rate( $ceilmax, $ceil, 'CEIL' , $ceilname ) ,
+			       ceiling  => convert_rate( $full, $ceil, 'CEIL' ) ,
 			       priority => $prio eq '-' ? 1 : $prio ,
 			       mark     => $markval ,
 			       flow     => '' ,
@@ -713,8 +693,6 @@ sub validate_tc_class( ) {
 			       occurs   => 1,
 			       parent   => $parentclass,
 			       leaf     => 1,
-			       guarantee => 0,
-			       limit     => 127,
 			     };
 
     $tcref = $tcref->{$classnumber};
@@ -763,10 +741,6 @@ sub validate_tc_class( ) {
 
 		$tcref->{occurs} = $occurs;
 		$devref->{occurs} = 1;
-	    } elsif ( $option =~ /^limit=(\d+)$/ ) {
-		warning_message "limit ignored with pfifo queuing" if $tcref->{pfifo};
-		fatal_error "Invalid limit ($1)" if $1 < 3 || $1 > 128;
-		$tcref->{limit} = $1;
 	    } else {
 		fatal_error "Unknown option ($option)";
 	    }
@@ -795,7 +769,6 @@ sub validate_tc_class( ) {
 					       pfifo    => $tcref->{pfifo},
 					       occurs   => 0,
 					       parent   => $parentclass,
-					       limit    => $tcref->{limit},
 					     };
 	push @tcclasses, "$device:$classnumber";
     };
@@ -832,7 +805,7 @@ sub process_tc_filter( ) {
     fatal_error "Unknown CLASS ($devclass)"                  unless $tcref && $tcref->{occurs};
     fatal_error "Filters may not specify an occurring CLASS" if $tcref->{occurs} > 1;
 
-    my $rule = "filter add dev $devref->{physical} protocol ip parent $devnum:0 prio 10 u32";
+    my $rule = "filter add dev $device protocol ip parent $devnum:0 prio 10 u32";
 
     if ( $source ne '-' ) {
 	my ( $net , $mask ) = decompose_net( $source );
@@ -903,7 +876,7 @@ sub process_tc_filter( ) {
 	    $lasttnum = $tnum;
 	    $lastrule = $rule;
 
-	    emit( "\nrun_tc filter add dev $devref->{physical} parent $devnum:0 protocol ip prio 10 handle $tnum: u32 divisor 1" );
+	    emit( "\nrun_tc filter add dev $device parent $devnum:0 protocol ip prio 10 handle $tnum: u32 divisor 1" );
 	}
 	#
 	# And link to it using the current contents of $rule
@@ -913,7 +886,7 @@ sub process_tc_filter( ) {
 	#
 	# The rule to match the port(s) will be inserted into the new table
 	#
-	$rule     = "filter add dev $devref->{physical} protocol ip parent $devnum:0 prio 10 u32 ht $tnum:0";
+	$rule     = "filter add dev $device protocol ip parent $devnum:0 prio 10 u32 ht $tnum:0";
 
 	if ( $portlist eq '-' ) {
 	    fatal_error "Only TCP, UDP and SCTP may specify SOURCE PORT" 
@@ -1040,15 +1013,12 @@ sub setup_traffic_shaping() {
     }
 
     for my $device ( @tcdevices ) {
+	my $dev     = chain_base( $device );
 	my $devref  = $tcdevices{$device};
 	my $defmark = in_hexp ( $devref->{default} || 0 );
 	my $devnum  = in_hexp $devref->{number};
 	my $r2q     = int calculate_r2q $devref->{out_bandwidth};
 
-	$device = physical_name $device;
-
-	my $dev = chain_base( $device );
-
 	emit "if interface_is_up $device; then";
 
 	push_indent;
@@ -1131,14 +1101,12 @@ sub setup_traffic_shaping() {
 	my $classid  = join( ':', in_hexp $devicenumber, $classnum);
 	my $rate     = "$tcref->{rate}kbit";
 	my $quantum  = calculate_quantum $rate, calculate_r2q( $devref->{out_bandwidth} );
-
-	$classids{$classid}=$device;
-	$device = physical_name $device;
-
 	my $dev      = chain_base $device;
 	my $priority = $tcref->{priority} << 8;
 	my $parent   = in_hexp $tcref->{parent};
 
+	$classids{$classid}=$device;
+
 	if ( $lastdevice ne $device ) {
 	    if ( $lastdevice ) {
 		pop_indent;
@@ -1165,7 +1133,7 @@ sub setup_traffic_shaping() {
 	    }
 	}
 	    
-	emit( "run_tc qdisc add dev $device parent $classid handle ${classnum}: sfq quantum \$quantum limit $tcref->{limit} perturb 10" ) if $tcref->{leaf} && ! $tcref->{pfifo};
+	emit( "run_tc qdisc add dev $device parent $classid handle ${classnum}: sfq quantum \$quantum limit 127 perturb 10" ) if $tcref->{leaf} && ! $tcref->{pfifo};
 	#
 	# add filters
 	#
@@ -1226,7 +1194,7 @@ sub setup_tc() {
 	    $mark_part = $config{HIGH_ROUTE_MARKS} ? $config{WIDE_TC_MARKS} ? '-m mark --mark 0/0xFF0000' : '-m mark --mark 0/0xFF00' : '-m mark --mark 0/0xFF';
 
 	    for my $interface ( @routemarked_interfaces ) {
-		add_rule $mangle_table->{PREROUTING} , match_source_dev( $interface ) . "-j tcpre";
+		add_rule $mangle_table->{PREROUTING} , "-i $interface -j tcpre";
 	    }
 	}
 

Shorewall/Perl/Shorewall/Tunnels.pm

@@ -83,8 +83,8 @@ sub setup_tunnels() {
 	    for my $zone ( split_list $gatewayzones, 'zone' ) {
 		my $type = zone_type( $zone );
 		fatal_error "Invalid zone ($zone) for GATEWAY ZONE" if $type == FIREWALL || $type == BPORT;
-		$inchainref  = ensure_filter_chain rules_chain( ${zone}, ${fw} ), 1;
-		$outchainref = ensure_filter_chain rules_chain( ${fw}, ${zone} ), 1;
+		$inchainref  = ensure_filter_chain "${zone}2${fw}", 1;
+		$outchainref = ensure_filter_chain "${fw}2${zone}", 1;
 
 		unless ( $capabilities{POLICY_MATCH} ) {
 		    add_tunnel_rule $inchainref,  "-p 50 $source -j ACCEPT";
@@ -239,8 +239,8 @@ sub setup_tunnels() {
 
 	fatal_error "Invalid tunnel ZONE ($zone)" if $zonetype == FIREWALL || $zonetype == BPORT;
 
-	my $inchainref  = ensure_filter_chain rules_chain( ${zone}, ${fw} ), 1;
-	my $outchainref = ensure_filter_chain rules_chain( ${fw}, ${zone} ), 1;
+	my $inchainref  = ensure_filter_chain "${zone}2${fw}", 1;
+	my $outchainref = ensure_filter_chain "${fw}2${zone}", 1;
 
 	$gateway = ALLIP if $gateway eq '-';
 

Shorewall/Perl/Shorewall/Zones.pm

@@ -60,8 +60,6 @@ our @EXPORT = qw( NOTHING
 		  interface_number
 		  find_interface
 		  known_interface
-		  get_physical
-		  physical_name
 		  have_bridges
 		  port_to_bridge
 		  source_port_to_bridge
@@ -75,7 +73,7 @@ our @EXPORT = qw( NOTHING
 		 );
 
 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.4_4';
+our $VERSION = '4.4_0';
 
 #
 # IPSEC Option types
@@ -137,8 +135,7 @@ our %reservedName = ( all => 1,
 #
 #     %interfaces { <interface1> => { name        => <name of interface>
 #                                     root        => <name without trailing '+'>
-#                                     options     => { port => undef|1
-#                                                      <option1> = <val1> ,          #See %validinterfaceoptions
+#                                     options     => { <option1> = <val1> ,
 #                                                      ...
 #                                                    }
 #                                     zone        => <zone name>
@@ -146,7 +143,6 @@ our %reservedName = ( all => 1,
 #                                     bridge      => <bridge>
 #                                     broadcasts  => 'none', 'detect' or [ <addr1>, <addr2>, ... ]
 #                                     number      => <ordinal position in the interfaces file>
-#                                     physical    => <physical interface name>
 #                                   }
 #                 }
 #
@@ -154,7 +150,6 @@ our @interfaces;
 our %interfaces;
 our @bport_zones;
 our %ipsets;
-our %physical;
 our $family;
 
 use constant { FIREWALL => 1,
@@ -168,8 +163,6 @@ use constant { SIMPLE_IF_OPTION   => 1,
 	       NUMERIC_IF_OPTION  => 4,
 	       OBSOLETE_IF_OPTION => 5,
 	       IPLIST_IF_OPTION   => 6,
-	       STRING_IF_OPTION   => 7,
-
 	       MASK_IF_OPTION     => 7,
 	       
 	       IF_OPTION_ZONEONLY => 8,
@@ -178,22 +171,18 @@ use constant { SIMPLE_IF_OPTION   => 1,
 
 our %validinterfaceoptions;
 
-our %defaultinterfaceoptions = ( routefilter => 1 );
-
-our %maxoptionvalue = ( routefilter => 2, mss => 100000 );
-
 our %validhostoptions;
 
 #
-# Rather than initializing globals in an INIT block or during declaration,
-# we initialize them in a function. This is done for two reasons:
-#
-#   1. Proper initialization depends on the address family which isn't
-#      known until the compiler has started.
-#
-#   2. The compiler can run multiple times in the same process so it has to be
-#      able to re-initialize its dependent modules' state.
+# Initialize globals -- we take this novel approach to globals initialization to allow
+#                       the compiler to run multiple times in the same process. The
+#                       initialize() function does globals initialization for this
+#                       module and is called from an INIT block below. The function is
+#                       also called by Shorewall::Compiler::compiler at the beginning of
+#                       the second and subsequent calls to that function or when compiling
+#                       for IPv6.
 #
+
 sub initialize( $ ) {
     $family = shift;
     @zones = ();
@@ -204,7 +193,6 @@ sub initialize( $ ) {
     %interfaces = ();
     @bport_zones = ();
     %ipsets = ();
-    %physical = ();
 
     if ( $family == F_IPV4 ) {
 	%validinterfaceoptions = (arp_filter  => BINARY_IF_OPTION,
@@ -221,13 +209,12 @@ sub initialize( $ ) {
 				  optional    => SIMPLE_IF_OPTION,
 				  proxyarp    => BINARY_IF_OPTION,
 				  routeback   => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST,
-				  routefilter => NUMERIC_IF_OPTION ,
+				  routefilter => BINARY_IF_OPTION ,
 				  sourceroute => BINARY_IF_OPTION,
 				  tcpflags    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  upnp        => SIMPLE_IF_OPTION,
 				  upnpclient  => SIMPLE_IF_OPTION,
 				  mss         => NUMERIC_IF_OPTION,
-				  physical    => STRING_IF_OPTION + IF_OPTION_HOST,
 				 );
 	%validhostoptions = (
 			     blacklist => 1,
@@ -253,7 +240,6 @@ sub initialize( $ ) {
 				    tcpflags    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    mss         => NUMERIC_IF_OPTION,
 				    forward     => NUMERIC_IF_OPTION,
-				    physical    => STRING_IF_OPTION + IF_OPTION_HOST,
 				 );
 	%validhostoptions = (
 			     blacklist => 1,
@@ -264,6 +250,10 @@ sub initialize( $ ) {
     }
 }
 
+INIT {
+    initialize( F_IPV4 );
+}
+
 #
 # Parse the passed option list and return a reference to a hash as follows:
 #
@@ -373,8 +363,8 @@ sub process_zone( \$ ) {
     fatal_error "Invalid zone name ($zone)"      if $reservedName{$zone} || $zone =~ /^all2|2all$/;
     fatal_error( "Duplicate zone name ($zone)" ) if $zones{$zone};
     
-    if ( $type =~ /^ip(v([46]))?$/i ) {
-	fatal_error "Invalid zone type ($type)" if $1 && $2 != $family;
+    if ( $type =~ /ipv([46])?/i ) {
+	fatal_error "Invalid zone type ($type)" if $1 && $1 != $family;
 	$type = IP;
 	$$ip = 1;
     } elsif ( $type =~ /^ipsec([46])?$/i ) {
@@ -510,19 +500,17 @@ sub zone_report()
 		my $interfaceref = $hostref->{$type};
 
 		for my $interface ( sort keys %$interfaceref ) {
-		    my $iref     = $interfaces{$interface};
 		    my $arrayref = $interfaceref->{$interface};
 		    for my $groupref ( @$arrayref ) {
 			my $hosts      = $groupref->{hosts};
+			my $exclusions = join ',', @{$groupref->{exclusions}};
 			if ( $hosts ) {
 			    my $grouplist = join ',', ( @$hosts );
-			    my $exclusions = join ',', @{$groupref->{exclusions}};
 			    $grouplist = join '!', ( $grouplist, $exclusions) if $exclusions;
-		
 			    if ( $family == F_IPV4 ) {
-				progress_message_nocompress "      $iref->{physical}:$grouplist";
+				progress_message_nocompress "      $interface:$grouplist";
 			    } else {
-				progress_message_nocompress "      $iref->{physical}:<$grouplist>";
+				progress_message_nocompress "      $interface:<$grouplist>";
 			    }
 			    $printed = 1;
 			}
@@ -540,9 +528,6 @@ sub zone_report()
     }
 }
 
-#
-# This function is called to create the contents of the ${VARDIR}/zones file
-#
 sub dump_zone_contents()
 {
     my @xlate;
@@ -569,21 +554,20 @@ sub dump_zone_contents()
 		my $interfaceref = $hostref->{$type};
 
 		for my $interface ( sort keys %$interfaceref ) {
-		    my $iref     = $interfaces{$interface};
 		    my $arrayref = $interfaceref->{$interface};
 		    for my $groupref ( @$arrayref ) {
 			my $hosts     = $groupref->{hosts};
+			my $exclusions = join ',', @{$groupref->{exclusions}};
 
 			if ( $hosts ) {
 			    my $grouplist = join ',', ( @$hosts );
-			    my $exclusions = join ',', @{$groupref->{exclusions}};
 
 			    $grouplist = join '!', ( $grouplist, $exclusions ) if $exclusions;
 
 			    if ( $family == F_IPV4 ) {
-				$entry .= " $iref->{physical}:$grouplist";
+				$entry .= " $interface:$grouplist";
 			    } else {
-				$entry .= " $iref->{physical}:<$grouplist>";
+				$entry .= " $interface:<$grouplist>";
 			    }
 			}
 		    }
@@ -617,6 +601,7 @@ sub add_group_to_zone($$$$$)
     my $interfaceref;
     my $zoneref  = $zones{$zone};
     my $zonetype = $zoneref->{type};
+    my $ifacezone = $interfaces{$interface}{zone};
 
     $zoneref->{interfaces}{$interface} = 1;
 
@@ -624,7 +609,8 @@ sub add_group_to_zone($$$$$)
     my @exclusions = ();
     my $new = \@newnetworks;
     my $switched = 0;
-    my $allip    = 0;
+
+    $ifacezone = '' unless defined $ifacezone;
 
     for my $host ( @$networks ) {
 	$interfaces{$interface}{nets}++;
@@ -640,12 +626,8 @@ sub add_group_to_zone($$$$$)
 
 	unless ( $switched ) {
 	    if ( $type == $zonetype ) {
-		fatal_error "Duplicate Host Group ($interface:$host) in zone $zone" if $interfaces{$interface}{zone} eq $zone;
-		if ( $host eq ALLIP ) {
-		    fatal_error "Duplicate Host Group ($interface:$host) in zone $zone" if @newnetworks;
-		    $interfaces{$interface}{zone} = $zone;
-		    $allip = 1;
-		}
+		fatal_error "Duplicate Host Group ($interface:$host) in zone $zone" if $ifacezone eq $zone;
+		$ifacezone = $zone if $host eq ALLIP;
 	    }
 	}
 
@@ -667,8 +649,6 @@ sub add_group_to_zone($$$$$)
     $typeref      = ( $hostsref->{$gtype}         || ( $hostsref->{$gtype} = {} ) );
     $interfaceref = ( $typeref->{$interface}      || ( $typeref->{$interface} = [] ) );
 
-    fatal_error "Duplicate Host Group ($interface:" . ALLIP . ") in zone $zone" if $allip && @$interfaceref;
-
     $zoneref->{options}{complex} = 1 if @$interfaceref || ( @newnetworks > 1 ) || ( @exclusions );
 
     push @{$interfaceref}, { options => $options,
@@ -728,8 +708,8 @@ sub firewall_zone() {
 #
 sub process_interface( $ ) {
     my $nextinum = $_[0];
-    my $netsref = '';
-    my ($zone, $originalinterface, $bcasts, $options ) = split_line 2, 4, 'interfaces file';
+    my $nets;
+    my ($zone, $originalinterface, $networks, $options ) = split_line 2, 4, 'interfaces file';
     my $zoneref;
     my $bridge = '';
 
@@ -742,21 +722,18 @@ sub process_interface( $ ) {
 	fatal_error "Firewall zone not allowed in ZONE column of interface record" if $zoneref->{type} == FIREWALL;
     }
 
-    $bcasts = '' if $bcasts eq '-';
+    $networks = '' if $networks eq '-';
     $options  = '' if $options  eq '-';
 
     my ($interface, $port, $extra) = split /:/ , $originalinterface, 3;
 
     fatal_error "Invalid INTERFACE ($originalinterface)" if ! $interface || defined $extra;
 
-    if ( defined $port && $port ne '' ) {
+    if ( defined $port ) {
 	fatal_error qq("Virtual" interfaces are not supported -- see http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html) if $port =~ /^\d+$/;
 	require_capability( 'PHYSDEV_MATCH', 'Bridge Ports', '');
 	fatal_error "Your iptables is not recent enough to support bridge ports" unless $capabilities{KLUDGEFREE};
-
-	fatal_error "Invalid Interface Name ($interface:$port)" unless $port =~ /^[\w.@%-]+\+?$/;
 	fatal_error "Duplicate Interface ($port)" if $interfaces{$port};
-
 	fatal_error "$interface is not a defined bridge" unless $interfaces{$interface} && $interfaces{$interface}{options}{bridge};
 	fatal_error "Bridge Ports may only be associated with 'bport' zones" if $zone && $zoneref->{type} != BPORT;
 
@@ -768,6 +745,10 @@ sub process_interface( $ ) {
 	    }
 	}
 
+	next if $port eq '';
+
+	fatal_error "Invalid Interface Name ($interface:$port)" unless $port =~ /^[\w.@%-]+\+?$/;
+
 	$bridge = $interface;
 	$interface = $port;
     } else {
@@ -786,11 +767,10 @@ sub process_interface( $ ) {
 	$root = $interface;
     }
 
-    my $physical = $interface;
     my $broadcasts;
 
-    unless ( $bcasts eq '' || $bcasts eq 'detect' ) {
-	my @broadcasts = split_list $bcasts, 'address';
+    unless ( $networks eq '' || $networks eq 'detect' ) {
+	my @broadcasts = split_list $networks, 'address';
 	
 	for my $address ( @broadcasts ) {
 	    fatal_error 'Invalid BROADCAST address' unless $address =~ /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/;
@@ -834,12 +814,12 @@ sub process_interface( $ ) {
 		$hostoptions{$option} = 1 if $hostopt;
 	    } elsif ( $type == BINARY_IF_OPTION ) {
 		$value = 1 unless defined $value;
-		fatal_error "Option value for '$option' must be 0 or 1" unless ( $value eq '0' || $value eq '1' );
-		fatal_error "The '$option' option may not be used with a wild-card interface name" if $wildcard;
+		fatal_error "Option value for $option must be 0 or 1" unless ( $value eq '0' || $value eq '1' );
+		fatal_error "The $option option may not be used with a wild-card interface name" if $wildcard;
 		$options{$option} = $value;
 		$hostoptions{$option} = $value if $hostopt;
 	    } elsif ( $type == ENUM_IF_OPTION ) {
-		fatal_error "The '$option' option may not be used with a wild-card interface name" if $wildcard;
+		fatal_error "The $option option may not be used with a wild-card interface name" if $wildcard;
 		if ( $option eq 'arp_ignore' ) {
 		    if ( defined $value ) {
 			if ( $value =~ /^[1-3,8]$/ ) {
@@ -854,14 +834,14 @@ sub process_interface( $ ) {
 		    assert( 0 );
 		}
 	    } elsif ( $type == NUMERIC_IF_OPTION ) {
-		$value = $defaultinterfaceoptions{$option} unless defined $value;
-		fatal_error "The '$option' option requires a value" unless defined $value;
+		fatal_error "The $option option requires a value" unless defined $value;
 		my $numval = numeric_value $value;
-		fatal_error "Invalid value ($value) for option $option" unless defined $numval && $numval <= $maxoptionvalue{$option};
+		fatal_error "Invalid value ($value) for option $option" unless defined $numval;
 		$options{$option} = $numval;
 		$hostoptions{$option} = $numval if $hostopt;
 	    } elsif ( $type == IPLIST_IF_OPTION ) {
-		fatal_error "The '$option' option requires a value" unless defined $value;
+		fatal_error "The $option option requires a value" unless defined $value;
+		fatal_error "Duplicate $option option" if $nets;
 		#
 		# Remove parentheses from address list if present
 		#
@@ -871,54 +851,25 @@ sub process_interface( $ ) {
 		#
 		$value = join ',' , ALLIP , $value if $value =~ /^!/;
 		
-		if ( $option eq 'nets' ) {
-		    fatal_error q("nets=" may not be specified for a multi-zone interface) unless $zone;
-		    fatal_error "Duplicate $option option" if $netsref;
 		if ( $value eq 'dynamic' ) {
 		    require_capability( 'IPSET_MATCH', 'Dynamic nets', '');
+		    $value = "+${zone}_${interface}";
 		    $hostoptions{dynamic} = 1;
-			#
-			# Defer remaining processing until we have the final physical interface name
-			#
-			$netsref = 'dynamic';
-		    } else {
-			$hostoptions{multicast} = 1;
+		    $ipsets{"${zone}_${interface}"} = 1;
+		}   
 		#
 		# Convert into a Perl array reference
 		#
-			$netsref = [ split_list $value, 'address' ];
-		    }
+		$nets = [ split_list $value, 'address' ];
 		#
 		# Assume 'broadcast'
 		#
 		$hostoptions{broadcast} = 1;
-		} else {
-		    assert(0);
-		}
-	    } elsif ( $type == STRING_IF_OPTION ) {
-		fatal_error "The '$option' option requires a value" unless defined $value;
-
-		if ( $option eq 'physical' ) {
-		    fatal_error "Invalid Physical interface name ($value)" unless $value =~ /^[\w.@%-]+\+?$/;
-
-		    fatal_error "Duplicate physical interface name ($value)" if ( $physical{$value} && ! $port );
-
-		    fatal_error "The type of 'physical' name ($value) doesn't match the type of interface name ($interface)" if $wildcard && ! $value =~ /\+$/;
-		    $physical = $value;
-		} else {
-		    assert(0);
-		}
 	    } else {
 		warning_message "Support for the $option interface option has been removed from Shorewall";
 	    }
 	}
 
-	if ( $netsref eq 'dynamic' ) {
-	    my $ipset = "${zone}_" . chain_base $physical;
-	    $netsref = [ "+$ipset" ];
-	    $ipsets{$ipset} = 1;
-	}
-
 	$zoneref->{options}{in_out}{routeback} = 1 if $zoneref && $options{routeback};
 
 	if ( $options{bridge} ) {
@@ -930,26 +881,19 @@ sub process_interface( $ ) {
 
     }
 
-    $physical{$physical} = $interfaces{$interface} = { name       => $interface ,
+    $interfaces{$interface} = { name       => $interface ,
 				bridge     => $bridge ,
 				nets       => 0 ,
 				number     => $nextinum ,
 				root       => $root ,
 				broadcasts => $broadcasts ,
-						       options    => \%options ,
-						       zone       => '',
-						       physical   => $physical
-						     };
+				options    => \%options };
 
-    if ( $zone ) {
-	$netsref ||= [ allip ];
-	add_group_to_zone( $zone, $zoneref->{type}, $interface, $netsref, $hostoptionsref );
-	add_group_to_zone( $zone, 
-			   $zoneref->{type}, 
-			   $interface, 
-			   [ IPv4_MULTICAST ], 
-			   { destonly => 1 } ) if $hostoptionsref->{multicast} && $interfaces{$interface}{zone} ne $zone;
-    } 
+    $nets = [ allip ] unless $nets; 
+
+    add_group_to_zone( $zone, $zoneref->{type}, $interface, $nets, $hostoptionsref ) if $zone;
+
+    $interfaces{$interface}{zone} = $zone; #Must follow the call to add_group_to_zone()
 
     progress_message "  Interface \"$currentline\" Validated";
 
@@ -996,20 +940,6 @@ sub validate_interfaces_file( $ ) {
     fatal_error "No network interfaces defined" unless @interfaces;
 }
 
-#
-# Map the passed name to the corresponding physical name in the passed interface
-#
-sub map_physical( $$ ) {
-    my ( $name, $interfaceref ) = @_;
-    my $physical = $interfaceref->{physical};
-    
-    return $physical if $name eq $interfaceref->{name};
-
-    $physical =~ s/\+$//;
-
-    $physical . substr( $name, length  $interfaceref->{root} );
-}  
-
 #
 # Returns true if passed interface matches an entry in /etc/shorewall/interfaces
 #
@@ -1024,17 +954,13 @@ sub known_interface($)
 
     for my $i ( @interfaces ) {
 	$interfaceref = $interfaces{$i};
-	my $root = $interfaceref->{root};
-	if ( $i ne $root && substr( $interface, 0, length $root ) eq $root ) {
+	my $val = $interfaceref->{root};
+	next if $val eq $i;
+	if ( substr( $interface, 0, length $val ) eq $val ) {
 	    #
-	    # Cache this result for future reference. We set the 'name' to the name of the entry that appears in /etc/shorewall/interfaces and we do not set the root;
+	    # Cache this result for future reference. We set the 'name' to the name of the entry that appears in /etc/shorewall/interfaces.
 	    #
-	    return $interfaces{$interface} = { options  => $interfaceref->{options}, 
-					       bridge   => $interfaceref->{bridge} , 
-					       name     => $i , 
-					       number   => $interfaceref->{number} ,
-					       physical => map_physical( $interface, $interfaceref )
-					     };
+	    return $interfaces{$interface} = { options => $interfaceref->{options}, bridge => $interfaceref->{bridge} , name => $i , number => $interfaceref->{number} };
 	}
     }
 
@@ -1074,23 +1000,6 @@ sub find_interface( $ ) {
     $interfaceref;
 }
 
-#
-# Returns the physical interface associated with the passed logical name
-#
-sub get_physical( $ ) {
-    $interfaces{ $_[0] }->{physical};
-}
-
-#
-# This one doesn't insist that the passed name be the name of a configured interface
-#
-sub physical_name( $ ) {
-    my $device = shift;
-    my $devref = known_interface $device;
-
-    $devref ? $devref->{physical} : $device;
-}
-
 #
 # Returns true if there are bridge port zones defined in the config
 #
@@ -1131,11 +1040,7 @@ sub find_interfaces_by_option( $ ) {
     my @ints = ();
 
     for my $interface ( @interfaces ) {
-	my $interfaceref = $interfaces{$interface};
-	
-	next unless $interfaceref->{root};
-
-	my $optionsref = $interfaceref->{options};
+	my $optionsref = $interfaces{$interface}{options};
 	if ( $optionsref && defined $optionsref->{$option} ) {
 	    push @ints , $interface
 	}
@@ -1246,10 +1151,9 @@ sub process_host( ) {
 
     if ( $hosts eq 'dynamic' ) {
 	require_capability( 'IPSET_MATCH', 'Dynamic nets', '');
-	my $physical = physical_name $interface;
-	$hosts = "+${zone}_${physical}";
+	$hosts = "+${zone}_${interface}";
 	$optionsref->{dynamic} = 1;
-	$ipsets{"${zone}_${physical}"} = 1;
+	$ipsets{"${zone}_${interface}"} = 1;
 	
     }
    
@@ -1269,7 +1173,7 @@ sub validate_hosts_file()
 
     my $fn = open_file 'hosts';
 
-    first_entry "$doing $fn...";
+    first_entry "doing $fn...";
 
     $ipsec |= process_host while read_a_line;
 

Shorewall/Perl/compiler.pl

@@ -61,7 +61,7 @@ sub usage( $ ) {
     [ --family={4|6} ]
 ';
 
-    exit $returnval;
+    $returnval;
 }
 
 #
@@ -105,7 +105,7 @@ my $result = GetOptions('h'               => \$help,
 usage(1) unless $result && @ARGV < 2;
 usage(0) if $help;
 
-compiler( script          => defined $ARGV[0] ? $ARGV[0] : '',
+compiler( object          => defined $ARGV[0] ? $ARGV[0] : '', 
 	  directory       => $shorewall_dir, 
 	  verbosity       => $verbose, 
 	  timestamp       => $timestamp,

Shorewall/Perl/prog.footer

@@ -1,6 +1,283 @@
 ###############################################################################
 # Code imported from /usr/share/shorewall/prog.footer
 ###############################################################################
+#
+# Clear Proxy Arp
+#
+delete_proxyarp() {
+    if [ -f ${VARDIR}/proxyarp ]; then
+	while read address interface external haveroute; do
+	    qt arp -i $external -d $address pub
+	    [ -z "${haveroute}${NOROUTES}" ] && qt $IP -4 route del $address dev $interface
+	    f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
+	    [ -f $f ] && echo 0 > $f
+	done < ${VARDIR}/proxyarp
+    fi
+
+    rm -f ${VARDIR}/proxyarp
+}
+
+#
+# Remove all Shorewall-added rules
+#
+clear_firewall() {
+    stop_firewall
+
+    setpolicy INPUT ACCEPT
+    setpolicy FORWARD ACCEPT
+    setpolicy OUTPUT ACCEPT
+
+    run_iptables -F
+
+    echo 1 > /proc/sys/net/ipv4/ip_forward
+
+    if [ -n "$DISABLE_IPV6" ]; then
+	if [ -x $IPTABLES ]; then
+    	    $IP6TABLES -P INPUT   ACCEPT 2> /dev/null
+	    $IP6TABLES -P OUTPUT  ACCEPT 2> /dev/null
+	    $IP6TABLES -P FORWARD ACCEPT 2> /dev/null
+	fi
+    fi
+
+    run_clear_exit
+
+    set_state "Cleared"
+
+    logger -p kern.info "$PRODUCT Cleared"
+}
+
+#
+# Issue a message and stop/restore the firewall
+#
+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+
+    if [ $LOG_VERBOSE -gt 1 ]; then
+        timestamp="$(date +'%_b %d %T') "
+        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
+    fi
+
+    stop_firewall
+    [ -n "$TEMPFILE" ] && rm -f $TEMPFILE
+    exit 2
+}
+
+#
+# Issue a message and stop
+#
+startup_error() # $* = Error Message
+{
+    echo "   ERROR: $@: Firewall state not changed" >&2
+    case $COMMAND in
+        start)
+	    logger -p kern.err "ERROR:$PRODUCT start failed:Firewall state not changed"
+	    ;;
+	restart)
+	    logger -p kern.err "ERROR:$PRODUCT restart failed:Firewall state not changed"
+	    ;;
+	restore)
+	    logger -p kern.err "ERROR:$PRODUCT restore failed:Firewall state not changed"
+	    ;;
+    esac
+
+    if [ $LOG_VERBOSE -gt 1 ]; then
+        timestamp="$(date +'%_b %d %T') "
+
+	case $COMMAND in
+	    start)
+		echo "${timestamp}  ERROR:$PRODUCT start failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	    restart)
+		echo "${timestamp}  ERROR:$PRODUCT restart failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	    restore)
+		echo "${timestamp}  ERROR:$PRODUCT restore failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	esac
+    fi
+
+    kill $$
+    exit 2
+}
+
+#
+# Run iptables and if an error occurs, stop/restore the firewall
+#
+run_iptables()
+{
+    local status
+
+    while [ 1 ]; do
+	$IPTABLES $@
+	status=$?
+	[ $status -ne 4 ] && break
+    done
+
+    if [ $status -ne 0 ]; then
+        error_message "ERROR: Command \"$IPTABLES $@\" Failed"
+	stop_firewall
+        exit 2
+    fi
+}
+
+#
+# Run iptables retrying exit status 4
+#
+do_iptables()
+{
+    local status
+
+    while [ 1 ]; do
+	$IPTABLES $@
+	status=$?
+	[ $status -ne 4 ] && return $status;
+    done
+}
+
+#
+# Run iptables and if an error occurs, stop/restore the firewall
+#
+run_ip()
+{
+    if ! $IP -4 $@; then
+	error_message "ERROR: Command \"$IP -4 $@\" Failed"
+	stop_firewall
+	exit 2
+    fi
+}
+
+#
+# Run tc and if an error occurs, stop/restore the firewall
+#
+run_tc() {
+    if ! $TC $@ ; then
+	error_message "ERROR: Command \"$TC $@\" Failed"
+	stop_firewall
+	exit 2
+    fi
+}
+
+#
+# Restore the rules generated by 'drop','reject','logdrop', etc.
+#
+restore_dynamic_rules() {
+    if [ -f ${VARDIR}/save ]; then
+	progress_message2 "Setting up dynamic rules..."
+	rangematch='source IP range'
+	while read target ignore1 ignore2 address ignore3 rest; do
+	    case $target in
+		DROP|reject|logdrop|logreject)
+		    case $rest in
+			$rangematch*)
+			    run_iptables -A dynamic -m iprange --src-range ${rest#source IP range} -j $target
+			    ;;
+			*)
+			    if [ -z "$rest" ]; then
+				run_iptables -A dynamic -s $address -j $target
+			    else
+				error_message "WARNING: Unable to restore dynamic rule \"$target $ignore1 $ignore2 $address $ignore3 $rest\""
+			    fi
+			    ;;
+		    esac
+		    ;;
+	    esac
+	done < ${VARDIR}/save
+    fi
+}
+
+#
+# Get a list of all configured broadcast addresses on the system
+#
+get_all_bcasts()
+{
+    $IP -f inet addr show 2> /dev/null | grep 'inet.*brd' | grep -v '/32 ' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
+}
+
+#
+# Run the .iptables_restore_input as a set of discrete iptables commands
+#
+debug_restore_input() {
+    local first second rest table chain
+    #
+    # Clear the ruleset 
+    #
+    qt1 $IPTABLES -t mangle -F
+    qt1 $IPTABLES -t mangle -X
+
+    for chain in PREROUTING INPUT FORWARD POSTROUTING; do
+	qt1 $IPTABLES -t mangle -P $chain ACCEPT
+    done
+
+    qt1 $IPTABLES -t raw    -F
+    qt1 $IPTABLES -t raw    -X
+
+    for chain in PREROUTING OUTPUT; do
+	qt1 $IPTABLES -t raw -P $chain ACCEPT
+    done
+
+    run_iptables -t nat -F
+    run_iptables -t nat -X
+
+    for chain in PREROUTING POSTROUTING OUTPUT; do
+	qt1 $IPTABLES -t nat -P $chain ACCEPT
+    done
+
+    qt1 $IPTABLES -t filter -F
+    qt1 $IPTABLES -t filter -X
+
+    for chain in INPUT FORWARD OUTPUT; do
+	qt1 $IPTABLES -t filter -P $chain -P ACCEPT
+    done
+
+    while read first second rest; do
+	case $first in
+	    -*)
+		#
+		# We can't call run_iptables() here because the rules may contain quoted strings
+		#
+		eval $IPTABLES -t $table $first $second $rest
+
+		if [ $? -ne 0 ]; then
+		    error_message "ERROR: Command \"$IPTABLES $first $second $rest\" Failed"
+		    stop_firewall
+		    exit 2
+		fi
+		;;
+	    :*)
+		chain=${first#:}
+
+		if [ "x$second" = x- ]; then
+		    do_iptables -t $table -N $chain
+		else
+		    do_iptables -t $table -P $chain $second
+		fi
+
+		if [ $? -ne 0 ]; then
+		    error_message "ERROR: Command \"$IPTABLES $first $second $rest\" Failed"
+		    stop_firewall
+		    exit 2
+		fi
+		;;
+	    #
+	    # This grotesque hack with the table names works around a bug/feature with ash
+	    #
+	    '*'raw)
+		table=raw
+		;;
+	    '*'mangle)
+		table=mangle
+		;;
+	    '*'nat)
+		table=nat
+		;;
+	    '*'filter)
+		table=filter
+		;;
+	esac
+    done
+}
+
 #
 # Give Usage Information
 #
@@ -27,8 +304,6 @@ fi
 initialize
 
 if [ -n "$STARTUP_LOG" ]; then
-    touch $STARTUP_LOG
-    chmod 0600 $STARTUP_LOG
     if [ ${SHOREWALL_INIT_SCRIPT:-0} -eq 1 ]; then
 	#
 	# We're being run by a startup script that isn't redirecting STDOUT
@@ -87,7 +362,6 @@ case "$COMMAND" in
 	    status=0
 	else
 	    progress_message3 "Starting $PRODUCT...."
-	    detect_configuration
 	    define_firewall
 	    status=$?
 	    [ -n "$SUBSYSLOCK" -a $status -eq 0 ] && touch $SUBSYSLOCK
@@ -97,7 +371,6 @@ case "$COMMAND" in
     stop)
 	[ $# -ne 1 ] && usage 2
 	progress_message3 "Stopping $PRODUCT...."
-	detect_configuration
 	stop_firewall
 	status=0
 	[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
@@ -141,7 +414,6 @@ case "$COMMAND" in
 	    progress_message3 "Starting $PRODUCT...."
 	fi
 
-	detect_configuration
 	define_firewall
 	status=$?
 	if [ -n "$SUBSYSLOCK" ]; then
@@ -153,7 +425,6 @@ case "$COMMAND" in
 	[ $# -ne 1 ] && usage 2
 	if shorewall_is_started; then
 	    progress_message3 "Refreshing $PRODUCT...."
-	    detect_configuration
 	    define_firewall
 	    status=$?
 	    progress_message3 "done."
@@ -164,7 +435,6 @@ case "$COMMAND" in
 	;;
     restore)
 	[ $# -ne 1 ] && usage 2
-	detect_configuration
 	define_firewall
 	status=$?
 	if [ -n "$SUBSYSLOCK" ]; then

Shorewall/Perl/prog.footer6

@@ -1,6 +1,244 @@
 ###############################################################################
 # Code imported from /usr/share/shorewall/prog.footer6
 ###############################################################################
+#
+# Remove all Shorewall-added rules
+#
+clear_firewall() {
+    stop_firewall
+
+    setpolicy INPUT ACCEPT
+    setpolicy FORWARD ACCEPT
+    setpolicy OUTPUT ACCEPT
+
+    run_iptables -F
+
+    echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
+
+    run_clear_exit
+
+    set_state "Cleared"
+
+    logger -p kern.info "$PRODUCT Cleared"
+}
+
+#
+# Issue a message and stop/restore the firewall
+#
+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+
+    if [ $LOG_VERBOSE -gt 1 ]; then
+        timestamp="$(date +'%_b %d %T') "
+        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
+    fi
+
+    stop_firewall
+    [ -n "$TEMPFILE" ] && rm -f $TEMPFILE
+    exit 2
+}
+
+#
+# Issue a message and stop
+#
+startup_error() # $* = Error Message
+{
+    echo "   ERROR: $@: Firewall state not changed" >&2
+    case $COMMAND in
+        start)
+	    logger -p kern.err "ERROR:$PRODUCT start failed:Firewall state not changed"
+	    ;;
+	restart)
+	    logger -p kern.err "ERROR:$PRODUCT restart failed:Firewall state not changed"
+	    ;;
+	restore)
+	    logger -p kern.err "ERROR:$PRODUCT restore failed:Firewall state not changed"
+	    ;;
+    esac
+
+    if [ $LOG_VERBOSE -gt 1 ]; then
+        timestamp="$(date +'%_b %d %T') "
+
+	case $COMMAND in
+	    start)
+		echo "${timestamp}  ERROR:$PRODUCT start failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	    restart)
+		echo "${timestamp}  ERROR:$PRODUCT restart failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	    restore)
+		echo "${timestamp}  ERROR:$PRODUCT restore failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	esac
+    fi
+
+    kill $$
+    exit 2
+}
+
+#
+# Run iptables and if an error occurs, stop/restore the firewall
+#
+run_iptables()
+{
+    local status
+
+    while [ 1 ]; do
+	$IP6TABLES $@
+	status=$?
+	[ $status -ne 4 ] && break
+    done
+
+    if [ $status -ne 0 ]; then
+        error_message "ERROR: Command \"$IP6TABLES $@\" Failed"
+	stop_firewall
+        exit 2
+    fi
+}
+
+#
+# Run iptables retrying exit status 4
+#
+do_iptables()
+{
+    local status
+
+    while [ 1 ]; do
+	$IP6TABLES $@
+	status=$?
+	[ $status -ne 4 ] && return $status;
+    done
+}
+
+#
+# Run iptables and if an error occurs, stop/restore the firewall
+#
+run_ip()
+{
+    if ! $IP -6 $@; then
+	error_message "ERROR: Command \"$IP -6 $@\" Failed"
+	stop_firewall
+	exit 2
+    fi
+}
+
+#
+# Run tc and if an error occurs, stop/restore the firewall
+#
+run_tc() {
+    if ! $TC $@ ; then
+	error_message "ERROR: Command \"$TC $@\" Failed"
+	stop_firewall
+	exit 2
+    fi
+}
+
+#
+# Restore the rules generated by 'drop','reject','logdrop', etc.
+#
+restore_dynamic_rules() {
+    if [ -f ${VARDIR}/save ]; then
+	progress_message2 "Setting up dynamic rules..."
+	rangematch='source IP range'
+	while read target ignore1 ignore2 address ignore3 rest; do
+	    case $target in
+		DROP|reject|logdrop|logreject)
+		    case $rest in
+			$rangematch*)
+			    run_iptables -A dynamic -m iprange --src-range ${rest#source IP range} -j $target
+			    ;;
+			*)
+			    if [ -z "$rest" ]; then
+				run_iptables -A dynamic -s $address -j $target
+			    else
+				error_message "WARNING: Unable to restore dynamic rule \"$target $ignore1 $ignore2 $address $ignore3 $rest\""
+			    fi
+			    ;;
+		    esac
+		    ;;
+	    esac
+	done < ${VARDIR}/save
+    fi
+}
+
+#
+# Run the .iptables_restore_input as a set of discrete iptables commands
+#
+debug_restore_input() {
+    local first second rest table chain
+    #
+    # Clear the ruleset 
+    #
+    qt1 $IP6TABLES -t mangle -F
+    qt1 $IP6TABLES -t mangle -X
+
+    for chain in PREROUTING INPUT FORWARD POSTROUTING; do
+	qt1 $IP6TABLES -t mangle -P $chain ACCEPT
+    done
+
+    qt1 $IP6TABLES -t raw    -F
+    qt1 $IP6TABLES -t raw    -X
+
+    for chain in PREROUTING OUTPUT; do
+	qt1 $IP6TABLES -t raw -P $chain ACCEPT
+    done
+
+    qt1 $IP6TABLES -t filter -F
+    qt1 $IP6TABLES -t filter -X
+
+    for chain in INPUT FORWARD OUTPUT; do
+	qt1 $IP6TABLES -t filter -P $chain -P ACCEPT
+    done
+
+    while read first second rest; do
+	case $first in
+	    -*)
+		#
+		# We can't call run_iptables() here because the rules may contain quoted strings
+		#
+		eval $IP6TABLES -t $table $first $second $rest
+
+		if [ $? -ne 0 ]; then
+		    error_message "ERROR: Command \"$IP6TABLES $first $second $rest\" Failed"
+		    stop_firewall
+		    exit 2
+		fi
+		;;
+	    :*)
+		chain=${first#:}
+
+		if [ "x$second" = x- ]; then
+		    do_iptables -t $table -N $chain
+		else
+		    do_iptables -t $table -P $chain $second
+		fi
+
+		if [ $? -ne 0 ]; then
+		    error_message "ERROR: Command \"$IP6TABLES $first $second $rest\" Failed"
+		    stop_firewall
+		    exit 2
+		fi
+		;;
+	    #
+	    # This grotesque hack with the table names works around a bug/feature with ash
+	    #
+	    '*'raw)
+		table=raw
+		;;
+	    '*'mangle)
+		table=mangle
+		;;
+	    '*'nat)
+		table=nat
+		;;
+	    '*'filter)
+		table=filter
+		;;
+	esac
+    done
+}
+
 #
 # Give Usage Information
 #
@@ -27,8 +265,6 @@ fi
 initialize
 
 if [ -n "$STARTUP_LOG" ]; then
-    touch $STARTUP_LOG
-    chmod 0600 $STARTUP_LOG
     if [ ${SHOREWALL_INIT_SCRIPT:-0} -eq 1 ]; then
 	#
 	# We're being run by a startup script that isn't redirecting STDOUT
@@ -79,7 +315,7 @@ COMMAND="$1"
 
 [ -n "${PRODUCT:=Shorewall6}" ]
 
-kernel=$(printf "%2d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
+kernel=$(printf "%2d%02d%02d\n" $(echo $(uname -r) 2> /dev/null | sed 's/-.*//' | tr '.' ' ' ) | head -n1)
 if [ $kernel -lt 20624 ]; then
     error_message "ERROR: $PRODUCT requires Linux kernel 2.6.24 or later"
     status=2
@@ -92,7 +328,6 @@ else
 		status=0
 	    else
 		progress_message3 "Starting $PRODUCT...."
-		detect_configuration
 		define_firewall
 		status=$?
 		[ -n "$SUBSYSLOCK" -a $status -eq 0 ] && touch $SUBSYSLOCK
@@ -102,7 +337,6 @@ else
 	stop)
 	    [ $# -ne 1 ] && usage 2
 	    progress_message3 "Stopping $PRODUCT...."
-	    detect_configuration
 	    stop_firewall
 	    status=0
 	    [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
@@ -145,7 +379,6 @@ else
 		progress_message3 "Starting $PRODUCT...."
 	    fi
 
-	    detect_configuration
 	    define_firewall
 	    status=$?
 	    if [ -n "$SUBSYSLOCK" ]; then
@@ -157,7 +390,6 @@ else
 	    [ $# -ne 1 ] && usage 2
 	    if shorewall6_is_started; then
 		progress_message3 "Refreshing $PRODUCT...."
-		detect_configuration
 		define_firewall
 		status=$?
 		progress_message3 "done."
@@ -168,7 +400,6 @@ else
 	    ;;
 	restore)
 	    [ $# -ne 1 ] && usage 2
-	    detect_configuration
 	    define_firewall
 	    status=$?
 	    if [ -n "$SUBSYSLOCK" ]; then

Shorewall/Perl/prog.header

@@ -255,7 +255,7 @@ reload_kernel_modules() {
 
     [ -z "$MODULESDIR" ] && \
 	uname=$(uname -r) && \
-	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
+	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
 
     MODULES=$(lsmod | cut -d ' ' -f1)
 
@@ -294,7 +294,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
 
     [ -z "$MODULESDIR" ] && \
 	uname=$(uname -r) && \
-	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
+	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
 
     for directory in $(split $MODULESDIR); do
 	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
@@ -1071,283 +1071,6 @@ conditionally_flush_conntrack() {
     fi
 }
 
-#
-# Clear Proxy Arp
-#
-delete_proxyarp() {
-    if [ -f ${VARDIR}/proxyarp ]; then
-	while read address interface external haveroute; do
-	    qt arp -i $external -d $address pub
-	    [ -z "${haveroute}${NOROUTES}" ] && qt $IP -4 route del $address dev $interface
-	    f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
-	    [ -f $f ] && echo 0 > $f
-	done < ${VARDIR}/proxyarp
-    fi
-
-    rm -f ${VARDIR}/proxyarp
-}
-
-#
-# Remove all Shorewall-added rules
-#
-clear_firewall() {
-    stop_firewall
-
-    setpolicy INPUT ACCEPT
-    setpolicy FORWARD ACCEPT
-    setpolicy OUTPUT ACCEPT
-
-    run_iptables -F
-
-    echo 1 > /proc/sys/net/ipv4/ip_forward
-
-    if [ -n "$DISABLE_IPV6" ]; then
-	if [ -x $IPTABLES ]; then
-    	    $IP6TABLES -P INPUT   ACCEPT 2> /dev/null
-	    $IP6TABLES -P OUTPUT  ACCEPT 2> /dev/null
-	    $IP6TABLES -P FORWARD ACCEPT 2> /dev/null
-	fi
-    fi
-
-    run_clear_exit
-
-    set_state "Cleared"
-
-    logger -p kern.info "$PRODUCT Cleared"
-}
-
-#
-# Issue a message and stop/restore the firewall
-#
-fatal_error()
-{
-    echo "   ERROR: $@" >&2
-
-    if [ $LOG_VERBOSE -gt 1 ]; then
-        timestamp="$(date +'%_b %d %T') "
-        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
-    fi
-
-    stop_firewall
-    [ -n "$TEMPFILE" ] && rm -f $TEMPFILE
-    exit 2
-}
-
-#
-# Issue a message and stop
-#
-startup_error() # $* = Error Message
-{
-    echo "   ERROR: $@: Firewall state not changed" >&2
-    case $COMMAND in
-        start)
-	    logger -p kern.err "ERROR:$PRODUCT start failed:Firewall state not changed"
-	    ;;
-	restart)
-	    logger -p kern.err "ERROR:$PRODUCT restart failed:Firewall state not changed"
-	    ;;
-	restore)
-	    logger -p kern.err "ERROR:$PRODUCT restore failed:Firewall state not changed"
-	    ;;
-    esac
-
-    if [ $LOG_VERBOSE -gt 1 ]; then
-        timestamp="$(date +'%_b %d %T') "
-
-	case $COMMAND in
-	    start)
-		echo "${timestamp}  ERROR:$PRODUCT start failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	    restart)
-		echo "${timestamp}  ERROR:$PRODUCT restart failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	    restore)
-		echo "${timestamp}  ERROR:$PRODUCT restore failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	esac
-    fi
-
-    kill $$
-    exit 2
-}
-
-#
-# Run iptables and if an error occurs, stop/restore the firewall
-#
-run_iptables()
-{
-    local status
-
-    while [ 1 ]; do
-	$IPTABLES $@
-	status=$?
-	[ $status -ne 4 ] && break
-    done
-
-    if [ $status -ne 0 ]; then
-        error_message "ERROR: Command \"$IPTABLES $@\" Failed"
-	stop_firewall
-        exit 2
-    fi
-}
-
-#
-# Run iptables retrying exit status 4
-#
-do_iptables()
-{
-    local status
-
-    while [ 1 ]; do
-	$IPTABLES $@
-	status=$?
-	[ $status -ne 4 ] && return $status;
-    done
-}
-
-#
-# Run iptables and if an error occurs, stop/restore the firewall
-#
-run_ip()
-{
-    if ! $IP -4 $@; then
-	error_message "ERROR: Command \"$IP -4 $@\" Failed"
-	stop_firewall
-	exit 2
-    fi
-}
-
-#
-# Run tc and if an error occurs, stop/restore the firewall
-#
-run_tc() {
-    if ! $TC $@ ; then
-	error_message "ERROR: Command \"$TC $@\" Failed"
-	stop_firewall
-	exit 2
-    fi
-}
-
-#
-# Restore the rules generated by 'drop','reject','logdrop', etc.
-#
-restore_dynamic_rules() {
-    if [ -f ${VARDIR}/save ]; then
-	progress_message2 "Setting up dynamic rules..."
-	rangematch='source IP range'
-	while read target ignore1 ignore2 address ignore3 rest; do
-	    case $target in
-		DROP|reject|logdrop|logreject)
-		    case $rest in
-			$rangematch*)
-			    run_iptables -A dynamic -m iprange --src-range ${rest#source IP range} -j $target
-			    ;;
-			*)
-			    if [ -z "$rest" ]; then
-				run_iptables -A dynamic -s $address -j $target
-			    else
-				error_message "WARNING: Unable to restore dynamic rule \"$target $ignore1 $ignore2 $address $ignore3 $rest\""
-			    fi
-			    ;;
-		    esac
-		    ;;
-	    esac
-	done < ${VARDIR}/save
-    fi
-}
-
-#
-# Get a list of all configured broadcast addresses on the system
-#
-get_all_bcasts()
-{
-    $IP -f inet addr show 2> /dev/null | grep 'inet.*brd' | grep -v '/32 ' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
-}
-
-#
-# Run the .iptables_restore_input as a set of discrete iptables commands
-#
-debug_restore_input() {
-    local first second rest table chain
-    #
-    # Clear the ruleset
-    #
-    qt1 $IPTABLES -t mangle -F
-    qt1 $IPTABLES -t mangle -X
-
-    for chain in PREROUTING INPUT FORWARD POSTROUTING; do
-	qt1 $IPTABLES -t mangle -P $chain ACCEPT
-    done
-
-    qt1 $IPTABLES -t raw    -F
-    qt1 $IPTABLES -t raw    -X
-
-    for chain in PREROUTING OUTPUT; do
-	qt1 $IPTABLES -t raw -P $chain ACCEPT
-    done
-
-    run_iptables -t nat -F
-    run_iptables -t nat -X
-
-    for chain in PREROUTING POSTROUTING OUTPUT; do
-	qt1 $IPTABLES -t nat -P $chain ACCEPT
-    done
-
-    qt1 $IPTABLES -t filter -F
-    qt1 $IPTABLES -t filter -X
-
-    for chain in INPUT FORWARD OUTPUT; do
-	qt1 $IPTABLES -t filter -P $chain -P ACCEPT
-    done
-
-    while read first second rest; do
-	case $first in
-	    -*)
-		#
-		# We can't call run_iptables() here because the rules may contain quoted strings
-		#
-		eval $IPTABLES -t $table $first $second $rest
-
-		if [ $? -ne 0 ]; then
-		    error_message "ERROR: Command \"$IPTABLES $first $second $rest\" Failed"
-		    stop_firewall
-		    exit 2
-		fi
-		;;
-	    :*)
-		chain=${first#:}
-
-		if [ "x$second" = x- ]; then
-		    do_iptables -t $table -N $chain
-		else
-		    do_iptables -t $table -P $chain $second
-		fi
-
-		if [ $? -ne 0 ]; then
-		    error_message "ERROR: Command \"$IPTABLES $first $second $rest\" Failed"
-		    stop_firewall
-		    exit 2
-		fi
-		;;
-	    #
-	    # This grotesque hack with the table names works around a bug/feature with ash
-	    #
-	    '*'raw)
-		table=raw
-		;;
-	    '*'mangle)
-		table=mangle
-		;;
-	    '*'nat)
-		table=nat
-		;;
-	    '*'filter)
-		table=filter
-		;;
-	esac
-    done
-}
-
 ################################################################################
 # End of functions in /usr/share/shorewall/prog.header
 ################################################################################

Shorewall/Perl/prog.header6

@@ -268,7 +268,7 @@ reload_kernel_modules() {
 
     [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
 
-    [ -z "$MODULESDIR" ] && MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter:/lib/modules/$(uname -r)/kernel/net/sched/
+    [ -z "$MODULESDIR" ] && MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter
     MODULES=$(lsmod | cut -d ' ' -f1)
 
     for directory in $(split $MODULESDIR); do
@@ -304,7 +304,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
     [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
 
     [ -z "$MODULESDIR" ] && \
-	MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter:/lib/modules/$(uname -r)/kernel/net/sched/
+	MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter
 
     for directory in $(split $MODULESDIR); do
 	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
@@ -946,244 +946,6 @@ conditionally_flush_conntrack() {
     fi
 }
 
-#
-# Remove all Shorewall-added rules
-#
-clear_firewall() {
-    stop_firewall
-
-    setpolicy INPUT ACCEPT
-    setpolicy FORWARD ACCEPT
-    setpolicy OUTPUT ACCEPT
-
-    run_iptables -F
-
-    echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-
-    run_clear_exit
-
-    set_state "Cleared"
-
-    logger -p kern.info "$PRODUCT Cleared"
-}
-
-#
-# Issue a message and stop/restore the firewall
-#
-fatal_error()
-{
-    echo "   ERROR: $@" >&2
-
-    if [ $LOG_VERBOSE -gt 1 ]; then
-        timestamp="$(date +'%_b %d %T') "
-        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
-    fi
-
-    stop_firewall
-    [ -n "$TEMPFILE" ] && rm -f $TEMPFILE
-    exit 2
-}
-
-#
-# Issue a message and stop
-#
-startup_error() # $* = Error Message
-{
-    echo "   ERROR: $@: Firewall state not changed" >&2
-    case $COMMAND in
-        start)
-	    logger -p kern.err "ERROR:$PRODUCT start failed:Firewall state not changed"
-	    ;;
-	restart)
-	    logger -p kern.err "ERROR:$PRODUCT restart failed:Firewall state not changed"
-	    ;;
-	restore)
-	    logger -p kern.err "ERROR:$PRODUCT restore failed:Firewall state not changed"
-	    ;;
-    esac
-
-    if [ $LOG_VERBOSE -gt 1 ]; then
-        timestamp="$(date +'%_b %d %T') "
-
-	case $COMMAND in
-	    start)
-		echo "${timestamp}  ERROR:$PRODUCT start failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	    restart)
-		echo "${timestamp}  ERROR:$PRODUCT restart failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	    restore)
-		echo "${timestamp}  ERROR:$PRODUCT restore failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	esac
-    fi
-
-    kill $$
-    exit 2
-}
-
-#
-# Run iptables and if an error occurs, stop/restore the firewall
-#
-run_iptables()
-{
-    local status
-
-    while [ 1 ]; do
-	$IP6TABLES $@
-	status=$?
-	[ $status -ne 4 ] && break
-    done
-
-    if [ $status -ne 0 ]; then
-        error_message "ERROR: Command \"$IP6TABLES $@\" Failed"
-	stop_firewall
-        exit 2
-    fi
-}
-
-#
-# Run iptables retrying exit status 4
-#
-do_iptables()
-{
-    local status
-
-    while [ 1 ]; do
-	$IP6TABLES $@
-	status=$?
-	[ $status -ne 4 ] && return $status;
-    done
-}
-
-#
-# Run iptables and if an error occurs, stop/restore the firewall
-#
-run_ip()
-{
-    if ! $IP -6 $@; then
-	error_message "ERROR: Command \"$IP -6 $@\" Failed"
-	stop_firewall
-	exit 2
-    fi
-}
-
-#
-# Run tc and if an error occurs, stop/restore the firewall
-#
-run_tc() {
-    if ! $TC $@ ; then
-	error_message "ERROR: Command \"$TC $@\" Failed"
-	stop_firewall
-	exit 2
-    fi
-}
-
-#
-# Restore the rules generated by 'drop','reject','logdrop', etc.
-#
-restore_dynamic_rules() {
-    if [ -f ${VARDIR}/save ]; then
-	progress_message2 "Setting up dynamic rules..."
-	rangematch='source IP range'
-	while read target ignore1 ignore2 address ignore3 rest; do
-	    case $target in
-		DROP|reject|logdrop|logreject)
-		    case $rest in
-			$rangematch*)
-			    run_iptables -A dynamic -m iprange --src-range ${rest#source IP range} -j $target
-			    ;;
-			*)
-			    if [ -z "$rest" ]; then
-				run_iptables -A dynamic -s $address -j $target
-			    else
-				error_message "WARNING: Unable to restore dynamic rule \"$target $ignore1 $ignore2 $address $ignore3 $rest\""
-			    fi
-			    ;;
-		    esac
-		    ;;
-	    esac
-	done < ${VARDIR}/save
-    fi
-}
-
-#
-# Run the .iptables_restore_input as a set of discrete iptables commands
-#
-debug_restore_input() {
-    local first second rest table chain
-    #
-    # Clear the ruleset
-    #
-    qt1 $IP6TABLES -t mangle -F
-    qt1 $IP6TABLES -t mangle -X
-
-    for chain in PREROUTING INPUT FORWARD POSTROUTING; do
-	qt1 $IP6TABLES -t mangle -P $chain ACCEPT
-    done
-
-    qt1 $IP6TABLES -t raw    -F
-    qt1 $IP6TABLES -t raw    -X
-
-    for chain in PREROUTING OUTPUT; do
-	qt1 $IP6TABLES -t raw -P $chain ACCEPT
-    done
-
-    qt1 $IP6TABLES -t filter -F
-    qt1 $IP6TABLES -t filter -X
-
-    for chain in INPUT FORWARD OUTPUT; do
-	qt1 $IP6TABLES -t filter -P $chain -P ACCEPT
-    done
-
-    while read first second rest; do
-	case $first in
-	    -*)
-		#
-		# We can't call run_iptables() here because the rules may contain quoted strings
-		#
-		eval $IP6TABLES -t $table $first $second $rest
-
-		if [ $? -ne 0 ]; then
-		    error_message "ERROR: Command \"$IP6TABLES $first $second $rest\" Failed"
-		    stop_firewall
-		    exit 2
-		fi
-		;;
-	    :*)
-		chain=${first#:}
-
-		if [ "x$second" = x- ]; then
-		    do_iptables -t $table -N $chain
-		else
-		    do_iptables -t $table -P $chain $second
-		fi
-
-		if [ $? -ne 0 ]; then
-		    error_message "ERROR: Command \"$IP6TABLES $first $second $rest\" Failed"
-		    stop_firewall
-		    exit 2
-		fi
-		;;
-	    #
-	    # This grotesque hack with the table names works around a bug/feature with ash
-	    #
-	    '*'raw)
-		table=raw
-		;;
-	    '*'mangle)
-		table=mangle
-		;;
-	    '*'nat)
-		table=nat
-		;;
-	    '*'filter)
-		table=filter
-		;;
-	esac
-    done
-}
-
 ################################################################################
 # End of functions imported from /usr/share/shorewall/prog.header6
 ################################################################################

Shorewall/changelog.txt

@@ -1,168 +1,11 @@
-Changes in Shorewall 4.4.5.1
 
-1)  Handle rp_filter and kernel's 2.6.31 and later.
+Changes in Shorewall 4.4.0.1
 
-Changes in Shorewall 4.4.5
+1)  Updated release versions.
 
-1)  Fix 15-port limit removal change.
+2)  Fix log level in rules at the end of INPUT and OUTPUT
 
-2)  Fix handling of interfaces with the 'bridge' option.
-
-3)  Generate error for port number 0
-
-4)  Allow zone::serverport in rules DEST column.
-
-5)  Fix 'show policies' in Shorewall6.
-
-6)  Auto-load tc modules.
-
-7)  Allow LOGFILE=/dev/null
-
-8)  Fix shorewall6-lite/shorecap
-
-9) Fix MODULE_SUFFIX.
-
-10) Fix ENHANCED_REJECT detection for IPv4.
-
-11) Fix DONT_LOAD vs 'reload -c'
-
-12) Fix handling of SOURCE and DEST vs macros.
-
-13) Remove silly logic in expand_rule().
-
-14) Add current and limit to Conntrack Table Heading.
-
-Changes in Shorewall 4.4.4
-
-1)  Change STARTUP_LOG and LOG_VERBOSITY in default shorewall6.conf.
-
-2)  Fix access to uninitialized variable.
-
-3)  Add logrotate scripts.
-
-4)  Allow long port lists in /etc/shorewall/routestopped.
-
-5)  Implement 'physical' interface option.
-
-6)  Implement ZONE2ZONE option.
-
-7)  Suppress duplicate COMMENT warnings.
-
-8)  Implement 'show policies' command.
-
-9)  Fix route_rule suppression for down provider.
-
-10) Suppress redundant tests for provider availability in route rules
-    processing.
-
-11) Implement the '-l' option to the 'show' command.
-
-12) Fix class number assignment when WIDE_TC_MARKS=Yes
-
-13) Allow wide marks in tcclasses when WIDE_TC_MARKS=Yes
-
-Changes in Shorewall 4.4.3
-
-1)  Move Debian INITLOG initialization to /etc/default/shorewall
-
-2)  Fix 'routeback' in /etc/shorewall/routestopped.
-
-3)  Rename 'object' to 'script' in compiler and config modules.
-
-4)  Correct RETAIN_ALIASES=No.
-
-5)  Fix detection of IP config.
-
-6)  Fix nested zones.
-
-7)  Move all function declarations from prog.footer to prog.header
-
-8)  Remove superfluous variables from generated script
-
-9)  Make 'track' the default.
-
-10)  Add TRACK_PROVIDERS option.
-
-11)  Fix IPv6 address parsing bug.
-
-12)  Add hack to work around iproute IPv6 bug in route handling
-
-13)  Correct messages issued when an optional provider is not usable.
-
-14)  Fix optional interfaces.
-
-15)  Add 'limit' option to tcclasses.
-
-Changes in Shorewall 4.4.2
-
-1)  BUGFIX: Correct detection of Persistent SNAT support
-
-2)  BUGFIX: Fix chain table initialization
-
-3)  BUGFIX: Validate routestopped file on 'check'
-
-4)  Let the Actions module add the builtin actions to
-    %Shorewall::Chains::targets. Much better modularization that way.
-
-5)  Some changes to make Lenny->Squeeze less painful.
-
-6)  Allow comments at the end of continued lines.
-
-7)  Call process_routestopped() during 'check' rather than
-    'compile_stop_firewall()'.
-
-8)  Don't look for an extension script for built-in actions.
-
-9)  Apply Jesse Shrieve's patch for SNAT range.
-
-10) Add -<family> to 'ip route del default' command.
-
-11) Add three new columns to macro body.
-
-12) Change 'wait4ifup' so that it requires no PATH
-
-13) Allow extension scripts for accounting chains.
-
-14) Allow per-ip LIMIT to work on ancient iptables releases.
-
-15) Add 'MARK' column to action body.
-
-Changes in Shorewall 4.4.1
-
-1)  Deleted extra 'use ...IPAddrs.pm' from Nat.pm.
-
-2)  Deleted superfluous export from Chains.pm.
-
-3)  Added support for --persistent.
-
-4)  Don't do module initialization in an INIT block.
-
-5)  Minor performance improvements.
-
-6)  Add 'clean' target to Makefile.
-
-7)  Redefine 'full' for sub-classes.
-
-8)  Fix log level in rules at the end of INPUT and OUTPUT chains.
-
-9)  Fix nested ipsec zones.
-
-10) Change one-interface sample to IP_FORWARDING=Off.
-
-11) Allow multicast to non-dynamic zones defined with nets=.
-
-12) Allow zones with nets= to be extended by /etc/shorewall/hosts
-    entries.
-
-13) Don't allow nets= in a multi-zone interface definition.
-
-14) Fix rule generated by MULTICAST=Yes
-
-15) Fix silly hole in zones file parsing.
-
-16) Tighen up zone membership checking.
-
-17) Combine portlist-spitting routines into a single function.
+3)  Correct handling of nested IPSEC chains.
 
 Changes in Shorewall 4.4.0
 
@@ -176,7 +19,7 @@ Changes in Shorewall 4.4.0
 
 5)  Fix 'upnpclient' with required interfaces.
 
-6)  Fix provider number in masq file.
+5)  Fix provider number in 
 
 Changes in Shorewall 4.4.0-RC2
 
@@ -382,8 +225,10 @@ Changes in Shorewall 4.3.5
 
 1)  Remove support for shorewall-shell.
 
-2)  Combine shorewall-common and shorewall-perl to produce shorewall.
+2)  Combine shorewall-common and shorewall-perl to product shorewall.
 
 3)  Add nets= OPTION in interfaces file.
 
+4)  Add SAME MARK/CLASSIFY target
+
 

Shorewall/configfiles/findgw

@@ -1,5 +1,5 @@
 #
-# Shorewall version 4 - Findgw File
+# Shorewall version 4 - Filegw File
 #
 # /etc/shorewall/findgw
 #

Shorewall/configfiles/shorewall.conf

@@ -32,9 +32,9 @@ VERBOSITY=1
 
 LOGFILE=/var/log/messages
 
-STARTUP_LOG=/var/log/shorewall-init.log
+STARTUP_LOG=
 
-LOG_VERBOSITY=2
+LOG_VERBOSITY=
 
 LOGFORMAT="Shorewall:%s:%s:"
 
@@ -189,10 +189,6 @@ AUTOMAKE=No
 
 WIDE_TC_MARKS=No
 
-TRACK_PROVIDERS=No
-
-ZONE2ZONE=2
-
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Shorewall/default.debian

@@ -21,9 +21,4 @@ startup=0
 
 OPTIONS=""
 
-#
-# Init Log -- if /dev/null, use the STARTUP_LOG defined in shorewall.conf
-#
-INITLOG=/dev/null
-
 # EOF

Shorewall/init.debian.sh

@@ -15,11 +15,13 @@
 SRWL=/sbin/shorewall
 SRWL_OPTS="-tvv"
 WAIT_FOR_IFUP=/usr/share/shorewall/wait4ifup
-test -n ${INITLOG:=/var/log/shorewall-init.log}
+# Note, set INITLOG to /dev/null if you want to
+# use Shorewall's STARTUP_LOG feature.
+INITLOG=/var/log/shorewall-init.log
 
 test -x $SRWL || exit 0
 test -x $WAIT_FOR_IFUP || exit 0
-test -n "$INITLOG" || {
+test -n $INITLOG || {
 	echo "INITLOG cannot be empty, please configure $0" ; 
 	exit 1;
 }
@@ -47,7 +49,7 @@ not_configured () {
 	then
 		echo ""
 		echo "Please read about Debian specific customization in"
-		echo "/usr/share/doc/shorewall/README.Debian.gz."
+		echo "/usr/share/doc/shorewall-common/README.Debian.gz."
 	fi
 	echo "#################"
 	exit 0

Shorewall/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.5.1
+VERSION=4.4.0.1
 
 usage() # $1 = exit status
 {
@@ -176,7 +176,7 @@ else
     fi
 
     if [ -z "$CYGWIN" ]; then
-	if [ -f /etc/debian_version ]; then
+	if [ -d /etc/apt -a -e /usr/bin/dpkg ]; then
 	    DEBIAN=yes
 	elif [ -f /etc/slackware-version ] ; then
 	    echo "installing Slackware specific configuration..."
@@ -242,12 +242,6 @@ mkdir -p ${PREFIX}/var/lib/shorewall
 chmod 755 ${PREFIX}/etc/shorewall
 chmod 755 ${PREFIX}/usr/share/shorewall
 chmod 755 ${PREFIX}/usr/share/shorewall/configfiles
-
-if [ -n "$PREFIX" ]; then
-    mkdir -p ${PREFIX}/etc/logrotate.d
-    chmod 755 ${PREFIX}/etc/logrotate.d
-fi
-    
 #
 # Install the config file
 #
@@ -459,15 +453,6 @@ if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/blacklist ]; then
     echo "Blacklist file installed as ${PREFIX}/etc/shorewall/blacklist"
 fi
 #
-# Install the findgw file
-#
-run_install $OWNERSHIP -m 0644 configfiles/findgw ${PREFIX}/usr/share/shorewall/configfiles/findgw
-
-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/findgw ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/findgw ${PREFIX}/etc/shorewall/findgw
-    echo "Find GW file installed as ${PREFIX}/etc/shorewall/findgw"
-fi
-#
 # Delete the Routes file
 #
 delete_file ${PREFIX}/etc/shorewall/routes
@@ -798,16 +783,6 @@ cd ..
 
 echo "Man Pages Installed"
 
-if [ -d ${PREFIX}/etc/logrotate.d ]; then
-    run_install $OWNERSHIP -m 0644 logrotate ${PREFIX}/etc/logrotate.d/shorewall
-    echo "Logrotate file installed as ${PREFIX}/etc/logrotate.d/shorewall"
-fi
-
-if [ -z "$PREFIX" ]; then
-    rm -rf /usr/share/shorewall-perl
-    rm -rf /usr/share/shorewall-shell
-fi
-
 if [ -z "$PREFIX" -a -n "$first_install" -a -z "$CYGWIN" ]; then
     if [ -n "$DEBIAN" ]; then
 	run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall

Shorewall/known_problems.txt

@@ -1,15 +1,16 @@
-1) In kernel 2.6.31, the handling of the rp_filter interface option was
-   changed incompatibly. Previously, the effective value was determined
-   by the setting of net.ipv4.config.dev.rp_filter logically ANDed with
-   the setting of net.ipv4.config.all.rp_filter.
+1)  If ULOG is specified as the LOG LEVEL in the all->all policy, the
+    rules at the end of the INPUT and OUTPUT chains still use the
+    LOG target rather than ULOG.
 
-   Beginning with kernel 2.6.31, the value is the arithmetic MAX of
-   those two values. 
+    You can work around this problem by adding two additional policies
+    before the all->all one:
 
-   Given that Shorewall sets net.ipv4.config.all.rp_filter to 1 if
-   there are any interfaces specifying 'routefilter', specifying
-   'routefilter' on any interface has the effect of setting the option
-   on all interfaces.
+    	   all 		$FW	DROP	ULOG
+	   $FW		all	REJECT	ULOG
 
-   A workaround for this problem is included in Shorewall 4.4.5.1.
+    This problem was corrected in Shorewall 4.4.0.1.
 
+2)  Use of CONTINUE policies with a nested IPSEC zone was broken in
+    some cases.
+
+    This problem was corrected in Shorewall 4.4.0.1.

Shorewall/lib.base

@@ -30,7 +30,7 @@
 #
 
 SHOREWALL_LIBVERSION=40000
-SHOREWALL_CAPVERSION=40406
+SHOREWALL_CAPVERSION=40310
 
 [ -n "${VARDIR:=/var/lib/shorewall}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall}" ]
@@ -220,7 +220,7 @@ reload_kernel_modules() {
 
     [ -z "$MODULESDIR" ] && \
 	uname=$(uname -r) && \
-	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
+	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
 
     MODULES=$(lsmod | cut -d ' ' -f1)
 
@@ -259,7 +259,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
 
     [ -z "$MODULESDIR" ] && \
 	uname=$(uname -r) && \
-	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
+	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
 
     for directory in $(split $MODULESDIR); do
 	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
@@ -777,13 +777,6 @@ set_state () # $1 = state
 # Determine which optional facilities are supported by iptables/netfilter
 #
 determine_capabilities() {
-    [ -n "$IPTABLES" ] || IPTABLES=$(mywhich iptables)
-
-    if [ -z "$IPTABLES" ]; then
-	echo "   ERROR: No executable iptables binary can be found on your PATH" >&2
-	exit 1
-    fi
-
     qt $IPTABLES -t nat    -L -n && NAT_ENABLED=Yes    || NAT_ENABLED=
     qt $IPTABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
 
@@ -827,16 +820,14 @@ determine_capabilities() {
     LOGMARK_TARGET=
     IPMARK_TARGET=
     LOG_TARGET=Yes
-    PERSISTENT_SNAT=
 
     chain=fooX$$
 
-    if [ -n "$NAT_ENABLED" ]; then
-	if qt $IPTABLES -t nat -N $chain; then
-	    qt $IPTABLES -t nat -A $chain -j SNAT --to-source 1.2.3.4 --persistent && PERSISTENT_SNAT=Yes
-	    qt $IPTABLES -t nat -F $chain
-	    qt $IPTABLES -t nat -X $chain
-	fi
+    [ -n "$IPTABLES" ] || IPTABLES=$(mywhich iptables)
+
+    if [ -z "$IPTABLES" ]; then
+	echo "   ERROR: No executable iptables binary can be found on your PATH" >&2
+	exit 1
     fi
 
     qt $IPTABLES -F $chain
@@ -945,11 +936,7 @@ determine_capabilities() {
     qt $IPTABLES -A $chain -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
     qt $IPTABLES -A $chain -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes
     qt $IPTABLES -A $chain -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes
-    qt $IPTABLES -A $chain -m hashlimit --hashlimit-upto 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
-    if [ -z "$HASHLIMIT_MATCH" ]; then
-	qt $IPTABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && NEW_HL_MATCH=Yes
-	HASHLIMIT_MATCH=$OLD_HL_MATCH
-    fi	
+    qt $IPTABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
     qt $IPTABLES -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
     qt $IPTABLES -A $chain -m realm --realm 4 && REALM_MATCH=Yes
     qt $IPTABLES -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes
@@ -965,7 +952,6 @@ determine_capabilities() {
     qt $IPTABLES -X $chain1
 
     CAPVERSION=$SHOREWALL_CAPVERSION
-    KERNELVERSION=$(printf "%d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
 }
 
 report_capabilities() {
@@ -1016,7 +1002,6 @@ report_capabilities() {
 	report_capability "Address Type Match" $ADDRTYPE
 	report_capability "TCPMSS Match" $TCPMSS_MATCH
 	report_capability "Hashlimit Match" $HASHLIMIT_MATCH
-	report_capability "Old Hashlimit Match" $OLD_HL_MATCH
 	report_capability "NFQUEUE Target" $NFQUEUE_TARGET
 	report_capability "Realm Match" $REALM_MATCH
 	report_capability "Helper Match" $HELPER_MATCH
@@ -1026,7 +1011,6 @@ report_capabilities() {
 	report_capability "LOGMARK Target" $LOGMARK_TARGET
 	report_capability "IPMARK Target" $IPMARK_TARGET
 	report_capability "LOG Target" $LOG_TARGET
-	report_capability "Persistent SNAT" $PERSISTENT_SNAT
     fi
 
     [ -n "$PKTTYPE" ] || USEPKTTYPE=
@@ -1075,7 +1059,6 @@ report_capabilities1() {
     report_capability1 ADDRTYPE
     report_capability1 TCPMSS_MATCH
     report_capability1 HASHLIMIT_MATCH
-    report_capability1 OLD_HL_MATCH
     report_capability1 NFQUEUE_TARGET
     report_capability1 REALM_MATCH
     report_capability1 HELPER_MATCH
@@ -1085,10 +1068,8 @@ report_capabilities1() {
     report_capability1 LOGMARK_TARGET
     report_capability1 IPMARK_TARGET
     report_capability1 LOG_TARGET
-    report_capability1 PERSISTENT_SNAT
     
     echo CAPVERSION=$SHOREWALL_CAPVERSION
-    echo KERNELVERSION=$KERNELVERSION
 }
 
 # Function to truncate a string -- It uses 'cut -b -<n>'

Shorewall/lib.cli

@@ -430,10 +430,6 @@ show_command() {
 			    option=
 			    shift
 			    ;;
-			l*)
-			    IPT_OPTIONS1="--line-numbers"
-			    option=${option#l}
-			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -447,15 +443,11 @@ show_command() {
 	esac
     done
 
-    IPT_OPTIONS="$IPT_OPTIONS $IPT_OPTIONS1"
-
     [ -n "$debugging" ] && set -x
     case "$1" in
 	connections)
 	    [ $# -gt 1 ] && usage 1
-	    local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
-	    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
-	    echo "$PRODUCT $version Connections ($count out of $max) at $HOSTNAME - $(date)"
+	    echo "$PRODUCT $version Connections at $HOSTNAME - $(date)"
 	    echo
 	    [ -f /proc/net/ip_conntrack ] && cat /proc/net/ip_conntrack || grep -v '^ipv6' /proc/net/nf_conntrack
 	    ;;
@@ -568,12 +560,6 @@ show_command() {
 	vardir)
 	    echo $VARDIR;
 	    ;;
-	policies)
-	    [ $# -gt 1 ] && usage 1
-	    echo "$PRODUCT $version Policies at $HOSTNAME - $(date)"
-	    echo
-	    [ -f ${VARDIR}/policies ] && cat ${VARDIR}/policies;
-	    ;;
 	*)
 	    if [ "$PRODUCT" = Shorewall ]; then
 		case $1 in
@@ -687,10 +673,6 @@ dump_command() {
 			    SHOWMACS=Yes
 			    option=${option#m}
 			    ;;
-			l*)
-			    IPT_OPTIONS1="--line-numbers"
-			    option=${option#l}
-			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -704,8 +686,6 @@ dump_command() {
 	esac
     done
 
-    IPT_OPTIONS="$IPT_OPTIONS $IPT_OPTIONS1"
-
     [ $VERBOSE -lt 2 ] && VERBOSE=2
 
     [ -n "$debugging" ] && set -x
@@ -730,10 +710,7 @@ dump_command() {
     heading "Raw Table"
     $IPTABLES -t raw -L $IPT_OPTIONS
 
-    local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
-    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
-
-    heading "Conntrack Table ($count out of $max)"
+    heading "Conntrack Table"
     [ -f /proc/net/ip_conntrack ] && cat /proc/net/ip_conntrack || grep -v '^ipv6' /proc/net/nf_conntrack
 
     heading "IP Configuration"

Shorewall/logrotate

@@ -1,5 +0,0 @@
-/var/log/shorewall-init.log {
-  missingok
-  notifempty
-  create 0600 root root
-}

Shorewall/releasenotes.txt

@@ -1,4 +1,4 @@
-Shorewall 4.4.5 Patch Release 1.
+Shorewall 4.4.0 patch release 1.
 
 ----------------------------------------------------------------------------
                R E L E A S E  4 . 4  H I G H L I G H T S
@@ -66,9 +66,10 @@ Shorewall 4.4.5 Patch Release 1.
        WARNING: SHOREWALL_COMPILER=shell ignored. Shorewall-shell
                 support has been removed in this release.
 
-    b) Review the migration issues at
-       http://www.shorewall.net/LennyToSqueeze.html and make changes as
-       required.
+    b) Review the incompatibilities between Shorewall-shell and
+       Shorewall-perl at
+       http://www.shorewall.net/Shorewall-perl.html#Incompatibilities
+       and make changes to your configuration as necessary.
 
     We strongly recommend that you migrate to Shorewall-perl on your
     current Shorewall version before upgrading to Shorewall 4.4.0. That
@@ -104,7 +105,7 @@ Shorewall 4.4.5 Patch Release 1.
              starts/restarts
 
     To avoid this warning, replace interface names by the corresponding
-    network(s) in CIDR format (e.g., 192.168.144.0/24).
+    network addresses (e.g., 192.168.144.0/24).
 
 6)  Previously, Shorewall has treated traffic shaping class IDs as
     decimal numbers (or pairs of decimal numbers). That worked fine
@@ -152,110 +153,62 @@ Shorewall 4.4.5 Patch Release 1.
 
 10) The name 'any' is now reserved and may not be used as a zone name.
 
-11) Perl module initialization has changed in Shorewall
-    4.4.1. Previously, each Shorewall Perl package would initialize its
-    global variables for IPv4 in an INIT block. Then, if the
-    compilation turned out to be for IPv6,
-    Shorewall::Compiler::compiler() would reinitialize them for IPv6.
-
-    Beginning in Shorewall 4.4.1, the modules do not initialize
-    themselves in an INIT block. So if you use Shorewall modules
-    outside of the Shorewall compilation environment, then you must
-    explicitly call the module's 'initialize' function after the module
-    has been loaded.
-
-12) Checking for zone membership has been tighened up. Previously, 
-    a zone could contain <interface>:0.0.0.0/0 along with other hosts;
-    now, if the zone has <interface>:0.0.0.0/0 (even with exclusions),
-    then it may have no additional members in /etc/shorewall/hosts.
-
 ----------------------------------------------------------------------------
-        P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 5 . 1
-----------------------------------------------------------------------------
-1)  In kernel 2.6.31, the handling of the rp_filter interface option was
-    changed incompatibly. Previously, the effective value was determined
-    by the setting of net.ipv4.config.dev.rp_filter logically ANDed with
-    the setting of net.ipv4.config.all.rp_filter.
-
-    Beginning with kernel 2.6.31, the value is the arithmetic MAX of
-    those two values. 
-
-    Given that Shorewall sets net.ipv4.config.all.rp_filter to 1 if
-    there are any interfaces specifying 'routefilter', specifying
-    'routefilter' on any interface has the effect of setting the option
-    on all interfaces.
-
-    To allow Shorewall to handle this issue, a number of changes were
-    necessary:
-
-    a)  There is no way to safely determine if a kernel supports the
-        new semantics or the old so the Shorewall compiler uses the
-        kernel version reported by uname.
-
-    b)  This means that the kernel version is now recorded in
-        the capabilities file. So if you use capabilities files, you
-        need to regenerate the files with Shorewall[-lite] 4.4.5.1.
-
-    c)  If the capabilities file does not contain a kernel version,
-        the compiler assumes version 2.6.30 (the old rp_filter
-        behavior).
-
-    d)  The ROUTE_FILTER option in shorewall.conf now accepts the
-    	following values:
-
-	0 or No  - Shorewall sets net.ipv4.config.all.rp_filter to 0.
-	1 or Yes - Shorewall sets net.ipv4.config.all.rp_filter to 1.
-	2        - Shorewall sets net.ipv4.config.all.rp_filter to 2.
-	Keep	 - Shorewall does not change the setting of
-	           net.ipv4.config.all.rp_filter if the kernel version
-		   is 2.6.31 or later.
-        
-	The default remains Keep.
-
-    e)  The 'routefilter' interface option can have values 0,1 or 2. If
-    	'routefilter' is specified without a value, the value 1 is
-    	assumed. 
-
-----------------------------------------------------------------------------
-          P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 5
+        P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 0 . 1
 ----------------------------------------------------------------------------
 
-1)  The change which removed the 15 port limitation on
-    /etc/shorewall/routestopped was incomplete. The result was that if
-    more than 15 ports were listed, an error was generated.
+1)  If ULOG was specified as the LOG LEVEL in the all->all policy, the
+    rules at the end of the INPUT and OUTPUT chains still used the
+    LOG target rather than ULOG.
 
-2)  If any interfaces had the 'bridge' option specified, compilation
-    failed with the error:
+2)  Use of CONTINUE policies with a nested IPSEC zone was broken in
+    some cases.
 
-    Undefined subroutine &Shorewall::Rules::match_source_interface called 
-    at /usr/share/shorewall/Shorewall/Rules.pm line 2319.
+----------------------------------------------------------------------------
+          P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 0
+----------------------------------------------------------------------------
 
-3)  The compiler now flags port number 0 as an error in all
-    contexts. Previously, port 0 was allowed with the result that
-    invalid iptables-restore input could be generated in some cases.
+1)  When compiling to standard out, it is no longer necessary to
+    specify '-v-1' to suppress the 'Compiling...' progress message 
 
-4)  The 'show policies' command now works in Shorewall6 and
-    Shorewall6-lite.
+2)  Previously, Shorewall would generate invalid iptables-restore input
+    if all of these conditions were met:
 
-5)  Traffic shaping modules from /lib/modules/<version>/net/sched/ are
-    now correctly loaded. Previously, that directory was not
-    searched. Additionally, Shorewall6 now tries to load the cls_flow
-    module; previously, only Shorewall attempts to load that module.
+    - a nat rule (DNAT, REDIRECT, DNAT-, etc.) changed the destination
+      port number
+    - logging was specified on the rule
+    - no non-trivial exclusions in the rule (a non-trivial exclusion is
+      one whose exclusion list has more than one element)
 
-6)  The Shorewall6-lite shorecap program was previously including the
-    IPv4 base library rather than the IPv6 version. Also, Shorewall6
-    capability detection was determing the availablity of the mangle
-    capability before it had determined if ip6tables was installed.
+    Example of rule:
 
-7)  The setting of MODULE_SUFFIX was previously ignored except when
-    compiling for export.
+    	    REDIRECT:ULOG   wall    82      tcp     80
 
-8)  Detection of the Enhanced Reject capability in the compiler was
-    broken for IPv4 compilations.
+    Example of error message:
 
-9)  The 'reload -c' command would ignore the setting of DONT_LOAD in
-    shorewall.conf. The 'reload' command without '-c' worked as
-    expected. 
+       iptables v1.3.5: Need TCP or UDP with port specification
+        Try `iptables -h' or 'iptables --help' for more information.
+	ERROR: Command "/sbin/iptables -A log0 -j REDIRECT --to-port
+        82" Failed
+
+3)  Previously, log displays from the 'dump', 'show log' and 'logwatch'
+    commands did not properly suppress redundant fields in the records
+    (host name, and leading constant part of the LOGPREFIX).
+
+4)  Given that Jozsef Kadlecsik has not yet released ipset 3.1, ipset
+    bindings are once again supported.
+
+5)  The 'upnpclient' option only worked correctly if 'optional' was
+    also specified for the interface.
+
+6)  Where more than one internet provider shares the same external
+    interface, specifying the provider by number in /etc/shorewall/masq
+    (e.g., eth1(2)) resulted in the fatal compilation error:
+
+    	   ERROR: 2 is not a shared-interface provider
+
+    Also, the shorewall-masq (5) man page did not describe the syntax
+    for specifying the provider.
 
 ----------------------------------------------------------------------------
              K N O W N   P R O B L E M S   R E M A I N I N G
@@ -264,40 +217,7 @@ Shorewall 4.4.5 Patch Release 1.
 None.
 
 ----------------------------------------------------------------------------
-                N E W   F E A T U R E S   I N   4 . 4 . 5
-----------------------------------------------------------------------------
-
-1)  Shorewall now allows DNAT rules that change only the destination
-    port.
-
-    Example:
-
-	DNAT	loc	net::456	udp	234
-
-    That rule will modify the destination port in UDP packets received
-    from the 'loc' zone from 456 to 234. Note that if the destination
-    is the firewall itself, then the destination port will be rewritten
-    but that no ACCEPT rule from the loc zone to the $FW zone will have
-    been created to handle the request. So such rules should probably
-    exclude the firewall's IP addresses in the ORIGINAL DEST column.
-
-2)  Systems that do not log Netfilter messages locally can now set
-    LOGFILE=/dev/null in shorewall.conf.
-
-3)  The 'shorewall show connections' and 'shorewall dump' commands now
-    display the current number of connections and the max supported
-    connections.
-
-    Example:
-
-	shorewall show connections
-    	Shorewall 4.5.0 Connections (62 out of 65536) at gateway - Sat ...
-
-    In that case, there were 62 current connections out of a maximum
-    number supported of 65536.
-
-----------------------------------------------------------------------------
-                N E W   F E A T U R E S   I N   4 . 4 . 0
+                 N E W   F E A T U R E S   IN   4 . 4
 ----------------------------------------------------------------------------
 
 1)  The Shorewall packaging has been completely revamped in Shorewall
@@ -306,7 +226,7 @@ None.
     The new packages are:
 
     - Shorewall.   Includes the former Shorewall-common and
-                   Shorewall-perl packages. Includes everything needed
+                   Shorewall-perl packages. Has everything needed
                    to create an IPv4 firewall.
 
 		   Shorewall-shell is no longer available.
@@ -945,472 +865,3 @@ None.
     the iptables utility is discovered using the PATH setting, then
     ip6tables in the same directory as the discovered iptables will be
     used.
-
-28) A 'flow=<keys>' option has been added to the
-    /etc/shorewall/tcclasses OPTIONS column.
-
-    Shorewall attaches an SFQ queuing discipline to each leaf HTB
-    and HFSC class. SFQ ensures that each flow gets equal access to the
-    interface. The default definition of a flow corresponds roughly to
-    a Netfilter connection. So if one internal system is running
-    BitTorrent, for example, it can have lots of 'flows' and can thus
-    take up a larger share of the bandwidth than a system having only a
-    single active connection. The flow classifier (module cls_flow)
-    works around this by letting you define what a 'flow' is.
-
-    The clasifier must be used carefully or it can block off all
-    traffic on an interface!
-
-    The flow option can be specified for an HTB or HFSC leaf class (one
-    that has no sub-classes). We recommend that you use the following:
-
-    	Shaping internet-bound traffic: flow=nfct-src
-	Shaping traffic bound for your local net: flow=dst
-
-    These will cause a 'flow' to consists of the traffic to/from each
-    internal system.
-
-    When more than one key is give, they must be enclosed in
-    parenthesis and separated by commas.
-
-    To see a list of the possible flow keys, run this command:
-
-       tc filter add flow help
-
-    Those that begin with "nfct-" are Netfilter connection tracking
-    fields. As shown above, we recommend flow=nfct-src; that means that
-    we want to use the source IP address before SNAT as the key.
-
-    Note: Shorewall cannot determine ahead of time if the flow
-    classifier is available in your kernel (especially if it was built
-    into the kernel as opposed to being loaded as a
-    module). Consequently, you should check ahead of time to ensure
-    that both your kernel and 'tc' utility support the feature.
-
-    You can test the 'tc' utility by typing (as root):
-
-    	tc filter add flow help
-
-    If flow is supported, you will see:
-
-       Usage: ... flow ...
-
-       	      [mapping mode]: map key KEY [ OPS ] ...
- 	      [hashing mode]: hash keys KEY-LIST ...
-
-       ...
-
-    If flow is not supported, you will see:
-
-       Unknown filter "flow", hence option "help" is unparsable
-    
-    If your kernel supports module autoloading, just type (as root):
-
-       modprobe cls_flow
-
-    If 'flow' is supported, no output is produced; otherwise, you will
-    see:
-
-       FATAL: Module cls_flow not found.
-    
-    If your kernel is not modularized or does not support module
-     autoloading, look at your kernel configuration (either
-    /proc/config.gz or the .config file in
-    /lib/modules/<kernel-version>/build/
-
-    If 'flow' is supported, you will see:
-
-       NET_CLS_FLOW=m 
-
-    or
-
-       NET_CLS_FLOW=y
-
-    For modularized kernels, Shorewall will attempt to load
-    /lib/modules/<kernel-version>/net/sched/cls_flow.ko by default.
-       
-----------------------------------------------------------------------------
-          P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1
-----------------------------------------------------------------------------
-
-1)  If ULOG was specified as the LOG LEVEL in the all->all policy, the
-    rules at the end of the INPUT and OUTPUT chains would still use the
-    LOG target rather than ULOG.
-
-2)  Using CONTINUE policies with a nested IPSEC zone was still broken
-    in some cases.
-
-3)  The setting of IP_FORWARDING has been change to Off in the
-    one-interface sample configuration since forwarding is typically
-    not required with only a single interface.
-
-4)  If MULTICAST=Yes in shorewall.conf, multicast traffic was
-    incorrectly exempted from ACCEPT policies.
-
-5)  Previously, the definition of a zone that specified "nets=" in
-    /etc/shorewall/interfaces could not be extended by entries in
-    /etc/shorewall/hosts.
-
-6)  Previously, "nets=" could be specified in a multi-zone interface
-    definition ("-" in the ZONES column) in /etc/shorewall/zones. This
-    now raises a fatal compilation error.
-
-7)  MULTICAST=Yes generates an incorrect rule that limits its
-    effectiveness to a small part of the multicast address space.
-
-8)  Checking for zone membership has been tighened up. Previously, 
-    a zone could contain <interface>:0.0.0.0/0 along with other hosts;
-    now, if the zone has <interface>:0.0.0.0/0 (even with exclusions),
-    then it may have no additional members in /etc/shorewall/hosts.
-
-----------------------------------------------------------------------------
-                N E W   F E A T U R E S   I N   4 . 4 . 1
-----------------------------------------------------------------------------
-
-1)  To replace the SAME keyword in /etc/shorewall/masq, support has
-    been added for 'persistent' SNAT. Persistent SNAT is required when
-    an address range is specified in the ADDRESS column and when you
-    want a client to always receive the same source/destination IP
-    pair. It replaces SAME: which was removed in Shorewall 4.4.0.
-
-    To specify persistence, follow the address range with
-    ":persistent".
-
-    Example:
-
-    #INTERFACE	SOURCE	   ADDRESS
-    eth0	0.0.0.0/0  206.124.146.177-206.124.146.179:persistent
-
-    This feature requires Persistent SNAT support in your kernel and
-    iptables. 
-
-    If you use a capabilities file, you will need to create a new one
-    as a result of this feature.
-
-    WARNING: Linux kernels beginning with 2.6.29 include persistent
-    SNAT support. If your iptables supports persistent SNAT but your
-    kernel does not, there is no way for Shorewall to determine that
-    persistent SNAT isn't going to work. The kernel SNAT code blindly
-    accepts all SNAT flags without verifying them and returns them to
-    iptables when asked.
-
-2)  A 'clean' target has been added to the Makefiles. It removes backup
-    files (*~ and .*~). 
-
-3)  The meaning of 'full' has been redefined when used in the context
-    of a traffic shaping sub-class. Previously, 'full' always meant the
-    OUT-BANDWIDTH of the device. In the case of a sub-class, however,
-    that definition is awkward to use because the sub-class is limited
-    by the parent class.
-
-    Beginning with this release, 'full' in a sub-class definition
-    refers to the specified rate defined for the parent class. So
-    'full' used in the RATE column refers to the parent class's RATE;
-    when used in the CEIL column, 'full' refers to the parent class's
-    CEIL.
-
-    As part of this change, the compiler now issues a warning if the
-    sum of the top-level classes' RATEs exceeds the OUT-BANDWIDTH of
-    the device. Similarly, a warning is issued if the sum of the RATEs
-    of a class's sub-classes exceeds the rate of the CLASS.
-
-4)  When 'nets=<network>' or 'nets=(<net1>,<net2>,...) is specified in
-    /etc/shorewall/interfaces, multicast traffic will now be sent to
-    the zone along with limited broadcasts.
-
-5)  A flaw in the parsing logic for the zones file allowed most zone
-    types containing the character string 'ip' to be accepted as a
-    synonym for 'ipv4' (or ipv6 if compiling an IPv6 configuration).
-
-----------------------------------------------------------------------------
-          P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 2
-----------------------------------------------------------------------------
-
-1)  Detection of Persistent SNAT was broken in the rules compiler. 
-
-2)  Initialization of the compiler's chain table was occurring before 
-    shorewall.conf had been read and before the capabilities had been
-    determined. This could lead to incorrect rules and Perl runtime
-    errors.
-
-3)  The 'shorewall check' command previously did not detect errors in
-    /etc/shorewall/routestopped.
-
-4)  In earlier versions, if a file with the same name as a built-in
-    action were present in the CONFIG_PATH, then the compiler would
-    process that file like it was an extension script.
-
-    The compiler now ignores the presence of such files.
-
-5)  Several configuration issues which previously produced an error or
-    warning are now handled differently.
-
-    a)  MAPOLDACTIONS=Yes and MAPOLDACTIONS= in shorewall.conf are now
-        handled as they were by the old shell-based compiler. That is,
-        they cause pre-3.0 built-in actions to be mapped automatically
-        to the corresponding macro invocation.
-
-    b)  SAVE_IPSETS=Yes no longer produces a fatal error -- it is now a
-        warning.
-
-    c)  DYNAMIC_ZONES=Yes no longer produces a fatal error -- it is now
-        a warning.
-
-    d)  RFC1918_STRICT=Yes no longer produces a fatal error -- it is now
-        a warning.
-
-6)  Previously, it was not possible to specify an IP address range in
-    the ADDRESS column of /etc/shorewall/masq. Thanks go to Jessee
-    Shrieve for the patch.
-
-7)  The 'wait4ifup' script included for Debian compatibility now runs
-    correctly with no PATH.
-
-8)  The new per-IP LIMIT feature now works with ancient iptables
-    releases (e.g., 1.3.5 as found on RHEL 5). This change required
-    testing for an additional capability which means that those who use
-    a capabilities file should regenerate that file after installing
-    4.4.2.
-
-9)  One unintended difference between Shorewall-shell and
-    Shorewall-perl was that Shorewall-perl did not support the MARK
-    column in action bodies. This has been corrected.
-
-----------------------------------------------------------------------------
-                N E W   F E A T U R E S   I N   4 . 4 . 2
-----------------------------------------------------------------------------
-
-1)  Prior to this release, line continuation has taken precedence over 
-    #-style comments. This prevented us from doing the following:
-
-    	    ACCEPT    net:206.124.146.176,\   #Gateway
-	    	          206.124.146.177,\   #Mail
-			  206.124.146.178\    #Server
-			  		      ...
-    
-    Now, unless a line ends with '\', any trailing comment is stripped
-    off (including any white-space preceding the '#'). Then if the line
-    ends with '\', it is treated as a continuation line as normal.
-
-2)  Three new columns have been added to FORMAT-2 macro bodies.
-
-    	  MARK
-	  CONNLIMIT
-	  TIME
-
-    These three columns correspond to the similar columns in
-    /etc/shorewall/rules and must be empty in macros invoked from an
-    action.
-
-3)  Accounting chains may now have extension scripts. Simply place your
-    Perl script in the file /etc/shorewall/<chain> and when the
-    accounting chain named <chain> is created, your script will be
-    invoked.
-
-    As usual, the variable $chainref will contain a reference to the
-    chain's table entry.
-
-----------------------------------------------------------------------------
-          P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 3
-----------------------------------------------------------------------------
-
-1.  Previously, if 'routeback' was specified in /etc/shorewall/routestopped:
-
-    a) 'shorewall check' produced an internal error
-    b) The 'routeback' option didn't work
-
-2)  If an alias IP address was added and RETAIN_ALIASES=No in
-    shorewall.conf, then a compiler internal error resulted.
-
-3)  Previously, the generated script would try to detect the values
-    for all run-time variables (such as IP addresses), regardless of
-    what command was being executed. Now, this information is only
-    detected when it is needed.
-
-4)  Nested zones where the parent zone was defined by a wildcard
-    interface (name ends with +) in /etc/shorewall/interfaces did
-    not work correctly in some cases.
-
-5)  IPv4 addresses embedded in IPv6 (e.g., ::192.168.1.5) were
-    incorrectly reported as invalid.
-
-6)  Under certain circumstances, optional providers were not detected
-    as being usable.
-
-    Additionally, the messages issued when an optional provider was not
-    usable were confusing; the message intended to be issued when the
-    provider shared an interface ("WARNING: Gateway <gateway> is not
-    reachable -- Provider <name> (<number>) not Added") was being
-    issued when the provider did not share an interface. Similarly, the
-    message intended to be issued when the provider did not share an
-    interface ("WARNING: Interface <interface> is not usable --
-    Provider <name> (<number>) not Added") was being issued when the
-    provider did share an interface.
-
-----------------------------------------------------------------------------
-                N E W   F E A T U R E S   I N   4 . 4 . 3
-----------------------------------------------------------------------------
-
-1)  On Debian systems, a default installation will now set
-    INITLOG=/dev/null in /etc/default/shorewall. In all configurations,
-    the default values for the log variables are changed to:
-
-    	STARTUP_LOG=/var/log/shorewall-init.log
-	LOG_VERBOSITY=2
-
-    The effect is much the same as the old defaults, with the exception 
-    that:
-
-	a) Start, stop, etc. commands issued through /sbin/shorewall
-	   will be logged.
-	b) Logging will occur at maximum verbosity.
-	c) Log entries will be date/time stamped.
-
-    On non-Debian systems, new installs will now log all Shorewall 
-    commands to /var/log/shorewall-init.log.
-
-2)  A new TRACK_PROVIDERS option has been added in shorewall.conf.
-    The value of this option becomes the default for the 'track'
-    provider option in /etc/shorewall/providers.
-
-3)  A new 'limit' option has been added to
-    /etc/shorewall/tcclasses. This option specifies the number of
-    packets that are allowed to be queued within the class. Packets
-    exceeding this limit are dropped. The default value is 127 which is
-    the value that earlier versions of Shorewall used.  The option is
-    ignored with a warning if the 'pfifo' option has been specified.
-----------------------------------------------------------------------------
-          P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 4
-----------------------------------------------------------------------------
-
-1)  In some simple one-interface configurations, the following Perl
-    run-time error messages were issued:
-
-      Generating Rule Matrix...
-      Use of uninitialized value in concatenation (.) or string at
-      /usr/share/shorewall/Shorewall/Chains.pm line 649.
-      Use of uninitialized value in concatenation (.) or string at
-      /usr/share/shorewall/Shorewall/Chains.pm line 649.
-      Creating iptables-restore input...
-
-2)  The Shorewall operations log (specified by STARTUP_LOG) is now
-    secured 0600.
-
-3)  Previously, the compiler generated an incorrect test for interface
-    availability in the generated code for adding route rules. The
-    result was that the rules were always added, regardless of the
-    state of the provider's interface. Now, the rules are only added
-    when the interface is available.
-
-4)  When TC_WIDE_MARKS=Yes and class numbers are not explicitly
-    specified in /etc/shorewall/tcclasses, duplicate class numbers
-    result. A typical error message is:
-
-    	    ERROR: Command "tc class add dev eth3 parent 1:1 classid
-    	    1:1 htb rate 1024kbit ceil 100000kbit prio 1 quantum 1500"
-    	    Failed
-
-    Note that the class ID of the class being added is a duplicate of
-    the parent's class ID.
-
-    Also, when TC_WIDE_MARKS=Yes, values > 255 in the MARK column of
-    /etc/shorewall/tcclasses were rejected.
-
-----------------------------------------------------------------------------
-                N E W   F E A T U R E S   I N   4 . 4 . 4
-----------------------------------------------------------------------------
-
-1)  The Shorewall packages now include a logrotate configuration file.
-
-2)  The limit of 15 entries in a port list has been relaxed in
-    /etc/shorewall/routestopped.
-
-3)  The following seemingly valid configuration produces a fatal
-    error reporting "Duplicate interface name (p+)"
-
-    /etc/shorewall/zones:
-
-       #ZONE		TYPE	
-       fw		firewall
-       world		ipv4
-       z1:world		bport4
-       z2:world		bport4
-
-    /etc/shorewall/interfaces:
-
-       #ZONE		INTERFACE	BROADCAST	OPTIONS
-       world		br0		-		bridge
-       world		br1		-		bridge
-       z1		br0:p+
-       z2		br1:p+
-
-    This error occurs because the Shorewall implementation requires
-    that each bridge port must have a unique name.
-
-    To work around this problem, a new 'physical' interface option has
-    been created. The above configuration may be defined using the
-    following in /etc/shorewall/interfaces:
-
-       #ZONE		INTERFACE	BROADCAST	OPTIONS
-       world		br0		-		bridge
-       world		br1		-		bridge
-       z1		br0:x+		-		physical=p+
-       z2		br1:y+		-		physical=p+
-
-    In this configuration, 'x+' is the logical name for ports p+ on
-    bridge br0 while 'y+' is the logical name for ports p+ on bridge
-    br1.
-
-    If you need to refer to a particular port on br1 (for example
-    p1023), you write it as y1023; Shorewall will translate that name
-    to p1023 when needed.
-
-    It is allowed to have a physical name ending in '+' with a logical
-    name that does not end with '+'. The reverse is not allowed; if the
-    logical name ends in '+' then the physical name must also end in
-    '+'.
-
-    This feature is not restricted to bridge ports. Beginning with this
-    release, the interface name in the INTERFACE column can be
-    considered a logical name for the interface, and the actual
-    interface name is specified using the 'physical' option. If no
-    'physical' option is present, then the physical name is assumed to
-    be the same as the logical name. As before, the logical interface
-    name is used throughout the rest of the configuration to refer to
-    the interface.
-
-4)  Previously, Shorewall has used the character '2' to form the name
-    of chains involving zones and/or the word 'all' (e.g., fw2net,
-    all2all). When zones names are given numeric suffixes, these
-    generated names are hard to read (e.g., foo1232bar). To make these
-    names clearer, a ZONE2ZONE option has been added.
-
-    ZONE2ZONE has a default value of "2" but can also be given the
-    value "-" (e.g., ZONE2ZONE="-") which causes Shorewall to separate
-    the two parts of the name with a hyphen (e.g., foo123-bar).
-
-5)  Only one instance of the following warning is now generated;
-    previously, one instance of a similar warning was generated for
-    each COMMENT encountered.
-
-	COMMENTs ignored -- require comment support in iptables/Netfilter
-
-6)  The shorewall and shorewall6 utilities now support a 'show
-    policies' command. Once Shorewall or Shorewall6 has been restarted
-    using a script generated by this version, the 'show policies'
-    command will list each pair of zones and give the applicable
-    policy. If the policy is enforced in a chain, the name of the chain
-    is given.
-
-    Example:
-
-	net 	=>	loc	DROP using chain net2all
-
-    Note that implicit intrazone ACCEPT policies are not displayed for
-    zones associated with a single network where that network
-    doesn't specify 'routeback'.
-
-7)  The 'show' and 'dump' commands now support an '-l' option which
-    causes chain displays to include the rule number of each rule.
-
-    (Type 'iptables -h' and look for '--line-number')

Shorewall/shorewall

@@ -23,9 +23,99 @@
 #	along with this program; if not, write to the Free Software
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#       For a list of supported commands, type 'shorewall help'
+#	If an error occurs while starting or restarting the firewall, the
+#	firewall is automatically stopped.
 #
-#####################################################################################################
+#	The firewall uses configuration files in /etc/shorewall/ - skeleton
+#	files are included with the firewall.
+#
+#	Commands are:
+#
+#          shorewall add <iface>[:<host>] zone     Adds a host or subnet to a zone
+#          shorewall delete <iface>[:<host>] zone  Deletes a host or subnet from a zone
+#          shorewall dump                          Dumps all Shorewall-related information
+#                                                  for problem analysis
+#	   shorewall start 			   Starts the firewall
+#	   shorewall restart			   Restarts the firewall
+#	   shorewall stop			   Stops the firewall
+#	   shorewall status			   Displays firewall status
+#	   shorewall reset			   Resets iptables packet and
+#						   byte counts
+#	   shorewall clear			   Open the floodgates by
+#						   removing all iptables rules
+#						   and setting the three permanent
+#						   chain policies to ACCEPT
+#	   shorewall refresh			   Rebuild the common chain to
+#						   compensate for a change of
+#						   broadcast address on any "detect"
+#						   interface.
+#	   shorewall [re]load [ <directory> ] <system>
+#						   Compile a script and install it on a
+#						   remote Shorewall Lite system.
+#	   shorewall show <chain> [ <chain> ... ]  Display the rules in each <chain> listed
+#          shorewall show actions                  Displays the available actions
+#	   shorewall show log			   Print the last 20 log messages
+#	   shorewall show connections		   Show the kernel's connection
+#						   tracking table
+#	   shorewall show nat			   Display the rules in the nat table
+#	   shorewall show {mangle|tos}		   Display the rules in the mangle table
+#	   shorewall show tc			   Display traffic control info
+#	   shorewall show classifiers		   Display classifiers
+#          shorewall show capabilities             Display iptables/kernel capabilities
+#          shorewall show vardir                   Display the VARDIR setting.
+#	   shorewall version			   Display the installed version id
+#	   shorewall check [ -e ] [ <directory> ]  Dry-run compilation.
+#	   shorewall try <directory> [ <timeout> ] Try a new configuration and if
+#						   it doesn't work, revert to the
+#						   standard one. If a timeout is supplied
+#						   the command reverts back to the
+#						   standard configuration after that many
+#						   seconds have elapsed after successfully
+#						   starting the new configuration.
+#	   shorewall logwatch [ refresh-interval ] Monitor the local log for Shorewall
+#						   messages.
+#	   shorewall drop <address> ...		   Temporarily drop all packets from the
+#						   listed address(es)
+#	   shorewall reject <address> ...	   Temporarily reject all packets from the
+#						   listed address(es)
+#	   shorewall allow <address> ...	   Reenable address(es) previously
+#						   disabled with "drop" or "reject"
+#	   shorewall save [ <file> ]		   Save the list of "rejected" and
+#						   "dropped" addresses so that it will
+#						   be automatically reinstated the
+#						   next time that Shorewall starts.
+#                                                  Save the current state so that 'shorewall
+#                                                  restore' can be used.
+#
+#          shorewall forget [ <file> ]             Discard the data saved by 'shorewall save'
+#
+#          shorewall restore [ <file> ]            Restore the state of the firewall from
+#                                                  previously saved information.
+#
+#          shorewall ipaddr { <address>/<cidr> | <address> <netmask> }
+#
+#                                                  Displays information about the network
+#                                                  defined by the argument[s]
+#
+#          shorewall iprange <address>-<address>   Decomposes a range of IP addresses into
+#                                                  a list of network/host addresses.
+#
+#          shorewall ipdecimal { <address> | <integer> }
+#
+#                                                  Displays the decimal equivalent of an IP
+#                                                  address and vice versa.
+#
+#          shorewall safe-start [ <directory> ]    Starts the firewall and promtp for a c
+#                                                  confirmation to accept or reject the new
+#                                                  configuration
+#
+#          shorewall safe-restart [ <directory> ]  Restarts the firewall and prompt for a
+#                                                  confirmation to accept or reject the new
+#                                                  configuration
+#
+#          shorewall compile [ -e ] [ <directory> ] <filename>
+#                                                  Compile a firewall program file.
+
 #
 # Set the configuration variables from shorewall.conf
 #
@@ -33,6 +123,7 @@
 #     $2 = Yes: check for STARTUP_ENABLED
 #     $3 = Yes: Check for LOGFILE
 #     
+#
 get_config() {
     local prog
 
@@ -73,7 +164,7 @@ get_config() {
 
 	    if [ -n "$(syslog_circular_buffer)" ]; then
 		LOGREAD="logread | tac"
-	    elif [ -r $LOGFILE ]; then
+	    elif [ -f $LOGFILE ]; then
 		LOGREAD="tac $LOGFILE"
 	    else
 		echo "LOGFILE ($LOGFILE) does not exist!" >&2
@@ -184,7 +275,7 @@ get_config() {
 		    ;;
 		*)
 		    if [ -n "$STARTUP_ENABLED" ]; then
-			echo "   ERROR: Invalid Value for STARTUP_ENABLED: $STARTUP_ENABLED" >&2
+			echo "   ERROR: Invalid Value for STARTUP_ENABLE: $STARTUP_ENABLED" >&2
 			exit 2
 		    fi
 		    ;;
@@ -971,7 +1062,7 @@ safe_commands() {
 
     [ -n "$nolock" ] || mutex_on
 
-    if ${VARDIR}/.$command $debugging $command; then
+    if ${VARDIR}/.$command $command; then
 
 	echo -n "Do you want to accept the new firewall configuration? [y/n] "
 
@@ -1231,10 +1322,8 @@ reload_command() # $* = original arguments less the command.
 	    ensure_config_path
 	fi
 
-	[ -n "$DONT_LOAD" ] && DONT_LOAD="$(echo $DONT_LOAD | tr ',' ' ')"
-
 	progress_message "Getting Capabilities on system $system..."
-	if ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IPTABLES=$IPTABLES DONT_LOAD=\"$DONT_LOAD\" /usr/share/shorewall-lite/shorecap" > $directory/capabilities; then
+	if ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IPTABLES=$IPTABLES /usr/share/shorewall-lite/shorecap" > $directory/capabilities; then
 	    fatal_error "ERROR: Capturing capabilities on system $system failed"
 	fi
     fi
@@ -1389,7 +1478,6 @@ usage() # $1 = exit status
     echo "   show [ -m ] log"
     echo "   show macros"
     echo "   show [ -x ] mangle|nat|raw|routing"
-    echo "   show policies"
     echo "   show tc"
     echo "   show vardir"
     echo "   show zones"

Shorewall/shorewall.spec

@@ -1,5 +1,5 @@
 %define name shorewall
-%define version 4.4.5
+%define version 4.4.0
 %define release 1
 
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@@ -77,8 +77,6 @@ fi
 %attr(0644,root,root) %config(noreplace) /etc/shorewall/*
 %attr(0600,root,root) /etc/shorewall/Makefile
 
-%attr(0644,root,root) /etc/logrotate.d/shorewall
-
 %attr(0755,root,root) /sbin/shorewall
 
 %attr(0644,root,root) /usr/share/shorewall/version
@@ -106,24 +104,8 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples 
 
 %changelog
-* Sat Dec 19 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.5-1
-* Fri Nov 27 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.5-0base
-* Sat Nov 21 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.4-0base
-* Fri Nov 13 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.4-0Beta2
-* Wed Nov 11 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.4-0Beta1
-* Tue Nov 03 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.3-0base
-* Sun Sep 06 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.2-0base
-* Fri Sep 04 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.2-0base
-* Fri Aug 14 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.1-0base
+* Thu Aug 13 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.0-1
 * Sun Aug 09 2009 Tom Eastep tom@shorewall.net
 - Made Perl a dependency
 * Mon Aug 03 2009 Tom Eastep tom@shorewall.net

Shorewall/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.5.1
+VERSION=4.4.0.1
 
 usage() # $1 = exit status
 {

Shorewall/wait4ifup

@@ -33,7 +33,7 @@
 #
 
 interface_is_up() {
-    [ -n "$(/sbin/ip link list dev $1 2> /dev/null | /bin/grep -e '[<,]UP[,>]')" ] 
+    [ -n "$(ip link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ] 
 }
 
 case $# in
@@ -51,7 +51,7 @@ esac
 
 while [ $timeout -gt 0 ]; do
     interface_is_up $1 && exit 0
-    /bin/sleep 1
+    sleep 1
     timeout=$(( $timeout - 1 ))
 done
 

Shorewall6-lite/default.debian

@@ -21,9 +21,4 @@ startup=0
 
 OPTIONS=""
 
-#
-# Init Log -- if /dev/null, use the STARTUP_LOG defined in shorewall.conf
-#
-INITLOG=/dev/null
-
 # EOF

Shorewall6-lite/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=4.4.5.1
+VERSION=4.4.0.1
 
 usage() # $1 = exit status
 {

Shorewall6-lite/init.debian.sh

@@ -15,7 +15,9 @@
 
 SRWL=/sbin/shorewall6-lite
 SRWL_OPTS="-tvv"
-test -n ${INITLOG:=/var/log/shorewall6-lite-init.log}
+# Note, set INITLOG to /dev/null if you do not want to
+# keep logs of the firewall (not recommended)
+INITLOG=/var/log/shorewall6-lite-init.log
 
 [ "$INITLOG" eq "/dev/null" && SHOREWALL_INIT_SCRIPT=1 || SHOREWALL_INIT_SCRIPT=0
 
@@ -23,7 +25,7 @@ export SHOREWALL_INIT_SCRIPT
 
 test -x $SRWL || exit 0
 test -x $WAIT_FOR_IFUP || exit 0
-test -n "$INITLOG" || {
+test -n $INITLOG || {
 	echo "INITLOG cannot be empty, please configure $0" ; 
 	exit 1;
 }

Shorewall6-lite/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.5.1
+VERSION=4.4.0.1
 
 usage() # $1 = exit status
 {
@@ -219,11 +219,6 @@ mkdir -p ${PREFIX}/var/lib/shorewall6-lite
 chmod 755 ${PREFIX}/etc/shorewall6-lite
 chmod 755 ${PREFIX}/usr/share/shorewall6-lite
 
-if [ -n "$PREFIX" ]; then
-    mkdir -p ${PREFIX}/etc/logrotate.d
-    chmod 755 ${PREFIX}/etc/logrotate.d
-fi
-
 #
 # Install the config file
 #
@@ -308,11 +303,6 @@ cd ..
 
 echo "Man Pages Installed"
 
-if [ -d ${PREFIX}/etc/logrotate.d ]; then
-    run_install $OWNERSHIP -m 0644 logrotate ${PREFIX}/etc/logrotate.d/shorewall6-lite
-    echo "Logrotate file installed as ${PREFIX}/etc/logrotate.d/shorewall6-lite"
-fi
-
 #
 # Create the version file
 #

Shorewall6-lite/logrotate

@@ -1,5 +0,0 @@
-/var/log/shorewall6-init.log {
-  missingok
-  notifempty
-  create 0600 root root
-}

Shorewall6-lite/shorecap

@@ -45,17 +45,17 @@
 #    used during firewall compilation, then the generated firewall program will likewise not
 #    require Shorewall to be installed.
 
-SHAREDIR=/usr/share/shorewall6-lite
-VARDIR=/var/lib/shorewall6-lite
-CONFDIR=/etc/shorewall6-lite
+SHAREDIR=/usr/share/shorewall-lite
+VARDIR=/var/lib/shorewall-lite
+CONFDIR=/etc/shorewall-lite
 PRODUCT="Shorewall Lite"
 
-. /usr/share/shorewall6-lite/lib.base
-. /usr/share/shorewall6-lite/configpath
+. /usr/share/shorewall-lite/lib.base
+. /usr/share/shorewall-lite/configpath
 
 [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
-VERSION=$(cat /usr/share/shorewall6-lite/version)
+VERSION=$(cat /usr/share/shorewall-lite/version)
 
 [ -n "$IPTABLES" ] || IPTABLES=$(mywhich iptables)
 

Shorewall6-lite/shorewall6-lite

@@ -95,7 +95,7 @@ get_config() {
 
     if ( ps ax 2> /dev/null | grep -v grep |  qt grep 'syslogd.*-C' ) ; then
 	LOGREAD="logread | tac"
-    elif [ -r $LOGFILE ]; then
+    elif [ -f $LOGFILE ]; then
 	LOGREAD="tac $LOGFILE"
     else
 	echo "LOGFILE ($LOGFILE) does not exist!" >&2

Shorewall6-lite/shorewall6-lite.spec

@@ -1,5 +1,5 @@
 %define name shorewall6-lite
-%define version 4.4.5
+%define version 4.4.0
 %define release 1
 
 Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
@@ -70,8 +70,6 @@ fi
 %attr(0755,root,root) %dir /usr/share/shorewall6-lite
 %attr(0700,root,root) %dir /var/lib/shorewall6-lite
 
-%attr(0644,root,root) /etc/logrotate.d/shorewall6-lite
-
 %attr(0755,root,root) /sbin/shorewall6-lite
 
 %attr(0644,root,root) /usr/share/shorewall6-lite/version
@@ -91,24 +89,8 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
-* Sat Dec 19 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.5-1
-* Fri Nov 27 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.5-0base
-* Sat Nov 21 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.4-0base
-* Fri Nov 13 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.4-0Beta2
-* Wed Nov 11 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.4-0Beta1
-* Tue Nov 03 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.3-0base
-* Sun Sep 06 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.2-0base
-* Fri Sep 04 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.2-0base
-* Fri Aug 14 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.1-0base
+* Thu Aug 13 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.0-1
 * Mon Aug 03 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.0-0base
 * Tue Jul 28 2009 Tom Eastep tom@shorewall.net

Shorewall6-lite/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.5.1
+VERSION=4.4.0.1
 
 usage() # $1 = exit status
 {

Shorewall6/Makefile

@@ -14,8 +14,4 @@ $(VARDIR)/${RESTOREFILE}: $(CONFDIR)/*
 	    /sbin/shorewall6 -q restart 2>&1 | tail >&2; \
 	fi
 
-clean:
-	@rm -f $(CONFDIR)/*~ $(CONFDIR)/.*~
-.PHONY: clean
-
 # EOF

Shorewall6/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=4.4.5.1
+VERSION=4.4.0.1
 
 usage() # $1 = exit status
 {

Shorewall6/init.debian.sh

@@ -15,11 +15,13 @@
 SRWL=/sbin/shorewall6
 SRWL_OPTS="-tvv"
 WAIT_FOR_IFUP=/usr/share/shorewall6/wait4ifup
-test -n ${INITLOG:=/var/log/shorewall6-init.log}
+# Note, set INITLOG to /dev/null if you do not want to
+# keep logs of the firewall (not recommended)
+INITLOG=/var/log/shorewall6-init.log
 
 test -x $SRWL || exit 0
 test -x $WAIT_FOR_IFUP || exit 0
-test -n "$INITLOG" || {
+test -n $INITLOG || {
 	echo "INITLOG cannot be empty, please configure $0" ; 
 	exit 1;
 }

Shorewall6/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.5.1
+VERSION=4.4.0.1
 
 usage() # $1 = exit status
 {
@@ -234,12 +234,6 @@ mkdir -p ${PREFIX}/var/lib/shorewall6
 chmod 755 ${PREFIX}/etc/shorewall6
 chmod 755 ${PREFIX}/usr/share/shorewall6
 chmod 755 ${PREFIX}/usr/share/shorewall6/configfiles
-
-if [ -n "$PREFIX" ]; then
-    mkdir -p ${PREFIX}/etc/logrotate.d
-    chmod 755 ${PREFIX}/etc/logrotate.d
-fi
-
 #
 # Install the config file
 #
@@ -648,11 +642,6 @@ cd ..
 
 echo "Man Pages Installed"
 
-if [ -d ${PREFIX}/etc/logrotate.d ]; then
-    run_install $OWNERSHIP -m 0644 logrotate ${PREFIX}/etc/logrotate.d/shorewall6
-    echo "Logrotate file installed as ${PREFIX}/etc/logrotate.d/shorewall6"
-fi
-
 if [ -z "$PREFIX" -a -n "$first_install" -a -z "$CYGWIN" ]; then
     if [ -n "$DEBIAN" ]; then
 	run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall6

Shorewall6/lib.base

@@ -33,7 +33,7 @@
 #
 
 SHOREWALL_LIBVERSION=40300
-SHOREWALL_CAPVERSION=40402
+SHOREWALL_CAPVERSION=40310
 
 [ -n "${VARDIR:=/var/lib/shorewall6}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall6}" ]
@@ -260,7 +260,7 @@ reload_kernel_modules() {
 
     [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
 
-    [ -z "$MODULESDIR" ] && MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter:/lib/modules/$(uname -r)/kernel/net/sched
+    [ -z "$MODULESDIR" ] && MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter
     MODULES=$(lsmod | cut -d ' ' -f1)
 
     for directory in $(split $MODULESDIR); do
@@ -296,7 +296,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
     [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
 
     [ -z "$MODULESDIR" ] && \
-	MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter:/lib/modules/$(uname -r)/kernel/net/sched
+	MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter
 
     for directory in $(split $MODULESDIR); do
 	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
@@ -696,6 +696,8 @@ set_state () # $1 = state
 # Determine which optional facilities are supported by iptables/netfilter
 #
 determine_capabilities() {
+    qt $IP6TABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
+
     CONNTRACK_MATCH=
     NEW_CONNTRACK_MATCH=
     OLD_CONNTRACK_MATCH=
@@ -745,8 +747,6 @@ determine_capabilities() {
 	exit 1
     fi
 
-    qt $IP6TABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
-    
     qt $IP6TABLES -F $chain
     qt $IP6TABLES -X $chain
     if ! $IP6TABLES -N $chain; then
@@ -853,11 +853,7 @@ determine_capabilities() {
     qt $IP6TABLES -A $chain -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
     qt $IP6TABLES -A $chain -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes
     qt $IP6TABLES -A $chain -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes
-    qt $IP6TABLES -A $chain -m hashlimit --hashlimit-upto 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
-    if [ -z "$HASHLIMIT_MATCH" ]; then
-	qt $IP6TABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && OLD_HL_MATCH=Yes
-	HASHLIMIT_MATCH=$OLD_HL_MATCH
-    fi	
+    qt $IP6TABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
     qt $IP6TABLES -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
     qt $IP6TABLES -A $chain -m realm --realm 4 && REALM_MATCH=Yes
     qt $IP6TABLES -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes
@@ -921,7 +917,6 @@ report_capabilities() {
 	report_capability "Address Type Match" $ADDRTYPE
 	report_capability "TCPMSS Match" $TCPMSS_MATCH
 	report_capability "Hashlimit Match" $HASHLIMIT_MATCH
-	report_capability "Old Hashlimit Match" $OLD_HL_MATCH
 	report_capability "NFQUEUE Target" $NFQUEUE_TARGET
 	report_capability "Realm Match" $REALM_MATCH
 	report_capability "Helper Match" $HELPER_MATCH
@@ -977,7 +972,6 @@ report_capabilities1() {
     report_capability1 ADDRTYPE
     report_capability1 TCPMSS_MATCH
     report_capability1 HASHLIMIT_MATCH
-    report_capability1 OLD_HL_MATCH
     report_capability1 NFQUEUE_TARGET
     report_capability1 REALM_MATCH
     report_capability1 HELPER_MATCH

Shorewall6/lib.cli

@@ -383,10 +383,6 @@ show_command() {
 			    option=
 			    shift
 			    ;;
-			l*)
-			    IPT_OPTIONS1="--line-numbers"
-			    option=${option#l}
-			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -400,15 +396,11 @@ show_command() {
 	esac
     done
 
-    IPT_OPTIONS="$IPT_OPTIONS $IPT_OPTIONS1"
-
     [ -n "$debugging" ] && set -x
     case "$1" in
 	connections)
 	    [ $# -gt 1 ] && usage 1
-	    local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
-	    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
-	    echo "$PRODUCT $version Connections ($count of $max) at $HOSTNAME - $(date)"
+	    echo "$PRODUCT $version Connections at $HOSTNAME - $(date)"
 	    echo
 	    grep '^ipv6' /proc/net/nf_conntrack
 	    ;;
@@ -513,12 +505,6 @@ show_command() {
 	vardir)
 	    echo $VARDIR;
 	    ;;
-	policies)
-	    [ $# -gt 1 ] && usage 1
-	    echo "$PRODUCT $version Policies at $HOSTNAME - $(date)"
-	    echo
-	    [ -f ${VARDIR}/policies ] && cat ${VARDIR}/policies;
-	    ;;
 	*)
 	    if [ "$PRODUCT" = Shorewall6 ]; then
 		case $1 in
@@ -616,10 +602,6 @@ dump_command() {
 			    SHOWMACS=Yes
 			    option=${option#m}
 			    ;;
-			l*)
-			    IPT_OPTIONS1="--line-numbers"
-			    option=${option#l}
-			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -633,8 +615,6 @@ dump_command() {
 	esac
     done
 
-    IPT_OPTIONS="$IPT_OPTIONS $IPT_OPTIONS1"
-
     [ $VERBOSE -lt 2 ] && VERBOSE=2
 
     [ -n "$debugging" ] && set -x
@@ -661,10 +641,7 @@ dump_command() {
     heading "Raw Table"
     $IP6TABLES -t raw -L $IPT_OPTIONS
 
-    local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
-    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
-
-    heading "Conntrack Table ($count out of $max)"
+    heading "Conntrack Table"
     grep '^ipv6' /proc/net/nf_conntrack
 
     heading "IP Configuration"

Shorewall6/logrotate

@@ -1,5 +0,0 @@
-/var/log/shorewall6-init.log {
-  missingok
-  notifempty
-  create 0600 root root
-}

Shorewall6/modules

@@ -85,7 +85,6 @@ loadmodule sch_ingress
 loadmodule sch_htb
 loadmodule cls_u32
 loadmodule cls_fw
-loadmodule cls_flow
 loadmodule act_police
 #
 # Extensions

Shorewall6/shorewall6

@@ -23,9 +23,99 @@
 #	along with this program; if not, write to the Free Software
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#       For a list of supported commands, type 'shorewall6 help'
+#	If an error occurs while starting or restarting the firewall, the
+#	firewall is automatically stopped.
 #
-################################################################################################
+#	The firewall uses configuration files in /etc/shorewall/ - skeleton
+#	files are included with the firewall.
+#
+#	Commands are:
+#
+#          shorewall6 add <iface>[:<host>] zone    Adds a host or subnet to a zone
+#          shorewall6 delete <iface>[:<host>] zone Deletes a host or subnet from a zone
+#          shorewall6 dump                         Dumps all Shorewall6-related information
+#                                                  for problem analysis
+#	   shorewall6 start 			   Starts the firewall
+#	   shorewall6 restart			   Restarts the firewall
+#	   shorewall6 stop			   Stops the firewall
+#	   shorewall6 status			   Displays firewall status
+#	   shorewall6 reset			   Resets ip6tables packet and
+#						   byte counts
+#	   shorewall6 clear			   Open the floodgates by
+#						   removing all ip6tables rules
+#						   and setting the three permanent
+#						   chain policies to ACCEPT
+#	   shorewall6 refresh			   Rebuild the common chain to
+#						   compensate for a change of
+#						   broadcast address on any "detect"
+#						   interface.
+#	   shorewall6 [re]load [ <directory> ] <system>
+#						   Compile a script and install it on a
+#						   remote Shorewall6 Lite system.
+#	   shorewall6 show <chain> [ <chain> ... ] Display the rules in each <chain> listed
+#          shorewall6 show actions                 Displays the available actions
+#	   shorewall6 show log			   Print the last 20 log messages
+#	   shorewall6 show connections		   Show the kernel's connection
+#						   tracking table
+#	   shorewall6 show nat			   Display the rules in the nat table
+#	   shorewall6 show {mangle|tos}		   Display the rules in the mangle table
+#	   shorewall6 show tc			   Display traffic control info
+#	   shorewall6 show classifiers		   Display classifiers
+#          shorewall6 show capabilities            Display ip6tables/kernel capabilities
+#          shorewall6 show vardir                  Display the VARDIR setting.
+#	   shorewall6 version			   Display the installed version id
+#	   shorewall6 check [ -e ] [ <directory> ] Dry-run compilation.
+#	   shorewall6 try <directory> [ <timeout> ] Try a new configuration and if
+#						   it doesn't work, revert to the
+#						   standard one. If a timeout is supplied
+#						   the command reverts back to the
+#						   standard configuration after that many
+#						   seconds have elapsed after successfully
+#						   starting the new configuration.
+#	   shorewall6 logwatch [ refresh-interval ] Monitor the local log for Shorewall6
+#						    messages.
+#	   shorewall6 drop <address> ...	   Temporarily drop all packets from the
+#						   listed address(es)
+#	   shorewall6 reject <address> ...	   Temporarily reject all packets from the
+#						   listed address(es)
+#	   shorewall6 allow <address> ...	   Reenable address(es) previously
+#						   disabled with "drop" or "reject"
+#	   shorewall6 save [ <file> ]		   Save the list of "rejected" and
+#						   "dropped" addresses so that it will
+#						   be automatically reinstated the
+#						   next time that Shorewall6 starts.
+#                                                  Save the current state so that 'shorewall6
+#                                                  restore' can be used.
+#
+#          shorewall6 forget [ <file> ]            Discard the data saved by 'shorewall6 save'
+#
+#          shorewall6 restore [ <file> ]           Restore the state of the firewall from
+#                                                  previously saved information.
+#
+#          shorewall6 ipaddr { <address>/<cidr> | <address> <netmask> }
+#
+#                                                  Displays information about the network
+#                                                  defined by the argument[s]
+#
+#          shorewall6 iprange <address>-<address>  Decomposes a range of IP addresses into
+#                                                  a list of network/host addresses.
+#
+#          shorewall6 ipdecimal { <address> | <integer> }
+#
+#                                                  Displays the decimal equivalent of an IP
+#                                                  address and vice versa.
+#
+#          shorewall6 safe-start [ <directory> ]   Starts the firewall and promtp for a c
+#                                                  confirmation to accept or reject the new
+#                                                  configuration
+#
+#          shorewall6 safe-restart [ <directory> ] Restarts the firewall and prompt for a
+#                                                  confirmation to accept or reject the new
+#                                                  configuration
+#
+#          shorewall6 compile [ -e ] [ <directory> ] <filename>
+#                                                  Compile a firewall program file.
+
 #
 # Set the configuration variables from shorewall6.conf
 #
@@ -73,7 +163,7 @@ get_config() {
 
 	    if [ -n "$(syslog_circular_buffer)" ]; then
 		LOGREAD="logread | tac"
-	    elif [ -r $LOGFILE ]; then
+	    elif [ -f $LOGFILE ]; then
 		LOGREAD="tac $LOGFILE"
 	    else
 		echo "LOGFILE ($LOGFILE) does not exist!" >&2
@@ -115,7 +205,7 @@ get_config() {
 		    ;;
 		*)
 		    if [ -n "$STARTUP_ENABLED" ]; then
-			echo "   ERROR: Invalid Value for STARTUP_ENABLED: $STARTUP_ENABLED" >&2
+			echo "   ERROR: Invalid Value for STARTUP_ENABLE: $STARTUP_ENABLED" >&2
 			exit 2
 		    fi
 		    ;;
@@ -1289,7 +1379,7 @@ usage() # $1 = exit status
     echo "   restart [ -n ] [ -f ] [ <directory> ]"
     echo "   restore [ -n ] [ <file name> ]"
     echo "   save [ <file name> ]"
-    echo "   show [ -x ] [ -m ] [-f] [ -t {filter|mangle} ] [ {chain [<chain> [ <chain> ... ]|actions|capabilities|classifiers|config|connections|filters|ip|log|macros|mangle|nat|policies|raw|routing|tc|vardir|zones} ]"
+    echo "   show [ -x ] [ -m ] [-f] [ -t {filter|mangle} ] [ {chain [<chain> [ <chain> ... ]|actions|capabilities|classifiers|config|connections|filters|ip|log|macros|mangle|nat|raw|routing|tc|vardir|zones} ]"
     echo "   start [ -f ] [ -n ] [ <directory> ]"
     echo "   stop [ -f ]"
     echo "   status"

Shorewall6/shorewall6.conf

@@ -32,9 +32,9 @@ VERBOSITY=1
 
 LOGFILE=/var/log/messages
 
-STARTUP_LOG=/var/log/shorewall6-init.log
+STARTUP_LOG=
 
-LOG_VERBOSITY=2
+LOG_VERBOSITY=
 
 LOGFORMAT="Shorewall:%s:%s:"
 
@@ -145,10 +145,6 @@ AUTOMAKE=No
 
 WIDE_TC_MARKS=No
 
-TRACK_PROVIDERS=No
-
-ZONE2ZONE=2
-
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Shorewall6/shorewall6.spec

@@ -1,5 +1,5 @@
 %define name shorewall6
-%define version 4.4.5
+%define version 4.4.0
 %define release 1
 
 Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
@@ -69,8 +69,6 @@ fi
 %attr(0644,root,root) %config(noreplace) /etc/shorewall6/*
 %attr(0600,root,root) /etc/shorewall6/Makefile
 
-%attr(0644,root,root) /etc/logrotate.d/shorewall6
-
 %attr(0755,root,root) /sbin/shorewall6
 
 %attr(0644,root,root) /usr/share/shorewall6/version
@@ -95,24 +93,8 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
 
 %changelog
-* Sat Dec 19 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.5-1
-* Fri Nov 27 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.5-0base
-* Sat Nov 21 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.4-0base
-* Fri Nov 13 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.4-0Beta2
-* Wed Nov 11 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.4-0Beta1
-* Fri Oct 02 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.3-0base
-* Sun Sep 06 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.2-0base
-* Fri Sep 04 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.2-0base
-* Fri Aug 14 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.1-0base
+* Thu Aug 13 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.0-1
 * Mon Aug 03 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.0-0base
 * Tue Jul 28 2009 Tom Eastep tom@shorewall.net

Shorewall6/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.5.1
+VERSION=4.4.0.1
 
 usage() # $1 = exit status
 {

contrib/shoregen/AUTHORS

@@ -0,0 +1 @@
+Paul Gear <paul@gear.dyndns.org>

contrib/shoregen/BUGS

@@ -0,0 +1 @@
+None known at present.

contrib/shoregen/COPYING

@@ -0,0 +1,340 @@
+		    GNU GENERAL PUBLIC LICENSE
+		       Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.
+                       59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+			    Preamble
+
+  The licenses for most software are designed to take away your
+freedom to share and change it.  By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users.  This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it.  (Some other Free Software Foundation software is covered by
+the GNU Library General Public License instead.)  You can apply it to
+your programs, too.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+  To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+  For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have.  You must make sure that they, too, receive or can get the
+source code.  And you must show them these terms so they know their
+rights.
+
+  We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+  Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software.  If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+  Finally, any free program is threatened constantly by software
+patents.  We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary.  To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+		    GNU GENERAL PUBLIC LICENSE
+   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+  0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License.  The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language.  (Hereinafter, translation is included without limitation in
+the term "modification".)  Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope.  The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+  1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+  2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+    a) You must cause the modified files to carry prominent notices
+    stating that you changed the files and the date of any change.
+
+    b) You must cause any work that you distribute or publish, that in
+    whole or in part contains or is derived from the Program or any
+    part thereof, to be licensed as a whole at no charge to all third
+    parties under the terms of this License.
+
+    c) If the modified program normally reads commands interactively
+    when run, you must cause it, when started running for such
+    interactive use in the most ordinary way, to print or display an
+    announcement including an appropriate copyright notice and a
+    notice that there is no warranty (or else, saying that you provide
+    a warranty) and that users may redistribute the program under
+    these conditions, and telling the user how to view a copy of this
+    License.  (Exception: if the Program itself is interactive but
+    does not normally print such an announcement, your work based on
+    the Program is not required to print an announcement.)
+
+These requirements apply to the modified work as a whole.  If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works.  But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+  3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+    a) Accompany it with the complete corresponding machine-readable
+    source code, which must be distributed under the terms of Sections
+    1 and 2 above on a medium customarily used for software interchange; or,
+
+    b) Accompany it with a written offer, valid for at least three
+    years, to give any third party, for a charge no more than your
+    cost of physically performing source distribution, a complete
+    machine-readable copy of the corresponding source code, to be
+    distributed under the terms of Sections 1 and 2 above on a medium
+    customarily used for software interchange; or,
+
+    c) Accompany it with the information you received as to the offer
+    to distribute corresponding source code.  (This alternative is
+    allowed only for noncommercial distribution and only if you
+    received the program in object code or executable form with such
+    an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it.  For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable.  However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+  4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License.  Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+  5. You are not required to accept this License, since you have not
+signed it.  However, nothing else grants you permission to modify or
+distribute the Program or its derivative works.  These actions are
+prohibited by law if you do not accept this License.  Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+  6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions.  You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+  7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all.  For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices.  Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+  8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded.  In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+  9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time.  Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number.  If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation.  If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+  10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission.  For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this.  Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+			    NO WARRANTY
+
+  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+		     END OF TERMS AND CONDITIONS
+
+	    How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    <one line to give the program's name and a brief idea of what it does.>
+    Copyright (C) <year>  <name of author>
+
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; either version 2 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program; if not, write to the Free Software
+    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+
+    Gnomovision version 69, Copyright (C) year name of author
+    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+    This is free software, and you are welcome to redistribute it
+    under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License.  Of course, the commands you use may
+be called something other than `show w' and `show c'; they could even be
+mouse-clicks or menu items--whatever suits your program.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary.  Here is a sample; alter the names:
+
+  Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+  `Gnomovision' (which makes passes at compilers) written by James Hacker.
+
+  <signature of Ty Coon>, 1 April 1989
+  Ty Coon, President of Vice
+
+This General Public License does not permit incorporating your program into
+proprietary programs.  If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library.  If this is what you want to do, use the GNU Library General
+Public License instead of this License.

contrib/shoregen/ChangeLog

@@ -0,0 +1,14 @@
+0.1.1	Paul Gear <paul@gear.dyndns.org>  No idea when
+	- Initial release.
+
+0.1.2	Paul Gear <paul@gear.dyndns.org>  No idea when
+	- Removed filtering of zones that are on the same interface.
+	  This caused problems when a zone was accessible via more than
+	  one interface.
+
+0.1.3	Paul Gear <paul@gear.dyndns.org>  No idea when
+	- Optimisation to detect whether system is a router and remove
+	  redundant zones from rules and policies if so.
+
+3.2.0-beta1	Paul Gear <paul@gear.dyndns.org>
+	- First attempt at compatibility with Shorewall 3.2.x.

contrib/shoregen/README

@@ -0,0 +1,124 @@
+Shoreline Firewall configuration generator
+(c) Copyright 2004-2006 Paul D. Gear <paul@gear.dyndns.org>
+
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; either version 2 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program; if not, write to the Free Software
+    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+
+
+SHOREWALL
+
+The quick plug:
+
+  - Shorewall is the only firewall i trust.
+
+The IT Manager plug:
+
+  - Shorewall is a policy-driven firewall which lets you think about your
+    firewall at a higher level than iptables commands.
+
+The hard sell to you crazy people still maintaining manual firewall scripts:
+
+  - Shorewall is a wrapper around the kernel iptables, so your existing
+    Linux firewall skills transfer.  I converted from a 900-plus-line
+    ipchains shell script to around 50 lines of shorewall configuration in
+    less than 4 hours, with no prior experience.
+
+
+ISSUES
+
+  - I'm paranoid - i want more than one firewall between me and the world.
+
+  - Configuring multiple firewalls separately is a recipe for getting your
+    rules out of sync, and allowing security problems to creep in.
+
+  - IT Manager types (like me) like to know their policy is consistently
+    implemented.
+
+
+SOLUTION
+
+Shoregen is a script that generates shorewall configurations for multiple
+firewalls from a common set of rules and policies.  Only the minimal
+information necessary for operation is stored on each firewall, so, for
+example, your DMZ server doesn't need to know about the rules on your
+internal network, but at the same time, it gets consistent rules to your
+outer guard.
+
+
+PHILOSOPHY
+
+Shoregen assumes the X-Files approach to firewall design: trust no one.
+That is, paranoia is a virtue.  All access should be as limited as possible
+for things to work.  If you don't already agree with this philosophy, you
+may find some of the things shoregen does frustrating, but then again,
+you're probably not reading this document.  :-)
+
+
+DESIGN
+
+Shoregen distinguishes between two different types of shorewall
+configuration files.  Most shorewall configuration files are simply
+concatenated together from parts constructed from common and host-specific
+parts.  These are called simple configs; shoregen doesn't substantially
+alter them, and uses little information from them.
+
+Configs with which shoregen is more concerned are treated separately, and
+additional features beyond the scope of shorewall itself are implemented.
+Most importantly, two new policy/rule keywords are introduced: WARN and
+BAN.  These keywords are not included in shoregen's output, but when a
+subsequent rule or policy is encountered which matches a rule or policy
+marked WARN or BAN, an error message is issued.  In the case of BAN, the
+offending line is also dropped from the output, and a non-zero return code
+issued.
+
+
+PREREQUISITES
+
+The tools you will need to use shoregen are:
+	perl	The main shoregen script is written in Perl
+	rsync	Used to keep /etc/shorewall directories on your firewalls
+		in sync with the central repository
+	ssh	Encrypted transport for rsync
+	make	Optional, but saves a few keystrokes.
+
+
+USAGE
+
+Put shoregen and install_shoregen in a directory on your PATH.
+
+Make a central directory for your configs.  I recommend somewhere in a
+trusted user's home directory or central system admin repository.  This
+directory should be on a trusted machine in the most secure part of your
+network.  Put all of your policies, rules, and zones together in the
+correct order in files in the top level of this directory.
+
+For each of the simple configs you want to generate centrally, create a
+directory, with a file called COMMON (if necessary) containing the content
+you want to see in that file on all hosts, and a file named for each host
+for host-specific content.  I recommend that the default shorewall
+configuration file be placed in the COMMON file of the corresponding
+directory, with directives that are not appropriate commented out.
+
+When shoregen is run, it places the generated files in the directory 
+SPOOL/<host>, where <host> is the hostname of the target firewall.  The
+files in this directory are synchronised and the firewall checked and/or
+restarted by a simple wrapper script called install_shoregen.
+
+See the samples directory for a starting point configuration.  It provides
+some suggested policies & rules for the network shown in example1.png.  The
+sample configuration has not been tested in any way.
+
+I hope you find shoregen useful.  I welcome your comments, contributions,
+criticisms, and questions.
+

contrib/shoregen/TODO

@@ -0,0 +1,21 @@
+
+- Make it possible for a host to have the same $FW name as the zone in
+  which it belongs, and have shoregen automatically create appropriate
+  rules.
+
+- At the moment, if a fully-expanded policy file (such as is shown 
+
+- Better rule & policy sanitisation.
+
+- Hosts and interfaces could be reduced based on what's used in the policy
+  and rules files.
+
+- The Makefile could be improved to detect changes in the lower level
+  config files and call shoregen automatically when they are out-of-date.
+  At the moment, shoregen is so simple (and thus fast) that the amount of
+  time that would be saved by a clever Makefile (in comparison to the
+  rsync, ssh, and shorewall steps) is probably not worth the trouble to
+  code.
+
+- Automatic generation of firewall hosts & interfaces files.
+

contrib/shoregen/install_shoregen

@@ -0,0 +1,116 @@
+#!/bin/sh
+#
+# $Id: install_shoregen,v 1.5 2004/04/22 11:12:51 paulgear Exp $
+# 
+# Wrapper script to install shoregen-generated shorewall configuration files.
+#
+
+# 
+# (c) Copyright 2004 Paul D. Gear <paul@gear.dyndns.org>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General
+# Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA, or go to
+# <http://www.gnu.org/licenses/old-licenses/gpl-2.0.txtl> on the World Wide Web.
+
+VERBOSE=0
+RESTART=0
+CHECK=1
+TIME=0
+
+usage()
+{
+    echo "Usage:	$0 [--verbose] [--restart] host ...
+	Generates and installs shorewall configuration on the given hosts" >&2
+    exit 1
+}
+
+error()
+{
+    echo "$0: ERROR -" "$@" >&2
+}
+
+while :; do
+    case "$1" in
+
+    -v|--verbose)
+    	VERBOSE=1
+	shift
+	;;
+
+    -r|--restart)
+	RESTART=1
+	shift
+	;;
+
+    -c|--nocheck)
+	CHECK=0
+	shift
+	;;
+
+    -t|--notime)
+	TIME=0
+	shift
+	;;
+
+    --)
+	shift
+	break 2
+    	;;
+
+    --*)
+	error "Unrecognised option $1"
+	usage
+	;;
+
+    *)
+	break 2
+    	;;
+
+    esac
+done
+
+set -e
+set -u
+
+if [ "$#" -lt 1 ]; then
+    usage
+fi
+
+USER=root
+RSYNC_ARGS="--recursive --backup --times --cvs-exclude --rsh=ssh"
+#--progress 
+if [ "$VERBOSE" -gt 0 ]; then
+    RSYNC_ARGS="$RSYNC_ARGS --verbose"
+fi
+DIR=/etc/shorewall
+SW_PATH=/sbin/shorewall
+
+PATH=$PATH:
+
+if [ "$TIME" -gt 0 ]; then
+    TIME="time"
+else
+    TIME=""
+fi
+
+for HOST; do
+    shoregen $HOST
+    rsync $RSYNC_ARGS SPOOL/$HOST/ $USER@$HOST:$DIR/
+    if [ "$CHECK" -gt 0 ]; then
+	$TIME ssh -l $USER -t $HOST $SW_PATH check
+    fi
+    if [ "$RESTART" -gt 0 ]; then
+	$TIME ssh -l $USER -t $HOST $SW_PATH restart
+    fi
+done

contrib/shoregen/samples/Makefile

@@ -0,0 +1,10 @@
+FLAGS=-c -r
+HOSTS=ig proxy mail og
+
+default:	$(HOSTS)
+
+$(HOSTS):
+	shoregen $@
+
+install:	$(HOSTS)
+	install_shoregen -c -r $(HOSTS)

contrib/shoregen/samples/hosts/ig

@@ -0,0 +1,13 @@
+# ZONE		HOST(S)				OPTIONS
+
+# I used the vi command
+#	!Gsort -k2 -k1 
+# to sort this file, starting at the next line.
+mail		eth0:$MAIL
+og		eth0:$OG
+proxy		eth0:$PROXY
+net		eth0:0.0.0.0/0
+lan		eth1:$LAN
+other		eth1:0.0.0.0/0
+guest		eth2:$GUEST
+other		eth2:0.0.0.0/0

contrib/shoregen/samples/hosts/mail

@@ -0,0 +1,7 @@
+# ZONE		HOST(S)				OPTIONS
+guest		eth0:$GUEST
+ig		eth0:$IG
+lan		eth0:$LAN
+og		eth0:$OG
+proxy		eth0:$PROXY
+net		eth0:0.0.0.0/0