Update documentation regarding FLOW_FILTER

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Samples/one-interface/shorewall.conf

@@ -109,7 +109,7 @@ RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 
 IP_FORWARDING=Off
 
-ADD_IP_ALIASES=Yes
+ADD_IP_ALIASES=No
 
 ADD_SNAT_ALIASES=No
 
@@ -119,6 +119,8 @@ TC_ENABLED=Internal
 
 TC_EXPERT=No
 
+TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
+
 CLEAR_TC=Yes
 
 MARK_IN_FORWARD_CHAIN=No
@@ -137,7 +139,7 @@ BLACKLISTNEWONLY=Yes
 
 DELAYBLACKLISTLOAD=No
 
-MODULE_SUFFIX=
+MODULE_SUFFIX=ko
 
 DISABLE_IPV6=No
 
@@ -195,6 +197,14 @@ TRACK_PROVIDERS=Yes
 
 ZONE2ZONE=2
 
+ACCOUNTING=Yes
+
+DYNAMIC_BLACKLIST=Yes
+
+OPTIMIZE_ACCOUNTING=No
+
+LOAD_HELPERS_ONLY=Yes
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples/three-interfaces/shorewall.conf

@@ -109,7 +109,7 @@ RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 
 IP_FORWARDING=On
 
-ADD_IP_ALIASES=Yes
+ADD_IP_ALIASES=No
 
 ADD_SNAT_ALIASES=No
 
@@ -119,6 +119,8 @@ TC_ENABLED=Internal
 
 TC_EXPERT=No
 
+TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
+
 CLEAR_TC=Yes
 
 MARK_IN_FORWARD_CHAIN=No
@@ -137,7 +139,7 @@ BLACKLISTNEWONLY=Yes
 
 DELAYBLACKLISTLOAD=No
 
-MODULE_SUFFIX=
+MODULE_SUFFIX=ko
 
 DISABLE_IPV6=No
 
@@ -195,6 +197,14 @@ TRACK_PROVIDERS=Yes
 
 ZONE2ZONE=2
 
+ACCOUNTING=Yes
+
+DYNAMIC_BLACKLIST=Yes
+
+OPTIMIZE_ACCOUNTING=No
+
+LOAD_HELPERS_ONLY=Yes
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples/two-interfaces/shorewall.conf

@@ -116,7 +116,7 @@ RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 
 IP_FORWARDING=On
 
-ADD_IP_ALIASES=Yes
+ADD_IP_ALIASES=No
 
 ADD_SNAT_ALIASES=No
 
@@ -126,6 +126,8 @@ TC_ENABLED=Internal
 
 TC_EXPERT=No
 
+TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
+
 CLEAR_TC=Yes
 
 MARK_IN_FORWARD_CHAIN=No
@@ -144,7 +146,7 @@ BLACKLISTNEWONLY=Yes
 
 DELAYBLACKLISTLOAD=No
 
-MODULE_SUFFIX=
+MODULE_SUFFIX=ko
 
 DISABLE_IPV6=No
 
@@ -202,6 +204,14 @@ TRACK_PROVIDERS=Yes
 
 ZONE2ZONE=2
 
+ACCOUNTING=Yes
+
+DYNAMIC_BLACKLIST=Yes
+
+OPTIMIZE_ACCOUNTING=No
+
+LOAD_HELPERS_ONLY=Yes
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples6/one-interface/shorewall6.conf

@@ -99,6 +99,8 @@ TC_ENABLED=No
 
 TC_EXPERT=No
 
+TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
+
 CLEAR_TC=Yes
 
 MARK_IN_FORWARD_CHAIN=No
@@ -111,7 +113,7 @@ ADMINISABSENTMINDED=Yes
 
 BLACKLISTNEWONLY=Yes
 
-MODULE_SUFFIX=
+MODULE_SUFFIX=ko
 
 FASTACCEPT=No
 
@@ -143,7 +145,15 @@ TRACK_PROVIDERS=Yes
 
 ZONE2ZONE=2
 
-###############################################################################
+ACCOUNTING=Yes
+
+DYNAMIC_BLACKLIST=Yes
+
+OPTIMIZE_ACCOUNTING=No
+
+LOAD_HELPERS_ONLY=Yes
+
+##############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
 

Samples6/three-interfaces/shorewall6.conf

@@ -99,6 +99,8 @@ TC_ENABLED=No
 
 TC_EXPERT=No
 
+TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
+
 CLEAR_TC=Yes
 
 MARK_IN_FORWARD_CHAIN=No
@@ -111,7 +113,7 @@ ADMINISABSENTMINDED=Yes
 
 BLACKLISTNEWONLY=Yes
 
-MODULE_SUFFIX=
+MODULE_SUFFIX=ko
 
 FASTACCEPT=No
 
@@ -143,6 +145,14 @@ TRACK_PROVIDERS=Yes
 
 ZONE2ZONE=2
 
+ACCOUNTING=Yes
+
+DYNAMIC_BLACKLIST=Yes
+
+OPTIMIZE_ACCOUNTING=No
+
+LOAD_HELPERS_ONLY=Yes
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples6/two-interfaces/shorewall6.conf

@@ -99,6 +99,8 @@ TC_ENABLED=No
 
 TC_EXPERT=No
 
+TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
+
 CLEAR_TC=Yes
 
 MARK_IN_FORWARD_CHAIN=No
@@ -111,7 +113,7 @@ ADMINISABSENTMINDED=Yes
 
 BLACKLISTNEWONLY=Yes
 
-MODULE_SUFFIX=
+MODULE_SUFFIX=ko
 
 FASTACCEPT=No
 
@@ -143,6 +145,14 @@ TRACK_PROVIDERS=Yes
 
 ZONE2ZONE=2
 
+ACCOUNTING=Yes
+
+DYNAMIC_BLACKLIST=Yes
+
+OPTIMIZE_ACCOUNTING=No
+
+LOAD_HELPERS_ONLY=Yes
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Shorewall-lite/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=4.4.5.1
+VERSION=4.4.7
 
 usage() # $1 = exit status
 {

Shorewall-lite/install.sh

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.5.1
+VERSION=4.4.7
 
 usage() # $1 = exit status
 {

Shorewall-lite/shorecap

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2006,2007 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #	This file should be placed in /sbin/shorewall.
 #

Shorewall-lite/shorewall-lite

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2006 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #	This file should be placed in /sbin/shorewall-lite.
 #
@@ -366,13 +366,14 @@ usage() # $1 = exit status
 {
     echo "Usage: $(basename $0) [debug|trace] [nolock] [ -q ] [ -v[-1|{0-2}] ] [ -t ] <command>"
     echo "where <command> is one of:"
+    echo "   add <interface>[:<host-list>] ... <zone>"
     echo "   allow <address> ..."
-    echo "   clear"
+    echo "   clear [ -f ]"
+    echo "   delete <interface>[:<host-list>] ... <zone>"
     echo "   drop <address> ..."
     echo "   dump [ -x ]"
     echo "   forget [ <file name> ]"
     echo "   help"
-    echo "   hits [ -t ]"
     echo "   ipcalc { <address>/<vlsm> | <address> <netmask> }"
     echo "   ipdecimal { <address> | <integer> }"
     echo "   iprange <address>-<address>"
@@ -381,7 +382,7 @@ usage() # $1 = exit status
     echo "   logwatch [<refresh interval>]"
     echo "   reject <address> ..."
     echo "   reset [ <chain> ... ]"
-    echo "   restart [ -n ] [ -p ]"
+    echo "   restart [ -n ] [ -p ] [ -f ] [ <directory> ]"
     echo "   restore [ -n ] [ <file name> ]"
     echo "   save [ <file name> ]"
     echo "   show [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
@@ -389,19 +390,18 @@ usage() # $1 = exit status
     echo "   show classifiers"
     echo "   show config"
     echo "   show connections"
-    echo "   show dynamic <zone>"
-    echo "   show filter"
+    echo "   show filters"
     echo "   show ip"
     echo "   show [ -m ] log"
-    echo "   show [ -x ] mangle|nat|raw"
-    echo "   show routing"
-    echo "   show tc"
+    echo "   show [ -x ] mangle|nat|raw|routing"
+    echo "   show policies"
+    echo "   show tc [ device ]"
     echo "   show vardir"
     echo "   show zones"
-    echo "   start [ -n ] [ -p ]"
-    echo "   stop"
+    echo "   start [ -f ] [ -p ] [ <directory> ]"
+    echo "   stop [ -f ]"
     echo "   status"
-    echo "   version"
+    echo "   version [ -a ]"
     echo
     exit $1
 }
@@ -431,6 +431,8 @@ NOROUTES=
 EXPORT=
 export TIMESTAMP=
 noroutes=
+RECOVERING=
+export RECOVERING
 
 finished=0
 

Shorewall-lite/shorewall-lite.spec

@@ -1,6 +1,6 @@
 %define name shorewall-lite
-%define version 4.4.5
-%define release 1
+%define version 4.4.7
+%define release 0base
 
 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -100,9 +100,25 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
-* Sat Dec 19 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.5-1
-* Fri Nov 27 2009 Tom Eastep tom@shorewall.net
+* Fri Feb 05 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0base
+* Tue Feb 02 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0RC2
+* Wed Jan 27 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0RC1
+* Mon Jan 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0Beta4
+* Fri Jan 22 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0Beta3
+* Fri Jan 22 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0Beta2
+* Sun Jan 17 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0Beta1
+* Wed Jan 13 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.6-0base
+* Tue Jan 12 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.6-0Beta1
+* Thu Dec 24 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.5-0base
 * Sat Nov 21 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.4-0base

Shorewall-lite/uninstall.sh

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.sourceforge.net
 #
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.5.1
+VERSION=4.4.7
 
 usage() # $1 = exit status
 {

Shorewall/Macros/macro.BGP

@@ -3,9 +3,9 @@
 #
 # /usr/share/shorewall/macro.BGP
 #
-#       This macro handles BGP4 traffic.
+#	This macro handles BGP4 traffic.
 #
 ###############################################################################
-#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  RATE    USER/
-#                               PORT(S) PORT(S) LIMIT   GROUP
-PARAM   -       -       tcp     179     				# BGP4
+#ACTION SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S) PORT(S) LIMIT	GROUP
+PARAM	-	-	tcp	179	# BGP4

Shorewall/Macros/macro.Citrix

@@ -3,11 +3,12 @@
 #
 # /usr/share/shorewall/macro.Citrix
 #
-# This macro handles Citrix/ICA traffic (ICA, ICA Browser, CGP a.k.a. ICA Session Reliability)
+#	This macro handles Citrix/ICA traffic (ICA, ICA Browser, CGP a.k.a.
+#	ICA Session Reliability)
 #
 ####################################################################################
-#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  RATE    USER/
-#                               PORT(S) PORT(S) LIMIT   GROUP
-PARAM   -       -       tcp     1494 				   # ICA
-PARAM   -       -       udp     1604    			   # ICA Browser
-PARAM   -       -       tcp     2598    			   # CGP Session Reliabilty
+#ACTION SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S) PORT(S) LIMIT	GROUP
+PARAM	-	-	tcp	1494	# ICA
+PARAM	-	-	udp	1604	# ICA Browser
+PARAM	-	-	tcp	2598	# CGP Session Reliabilty

Shorewall/Macros/macro.DHCPfwd

@@ -0,0 +1,12 @@
+#
+# Shorewall version 4 - DHCPfwd Macro
+#
+# /usr/share/shorewall/macro.DHCPfwd
+#
+#	This macro (bidirectional) handles forwarded DHCP traffic
+#
+###############################################################################
+#ACTION SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S) PORT(S) LIMIT	GROUP
+PARAM	-	-	udp	67:68	67:68	# DHCP
+PARAM	DEST	SOURCE	udp	67:68	67:68	# DHCP

Shorewall/Macros/macro.OSPF

@@ -3,9 +3,9 @@
 #
 # /usr/share/shorewall/macro.OSPF
 #
-#       This macro handles OSPF multicast traffic
+#	This macro handles OSPF multicast traffic
 #
-#######################################################################################################
-#ACTION         SOURCE          DEST    PROTO   DEST    SOURCE  ORIGINAL        RATE    USER/   ORIGINAL
-#                                               PORT(S) PORT(S) DEST            LIMIT   GROUP   DEST
-PARAM           -               -       89      -                                                       # OSPF
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S)	PORT(S)	LIMIT	GROUP
+PARAM	-	-	89	# OSPF

Shorewall/Macros/macro.Razor

@@ -3,7 +3,7 @@
 #
 # /usr/share/shorewall/macro.Razor
 #
-# This macro handles traffic for the Razor Antispam System
+#	This macro handles traffic for the Razor Antispam System
 #
 ###############################################################################
 #ACTION         SOURCE          DEST    PROTO   DEST    SOURCE  RATE    USER/

Shorewall/Macros/macro.mDNS

@@ -1,12 +1,14 @@
 #
 # Shorewall version 4 - Multicast DNS Macro
 #
-# /usr/share/shorewall/macro.DNS
+# /usr/share/shorewall/macro.mDNS
 #
 #	This macro handles multicast DNS traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	udp	5353
-PARAM	DEST	SOURCE	udp	5353
+#ACTION	SOURCE	DEST			PROTO	DEST	SOURCE	RATE	USER/
+#						PORT(S)	PORT(S)	LIMIT	GROUP
+PARAM	-	224.0.0.251		udp	5353
+PARAM	-	224.0.0.251		2
+PARAM	DEST	SOURCE:224.0.0.251	udp	5353
+PARAM	DEST	SOURCE:224.0.0.251	2

Shorewall/Perl/Shorewall/Accounting.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -35,7 +35,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_accounting );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.4_1';
+our $VERSION = '4.4.7';
 
 #
 # Called by the compiler to [re-]initialize this module's state
@@ -84,7 +84,7 @@ sub process_accounting_rule( ) {
     $ports  = ''    if $ports  eq 'any' || $ports  eq 'all';
     $sports = ''    if $sports eq 'any' || $sports eq 'all';
 
-    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, 0xFF );
+    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, $globals{TC_MASK} );
     my $rule2 = 0;
 
     unless ( $action eq 'COUNT' ) {
@@ -185,17 +185,17 @@ sub setup_accounting() {
     if ( have_bridges ) {
 	if ( $filter_table->{accounting} ) {
 	    for my $chain ( qw/INPUT FORWARD/ ) {
-		insert_rule1 $filter_table->{$chain}, 0, '-j accounting';
+		add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 );
 	    }
 	}
 
 	if ( $filter_table->{accountout} ) {
-	    insert_rule1 $filter_table->{OUTPUT}, 0, '-j accountout';
+	    add_jump( $filter_table->{OUTPUT}, 'accountout', 0, '', 0, 0 );
 	}
     } else {
 	if ( $filter_table->{accounting} ) {
 	    for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
-		insert_rule1 $filter_table->{$chain}, 0, '-j accounting';
+		add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 );
 	    }
 	}
     }

Shorewall/Perl/Shorewall/Actions.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -57,7 +57,7 @@ our @EXPORT = qw( merge_levels
 		  $macro_commands
 		  );
 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.4_5';
+our $VERSION = '4.4_7';
 
 #
 #  Used Actions. Each action that is actually used has an entry with value 1.
@@ -213,7 +213,7 @@ sub merge_macro_source_dest( $$ ) {
     if ( $invocation ) {
 	if ( $body ) {
 	    return $body if $invocation eq '-';
-	    return "$body:$invocation" if $invocation =~ /.*?\.*?\.|^\+|^!+|^~|^!~|~</;
+	    return "$body:$invocation" if $invocation =~ /.*?\.*?\.|^\+|^!+|^~|^!~|~<|~\[/;
 	    return "$invocation:$body";
 	}
 
@@ -305,10 +305,10 @@ sub map_old_actions( $ ) {
 # Create and record a log action chain -- Log action chains have names
 # that are formed from the action name by prepending a "%" and appending
 # a 1- or 2-digit sequence number. In the functions that follow,
-# the CHAIN, LEVEL and TAG variable serves as arguments to the user's
+# the $chain, $level and $tag variable serves as arguments to the user's
 # exit. We call the exit corresponding to the name of the action but we
-# set CHAIN to the name of the iptables chain where rules are to be added.
-# Similarly, LEVEL and TAG contain the log level and log tag respectively.
+# set $chain to the name of the iptables chain where rules are to be added.
+# Similarly, $level and $tag contain the log level and log tag respectively.
 #
 # The maximum length of a chain name is 30 characters -- since the log
 # action chain name is 2-3 characters longer than the base chain name,
@@ -341,6 +341,8 @@ sub createlogactionchain( $$ ) {
 
     unless ( $targets{$action} & BUILTIN ) {
 
+	dont_optimize $chainref;
+
 	my $file = find_file $chain;
 
 	if ( -f $file ) {
@@ -367,6 +369,8 @@ sub createsimpleactionchain( $ ) {
 
     unless ( $targets{$action} & BUILTIN ) {
 
+	dont_optimize $chainref;
+
 	my $file = find_file $action;
 
 	if ( -f $file ) {
@@ -384,7 +388,7 @@ sub createsimpleactionchain( $ ) {
 }
 
 #
-# Create an action chain and run it's associated user exit
+# Create an action chain and run its associated user exit
 #
 sub createactionchain( $ ) {
     my ( $action , $level ) = split_action $_[0];
@@ -574,7 +578,7 @@ sub process_actions2 () {
 	for my $target (keys %usedactions) {
 	    my ($action, $level) = split_action $target;
 	    my $actionref = $actions{$action};
-	    fatal_error "Null Action Reference in process_actions2" unless $actionref;
+	    assert( $actionref );
 	    for my $action1 ( keys %{$actionref->{requires}} ) {
 		my $action2 = merge_levels $target, $action1;
 		unless ( $usedactions{ $action2 } ) {
@@ -609,7 +613,7 @@ sub process_action( $$$$$$$$$$$ ) {
 
     expand_rule ( $chainref ,
 		  NO_RESTRICT ,
-		  do_proto( $proto, $ports, $sports ) . do_ratelimit( $rate, $action ) . do_user $user . do_test( $mark, 0xFF ) ,
+		  do_proto( $proto, $ports, $sports ) . do_ratelimit( $rate, $action ) . do_user $user . do_test( $mark, $globals{TC_MASK} ) ,
 		  $source ,
 		  $dest ,
 		  '', #Original Dest
@@ -766,10 +770,14 @@ sub process_action3( $$$$$ ) {
 sub dropBcast( $$$ ) {
     my ($chainref, $level, $tag) = @_;
 
-    if ( $capabilities{ADDRTYPE} ) {
+    if ( have_capability( 'ADDRTYPE' ) ) {
 	if ( $level ne '' ) {
 	    log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
-	    log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ';
+	    if ( $family == F_IPV4 ) {
+		log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ';
+	    } else {
+		log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d ff00::/10 -j DROP ';
+	    }		
 	}
 
 	add_rule $chainref, '-m addrtype --dst-type BROADCAST -j DROP';
@@ -800,7 +808,7 @@ sub dropBcast( $$$ ) {
 sub allowBcast( $$$ ) {
     my ($chainref, $level, $tag) = @_;
 
-    if ( $family == F_IPV4 && $capabilities{ADDRTYPE} ) {
+    if ( $family == F_IPV4 && have_capability( 'ADDRTYPE' ) ) {
 	if ( $level ne '' ) {
 	    log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
 	    log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ';
@@ -834,15 +842,15 @@ sub allowBcast( $$$ ) {
 sub dropNotSyn ( $$$ ) {
     my ($chainref, $level, $tag) = @_;
 
-    log_rule_limit $level, $chainref, 'dropNotSyn' , 'DROP', '', $tag, 'add', '-p tcp ! --syn ' if $level ne '';
-    add_rule $chainref , '-p tcp ! --syn -j DROP';
+    log_rule_limit $level, $chainref, 'dropNotSyn' , 'DROP', '', $tag, 'add', '-p 6 ! --syn ' if $level ne '';
+    add_rule $chainref , '-p 6 ! --syn -j DROP';
 }
 
 sub rejNotSyn ( $$$ ) {
     my ($chainref, $level, $tag) = @_;
 
-    log_rule_limit $level, $chainref, 'rejNotSyn' , 'REJECT', '', $tag, 'add', '-p tcp ! --syn ' if $level ne '';
-    add_rule $chainref , '-p tcp ! --syn -j REJECT --reject-with tcp-reset';
+    log_rule_limit $level, $chainref, 'rejNotSyn' , 'REJECT', '', $tag, 'add', '-p 6 ! --syn ' if $level ne '';
+    add_rule $chainref , '-p 6 ! --syn -j REJECT --reject-with tcp-reset';
 }
 
 sub dropInvalid ( $$$ ) {
@@ -860,18 +868,19 @@ sub allowInvalid ( $$$ ) {
 }
 
 sub forwardUPnP ( $$$ ) {
+    dont_optimize 'forwardUPnP';
 }
 
 sub allowinUPnP ( $$$ ) {
     my ($chainref, $level, $tag) = @_;
 
     if ( $level ne '' ) {
-	log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p udp --dport 1900 ';
-	log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p tcp --dport 49152 ';
+	log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p 17 --dport 1900 ';
+	log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p 6 --dport 49152 ';
     }
 
-    add_rule $chainref, '-p udp --dport 1900 -j ACCEPT';
-    add_rule $chainref, '-p tcp --dport 49152 -j ACCEPT';
+    add_rule $chainref, '-p 17 --dport 1900 -j ACCEPT';
+    add_rule $chainref, '-p 6 --dport 49152 -j ACCEPT';
 }
 
 sub Limit( $$$ ) {
@@ -897,7 +906,7 @@ sub Limit( $$$ ) {
 	my $xchainref = new_chain 'filter' , "$chainref->{name}%";
 	log_rule_limit $level, $xchainref, $tag[0], 'DROP', '', '', 'add', '';
 	add_rule $xchainref, '-j DROP';
-	add_rule $chainref,  "-m recent --name $set --update --seconds $tag[2] --hitcount $count -j $xchainref->{name}";
+	add_jump $chainref,  $xchainref, 0, "-m recent --name $set --update --seconds $tag[2] --hitcount $count ";
     } else {
 	add_rule $chainref, "-m recent --update --name $set --seconds $tag[2] --hitcount $count -j DROP";
     }

Shorewall/Perl/Shorewall/Compiler.pm

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -43,7 +43,7 @@ use Shorewall::Raw;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( compiler EXPORT TIMESTAMP DEBUG );
 our @EXPORT_OK = qw( $export );
-our $VERSION = '4.4_4';
+our $VERSION = '4.4_7';
 
 our $export;
 
@@ -334,9 +334,9 @@ sub generate_script_3($) {
     save_progress_message 'Initializing...';
 
     if ( $export ) {
-	my $fn = find_file 'modules';
+	my $fn = find_file $config{LOAD_HELPERS_ONLY} ? 'helpers' : 'modules';
 
-	if ( $fn ne "$globals{SHAREDIR}/modules" && -f $fn ) {
+	if ( -f $fn && ! $fn =~ "^$globals{SHAREDIR}/" ) {
 	    emit 'echo MODULESDIR="$MODULESDIR" > ${VARDIR}/.modulesdir';
 	    emit 'cat > ${VARDIR}/.modules << EOF';
 	    open_file $fn;
@@ -355,15 +355,17 @@ sub generate_script_3($) {
     if ( $family == F_IPV4 ) {
 	my @ipsets = all_ipsets;
 
-	if ( @ipsets ) {
+	if ( @ipsets || $config{SAVE_IPSETS} ) {
 	    emit ( '',
+		   'local hack',
+		   '',
 		   'case $IPSET in',
 		   '    */*)',
-		   '        [ -x "$IPSET" ] || fatal_error "IPSET=$IPSET does not exist or is not executable"',
+		   '        [ -x "$IPSET" ] || startup_error "IPSET=$IPSET does not exist or is not executable"',
 		   '        ;;',
 		   '    *)',
 		   '        IPSET="$(mywhich $IPSET)"',
-		   '        [ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"' ,
+		   '        [ -n "$IPSET" ] || startup_error "The ipset utility cannot be located"' ,
 		   '        ;;',
 		   'esac',
 		   '',
@@ -373,20 +375,44 @@ sub generate_script_3($) {
 		   '        $IPSET -X' ,
 		   '        $IPSET -R < ${VARDIR}/ipsets.save' ,
 		   '    fi' ,
-		   '' );
+		   'elif [ "$COMMAND" = restore -a -z "$RECOVERING" ]; then' ,
+		   '    if [ -f $(my_pathname)-ipsets ]; then' ,
+		   '        if chain_exists shorewall; then' ,
+		   '            startup_error "Cannot restore $(my_pathname)-ipsets with Shorewall running"' ,
+		   '        else' ,
+		   '            $IPSET -F' ,
+		   '            $IPSET -X' ,
+		   '            $IPSET -R < $(my_pathname)-ipsets' ,
+		   '        fi' ,
+		   '    fi' ,
+		 );
 
-	    emit ( "    qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
+	    if ( @ipsets ) {
+		emit '';
 
-	    emit ( '' ,
-		   'elif [ "$COMMAND" = restart ]; then' ,
-		   '' );
+		emit ( "    qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
 
-	    emit ( "    qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
+		emit ( '' ,
+		       'elif [ "$COMMAND" = restart ]; then' ,
+		       '' );
+
+		emit ( "    qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
+
+		emit ( '' ,
+		       '    if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then' ,
+		       '        #',
+		       '        # The \'grep -v\' is a hack for a bug in ipset\'s nethash implementation when xtables-addons is applied to Lenny' ,
+		       '        #',
+		       '        hack=\'| grep -v /31\'' ,
+		       '    else' ,
+		       '        hack=' ,
+		       '    fi' ,
+		       '',
+		       '    if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then' ,
+		       '        grep -q "^-N" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' ,
+		       '    fi' );
+	    }
 
-	    emit ( '' ,
-		   '    if $IPSET -S > ${VARDIR}/ipsets.tmp; then' ,
-		   '        grep -q "^-N" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' ,
-		   '    fi' );
 	    emit ( 'fi',
 		   '' );
 	}
@@ -408,7 +434,7 @@ sub generate_script_3($) {
 	       ''
 	     );
 
-	if ( $capabilities{NAT_ENABLED} ) {
+	if ( have_capability( 'NAT_ENABLED' ) ) {
 	    emit(  'if [ -f ${VARDIR}/nat ]; then',
 		   '    while read external interface; do',
 		   '        del_ip_addr $external $interface',
@@ -536,8 +562,8 @@ EOF
 #
 sub compiler {
 
-    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity ) =
-       ( '',              '',         -1,          '',          0,      '',       '',   -1 );
+    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview ) =
+       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0 );
 
     $export = 0;
     $test   = 0;
@@ -569,6 +595,7 @@ sub compiler {
 		  log           => { store => \$log },
 		  log_verbosity => { store => \$log_verbosity, validate => \&validate_verbosity } ,
 		  test          => { store => \$test },
+		  preview       => { store => \$preview },
 		);
     #
     #                               P A R A M E T E R    P R O C E S S I N G
@@ -602,11 +629,11 @@ sub compiler {
     #
     get_configuration( $export );
 
-    report_capabilities;
+    report_capabilities unless $config{LOAD_HELPERS_ONLY};
 
     require_capability( 'MULTIPORT'       , "Shorewall $globals{VERSION}" , 's' );
     require_capability( 'RECENT_MATCH'    , 'MACLIST_TTL' , 's' )           if $config{MACLIST_TTL};
-    require_capability( 'XCONNMARK'       , 'HIGH_ROUTE_MARKS=Yes' , 's' )  if $config{HIGH_ROUTE_MARKS};
+    require_capability( 'XCONNMARK'       , 'HIGH_ROUTE_MARKS=Yes' , 's' )  if $config{PROVIDER_OFFSET} > 0;
     require_capability( 'MANGLE_ENABLED'  , 'Traffic Shaping' , 's'      )  if $config{TC_ENABLED};
 
     if ( $scriptfilename ) {
@@ -746,7 +773,7 @@ sub compiler {
 	#
 	# ECN
 	#
-	setup_ecn if $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED};
+	setup_ecn if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
 	#
 	# Setup Masquerading/SNAT
 	#
@@ -789,14 +816,26 @@ sub compiler {
     #
     # Accounting.
     #
-    setup_accounting;
+    setup_accounting if $config{ACCOUNTING};
 
     if ( $scriptfilename ) {
 	#
-	# Generate the zone by zone matrix
+	# Compiling a script - generate the zone by zone matrix
 	#
 	generate_matrix;
 
+	if ( $config{OPTIMIZE} & 6 ) {
+	    progress_message2 'Optimizing Ruleset...';
+	    #
+	    # Optimize Policy Chains
+	    #
+	    optimize_policy_chains if $config{OPTIMIZE} & 2;
+	    #
+	    # More Optimization
+	    #
+	    optimize_ruleset if $config{OPTIMIZE} & 4;
+	}
+
 	enable_script;
 	#
 	#                             I N I T I A L I Z E
@@ -818,7 +857,7 @@ sub compiler {
 	#                           S T O P _ F I R E W A L L
 	#         (Writes the stop_firewall() function to the compiled script)
 	#
-	compile_stop_firewall( $test );
+	compile_stop_firewall( $test, $export );
 	#
 	# Copy the footer to the script
 	#
@@ -840,6 +879,29 @@ sub compiler {
 	#
 	enable_script, generate_aux_config if $export;
     } else {
+	#
+	# Just checking the configuration
+	#
+	if ( $preview ) {
+	    #
+	    # User wishes to preview the ruleset -- generate the rule matrix
+	    #
+	    generate_matrix;
+
+	    if ( $config{OPTIMIZE} & 6 ) {
+		progress_message2 'Optimizing Ruleset...';
+		#
+		# Optimize Policy Chains
+		#
+		optimize_policy_chains if $config{OPTIMIZE} & 2;
+		#
+		# Ruleset Optimization
+		#
+		optimize_ruleset if $config{OPTIMIZE} & 4;
+	    }
+
+	    preview_netfilter_load;
+	}
 	#
 	# Re-initialize the chain table so that process_routestopped() has the same
 	# environment that it would when called by compile_stop_firewall().

Shorewall/Perl/Shorewall/Config.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -68,6 +68,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 		                       in_hex8
 		                       in_hexp
 				       emit
+				       emitstd
 				       emit_unindented
 				       save_progress_message
 				       save_progress_message_short
@@ -100,6 +101,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       ensure_config_path
 				       get_configuration
 				       require_capability
+				       have_capability
 				       report_capabilities
 				       propagateconfig
 				       append_file
@@ -116,7 +118,6 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       $currentline
 				       %config
 				       %globals
-				       %capabilities
 
 		                       F_IPV4
 		                       F_IPV6
@@ -127,7 +128,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 
 Exporter::export_ok_tags('internal');
 
-our $VERSION = '4.4_5';
+our $VERSION = '4.4_7';
 
 #
 # describe the current command, it's present progressive, and it's completion.
@@ -188,7 +189,7 @@ our %config;
 #
 # Config options and global settings that are to be copied to output script
 #
-our @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR MODULE_SUFFIX SUBSYSLOCK /;
+our @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR MODULE_SUFFIX LOAD_HELPERS_ONLY SUBSYSLOCK /;
 #
 # From parsing the capabilities file or detecting capabilities
 #
@@ -226,6 +227,7 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 KLUDGEFREE      => 'Repeat match',
 		 MARK            => 'MARK Target',
 		 XMARK           => 'Extended Mark Target',
+		 EXMARK          => 'Extended Mark Target 2',
 		 MANGLE_FORWARD  => 'Mangle FORWARD Chain',
 		 COMMENTS        => 'Comments',
 		 ADDRTYPE        => 'Address Type Match',
@@ -242,6 +244,8 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 IPMARK_TARGET   => 'IPMARK Target',
 		 PERSISTENT_SNAT => 'Persistent SNAT',
 		 OLD_HL_MATCH    => 'Old Hash Limit Match',
+		 TPROXY_TARGET   => 'TPROXY Target',
+		 FLOW_FILTER     => 'Flow Classifier',
 		 CAPVERSION      => 'Capability Version',
 		 KERNELVERSION   => 'Kernel Version',
 	       );
@@ -277,6 +281,11 @@ our $toolNAME;                # Tool name in CAPS
 our $product;                 # Name of product that will run the generated script
 our $Product;                 # $product with initial cap.
 
+our $sillyname;               # Name of temporary filter chains for testing capabilities
+our $sillyname1;
+our $iptables;                # Path to iptables/ip6tables
+our $tc;                      # Path to tc
+
 use constant { MIN_VERBOSITY => -1,
 	       MAX_VERBOSITY => 2 ,
 	       F_IPV4 => 4,
@@ -316,6 +325,7 @@ sub initialize( $ ) {
     $indent        = '';       # Current total indentation
     ( $dir, $file ) = ('',''); # Script's Directory and Filename
     $tempfile = '';            # Temporary File Name
+    $sillyname = '';           # Temporary ipchain
 
     #
     # Misc Globals
@@ -323,13 +333,12 @@ sub initialize( $ ) {
     %globals  =   ( SHAREDIR => '/usr/share/shorewall' ,
 		    SHAREDIRPL => '/usr/share/shorewall/' ,
 		    CONFDIR =>  '/etc/shorewall',
-		    ORIGINAL_POLICY_MATCH => '',
 		    LOGPARMS => '',
 		    TC_SCRIPT => '',
 		    EXPORT => 0,
 		    UNTRACKED => 0,
-		    VERSION => "4.4.5.1",
-		    CAPVERSION => 40406 ,
+		    VERSION => "4.4.7",
+		    CAPVERSION => 40407 ,
 		  );
 
     #
@@ -402,6 +411,7 @@ sub initialize( $ ) {
 	      RETAIN_ALIASES => undef,
 	      TC_ENABLED => undef,
 	      TC_EXPERT => undef,
+	      TC_PRIOMAP => undef,
 	      CLEAR_TC => undef,
 	      MARK_IN_FORWARD_CHAIN => undef,
 	      CLAMPMSS => undef,
@@ -442,12 +452,23 @@ sub initialize( $ ) {
 	      WIDE_TC_MARKS => undef,
 	      TRACK_PROVIDERS => undef,
 	      ZONE2ZONE => undef,
+	      ACCOUNTING => undef,
+	      OPTIMIZE_ACCOUNTING => undef,
+	      DYNAMIC_BLACKLIST => undef,
+	      LOAD_HELPERS_ONLY => undef,
 	      #
 	      # Packet Disposition
 	      #
 	      MACLIST_DISPOSITION => undef,
 	      TCP_FLAGS_DISPOSITION => undef,
 	      BLACKLIST_DISPOSITION => undef,
+	      #
+	      # Mark Geometry
+	      #
+	      TC_BITS => undef,
+	      PROVIDER_BITS => undef,
+	      PROVIDER_OFFSET => undef,
+	      MASK_BITS => undef
 	    );
 
 	%validlevels = ( DEBUG   => 7,
@@ -526,6 +547,7 @@ sub initialize( $ ) {
 	      IP_FORWARDING => undef,
 	      TC_ENABLED => undef,
 	      TC_EXPERT => undef,
+	      TC_PRIOMAP => undef,
 	      CLEAR_TC => undef,
 	      MARK_IN_FORWARD_CHAIN => undef,
 	      CLAMPMSS => undef,
@@ -550,11 +572,22 @@ sub initialize( $ ) {
 	      WIDE_TC_MARKS => undef,
 	      TRACK_PROVIDERS => undef,
 	      ZONE2ZONE => undef,
+	      ACCOUNTING => undef,
+	      OPTIMIZE_ACCOUNTING => undef,
+	      DYNAMIC_BLACKLIST => undef,
+	      LOAD_HELPERS_ONLY => undef,
 	      #
 	      # Packet Disposition
 	      #
 	      TCP_FLAGS_DISPOSITION => undef,
 	      BLACKLIST_DISPOSITION => undef,
+	      #
+	      # Mark Geometry
+	      #
+	      TC_BITS => undef,
+	      PROVIDER_BITS => undef,
+	      PROVIDER_OFFSET => undef,
+	      MASK_BITS => undef
 	    );
 
 	%validlevels = ( DEBUG   => 7,
@@ -573,7 +606,7 @@ sub initialize( $ ) {
 		         LOGMARK => 'LOGMARK' );
     }
     #
-    # From parsing the capabilities file
+    # From parsing the capabilities file or capabilities detection
     #
     %capabilities =
 	     ( NAT_ENABLED => undef,
@@ -604,6 +637,7 @@ sub initialize( $ ) {
 	       KLUDGEFREE => undef,
 	       MARK => undef,
 	       XMARK => undef,
+	       EXMARK => undef,
 	       MANGLE_FORWARD => undef,
 	       COMMENTS => undef,
 	       ADDRTYPE => undef,
@@ -617,10 +651,13 @@ sub initialize( $ ) {
 	       GOTO_TARGET => undef,
 	       LOGMARK_TARGET => undef,
 	       IPMARK_TARGET => undef,
+	       TPROXY_TARGET => undef,
 	       LOG_TARGET => 1,         # Assume that we have it.
 	       PERSISTENT_SNAT => undef,
 	       OLD_HL_MATCH => undef,
+	       FLOW_FILTER => 'default',
 	       CAPVERSION => undef,
+	       KERNELVERSION => undef,
 	       );
     #
     # Directories to search for configuration files
@@ -698,6 +735,21 @@ sub cleanup() {
     unlink ( $tempfile ), $tempfile = undef             if $tempfile;
     unlink ( $perlscriptname ), $perlscriptname = undef if $perlscriptname;
     unlink ( @tempfiles ), @tempfiles = ()              if @tempfiles;
+    #
+    # Delete temporary chains
+    #
+    if ( $sillyname ) {
+	#
+	# We went through determine_capabilities()
+	#
+	qt1( "$iptables -F $sillyname" );
+	qt1( "$iptables -X $sillyname" );
+	qt1( "$iptables -F $sillyname1" );
+	qt1( "$iptables -X $sillyname1" );
+	qt1( "$iptables -t mangle -F $sillyname" );
+	qt1( "$iptables -t mangle -X $sillyname" );
+	$sillyname = '';
+    }
 }
 
 #
@@ -846,6 +898,25 @@ sub emit {
     }
 }
 
+#
+# Version of emit() that writes to standard out
+#
+sub emitstd {
+    for ( @_ ) {
+	unless ( /^\s*$/ ) {
+	    my $line = $_; # This copy is necessary because the actual arguments are almost always read-only.
+	    $line =~ s/^\n// if $lastlineblank;
+	    $line =~ s/^/$indent/gm if $indent;
+	    $line =~ s/        /\t/gm;
+	    print "$line\n";
+	    $lastlineblank = ( substr( $line, -1, 1 ) eq "\n" );
+	} else {
+	    print "\n" unless $lastlineblank;
+	    $lastlineblank = 1;
+	}
+    }
+}
+
 #
 # Write passed message to the script with newline but no indentation.
 #
@@ -1734,6 +1805,26 @@ sub default_yes_no_ipv4 ( $$ ) {
     warning_message "$var=Yes is ignored for IPv6" if $family == F_IPV6 && $config{$var};
 }
 
+sub numeric_option( $$$ ) {
+    my ( $option, $default, $min ) = @_;
+
+    my $value = $config{$option};
+
+    my $val = $default;
+    
+    if ( defined $value && $value ne '' ) {
+	$val = numeric_value $value;
+	fatal_error "Invalid value ($value) for '$option'" unless defined $val && $val <= 32;
+    }
+
+    $val = $min if $val < $min;
+
+    $config{$option} = $val;
+}
+
+sub make_mask( $ ) {
+    0xffffffff >> ( 32 - $_[0] );
+}   
 
 my @suffixes = qw(group range threshold nlgroup cprange qthreshold);
 
@@ -1893,7 +1984,7 @@ sub load_kernel_modules( ) {
 
     my @moduledirectories = split /:/, $modulesdir;
 
-    if ( $moduleloader && open_file 'modules' ) {
+    if ( $moduleloader && open_file( $config{LOAD_HELPERS_ONLY} ? 'helpers' : 'modules' ) ) {
 	my %loadedmodules;
 
 	$loadedmodules{$_}++ for split_list( $config{DONT_LOAD}, 'module' );
@@ -1957,135 +2048,195 @@ sub determine_kernelversion() {
     if ( $kernelversion =~ /^(\d+)\.(\d+).(\d+)/ ) {
 	$capabilities{KERNELVERSION} = sprintf "%d%02d%02d", $1 , $2 , $3;
     } else {
-	fatal_error "Inrecognized Kernel Version Format ($kernelversion)";
+	fatal_error "Unrecognized Kernel Version Format ($kernelversion)";
     }
 }
 
 #
-# Determine which optional facilities are supported by iptables/netfilter
+# Capability Reporting and detection.
 #
-sub determine_capabilities( $ ) {
+sub have_capability( $ );
 
-    my $iptables   = $_[0];
-    my $pid        = $$;
-    my $sillyname  = "fooX$pid";
-    my $sillyname1 = "foo1X$pid";
+sub Nat_Enabled() {
+    $family == F_IPV4 ? qt1( "$iptables -t nat -L -n" ) : '';
+}
 
-    $capabilities{NAT_ENABLED}    = qt1( "$iptables -t nat -L -n" ) if $family == F_IPV4;
+sub Persistent_Snat() {
+    have_capability 'NAT_ENABLED' || return '';
 
-    if ( $capabilities{NAT_ENABLED} ) {
-	if ( qt1( "$iptables -t nat -N $sillyname" ) ) {
-	    $capabilities{PERSISTENT_SNAT} = qt1( "$iptables -t nat -A $sillyname -j SNAT --to-source 1.2.3.4 --persistent" );
-	    qt1( "$iptables -t NAT -F $sillyname" );
-	    qt1( "$iptables -t NAT -X $sillyname" );
-	}
+    my $result = '';
+
+    if ( qt1( "$iptables -t nat -N $sillyname" ) ) {
+	$result = qt1( "$iptables -t nat -A $sillyname -j SNAT --to-source 1.2.3.4 --persistent" );
+	qt1( "$iptables -t nat -F $sillyname" );
+	qt1( "$iptables -t nat -X $sillyname" );
+	
     }
 
-    $capabilities{MANGLE_ENABLED} = qt1( "$iptables -t mangle -L -n" );
+    $result;
+}
 
-    qt1( "$iptables -N $sillyname" );
-    qt1( "$iptables -N $sillyname1" );
-
-    fatal_error 'Your kernel/iptables do not include state match support. No version of Shorewall will run on this system'
-	unless qt1( "$iptables -A $sillyname -m state --state ESTABLISHED,RELATED -j ACCEPT");
+sub Mangle_Enabled() {
+    if ( qt1( "$iptables -t mangle -L -n" ) ) { 
+	system( "$iptables -t mangle -N $sillyname" ) == 0 || fatal_error "Cannot Create Mangle chain $sillyname";
+    }
+}
 
+sub Conntrack_Match() {
     if ( $family == F_IPV4 ) {
-	$capabilities{CONNTRACK_MATCH} = qt1( "$iptables -A $sillyname -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT" );
+	qt1( "$iptables -A $sillyname -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT" );
     } else {
-	$capabilities{CONNTRACK_MATCH} = qt1( "$iptables -A $sillyname -m conntrack --ctorigdst ::1 -j ACCEPT" );
+	qt1( "$iptables -A $sillyname -m conntrack --ctorigdst ::1 -j ACCEPT" );
     }
+}
 
-    if ( $capabilities{CONNTRACK_MATCH} ) {
-	$capabilities{NEW_CONNTRACK_MATCH} = qt1( "$iptables -A $sillyname -m conntrack -p tcp --ctorigdstport 22 -j ACCEPT" );
-	$capabilities{OLD_CONNTRACK_MATCH} = ! qt1( "$iptables -A $sillyname -m conntrack ! --ctorigdst 1.2.3.4" );
-    }
+sub New_Conntrack_Match() {
+    have_capability 'CONNTRACK_MATCH' && qt1( "$iptables -A $sillyname -m conntrack -p tcp --ctorigdstport 22 -j ACCEPT" );
+}
 
-    if ( qt1( "$iptables -A $sillyname -p tcp -m multiport --dports 21,22 -j ACCEPT" ) ) {
-	$capabilities{MULTIPORT}  = 1;
-	$capabilities{KLUDGEFREE} = qt1( "$iptables -A $sillyname -p tcp -m multiport --sports 60 -m multiport --dports 99 -j ACCEPT" );
-    }
+sub Old_Conntrack_Match() {
+    ! qt1( "$iptables -A $sillyname -m conntrack ! --ctorigdst 1.2.3.4" );
+}
 
-    $capabilities{XMULTIPORT}      = qt1( "$iptables -A $sillyname -p tcp -m multiport --dports 21:22 -j ACCEPT" );
-    $capabilities{POLICY_MATCH}    = qt1( "$iptables -A $sillyname -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT" );
+sub Multiport() {
+    qt1( "$iptables -A $sillyname -p tcp -m multiport --dports 21,22 -j ACCEPT" );
+}
 
-    if ( qt1( "$iptables -A $sillyname -m physdev --physdev-in eth0 -j ACCEPT" ) ) {
-	$capabilities{PHYSDEV_MATCH}  = 1;
-	$capabilities{PHYSDEV_BRIDGE} = qt1( "$iptables -A $sillyname -m physdev --physdev-is-bridged --physdev-in eth0 --physdev-out eth1 -j ACCEPT" );
-	unless ( $capabilities{KLUDGEFREE} ) {
-	    $capabilities{KLUDGEFREE} = qt1( "$iptables -A $sillyname -m physdev --physdev-in eth0 -m physdev --physdev-out eth0 -j ACCEPT" );
-	}
-    }
+sub Kludgefree1() {
+    have_capability 'MULTIPORT' && qt1( "$iptables -A $sillyname -p tcp -m multiport --sports 60 -m multiport --dports 99 -j ACCEPT" );
+}
 
+sub Kludgefree2() {
+    have_capability 'PHYSDEV_MATCH' && qt1( "$iptables -A $sillyname -m physdev --physdev-in eth0 -m physdev --physdev-out eth0 -j ACCEPT" );
+}
+
+sub Kludgefree3() {
     if ( $family == F_IPV4 ) {
-	if ( qt1( "$iptables -A $sillyname -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT" ) ) {
-	    $capabilities{IPRANGE_MATCH} = 1;
-	    unless ( $capabilities{KLUDGEFREE} ) {
-		$capabilities{KLUDGEFREE} = qt1( "$iptables -A $sillyname -m iprange --src-range 192.168.1.5-192.168.1.124 -m iprange --dst-range 192.168.1.5-192.168.1.124 -j ACCEPT" );
-	    }
-	}
+	qt1( "$iptables -A $sillyname -m iprange --src-range 192.168.1.5-192.168.1.124 -m iprange --dst-range 192.168.1.5-192.168.1.124 -j ACCEPT" );
     } else {
-	if ( qt1( "$iptables -A $sillyname -m iprange --src-range ::1-::2 -j ACCEPT" ) ) {
-	    $capabilities{IPRANGE_MATCH} = 1;
-	    unless ( $capabilities{KLUDGEFREE} ) {
-		$capabilities{KLUDGEFREE} = qt1( "$iptables -A $sillyname -m iprange --src-range ::1-::2 -m iprange --dst-range 192.168.1.5-192.168.1.124 -j ACCEPT" );
-	    }
-	}
+	qt1( "$iptables -A $sillyname -m iprange --src-range ::1-::2 -m iprange --dst-range 192.168.1.5-192.168.1.124 -j ACCEPT" );
     }
+}
 
-    $capabilities{RECENT_MATCH} = qt1( "$iptables -A $sillyname -m recent --update -j ACCEPT" );
-    $capabilities{OWNER_MATCH}  = qt1( "$iptables -A $sillyname -m owner --uid-owner 0 -j ACCEPT" );
+sub Kludgefree() {
+    Kludgefree1 || Kludgefree2 || Kludgefree3;
+}
 
-    if ( qt1( "$iptables -A $sillyname -m connmark --mark 2  -j ACCEPT" )) {
-	$capabilities{CONNMARK_MATCH}  = 1;
-	$capabilities{XCONNMARK_MATCH} = qt1( "$iptables -A $sillyname -m connmark --mark 2/0xFF -j ACCEPT" );
+sub Xmultiport() {
+    qt1( "$iptables -A $sillyname -p tcp -m multiport --dports 21:22 -j ACCEPT" );
+}
+
+sub Policy_Match() {
+    qt1( "$iptables -A $sillyname -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT" );
+}
+
+sub Physdev_Match() {
+    qt1( "$iptables -A $sillyname -m physdev --physdev-in eth0 -j ACCEPT" );
+}
+
+sub Physdev_Bridge() {
+    qt1( "$iptables -A $sillyname -m physdev --physdev-is-bridged --physdev-in eth0 --physdev-out eth1 -j ACCEPT" );
+}
+
+sub IPRange_Match() {
+    if ( $family == F_IPV4 ) {
+	qt1( "$iptables -A $sillyname -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT" );
+    } else {
+	qt1( "$iptables -A $sillyname -m iprange --src-range ::1-::2 -j ACCEPT" );
     }
+}
 
-    $capabilities{IPP2P_MATCH}     = qt1( "$iptables -A $sillyname -p tcp -m ipp2p --edk -j ACCEPT" );
-    $capabilities{OLD_IPP2P_MATCH} = qt1( "$iptables -A $sillyname -p tcp -m ipp2p --ipp2p -j ACCEPT" ) if $capabilities{IPP2P_MATCH};
-    $capabilities{LENGTH_MATCH}    = qt1( "$iptables -A $sillyname -m length --length 10:20 -j ACCEPT" );
-    
+sub Recent_Match() {
+    qt1( "$iptables -A $sillyname -m recent --update -j ACCEPT" );
+}
+
+sub Owner_Match() {
+    qt1( "$iptables -A $sillyname -m owner --uid-owner 0 -j ACCEPT" );
+}
+
+sub Connmark_Match() {
+    qt1( "$iptables -A $sillyname -m connmark --mark 2  -j ACCEPT" );
+}
+
+sub Xconnmark_Match() {
+    have_capability 'CONNMARK_MATCH' && qt1( "$iptables -A $sillyname -m connmark --mark 2/0xFF -j ACCEPT" );
+}
+
+sub Ipp2p_Match() {
+    qt1( "$iptables -A $sillyname -p tcp -m ipp2p --edk -j ACCEPT" );
+}
+
+sub Old_Ipp2p_Match() {
+    qt1( "$iptables -A $sillyname -p tcp -m ipp2p --ipp2p -j ACCEPT" ) if $capabilities{IPP2P_MATCH};
+}
+
+sub Length_Match() {
+    qt1( "$iptables -A $sillyname -m length --length 10:20 -j ACCEPT" );
+}
+
+sub Enhanced_Reject() {
     if ( $family == F_IPV6 ) {
-	$capabilities{ENHANCED_REJECT} = qt1( "$iptables -A $sillyname -j REJECT --reject-with icmp6-adm-prohibited" );
+	qt1( "$iptables -A $sillyname -j REJECT --reject-with icmp6-adm-prohibited" );
     } else {
-	$capabilities{ENHANCED_REJECT} = qt1( "$iptables -A $sillyname -j REJECT --reject-with icmp-host-prohibited" );
+	qt1( "$iptables -A $sillyname -j REJECT --reject-with icmp-host-prohibited" );
     }
+}
 
-    $capabilities{COMMENTS}        = qt1( qq($iptables -A $sillyname -j ACCEPT -m comment --comment "This is a comment" ) );
+sub Comments() {
+    qt1( qq($iptables -A $sillyname -j ACCEPT -m comment --comment "This is a comment" ) );
+}
 
-    $capabilities{HASHLIMIT_MATCH} = qt1( "$iptables -A $sillyname -m hashlimit --hashlimit-upto 3/min --hashlimit-burst 3 --hashlimit-name $sillyname --hashlimit-mode srcip -j ACCEPT" );
+sub Hashlimit_Match() {
+    have_capability 'OLD_HL_MATCH' || qt1( "$iptables -A $sillyname -m hashlimit --hashlimit-upto 3/min --hashlimit-burst 3 --hashlimit-name $sillyname --hashlimit-mode srcip -j ACCEPT" );
+}
 
-    if ( $capabilities{HASHLIMIT_MATCH} ) {
-	$capabilities{OLD_HL_MATCH} = '';
-    } else {
-	$capabilities{OLD_HL_MATCH} = qt1( "$iptables -A $sillyname -m hashlimit --hashlimit 3/min --hashlimit-burst 3 --hashlimit-name $sillyname --hashlimit-mode srcip -j ACCEPT" );
-	$capabilities{HASHLIMIT_MATCH} = $capabilities{OLD_HL_MATCH};
-    }
+sub Old_Hashlimit_Match() {
+    qt1( "$iptables -A $sillyname -m hashlimit --hashlimit 3/min --hashlimit-burst 3 --hashlimit-name $sillyname --hashlimit-mode srcip -j ACCEPT" );
+}
 
-    if  ( $capabilities{MANGLE_ENABLED} ) {
-	qt1( "$iptables -t mangle -N $sillyname" );
+sub Mark() {
+    have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -j MARK --set-mark 1" );
+}
 
-	if ( qt1( "$iptables -t mangle -A $sillyname -j MARK --set-mark 1" ) ) {
-	    $capabilities{MARK}  = 1;
-	    $capabilities{XMARK} = qt1( "$iptables -t mangle -A $sillyname -j MARK --and-mark 0xFF" );
-	}
+sub Xmark() {
+    have_capability 'MARK' && qt1( "$iptables -t mangle -A $sillyname -j MARK --and-mark 0xFF" );
+}
 
-	if ( qt1( "$iptables -t mangle -A $sillyname -j CONNMARK --save-mark" ) ) {
-	    $capabilities{CONNMARK}  = 1;
-	    $capabilities{XCONNMARK} = qt1( "$iptables -t mangle -A $sillyname -j CONNMARK --save-mark --mask 0xFF" );
-	}
+sub Exmark() {
+    have_capability 'MARK' && qt1( "$iptables -t mangle -A $sillyname -j MARK --set-mark 1/0xFF" );
+}
 
-	$capabilities{CLASSIFY_TARGET} = qt1( "$iptables -t mangle -A $sillyname -j CLASSIFY --set-class 1:1" );
-	$capabilities{IPMARK_TARGET}   = qt1( "$iptables -t mangle -A $sillyname -j IPMARK --addr src" );
+sub Connmark() {
+    have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -j CONNMARK --save-mark" );
+}
 
-	qt1( "$iptables -t mangle -F $sillyname" );
-	qt1( "$iptables -t mangle -X $sillyname" );
+sub Xconnmark() {
+    have_capability 'XCONNMARK_MATCH' && have_capability 'XMARK' && qt1( "$iptables -t mangle -A $sillyname -j CONNMARK --save-mark --mask 0xFF" );
+}
 
-	$capabilities{MANGLE_FORWARD} = qt1( "$iptables -t mangle -L FORWARD -n" );
-    }
+sub Classify_Target() {
+    have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -j CLASSIFY --set-class 1:1" );
+}
 
-    $capabilities{RAW_TABLE} = qt1( "$iptables -t raw -L -n" );
+sub IPMark_Target() {
+    have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -j IPMARK --addr src" );
+}
 
-    my $ipset = $config{IPSET} || 'ipset';
+sub Tproxy_Target() {
+    have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -p tcp -j TPROXY --on-port 0 --tproxy-mark 1" );
+}
+
+sub Mangle_Forward() {
+    have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -L FORWARD -n" );
+}
+
+sub Raw_Table() {
+    qt1( "$iptables -t raw -L -n" );
+}
+
+sub IPSet_Match() {
+    my $ipset  = $config{IPSET} || 'ipset';
+    my $result = 0;
 
     $ipset = which $ipset unless $ipset =~ '//';
 
@@ -2095,33 +2246,237 @@ sub determine_capabilities( $ ) {
 	if ( qt( "$ipset -N $sillyname iphash" ) ) {
 	    if ( qt1( "$iptables -A $sillyname -m set --set $sillyname src -j ACCEPT" ) ) {
 		qt1( "$iptables -D $sillyname -m set --set $sillyname src -j ACCEPT" );
-		$capabilities{IPSET_MATCH} = 1;
+		$result = 1;
 	    }
 
 	    qt( "$ipset -X $sillyname" );
 	}
     }
 
-    $capabilities{USEPKTTYPE}      = qt1( "$iptables -A $sillyname -m pkttype --pkt-type broadcast -j ACCEPT" );
-    $capabilities{ADDRTYPE}        = qt1( "$iptables -A $sillyname -m addrtype --src-type BROADCAST -j ACCEPT" );
-    $capabilities{TCPMSS_MATCH}    = qt1( "$iptables -A $sillyname -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT" );
-    $capabilities{NFQUEUE_TARGET}  = qt1( "$iptables -A $sillyname -j NFQUEUE --queue-num 4" );
-    $capabilities{REALM_MATCH}     = qt1( "$iptables -A $sillyname -m realm --realm 1" );
-    $capabilities{HELPER_MATCH}    = qt1( "$iptables -A $sillyname -m helper --helper \"ftp\"" );
-    $capabilities{CONNLIMIT_MATCH} = qt1( "$iptables -A $sillyname -m connlimit --connlimit-above 8" );
-    $capabilities{TIME_MATCH}      = qt1( "$iptables -A $sillyname -m time --timestart 11:00" );
-    $capabilities{GOTO_TARGET}     = qt1( "$iptables -A $sillyname -g $sillyname1" );
-    $capabilities{LOG_TARGET}      = qt1( "$iptables -A $sillyname -j LOG" );
-    $capabilities{LOGMARK_TARGET}  = qt1( "$iptables -A $sillyname -j LOGMARK" );
+    $result;
+}
 
-    qt1( "$iptables -F $sillyname" );
-    qt1( "$iptables -X $sillyname" );
-    qt1( "$iptables -F $sillyname1" );
-    qt1( "$iptables -X $sillyname1" );
+sub Usepkttype() {
+    qt1( "$iptables -A $sillyname -m pkttype --pkt-type broadcast -j ACCEPT" );
+}
+
+sub Addrtype() {
+    qt1( "$iptables -A $sillyname -m addrtype --src-type BROADCAST -j ACCEPT" );
+}
+
+sub Tcpmss_Match() {
+    qt1( "$iptables -A $sillyname -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT" );
+}
+
+sub Nfqueue_Target() {
+    qt1( "$iptables -A $sillyname -j NFQUEUE --queue-num 4" );
+}
+
+sub Realm_Match() {
+    qt1( "$iptables -A $sillyname -m realm --realm 1" );
+}
+
+sub Helper_Match() {
+    qt1( "$iptables -A $sillyname -m helper --helper \"ftp\"" );
+}
+
+sub Connlimit_Match() {
+    qt1( "$iptables -A $sillyname -m connlimit --connlimit-above 8" );
+}
+
+sub Time_Match() {
+    qt1( "$iptables -A $sillyname -m time --timestart 11:00" );
+}
+
+sub Goto_Target() {
+    qt1( "$iptables -A $sillyname -g $sillyname1" );
+}
+
+sub Log_Target() {
+    qt1( "$iptables -A $sillyname -j LOG" );
+}
+
+sub Logmark_Target() {
+    qt1( "$iptables -A $sillyname -j LOGMARK" );
+}
+
+sub Flow_Filter() {
+    $tc && system( "$tc filter add flow add help 2>&1 | grep -q ^Usage" ) == 0;
+}
+
+our %detect_capability =
+    ( ADDRTYPE => \&Addrtype,
+      CLASSIFY_TARGET => \&Classify_Target,
+      COMMENTS => \&Comments,
+      CONNLIMIT_MATCH => \&Connlimit_Match,
+      CONNMARK => \&Connmark,
+      CONNMARK_MATCH => \&Connmark_Match,
+      CONNTRACK_MATCH => \&Conntrack_Match,
+      ENHANCED_REJECT => \&Enhanced_Reject,
+      EXMARK => \&Exmark,
+      FLOW_FILTER => \&Flow_Filter,
+      GOTO_TARGET => \&Goto_Target,
+      HASHLIMIT_MATCH => \&Hashlimit_Match,
+      HELPER_MATCH => \&Helper_Match,
+      IPMARK_TARGET => \&IPMark_Target,
+      IPP2P_MATCH => \&Ipp2p_Match,
+      IPRANGE_MATCH => \&IPRange_Match,
+      IPSET_MATCH => \&IPSet_Match,
+      KLUDGEFREE => \&Kludgefree,
+      LENGTH_MATCH => \&Length_Match,
+      LOGMARK_TARGET => \&Logmark_Target,
+      LOG_TARGET => \&Log_Target,
+      MANGLE_ENABLED => \&Mangle_Enabled,
+      MANGLE_FORWARD => \&Mangle_Forward,
+      MARK => \&Mark,
+      MULTIPORT => \&Multiport,
+      NAT_ENABLED => \&Nat_Enabled,
+      NEW_CONNTRACK_MATCH => \&New_Conntrack_Match,
+      NFQUEUE_TARGET => \&Nfqueue_Target,
+      OLD_CONNTRACK_MATCH => \&Old_Conntrack_Match,
+      OLD_HL_MATCH => \&Old_Hashlimit_Match,
+      OLD_IPP2P_MATCH => \&Old_Ipp2p_Match,
+      OWNER_MATCH => \&Owner_Match,
+      PERSISTENT_SNAT => \&Persistent_Snat,
+      PHYSDEV_BRIDGE => \&Physdev_Bridge,
+      PHYSDEV_MATCH => \&Physdev_Match,
+      POLICY_MATCH => \&Policy_Match,
+      RAW_TABLE => \&Raw_Table,
+      REALM_MATCH => \&Realm_Match,
+      RECENT_MATCH => \&Recent_Match,
+      TCPMSS_MATCH => \&Tcpmss_Match,
+      TIME_MATCH => \&Time_Match,
+      TPROXY_TARGET => \&Tproxy_Target,
+      USEPKTTYPE => \&Usepkttype,
+      XCONNMARK_MATCH => \&Xconnmark_Match,
+      XCONNMARK => \&Xconnmark,
+      XMARK => \&Xmark,
+      XMULTIPORT => \&Xmultiport,
+    );
+
+sub detect_capability( $ ) {
+    my $capability = shift;
+    my $function = $detect_capability{ $capability };
+
+    assert( ( reftype( $function ) || '' ) eq 'CODE' );
+    $function->();
+}
+
+#
+# Report the passed capability
+#
+sub have_capability( $ ) {
+    my $capability = shift;
+    our %detect_capability;
+
+    $capabilities{ $capability } = detect_capability( $capability ) unless defined $capabilities{ $capability };
+
+    $capabilities{ $capability }; 
+}
+
+#
+# Determine which optional facilities are supported by iptables/netfilter
+#
+sub determine_capabilities() {
+
+    my $pid     = $$;
 
     $capabilities{CAPVERSION} = $globals{CAPVERSION};
 
     determine_kernelversion;
+
+    $sillyname  = "fooX$pid";
+    $sillyname1 = "foo1X$pid";
+
+    qt1( "$iptables -N $sillyname" );
+    qt1( "$iptables -N $sillyname1" );
+
+    fatal_error 'Your kernel/iptables do not include state match support. No version of Shorewall will run on this system'
+	unless qt1( "$iptables -A $sillyname -m state --state ESTABLISHED,RELATED -j ACCEPT");
+  
+    unless ( $config{ LOAD_HELPERS_ONLY } ) {
+	#
+	# Using 'detect_capability()' is a bit less efficient than calling the individual detection
+	# functions but it ensures that %detect_capability is initialized properly.
+	#
+	$capabilities{NAT_ENABLED}     = detect_capability( 'NAT_ENABLED' );
+	$capabilities{PERSISTENT_SNAT} = detect_capability( 'PERSISTENT_SNAT' );
+	$capabilities{MANGLE_ENABLED}  = detect_capability( 'MANGLE_ENABLED' );
+	
+	if ( $capabilities{CONNTRACK_MATCH} = detect_capability( 'CONNTRACK_MATCH' ) ) {
+	    $capabilities{NEW_CONNTRACK_MATCH} = detect_capability( 'NEW_CONNTRACK_MATCH' );
+	    $capabilities{OLD_CONNTRACK_MATCH} = detect_capability( 'OLD_CONNTRACK_MATCH' );
+	} else {
+	    $capabilities{NEW_CONNTRACK_MATCH} = '';
+	    $capabilities{OLD_CONNTRACK_MATCH} = '';
+	}
+
+	if ( $capabilities{ MULTIPORT } = detect_capability( 'MULTIPORT' ) ) {
+	     $capabilities{KLUDGEFREE}  = Kludgefree1;
+	}
+
+	$capabilities{XMULTIPORT}   = detect_capability( 'XMULTIPORT' ); 
+	$capabilities{POLICY_MATCH} = detect_capability( 'POLICY_MATCH' );
+
+	if ( $capabilities{PHYSDEV_MATCH} = detect_capability( 'PHYSDEV_MATCH' ) ) {
+	    $capabilities{PHYSDEV_BRIDGE} = detect_capability( 'PHYSDEV_BRIDGE' );
+	    $capabilities{KLUDGEFREE}   ||= Kludgefree2;
+	} else {
+	    $capabilities{PHYSDEV_BRIDGE} = '';
+	}
+
+	if ( $capabilities{IPRANGE_MATCH} = detect_capability( 'IPRANGE_MATCH' ) ) {
+	    $capabilities{KLUDGEFREE}   ||= Kludgefree3;
+	}
+
+	$capabilities{RECENT_MATCH}    = detect_capability( 'RECENT_MATCH' );
+	$capabilities{OWNER_MATCH}     = detect_capability( 'OWNER_MATCH' );
+	$capabilities{CONNMARK_MATCH}  = detect_capability( 'CONNMARK_MATCH' );
+	$capabilities{XCONNMARK_MATCH} = detect_capability( 'XCONNMARK_MATCH' );
+	$capabilities{IPP2P_MATCH}     = detect_capability( 'IPP2P_MATCH' );
+	$capabilities{OLD_IPP2P_MATCH} = detect_capability( 'OLD_IPP2P_MATCH' );
+	$capabilities{LENGTH_MATCH}    = detect_capability( 'LENGTH_MATCH' );
+	$capabilities{ENHANCED_REJECT} = detect_capability( 'ENHANCED_REJECT' );
+	$capabilities{COMMENTS}        = detect_capability( 'COMMENTS' );
+	$capabilities{OLD_HL_MATCH}    = detect_capability( 'OLD_HL_MATCH' );
+	$capabilities{HASHLIMIT_MATCH} = detect_capability( 'HASHLIMIT_MATCH' );
+	$capabilities{MARK}            = detect_capability( 'MARK' );
+	$capabilities{XMARK}           = detect_capability( 'XMARK' );
+	$capabilities{EXMARK}          = detect_capability( 'EXMARK' );
+	$capabilities{CONNMARK}        = detect_capability( 'CONNMARK' );
+	$capabilities{XCONNMARK}       = detect_capability( 'XCONNMARK' );
+	$capabilities{CLASSIFY_TARGET} = detect_capability( 'CLASSIFY_TARGET' );
+	$capabilities{IPMARK_TARGET}   = detect_capability( 'IPMARK_TARGET' );
+	$capabilities{TPROXY_TARGET}   = detect_capability( 'TPROXY_TARGET' );
+
+	if ( $capabilities{MANGLE_ENABLED} ) {
+	    qt1( "$iptables -t mangle -F $sillyname" );
+	    qt1( "$iptables -t mangle -X $sillyname" );
+	}
+
+	$capabilities{MANGLE_FORWARD}  = detect_capability( 'MANGLE_FORWARD' );
+	$capabilities{RAW_TABLE}       = detect_capability( 'RAW_TABLE' );
+	$capabilities{IPSET_MATCH}     = detect_capability( 'IPSET_MATCH' );
+	$capabilities{USEPKTTYPE}      = detect_capability( 'USEPKTTYPE' );
+	$capabilities{ADDRTYPE}        = detect_capability( 'ADDRTYPE' );
+	$capabilities{TCPMSS_MATCH}    = detect_capability( 'TCPMSS_MATCH' );
+	$capabilities{NFQUEUE_TARGET}  = detect_capability( 'NFQUEUE_TARGET' );
+	$capabilities{REALM_MATCH}     = detect_capability( 'REALM_MATCH' );
+	$capabilities{HELPER_MATCH}    = detect_capability( 'HELPER_MATCH' );
+	$capabilities{CONNLIMIT_MATCH} = detect_capability( 'CONNLIMIT_MATCH' );
+	$capabilities{TIME_MATCH}      = detect_capability( 'TIME_MATCH' );
+	$capabilities{GOTO_TARGET}     = detect_capability( 'GOTO_TARGET' );
+	$capabilities{LOG_TARGET}      = detect_capability( 'LOG_TARGET' );
+	$capabilities{LOGMARK_TARGET}  = detect_capability( 'LOGMARK_TARGET' );
+
+
+	qt1( "$iptables -F $sillyname" );
+	qt1( "$iptables -X $sillyname" );
+	qt1( "$iptables -F $sillyname1" );
+	qt1( "$iptables -X $sillyname1" );
+
+	$sillyname = $sillyname1 = undef;
+    }
 }
 
 #
@@ -2130,7 +2485,7 @@ sub determine_capabilities( $ ) {
 sub require_capability( $$$ ) {
     my ( $capability, $description, $singular ) = @_;
 
-    fatal_error "$description require${singular} $capdesc{$capability} in your kernel and iptables" unless $capabilities{$capability};
+    fatal_error "$description require${singular} $capdesc{$capability} in your kernel and iptables" unless have_capability $capability;
 }
 
 #
@@ -2242,6 +2597,15 @@ sub read_capabilities() {
 	warning_message "Your capabilities file does not contain a Kernel Version -- using 2.6.30";
 	$capabilities{KERNELVERSION} = 20630;
     }
+
+    for ( keys %capabilities ) {
+	$capabilities{$_} = '' unless defined $capabilities{$_};
+    }
+
+    if ( $capabilities{FLOW_FILTER} eq 'default' ) {
+	$capabilities{FLOW_FILTER} = $capabilities{OLD_HL_MATCH} ? '' : 'Yes';
+    }
+    
 }
 
 #
@@ -2251,7 +2615,7 @@ sub get_capabilities( $ ) {
     my $export = $_[0];
 
     if ( ! $export && $> == 0 ) { # $> == $EUID
-	my $iptables = $config{$toolNAME};
+	$iptables = $config{$toolNAME};
 
 	if ( $iptables ) {
 	    fatal_error "$toolNAME=$iptables does not exist or is not executable" unless -x $iptables;
@@ -2263,12 +2627,18 @@ sub get_capabilities( $ ) {
 
 	fatal_error "$iptables_restore does not exist or is not executable" unless -x $iptables_restore;
 
+	$tc = $config{TC};
+
+	if ( $tc ) {
+	    fatal_error "TC=$tc does not exist or is not executable" unless -x $tc;
+	}
+
 	load_kernel_modules;
 
 	if ( open_file 'capabilities' ) {
 	    read_capabilities;
 	} else {
-	    determine_capabilities $iptables;
+	    determine_capabilities;
 	}
     } else {
 	unless ( open_file 'capabilities' ) {
@@ -2325,13 +2695,14 @@ sub get_configuration( $ ) {
     unshift @INC, @config_path;
 
     default 'PATH' , '/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin';
-
+    #
+    # get_capabilities requires that the true settings of these options be established
+    #
     default 'MODULE_PREFIX', 'o gz ko o.gz ko.gz';
+    default_yes_no 'LOAD_HELPERS_ONLY'          , '';
 
     get_capabilities( $export );
 
-    $globals{ORIGINAL_POLICY_MATCH} = $capabilities{POLICY_MATCH};
-
     if ( $config{LOGRATE} || $config{LOGBURST} ) {
 	if ( defined $config{LOGRATE} ) {
 	    fatal_error"Invalid LOGRATE ($config{LOGRATE})" unless $config{LOGRATE}  =~ /^\d+\/(second|minute)$/;
@@ -2352,22 +2723,24 @@ sub get_configuration( $ ) {
     
     my $val;
 
-    if ( $capabilities{KERNELVERSION} < 20631 ) {
+    if ( have_capability( 'KERNELVERSION' ) < 20631 ) {
 	check_trivalue ( 'ROUTE_FILTER',  '' );
     } else {
-	$val = $capabilities{ROUTE_FILTER};
+	$val = $config{ROUTE_FILTER};
 	if ( defined $val ) {
 	    if ( $val =~ /\d+/ ) {
 		fatal_error "Invalid value ($val) for ROUTE_FILTER" unless $val < 3;
 	    } else {
 		check_trivalue( 'ROUTE_FILTER', '' );
 	    }
+	} else {
+	    check_trivalue( 'ROUTE_FILTER', '' );
 	}
     }
 
     if ( $family == F_IPV6 ) {
-	$val = $capabilities{ROUTE_FILTER};	
-	fatal_error "ROUTE_FILTER=$val is not supported in IPv6" unless $val eq 'off' || $val eq '';
+	$val = $config{ROUTE_FILTER};	
+	fatal_error "ROUTE_FILTER=$val is not supported in IPv6" if $val && $val ne 'off';
     }
 
     if ( $family == F_IPV4 ) {
@@ -2419,9 +2792,9 @@ sub get_configuration( $ ) {
 
     unsupported_yes_no_warning 'DYNAMIC_ZONES';
     unsupported_yes_no         'BRIDGING';
-    unsupported_yes_no_warning 'SAVE_IPSETS';
     unsupported_yes_no_warning 'RFC1918_STRICT';
 
+    default_yes_no 'SAVE_IPSETS'                , '';
     default_yes_no 'STARTUP_ENABLED'            , 'Yes';
     default_yes_no 'DELAYBLACKLISTLOAD'         , '';
     default_yes_no 'MAPOLDACTIONS'              , 'Yes';
@@ -2455,6 +2828,24 @@ sub get_configuration( $ ) {
     default_yes_no 'AUTOMAKE'                   , '';
     default_yes_no 'WIDE_TC_MARKS'              , '';
     default_yes_no 'TRACK_PROVIDERS'            , '';
+    default_yes_no 'ACCOUNTING'                 , 'Yes';
+    default_yes_no 'OPTIMIZE_ACCOUNTING'        , '';
+    default_yes_no 'DYNAMIC_BLACKLIST'          , 'Yes';
+
+    numeric_option 'TC_BITS',          $config{WIDE_TC_MARKS} ? 14 : 8 , 0;
+    numeric_option 'MASK_BITS',        $config{WIDE_TC_MARKS} ? 16 : 8,  $config{TC_BITS};
+    numeric_option 'PROVIDER_BITS' ,   8, 0;
+    numeric_option 'PROVIDER_OFFSET' , $config{HIGH_ROUTE_MARKS} ? $config{WIDE_TC_MARKS} ? 16 : 8 : 0, 0;
+    
+    if ( $config{PROVIDER_OFFSET} ) {
+	$config{PROVIDER_OFFSET} = $config{MASK_BITS} if $config{PROVIDER_OFFSET} < $config{MASK_BITS};
+	fatal_error 'PROVIDER_BITS + PROVIDER_OFFSET > 32' if $config{PROVIDER_BITS} + $config{PROVIDER_OFFSET} > 32;
+    }
+
+    $globals{TC_MAX}                 = make_mask( $config{TC_BITS} );
+    $globals{TC_MASK}                = make_mask( $config{MASK_BITS} );
+    $globals{PROVIDER_MIN}           = 1 << $config{PROVIDER_OFFSET};
+    $globals{PROVIDER_MASK}          = make_mask( $config{PROVIDER_BITS} ) << $config{PROVIDER_OFFSET};
 
     if ( defined ( $val = $config{ZONE2ZONE} ) ) {
 	fatal_error "Invalid ZONE2ZONE value ( $val )" unless $val =~ /^[2-]$/;
@@ -2462,8 +2853,6 @@ sub get_configuration( $ ) {
 	$config{ZONE2ZONE} = '2';
     }
 
-    $capabilities{XCONNMARK} = '' unless $capabilities{XCONNMARK_MATCH} and $capabilities{XMARK};
-
     default 'BLACKLIST_DISPOSITION'    , 'DROP';
 
     default_log_level 'BLACKLIST_LOGLEVEL',  '';
@@ -2518,12 +2907,30 @@ sub get_configuration( $ ) {
 	$globals{TC_SCRIPT} = $file;
     } elsif ( $val eq 'internal' ) {
 	$config{TC_ENABLED} = 'Internal';
+    } elsif ( $val eq 'simple' ) {
+	$config{TC_ENABLED} = 'Simple';
     } else {
 	fatal_error "Invalid value ($config{TC_ENABLED}) for TC_ENABLED" unless $val eq 'no';
 	$config{TC_ENABLED} = '';
     }
 
-    fatal_error "TC_ENABLED=$config{TC_ENABLED} is not allowed with MANGLE_ENABLED=No" if $config{TC_ENABLED} && ! $config{MANGLE_ENABLED};
+    if ( $config{TC_ENABLED} ) {
+	fatal_error "TC_ENABLED=$config{TC_ENABLED} is not allowed with MANGLE_ENABLED=No" unless $config{MANGLE_ENABLED};
+	require_capability 'MANGLE_ENABLED', "TC_ENABLED=$config{TC_ENABLED}", 's';
+    }
+
+    if ( $val = $config{TC_PRIOMAP} ) {
+	my @priomap = split ' ',$val;
+	fatal_error "Invalid TC_PRIOMAP ($val)" unless @priomap == 16;
+	for ( @priomap ) {
+	    fatal_error "Invalid TC_PRIOMAP entry ($_)" unless /[1-3]/;
+	    $_--;
+	}
+
+	$config{TC_PRIOMAP} = join ' ', @priomap;
+    } else {
+	$config{TC_PRIOMAP} = '1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1';
+    }
 
     default 'RESTOREFILE'           , 'restore';
     default 'IPSECFILE'             , 'zones';
@@ -2541,10 +2948,9 @@ sub get_configuration( $ ) {
 	$config{$default} = 'none' if "\L$config{$default}" eq 'none';
     }
 
-    $val = $config{OPTIMIZE};
-
-    fatal_error "Invalid OPTIMIZE value ($val)" unless ( $val eq '0' ) || ( $val eq '1' );
+    $val = numeric_value $config{OPTIMIZE};
 
+    fatal_error "Invalid OPTIMIZE value ($config{OPTIMIZE})" unless defined( $val ) && $val >= 0 && $val <= 7;
 
     $globals{MARKING_CHAIN} = $config{MARK_IN_FORWARD_CHAIN} ? 'tcfor' : 'tcpre';
 

Shorewall/Perl/Shorewall/IPAddrs.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -26,7 +26,7 @@
 #
 package Shorewall::IPAddrs;
 require Exporter;
-use Shorewall::Config qw( :DEFAULT split_list require_capability in_hex8 F_IPV4 F_IPV6 );
+use Shorewall::Config qw( :DEFAULT split_list require_capability in_hex8 numeric_value F_IPV4 F_IPV6 );
 use Socket;
 
 use strict;
@@ -72,7 +72,7 @@ our @EXPORT = qw( ALLIPv4
 		  validate_icmp6
 		 );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.4_5';
+our $VERSION = '4.4_7';
 
 #
 # Some IPv4/6 useful stuff
@@ -287,7 +287,12 @@ sub resolve_proto( $ ) {
     my $proto = $_[0];
     my $number;
 
-    $proto =~ /^(\d+)$/ ? $proto <= 65535 ? $proto : undef : defined( $number = $nametoproto{$proto} ) ? $number : scalar getprotobyname $proto;
+    if ( $proto =~ /^\d+$/ || $proto =~ /^0x/ ) {
+	$number = numeric_value ( $proto );
+	defined $number && $number <= 65535 ? $number : undef;
+    } else {
+	defined( $number = $nametoproto{$proto} ) ? $number : scalar getprotobyname $proto;
+    }
 }
 
 sub proto_name( $ ) {
@@ -301,14 +306,15 @@ sub validate_port( $$ ) {
 
     my $value;
 
-    if ( $port =~ /^(\d+)$/ ) {
-	return $port if $port && $port <= 65535;
+    if ( $port =~ /^(\d+)$/ || $port =~ /^0x/ ) {
+	$port = numeric_value $port;
+	return $port if defined $port && $port && $port <= 65535;
     } else {
 	$proto = proto_name $proto if $proto =~ /^(\d+)$/;
 	$value = getservbyname( $port, $proto );
     }
 
-    fatal_error "Invalid/Unknown $proto port/service ($port)" unless defined $value;
+    fatal_error "Invalid/Unknown $proto port/service ($_[1])" unless defined $value;
 
     $value;
 }

Shorewall/Perl/Shorewall/Nat.pm

@@ -36,7 +36,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses );
 our @EXPORT_OK = ();
-our $VERSION = '4.4_4';
+our $VERSION = '4.4_6';
 
 our @addresses_to_add;
 our %addresses_to_add;
@@ -150,7 +150,7 @@ sub process_one_masq( )
     # Handle IPSEC options, if any
     #
     if ( $ipsec ne '-' ) {
-	fatal_error "Non-empty IPSEC column requires policy match support in your kernel and iptables"  unless $globals{ORIGINAL_POLICY_MATCH};
+	fatal_error "Non-empty IPSEC column requires policy match support in your kernel and iptables"  unless have_capability( 'POLICY_MATCH' );
 
 	if ( $ipsec =~ /^yes$/i ) {
 	    $baserule .= '-m policy --pol ipsec --dir out ';
@@ -159,7 +159,7 @@ sub process_one_masq( )
 	} else {
 	    $baserule .= do_ipsec_options $ipsec;
 	}
-    } elsif ( $capabilities{POLICY_MATCH} ) {
+    } elsif ( have_ipsec ) {
 	$baserule .= '-m policy --pol none --dir out ';
     }
 
@@ -170,8 +170,8 @@ sub process_one_masq( )
     #
     # Handle Mark
     #
-    $baserule .= do_test( $mark, 0xFF) if $mark ne '-';
-    $baserule .= do_user( $user )      if $user ne '-';
+    $baserule .= do_test( $mark, $globals{TC_MASK} ) if $mark ne '-';
+    $baserule .= do_user( $user )                    if $user ne '-';
 
     for my $fullinterface (split_list $interfacelist, 'interface' ) {
 	my $rule = '';
@@ -372,7 +372,7 @@ sub do_one_nat( $$$$$ )
 	$interface = $interfaceref->{name};
     }
 
-    if ( $capabilities{POLICY_MATCH} ) {
+    if ( have_ipsec ) {
 	$policyin = ' -m policy --pol none --dir in';
 	$policyout =  '-m policy --pol none --dir out';
     }
@@ -402,7 +402,6 @@ sub do_one_nat( $$$$$ )
 	    push @addresses_to_add, ( $external , $fullinterface );
 	}
     }
-
 }
 
 #

Shorewall/Perl/Shorewall/Policy.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -32,9 +32,9 @@ use Shorewall::Actions;
 use strict;
 
 our @ISA = qw(Exporter);
-our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain setup_syn_flood_chains save_policies );
+our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain setup_syn_flood_chains save_policies optimize_policy_chains);
 our @EXPORT_OK = qw(  );
-our $VERSION = '4.4_4';
+our $VERSION = '4.4_7';
 
 # @policy_chains is a list of references to policy chains in the filter table
 
@@ -362,7 +362,7 @@ sub policy_rules( $$$$$ ) {
 
     unless ( $target eq 'NONE' ) {
 	add_rule $chainref, "-d 224.0.0.0/4 -j RETURN" if $dropmulticast && $target ne 'CONTINUE' && $target ne 'ACCEPT';
-	add_rule $chainref, "-j $default" if $default && $default ne 'none';
+	add_jump $chainref, $default, 0 if $default && $default ne 'none';
 	log_rule $loglevel , $chainref , $target , '' if $loglevel ne '';
 	fatal_error "Null target in policy_rules()" unless $target;
 
@@ -418,10 +418,21 @@ sub apply_policy_rules() {
 	my $provisional = $chainref->{provisional};
 	my $default     = $chainref->{default};
 	my $name        = $chainref->{name};
+	my $synparms    = $chainref->{synparms};
 
 	if ( $policy ne 'NONE' ) {
-	    if ( ! $chainref->{referenced} && ( ! $provisional && $policy ne 'CONTINUE' ) ) {
-		ensure_filter_chain $name, 1;
+	    unless ( $chainref->{referenced} || $provisional || $policy eq 'CONTINUE' ) {
+		if ( $config{OPTIMIZE} & 2 ) {
+		    #
+		    # This policy chain is empty and the only thing that we would put in it is
+		    # the policy-related stuff. Don't create it if all we are going to put in it
+		    # is a single jump. Generate_matrix() will just use the policy target when
+		    # needed.
+		    #
+		    ensure_filter_chain $name, 1 if $default ne 'none' || $loglevel || $synparms || $config{MULTICAST} || ! ( $policy eq 'ACCEPT' || $config{FASTACCEPT} );
+		} else {
+		    ensure_filter_chain $name, 1;
+		}
 	    }
 
 	    if ( $name =~ /^all[-2]|[-2]all$/ ) {
@@ -487,4 +498,24 @@ sub setup_syn_flood_chains() {
     }
 }
 
+#
+# Optimize Policy chains with ACCEPT policy
+#
+sub optimize_policy_chains() {
+    for my $chainref ( grep $_->{policy} eq 'ACCEPT', @policy_chains ) {
+	optimize_chain ( $chainref );
+    }
+    #
+    # Often, fw->all has an ACCEPT policy. This code allows optimization in that case
+    #
+    my $outputrules = $filter_table->{OUTPUT}{rules};
+
+    if ( @{$outputrules} && $outputrules->[-1] =~ /-j ACCEPT/ ) {
+	optimize_chain( $filter_table->{OUTPUT} );
+    }
+
+    progress_message '  Policy chains optimized';
+    progress_message '';
+}
+
 1;

Shorewall/Perl/Shorewall/Proc.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -41,7 +41,7 @@ our @EXPORT = qw(
 		 setup_forwarding
 		 );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.4_4';
+our $VERSION = '4.4_7';
 
 #
 # ARP Filtering
@@ -130,7 +130,7 @@ sub setup_route_filtering() {
 	    emit   "fi\n";
 	}
 
-	if ( $capabilities{KERNELVERSION} < 20631 ) {
+	if ( have_capability( 'KERNELVERSION' ) < 20631 ) {
 	    emit 'echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter';
 	} elsif ( $val ne '' ) {
 	    emit "echo $val > /proc/sys/net/ipv4/conf/all/rp_filter";

Shorewall/Perl/Shorewall/Providers.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -35,7 +35,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_providers @routemarked_interfaces handle_stickiness handle_optional_interfaces );
 our @EXPORT_OK = qw( initialize lookup_provider );
-our $VERSION = '4.4_4';
+our $VERSION = '4.4_7';
 
 use constant { LOCAL_TABLE   => 255,
 	       MAIN_TABLE    => 254,
@@ -59,6 +59,8 @@ our @providers;
 
 our $family;
 
+our $lastmark;
+
 use constant { ROUTEMARKED_SHARED => 1, ROUTEMARKED_UNSHARED => 2 };
 
 #
@@ -94,7 +96,7 @@ sub initialize( $ ) {
 # Set up marking for 'tracked' interfaces.
 #
 sub setup_route_marking() {
-    my $mask = $config{HIGH_ROUTE_MARKS} ? $config{WIDE_TC_MARKS} ? '0xFF0000' : '0xFF00' : '0xFF';
+    my $mask = in_hex( $globals{PROVIDER_MASK} );
 
     require_capability( $_ , q(The provider 'track' option) , 's' ) for qw/CONNMARK_MATCH CONNMARK/;
 
@@ -112,7 +114,7 @@ sub setup_route_marking() {
 	my $mark      = $providerref->{mark};
 
 	unless ( $marked_interfaces{$interface} ) {
-	    add_rule $mangle_table->{PREROUTING} , "-i $physical -m mark --mark 0/$mask -j routemark";
+	    add_jump $mangle_table->{PREROUTING} , $chainref,  0, "-i $physical -m mark --mark 0/$mask ";
 	    add_jump $mangle_table->{PREROUTING} , $chainref1, 0, "! -i $physical -m mark --mark  $mark/$mask ";
 	    add_jump $mangle_table->{OUTPUT}     , $chainref2, 0, "-m mark --mark  $mark/$mask ";
 	    $marked_interfaces{$interface} = 1;
@@ -293,36 +295,8 @@ sub add_a_provider( ) {
 	$gateway = '';
     }
 
-    my $val = 0;
-    my $pref;
-
-    if ( $mark ne '-' ) {
-
-	$val = numeric_value $mark;
-
-	fatal_error "Invalid Mark Value ($mark)" unless defined $val;
-
-	verify_mark $mark;
-
-	if ( $val < 65535 ) {
-	    if ( $config{HIGH_ROUTE_MARKS} ) {
-		fatal_error "Invalid Mark Value ($mark) with HIGH_ROUTE_MARKS=Yes and WIDE_TC_MARKS=Yes" if $config{WIDE_TC_MARKS};
-		fatal_error "Invalid Mark Value ($mark) with HIGH_ROUTE_MARKS=Yes" if $val < 256;
-	    }
-	} else {
-	    fatal_error "Invalid Mark Value ($mark)" unless $config{HIGH_ROUTE_MARKS} && $config{WIDE_TC_MARKS};
-	}
-
-	for my $providerref ( values %providers  ) {
-	    fatal_error "Duplicate mark value ($mark)" if numeric_value( $providerref->{mark} ) == $val;
-	}
-
-	$pref = 10000 + $number - 1;
-
-    }
-
-    my ( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu ) = 
-	(0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), '' );
+    my ( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $local ) = 
+	(0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), ''  , 0 );
 
     unless ( $options eq '-' ) {
 	for my $option ( split_list $options, 'option' ) {
@@ -363,12 +337,43 @@ sub add_a_provider( ) {
 		} else {
 		    $default = -1;
 		}
+	    } elsif ( $option eq 'local' ) {
+		$local = 1;
+		$track = 0           if $config{TRACK_PROVIDERS};
+		$default_balance = 0 if$config{USE_DEFAULT_RT}; 
 	    } else {
 		fatal_error "Invalid option ($option)";
 	    }
 	}
     }
 
+    my $val = 0;
+    my $pref;
+
+    $mark = ( $lastmark += ( 1 << $config{PROVIDER_OFFSET} ) ) if $mark eq '-' && $track;
+
+    if ( $mark ne '-' ) {
+
+	$val = numeric_value $mark;
+
+	fatal_error "Invalid Mark Value ($mark)" unless defined $val && $val;
+
+	verify_mark $mark;
+
+	fatal_error "Invalid Mark Value ($mark)" unless ( $val & $globals{PROVIDER_MASK} ) == $val;
+
+	fatal_error "Provider MARK may not be specified when PROVIDER_BITS=0" unless $config{PROVIDER_BITS};
+
+	for my $providerref ( values %providers  ) {
+	    fatal_error "Duplicate mark value ($mark)" if numeric_value( $providerref->{mark} ) == $val;
+	}
+
+	$pref = 10000 + $number - 1;
+
+	$lastmark = $val;
+
+    }
+
     unless ( $loose ) {
 	warning_message q(The 'proxyarp' option is dangerous when specified on a Provider interface) if get_interface_option( $interface, 'proxyarp' );
 	warning_message q(The 'proxyndp' option is dangerous when specified on a Provider interface) if get_interface_option( $interface, 'proxyndp' );
@@ -420,7 +425,13 @@ sub add_a_provider( ) {
 
 	$provider_interfaces{$interface} = $table;
 
-	emit "run_ip route add default dev $physical table $number" if $gatewaycase eq 'none';
+	if ( $gatewaycase eq 'none' ) {
+	    if ( $local ) {
+		emit "run_ip route add local 0.0.0.0/0 dev $physical table $number";
+	    } else {
+		emit "run_ip route add default dev $physical table $number";
+	    }
+	}
     }
 
     if ( $mark ne '-' ) {
@@ -470,7 +481,12 @@ sub add_a_provider( ) {
 	}
     }
 
-    if ( $loose ) {
+    if ( $local ) {
+	fatal_error "GATEWAY not valid with 'local' provider" unless $gatewaycase eq 'none';
+	fatal_error "'track' not valid with 'local'"          if $track;
+	fatal_error "DUPLICATE not valid with 'local'"        if $duplicate ne '-';
+	fatal_error "MARK required with 'local'"              unless $mark;
+    } elsif ( $loose ) {
 	if ( $config{DELETE_THEN_ADD} ) {
 	    emit ( "\nfind_interface_addresses $physical | while read address; do",
 		   "    qt \$IP -$family rule del from \$address",
@@ -589,7 +605,7 @@ sub add_an_rtrule( ) {
 	} else {
 	    $source = "iif $source";
 	}
-    } elsif ( $source =~  /^(.+?):<(.+)>\s*$/ ) {
+    } elsif ( $source =~  /^(.+?):<(.+)>\s*$/ ||  $source =~  /^(.+?):\[(.+)\]\s*$/ ) {
 	my ($interface, $source ) = ($1, $2);
 	validate_net ($source, 0);
 	$interface = physical_name $interface;
@@ -737,12 +753,14 @@ sub finish_providers() {
 sub setup_providers() {
     my $providers = 0;
 
+    $lastmark = 0;
+
     my $fn = open_file 'providers';
 
     first_entry sub() {
+	progress_message2 "$doing $fn...";
 	emit "\nif [ -z \"\$NOROUTES\" ]; then";
 	push_indent;
-	progress_message2 "$doing $fn...";
 	start_providers; };
 
     add_a_provider, $providers++ while read_a_line;
@@ -767,7 +785,7 @@ sub setup_providers() {
 	setup_null_routing if $config{NULL_ROUTE_RFC1918};
 	emit "\nrun_ip route flush cache";
 	#
-	# This completes the if block begun in the first_entry closure
+	# This completes the if-block begun in the first_entry closure above
 	#
 	pop_indent;
 	emit "fi\n";
@@ -869,7 +887,7 @@ sub handle_optional_interfaces() {
 #
 sub handle_stickiness( $ ) {
     my $havesticky   = shift;
-    my $mask         = $config{HIGH_ROUTE_MARKS} ? $config{WIDE_TC_MARKS} ? '0xFF0000' : '0xFF00' : '0xFF';
+    my $mask         = in_hex( $globals{PROVIDER_MASK} );
     my $setstickyref = $mangle_table->{setsticky};
     my $setstickoref = $mangle_table->{setsticko};
     my $tcpreref     = $mangle_table->{tcpre};

Shorewall/Perl/Shorewall/Rules.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -46,7 +46,7 @@ our @EXPORT = qw( process_tos
 		  compile_stop_firewall
 		  );
 our @EXPORT_OK = qw( process_rule process_rule1 initialize );
-our $VERSION = '4.4_5';
+our $VERSION = '4.4_7';
 
 #
 # Set to one if we find a SECTION
@@ -85,8 +85,8 @@ sub initialize( $ ) {
 use constant { MAX_MACRO_NEST_LEVEL => 5 };
 
 sub process_tos() {
-    my $chain    = $capabilities{MANGLE_FORWARD} ? 'fortos'  : 'pretos';
-    my $stdchain = $capabilities{MANGLE_FORWARD} ? 'FORWARD' : 'PREROUTING';
+    my $chain    = have_capability( 'MANGLE_FORWARD' ) ? 'fortos'  : 'pretos';
+    my $stdchain = have_capability( 'MANGLE_FORWARD' ) ? 'FORWARD' : 'PREROUTING';
 
     my %tosoptions = ( 'minimize-delay'       => 0x10 ,
 		       'maximize-throughput'  => 0x08 ,
@@ -125,7 +125,7 @@ sub process_tos() {
 	    if ( $family == F_IPV4 ) {
 		( $srczone , $source , $remainder ) = split( /:/, $src, 3 );
 		fatal_error 'Invalid SOURCE' if defined $remainder;
-	    } elsif ( $src =~ /^(.+?):<(.*)>\s*$/ ) {
+	    } elsif ( $src =~ /^(.+?):<(.*)>\s*$/ || $src =~ /^(.+?):\[(.*)\]\s*$/ ) {
 		$srczone = $1;
 		$source  = $2;
 	    } else {
@@ -146,7 +146,7 @@ sub process_tos() {
 	    expand_rule
 		$chainref ,
 		$restriction ,
-		do_proto( $proto, $ports, $sports ) . do_test( $mark , 0xFF ) ,
+		do_proto( $proto, $ports, $sports ) . do_test( $mark , $globals{TC_MASK} ) ,
 		$src ,
 		$dst ,
 		'' ,
@@ -157,8 +157,8 @@ sub process_tos() {
 	}
 
 	unless ( $first_entry ) {
-	    add_rule $mangle_table->{$stdchain}, "-j $chain" if $pretosref->{referenced};
-	    add_rule $mangle_table->{OUTPUT},    "-j outtos" if $outtosref->{referenced};
+	    add_jump( $mangle_table->{$stdchain}, $chain,   0 ) if $pretosref->{referenced};
+	    add_jump( $mangle_table->{OUTPUT},    'outtos', 0 ) if $outtosref->{referenced};
 	}
     }
 }
@@ -214,7 +214,7 @@ sub add_rule_pair( $$$$ ) {
     my ($chainref , $predicate , $target , $level ) = @_;
 
     log_rule( $level, $chainref, "\U$target", $predicate )  if defined $level && $level ne '';
-    add_rule $chainref , "${predicate}-j $target";
+    add_jump( $chainref , $target, 0, $predicate );
 }
 
 sub setup_blacklist() {
@@ -232,7 +232,7 @@ sub setup_blacklist() {
 
 	    log_rule_limit( $level , $logchainref , 'blacklst' , $disposition , "$globals{LOGLIMIT}" , '', 'add',	'' );
 
-	    add_rule $logchainref, "-j $target" ;
+	    add_jump $logchainref, $target, 1;
 
 	    $target = 'blacklog';
 	}
@@ -281,7 +281,7 @@ sub setup_blacklist() {
 	for my $hostref ( @$hosts ) {
 	    my $interface  = $hostref->[0];
 	    my $ipsec      = $hostref->[1];
-	    my $policy     = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : '';
+	    my $policy     = have_ipsec ? "-m policy --pol $ipsec --dir in " : '';
 	    my $network    = $hostref->[2];
 	    my $source     = match_source_net $network;
 	    my $target     = source_exclusion( $hostref->[3], $chainref );
@@ -315,7 +315,6 @@ sub process_routestopped() {
 	my ($interface, $hosts, $options , $proto, $ports, $sports ) = split_line 1, 6, 'routestopped file';
 
 	fatal_error "Unknown interface ($interface)" unless known_interface $interface;
-
 	$hosts = ALLIP unless $hosts && $hosts ne '-';
 
 	my @hosts;
@@ -325,6 +324,7 @@ sub process_routestopped() {
 	my $rule = do_proto( $proto, $ports, $sports, 0 );
 
 	for my $host ( split /,/, $hosts ) {
+	    fatal_error "Ipsets not allowed with SAVE_IPSETS=Yes" if $host =~ /^!?\+/ && $config{SAVE_IPSETS};
 	    validate_host $host, 1;
 	    push @hosts, "$interface|$host|$seq";
 	    push @rule, $rule;
@@ -419,17 +419,21 @@ sub setup_mss();
 sub add_common_rules() {
     my $interface;
     my $chainref;
-    my $level;
     my $target;
     my $rule;
     my $list;
     my $chain;
 
-    new_standard_chain 'dynamic';
+    my $state     = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? '-m state --state NEW,INVALID,UNTRACKED ' : '-m state --state NEW,INVALID ' : '';
+    my $level     = $config{BLACKLIST_LOGLEVEL};
+    my $rejectref = dont_move new_standard_chain 'reject';
 
-    my $state = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? '-m state --state NEW,INVALID,UNTRACKED ' : '-m state --state NEW,INVALID ' : '';
-
-    add_rule $filter_table->{$_}, "$state -j dynamic" for qw( INPUT FORWARD );
+    if ( $config{DYNAMIC_BLACKLIST} ) {
+	add_rule_pair dont_delete( new_standard_chain( 'logdrop' ) ),   ' ' , 'DROP'   , $level ;
+	add_rule_pair dont_delete( new_standard_chain( 'logreject' ) ), ' ' , 'reject' , $level ;
+	$chainref = dont_optimize( new_standard_chain( 'dynamic' ) );
+	add_jump $filter_table->{$_}, $chainref, 0, $state for qw( INPUT FORWARD );
+    }
 
     setup_mss;
 
@@ -437,13 +441,6 @@ sub add_common_rules() {
 	add_rule( $filter_table->{$_} , "-m state --state ESTABLISHED,RELATED -j ACCEPT" ) for qw( INPUT FORWARD OUTPUT );
     }
 
-    my $rejectref = new_standard_chain 'reject';
-
-    $level = $config{BLACKLIST_LOGLEVEL};
-
-    add_rule_pair new_standard_chain( 'logdrop' ),   ' ' , 'DROP'   , $level ;
-    add_rule_pair new_standard_chain( 'logreject' ), ' ' , 'reject' , $level ;
-
     for $interface ( all_interfaces ) {
 	ensure_chain( 'filter', $_ ) for first_chains( $interface ), output_chain( $interface );
     }
@@ -454,32 +451,74 @@ sub add_common_rules() {
 
     $list = find_hosts_by_option 'nosmurfs';
 
-    $chainref = new_standard_chain 'smurfs';
+    if ( @$list ) {
+	progress_message2 'Adding Anti-smurf Rules';
 
-    if ( $capabilities{ADDRTYPE} ) {
-	add_rule $chainref , '-s 0.0.0.0 -j RETURN';
-	add_rule_pair $chainref, '-m addrtype --src-type BROADCAST ', 'DROP', $config{SMURF_LOG_LEVEL} ;
-    } else {
-	if ( $family == F_IPV4 ) {
-	    add_commands $chainref, 'for address in $ALL_BCASTS; do';
+	$chainref = new_standard_chain 'smurfs';
+    
+	my $smurfdest;
+
+	if ( defined $config{SMURF_LOG_LEVEL} && $config{SMURF_LOG_LEVEL} ne '' ) {
+	    my $smurfref = new_chain( 'filter', $smurfdest = 'smurflog' );
+	    
+	    log_rule_limit( $config{SMURF_LOG_LEVEL},
+			    $smurfref,
+			    'smurfs' ,
+			    'DROP',
+			    $globals{LOGLIMIT},
+			    '', 
+			    'add',
+			    '' );
+	    add_rule( $smurfref, '-j DROP' );
 	} else {
-	    add_commands $chainref, 'for address in $ALL_ACASTS; do';
+	    $smurfdest = 'DROP';
 	}
 
-	incr_cmd_level $chainref;
-	log_rule( $config{SMURF_LOG_LEVEL} , $chainref, 'DROP', '-s $address ' );
-	add_rule $chainref, '-s $address -j DROP';
-	decr_cmd_level $chainref;
-	add_commands $chainref, 'done';
+	if ( have_capability( 'ADDRTYPE' ) ) {
+	    if ( $family == F_IPV4 ) {
+		add_rule $chainref , '-s 0.0.0.0 -j RETURN';
+	    } else {
+		add_rule $chainref , '-s :: -j RETURN';
+	    }
+
+	    add_jump( $chainref, $smurfdest, 1, '-m addrtype --src-type BROADCAST ' ) ;
+	} else {
+	    if ( $family == F_IPV4 ) {
+		add_commands $chainref, 'for address in $ALL_BCASTS; do';
+	    } else {
+		add_commands $chainref, 'for address in $ALL_ACASTS; do';
+	    }
+	    
+	    incr_cmd_level $chainref;
+	    add_jump( $chainref, $smurfdest, 1, '-s $address ' );
+	    decr_cmd_level $chainref;
+	    add_commands $chainref, 'done';
+	}
+
+	if ( $family == F_IPV4 ) {
+	    add_jump( $chainref, $smurfdest, 1, '-s 224.0.0.0/4 ' );
+	} else {
+	    add_jump( $chainref, $smurfdest, 1, '-s ff00::/10 ' );
+	}
+
+	my $state = $globals{UNTRACKED} ? 'NEW,INVALID,UNTRACKED' : 'NEW,INVALID';
+
+	for my $hostref  ( @$list ) {
+	    $interface     = $hostref->[0];
+	    my $ipsec      = $hostref->[1];
+	    my $policy     = have_ipsec ? "-m policy --pol $ipsec --dir in " : '';
+	    my $target     = source_exclusion( $hostref->[3], $chainref );
+
+	    for $chain ( first_chains $interface ) {
+		add_jump $filter_table->{$chain} , $target, 0, join( '', "-m state --state $state ", match_source_net( $hostref->[2] ),  $policy );
+	    }
+
+	    set_interface_option $interface, 'use_input_chain', 1;
+	    set_interface_option $interface, 'use_forward_chain', 1;
+	}
     }
 
-    if ( $family == F_IPV4 ) {
-	add_rule_pair $chainref, '-s 224.0.0.0/4 ', 'DROP', $config{SMURF_LOG_LEVEL};
-    } else {
-	add_rule_pair $chainref, '-s ff00::/10 ', 'DROP', $config{SMURF_LOG_LEVEL} if $family == F_IPV4;
-    }
-
-    if ( $capabilities{ADDRTYPE} ) {
+    if ( have_capability( 'ADDRTYPE' ) ) {
 	add_rule $rejectref , '-m addrtype --src-type BROADCAST -j DROP';
     } else {
 	if ( $family == F_IPV4 ) {
@@ -500,30 +539,10 @@ sub add_common_rules() {
 	add_rule $rejectref , '-s ff00::/10 -j DROP';
     }
 
-    if ( @$list ) {
-	progress_message2 'Adding Anti-smurf Rules';
-
-	my $state = $globals{UNTRACKED} ? 'NEW,INVALID,UNTRACKED' : 'NEW,INVALID';
-
-	for my $hostref  ( @$list ) {
-	    $interface     = $hostref->[0];
-	    my $ipsec      = $hostref->[1];
-	    my $policy     = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : '';
-	    my $target     = source_exclusion( $hostref->[3], $chainref );
-
-	    for $chain ( first_chains $interface ) {
-		add_jump $filter_table->{$chain} , $target, 0, join( '', "-m state --state $state ", match_source_net( $hostref->[2] ),  $policy );
-	    }
-
-	    set_interface_option $interface, 'use_input_chain', 1;
-	    set_interface_option $interface, 'use_forward_chain', 1;
-	}
-    }
-
     add_rule $rejectref , '-p 2 -j DROP';
     add_rule $rejectref , '-p 6 -j REJECT --reject-with tcp-reset';
 
-    if ( $capabilities{ENHANCED_REJECT} ) {
+    if ( have_capability( 'ENHANCED_REJECT' ) ) {
 	add_rule $rejectref , '-p 17 -j REJECT';
 
 	if ( $family == F_IPV4 ) {
@@ -591,16 +610,16 @@ sub add_common_rules() {
 	    $disposition = $config{TCP_FLAGS_DISPOSITION};
 	}
 
-	add_rule $chainref , "-p tcp --tcp-flags ALL FIN,URG,PSH -j $disposition";
-	add_rule $chainref , "-p tcp --tcp-flags ALL NONE        -j $disposition";
-	add_rule $chainref , "-p tcp --tcp-flags SYN,RST SYN,RST -j $disposition";
-	add_rule $chainref , "-p tcp --tcp-flags SYN,FIN SYN,FIN -j $disposition";
-	add_rule $chainref , "-p tcp --syn --sport 0 -j $disposition";
+	add_jump $chainref , $disposition, 1, '-p tcp --tcp-flags ALL FIN,URG,PSH ';
+	add_jump $chainref , $disposition, 1, '-p tcp --tcp-flags ALL NONE ';
+	add_jump $chainref , $disposition, 1, '-p tcp --tcp-flags SYN,RST SYN,RST ';
+	add_jump $chainref , $disposition, 1, '-p tcp --tcp-flags SYN,FIN SYN,FIN ';
+	add_jump $chainref , $disposition, 1, '-p tcp --syn --sport 0 ';
 
 	for my $hostref  ( @$list ) {
 	    my $interface  = $hostref->[0];
 	    my $target     = source_exclusion( $hostref->[3], $chainref );
-	    my $policy     = $capabilities{POLICY_MATCH} ? "-m policy --pol $hostref->[1] --dir in " : '';
+	    my $policy     = have_ipsec ? "-m policy --pol $hostref->[1] --dir in " : '';
 
 	    for $chain ( first_chains $interface ) {
 		add_jump $filter_table->{$chain} , $target, 0, join( '', '-p tcp ', match_source_net( $hostref->[2] ), $policy );
@@ -618,12 +637,12 @@ sub add_common_rules() {
 	if ( @$list ) {
 	    progress_message2 "$doing UPnP";
 
-	    new_nat_chain( 'UPnP' );
+	    dont_optimize new_nat_chain( 'UPnP' );
 
 	    $announced = 1;
 
 	    for $interface ( @$list ) {
-		add_rule $nat_table->{PREROUTING} , match_source_dev ( $interface ) . '-j UPnP';
+		add_jump $nat_table->{PREROUTING} , 'UPnP', 0, match_source_dev ( $interface );
 	    }
 	}
 
@@ -706,7 +725,7 @@ sub setup_mac_lists( $ ) {
 		my $chain = $chainref->{name};
 
 		add_rule $chainref, "-m recent --rcheck --seconds $ttl --name $chain -j RETURN";
-		add_rule $chainref, "-j $chain1ref->{name}";
+		add_jump $chainref, $chain1ref, 0;
 		add_rule $chainref, "-m recent --update --name $chain -j RETURN";
 		add_rule $chainref, "-m recent --set --name $chain";
 	    }
@@ -766,7 +785,7 @@ sub setup_mac_lists( $ ) {
 	for my $hostref ( @$maclist_hosts ) {
 	    my $interface  = $hostref->[0];
 	    my $ipsec      = $hostref->[1];
-	    my $policy     = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : '';
+	    my $policy     = have_ipsec ? "-m policy --pol $ipsec --dir in " : '';
 	    my $source     = match_source_net $hostref->[2];
 
 	    my $state = $globals{UNTRACKED} ? 'NEW,UNTRACKED' : 'NEW';
@@ -797,7 +816,7 @@ sub setup_mac_lists( $ ) {
 		if ( $level ne '' || $disposition ne 'ACCEPT' ) {
 		    my $variable = get_interface_addresses source_port_to_bridge( $interface );
 
-		    if ( $capabilities{ADDRTYPE} ) {
+		    if ( have_capability( 'ADDRTYPE' ) ) {
 			add_commands( $chainref,
 				      "for address in $variable; do",
 				      "    echo \"-A $chainref->{name} -s \$address -m addrtype --dst-type BROADCAST -j RETURN\" >&3",
@@ -834,7 +853,7 @@ sub setup_mac_lists( $ ) {
 	    run_user_exit2( 'maclog', $chainref );
 
 	    log_rule_limit $level, $chainref , $chain , $disposition, '', '', 'add', '' if $level ne '';
-	    add_rule $chainref, "-j $target";
+	    add_jump $chainref, $target, 0;
 	}
     }
 }
@@ -958,7 +977,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
     my ( $basictarget, $param ) = get_target_param $action;
     my $rule = '';
     my $actionchainref;
-    my $optimize = $wildcard ? ( $basictarget =~ /!$/ ? 0 : $config{OPTIMIZE} ) : 0;
+    my $optimize = $wildcard ? ( $basictarget =~ /!$/ ? 0 : $config{OPTIMIZE} & 1 ) : 0;
 
     $param = '' unless defined $param;
 
@@ -1128,7 +1147,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 	    }
 	}
 
-	$chain    = rules_chain( ${sourcezone}, ${destzone} );
+	$chain = rules_chain( ${sourcezone}, ${destzone} );
 	#
 	# Ensure that the chain exists but don't mark it as referenced until after optimization is checked
 	#
@@ -1154,12 +1173,22 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 	# Mark the chain as referenced and add appropriate rules from earlier sections.
 	#
 	$chainref = ensure_filter_chain $chain, 1;
+	#
+	# Don't let the rules in this chain be moved elsewhere
+	#
+	dont_move $chainref;
     }
 
     #
     # Generate Fixed part of the rule
     #
-    $rule = join( '', do_proto($proto, $ports, $sports), do_ratelimit( $ratelimit, $basictarget ) , do_user( $user ) , do_test( $mark , 0xFF ) , do_connlimit( $connlimit ), do_time( $time ) );
+    $rule = join( '', 
+		  do_proto($proto, $ports, $sports),
+		  do_ratelimit( $ratelimit, $basictarget ) ,
+		  do_user( $user ) ,
+		  do_test( $mark , $globals{TC_MASK} ) ,
+		  do_connlimit( $connlimit ),
+		  do_time( $time ) );
 
     unless ( $section eq 'NEW' ) {
 	fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" if $config{FASTACCEPT};
@@ -1292,7 +1321,11 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 	#   - the target will be ACCEPT.
 	#
 	unless ( $actiontype & NATONLY ) {
-	    $rule = join( '', do_proto( $proto, $ports, $sports ), do_ratelimit( $ratelimit, 'ACCEPT' ), do_user $user , do_test( $mark , 0xFF ) );
+	    $rule = join( '',
+			  do_proto( $proto, $ports, $sports ),
+			  do_ratelimit( $ratelimit, 'ACCEPT' ),
+			  do_user $user ,
+			  do_test( $mark , $globals{TC_MASK} ) );
 	    $loglevel = '';
 	    $dest     = $server;
 	    $action   = 'ACCEPT';
@@ -1370,7 +1403,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 		     "-j $tgt",
 		     $loglevel ,
 		     $log_action ,
-		     ''
+		     '' ,
 		   );
 	#
 	# Possible optimization if the rule just generated was a simple jump to the nonat chain
@@ -1405,7 +1438,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 	    }
 	}
 
-	$rule .= "-m conntrack --ctorigdstport $origdstports " if $capabilities{NEW_CONNTRACK_MATCH} && $origdstports;
+	$rule .= "-m conntrack --ctorigdstport $origdstports " if have_capability( 'NEW_CONNTRACK_MATCH' ) && $origdstports;
 
 	expand_rule( ensure_chain( 'filter', $chain ) ,
 		     $restriction ,
@@ -1624,7 +1657,7 @@ sub add_interface_jumps {
     my $fw = firewall_zone;
     my $chainref = $filter_table->{rules_chain( ${fw}, ${fw} )};
 
-    add_rule $filter_table->{OUTPUT} , "-o lo -j " . ($chainref->{referenced} ? "$chainref->{name}" : 'ACCEPT' );
+    add_jump $filter_table->{OUTPUT} ,  ($chainref->{referenced} ? $chainref : 'ACCEPT' ), 0, '-o lo ';
     add_rule $filter_table->{INPUT} , '-i lo -j ACCEPT';
 }
 
@@ -1657,7 +1690,8 @@ sub generate_matrix() {
 	if ( $chainref->{policy} ne 'CONTINUE' ) {
 	    my $policyref = $filter_table->{$chainref->{policychain}};
 	    assert( $policyref );
-	    return $policyref->{name};
+	    return $policyref->{name} if $policyref ne $chainref;
+	    return $chainref->{policy} eq 'REJECT' ? 'reject' : $chainref->{policy};
 	}
 
 	''; # CONTINUE policy
@@ -1697,7 +1731,7 @@ sub generate_matrix() {
 	#
 	my $frwd_ref = new_standard_chain zone_forward_chain( $zone );
 
-	if ( $capabilities{POLICY_MATCH} ) {
+	if ( have_ipsec ) {
 	    #
 	    # Because policy match only matches an 'in' or an 'out' policy (but not both), we have to place the
 	    # '--pol ipsec --dir in' rules at the front of the (interface) forwarding chains. Otherwise, decrypted packets
@@ -1739,7 +1773,7 @@ sub generate_matrix() {
     #
     # NOTRACK from firewall
     #
-    add_rule $raw_table->{OUTPUT}, "-j $notrackref->{name}" if $notrackref->{referenced};
+    add_jump $raw_table->{OUTPUT}, $notrackref, 0 if $notrackref->{referenced};
     #
     # Main source-zone matrix-generation loop
     #
@@ -1818,13 +1852,17 @@ sub generate_matrix() {
 			my $dest   = match_dest_net $net;
 
 			if ( $chain1 ) {
+			    my $chain1ref = $filter_table->{$chain1};
 			    my $nextchain = dest_exclusion( $exclusions, $chain1 );
 			    my $outputref;
+			    my $interfacechainref = $filter_table->{output_chain $interface};
 			    my $interfacematch = '';
+			    my $use_output = 0;
 
-			    if ( use_output_chain $interface ) {
-				$outputref = $filter_table->{output_chain $interface};
+			    if ( use_output_chain $interface || ( @{$interfacechainref->{rules}} && ! $chain1ref ) ) {
+				$outputref = $interfacechainref;
 				add_jump $filter_table->{OUTPUT}, $outputref, 0, match_dest_dev( $interface ) unless $output_jump_added{$interface}++;
+				$use_output = 1;
 			    } else {
 				$outputref = $filter_table->{OUTPUT};
 				$interfacematch = match_dest_dev $interface;
@@ -1835,7 +1873,7 @@ sub generate_matrix() {
 			    add_jump( $outputref , $nextchain, 0, join('', $interfacematch, '-d 255.255.255.255 ' , $ipsec_out_match ) )
 				if $hostref->{options}{broadcast};
 
-			    move_rules( $filter_table->{output_chain $interface} , $filter_table->{$chain1} ) unless use_output_chain $interface;
+			    move_rules( $interfacechainref , $chain1ref ) unless $use_output;
 			}
 
 			clearrule;
@@ -1850,6 +1888,7 @@ sub generate_matrix() {
 			    # Add a jump from this source network to this zone's DNAT/REDIRECT chain
 			    #
 			    add_jump $preroutingref, source_exclusion( $exclusions, $dnatref), 0, join( '', match_source_dev( $interface), $source, $ipsec_in_match );
+			    check_optimization( $dnatref ) if $source;
 			}
 
 			if ( $notrackref->{referenced} ) {
@@ -1859,6 +1898,7 @@ sub generate_matrix() {
 			    #
 			    add_jump $raw_table->{PREROUTING}, source_exclusion( $exclusions, $notrackref), 0, join( '', match_source_dev( $interface), $source, $ipsec_in_match );
 			}
+
 			#
 			# If this zone has parents with DNAT/REDIRECT or notrack rules and there are no CONTINUE polcies with this zone as the source
 			# then add a RETURN jump for this source network.
@@ -1868,12 +1908,16 @@ sub generate_matrix() {
 			    add_rule $raw_table->{PREROUTING}, join( '', match_source_dev( $interface), $source, $ipsec_in_match, '-j RETURN' ) if $parenthasnotrack;
 			}
 
+			my $chain2ref = $filter_table->{$chain2};
 			my $inputchainref;
+			my $interfacechainref = $filter_table->{input_chain $interface};
 			my $interfacematch = '';
+			my $use_input;
 
-			if ( use_input_chain $interface ) {
-			    $inputchainref = $filter_table->{input_chain $interface};
+			if ( use_input_chain $interface || ! $chain2 || ( @{$interfacechainref->{rules}} && ! $chain2ref ) ) {
+			    $inputchainref = $interfacechainref;
 			    add_jump $filter_table->{INPUT}, $inputchainref, 0, match_source_dev($interface) unless $input_jump_added{$interface}++;
+			    $use_input = 1;
 			} else {
 			    $inputchainref = $filter_table->{INPUT};
 			    $interfacematch = match_source_dev $interface;
@@ -1881,7 +1925,7 @@ sub generate_matrix() {
 
 			if ( $chain2 ) {
 			    add_jump $inputchainref, source_exclusion( $exclusions, $chain2 ), 0, join( '', $interfacematch, $source, $ipsec_in_match );
-			    move_rules( $filter_table->{input_chain $interface} , $filter_table->{$chain2} ) unless use_input_chain $interface;
+			    move_rules( $interfacechainref , $chain2ref ) unless $use_input;
 			}
 
 			if ( $frwd_ref && $hostref->{ipsec} ne 'ipsec' ) {
@@ -1906,7 +1950,7 @@ sub generate_matrix() {
 	my @dest_zones;
 	my $last_chain = '';
 
-	if ( $config{OPTIMIZE} > 0 ) {
+	if ( $config{OPTIMIZE} & 1 ) {
 	    my @temp_zones;
 
 	    for my $zone1 ( @zones )  {
@@ -2105,11 +2149,11 @@ sub setup_mss( ) {
 	if ( "\L$clampmss" eq 'yes' ) {
 	    $option = '--clamp-mss-to-pmtu';
 	} else {
-	    $match  = "-m tcpmss --mss $clampmss: " if $capabilities{TCPMSS_MATCH};
+	    $match  = "-m tcpmss --mss $clampmss: " if have_capability( 'TCPMSS_MATCH' );
 	    $option = "--set-mss $clampmss";
 	}
 
-	$match .= '-m policy --pol none --dir out ' if $capabilities{POLICY_MATCH};
+	$match .= '-m policy --pol none --dir out ' if have_ipsec;
     }
 
     my $interfaces = find_interfaces_by_option( 'mss' );
@@ -2122,19 +2166,19 @@ sub setup_mss( ) {
 	#
 	# Send all forwarded SYN packets to the 'settcpmss' chain
 	#
-	add_rule $filter_table->{FORWARD} ,  "-p tcp --tcp-flags SYN,RST SYN -j settcpmss";
+	add_jump $filter_table->{FORWARD} , $chainref, 0, '-p tcp --tcp-flags SYN,RST SYN ';
 
 	my $in_match  = '';
 	my $out_match = '';
 
-	if ( $capabilities{POLICY_MATCH} ) {
+	if ( have_ipsec ) {
 	    $in_match  = '-m policy --pol none --dir in ';
 	    $out_match = '-m policy --pol none --dir out ';
 	}
 
 	for ( @$interfaces ) {
 	    my $mss      = get_interface_option( $_, 'mss' );
-	    my $mssmatch = $capabilities{TCPMSS_MATCH} ? "-m tcpmss --mss $mss: " : '';
+	    my $mssmatch = have_capability( 'TCPMSS_MATCH' ) ? "-m tcpmss --mss $mss: " : '';
 	    my $source   = match_source_dev $_;
 	    my $dest     = match_dest_dev $_;
 	    add_rule $chainref, "${dest}-p tcp --tcp-flags SYN,RST SYN ${mssmatch}${out_match}-j TCPMSS --set-mss $mss";
@@ -2150,8 +2194,8 @@ sub setup_mss( ) {
 #
 # Compile the stop_firewall() function
 #
-sub compile_stop_firewall( $ ) {
-    my $test = shift;
+sub compile_stop_firewall( $$ ) {
+    my ( $test, $export ) = @_;
 
     my $input   = $filter_table->{INPUT};
     my $output  = $filter_table->{OUTPUT};
@@ -2162,6 +2206,7 @@ sub compile_stop_firewall( $ ) {
 # Stop/restore the firewall after an error or because of a 'stop' or 'clear' command
 #
 stop_firewall() {
+    local hack
 EOF
 
     $output->{policy} = 'ACCEPT' if $config{ADMINISABSENTMINDED};
@@ -2190,8 +2235,8 @@ EOF
 	        restart)
 	            logger -p kern.err "ERROR:$PRODUCT restart failed"
 	            ;;
-	        restore)
-	            logger -p kern.err "ERROR:$PRODUCT restore failed"
+	        refresh)
+	            logger -p kern.err "ERROR:$PRODUCT refresh failed"
 	            ;;
             esac
 
@@ -2207,6 +2252,9 @@ EOF
 
 	        if [ -x $RESTOREPATH ]; then
 		    echo Restoring ${PRODUCT:=Shorewall}...
+                    
+                    RECOVERING=Yes
+                    export RECOVERING
 
 		    if $RESTOREPATH restore; then
 		        echo "$PRODUCT restored from $RESTOREPATH"
@@ -2233,7 +2281,7 @@ EOF
     run_stop_exit
 EOF
 
-    if ( $capabilities{NAT_ENABLED} ) {
+    if ( have_capability( 'NAT_ENABLED' ) ) {
 	emit<<'EOF';
     if [ -f ${VARDIR}/nat ]; then
         while read external interface; do
@@ -2341,16 +2389,38 @@ EOF
 
     my @ipsets = all_ipsets;
 
-    if ( @ipsets ) {
+    if ( @ipsets || $config{SAVE_IPSETS} ) {
 	emit <<'EOF';
 
-    if [ -n "$(mywhich ipset)" ]; then
-        if $IPSET -S > ${VARDIR}/ipsets.tmp; then
+    case $IPSET in
+        */*)
+            if [ ! -x "$IPSET" ]; then
+                error_message "ERROR: IPSET=$IPSET does not exist or is not executable - ipsets are not saved"
+                IPSET=
+            fi
+	    ;;
+	*)
+	    IPSET="$(mywhich $IPSET)"
+	    [ -n "$IPSET" ] || error_message "ERROR: The ipset utility cannot be located - ipsets are not saved"
+	    ;;
+    esac
+
+    if [ -n "$IPSET" ]; then
+        if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then
+            #
+            # The 'grep -v' is a hack for a bug in ipset's nethash implementation when xtables-addons is applied to Lenny
+            #
+            hack='| grep -v /31'
+        else
+            hack=
+        fi
+
+        if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then
             #
             # Don't save an 'empty' file
             #
             grep -q '^-N' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save
-	fi
+        fi
     fi
 EOF
     }

Shorewall/Perl/Shorewall/Tc.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #     Traffic Control is from tc4shorewall Version 0.5
 #     (c) 2005 Arne Bernin <arne@ucbering.de>
@@ -40,7 +40,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_tc );
 our @EXPORT_OK = qw( process_tc_rule initialize );
-our $VERSION = '4.4_5';
+our $VERSION = '4.4_7';
 
 our %tcs = ( T => { chain  => 'tcpost',
 		    connmark => 0,
@@ -79,48 +79,6 @@ use constant { NOMARK    => 0 ,
 	       HIGHMARK  => 2
 	       };
 
-our @tccmd = ( { match     => sub ( $ ) { $_[0] eq 'SAVE' } ,
-		 target    => 'CONNMARK --save-mark --mask' ,
-		 mark      => SMALLMARK ,
-		 mask      => '0xFF' ,
-		 connmark  => 1
-	       } ,
-	      { match     => sub ( $ ) { $_[0] eq 'RESTORE' },
-		target    => 'CONNMARK --restore-mark --mask' ,
-		mark      => SMALLMARK ,
-		mask      => '0xFF' ,
-		connmark  => 1
-		} ,
-	      { match     => sub ( $ ) { $_[0] eq 'CONTINUE' },
-		target    => 'RETURN' ,
-		mark      => NOMARK ,
-		mask      => '' ,
-		connmark  => 0
-		} ,
-	      { match     => sub ( $ ) { $_[0] eq 'SAME' },
-		target    => 'sticky' ,
-		mark      => NOMARK ,
-		mask      => '' ,
-		connmark  => 0
-		} ,
-	      { match     => sub ( $ ) { $_[0] =~ /^IPMARK/ },
-		target    => 'IPMARK' ,
-		mark      => NOMARK,
-		mask      => '',
-		connmark  => 0
-	        } ,
-	      { match     => sub ( $ ) { $_[0] =~ '\|.*'} ,
-		target    => 'MARK --or-mark' ,
-		mark      => HIGHMARK ,
-		mask      => '' } ,
-	      { match     => sub ( $ ) { $_[0] =~ '&.*' },
-		target    => 'MARK --and-mark ' ,
-		mark      => HIGHMARK ,
-		mask      => '' ,
-		connmark  => 0
-		}
-	      );
-
 our %flow_keys = ( 'src'            => 1,
 		   'dst'            => 1,
 		   'proto'          => 1,
@@ -172,6 +130,7 @@ our %tcdevices;
 our @devnums;
 our $devnum;
 our $sticky;
+our $ipp2p;
 
 
 #
@@ -225,11 +184,14 @@ sub initialize( $ ) {
     @devnums   = ();
     $devnum = 0;
     $sticky = 0;
+    $ipp2p  = 0;
 }
 
 sub process_tc_rule( ) {
     my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper ) = split_line1 2, 12, 'tcrules file';
 
+    our @tccmd;
+
     if ( $originalmark eq 'COMMENT' ) {
 	process_comment;
 	return;
@@ -265,9 +227,9 @@ sub process_tc_rule( ) {
 		fatal_error "Invalid chain designator for source $fw" unless $tcsref->{fw};
 	    }
 
-	    $chain    = $tcsref->{chain}  if $tcsref->{chain};
-	    $target   = $tcsref->{target} if $tcsref->{target};
-	    $mark     = "$mark/0xFF"      if $connmark = $tcsref->{connmark};
+	    $chain    = $tcsref->{chain}                       if $tcsref->{chain};
+	    $target   = $tcsref->{target}                      if $tcsref->{target};
+	    $mark     = "$mark/" . in_hex( $globals{TC_MASK} ) if $connmark = $tcsref->{connmark};
 
 	    require_capability ('CONNMARK' , "CONNMARK Rules", '' ) if $connmark;
 
@@ -285,8 +247,6 @@ sub process_tc_rule( ) {
 	}
     }
 
-    my $mask = 0xffff;
-
     my ($cmd, $rest) = split( '/', $mark, 2 );
 
     $list = '';
@@ -354,7 +314,39 @@ sub process_tc_rule( ) {
 			}
 
 			$target = "IPMARK --addr $srcdst --and-mask $mask1 --or-mask $mask2 --shift $shift";
+		    } elsif ( $target eq 'TPROXY ' ) {
+			require_capability( 'TPROXY_TARGET', 'Use of TPROXY', 's');
+
+			fatal_error "Invalid TPROXY specification( $cmd/$rest )" if $rest;
+			
+			$chain = 'tcpre';
+
+			$cmd =~ /TPROXY\((.+?)\)$/;
+
+			my $params = $1;
+
+			fatal_error "Invalid TPROXY specification( $cmd )" unless defined $params;
+
+			( $mark, my $port, my $ip, my $bad ) = split ',', $params;
+
+			fatal_error "Invalid TPROXY specification( $cmd )" if defined $bad;
+
+			if ( $port ) {
+			    $port = validate_port( 'tcp', $port );
+			} else {
+			    $port = 0;
+			}
+
+			$target .= "--on-port $port";
+			
+			if ( defined $ip && $ip ne '' ) {
+			    validate_address $ip, 1;
+			    $target .= " --on-ip $ip";
+			}
+
+			$target .= ' --tproxy-mark';	
 		    }
+			
 
 		    if ( $rest ) {
 			fatal_error "Invalid MARK ($originalmark)" if $marktype == NOMARK;
@@ -376,10 +368,10 @@ sub process_tc_rule( ) {
 
 	    validate_mark $mark;
 
-	    if ( $config{HIGH_ROUTE_MARKS} ) {
+	    if ( $config{PROVIDER_OFFSET} ) {
 		my $val = numeric_value( $cmd );
 		fatal_error "Invalid MARK/CLASSIFY ($cmd)" unless defined $val;
-		my $limit = $config{WIDE_TC_MARKS} ? 65535 : 255;
+		my $limit = $globals{TC_MASK};
 		fatal_error "Marks <= $limit may not be set in the PREROUTING or OUTPUT chains when HIGH_ROUTE_MARKS=Yes"
 		    if $cmd && ( $chain eq 'tcpre' || $chain eq 'tcout' ) && $val <= $limit;
 	    }
@@ -390,7 +382,7 @@ sub process_tc_rule( ) {
 				     $restrictions{$chain} ,
 				     do_proto( $proto, $ports, $sports) .
 				     do_user( $user ) .
-				     do_test( $testval, $mask ) .
+				     do_test( $testval, $globals{TC_MASK} ) .
 				     do_length( $length ) .
 				     do_tos( $tos ) .
 				     do_connbytes( $connbytes ) .
@@ -451,6 +443,96 @@ sub process_flow($) {
     $flow;
 }
 
+sub process_simple_device() {
+    my ( $device , $type , $bandwidth ) = split_line 1, 3, 'tcinterfaces';
+
+    my $devnumber;
+
+    if ( $device =~ /:/ ) {
+	( my $number, $device, my $rest )  = split /:/, $device, 3;
+
+	fatal_error "Invalid NUMBER:INTERFACE ($device:$number:$rest)" if defined $rest;
+
+	if ( defined $number ) {
+	    $devnumber = hex_value( $number );
+	    fatal_error "Invalid interface NUMBER ($number)" unless defined $devnumber && $devnumber;
+	    fatal_error "Duplicate interface number ($number)" if defined $devnums[ $devnumber ];
+	    $devnum = $devnumber if $devnumber > $devnum;
+	} else {
+	    fatal_error "Missing interface NUMBER";
+	}
+    } else {
+	$devnumber = ++$devnum;
+    }
+
+    $devnums[ $devnumber ] = $device;
+
+    my $number = in_hexp $devnumber;
+
+    fatal_error "Duplicate INTERFACE ($device)"    if $tcdevices{$device};
+    fatal_error "Invalid INTERFACE name ($device)" if $device =~ /[:+]/;
+
+    my $physical = physical_name $device;
+    my $dev      = chain_base( $physical );
+
+    if ( $type ne '-' ) {
+	if ( lc $type eq 'external' ) {
+	    $type = 'nfct-src';
+	} elsif ( lc $type eq 'internal' ) {
+	    $type = 'dst';
+	} else {
+	    fatal_error "Invalid TYPE ($type)";
+	}
+    }
+
+    $tcdevices{$device} = { number   => $devnumber ,
+			    physical => physical_name $device ,
+			    type     => $type ,
+			    in_bandwidth => $bandwidth = rate_to_kbit( $bandwidth ) ,
+			  };
+
+    push @tcdevices, $device;
+
+    emit "if interface_is_up $physical; then";
+
+    push_indent;
+
+    emit ( "${dev}_exists=Yes",
+	   "qt \$TC qdisc del dev $physical root",
+	   "qt \$TC qdisc del dev $physical ingress\n"	   
+	 );
+
+    if ( $bandwidth ) {
+	emit ( "run_tc qdisc add dev $physical handle ffff: ingress",
+	       "run_tc filter add dev $physical parent ffff: protocol all prio 10 u32 match ip src 0.0.0.0/0 police rate ${bandwidth}kbit burst 10k drop flowid :1\n"
+	     );
+    }
+	  
+    emit "run_tc qdisc add dev $physical root handle $number: prio bands 3 priomap $config{TC_PRIOMAP}";
+    
+    my $i = 0;
+
+    while ( ++$i <= 3 ) {
+	emit "run_tc qdisc add dev $physical parent $number:$i handle ${number}${i}: sfq quantum 1875 limit 127 perturb 10";
+	emit "run_tc filter add dev $physical protocol all parent $number: handle $i fw classid $devnum:$i";
+	emit "run_tc filter add dev $physical protocol all prio 1 parent ${number}$i: handle ${number}${i} flow hash keys $type divisor 1024" if $type ne '-' && have_capability 'FLOW_FILTER';
+	emit '';
+    }
+
+    save_progress_message_short "   TC Device $physical defined.";
+    
+    pop_indent;
+    emit 'else';
+    push_indent;
+
+    emit qq(error_message "WARNING: Device $physical is not in the UP state -- traffic-shaping configuration skipped");
+    emit "${dev}_exists=";
+    pop_indent;
+    emit "fi\n";
+ 
+    progress_message "  Simple tcdevice \"$currentline\" $done.";
+}    
+
 sub validate_tc_device( ) {
     my ( $device, $inband, $outband , $options , $redirected ) = split_line 3, 5, 'tcdevices';
 
@@ -648,10 +730,12 @@ sub validate_tc_class( ) {
 	if ( $devref->{classify} ) {
 	    warning_message "INTERFACE $device has the 'classify' option - MARK value ($mark) ignored";
 	} else {
+	    fatal_error "MARK may not be specified when TC_BITS=0" unless $config{TC_BITS};
+
 	    $markval = numeric_value( $mark );
 	    fatal_error "Invalid MARK ($markval)" unless defined $markval;
 
-	    fatal_error "Invalid Mark ($mark)" unless $markval <= ( $config{WIDE_TC_MARKS} ? 0x3fff : 0xff );
+	    fatal_error "Invalid Mark ($mark)" unless $markval <= $globals{TC_MAX};
 
 	    if ( $classnumber ) {
 		fatal_error "Duplicate Class NUMBER ($classnumber)" if $tcref->{$classnumber};
@@ -755,7 +839,7 @@ sub validate_tc_class( ) {
 		fatal_error q(The 'occurs' option is only valid for IPv4)           if $family == F_IPV6;
 		fatal_error q(The 'occurs' option may not be used with 'classify')  if $devref->{classify};
 		fatal_error "Invalid 'occurs' ($val)"                               unless defined $occurs && $occurs > 1 && $occurs <= 256;
-		fatal_error "Invalid 'occurs' ($val)"                               if $occurs > ( $config{WIDE_TC_MARKS} ? 8191 : 255 );
+		fatal_error "Invalid 'occurs' ($val)"                               if $occurs > $globals{TC_MAX};
 		fatal_error q(Duplicate 'occurs')                                   if $tcref->{occurs} > 1;
 		fatal_error q(The 'occurs' option is not valid with 'default')      if $devref->{default} == $classnumber;
 		fatal_error q(The 'occurs' option is not valid with 'tos')          if @{$tcref->{tos}};
@@ -1016,6 +1100,91 @@ sub process_tc_filter( ) {
 
 }
 
+sub process_tc_priority() {
+    my ( $band, $proto, $ports , $address, $interface, $helper ) = split_line1 1, 6, 'tcpri';
+
+    if ( $band eq 'COMMENT' ) {
+	process_comment;
+	return;
+    }
+
+    my $val = numeric_value $band;
+
+    fatal_error "Invalid PRIORITY ($band)" unless $val && $val <= 3;
+
+    my $rule = do_helper( $helper ) . "-j MARK --set-mark $band";
+
+    $rule .= join('', '/', in_hex( $globals{TC_MASK} ) ) if have_capability( 'EXMARK' );
+
+    if ( $interface ne '-' ) {
+	fatal_error "Invalid combination of columns" unless $address eq '-' && $proto eq '-' && $ports eq '-';
+
+	my $forwardref = $mangle_table->{tcfor};
+
+	add_rule( $forwardref ,
+		  join( '', match_source_dev( $interface) , $rule ) ,
+		  1 );
+    } else {
+	my $postref = $mangle_table->{tcpost};
+	
+	if ( $address ne '-' ) {
+	    fatal_error "Invalid combination of columns" unless $proto eq '-' && $ports eq '-';
+	    add_rule( $postref ,
+		      join( '', match_source_net( $address) , $rule ) ,
+		      1 );
+	} else {
+	    add_rule( $postref , 
+		      join( '', do_proto( $proto, $ports, '-' , 0 ) , $rule ) ,
+		      1 );
+
+	    if ( $ports ne '-' ) {
+		my $protocol = resolve_proto $proto;
+
+		if ( $proto =~ /^ipp2p/ ) {
+		    fatal_error "ipp2p may not be used when there are tracked providers and PROVIDER_OFFSET=0" if @routemarked_interfaces && $config{PROVIDER_OFFSET} == 0;
+		    $ipp2p = 1;
+		}
+
+		add_rule( $postref , 
+			  join( '' , do_proto( $proto, '-', $ports, 0 ) , $rule ) ,
+			  1 )
+		    unless $proto =~ /^ipp2p/ || $protocol == ICMP || $protocol == IPv6_ICMP;
+	    }
+	}
+    }
+}
+
+sub setup_simple_traffic_shaping() {
+    my $interfaces;
+
+    save_progress_message "Setting up Traffic Control...";
+
+    my $fn = open_file 'tcinterfaces';
+
+    if ( $fn ) {
+	first_entry "$doing $fn...";
+	process_simple_device, $interfaces++ while read_a_line;
+    } else {
+	$fn = find_file 'tcinterfaces';
+    }
+
+    my $fn1 = open_file 'tcpri';
+
+    if ( $fn1 ) {
+	first_entry sub { progress_message2 "$doing $fn1...";
+			  warning_message "There are entries in $fn1 but $fn was empty" unless $interfaces;
+		      };
+	process_tc_priority while read_a_line;
+
+	clear_comment;
+
+	if ( $ipp2p ) {
+	    insert_rule1 $mangle_table->{tcpost} , 0 , '-m mark --mark 0/'   . in_hex( $globals{TC_MASK} ) . ' -j CONNMARK --restore-mark --ctmask ' . in_hex( $globals{TC_MASK} );
+	    add_rule     $mangle_table->{tcpost} ,     '-m mark ! --mark 0/' . in_hex( $globals{TC_MASK} ) . ' -j CONNMARK --save-mark --ctmask '    . in_hex( $globals{TC_MASK} );
+	}
+    }
+}
+
 sub setup_traffic_shaping() {
     our $lastrule = '';
 
@@ -1211,11 +1380,11 @@ sub setup_traffic_shaping() {
 #
 sub setup_tc() {
 
-    if ( $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED} ) {
+    if ( $config{MANGLE_ENABLED} ) {
 	ensure_mangle_chain 'tcpre';
 	ensure_mangle_chain 'tcout';
 
-	if ( $capabilities{MANGLE_FORWARD} ) {
+	if ( have_capability( 'MANGLE_FORWARD' ) ) {
 	    ensure_mangle_chain 'tcfor';
 	    ensure_mangle_chain 'tcpost';
 	}
@@ -1223,29 +1392,25 @@ sub setup_tc() {
 	my $mark_part = '';
 
 	if ( @routemarked_interfaces && ! $config{TC_EXPERT} ) {
-	    $mark_part = $config{HIGH_ROUTE_MARKS} ? $config{WIDE_TC_MARKS} ? '-m mark --mark 0/0xFF0000' : '-m mark --mark 0/0xFF00' : '-m mark --mark 0/0xFF';
+	    $mark_part = '-m mark --mark 0/' . in_hex( $globals{PROVIDER_MASK} ) . ' ';
 
-	    for my $interface ( @routemarked_interfaces ) {
-		add_rule $mangle_table->{PREROUTING} , match_source_dev( $interface ) . "-j tcpre";
+	    unless ( $config{TRACK_PROVIDERS} ) {
+		#
+		# This is overloading TRACK_PROVIDERS a bit but sending tracked packets through PREROUTING is a PITA for users
+		#
+		for my $interface ( @routemarked_interfaces ) {
+		    add_rule $mangle_table->{PREROUTING} , match_source_dev( $interface ) . "-j tcpre";
+		}
 	    }
 	}
 
-	add_rule $mangle_table->{PREROUTING} , "$mark_part -j tcpre";
-	add_rule $mangle_table->{OUTPUT} ,     "$mark_part -j tcout";
+	add_jump $mangle_table->{PREROUTING} , 'tcpre', 0, $mark_part;
+	add_jump $mangle_table->{OUTPUT} ,     'tcout', 0, $mark_part;
 
-	if ( $capabilities{MANGLE_FORWARD} ) {
-	    add_rule $mangle_table->{FORWARD} ,     '-j tcfor';
-	    add_rule $mangle_table->{POSTROUTING} , '-j tcpost';
-	}
-
-	if ( $config{HIGH_ROUTE_MARKS} ) {
-	    for my $chain qw(INPUT FORWARD) {
-		insert_rule1 $mangle_table->{$chain}, 0, $config{WIDE_TC_MARKS} ? '-j MARK --and-mark 0xFFFF' : '-j MARK --and-mark 0xFF';
-	    }
-	    #
-	    # In POSTROUTING, we only want to clear routing mark and not IPMARK.
-	    #
-	    insert_rule1 $mangle_table->{POSTROUTING}, 0, $config{WIDE_TC_MARKS} ? '-m mark --mark 0/0xFFFF -j MARK --and-mark 0' : '-m mark --mark 0/0xFF -j MARK --and-mark 0';
+	if ( have_capability( 'MANGLE_FORWARD' ) ) {
+	    add_rule( $mangle_table->{FORWARD},     '-j MARK --set-mark 0' ) if have_capability 'MARK';
+	    add_jump $mangle_table->{FORWARD} ,     'tcfor',  0;
+	    add_jump $mangle_table->{POSTROUTING} , 'tcpost', 0;
 	}
     }
 
@@ -1254,12 +1419,61 @@ sub setup_tc() {
 	append_file $globals{TC_SCRIPT};
     } elsif ( $config{TC_ENABLED} eq 'Internal' ) {
 	setup_traffic_shaping;
+    } elsif ( $config{TC_ENABLED} eq 'Simple' ) {
+	setup_simple_traffic_shaping;
     }
 
     if ( $config{TC_ENABLED} ) {
+	our  @tccmd = ( { match     => sub ( $ ) { $_[0] eq 'SAVE' } ,
+			  target    => 'CONNMARK --save-mark --mask' ,
+			  mark      => SMALLMARK ,
+			  mask      => in_hex( $globals{TC_MASK} ) ,
+			  connmark  => 1
+			} ,
+			{ match     => sub ( $ ) { $_[0] eq 'RESTORE' },
+			  target    => 'CONNMARK --restore-mark --mask' ,
+			  mark      => SMALLMARK ,
+			  mask      => in_hex( $globals{TC_MASK} ) ,
+			  connmark  => 1
+			} ,
+			{ match     => sub ( $ ) { $_[0] eq 'CONTINUE' },
+			  target    => 'RETURN' ,
+			  mark      => NOMARK ,
+			  mask      => '' ,
+			  connmark  => 0
+			} ,
+			{ match     => sub ( $ ) { $_[0] eq 'SAME' },
+			  target    => 'sticky' ,
+			  mark      => NOMARK ,
+			  mask      => '' ,
+			  connmark  => 0
+			} ,
+			{ match     => sub ( $ ) { $_[0] =~ /^IPMARK/ },
+			  target    => 'IPMARK' ,
+			  mark      => NOMARK,
+			  mask      => '',
+			  connmark  => 0
+			} ,
+			{ match     => sub ( $ ) { $_[0] =~ '\|.*'} ,
+			  target    => 'MARK --or-mark' ,
+			  mark      => HIGHMARK ,
+			  mask      => '' } ,
+			{ match     => sub ( $ ) { $_[0] =~ '&.*' },
+			  target    => 'MARK --and-mark ' ,
+			  mark      => HIGHMARK ,
+			  mask      => '' ,
+			  connmark  => 0
+			} ,
+			{ match     => sub ( $ ) { $_[0] =~ /^TPROXY/ },
+			  target    => 'TPROXY',
+			  mark      => HIGHMARK,
+			  mask      => '',
+			  connmark  => '' },
+		      );
+
 	if ( my $fn = open_file 'tcrules' ) {
 
-	    first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'MANGLE_ENABLED' , 'a non-empty tcrules file' , 's'; } );
+	    first_entry "$doing $fn...";
 
 	    process_tc_rule while read_a_line;
 

Shorewall/Perl/Shorewall/Tunnels.pm

@@ -34,7 +34,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_tunnels );
 our @EXPORT_OK = ( );
-our $VERSION = '4.3_7';
+our $VERSION = '4.4_7';
 
 #
 # Here starts the tunnel stuff -- we really should get rid of this crap...
@@ -86,7 +86,7 @@ sub setup_tunnels() {
 		$inchainref  = ensure_filter_chain rules_chain( ${zone}, ${fw} ), 1;
 		$outchainref = ensure_filter_chain rules_chain( ${fw}, ${zone} ), 1;
 
-		unless ( $capabilities{POLICY_MATCH} ) {
+		unless ( have_ipsec ) {
 		    add_tunnel_rule $inchainref,  "-p 50 $source -j ACCEPT";
 		    add_tunnel_rule $outchainref, "-p 50 $dest -j ACCEPT";
 

Shorewall/Perl/Shorewall/Zones.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -72,10 +72,11 @@ our @EXPORT = qw( NOTHING
 		  validate_hosts_file
 		  find_hosts_by_option
 		  all_ipsets
+		  have_ipsec
 		 );
 
 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.4_4';
+our $VERSION = '4.4_7';
 
 #
 # IPSEC Option types
@@ -156,6 +157,7 @@ our @bport_zones;
 our %ipsets;
 our %physical;
 our $family;
+our $have_ipsec;
 
 use constant { FIREWALL => 1,
 	       IP       => 2,
@@ -199,6 +201,7 @@ sub initialize( $ ) {
     @zones = ();
     %zones = ();
     $firewall_zone = '';
+    $have_ipsec = undef;
 
     @interfaces = ();
     %interfaces = ();
@@ -245,14 +248,14 @@ sub initialize( $ ) {
 				    dhcp        => SIMPLE_IF_OPTION,
 				    maclist     => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    nets        => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY,
-				    nosmurfs    => SIMPLE_IF_OPTION,
+				    nosmurfs    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    optional    => SIMPLE_IF_OPTION,
 				    proxyndp    => BINARY_IF_OPTION,
 				    routeback   => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST,
 				    sourceroute => BINARY_IF_OPTION,
 				    tcpflags    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    mss         => NUMERIC_IF_OPTION,
-				    forward     => NUMERIC_IF_OPTION,
+				    forward     => BINARY_IF_OPTION,
 				    physical    => STRING_IF_OPTION + IF_OPTION_HOST,
 				 );
 	%validhostoptions = (
@@ -399,6 +402,7 @@ sub process_zone( \$ ) {
     }
 
     if ( $type eq IPSEC ) {
+	require_capability 'POLICY_MATCH' , 'IPSEC zones', '';
 	for ( @parents ) {
 	    unless ( $zones{$_}{type} == IPSEC ) {
 		set_super( $zones{$_} );
@@ -669,7 +673,7 @@ sub add_group_to_zone($$$$$)
 
     fatal_error "Duplicate Host Group ($interface:" . ALLIP . ") in zone $zone" if $allip && @$interfaceref;
 
-    $zoneref->{options}{complex} = 1 if @$interfaceref || ( @newnetworks > 1 ) || ( @exclusions );
+    $zoneref->{options}{complex} = 1 if @$interfaceref || ( @newnetworks > 1 ) || ( @exclusions ) || $options->{routeback};
 
     push @{$interfaceref}, { options => $options,
 			     hosts   => \@newnetworks,
@@ -752,7 +756,7 @@ sub process_interface( $ ) {
     if ( defined $port && $port ne '' ) {
 	fatal_error qq("Virtual" interfaces are not supported -- see http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html) if $port =~ /^\d+$/;
 	require_capability( 'PHYSDEV_MATCH', 'Bridge Ports', '');
-	fatal_error "Your iptables is not recent enough to support bridge ports" unless $capabilities{KLUDGEFREE};
+	fatal_error "Your iptables is not recent enough to support bridge ports" unless have_capability( 'KLUDGEFREE' );
 
 	fatal_error "Invalid Interface Name ($interface:$port)" unless $port =~ /^[\w.@%-]+\+?$/;
 	fatal_error "Duplicate Interface ($port)" if $interfaces{$port};
@@ -796,7 +800,7 @@ sub process_interface( $ ) {
 	    fatal_error 'Invalid BROADCAST address' unless $address =~ /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/;
 	}
 
-	if ( $capabilities{ADDRTYPE} ) {
+	if ( have_capability( 'ADDRTYPE' ) ) {
 	    warning_message 'Shorewall no longer uses broadcast addresses in rule generation when Address Type Match is available';
 	} else {
 	    $broadcasts = \@broadcasts;
@@ -919,15 +923,15 @@ sub process_interface( $ ) {
 	    $ipsets{$ipset} = 1;
 	}
 
-	$zoneref->{options}{in_out}{routeback} = 1 if $zoneref && $options{routeback};
-
 	if ( $options{bridge} ) {
 	    require_capability( 'PHYSDEV_MATCH', 'The "bridge" option', 's');
 	    fatal_error "Bridges may not have wildcard names" if $wildcard;
+	    $options{routeback} = 1;
 	}
 
-	$hostoptionsref = \%hostoptions;
+	$zoneref->{options}{in_out}{routeback} = 1 if $zoneref && $options{routeback};
 
+	$hostoptionsref = \%hostoptions;
     }
 
     $physical{$physical} = $interfaces{$interface} = { name       => $interface ,
@@ -1186,15 +1190,13 @@ sub process_host( ) {
 	} else {
 	    fatal_error "Invalid HOST(S) column contents: $hosts";
 	}
+    } elsif ( $hosts =~ /^([\w.@%-]+\+?):<(.*)>\s*$/ || $hosts =~ /^([\w.@%-]+\+?):\[(.*)\]\s*$/   ) {
+	$interface = $1;
+	$hosts = $2;
+	$zoneref->{options}{complex} = 1 if $hosts =~ /^\+/;
+	fatal_error "Unknown interface ($interface)" unless $interfaces{$interface}{root};
     } else {
-	if ( $hosts =~ /^([\w.@%-]+\+?):<(.*)>\s*$/ ) {
-	    $interface = $1;
-	    $hosts = $2;
-	    $zoneref->{options}{complex} = 1 if $hosts =~ /^\+/;
-	    fatal_error "Unknown interface ($interface)" unless $interfaces{$interface}{root};
-	} else {
-	    fatal_error "Invalid HOST(S) column contents: $hosts";
-	}
+	fatal_error "Invalid HOST(S) column contents: $hosts";
     }
 
     if ( $type == BPORT ) {
@@ -1214,6 +1216,7 @@ sub process_host( ) {
 
 	for my $option ( @options ) {
 	    if ( $option eq 'ipsec' ) {
+		require_capability 'POLICY_MATCH' , q(The 'ipsec' option), 's';
 		$type = IPSEC;
 		$zoneref->{options}{complex} = 1;
 		$ipsec = 1;
@@ -1273,7 +1276,15 @@ sub validate_hosts_file()
 
     $ipsec |= process_host while read_a_line;
 
-    $capabilities{POLICY_MATCH} = '' unless $ipsec || haveipseczones;
+    $have_ipsec = $ipsec || haveipseczones;
+
+}
+
+#
+# Return an indication of whether IPSEC is present
+#
+sub have_ipsec() {
+    return defined $have_ipsec ? $have_ipsec : have_capability 'POLICY_MATCH';
 }
 
 #

Shorewall/Perl/compiler.pl

@@ -36,6 +36,7 @@
 #         --log=<filename>            # Log file
 #         --log_verbosity=<number>    # Log Verbosity range -1 to 2
 #         --family=<number>           # IP family; 4 = IPv4 (default), 6 = IPv6
+#         --preview                   # Preview the ruleset.
 #
 use strict;
 use FindBin;
@@ -58,6 +59,7 @@ sub usage( $ ) {
     [ --log=<filename> ]
     [ --log-verbose={-1|0-2} ]
     [ --test ]
+    [ --preview ]
     [ --family={4|6} ]
 ';
 
@@ -78,6 +80,7 @@ my $log_verbose   = 0;
 my $help          = 0;
 my $test          = 0;
 my $family        = 4; # F_IPV4
+my $preview       = 0;
 
 Getopt::Long::Configure ('bundling');
 
@@ -98,6 +101,7 @@ my $result = GetOptions('h'               => \$help,
 			'l=s'             => \$log,
 			'log_verbosity=i' => \$log_verbose,
 			'test'            => \$test,
+			'preview'         => \$preview,
 			'f=i'             => \$family,
 			'family=i'        => \$family,
 		       );
@@ -115,4 +119,5 @@ compiler( script          => defined $ARGV[0] ? $ARGV[0] : '',
 	  log             => $log,
 	  log_verbosity   => $log_verbose,
 	  test            => $test,
+	  preview         => $preview,
 	  family          => $family );

Shorewall/Perl/prog.header

@@ -300,7 +300,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
 	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
     done
 
-    modules=$(find_file modules)
+    [ -n "$LOAD_HELPERS_ONLY" ] && modules=$(find_file helpers) || modules=$(find_file modules)
 
     if [ -f $modules -a -n "$moduledirectories" ]; then
 	MODULES=$(lsmod | cut -d ' ' -f1)
@@ -606,6 +606,7 @@ find_first_interface_address_if_any() # $1 = interface
 #
 interface_is_usable() # $1 = interface
 {
+    [ "$1" = lo ] && return 0
     interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != 0.0.0.0 ] && run_isusable_exit $1
 }
 
@@ -1102,7 +1103,7 @@ clear_firewall() {
     echo 1 > /proc/sys/net/ipv4/ip_forward
 
     if [ -n "$DISABLE_IPV6" ]; then
-	if [ -x $IPTABLES ]; then
+	if [ -x $IP6TABLES ]; then
     	    $IP6TABLES -P INPUT   ACCEPT 2> /dev/null
 	    $IP6TABLES -P OUTPUT  ACCEPT 2> /dev/null
 	    $IP6TABLES -P FORWARD ACCEPT 2> /dev/null

Shorewall/Perl/prog.header6

@@ -310,7 +310,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
 	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
     done
 
-    modules=$(find_file modules)
+    [ -n "$LOAD_HELPERS_ONLY" ] && modules=$(find_file helpers) || modules=$(find_file modules)
 
     if [ -f $modules -a -n "$moduledirectories" ]; then
 	MODULES=$(lsmod | cut -d ' ' -f1)
@@ -472,6 +472,7 @@ find_first_interface_address_if_any() # $1 = interface
 #
 interface_is_usable() # $1 = interface
 {
+    [ "$1" = lo ] && return 0
     interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ] && run_isusable_exit $1
 }
 

Shorewall/changelog.txt

@@ -1,6 +1,46 @@
-Changes in Shorewall 4.4.5.1
+Changes in Shorewall 4.4.7
 
-1)  Handle rp_filter and kernel's 2.6.31 and later.
+1)  Backport optimization changes from 4.5.
+
+2)  Backport two new options from 4.5.
+
+3)  Backport TPROXY from 4.5
+
+4)  Add TC_PRIOMAP to shorewall*.conf
+
+5)  Implement LOAD_HELPERS_ONLY
+
+6)  Avoid excessive module loading with LOAD_HELPERS_ONLY=Yes
+
+7)  Fix case where MARK target is unavailable.
+
+8)  Change default to ADD_IP_ALIASES=No
+
+9)  Correct defects in generate_matrix().
+
+10) Fix and optimize 'nosmurfs'.
+
+11) Use 'OLD_HL_MATCH' to suppress use of 'flow' in Simple TC.
+
+Changes in Shorewall 4.4.6
+
+1)  Fix for rp_filter and kernel 2.6.31.
+
+2)  Add a hack to work around a bug in Lenny + xtables-addons
+
+3)  Re-enable SAVE_IPSETS
+
+4)  Allow both <...> and [...] for IPv6 Addresses.
+
+5)  Port mark geometry change from 4.5.
+
+6)  Add Macro patch from Tuomo Soini
+
+7)  Add 'show macro' command.
+
+8)  Add -r option to check.
+
+9)  Port simplified TC from 4.5.
 
 Changes in Shorewall 4.4.5
 

Shorewall/configfiles/shorewall.conf

@@ -107,7 +107,7 @@ RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 
 IP_FORWARDING=On
 
-ADD_IP_ALIASES=Yes
+ADD_IP_ALIASES=No
 
 ADD_SNAT_ALIASES=No
 
@@ -117,6 +117,8 @@ TC_ENABLED=Internal
 
 TC_EXPERT=No
 
+TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
+
 CLEAR_TC=Yes
 
 MARK_IN_FORWARD_CHAIN=No
@@ -135,7 +137,7 @@ BLACKLISTNEWONLY=Yes
 
 DELAYBLACKLISTLOAD=No
 
-MODULE_SUFFIX=
+MODULE_SUFFIX=ko
 
 DISABLE_IPV6=No
 
@@ -193,6 +195,14 @@ TRACK_PROVIDERS=No
 
 ZONE2ZONE=2
 
+ACCOUNTING=Yes
+
+DYNAMIC_BLACKLIST=Yes
+
+OPTIMIZE_ACCOUNTING=No
+
+LOAD_HELPERS_ONLY=No
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Shorewall/configfiles/tcinterfaces

@@ -0,0 +1,11 @@
+#
+# Shorewall version 4 - Tcinterfaces File
+#
+# For information about entries in this file, type "man shorewall-tcinterfaces"
+#
+# See http://shorewall.net/simple_traffic_shaping.htm for additional
+# information.
+#
+###############################################################################
+#INTERFACE	TYPE		IN-BANDWIDTH
+

Shorewall/configfiles/tcpri

@@ -0,0 +1,13 @@
+#
+# Shorewall version 4 - Tcpri File
+#
+# For information about entries in this file, type "man shorewall-tcpri"
+#
+# See http://shorewall.net/simple_traffic_shaping.htm for additional
+# information.
+#
+###############################################################################
+#BAND	PROTO	PORT(S)		ADDRESS		IN-INTERFACE	HELPER
+
+
+

Shorewall/helpers

@@ -0,0 +1,63 @@
+#
+# Shorewall version 4 - Helpers File
+#
+# /usr/share/shorewall/helpers
+#
+#	This file loads the kernel helper modules.
+#
+#	THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
+#	dependency order. i.e., if M2 depends on M1 then you must load M1
+#	before you load M2.
+#
+#  If you need to modify this file, copy it to /etc/shorewall and modify the
+#  copy.
+#
+###############################################################################
+
+# Helpers
+#
+loadmodule ip_conntrack_amanda
+loadmodule ip_conntrack_ftp
+loadmodule ip_conntrack_h323
+loadmodule ip_conntrack_irc
+loadmodule ip_conntrack_netbios_ns
+loadmodule ip_conntrack_pptp
+loadmodule ip_conntrack_sip
+loadmodule ip_conntrack_tftp
+loadmodule ip_nat_amanda
+loadmodule ip_nat_ftp
+loadmodule ip_nat_h323
+loadmodule ip_nat_irc
+loadmodule ip_nat_pptp
+loadmodule ip_nat_sip
+loadmodule ip_nat_snmp_basic
+loadmodule ip_nat_tftp
+loadmodule ip_set
+loadmodule ip_set_iphash
+loadmodule ip_set_ipmap
+loadmodule ip_set_macipmap
+loadmodule ip_set_portmap
+#
+# 2.6.20+ helpers
+#
+loadmodule nf_conntrack_ftp
+loadmodule nf_conntrack_h323
+loadmodule nf_conntrack_irc
+loadmodule nf_conntrack_netbios_ns
+loadmodule nf_conntrack_netlink
+loadmodule nf_conntrack_pptp
+loadmodule nf_conntrack_proto_gre
+loadmodule nf_conntrack_proto_sctp
+loadmodule nf_conntrack_sip         sip_direct_media=0
+loadmodule nf_conntrack_tftp
+loadmodule nf_conntrack_sane
+loadmodule nf_nat_amanda
+loadmodule nf_nat_ftp
+loadmodule nf_nat_h323
+loadmodule nf_nat_irc
+loadmodule nf_nat
+loadmodule nf_nat_pptp
+loadmodule nf_nat_proto_gre
+loadmodule nf_nat_sip
+loadmodule nf_nat_snmp_basic
+loadmodule nf_nat_tftp

Shorewall/install.sh

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000,2001,2002,2003,2004,2005,2006,2007,2009,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.5.1
+VERSION=4.4.7
 
 usage() # $1 = exit status
 {
@@ -196,7 +196,7 @@ fi
 #
 cd "$(dirname $0)"
 
-echo "Installing Shorewall-common Version $VERSION"
+echo "Installing Shorewall Version $VERSION"
 
 #
 # Check for /etc/shorewall
@@ -421,6 +421,12 @@ fi
 run_install $OWNERSHIP -m 0600 modules ${PREFIX}/usr/share/shorewall/modules
 echo "Modules file installed as ${PREFIX}/usr/share/shorewall/modules"
 
+#
+# Install the Module Helpers file
+#
+run_install $OWNERSHIP -m 0600 helpers ${PREFIX}/usr/share/shorewall/helpers
+echo "Helper modules file installed as ${PREFIX}/usr/share/shorewall/helpers"
+
 #
 # Install the TC Rules file
 #
@@ -431,6 +437,26 @@ if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/tcrules ]; then
     echo "TC Rules file installed as ${PREFIX}/etc/shorewall/tcrules"
 fi
 
+#
+# Install the TC Interfaces file
+#
+run_install $OWNERSHIP -m 0644 configfiles/tcinterfaces ${PREFIX}/usr/share/shorewall/configfiles/tcinterfaces
+
+if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/tcinterfaces ]; then
+    run_install $OWNERSHIP -m 0600 configfiles/tcinterfaces ${PREFIX}/etc/shorewall/tcinterfaces
+    echo "TC Interfaces file installed as ${PREFIX}/etc/shorewall/tcinterfaces"
+fi
+
+#
+# Install the TC Priority file
+#
+run_install $OWNERSHIP -m 0644 configfiles/tcpri ${PREFIX}/usr/share/shorewall/configfiles/tcpri
+
+if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/tcpri ]; then
+    run_install $OWNERSHIP -m 0600 configfiles/tcpri ${PREFIX}/etc/shorewall/tcpri
+    echo "TC Priority file installed as ${PREFIX}/etc/shorewall/tcpri"
+fi
+
 #
 # Install the TOS file
 #
@@ -848,4 +874,4 @@ fi
 #
 #  Report Success
 #
-echo "shorewall-common Version $VERSION Installed"
+echo "shorewall Version $VERSION Installed"

Shorewall/known_problems.txt

@@ -1,15 +1 @@
-1) In kernel 2.6.31, the handling of the rp_filter interface option was
-   changed incompatibly. Previously, the effective value was determined
-   by the setting of net.ipv4.config.dev.rp_filter logically ANDed with
-   the setting of net.ipv4.config.all.rp_filter.
-
-   Beginning with kernel 2.6.31, the value is the arithmetic MAX of
-   those two values. 
-
-   Given that Shorewall sets net.ipv4.config.all.rp_filter to 1 if
-   there are any interfaces specifying 'routefilter', specifying
-   'routefilter' on any interface has the effect of setting the option
-   on all interfaces.
-
-   A workaround for this problem is included in Shorewall 4.4.5.1.
-
+There are no known problems in Shorewall 4.4.7.

Shorewall/lib.base

@@ -29,8 +29,8 @@
 #   and /usr/share/shorewall-lite/shorecap.
 #
 
-SHOREWALL_LIBVERSION=40000
-SHOREWALL_CAPVERSION=40406
+SHOREWALL_LIBVERSION=40407
+SHOREWALL_CAPVERSION=40407
 
 [ -n "${VARDIR:=/var/lib/shorewall}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall}" ]
@@ -265,7 +265,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
 	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
     done
 
-    modules=$(find_file modules)
+    [ -n "$LOAD_HELPERS_ONLY" ] && modules=$(find_file helpers) || modules=$(find_file modules)
 
     if [ -f $modules -a -n "$moduledirectories" ]; then
 	MODULES=$(lsmod | cut -d ' ' -f1)
@@ -784,6 +784,10 @@ determine_capabilities() {
 	exit 1
     fi
 
+    [ "$TC" = tc -o -z "$TC" ] && TC=$(which tc)
+
+    [ -n "$TC" -a -x "$TC" ] || TC=
+
     qt $IPTABLES -t nat    -L -n && NAT_ENABLED=Yes    || NAT_ENABLED=
     qt $IPTABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
 
@@ -813,6 +817,8 @@ determine_capabilities() {
     KLUDGEFREE=
     MARK=
     XMARK=
+    EXMARK=
+    TPROXY_TARGET=
     MANGLE_FORWARD=
     COMMENTS=
     ADDRTYPE=
@@ -828,6 +834,7 @@ determine_capabilities() {
     IPMARK_TARGET=
     LOG_TARGET=Yes
     PERSISTENT_SNAT=
+    FLOW_FILTER=
 
     chain=fooX$$
 
@@ -914,6 +921,7 @@ determine_capabilities() {
 	if qt $IPTABLES -t mangle -A $chain -j MARK --set-mark 1; then
 	    MARK=Yes
 	    qt $IPTABLES -t mangle -A $chain -j MARK --and-mark 0xFF && XMARK=Yes
+	    qt $IPTABLES -t mangle -A $chain -j MARK --set-mark 1/0xFF && EXMARK=Yes
 	fi
 
 	if qt $IPTABLES -t mangle -A $chain -j CONNMARK --save-mark; then
@@ -923,6 +931,7 @@ determine_capabilities() {
 
 	qt $IPTABLES -t mangle -A $chain -j CLASSIFY --set-class 1:1 && CLASSIFY_TARGET=Yes
 	qt $IPTABLES -t mangle -A $chain -j IPMARK --addr src && IPMARK_TARGET=Yes
+	qt $IPTABLES -t mangle -A $chain -p tcp -j TPROXY --on-port 0 --tproxy-mark 1 && TPROXY_TARGET=Yes
 	qt $IPTABLES -t mangle -F $chain
 	qt $IPTABLES -t mangle -X $chain
 	qt $IPTABLES -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes
@@ -964,6 +973,8 @@ determine_capabilities() {
     qt $IPTABLES -F $chain1
     qt $IPTABLES -X $chain1
 
+    [ -n "$TC" ] && $TC filter add flow help 2>&1 | grep -q ^Usage && FLOW_FILTER=Yes
+
     CAPVERSION=$SHOREWALL_CAPVERSION
     KERNELVERSION=$(printf "%d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
 }
@@ -1011,6 +1022,7 @@ report_capabilities() {
 	report_capability "Repeat match" $KLUDGEFREE
 	report_capability "MARK Target" $MARK
 	[ -n "$MARK" ] && report_capability "Extended MARK Target" $XMARK
+	[ -n "$XMARK" ] && report_capability "Extended MARK Target 2" $EXMARK
 	report_capability "Mangle FORWARD Chain" $MANGLE_FORWARD
 	report_capability "Comments" $COMMENTS
 	report_capability "Address Type Match" $ADDRTYPE
@@ -1027,6 +1039,8 @@ report_capabilities() {
 	report_capability "IPMARK Target" $IPMARK_TARGET
 	report_capability "LOG Target" $LOG_TARGET
 	report_capability "Persistent SNAT" $PERSISTENT_SNAT
+	report_capability "TPROXY Target" $TPROXY_TARGET
+	report_capability "FLOW Classifier" $FLOW_FILTER
     fi
 
     [ -n "$PKTTYPE" ] || USEPKTTYPE=
@@ -1070,6 +1084,7 @@ report_capabilities1() {
     report_capability1 KLUDGEFREE
     report_capability1 MARK
     report_capability1 XMARK
+    report_capability1 EXMARK
     report_capability1 MANGLE_FORWARD
     report_capability1 COMMENTS
     report_capability1 ADDRTYPE
@@ -1086,6 +1101,8 @@ report_capabilities1() {
     report_capability1 IPMARK_TARGET
     report_capability1 LOG_TARGET
     report_capability1 PERSISTENT_SNAT
+    report_capability1 TPROXY_TARGET
+    report_capability1 FLOW_FILTER
     
     echo CAPVERSION=$SHOREWALL_CAPVERSION
     echo KERNELVERSION=$KERNELVERSION

Shorewall/lib.cli

@@ -177,9 +177,13 @@ show_tc() {
 	fi
     }
 
-    ip -o link list | while read inx interface details; do
-	show_one_tc ${interface%:}
-    done
+    if [ $# -gt 0 ]; then
+	show_one_tc $1
+    else
+	ip -o link list | while read inx interface details; do
+	    show_one_tc ${interface%:}
+	done
+    fi
 
 }
 
@@ -263,6 +267,70 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
 #
 # Save currently running configuration
 #
+do_save() {
+    local status
+    status=0
+
+    if [ -f ${VARDIR}/firewall ]; then
+	if $iptables_save | iptablesbug > ${VARDIR}/restore-$$; then
+	    cp -f ${VARDIR}/firewall $RESTOREPATH
+	    mv -f ${VARDIR}/restore-$$ ${RESTOREPATH}-iptables
+	    chmod +x $RESTOREPATH
+	    echo "   Currently-running Configuration Saved to $RESTOREPATH"
+	    run_user_exit save
+	else
+	    rm -f ${VARDIR}/restore-$$
+	    echo "   ERROR: Currently-running Configuration Not Saved" >&2
+	    status=1
+	fi
+    else
+	echo "   ERROR: ${VARDIR}/firewall does not exist" >&2
+	status=1
+    fi
+
+    case ${SAVE_IPSETS:=No} in 
+	[Yy]es)
+	    case ${IPSET:=ipset} in
+		*/*)
+		    if [ ! -x "$IPSET" ]; then
+			error_message "ERROR: IPSET=$IPSET does not exist or is not executable - ipsets are not saved"
+			IPSET=
+		    fi
+		    ;;
+		*)
+		    IPSET="$(mywhich $IPSET)"
+		    [ -n "$IPSET" ] || error_message "ERROR: The ipset utility cannot be located - ipsets are not saved"
+		    ;;
+	    esac
+
+	    if [ -n "$IPSET" ]; then
+		if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then
+                    #
+                    # The 'grep -v' is a hack for a bug in ipset's nethash implementation when xtables-addons is applied to Lenny
+                    #
+		    hack='| grep -v /31'
+		else
+		    hack=
+		fi
+
+		if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then
+                    #
+                    # Don't save an 'empty' file
+                    #
+		    grep -q '^-N' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${RESTOREPATH}-ipsets
+		fi
+	    fi
+	    ;;
+	[Nn]o)
+	    ;;
+	*)
+	    error_message "WARNING: Invalid value ($SAVE_IPSETS) for SAVE_IPSETS"
+	    ;;
+    esac
+
+    return $status
+}
+
 save_config() {
 
     local result
@@ -285,24 +353,15 @@ save_config() {
 		*)
 		    validate_restorefile RESTOREFILE
 
-		    if $IPTABLES -L dynamic -n > ${VARDIR}/save; then
-			echo "   Dynamic Rules Saved"
-			if [ -f ${VARDIR}/firewall ]; then
-			    if $iptables_save | iptablesbug > ${VARDIR}/restore-$$; then
-				cp -f ${VARDIR}/firewall $RESTOREPATH
-				mv -f ${VARDIR}/restore-$$ ${RESTOREPATH}-iptables
-				chmod +x $RESTOREPATH
-				echo "   Currently-running Configuration Saved to $RESTOREPATH"
-				run_user_exit save
-			    else
-			        rm -f ${VARDIR}/restore-$$
-				echo "   ERROR: Currently-running Configuration Not Saved" >&2
-			    fi
+		    if chain_exists dynamic; then
+			if $IPTABLES -L dynamic -n > ${VARDIR}/save; then
+			    echo "   Dynamic Rules Saved"
+			    do_save
 			else
-			    echo "   ERROR: ${VARDIR}/firewall does not exist" >&2
+		            echo "Error Saving the Dynamic Rules" >&2
 			fi
 		    else
-		        echo "Error Saving the Dynamic Rules" >&2
+			do_save && rm -f ${VARDIR}/save
 		    fi
 		    ;;
 	    esac
@@ -489,10 +548,11 @@ show_command() {
 	    packet_log 20
 	    ;;
 	tc)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 2 ] && usage 1
 	    echo "$PRODUCT $version Traffic Control at $HOSTNAME - $(date)"
 	    echo
-	    show_tc
+	    shift
+	    show_tc $1
 	    ;;
 	classifiers|filters)
 	    [ $# -gt 1 ] && usage 1
@@ -599,6 +659,18 @@ show_command() {
 			    grep -Ev '^\#|^$' ${SHAREDIR}/actions.std
 			fi
 
+			return
+			;;
+		    macro)
+			[ $# -ne 2 ] && usage 1
+			for directory in $(split $CONFIG_PATH); do
+			    if [ -f ${directory}/macro.$2 ]; then
+				echo "Shorewall $version Macro $2 at $HOSTNAME - $(date)"
+				cat ${directory}/macro.$2
+				return
+			    fi
+			done
+			echo "   WARNING: Macro $2 not found" >&2
 			return
 			;;
 		    macros)
@@ -947,6 +1019,12 @@ block() # $1 = command, $2 = Finished, $3 - $n addresses
     local finished
     finished=$2
 
+    if ! chain_exists dynamic; then
+	echo "Dynamic blacklisting is not enabled in the current $PRODUCT configuration" >&2
+	[ -n "$nolock" ] || mutex_off
+	exit 2
+    fi
+
     shift 3
 
     while [ $# -gt 0 ]; do
@@ -1053,7 +1131,7 @@ add_command() {
     local interface host hostlist zone ipset
     if ! shorewall_is_started ; then
 	echo "Shorewall Not Started" >&2
-	exit 2;
+	exit 2
     fi
 
     case "$IPSET" in
@@ -1259,6 +1337,11 @@ allow_command() {
     [ -n "$debugging" ] && set -x
     [ $# -eq 1 ] && usage 1
     if shorewall_is_started ; then
+	if ! chain_exists dynamic; then
+	    echo "Dynamic blacklisting is not enabled in the current $PRODUCT configuration" >&2
+	    exit 2
+	fi
+
 	[ -n "$nolock" ] || mutex_on
 	while [ $# -gt 1 ]; do
 	    shift

Shorewall/modules

@@ -54,6 +54,8 @@ loadmodule xt_owner
 loadmodule xt_physdev
 loadmodule xt_pkttype
 loadmodule xt_tcpmss
+loadmodule xt_IPMARK
+loadmodule xt_TPROXY
 #
 # Helpers
 #

Shorewall/shorewall

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #	This file should be placed in /sbin/shorewall.
 #
@@ -315,6 +315,20 @@ get_config() {
 	    fi
 	    ;;
     esac
+
+    case $LOAD_HELPERS_ONLY in
+	Yes|yes)
+	    ;;
+	No|no)
+	    LOAD_HELPERS_ONLY=
+	    ;;
+	*)
+	    if [ -n "$LOAD_HELPERS_ONLY" ]; then
+		echo "   ERROR: Invalid LOAD_HELPERS_ONLY setting ($LOAD_HELPERS_ONLY)" >&2
+		exit 1
+	    fi
+	    ;;
+    esac
 }
 
 #
@@ -362,6 +376,7 @@ compiler() {
     [ -n "$SHOREWALL_DIR" ] && options="$options --directory=$SHOREWALL_DIR"
     [ -n "$TIMESTAMP" ] && options="$options --timestamp"
     [ -n "$TEST" ] && options="$options --test"
+    [ -n "$PREVIEW" ] && options="$options --preview"
     [ "$debugging" = trace ] && options="$options --debug"
     [ -n "$REFRESHCHAINS" ] && options="$options --refresh=$REFRESHCHAINS"
     #
@@ -642,6 +657,10 @@ check_command() {
 			    DEBUG=Yes;
 			    option=${option#d}
 			    ;;
+			r*)
+			    PREVIEW=Yes;
+			    option=${option#r}
+			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -1351,7 +1370,7 @@ usage() # $1 = exit status
     echo "where <command> is one of:"
     echo "   add <interface>[:<host-list>] ... <zone>"
     echo "   allow <address> ..."
-    echo "   check [ -e ] [ <directory> ]"
+    echo "   check [ -e ] [ -r ] [ <directory> ]"
     echo "   clear [ -f ]"
     echo "   compile [ -e ] [ -d ] [ <directory name> ] [ <path name> ]"
     echo "   delete <interface>[:<host-list>] ... <zone>"
@@ -1384,13 +1403,14 @@ usage() # $1 = exit status
     echo "   show config"
     echo "   show connections"
     echo "   show dynamic <zone>"
-    echo "   show filter"
+    echo "   show filters"
     echo "   show ip"
     echo "   show [ -m ] log"
+    echo "   show macro <macro>"
     echo "   show macros"
     echo "   show [ -x ] mangle|nat|raw|routing"
     echo "   show policies"
-    echo "   show tc"
+    echo "   show tc [ device ]"
     echo "   show vardir"
     echo "   show zones"
     echo "   start [ -f ] [ -n ] [ -p ] [ <directory> ]"
@@ -1428,6 +1448,7 @@ VERBOSE_OFFSET=0
 USE_VERBOSITY=
 NOROUTES=
 PURGE=
+DEBUG=
 EXPORT=
 export TIMESTAMP=
 noroutes=
@@ -1593,6 +1614,8 @@ FIREWALL=${VARDIR}/firewall
 LIBRARIES="$SHAREDIR/lib.base $SHAREDIR/lib.cli"
 VERSION_FILE=$SHAREDIR/version
 REFRESHCHAINS=
+RECOVERING=
+export RECOVERING
 
 for library in $LIBRARIES; do
     if [ -f $library ]; then
@@ -1752,6 +1775,11 @@ case "$COMMAND" in
 	[ -n "$debugging" ] && set -x
 	[ $# -eq 1 ] && usage 1
 	if shorewall_is_started ; then
+	    if ! chain_exists dynamic; then
+		echo "Dynamic blacklisting is not supported in the current $PRODUCT configuration"
+		exit 2
+	    fi
+
 	    [ -n "$nolock" ] || mutex_on
 	    block DROP Dropped $*
 	    [ -n "$nolock" ] || mutex_off
@@ -1764,6 +1792,11 @@ case "$COMMAND" in
 	[ -n "$debugging" ] && set -x
 	[ $# -eq 1 ] && usage 1
 	if shorewall_is_started ; then
+	    if ! chain_exists dynamic; then
+		echo "Dynamic blacklisting is not supported in the current $PRODUCT configuration"
+		exit 2
+	    fi
+
 	    [ -n "$nolock" ] || mutex_on
 	    block logdrop Dropped $*
 	    [ -n "$nolock" ] || mutex_off

Shorewall/shorewall.spec

@@ -1,6 +1,6 @@
 %define name shorewall
-%define version 4.4.5
-%define release 1
+%define version 4.4.7
+%define release 0base
 
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -91,6 +91,7 @@ fi
 %attr(0644,root,root) /usr/share/shorewall/lib.cli
 %attr(0644,root,root) /usr/share/shorewall/macro.*
 %attr(0644,root,root) /usr/share/shorewall/modules
+%attr(0644,root,root) /usr/share/shorewall/helpers
 %attr(0644,root,root) /usr/share/shorewall/configpath
 %attr(0755,root,root) /usr/share/shorewall/wait4ifup
 
@@ -106,9 +107,27 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples 
 
 %changelog
-* Sat Dec 19 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.5-1
-* Fri Nov 27 2009 Tom Eastep tom@shorewall.net
+* Fri Feb 05 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0base
+* Tue Feb 02 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0RC2
+* Wed Jan 27 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0RC1
+* Mon Jan 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0Beta4
+* Fri Jan 22 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0Beta3
+* Fri Jan 22 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0Beta2
+* Thu Jan 21 2010 Tom Eastep tom@shorewall.net
+- Add /usr/share/shorewall/helpers
+* Sun Jan 17 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0Beta1
+* Wed Jan 13 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.6-0base
+* Wed Jan 13 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.6-0Beta1
+* Thu Dec 24 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.5-0base
 * Sat Nov 21 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.4-0base

Shorewall/uninstall.sh

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://www.shorewall.net
 #
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.5.1
+VERSION=4.4.7
 
 usage() # $1 = exit status
 {

Shorewall6-lite/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=4.4.5.1
+VERSION=4.4.7
 
 usage() # $1 = exit status
 {

Shorewall6-lite/install.sh

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.5.1
+VERSION=4.4.7
 
 usage() # $1 = exit status
 {

Shorewall6-lite/shorecap

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2006,2007 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #	This file should be placed in /sbin/shorewall.
 #

Shorewall6-lite/shorewall6-lite

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2006 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #	This file should be placed in /sbin/shorewall-lite.
 #
@@ -367,28 +367,26 @@ usage() # $1 = exit status
     echo "Usage: $(basename $0) [debug|trace] [nolock] [ -q ] [ -v[-1|{0-2}] ] [ -t ] <command>"
     echo "where <command> is one of:"
     echo "   allow <address> ..."
-    echo "   clear"
+    echo "   clear [ -f ]"
     echo "   drop <address> ..."
     echo "   dump [ -x ]"
     echo "   forget [ <file name> ]"
     echo "   help"
-    echo "   hits [ -t ]"
-    echo "   ipcalc { <address>/<vlsm> | <address> <netmask> }"
-    echo "   ipdecimal { <address> | <integer> }"
-    echo "   iprange <address>-<address>"
+    echo "   load [ -s ] [ -c ] [ -r <root user> ] [ <directory> ] <system>"
     echo "   logdrop <address> ..."
     echo "   logreject <address> ..."
     echo "   logwatch [<refresh interval>]"
+    echo "   refresh [ <chain>... ]"
     echo "   reject <address> ..."
-    echo "   reset"
-    echo "   restart [ -n ] [ -p ]"
+    echo "   reset [ <chain> ... ]"
+    echo "   restart [ -n ] [ -f ]"
     echo "   restore [ -n ] [ <file name> ]"
     echo "   save [ <file name> ]"
-    echo "   show [ -x ] [ -m ] [ -f ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]|capabilities|classifiers|config|connections|filters|ip|log|mangle|nat|routing|tc|vardir|zones} ]"
-    echo "   start [ -f ] [ -n ] [ -p ]"
-    echo "   stop"
+    echo "   show [ -x ] [ -m ] [-f] [ -t {filter|mangle} ] [ {chain [<chain> [ <chain> ... ]capabilities|classifiers|config|connections|filters|ip|log|macros|mangle|nat|policies|raw|routing|tc|vardir|zones} ]"
+    echo "   start [ -f ] [ <directory> ]"
+    echo "   stop [ -f ]"
     echo "   status"
-    echo "   version"
+    echo "   version [ -a ]"
     echo
     exit $1
 }
@@ -417,6 +415,8 @@ USE_VERBOSITY=
 NOROUTES=
 EXPORT=
 export TIMESTAMP=
+RECOVERING=
+export RECOVERING
 noroutes=
 
 finished=0

Shorewall6-lite/shorewall6-lite.spec

@@ -1,6 +1,6 @@
 %define name shorewall6-lite
-%define version 4.4.5
-%define release 1
+%define version 4.4.7
+%define release 0base
 
 Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -91,9 +91,25 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
-* Sat Dec 19 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.5-1
-* Fri Nov 27 2009 Tom Eastep tom@shorewall.net
+* Fri Feb 05 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0base
+* Tue Feb 02 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0RC2
+* Wed Jan 27 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0RC1
+* Mon Jan 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0Beta4
+* Fri Jan 22 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0Beta3
+* Fri Jan 22 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0Beta2
+* Sun Jan 17 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0Beta1
+* Wed Jan 13 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.6-0base
+* Tue Jan 12 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.6-0Beta1
+* Thu Dec 24 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.5-0base
 * Sat Nov 21 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.4-0base

Shorewall6-lite/uninstall.sh

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.sourceforge.net
 #
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.5.1
+VERSION=4.4.7
 
 usage() # $1 = exit status
 {

Shorewall6/action.Drop

@@ -22,7 +22,7 @@
 #
 # Reject 'auth'
 #
-Auth/REJECT
+Auth(REJECT)
 #
 # ACCEPT critical ICMP types
 #
@@ -35,7 +35,7 @@ dropInvalid
 #
 # Drop Microsoft noise so that it doesn't clutter up the log.
 #
-SMB/DROP
+SMB(DROP)
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #

Shorewall6/action.Reject

@@ -18,7 +18,7 @@
 #
 # Don't log 'auth' -- REJECT
 #
-Auth/REJECT
+Auth(REJECT)
 #
 # ACCEPT critical ICMP types
 #
@@ -32,7 +32,7 @@ dropInvalid
 #
 # Reject Microsoft noise so that it doesn't clutter up the log.
 #
-SMB/REJECT
+SMB(REJECT)
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #

Shorewall6/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=4.4.5.1
+VERSION=4.4.7
 
 usage() # $1 = exit status
 {

Shorewall6/helpers

@@ -0,0 +1,36 @@
+#
+# Shorewall6 version 4 - Helpers File
+#
+# /usr/share/shorewall6/helpers
+#
+#	This file loads the modules that may be needed by the firewall.
+#
+#	THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
+#	dependency order. i.e., if M2 depends on M1 then you must load M1
+#	before you load M2.
+#
+#  If you need to modify this file, copy it to /etc/shorewall and modify the
+#  copy.
+#
+###############################################################################
+#
+# Helpers
+#
+loadmodule nf_conntrack_amanda
+loadmodule nf_conntrack_ftp
+loadmodule nf_conntrack_h323
+loadmodule nf_conntrack_irc
+loadmodule nf_conntrack_netbios_ns
+loadmodule nf_conntrack_netbios_ns
+loadmodule nf_conntrack_netlink
+loadmodule nf_conntrack_pptp
+loadmodule nf_conntrack_proto_sctp
+loadmodule nf_conntrack_proto_udplite
+loadmodule nf_conntrack_sane
+loadmodule nf_conntrack_sip         sip_direct_media=0
+loadmodule nf_conntrack_pptp
+loadmodule nf_conntrack_proto_gre
+loadmodule nf_conntrack_proto_sctp
+loadmodule nf_conntrack_sip
+loadmodule nf_conntrack_tftp
+loadmodule nf_conntrack_sane

Shorewall6/install.sh

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2000,2001,2002,2003,2004,2005,2008 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000,2001,2002,2003,2004,2005,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.5.1
+VERSION=4.4.7
 
 usage() # $1 = exit status
 {
@@ -361,6 +361,12 @@ fi
 run_install $OWNERSHIP -m 0600 modules ${PREFIX}/usr/share/shorewall6/modules
 echo "Modules file installed as ${PREFIX}/usr/share/shorewall6/modules"
 
+#
+# Install the Module Helpers file
+#
+run_install $OWNERSHIP -m 0600 helpers ${PREFIX}/usr/share/shorewall6/helpers
+echo "Helper modules file installed as ${PREFIX}/usr/share/shorewall6/helpers"
+
 #
 # Install the TC Rules file
 #
@@ -371,6 +377,26 @@ if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall6/tcrules ]; then
     echo "TC Rules file installed as ${PREFIX}/etc/shorewall6/tcrules"
 fi
 
+#
+# Install the TC Interfaces file
+#
+run_install $OWNERSHIP -m 0644 tcinterfaces ${PREFIX}/usr/share/shorewall6/configfiles/tcinterfaces
+
+if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall6/tcinterfaces ]; then
+    run_install $OWNERSHIP -m 0600 tcinterfaces ${PREFIX}/etc/shorewall6/tcinterfaces
+    echo "TC Interfaces file installed as ${PREFIX}/etc/shorewall6/tcinterfaces"
+fi
+
+#
+# Install the TC Priority file
+#
+run_install $OWNERSHIP -m 0644 tcpri ${PREFIX}/usr/share/shorewall6/configfiles/tcpri
+
+if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall6/tcpri ]; then
+    run_install $OWNERSHIP -m 0600 tcpri ${PREFIX}/etc/shorewall6/tcpri
+    echo "TC Priority file installed as ${PREFIX}/etc/shorewall6/tcpri"
+fi
+
 #
 # Install the TOS file
 #
@@ -693,4 +719,4 @@ fi
 #
 #  Report Success
 #
-echo "shorewall6-common Version $VERSION Installed"
+echo "shorewall6 Version $VERSION Installed"

Shorewall6/lib.base

@@ -32,8 +32,8 @@
 #   by the compiler.
 #
 
-SHOREWALL_LIBVERSION=40300
-SHOREWALL_CAPVERSION=40402
+SHOREWALL_LIBVERSION=40407
+SHOREWALL_CAPVERSION=40407
 
 [ -n "${VARDIR:=/var/lib/shorewall6}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall6}" ]
@@ -302,7 +302,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
 	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
     done
 
-    modules=$(find_file modules)
+    [ -n "$LOAD_HELPERS_ONLY" ] && modules=$(find_file helpers) || modules=$(find_file modules)
 
     if [ -f $modules -a -n "$moduledirectories" ]; then
 	MODULES=$(lsmod | cut -d ' ' -f1)
@@ -722,6 +722,8 @@ determine_capabilities() {
     KLUDGEFREE=
     MARK=
     XMARK=
+    EXMARK=
+    TPROXY_TARGET=
     MANGLE_FORWARD=
     COMMENTS=
     ADDRTYPE=
@@ -735,6 +737,7 @@ determine_capabilities() {
     GOTO_TARGET=
     IPMARK_TARGET=
     LOG_TARGET=Yes
+    FLOW_FILTER=
 
     chain=fooX$$
 
@@ -745,8 +748,12 @@ determine_capabilities() {
 	exit 1
     fi
 
+    [ -n "$IP" ] || IP=$(which ip)
+
+    [ -n "$IP" -a -x "$IP" ] || IP=
+
     qt $IP6TABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
-    
+
     qt $IP6TABLES -F $chain
     qt $IP6TABLES -X $chain
     if ! $IP6TABLES -N $chain; then
@@ -822,6 +829,7 @@ determine_capabilities() {
 	if qt $IP6TABLES -t mangle -A $chain -j MARK --set-mark 1; then
 	    MARK=Yes
 	    qt $IP6TABLES -t mangle -A $chain -j MARK --and-mark 0xFF && XMARK=Yes
+	    qt $IP6TABLES -t mangle -A $chain -j MARK --set-mark 1/0xFF && EXMARK=Yes
 	fi
 
 	if qt $IP6TABLES -t mangle -A $chain -j CONNMARK --save-mark; then
@@ -831,6 +839,7 @@ determine_capabilities() {
 
 	qt $IP6TABLES -t mangle -A $chain -j CLASSIFY --set-class 1:1 && CLASSIFY_TARGET=Yes
 	qt $IP6TABLES -t mangle -A $chain -j IPMARK --addr src && IPMARK_TARGET=Yes
+	qt $IP6TABLES -t mangle -A $chain -p tcp -j TPROXY --on-port 0 --tproxy-mark 1 && TPROXY_TARGET=Yes
 	qt $IP6TABLES -t mangle -F $chain
 	qt $IP6TABLES -t mangle -X $chain
 	qt $IP6TABLES -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes
@@ -871,7 +880,10 @@ determine_capabilities() {
     qt $IP6TABLES -F $chain1
     qt $IP6TABLES -X $chain1
 
+    [ -n "$IP" ] && $IP filter add flow help 2>&1 | grep -q ^Usage && FLOW_FILTER=Yes
+
     CAPVERSION=$SHOREWALL_CAPVERSION
+    KERNELVERSION=$(printf "%d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
 }
 
 report_capabilities() {
@@ -916,6 +928,7 @@ report_capabilities() {
 	report_capability "Repeat match" $KLUDGEFREE
 	report_capability "MARK Target" $MARK
 	[ -n "$MARK" ] && report_capability "Extended MARK Target" $XMARK
+	[ -n "$XMARK" ] && report_capability "Extended MARK Target 2" $EXMARK
 	report_capability "Mangle FORWARD Chain" $MANGLE_FORWARD
 	report_capability "Comments" $COMMENTS
 	report_capability "Address Type Match" $ADDRTYPE
@@ -930,6 +943,8 @@ report_capabilities() {
 	report_capability "Goto Support" $GOTO_TARGET
 	report_capability "IPMARK Target" $IPMARK_TARGET
 	report_capability "LOG Target" $LOG_TARGET
+	report_capability "TPROXY Target" $TPROXY_TARGET
+	report_capability "FLOW Classifier" $FLOW_FILTER
     fi
 
     [ -n "$PKTTYPE" ] || USEPKTTYPE=
@@ -972,6 +987,7 @@ report_capabilities1() {
     report_capability1 KLUDGEFREE
     report_capability1 MARK
     report_capability1 XMARK
+    report_capability1 EXMARK
     report_capability1 MANGLE_FORWARD
     report_capability1 COMMENTS
     report_capability1 ADDRTYPE
@@ -986,8 +1002,11 @@ report_capabilities1() {
     report_capability1 GOTO_TARGET
     report_capability1 IPMARK_TARGET
     report_capability1 LOG_TARGET
+    report_capability1 TPROXY_TARGET
+    report_capability1 FLOW_FILTER
     
     echo CAPVERSION=$SHOREWALL_CAPVERSION
+    echo KERNELVERSION=$KERNELVERSION    
 }
 
 detect_gateway() # $1 = interface

Shorewall6/lib.cli

@@ -158,9 +158,13 @@ show_tc() {
 	fi
     }
 
-    ip -o link list | while read inx interface details; do
-	show_one_tc ${interface%:}
-    done
+    if [ $# -gt 0 ]; then
+	show_one_tc $1
+    else
+	ip -o link list | while read inx interface details; do
+	    show_one_tc ${interface%:}
+	done
+    fi
 
 }
 
@@ -244,6 +248,30 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
 #
 # Save currently running configuration
 #
+do_save() {
+    local status
+    status=0
+
+    if [ -f ${VARDIR}/firewall ]; then
+	if $iptables_save > ${VARDIR}/restore-$$; then
+	    cp -f ${VARDIR}/firewall $RESTOREPATH
+	    mv -f ${VARDIR}/restore-$$ ${RESTOREPATH}-iptables
+	    chmod +x $RESTOREPATH
+	    echo "   Currently-running Configuration Saved to $RESTOREPATH"
+	    run_user_exit save
+	else
+	    rm -f ${VARDIR}/restore-$$
+	    echo "   ERROR: Currently-running Configuration Not Saved" >&2
+	    status=1
+	fi
+    else
+	echo "   ERROR: ${VARDIR}/firewall does not exist" >&2
+	status=1
+    fi
+
+    return $status
+}
+
 save_config() {
 
     local result
@@ -266,24 +294,15 @@ save_config() {
 		*)
 		    validate_restorefile RESTOREFILE
 
-		    if $IP6TABLES -L dynamic -n > ${VARDIR}/save; then
-			echo "   Dynamic Rules Saved"
-			if [ -f ${VARDIR}/firewall ]; then
-			    if $iptables_save > ${VARDIR}/restore-$$; then
-				cp -f ${VARDIR}/firewall $RESTOREPATH
-				mv -f ${VARDIR}/restore-$$ ${RESTOREPATH}-iptables
-				chmod +x $RESTOREPATH
-				echo "   Currently-running Configuration Saved to $RESTOREPATH"
-				run_user_exit save
-			    else
-			        rm -f ${VARDIR}/restore-$$
-				echo "   ERROR: Currently-running Configuration Not Saved" >&2
-			    fi
+		    if chain_exists dynamic; then
+			if $IP6TABLES -L dynamic -n > ${VARDIR}/save; then
+			    echo "   Dynamic Rules Saved"
+			    do_save
 			else
-			    echo "   ERROR: ${VARDIR}/firewall does not exist" >&2
+		            echo "Error Saving the Dynamic Rules" >&2
 			fi
 		    else
-		        echo "Error Saving the Dynamic Rules" >&2
+			do_save && rm -f ${VARDIR}/save
 		    fi
 		    ;;
 	    esac
@@ -435,7 +454,7 @@ show_command() {
 	    packet_log 20
 	    ;;
 	tc)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 2 ] && usage 1
 	    echo "$PRODUCT $version Traffic Control at $HOSTNAME - $(date)"
 	    echo
 	    show_tc
@@ -696,8 +715,8 @@ dump_command() {
 
     show_routing
 
-    heading "ARP"
-    arp -na
+    heading "Neighbors"
+    ip -6 neigh ls
 
     if qt mywhich lsmod; then
 	heading "Modules"
@@ -883,6 +902,12 @@ block() # $1 = command, $2 = Finished, $3 - $n addresses
     local finished
     finished=$2
 
+    if ! chain_exists dynamic; then
+	echo "Dynamic blacklisting is not enabled in the current $PRODUCT configuration" >&2
+	[ -n "$nolock" ] || mutex_off
+	exit 2
+    fi
+
     shift 3
 
     while [ $# -gt 0 ]; do
@@ -1004,6 +1029,11 @@ allow_command() {
     [ -n "$debugging" ] && set -x
     [ $# -eq 1 ] && usage 1
     if shorewall6_is_started ; then
+	if ! chain_exists dynamic; then
+	    echo "Dynamic blacklisting is not enabled in the current $PRODUCT configuration" >&2
+	    exit 2
+	fi
+
 	[ -n "$nolock" ] || mutex_on
 	while [ $# -gt 1 ]; do
 	    shift

Shorewall6/modules

@@ -56,6 +56,8 @@ loadmodule xt_sctp
 loadmodule xt_tcpmss
 loadmodule xt_TCPMSS
 loadmodule xt_time
+loadmodule xt_IPMARK
+loadmodule xt_TPROXY
 #
 # Helpers
 #

Shorewall6/shorewall6

@@ -220,6 +220,20 @@ get_config() {
 	    fi
 	    ;;
     esac
+
+    case $LOAD_HELPERS_ONLY in
+	Yes|yes)
+	    ;;
+	No|no)
+	    LOAD_HELPERS_ONLY=
+	    ;;
+	*)
+	    if [ -n "$LOAD_HELPERS_ONLY" ]; then
+		echo "   ERROR: Invalid LOAD_HELPERS_ONLY setting ($LOAD_HELPERS_ONLY)" >&2
+		exit 1
+	    fi
+	    ;;
+    esac
 }
 
 #
@@ -279,6 +293,7 @@ compiler() {
     [ -n "$SHOREWALL_DIR" ] && options="$options --directory=$SHOREWALL_DIR"
     [ -n "$TIMESTAMP" ] && options="$options --timestamp"
     [ -n "$TEST" ] && options="$options --test"
+    [ -n "$PREVIEW" ] && options="$options --preview"
     [ "$debugging" = trace ] && options="$options --debug"
     [ -n "$REFRESHCHAINS" ] && options="$options --refresh=$REFRESHCHAINS"
     [ -x $pc ] || startup_error "Shorewall6 requires the shorewall package which is not installed"
@@ -552,6 +567,10 @@ check_command() {
 			    PROFILE=Yes
 			    option=${option#p}
 			    ;;
+			r*)
+			    PREVIEW=Yes;
+			    option=${option#r}
+			    ;;
 			d*)
 			    DEBUG=Yes;
 			    option=${option#d}
@@ -1267,7 +1286,7 @@ usage() # $1 = exit status
     echo "where <command> is one of:"
     echo "   add <interface>[:<host-list>] ... <zone>"
     echo "   allow <address> ..."
-    echo "   check [ -e ] [ <directory> ]"
+    echo "   check [ -e ] [ -r ] [ <directory> ]"
     echo "   clear [ -f ]"
     echo "   compile [ -e ] [ -d ] [ <directory name> ] [ <path name> ]"
     echo "   delete <interface>[:<host-list>] ... <zone>"
@@ -1325,6 +1344,7 @@ VERBOSE_OFFSET=0
 USE_VERBOSITY=
 NOROUTES=
 PURGE=
+DEBUG=
 EXPORT=
 export TIMESTAMP=
 noroutes=
@@ -1494,7 +1514,8 @@ fi
 FIREWALL=${VARDIR}/firewall
 LIBRARIES="$SHAREDIR/lib.base $SHAREDIR/lib.cli"
 VERSION_FILE=$SHAREDIR/version
-REFRESHCHAINS=
+RECOVERING=
+export RECOVERING
 
 for library in $LIBRARIES; do
     if [ -f $library ]; then

Shorewall6/shorewall6.conf

@@ -105,6 +105,8 @@ TC_ENABLED=No
 
 TC_EXPERT=No
 
+TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
+
 CLEAR_TC=No
 
 MARK_IN_FORWARD_CHAIN=No
@@ -117,7 +119,7 @@ ADMINISABSENTMINDED=Yes
 
 BLACKLISTNEWONLY=Yes
 
-MODULE_SUFFIX=
+MODULE_SUFFIX=ko
 
 FASTACCEPT=No
 
@@ -149,6 +151,14 @@ TRACK_PROVIDERS=No
 
 ZONE2ZONE=2
 
+ACCOUNTING=Yes
+
+OPTIMIZE_ACCOUNTING=No
+
+DYNAMIC_BLACKLIST=Yes
+
+LOAD_HELPERS_ONLY=No
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Shorewall6/shorewall6.spec

@@ -1,6 +1,6 @@
 %define name shorewall6
-%define version 4.4.5
-%define release 1
+%define version 4.4.7
+%define release 0base
 
 Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -84,6 +84,7 @@ fi
 %attr(0644,root,root) /usr/share/shorewall6/lib.cli
 %attr(0644,root,root) /usr/share/shorewall6/macro.*
 %attr(0644,root,root) /usr/share/shorewall6/modules
+%attr(0644,root,root) /usr/share/shorewall6/helpers
 %attr(0644,root,root) /usr/share/shorewall6/configpath
 %attr(0755,root,root) /usr/share/shorewall6/wait4ifup
 
@@ -95,9 +96,26 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
 
 %changelog
-* Sat Dec 19 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.5-1
-* Fri Nov 27 2009 Tom Eastep tom@shorewall.net
+* Fri Feb 05 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0base
+* Tue Feb 02 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0RC2
+* Wed Jan 27 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0RC1
+* Mon Jan 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0Beta4
+* Fri Jan 22 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0Beta3
+* Fri Jan 22 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0Beta2
+- Added helpers file
+* Sun Jan 17 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0Beta1
+* Wed Jan 13 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.6-0base
+* Tue Jan 12 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.6-0Beta1
+* Thu Dec 24 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.5-0base
 * Sat Nov 21 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.4-0base

Shorewall6/tcinterfaces

@@ -0,0 +1,11 @@
+#
+# Shorewall6 version 4 - Tcinterfaces File
+#
+# For information about entries in this file, type "man shorewall6-tcinterfaces"
+#
+# See http://shorewall.net/simple_traffic_shaping.htm for additional
+# information.
+#
+###############################################################################
+#INTERFACE		TYPE	IN-BANDWIDTH
+

Shorewall6/tcpri

@@ -0,0 +1,13 @@
+#
+# Shorewall6 version 4 - Tcpri File
+#
+# For information about entries in this file, type "man shorewall6-tcpri"
+#
+# See http://shorewall.net/simple_traffic_shaping.htm for additional
+# information.
+#
+###############################################################################
+#BAND	PROTO	PORT(S)		ADDRESS		IN-INTERFACE	HELPER
+
+
+

Shorewall6/uninstall.sh

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2000,2001,2002,2003,2004,2005,2008 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000,2001,2002,2003,2004,2005,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://www.shorewall.net
 #
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.5.1
+VERSION=4.4.7
 
 usage() # $1 = exit status
 {

docs/Actions.xml

@@ -26,6 +26,8 @@
 
       <year>2009</year>
 
+      <year>2010</year>
+
       <holder>Thomas M. Eastep</holder>
     </copyright>
 
@@ -129,9 +131,9 @@ ACCEPT   -              -               tcp     135,139,445
 
     <para>Shorewall allows the association of a <firstterm>default
     action</firstterm> with policies. A separate default action may be
-    associated with ACCEPT, DROP and REJECT policies. Default actions provide
-    a way to invoke a set of common rules just before the policy is enforced.
-    Default actions accomplish two goals:</para>
+    associated with ACCEPT, DROP, REJECT, QUEUE and NFQUEUE policies. Default
+    actions provide a way to invoke a set of common rules just before the
+    policy is enforced. Default actions accomplish two goals:</para>
 
     <orderedlist>
       <listitem>
@@ -164,12 +166,12 @@ ACCEPT   -              -               tcp     135,139,445
     specifying a different action in the POLICY column of <filename><ulink
     url="manpages/shorewall-policy.html">/etc/shorewall/policy</ulink></filename>.</para>
 
-    <warning>
+    <important>
       <para>Entries in the DROP and REJECT default actions <emphasis
       role="bold">ARE NOT THE CAUSE OF CONNECTION PROBLEMS</emphasis>.
       Remember — default actions are only invoked immediately before the
       packet is going to be dropped or rejected anyway!!!</para>
-    </warning>
+    </important>
   </section>
 
   <section id="Defining">
@@ -217,7 +219,7 @@ ACCEPT   -              -               tcp     135,139,445
     <itemizedlist>
       <listitem>
         <para>TARGET - Must be ACCEPT, DROP, REJECT, LOG, CONTINUE, QUEUE or
-        &lt;<emphasis>action</emphasis>&gt; where
+        an &lt;<emphasis>action</emphasis>&gt; where
         &lt;<emphasis>action</emphasis>&gt; is a previously-defined action
         (that is, it must precede the action being defined in this file in
         your <filename>/etc/shorewall/actions</filename> file). These actions
@@ -255,10 +257,6 @@ ACCEPT   -              -               tcp     135,139,445
       <listitem>
         <para>DEST - Location of Server. Same as above with the exception that
         MAC addresses are not allowed.</para>
-
-        <para>Unlike in the SOURCE column, you may specify a range of up to
-        256 IP addresses using the syntax &lt;<emphasis>first
-        ip</emphasis>&gt;-&lt;<emphasis>last ip</emphasis>&gt;.</para>
       </listitem>
 
       <listitem>
@@ -279,23 +277,6 @@ ACCEPT   -              -               tcp     135,139,445
         <para>This column is ignored if PROTO = <quote>all</quote>, but must
         be entered if any of the following fields are supplied. In that case,
         it is suggested that this field contain <quote>-</quote>.</para>
-
-        <para>If your kernel contains multi-port match support, then only a
-        single Netfilter rule will be generated if in this list and in the
-        CLIENT PORT(S) list below:</para>
-
-        <orderedlist>
-          <listitem>
-            <para>There are 15 or less ports listed.</para>
-          </listitem>
-
-          <listitem>
-            <para>No port ranges are included.</para>
-          </listitem>
-        </orderedlist>
-
-        <para>Otherwise, a separate rule will be generated for each
-        port.</para>
       </listitem>
 
       <listitem>
@@ -306,23 +287,6 @@ ACCEPT   -              -               tcp     135,139,445
         <para>If you don't want to restrict client ports but need to specify
         any of the subsequent fields, then place <quote>-</quote> in this
         column.</para>
-
-        <para>If your kernel contains multi-port match support, then only a
-        single Netfilter rule will be generated if in this list and in the
-        DEST PORT(S) list above:</para>
-
-        <orderedlist>
-          <listitem>
-            <para>There are 15 or less ports listed.</para>
-          </listitem>
-
-          <listitem>
-            <para>No port ranges are included.</para>
-          </listitem>
-        </orderedlist>
-
-        <para>Otherwise, a separate rule will be generated for each
-        port.</para>
       </listitem>
 
       <listitem>
@@ -539,8 +503,13 @@ bar:debug</programlisting>
 
       <para>/etc/shorewall/action.DropBcasts<programlisting># This file is empty</programlisting>/etc/shorewall/DropBcasts<programlisting>use Shorewall::Chains;
 
-log_rule_limit( $level, $chainref, 'DropBcasts', 'DROP', '', $tag, 'add', '' ) if $level ne ''; 
-add_rule( $chainref, '-m pkttype --pkttype broadcast -j DROP' );
+if ( $level ne '' ) {
+    log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
+    log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ';
+}
+
+add_rule $chainref, '-m addrtype --dst-type BROADCAST -j DROP';
+add_rule $chainref, '-d 224.0.0.0/4 -j DROP';
 
 1;</programlisting></para>
     </example>
@@ -619,7 +588,9 @@ Limit:info:SSHA,3,60   net               $FW            tcp         22</programl
       <para>For those who are curious, the Limit action is implemented as
       follows:</para>
 
-      <programlisting>my @tag = split /,/, $tag;
+      <programlisting>use Shorewall::Chains;
+
+my @tag = split /,/, $tag;
 
 fatal_error 'Limit rules must include &lt;list name&gt;,&lt;max connections&gt;,&lt;interval&gt; as the log tag (' . join( ':', 'Limit', $level eq '' ? 'none' : $level , $tag ) . ')'
     unless @tag == 3;

docs/Build.xml

@@ -20,6 +20,8 @@
     <copyright>
       <year>2009</year>
 
+      <year>2010</year>
+
       <holder>Thomas M. Eastep</holder>
     </copyright>
 
@@ -85,13 +87,6 @@
         role="bold">branches</emphasis>.</para>
       </section>
 
-      <section>
-        <title>trunk/web</title>
-
-        <para>The files from the web site that are maintained in HTML format.
-        are kept in this directory.</para>
-      </section>
-
       <section>
         <title>trunk/manpages, trunk/manpages6, trunk/manpages-lite and
         trunk/manpages6-lite</title>
@@ -100,31 +95,38 @@
         the release cycle, these documents may also apply to the current
         stable version.</para>
       </section>
+    </section>
 
-      <section>
-        <title>trunk/tools</title>
+    <section>
+      <title>tools</title>
 
-        <para>This is where the release and build tools are kept. There are
-        two subordinate directories:</para>
+      <para>This is where the release and build tools are kept. There are two
+      subordinate directories:</para>
 
-        <variablelist>
-          <varlistentry>
-            <term>trunk/tools/build</term>
+      <variablelist>
+        <varlistentry>
+          <term>trunk/tools/build</term>
 
-            <listitem>
-              <para>Tools for building and uploading new releases.</para>
-            </listitem>
-          </varlistentry>
+          <listitem>
+            <para>Tools for building and uploading new releases.</para>
+          </listitem>
+        </varlistentry>
 
-          <varlistentry>
-            <term>trunk/tools/web</term>
+        <varlistentry>
+          <term>trunk/tools/web</term>
 
-            <listitem>
-              <para>Tools for publishing web content.</para>
-            </listitem>
-          </varlistentry>
-        </variablelist>
-      </section>
+          <listitem>
+            <para>Tools for publishing web content</para>
+          </listitem>
+        </varlistentry>
+      </variablelist>
+    </section>
+
+    <section>
+      <title>web</title>
+
+      <para>The files from the web site that are maintained in HTML format.
+      are kept in this directory.</para>
     </section>
   </section>
 
@@ -201,7 +203,12 @@
           <term>xmlto (I use version 0.0.18-182.27)</term>
 
           <listitem>
-            <para>Required to convert the XML manpages to manpages.</para>
+            <para>Required to convert the XML manpages to manpages. Note that
+            not all versions of xmlto will work (those released by Debian and
+            Ubuntu, for example, do <emphasis>not</emphasis> work). If you
+            find that xmlto fails, install
+            tools<filename>/build/xmlto</filename> in <filename
+            class="directory">/usr/local/bin</filename>.</para>
           </listitem>
         </varlistentry>
       </variablelist>
@@ -249,14 +256,6 @@
           </listitem>
         </varlistentry>
 
-        <varlistentry>
-          <term>GPG</term>
-
-          <listitem>
-            <para>Command to be used for signing your packages</para>
-          </listitem>
-        </varlistentry>
-
         <varlistentry>
           <term>GIT</term>
 
@@ -336,6 +335,22 @@
                   <para>Build the shorewall6-lite package.</para>
                 </listitem>
               </varlistentry>
+
+              <varlistentry>
+                <term>h</term>
+
+                <listitem>
+                  <para>Build the html document package.</para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term>x</term>
+
+                <listitem>
+                  <para>Build the xml document package.</para>
+                </listitem>
+              </varlistentry>
             </variablelist>
           </listitem>
         </varlistentry>
@@ -437,7 +452,7 @@
           <term><emphasis>release</emphasis></term>
 
           <listitem>
-            <para>The version number of the release to update.</para>
+            <para>The version number of the release to upload.</para>
           </listitem>
         </varlistentry>
       </variablelist>
@@ -445,13 +460,13 @@
       <para>Example 1 - Upload release 4.3.7:</para>
 
       <blockquote>
-        <para><command>upload 4.3.7</command></para>
+        <para><command>upload44 4.3.7</command></para>
       </blockquote>
 
       <para>Example 2 - Upload shorewall-perl-4.3.7.3:</para>
 
       <blockquote>
-        <para><command>upload -p 4.3.7.3</command></para>
+        <para><command>upload44 -p 4.3.7.3</command></para>
       </blockquote>
     </section>
   </section>

docs/Documentation_Index.xml

@@ -5,7 +5,7 @@
   <!--/$Id$-->
 
   <articleinfo>
-    <title>Shorewall 4.4 Documentation</title>
+    <title>Shorewall 4.4/4.5 Documentation</title>
 
     <authorgroup>
       <author>
@@ -18,7 +18,7 @@
     <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
 
     <copyright>
-      <year>2001-2009</year>
+      <year>2001-2010</year>
 
       <holder>Thomas M. Eastep</holder>
     </copyright>
@@ -155,20 +155,19 @@
             <entry><ulink url="Multiple_Zones.html">Multiple Zones Through One
             Interface</ulink></entry>
 
-            <entry><ulink url="Accounting.html">Traffic
-            Accounting</ulink></entry>
+            <entry><ulink url="configuration_file_basics.htm">Tips and
+            Hints</ulink></entry>
           </row>
 
           <row>
             <entry><ulink url="Build.html">Building Shorewall from
-            SVN</ulink></entry>
+            GIT</ulink></entry>
 
             <entry><ulink url="MyNetwork.html">My Shorewall
             Configuration</ulink></entry>
 
-            <entry><ulink url="traffic_shaping.htm">Traffic
-            Shaping/QOS</ulink> (<ulink
-            url="traffic_shaping_ru.html">Russian</ulink>)</entry>
+            <entry><ulink url="Accounting.html">Traffic
+            Accounting</ulink></entry>
           </row>
 
           <row>
@@ -178,8 +177,8 @@
             <entry><ulink url="NetfilterOverview.html">Netfilter
             Overview</ulink></entry>
 
-            <entry><ulink url="Shorewall_Squid_Usage.html">Transparent
-            Proxy</ulink></entry>
+            <entry> <ulink url="simple_traffic_shaping.html">Traffic
+            Shaping/QOS - Simple</ulink></entry>
           </row>
 
           <row>
@@ -188,7 +187,9 @@
 
             <entry><ulink url="netmap.html">Network Mapping</ulink></entry>
 
-            <entry><ulink url="UPnP.html">UPnP</ulink></entry>
+            <entry><ulink url="traffic_shaping.htm">Traffic Shaping/QOS -
+            Complex</ulink> (<ulink
+            url="traffic_shaping_ru.html">Russian</ulink>)</entry>
           </row>
 
           <row>
@@ -198,8 +199,8 @@
             <entry><ulink url="NAT.htm">One-to-one NAT</ulink> (Static
             NAT)</entry>
 
-            <entry><ulink url="upgrade_issues.htm">Upgrade
-            Issues</ulink></entry>
+            <entry><ulink url="Shorewall_Squid_Usage.html">Transparent
+            Proxy</ulink></entry>
           </row>
 
           <row>
@@ -208,8 +209,7 @@
             <entry><ulink url="Multiple_Zones.html"><ulink
             url="OPENVPN.html">OpenVPN</ulink></ulink></entry>
 
-            <entry><ulink url="LennyToSqueeze.html">Upgrading to Shorewall 4.4
-            (Upgrading Debian Lenny to Squeeze)</ulink></entry>
+            <entry><ulink url="UPnP.html">UPnP</ulink></entry>
           </row>
 
           <row>
@@ -219,7 +219,8 @@
 
             <entry><ulink url="OpenVZ.html">OpenVZ</ulink></entry>
 
-            <entry><ulink url="VPNBasics.html">VPN</ulink></entry>
+            <entry><ulink url="upgrade_issues.htm">Upgrade
+            Issues</ulink></entry>
           </row>
 
           <row>
@@ -228,7 +229,8 @@
             <entry><ulink url="starting_and_stopping_shorewall.htm">Operating
             Shorewall</ulink></entry>
 
-            <entry><ulink url="VPN.htm">VPN Passthrough</ulink></entry>
+            <entry><ulink url="LennyToSqueeze.html">Upgrading to Shorewall 4.4
+            (Upgrading Debian Lenny to Squeeze)</ulink></entry>
           </row>
 
           <row>
@@ -238,8 +240,7 @@
             <entry><ulink url="PacketMarking.html">Packet
             Marking</ulink></entry>
 
-            <entry><ulink url="whitelisting_under_shorewall.htm">White List
-            Creation</ulink></entry>
+            <entry><ulink url="VPNBasics.html">VPN</ulink></entry>
           </row>
 
           <row>
@@ -250,8 +251,7 @@
             <entry><ulink url="PacketHandling.html">Packet Processing in a
             Shorewall-based Firewall</ulink></entry>
 
-            <entry><ulink url="XenMyWay.html">Xen - Shorewall in a Bridged Xen
-            DomU</ulink></entry>
+            <entry><ulink url="VPN.htm">VPN Passthrough</ulink></entry>
           </row>
 
           <row>
@@ -260,8 +260,8 @@
 
             <entry><ulink url="ping.html">'Ping' Management</ulink></entry>
 
-            <entry><ulink url="XenMyWay-Routed.html">Xen - Shorewall in Routed
-            Xen Dom0</ulink></entry>
+            <entry><ulink url="whitelisting_under_shorewall.htm">White List
+            Creation</ulink></entry>
           </row>
 
           <row>
@@ -270,7 +270,8 @@
             <entry><ulink url="two-interface.htm#DNAT">Port
             Forwarding</ulink></entry>
 
-            <entry></entry>
+            <entry><ulink url="XenMyWay.html">Xen - Shorewall in a Bridged Xen
+            DomU</ulink></entry>
           </row>
 
           <row>
@@ -279,7 +280,8 @@
 
             <entry><ulink url="ports.htm">Port Information</ulink></entry>
 
-            <entry></entry>
+            <entry><ulink url="XenMyWay-Routed.html">Xen - Shorewall in Routed
+            Xen Dom0</ulink></entry>
           </row>
 
           <row>

docs/Dynamic.xml

@@ -96,6 +96,10 @@
         <para>run 'make'</para>
       </listitem>
 
+      <listitem>
+        <para>as root, run 'make install'</para>
+      </listitem>
+
       <listitem>
         <para>Your new iptables binary will now be installed in
         /usr/local/sbin. Modify shorewall.conf to specify

docs/FAQ.xml

@@ -2029,6 +2029,22 @@ shorewall status > /dev/null 2>&1 || shorewall start # Start Shorewall
         </listitem>
       </itemizedlist>
     </section>
+
+    <section id="faq87">
+      <title>(FAQ 87) My firewall starts and restarts fine but if I try
+      'shorewall restore', the script fails because none of my shell variables
+      from /etc/shorewall/params are set. Why?</title>
+
+      <para><emphasis role="bold">Answer</emphasis>: You probably need to set
+      EXPORTPARAMS=Yes. During <emphasis role="bold">start</emphasis> and
+      <emphasis role="bold">restart</emphasis>,
+      <filename>/etc/shorewall/params</filename> is processed by the shell
+      after <emphasis role="bold">set -a</emphasis>; as a result, all param
+      settings become part of the shell's environment and are inherited by the
+      running script. The shell does not process
+      <filename>/etc/shorewall/params</filename> when processing the <emphasis
+      role="bold">restore</emphasis> command.</para>
+    </section>
   </section>
 
   <section id="MultiISP">
@@ -2333,17 +2349,57 @@ etc...</programlisting>
       but I can hear them. If I plug the Asterisk server directly into the
       router, bypassing the firewall, the problem goes away.</para>
 
-      <para><emphasis role="bold">Answer (requires Shorewall 4.0.6 or
-      later):</emphasis> If your kernel version is 2.6.20 or
-      earlier:<programlisting>rmmod ip_nat_sip
-rmmod ip_conntrack_sip</programlisting>Then change the DONT_LOAD specification
-      in your shorewall.conf to:<programlisting>DONT_LOAD=ip_nat_sip,ip_conntrack_sip</programlisting>If
-      your kernel version is 2.6.21 or later:<programlisting>rmmod nf_nat_sip
-rmmod nf_conntrack_sip</programlisting>Then change the DONT_LOAD specification
-      in your shorewall.conf to:<programlisting>DONT_LOAD=nf_nat_sip,nf_conntrack_sip</programlisting>If
-      you are running a version of Shorewall earlier than 4.0.6, you can avoid
-      loading the sip helper modules by following the suggestions in <link
-      linkend="faq59">FAQ 59</link>.</para>
+      <para><emphasis role="bold">Answer:</emphasis> There are two things to
+      try when VOIP problems are encountered. Both begin with executing two
+      <command>rmmod</command> commands.</para>
+
+      <para>If your kernel version is 2.6.20 or earlier:<programlisting>rmmod ip_nat_sip
+rmmod ip_conntrack_sip</programlisting>If your kernel version is 2.6.21 or
+      later:<programlisting>rmmod nf_nat_sip
+rmmod nf_conntrack_sip</programlisting></para>
+
+      <para>The first alternative seems to work for those running recent
+      kernels (2.6.26 or later):</para>
+
+      <orderedlist>
+        <listitem>
+          <para>Copy <filename>/usr/share/shorewall/module</filename>s to
+          <filename class="directory">/etc/shorewall</filename>.</para>
+        </listitem>
+
+        <listitem>
+          <para>Edit the copy and change this line:</para>
+
+          <blockquote>
+            <para>loadmodule nf_conntrack_sip</para>
+          </blockquote>
+
+          <para>to</para>
+
+          <blockquote>
+            <para>loadmodule nf_conntrack_sip sip_direct_media=0</para>
+          </blockquote>
+        </listitem>
+
+        <listitem>
+          <para><command>shorewall restart</command></para>
+        </listitem>
+      </orderedlist>
+
+      <para>The second alternative is to not load the sip helpers:</para>
+
+      <itemizedlist>
+        <listitem>
+          <para>If you are running kernel 2.6.20 or earlier, then change the
+          DONT_LOAD specification in your shorewall.conf to:<programlisting>DONT_LOAD=ip_nat_sip,ip_conntrack_sip</programlisting></para>
+        </listitem>
+
+        <listitem>
+          <para>If you are running kernel 2.6.21 or later, then change Then
+          change the DONT_LOAD specification in your shorewall.conf
+          to:<programlisting>DONT_LOAD=nf_nat_sip,nf_conntrack_sip</programlisting></para>
+        </listitem>
+      </itemizedlist>
     </section>
   </section>
 
@@ -2619,5 +2675,16 @@ loc                $FW                     ACCEPT           </programlisting>
       loc-&gt;$FW since those rules are redundant with the above
       policies.</para>
     </section>
+
+    <section id="faq88">
+      <title>(FAQ 88) Can I run Snort with Shorewall?</title>
+
+      <para><emphasis role="bold">Answer</emphasis>: Yes. In <emphasis>Network
+      Intrusion Detection System (NIDS) mode</emphasis>, Snort is libpcap
+      based (like tcpdump) so it doesn't interfere with Shorewall. We have had
+      reports that users have also been successful in using Snort in
+      <emphasis>inline</emphasis> more with Shorewall, but no HOWTO exists at
+      this time.</para>
+    </section>
   </section>
 </article>

docs/IPv6Support.xml

@@ -419,6 +419,15 @@ ACCEPT         net                 $FW:<2002:ce7c:92b4::3>     tcp
           <programlisting>#ACTION        SOURCE                            DEST          PROTO          DEST
 #                                                                             PORT(S)
 ACCEPT         net:wlan0:&lt;2002:ce7c:92b4::3&gt;     tcp                         22</programlisting>
+
+          <para>Beginning with Shorewall 4.4.6 and 4.5.4, square brackets ("["
+          and "]") may also be used.</para>
+
+          <para>Example (<filename>/etc/shorewall6/rules</filename>):</para>
+
+          <programlisting>#ACTION        SOURCE                            DEST          PROTO          DEST
+#                                                                             PORT(S)
+ACCEPT         net:wlan0:[2002:ce7c:92b4::3]     tcp                         22</programlisting>
         </listitem>
       </varlistentry>
 

docs/LennyToSqueeze.xml

@@ -21,6 +21,8 @@
     <copyright>
       <year>2009</year>
 
+      <year>2010</year>
+
       <holder>Thomas M. Eastep</holder>
     </copyright>
 
@@ -38,11 +40,11 @@
   <section>
     <title>Introduction</title>
 
-    <para>Debian Lenny includes Shorewall version 4.0.15 while Squeeze will
-    soon include Shorewall 4.4. Because there are significant differences
-    between the two product versions, some users may experience upgrade
-    issues. This article outlines those issues and offers advice for dealing
-    with them.</para>
+    <para>Debian Lenny includes Shorewall version 4.0.15 while Squeeze
+    includes Shorewall 4.4. Because there are significant differences between
+    the two product versions, some users may experience upgrade issues. This
+    article outlines those issues and offers advice for dealing with
+    them.</para>
 
     <note>
       <para>Although this article is targeted specifically at Lenny -&gt;
@@ -354,7 +356,7 @@
           <term>SAVE_IPSETS</term>
 
           <listitem>
-            <para>Shorewall 4.4 will issue a warning if you set
+            <para>Shorewall 4.4.0-4.4.5 will issue a warning if you set
             SAVE_IPSETS=Yes in <filename>shorewall.conf</filename>:</para>
 
             <para><emphasis role="bold">WARNING SAVE_IPSETS=Yes is not
@@ -896,57 +898,32 @@ insert_rule $filter_table-&gt;{OUTPUT},     1, "-p udp --sport 1701 -j ACCEPT";
       Shorewall configuration file, the name must be preceded by a plus sign
       (+) as with the shell-based compiler.</para>
 
-      <para>Shorewall 4.4 is out of the ipset load/reload business with the
-      exception of ipsets used for dynamic zones. With scripts generated by
-      Shorwall 4.4, the Netfilter rule set is never cleared. That means that
-      there is no opportunity for Shorewall to load/reload your ipsets since
-      that cannot be done while there are any current rules using
-      ipsets.</para>
+      <para>Shorewall 4.4.6 re-introduced SAVE_IPSETS=Yes with slightly
+      different semantics:</para>
 
-      <para>So:</para>
-
-      <orderedlist numeration="upperroman">
+      <itemizedlist>
         <listitem>
-          <para>Your ipsets must be loaded before Shorewall starts. You are
-          free to try to do that with the following code in
-          <filename>/etc/shorewall/init (it works for me; your mileage may
-          vary)</filename>:</para>
-
-          <programlisting>if [ "$COMMAND" = start ]; then
-    ipset -U :all: :all:
-    ipset -U :all: :default:
-    ipset -F
-    ipset -X
-    ipset -R &lt; /etc/shorewall/ipsets
-fi</programlisting>
-
-          <para>The file <filename>/etc/shorewall/ipsets</filename> will
-          normally be produced using the <command>ipset -S</command> command.
-          I have this in my<filename> /etc/shorewall/stop</filename>
-          file:</para>
-
-          <programlisting>if ipset -S &gt; /etc/shorewall/ipsets.tmp; then
-    mv -f /etc/shorewall/ipsets /etc/shorewall/ipsets.bak
-    mv /etc/shorewall/ipsets.tmp /etc/shorewall/ipsets
-fi</programlisting>
-
-          <para>The above extension scripts will work most of the time but
-          will fail in a <command>shorewall stop</command> -
-          <command>shorewall start</command> sequence if you use ipsets in
-          your routestopped file (see <link
-          linkend="routestopped">below</link>).</para>
+          <para>The contents of the ipsets are saved during processing of the
+          <command>stop</command> command in addition to during processing of
+          the <command>save</command> command.</para>
         </listitem>
 
         <listitem>
-          <para>Your ipsets may not be reloaded until Shorewall is stopped or
-          cleared.</para>
+          <para>The contents of the ipsets are restored during processing of
+          the <command>start</command> command in addition to during
+          processing of the <command>restore</command> command. When
+          <command>restore</command> is being run when Shorewall is not in the
+          stopped state (such as when it is run to recover from a failed
+          <command>start</command>, <command>restart</command> or
+          <command>refresh</command>) ipsets are not restored.</para>
         </listitem>
 
         <listitem>
-          <para>If you specify ipsets in your routestopped file then Shorewall
-          must be cleared in order to reload your ipsets.</para>
+          <para>Specifying an ipset in <ulink
+          url="manpages/shorewall-routestopped.html">shorewall-routestopped
+          </ulink>(5) is prohibited when SAVE_IPSETS=Yes.</para>
         </listitem>
-      </orderedlist>
+      </itemizedlist>
     </section>
   </section>
 

docs/Manpages.xml

@@ -5,7 +5,7 @@
   <!--$Id: template.xml 5908 2007-04-12 23:04:36Z teastep $-->
 
   <articleinfo>
-    <title>Shorewall 4.3 Manpages</title>
+    <title>Shorewall 4.4/4.5 Manpages</title>
 
     <authorgroup>
       <author>
@@ -137,6 +137,13 @@
         url="manpages/shorewall-tcdevices.html">tcdevices</ulink> - Specify
         speed of devices for traffic shaping.</member>
 
+        <member><ulink
+        url="manpages/shorewall-tcinterfaces.html">tcinterfaces</ulink> -
+        Specify devices for simplified traffic shaping.</member>
+
+        <member><ulink url="manpages/shorewall-tcpri.html">tcpri</ulink> -
+        Classify traffic for simplified traffic shaping.</member>
+
         <member><ulink url="manpages/shorewall-tcrules.html">tcrules</ulink> -
         Define packet marking rules, usually for traffic shaping.</member>
 

docs/Manpages6.xml

@@ -5,7 +5,7 @@
   <!--$Id: template.xml 5908 2007-04-12 23:04:36Z teastep $-->
 
   <articleinfo>
-    <title>Shorewall6 4.3 Manpages</title>
+    <title>Shorewall6 4.4/4.5 Manpages</title>
 
     <authorgroup>
       <author>
@@ -122,6 +122,13 @@
         url="manpages6/shorewall6-tcdevices.html">tcdevices</ulink> - Specify
         speed of devices for traffic shaping.</member>
 
+        <member><ulink
+        url="manpages6/shorewall6-tcinterfaces.html">tcinterfaces</ulink> -
+        Specify interfaces for simplified traffic shaping.</member>
+
+        <member><ulink url="manpages6/shorewall6-tcpri.html">tcpri</ulink> -
+        Classify traffic for simplified traffic shaping.</member>
+
         <member><ulink url="manpages6/shorewall6-tcrules.html">tcrules</ulink>
         - Define packet marking rules, usually for traffic shaping.</member>
 

docs/MultiISP.xml

@@ -1140,8 +1140,8 @@ gateway:~ #</programlisting>Note that because we used a priority of 1000, the
 
         <listitem>
           <para>Packets are sent through the main routing table by a routing
-          rule with priority 999. In ), the priority range 1-998 may be used
-          for inserting rules that bypass the main table.</para>
+          rule with priority 999. The priority range 1-998 may be used for
+          inserting rules that bypass the main table.</para>
         </listitem>
 
         <listitem>

docs/Shorewall-perl.xml

@@ -361,23 +361,27 @@ insert_rule $filter_table->{OUTPUT},     1, "-p udp --sport 1701 -j ACCEPT";
           used in a Shorewall configuration file, the name must be preceded by
           a plus sign (+) as with the shell-based compiler.</para>
 
-          <para>Shorewall is now out of the ipset load/reload business with
-          the exception of ipsets used for dynamic zones. With scripts
-          generated by the Perl-based Compiler, the Netfilter rule set is
-          never cleared. That means that there is no opportunity for Shorewall
-          to load/reload your ipsets since that cannot be done while there are
-          any current rules using ipsets.</para>
+          <para>From Shorewall-perl 4.0.0 - Shorewall 4.4.5, Shorewall was out
+          of the ipset load/reload business with the exception of ipsets used
+          for dynamic zones:</para>
 
-          <para>So:</para>
+          <blockquote>
+            <para>With scripts generated by the Perl-based Compiler, the
+            Netfilter rule set is never cleared. That means that there is no
+            opportunity for Shorewall to load/reload your ipsets since that
+            cannot be done while there are any current rules using
+            ipsets.</para>
 
-          <orderedlist numeration="upperroman">
-            <listitem>
-              <para>Your ipsets must be loaded before Shorewall starts. You
-              are free to try to do that with the following code in
-              <filename>/etc/shorewall/init (it works for me; your mileage may
-              vary)</filename>:</para>
+            <para>So:</para>
 
-              <programlisting>if [ "$COMMAND" = start ]; then
+            <orderedlist numeration="upperroman">
+              <listitem>
+                <para>Your ipsets must be loaded before Shorewall starts. You
+                are free to try to do that with the following code in
+                <filename>/etc/shorewall/init (it works for me; your mileage
+                may vary)</filename>:</para>
+
+                <programlisting>if [ "$COMMAND" = start ]; then
     ipset -U :all: :all:
     ipset -U :all: :default:
     ipset -F
@@ -385,37 +389,43 @@ insert_rule $filter_table-&gt;{OUTPUT},     1, "-p udp --sport 1701 -j ACCEPT";
     ipset -R &lt; /etc/shorewall/ipsets
 fi</programlisting>
 
-              <para>The file <filename>/etc/shorewall/ipsets</filename> will
-              normally be produced using the <command>ipset -S</command>
-              command. I have this in my<filename>
-              /etc/shorewall/stop</filename> file:</para>
+                <para>The file <filename>/etc/shorewall/ipsets</filename> will
+                normally be produced using the <command>ipset -S</command>
+                command. I have this in my<filename>
+                /etc/shorewall/stop</filename> file:</para>
 
-              <programlisting>if ipset -S &gt; /etc/shorewall/ipsets.tmp; then
+                <programlisting>if ipset -S &gt; /etc/shorewall/ipsets.tmp; then
     mv -f /etc/shorewall/ipsets /etc/shorewall/ipsets.bak
     mv /etc/shorewall/ipsets.tmp /etc/shorewall/ipsets
 fi</programlisting>
 
-              <para>The above extension scripts will work most of the time but
-              will fail in a <command>shorewall stop</command> -
-              <command>shorewall start</command> sequence if you use ipsets in
-              your routestopped file (see below).</para>
-            </listitem>
+                <para>The above extension scripts will work most of the time
+                but will fail in a <command>shorewall stop</command> -
+                <command>shorewall start</command> sequence if you use ipsets
+                in your routestopped file (see below).</para>
+              </listitem>
 
-            <listitem>
-              <para>Your ipsets may not be reloaded until Shorewall is stopped
-              or cleared.</para>
-            </listitem>
+              <listitem>
+                <para>Your ipsets may not be reloaded until Shorewall is
+                stopped or cleared.</para>
+              </listitem>
 
-            <listitem>
-              <para>If you specify ipsets in your routestopped file then
-              Shorewall must be cleared in order to reload your ipsets.</para>
-            </listitem>
-          </orderedlist>
+              <listitem>
+                <para>If you specify ipsets in your routestopped file then
+                Shorewall must be cleared in order to reload your
+                ipsets.</para>
+              </listitem>
+            </orderedlist>
 
-          <para>As a consequence, scripts generated by the Perl-based compiler
-          will ignore <filename>/etc/shorewall/ipsets</filename> and will
-          issue a warning if you set SAVE_IPSETS=Yes in
-          <filename>shorewall.conf</filename>.</para>
+            <para>As a consequence, scripts generated by the Perl-based
+            compiler will ignore <filename>/etc/shorewall/ipsets</filename>
+            and will issue a warning if you set SAVE_IPSETS=Yes in
+            <filename>shorewall.conf</filename>.</para>
+          </blockquote>
+
+          <para>Beginning with Shorewall 4.4.6 (and 4.5.3), SAVE_IPSETS=Yes is
+          once again supported. See <ulink
+          url="manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
         </listitem>
 
         <listitem>

docs/Shorewall_Squid_Usage.xml

@@ -285,4 +285,40 @@ ACCEPT    loc      $FW    tcp      8080
 ACCEPT    $FW      net    tcp      80,443</programlisting></para>
     </example>
   </section>
+
+  <section id="TPROXY">
+    <title>Transparent with TPROXY</title>
+
+    <para>Shorewall 4.4.7 contains support for TPROXY. TPROXY differs from
+    REDIRECT in that it does not modify the IP header. Because the IP header
+    stays intact, TPROXY requires policy routing to direct the packets to the
+    proxy server running on the firewall. This approach requires TPROXY
+    support in your kernel and iptables and Squid 3. See <ulink
+    url="http://wiki.squid-cache.org/Features/Tproxy4">http://wiki.squid-cache.org/Features/Tproxy4</ulink>.</para>
+
+    <para>The following configuration works with Squid running on the firewall
+    itself.</para>
+
+    <para><filename>/etc/shorewall/interfaces:</filename></para>
+
+    <programlisting>#ZONE        INTERFACE        BROADCAST         OPTIONS
+-            lo               -                 -</programlisting>
+
+    <para><filename>/etc/shorewall/providers</filename>:</para>
+
+    <programlisting>#NAME   NUMBER   MARK    DUPLICATE  INTERFACE  GATEWAY         OPTIONS               COPY
+Tproxy    1        1        -           lo        -            local</programlisting>
+
+    <para><filename>/etc/shorewall/tcrules</filename> (assume Z interface is
+    eth1):</para>
+
+    <programlisting>MARK            SOURCE      DEST        PROTO      PORT(S)
+TPROXY(1,3128)  eth1        0.0.0.0/0   tcp        80</programlisting>
+
+    <para>/etc/shorewall/rules:</para>
+
+    <programlisting>#ACTION   SOURCE   DEST   PROTO   DEST PORT(S)
+ACCEPT    Z        $FW    tcp     SP
+ACCEPT    $FW      net    tcp     80</programlisting>
+  </section>
 </article>

docs/Shorewall_and_Aliased_Interfaces.xml

@@ -64,12 +64,13 @@ eth0:0    Link encap:Ethernet  HWaddr 02:00:08:3:FA:55
     </example>
 
     <para>The ifconfig utility is being gradually phased out in favor of the
-    ip utility which is part of the <emphasis>iproute</emphasis> package. The
-    ip utility does not use the concept of aliases or virtual interfaces but
-    rather treats additional addresses on an interface as objects in their own
-    right. The ip utility does provide for interaction with ifconfig in that
-    it allows addresses to be <emphasis>labeled</emphasis> where these labels
-    take the form of ipconfig virtual interfaces.</para>
+    <firstterm>ip</firstterm> utility which is part of the
+    <emphasis>iproute</emphasis> package. The ip utility does not use the
+    concept of aliases or virtual interfaces but rather treats additional
+    addresses on an interface as objects in their own right. The ip utility
+    does provide for interaction with ifconfig in that it allows addresses to
+    be <emphasis>labeled</emphasis> where these labels take the form of
+    ipconfig virtual interfaces.</para>
 
     <example id="ip">
       <title>ip</title>
@@ -150,6 +151,11 @@ iface eth0 inet static
     In the sub-sections that follow, we'll take a look at common
     scenarios.</para>
 
+    <note>
+      <para>The examples in the following sub-sections assume that the local
+      network is 192.168.1.0/24.</para>
+    </note>
+
     <section id="Rules">
       <title>Separate Rules</title>
 
@@ -186,7 +192,7 @@ DNAT      net        loc:192.168.1.3      tcp        80             -         20
       <filename>/etc/shorewall/masq</filename>:</para>
 
       <programlisting>#INTERFACE             SUBNET          ADDRESS
-eth0                   eth1            206.124.146.178</programlisting>
+eth0                   192.168.1.0/24  206.124.146.178</programlisting>
 
       <para>Shorewall can create the alias (additional address) for you if you
       set ADD_SNAT_ALIASES=Yes in
@@ -204,16 +210,15 @@ eth0                   eth1            206.124.146.178</programlisting>
       the INTERFACE column as follows.</para>
 
       <para><filename>/etc/shorewall/masq</filename><programlisting>#INTERFACE              SUBNET         ADDRESS
-eth0:0                  eth1           206.124.146.178</programlisting></para>
-
-      <para>Shorewall can also set up SNAT to round-robin over a range of IP
-      addresses. To do that, you specify a range of IP addresses in the
-      ADDRESS column. If you specify a label in the INTERFACE column,
-      Shorewall will use that label for the first address of the range and
-      will increment the label by one for each subsequent label.</para>
+eth0:0                  192.168.1.0/24 206.124.146.178</programlisting>Shorewall
+      can also set up SNAT to round-robin over a range of IP addresses. To do
+      that, you specify a range of IP addresses in the ADDRESS column. If you
+      specify a label in the INTERFACE column, Shorewall will use that label
+      for the first address of the range and will increment the label by one
+      for each subsequent label.</para>
 
       <para><filename>/etc/shorewall/masq</filename><programlisting>#INTERFACE               SUBNET         ADDRESS
-eth0:0                   eth1           206.124.146.178-206.124.146.180</programlisting></para>
+eth0:0                   192.168.1.0/24 206.124.146.178-206.124.146.180</programlisting></para>
 
       <para>The above would create three IP addresses:</para>
 

docs/blacklisting_support.xml

@@ -156,8 +156,13 @@ ipset -B Blacklist 206.124.146.177 -b SMTP</programlisting>
   <section id="Dynamic">
     <title>Dynamic Blacklisting</title>
 
-    <para>Dynamic blacklisting doesn't use any configuration parameters but is
-    rather controlled using /sbin/shorewall[-lite] commands:</para>
+    <para>Beginning with Shorewall 4.4.7, dynamic blacklisting is enabled by
+    setting DYNAMIC_BLACKLIST=Yes in <filename>shorewall.conf</filename>.
+    Prior to that release, the feature is always enabled.</para>
+
+    <para>Once enabled, dynamic blacklisting doesn't use any configuration
+    parameters but is rather controlled using /sbin/shorewall[-lite]
+    commands:</para>
 
     <itemizedlist>
       <listitem>

docs/bridge-Shorewall-perl.xml

@@ -62,8 +62,8 @@
 
       <listitem>
         <para>As a consequence of the first difference, routers can be
-        connected to more than one IP network while a bridge may be part of
-        only a single network.</para>
+        connected to more than one IP network while a bridge/firewall may be
+        part of only a single network (see below).</para>
       </listitem>
 
       <listitem>
@@ -650,7 +650,7 @@ br0             192.168.1.0/24  routeback
     port to have a unique name. The <option>physical</option> interface option
     was added in Shorewall 4.4.4 to work around this problem. The above
     configuration may be defined using the following in
-    <filename>/etc/shorewall/interfaces</filename>: </para>
+    <filename>/etc/shorewall/interfaces</filename>:</para>
 
     <programlisting>       #ZONE            INTERFACE       BROADCAST       OPTIONS
        world            br0             -               bridge

docs/configuration_file_basics.xml

@@ -5,7 +5,7 @@
   <!--$Id$-->
 
   <articleinfo>
-    <title>Configuration Files</title>
+    <title>Configuration Files Tips and Tricks</title>
 
     <authorgroup>
       <author>
@@ -222,7 +222,14 @@
 
         <listitem>
           <para><filename>/usr/share/modules</filename> — Specifies the kernel
-          modules to be loaded during shorewall start/restart . .</para>
+          modules to be loaded during shorewall start/restart.</para>
+        </listitem>
+
+        <listitem>
+          <para><filename>/usr/share/helpers</filename> — Added in Shorewall
+          4.4.7. Specifies the kernel modules to be loaded during shorewall
+          start/restart when LOAD_HELPERS_ONLY=Yes in
+          <filename>shorewall.conf</filename>.</para>
         </listitem>
       </itemizedlist></para>
 
@@ -697,9 +704,9 @@ SHELL cat /etc/shorewall/rules.d/*.rules</programlisting></para>
     </orderedlist>
 
     <note>
-      <para>Only the $VAR and ${VAR} forms of variable expansion are
-      supported. You may not use the more exotic forms supported by the shell
-      ($VAR, ${VAR}, ${VAR:=val}, ...)</para>
+      <para>Within your configuration files, only the $VAR and ${VAR} forms of
+      variable expansion are supported. You may not use the more exotic forms
+      supported by the shell (${VAR:=val}, ${VAR:-val}, ...)</para>
     </note>
   </section>
 

docs/dhcp.xml

@@ -26,6 +26,8 @@
 
       <year>2005</year>
 
+      <year>2010</year>
+
       <holder>Thomas M. Eastep</holder>
     </copyright>
 
@@ -85,8 +87,8 @@
         <para>Specify the <quote>dhcp</quote> option for this interface in the
         <ulink
         url="manpages/shorewall-interfaces.html"><filename>/etc/shorewall/interfaces</filename></ulink>
-        file. This will generate rules that will allow DHCP to and from
-        your firewall system.</para>
+        file. This will generate rules that will allow DHCP to and from your
+        firewall system.</para>
       </listitem>
 
       <listitem>
@@ -131,8 +133,8 @@
         <para>Specify the <quote>dhcp</quote> option for the bridge interface
         in the <ulink
         url="manpages/shorewall-interfaces.html"><filename>/etc/shorewall/interfaces</filename></ulink>
-        file. This will generate rules that will allow DHCP to and from
-        your firewall system as well as through the bridge.</para>
+        file. This will generate rules that will allow DHCP to and from your
+        firewall system as well as through the bridge.</para>
       </listitem>
     </itemizedlist>
   </section>
@@ -148,6 +150,16 @@
         relayed.</para>
       </listitem>
 
+      <listitem>
+        <para>Allow UDP ports 67 and 68 ("67:68") between the client zone and
+        the server zone:</para>
+
+        <programlisting>#ACTION        SOURCE        DEST        PROTO       DEST
+#                                                    PORT(S)
+ACCEPT         ZONEA         ZONEB       udp         67:68
+ACCEPT         ZONEB         ZONEA       udp         67:68</programlisting>
+      </listitem>
+
       <listitem>
         <para>If the server is configured with 'ping-check' true, then you
         must <ulink url="ping.htm">allow 'ping'</ulink> from the server's zone

docs/shorewall_extension_scripts.xml

@@ -124,9 +124,9 @@
       </listitem>
 
       <listitem>
-        <para><filename>refresh</filename> -- invoked while the firewall is
-        being refreshed but before the blacklst chains have been
-        rebuilt.</para>
+        <para><filename>refresh</filename> -- called in place of
+        <filename>init</filename> when the firewall is being refreshed rather
+        than started or restarted.</para>
       </listitem>
 
       <listitem>

docs/simple_traffic_shaping.xml

@@ -0,0 +1,247 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<article>
+  <!--$Id$-->
+
+  <articleinfo>
+    <title>Simple Traffic Shaping/Control</title>
+
+    <authorgroup>
+      <author>
+        <firstname>Tom</firstname>
+
+        <surname>Eastep</surname>
+      </author>
+    </authorgroup>
+
+    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
+
+    <copyright>
+      <year>2009</year>
+
+      <year>2010</year>
+
+      <holder>Thomas M. Eastep</holder>
+    </copyright>
+
+    <legalnotice>
+      <para>Permission is granted to copy, distribute and/or modify this
+      document under the terms of the GNU Free Documentation License, Version
+      1.2 or any later version published by the Free Software Foundation; with
+      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      Texts. A copy of the license is included in the section entitled
+      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
+      License</ulink></quote>.</para>
+    </legalnotice>
+  </articleinfo>
+
+  <section>
+    <title>Introduction</title>
+
+    <para>Traffic shaping and control was originally introduced into Shorewall
+    in version 2.2.5. That facility was based on Arne Bernin's
+    <firstterm>tc4shorewall</firstterm> and is generally felt to be complex
+    and difficult to use.</para>
+
+    <para>In Shorewall 4.4.6, a second traffic shaping facility that is simple
+    to understand and to configure was introduced. This newer facility is
+    described in this document while the original facility is documented in
+    <ulink url="traffic_shaping.htm">Complex Traffic
+    Shaping/Control</ulink>.</para>
+  </section>
+
+  <section>
+    <title>Enabling Simple Traffic Shaping</title>
+
+    <para>Simple traffic shaping is enabled by setting TC_ENABLED=Simple in
+    <ulink url="manpages/shorewall.conf.html">shorewall.conf</ulink>(5). You
+    then add an entry for your external interface to <ulink
+    url="manpages/shorewall-tcinterfaces.html">shorewall-tcinterfaces</ulink>(5)
+    (<filename>/etc/shorewall/tcinterfaces</filename>).</para>
+
+    <para>Assuming that your external interface is eth0:</para>
+
+    <programlisting>#INTERFACE             TYPE          IN-BANDWIDTH
+eth0                   External</programlisting>
+
+    <note>
+      <para>If you experience an error such as the following during
+      <command>shorewall start</command> or <command>shorewall
+      restart</command>, your kernel and iproute do not support the <emphasis
+      role="bold">flow</emphasis> classifier. In that case, you must leave the
+      TYPE column empty (or specify '-').</para>
+
+      <programlisting>Unknown filter "flow", hence option "hash" is unparsable
+   ERROR: Command "tc filter add dev eth0 protocol all prio 1 parent 11: handle 11 flow hash keys nfct-src divisor 1024" Failed</programlisting>
+
+      <para>RHEL5-based systems such as <trademark>CentOS</trademark> 5 and
+      <trademark>Foobar</trademark> 5 are known to experience this
+      error.</para>
+
+      <para><emphasis role="bold">Update</emphasis>: Beginning with Shorewall
+      4.4.7, Shorewall can determine that some environments, such as RHEL5 and
+      derivatives, are incapable of using the TYPE parameter and simply ignore
+      it.</para>
+    </note>
+
+    <para>With this simple configuration, packets to be sent through interface
+    eth0 will be assigned to a priority band based on the value of their TOS
+    field:</para>
+
+    <programlisting>TOS     Bits  Means                    Linux Priority    BAND
+------------------------------------------------------------
+0x0     0     Normal Service           0 Best Effort     2
+0x2     1     Minimize Monetary Cost   1 Filler          3
+0x4     2     Maximize Reliability     0 Best Effort     2
+0x6     3     mmc+mr                   0 Best Effort     2
+0x8     4     Maximize Throughput      2 Bulk            3
+0xa     5     mmc+mt                   2 Bulk            3
+0xc     6     mr+mt                    2 Bulk            3
+0xe     7     mmc+mr+mt                2 Bulk            3
+0x10    8     Minimize Delay           6 Interactive     1
+0x12    9     mmc+md                   6 Interactive     1
+0x14    10    mr+md                    6 Interactive     1
+0x16    11    mmc+mr+md                6 Interactive     1
+0x18    12    mt+md                    4 Int. Bulk       2
+0x1a    13    mmc+mt+md                4 Int. Bulk       2
+0x1c    14    mr+mt+md                 4 Int. Bulk       2
+0x1e    15    mmc+mr+mt+md             4 Int. Bulk       2</programlisting>
+
+    <para>When dequeueing, band 1 is tried first and only if it did not
+    deliver a packet does the system try band 2, and so onwards. Maximum
+    reliability packets should therefore go to band 1, minimum delay to band 2
+    and the rest to band 3.</para>
+
+    <note>
+      <para>If you run both an IPv4 and an IPv6 firewall on your system, you
+      should define each interface in only one of the two
+      configurations.</para>
+    </note>
+  </section>
+
+  <section>
+    <title>Customizing Simple Traffic Shaping</title>
+
+    <para>The default mapping of TOS to bands can be changed using the
+    TC_PRIOMAP setting in <ulink
+    url="manpages/shorewall.conf.html">shorewall.conf</ulink>(5). The default
+    setting of this option is:</para>
+
+    <programlisting>TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"</programlisting>
+
+    <para>These entries map Linux Priority to priority BAND. So only entries
+    0, 1, 2, 4 and 6 in the map are relevant to TOS-&gt;BAND mapping.</para>
+
+    <para>Further customizations can be defined in <ulink
+    url="manpages/shorewall-tcpri.html">shorewall-tcpri</ulink>(5)
+    (<filename>/etc/shorewall/tcpri</filename>). Using that file, you
+    can:</para>
+
+    <orderedlist>
+      <listitem>
+        <para>Assign traffic entering the firewall on a particular interface
+        to a specific priority band:</para>
+
+        <programlisting>#BAND         PROTO         PORT(S)         ADDRESS             INTERFACE        HELPER
+2               -             -                -                eth1</programlisting>
+
+        <para>In this example, traffic from eth1 will be assigned to priority
+        band 2.</para>
+
+        <note>
+          <para>When an INTERFACE is specified, the PROTO, PORT(S) and ADDRESS
+          column must contain '-'.</para>
+        </note>
+      </listitem>
+
+      <listitem>
+        <para>Assign traffic from a particular IP address to a specific
+        priority band:</para>
+
+        <programlisting>#BAND         PROTO         PORT(S)         ADDRESS             INTERFACE        HELPER
+1               -             -             192.168.1.44</programlisting>
+
+        <para>In this example, traffic from 192.168.1.44 will be assigned to
+        priority band 1.</para>
+
+        <note>
+          <para>When an ADDRESS is specified, the PROTO, PORT(S) and INTERFACE
+          columns must be empty.</para>
+        </note>
+      </listitem>
+
+      <listitem>
+        <para>Assign traffic to/from a particular application to a specific
+        priority band:</para>
+
+        <programlisting>#BAND         PROTO         PORT(S)         ADDRESS             INTERFACE        HELPER
+1             udp           1194</programlisting>
+
+        <para>In that example, OpenVPN traffic is assigned to priority band
+        1.</para>
+      </listitem>
+
+      <listitem>
+        <para>Assign traffic that uses a particular Netfilter helper to a
+        particular priority band:</para>
+
+        <programlisting>#BAND         PROTO         PORT(S)         ADDRESS             INTERFACE        HELPER
+1               -             -             -                   -                sip</programlisting>
+
+        <para>In this example, SIP and associated RTP traffic will be assigned
+        to priority band 1 (assuming that the nf_conntrack_sip helper is
+        loaded).</para>
+      </listitem>
+    </orderedlist>
+
+    <para>It is suggested that entries specifying an INTERFACE be placed at
+    the top of the file. That way, the band assigned to a particular packet
+    will be the <emphasis role="bold">last</emphasis> entry matched by the
+    packet. Packets which match no entry in <ulink
+    url="manpages/shorewall-tcpri.html">shorewall-tcpri</ulink>(5) are
+    assigned to priority bands using their TOS field as previously
+    described.</para>
+
+    <para>One cause of high latency on interactive traffic can be that queues
+    are building up at your ISP's gateway router. If you suspect that is
+    happening in your case, you can try to eliminate the problem by using the
+    IN-BANDWIDTH setting in <ulink
+    url="manpages/shorewall-tcinterfaces.html">shorewall-tcinterfaces</ulink>(5).
+    The contents of the column are a <replaceable>rate</replaceable>. For
+    defining the rate, use <emphasis role="bold">kbit</emphasis> or <emphasis
+    role="bold">kbps</emphasis> (for Kilobytes per second) and make sure there
+    is NO space between the number and the unit (it is 100kbit not 100 kbit).
+    <emphasis role="bold">mbit</emphasis>, <emphasis
+    role="bold">mbps</emphasis> or a raw number (which means bytes) can be
+    used, but note that only integer numbers are supported (0.5 is not valid).
+    To pick an appropriate setting, we recommend that you start by setting
+    IN-BANDWIDTH significantly below your measured download bandwidth (20% or
+    so). While downloading, measure the ping response time from the firewall
+    to the upstream router as you gradually increase the setting. The optimal
+    setting is at the point beyond which the ping time increases sharply as
+    you increase the setting.</para>
+
+    <para>Simple Traffic Shaping is only appropriate on interfaces where
+    output queuing occurs. As a consequence, you usually only use it on
+    extermal interfaces. There are cases where you may need to use it on an
+    internal interface (a VPN interface, for example). If so, just add an
+    entry to <ulink
+    url="manpages/shorewall-tcinterfaces.html">shorewall-tcinterfaces</ulink>(5):</para>
+
+    <programlisting>#INTERFACE             TYPE          IN-BANDWIDTH
+tun0                   Internal</programlisting>
+  </section>
+
+  <section>
+    <title>Additional Reading</title>
+
+    <para>The PRIO(8) (tc-prio) manpage has additional information on the
+    facility that Shorewall Simple Traffic Shaping is based on.</para>
+
+    <caution>
+      <para>Please note that Shorewall numbers the bands 1-3 whereas PRIO(8)
+      refers to them as bands 0-2.</para>
+    </caution>
+  </section>
+</article>

docs/standalone.xml

@@ -458,7 +458,7 @@ root@lists:~# </programlisting>
     <itemizedlist>
       <listitem>
         <para>Debian and its derivatives log Netfilter messages to
-        <filename>/var/log/daemon.log</filename>.</para>
+        <filename>/var/log/kern.log</filename>.</para>
       </listitem>
 
       <listitem>
@@ -487,6 +487,37 @@ root@lists:~# </programlisting>
     </important>
   </section>
 
+  <section id="Modules">
+    <title>Kernel Module Loading</title>
+
+    <para>Beginning in Shorewall 4.4.7,
+    <filename>/etc/shorewall/shorewall.conf</filename> contains a
+    LOAD_HELPERS_ONLY option which is set to <option>Yes</option> in the
+    samples. This causes Shorewall to attempt to load the modules listed in
+    <filename>/usr/share/shorewall/helpers</filename>. In addition, it sets
+    <emphasis role="bold">sip_direct_media=0</emphasis> when loading the
+    nf_conntrack_sip module. That setting is somewhat less secure than
+    <emphasis role="bold">sip_direct_media=1</emphasis>, but it generally
+    makes VOIP through the firewall work much better.</para>
+
+    <para>The modules in <filename>/usr/share/shorewall/helpers</filename> are
+    those that are not autoloaded. If your kernel does not support module
+    autoloading and you want Shorewall to attempt to load all netfilter
+    modules that it might require, then set LOAD_HELPERS_ONLY=No. That will
+    cause Shorewall to try to load the modules listed in
+    <filename>/usr/share/shorewall/modules</filename>. That file does not set
+    <emphasis role="bold">sip_direct_media=0</emphasis>.</para>
+
+    <para>If you need to modify either
+    <filename>/usr/share/shorewall/helpers</filename> or
+    <filename>/usr/share/shorewall/modules</filename> then copy the file to
+    <filename>/etc/shorewall</filename> and modify the copy.</para>
+
+    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
+
+    <para>Modify the setting of LOAD_HELPER_ONLY as necessary.</para>
+  </section>
+
   <section id="Open">
     <title>Enabling other Connections</title>
 

docs/three-interface.xml

@@ -726,7 +726,7 @@ root@lists:~# </programlisting>
     <itemizedlist>
       <listitem>
         <para>Debian and its derivatives log Netfilter messages to
-        <filename>/var/log/daemon.log</filename>.</para>
+        <filename>/var/log/kern.log</filename>.</para>
       </listitem>
 
       <listitem>
@@ -755,6 +755,37 @@ root@lists:~# </programlisting>
     </important>
   </section>
 
+  <section id="Modules">
+    <title>Kernel Module Loading</title>
+
+    <para>Beginning in Shorewall 4.4.7,
+    <filename>/etc/shorewall/shorewall.conf</filename> contains a
+    LOAD_HELPERS_ONLY option which is set to <option>Yes</option> in the
+    samples. This causes Shorewall to attempt to load the modules listed in
+    <filename>/usr/share/shorewall/helpers</filename>. In addition, it sets
+    <emphasis role="bold">sip_direct_media=0</emphasis> when loading the
+    nf_conntrack_sip module. That setting is somewhat less secure than
+    <emphasis role="bold">sip_direct_media=1</emphasis>, but it generally
+    makes VOIP through the firewall work much better.</para>
+
+    <para>The modules in <filename>/usr/share/shorewall/helpers</filename> are
+    those that are not autoloaded. If your kernel does not support module
+    autoloading and you want Shorewall to attempt to load all netfilter
+    modules that it might require, then set LOAD_HELPERS_ONLY=No. That will
+    cause Shorewall to try to load the modules listed in
+    <filename>/usr/share/shorewall/modules</filename>. That file does not set
+    <emphasis role="bold">sip_direct_media=0</emphasis>.</para>
+
+    <para>If you need to modify either
+    <filename>/usr/share/shorewall/helpers</filename> or
+    <filename>/usr/share/shorewall/modules</filename> then copy the file to
+    <filename>/etc/shorewall</filename> and modify the copy.</para>
+
+    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
+
+    <para>Modify the setting of LOAD_HELPER_ONLY as necessary.</para>
+  </section>
+
   <section id="DNAT">
     <title>Port Forwarding (DNAT)</title>
 

docs/traffic_shaping.xml

@@ -5,7 +5,7 @@
   <!--$Id$-->
 
   <articleinfo>
-    <title>Traffic Shaping/Control</title>
+    <title>Complex Traffic Shaping/Control</title>
 
     <authorgroup>
       <author>
@@ -93,6 +93,14 @@
   <section id="Intro">
     <title>Introduction</title>
 
+    <para>Beginning with Shorewall 4.4.6, Shorewall includes two separate
+    implementations of traffic shaping. This document describes the original
+    implementation which is complex and difficult to configure. A much simpler
+    version is described in <ulink role="bold"
+    url="simple_traffic_shaping.html">Simple Traffic Shaping/Control</ulink>
+    and is highly recommended unless you really need to delay certain traffic
+    passing through your firewall.</para>
+
     <para>Shorewall has builtin support for traffic shaping and control. This
     support does not cover all options available (and especially all
     algorithms that can be used to queue traffic) in the Linux kernel but it
@@ -183,6 +191,13 @@
         url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5) ). You
         assign packet marks to different types of traffic using entries in the
         <filename>/etc/shorewall/tcrules</filename> file.</para>
+
+        <note>
+          <para>In Shorewall 4.5.0, WIDE_TC_MARKS was superseded by TC_BITS
+          which specifies the width in bits of the traffic shaping mark field.
+          The default is based on the setting of WIDE_TC_MARKS so as to
+          provide upward compatibility.</para>
+        </note>
       </listitem>
     </orderedlist>
 
@@ -479,6 +494,13 @@ ppp0           6000kbit         500kbit</programlisting>
           if the device specified in the INTERFACE column has the <emphasis
           role="bold">classify</emphasis> option in
           <filename>/etc/shorewall/tcdevices</filename>.</para>
+
+          <note>
+            <para>In Shorewall 4.5.0, WIDE_TC_MARKS was superseded by TC_BITS
+            which specifies the width in bits of the traffic shaping mark
+            field. The default is based on the setting of WIDE_TC_MARKS so as
+            to provide upward compatibility.</para>
+          </note>
         </listitem>
 
         <listitem>
@@ -647,7 +669,7 @@ ppp0           6000kbit         500kbit</programlisting>
               <emphasis>before SNAT</emphasis> as the key.</para>
 
               <note>
-                <para> Shorewall cannot determine ahead of time if the flow
+                <para>Shorewall cannot determine ahead of time if the flow
                 classifier is available in your kernel (especially if it was
                 built into the kernel as opposed to being loaded as a module).
                 Consequently, you should check ahead of time to ensure that
@@ -669,7 +691,7 @@ ppp0           6000kbit         500kbit</programlisting>
 
    ...</programlisting>
 
-                <para> If 'flow' is not supported, you will see:</para>
+                <para>If 'flow' is not supported, you will see:</para>
 
                 <programlisting>   Unknown filter "flow", hence option "help" is unparsable</programlisting>
 
@@ -696,7 +718,7 @@ ppp0           6000kbit         500kbit</programlisting>
 
                 <para>For modularized kernels, Shorewall will attempt to load
                 <filename>/lib/modules/&lt;kernel-version&gt;/net/sched/cls_flow.ko</filename>
-                by default. </para>
+                by default.</para>
               </note>
             </listitem>
 
@@ -808,12 +830,21 @@ ppp0           6000kbit         500kbit</programlisting>
           <para>MARK or CLASSIFY - MARK specifies the mark value is to be
           assigned in case of a match. This is an integer in the range 1-255
           (1-16383 if you set WIDE_TC_MARKS=Yes in <ulink
-          url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5) ).
-          This value may be optionally followed by <quote>:</quote> and either
-          <quote>F</quote>, <quote>P</quote> or "T" to designate that the
-          marking will occur in the FORWARD, PREROUTING or POSTROUTING chains
-          respectively. If this additional specification is omitted, the chain
-          used to mark packets will be determined as follows:</para>
+          url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5)
+          ).</para>
+
+          <note>
+            <para>In Shorewall 4.5.0, WIDE_TC_MARKS was superseded by TC_BITS
+            which specifies the width in bits of the traffic shaping mark
+            field. The default is based on the setting of WIDE_TC_MARKS so as
+            to provide upward compatibility.</para>
+          </note>
+
+          <para>This value may be optionally followed by <quote>:</quote> and
+          either <quote>F</quote>, <quote>P</quote> or "T" to designate that
+          the marking will occur in the FORWARD, PREROUTING or POSTROUTING
+          chains respectively. If this additional specification is omitted,
+          the chain used to mark packets will be determined as follows:</para>
 
           <itemizedlist>
             <listitem>
@@ -1446,17 +1477,13 @@ IPMARK(src,0xff,0x10100):F 192.168.1.0/29 eth0</programlisting>
         <title>Configuration to replace Wondershaper</title>
 
         <para>You are able to fully replace the wondershaper script by using
-        the buitin traffic control.You can find example configuration files at
-        <ulink
-        url="http://www1.shorewall.net/pub/shorewall/Samples/tc4shorewall/">"http://www1.shorewall.net/pub/shorewall/Samples/tc4shorewall/</ulink>.
-        Please note that they are just examples and need to be adjusted to
-        work for you. In this example it is assumed that your interface for
-        your Internet connection is ppp0 (for DSL), if you use another
-        connection type, you have to change it. You also need to change the
-        settings in the tcdevices.wondershaper file to reflect your line
-        speed. The relevant lines of the config files follow here. Please note
-        that this is just a 1:1 replacement doing exactly what wondershaper
-        should do. You are free to change it...</para>
+        the buitin traffic control.. In this example it is assumed that your
+        interface for your Internet connection is ppp0 (for DSL), if you use
+        another connection type, you have to change it. You also need to
+        change the settings in the tcdevices.wondershaper file to reflect your
+        line speed. The relevant lines of the config files follow here. Please
+        note that this is just a 1:1 replacement doing exactly what
+        wondershaper should do. You are free to change it...</para>
 
         <section id="realtcd">
           <title>tcdevices file</title>

docs/two-interface.xml

@@ -678,7 +678,7 @@ root@lists:~# </programlisting>
     <itemizedlist>
       <listitem>
         <para>Debian and its derivatives log Netfilter messages to
-        <filename>/var/log/daemon.log</filename>.</para>
+        <filename>/var/log/kern.log</filename>.</para>
       </listitem>
 
       <listitem>
@@ -707,6 +707,37 @@ root@lists:~# </programlisting>
     </important>
   </section>
 
+  <section id="Modules">
+    <title>Kernel Module Loading</title>
+
+    <para>Beginning in Shorewall 4.4.7,
+    <filename>/etc/shorewall/shorewall.conf</filename> contains a
+    LOAD_HELPERS_ONLY option which is set to <option>Yes</option> in the
+    samples. This causes Shorewall to attempt to load the modules listed in
+    <filename>/usr/share/shorewall/helpers</filename>. In addition, it sets
+    <emphasis role="bold">sip_direct_media=0</emphasis> when loading the
+    nf_conntrack_sip module. That setting is somewhat less secure than
+    <emphasis role="bold">sip_direct_media=1</emphasis>, but it generally
+    makes VOIP through the firewall work much better.</para>
+
+    <para>The modules in <filename>/usr/share/shorewall/helpers</filename> are
+    those that are not autoloaded. If your kernel does not support module
+    autoloading and you want Shorewall to attempt to load all netfilter
+    modules that it might require, then set LOAD_HELPERS_ONLY=No. That will
+    cause Shorewall to try to load the modules listed in
+    <filename>/usr/share/shorewall/modules</filename>. That file does not set
+    <emphasis role="bold">sip_direct_media=0</emphasis>.</para>
+
+    <para>If you need to modify either
+    <filename>/usr/share/shorewall/helpers</filename> or
+    <filename>/usr/share/shorewall/modules</filename> then copy the file to
+    <filename>/etc/shorewall</filename> and modify the copy.</para>
+
+    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
+
+    <para>Modify the setting of LOAD_HELPER_ONLY as necessary.</para>
+  </section>
+
   <section id="DNAT">
     <title>Port Forwarding (DNAT)</title>
 

manpages/shorewall-interfaces.xml

@@ -233,7 +233,9 @@ loc     eth2            -</programlisting>
               <term><emphasis role="bold">bridge</emphasis></term>
 
               <listitem>
-                <para>Designates the interface as a bridge.</para>
+                <para>Designates the interface as a bridge. Beginning with
+                Shorewall 4.4.7, setting this option also sets
+                <option>routeback</option>.</para>
               </listitem>
             </varlistentry>
 

manpages/shorewall-masq.xml

@@ -32,8 +32,10 @@
     </warning>
 
     <warning>
-      <para>If you have more than one ISP, adding entries to this file will
-      *not* force connections to go out through a particular ISP. You must use
+      <para>If you have more than one ISP link, adding entries to this file
+      will <emphasis role="bold">not</emphasis> force connections to go out
+      through a particular link. You must use entries in <ulink
+      url="shorewall-route_rules.html">shorewall-route_rules</ulink>(5) or
       PREROUTING entries in <ulink
       url="shorewall-tcrules.html">shorewall-tcrules</ulink>(5) to do
       that.</para>
@@ -72,8 +74,8 @@
 
           <para>Where <ulink
           url="http://www.shorewall.net/4.4/MultiISP.html#Shared">more that
-          one internet providers shares a single interface</ulink>, the
-          provider is specified by including the provider name or number in
+          one internet provider share a single interface</ulink>, the provider
+          is specified by including the provider name or number in
           parentheses:</para>
 
           <programlisting>        eth0(Avvanta)</programlisting>

manpages/shorewall-tcdevices.xml

@@ -44,7 +44,7 @@
 
         <variablelist>
           <varlistentry>
-            <term><emphasis role="bold">kpbs</emphasis></term>
+            <term><emphasis role="bold">kbps</emphasis></term>
 
             <listitem>
               <para>Kilobytes per second.</para>

manpages/shorewall-tcinterfaces.xml

@@ -0,0 +1,166 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<refentry>
+  <refmeta>
+    <refentrytitle>shorewall-tcinterfaces</refentrytitle>
+
+    <manvolnum>5</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>tcinterfaces</refname>
+
+    <refpurpose>Shorewall file</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>/etc/shorewall/tcinterfaces</command>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>Description</title>
+
+    <para>This file lists the interfaces that are subject to simple traffic
+    shaping. Simple traffic shaping is enabled by setting TC_ENABLED=Simple in
+    <ulink url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
+
+    <para>A note on the <emphasis>bandwidth</emphasis> definition used in this
+    file:</para>
+
+    <itemizedlist>
+      <listitem>
+        <para>don't use a space between the integer value and the unit: 30kbit
+        is valid while 30 kbit is not.</para>
+      </listitem>
+
+      <listitem>
+        <para>you can use one of the following units:</para>
+
+        <variablelist>
+          <varlistentry>
+            <term><emphasis role="bold">kbps</emphasis></term>
+
+            <listitem>
+              <para>Kilobytes per second.</para>
+            </listitem>
+          </varlistentry>
+
+          <varlistentry>
+            <term><emphasis role="bold">mbps</emphasis></term>
+
+            <listitem>
+              <para>Megabytes per second.</para>
+            </listitem>
+          </varlistentry>
+
+          <varlistentry>
+            <term><emphasis role="bold">kbit</emphasis></term>
+
+            <listitem>
+              <para>Kilobits per second.</para>
+            </listitem>
+          </varlistentry>
+
+          <varlistentry>
+            <term><emphasis role="bold">mbit</emphasis></term>
+
+            <listitem>
+              <para>Megabits per second.</para>
+            </listitem>
+          </varlistentry>
+
+          <varlistentry>
+            <term><emphasis role="bold">bps</emphasis> or <emphasis
+            role="bold">number</emphasis></term>
+
+            <listitem>
+              <para>Bytes per second.</para>
+            </listitem>
+          </varlistentry>
+        </variablelist>
+      </listitem>
+
+      <listitem>
+        <para>Only whole integers are allowed.</para>
+      </listitem>
+    </itemizedlist>
+
+    <para>The columns in the file are as follows.</para>
+
+    <variablelist>
+      <varlistentry>
+        <term><emphasis role="bold">INTERFACE</emphasis></term>
+
+        <listitem>
+          <para>The logical name of an interface. If you run both IPv4 and
+          IPv6 Shorewall firewalls, a given interface should only be listed in
+          one of the two configurations.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">TYPE</emphasis> - [<emphasis
+        role="bold">external</emphasis>|<emphasis
+        role="bold">internal</emphasis>]</term>
+
+        <listitem>
+          <para>Optional. If given specifies whether the interface is
+          <emphasis role="bold">external</emphasis> (facing toward the
+          Internet) or <emphasis role="bold">internal</emphasis> (facing
+          toward a local network) and enables SFQ flow classification.</para>
+
+          <note>
+            <para>Simple traffic shaping is only useful on interfaces where
+            queuing occurs. As a consequence, internal interfaces seldom
+            benefit from simple traffic shaping. VPN interfaces are an
+            exception because the encapsulated packets are later transferred
+            over a slower external link.</para>
+          </note>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>IN-BANDWIDTH - [<replaceable>rate</replaceable>]</term>
+
+        <listitem>
+          <para>Optional. If specified, enables ingress policing on the
+          interface. If incoming traffic exceeds the given
+          <replaceable>rate</replaceable>, received packets are dropped
+          randomly. With some DSL and Cable links, large queues can build up
+          in the ISP's gateway router. While this insures maximum throughput,
+          it kills interactive response time. By setting IN-BANDWIDTH, you can
+          eliminate these queues.</para>
+
+          <para>To pick an appropriate setting, we recommend that you start by
+          setting it significantly below your measured download bandwidth (20%
+          or so). While downloading, measure the ping response time from the
+          firewall to the upstream router as you gradually increase the
+          setting.The optimal setting is at the point beyond which the ping
+          time increases sharply as you increase the setting.</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1>
+    <title>FILES</title>
+
+    <para>/etc/shorewall/tcinterfaces.</para>
+  </refsect1>
+
+  <refsect1>
+    <title>See ALSO</title>
+
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+    shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+    shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall.conf(5), shorewall-tcpri(5), shorewall-tcrules(5),
+    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
+  </refsect1>
+</refentry>

manpages/shorewall-tcpri.xml

@@ -0,0 +1,159 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<refentry>
+  <refmeta>
+    <refentrytitle>shorewall-tcpri</refentrytitle>
+
+    <manvolnum>5</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>tcpri</refname>
+
+    <refpurpose>Shorewall file</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>/etc/shorewall/tcpri</command>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>Description</title>
+
+    <para>This file is used to specify the priority of traffic for simple
+    traffic shaping (TC_ENABLED=Simple in <ulink
+    url="shorewall.conf.html">shorewall.conf</ulink>(5)). The priority band of
+    each packet is determined by the <emphasis role="bold">last</emphasis>
+    entry that the packet matches. If a packet doesn't match any entry in this
+    file, then its priority will be determined by its TOS field. The default
+    mapping is as follows but can be changed by setting the TC_PRIOMAP option
+    in <ulink url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
+
+    <programlisting>TOS     Bits  Means                    Linux Priority    BAND
+------------------------------------------------------------
+0x0     0     Normal Service           0 Best Effort     2
+0x2     1     Minimize Monetary Cost   1 Filler          3
+0x4     2     Maximize Reliability     0 Best Effort     2
+0x6     3     mmc+mr                   0 Best Effort     2
+0x8     4     Maximize Throughput      2 Bulk            3
+0xa     5     mmc+mt                   2 Bulk            3
+0xc     6     mr+mt                    2 Bulk            3
+0xe     7     mmc+mr+mt                2 Bulk            3
+0x10    8     Minimize Delay           6 Interactive     1
+0x12    9     mmc+md                   6 Interactive     1
+0x14    10    mr+md                    6 Interactive     1
+0x16    11    mmc+mr+md                6 Interactive     1
+0x18    12    mt+md                    4 Int. Bulk       2
+0x1a    13    mmc+mt+md                4 Int. Bulk       2
+0x1c    14    mr+mt+md                 4 Int. Bulk       2
+0x1e    15    mmc+mr+mt+md             4 Int. Bulk       2</programlisting>
+
+    <para>The columns in the file are as follows.</para>
+
+    <variablelist>
+      <varlistentry>
+        <term><emphasis role="bold">BAND</emphasis> - {<emphasis
+        role="bold">1</emphasis>|<emphasis role="bold">2</emphasis>|<emphasis
+        role="bold">3</emphasis>}</term>
+
+        <listitem>
+          <para>Classifies matching traffic as High Priority (1), Medium
+          Priority (2) or Low Priority (3). For those interfaces listed in
+          <ulink
+          url="shorewall-tcinterfaces.html">shorewall-tcinterfaces</ulink>(5),
+          Priority 2 traffic will be deferred so long and there is Priority 1
+          traffic queued and Priority 3 traffic will be deferred so long as
+          there is Priority 1 or Priority 2 traffic to send.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">PROTO</emphasis> -
+        <replaceable>protocol</replaceable></term>
+
+        <listitem>
+          <para>Optional. The name or number of an IPv4
+          <replaceable>protocol</replaceable>.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>PORT(S) - <replaceable>port</replaceable> [,...]</term>
+
+        <listitem>
+          <para>Optional. May only be given if the the PROTO is tcp (6) or udp
+          (17). A list of one or more port numbers or service names from
+          /etc/services. Port ranges of the form
+          <replaceable>lowport</replaceable>:<replaceable>highport</replaceable>
+          may also be included.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>ADDRESS - [<replaceable>address</replaceable>]</term>
+
+        <listitem>
+          <para>Optional. The IP or MAC address that the traffic originated
+          from. MAC addresses must be given in Shorewall format. If this
+          column contains an address, then the PROTO, PORT(S) and INTERFACE
+          column must be empty ("-").</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>INTERFACE - [<replaceable>interface</replaceable>]</term>
+
+        <listitem>
+          <para>Optional. The logical name of an
+          <replaceable>interface</replaceable> that traffic arrives from. If
+          given, the PROTO, PORT(S) and ADDRESS columns must be empty
+          ("-").</para>
+
+          <note>
+            <para>INTERFACE classification of packets occurs before
+            classification by PROTO/PORT(S)/ADDRESS. So it is highly
+            recommended to place entries that specify INTERFACE at the top of
+            the file so that the rule about <emphasis>last entry
+            matches</emphasis> is preserved.</para>
+          </note>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">HELPER</emphasis> -
+        [<replaceable>helper</replaceable>]</term>
+
+        <listitem>
+          <para>Optional. Names a Netfiler protocol helper module such as ftp,
+          sip, amanda, etc. A packet will match if it was accepted by the
+          named helper module. You can also append "-" and a port number to
+          the helper module name (e.g., ftp-21) to specify the port number
+          that the original connection was made on.</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1>
+    <title>FILES</title>
+
+    <para>/etc/shorewall/tcpri</para>
+  </refsect1>
+
+  <refsect1>
+    <title>See ALSO</title>
+
+    <para>PRIO(8), shorewall(8), shorewall-accounting(5),
+    shorewall-actions(5), shorewall-blacklist(5), shorewall-hosts(5),
+    shorewall-interfaces(5), shorewall-ipsec(5), shorewall-maclist(5),
+    shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
+    shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
+    shorewall-proxyarp(5), shorewall-route_rules(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
+    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
+  </refsect1>
+</refentry>

manpages/shorewall.conf.xml

@@ -169,6 +169,19 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">ACCOUNTING=</emphasis>[<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.4.7. If set to Yes, Shorewall accounting
+          is enabled (see <ulink
+          url="shorewall-accounting.html">shorewall-accounting</ulink>(5)). If
+          not specified or set to the empty value, ACCOUNTING=Yes is
+          assumed.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">ADD_IP_ALIASES=</emphasis>[<emphasis
         role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
@@ -462,20 +475,21 @@
         role="bold">DONT_LOAD=</emphasis>[<emphasis>module</emphasis>[,<emphasis>module</emphasis>]...]</term>
 
         <listitem>
-          <para>Added in Shorewall-4.0.6. Causes Shorewall to not load the
-          listed modules.</para>
+          <para>Causes Shorewall to not load the listed kernel modules.</para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">DYNAMIC_ZONES=</emphasis>{<emphasis
+        <term><emphasis role="bold">DYNAMIC_BLACKLIST=</emphasis>{<emphasis
         role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
 
         <listitem>
-          <para>When set to <emphasis role="bold">Yes</emphasis> or <emphasis
-          role="bold">yes</emphasis>, enables dynamic zones. DYNAMIC_ZONES=Yes
-          is not allowed in configurations that will run under Shorewall
-          Lite.</para>
+          <para>Added in Shorewall 4.4.7. When set to <emphasis
+          role="bold">No</emphasis> or <emphasis role="bold">no</emphasis>,
+          dynamic blacklisting using the <command>shorewall drop</command>,
+          <command>shorewall reject</command>, <command>shorewall
+          logdrop</command> and <command>shorewall logreject</command> is
+          disabled. Default is <emphasis role="bold">Yes</emphasis>.</para>
         </listitem>
       </varlistentry>
 
@@ -514,7 +528,8 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
           variables on the firewall system for use by your extension scripts,
           then do so in the init extension script.</para>
 
-          <para>The default is EXPORTPARAMS=Yes</para>
+          <para>The default is EXPORTPARAMS=Yes which is the recommended
+          setting unless you are using Shorewall Lite.</para>
         </listitem>
       </varlistentry>
 
@@ -554,9 +569,13 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
           url="shorewall-tcrules.html">shorewall-tcrules</ulink>(5) if you had
           a multi-ISP configuration that uses the track option.</para>
 
-          <para>Beginning with release 3.2.0, you may set HIGH_ROUTE_MARKS=Yes
-          in to effectively divide the packet mark and connection mark into
-          two mark fields.</para>
+          <para>You may set HIGH_ROUTE_MARKS=Yes in to effectively divide the
+          packet mark and connection mark into two mark fields.</para>
+
+          <note>
+            <para>From Shorewall 2.5.0 onward, this option is deprecated in
+            favor of the PROVIDER_OFFSET option.</para>
+          </note>
 
           <para>The width of the fields are determined by the setting of
           WIDE_TC_MARKS. If WIDE_TC_MARKS=No (the default):</para>
@@ -745,6 +764,19 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">LOAD_HELPERS_ONLY=</emphasis>{<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.4.7. When set to Yes, restricts the set
+          of modules loaded by shorewall to those listed in
+          /var/lib/shorewall/helpers and those that are actually used. When
+          not set, or set to the empty value, LOAD_HELPERS_ONLY=No is
+          assumed.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">LOG_MARTIANS=</emphasis>[<emphasis
         role="bold">Yes</emphasis>|<emphasis
@@ -1136,24 +1168,116 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">OPTIMIZE=</emphasis>[<emphasis
-        role="bold">0</emphasis>|<emphasis role="bold">1</emphasis>]</term>
+        <term><emphasis
+        role="bold">OPTIMIZE=</emphasis>[<replaceable>value</replaceable>]</term>
 
         <listitem>
-          <para>Traditionally, Shorewall has created rules for <ulink
-          url="../ScalabilityAndPerformance.html">the complete matrix of host
-          groups defined by the zones, interfaces and hosts files</ulink>. Any
-          traffic that didn't correspond to an element of that matrix was
-          rejected in one of the built-in chains. When the matrix is sparse,
-          this results in lots of largely useless rules.</para>
+          <para>The specified <replaceable>value</replaceable> enables certain
+          optimizations. Each optimization category is associated with a power
+          of two. To enable multiple optimization categories, simply add their
+          corresponding numbers together.</para>
 
-          <para>These extra rules can be eliminated by setting
-          OPTIMIZE=1.</para>
+          <itemizedlist>
+            <listitem>
+              <para>Optimization category 1 - Traditionally, Shorewall has
+              created rules for <ulink
+              url="../ScalabilityAndPerformance.html">the complete matrix of
+              host groups defined by the zones, interfaces and hosts
+              files</ulink>. Any traffic that didn't correspond to an element
+              of that matrix was rejected in one of the built-in chains. When
+              the matrix is sparse, this results in lots of largely useless
+              rules.</para>
 
-          <para>The OPTIMIZE setting also controls the suppression of
-          redundant wildcard rules (those specifying "all" in the SOURCE or
-          DEST column). A wildcard rule is considered to be redundant when it
-          has the same ACTION and Log Level as the applicable policy.</para>
+              <para>These extra rules can be eliminated by setting the 1 bit
+              in OPTIMIZE.</para>
+
+              <para>The 1 bit setting also controls the suppression of
+              redundant wildcard rules (those specifying "all" in the SOURCE
+              or DEST column). A wildcard rule is considered to be redundant
+              when it has the same ACTION and Log Level as the applicable
+              policy.</para>
+            </listitem>
+
+            <listitem>
+              <para>Optimization category 2 - Added in Shorewall 4.4.7. When
+              set, suppresses superfluous ACCEPT rules in a policy chain that
+              implements an ACCEPT policy. Any ACCEPT rules that immediately
+              preceed the final blanket ACCEPT rule in the chain are now
+              omitted.</para>
+            </listitem>
+
+            <listitem>
+              <para>Optimization category 4 - Added in Shorewall 4.4.7. When
+              set, causes short chains (those with less than 2 rules) to be
+              optimized away. The following chains are excluded from
+              optimization:</para>
+
+              <itemizedlist>
+                <listitem>
+                  <para>accounting chains (unless
+                  OPTIMIZE_ACCOUNTING=Yes)</para>
+                </listitem>
+
+                <listitem>
+                  <para>action chains (user-defined)</para>
+                </listitem>
+
+                <listitem>
+                  <para>dynamic</para>
+                </listitem>
+
+                <listitem>
+                  <para>forwardUPnP</para>
+                </listitem>
+
+                <listitem>
+                  <para>UPnP (nat table)</para>
+                </listitem>
+              </itemizedlist>
+
+              <para>Additionally:</para>
+
+              <itemizedlist>
+                <listitem>
+                  <para>If a built-in chain has a single rule that branches to
+                  a second chain, then the rules from the second chain are
+                  moved to the built-in chain and the target chain is
+                  omitted.</para>
+                </listitem>
+
+                <listitem>
+                  <para>Chains with no references are deleted.</para>
+                </listitem>
+
+                <listitem>
+                  <para>Accounting chains are subject to optimization if the
+                  OPTIMIZE_ACCOUNTING option is set to 'Yes'.</para>
+                </listitem>
+
+                <listitem>
+                  <para>If a chain ends with an unconditional branch to a
+                  second chain (other than to 'reject'), then the branch is
+                  deleted from the first chain and the rules from the second
+                  chain are appended to it.</para>
+                </listitem>
+              </itemizedlist>
+            </listitem>
+          </itemizedlist>
+
+          <para>The default value is zero which disables all
+          optimizations.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">OPTIMIZE_ACCOUNTING=</emphasis>[<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.4.7. If set to Yes, Shorewall accounting
+          changes are subject to optimization (OPTIMIZE=4,5,6 or 7). If not
+          specified or set to the empty value, OPTIMIZE_ACCOUNTING=No is
+          assumed.</para>
         </listitem>
       </varlistentry>
 
@@ -1291,28 +1415,24 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
 
       <varlistentry>
         <term><emphasis role="bold">ROUTE_FILTER=</emphasis>[<emphasis
-        role="bold">Yes</emphasis>|1|<emphasis
-        role="bold">No|0</emphasis>|2|Keep]</term>
+        role="bold">Yes</emphasis>|<emphasis
+        role="bold">No</emphasis>|Keep]</term>
 
         <listitem>
           <para>If this parameter is given the value <emphasis
           role="bold">Yes</emphasis> or <emphasis role="bold">yes</emphasis>
-          or 1 then route filtering (anti-spoofing) is enabled on all network
+          then route filtering (anti-spoofing) is enabled on all network
           interfaces which are brought up while Shorewall is in the started
           state. The default value is <emphasis
-          role="bold">Keep</emphasis>.</para>
+          role="bold">no</emphasis>.</para>
 
           <para>The value <emphasis role="bold">Keep</emphasis> causes
           Shorewall to ignore the option. If the option is set to <emphasis
-          role="bold">Yes</emphasis> or 1, then route filtering occurs on all
+          role="bold">Yes</emphasis>, then route filtering occurs on all
           interfaces. If the option is set to <emphasis
           role="bold">No</emphasis>, then route filtering is disabled on all
           interfaces except those specified in <ulink
           url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).</para>
-
-          <para>The value 2 is only available with Shorewall 4.4.5.1 and later
-          running on kernel 2.6.31 or later. It specifies a looser form of
-          reverse path filtering than the value Yes (1).</para>
         </listitem>
       </varlistentry>
 
@@ -1321,11 +1441,12 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
         role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
 
         <listitem>
-          <para>If SAVE_IPSETS=Yes, then the current contents of your ipsets
-          will be saved by the <emphasis role="bold">shorewall save</emphasis>
-          command. Regardless of the setting of SAVE_IPSETS, if saved ipset
-          contents are available then they will be restored by <emphasis
-          role="bold">shorewall restore</emphasis>.</para>
+          <para>Re-enabled in Shorewall 4.4.6. If SAVE_IPSETS=Yes, then the
+          current contents of your ipsets will be saved by the <emphasis
+          role="bold">shorewall stop</emphasis> and <emphasis
+          role="bold">shorewall save</emphasis> commands and restored by the
+          <emphasis role="bold">shorewall start</emphasis> and <emphasis
+          role="bold">shorewall restore</emphasis> commands.</para>
         </listitem>
       </varlistentry>
 
@@ -1411,7 +1532,8 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
         <term><emphasis role="bold">TC_ENABLED=</emphasis>[<emphasis
         role="bold">Yes</emphasis>|<emphasis
         role="bold">No</emphasis>|<emphasis
-        role="bold">Internal</emphasis>]</term>
+        role="bold">Internal</emphasis>|<emphasis
+        role="bold">Simple</emphasis>]</term>
 
         <listitem>
           <para>If you say <emphasis role="bold">Yes</emphasis> or <emphasis
@@ -1424,6 +1546,12 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
           role="bold">no</emphasis> then traffic shaping is not
           enabled.</para>
 
+          <para>If you set TC_ENABLED=Simple (Shorewall 4.4.6 and later),
+          simple traffic shaping using <ulink
+          url="shorewall-tcinterfaces.html">shorewall-tcinterfaces</ulink>(5)
+          and <ulink url="shorewall-tcpri.html">shorewall-tcpri</ulink>(5) is
+          enabled.</para>
+
           <para>If you set TC_ENABLED=Internal or internal or leave the option
           empty then Shorewall will use its builtin traffic shaper
           (tc4shorewall written by Arne Bernin.</para>
@@ -1445,6 +1573,24 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis
+        role="bold">TC_PRIOMAP</emphasis>=<emphasis>map</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.4.6. Determines the mapping of a packet's
+          TOS field to priority bands. See <ulink
+          url="shorewall-tcpri.html">shorewall-tcpri</ulink>(5). The
+          <emphasis>map</emphasis> consists of 16 space-separated digits with
+          values 1, 2 or 3. The first entry corresponds to Linux priority 9,
+          the second to Linux priority 1, the third to Linux Priority 2, and
+          so on. See tc-prio(8) for additional information.</para>
+
+          <para>The default setting is TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2
+          2 2".</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis
         role="bold">TCP_FLAGS_DISPOSITION=</emphasis>[<emphasis
@@ -1476,6 +1622,37 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">TRACK_PROVIDERS=</emphasis>{<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.4.3. When set to Yes, causes the
+          <option>track</option> option to be assumed on all providers defined
+          in <ulink
+          url="shorewall-providers.html">shorewall-providers</ulink>(5). May
+          be overridden on an individual provider through use of the
+          <option>notrack</option> option. The default value is 'No'.</para>
+
+          <para>Beginning in Shorewall 4.4.6, setting this option to 'Yes'
+          also simplifies PREROUTING rules in <ulink
+          url="shorewall-tcrules.html">shorewall-tcrules</ulink>(5).
+          Previously, when TC_EXPERT=No, packets arriving through 'tracked'
+          provider interfaces were unconditionally passed to the PREROUTING
+          tcrules. This was done so that tcrules could reset the packet mark
+          to zero, thus allowing the packet to be routed using the 'main'
+          routing table. Using the main table allowed dynamic routes (such as
+          those added for VPNs) to be effective. The route_rules file was
+          created to provide a better alternative to clearing the packet mark.
+          As a consequence, passing these packets to PREROUTING complicates
+          things without providing any real benefit. Beginning with Shorewall
+          4.4.6, when TRACK_PROVIDERS=Yes and TC_EXPERT=No, packets arriving
+          through 'tracked' interfaces will not be passed to the PREROUTING
+          rules. Since TRACK_PROVIDERS was just introduced in 4.4.3, this
+          change should be transparent to most, if not all, users.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">USE_DEFAULT_RT=</emphasis>[<emphasis
         role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
@@ -1576,6 +1753,11 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
           traffic shaping marks are 14 bytes wide (values 1-16383). The
           setting of WIDE_TC_MARKS also has an effect on the HIGH_ROUTE_MARKS
           option (see above).</para>
+
+          <note>
+            <para>From Shorewall 2.5.0 onware, this option is deprecated in
+            favor of the TC_BITS option.</para>
+          </note>
         </listitem>
       </varlistentry>
 
@@ -1607,7 +1789,8 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
     shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
     shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
     shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
-    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
-    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
+    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcinterfaces(5),
+    shorewall-tcpri(5), shorewall-tcrules(5), shorewall-tos(5),
+    shorewall-tunnels(5), shorewall-zones(5)</para>
   </refsect1>
 </refentry>

manpages/shorewall.xml

@@ -60,6 +60,8 @@
 
       <arg><option>-p</option></arg>
 
+      <arg><option>-r</option></arg>
+
       <arg><replaceable>directory</replaceable></arg>
     </cmdsynopsis>
 
@@ -488,6 +490,19 @@
       choice="req"><option>actions|classifiers|connections|config|filters|macros|zones</option></arg>
     </cmdsynopsis>
 
+    <cmdsynopsis>
+      <command>shorewall</command>
+
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>show</option></arg>
+
+      <arg choice="plain"><option>macro</option><arg
+      choice="plain"><replaceable>macro</replaceable></arg></arg>
+    </cmdsynopsis>
+
     <cmdsynopsis>
       <command>shorewall</command>
 
@@ -707,6 +722,10 @@
           <para>The <option>-p</option> option causes the compiler to be
           profiled via the Perl <option>-wd:DProf</option> command-line
           option.</para>
+
+          <para>The <option>-r</option> option was added in Shorewall 4.5.2
+          and causes the compiler to print the generated ruleset to standard
+          out.</para>
         </listitem>
       </varlistentry>
 
@@ -1269,6 +1288,17 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><emphasis role="bold">macro</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.4.6. Displays the file that
+                implements the specified <replaceable>macro</replaceable>
+                (usually
+                <filename>/usr/share/shorewall/macro</filename>.<replaceable>macro</replaceable>).</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis role="bold">mangle</emphasis></term>
 

manpages6/shorewall6-interfaces.xml

@@ -129,7 +129,19 @@ loc     eth2            -</programlisting>
               <term><emphasis role="bold">bridge</emphasis></term>
 
               <listitem>
-                <para>Designates the interface as a bridge.</para>
+                <para>Designates the interface as a bridge. Beginning with
+                Shorewall 4.4.7, setting this option also sets
+                <option>routeback</option>.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">forward</emphasis>[={0|1}]</term>
+
+              <listitem>
+                <para>Sets the /proc/sys/net/ipv6/conf/interface/forwarding
+                option to the specified value. If no value is supplied, then 1
+                is assumed.</para>
               </listitem>
             </varlistentry>
 
@@ -178,7 +190,7 @@ loc     eth2            -</programlisting>
             </varlistentry>
 
             <varlistentry>
-              <term>physical=<emphasis
+              <term><emphasis role="bold">physical</emphasis>=<emphasis
               role="bold"><emphasis>name</emphasis></emphasis></term>
 
               <listitem>
@@ -220,7 +232,7 @@ loc     eth2            -</programlisting>
                 <para>If this option is not specified for an interface, then
                 source-routed packets will not be accepted from that interface
                 (sets
-                /proc/sys/net/ipv6/conf/<emphasis></emphasis>/accept_source_route
+                /proc/sys/net/ipv6/conf/<emphasis>interface</emphasis>/accept_source_route
                 to 1). Only set this option if you know what you are doing.
                 This might represent a security risk and is not usually
                 needed.</para>
@@ -251,7 +263,7 @@ loc     eth2            -</programlisting>
             </varlistentry>
 
             <varlistentry>
-              <term>proxyndp[={0|1}]</term>
+              <term><emphasis role="bold">proxyndp</emphasis>[={0|1}]</term>
 
               <listitem>
                 <para>Sets