Update TRACK_PROVIDER description in the man pages.

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Samples/one-interface/shorewall.conf

@@ -109,13 +109,13 @@ RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 
 IP_FORWARDING=Off
 
-ADD_IP_ALIASES=No
+ADD_IP_ALIASES=Yes
 
 ADD_SNAT_ALIASES=No
 
 RETAIN_ALIASES=No
 
-TC_ENABLED=Internal
+TC_ENABLED=Simple
 
 TC_EXPERT=No
 
@@ -163,11 +163,9 @@ FASTACCEPT=No
 
 IMPLICIT_CONTINUE=No
 
-HIGH_ROUTE_MARKS=No
-
 USE_ACTIONS=Yes
 
-OPTIMIZE=1
+OPTIMIZE=7
 
 EXPORTPARAMS=No
 
@@ -191,19 +189,26 @@ RESTORE_DEFAULT_ROUTE=Yes
 
 AUTOMAKE=No
 
-WIDE_TC_MARKS=Yes
-
 TRACK_PROVIDERS=Yes
 
 ZONE2ZONE=2
 
 ACCOUNTING=Yes
 
-DYNAMIC_BLACKLIST=Yes
-
 OPTIMIZE_ACCOUNTING=No
 
-LOAD_HELPERS_ONLY=Yes
+DYNAMIC_BLACKLIST=Yes
+
+###############################################################################
+# MARK Layout
+###############################################################################
+TC_BITS=8
+
+MASK_BITS=8
+
+PROVIDER_BITS=8
+
+PROVIDER_OFFSET=8
 
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N

Samples/three-interfaces/shorewall.conf

@@ -109,13 +109,13 @@ RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 
 IP_FORWARDING=On
 
-ADD_IP_ALIASES=No
+ADD_IP_ALIASES=Yes
 
 ADD_SNAT_ALIASES=No
 
 RETAIN_ALIASES=No
 
-TC_ENABLED=Internal
+TC_ENABLED=Simple
 
 TC_EXPERT=No
 
@@ -163,11 +163,9 @@ FASTACCEPT=No
 
 IMPLICIT_CONTINUE=No
 
-HIGH_ROUTE_MARKS=No
-
 USE_ACTIONS=Yes
 
-OPTIMIZE=1
+OPTIMIZE=7
 
 EXPORTPARAMS=No
 
@@ -191,19 +189,26 @@ RESTORE_DEFAULT_ROUTE=Yes
 
 AUTOMAKE=No
 
-WIDE_TC_MARKS=Yes
-
 TRACK_PROVIDERS=Yes
 
 ZONE2ZONE=2
 
 ACCOUNTING=Yes
 
-DYNAMIC_BLACKLIST=Yes
-
 OPTIMIZE_ACCOUNTING=No
 
-LOAD_HELPERS_ONLY=Yes
+DYNAMIC_BLACKLIST=Yes
+
+###############################################################################
+# MARK Layout
+###############################################################################
+TC_BITS=8
+
+MASK_BITS=8
+
+PROVIDER_BITS=8
+
+PROVIDER_OFFSET=8
 
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N

Samples/two-interfaces/shorewall.conf

@@ -116,13 +116,13 @@ RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 
 IP_FORWARDING=On
 
-ADD_IP_ALIASES=No
+ADD_IP_ALIASES=Yes
 
 ADD_SNAT_ALIASES=No
 
 RETAIN_ALIASES=No
 
-TC_ENABLED=Internal
+TC_ENABLED=Simple
 
 TC_EXPERT=No
 
@@ -170,11 +170,9 @@ FASTACCEPT=No
 
 IMPLICIT_CONTINUE=No
 
-HIGH_ROUTE_MARKS=No
-
 USE_ACTIONS=Yes
 
-OPTIMIZE=1
+OPTIMIZE=7
 
 EXPORTPARAMS=No
 
@@ -198,19 +196,26 @@ RESTORE_DEFAULT_ROUTE=Yes
 
 AUTOMAKE=No
 
-WIDE_TC_MARKS=Yes
-
 TRACK_PROVIDERS=Yes
 
 ZONE2ZONE=2
 
 ACCOUNTING=Yes
 
-DYNAMIC_BLACKLIST=Yes
-
 OPTIMIZE_ACCOUNTING=No
 
-LOAD_HELPERS_ONLY=Yes
+DYNAMIC_BLACKLIST=Yes
+
+###############################################################################
+# MARK Layout
+###############################################################################
+TC_BITS=8
+
+MASK_BITS=8
+
+PROVIDER_BITS=8
+
+PROVIDER_OFFSET=8
 
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N

Samples6/one-interface/shorewall6.conf

@@ -99,8 +99,6 @@ TC_ENABLED=No
 
 TC_EXPERT=No
 
-TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
-
 CLEAR_TC=Yes
 
 MARK_IN_FORWARD_CHAIN=No
@@ -121,7 +119,7 @@ IMPLICIT_CONTINUE=No
 
 HIGH_ROUTE_MARKS=No
 
-OPTIMIZE=1
+OPTIMIZE=7
 
 EXPORTPARAMS=No
 
@@ -147,13 +145,22 @@ ZONE2ZONE=2
 
 ACCOUNTING=Yes
 
-DYNAMIC_BLACKLIST=Yes
-
 OPTIMIZE_ACCOUNTING=No
 
-LOAD_HELPERS_ONLY=Yes
+DYNAMIC_BLACKLIST=Yes
 
-##############################################################################
+###############################################################################
+# MARK Layout
+###############################################################################
+TC_BITS=8
+
+MASK_BITS=8
+
+PROVIDER_BITS=8
+
+PROVIDER_OFFSET=8
+
+###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
 

Samples6/three-interfaces/shorewall6.conf

@@ -99,8 +99,6 @@ TC_ENABLED=No
 
 TC_EXPERT=No
 
-TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
-
 CLEAR_TC=Yes
 
 MARK_IN_FORWARD_CHAIN=No
@@ -121,7 +119,7 @@ IMPLICIT_CONTINUE=No
 
 HIGH_ROUTE_MARKS=No
 
-OPTIMIZE=1
+OPTIMIZE=7
 
 EXPORTPARAMS=No
 
@@ -147,11 +145,20 @@ ZONE2ZONE=2
 
 ACCOUNTING=Yes
 
-DYNAMIC_BLACKLIST=Yes
-
 OPTIMIZE_ACCOUNTING=No
 
-LOAD_HELPERS_ONLY=Yes
+DYNAMIC_BLACKLIST=Yes
+
+###############################################################################
+# MARK Layout
+###############################################################################
+TC_BITS=8
+
+MASK_BITS=8
+
+PROVIDER_BITS=8
+
+PROVIDER_OFFSET=8
 
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N

Samples6/two-interfaces/shorewall6.conf

@@ -99,8 +99,6 @@ TC_ENABLED=No
 
 TC_EXPERT=No
 
-TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
-
 CLEAR_TC=Yes
 
 MARK_IN_FORWARD_CHAIN=No
@@ -121,7 +119,7 @@ IMPLICIT_CONTINUE=No
 
 HIGH_ROUTE_MARKS=No
 
-OPTIMIZE=1
+OPTIMIZE=7
 
 EXPORTPARAMS=No
 
@@ -147,11 +145,20 @@ ZONE2ZONE=2
 
 ACCOUNTING=Yes
 
-DYNAMIC_BLACKLIST=Yes
-
 OPTIMIZE_ACCOUNTING=No
 
-LOAD_HELPERS_ONLY=Yes
+DYNAMIC_BLACKLIST=Yes
+
+###############################################################################
+# MARK Layout
+###############################################################################
+TC_BITS=8
+
+MASK_BITS=8
+
+PROVIDER_BITS=8
+
+PROVIDER_OFFSET=8
 
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N

Shorewall-lite/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=4.4.7.1
+VERSION=4.5.4
 
 usage() # $1 = exit status
 {

Shorewall-lite/install.sh

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.7.1
+VERSION=4.5.4
 
 usage() # $1 = exit status
 {

Shorewall-lite/shorecap

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2006,2007 - Tom Eastep (teastep@shorewall.net)
 #
 #	This file should be placed in /sbin/shorewall.
 #

Shorewall-lite/shorewall-lite

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2006 - Tom Eastep (teastep@shorewall.net)
 #
 #	This file should be placed in /sbin/shorewall-lite.
 #
@@ -366,14 +366,13 @@ usage() # $1 = exit status
 {
     echo "Usage: $(basename $0) [debug|trace] [nolock] [ -q ] [ -v[-1|{0-2}] ] [ -t ] <command>"
     echo "where <command> is one of:"
-    echo "   add <interface>[:<host-list>] ... <zone>"
     echo "   allow <address> ..."
-    echo "   clear [ -f ]"
-    echo "   delete <interface>[:<host-list>] ... <zone>"
+    echo "   clear"
     echo "   drop <address> ..."
     echo "   dump [ -x ]"
     echo "   forget [ <file name> ]"
     echo "   help"
+    echo "   hits [ -t ]"
     echo "   ipcalc { <address>/<vlsm> | <address> <netmask> }"
     echo "   ipdecimal { <address> | <integer> }"
     echo "   iprange <address>-<address>"
@@ -382,7 +381,7 @@ usage() # $1 = exit status
     echo "   logwatch [<refresh interval>]"
     echo "   reject <address> ..."
     echo "   reset [ <chain> ... ]"
-    echo "   restart [ -n ] [ -p ] [ -f ] [ <directory> ]"
+    echo "   restart [ -n ] [ -p ]"
     echo "   restore [ -n ] [ <file name> ]"
     echo "   save [ <file name> ]"
     echo "   show [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
@@ -390,18 +389,19 @@ usage() # $1 = exit status
     echo "   show classifiers"
     echo "   show config"
     echo "   show connections"
-    echo "   show filters"
+    echo "   show dynamic <zone>"
+    echo "   show filter"
     echo "   show ip"
     echo "   show [ -m ] log"
-    echo "   show [ -x ] mangle|nat|raw|routing"
-    echo "   show policies"
-    echo "   show tc [ device ]"
+    echo "   show [ -x ] mangle|nat|raw"
+    echo "   show routing"
+    echo "   show tc"
     echo "   show vardir"
     echo "   show zones"
-    echo "   start [ -f ] [ -p ] [ <directory> ]"
-    echo "   stop [ -f ]"
+    echo "   start [ -n ] [ -p ]"
+    echo "   stop"
     echo "   status"
-    echo "   version [ -a ]"
+    echo "   version"
     echo
     exit $1
 }

Shorewall-lite/shorewall-lite.spec

@@ -1,6 +1,6 @@
 %define name shorewall-lite
-%define version 4.4.7
-%define release 1
+%define version 4.5.4
+%define release 0base
 
 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -100,27 +100,17 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
-* Sat Feb 13 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-1
-* Thu Feb 11 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0base
-* Tue Feb 02 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0RC2
-* Wed Jan 27 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0RC1
-* Mon Jan 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0Beta4
-* Fri Jan 22 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0Beta3
-* Fri Jan 22 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0Beta2
-* Sun Jan 17 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0Beta1
-* Wed Jan 13 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.6-0base
-* Tue Jan 12 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.6-0Beta1
-* Thu Dec 24 2009 Tom Eastep tom@shorewall.net
+* Fri Jan 08 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.5.4-0base
+* Mon Jan 04 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.5.3-0base
+* Wed Dec 30 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.5.2-0base
+* Sun Dec 27 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.5.1-0base
+* Tue Dec 01 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.5.0-0base
+* Fri Nov 27 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.5-0base
 * Sat Nov 21 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.4-0base

Shorewall-lite/uninstall.sh

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.sourceforge.net
 #
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.7.1
+VERSION=4.5.4
 
 usage() # $1 = exit status
 {

Shorewall/Macros/macro.Forward

@@ -0,0 +1,11 @@
+#
+# Shorewall version 4 - Forward Macro
+#
+# /usr/share/shorewall/macro.Forward
+#
+#	This macro provides an alias for DNAT.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S)	PORT(S)	LIMIT	GROUP
+DNAT

Shorewall/Perl/Shorewall/Accounting.pm

@@ -35,7 +35,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_accounting );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.4.7';
+our $VERSION = '4.5_2';
 
 #
 # Called by the compiler to [re-]initialize this module's state

Shorewall/Perl/Shorewall/Actions.pm

@@ -57,7 +57,7 @@ our @EXPORT = qw( merge_levels
 		  $macro_commands
 		  );
 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.4_7';
+our $VERSION = '4.5_2';
 
 #
 #  Used Actions. Each action that is actually used has an entry with value 1.
@@ -88,6 +88,8 @@ our $family;
 
 our @builtins;
 
+our $oldmacros;
+
 #
 # Commands that can be embedded in a macro file and how many total tokens on the line (0 => unlimited).
 #
@@ -120,6 +122,8 @@ sub initialize( $ ) {
     } else {
 	@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid/;
     }
+
+    $oldmacros = 0;
 }
 
 #
@@ -248,7 +252,9 @@ sub isolate_basic_target( $ ) {
 sub get_target_param( $ ) {
     my ( $target, $param ) = split '/', $_[0];
 
-    unless ( defined $param ) {
+    if ( defined $param ) {
+	warning_message "The form <macro>/<param> is deprecated in favor of <macro>(<param>)" unless $oldmacros++;
+    } else {
 	( $target, $param ) = ( $1, $2 ) if $target =~ /^(.*?)[(](.*)[)]$/;
     }
 
@@ -770,14 +776,10 @@ sub process_action3( $$$$$ ) {
 sub dropBcast( $$$ ) {
     my ($chainref, $level, $tag) = @_;
 
-    if ( have_capability( 'ADDRTYPE' ) ) {
+    if ( $capabilities{ADDRTYPE} ) {
 	if ( $level ne '' ) {
 	    log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
-	    if ( $family == F_IPV4 ) {
-		log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ';
-	    } else {
-		log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d ff00::/10 -j DROP ';
-	    }		
+	    log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ';
 	}
 
 	add_rule $chainref, '-m addrtype --dst-type BROADCAST -j DROP';
@@ -808,7 +810,7 @@ sub dropBcast( $$$ ) {
 sub allowBcast( $$$ ) {
     my ($chainref, $level, $tag) = @_;
 
-    if ( $family == F_IPV4 && have_capability( 'ADDRTYPE' ) ) {
+    if ( $family == F_IPV4 && $capabilities{ADDRTYPE} ) {
 	if ( $level ne '' ) {
 	    log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
 	    log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ';

Shorewall/Perl/Shorewall/Chains.pm

@@ -117,7 +117,6 @@ our %EXPORT_TAGS = (
 				       ensure_filter_chain
 				       finish_section
 				       optimize_chain
-				       check_optimization
 				       optimize_ruleset
 				       setup_zone_mss
 				       newexclusionchain
@@ -174,7 +173,7 @@ our %EXPORT_TAGS = (
 
 Exporter::export_ok_tags('internal');
 
-our $VERSION = '4.4_7';
+our $VERSION = '4.5_3';
 
 #
 # Chain Table
@@ -382,7 +381,7 @@ sub initialize( $ ) {
 # Process a COMMENT line (in $currentline)
 #
 sub process_comment() {
-    if ( have_capability( 'COMMENTS' ) ) {
+    if ( $capabilities{COMMENTS} ) {
 	( $comment = $currentline ) =~ s/^\s*COMMENT\s*//;
 	$comment =~ s/\s*$//;
     } else {
@@ -394,7 +393,7 @@ sub process_comment() {
 # Returns True if there is a current COMMENT or if COMMENTS are not available.
 #
 sub no_comment() {
-    $comment ? 1 : have_capability( 'COMMENTS' ) ? 0 : 1;
+    $comment ? 1 : $capabilities{COMMENTS} ? 0 : 1;
 }
 
 #
@@ -410,7 +409,7 @@ sub clear_comment() {
 sub macro_comment( $ ) {
     my $macro = $_[0];
 
-    $comment = $macro unless $comment || ! ( have_capability( 'COMMENTS' ) && $config{AUTO_COMMENT} );
+    $comment = $macro unless $comment || ! ( $capabilities{COMMENTS} && $config{AUTO_COMMENT} );
 }
 
 #
@@ -641,7 +640,7 @@ sub add_jump( $$$;$$$ ) {
     #
     $toref->{referenced} = 1, add_reference $fromref, $toref if $toref;
 
-    my $param = $goto_ok && $toref && have_capability( 'GOTO_TARGET' ) ? 'g' : 'j';
+    my $param = $goto_ok && $toref && $capabilities{GOTO_TARGET} ? 'g' : 'j';
 
     if ( defined $index ) {
 	assert( ! $expandports );
@@ -1207,7 +1206,7 @@ sub initialize_chain_table()
 	    new_builtin_chain 'mangle', $chain, 'ACCEPT';
 	}
 
-	if ( have_capability( 'MANGLE_FORWARD' ) ) {
+	if ( $capabilities{MANGLE_FORWARD} ) {
 	    for my $chain qw( FORWARD POSTROUTING ) {
 		new_builtin_chain 'mangle', $chain, 'ACCEPT';
 	    }
@@ -1316,7 +1315,7 @@ sub optimize_chain( $ ) {
     
 	pop @$rules;
 
-	pop @$rules, $count++ while @$rules && $rules->[-1] =~ /-j ACCEPT\b/;
+	pop @$rules, $count++ while @$rules && $rules->[-1] =~ /-j ACCEPT/;
 
 	if ( @${rules} ) {
 	    add_rule $chainref, '-j ACCEPT';
@@ -1476,23 +1475,6 @@ sub conditionally_move_rules( $$ ) {
     }
 }
 
-#
-# The passed chain is branched to with a rule containing '-s'. If the chain has any rule that also contains '-s' then
-# mark the chain as "don't optimize".
-#
-sub check_optimization( $ ) {
-
-    if ( $config{OPTIMIZE} & 4 ) {
-	my $chainref = shift;
-
-	for ( @{$chainref->{rules}} ) {
-	    dont_optimize $chainref, return 0 if / -s /;
-	}
-    }
-
-    1;
-}
-
 #
 # Perform Optimization
 #
@@ -1617,7 +1599,7 @@ sub optimize_ruleset() {
 	
 	#
 	# In this loop, we look for chains that end in an unconditional jump. If the target of the jump
-	# is subject to deletion (dont_delete = false), the jump is replaced by target's rules.
+	# is subject to optimization (dont_optimize = false), the jump is replaced by target's rules.
 	#
 	$progress = 1;
 
@@ -1658,7 +1640,7 @@ sub set_mss1( $$ ) {
     my $chainref = ensure_chain 'filter', $chain;
 
     if ( $chainref->{policy} ne 'NONE' ) {
-	my $match = have_capability( 'TCPMSS_MATCH' ) ? "-m tcpmss --mss $mss: " : '';
+	my $match = $capabilities{TCPMSS_MATCH} ? "-m tcpmss --mss $mss: " : '';
 	insert_rule1 $chainref, 0, "-p tcp --tcp-flags SYN,RST SYN ${match}-j TCPMSS --set-mss $mss"
     }
 }
@@ -1848,7 +1830,7 @@ sub do_proto( $$$;$ )
 		    if ( $ports ne '' ) {
 			$invert = $ports =~ s/^!// ? '! ' : '';
 			if ( $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 ) {
-			    fatal_error "Port lists require Multiport support in your kernel/iptables" unless have_capability( 'MULTIPORT' );
+			    fatal_error "Port lists require Multiport support in your kernel/iptables" unless $capabilities{MULTIPORT};
 			    fatal_error "Multiple ports not supported with SCTP" if $proto == SCTP;
 			    fatal_error "A port list in this file may only have up to 15 ports" if $restricted && port_count( $ports ) > 15;
 			    $ports = validate_port_list $pname , $ports;
@@ -1921,7 +1903,7 @@ sub do_proto( $$$;$ )
 		    $options .= " --$_" for split /,/, $ports;
 		}
 
-		$options = have_capability( 'OLD_IPP2P_MATCH' ) ? ' --ipp2p' : ' --edk --kazaa --gnu --dc' unless $options;
+		$options = $capabilities{OLD_IPP2P_MATCH} ? ' --ipp2p' : ' --edk --kazaa --gnu --dc' unless $options;
 
 		$output .= "${proto}-m ipp2p${options} ";
 	    } else {
@@ -2025,7 +2007,7 @@ sub do_ratelimit( $$ ) {
 	require_capability 'HASHLIMIT_MATCH', 'Per-ip rate limiting' , 's';
 
 	my $limit = "-m hashlimit ";
-	my $match = have_capability( 'OLD_HL_MATCH' ) ? 'hashlimit' : 'hashlimit-upto';
+	my $match = $capabilities{OLD_HL_MATCH} ? 'hashlimit' : 'hashlimit-upto';
 
 	if ( $rate =~ /^[sd]:((\w*):)?(\d+(\/(sec|min|hour|day))?):(\d+)$/ ) {
 	    $limit .= "--hashlimit $3 --hashlimit-burst $6 --hashlimit-name ";
@@ -2236,7 +2218,7 @@ sub match_dest_dev( $ ) {
     my $interfaceref =  known_interface( $interface );
     $interface = $interfaceref->{physical} if $interfaceref;
     if ( $interfaceref && $interfaceref->{options}{port} ) {
-	if ( have_capability( 'PHYSDEV_BRIDGE' ) ) {
+	if ( $capabilities{PHYSDEV_BRIDGE} ) {
 	    "-o $interfaceref->{bridge} -m physdev --physdev-is-bridged --physdev-out $interface ";
 	} else {
 	    "-o $interfaceref->{bridge} -m physdev --physdev-out $interface ";
@@ -2255,7 +2237,7 @@ sub iprange_match() {
     require_capability( 'IPRANGE_MATCH' , 'Address Ranges' , '' );
     unless ( $iprangematch ) {
 	$match = '-m iprange ';
-	$iprangematch = 1 unless have_capability( 'KLUDGEFREE' );
+	$iprangematch = 1 unless $capabilities{KLUDGEFREE};
     }
 
     $match;
@@ -2347,11 +2329,11 @@ sub match_orig_dest ( $ ) {
     my $net = $_[0];
 
     return '' if $net eq ALLIP;
-    return '' unless have_capability( 'CONNTRACK_MATCH' );
+    return '' unless $capabilities{CONNTRACK_MATCH};
 
     if ( $net =~ s/^!// ) {
 	validate_net $net, 1;
-	have_capability( 'OLD_CONNTRACK_MATCH' ) ? "-m conntrack --ctorigdst ! $net " : "-m conntrack ! --ctorigdst $net ";
+	$capabilities{OLD_CONNTRACK_MATCH} ? "-m conntrack --ctorigdst ! $net " : "-m conntrack ! --ctorigdst $net ";
     } else {
 	validate_net $net, 1;
 	$net eq ALLIP ? '' : "-m conntrack --ctorigdst $net ";
@@ -2372,7 +2354,7 @@ sub match_ipsec_in( $$ ) {
 
 	if ( $zoneref->{type} eq 'ipsec' ) {
 	    $match .= "ipsec $optionsref->{in_out}{ipsec}$optionsref->{in}{ipsec}";
-	} elsif ( have_ipsec ) {
+	} elsif ( $capabilities{POLICY_MATCH} ) {
 	    $match .= "$hostref->{ipsec} $optionsref->{in_out}{ipsec}$optionsref->{in}{ipsec}";
 	} else {
 	    return '';
@@ -2396,7 +2378,7 @@ sub match_ipsec_out( $$ ) {
 
 	if ( $zoneref->{type} eq 'ipsec' ) {
 	    $match .= "ipsec $optionsref->{in_out}{ipsec}$optionsref->{out}{ipsec}";
-	} elsif ( have_ipsec ) {
+	} elsif ( $capabilities{POLICY_MATCH} ) {
 	    $match .= "$hostref->{ipsec} $optionsref->{in_out}{ipsec}$optionsref->{out}{ipsec}"
 	} else {
 	    return '';
@@ -2817,7 +2799,7 @@ sub get_interface_mac( $$$ ) {
 }
 
 sub have_global_variables() {
-    have_capability( 'ADDRTYPE' ) ? $global_variables : $global_variables | NOT_RESTORE;
+    $capabilities{ADDRTYPE} ? $global_variables : $global_variables | NOT_RESTORE;
 }
 
 #
@@ -2836,7 +2818,7 @@ sub set_global_variables( $ ) {
 	emit $_ for values %interfaceaddrs;
 	emit $_ for values %interfacenets;
 
-	unless ( have_capability( 'ADDRTYPE' ) ) {
+	unless ( $capabilities{ADDRTYPE} ) {
 
 	    if ( $family == F_IPV4 ) {
 		emit 'ALL_BCASTS="$(get_all_bcasts) 255.255.255.255"';
@@ -3080,7 +3062,7 @@ sub expand_rule( $$$$$$$$$$;$ )
     }
 
     if ( $origdest ) {
-	if ( $origdest eq '-' || ! have_capability( 'CONNTRACK_MATCH' ) ) {
+	if ( $origdest eq '-' || ! $capabilities{CONNTRACK_MATCH} ) {
 	    $origdest = '';
 	} elsif ( $origdest =~ /^detect:(.*)$/ ) {
 	    #
@@ -3247,10 +3229,10 @@ sub expand_rule( $$$$$$$$$$;$ )
 	    for my $inet ( mysplit $inets ) {
 		my $source_match;
 
-		$source_match = match_source_net( $inet, $restriction ) if have_capability( 'KLUDGEFREE' );
+		$source_match = match_source_net( $inet, $restriction ) if $capabilities{KLUDGEFREE};
 
 		for my $dnet ( mysplit $dnets ) {
-		    $source_match  = match_source_net( $inet, $restriction ) unless have_capability( 'KLUDGEFREE' );
+		    $source_match  = match_source_net( $inet, $restriction ) unless $capabilities{KLUDGEFREE};
 		    my $dest_match = match_dest_net( $dnet );
 		    my $matches = join( '', $rule, $source_match, $dest_match, $onet );
 
@@ -3401,9 +3383,9 @@ sub create_netfilter_load( $ ) {
 
     my @table_list;
 
-    push @table_list, 'raw'    if have_capability( 'RAW_TABLE' );
-    push @table_list, 'nat'    if have_capability( 'NAT_ENABLED' );
-    push @table_list, 'mangle' if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
+    push @table_list, 'raw'    if $capabilities{RAW_TABLE};
+    push @table_list, 'nat'    if $capabilities{NAT_ENABLED};
+    push @table_list, 'mangle' if $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED};
     push @table_list, 'filter';
 
     $mode = NULL_MODE;
@@ -3503,9 +3485,9 @@ sub preview_netfilter_load() {
 
     my @table_list;
 
-    push @table_list, 'raw'    if have_capability( 'RAW_TABLE' );
-    push @table_list, 'nat'    if have_capability( 'NAT_ENABLED' );
-    push @table_list, 'mangle' if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
+    push @table_list, 'raw'    if $capabilities{RAW_TABLE};
+    push @table_list, 'nat'    if $capabilities{NAT_ENABLED};
+    push @table_list, 'mangle' if $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED};
     push @table_list, 'filter';
 
     $mode = NULL_MODE;
@@ -3575,7 +3557,7 @@ sub create_chainlist_reload($) {
 
     unless ( @chains ) {
 	@chains = qw( blacklst ) if $filter_table->{blacklst};
-	push @chains, 'mangle:' if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
+	push @chains, 'mangle:' if $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED};
 	$chains = join( ',', @chains ) if @chains;
     }
 
@@ -3695,9 +3677,9 @@ sub create_stop_load( $ ) {
 
     my @table_list;
 
-    push @table_list, 'raw'    if have_capability( 'RAW_TABLE' );
-    push @table_list, 'nat'    if have_capability( 'NAT_ENABLED' );
-    push @table_list, 'mangle' if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
+    push @table_list, 'raw'    if $capabilities{RAW_TABLE};
+    push @table_list, 'nat'    if $capabilities{NAT_ENABLED};
+    push @table_list, 'mangle' if $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED};
     push @table_list, 'filter';
 
     my $utility = $family == F_IPV4 ? 'iptables-restore' : 'ip6tables-restore';

Shorewall/Perl/Shorewall/Compiler.pm

@@ -43,7 +43,7 @@ use Shorewall::Raw;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( compiler EXPORT TIMESTAMP DEBUG );
 our @EXPORT_OK = qw( $export );
-our $VERSION = '4.4_7';
+our $VERSION = '4.5_3';
 
 our $export;
 
@@ -334,9 +334,9 @@ sub generate_script_3($) {
     save_progress_message 'Initializing...';
 
     if ( $export ) {
-	my $fn = find_file $config{LOAD_HELPERS_ONLY} ? 'helpers' : 'modules';
+	my $fn = find_file 'modules';
 
-	if ( -f $fn && ! $fn =~ "^$globals{SHAREDIR}/" ) {
+	if ( $fn ne "$globals{SHAREDIR}/modules" && -f $fn ) {
 	    emit 'echo MODULESDIR="$MODULESDIR" > ${VARDIR}/.modulesdir';
 	    emit 'cat > ${VARDIR}/.modules << EOF';
 	    open_file $fn;
@@ -434,7 +434,7 @@ sub generate_script_3($) {
 	       ''
 	     );
 
-	if ( have_capability( 'NAT_ENABLED' ) ) {
+	if ( $capabilities{NAT_ENABLED} ) {
 	    emit(  'if [ -f ${VARDIR}/nat ]; then',
 		   '    while read external interface; do',
 		   '        del_ip_addr $external $interface',
@@ -629,11 +629,11 @@ sub compiler {
     #
     get_configuration( $export );
 
-    report_capabilities unless $config{LOAD_HELPERS_ONLY};
+    report_capabilities;
 
     require_capability( 'MULTIPORT'       , "Shorewall $globals{VERSION}" , 's' );
     require_capability( 'RECENT_MATCH'    , 'MACLIST_TTL' , 's' )           if $config{MACLIST_TTL};
-    require_capability( 'XCONNMARK'       , 'HIGH_ROUTE_MARKS=Yes' , 's' )  if $config{PROVIDER_OFFSET} > 0;
+    require_capability( 'XCONNMARK'       , 'PROVIDER_OFFSET > 0' , 's' )   if $config{PROVIDER_OFFSET};
     require_capability( 'MANGLE_ENABLED'  , 'Traffic Shaping' , 's'      )  if $config{TC_ENABLED};
 
     if ( $scriptfilename ) {
@@ -773,7 +773,7 @@ sub compiler {
 	#
 	# ECN
 	#
-	setup_ecn if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
+	setup_ecn if $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED};
 	#
 	# Setup Masquerading/SNAT
 	#

Shorewall/Perl/Shorewall/Config.pm

@@ -101,7 +101,6 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       ensure_config_path
 				       get_configuration
 				       require_capability
-				       have_capability
 				       report_capabilities
 				       propagateconfig
 				       append_file
@@ -109,6 +108,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       run_user_exit1
 				       run_user_exit2
 				       generate_aux_config
+				       is_bridge
 
 				       $product
 				       $Product
@@ -118,6 +118,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       $currentline
 				       %config
 				       %globals
+				       %capabilities
 
 		                       F_IPV4
 		                       F_IPV6
@@ -128,7 +129,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 
 Exporter::export_ok_tags('internal');
 
-our $VERSION = '4.4_7';
+our $VERSION = '4.5_3';
 
 #
 # describe the current command, it's present progressive, and it's completion.
@@ -189,7 +190,7 @@ our %config;
 #
 # Config options and global settings that are to be copied to output script
 #
-our @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR MODULE_SUFFIX LOAD_HELPERS_ONLY SUBSYSLOCK /;
+our @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR MODULE_SUFFIX SUBSYSLOCK /;
 #
 # From parsing the capabilities file or detecting capabilities
 #
@@ -245,7 +246,6 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 PERSISTENT_SNAT => 'Persistent SNAT',
 		 OLD_HL_MATCH    => 'Old Hash Limit Match',
 		 TPROXY_TARGET   => 'TPROXY Target',
-		 FLOW_FILTER     => 'Flow Classifier',
 		 CAPVERSION      => 'Capability Version',
 		 KERNELVERSION   => 'Kernel Version',
 	       );
@@ -281,11 +281,6 @@ our $toolNAME;                # Tool name in CAPS
 our $product;                 # Name of product that will run the generated script
 our $Product;                 # $product with initial cap.
 
-our $sillyname;               # Name of temporary filter chains for testing capabilities
-our $sillyname1;
-our $iptables;                # Path to iptables/ip6tables
-our $tc;                      # Path to tc
-
 use constant { MIN_VERBOSITY => -1,
 	       MAX_VERBOSITY => 2 ,
 	       F_IPV4 => 4,
@@ -325,7 +320,6 @@ sub initialize( $ ) {
     $indent        = '';       # Current total indentation
     ( $dir, $file ) = ('',''); # Script's Directory and Filename
     $tempfile = '';            # Temporary File Name
-    $sillyname = '';           # Temporary ipchain
 
     #
     # Misc Globals
@@ -333,12 +327,13 @@ sub initialize( $ ) {
     %globals  =   ( SHAREDIR => '/usr/share/shorewall' ,
 		    SHAREDIRPL => '/usr/share/shorewall/' ,
 		    CONFDIR =>  '/etc/shorewall',
+		    ORIGINAL_POLICY_MATCH => '',
 		    LOGPARMS => '',
 		    TC_SCRIPT => '',
 		    EXPORT => 0,
 		    UNTRACKED => 0,
-		    VERSION => "4.4.7.1",
-		    CAPVERSION => 40407 ,
+		    VERSION => "4.5.4",
+		    CAPVERSION => 40503 ,
 		  );
 
     #
@@ -455,7 +450,6 @@ sub initialize( $ ) {
 	      ACCOUNTING => undef,
 	      OPTIMIZE_ACCOUNTING => undef,
 	      DYNAMIC_BLACKLIST => undef,
-	      LOAD_HELPERS_ONLY => undef,
 	      #
 	      # Packet Disposition
 	      #
@@ -575,7 +569,6 @@ sub initialize( $ ) {
 	      ACCOUNTING => undef,
 	      OPTIMIZE_ACCOUNTING => undef,
 	      DYNAMIC_BLACKLIST => undef,
-	      LOAD_HELPERS_ONLY => undef,
 	      #
 	      # Packet Disposition
 	      #
@@ -606,7 +599,7 @@ sub initialize( $ ) {
 		         LOGMARK => 'LOGMARK' );
     }
     #
-    # From parsing the capabilities file or capabilities detection
+    # From parsing the capabilities file
     #
     %capabilities =
 	     ( NAT_ENABLED => undef,
@@ -655,7 +648,6 @@ sub initialize( $ ) {
 	       LOG_TARGET => 1,         # Assume that we have it.
 	       PERSISTENT_SNAT => undef,
 	       OLD_HL_MATCH => undef,
-	       FLOW_FILTER => 'default',
 	       CAPVERSION => undef,
 	       KERNELVERSION => undef,
 	       );
@@ -735,21 +727,6 @@ sub cleanup() {
     unlink ( $tempfile ), $tempfile = undef             if $tempfile;
     unlink ( $perlscriptname ), $perlscriptname = undef if $perlscriptname;
     unlink ( @tempfiles ), @tempfiles = ()              if @tempfiles;
-    #
-    # Delete temporary chains
-    #
-    if ( $sillyname ) {
-	#
-	# We went through determine_capabilities()
-	#
-	qt1( "$iptables -F $sillyname" );
-	qt1( "$iptables -X $sillyname" );
-	qt1( "$iptables -F $sillyname1" );
-	qt1( "$iptables -X $sillyname1" );
-	qt1( "$iptables -t mangle -F $sillyname" );
-	qt1( "$iptables -t mangle -X $sillyname" );
-	$sillyname = '';
-    }
 }
 
 #
@@ -1984,7 +1961,7 @@ sub load_kernel_modules( ) {
 
     my @moduledirectories = split /:/, $modulesdir;
 
-    if ( $moduleloader && open_file( $config{LOAD_HELPERS_ONLY} ? 'helpers' : 'modules' ) ) {
+    if ( $moduleloader && open_file 'modules' ) {
 	my %loadedmodules;
 
 	$loadedmodules{$_}++ for split_list( $config{DONT_LOAD}, 'module' );
@@ -2053,190 +2030,132 @@ sub determine_kernelversion() {
 }
 
 #
-# Capability Reporting and detection.
+# Determine which optional facilities are supported by iptables/netfilter
 #
-sub have_capability( $ );
+sub determine_capabilities( $ ) {
 
-sub Nat_Enabled() {
-    $family == F_IPV4 ? qt1( "$iptables -t nat -L -n" ) : '';
-}
+    my $iptables   = $_[0];
+    my $pid        = $$;
+    my $sillyname  = "fooX$pid";
+    my $sillyname1 = "foo1X$pid";
 
-sub Persistent_Snat() {
-    have_capability 'NAT_ENABLED' || return '';
+    $capabilities{NAT_ENABLED}    = qt1( "$iptables -t nat -L -n" ) if $family == F_IPV4;
 
-    my $result = '';
-
-    if ( qt1( "$iptables -t nat -N $sillyname" ) ) {
-	$result = qt1( "$iptables -t nat -A $sillyname -j SNAT --to-source 1.2.3.4 --persistent" );
-	qt1( "$iptables -t nat -F $sillyname" );
-	qt1( "$iptables -t nat -X $sillyname" );
-	
+    if ( $capabilities{NAT_ENABLED} ) {
+	if ( qt1( "$iptables -t nat -N $sillyname" ) ) {
+	    $capabilities{PERSISTENT_SNAT} = qt1( "$iptables -t nat -A $sillyname -j SNAT --to-source 1.2.3.4 --persistent" );
+	    qt1( "$iptables -t nat -F $sillyname" );
+	    qt1( "$iptables -t nat -X $sillyname" );
+	}
     }
 
-    $result;
-}
+    $capabilities{MANGLE_ENABLED} = qt1( "$iptables -t mangle -L -n" );
 
-sub Mangle_Enabled() {
-    if ( qt1( "$iptables -t mangle -L -n" ) ) { 
-	system( "$iptables -t mangle -N $sillyname" ) == 0 || fatal_error "Cannot Create Mangle chain $sillyname";
-    }
-}
+    qt1( "$iptables -N $sillyname" );
+    qt1( "$iptables -N $sillyname1" );
+
+    fatal_error 'Your kernel/iptables do not include state match support. No version of Shorewall will run on this system'
+	unless qt1( "$iptables -A $sillyname -m state --state ESTABLISHED,RELATED -j ACCEPT");
 
-sub Conntrack_Match() {
     if ( $family == F_IPV4 ) {
-	qt1( "$iptables -A $sillyname -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT" );
+	$capabilities{CONNTRACK_MATCH} = qt1( "$iptables -A $sillyname -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT" );
     } else {
-	qt1( "$iptables -A $sillyname -m conntrack --ctorigdst ::1 -j ACCEPT" );
+	$capabilities{CONNTRACK_MATCH} = qt1( "$iptables -A $sillyname -m conntrack --ctorigdst ::1 -j ACCEPT" );
     }
-}
 
-sub New_Conntrack_Match() {
-    have_capability 'CONNTRACK_MATCH' && qt1( "$iptables -A $sillyname -m conntrack -p tcp --ctorigdstport 22 -j ACCEPT" );
-}
+    if ( $capabilities{CONNTRACK_MATCH} ) {
+	$capabilities{NEW_CONNTRACK_MATCH} = qt1( "$iptables -A $sillyname -m conntrack -p tcp --ctorigdstport 22 -j ACCEPT" );
+	$capabilities{OLD_CONNTRACK_MATCH} = ! qt1( "$iptables -A $sillyname -m conntrack ! --ctorigdst 1.2.3.4" );
+    }
 
-sub Old_Conntrack_Match() {
-    ! qt1( "$iptables -A $sillyname -m conntrack ! --ctorigdst 1.2.3.4" );
-}
+    if ( qt1( "$iptables -A $sillyname -p tcp -m multiport --dports 21,22 -j ACCEPT" ) ) {
+	$capabilities{MULTIPORT}  = 1;
+	$capabilities{KLUDGEFREE} = qt1( "$iptables -A $sillyname -p tcp -m multiport --sports 60 -m multiport --dports 99 -j ACCEPT" );
+    }
 
-sub Multiport() {
-    qt1( "$iptables -A $sillyname -p tcp -m multiport --dports 21,22 -j ACCEPT" );
-}
+    $capabilities{XMULTIPORT}      = qt1( "$iptables -A $sillyname -p tcp -m multiport --dports 21:22 -j ACCEPT" );
+    $capabilities{POLICY_MATCH}    = qt1( "$iptables -A $sillyname -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT" );
 
-sub Kludgefree1() {
-    have_capability 'MULTIPORT' && qt1( "$iptables -A $sillyname -p tcp -m multiport --sports 60 -m multiport --dports 99 -j ACCEPT" );
-}
+    if ( qt1( "$iptables -A $sillyname -m physdev --physdev-in eth0 -j ACCEPT" ) ) {
+	$capabilities{PHYSDEV_MATCH}  = 1;
+	$capabilities{PHYSDEV_BRIDGE} = qt1( "$iptables -A $sillyname -m physdev --physdev-is-bridged --physdev-in eth0 --physdev-out eth1 -j ACCEPT" );
+	unless ( $capabilities{KLUDGEFREE} ) {
+	    $capabilities{KLUDGEFREE} = qt1( "$iptables -A $sillyname -m physdev --physdev-in eth0 -m physdev --physdev-out eth0 -j ACCEPT" );
+	}
+    }
 
-sub Kludgefree2() {
-    have_capability 'PHYSDEV_MATCH' && qt1( "$iptables -A $sillyname -m physdev --physdev-in eth0 -m physdev --physdev-out eth0 -j ACCEPT" );
-}
-
-sub Kludgefree3() {
     if ( $family == F_IPV4 ) {
-	qt1( "$iptables -A $sillyname -m iprange --src-range 192.168.1.5-192.168.1.124 -m iprange --dst-range 192.168.1.5-192.168.1.124 -j ACCEPT" );
+	if ( qt1( "$iptables -A $sillyname -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT" ) ) {
+	    $capabilities{IPRANGE_MATCH} = 1;
+	    unless ( $capabilities{KLUDGEFREE} ) {
+		$capabilities{KLUDGEFREE} = qt1( "$iptables -A $sillyname -m iprange --src-range 192.168.1.5-192.168.1.124 -m iprange --dst-range 192.168.1.5-192.168.1.124 -j ACCEPT" );
+	    }
+	}
     } else {
-	qt1( "$iptables -A $sillyname -m iprange --src-range ::1-::2 -m iprange --dst-range 192.168.1.5-192.168.1.124 -j ACCEPT" );
+	if ( qt1( "$iptables -A $sillyname -m iprange --src-range ::1-::2 -j ACCEPT" ) ) {
+	    $capabilities{IPRANGE_MATCH} = 1;
+	    unless ( $capabilities{KLUDGEFREE} ) {
+		$capabilities{KLUDGEFREE} = qt1( "$iptables -A $sillyname -m iprange --src-range ::1-::2 -m iprange --dst-range 192.168.1.5-192.168.1.124 -j ACCEPT" );
+	    }
+	}
     }
-}
 
-sub Kludgefree() {
-    Kludgefree1 || Kludgefree2 || Kludgefree3;
-}
+    $capabilities{RECENT_MATCH} = qt1( "$iptables -A $sillyname -m recent --update -j ACCEPT" );
+    $capabilities{OWNER_MATCH}  = qt1( "$iptables -A $sillyname -m owner --uid-owner 0 -j ACCEPT" );
 
-sub Xmultiport() {
-    qt1( "$iptables -A $sillyname -p tcp -m multiport --dports 21:22 -j ACCEPT" );
-}
-
-sub Policy_Match() {
-    qt1( "$iptables -A $sillyname -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT" );
-}
-
-sub Physdev_Match() {
-    qt1( "$iptables -A $sillyname -m physdev --physdev-in eth0 -j ACCEPT" );
-}
-
-sub Physdev_Bridge() {
-    qt1( "$iptables -A $sillyname -m physdev --physdev-is-bridged --physdev-in eth0 --physdev-out eth1 -j ACCEPT" );
-}
-
-sub IPRange_Match() {
-    if ( $family == F_IPV4 ) {
-	qt1( "$iptables -A $sillyname -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT" );
-    } else {
-	qt1( "$iptables -A $sillyname -m iprange --src-range ::1-::2 -j ACCEPT" );
+    if ( qt1( "$iptables -A $sillyname -m connmark --mark 2  -j ACCEPT" )) {
+	$capabilities{CONNMARK_MATCH}  = 1;
+	$capabilities{XCONNMARK_MATCH} = qt1( "$iptables -A $sillyname -m connmark --mark 2/0xFF -j ACCEPT" );
     }
-}
 
-sub Recent_Match() {
-    qt1( "$iptables -A $sillyname -m recent --update -j ACCEPT" );
-}
-
-sub Owner_Match() {
-    qt1( "$iptables -A $sillyname -m owner --uid-owner 0 -j ACCEPT" );
-}
-
-sub Connmark_Match() {
-    qt1( "$iptables -A $sillyname -m connmark --mark 2  -j ACCEPT" );
-}
-
-sub Xconnmark_Match() {
-    have_capability 'CONNMARK_MATCH' && qt1( "$iptables -A $sillyname -m connmark --mark 2/0xFF -j ACCEPT" );
-}
-
-sub Ipp2p_Match() {
-    qt1( "$iptables -A $sillyname -p tcp -m ipp2p --edk -j ACCEPT" );
-}
-
-sub Old_Ipp2p_Match() {
-    qt1( "$iptables -A $sillyname -p tcp -m ipp2p --ipp2p -j ACCEPT" ) if $capabilities{IPP2P_MATCH};
-}
-
-sub Length_Match() {
-    qt1( "$iptables -A $sillyname -m length --length 10:20 -j ACCEPT" );
-}
-
-sub Enhanced_Reject() {
+    $capabilities{IPP2P_MATCH}     = qt1( "$iptables -A $sillyname -p tcp -m ipp2p --edk -j ACCEPT" );
+    $capabilities{OLD_IPP2P_MATCH} = qt1( "$iptables -A $sillyname -p tcp -m ipp2p --ipp2p -j ACCEPT" ) if $capabilities{IPP2P_MATCH};
+    $capabilities{LENGTH_MATCH}    = qt1( "$iptables -A $sillyname -m length --length 10:20 -j ACCEPT" );
+    
     if ( $family == F_IPV6 ) {
-	qt1( "$iptables -A $sillyname -j REJECT --reject-with icmp6-adm-prohibited" );
+	$capabilities{ENHANCED_REJECT} = qt1( "$iptables -A $sillyname -j REJECT --reject-with icmp6-adm-prohibited" );
     } else {
-	qt1( "$iptables -A $sillyname -j REJECT --reject-with icmp-host-prohibited" );
+	$capabilities{ENHANCED_REJECT} = qt1( "$iptables -A $sillyname -j REJECT --reject-with icmp-host-prohibited" );
     }
-}
 
-sub Comments() {
-    qt1( qq($iptables -A $sillyname -j ACCEPT -m comment --comment "This is a comment" ) );
-}
+    $capabilities{COMMENTS}        = qt1( qq($iptables -A $sillyname -j ACCEPT -m comment --comment "This is a comment" ) );
 
-sub Hashlimit_Match() {
-    have_capability 'OLD_HL_MATCH' || qt1( "$iptables -A $sillyname -m hashlimit --hashlimit-upto 3/min --hashlimit-burst 3 --hashlimit-name $sillyname --hashlimit-mode srcip -j ACCEPT" );
-}
+    $capabilities{HASHLIMIT_MATCH} = qt1( "$iptables -A $sillyname -m hashlimit --hashlimit-upto 3/min --hashlimit-burst 3 --hashlimit-name $sillyname --hashlimit-mode srcip -j ACCEPT" );
 
-sub Old_Hashlimit_Match() {
-    qt1( "$iptables -A $sillyname -m hashlimit --hashlimit 3/min --hashlimit-burst 3 --hashlimit-name $sillyname --hashlimit-mode srcip -j ACCEPT" );
-}
+    if ( $capabilities{HASHLIMIT_MATCH} ) {
+	$capabilities{OLD_HL_MATCH} = '';
+    } else {
+	$capabilities{OLD_HL_MATCH} = qt1( "$iptables -A $sillyname -m hashlimit --hashlimit 3/min --hashlimit-burst 3 --hashlimit-name $sillyname --hashlimit-mode srcip -j ACCEPT" );
+	$capabilities{HASHLIMIT_MATCH} = $capabilities{OLD_HL_MATCH};
+    }
 
-sub Mark() {
-    have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -j MARK --set-mark 1" );
-}
+    if  ( $capabilities{MANGLE_ENABLED} ) {
+	qt1( "$iptables -t mangle -N $sillyname" );
 
-sub Xmark() {
-    have_capability 'MARK' && qt1( "$iptables -t mangle -A $sillyname -j MARK --and-mark 0xFF" );
-}
+	if ( qt1( "$iptables -t mangle -A $sillyname -j MARK --set-mark 1" ) ) {
+	    $capabilities{MARK}  = 1;
+	    $capabilities{XMARK} = qt1( "$iptables -t mangle -A $sillyname -j MARK --and-mark 0xFF" );
+	    $capabilities{EXMARK} = qt1( "$iptables -t mangle -A $sillyname -j MARK --set-mark 1/0xFF" );
+	}
 
-sub Exmark() {
-    have_capability 'MARK' && qt1( "$iptables -t mangle -A $sillyname -j MARK --set-mark 1/0xFF" );
-}
+	if ( qt1( "$iptables -t mangle -A $sillyname -j CONNMARK --save-mark" ) ) {
+	    $capabilities{CONNMARK}  = 1;
+	    $capabilities{XCONNMARK} = qt1( "$iptables -t mangle -A $sillyname -j CONNMARK --save-mark --mask 0xFF" );
+	}
 
-sub Connmark() {
-    have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -j CONNMARK --save-mark" );
-}
+	$capabilities{CLASSIFY_TARGET} = qt1( "$iptables -t mangle -A $sillyname -j CLASSIFY --set-class 1:1" );
+	$capabilities{IPMARK_TARGET}   = qt1( "$iptables -t mangle -A $sillyname -j IPMARK --addr src" );
+	$capabilities{TPROXY_TARGET}   = qt1( "$iptables -t mangle -A $sillyname -p tcp -j TPROXY --on-port 0 --tproxy-mark 1" );
 
-sub Xconnmark() {
-    have_capability 'XCONNMARK_MATCH' && have_capability 'XMARK' && qt1( "$iptables -t mangle -A $sillyname -j CONNMARK --save-mark --mask 0xFF" );
-}
+	qt1( "$iptables -t mangle -F $sillyname" );
+	qt1( "$iptables -t mangle -X $sillyname" );
 
-sub Classify_Target() {
-    have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -j CLASSIFY --set-class 1:1" );
-}
+	$capabilities{MANGLE_FORWARD} = qt1( "$iptables -t mangle -L FORWARD -n" );
+    }
 
-sub IPMark_Target() {
-    have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -j IPMARK --addr src" );
-}
+    $capabilities{RAW_TABLE} = qt1( "$iptables -t raw -L -n" );
 
-sub Tproxy_Target() {
-    have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -p tcp -j TPROXY --on-port 0 --tproxy-mark 1" );
-}
-
-sub Mangle_Forward() {
-    have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -L FORWARD -n" );
-}
-
-sub Raw_Table() {
-    qt1( "$iptables -t raw -L -n" );
-}
-
-sub IPSet_Match() {
-    my $ipset  = $config{IPSET} || 'ipset';
-    my $result = 0;
+    my $ipset = $config{IPSET} || 'ipset';
 
     $ipset = which $ipset unless $ipset =~ '//';
 
@@ -2246,237 +2165,33 @@ sub IPSet_Match() {
 	if ( qt( "$ipset -N $sillyname iphash" ) ) {
 	    if ( qt1( "$iptables -A $sillyname -m set --set $sillyname src -j ACCEPT" ) ) {
 		qt1( "$iptables -D $sillyname -m set --set $sillyname src -j ACCEPT" );
-		$result = 1;
+		$capabilities{IPSET_MATCH} = 1;
 	    }
 
 	    qt( "$ipset -X $sillyname" );
 	}
     }
 
-    $result;
-}
+    $capabilities{USEPKTTYPE}      = qt1( "$iptables -A $sillyname -m pkttype --pkt-type broadcast -j ACCEPT" );
+    $capabilities{ADDRTYPE}        = qt1( "$iptables -A $sillyname -m addrtype --src-type BROADCAST -j ACCEPT" );
+    $capabilities{TCPMSS_MATCH}    = qt1( "$iptables -A $sillyname -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT" );
+    $capabilities{NFQUEUE_TARGET}  = qt1( "$iptables -A $sillyname -j NFQUEUE --queue-num 4" );
+    $capabilities{REALM_MATCH}     = qt1( "$iptables -A $sillyname -m realm --realm 1" );
+    $capabilities{HELPER_MATCH}    = qt1( "$iptables -A $sillyname -m helper --helper \"ftp\"" );
+    $capabilities{CONNLIMIT_MATCH} = qt1( "$iptables -A $sillyname -m connlimit --connlimit-above 8" );
+    $capabilities{TIME_MATCH}      = qt1( "$iptables -A $sillyname -m time --timestart 11:00" );
+    $capabilities{GOTO_TARGET}     = qt1( "$iptables -A $sillyname -g $sillyname1" );
+    $capabilities{LOG_TARGET}      = qt1( "$iptables -A $sillyname -j LOG" );
+    $capabilities{LOGMARK_TARGET}  = qt1( "$iptables -A $sillyname -j LOGMARK" );
 
-sub Usepkttype() {
-    qt1( "$iptables -A $sillyname -m pkttype --pkt-type broadcast -j ACCEPT" );
-}
-
-sub Addrtype() {
-    qt1( "$iptables -A $sillyname -m addrtype --src-type BROADCAST -j ACCEPT" );
-}
-
-sub Tcpmss_Match() {
-    qt1( "$iptables -A $sillyname -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT" );
-}
-
-sub Nfqueue_Target() {
-    qt1( "$iptables -A $sillyname -j NFQUEUE --queue-num 4" );
-}
-
-sub Realm_Match() {
-    qt1( "$iptables -A $sillyname -m realm --realm 1" );
-}
-
-sub Helper_Match() {
-    qt1( "$iptables -A $sillyname -m helper --helper \"ftp\"" );
-}
-
-sub Connlimit_Match() {
-    qt1( "$iptables -A $sillyname -m connlimit --connlimit-above 8" );
-}
-
-sub Time_Match() {
-    qt1( "$iptables -A $sillyname -m time --timestart 11:00" );
-}
-
-sub Goto_Target() {
-    qt1( "$iptables -A $sillyname -g $sillyname1" );
-}
-
-sub Log_Target() {
-    qt1( "$iptables -A $sillyname -j LOG" );
-}
-
-sub Logmark_Target() {
-    qt1( "$iptables -A $sillyname -j LOGMARK" );
-}
-
-sub Flow_Filter() {
-    $tc && system( "$tc filter add flow add help 2>&1 | grep -q ^Usage" ) == 0;
-}
-
-our %detect_capability =
-    ( ADDRTYPE => \&Addrtype,
-      CLASSIFY_TARGET => \&Classify_Target,
-      COMMENTS => \&Comments,
-      CONNLIMIT_MATCH => \&Connlimit_Match,
-      CONNMARK => \&Connmark,
-      CONNMARK_MATCH => \&Connmark_Match,
-      CONNTRACK_MATCH => \&Conntrack_Match,
-      ENHANCED_REJECT => \&Enhanced_Reject,
-      EXMARK => \&Exmark,
-      FLOW_FILTER => \&Flow_Filter,
-      GOTO_TARGET => \&Goto_Target,
-      HASHLIMIT_MATCH => \&Hashlimit_Match,
-      HELPER_MATCH => \&Helper_Match,
-      IPMARK_TARGET => \&IPMark_Target,
-      IPP2P_MATCH => \&Ipp2p_Match,
-      IPRANGE_MATCH => \&IPRange_Match,
-      IPSET_MATCH => \&IPSet_Match,
-      KLUDGEFREE => \&Kludgefree,
-      LENGTH_MATCH => \&Length_Match,
-      LOGMARK_TARGET => \&Logmark_Target,
-      LOG_TARGET => \&Log_Target,
-      MANGLE_ENABLED => \&Mangle_Enabled,
-      MANGLE_FORWARD => \&Mangle_Forward,
-      MARK => \&Mark,
-      MULTIPORT => \&Multiport,
-      NAT_ENABLED => \&Nat_Enabled,
-      NEW_CONNTRACK_MATCH => \&New_Conntrack_Match,
-      NFQUEUE_TARGET => \&Nfqueue_Target,
-      OLD_CONNTRACK_MATCH => \&Old_Conntrack_Match,
-      OLD_HL_MATCH => \&Old_Hashlimit_Match,
-      OLD_IPP2P_MATCH => \&Old_Ipp2p_Match,
-      OWNER_MATCH => \&Owner_Match,
-      PERSISTENT_SNAT => \&Persistent_Snat,
-      PHYSDEV_BRIDGE => \&Physdev_Bridge,
-      PHYSDEV_MATCH => \&Physdev_Match,
-      POLICY_MATCH => \&Policy_Match,
-      RAW_TABLE => \&Raw_Table,
-      REALM_MATCH => \&Realm_Match,
-      RECENT_MATCH => \&Recent_Match,
-      TCPMSS_MATCH => \&Tcpmss_Match,
-      TIME_MATCH => \&Time_Match,
-      TPROXY_TARGET => \&Tproxy_Target,
-      USEPKTTYPE => \&Usepkttype,
-      XCONNMARK_MATCH => \&Xconnmark_Match,
-      XCONNMARK => \&Xconnmark,
-      XMARK => \&Xmark,
-      XMULTIPORT => \&Xmultiport,
-    );
-
-sub detect_capability( $ ) {
-    my $capability = shift;
-    my $function = $detect_capability{ $capability };
-
-    assert( ( reftype( $function ) || '' ) eq 'CODE' );
-    $function->();
-}
-
-#
-# Report the passed capability
-#
-sub have_capability( $ ) {
-    my $capability = shift;
-    our %detect_capability;
-
-    $capabilities{ $capability } = detect_capability( $capability ) unless defined $capabilities{ $capability };
-
-    $capabilities{ $capability }; 
-}
-
-#
-# Determine which optional facilities are supported by iptables/netfilter
-#
-sub determine_capabilities() {
-
-    my $pid     = $$;
+    qt1( "$iptables -F $sillyname" );
+    qt1( "$iptables -X $sillyname" );
+    qt1( "$iptables -F $sillyname1" );
+    qt1( "$iptables -X $sillyname1" );
 
     $capabilities{CAPVERSION} = $globals{CAPVERSION};
 
     determine_kernelversion;
-
-    $sillyname  = "fooX$pid";
-    $sillyname1 = "foo1X$pid";
-
-    qt1( "$iptables -N $sillyname" );
-    qt1( "$iptables -N $sillyname1" );
-
-    fatal_error 'Your kernel/iptables do not include state match support. No version of Shorewall will run on this system'
-	unless qt1( "$iptables -A $sillyname -m state --state ESTABLISHED,RELATED -j ACCEPT");
-  
-    unless ( $config{ LOAD_HELPERS_ONLY } ) {
-	#
-	# Using 'detect_capability()' is a bit less efficient than calling the individual detection
-	# functions but it ensures that %detect_capability is initialized properly.
-	#
-	$capabilities{NAT_ENABLED}     = detect_capability( 'NAT_ENABLED' );
-	$capabilities{PERSISTENT_SNAT} = detect_capability( 'PERSISTENT_SNAT' );
-	$capabilities{MANGLE_ENABLED}  = detect_capability( 'MANGLE_ENABLED' );
-	
-	if ( $capabilities{CONNTRACK_MATCH} = detect_capability( 'CONNTRACK_MATCH' ) ) {
-	    $capabilities{NEW_CONNTRACK_MATCH} = detect_capability( 'NEW_CONNTRACK_MATCH' );
-	    $capabilities{OLD_CONNTRACK_MATCH} = detect_capability( 'OLD_CONNTRACK_MATCH' );
-	} else {
-	    $capabilities{NEW_CONNTRACK_MATCH} = '';
-	    $capabilities{OLD_CONNTRACK_MATCH} = '';
-	}
-
-	if ( $capabilities{ MULTIPORT } = detect_capability( 'MULTIPORT' ) ) {
-	     $capabilities{KLUDGEFREE}  = Kludgefree1;
-	}
-
-	$capabilities{XMULTIPORT}   = detect_capability( 'XMULTIPORT' ); 
-	$capabilities{POLICY_MATCH} = detect_capability( 'POLICY_MATCH' );
-
-	if ( $capabilities{PHYSDEV_MATCH} = detect_capability( 'PHYSDEV_MATCH' ) ) {
-	    $capabilities{PHYSDEV_BRIDGE} = detect_capability( 'PHYSDEV_BRIDGE' );
-	    $capabilities{KLUDGEFREE}   ||= Kludgefree2;
-	} else {
-	    $capabilities{PHYSDEV_BRIDGE} = '';
-	}
-
-	if ( $capabilities{IPRANGE_MATCH} = detect_capability( 'IPRANGE_MATCH' ) ) {
-	    $capabilities{KLUDGEFREE}   ||= Kludgefree3;
-	}
-
-	$capabilities{RECENT_MATCH}    = detect_capability( 'RECENT_MATCH' );
-	$capabilities{OWNER_MATCH}     = detect_capability( 'OWNER_MATCH' );
-	$capabilities{CONNMARK_MATCH}  = detect_capability( 'CONNMARK_MATCH' );
-	$capabilities{XCONNMARK_MATCH} = detect_capability( 'XCONNMARK_MATCH' );
-	$capabilities{IPP2P_MATCH}     = detect_capability( 'IPP2P_MATCH' );
-	$capabilities{OLD_IPP2P_MATCH} = detect_capability( 'OLD_IPP2P_MATCH' );
-	$capabilities{LENGTH_MATCH}    = detect_capability( 'LENGTH_MATCH' );
-	$capabilities{ENHANCED_REJECT} = detect_capability( 'ENHANCED_REJECT' );
-	$capabilities{COMMENTS}        = detect_capability( 'COMMENTS' );
-	$capabilities{OLD_HL_MATCH}    = detect_capability( 'OLD_HL_MATCH' );
-	$capabilities{HASHLIMIT_MATCH} = detect_capability( 'HASHLIMIT_MATCH' );
-	$capabilities{MARK}            = detect_capability( 'MARK' );
-	$capabilities{XMARK}           = detect_capability( 'XMARK' );
-	$capabilities{EXMARK}          = detect_capability( 'EXMARK' );
-	$capabilities{CONNMARK}        = detect_capability( 'CONNMARK' );
-	$capabilities{XCONNMARK}       = detect_capability( 'XCONNMARK' );
-	$capabilities{CLASSIFY_TARGET} = detect_capability( 'CLASSIFY_TARGET' );
-	$capabilities{IPMARK_TARGET}   = detect_capability( 'IPMARK_TARGET' );
-	$capabilities{TPROXY_TARGET}   = detect_capability( 'TPROXY_TARGET' );
-
-	if ( $capabilities{MANGLE_ENABLED} ) {
-	    qt1( "$iptables -t mangle -F $sillyname" );
-	    qt1( "$iptables -t mangle -X $sillyname" );
-	}
-
-	$capabilities{MANGLE_FORWARD}  = detect_capability( 'MANGLE_FORWARD' );
-	$capabilities{RAW_TABLE}       = detect_capability( 'RAW_TABLE' );
-	$capabilities{IPSET_MATCH}     = detect_capability( 'IPSET_MATCH' );
-	$capabilities{USEPKTTYPE}      = detect_capability( 'USEPKTTYPE' );
-	$capabilities{ADDRTYPE}        = detect_capability( 'ADDRTYPE' );
-	$capabilities{TCPMSS_MATCH}    = detect_capability( 'TCPMSS_MATCH' );
-	$capabilities{NFQUEUE_TARGET}  = detect_capability( 'NFQUEUE_TARGET' );
-	$capabilities{REALM_MATCH}     = detect_capability( 'REALM_MATCH' );
-	$capabilities{HELPER_MATCH}    = detect_capability( 'HELPER_MATCH' );
-	$capabilities{CONNLIMIT_MATCH} = detect_capability( 'CONNLIMIT_MATCH' );
-	$capabilities{TIME_MATCH}      = detect_capability( 'TIME_MATCH' );
-	$capabilities{GOTO_TARGET}     = detect_capability( 'GOTO_TARGET' );
-	$capabilities{LOG_TARGET}      = detect_capability( 'LOG_TARGET' );
-	$capabilities{LOGMARK_TARGET}  = detect_capability( 'LOGMARK_TARGET' );
-
-
-	qt1( "$iptables -F $sillyname" );
-	qt1( "$iptables -X $sillyname" );
-	qt1( "$iptables -F $sillyname1" );
-	qt1( "$iptables -X $sillyname1" );
-
-	$sillyname = $sillyname1 = undef;
-    }
 }
 
 #
@@ -2485,7 +2200,7 @@ sub determine_capabilities() {
 sub require_capability( $$$ ) {
     my ( $capability, $description, $singular ) = @_;
 
-    fatal_error "$description require${singular} $capdesc{$capability} in your kernel and iptables" unless have_capability $capability;
+    fatal_error "$description require${singular} $capdesc{$capability} in your kernel and iptables" unless $capabilities{$capability};
 }
 
 #
@@ -2597,15 +2312,6 @@ sub read_capabilities() {
 	warning_message "Your capabilities file does not contain a Kernel Version -- using 2.6.30";
 	$capabilities{KERNELVERSION} = 20630;
     }
-
-    for ( keys %capabilities ) {
-	$capabilities{$_} = '' unless defined $capabilities{$_};
-    }
-
-    if ( $capabilities{FLOW_FILTER} eq 'default' ) {
-	$capabilities{FLOW_FILTER} = $capabilities{OLD_HL_MATCH} ? '' : 'Yes';
-    }
-    
 }
 
 #
@@ -2615,7 +2321,7 @@ sub get_capabilities( $ ) {
     my $export = $_[0];
 
     if ( ! $export && $> == 0 ) { # $> == $EUID
-	$iptables = $config{$toolNAME};
+	my $iptables = $config{$toolNAME};
 
 	if ( $iptables ) {
 	    fatal_error "$toolNAME=$iptables does not exist or is not executable" unless -x $iptables;
@@ -2627,18 +2333,12 @@ sub get_capabilities( $ ) {
 
 	fatal_error "$iptables_restore does not exist or is not executable" unless -x $iptables_restore;
 
-	$tc = $config{TC};
-
-	if ( $tc ) {
-	    fatal_error "TC=$tc does not exist or is not executable" unless -x $tc;
-	}
-
 	load_kernel_modules;
 
 	if ( open_file 'capabilities' ) {
 	    read_capabilities;
 	} else {
-	    determine_capabilities;
+	    determine_capabilities $iptables;
 	}
     } else {
 	unless ( open_file 'capabilities' ) {
@@ -2695,14 +2395,13 @@ sub get_configuration( $ ) {
     unshift @INC, @config_path;
 
     default 'PATH' , '/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin';
-    #
-    # get_capabilities requires that the true settings of these options be established
-    #
+
     default 'MODULE_PREFIX', 'o gz ko o.gz ko.gz';
-    default_yes_no 'LOAD_HELPERS_ONLY'          , '';
 
     get_capabilities( $export );
 
+    $globals{ORIGINAL_POLICY_MATCH} = $capabilities{POLICY_MATCH};
+
     if ( $config{LOGRATE} || $config{LOGBURST} ) {
 	if ( defined $config{LOGRATE} ) {
 	    fatal_error"Invalid LOGRATE ($config{LOGRATE})" unless $config{LOGRATE}  =~ /^\d+\/(second|minute)$/;
@@ -2723,7 +2422,7 @@ sub get_configuration( $ ) {
     
     my $val;
 
-    if ( have_capability( 'KERNELVERSION' ) < 20631 ) {
+    if ( $capabilities{KERNELVERSION} < 20631 ) {
 	check_trivalue ( 'ROUTE_FILTER',  '' );
     } else {
 	$val = $config{ROUTE_FILTER};
@@ -2842,17 +2541,40 @@ sub get_configuration( $ ) {
 	fatal_error 'PROVIDER_BITS + PROVIDER_OFFSET > 32' if $config{PROVIDER_BITS} + $config{PROVIDER_OFFSET} > 32;
     }
 
+    $val = 1;
+    
     $globals{TC_MAX}                 = make_mask( $config{TC_BITS} );
     $globals{TC_MASK}                = make_mask( $config{MASK_BITS} );
     $globals{PROVIDER_MIN}           = 1 << $config{PROVIDER_OFFSET};
     $globals{PROVIDER_MASK}          = make_mask( $config{PROVIDER_BITS} ) << $config{PROVIDER_OFFSET};
 
+    if ( $config{TC_BITS} || $config{PROVIDER_BITS} ) {
+	progress_message2 "\n   ******** Packet/Connection Mark Information ********";
+	if ( $config{TC_BITS} ) {
+	    progress_message2 "   TC Mark Values       = 1 - $globals{TC_MAX} (" . in_hex( $globals{TC_MAX} ) . ')';
+	}
+
+	progress_message2 '   Default Mask         = /' . in_hex( $globals{TC_MASK} );
+    
+	if ( $config{PROVIDER_BITS} ) {
+	    if ( $config{PROVIDER_OFFSET} ) {
+		progress_message2( '   Provider Mark Values = ' . in_hex( $globals{PROVIDER_MIN} ) . ' - ' . in_hex( $globals{PROVIDER_MASK} ) );
+	    } else {
+		progress_message2( "   Provider Mark Values = 1 - $globals{PROVIDER_MASK} (" . in_hex( $globals{PROVIDER_MASK} ) . ')' );
+	    }
+	}
+    }
+
+    progress_message2 "   ****************************************************\n";
+
     if ( defined ( $val = $config{ZONE2ZONE} ) ) {
 	fatal_error "Invalid ZONE2ZONE value ( $val )" unless $val =~ /^[2-]$/;
     } else {
 	$config{ZONE2ZONE} = '2';
     }
 
+    $capabilities{XCONNMARK} = '' unless $capabilities{XCONNMARK_MATCH} and $capabilities{XMARK};
+
     default 'BLACKLIST_DISPOSITION'    , 'DROP';
 
     default_log_level 'BLACKLIST_LOGLEVEL',  '';
@@ -3152,6 +2874,12 @@ sub generate_aux_config() {
 
 }
 
+sub is_bridge( $ ) {
+    my $dev = $_[0];
+
+    which 'brctl' and qt1( qq(brctl show $dev | tail -n +2 | grep -q "^$dev\b") );
+}
+
 END {
     cleanup;
 }

Shorewall/Perl/Shorewall/IPAddrs.pm

@@ -72,7 +72,7 @@ our @EXPORT = qw( ALLIPv4
 		  validate_icmp6
 		 );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.4_7';
+our $VERSION = '4.4_5';
 
 #
 # Some IPv4/6 useful stuff
@@ -287,12 +287,7 @@ sub resolve_proto( $ ) {
     my $proto = $_[0];
     my $number;
 
-    if ( $proto =~ /^\d+$/ || $proto =~ /^0x/ ) {
-	$number = numeric_value ( $proto );
-	defined $number && $number <= 65535 ? $number : undef;
-    } else {
-	defined( $number = $nametoproto{$proto} ) ? $number : scalar getprotobyname $proto;
-    }
+    $proto =~ /^(\d+)$/ ? $proto <= 65535 ? $proto : undef : defined( $number = $nametoproto{$proto} ) ? $number : scalar getprotobyname $proto;
 }
 
 sub proto_name( $ ) {
@@ -306,7 +301,7 @@ sub validate_port( $$ ) {
 
     my $value;
 
-    if ( $port =~ /^(\d+)$/ || $port =~ /^0x/ ) {
+    if ( $port =~ /^(\d+)$/ ) {
 	$port = numeric_value $port;
 	return $port if defined $port && $port && $port <= 65535;
     } else {
@@ -314,7 +309,7 @@ sub validate_port( $$ ) {
 	$value = getservbyname( $port, $proto );
     }
 
-    fatal_error "Invalid/Unknown $proto port/service ($_[1])" unless defined $value;
+    fatal_error "Invalid/Unknown $proto port/service ($port)" unless defined $value;
 
     $value;
 }

Shorewall/Perl/Shorewall/Nat.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -36,7 +36,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses );
 our @EXPORT_OK = ();
-our $VERSION = '4.4_6';
+our $VERSION = '4.5_2';
 
 our @addresses_to_add;
 our %addresses_to_add;
@@ -150,7 +150,7 @@ sub process_one_masq( )
     # Handle IPSEC options, if any
     #
     if ( $ipsec ne '-' ) {
-	fatal_error "Non-empty IPSEC column requires policy match support in your kernel and iptables"  unless have_capability( 'POLICY_MATCH' );
+	fatal_error "Non-empty IPSEC column requires policy match support in your kernel and iptables"  unless $globals{ORIGINAL_POLICY_MATCH};
 
 	if ( $ipsec =~ /^yes$/i ) {
 	    $baserule .= '-m policy --pol ipsec --dir out ';
@@ -159,7 +159,7 @@ sub process_one_masq( )
 	} else {
 	    $baserule .= do_ipsec_options $ipsec;
 	}
-    } elsif ( have_ipsec ) {
+    } elsif ( $capabilities{POLICY_MATCH} ) {
 	$baserule .= '-m policy --pol none --dir out ';
     }
 
@@ -171,7 +171,7 @@ sub process_one_masq( )
     # Handle Mark
     #
     $baserule .= do_test( $mark, $globals{TC_MASK} ) if $mark ne '-';
-    $baserule .= do_user( $user )                    if $user ne '-';
+    $baserule .= do_user( $user ) if $user ne '-';
 
     for my $fullinterface (split_list $interfacelist, 'interface' ) {
 	my $rule = '';
@@ -372,7 +372,7 @@ sub do_one_nat( $$$$$ )
 	$interface = $interfaceref->{name};
     }
 
-    if ( have_ipsec ) {
+    if ( $capabilities{POLICY_MATCH} ) {
 	$policyin = ' -m policy --pol none --dir in';
 	$policyout =  '-m policy --pol none --dir out';
     }
@@ -402,6 +402,7 @@ sub do_one_nat( $$$$$ )
 	    push @addresses_to_add, ( $external , $fullinterface );
 	}
     }
+
 }
 
 #

Shorewall/Perl/Shorewall/Policy.pm

@@ -34,7 +34,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain setup_syn_flood_chains save_policies optimize_policy_chains);
 our @EXPORT_OK = qw(  );
-our $VERSION = '4.4_7';
+our $VERSION = '4.5_2';
 
 # @policy_chains is a list of references to policy chains in the filter table
 
@@ -204,7 +204,7 @@ sub process_a_policy() {
 	    if ( zone_type( $client ) == FIREWALL ) || ( zone_type( $server ) == FIREWALL );
     }
 
-    unless ( $clientwild || $serverwild ) {
+    unless ( $clientwild || $serverwild || $policy eq 'NONE' ) {
 	if ( zone_type( $server ) == BPORT ) {
 	    fatal_error "Invalid policy - DEST zone is a Bridge Port zone but the SOURCE zone is not associated with the same bridge"
 		unless find_zone( $client )->{bridge} eq find_zone( $server)->{bridge} || single_interface( $client ) eq find_zone( $server )->{bridge};

Shorewall/Perl/Shorewall/Proc.pm

@@ -41,7 +41,7 @@ our @EXPORT = qw(
 		 setup_forwarding
 		 );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.4_7';
+our $VERSION = '4.4_4';
 
 #
 # ARP Filtering
@@ -130,7 +130,7 @@ sub setup_route_filtering() {
 	    emit   "fi\n";
 	}
 
-	if ( have_capability( 'KERNELVERSION' ) < 20631 ) {
+	if ( $capabilities{KERNELVERSION} < 20631 ) {
 	    emit 'echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter';
 	} elsif ( $val ne '' ) {
 	    emit "echo $val > /proc/sys/net/ipv4/conf/all/rp_filter";

Shorewall/Perl/Shorewall/Providers.pm

@@ -35,7 +35,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_providers @routemarked_interfaces handle_stickiness handle_optional_interfaces );
 our @EXPORT_OK = qw( initialize lookup_provider );
-our $VERSION = '4.4_7';
+our $VERSION = '4.5_2';
 
 use constant { LOCAL_TABLE   => 255,
 	       MAIN_TABLE    => 254,

Shorewall/Perl/Shorewall/Proxyarp.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #

Shorewall/Perl/Shorewall/Raw.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -34,7 +34,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_notrack );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.3_7';
+our $VERSION = '4.5_2';
 
 #
 # Notrack

Shorewall/Perl/Shorewall/Rules.pm

@@ -46,7 +46,7 @@ our @EXPORT = qw( process_tos
 		  compile_stop_firewall
 		  );
 our @EXPORT_OK = qw( process_rule process_rule1 initialize );
-our $VERSION = '4.4_7';
+our $VERSION = '4.5_3';
 
 #
 # Set to one if we find a SECTION
@@ -85,8 +85,8 @@ sub initialize( $ ) {
 use constant { MAX_MACRO_NEST_LEVEL => 5 };
 
 sub process_tos() {
-    my $chain    = have_capability( 'MANGLE_FORWARD' ) ? 'fortos'  : 'pretos';
-    my $stdchain = have_capability( 'MANGLE_FORWARD' ) ? 'FORWARD' : 'PREROUTING';
+    my $chain    = $capabilities{MANGLE_FORWARD} ? 'fortos'  : 'pretos';
+    my $stdchain = $capabilities{MANGLE_FORWARD} ? 'FORWARD' : 'PREROUTING';
 
     my %tosoptions = ( 'minimize-delay'       => 0x10 ,
 		       'maximize-throughput'  => 0x08 ,
@@ -281,7 +281,7 @@ sub setup_blacklist() {
 	for my $hostref ( @$hosts ) {
 	    my $interface  = $hostref->[0];
 	    my $ipsec      = $hostref->[1];
-	    my $policy     = have_ipsec ? "-m policy --pol $ipsec --dir in " : '';
+	    my $policy     = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : '';
 	    my $network    = $hostref->[2];
 	    my $source     = match_source_net $network;
 	    my $target     = source_exclusion( $hostref->[3], $chainref );
@@ -451,74 +451,32 @@ sub add_common_rules() {
 
     $list = find_hosts_by_option 'nosmurfs';
 
-    if ( @$list ) {
-	progress_message2 'Adding Anti-smurf Rules';
-
-	$chainref = new_standard_chain 'smurfs';
-    
-	my $smurfdest;
-
-	if ( defined $config{SMURF_LOG_LEVEL} && $config{SMURF_LOG_LEVEL} ne '' ) {
-	    my $smurfref = new_chain( 'filter', $smurfdest = 'smurflog' );
-	    
-	    log_rule_limit( $config{SMURF_LOG_LEVEL},
-			    $smurfref,
-			    'smurfs' ,
-			    'DROP',
-			    $globals{LOGLIMIT},
-			    '', 
-			    'add',
-			    '' );
-	    add_rule( $smurfref, '-j DROP' );
-	} else {
-	    $smurfdest = 'DROP';
-	}
-
-	if ( have_capability( 'ADDRTYPE' ) ) {
-	    if ( $family == F_IPV4 ) {
-		add_rule $chainref , '-s 0.0.0.0 -j RETURN';
-	    } else {
-		add_rule $chainref , '-s :: -j RETURN';
-	    }
-
-	    add_jump( $chainref, $smurfdest, 1, '-m addrtype --src-type BROADCAST ' ) ;
-	} else {
-	    if ( $family == F_IPV4 ) {
-		add_commands $chainref, 'for address in $ALL_BCASTS; do';
-	    } else {
-		add_commands $chainref, 'for address in $ALL_ACASTS; do';
-	    }
-	    
-	    incr_cmd_level $chainref;
-	    add_jump( $chainref, $smurfdest, 1, '-s $address ' );
-	    decr_cmd_level $chainref;
-	    add_commands $chainref, 'done';
-	}
+    $chainref = new_standard_chain 'smurfs';
 
+    if ( $capabilities{ADDRTYPE} ) {
+	add_rule $chainref , '-s 0.0.0.0 -j RETURN';
+	add_rule_pair $chainref, '-m addrtype --src-type BROADCAST ', 'DROP', $config{SMURF_LOG_LEVEL} ;
+    } else {
 	if ( $family == F_IPV4 ) {
-	    add_jump( $chainref, $smurfdest, 1, '-s 224.0.0.0/4 ' );
+	    add_commands $chainref, 'for address in $ALL_BCASTS; do';
 	} else {
-	    add_jump( $chainref, $smurfdest, 1, '-s ff00::/10 ' );
+	    add_commands $chainref, 'for address in $ALL_ACASTS; do';
 	}
 
-	my $state = $globals{UNTRACKED} ? 'NEW,INVALID,UNTRACKED' : 'NEW,INVALID';
-
-	for my $hostref  ( @$list ) {
-	    $interface     = $hostref->[0];
-	    my $ipsec      = $hostref->[1];
-	    my $policy     = have_ipsec ? "-m policy --pol $ipsec --dir in " : '';
-	    my $target     = source_exclusion( $hostref->[3], $chainref );
-
-	    for $chain ( first_chains $interface ) {
-		add_jump $filter_table->{$chain} , $target, 0, join( '', "-m state --state $state ", match_source_net( $hostref->[2] ),  $policy );
-	    }
-
-	    set_interface_option $interface, 'use_input_chain', 1;
-	    set_interface_option $interface, 'use_forward_chain', 1;
-	}
+	incr_cmd_level $chainref;
+	log_rule( $config{SMURF_LOG_LEVEL} , $chainref, 'DROP', '-s $address ' );
+	add_rule $chainref, '-s $address -j DROP';
+	decr_cmd_level $chainref;
+	add_commands $chainref, 'done';
     }
 
-    if ( have_capability( 'ADDRTYPE' ) ) {
+    if ( $family == F_IPV4 ) {
+	add_rule_pair $chainref, '-s 224.0.0.0/4 ', 'DROP', $config{SMURF_LOG_LEVEL};
+    } else {
+	add_rule_pair $chainref, '-s ff00::/10 ', 'DROP', $config{SMURF_LOG_LEVEL} if $family == F_IPV4;
+    }
+
+    if ( $capabilities{ADDRTYPE} ) {
 	add_rule $rejectref , '-m addrtype --src-type BROADCAST -j DROP';
     } else {
 	if ( $family == F_IPV4 ) {
@@ -539,10 +497,30 @@ sub add_common_rules() {
 	add_rule $rejectref , '-s ff00::/10 -j DROP';
     }
 
+    if ( @$list ) {
+	progress_message2 'Adding Anti-smurf Rules';
+
+	my $state = $globals{UNTRACKED} ? 'NEW,INVALID,UNTRACKED' : 'NEW,INVALID';
+
+	for my $hostref  ( @$list ) {
+	    $interface     = $hostref->[0];
+	    my $ipsec      = $hostref->[1];
+	    my $policy     = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : '';
+	    my $target     = source_exclusion( $hostref->[3], $chainref );
+
+	    for $chain ( first_chains $interface ) {
+		add_jump $filter_table->{$chain} , $target, 0, join( '', "-m state --state $state ", match_source_net( $hostref->[2] ),  $policy );
+	    }
+
+	    set_interface_option $interface, 'use_input_chain', 1;
+	    set_interface_option $interface, 'use_forward_chain', 1;
+	}
+    }
+
     add_rule $rejectref , '-p 2 -j DROP';
     add_rule $rejectref , '-p 6 -j REJECT --reject-with tcp-reset';
 
-    if ( have_capability( 'ENHANCED_REJECT' ) ) {
+    if ( $capabilities{ENHANCED_REJECT} ) {
 	add_rule $rejectref , '-p 17 -j REJECT';
 
 	if ( $family == F_IPV4 ) {
@@ -619,7 +597,7 @@ sub add_common_rules() {
 	for my $hostref  ( @$list ) {
 	    my $interface  = $hostref->[0];
 	    my $target     = source_exclusion( $hostref->[3], $chainref );
-	    my $policy     = have_ipsec ? "-m policy --pol $hostref->[1] --dir in " : '';
+	    my $policy     = $capabilities{POLICY_MATCH} ? "-m policy --pol $hostref->[1] --dir in " : '';
 
 	    for $chain ( first_chains $interface ) {
 		add_jump $filter_table->{$chain} , $target, 0, join( '', '-p tcp ', match_source_net( $hostref->[2] ), $policy );
@@ -767,6 +745,7 @@ sub setup_mac_lists( $ ) {
 			log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , "${mac}${source}"
 			    if defined $level && $level ne '';
 			add_rule $chainref , "${mac}${source}-j $targetref->{target}";
+
 		    }
 		} else {
 		    log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , $mac
@@ -785,7 +764,7 @@ sub setup_mac_lists( $ ) {
 	for my $hostref ( @$maclist_hosts ) {
 	    my $interface  = $hostref->[0];
 	    my $ipsec      = $hostref->[1];
-	    my $policy     = have_ipsec ? "-m policy --pol $ipsec --dir in " : '';
+	    my $policy     = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : '';
 	    my $source     = match_source_net $hostref->[2];
 
 	    my $state = $globals{UNTRACKED} ? 'NEW,UNTRACKED' : 'NEW';
@@ -816,7 +795,7 @@ sub setup_mac_lists( $ ) {
 		if ( $level ne '' || $disposition ne 'ACCEPT' ) {
 		    my $variable = get_interface_addresses source_port_to_bridge( $interface );
 
-		    if ( have_capability( 'ADDRTYPE' ) ) {
+		    if ( $capabilities{ADDRTYPE} ) {
 			add_commands( $chainref,
 				      "for address in $variable; do",
 				      "    echo \"-A $chainref->{name} -s \$address -m addrtype --dst-type BROADCAST -j RETURN\" >&3",
@@ -1182,25 +1161,13 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
     #
     # Generate Fixed part of the rule
     #
-    if ( ( $actiontype & ( NATRULE | NATONLY ) ) == NATRULE ) {
-	#
-	# Don't apply rate limiting twice
-	#
-	$rule = join( '', 
-		      do_proto($proto, $ports, $sports),
-		      do_user( $user ) ,
-		      do_test( $mark , $globals{TC_MASK} ) ,
-		      do_connlimit( $connlimit ),
-		      do_time( $time ) );
-    } else {
-	$rule = join( '', 
-		      do_proto($proto, $ports, $sports),
-		      do_ratelimit( $ratelimit, $basictarget ) ,
-		      do_user( $user ) ,
-		      do_test( $mark , $globals{TC_MASK} ) ,
-		      do_connlimit( $connlimit ),
-		      do_time( $time ) );
-    }
+    $rule = join( '', 
+		  do_proto($proto, $ports, $sports),
+		  do_ratelimit( $ratelimit, $basictarget ) ,
+		  do_user( $user ) ,
+		  do_test( $mark , $globals{TC_MASK} ) ,
+		  do_connlimit( $connlimit ),
+		  do_time( $time ) );
 
     unless ( $section eq 'NEW' ) {
 	fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" if $config{FASTACCEPT};
@@ -1450,7 +1417,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 	    }
 	}
 
-	$rule .= "-m conntrack --ctorigdstport $origdstports " if have_capability( 'NEW_CONNTRACK_MATCH' ) && $origdstports;
+	$rule .= "-m conntrack --ctorigdstport $origdstports " if $capabilities{NEW_CONNTRACK_MATCH} && $origdstports;
 
 	expand_rule( ensure_chain( 'filter', $chain ) ,
 		     $restriction ,
@@ -1743,7 +1710,7 @@ sub generate_matrix() {
 	#
 	my $frwd_ref = new_standard_chain zone_forward_chain( $zone );
 
-	if ( have_ipsec ) {
+	if ( $capabilities{POLICY_MATCH} ) {
 	    #
 	    # Because policy match only matches an 'in' or an 'out' policy (but not both), we have to place the
 	    # '--pol ipsec --dir in' rules at the front of the (interface) forwarding chains. Otherwise, decrypted packets
@@ -1864,17 +1831,13 @@ sub generate_matrix() {
 			my $dest   = match_dest_net $net;
 
 			if ( $chain1 ) {
-			    my $chain1ref = $filter_table->{$chain1};
 			    my $nextchain = dest_exclusion( $exclusions, $chain1 );
 			    my $outputref;
-			    my $interfacechainref = $filter_table->{output_chain $interface};
 			    my $interfacematch = '';
-			    my $use_output = 0;
 
-			    if ( use_output_chain $interface || ( @{$interfacechainref->{rules}} && ! $chain1ref ) ) {
-				$outputref = $interfacechainref;
+			    if ( use_output_chain $interface ) {
+				$outputref = $filter_table->{output_chain $interface};
 				add_jump $filter_table->{OUTPUT}, $outputref, 0, match_dest_dev( $interface ) unless $output_jump_added{$interface}++;
-				$use_output = 1;
 			    } else {
 				$outputref = $filter_table->{OUTPUT};
 				$interfacematch = match_dest_dev $interface;
@@ -1885,7 +1848,7 @@ sub generate_matrix() {
 			    add_jump( $outputref , $nextchain, 0, join('', $interfacematch, '-d 255.255.255.255 ' , $ipsec_out_match ) )
 				if $hostref->{options}{broadcast};
 
-			    move_rules( $interfacechainref , $chain1ref ) unless $use_output;
+			    move_rules( $filter_table->{output_chain $interface} , $filter_table->{$chain1} ) unless use_output_chain $interface;
 			}
 
 			clearrule;
@@ -1900,7 +1863,6 @@ sub generate_matrix() {
 			    # Add a jump from this source network to this zone's DNAT/REDIRECT chain
 			    #
 			    add_jump $preroutingref, source_exclusion( $exclusions, $dnatref), 0, join( '', match_source_dev( $interface), $source, $ipsec_in_match );
-			    check_optimization( $dnatref ) if $source;
 			}
 
 			if ( $notrackref->{referenced} ) {
@@ -1910,7 +1872,6 @@ sub generate_matrix() {
 			    #
 			    add_jump $raw_table->{PREROUTING}, source_exclusion( $exclusions, $notrackref), 0, join( '', match_source_dev( $interface), $source, $ipsec_in_match );
 			}
-
 			#
 			# If this zone has parents with DNAT/REDIRECT or notrack rules and there are no CONTINUE polcies with this zone as the source
 			# then add a RETURN jump for this source network.
@@ -1920,16 +1881,12 @@ sub generate_matrix() {
 			    add_rule $raw_table->{PREROUTING}, join( '', match_source_dev( $interface), $source, $ipsec_in_match, '-j RETURN' ) if $parenthasnotrack;
 			}
 
-			my $chain2ref = $filter_table->{$chain2};
 			my $inputchainref;
-			my $interfacechainref = $filter_table->{input_chain $interface};
 			my $interfacematch = '';
-			my $use_input;
 
-			if ( use_input_chain $interface || ! $chain2 || ( @{$interfacechainref->{rules}} && ! $chain2ref ) ) {
-			    $inputchainref = $interfacechainref;
+			if ( use_input_chain $interface ) {
+			    $inputchainref = $filter_table->{input_chain $interface};
 			    add_jump $filter_table->{INPUT}, $inputchainref, 0, match_source_dev($interface) unless $input_jump_added{$interface}++;
-			    $use_input = 1;
 			} else {
 			    $inputchainref = $filter_table->{INPUT};
 			    $interfacematch = match_source_dev $interface;
@@ -1937,7 +1894,7 @@ sub generate_matrix() {
 
 			if ( $chain2 ) {
 			    add_jump $inputchainref, source_exclusion( $exclusions, $chain2 ), 0, join( '', $interfacematch, $source, $ipsec_in_match );
-			    move_rules( $interfacechainref , $chain2ref ) unless $use_input;
+			    move_rules( $filter_table->{input_chain $interface} , $filter_table->{$chain2} ) unless use_input_chain $interface;
 			}
 
 			if ( $frwd_ref && $hostref->{ipsec} ne 'ipsec' ) {
@@ -2161,11 +2118,11 @@ sub setup_mss( ) {
 	if ( "\L$clampmss" eq 'yes' ) {
 	    $option = '--clamp-mss-to-pmtu';
 	} else {
-	    $match  = "-m tcpmss --mss $clampmss: " if have_capability( 'TCPMSS_MATCH' );
+	    $match  = "-m tcpmss --mss $clampmss: " if $capabilities{TCPMSS_MATCH};
 	    $option = "--set-mss $clampmss";
 	}
 
-	$match .= '-m policy --pol none --dir out ' if have_ipsec;
+	$match .= '-m policy --pol none --dir out ' if $capabilities{POLICY_MATCH};
     }
 
     my $interfaces = find_interfaces_by_option( 'mss' );
@@ -2183,14 +2140,14 @@ sub setup_mss( ) {
 	my $in_match  = '';
 	my $out_match = '';
 
-	if ( have_ipsec ) {
+	if ( $capabilities{POLICY_MATCH} ) {
 	    $in_match  = '-m policy --pol none --dir in ';
 	    $out_match = '-m policy --pol none --dir out ';
 	}
 
 	for ( @$interfaces ) {
 	    my $mss      = get_interface_option( $_, 'mss' );
-	    my $mssmatch = have_capability( 'TCPMSS_MATCH' ) ? "-m tcpmss --mss $mss: " : '';
+	    my $mssmatch = $capabilities{TCPMSS_MATCH} ? "-m tcpmss --mss $mss: " : '';
 	    my $source   = match_source_dev $_;
 	    my $dest     = match_dest_dev $_;
 	    add_rule $chainref, "${dest}-p tcp --tcp-flags SYN,RST SYN ${mssmatch}${out_match}-j TCPMSS --set-mss $mss";
@@ -2293,7 +2250,7 @@ EOF
     run_stop_exit
 EOF
 
-    if ( have_capability( 'NAT_ENABLED' ) ) {
+    if ( $capabilities{NAT_ENABLED} ) {
 	emit<<'EOF';
     if [ -f ${VARDIR}/nat ]; then
         while read external interface; do
@@ -2362,7 +2319,9 @@ EOF
 	    #
 	    # This might be a bridge
 	    #
-	    add_rule $forward, "-p udp " . match_source_dev( $interface ) . match_dest_dev( $interface ) . "--dport $ports -j ACCEPT";
+	    if ( $export || $test || is_bridge( get_physical( $interface ) ) ) {
+		add_rule $forward, "-p udp " . match_source_dev( $interface ) . match_dest_dev( $interface ) . "--dport $ports -j ACCEPT";
+	    }
 	}
     }
 

Shorewall/Perl/Shorewall/Tc.pm

@@ -40,7 +40,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_tc );
 our @EXPORT_OK = qw( process_tc_rule initialize );
-our $VERSION = '4.4_7';
+our $VERSION = '4.5_3';
 
 our %tcs = ( T => { chain  => 'tcpost',
 		    connmark => 0,
@@ -372,7 +372,7 @@ sub process_tc_rule( ) {
 		my $val = numeric_value( $cmd );
 		fatal_error "Invalid MARK/CLASSIFY ($cmd)" unless defined $val;
 		my $limit = $globals{TC_MASK};
-		fatal_error "Marks <= $limit may not be set in the PREROUTING or OUTPUT chains when HIGH_ROUTE_MARKS=Yes"
+		fatal_error "Marks <= $limit may not be set in the PREROUTING or OUTPUT chains when PROVIDER_OFFSET > 0"
 		    if $cmd && ( $chain eq 'tcpre' || $chain eq 'tcout' ) && $val <= $limit;
 	    }
 	}
@@ -515,7 +515,7 @@ sub process_simple_device() {
     while ( ++$i <= 3 ) {
 	emit "run_tc qdisc add dev $physical parent $number:$i handle ${number}${i}: sfq quantum 1875 limit 127 perturb 10";
 	emit "run_tc filter add dev $physical protocol all parent $number: handle $i fw classid $devnum:$i";
-	emit "run_tc filter add dev $physical protocol all prio 1 parent ${number}$i: handle ${number}${i} flow hash keys $type divisor 1024" if $type ne '-' && have_capability 'FLOW_FILTER';
+	emit "run_tc filter add dev $physical protocol all prio 1 parent ${number}$i: handle ${number}${i} flow hash keys $type divisor 1024" if $type ne '-';
 	emit '';
     }
 
@@ -1114,7 +1114,7 @@ sub process_tc_priority() {
 
     my $rule = do_helper( $helper ) . "-j MARK --set-mark $band";
 
-    $rule .= join('', '/', in_hex( $globals{TC_MASK} ) ) if have_capability( 'EXMARK' );
+    $rule .= join('', '/', in_hex( $globals{TC_MASK} ) ) if $capabilities{EXMARK};
 
     if ( $interface ne '-' ) {
 	fatal_error "Invalid combination of columns" unless $address eq '-' && $proto eq '-' && $ports eq '-';
@@ -1384,7 +1384,7 @@ sub setup_tc() {
 	ensure_mangle_chain 'tcpre';
 	ensure_mangle_chain 'tcout';
 
-	if ( have_capability( 'MANGLE_FORWARD' ) ) {
+	if ( $capabilities{MANGLE_FORWARD} ) {
 	    ensure_mangle_chain 'tcfor';
 	    ensure_mangle_chain 'tcpost';
 	}
@@ -1407,8 +1407,8 @@ sub setup_tc() {
 	add_jump $mangle_table->{PREROUTING} , 'tcpre', 0, $mark_part;
 	add_jump $mangle_table->{OUTPUT} ,     'tcout', 0, $mark_part;
 
-	if ( have_capability( 'MANGLE_FORWARD' ) ) {
-	    add_rule( $mangle_table->{FORWARD},     '-j MARK --set-mark 0' ) if have_capability 'MARK';
+	if ( $capabilities{MANGLE_FORWARD} ) {
+	    add_rule( $mangle_table->{FORWARD},     '-j MARK --set-mark 0' );
 	    add_jump $mangle_table->{FORWARD} ,     'tcfor',  0;
 	    add_jump $mangle_table->{POSTROUTING} , 'tcpost', 0;
 	}

Shorewall/Perl/Shorewall/Tunnels.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -34,7 +34,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_tunnels );
 our @EXPORT_OK = ( );
-our $VERSION = '4.4_7';
+our $VERSION = '4.5_0';
 
 #
 # Here starts the tunnel stuff -- we really should get rid of this crap...
@@ -86,7 +86,7 @@ sub setup_tunnels() {
 		$inchainref  = ensure_filter_chain rules_chain( ${zone}, ${fw} ), 1;
 		$outchainref = ensure_filter_chain rules_chain( ${fw}, ${zone} ), 1;
 
-		unless ( have_ipsec ) {
+		unless ( $capabilities{POLICY_MATCH} ) {
 		    add_tunnel_rule $inchainref,  "-p 50 $source -j ACCEPT";
 		    add_tunnel_rule $outchainref, "-p 50 $dest -j ACCEPT";
 

Shorewall/Perl/Shorewall/Zones.pm

@@ -72,11 +72,10 @@ our @EXPORT = qw( NOTHING
 		  validate_hosts_file
 		  find_hosts_by_option
 		  all_ipsets
-		  have_ipsec
 		 );
 
 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.4_7';
+our $VERSION = '4.5_0';
 
 #
 # IPSEC Option types
@@ -148,6 +147,7 @@ our %reservedName = ( all => 1,
 #                                     broadcasts  => 'none', 'detect' or [ <addr1>, <addr2>, ... ]
 #                                     number      => <ordinal position in the interfaces file>
 #                                     physical    => <physical interface name>
+#                                     include     => [ <if1>, ... ]
 #                                   }
 #                 }
 #
@@ -157,7 +157,6 @@ our @bport_zones;
 our %ipsets;
 our %physical;
 our $family;
-our $have_ipsec;
 
 use constant { FIREWALL => 1,
 	       IP       => 2,
@@ -172,10 +171,10 @@ use constant { SIMPLE_IF_OPTION   => 1,
 	       IPLIST_IF_OPTION   => 6,
 	       STRING_IF_OPTION   => 7,
 
-	       MASK_IF_OPTION     => 7,
+	       MASK_IF_OPTION     => 15,
 
-	       IF_OPTION_ZONEONLY => 8,
-	       IF_OPTION_HOST     => 16,
+	       IF_OPTION_ZONEONLY => 16,
+	       IF_OPTION_HOST     => 32,
 	   };
 
 our %validinterfaceoptions;
@@ -201,7 +200,6 @@ sub initialize( $ ) {
     @zones = ();
     %zones = ();
     $firewall_zone = '';
-    $have_ipsec = undef;
 
     @interfaces = ();
     %interfaces = ();
@@ -248,7 +246,7 @@ sub initialize( $ ) {
 				    dhcp        => SIMPLE_IF_OPTION,
 				    maclist     => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    nets        => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY,
-				    nosmurfs    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
+				    nosmurfs    => SIMPLE_IF_OPTION,
 				    optional    => SIMPLE_IF_OPTION,
 				    proxyndp    => BINARY_IF_OPTION,
 				    routeback   => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST,
@@ -402,7 +400,6 @@ sub process_zone( \$ ) {
     }
 
     if ( $type eq IPSEC ) {
-	require_capability 'POLICY_MATCH' , 'IPSEC zones', '';
 	for ( @parents ) {
 	    unless ( $zones{$_}{type} == IPSEC ) {
 		set_super( $zones{$_} );
@@ -730,8 +727,8 @@ sub firewall_zone() {
 #
 # Process a record in the interfaces file
 #
-sub process_interface( $ ) {
-    my $nextinum = $_[0];
+sub process_interface( $$ ) {
+    my ( $nextinum , $export ) = @_;
     my $netsref = '';
     my ($zone, $originalinterface, $bcasts, $options ) = split_line 2, 4, 'interfaces file';
     my $zoneref;
@@ -756,7 +753,7 @@ sub process_interface( $ ) {
     if ( defined $port && $port ne '' ) {
 	fatal_error qq("Virtual" interfaces are not supported -- see http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html) if $port =~ /^\d+$/;
 	require_capability( 'PHYSDEV_MATCH', 'Bridge Ports', '');
-	fatal_error "Your iptables is not recent enough to support bridge ports" unless have_capability( 'KLUDGEFREE' );
+	fatal_error "Your iptables is not recent enough to support bridge ports" unless $capabilities{KLUDGEFREE};
 
 	fatal_error "Invalid Interface Name ($interface:$port)" unless $port =~ /^[\w.@%-]+\+?$/;
 	fatal_error "Duplicate Interface ($port)" if $interfaces{$port};
@@ -800,7 +797,7 @@ sub process_interface( $ ) {
 	    fatal_error 'Invalid BROADCAST address' unless $address =~ /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/;
 	}
 
-	if ( have_capability( 'ADDRTYPE' ) ) {
+	if ( $capabilities{ADDRTYPE} ) {
 	    warning_message 'Shorewall no longer uses broadcast addresses in rule generation when Address Type Match is available';
 	} else {
 	    $broadcasts = \@broadcasts;
@@ -923,15 +920,21 @@ sub process_interface( $ ) {
 	    $ipsets{$ipset} = 1;
 	}
 
+	$zoneref->{options}{in_out}{routeback} = 1 if $zoneref && $options{routeback};
+
 	if ( $options{bridge} ) {
 	    require_capability( 'PHYSDEV_MATCH', 'The "bridge" option', 's');
 	    fatal_error "Bridges may not have wildcard names" if $wildcard;
-	    $options{routeback} = 1;
 	}
 
-	$zoneref->{options}{in_out}{routeback} = 1 if $zoneref && $options{routeback};
-
 	$hostoptionsref = \%hostoptions;
+
+    }
+    #
+    # Automatically set 'routeback' for local bridges
+    #
+    unless ( $export || $wildcard || $options{routeback} ) {
+	$options{routeback} = $hostoptionsref->{routeback} = is_bridge $physical;
     }
 
     $physical{$physical} = $interfaces{$interface} = { name       => $interface ,
@@ -974,7 +977,7 @@ sub validate_interfaces_file( $ ) {
 
     first_entry "$doing $fn...";
 
-    push @ifaces, process_interface( $nextinum++) while read_a_line;
+    push @ifaces, process_interface( $nextinum++, $export ) while read_a_line;
 
     #
     # We now assemble the @interfaces array such that bridge ports immediately precede their associated bridge
@@ -1216,7 +1219,6 @@ sub process_host( ) {
 
 	for my $option ( @options ) {
 	    if ( $option eq 'ipsec' ) {
-		require_capability 'POLICY_MATCH' , q(The 'ipsec' option), 's';
 		$type = IPSEC;
 		$zoneref->{options}{complex} = 1;
 		$ipsec = 1;
@@ -1276,15 +1278,7 @@ sub validate_hosts_file()
 
     $ipsec |= process_host while read_a_line;
 
-    $have_ipsec = $ipsec || haveipseczones;
-
-}
-
-#
-# Return an indication of whether IPSEC is present
-#
-sub have_ipsec() {
-    return defined $have_ipsec ? $have_ipsec : have_capability 'POLICY_MATCH';
+    $capabilities{POLICY_MATCH} = '' unless $ipsec || haveipseczones;
 }
 
 #

Shorewall/Perl/prog.header

@@ -300,7 +300,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
 	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
     done
 
-    [ -n "$LOAD_HELPERS_ONLY" ] && modules=$(find_file helpers) || modules=$(find_file modules)
+    modules=$(find_file modules)
 
     if [ -f $modules -a -n "$moduledirectories" ]; then
 	MODULES=$(lsmod | cut -d ' ' -f1)

Shorewall/Perl/prog.header6

@@ -310,7 +310,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
 	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
     done
 
-    [ -n "$LOAD_HELPERS_ONLY" ] && modules=$(find_file helpers) || modules=$(find_file modules)
+    modules=$(find_file modules)
 
     if [ -f $modules -a -n "$moduledirectories" ]; then
 	MODULES=$(lsmod | cut -d ' ' -f1)
@@ -472,7 +472,6 @@ find_first_interface_address_if_any() # $1 = interface
 #
 interface_is_usable() # $1 = interface
 {
-    [ "$1" = lo ] && return 0
     interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ] && run_isusable_exit $1
 }
 

Shorewall/changelog.txt

@@ -1,433 +1,65 @@
-Changes in Shorewall 4.4.7-1
+Changes in 4.5.4
 
-1)  Don't apply rate limiting twice in NAT rules.
+1) Autodetect local bridges.
 
-Changes in Shorewall 4.4.7
+2) Add 'show macro' command.
 
-1)  Backport optimization changes from 4.5.
+Changes in 4.5.3
 
-2)  Backport two new options from 4.5.
+1) Fix logging NONAT rules.
 
-3)  Backport TPROXY from 4.5
+2) Don't let fw-fw be optimized away.
 
-4)  Add TC_PRIOMAP to shorewall*.conf
+3) Don't optimize away non-empty rules chains.
 
-5)  Implement LOAD_HELPERS_ONLY
+4) Represent masks in hex.
 
-6)  Avoid excessive module loading with LOAD_HELPERS_ONLY=Yes
+5) Don't specify a mask in tcpri-generated rules.
 
-7)  Fix case where MARK target is unavailable.
+6) Add TPROXY support.
 
-8)  Change default to ADD_IP_ALIASES=No
+Changes in 4.5.2
 
-9)  Correct defects in generate_matrix().
+1) Extend OPTIMIZE & 4 to all tables.
 
-10) Fix and optimize 'nosmurfs'.
+2) Add OPTIMIZE_ACCOUNTING.
 
-11) Use 'OLD_HL_MATCH' to suppress use of 'flow' in Simple TC.
+3) Add -p option to check.
 
-Changes in Shorewall 4.4.6
+Changes in 4.5.1
 
-1)  Fix for rp_filter and kernel 2.6.31.
+1)  Fix syntax error in /sbin/shorewall.
 
-2)  Add a hack to work around a bug in Lenny + xtables-addons
+2)  Don't generate source type rule for ICMP/ICMPv6.
 
-3)  Re-enable SAVE_IPSETS
+3)  Add <device> argument to 'show tc'.
 
-4)  Allow both <...> and [...] for IPv6 Addresses.
+4)  Fix 'save' when DYNAMIC_BLACKLIST=No
 
-5)  Port mark geometry change from 4.5.
+5)  Allow COMMENTs in tcpri.
 
-6)  Add Macro patch from Tuomo Soini
+6)  More ACCEPT optimization with OPTIMIZE & 2.
 
-7)  Add 'show macro' command.
+7)  OPTIMIZE & 4.
 
-8)  Add -r option to check.
+8)  Allow ipp2p in tcpri.
 
-9)  Port simplified TC from 4.5.
+Changes in 4.5.0
 
-Changes in Shorewall 4.4.5
+1)  Allow control over how the Mark is used.
 
-1)  Fix 15-port limit removal change.
+2)  Generate warning on <macro>/<param>.
 
-2)  Fix handling of interfaces with the 'bridge' option.
+3)  Add a new optimization option.
 
-3)  Generate error for port number 0
+4)  Combine identical logging chains.
 
-4)  Allow zone::serverport in rules DEST column.
+5)  Added ACCOUNTING and DYNAMIC_BLACKLIST options.
 
-5)  Fix 'show policies' in Shorewall6.
+6)  Don't unconditionally pass traffic from routemarked interfaces
+    through the tcpre chain.
 
-6)  Auto-load tc modules.
-
-7)  Allow LOGFILE=/dev/null
-
-8)  Fix shorewall6-lite/shorecap
-
-9) Fix MODULE_SUFFIX.
-
-10) Fix ENHANCED_REJECT detection for IPv4.
-
-11) Fix DONT_LOAD vs 'reload -c'
-
-12) Fix handling of SOURCE and DEST vs macros.
-
-13) Remove silly logic in expand_rule().
-
-14) Add current and limit to Conntrack Table Heading.
-
-Changes in Shorewall 4.4.4
-
-1)  Change STARTUP_LOG and LOG_VERBOSITY in default shorewall6.conf.
-
-2)  Fix access to uninitialized variable.
-
-3)  Add logrotate scripts.
-
-4)  Allow long port lists in /etc/shorewall/routestopped.
-
-5)  Implement 'physical' interface option.
-
-6)  Implement ZONE2ZONE option.
-
-7)  Suppress duplicate COMMENT warnings.
-
-8)  Implement 'show policies' command.
-
-9)  Fix route_rule suppression for down provider.
-
-10) Suppress redundant tests for provider availability in route rules
-    processing.
-
-11) Implement the '-l' option to the 'show' command.
-
-12) Fix class number assignment when WIDE_TC_MARKS=Yes
-
-13) Allow wide marks in tcclasses when WIDE_TC_MARKS=Yes
-
-Changes in Shorewall 4.4.3
-
-1)  Move Debian INITLOG initialization to /etc/default/shorewall
-
-2)  Fix 'routeback' in /etc/shorewall/routestopped.
-
-3)  Rename 'object' to 'script' in compiler and config modules.
-
-4)  Correct RETAIN_ALIASES=No.
-
-5)  Fix detection of IP config.
-
-6)  Fix nested zones.
-
-7)  Move all function declarations from prog.footer to prog.header
-
-8)  Remove superfluous variables from generated script
-
-9)  Make 'track' the default.
-
-10)  Add TRACK_PROVIDERS option.
-
-11)  Fix IPv6 address parsing bug.
-
-12)  Add hack to work around iproute IPv6 bug in route handling
-
-13)  Correct messages issued when an optional provider is not usable.
-
-14)  Fix optional interfaces.
-
-15)  Add 'limit' option to tcclasses.
-
-Changes in Shorewall 4.4.2
-
-1)  BUGFIX: Correct detection of Persistent SNAT support
-
-2)  BUGFIX: Fix chain table initialization
-
-3)  BUGFIX: Validate routestopped file on 'check'
-
-4)  Let the Actions module add the builtin actions to
-    %Shorewall::Chains::targets. Much better modularization that way.
-
-5)  Some changes to make Lenny->Squeeze less painful.
-
-6)  Allow comments at the end of continued lines.
-
-7)  Call process_routestopped() during 'check' rather than
-    'compile_stop_firewall()'.
-
-8)  Don't look for an extension script for built-in actions.
-
-9)  Apply Jesse Shrieve's patch for SNAT range.
-
-10) Add -<family> to 'ip route del default' command.
-
-11) Add three new columns to macro body.
-
-12) Change 'wait4ifup' so that it requires no PATH
-
-13) Allow extension scripts for accounting chains.
-
-14) Allow per-ip LIMIT to work on ancient iptables releases.
-
-15) Add 'MARK' column to action body.
-
-Changes in Shorewall 4.4.1
-
-1)  Deleted extra 'use ...IPAddrs.pm' from Nat.pm.
-
-2)  Deleted superfluous export from Chains.pm.
-
-3)  Added support for --persistent.
-
-4)  Don't do module initialization in an INIT block.
-
-5)  Minor performance improvements.
-
-6)  Add 'clean' target to Makefile.
-
-7)  Redefine 'full' for sub-classes.
-
-8)  Fix log level in rules at the end of INPUT and OUTPUT chains.
-
-9)  Fix nested ipsec zones.
-
-10) Change one-interface sample to IP_FORWARDING=Off.
-
-11) Allow multicast to non-dynamic zones defined with nets=.
-
-12) Allow zones with nets= to be extended by /etc/shorewall/hosts
-    entries.
-
-13) Don't allow nets= in a multi-zone interface definition.
-
-14) Fix rule generated by MULTICAST=Yes
-
-15) Fix silly hole in zones file parsing.
-
-16) Tighen up zone membership checking.
-
-17) Combine portlist-spitting routines into a single function.
-
-Changes in Shorewall 4.4.0
-
-1)  Fix 'compile ... -' so that it no longer requires '-v-1'
-
-2)  Fix rule generation for logging nat rules with no exclusion.
-
-3)  Fix log record formatting.
-
-4)  Restore ipset binding
-
-5)  Fix 'upnpclient' with required interfaces.
-
-6)  Fix provider number in masq file.
-
-Changes in Shorewall 4.4.0-RC2
-
-1)  Fix capabilities file with Shorewall6.
-
-2)  Allow Shorewall6 to recognize TC, IP and IPSET
-
-3)  Make 'any' a reserved zone name.
-
-4)  Correct handling of an ipsec zone nested in a non-ipsec zone.
-
-Changes in Shorewall 4.4.0-RC1
-
-1)  Delete duplicate Git macro.
-
-2)  Fix routing when no providers.
-
-3)  Add 'any' as a SOURCE/DEST in rules.
-
-4)  Fix NONAT on child zone.
-
-5)  Fix rpm -U from earlier versions
-
-6)  Generate error on 'status' by non-root.
-
-7)  Get rid of prog.functions and prog.functions6
-
-Changes in Shorewall 4.4.0-Beta4
-
-1)  Add more macros.
-
-2)  Correct broadcast address detection
-
-3) Fix 'show dynamic'
-
-4) Fix BGP and OSFP macros.
-
-5) Change DISABLE_IPV6 default and use 'correct' ip6tables.
-
-Changes in Shorewall 4.4.0-Beta3
-
-1)  Add new macros.
-
-2)  Work around mis-configured interfaces.
-
-3)  Fix 'show dynamic'.
-
-4)  Check for xt_LOG.
-
-5)  Fix 'findgw'
-
-Changes in Shorewall 4.4.0-Beta2
-
-1)  The 'find_first_interface_address()' and
-    'find_first_interface_address_if_any()' functions have been restored to
-    lib.base.
-
-2)  Integerize r2q before inserting it into 'tc qdisc add root'
-    command.
-
-3)  Remove '-h' from the help text for install.sh in Shorewall and
-    Shorewall6.
-
-4)  Delete the 'continue' file from the Shorewall package.
-
-5)  Add 'upnpclient' interface option.
-
-6)  Fix handling of optional interfaces.
-
-7)  Add 'iptrace' and 'noiptrace' command.
-
-8)  Add 'USER/GROUP' column to masq file.
-
-9)  Added lib.private.
-
-Changes in Shorewall 4.4.0-Beta1
-
-1)  Correct typo in Shorewall6 two-interface sample shorewall.conf.
-
-2)  Fix TOS mnemonic handling in /etc/shorewall/tcfilters.
-
-Changes in Shorewall 4.3.12
-
-1) Eliminate 'large quantum' warnings.
-
-2) Add HFSC support.
-
-3) Delete support for ipset binding. Jozsef has removed the capability
-   from ipset.
-
-4) Add TOS and LENGTH columns to tcfilters file.
-
-5) Fix 'reset' command.
-
-6) Fix 'findgw'.
-
-7) Remove 'norfc1918' support.
-
-Changes in Shorewall 4.3.11
-
-1) Reduce the number of arguments passed in may cases.
-
-2) Fix SCTP source port handling in tcfilters.
-
-3) Add 'findgw' user exit.
-
-4) Add macro.Trcrt
-
-Changes in Shorewall 4.3.10
-
-1) Fix handling of shared optional providers.
-
-2) Add WIDE_TC_MARKS option.
-
-3) Allow compile to STDOUT.
-
-4) Fix handling of class IDs.
-
-5) Deprecate use of an interface in the SOURCE column of
-   /etc/shorewall/masq.
-
-6) Fix handling of 'all' in the SOURCE of DNAT- rules.
-
-7) Fix compile for export.
-
-8) Optimize IPMARK.
-
-9) Implement nested HTB classes.
-
-10) Fix 'iprange' command.
-
-11) Make traffic shaping work better with IPv6.
-
-12) Externalize 'flow'.
-
-13) Fix 'start' with AUTOMAKE=Yes
-
-Changes in Shorewall 4.3.9
-
-1) Logging rules now create separate chain.
-
-2) Fix netmask genereation in tcfilters.
-
-3) Allow Shorewall6 with kernel 2.6.24
-
-4) Avoid 'Invalid BROADCAST address' errors.
-
-5) Allow Shorewall6 on kernel 4.2.24:Shorewall/changelog.txt
-
-6) Add IP, TC and IPSET options in shorewall.conf and shorewall6.conf.
-
-7) Add IPMARK support
-
-Changes in Shorewall 4.3.8
-
-1) Apply Tuomo Soini's patch for USE_DEFAULT_RT.
-
-2) Use 'startup_error' for those errors caught early.
-
-3) Fix swping
-
-4) Detect gateway via dhclient leases file.
-
-5) Suppress leading whitespace on certain continuation lines.
-
-6) Use iptables[6]-restore to stop the firewall.
-
-7) Add AUTOMAKE option
-
-8) Remove SAME support.
-
-9) Allow 'compile' without a pathname.
-
-10) Fix LOG_MARTIANS=Yes.
-
-11) Adapt I. Buijs's hashlimit patch.
-
-Changes in Shorewall 4.3.7
-
-1)  Fix forward treatment of interface options.
-
-2)  Replace $VARDIR/.restore with $VARDIR/firewall
-
-3)  Fix DNAT- parsing of DEST column.
-
-4)  Implement dynamic zones
-
-5)  Allow 'HOST' options on bridge ports.
-
-6)  Deprecate old macro parameter syntax.
-
-Changes in Shorewall 4.3.6
-
-1)  Add SAME tcrules target.
-
-2)  Make 'dump' display the raw table. Fix shorewall6 dump anomalies.
-
-3)  Fix split_list1()
-
-4)  Fix Shorewall6 file location bugs.
-
-Changes in Shorewall 4.3.5
-
-1)  Remove support for shorewall-shell.
-
-2)  Combine shorewall-common and shorewall-perl to produce shorewall.
-
-3)  Add nets= OPTION in interfaces file.
+7)  Automatically assign mark values.
 
+8)  Simplified Traffic Shaping
 

Shorewall/configfiles/shorewall.conf

@@ -107,7 +107,7 @@ RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 
 IP_FORWARDING=On
 
-ADD_IP_ALIASES=No
+ADD_IP_ALIASES=Yes
 
 ADD_SNAT_ALIASES=No
 
@@ -197,11 +197,20 @@ ZONE2ZONE=2
 
 ACCOUNTING=Yes
 
-DYNAMIC_BLACKLIST=Yes
-
 OPTIMIZE_ACCOUNTING=No
 
-LOAD_HELPERS_ONLY=No
+DYNAMIC_BLACKLIST=Yes
+
+###############################################################################
+# MARK Layout
+###############################################################################
+TC_BITS=
+
+MASK_BITS=
+
+PROVIDER_BITS=
+
+PROVIDER_OFFSET=
 
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N

Shorewall/configfiles/tcinterfaces

@@ -7,5 +7,5 @@
 # information.
 #
 ###############################################################################
-#INTERFACE	TYPE		IN-BANDWIDTH
+#INTERFACE		TYPE	IN-BANDWIDTH
 

Shorewall/helpers

@@ -1,63 +0,0 @@
-#
-# Shorewall version 4 - Helpers File
-#
-# /usr/share/shorewall/helpers
-#
-#	This file loads the kernel helper modules.
-#
-#	THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-#	dependency order. i.e., if M2 depends on M1 then you must load M1
-#	before you load M2.
-#
-#  If you need to modify this file, copy it to /etc/shorewall and modify the
-#  copy.
-#
-###############################################################################
-
-# Helpers
-#
-loadmodule ip_conntrack_amanda
-loadmodule ip_conntrack_ftp
-loadmodule ip_conntrack_h323
-loadmodule ip_conntrack_irc
-loadmodule ip_conntrack_netbios_ns
-loadmodule ip_conntrack_pptp
-loadmodule ip_conntrack_sip
-loadmodule ip_conntrack_tftp
-loadmodule ip_nat_amanda
-loadmodule ip_nat_ftp
-loadmodule ip_nat_h323
-loadmodule ip_nat_irc
-loadmodule ip_nat_pptp
-loadmodule ip_nat_sip
-loadmodule ip_nat_snmp_basic
-loadmodule ip_nat_tftp
-loadmodule ip_set
-loadmodule ip_set_iphash
-loadmodule ip_set_ipmap
-loadmodule ip_set_macipmap
-loadmodule ip_set_portmap
-#
-# 2.6.20+ helpers
-#
-loadmodule nf_conntrack_ftp
-loadmodule nf_conntrack_h323
-loadmodule nf_conntrack_irc
-loadmodule nf_conntrack_netbios_ns
-loadmodule nf_conntrack_netlink
-loadmodule nf_conntrack_pptp
-loadmodule nf_conntrack_proto_gre
-loadmodule nf_conntrack_proto_sctp
-loadmodule nf_conntrack_sip         sip_direct_media=0
-loadmodule nf_conntrack_tftp
-loadmodule nf_conntrack_sane
-loadmodule nf_nat_amanda
-loadmodule nf_nat_ftp
-loadmodule nf_nat_h323
-loadmodule nf_nat_irc
-loadmodule nf_nat
-loadmodule nf_nat_pptp
-loadmodule nf_nat_proto_gre
-loadmodule nf_nat_sip
-loadmodule nf_nat_snmp_basic
-loadmodule nf_nat_tftp

Shorewall/install.sh

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2000,2001,2002,2003,2004,2005,2006,2007,2009,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.7.1
+VERSION=4.5.4
 
 usage() # $1 = exit status
 {
@@ -196,7 +196,7 @@ fi
 #
 cd "$(dirname $0)"
 
-echo "Installing Shorewall Version $VERSION"
+echo "Installing Shorewall-common Version $VERSION"
 
 #
 # Check for /etc/shorewall
@@ -421,12 +421,6 @@ fi
 run_install $OWNERSHIP -m 0600 modules ${PREFIX}/usr/share/shorewall/modules
 echo "Modules file installed as ${PREFIX}/usr/share/shorewall/modules"
 
-#
-# Install the Module Helpers file
-#
-run_install $OWNERSHIP -m 0600 helpers ${PREFIX}/usr/share/shorewall/helpers
-echo "Helper modules file installed as ${PREFIX}/usr/share/shorewall/helpers"
-
 #
 # Install the TC Rules file
 #
@@ -437,26 +431,6 @@ if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/tcrules ]; then
     echo "TC Rules file installed as ${PREFIX}/etc/shorewall/tcrules"
 fi
 
-#
-# Install the TC Interfaces file
-#
-run_install $OWNERSHIP -m 0644 configfiles/tcinterfaces ${PREFIX}/usr/share/shorewall/configfiles/tcinterfaces
-
-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/tcinterfaces ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/tcinterfaces ${PREFIX}/etc/shorewall/tcinterfaces
-    echo "TC Interfaces file installed as ${PREFIX}/etc/shorewall/tcinterfaces"
-fi
-
-#
-# Install the TC Priority file
-#
-run_install $OWNERSHIP -m 0644 configfiles/tcpri ${PREFIX}/usr/share/shorewall/configfiles/tcpri
-
-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/tcpri ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/tcpri ${PREFIX}/etc/shorewall/tcpri
-    echo "TC Priority file installed as ${PREFIX}/etc/shorewall/tcpri"
-fi
-
 #
 # Install the TOS file
 #
@@ -874,4 +848,4 @@ fi
 #
 #  Report Success
 #
-echo "shorewall Version $VERSION Installed"
+echo "shorewall-common Version $VERSION Installed"

Shorewall/known_problems.txt

@@ -1,5 +1 @@
-1)  All versions of Shorewall-perl mishandle per-IP rate limiting in
-    REDIRECT and DNAT rules. The effective rate and burst are 1/2 of
-    the values given in the rule.
-
-    Corrected in 4.4.7.1
+There are no known problems in Shorewall 4.5.4

Shorewall/lib.base

@@ -29,8 +29,8 @@
 #   and /usr/share/shorewall-lite/shorecap.
 #
 
-SHOREWALL_LIBVERSION=40407
-SHOREWALL_CAPVERSION=40407
+SHOREWALL_LIBVERSION=40503
+SHOREWALL_CAPVERSION=40503
 
 [ -n "${VARDIR:=/var/lib/shorewall}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall}" ]
@@ -265,7 +265,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
 	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
     done
 
-    [ -n "$LOAD_HELPERS_ONLY" ] && modules=$(find_file helpers) || modules=$(find_file modules)
+    modules=$(find_file modules)
 
     if [ -f $modules -a -n "$moduledirectories" ]; then
 	MODULES=$(lsmod | cut -d ' ' -f1)
@@ -784,10 +784,6 @@ determine_capabilities() {
 	exit 1
     fi
 
-    [ "$TC" = tc -o -z "$TC" ] && TC=$(which tc)
-
-    [ -n "$TC" -a -x "$TC" ] || TC=
-
     qt $IPTABLES -t nat    -L -n && NAT_ENABLED=Yes    || NAT_ENABLED=
     qt $IPTABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
 
@@ -834,7 +830,6 @@ determine_capabilities() {
     IPMARK_TARGET=
     LOG_TARGET=Yes
     PERSISTENT_SNAT=
-    FLOW_FILTER=
 
     chain=fooX$$
 
@@ -973,8 +968,6 @@ determine_capabilities() {
     qt $IPTABLES -F $chain1
     qt $IPTABLES -X $chain1
 
-    [ -n "$TC" ] && $TC filter add flow help 2>&1 | grep -q ^Usage && FLOW_FILTER=Yes
-
     CAPVERSION=$SHOREWALL_CAPVERSION
     KERNELVERSION=$(printf "%d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
 }
@@ -1040,7 +1033,6 @@ report_capabilities() {
 	report_capability "LOG Target" $LOG_TARGET
 	report_capability "Persistent SNAT" $PERSISTENT_SNAT
 	report_capability "TPROXY Target" $TPROXY_TARGET
-	report_capability "FLOW Classifier" $FLOW_FILTER
     fi
 
     [ -n "$PKTTYPE" ] || USEPKTTYPE=
@@ -1102,7 +1094,6 @@ report_capabilities1() {
     report_capability1 LOG_TARGET
     report_capability1 PERSISTENT_SNAT
     report_capability1 TPROXY_TARGET
-    report_capability1 FLOW_FILTER
     
     echo CAPVERSION=$SHOREWALL_CAPVERSION
     echo KERNELVERSION=$KERNELVERSION

Shorewall/shorewall

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
 #
 #	This file should be placed in /sbin/shorewall.
 #
@@ -315,20 +315,6 @@ get_config() {
 	    fi
 	    ;;
     esac
-
-    case $LOAD_HELPERS_ONLY in
-	Yes|yes)
-	    ;;
-	No|no)
-	    LOAD_HELPERS_ONLY=
-	    ;;
-	*)
-	    if [ -n "$LOAD_HELPERS_ONLY" ]; then
-		echo "   ERROR: Invalid LOAD_HELPERS_ONLY setting ($LOAD_HELPERS_ONLY)" >&2
-		exit 1
-	    fi
-	    ;;
-    esac
 }
 
 #
@@ -1448,7 +1434,6 @@ VERBOSE_OFFSET=0
 USE_VERBOSITY=
 NOROUTES=
 PURGE=
-DEBUG=
 EXPORT=
 export TIMESTAMP=
 noroutes=

Shorewall/shorewall.spec

@@ -1,6 +1,6 @@
 %define name shorewall
-%define version 4.4.7
-%define release 1
+%define version 4.5.4
+%define release 0base
 
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -91,7 +91,6 @@ fi
 %attr(0644,root,root) /usr/share/shorewall/lib.cli
 %attr(0644,root,root) /usr/share/shorewall/macro.*
 %attr(0644,root,root) /usr/share/shorewall/modules
-%attr(0644,root,root) /usr/share/shorewall/helpers
 %attr(0644,root,root) /usr/share/shorewall/configpath
 %attr(0755,root,root) /usr/share/shorewall/wait4ifup
 
@@ -107,29 +106,17 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples 
 
 %changelog
-* Sat Feb 13 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-1
-* Thu Feb 11 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0base
-* Tue Feb 02 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0RC2
-* Wed Jan 27 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0RC1
-* Mon Jan 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0Beta4
-* Fri Jan 22 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0Beta3
-* Fri Jan 22 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0Beta2
-* Thu Jan 21 2010 Tom Eastep tom@shorewall.net
-- Add /usr/share/shorewall/helpers
-* Sun Jan 17 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0Beta1
-* Wed Jan 13 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.6-0base
-* Wed Jan 13 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.6-0Beta1
-* Thu Dec 24 2009 Tom Eastep tom@shorewall.net
+* Fri Jan 08 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.5.4-0base
+* Mon Jan 04 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.5.3-0base
+* Wed Dec 30 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.5.2-0base
+* Sun Dec 27 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.5.1-0base
+* Tue Dec 01 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.5.0-0base
+* Fri Nov 27 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.5-0base
 * Sat Nov 21 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.4-0base

Shorewall/uninstall.sh

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://www.shorewall.net
 #
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.7.1
+VERSION=4.5.4
 
 usage() # $1 = exit status
 {

Shorewall6-lite/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=4.4.7.1
+VERSION=4.5.4
 
 usage() # $1 = exit status
 {

Shorewall6-lite/install.sh

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.7.1
+VERSION=4.5.4
 
 usage() # $1 = exit status
 {

Shorewall6-lite/shorecap

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2006,2007 - Tom Eastep (teastep@shorewall.net)
 #
 #	This file should be placed in /sbin/shorewall.
 #
@@ -45,17 +45,17 @@
 #    used during firewall compilation, then the generated firewall program will likewise not
 #    require Shorewall to be installed.
 
-SHAREDIR=/usr/share/shorewall6-lite
-VARDIR=/var/lib/shorewall6-lite
-CONFDIR=/etc/shorewall6-lite
+SHAREDIR=/usr/share/shorewall-lite
+VARDIR=/var/lib/shorewall-lite
+CONFDIR=/etc/shorewall-lite
 PRODUCT="Shorewall Lite"
 
-. /usr/share/shorewall6-lite/lib.base
-. /usr/share/shorewall6-lite/configpath
+. /usr/share/shorewall-lite/lib.base
+. /usr/share/shorewall-lite/configpath
 
 [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
-VERSION=$(cat /usr/share/shorewall6-lite/version)
+VERSION=$(cat /usr/share/shorewall-lite/version)
 
 [ -n "$IPTABLES" ] || IPTABLES=$(mywhich iptables)
 

Shorewall6-lite/shorewall6-lite

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2006 - Tom Eastep (teastep@shorewall.net)
 #
 #	This file should be placed in /sbin/shorewall-lite.
 #
@@ -367,26 +367,28 @@ usage() # $1 = exit status
     echo "Usage: $(basename $0) [debug|trace] [nolock] [ -q ] [ -v[-1|{0-2}] ] [ -t ] <command>"
     echo "where <command> is one of:"
     echo "   allow <address> ..."
-    echo "   clear [ -f ]"
+    echo "   clear"
     echo "   drop <address> ..."
     echo "   dump [ -x ]"
     echo "   forget [ <file name> ]"
     echo "   help"
-    echo "   load [ -s ] [ -c ] [ -r <root user> ] [ <directory> ] <system>"
+    echo "   hits [ -t ]"
+    echo "   ipcalc { <address>/<vlsm> | <address> <netmask> }"
+    echo "   ipdecimal { <address> | <integer> }"
+    echo "   iprange <address>-<address>"
     echo "   logdrop <address> ..."
     echo "   logreject <address> ..."
     echo "   logwatch [<refresh interval>]"
-    echo "   refresh [ <chain>... ]"
     echo "   reject <address> ..."
-    echo "   reset [ <chain> ... ]"
-    echo "   restart [ -n ] [ -f ]"
+    echo "   reset"
+    echo "   restart [ -n ] [ -p ]"
     echo "   restore [ -n ] [ <file name> ]"
     echo "   save [ <file name> ]"
-    echo "   show [ -x ] [ -m ] [-f] [ -t {filter|mangle} ] [ {chain [<chain> [ <chain> ... ]capabilities|classifiers|config|connections|filters|ip|log|macros|mangle|nat|policies|raw|routing|tc|vardir|zones} ]"
-    echo "   start [ -f ] [ <directory> ]"
-    echo "   stop [ -f ]"
+    echo "   show [ -x ] [ -m ] [ -f ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]|capabilities|classifiers|config|connections|filters|ip|log|mangle|nat|routing|tc|vardir|zones} ]"
+    echo "   start [ -f ] [ -n ] [ -p ]"
+    echo "   stop"
     echo "   status"
-    echo "   version [ -a ]"
+    echo "   version"
     echo
     exit $1
 }

Shorewall6-lite/shorewall6-lite.spec

@@ -1,6 +1,6 @@
 %define name shorewall6-lite
-%define version 4.4.7
-%define release 1
+%define version 4.5.4
+%define release 0base
 
 Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -91,27 +91,17 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
-* Sat Feb 13 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-1
-* Thu Feb 11 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0base
-* Tue Feb 02 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0RC2
-* Wed Jan 27 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0RC1
-* Mon Jan 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0Beta4
-* Fri Jan 22 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0Beta3
-* Fri Jan 22 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0Beta2
-* Sun Jan 17 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0Beta1
-* Wed Jan 13 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.6-0base
-* Tue Jan 12 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.6-0Beta1
-* Thu Dec 24 2009 Tom Eastep tom@shorewall.net
+* Fri Jan 08 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.5.4-0base
+* Mon Jan 04 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.5.3-0base
+* Wed Dec 30 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.5.2-0base
+* Sun Dec 27 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.5.1-0base
+* Tue Dec 01 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.5.0-0base
+* Fri Nov 27 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.5-0base
 * Sat Nov 21 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.4-0base

Shorewall6-lite/uninstall.sh

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.sourceforge.net
 #
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.7.1
+VERSION=4.5.4
 
 usage() # $1 = exit status
 {

Shorewall6/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=4.4.7.1
+VERSION=4.5.4
 
 usage() # $1 = exit status
 {

Shorewall6/helpers

@@ -1,36 +0,0 @@
-#
-# Shorewall6 version 4 - Helpers File
-#
-# /usr/share/shorewall6/helpers
-#
-#	This file loads the modules that may be needed by the firewall.
-#
-#	THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-#	dependency order. i.e., if M2 depends on M1 then you must load M1
-#	before you load M2.
-#
-#  If you need to modify this file, copy it to /etc/shorewall and modify the
-#  copy.
-#
-###############################################################################
-#
-# Helpers
-#
-loadmodule nf_conntrack_amanda
-loadmodule nf_conntrack_ftp
-loadmodule nf_conntrack_h323
-loadmodule nf_conntrack_irc
-loadmodule nf_conntrack_netbios_ns
-loadmodule nf_conntrack_netbios_ns
-loadmodule nf_conntrack_netlink
-loadmodule nf_conntrack_pptp
-loadmodule nf_conntrack_proto_sctp
-loadmodule nf_conntrack_proto_udplite
-loadmodule nf_conntrack_sane
-loadmodule nf_conntrack_sip         sip_direct_media=0
-loadmodule nf_conntrack_pptp
-loadmodule nf_conntrack_proto_gre
-loadmodule nf_conntrack_proto_sctp
-loadmodule nf_conntrack_sip
-loadmodule nf_conntrack_tftp
-loadmodule nf_conntrack_sane

Shorewall6/install.sh

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2000,2001,2002,2003,2004,2005,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000,2001,2002,2003,2004,2005,2008 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.7.1
+VERSION=4.5.4
 
 usage() # $1 = exit status
 {
@@ -361,12 +361,6 @@ fi
 run_install $OWNERSHIP -m 0600 modules ${PREFIX}/usr/share/shorewall6/modules
 echo "Modules file installed as ${PREFIX}/usr/share/shorewall6/modules"
 
-#
-# Install the Module Helpers file
-#
-run_install $OWNERSHIP -m 0600 helpers ${PREFIX}/usr/share/shorewall6/helpers
-echo "Helper modules file installed as ${PREFIX}/usr/share/shorewall6/helpers"
-
 #
 # Install the TC Rules file
 #
@@ -719,4 +713,4 @@ fi
 #
 #  Report Success
 #
-echo "shorewall6 Version $VERSION Installed"
+echo "shorewall6-common Version $VERSION Installed"

Shorewall6/lib.base

@@ -32,8 +32,8 @@
 #   by the compiler.
 #
 
-SHOREWALL_LIBVERSION=40407
-SHOREWALL_CAPVERSION=40407
+SHOREWALL_LIBVERSION=40503
+SHOREWALL_CAPVERSION=40503
 
 [ -n "${VARDIR:=/var/lib/shorewall6}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall6}" ]
@@ -302,7 +302,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
 	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
     done
 
-    [ -n "$LOAD_HELPERS_ONLY" ] && modules=$(find_file helpers) || modules=$(find_file modules)
+    modules=$(find_file modules)
 
     if [ -f $modules -a -n "$moduledirectories" ]; then
 	MODULES=$(lsmod | cut -d ' ' -f1)
@@ -737,7 +737,6 @@ determine_capabilities() {
     GOTO_TARGET=
     IPMARK_TARGET=
     LOG_TARGET=Yes
-    FLOW_FILTER=
 
     chain=fooX$$
 
@@ -748,10 +747,6 @@ determine_capabilities() {
 	exit 1
     fi
 
-    [ -n "$IP" ] || IP=$(which ip)
-
-    [ -n "$IP" -a -x "$IP" ] || IP=
-
     qt $IP6TABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
 
     qt $IP6TABLES -F $chain
@@ -880,8 +875,6 @@ determine_capabilities() {
     qt $IP6TABLES -F $chain1
     qt $IP6TABLES -X $chain1
 
-    [ -n "$IP" ] && $IP filter add flow help 2>&1 | grep -q ^Usage && FLOW_FILTER=Yes
-
     CAPVERSION=$SHOREWALL_CAPVERSION
     KERNELVERSION=$(printf "%d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
 }
@@ -944,7 +937,6 @@ report_capabilities() {
 	report_capability "IPMARK Target" $IPMARK_TARGET
 	report_capability "LOG Target" $LOG_TARGET
 	report_capability "TPROXY Target" $TPROXY_TARGET
-	report_capability "FLOW Classifier" $FLOW_FILTER
     fi
 
     [ -n "$PKTTYPE" ] || USEPKTTYPE=
@@ -1003,7 +995,6 @@ report_capabilities1() {
     report_capability1 IPMARK_TARGET
     report_capability1 LOG_TARGET
     report_capability1 TPROXY_TARGET
-    report_capability1 FLOW_FILTER
     
     echo CAPVERSION=$SHOREWALL_CAPVERSION
     echo KERNELVERSION=$KERNELVERSION    

Shorewall6/modules

@@ -56,8 +56,6 @@ loadmodule xt_sctp
 loadmodule xt_tcpmss
 loadmodule xt_TCPMSS
 loadmodule xt_time
-loadmodule xt_IPMARK
-loadmodule xt_TPROXY
 #
 # Helpers
 #

Shorewall6/shorewall6

@@ -220,20 +220,6 @@ get_config() {
 	    fi
 	    ;;
     esac
-
-    case $LOAD_HELPERS_ONLY in
-	Yes|yes)
-	    ;;
-	No|no)
-	    LOAD_HELPERS_ONLY=
-	    ;;
-	*)
-	    if [ -n "$LOAD_HELPERS_ONLY" ]; then
-		echo "   ERROR: Invalid LOAD_HELPERS_ONLY setting ($LOAD_HELPERS_ONLY)" >&2
-		exit 1
-	    fi
-	    ;;
-    esac
 }
 
 #
@@ -1344,7 +1330,6 @@ VERBOSE_OFFSET=0
 USE_VERBOSITY=
 NOROUTES=
 PURGE=
-DEBUG=
 EXPORT=
 export TIMESTAMP=
 noroutes=
@@ -1673,7 +1658,7 @@ case "$COMMAND" in
 	    block DROP Dropped $*
 	    [ -n "$nolock" ] || mutex_off
 	else
-	    fatal_error "Shorewall6 is not started"
+	    fatal_error "$PRODUCT is not started"
 	fi
 	;;
     logdrop)

Shorewall6/shorewall6.conf

@@ -105,8 +105,6 @@ TC_ENABLED=No
 
 TC_EXPERT=No
 
-TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
-
 CLEAR_TC=No
 
 MARK_IN_FORWARD_CHAIN=No
@@ -157,7 +155,16 @@ OPTIMIZE_ACCOUNTING=No
 
 DYNAMIC_BLACKLIST=Yes
 
-LOAD_HELPERS_ONLY=No
+###############################################################################
+# MARK Layout
+###############################################################################
+TC_BITS=
+
+MASK_BITS=
+
+PROVIDER_BITS=
+
+PROVIDER_OFFSET=
 
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N

Shorewall6/shorewall6.spec

@@ -1,6 +1,6 @@
 %define name shorewall6
-%define version 4.4.7
-%define release 1
+%define version 4.5.4
+%define release 0base
 
 Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -84,7 +84,6 @@ fi
 %attr(0644,root,root) /usr/share/shorewall6/lib.cli
 %attr(0644,root,root) /usr/share/shorewall6/macro.*
 %attr(0644,root,root) /usr/share/shorewall6/modules
-%attr(0644,root,root) /usr/share/shorewall6/helpers
 %attr(0644,root,root) /usr/share/shorewall6/configpath
 %attr(0755,root,root) /usr/share/shorewall6/wait4ifup
 
@@ -96,28 +95,17 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
 
 %changelog
-* Sat Feb 13 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-1
-* Thu Feb 11 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0base
-* Tue Feb 02 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0RC2
-* Wed Jan 27 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0RC1
-* Mon Jan 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0Beta4
-* Fri Jan 22 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0Beta3
-* Fri Jan 22 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0Beta2
-- Added helpers file
-* Sun Jan 17 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0Beta1
-* Wed Jan 13 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.6-0base
-* Tue Jan 12 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.6-0Beta1
-* Thu Dec 24 2009 Tom Eastep tom@shorewall.net
+* Fri Jan 08 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.5.4-0base
+* Mon Jan 04 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.5.3-0base
+* Wed Dec 30 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.5.2-0base
+* Sun Dec 27 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.5.1-0base
+* Tue Dec 01 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.5.0-0base
+* Fri Nov 27 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.5-0base
 * Sat Nov 21 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.4-0base

Shorewall6/uninstall.sh

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2000,2001,2002,2003,2004,2005,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000,2001,2002,2003,2004,2005,2008 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://www.shorewall.net
 #
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.7.1
+VERSION=4.5.4
 
 usage() # $1 = exit status
 {

docs/Accounting.xml

@@ -44,6 +44,11 @@
   <section id="Basics">
     <title>Accounting Basics</title>
 
+    <para>Shorewall's accounting facility is enabled by the ACCOUNTING setting
+    in <ulink url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5).
+    This option was added in Shorewall 4.5.0 and defaults to 'Yes'. Versions
+    prior to 4.5.0 unconditionally enable accounting.</para>
+
     <para>Shorewall accounting rules are described in the file
     <filename><filename>/etc/shorewall/accounting</filename></filename>. By
     default, the accounting rules are placed in a chain called

docs/Actions.xml

@@ -131,9 +131,9 @@ ACCEPT   -              -               tcp     135,139,445
 
     <para>Shorewall allows the association of a <firstterm>default
     action</firstterm> with policies. A separate default action may be
-    associated with ACCEPT, DROP, REJECT, QUEUE and NFQUEUE policies. Default
-    actions provide a way to invoke a set of common rules just before the
-    policy is enforced. Default actions accomplish two goals:</para>
+    associated with ACCEPT, DROP and REJECT policies. Default actions provide
+    a way to invoke a set of common rules just before the policy is enforced.
+    Default actions accomplish two goals:</para>
 
     <orderedlist>
       <listitem>
@@ -166,12 +166,12 @@ ACCEPT   -              -               tcp     135,139,445
     specifying a different action in the POLICY column of <filename><ulink
     url="manpages/shorewall-policy.html">/etc/shorewall/policy</ulink></filename>.</para>
 
-    <important>
+    <warning>
       <para>Entries in the DROP and REJECT default actions <emphasis
       role="bold">ARE NOT THE CAUSE OF CONNECTION PROBLEMS</emphasis>.
       Remember — default actions are only invoked immediately before the
       packet is going to be dropped or rejected anyway!!!</para>
-    </important>
+    </warning>
   </section>
 
   <section id="Defining">
@@ -219,7 +219,7 @@ ACCEPT   -              -               tcp     135,139,445
     <itemizedlist>
       <listitem>
         <para>TARGET - Must be ACCEPT, DROP, REJECT, LOG, CONTINUE, QUEUE or
-        an &lt;<emphasis>action</emphasis>&gt; where
+        &lt;<emphasis>action</emphasis>&gt; where
         &lt;<emphasis>action</emphasis>&gt; is a previously-defined action
         (that is, it must precede the action being defined in this file in
         your <filename>/etc/shorewall/actions</filename> file). These actions
@@ -257,6 +257,10 @@ ACCEPT   -              -               tcp     135,139,445
       <listitem>
         <para>DEST - Location of Server. Same as above with the exception that
         MAC addresses are not allowed.</para>
+
+        <para>Unlike in the SOURCE column, you may specify a range of up to
+        256 IP addresses using the syntax &lt;<emphasis>first
+        ip</emphasis>&gt;-&lt;<emphasis>last ip</emphasis>&gt;.</para>
       </listitem>
 
       <listitem>
@@ -277,6 +281,23 @@ ACCEPT   -              -               tcp     135,139,445
         <para>This column is ignored if PROTO = <quote>all</quote>, but must
         be entered if any of the following fields are supplied. In that case,
         it is suggested that this field contain <quote>-</quote>.</para>
+
+        <para>If your kernel contains multi-port match support, then only a
+        single Netfilter rule will be generated if in this list and in the
+        CLIENT PORT(S) list below:</para>
+
+        <orderedlist>
+          <listitem>
+            <para>There are 15 or less ports listed.</para>
+          </listitem>
+
+          <listitem>
+            <para>No port ranges are included.</para>
+          </listitem>
+        </orderedlist>
+
+        <para>Otherwise, a separate rule will be generated for each
+        port.</para>
       </listitem>
 
       <listitem>
@@ -287,6 +308,23 @@ ACCEPT   -              -               tcp     135,139,445
         <para>If you don't want to restrict client ports but need to specify
         any of the subsequent fields, then place <quote>-</quote> in this
         column.</para>
+
+        <para>If your kernel contains multi-port match support, then only a
+        single Netfilter rule will be generated if in this list and in the
+        DEST PORT(S) list above:</para>
+
+        <orderedlist>
+          <listitem>
+            <para>There are 15 or less ports listed.</para>
+          </listitem>
+
+          <listitem>
+            <para>No port ranges are included.</para>
+          </listitem>
+        </orderedlist>
+
+        <para>Otherwise, a separate rule will be generated for each
+        port.</para>
       </listitem>
 
       <listitem>
@@ -503,13 +541,8 @@ bar:debug</programlisting>
 
       <para>/etc/shorewall/action.DropBcasts<programlisting># This file is empty</programlisting>/etc/shorewall/DropBcasts<programlisting>use Shorewall::Chains;
 
-if ( $level ne '' ) {
-    log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
-    log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ';
-}
-
-add_rule $chainref, '-m addrtype --dst-type BROADCAST -j DROP';
-add_rule $chainref, '-d 224.0.0.0/4 -j DROP';
+log_rule_limit( $level, $chainref, 'DropBcasts', 'DROP', '', $tag, 'add', '' ) if $level ne ''; 
+add_rule( $chainref, '-m pkttype --pkttype broadcast -j DROP' );
 
 1;</programlisting></para>
     </example>

docs/Build.xml

@@ -87,6 +87,13 @@
         role="bold">branches</emphasis>.</para>
       </section>
 
+      <section>
+        <title>trunk/web</title>
+
+        <para>The files from the web site that are maintained in HTML format.
+        are kept in this directory.</para>
+      </section>
+
       <section>
         <title>trunk/manpages, trunk/manpages6, trunk/manpages-lite and
         trunk/manpages6-lite</title>
@@ -95,38 +102,31 @@
         the release cycle, these documents may also apply to the current
         stable version.</para>
       </section>
-    </section>
 
-    <section>
-      <title>tools</title>
+      <section>
+        <title>trunk/tools</title>
 
-      <para>This is where the release and build tools are kept. There are two
-      subordinate directories:</para>
+        <para>This is where the release and build tools are kept. There are
+        two subordinate directories:</para>
 
-      <variablelist>
-        <varlistentry>
-          <term>trunk/tools/build</term>
+        <variablelist>
+          <varlistentry>
+            <term>trunk/tools/build</term>
 
-          <listitem>
-            <para>Tools for building and uploading new releases.</para>
-          </listitem>
-        </varlistentry>
+            <listitem>
+              <para>Tools for building and uploading new releases.</para>
+            </listitem>
+          </varlistentry>
 
-        <varlistentry>
-          <term>trunk/tools/web</term>
+          <varlistentry>
+            <term>trunk/tools/web</term>
 
-          <listitem>
-            <para>Tools for publishing web content</para>
-          </listitem>
-        </varlistentry>
-      </variablelist>
-    </section>
-
-    <section>
-      <title>web</title>
-
-      <para>The files from the web site that are maintained in HTML format.
-      are kept in this directory.</para>
+            <listitem>
+              <para>Tools for publishing web content.</para>
+            </listitem>
+          </varlistentry>
+        </variablelist>
+      </section>
     </section>
   </section>
 

docs/Documentation_Index.xml

@@ -155,8 +155,8 @@
             <entry><ulink url="Multiple_Zones.html">Multiple Zones Through One
             Interface</ulink></entry>
 
-            <entry><ulink url="configuration_file_basics.htm">Tips and
-            Hints</ulink></entry>
+            <entry><ulink url="Accounting.html">Traffic
+            Accounting</ulink></entry>
           </row>
 
           <row>
@@ -166,8 +166,8 @@
             <entry><ulink url="MyNetwork.html">My Shorewall
             Configuration</ulink></entry>
 
-            <entry><ulink url="Accounting.html">Traffic
-            Accounting</ulink></entry>
+            <entry><ulink url="simple_traffic_shaping.html">Traffic
+            Shaping/QOS - Simple </ulink></entry>
           </row>
 
           <row>
@@ -177,8 +177,9 @@
             <entry><ulink url="NetfilterOverview.html">Netfilter
             Overview</ulink></entry>
 
-            <entry> <ulink url="simple_traffic_shaping.html">Traffic
-            Shaping/QOS - Simple</ulink></entry>
+            <entry><ulink url="traffic_shaping.htm">Traffic Shaping/QOS -
+            Complex</ulink> (<ulink
+            url="traffic_shaping_ru.html">Russian</ulink>)</entry>
           </row>
 
           <row>
@@ -187,9 +188,8 @@
 
             <entry><ulink url="netmap.html">Network Mapping</ulink></entry>
 
-            <entry><ulink url="traffic_shaping.htm">Traffic Shaping/QOS -
-            Complex</ulink> (<ulink
-            url="traffic_shaping_ru.html">Russian</ulink>)</entry>
+            <entry><ulink url="Shorewall_Squid_Usage.html">Transparent
+            Proxy</ulink></entry>
           </row>
 
           <row>
@@ -199,8 +199,7 @@
             <entry><ulink url="NAT.htm">One-to-one NAT</ulink> (Static
             NAT)</entry>
 
-            <entry><ulink url="Shorewall_Squid_Usage.html">Transparent
-            Proxy</ulink></entry>
+            <entry><ulink url="UPnP.html">UPnP</ulink></entry>
           </row>
 
           <row>
@@ -209,7 +208,8 @@
             <entry><ulink url="Multiple_Zones.html"><ulink
             url="OPENVPN.html">OpenVPN</ulink></ulink></entry>
 
-            <entry><ulink url="UPnP.html">UPnP</ulink></entry>
+            <entry><ulink url="upgrade_issues.htm">Upgrade
+            Issues</ulink></entry>
           </row>
 
           <row>
@@ -219,8 +219,8 @@
 
             <entry><ulink url="OpenVZ.html">OpenVZ</ulink></entry>
 
-            <entry><ulink url="upgrade_issues.htm">Upgrade
-            Issues</ulink></entry>
+            <entry><ulink url="LennyToSqueeze.html">Upgrading to Shorewall 4.4
+            (Upgrading Debian Lenny to Squeeze)</ulink></entry>
           </row>
 
           <row>
@@ -229,8 +229,7 @@
             <entry><ulink url="starting_and_stopping_shorewall.htm">Operating
             Shorewall</ulink></entry>
 
-            <entry><ulink url="LennyToSqueeze.html">Upgrading to Shorewall 4.4
-            (Upgrading Debian Lenny to Squeeze)</ulink></entry>
+            <entry><ulink url="VPNBasics.html">VPN</ulink></entry>
           </row>
 
           <row>
@@ -240,7 +239,7 @@
             <entry><ulink url="PacketMarking.html">Packet
             Marking</ulink></entry>
 
-            <entry><ulink url="VPNBasics.html">VPN</ulink></entry>
+            <entry><ulink url="VPN.htm">VPN Passthrough</ulink></entry>
           </row>
 
           <row>
@@ -251,7 +250,8 @@
             <entry><ulink url="PacketHandling.html">Packet Processing in a
             Shorewall-based Firewall</ulink></entry>
 
-            <entry><ulink url="VPN.htm">VPN Passthrough</ulink></entry>
+            <entry><ulink url="whitelisting_under_shorewall.htm">White List
+            Creation</ulink></entry>
           </row>
 
           <row>
@@ -260,8 +260,8 @@
 
             <entry><ulink url="ping.html">'Ping' Management</ulink></entry>
 
-            <entry><ulink url="whitelisting_under_shorewall.htm">White List
-            Creation</ulink></entry>
+            <entry><ulink url="XenMyWay.html">Xen - Shorewall in a Bridged Xen
+            DomU</ulink></entry>
           </row>
 
           <row>
@@ -270,8 +270,8 @@
             <entry><ulink url="two-interface.htm#DNAT">Port
             Forwarding</ulink></entry>
 
-            <entry><ulink url="XenMyWay.html">Xen - Shorewall in a Bridged Xen
-            DomU</ulink></entry>
+            <entry><ulink url="XenMyWay-Routed.html">Xen - Shorewall in Routed
+            Xen Dom0</ulink></entry>
           </row>
 
           <row>
@@ -280,8 +280,7 @@
 
             <entry><ulink url="ports.htm">Port Information</ulink></entry>
 
-            <entry><ulink url="XenMyWay-Routed.html">Xen - Shorewall in Routed
-            Xen Dom0</ulink></entry>
+            <entry></entry>
           </row>
 
           <row>

docs/Dynamic.xml

@@ -96,10 +96,6 @@
         <para>run 'make'</para>
       </listitem>
 
-      <listitem>
-        <para>as root, run 'make install'</para>
-      </listitem>
-
       <listitem>
         <para>Your new iptables binary will now be installed in
         /usr/local/sbin. Modify shorewall.conf to specify

docs/FAQ.xml

@@ -5,7 +5,7 @@
   <!--$Id$-->
 
   <articleinfo>
-    <title>Shorewall FAQs</title>
+    <title>Shorewall 4.4/4.5 FAQs</title>
 
     <authorgroup>
       <corpauthor>Shorewall Community</corpauthor>
@@ -20,7 +20,7 @@
     <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
 
     <copyright>
-      <year>2001-2009</year>
+      <year>2001-2010</year>
 
       <holder>Thomas M. Eastep</holder>
     </copyright>
@@ -2007,8 +2007,8 @@ iptables: Invalid argument
       which requires them to be up and configured when Shorewall starts but
       Shorewall is being started before NetworkManager.</title>
 
-      <para>Answer: I faced a similar problem which I solved as
-      follows:</para>
+      <para><emphasis role="bold">Answer</emphasis>: I faced a similar problem
+      which I solved as follows:</para>
 
       <itemizedlist>
         <listitem>
@@ -2043,7 +2043,7 @@ shorewall status &gt; /dev/null 2&gt;&amp;1 || shorewall start # Start Shorewall
       settings become part of the shell's environment and are inherited by the
       running script. The shell does not process
       <filename>/etc/shorewall/params</filename> when processing the <emphasis
-      role="bold">restore</emphasis> command.</para>
+      role="bold">restore</emphasis> command. </para>
     </section>
   </section>
 
@@ -2349,57 +2349,17 @@ etc...</programlisting>
       but I can hear them. If I plug the Asterisk server directly into the
       router, bypassing the firewall, the problem goes away.</para>
 
-      <para><emphasis role="bold">Answer:</emphasis> There are two things to
-      try when VOIP problems are encountered. Both begin with executing two
-      <command>rmmod</command> commands.</para>
-
-      <para>If your kernel version is 2.6.20 or earlier:<programlisting>rmmod ip_nat_sip
-rmmod ip_conntrack_sip</programlisting>If your kernel version is 2.6.21 or
-      later:<programlisting>rmmod nf_nat_sip
-rmmod nf_conntrack_sip</programlisting></para>
-
-      <para>The first alternative seems to work for those running recent
-      kernels (2.6.26 or later):</para>
-
-      <orderedlist>
-        <listitem>
-          <para>Copy <filename>/usr/share/shorewall/module</filename>s to
-          <filename class="directory">/etc/shorewall</filename>.</para>
-        </listitem>
-
-        <listitem>
-          <para>Edit the copy and change this line:</para>
-
-          <blockquote>
-            <para>loadmodule nf_conntrack_sip</para>
-          </blockquote>
-
-          <para>to</para>
-
-          <blockquote>
-            <para>loadmodule nf_conntrack_sip sip_direct_media=0</para>
-          </blockquote>
-        </listitem>
-
-        <listitem>
-          <para><command>shorewall restart</command></para>
-        </listitem>
-      </orderedlist>
-
-      <para>The second alternative is to not load the sip helpers:</para>
-
-      <itemizedlist>
-        <listitem>
-          <para>If you are running kernel 2.6.20 or earlier, then change the
-          DONT_LOAD specification in your shorewall.conf to:<programlisting>DONT_LOAD=ip_nat_sip,ip_conntrack_sip</programlisting></para>
-        </listitem>
-
-        <listitem>
-          <para>If you are running kernel 2.6.21 or later, then change Then
-          change the DONT_LOAD specification in your shorewall.conf
-          to:<programlisting>DONT_LOAD=nf_nat_sip,nf_conntrack_sip</programlisting></para>
-        </listitem>
-      </itemizedlist>
+      <para><emphasis role="bold">Answer (requires Shorewall 4.0.6 or
+      later):</emphasis> If your kernel version is 2.6.20 or
+      earlier:<programlisting>rmmod ip_nat_sip
+rmmod ip_conntrack_sip</programlisting>Then change the DONT_LOAD specification
+      in your shorewall.conf to:<programlisting>DONT_LOAD=ip_nat_sip,ip_conntrack_sip</programlisting>If
+      your kernel version is 2.6.21 or later:<programlisting>rmmod nf_nat_sip
+rmmod nf_conntrack_sip</programlisting>Then change the DONT_LOAD specification
+      in your shorewall.conf to:<programlisting>DONT_LOAD=nf_nat_sip,nf_conntrack_sip</programlisting>If
+      you are running a version of Shorewall earlier than 4.0.6, you can avoid
+      loading the sip helper modules by following the suggestions in <link
+      linkend="faq59">FAQ 59</link>.</para>
     </section>
   </section>
 
@@ -2675,16 +2635,5 @@ loc                $FW                     ACCEPT           </programlisting>
       loc-&gt;$FW since those rules are redundant with the above
       policies.</para>
     </section>
-
-    <section id="faq88">
-      <title>(FAQ 88) Can I run Snort with Shorewall?</title>
-
-      <para><emphasis role="bold">Answer</emphasis>: Yes. In <emphasis>Network
-      Intrusion Detection System (NIDS) mode</emphasis>, Snort is libpcap
-      based (like tcpdump) so it doesn't interfere with Shorewall. We have had
-      reports that users have also been successful in using Snort in
-      <emphasis>inline</emphasis> more with Shorewall, but no HOWTO exists at
-      this time.</para>
-    </section>
   </section>
 </article>

docs/Manpages.xml

@@ -24,6 +24,8 @@
 
       <year>2009</year>
 
+      <year>2010</year>
+
       <holder>Thomas M. Eastep</holder>
     </copyright>
 

docs/Manpages6.xml

@@ -24,6 +24,8 @@
 
       <year>2009</year>
 
+      <year>2010</year>
+
       <holder>Thomas M. Eastep</holder>
     </copyright>
 

docs/ManualChains.xml

@@ -72,6 +72,32 @@
         for normal processing.</para>
       </listitem>
     </itemizedlist>
+
+    <para>As shown in the following example, manual chains are created using a
+    call to &amp;Shorewall::Chains::new_manual_chain. That function returns a
+    reference to the newly-created chain.</para>
+
+    <para>By default, chains are subject to optimize 4 (see OPTIMIZE in <ulink
+    url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5)). You can
+    exempt your chain from that optimization by calling one of two
+    functions:</para>
+
+    <itemizedlist>
+      <listitem>
+        <para>&amp;Shorewall::Chains::dont_delete - exempt the chain from all
+        optimizations.</para>
+      </listitem>
+
+      <listitem>
+        <para>&amp;Shorewall::Chains::dont_optimize - exempt the chain from
+        all optimizations except that the chain will be omitted from the
+        configuration if there are no branches to the chain.</para>
+      </listitem>
+    </itemizedlist>
+
+    <para>Both functions accept the name of the chain or a reference to the
+    chain as a single argument and both return a reference to the chain (to
+    the chain's table entry).</para>
   </section>
 
   <section id="Example">

docs/MultiISP.xml

@@ -28,6 +28,8 @@
 
       <year>2009</year>
 
+      <year>2010</year>
+
       <holder>Thomas M. Eastep</holder>
     </copyright>
 
@@ -252,6 +254,34 @@
                     url="manpages/shorewall.conf.html">shorewall.conf
                     </ulink>(5) and use mark values in the range 0x10000 -
                     0xFF0000 with the low-order 16 bits being zero.</para>
+
+                    <note>
+                      <para>In Shorewall 4.5.0, WIDE_TC_MARKS and
+                      HIGH_ROUTE_MARKS were superseded by a new set of options
+                      in <ulink
+                      url="manpages/shorewall.conf.html">shorewall.conf</ulink>(5):</para>
+
+                      <itemizedlist>
+                        <listitem>
+                          <para>TC_BITS - The number of bits occupied by the
+                          traffic shaping classification mark.</para>
+                        </listitem>
+
+                        <listitem>
+                          <para>PROVIDER_BITS - The number of bits occupied by
+                          the Provider mark value.</para>
+                        </listitem>
+
+                        <listitem>
+                          <para>PROVIDER_OFFSET - The number of bits to the
+                          right of the provider field.</para>
+                        </listitem>
+                      </itemizedlist>
+
+                      <para>The default values for these options are based on
+                      the settings of HIGH_ROUTE_MARKS and WIDE_TC_MARKS to
+                      provide upward compatability.</para>
+                    </note>
                   </listitem>
                 </itemizedlist>
               </listitem>

docs/Shorewall_Squid_Usage.xml

@@ -289,11 +289,12 @@ ACCEPT    $FW      net    tcp      80,443</programlisting></para>
   <section id="TPROXY">
     <title>Transparent with TPROXY</title>
 
-    <para>Shorewall 4.4.7 contains support for TPROXY. TPROXY differs from
-    REDIRECT in that it does not modify the IP header. Because the IP header
-    stays intact, TPROXY requires policy routing to direct the packets to the
-    proxy server running on the firewall. This approach requires TPROXY
-    support in your kernel and iptables and Squid 3. See <ulink
+    <para>Shorewall 4.5.3 contains experimental support for TPROXY. TPROXY
+    differs from REDIRECT in that it does not modify the IP header. Because
+    the IP header stays intact, TPROXY requires policy routing to direct the
+    packets to the proxy server running on the firewall. This approach
+    requires TPROXY support in your kernel and iptables and Squid 3. See
+    <ulink
     url="http://wiki.squid-cache.org/Features/Tproxy4">http://wiki.squid-cache.org/Features/Tproxy4</ulink>.</para>
 
     <para>The following configuration works with Squid running on the firewall

docs/Shorewall_and_Aliased_Interfaces.xml

@@ -64,13 +64,12 @@ eth0:0    Link encap:Ethernet  HWaddr 02:00:08:3:FA:55
     </example>
 
     <para>The ifconfig utility is being gradually phased out in favor of the
-    <firstterm>ip</firstterm> utility which is part of the
-    <emphasis>iproute</emphasis> package. The ip utility does not use the
-    concept of aliases or virtual interfaces but rather treats additional
-    addresses on an interface as objects in their own right. The ip utility
-    does provide for interaction with ifconfig in that it allows addresses to
-    be <emphasis>labeled</emphasis> where these labels take the form of
-    ipconfig virtual interfaces.</para>
+    ip utility which is part of the <emphasis>iproute</emphasis> package. The
+    ip utility does not use the concept of aliases or virtual interfaces but
+    rather treats additional addresses on an interface as objects in their own
+    right. The ip utility does provide for interaction with ifconfig in that
+    it allows addresses to be <emphasis>labeled</emphasis> where these labels
+    take the form of ipconfig virtual interfaces.</para>
 
     <example id="ip">
       <title>ip</title>
@@ -151,11 +150,6 @@ iface eth0 inet static
     In the sub-sections that follow, we'll take a look at common
     scenarios.</para>
 
-    <note>
-      <para>The examples in the following sub-sections assume that the local
-      network is 192.168.1.0/24.</para>
-    </note>
-
     <section id="Rules">
       <title>Separate Rules</title>
 
@@ -192,7 +186,7 @@ DNAT      net        loc:192.168.1.3      tcp        80             -         20
       <filename>/etc/shorewall/masq</filename>:</para>
 
       <programlisting>#INTERFACE             SUBNET          ADDRESS
-eth0                   192.168.1.0/24  206.124.146.178</programlisting>
+eth0                   eth1            206.124.146.178</programlisting>
 
       <para>Shorewall can create the alias (additional address) for you if you
       set ADD_SNAT_ALIASES=Yes in
@@ -210,15 +204,16 @@ eth0                   192.168.1.0/24  206.124.146.178</programlisting>
       the INTERFACE column as follows.</para>
 
       <para><filename>/etc/shorewall/masq</filename><programlisting>#INTERFACE              SUBNET         ADDRESS
-eth0:0                  192.168.1.0/24 206.124.146.178</programlisting>Shorewall
-      can also set up SNAT to round-robin over a range of IP addresses. To do
-      that, you specify a range of IP addresses in the ADDRESS column. If you
-      specify a label in the INTERFACE column, Shorewall will use that label
-      for the first address of the range and will increment the label by one
-      for each subsequent label.</para>
+eth0:0                  eth1           206.124.146.178</programlisting></para>
+
+      <para>Shorewall can also set up SNAT to round-robin over a range of IP
+      addresses. To do that, you specify a range of IP addresses in the
+      ADDRESS column. If you specify a label in the INTERFACE column,
+      Shorewall will use that label for the first address of the range and
+      will increment the label by one for each subsequent label.</para>
 
       <para><filename>/etc/shorewall/masq</filename><programlisting>#INTERFACE               SUBNET         ADDRESS
-eth0:0                   192.168.1.0/24 206.124.146.178-206.124.146.180</programlisting></para>
+eth0:0                   eth1           206.124.146.178-206.124.146.180</programlisting></para>
 
       <para>The above would create three IP addresses:</para>
 

docs/UPnP.xml

@@ -20,6 +20,8 @@
     <copyright>
       <year>2005</year>
 
+      <year>2010</year>
+
       <holder>Thomas M. Eastep</holder>
     </copyright>
 
@@ -101,21 +103,9 @@ net     eth1            detect          dhcp,routefilter,tcpflags,<emphasis
     <para>If your fw-&gt;loc policy is not ACCEPT then you need this
     rule:</para>
 
-    <programlisting>#ACTION            SOURCE  DEST
-allowoutUPnP       $FW     loc</programlisting>
-
-    <note>
-      <para>To use 'allowoutUPnP', your iptables and kernel must support the
-      'owner match' feature (see the output of "shorewall show capabilities")
-      and you may not be running kernel version 2.6.14 or later. If you are
-      running 2.6.14 or later, then replace the above rule with:</para>
-    </note>
-
-    <blockquote>
-      <programlisting>#ACTION            SOURCE  DEST   PROTO     DEST PORT(S)     SOURCE     ORIGINAL     RATE     USER/
+    <programlisting>#ACTION            SOURCE  DEST   PROTO     DEST PORT(S)     SOURCE     ORIGINAL     RATE     USER/
 #                                                            PORT(S)    DESTINATION  LIMIT    GROUP
 ACCEPT             $FW     loc    all       -                -          -            -        root</programlisting>
-    </blockquote>
 
     <para>If your loc-&gt;fw policy is not ACCEPT then you need this
     rule:</para>
@@ -152,6 +142,6 @@ forwardUPnP        net     loc</programlisting>
     <para>The <emphasis role="bold">upnpclient</emphasis> option causes
     Shorewall to detect the default gateway through the interface and to
     accept UDP packets from that gateway. Note that, like all aspects of UPnP,
-    this is a security hole so use this option at your own risk. </para>
+    this is a security hole so use this option at your own risk.</para>
   </section>
 </article>

docs/blacklisting_support.xml

@@ -156,13 +156,14 @@ ipset -B Blacklist 206.124.146.177 -b SMTP</programlisting>
   <section id="Dynamic">
     <title>Dynamic Blacklisting</title>
 
-    <para>Beginning with Shorewall 4.4.7, dynamic blacklisting is enabled by
-    setting DYNAMIC_BLACKLIST=Yes in <filename>shorewall.conf</filename>.
-    Prior to that release, the feature is always enabled.</para>
+    <para>Dynamic blacklisting is enabled unconditionally in Shorewall
+    versions prior to 4.5.0. Beginning with 4.5.0, dynamic blacklisting is
+    enabled by default but may be disabled by setting DYNAMIC_BLACKLIST=No in
+    <ulink url="manpages/shorewall.conf.html">shorewall.conf</ulink>
+    (5).</para>
 
-    <para>Once enabled, dynamic blacklisting doesn't use any configuration
-    parameters but is rather controlled using /sbin/shorewall[-lite]
-    commands:</para>
+    <para>Dynamic blacklisting doesn't use any configuration parameters but is
+    rather controlled using /sbin/shorewall[-lite] commands:</para>
 
     <itemizedlist>
       <listitem>

docs/bridge-Shorewall-perl.xml

@@ -22,6 +22,8 @@
 
       <year>2009</year>
 
+      <year>2010</year>
+
       <holder>Thomas M. Eastep</holder>
     </copyright>
 
@@ -62,8 +64,8 @@
 
       <listitem>
         <para>As a consequence of the first difference, routers can be
-        connected to more than one IP network while a bridge/firewall may be
-        part of only a single network (see below).</para>
+        connected to more than one IP network while a bridge may be part of
+        only a single network.</para>
       </listitem>
 
       <listitem>
@@ -101,7 +103,8 @@
 
       <listitem>
         <para>Your kernel must contain Netfilter physdev match support
-        (CONFIG_IP_NF_MATCH_PHYSDEV=m or CONFIG_IP_NF_MATCH_PHYSDEV=y).
+        (CONFIG_IP_NF_MATCH_PHYSDEV=m or CONFIG_IP_NF_MATCH_PHYSDEV=y --
+        recent kernels call this option CONFIG_NETFILTER_XT_MATCH_PHYSDEV).
         Physdev match is standard in the 2.6 kernel series but must be patched
         into the 2.4 kernels (see <ulink
         url="http://bridge.sf.net">http://bridge.sf.net</ulink>). Bering and

docs/configuration_file_basics.xml

@@ -5,7 +5,7 @@
   <!--$Id$-->
 
   <articleinfo>
-    <title>Configuration Files Tips and Tricks</title>
+    <title>Configuration Files</title>
 
     <authorgroup>
       <author>
@@ -18,7 +18,7 @@
     <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
 
     <copyright>
-      <year>2001-2008</year>
+      <year>2001-2010</year>
 
       <holder>Thomas M. Eastep</holder>
     </copyright>
@@ -222,14 +222,7 @@
 
         <listitem>
           <para><filename>/usr/share/modules</filename> — Specifies the kernel
-          modules to be loaded during shorewall start/restart.</para>
-        </listitem>
-
-        <listitem>
-          <para><filename>/usr/share/helpers</filename> — Added in Shorewall
-          4.4.7. Specifies the kernel modules to be loaded during shorewall
-          start/restart when LOAD_HELPERS_ONLY=Yes in
-          <filename>shorewall.conf</filename>.</para>
+          modules to be loaded during shorewall start/restart . .</para>
         </listitem>
       </itemizedlist></para>
 
@@ -1246,6 +1239,241 @@ Comcast 2        0x20000 main       COM_IF     detect          balance
     class="devicefile">tun*</filename> in the COPY column.</para>
   </section>
 
+  <section id="Marks">
+    <title>Packet/Connection Marks</title>
+
+    <para>Shorewall makes use of Netfilter Packet/Connection Marks in two
+    ways:</para>
+
+    <orderedlist>
+      <listitem>
+        <para>For <ulink url="traffic_shaping.htm">traffic
+        shaping</ulink>.</para>
+      </listitem>
+
+      <listitem>
+        <para>For <ulink url="MultiISP.html">policy routing</ulink> (Multi-ISP
+        support).</para>
+      </listitem>
+    </orderedlist>
+
+    <para>The use of marks for traffic shaping classification is optional.
+    Traffic shaping classes may be defined with the <emphasis
+    role="bold">classify</emphasis> option which avoids the need to assign a
+    mark value to the class. The assignment of a unique mark value to each
+    <firstterm>provider</firstterm> is required in most Multi-ISP
+    configurations.</para>
+
+    <para>Traffic shaping was implemented before policy routing. Traffic
+    shaping packet and connection marks were initially limited to the values
+    1-255.</para>
+
+    <para>When Multi-ISP support was added, packet marks assigned to providers
+    were also restricted to the range 1-255. This worked because the provider
+    mark is assigned in the <ulink url="NetfilterOverview.html">PREROUTING and
+    OUTPUT chains and is only needed until the packet is routed</ulink>.
+    Traffic shaping marks can then be assigned in the FORWARD or POSTROUTING
+    chains.</para>
+
+    <para>The <emphasis role="bold">track</emphasis> provider option requires
+    that the provider's mark be stored in the connection mark. So if <emphasis
+    role="bold">track</emphasis> was used, the user could not store the
+    traffic shaping mark in the connection because it would overwrite the
+    provider mark. To solve this problem, the HIGH_ROUTE_MARK option was added
+    to <ulink url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5).
+    With HIGH_ROUTE_MARKS=Yes, the traffic shaping mark remained in the
+    low-order byte of the mark value while the traffic-shaping mark value was
+    stored in the next byte.</para>
+
+    <para>In the introduction of per-IP traffic-shaping classes Shorewall 4.4,
+    there was a need for more than 255 distinct mark-based traffic shaping
+    classes. To accomodate that need, the WIDE_TC_MARKS option was introduced.
+    With WIDE_TC_MARKS=Yes, the provider mark is moved left one additional
+    byte in the mark and the traffic-shaping mark is widened to 14 bits. The
+    two bits between the traffic-shaping mark and provider mark are
+    unused.</para>
+
+    <para>Netfilter marks are only 32 bits wide, even on 64-bit architectures.
+    So with WIDE_TC_MARKS=Yes and HIGH_ROUTE_MARKS=Yes, 22 of the 32 bits are
+    used and allocating bits for additional uses becomes difficult. To address
+    that issue, Shorewall 4.5 introduced the notion of
+    <firstterm>variable-width mark fields</firstterm>.</para>
+
+    <para>Variable-width marks are controlled by four options in <ulink
+    url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5):</para>
+
+    <variablelist>
+      <varlistentry>
+        <term>TC_BITS</term>
+
+        <listitem>
+          <para>Number of bits reserved at the low-order end of of the mark
+          for traffic classification. May be zero (0) if traffic shaping marks
+          are not used.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>MASK_BITS</term>
+
+        <listitem>
+          <para>Number of 1 bits in the default mask when specifying a test on
+          the packet or connection mark. These tests appear in the TEST column
+          of <ulink
+          url="manpages/shorewall-tcrules.html">shorewall-tcrules</ulink> (5)
+          and in the MARK columns of <ulink
+          url="manpages/shorewall-accounting.html">shorewall-accounting</ulink>
+          (5), <ulink
+          url="manpages/shorewall-masq.html">shorewall-masq</ulink> (5) and
+          <ulink url="manpages/shorewall-tos.html">shorewall-tos</ulink>
+          (5).</para>
+
+          <para>The bits defined by the default mask are also retained after a
+          packet is routed. The remaining bits are cleared.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>PROVIDER_BITS</term>
+
+        <listitem>
+          <para>Number of bits reserved in the mark for provider marks. May be
+          zero if policy routing is not used.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>PROVIDER_OFFSET</term>
+
+        <listitem>
+          <para>The offset, in bits, of the provider mark value from the
+          low-order end of the mark. If zero, the provider mark and traffic
+          shaping mark occupy the same part of the mark.</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+
+    <para>To make the transition to variable-width marks as transparent as
+    possible, the default values of the new options are derived from the
+    settings of the old ones.</para>
+
+    <table>
+      <title>Default Values of Variable-width Mark Field Options</title>
+
+      <tgroup cols="6">
+        <tbody>
+          <row>
+            <entry><emphasis role="bold">HIGH_ROUTE_MARKS</emphasis></entry>
+
+            <entry><emphasis role="bold">WIDE_TC_MARKS</emphasis></entry>
+
+            <entry><emphasis role="bold">TC_BITS</emphasis></entry>
+
+            <entry><emphasis role="bold">MASK_BITS</emphasis></entry>
+
+            <entry><emphasis role="bold">PROVIDER_BITS</emphasis></entry>
+
+            <entry><emphasis role="bold">PROVIDER_OFFSET</emphasis></entry>
+          </row>
+
+          <row>
+            <entry>No</entry>
+
+            <entry>No</entry>
+
+            <entry>8</entry>
+
+            <entry>8</entry>
+
+            <entry>8</entry>
+
+            <entry>0</entry>
+          </row>
+
+          <row>
+            <entry>Yes</entry>
+
+            <entry>No</entry>
+
+            <entry>8</entry>
+
+            <entry>8</entry>
+
+            <entry>8</entry>
+
+            <entry>8</entry>
+          </row>
+
+          <row>
+            <entry>No</entry>
+
+            <entry>Yes</entry>
+
+            <entry>14</entry>
+
+            <entry>16</entry>
+
+            <entry>8</entry>
+
+            <entry>0</entry>
+          </row>
+
+          <row>
+            <entry>Yes</entry>
+
+            <entry>Yes</entry>
+
+            <entry>14</entry>
+
+            <entry>16</entry>
+
+            <entry>8</entry>
+
+            <entry>16</entry>
+          </row>
+        </tbody>
+      </tgroup>
+    </table>
+
+    <para>These defaults may be overridden by explicitly setting the new
+    options.</para>
+
+    <para>There are a couple of restrictions regarding the setting of those
+    options.</para>
+
+    <itemizedlist>
+      <listitem>
+        <para>MASK_BITS must be greater than or equal to TC_BITS. Shorewall
+        will automatically adjust the value (given or defaulted) to meet this
+        requirment.</para>
+      </listitem>
+
+      <listitem>
+        <para>If PROVIDER_OFFSET is non-zero, then its value must be greater
+        than or equal to MASK_BITS. Shorewall will automatically adjust the
+        given value of PROVIDER_OFFSET to meet this requirement.</para>
+      </listitem>
+
+      <listitem>
+        <para>The sum of PROVIDER_BITS and PROVIDER_OFFSET (adjusted) must be
+        less than or equal to 32.</para>
+      </listitem>
+    </itemizedlist>
+
+    <para>Under verbosity levels 1 and 2 (see VERBOSITY in <ulink
+    url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5)), the
+    compiler reports on the effect of the settings.</para>
+
+    <para>Example (with HIGH_ROUTE_MARKS=Yes and WIDE_TC_MARKS=Yes and the new
+    options left at their default values):</para>
+
+    <programlisting>        ******** Packet/Connection Mark Information ********
+        TC Mark Values       = 1 - 16383 (0x3fff)
+        Default Mask         = /0xffff
+        Provider Mark Values = 0x10000 - 0xff0000
+        ****************************************************</programlisting>
+  </section>
+
   <section id="Levels">
     <title>Shorewall Configurations</title>
 

docs/shorewall_extension_scripts.xml

@@ -124,9 +124,9 @@
       </listitem>
 
       <listitem>
-        <para><filename>refresh</filename> -- called in place of
-        <filename>init</filename> when the firewall is being refreshed rather
-        than started or restarted.</para>
+        <para><filename>refresh</filename> -- invoked while the firewall is
+        being refreshed but before the blacklst chains have been
+        rebuilt.</para>
       </listitem>
 
       <listitem>

docs/simple_traffic_shaping.xml

@@ -44,7 +44,7 @@
     <firstterm>tc4shorewall</firstterm> and is generally felt to be complex
     and difficult to use.</para>
 
-    <para>In Shorewall 4.4.6, a second traffic shaping facility that is simple
+    <para>In Shorewall 4.5.0, a second traffic shaping facility that is simple
     to understand and to configure was introduced. This newer facility is
     described in this document while the original facility is documented in
     <ulink url="traffic_shaping.htm">Complex Traffic
@@ -65,26 +65,6 @@
     <programlisting>#INTERFACE             TYPE          IN-BANDWIDTH
 eth0                   External</programlisting>
 
-    <note>
-      <para>If you experience an error such as the following during
-      <command>shorewall start</command> or <command>shorewall
-      restart</command>, your kernel and iproute do not support the <emphasis
-      role="bold">flow</emphasis> classifier. In that case, you must leave the
-      TYPE column empty (or specify '-').</para>
-
-      <programlisting>Unknown filter "flow", hence option "hash" is unparsable
-   ERROR: Command "tc filter add dev eth0 protocol all prio 1 parent 11: handle 11 flow hash keys nfct-src divisor 1024" Failed</programlisting>
-
-      <para>RHEL5-based systems such as <trademark>CentOS</trademark> 5 and
-      <trademark>Foobar</trademark> 5 are known to experience this
-      error.</para>
-
-      <para><emphasis role="bold">Update</emphasis>: Beginning with Shorewall
-      4.4.7, Shorewall can determine that some environments, such as RHEL5 and
-      derivatives, are incapable of using the TYPE parameter and simply ignore
-      it.</para>
-    </note>
-
     <para>With this simple configuration, packets to be sent through interface
     eth0 will be assigned to a priority band based on the value of their TOS
     field:</para>
@@ -195,10 +175,10 @@ eth0                   External</programlisting>
       </listitem>
     </orderedlist>
 
-    <para>It is suggested that entries specifying an INTERFACE be placed at
-    the top of the file. That way, the band assigned to a particular packet
-    will be the <emphasis role="bold">last</emphasis> entry matched by the
-    packet. Packets which match no entry in <ulink
+    <para>It is suggested that entries specifying an INTERFACE be placed the
+    top of the file. That way, the band assigned to a particular packet will
+    be the <emphasis role="bold">last</emphasis> entry matched by the packet.
+    Packets which match no entry in <ulink
     url="manpages/shorewall-tcpri.html">shorewall-tcpri</ulink>(5) are
     assigned to priority bands using their TOS field as previously
     described.</para>

docs/standalone.xml

@@ -487,37 +487,6 @@ root@lists:~# </programlisting>
     </important>
   </section>
 
-  <section id="Modules">
-    <title>Kernel Module Loading</title>
-
-    <para>Beginning in Shorewall 4.4.7,
-    <filename>/etc/shorewall/shorewall.conf</filename> contains a
-    LOAD_HELPERS_ONLY option which is set to <option>Yes</option> in the
-    samples. This causes Shorewall to attempt to load the modules listed in
-    <filename>/usr/share/shorewall/helpers</filename>. In addition, it sets
-    <emphasis role="bold">sip_direct_media=0</emphasis> when loading the
-    nf_conntrack_sip module. That setting is somewhat less secure than
-    <emphasis role="bold">sip_direct_media=1</emphasis>, but it generally
-    makes VOIP through the firewall work much better.</para>
-
-    <para>The modules in <filename>/usr/share/shorewall/helpers</filename> are
-    those that are not autoloaded. If your kernel does not support module
-    autoloading and you want Shorewall to attempt to load all netfilter
-    modules that it might require, then set LOAD_HELPERS_ONLY=No. That will
-    cause Shorewall to try to load the modules listed in
-    <filename>/usr/share/shorewall/modules</filename>. That file does not set
-    <emphasis role="bold">sip_direct_media=0</emphasis>.</para>
-
-    <para>If you need to modify either
-    <filename>/usr/share/shorewall/helpers</filename> or
-    <filename>/usr/share/shorewall/modules</filename> then copy the file to
-    <filename>/etc/shorewall</filename> and modify the copy.</para>
-
-    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
-
-    <para>Modify the setting of LOAD_HELPER_ONLY as necessary.</para>
-  </section>
-
   <section id="Open">
     <title>Enabling other Connections</title>
 

docs/three-interface.xml

@@ -755,37 +755,6 @@ root@lists:~# </programlisting>
     </important>
   </section>
 
-  <section id="Modules">
-    <title>Kernel Module Loading</title>
-
-    <para>Beginning in Shorewall 4.4.7,
-    <filename>/etc/shorewall/shorewall.conf</filename> contains a
-    LOAD_HELPERS_ONLY option which is set to <option>Yes</option> in the
-    samples. This causes Shorewall to attempt to load the modules listed in
-    <filename>/usr/share/shorewall/helpers</filename>. In addition, it sets
-    <emphasis role="bold">sip_direct_media=0</emphasis> when loading the
-    nf_conntrack_sip module. That setting is somewhat less secure than
-    <emphasis role="bold">sip_direct_media=1</emphasis>, but it generally
-    makes VOIP through the firewall work much better.</para>
-
-    <para>The modules in <filename>/usr/share/shorewall/helpers</filename> are
-    those that are not autoloaded. If your kernel does not support module
-    autoloading and you want Shorewall to attempt to load all netfilter
-    modules that it might require, then set LOAD_HELPERS_ONLY=No. That will
-    cause Shorewall to try to load the modules listed in
-    <filename>/usr/share/shorewall/modules</filename>. That file does not set
-    <emphasis role="bold">sip_direct_media=0</emphasis>.</para>
-
-    <para>If you need to modify either
-    <filename>/usr/share/shorewall/helpers</filename> or
-    <filename>/usr/share/shorewall/modules</filename> then copy the file to
-    <filename>/etc/shorewall</filename> and modify the copy.</para>
-
-    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
-
-    <para>Modify the setting of LOAD_HELPER_ONLY as necessary.</para>
-  </section>
-
   <section id="DNAT">
     <title>Port Forwarding (DNAT)</title>
 

docs/traffic_shaping.xml

@@ -24,7 +24,7 @@
     <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
 
     <copyright>
-      <year>2001-2009</year>
+      <year>2001-2010</year>
 
       <holder>Thomas M. Eastep</holder>
     </copyright>
@@ -93,7 +93,7 @@
   <section id="Intro">
     <title>Introduction</title>
 
-    <para>Beginning with Shorewall 4.4.6, Shorewall includes two separate
+    <para>Beginning with Shorewall 4.5.0, Shorewall includes two separate
     implementations of traffic shaping. This document describes the original
     implementation which is complex and difficult to configure. A much simpler
     version is described in <ulink role="bold"

docs/two-interface.xml

@@ -707,37 +707,6 @@ root@lists:~# </programlisting>
     </important>
   </section>
 
-  <section id="Modules">
-    <title>Kernel Module Loading</title>
-
-    <para>Beginning in Shorewall 4.4.7,
-    <filename>/etc/shorewall/shorewall.conf</filename> contains a
-    LOAD_HELPERS_ONLY option which is set to <option>Yes</option> in the
-    samples. This causes Shorewall to attempt to load the modules listed in
-    <filename>/usr/share/shorewall/helpers</filename>. In addition, it sets
-    <emphasis role="bold">sip_direct_media=0</emphasis> when loading the
-    nf_conntrack_sip module. That setting is somewhat less secure than
-    <emphasis role="bold">sip_direct_media=1</emphasis>, but it generally
-    makes VOIP through the firewall work much better.</para>
-
-    <para>The modules in <filename>/usr/share/shorewall/helpers</filename> are
-    those that are not autoloaded. If your kernel does not support module
-    autoloading and you want Shorewall to attempt to load all netfilter
-    modules that it might require, then set LOAD_HELPERS_ONLY=No. That will
-    cause Shorewall to try to load the modules listed in
-    <filename>/usr/share/shorewall/modules</filename>. That file does not set
-    <emphasis role="bold">sip_direct_media=0</emphasis>.</para>
-
-    <para>If you need to modify either
-    <filename>/usr/share/shorewall/helpers</filename> or
-    <filename>/usr/share/shorewall/modules</filename> then copy the file to
-    <filename>/etc/shorewall</filename> and modify the copy.</para>
-
-    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
-
-    <para>Modify the setting of LOAD_HELPER_ONLY as necessary.</para>
-  </section>
-
   <section id="DNAT">
     <title>Port Forwarding (DNAT)</title>
 

manpages/shorewall-accounting.xml

@@ -28,6 +28,9 @@
     their packet and byte counters using the <command>shorewall show
     accounting</command> command.</para>
 
+    <para>This file is not processed if ACCOUNTING=No in <ulink
+    url="shorewall.conf.html">shorewall.conf</ulink> (5).</para>
+
     <para>The columns in the file are as follows.</para>
 
     <variablelist>

manpages/shorewall-interfaces.xml

@@ -233,9 +233,7 @@ loc     eth2            -</programlisting>
               <term><emphasis role="bold">bridge</emphasis></term>
 
               <listitem>
-                <para>Designates the interface as a bridge. Beginning with
-                Shorewall 4.4.7, setting this option also sets
-                <option>routeback</option>.</para>
+                <para>Designates the interface as a bridge.</para>
               </listitem>
             </varlistentry>
 
@@ -501,7 +499,7 @@ loc     eth2            -</programlisting>
 
             <varlistentry>
               <term><emphasis
-              role="bold">routefilter[={0|1|2}]</emphasis></term>
+              role="bold">routefilter[={0|1}]</emphasis></term>
 
               <listitem>
                 <para>Turn on kernel route filtering for this interface
@@ -512,10 +510,7 @@ loc     eth2            -</programlisting>
                 changes; the value assigned to the setting will be the value
                 specified (if any) or 1 if no value is given.</para>
 
-                <para>The value 2 is only available with Shorewall 4.4.5.1 and
-                later when the kernel version is 2.6.31 or later. It specifies
-                a <firstterm>loose</firstterm> form of reverse path
-                filtering.</para>
+                <para></para>
 
                 <note>
                   <para>This option does not work with a wild-card

manpages/shorewall-masq.xml

@@ -32,10 +32,8 @@
     </warning>
 
     <warning>
-      <para>If you have more than one ISP link, adding entries to this file
-      will <emphasis role="bold">not</emphasis> force connections to go out
-      through a particular link. You must use entries in <ulink
-      url="shorewall-route_rules.html">shorewall-route_rules</ulink>(5) or
+      <para>If you have more than one ISP, adding entries to this file will
+      *not* force connections to go out through a particular ISP. You must use
       PREROUTING entries in <ulink
       url="shorewall-tcrules.html">shorewall-tcrules</ulink>(5) to do
       that.</para>
@@ -74,8 +72,8 @@
 
           <para>Where <ulink
           url="http://www.shorewall.net/4.4/MultiISP.html#Shared">more that
-          one internet provider share a single interface</ulink>, the provider
-          is specified by including the provider name or number in
+          one internet providers shares a single interface</ulink>, the
+          provider is specified by including the provider name or number in
           parentheses:</para>
 
           <programlisting>        eth0(Avvanta)</programlisting>

manpages/shorewall-providers.xml

@@ -87,8 +87,13 @@
           being zero). Otherwise, the value must be between 1 and 255. Each
           provider must be assigned a unique mark value. This column may be
           omitted if you don't use packet marking to direct connections to a
-          particular provider and you don't specify <option>track</option> in
-          the OPTIONS column.</para>
+          particular provider.</para>
+
+          <para>Note: If you are using a Shorewall version earlier that 4.5.0,
+          you must specify a MARK value if you specify the
+          <option>track</option> option or if you have set TRACK_PROVIDERS=Yes
+          in <ulink
+          url="shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
         </listitem>
       </varlistentry>
 
@@ -268,6 +273,16 @@
                 <filename>shorewall.conf</filename>.</para>
               </listitem>
             </varlistentry>
+
+            <varlistentry>
+              <term>local</term>
+
+              <listitem>
+                <para>Indicates that this is a local zone associated with with
+                the 'lo' interface. Used in conjunction with TPROXY in <ulink
+                url="shorewall-tcrules.html">shorewall-tcrules</ulink>(5).</para>
+              </listitem>
+            </varlistentry>
           </variablelist>
         </listitem>
       </varlistentry>

manpages/shorewall-tcdevices.xml

@@ -44,7 +44,7 @@
 
         <variablelist>
           <varlistentry>
-            <term><emphasis role="bold">kbps</emphasis></term>
+            <term><emphasis role="bold">kpbs</emphasis></term>
 
             <listitem>
               <para>Kilobytes per second.</para>

manpages/shorewall-tcinterfaces.xml

@@ -27,67 +27,6 @@
     shaping. Simple traffic shaping is enabled by setting TC_ENABLED=Simple in
     <ulink url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
 
-    <para>A note on the <emphasis>bandwidth</emphasis> definition used in this
-    file:</para>
-
-    <itemizedlist>
-      <listitem>
-        <para>don't use a space between the integer value and the unit: 30kbit
-        is valid while 30 kbit is not.</para>
-      </listitem>
-
-      <listitem>
-        <para>you can use one of the following units:</para>
-
-        <variablelist>
-          <varlistentry>
-            <term><emphasis role="bold">kbps</emphasis></term>
-
-            <listitem>
-              <para>Kilobytes per second.</para>
-            </listitem>
-          </varlistentry>
-
-          <varlistentry>
-            <term><emphasis role="bold">mbps</emphasis></term>
-
-            <listitem>
-              <para>Megabytes per second.</para>
-            </listitem>
-          </varlistentry>
-
-          <varlistentry>
-            <term><emphasis role="bold">kbit</emphasis></term>
-
-            <listitem>
-              <para>Kilobits per second.</para>
-            </listitem>
-          </varlistentry>
-
-          <varlistentry>
-            <term><emphasis role="bold">mbit</emphasis></term>
-
-            <listitem>
-              <para>Megabits per second.</para>
-            </listitem>
-          </varlistentry>
-
-          <varlistentry>
-            <term><emphasis role="bold">bps</emphasis> or <emphasis
-            role="bold">number</emphasis></term>
-
-            <listitem>
-              <para>Bytes per second.</para>
-            </listitem>
-          </varlistentry>
-        </variablelist>
-      </listitem>
-
-      <listitem>
-        <para>Only whole integers are allowed.</para>
-      </listitem>
-    </itemizedlist>
-
     <para>The columns in the file are as follows.</para>
 
     <variablelist>

manpages/shorewall-tcrules.xml

@@ -16,7 +16,7 @@
 
   <refsynopsisdiv>
     <cmdsynopsis>
-      <command>/etc/shorewall/rules</command>
+      <command>/etc/shorewall/tcrules</command>
     </cmdsynopsis>
   </refsynopsisdiv>
 
@@ -43,30 +43,24 @@
     <variablelist>
       <varlistentry>
         <term><emphasis role="bold">MARK/CLASSIFY</emphasis> -
-        {<emphasis>value</emphasis>|<emphasis>major</emphasis><emphasis
-        role="bold">:</emphasis><emphasis>minor</emphasis>|<emphasis
-        role="bold">RESTORE</emphasis>[<emphasis
-        role="bold">/</emphasis><emphasis>mask</emphasis>]|<emphasis
-        role="bold">SAVE</emphasis>[<emphasis
-        role="bold">/</emphasis><emphasis>mask</emphasis>]|<emphasis
-        role="bold">CONTINUE</emphasis>|<emphasis
-        role="bold">SAME</emphasis>|<emphasis
-        role="bold">COMMENT</emphasis>|<emphasis
-        role="bold">IPMARK</emphasis>[([(<emphasis
-        role="bold">src</emphasis>|<emphasis
-        role="bold">dst</emphasis>}][,[<emphasis>mask1</emphasis>][,[<emphasis>mask2</emphasis>][,[<emphasis>shift</emphasis>]]]]])]}[<emphasis
-        role="bold">:</emphasis>{<emphasis role="bold">C</emphasis>|<emphasis
-        role="bold">F</emphasis>|<emphasis role="bold">P</emphasis>|<emphasis
-        role="bold">T</emphasis>|<emphasis role="bold">CF</emphasis>|<emphasis
-        role="bold">CP</emphasis>|<emphasis role="bold">CT</emphasis>}]</term>
+        <emphasis>mark</emphasis></term>
 
         <listitem>
-          <para>May assume one of the following values.</para>
+          <para>Where mark is one of the following:</para>
 
           <orderedlist numeration="arabic">
             <listitem>
-              <para>A mark <emphasis>value</emphasis> which is an integer in
-              the range 1-255.</para>
+              <para><emphasis>value</emphasis>[:{<emphasis
+              role="bold">C</emphasis>|<emphasis
+              role="bold">F</emphasis>|<emphasis
+              role="bold">P</emphasis>|<emphasis
+              role="bold">T</emphasis>|<emphasis
+              role="bold">CF</emphasis>|<emphasis
+              role="bold">CP</emphasis>|<emphasis
+              role="bold">CT</emphasis>}]</para>
+
+              <para>]A mark <emphasis>value</emphasis> is an integer,
+              expressed either in decimal or in hex.</para>
 
               <para>Normally will set the mark value. If preceded by a
               vertical bar ("|"), the mark value will be logically ORed with
@@ -94,10 +88,11 @@
               role="bold">$FW</emphasis>[<emphasis
               role="bold">:</emphasis><emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...],
               then the rule is inserted into the OUTPUT chain. When
-              HIGH_ROUTE_MARKS=Yes, only high mark values may be assigned
-              there. Packet marking rules for traffic shaping of packets
-              originating on the firewall must be coded in the POSTROUTING
-              chain (see below).</para>
+              HIGH_ROUTE_MARKS=Yes (PROVIDER_OFFSET &gt; 0 in 4.5.0 and
+              later), only provider mark values may be assigned there. Packet
+              marking rules for traffic shaping of packets originating on the
+              firewall must be coded in the POSTROUTING chain (see
+              below).</para>
 
               <para>- Otherwise, the chain is determined by the setting of
               MARK_IN_FORWARD_CHAIN in <ulink
@@ -109,7 +104,7 @@
               <para>The mark value may be optionally followed by "/" and a
               mask value (used to determine those bits of the connection mark
               to actually be set). The mark and optional mask are then
-              followed by one of:+</para>
+              followed by one of:</para>
 
               <variablelist>
                 <varlistentry>
@@ -141,34 +136,21 @@
                   <term>CT</term>
 
                   <listitem>
-                    <para>Mark the connecdtion in the POSTROUTING chain</para>
+                    <para>Mark the connection in the POSTROUTING chain</para>
                   </listitem>
                 </varlistentry>
               </variablelist>
 
-              <para><emphasis role="bold">Special considerations for If
-              HIGH_ROUTE_MARKS=Yes in <ulink
-              url="shorewall.conf.html">shorewall.conf</ulink>(5</emphasis>).</para>
-
-              <para>If HIGH_ROUTE_MARKS=Yes, then you may also specify a value
-              in the range 0x0100-0xFF00 with the low-order byte being zero.
-              Such values may only be used in the PREROUTING chain (value
-              followed by <emphasis role="bold">:P</emphasis> or you have set
-              MARK_IN_FORWARD_CHAIN=No in <ulink
-              url="shorewall.conf.html">shorewall.conf</ulink>(5) and have not
-              followed the value with <option>:F</option>) or the OUTPUT chain
-              (SOURCE is <emphasis role="bold">$FW</emphasis>). With
-              HIGH_ROUTE_MARKS=Yes, non-zero mark values less that 256 are not
-              permitted. Shorewall prohibits non-zero mark values less that
-              256 in the OUTPUT chain when HIGH_ROUTE_MARKS=Yes. While earlier
-              versions allow such values in the OUTPUT chain, it is strongly
-              recommended that with HIGH_ROUTE_MARKS=Yes, you use the
-              POSTROUTING chain to apply traffic shaping
-              marks/classification.</para>
+              <para>When marking in the prerouting chain, the
+              <emphasis>value</emphasis> must fall within the proper range for
+              provider marks. See PROVIDER_OFFSET and PROVIDER_BITS in <ulink
+              url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
             </listitem>
 
             <listitem>
-              <para>A classification Id (classid) of the form
+              <para><emphasis>major</emphasis>:<emphasis>minor</emphasis></para>
+
+              <para>A classification Id (classid) takes the form
               <emphasis>major</emphasis>:<emphasis>minor</emphasis> where
               <emphasis>major</emphasis> and <emphasis>minor</emphasis> are
               integers. Corresponds to the 'class' specification in these
@@ -201,50 +183,62 @@
 
             <listitem>
               <para><emphasis
-              role="bold">RESTORE</emphasis>[/<emphasis>mask</emphasis>] --
-              restore the packet's mark from the connection's mark using the
-              supplied mask if any. Your kernel and iptables must include
+              role="bold">RESTORE</emphasis>[/<emphasis>mask</emphasis>][:{<emphasis
+              role="bold">P</emphasis>|<emphasis role="bold">F|<emphasis
+              role="bold">T</emphasis></emphasis>}]</para>
+
+              <para>Restore the packet's mark from the connection's mark using
+              the supplied mask if any. Your kernel and iptables must include
               CONNMARK support.</para>
 
               <para>As in 1) above, may be followed by <emphasis
-              role="bold">:P</emphasis> or <emphasis
-              role="bold">:F</emphasis></para>
+              role="bold">:P</emphasis>, <emphasis role="bold">:F</emphasis>
+              or <emphasis role="bold">:T</emphasis>.</para>
             </listitem>
 
             <listitem>
               <para><emphasis
-              role="bold">SAVE</emphasis>[/<emphasis>mask</emphasis>] -- save
-              the packet's mark to the connection's mark using the supplied
-              mask if any. Your kernel and iptables must include CONNMARK
-              support.</para>
+              role="bold">SAVE</emphasis>[/<emphasis>mask</emphasis>][:{<emphasis
+              role="bold">P</emphasis>|<emphasis
+              role="bold">F</emphasis>|<emphasis
+              role="bold">T</emphasis>}]</para>
+
+              <para>Save the packet's mark to the connection's mark using the
+              supplied mask if any. Your kernel and iptables must include
+              CONNMARK support.</para>
 
               <para>As in 1) above, may be followed by <emphasis
-              role="bold">:P</emphasis> or <emphasis
-              role="bold">:F</emphasis></para>
+              role="bold">:P</emphasis>, <emphasis role="bold">:F</emphasis>
+              or <emphasis role="bold">:T</emphasis>.</para>
             </listitem>
 
             <listitem>
-              <para><emphasis role="bold">CONTINUE</emphasis> Don't process
-              any more marking rules ‒in the table.</para>
+              <para><emphasis role="bold">CONTINUE[:{<emphasis
+              role="bold">P</emphasis>|<emphasis role="bold">F|<emphasis
+              role="bold">T</emphasis></emphasis>}]</emphasis></para>
+
+              <para>Don't process any more marking rules in the table.</para>
 
               <para>As in 1) above, may be followed by <emphasis
-              role="bold">:P</emphasis> or <emphasis
-              role="bold">:F</emphasis>. Currently, CONTINUE may not be used
-              with <emphasis>exclusion</emphasis> (see the SOURCE and DEST
-              columns below); that restriction will be removed when
+              role="bold">:P</emphasis>,<emphasis role="bold"> :F</emphasis>,
+              or <emphasis role="bold">:T</emphasis>. Currently, CONTINUE may
+              not be used with <emphasis>exclusion</emphasis> (see the SOURCE
+              and DEST columns below); that restriction will be removed when
               iptables/Netfilter provides the necessary support.</para>
             </listitem>
 
             <listitem>
-              <para><emphasis role="bold">SAME</emphasis> Some websites run
-              applications that require multiple connections from a client
-              browser. Where multiple 'balanced' providers are configured,
-              this can lead to problems when some of the connections are
-              routed through one provider and some through another. The SAME
-              target allows you to work around that problem. SAME may be used
-              in the PREROUTING and OUTPUT chains. When used in PREROUTING, it
-              causes matching connections from an individual local system to
-              all use the same provider. For example: <programlisting>#MARK/            SOURCE         DEST         PROTO      DEST
+              <para><emphasis role="bold">SAME</emphasis></para>
+
+              <para>Some websites run applications that require multiple
+              connections from a client browser. Where multiple 'balanced'
+              providers are configured, this can lead to problems when some of
+              the connections are routed through one provider and some through
+              another. The SAME target allows you to work around that problem.
+              SAME may be used in the PREROUTING and OUTPUT chains. When used
+              in PREROUTING, it causes matching connections from an individual
+              local system to all use the same provider. For example:
+              <programlisting>#MARK/            SOURCE         DEST         PROTO      DEST
 #CLASSIFY                                                PORT(S)
 SAME:P            192.168.1.0/24 0.0.0.0/0    tcp        80,443</programlisting>
               If a host in 192.168.1.0/24 attempts a connection on TCP port 80
@@ -266,118 +260,48 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
             </listitem>
 
             <listitem>
-              <para><emphasis role="bold">COMMENT</emphasis> -- the rest of
-              the line will be attached as a comment to the Netfilter rule(s)
-              generated by the following entries. The comment will appear
-              delimited by "/* ... */" in the output of <command>shorewall
-              show mangle</command></para>
+              <para><emphasis role="bold">COMMENT</emphasis></para>
+
+              <para>The rest of the line will be attached as a comment to the
+              Netfilter rule(s) generated by the following entries. The
+              comment will appear delimited by "/* ... */" in the output of
+              <command>shorewall show mangle</command></para>
 
               <para>To stop the comment from being attached to further rules,
               simply include COMMENT on a line by itself.</para>
             </listitem>
 
             <listitem>
-              <para><emphasis role="bold">IPMARK</emphasis> ‒ Assigns a mark
-              to each matching packet based on the either the source or
-              destination IP address. By default, it assigns a mark value
-              equal to the low-order 8 bits of the source address. Default
-              values are:</para>
+              <para><emphasis
+              role="bold">TPROXY</emphasis>(<emphasis>mark</emphasis>[/<emphasis>mask</emphasis>][,[<emphasis>port</emphasis>][,[<emphasis>address</emphasis>]]])</para>
 
-              <simplelist>
-                <member>src</member>
+              <para>Transparently redirects a packet without altering the IP
+              header. Requires a local provider to be defined in <ulink
+              url="manpages/shorewall-providers.html">shorewall-providers</ulink>(5).</para>
 
-                <member><emphasis>mask1</emphasis> = 0xFF</member>
+              <para>There are three parameters to TPROXY - only the first
+              (<emphasis>mark</emphasis>) is required:</para>
 
-                <member><emphasis>mask2</emphasis> = 0x00</member>
+              <itemizedlist>
+                <listitem>
+                  <para><emphasis>mark</emphasis> - the MARK value
+                  corresponding to the local provider in <ulink
+                  url="manpages/shorewall-providers.html">shorewall-providers</ulink>(5).</para>
+                </listitem>
 
-                <member><emphasis>shift</emphasis> = 0</member>
-              </simplelist>
+                <listitem>
+                  <para><emphasis>port</emphasis> - the port on which the
+                  proxy server is listening. If omitted, the original
+                  destination port.</para>
+                </listitem>
 
-              <para>'src' and 'dst' specify whether the mark is to be based on
-              the source or destination address respectively. The selected
-              address is first shifted to the right by
-              <emphasis>shift</emphasis> bits. The result is then LANDed with
-              <emphasis>mask1</emphasis> then LORed with
-              <emphasis>ma<emphasis>s</emphasis>k2</emphasis>.</para>
-
-              <para>In a sense, the IPMARK target is more like an IPCLASSIFY
-              target in that the mark value is later interpreted as a class
-              ID. A packet mark is 32 bits wide; so is a class ID. The
-              &lt;major&gt; class occupies the high-order 16 bits and the
-              &lt;minor&gt; class occupies the low-order 16 bits. So the class
-              ID 1:4ff (remember that class IDs are always in hex) is
-              equivalent to a mark value of 0x104ff. Remember that Shorewall
-              uses the interface number as the &lt;major&gt; number where the
-              first interface in tcdevices has &lt;major&gt; number 1, the
-              second has &lt;major&gt; number 2, and so on.</para>
-
-              <para>The IPMARK target assigns a mark to each matching packet
-              based on the either the source or destination IP address. By
-              default, it assigns a mark value equal to the low-order 8 bits
-              of the source address. The syntax is as follows:</para>
-
-              <blockquote>
-                <para><option>IPMARK</option>[([{<option>src</option>|<option>dst</option>}][,[<replaceable>mask1</replaceable>][,[<replaceable>mask2</replaceable>][,[<replaceable>shift</replaceable>]]]])]</para>
-              </blockquote>
-
-              <para>Default values are:</para>
-
-              <simplelist>
-                <member><option>src</option></member>
-
-                <member><replaceable>mask1</replaceable> = 0xFF</member>
-
-                <member><replaceable>mask2</replaceable> = 0x00</member>
-
-                <member><replaceable>shift</replaceable> = 0</member>
-              </simplelist>
-
-              <para><option>src</option> and <option>dst</option> specify
-              whether the mark is to be based on the source or destination
-              address respectively. The selected address is first shifted
-              right by <replaceable>shift</replaceable>, then LANDed with
-              <replaceable>mask1</replaceable> and then LORed with
-              <replaceable>mask2</replaceable>. The
-              <replaceable>shift</replaceable> argument is intended to be used
-              primarily with IPv6 addresses.</para>
-
-              <para>Example:</para>
-
-              <blockquote>
-                <para>IPMARK(src,0xff,0x10100)</para>
-
-                <simplelist>
-                  <member>Suppose that the source IP address is 192.168.4.3 =
-                  0xc0a80403; then</member>
-
-                  <member>0xc0a80403 &gt;&gt; 0 = 0xc0a80403</member>
-
-                  <member>0xc0a80403 LAND 0xFF = 0x03</member>
-
-                  <member>0x03 LOR 0x0x10100 = 0x10103 or class ID
-                  1:103</member>
-                </simplelist>
-              </blockquote>
-
-              <para>It is important to realize that, while class IDs are
-              composed of a <replaceable>major</replaceable> and a
-              <replaceable>minor</replaceable> value, the set of values must
-              be unique. That is, the same numeric value cannot be used as
-              both a <replaceable>major</replaceable> and a
-              <replaceable>minor</replaceable> number for the same interface
-              unless class nesting occurs (which is not currently possible
-              with Shorewall). You should keep this in mind when deciding how
-              to map IP addresses to class IDs.</para>
-
-              <para>For example, suppose that your internal network is
-              192.168.1.0/29 (host IP addresses 192.168.1.1 - 192.168.1.6).
-              Your first notion might be to use IPMARK(src,0xFF,0x10000) so as
-              to produce class IDs 1:1 through 1:6. But 1:1 is an invalid
-              class ID since the <replaceable>major</replaceable> and
-              <replaceable>minor</replaceable> classes are equal. So you might
-              chose instent to use IPMARK(src,0xFF,0x10100) as in the example
-              above so that all of your <replaceable>minor</replaceable>
-              classes will have a value &gt; 256.</para>
+                <listitem>
+                  <para><emphasis>address</emphasis> - a local (to the
+                  firewall) IP address on which the proxy server is listening.
+                  If omitted, the IP address of the interface on which the
+                  request arrives.</para>
+                </listitem>
+              </itemizedlist>
             </listitem>
           </orderedlist>
         </listitem>

manpages/shorewall.conf.xml

@@ -174,7 +174,7 @@
         role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
 
         <listitem>
-          <para>Added in Shorewall 4.4.7. If set to Yes, Shorewall accounting
+          <para>Added in Shorewall 4.5.0. If set to Yes, Shorewall accounting
           is enabled (see <ulink
           url="shorewall-accounting.html">shorewall-accounting</ulink>(5)). If
           not specified or set to the empty value, ACCOUNTING=Yes is
@@ -475,21 +475,20 @@
         role="bold">DONT_LOAD=</emphasis>[<emphasis>module</emphasis>[,<emphasis>module</emphasis>]...]</term>
 
         <listitem>
-          <para>Causes Shorewall to not load the listed kernel modules.</para>
+          <para>Added in Shorewall-4.0.6. Causes Shorewall to not load the
+          listed modules.</para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">DYNAMIC_BLACKLIST=</emphasis>{<emphasis
+        <term><emphasis role="bold">DYNAMIC_ZONES=</emphasis>{<emphasis
         role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
 
         <listitem>
-          <para>Added in Shorewall 4.4.7. When set to <emphasis
-          role="bold">No</emphasis> or <emphasis role="bold">no</emphasis>,
-          dynamic blacklisting using the <command>shorewall drop</command>,
-          <command>shorewall reject</command>, <command>shorewall
-          logdrop</command> and <command>shorewall logreject</command> is
-          disabled. Default is <emphasis role="bold">Yes</emphasis>.</para>
+          <para>When set to <emphasis role="bold">Yes</emphasis> or <emphasis
+          role="bold">yes</emphasis>, enables dynamic zones. DYNAMIC_ZONES=Yes
+          is not allowed in configurations that will run under Shorewall
+          Lite.</para>
         </listitem>
       </varlistentry>
 
@@ -764,19 +763,6 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
         </listitem>
       </varlistentry>
 
-      <varlistentry>
-        <term><emphasis role="bold">LOAD_HELPERS_ONLY=</emphasis>{<emphasis
-        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
-
-        <listitem>
-          <para>Added in Shorewall 4.4.7. When set to Yes, restricts the set
-          of modules loaded by shorewall to those listed in
-          /var/lib/shorewall/helpers and those that are actually used. When
-          not set, or set to the empty value, LOAD_HELPERS_ONLY=No is
-          assumed.</para>
-        </listitem>
-      </varlistentry>
-
       <varlistentry>
         <term><emphasis role="bold">LOG_MARTIANS=</emphasis>[<emphasis
         role="bold">Yes</emphasis>|<emphasis
@@ -1076,6 +1062,24 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis
+        role="bold">MASK_BITS</emphasis>=<emphasis>bits</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.0. This option specifies the number of
+          <emphasis>bits</emphasis> to use as a mask for traffic shaping marks
+          and must be greater than or equal to TC_BITS. The default value
+          depends on the setting of WIDE_TC_MARKS:</para>
+
+          <simplelist>
+            <member>WIDE_TC_MARKS=No - 8 bits.</member>
+
+            <member>WIDE_TC_MARKS=Yes - 16 bits.</member>
+          </simplelist>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">MODULE_SUFFIX=</emphasis>[<emphasis
         role="bold">"</emphasis><emphasis>extension</emphasis> ...<emphasis
@@ -1199,7 +1203,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
             </listitem>
 
             <listitem>
-              <para>Optimization category 2 - Added in Shorewall 4.4.7. When
+              <para>Optimization category 2 - Added in Shorewall 4.5.0. When
               set, suppresses superfluous ACCEPT rules in a policy chain that
               implements an ACCEPT policy. Any ACCEPT rules that immediately
               preceed the final blanket ACCEPT rule in the chain are now
@@ -1207,7 +1211,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
             </listitem>
 
             <listitem>
-              <para>Optimization category 4 - Added in Shorewall 4.4.7. When
+              <para>Optimization category 4 - Added in Shorewall 4.5.1. When
               set, causes short chains (those with less than 2 rules) to be
               optimized away. The following chains are excluded from
               optimization:</para>
@@ -1274,7 +1278,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
         role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
 
         <listitem>
-          <para>Added in Shorewall 4.4.7. If set to Yes, Shorewall accounting
+          <para>Added in Shorewall 4.5.2. If set to Yes, Shorewall accounting
           changes are subject to optimization (OPTIMIZE=4,5,6 or 7). If not
           specified or set to the empty value, OPTIMIZE_ACCOUNTING=No is
           assumed.</para>
@@ -1292,6 +1296,42 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis
+        role="bold">PROVIDER_BITS</emphasis>=<emphasis>bits</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.0. Specifies the number of bits of the
+          packet/connection mark to use for the provider (routing) mark.
+          Provider mark values must be &gt;= 2**PROVIDER_OFFSET and less than
+          2**(PROVIDER_OFFSET + PROVIDER_BITS). The default value is 8
+          bits.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis
+        role="bold">PROVIDER_OFFSET</emphasis>=<emphasis>offset</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.0. Specifies the
+          <emphasis>offset</emphasis> in bits from the least significate bit
+          of the packet/connection mark where the Provider Mark value is
+          stored. The default is based on the settings of HIGH_ROUTE_MARKS and
+          WIDE_TC_MARKS:</para>
+
+          <simplelist>
+            <member>HIGH_ROUTE_MARKS=No - 0 bits.</member>
+
+            <member>HIGH_ROUTE_MARKS=Yes and WIDE_TC_MARKS=No - 8
+            bits.</member>
+
+            <member>HIGH_ROUTE_MARKS=Yes and WIDE_TC_MARKS=Yes - 16
+            bits.</member>
+          </simplelist>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">PKTTYPE=</emphasis>{<emphasis
         role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
@@ -1528,6 +1568,28 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis
+        role="bold">TC_BITS</emphasis>=<emphasis>bits</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.0. This option replaces WIDE_TC_MARKS
+          by allowing you to specify the number of <emphasis>bits</emphasis>
+          of the 32-bit packet/connection mark to be used for traffic shaping.
+          The default value is based on the settings of WIDE_TC_MARKS:</para>
+
+          <simplelist>
+            <member>WIDE_TC_MARKS=No - 8 bits.</member>
+
+            <member>WIDE_TC_MARKS=Yes - 14 bits.</member>
+          </simplelist>
+
+          <para>Mark values specified in <ulink
+          url="shorewall-tcclasses.html">shorewall-tcclasses (5)</ulink> must
+          be &lt; 2**TC_BITS.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">TC_ENABLED=</emphasis>[<emphasis
         role="bold">Yes</emphasis>|<emphasis
@@ -1546,7 +1608,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
           role="bold">no</emphasis> then traffic shaping is not
           enabled.</para>
 
-          <para>If you set TC_ENABLED=Simple (Shorewall 4.4.6 and later),
+          <para>If you set TC_ENABLED=Simple (Shorewall 4.5.0 and later),
           simple traffic shaping using <ulink
           url="shorewall-tcinterfaces.html">shorewall-tcinterfaces</ulink>(5)
           and <ulink url="shorewall-tcpri.html">shorewall-tcpri</ulink>(5) is
@@ -1578,7 +1640,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
         role="bold">TC_PRIOMAP</emphasis>=<emphasis>map</emphasis></term>
 
         <listitem>
-          <para>Added in Shorewall 4.4.6. Determines the mapping of a packet's
+          <para>Added in Shorewall 4.5.0. Determines the mapping of a packet's
           TOS field to priority bands. See <ulink
           url="shorewall-tcpri.html">shorewall-tcpri</ulink>(5). The
           <emphasis>map</emphasis> consists of 16 space-separated digits with

manpages/shorewall.xml

@@ -538,7 +538,8 @@
 
       <arg choice="plain"><option>show</option></arg>
 
-      <arg choice="plain"><option>tc</option></arg>
+      <arg
+      choice="plain"><option>tc</option><arg><replaceable>device</replaceable></arg></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -1293,9 +1294,9 @@
 
               <listitem>
                 <para>Added in Shorewall 4.4.6. Displays the file that
-                implements the specified <replaceable>macro</replaceable>
-                (usually
-                <filename>/usr/share/shorewall/macro</filename>.<replaceable>macro</replaceable>).</para>
+                implements the specified <replaceable>macro</replaceable> -
+                usually
+                <filename>/usr/share/shorewall/macro</filename><replaceable>.macro.</replaceable></para>
               </listitem>
             </varlistentry>
 
@@ -1355,7 +1356,9 @@
 
               <listitem>
                 <para>Displays information about queuing disciplines, classes
-                and filters.</para>
+                and filters. With Shorewall 4.5.1 and later, the display can
+                be restricted to a specified
+                <replaceable>device</replaceable>.</para>
               </listitem>
             </varlistentry>
 

manpages6/shorewall6-accounting.xml

@@ -28,6 +28,9 @@
     their packet and byte counters using the <command>shorewall6 show
     accounting</command> command.</para>
 
+    <para>This file is not processed if ACCOUNTING=No in <ulink
+    url="shorewall6.conf.html">shorewall6.conf</ulink> (5).</para>
+
     <para>The columns in the file are as follows.</para>
 
     <variablelist>

manpages6/shorewall6-interfaces.xml

@@ -129,9 +129,7 @@ loc     eth2            -</programlisting>
               <term><emphasis role="bold">bridge</emphasis></term>
 
               <listitem>
-                <para>Designates the interface as a bridge. Beginning with
-                Shorewall 4.4.7, setting this option also sets
-                <option>routeback</option>.</para>
+                <para>Designates the interface as a bridge.</para>
               </listitem>
             </varlistentry>
 

manpages6/shorewall6-providers.xml

@@ -87,8 +87,13 @@
           of the value being zero). Otherwise, the value must be between 1 and
           255. Each provider must be assigned a unique mark value. This column
           may be omitted if you don't use packet marking to direct connections
-          to a particular provider and you don't specify
-          <option>track</option> in the OPTIONS column.</para>
+          to a particular provider.</para>
+
+          <para>Note: If you are using a Shorewall version earlier that 4.5.0,
+          you must specify a MARK value if you specify the
+          <option>track</option> option or if you have set TRACK_PROVIDERS=Yes
+          in <ulink
+          url="shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
         </listitem>
       </varlistentry>
 

manpages6/shorewall6-tcdevices.xml

@@ -44,7 +44,7 @@
 
         <variablelist>
           <varlistentry>
-            <term><emphasis role="bold">kbps</emphasis></term>
+            <term><emphasis role="bold">kpbs</emphasis></term>
 
             <listitem>
               <para>Kilobytes per second.</para>

manpages6/shorewall6-tcinterfaces.xml

@@ -27,67 +27,6 @@
     shaping. Simple traffic shaping is enabled by setting TC_ENABLED=Simple in
     <ulink url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
 
-    <para>A note on the <emphasis>bandwidth</emphasis> definition used in this
-    file:</para>
-
-    <itemizedlist>
-      <listitem>
-        <para>don't use a space between the integer value and the unit: 30kbit
-        is valid while 30 kbit is not.</para>
-      </listitem>
-
-      <listitem>
-        <para>you can use one of the following units:</para>
-
-        <variablelist>
-          <varlistentry>
-            <term><emphasis role="bold">kbps</emphasis></term>
-
-            <listitem>
-              <para>Kilobytes per second.</para>
-            </listitem>
-          </varlistentry>
-
-          <varlistentry>
-            <term><emphasis role="bold">mbps</emphasis></term>
-
-            <listitem>
-              <para>Megabytes per second.</para>
-            </listitem>
-          </varlistentry>
-
-          <varlistentry>
-            <term><emphasis role="bold">kbit</emphasis></term>
-
-            <listitem>
-              <para>Kilobits per second.</para>
-            </listitem>
-          </varlistentry>
-
-          <varlistentry>
-            <term><emphasis role="bold">mbit</emphasis></term>
-
-            <listitem>
-              <para>Megabits per second.</para>
-            </listitem>
-          </varlistentry>
-
-          <varlistentry>
-            <term><emphasis role="bold">bps</emphasis> or <emphasis
-            role="bold">number</emphasis></term>
-
-            <listitem>
-              <para>Bytes per second.</para>
-            </listitem>
-          </varlistentry>
-        </variablelist>
-      </listitem>
-
-      <listitem>
-        <para>Only whole integers are allowed.</para>
-      </listitem>
-    </itemizedlist>
-
     <para>The columns in the file are as follows.</para>
 
     <variablelist>

manpages6/shorewall6-tcrules.xml

@@ -16,7 +16,7 @@
 
   <refsynopsisdiv>
     <cmdsynopsis>
-      <command>/etc/shorewall6/rules</command>
+      <command>/etc/shorewall6/tcrules</command>
     </cmdsynopsis>
   </refsynopsisdiv>
 
@@ -43,26 +43,24 @@
     <variablelist>
       <varlistentry>
         <term><emphasis role="bold">MARK/CLASSIFY</emphasis> -
-        {<emphasis>value</emphasis>|<emphasis>major</emphasis><emphasis
-        role="bold">:</emphasis><emphasis>minor</emphasis>|<emphasis
-        role="bold">RESTORE</emphasis>[<emphasis
-        role="bold">/</emphasis><emphasis>mask</emphasis>]|<emphasis
-        role="bold">SAVE</emphasis>[<emphasis
-        role="bold">/</emphasis><emphasis>mask</emphasis>]|<emphasis
-        role="bold">CONTINUE</emphasis>|<emphasis
-        role="bold">COMMENT</emphasis>}[<emphasis
-        role="bold">:</emphasis>{<emphasis role="bold">C</emphasis>|<emphasis
-        role="bold">F</emphasis>|<emphasis role="bold">P</emphasis>|<emphasis
-        role="bold">T</emphasis>|<emphasis role="bold">CF</emphasis>|<emphasis
-        role="bold">CP</emphasis>|<emphasis role="bold">CT</emphasis>}]</term>
+        <emphasis>mark</emphasis></term>
 
         <listitem>
-          <para>May assume one of the following values.</para>
+          <para>Where mark is one of the following:</para>
 
           <orderedlist numeration="arabic">
             <listitem>
-              <para>A mark <emphasis>value</emphasis> which is an integer in
-              the range 1-255.</para>
+              <para><emphasis>value</emphasis>[:{<emphasis
+              role="bold">C</emphasis>|<emphasis
+              role="bold">F</emphasis>|<emphasis
+              role="bold">P</emphasis>|<emphasis
+              role="bold">T</emphasis>|<emphasis
+              role="bold">CF</emphasis>|<emphasis
+              role="bold">CP</emphasis>|<emphasis
+              role="bold">CT</emphasis>}]</para>
+
+              <para>]A mark <emphasis>value</emphasis> is an integer,
+              expressed either in decimal or in hex.</para>
 
               <para>Normally will set the mark value. If preceded by a
               vertical bar ("|"), the mark value will be logically ORed with
@@ -89,11 +87,11 @@
               <para>- If the SOURCE is <emphasis
               role="bold">$FW</emphasis>[<emphasis
               role="bold">:</emphasis><emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...],
-              then the rule is inserted into the OUTPUT chain. The behavior
-              changed in Shorewall6-perl 4.1. Only high mark values may be
-              assigned in this case. Packet marking rules for traffic shaping
-              of packets originating on the firewall must be coded in the
-              POSTROUTING chain (see below).</para>
+              then the rule is inserted into the OUTPUT chain. When
+              HIGH_ROUTE_MARKS=Yes (PROVIDER_OFFSET&gt; 0 in 4.5.0 and later),
+              only provider mark values may be assigned there. Packet marking
+              rules for traffic shaping of packets originating on the firewall
+              must be coded in the POSTROUTING chain (see below).</para>
 
               <para>- Otherwise, the chain is determined by the setting of
               MARK_IN_FORWARD_CHAIN in <ulink
@@ -105,7 +103,7 @@
               <para>The mark value may be optionally followed by "/" and a
               mask value (used to determine those bits of the connection mark
               to actually be set). The mark and optional mask are then
-              followed by one of:+</para>
+              followed by one of:</para>
 
               <variablelist>
                 <varlistentry>
@@ -137,34 +135,21 @@
                   <term>CT</term>
 
                   <listitem>
-                    <para>Mark the connecdtion in the POSTROUTING chain</para>
+                    <para>Mark the connection in the POSTROUTING chain</para>
                   </listitem>
                 </varlistentry>
               </variablelist>
 
-              <para><emphasis role="bold">Special considerations for If
-              HIGH_ROUTE_MARKS=Yes in <ulink
-              url="shorewall6.conf.html">shorewall6.conf</ulink>(5</emphasis>).</para>
-
-              <para>If HIGH_ROUTE_MARKS=Yes, then you may also specify a value
-              in the range 0x0100-0xFF00 with the low-order byte being zero.
-              Such values may only be used in the PREROUTING chain (value
-              followed by <emphasis role="bold">:P</emphasis> or you have set
-              MARK_IN_FORWARD_CHAIN=No in <ulink
-              url="shorewall6.conf.html">shorewall6.conf</ulink>(5) and have
-              not followed the value with <option>:F</option>) or the OUTPUT
-              chain (SOURCE is <emphasis role="bold">$FW</emphasis>). With
-              HIGH_ROUTE_MARKS=Yes, non-zero mark values less that 256 are not
-              permitted. Shorewall6 prohibits non-zero mark values less that
-              256 in the OUTPUT chain when HIGH_ROUTE_MARKS=Yes. While earlier
-              versions allow such values in the OUTPUT chain, it is strongly
-              recommended that with HIGH_ROUTE_MARKS=Yes, you use the
-              POSTROUTING chain to apply traffic shaping
-              marks/classification.</para>
+              <para>When marking in the prerouting chain, the
+              <emphasis>value</emphasis> must fall within the proper range for
+              provider marks. See PROVIDER_OFFSET and PROVIDER_BITS in <ulink
+              url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
             </listitem>
 
             <listitem>
-              <para>A classification Id (classid) of the form
+              <para><emphasis>major</emphasis>:<emphasis>minor</emphasis></para>
+
+              <para>A classification Id (classid) takes the form
               <emphasis>major</emphasis>:<emphasis>minor</emphasis> where
               <emphasis>major</emphasis> and <emphasis>minor</emphasis> are
               integers. Corresponds to the 'class' specification in these
@@ -197,43 +182,54 @@
 
             <listitem>
               <para><emphasis
-              role="bold">RESTORE</emphasis>[/<emphasis>mask</emphasis>] --
-              restore the packet's mark from the connection's mark using the
-              supplied mask if any. Your kernel and ip6tables must include
+              role="bold">RESTORE</emphasis>[/<emphasis>mask</emphasis>][:{<emphasis
+              role="bold">P</emphasis>|<emphasis role="bold">F|<emphasis
+              role="bold">T</emphasis></emphasis>}]</para>
+
+              <para>Restore the packet's mark from the connection's mark using
+              the supplied mask if any. Your kernel and ip6tables must include
               CONNMARK support.</para>
 
               <para>As in 1) above, may be followed by <emphasis
-              role="bold">:P</emphasis> or <emphasis
-              role="bold">:F</emphasis></para>
+              role="bold">:P</emphasis>, <emphasis role="bold">:F</emphasis>
+              or <emphasis role="bold">:T</emphasis>.</para>
             </listitem>
 
             <listitem>
               <para><emphasis
-              role="bold">SAVE</emphasis>[/<emphasis>mask</emphasis>] -- save
-              the packet's mark to the connection's mark using the supplied
-              mask if any. Your kernel and ip6tables must include CONNMARK
-              support.</para>
+              role="bold">SAVE</emphasis>[/<emphasis>mask</emphasis>][:{<emphasis
+              role="bold">P</emphasis>|<emphasis
+              role="bold">F</emphasis>|<emphasis
+              role="bold">T</emphasis>}]</para>
+
+              <para>Save the packet's mark to the connection's mark using the
+              supplied mask if any. Your kernel and ip6tables must include
+              CONNMARK support.</para>
 
               <para>As in 1) above, may be followed by <emphasis
-              role="bold">:P</emphasis> or <emphasis
-              role="bold">:F</emphasis></para>
+              role="bold">:P</emphasis>, <emphasis role="bold">:F</emphasis>
+              or <emphasis role="bold">:T</emphasis>.</para>
             </listitem>
 
             <listitem>
-              <para><emphasis role="bold">CONTINUE</emphasis> Don't process
-              any more marking rules in the table.</para>
+              <para><emphasis role="bold">CONTINUE[:{<emphasis
+              role="bold">P</emphasis>|<emphasis role="bold">F|<emphasis
+              role="bold">T</emphasis></emphasis>}]</emphasis></para>
+
+              <para>Don't process any more marking rules in the table.</para>
 
               <para>As in 1) above, may be followed by <emphasis
-              role="bold">:P</emphasis> or <emphasis
-              role="bold">:F</emphasis>. Currently, CONTINUE may not be used
-              with <emphasis>exclusion</emphasis> (see the SOURCE and DEST
-              columns below); that restriction will be removed when
+              role="bold">:P</emphasis>,<emphasis role="bold"> :F</emphasis>,
+              or <emphasis role="bold">:T</emphasis>. Currently, CONTINUE may
+              not be used with <emphasis>exclusion</emphasis> (see the SOURCE
+              and DEST columns below); that restriction will be removed when
               ip6tables/Netfilter provides the necessary support.</para>
             </listitem>
 
             <listitem>
-              <para><emphasis role="bold">SAME</emphasis> (Added in Shorewall
-              4.3.5) -- Some websites run applications that require multiple
+              <para><emphasis role="bold">SAME</emphasis></para>
+
+              <para>Some websites run applications that require multiple
               connections from a client browser. Where multiple 'balanced'
               providers are configured, this can lead to problems when some of
               the connections are routed through one provider and some through
@@ -241,9 +237,9 @@
               SAME may be used in the PREROUTING and OUTPUT chains. When used
               in PREROUTING, it causes matching connections from an individual
               local system to all use the same provider. For example:
-              <programlisting>#MARK/            SOURCE         DEST         PROTO      DEST
-#CLASSIFY                                                PORT(S)
-SAME:P            192.168.1.0/24 0.0.0.0/0    tcp        80,443</programlisting>
+              <programlisting>#MARK/            SOURCE                 DEST         PROTO      DEST
+#CLASSIFY                                                        PORT(S)
+SAME:P            2002:ce7c:92b4::1/64   ::           tcp        80,443</programlisting>
               If a host in 192.168.1.0/24 attempts a connection on TCP port 80
               or 443 and it has sent a packet on either of those ports in the
               last five minutes then the new connection will use the same
@@ -254,7 +250,7 @@ SAME:P            192.168.1.0/24 0.0.0.0/0    tcp        80,443</programlisting>
               connections to an individual remote system to all use the same
               provider. For example:<programlisting>#MARK/            SOURCE         DEST         PROTO      DEST
 #CLASSIFY                                                PORT(S)
-SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
+SAME              $FW            ::           tcp        80,443</programlisting>
               If the firewall attempts a connection on TCP port 80 or 443 and
               it has sent a packet on either of those ports in the last five
               minutes to the same remote system then the new connection will
@@ -263,15 +259,49 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
             </listitem>
 
             <listitem>
-              <para><emphasis role="bold">COMMENT</emphasis> -- the rest of
-              the line will be attached as a comment to the Netfilter rule(s)
-              generated by the following entries. The comment will appear
-              delimited by "/* ... */" in the output of <command>shorewall6
-              show mangle</command></para>
+              <para><emphasis role="bold">COMMENT</emphasis></para>
+
+              <para>The rest of the line will be attached as a comment to the
+              Netfilter rule(s) generated by the following entries. The
+              comment will appear delimited by "/* ... */" in the output of
+              <command>shorewall6 show mangle</command></para>
 
               <para>To stop the comment from being attached to further rules,
               simply include COMMENT on a line by itself.</para>
             </listitem>
+
+            <listitem>
+              <para><emphasis
+              role="bold">TPROXY</emphasis>(<emphasis>mark</emphasis>[/<emphasis>mask</emphasis>][,[<emphasis>port</emphasis>][,[<emphasis>address</emphasis>]]])</para>
+
+              <para>Transparently redirects a packet without altering the IP
+              header. Requires a local provider to be defined in <ulink
+              url="shorewall6-providers.html">shorewall6-providers</ulink>(5).</para>
+
+              <para>There are three parameters to TPROXY - only the first
+              (<emphasis>mark</emphasis>) is required:</para>
+
+              <itemizedlist>
+                <listitem>
+                  <para><emphasis>mark</emphasis> - the MARK value
+                  corresponding to the local provider in <ulink
+                  url="shorewall6-providers.html">shorewall6-providers</ulink>(5).</para>
+                </listitem>
+
+                <listitem>
+                  <para><emphasis>port</emphasis> - the port on which the
+                  proxy server is listening. If omitted, the original
+                  destination port.</para>
+                </listitem>
+
+                <listitem>
+                  <para><emphasis>address</emphasis> - a local (to the
+                  firewall) IP address on which the proxy server is listening.
+                  If omitted, the IP address of the interface on which the
+                  request arrives.</para>
+                </listitem>
+              </itemizedlist>
+            </listitem>
           </orderedlist>
         </listitem>
       </varlistentry>
@@ -280,36 +310,48 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
         <term><emphasis role="bold">SOURCE</emphasis> - {<emphasis
         role="bold">-</emphasis>|{<emphasis>interface</emphasis>|<emphasis
         role="bold">$FW</emphasis>}|[{<emphasis>interface</emphasis>|<emphasis
-        role="bold">$FW</emphasis>}:]&lt;<emphasis>address-or-range</emphasis>[<emphasis
-        role="bold">,</emphasis><emphasis>address-or-range</emphasis>]...}[<emphasis>exclusion</emphasis>]&gt;</term>
+        role="bold">$FW</emphasis>}:]<emphasis>address-or-range</emphasis>[<emphasis
+        role="bold">,</emphasis><emphasis>address-or-range</emphasis>]...}[<emphasis>exclusion</emphasis>]</term>
 
         <listitem>
-          <para>Source of the packet. A comma-separated list of interface
-          names, IP addresses, MAC addresses and/or subnets for packets being
-          routed through a common path. List elements may also consist of an
-          interface name followed by ":" and an address (e.g.,
-          eth1:&lt;2002:ce7c:92b4::/48&gt;). For example, all packets for
-          connections masqueraded to eth0 from other interfaces can be matched
-          in a single rule with several alternative SOURCE criteria. However,
-          a connection whose packets gets to eth0 in a different way, e.g.,
-          direct from the firewall itself, needs a different rule.</para>
+          <para>May be:</para>
 
-          <para>Accordingly, use $<emphasis role="bold">FW</emphasis> in its
-          own separate rule for packets originating on the firewall. In such a
-          rule, the MARK column may NOT specify either <emphasis
-          role="bold">:P</emphasis> or <emphasis role="bold">:F</emphasis>
-          because marking for firewall-originated packets always occurs in the
-          OUTPUT chain.</para>
+          <orderedlist>
+            <listitem>
+              <para>An interface name - matches traffic entering the firewall
+              on the specified interface. May not be used in classify rules or
+              in rules using the :T chain qualifier.</para>
+            </listitem>
+
+            <listitem>
+              <para>A comma-separated list of host or network IP addresses or
+              MAC addresses. <emphasis role="bold">This form will not match
+              traffic that originates on the firewall itself unless either
+              &lt;major&gt;&lt;minor&gt; or the :T chain qualifier is used in
+              the MARK column.</emphasis></para>
+            </listitem>
+
+            <listitem>
+              <para>An interface name followed by a colon (":") followed by a
+              comma-separated list of host or network IP addresses or MAC
+              addresses (e.g., eth1:&lt;2002:ce7c:92b4::/48&gt;). May not be
+              used in classify rules or in rules using the :T chain
+              qualifier.</para>
+            </listitem>
+
+            <listitem>
+              <para>$FW optionally followed by a colon (":") and a
+              comma-separated list of host or network IP addresses. Matches
+              packets originating on the firewall. May not be used with a
+              chain qualifier (:P, :F, etc.) in the MARK column.</para>
+            </listitem>
+          </orderedlist>
 
           <para>MAC addresses must be prefixed with "~" and use "-" as a
           separator.</para>
 
           <para>Example: ~00-A0-C9-15-39-78</para>
 
-          <para>When an interface is not specified, the angled brackets
-          ('&lt;' and '&gt;') surrounding the address(es) may be
-          omitted.</para>
-
           <para>You may exclude certain hosts from the set already defined
           through use of an <emphasis>exclusion</emphasis> (see <ulink
           url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
@@ -318,23 +360,28 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
 
       <varlistentry>
         <term><emphasis role="bold">DEST</emphasis> - {<emphasis
-        role="bold">-</emphasis>|{<emphasis>interface</emphasis>|[<emphasis>interface</emphasis>:]&lt;<emphasis>address-or-range</emphasis>[<emphasis
-        role="bold">,</emphasis><emphasis>address-or-range</emphasis>]...}[<emphasis>exclusion</emphasis>]&gt;</term>
+        role="bold">-</emphasis>|{<emphasis>interface</emphasis>|[<emphasis>interface</emphasis>:]<emphasis>address-or-range</emphasis>[<emphasis
+        role="bold">,</emphasis><emphasis>address-or-range</emphasis>]...}[<emphasis>exclusion</emphasis>]</term>
 
         <listitem>
-          <para>Destination of the packet. Comma separated list of IP
-          addresses and/or subnets. If your kernel and ip6tables include
-          iprange match support, IP address ranges are also allowed. List
-          elements may also consist of an interface name followed by ":" and
-          an address (e.g., eth1:&lt;2002:ce7c:92b4::/48&gt;). If the
-          <emphasis role="bold">MARK</emphasis> column specificies a
-          classification of the form
-          <emphasis>major</emphasis>:<emphasis>minor</emphasis> then this
-          column may also contain an interface name.</para>
+          <para>May be:</para>
 
-          <para>When an interface is not specified, the angled brackets
-          ('&lt;' and '&gt;') surrounding the address(es) may be
-          omitted.</para>
+          <orderedlist>
+            <listitem>
+              <para>An interface name. May not be used in the PREROUTING chain
+              (:P in the mark column or no chain qualifier and
+              MARK_IN_FORWARD_CHAIN=No in <ulink
+              url="manpages/shorewall.conf">shorewall.conf</ulink> (5)). The
+              interface name may be optionally followed by a colon (":") and
+              an IP address list.</para>
+            </listitem>
+
+            <listitem>
+              <para>A comma-separated list of host or network IP addresses.
+              The list may include ip address ranges if your kernel and
+              ip6tables include iprange support.</para>
+            </listitem>
+          </orderedlist>
 
           <para>You may exclude certain hosts from the set already defined
           through use of an <emphasis>exclusion</emphasis> (see <ulink
@@ -400,7 +447,8 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
       <varlistentry>
         <term><emphasis role="bold">USER</emphasis> (Optional) - [<emphasis
         role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
-        role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>]</term>
+        role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
+        role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>
 
         <listitem>
           <para>This column may only be non-empty if the SOURCE is the
@@ -439,6 +487,19 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
                 group</para>
               </listitem>
             </varlistentry>
+
+            <varlistentry>
+              <term>+upnpd</term>
+
+              <listitem>
+                <para>#program named upnpd</para>
+
+                <important>
+                  <para>The ability to specify a program name was removed from
+                  Netfilter in kernel version 2.6.14.</para>
+                </important>
+              </listitem>
+            </varlistentry>
           </variablelist>
         </listitem>
       </varlistentry>
@@ -550,8 +611,8 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
               <para><emphasis role="bold">O</emphasis> - The original
               direction of the connection.</para>
 
-              <para><emphasis role="bold">R</emphasis> - The opposite
-              direction from the original connection.</para>
+              <para>- The opposite direction from the original
+              connection.</para>
 
               <para><emphasis role="bold">B</emphasis> - The total of both
               directions.</para>
@@ -603,8 +664,8 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
         <term>Example 1:</term>
 
         <listitem>
-          <para>Mark all forwarded ICMP echo traffic with packet mark 1. Mark
-          all forwarded peer to peer traffic with packet mark 4.</para>
+          <para>Mark all ICMP echo traffic with packet mark 1. Mark all peer
+          to peer traffic with packet mark 4.</para>
 
           <para>This is a little more complex than otherwise expected. Since
           the ipp2p module is unable to determine all packets in a connection
@@ -634,7 +695,7 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
   <refsect1>
     <title>FILES</title>
 
-    <para>/etc/shorewall6/tcrules</para>
+    <para>/etc/shorewall/tcrules</para>
   </refsect1>
 
   <refsect1>

manpages6/shorewall6.conf.xml

@@ -172,7 +172,7 @@
         role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
 
         <listitem>
-          <para>Added in Shorewall 4.4.7. If set to Yes, Shorewall6 accounting
+          <para>Added in Shorewall 4.5.0. If set to Yes, Shorewall6 accounting
           is enabled (see <ulink
           url="shorewall6-accounting.html">shorewall6-accounting</ulink>(5)).
           If not specified or set to the empty value, ACCOUNTING=Yes is
@@ -396,20 +396,6 @@
         </listitem>
       </varlistentry>
 
-      <varlistentry>
-        <term><emphasis role="bold">DYNAMIC_BLACKLIST=</emphasis>{<emphasis
-        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
-
-        <listitem>
-          <para>Added in Shorewall 4.4.7. When set to <emphasis
-          role="bold">No</emphasis> or <emphasis role="bold">no</emphasis>,
-          dynamic blacklisting using the <command>shorewall6 drop</command>,
-          <command>shorewall6 reject</command>, <command>shorewall6
-          logdrop</command> and <command>shorewall6 logreject</command> is
-          disabled. Default is <emphasis role="bold">Yes</emphasis>.</para>
-        </listitem>
-      </varlistentry>
-
       <varlistentry>
         <term><emphasis role="bold">EXPAND_POLICIES=</emphasis>{<emphasis
         role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
@@ -670,19 +656,6 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
         </listitem>
       </varlistentry>
 
-      <varlistentry>
-        <term><emphasis role="bold">LOAD_HELPERS_ONLY=</emphasis>{<emphasis
-        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
-
-        <listitem>
-          <para>Added in Shorewall 4.4.7. When set to Yes, restricts the set
-          of modules loaded by shorewall to those listed in
-          /var/lib/shorewall6/helpers and those that are actually used. When
-          not set, or set to the empty value, LOAD_HELPERS_ONLY=No is
-          assumed.</para>
-        </listitem>
-      </varlistentry>
-
       <varlistentry>
         <term><emphasis
         role="bold">LOG_VERBOSITY=</emphasis>[<emphasis>number</emphasis>]</term>
@@ -909,6 +882,24 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis
+        role="bold">MASK_BITS</emphasis>=<emphasis>bits</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.0. This option specifies the number of
+          <emphasis>bits</emphasis> to use as a mask for traffic shaping marks
+          and must be greater than or equal to TC_BITS. The default value
+          depends on the setting of WIDE_TC_MARKS:</para>
+
+          <simplelist>
+            <member>WIDE_TC_MARKS=No - 8 bits.</member>
+
+            <member>WIDE_TC_MARKS=Yes - 16 bits.</member>
+          </simplelist>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">MODULE_SUFFIX=</emphasis>[<emphasis
         role="bold">"</emphasis><emphasis>extension</emphasis> ...<emphasis
@@ -987,7 +978,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
             </listitem>
 
             <listitem>
-              <para>Optimization category 2 - Added in Shorewall 4.4.7. When
+              <para>Optimization category 2 - Added in Shorewall 4.5.0. When
               set, suppresses superfluous ACCEPT rules in a policy chain that
               implements an ACCEPT policy. Any ACCEPT rules that immediately
               preceed the final blanket ACCEPT rule in the chain are now
@@ -995,7 +986,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
             </listitem>
 
             <listitem>
-              <para>Optimization category 4 - Added in Shorewall 4.4.7. When
+              <para>Optimization category 4 - Added in Shorewall 4.5.1. When
               set, causes short chains (those with less than 2 rules) to be
               optimized away. The following chains are excluded from
               optimization:</para>
@@ -1054,7 +1045,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
         role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
 
         <listitem>
-          <para>Added in Shorewall 4.4.7. If set to Yes, Shorewall accounting
+          <para>Added in Shorewall 4.5.2. If set to Yes, Shorewall accounting
           changes are subject to optimization (OPTIMIZE=4,5,6 or 7). If not
           specified or set to the empty value, OPTIMIZE_ACCOUNTING=No is
           assumed.</para>
@@ -1072,6 +1063,42 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis
+        role="bold">PROVIDER_BITS</emphasis>=<emphasis>bits</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.0. Specifies the number of bits of the
+          packet/connection mark to use for the provider (routing) mark.
+          Provider mark values must be &gt;= 2**PROVIDER_OFFSET and less than
+          2**(PROVIDER_OFFSET + PROVIDER_BITS). The default value is 8
+          bits.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis
+        role="bold">PROVIDER_OFFSET</emphasis>=<emphasis>offset</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.0. Specifies the
+          <emphasis>offset</emphasis> in bits from the least significate bit
+          of the packet/connection mark where the Provider Mark value is
+          stored. The default is based on the settings of HIGH_ROUTE_MARKS and
+          WIDE_TC_MARKS:</para>
+
+          <simplelist>
+            <member>HIGH_ROUTE_MARKS=No - 0 bits.</member>
+
+            <member>HIGH_ROUTE_MARKS=Yes and WIDE_TC_MARKS=No - 8
+            bits.</member>
+
+            <member>HIGH_ROUTE_MARKS=Yes and WIDE_TC_MARKS=Yes - 16
+            bits.</member>
+          </simplelist>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis
         role="bold">RCP_COMMAND="</emphasis><replaceable>command</replaceable><emphasis
@@ -1230,6 +1257,28 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis
+        role="bold">TC_BITS</emphasis>=<emphasis>bits</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.0. This option replaces WIDE_TC_MARKS
+          by allowing you to specify the number of <emphasis>bits</emphasis>
+          of the 32-bit packet/connection mark to be used for traffic shaping.
+          The default value is based on the settings of WIDE_TC_MARKS:</para>
+
+          <simplelist>
+            <member>WIDE_TC_MARKS=No - 8 bits.</member>
+
+            <member>WIDE_TC_MARKS=Yes - 14 bits.</member>
+          </simplelist>
+
+          <para>Mark values specified in <ulink
+          url="shorewall6-tcclasses.html">shorewall6-tcclasses (5)</ulink>
+          must be &lt; 2**TC_BITS.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">TC_ENABLED=</emphasis>[<emphasis
         role="bold">Yes</emphasis>|<emphasis
@@ -1280,7 +1329,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
         role="bold">TC_PRIOMAP</emphasis>=<emphasis>map</emphasis></term>
 
         <listitem>
-          <para>Added in Shorewall 4.4.6. Determines the mapping of a packet's
+          <para>Added in Shorewall 4.5.0. Determines the mapping of a packet's
           TOS field to priority bands. See <ulink
           url="shorewall6-tcpri.html">shorewall6-tcpri</ulink>(5). The
           <emphasis>map</emphasis> consists of 16 space-separated digits with

manpages6/shorewall6.xml

@@ -428,7 +428,8 @@
 
       <arg choice="plain"><option>show</option></arg>
 
-      <arg choice="plain"><option>tc</option></arg>
+      <arg
+      choice="plain"><option>tc</option><arg><replaceable>device</replaceable></arg></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -1126,7 +1127,9 @@
 
               <listitem>
                 <para>Displays information about queuing disciplines, classes
-                and filters.</para>
+                and filters. Beginning with Shorewall6 4.5.1, the display can
+                be restricted to a specified
+                <replaceable>device</replaceable>.</para>
               </listitem>
             </varlistentry>