Revert "Remove tools and web"

This reverts commit 966f162c87.

Samples/one-interface/interfaces

@@ -10,6 +10,10 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-interfaces"
+#
+# For additional information, see
+# http://shorewall.net/Documentation.htm#Interfaces
+#
 ###############################################################################
 #ZONE	INTERFACE	BROADCAST	OPTIONS
 net     eth0            detect          dhcp,tcpflags,logmartians,nosmurfs

Samples/one-interface/policy

@@ -10,6 +10,9 @@
 # See the file README.txt for further details.
 #-----------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-policy"
+#
+# See http://shorewall.net/Documentation.htm#Policy for additional information.
+#
 ###############################################################################
 #SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
 $FW		net		ACCEPT

Samples/one-interface/rules

@@ -10,6 +10,9 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall-rules"
+#
+# For more information, see http://www.shorewall.net/Documentation.htm#Zones
+#
 #############################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
 #							PORT	PORT(S)		DEST		LIMIT		GROUP

Samples/one-interface/shorewall.conf

@@ -34,9 +34,9 @@ VERBOSITY=1
 
 LOGFILE=/var/log/messages
 
-STARTUP_LOG=/var/log/shorewall-init.log
+STARTUP_LOG=
 
-LOG_VERBOSITY=2
+LOG_VERBOSITY=
 
 LOGFORMAT="Shorewall:%s:%s:"
 
@@ -107,9 +107,9 @@ RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 #			F I R E W A L L	  O P T I O N S
 ###############################################################################
 
-IP_FORWARDING=Off
+IP_FORWARDING=On
 
-ADD_IP_ALIASES=No
+ADD_IP_ALIASES=Yes
 
 ADD_SNAT_ALIASES=No
 
@@ -119,8 +119,6 @@ TC_ENABLED=Internal
 
 TC_EXPERT=No
 
-TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
-
 CLEAR_TC=Yes
 
 MARK_IN_FORWARD_CHAIN=No
@@ -139,7 +137,7 @@ BLACKLISTNEWONLY=Yes
 
 DELAYBLACKLISTLOAD=No
 
-MODULE_SUFFIX=ko
+MODULE_SUFFIX=
 
 DISABLE_IPV6=No
 
@@ -193,18 +191,6 @@ AUTOMAKE=No
 
 WIDE_TC_MARKS=Yes
 
-TRACK_PROVIDERS=Yes
-
-ZONE2ZONE=2
-
-ACCOUNTING=Yes
-
-DYNAMIC_BLACKLIST=Yes
-
-OPTIMIZE_ACCOUNTING=No
-
-LOAD_HELPERS_ONLY=Yes
-
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples/one-interface/zones

@@ -10,6 +10,9 @@
 # See the file README.txt for further details.
 #-----------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-zones"
+#
+# For more information, see http://www.shorewall.net/Documentation.htm#Zones
+#
 ###############################################################################
 #ZONE	TYPE	OPTIONS			IN			OUT
 #					OPTIONS			OPTIONS

Samples/three-interfaces/interfaces

@@ -10,6 +10,10 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-interfaces"
+#
+# For additional information, see
+# http://shorewall.net/Documentation.htm#Interfaces
+#
 ###############################################################################
 #ZONE	INTERFACE	BROADCAST	OPTIONS
 net     eth0            detect          tcpflags,dhcp,nosmurfs,routefilter,logmartians

Samples/three-interfaces/masq

@@ -10,6 +10,9 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-masq"
+#
+# For additional information, see http://shorewall.net/Documentation.htm#Masq
+#
 ##############################################################################
 #INTERFACE		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK
 eth0			10.0.0.0/8,\

Samples/three-interfaces/policy

@@ -10,6 +10,9 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-policy"
+#
+# See http://shorewall.net/Documentation.htm#Policy for additional information.
+#
 ###############################################################################
 #SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
 

Samples/three-interfaces/routestopped

@@ -10,6 +10,11 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-routestopped"
+#
+# See http://shorewall.net/Documentation.htm#Routestopped and
+# http://shorewall.net/starting_and_stopping_shorewall.htm for additional
+# information.
+#
 ##############################################################################
 #INTERFACE	HOST(S)
 eth1		-

Samples/three-interfaces/rules

@@ -10,6 +10,9 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-rules"
+#
+# For additional information, see http://shorewall.net/Documentation.htm#Rules
+#
 #############################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
 #							PORT	PORT(S)		DEST		LIMIT		GROUP

Samples/three-interfaces/shorewall.conf

@@ -34,9 +34,9 @@ VERBOSITY=1
 
 LOGFILE=/var/log/messages
 
-STARTUP_LOG=/var/log/shorewall-init.log
+STARTUP_LOG=
 
-LOG_VERBOSITY=2
+LOG_VERBOSITY=
 
 LOGFORMAT="Shorewall:%s:%s:"
 
@@ -109,7 +109,7 @@ RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 
 IP_FORWARDING=On
 
-ADD_IP_ALIASES=No
+ADD_IP_ALIASES=Yes
 
 ADD_SNAT_ALIASES=No
 
@@ -119,8 +119,6 @@ TC_ENABLED=Internal
 
 TC_EXPERT=No
 
-TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
-
 CLEAR_TC=Yes
 
 MARK_IN_FORWARD_CHAIN=No
@@ -139,7 +137,7 @@ BLACKLISTNEWONLY=Yes
 
 DELAYBLACKLISTLOAD=No
 
-MODULE_SUFFIX=ko
+MODULE_SUFFIX=
 
 DISABLE_IPV6=No
 
@@ -193,18 +191,6 @@ AUTOMAKE=No
 
 WIDE_TC_MARKS=Yes
 
-TRACK_PROVIDERS=Yes
-
-ZONE2ZONE=2
-
-ACCOUNTING=Yes
-
-DYNAMIC_BLACKLIST=Yes
-
-OPTIMIZE_ACCOUNTING=No
-
-LOAD_HELPERS_ONLY=Yes
-
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples/three-interfaces/zones

@@ -10,6 +10,9 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-zones"
+#
+# For more information, see http://www.shorewall.net/Documentation.htm#Zones
+#
 ###############################################################################
 #ZONE	TYPE	OPTIONS			IN			OUT
 #					OPTIONS			OPTIONS

Samples/two-interfaces/interfaces

@@ -10,6 +10,10 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-interfaces"
+#
+# For additional information, see
+# http://shorewall.net/Documentation.htm#Interfaces
+#
 ###############################################################################
 #ZONE	INTERFACE	BROADCAST	OPTIONS
 net     eth0            detect          dhcp,tcpflags,nosmurfs,routefilter,logmartians

Samples/two-interfaces/masq

@@ -10,6 +10,9 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-masq"
+#
+# For additional information, see http://shorewall.net/Documentation.htm#Masq
+#
 ###############################################################################
 #INTERFACE		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK
 eth0			10.0.0.0/8,\

Samples/two-interfaces/policy

@@ -10,6 +10,9 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-policy"
+#
+# See http://shorewall.net/Documentation.htm#Policy for additional information.
+#
 ###############################################################################
 #SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
 

Samples/two-interfaces/routestopped

@@ -10,6 +10,11 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-routestopped"
+#
+# See http://shorewall.net/Documentation.htm#Routestopped and
+# http://shorewall.net/starting_and_stopping_shorewall.htm for additional
+# information.
+#
 ##############################################################################
 #INTERFACE	HOST(S)                  OPTIONS
 eth1		-

Samples/two-interfaces/rules

@@ -10,6 +10,9 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-rules"
+#
+# For more information, see http://www.shorewall.net/Documentation.htm#Rules
+#
 #############################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
 #							PORT	PORT(S)		DEST		LIMIT		GROUP

Samples/two-interfaces/shorewall.conf

@@ -41,9 +41,9 @@ SHOREWALL_COMPILER=
 
 LOGFILE=/var/log/messages
 
-STARTUP_LOG=/var/log/shorewall-init.log
+STARTUP_LOG=
 
-LOG_VERBOSITY=2
+LOG_VERBOSITY=
 
 LOGFORMAT="Shorewall:%s:%s:"
 
@@ -116,7 +116,7 @@ RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 
 IP_FORWARDING=On
 
-ADD_IP_ALIASES=No
+ADD_IP_ALIASES=Yes
 
 ADD_SNAT_ALIASES=No
 
@@ -126,8 +126,6 @@ TC_ENABLED=Internal
 
 TC_EXPERT=No
 
-TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
-
 CLEAR_TC=Yes
 
 MARK_IN_FORWARD_CHAIN=No
@@ -146,7 +144,7 @@ BLACKLISTNEWONLY=Yes
 
 DELAYBLACKLISTLOAD=No
 
-MODULE_SUFFIX=ko
+MODULE_SUFFIX=
 
 DISABLE_IPV6=No
 
@@ -200,18 +198,6 @@ AUTOMAKE=No
 
 WIDE_TC_MARKS=Yes
 
-TRACK_PROVIDERS=Yes
-
-ZONE2ZONE=2
-
-ACCOUNTING=Yes
-
-DYNAMIC_BLACKLIST=Yes
-
-OPTIMIZE_ACCOUNTING=No
-
-LOAD_HELPERS_ONLY=Yes
-
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples/two-interfaces/zones

@@ -10,6 +10,9 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-zones"
+#
+# For more information, see http://www.shorewall.net/Documentation.htm#Zones
+#
 ###############################################################################
 #ZONE	TYPE	OPTIONS			IN			OUT
 #					OPTIONS			OPTIONS

Samples6/one-interface/shorewall6.conf

@@ -32,9 +32,9 @@ VERBOSITY=1
 
 LOGFILE=/var/log/messages
 
-STARTUP_LOG=/var/log/shorewall6-init.log
+STARTUP_LOG=
 
-LOG_VERBOSITY=2
+LOG_VERBOSITY=
 
 LOGFORMAT="Shorewall:%s:%s:"
 
@@ -99,8 +99,6 @@ TC_ENABLED=No
 
 TC_EXPERT=No
 
-TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
-
 CLEAR_TC=Yes
 
 MARK_IN_FORWARD_CHAIN=No
@@ -113,7 +111,7 @@ ADMINISABSENTMINDED=Yes
 
 BLACKLISTNEWONLY=Yes
 
-MODULE_SUFFIX=ko
+MODULE_SUFFIX=
 
 FASTACCEPT=No
 
@@ -141,19 +139,7 @@ AUTOMAKE=No
 
 WIDE_TC_MARKS=Yes
 
-TRACK_PROVIDERS=Yes
-
-ZONE2ZONE=2
-
-ACCOUNTING=Yes
-
-DYNAMIC_BLACKLIST=Yes
-
-OPTIMIZE_ACCOUNTING=No
-
-LOAD_HELPERS_ONLY=Yes
-
-##############################################################################
+###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
 

Samples6/three-interfaces/shorewall6.conf

@@ -32,9 +32,9 @@ VERBOSITY=1
 
 LOGFILE=/var/log/messages
 
-STARTUP_LOG=/var/log/shorewall6-init.log
+STARTUP_LOG=
 
-LOG_VERBOSITY=2
+LOG_VERBOSITY=
 
 LOGFORMAT="Shorewall:%s:%s:"
 
@@ -99,8 +99,6 @@ TC_ENABLED=No
 
 TC_EXPERT=No
 
-TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
-
 CLEAR_TC=Yes
 
 MARK_IN_FORWARD_CHAIN=No
@@ -113,7 +111,7 @@ ADMINISABSENTMINDED=Yes
 
 BLACKLISTNEWONLY=Yes
 
-MODULE_SUFFIX=ko
+MODULE_SUFFIX=
 
 FASTACCEPT=No
 
@@ -141,18 +139,6 @@ AUTOMAKE=No
 
 WIDE_TC_MARKS=Yes
 
-TRACK_PROVIDERS=Yes
-
-ZONE2ZONE=2
-
-ACCOUNTING=Yes
-
-DYNAMIC_BLACKLIST=Yes
-
-OPTIMIZE_ACCOUNTING=No
-
-LOAD_HELPERS_ONLY=Yes
-
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples6/two-interfaces/shorewall6.conf

@@ -32,9 +32,9 @@ VERBOSITY=1
 
 LOGFILE=/var/log/messages
 
-STARTUP_LOG=/var/log/shorewall6-init.log
+STARTUP_LOG=
 
-LOG_VERBOSITY=2
+LOG_VERBOSITY=
 
 LOGFORMAT="Shorewall:%s:%s:"
 
@@ -99,8 +99,6 @@ TC_ENABLED=No
 
 TC_EXPERT=No
 
-TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
-
 CLEAR_TC=Yes
 
 MARK_IN_FORWARD_CHAIN=No
@@ -113,7 +111,7 @@ ADMINISABSENTMINDED=Yes
 
 BLACKLISTNEWONLY=Yes
 
-MODULE_SUFFIX=ko
+MODULE_SUFFIX=
 
 FASTACCEPT=No
 
@@ -141,18 +139,6 @@ AUTOMAKE=No
 
 WIDE_TC_MARKS=Yes
 
-TRACK_PROVIDERS=Yes
-
-ZONE2ZONE=2
-
-ACCOUNTING=Yes
-
-DYNAMIC_BLACKLIST=Yes
-
-OPTIMIZE_ACCOUNTING=No
-
-LOAD_HELPERS_ONLY=Yes
-
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Shorewall-lite/README.txt

@@ -1 +1 @@
-This is the Shorewall-lite stable 4.4 branch of Git.
+This is the Shorewall-lite development 4.3 branch of SVN.

Shorewall-lite/default.debian

@@ -21,9 +21,4 @@ startup=0
 
 OPTIONS=""
 
-#
-# Init Log -- if /dev/null, use the STARTUP_LOG defined in shorewall.conf
-#
-INITLOG=/dev/null
-
 # EOF

Shorewall-lite/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=4.4.8-Beta2
+VERSION=4.4.0.1
 
 usage() # $1 = exit status
 {

Shorewall-lite/init.debian.sh

@@ -2,8 +2,8 @@
 
 ### BEGIN INIT INFO
 # Provides:          shorewall-lite
-# Required-Start:    $network $remote_fs
-# Required-Stop:     $network $remote_fs
+# Required-Start:    $network
+# Required-Stop:     $network
 # Default-Start:     S
 # Default-Stop:      0 6
 # Short-Description: Configure the firewall at boot time
@@ -15,7 +15,9 @@
 
 SRWL=/sbin/shorewall-lite
 SRWL_OPTS="-tvv"
-test -n ${INITLOG:=/var/log/shorewall-lite-init.log}
+# Note, set INITLOG to /dev/null if you do not want to
+# keep logs of the firewall (not recommended)
+INITLOG=/var/log/shorewall-lite-init.log
 
 [ "$INITLOG" eq "/dev/null" && SHOREWALL_INIT_SCRIPT=1 || SHOREWALL_INIT_SCRIPT=0
 
@@ -23,7 +25,7 @@ export SHOREWALL_INIT_SCRIPT
 
 test -x $SRWL || exit 0
 test -x $WAIT_FOR_IFUP || exit 0
-test -n "$INITLOG" || {
+test -n $INITLOG || {
 	echo "INITLOG cannot be empty, please configure $0" ; 
 	exit 1;
 }
@@ -42,7 +44,6 @@ echo_notdone () {
 	  echo "not done (check $INITLOG)."
   fi
 
-  exit 1
 }
 
 not_configured () {

Shorewall-lite/install.sh

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.8-Beta2
+VERSION=4.4.0.1
 
 usage() # $1 = exit status
 {
@@ -220,11 +220,6 @@ mkdir -p ${PREFIX}/var/lib/shorewall-lite
 chmod 755 ${PREFIX}/etc/shorewall-lite
 chmod 755 ${PREFIX}/usr/share/shorewall-lite
 
-if [ -n "$PREFIX" ]; then
-    mkdir -p ${PREFIX}/etc/logrotate.d
-    chmod 755 ${PREFIX}/etc/logrotate.d
-fi
-
 #
 # Install the config file
 #
@@ -309,12 +304,6 @@ cd ..
 
 echo "Man Pages Installed"
 
-if [ -d ${PREFIX}/etc/logrotate.d ]; then
-    run_install $OWNERSHIP -m 0644 logrotate ${PREFIX}/etc/logrotate.d/shorewall-lite
-    echo "Logrotate file installed as ${PREFIX}/etc/logrotate.d/shorewall-lite"
-fi
-
-
 #
 # Create the version file
 #

Shorewall-lite/logrotate

@@ -1,5 +0,0 @@
-/var/log/shorewall-init.log {
-  missingok
-  notifempty
-  create 0600 root root
-}

Shorewall-lite/shorecap

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2006,2007 - Tom Eastep (teastep@shorewall.net)
 #
 #	This file should be placed in /sbin/shorewall.
 #
@@ -48,19 +48,18 @@
 SHAREDIR=/usr/share/shorewall-lite
 VARDIR=/var/lib/shorewall-lite
 CONFDIR=/etc/shorewall-lite
-g_product="Shorewall Lite"
+PRODUCT="Shorewall Lite"
 
 . /usr/share/shorewall-lite/lib.base
-. /usr/share/shorewall-lite/lib.cli
 . /usr/share/shorewall-lite/configpath
 
 [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
-SHOREWALL_VERSION=$(cat /usr/share/shorewall-lite/version)
+VERSION=$(cat /usr/share/shorewall-lite/version)
 
 [ -n "$IPTABLES" ] || IPTABLES=$(mywhich iptables)
 
-VERBOSITY=0
+VERBOSE=0
 load_kernel_modules No
 determine_capabilities
 report_capabilities1

Shorewall-lite/shorewall-lite

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2006 - Tom Eastep (teastep@shorewall.net)
 #
 #	This file should be placed in /sbin/shorewall-lite.
 #
@@ -95,7 +95,7 @@ get_config() {
 
     if ( ps ax 2> /dev/null | grep -v grep |  qt grep 'syslogd.*-C' ) ; then
 	LOGREAD="logread | tac"
-    elif [ -r $LOGFILE ]; then
+    elif [ -f $LOGFILE ]; then
 	LOGREAD="tac $LOGFILE"
     else
 	echo "LOGFILE ($LOGFILE) does not exist!" >&2
@@ -117,6 +117,8 @@ get_config() {
 
     [ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:"
 
+    export LOGFORMAT
+
     if [ -n "$IPTABLES" ]; then
 	if [ ! -x "$IPTABLES" ]; then
 	    echo "   ERROR: The program specified in IPTABLES does not exist or is not executable" >&2
@@ -130,6 +132,8 @@ get_config() {
 	fi
     fi
 
+    export IPTABLES
+
     if [ -n "$SHOREWALL_SHELL" ]; then
 	if [ ! -x "$SHOREWALL_SHELL" ]; then
 	    echo "   WARNING: The program specified in SHOREWALL_SHELL does not exist or is not executable; falling back to /bin/sh" >&2
@@ -141,20 +145,15 @@ get_config() {
 
     validate_restorefile RESTOREFILE
 
+    export RESTOREFILE
+
     [ -n "${VERBOSITY:=2}" ]
 
-    [ -n "$g_use_verbosity" ] && VERBOSITY=$g_use_verbosity || VERBOSITY=$(($g_verbose_offset + $VERBOSITY))
+    [ -n "$USE_VERBOSITY" ] && VERBOSE=$USE_VERBOSITY || VERBOSE=$(($VERBOSE_OFFSET + $VERBOSITY))
 
-    g_hostname=$(hostname 2> /dev/null)
+    export VERBOSE
 
-    IP=$(mywhich ip 2> /dev/null)
-    if [ -z "$IP" ] ; then
-	echo "   ERROR: Can't find ip executable" >&2
-	exit 2
-    fi
-
-    IPSET=ipset
-    TC=tc
+    [ -n "${HOSTNAME:=$(hostname)}" ]
 
 }
 
@@ -162,13 +161,13 @@ get_config() {
 # Verify that we have a compiled firewall script
 #
 verify_firewall_script() {
-    if [ ! -f $g_firewall ]; then
+    if [ ! -f $FIREWALL ]; then
 	echo "   ERROR: Shorewall Lite is not properly installed" >&2
-	if [ -L $g_firewall ]; then
-	    echo "          $g_firewall is a symbolic link to a" >&2
+	if [ -L $FIREWALL ]; then
+	    echo "          $FIREWALL is a symbolic link to a" >&2
 	    echo "          non-existant file" >&2
 	else
-	    echo "          The file $g_firewall does not exist" >&2
+	    echo "          The file $FIREWALL does not exist" >&2
 	fi
 	
 	exit 2
@@ -188,7 +187,7 @@ start_command() {
 	[ -n "$nolock" ] || mutex_on
 
 	if [ -x ${LITEDIR}/firewall ]; then
-	    run_it ${LITEDIR}/firewall $debugging start
+	    ${LITEDIR}/firewall $debugging start
 	    rc=$?
 	else
 	    error_message "${LITEDIR}/firewall is missing or is not executable"
@@ -220,12 +219,12 @@ start_command() {
 			    option=
 			    ;;
 			f*)
-			    g_fast=Yes
+			    FAST=Yes
 			    option=${option#f}
 			    ;;
 			p*)
 			    [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
-			    g_purge=Yes
+			    PURGE=Yes
 			    option=${option%p}
 			    ;;
 			*)
@@ -249,21 +248,36 @@ start_command() {
 	    ;;
     esac
 
-    if [ -n "$g_fast" ]; then
+    export NOROUTES
+
+    if [ -n "$FAST" ]; then
 	if qt mywhich make; then
-	    export RESTOREFILE
-	    make -qf ${CONFDIR}/Makefile || g_fast=
+	    #
+	    # RESTOREFILE is exported by get_config()
+	    #
+	    make -qf ${CONFDIR}/Makefile || FAST=
 	fi
 
-	if [ -n "$g_fast" ]; then
+	if [ -n "$FAST" ]; then
 
-	    g_restorepath=${VARDIR}/$RESTOREFILE
+	    RESTOREPATH=${VARDIR}/$RESTOREFILE
+
+	    if [ -x $RESTOREPATH ]; then
+		if [ -x ${RESTOREPATH}-ipsets ]; then
+		    echo Restoring Ipsets...
+		    #
+		    # We must purge iptables to be sure that there are no
+		    # references to ipsets
+		    #
+		    iptables -F
+		    iptables -X
+		    $SHOREWALL_SHELL ${RESTOREPATH}-ipsets
+		fi
 
-	    if [ -x $g_restorepath ]; then
 		echo Restoring Shorewall Lite...
-		run_it $g_restorepath restore
+		$SHOREWALL_SHELL $RESTOREPATH restore
 		date > ${VARDIR}/restarted
-		progress_message3 Shorewall Lite restored from $g_restorepath
+		progress_message3 Shorewall Lite restored from $RESTOREPATH
 	    else
 		do_it
 	    fi
@@ -299,12 +313,12 @@ restart_command() {
 			    option=
 			    ;;
 			n*)
-			    g_noroutes=Yes
+			    NOROUTES=Yes
 			    option=${option#n}
 			    ;;
 			p*)
 			    [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
-			    g_purge=Yes
+			    PURGE=Yes
 			    option=${option%p}
 			    ;;
 			*)
@@ -328,10 +342,12 @@ restart_command() {
 	    ;;
     esac
 
+    export NOROUTES
+
     [ -n "$nolock" ] || mutex_on
 
     if [ -x ${LITEDIR}/firewall ]; then
-	run_it ${LITEDIR}/firewall $debugging restart
+	$SHOREWALL_SHELL ${LITEDIR}/firewall $debugging restart
 	rc=$?
     else
 	error_message "${LITEDIR}/firewall is missing or is not executable"
@@ -350,14 +366,13 @@ usage() # $1 = exit status
 {
     echo "Usage: $(basename $0) [debug|trace] [nolock] [ -q ] [ -v[-1|{0-2}] ] [ -t ] <command>"
     echo "where <command> is one of:"
-    echo "   add <interface>[:<host-list>] ... <zone>"
     echo "   allow <address> ..."
-    echo "   clear [ -f ]"
-    echo "   delete <interface>[:<host-list>] ... <zone>"
+    echo "   clear"
     echo "   drop <address> ..."
     echo "   dump [ -x ]"
     echo "   forget [ <file name> ]"
     echo "   help"
+    echo "   hits [ -t ]"
     echo "   ipcalc { <address>/<vlsm> | <address> <netmask> }"
     echo "   ipdecimal { <address> | <integer> }"
     echo "   iprange <address>-<address>"
@@ -366,7 +381,7 @@ usage() # $1 = exit status
     echo "   logwatch [<refresh interval>]"
     echo "   reject <address> ..."
     echo "   reset [ <chain> ... ]"
-    echo "   restart [ -n ] [ -p ] [ -f ] [ <directory> ]"
+    echo "   restart [ -n ] [ -p ]"
     echo "   restore [ -n ] [ <file name> ]"
     echo "   save [ <file name> ]"
     echo "   show [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
@@ -374,18 +389,19 @@ usage() # $1 = exit status
     echo "   show classifiers"
     echo "   show config"
     echo "   show connections"
-    echo "   show filters"
+    echo "   show dynamic <zone>"
+    echo "   show filter"
     echo "   show ip"
     echo "   show [ -m ] log"
-    echo "   show [ -x ] mangle|nat|raw|routing"
-    echo "   show policies"
-    echo "   show tc [ device ]"
+    echo "   show [ -x ] mangle|nat|raw"
+    echo "   show routing"
+    echo "   show tc"
     echo "   show vardir"
     echo "   show zones"
-    echo "   start [ -f ] [ -p ] [ <directory> ]"
-    echo "   stop [ -f ]"
+    echo "   start [ -n ] [ -p ]"
+    echo "   stop"
     echo "   status"
-    echo "   version [ -a ]"
+    echo "   version"
     echo
     exit $1
 }
@@ -407,13 +423,14 @@ if [ $# -gt 0 ] && [ "$1" = "nolock" ]; then
     shift
 fi
 
-g_ipt_options="-nv"
-g_fast=
-g_verbose_offset=0
-g_use_verbosity=
-g_noroutes=
-g_timestamp=
-g_recovering=
+IPT_OPTIONS="-nv"
+FAST=
+VERBOSE_OFFSET=0
+USE_VERBOSITY=
+NOROUTES=
+EXPORT=
+export TIMESTAMP=
+noroutes=
 
 finished=0
 
@@ -432,48 +449,48 @@ while [ $finished -eq 0 ]; do
 	    while [ -n "$option" ]; do
 		case $option in
 		    x*)
-			g_ipt_options="-xnv"
+			IPT_OPTIONS="-xnv"
 			option=${option#x}
 			;;
 		    q*)
-			g_verbose_offset=$(($g_verbose_offset - 1 ))
+			VERBOSE_OFFSET=$(($VERBOSE_OFFSET - 1 ))
 			option=${option#q}
 			;;
 		    f*)
-			g_fast=Yes
+			FAST=Yes
 			option=${option#f}
 			;;
 		    v*)
 			option=${option#v}
 			case $option in 
 			    -1*)
-				g_use_verbosity=-1
+				USE_VERBOSITY=-1
 				option=${option#-1}
 				;;
 			    0*)
-				g_use_verbosity=0
+				USE_VERBOSITY=0
 				option=${option#0}
 				;;
 			    1*)
-				g_use_verbosity=1
+				USE_VERBOSITY=1
 				option=${option#1}
 				;;
 			    2*)
-				g_use_verbosity=2
+				USE_VERBOSITY=2
 				option=${option#2}
 				;;
 			    *)
-				g_verbose_offset=$(($g_verbose_offset + 1 ))
-				g_use_verbosity=
+				VERBOSE_OFFSET=$(($VERBOSE_OFFSET + 1 ))
+				USE_VERBOSITY=
 				;;
 			esac
 			;;
 		    n*)
-			g_noroutes=Yes
+			NOROUTES=Yes
 			option=${option#n}
 			;;
 		    t*)
-			g_timestamp=Yes
+			TIMESTAMP=Yes
 			option=${option#t}
 			;;
 		    -)
@@ -498,11 +515,12 @@ if [ $# -eq 0 ]; then
 fi
 
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
+export PATH
 MUTEX_TIMEOUT=
 
 SHAREDIR=/usr/share/shorewall-lite
 CONFDIR=/etc/shorewall-lite
-g_product="Shorewall Lite"
+export PRODUCT="Shorewall Lite"
 
 [ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir ]
 
@@ -510,10 +528,17 @@ g_product="Shorewall Lite"
 
 [ -d $VARDIR ] || mkdir -p $VARDIR || fatal_error "Unable to create $VARDIR"
 
-version_file=$SHAREDIR/version
+LIBRARIES="$SHAREDIR/lib.base $SHAREDIR/lib.cli"
+VERSION_FILE=$SHAREDIR/version
+HELP=$SHAREDIR/help
 
-for library in base cli; do
-    . ${SHAREDIR}/lib.$library
+for library in $LIBRARIES; do
+    if [ -f $library ]; then
+	. $library
+    else
+	echo "Installation error: $library does not exist!" >&2
+	exit 2
+    fi
 done
 
 ensure_config_path
@@ -533,6 +558,7 @@ else
 fi
 
 ensure_config_path
+export CONFIG_PATH
 
 LITEDIR=${VARDIR}
 
@@ -540,17 +566,17 @@ LITEDIR=${VARDIR}
 
 get_config
 
-g_firewall=$LITEDIR/firewall
+FIREWALL=$LITEDIR/firewall
 
-if [ -f $version_file ]; then
-    SHOREWALL_VERSION=$(cat $version_file)
+if [ -f $VERSION_FILE ]; then
+    version=$(cat $VERSION_FILE)
 else
     echo "   ERROR: Shorewall Lite is not properly installed" >&2
-    echo "          The file $version_file does not exist" >&2
+    echo "          The file $VERSION_FILE does not exist" >&2
     exit 1
 fi
 
-banner="Shorewall Lite $SHOREWALL_VERSION Status at $g_hostname -"
+banner="Shorewall Lite $version Status at $HOSTNAME -"
 
 case $(echo -e) in
     -e*)
@@ -582,11 +608,12 @@ case "$COMMAND" in
     stop|clear)
 	[ $# -ne 1 ] && usage 1
 	verify_firewall_script
-	run_it $g_firewall $debugging $nolock $COMMAND
+	export NOROUTES
+	exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $COMMAND
 	;;
     reset)
 	verify_firewall_script
-	run_it $SHOREWALL_SHELL $g_firewall $debugging $nolock $@
+	exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $@
 	;;
     restart)
 	shift
@@ -599,7 +626,7 @@ case "$COMMAND" in
     status)
 	[ $# -eq 1 ] || usage 1
 	[ "$(id -u)" != 0 ] && fatal_error "ERROR: The status command may only be run by root"
-	echo "Shorewall Lite $SHOREWALL_VERSION Status at $g_hostname - $(date)"
+	echo "Shorewall Lite $version Status at $HOSTNAME - $(date)"
 	echo
 	if shorewall_is_started ; then
 	    echo "Shorewall Lite is running"
@@ -633,7 +660,7 @@ case "$COMMAND" in
 	hits_command $@
 	;;
     version)
-	echo $SHOREWALL_VERSION Lite
+	echo $version Lite
 	;;
     logwatch)
 	logwatch_command $@
@@ -702,7 +729,7 @@ case "$COMMAND" in
 	    ;;
 	esac
 
-	g_restorepath=${VARDIR}/$RESTOREFILE
+	RESTOREPATH=${VARDIR}/$RESTOREFILE
 
 	[ "$nolock" ] || mutex_on
 
@@ -724,20 +751,20 @@ case "$COMMAND" in
 	esac
 
 
-	g_restorepath=${VARDIR}/$RESTOREFILE
+	RESTOREPATH=${VARDIR}/$RESTOREFILE
 
-	if [ -x $g_restorepath ]; then
+	if [ -x $RESTOREPATH ]; then
 
-	    if [ -x ${g_restorepath}-ipsets ]; then
-		rm -f ${g_restorepath}-ipsets
-		echo "    ${g_restorepath}-ipsets removed"
+	    if [ -x ${RESTOREPATH}-ipsets ]; then
+		rm -f ${RESTOREPATH}-ipsets
+		echo "    ${RESTOREPATH}-ipsets removed"
 	    fi
 
-	    rm -f $g_restorepath
-	    rm -f ${g_restorepath}-iptables
-	    echo "    $g_restorepath removed"
-	elif [ -f $g_restorepath ]; then
-	    echo "   $g_restorepath exists and is not a saved Shorewall configuration"
+	    rm -f $RESTOREPATH
+	    rm -f ${RESTOREPATH}-iptables
+	    echo "    $RESTOREPATH removed"
+	elif [ -f $RESTOREPATH ]; then
+	    echo "   $RESTOREPATH exists and is not a saved Shorewall configuration"
 	fi
 	rm -f ${VARDIR}/save
 	;;

Shorewall-lite/shorewall-lite.spec

@@ -1,6 +1,6 @@
 %define name shorewall-lite
-%define version 4.4.8
-%define release 0Beta2
+%define version 4.4.0
+%define release 1
 
 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -79,8 +79,6 @@ fi
 %attr(0755,root,root) %dir /usr/share/shorewall-lite
 %attr(0700,root,root) %dir /var/lib/shorewall-lite
 
-%attr(0644,root,root) /etc/logrotate.d/shorewall-lite
-
 %attr(0755,root,root) /sbin/shorewall-lite
 
 %attr(0644,root,root) /usr/share/shorewall-lite/version
@@ -88,7 +86,6 @@ fi
 %attr(-   ,root,root) /usr/share/shorewall-lite/functions
 %attr(0644,root,root) /usr/share/shorewall-lite/lib.base
 %attr(0644,root,root) /usr/share/shorewall-lite/lib.cli
-%attr(0644,root,root) /usr/share/shorewall-lite/lib.common
 %attr(0644,root,root) /usr/share/shorewall-lite/modules
 %attr(0544,root,root) /usr/share/shorewall-lite/shorecap
 %attr(0755,root,root) /usr/share/shorewall-lite/wait4ifup
@@ -101,44 +98,8 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
-* Sun Feb 28 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.8-0Beta2
-* Thu Feb 11 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.8-0Beta1
-* Fri Feb 05 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0base
-* Tue Feb 02 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0RC2
-* Wed Jan 27 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0RC1
-* Mon Jan 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0Beta4
-* Fri Jan 22 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0Beta3
-* Fri Jan 22 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0Beta2
-* Sun Jan 17 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0Beta1
-* Wed Jan 13 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.6-0base
-* Tue Jan 12 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.6-0Beta1
-* Thu Dec 24 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.5-0base
-* Sat Nov 21 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.4-0base
-* Fri Nov 13 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.4-0Beta2
-* Wed Nov 11 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.4-0Beta1
-* Tue Nov 03 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.3-0base
-* Sun Sep 06 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.2-0base
-* Fri Sep 04 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.2-0base
-* Fri Aug 14 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.1-0base
+* Thu Aug 13 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.0-1
 * Mon Aug 03 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.0-0base
 * Tue Jul 28 2009 Tom Eastep tom@shorewall.net

Shorewall-lite/uninstall.sh

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.sourceforge.net
 #
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.8-Beta2
+VERSION=4.4.0.1
 
 usage() # $1 = exit status
 {

Shorewall/Contrib/swping

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-#     Shorewall WAN Interface monitor - V4.4
+#     Shorewall WAN Interface monitor - V4.2
 #
 #     Inspired by Angsuman Chakraborty's gwping script.
 #

Shorewall/Contrib/swping.init

@@ -1,5 +1,5 @@
 #!/bin/sh
-#     Shorewall WAN Interface monitor - V4.4
+#     Shorewall WAN Interface monitor - V4.2
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #

Shorewall/Macros/macro.BGP

@@ -3,9 +3,9 @@
 #
 # /usr/share/shorewall/macro.BGP
 #
-#	This macro handles BGP4 traffic.
+#       This macro handles BGP4 traffic.
 #
 ###############################################################################
-#ACTION SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S) PORT(S) LIMIT	GROUP
-PARAM	-	-	tcp	179	# BGP4
+#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  RATE    USER/
+#                               PORT(S) PORT(S) LIMIT   GROUP
+PARAM   -       -       tcp     179     				# BGP4

Shorewall/Macros/macro.Citrix

@@ -3,12 +3,11 @@
 #
 # /usr/share/shorewall/macro.Citrix
 #
-#	This macro handles Citrix/ICA traffic (ICA, ICA Browser, CGP a.k.a.
-#	ICA Session Reliability)
+# This macro handles Citrix/ICA traffic (ICA, ICA Browser, CGP a.k.a. ICA Session Reliability)
 #
 ####################################################################################
-#ACTION SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S) PORT(S) LIMIT	GROUP
-PARAM	-	-	tcp	1494	# ICA
-PARAM	-	-	udp	1604	# ICA Browser
-PARAM	-	-	tcp	2598	# CGP Session Reliabilty
+#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  RATE    USER/
+#                               PORT(S) PORT(S) LIMIT   GROUP
+PARAM   -       -       tcp     1494 				   # ICA
+PARAM   -       -       udp     1604    			   # ICA Browser
+PARAM   -       -       tcp     2598    			   # CGP Session Reliabilty

Shorewall/Macros/macro.DHCPfwd

@@ -1,12 +0,0 @@
-#
-# Shorewall version 4 - DHCPfwd Macro
-#
-# /usr/share/shorewall/macro.DHCPfwd
-#
-#	This macro (bidirectional) handles forwarded DHCP traffic
-#
-###############################################################################
-#ACTION SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S) PORT(S) LIMIT	GROUP
-PARAM	-	-	udp	67:68	67:68	# DHCP
-PARAM	DEST	SOURCE	udp	67:68	67:68	# DHCP

Shorewall/Macros/macro.HKP

@@ -1,11 +0,0 @@
-#
-# Shorewall version 4 - HKP Macro
-#
-# /usr/share/shorewall/macro.HKP
-#
-#	This macro handles OpenPGP HTTP keyserver protocol traffic.
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	tcp	11371

Shorewall/Macros/macro.OSPF

@@ -3,9 +3,9 @@
 #
 # /usr/share/shorewall/macro.OSPF
 #
-#	This macro handles OSPF multicast traffic
+#       This macro handles OSPF multicast traffic
 #
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	89	# OSPF
+#######################################################################################################
+#ACTION         SOURCE          DEST    PROTO   DEST    SOURCE  ORIGINAL        RATE    USER/   ORIGINAL
+#                                               PORT(S) PORT(S) DEST            LIMIT   GROUP   DEST
+PARAM           -               -       89      -                                                       # OSPF

Shorewall/Macros/macro.Razor

@@ -3,7 +3,7 @@
 #
 # /usr/share/shorewall/macro.Razor
 #
-#	This macro handles traffic for the Razor Antispam System
+# This macro handles traffic for the Razor Antispam System
 #
 ###############################################################################
 #ACTION         SOURCE          DEST    PROTO   DEST    SOURCE  RATE    USER/

Shorewall/Macros/macro.mDNS

@@ -1,14 +1,12 @@
 #
 # Shorewall version 4 - Multicast DNS Macro
 #
-# /usr/share/shorewall/macro.mDNS
+# /usr/share/shorewall/macro.DNS
 #
 #	This macro handles multicast DNS traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST			PROTO	DEST	SOURCE	RATE	USER/
-#						PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	224.0.0.251		udp	5353
-PARAM	-	224.0.0.251		2
-PARAM	DEST	SOURCE:224.0.0.251	udp	5353
-PARAM	DEST	SOURCE:224.0.0.251	2
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S)	PORT(S)	LIMIT	GROUP
+PARAM	-	-	udp	5353
+PARAM	DEST	SOURCE	udp	5353

Shorewall/Macros/macro.template

@@ -269,7 +269,7 @@
 #                       an action. See 'man shorewall-rules'.
 #
 #	RATE LIMIT	You may rate-limit the rule by placing a value in
-#			this column:
+#			this colume:
 #
 #				<rate>/<interval>[:<burst>]
 #
@@ -304,100 +304,6 @@
 #					#removed from Netfilter in kernel
 #					#version 2.6.14).
 #
-#	MARK		Specifies a MARK value to match. Must be empty or 
-#			'-' if the macro is to be used within an action.
-#			
-#				[!]value[/mask][:C]
-#
-#    			Defines a test on the existing packet or connection
-#			mark. The rule will match only if the test returns
-#			true.
-#
-#    			If you don't want to define a test but need to
-#			specify anything in the following columns,
-#			place a "-" in this field.
-#
-#    			!
-#
-#				Inverts the test (not equal)
-#
-#    			value
-#
-#				Value of the packet or connection mark.
-#
-#  			mask
-#
-#				A mask to be applied to the mark before
-#				testing.
-#
-#    			:C
-#
-#				Designates a connection mark. If omitted, the
-#				packet mark's value is tested.
-#
-#	CONNLIMIT	Must be empty or '-' if the macro is to be used within
-#			an action.
-#
-#				[!]limit[:mask]
-#
-#			May be used to limit the number of simultaneous
-#			connections from each individual host to limit 
-#			connections. Requires connlimit match in your kernel
-#			and iptables. While the limit is only checked on rules
-#			specifying CONNLIMIT, the number of current connections
-#			is calculated over all current connections from the
-#			SOURCE host. By default, the limit is applied to each
-#			host but can be made to apply to networks of hosts by
-#			specifying a mask. The mask specifies the width of a
-#			VLSM mask to be applied to the source address; the
-#			number of current connections is then taken over all
-#			hosts in the subnet source-address/mask. When ! is
-#			specified, the rule matches when the number of
-#			connection exceeds the limit.
-#
-#	TIME		Must be empty or '-' if the macro is to be used within
-#			an action.
-#
-#
-#				<timeelement>[&...]
-#
-#			timeelement may be:
-#
-#    				timestart=hh:mm[:ss]
-#
-#					Defines the starting time of day.
-#
-#    				timestop=hh:mm[:ss]
-#
-#					Defines the ending time of day.
-#
-#    				utc
-#
-#					Times are expressed in Greenwich Mean
-#					Time.
-#
-#    				localtz
-#
-#					Times are expressed in Local Civil Time
-#					(default).
-#
-#    				weekdays=ddd[,ddd]...
-#
-#					where ddd is one of Mon, Tue, Wed, Thu,
-#					Fri, Sat or Sun
-#
-#    				monthdays=dd[,dd],...
-#
-#					where dd is an ordinal day of the month#
-#
-#    				datestart=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
-#
-#					Defines the starting date and time.
-#
-#    				datestop=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
-#
-#					Defines the ending date and time.
-#
 # A few examples should help show how Macros work.
 #
 # /etc/shorewall/macro.FwdFTP:

Shorewall/Makefile

@@ -14,8 +14,4 @@ $(VARDIR)/${RESTOREFILE}: $(CONFDIR)/*
 	    /sbin/shorewall -q restart 2>&1 | tail >&2; \
 	fi
 
-clean:
-	@rm -f $(CONFDIR)/*~ $(CONFDIR)/.*~
-.PHONY: clean
-
 # EOF

Shorewall/Perl/Shorewall/Accounting.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -35,16 +35,27 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_accounting );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.4.7';
+our $VERSION = '4.3_7';
 
 #
-# Called by the compiler to [re-]initialize this module's state
+# Initialize globals -- we take this novel approach to globals initialization to allow
+#                       the compiler to run multiple times in the same process. The
+#                       initialize() function does globals initialization for this
+#                       module and is called from an INIT block below. The function is
+#                       also called by Shorewall::Compiler::compiler at the beginning of
+#                       the second and subsequent calls to that function or when compiling
+#                       for IPv6.
 #
+
 sub initialize() {
     our $jumpchainref;
     $jumpchainref = undef;
 }
 
+INIT {
+    initialize;
+}
+
 #
 # Accounting
 #
@@ -84,7 +95,7 @@ sub process_accounting_rule( ) {
     $ports  = ''    if $ports  eq 'any' || $ports  eq 'all';
     $sports = ''    if $sports eq 'any' || $sports eq 'all';
 
-    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, $globals{TC_MASK} );
+    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, 0xFF );
     my $rule2 = 0;
 
     unless ( $action eq 'COUNT' ) {
@@ -98,7 +109,7 @@ sub process_accounting_rule( ) {
 		} elsif ( $cmd ne 'JUMP' ) {
 		    accounting_error;
 		}
-	    }
+	    } 
 
 	    $target = jump_to_chain $action;
 	}
@@ -185,17 +196,17 @@ sub setup_accounting() {
     if ( have_bridges ) {
 	if ( $filter_table->{accounting} ) {
 	    for my $chain ( qw/INPUT FORWARD/ ) {
-		add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 );
+		insert_rule1 $filter_table->{$chain}, 0, '-j accounting';
 	    }
 	}
 
 	if ( $filter_table->{accountout} ) {
-	    add_jump( $filter_table->{OUTPUT}, 'accountout', 0, '', 0, 0 );
+	    insert_rule1 $filter_table->{OUTPUT}, 0, '-j accountout';
 	}
     } else {
 	if ( $filter_table->{accounting} ) {
 	    for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
-		add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 );
+		insert_rule1 $filter_table->{$chain}, 0, '-j accounting';
 	    }
 	}
     }

Shorewall/Perl/Shorewall/Actions.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -47,7 +47,6 @@ our @EXPORT = qw( merge_levels
 		  substitute_param
 		  merge_macro_source_dest
 		  merge_macro_column
-		  map_old_actions
 
 		  %usedactions
 		  %default_actions
@@ -57,7 +56,7 @@ our @EXPORT = qw( merge_levels
 		  $macro_commands
 		  );
 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.4_7';
+our $VERSION = '4.3_7';
 
 #
 #  Used Actions. Each action that is actually used has an entry with value 1.
@@ -86,23 +85,21 @@ our %macros;
 
 our $family;
 
-our @builtins;
-
 #
 # Commands that can be embedded in a macro file and how many total tokens on the line (0 => unlimited).
 #
 our $macro_commands = { COMMENT => 0, FORMAT => 2 };
 
 #
-# Rather than initializing globals in an INIT block or during declaration,
-# we initialize them in a function. This is done for two reasons:
-#
-#   1. Proper initialization depends on the address family which isn't
-#      known until the compiler has started.
-#
-#   2. The compiler can run multiple times in the same process so it has to be
-#      able to re-initialize its dependent modules' state.
+# Initialize globals -- we take this novel approach to globals initialization to allow
+#                       the compiler to run multiple times in the same process. The
+#                       initialize() function does globals initialization for this
+#                       module and is called from an INIT block below. The function is
+#                       also called by Shorewall::Compiler::compiler at the beginning of
+#                       the second and subsequent calls to that function or when compiling
+#                       for IPv6.
 #
+
 sub initialize( $ ) {
 
     $family          = shift;
@@ -114,12 +111,10 @@ sub initialize( $ ) {
     %actions         = ();
     %logactionchains = ();
     %macros          = ();
+}
 
-    if ( $family == F_IPV4 ) {
-	@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP forwardUPnP Limit/;
-    } else {
-	@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid/;
-    }
+INIT {
+    initialize( F_IPV4 );
 }
 
 #
@@ -213,7 +208,7 @@ sub merge_macro_source_dest( $$ ) {
     if ( $invocation ) {
 	if ( $body ) {
 	    return $body if $invocation eq '-';
-	    return "$body:$invocation" if $invocation =~ /.*?\.*?\.|^\+|^!+|^~|^!~|~<|~\[/;
+	    return "$body:$invocation" if $invocation =~ /.*?\.*?\.|^\+|^~|^!~/;
 	    return "$invocation:$body";
 	}
 
@@ -237,7 +232,7 @@ sub merge_macro_column( $$ ) {
 # Get Macro Name -- strips away trailing /*, :* and (*) from the first column in a rule, macro or action.
 #
 sub isolate_basic_target( $ ) {
-    my $target = ( split '[/:]', $_[0])[0];
+    my $target = ( split '[/:]', $_[0])[0]; 
 
     $target =~ /^(\w+)[(].*[)]$/ ? $1 : $target;
 }
@@ -273,42 +268,14 @@ sub add_requiredby ( $$ ) {
     $actions{$requires}{requires}{$requiredby} = 1;
 }
 
-#
-# Map pre-3.0 actions to the corresponding Macro invocation
-#
-
-sub find_old_action ( $$$ ) {
-    my ( $target, $macro, $param ) = @_;
-
-    if ( my $actiontype = find_macro( $macro ) ) {
-	( $macro, $actiontype , $param );
-    } else {
-	( $target, 0, '' );
-    }
-}
-
-sub map_old_actions( $ ) {
-    my $target = shift;
-
-    if ( $target =~ /^Allow(.*)$/ ) {
-	find_old_action( $target, $1, 'ACCEPT' );
-    } elsif ( $target =~ /^Drop(.*)$/ ) {
-	find_old_action( $target, $1, 'DROP' );
-    } elsif ( $target = /^Reject(.*)$/ ) {
-	find_old_action( $target, $1, 'REJECT' );
-    } else {
-	( $target, 0, '' );
-    }
-}
-
 #
 # Create and record a log action chain -- Log action chains have names
 # that are formed from the action name by prepending a "%" and appending
 # a 1- or 2-digit sequence number. In the functions that follow,
-# the $chain, $level and $tag variable serves as arguments to the user's
+# the CHAIN, LEVEL and TAG variable serves as arguments to the user's
 # exit. We call the exit corresponding to the name of the action but we
-# set $chain to the name of the iptables chain where rules are to be added.
-# Similarly, $level and $tag contain the log level and log tag respectively.
+# set CHAIN to the name of the iptables chain where rules are to be added.
+# Similarly, LEVEL and TAG contain the log level and log tag respectively.
 #
 # The maximum length of a chain name is 30 characters -- since the log
 # action chain name is 2-3 characters longer than the base chain name,
@@ -339,9 +306,7 @@ sub createlogactionchain( $$ ) {
 
     fatal_error "Too many invocations of Action $action" if $actionref->{actchain} > 99;
 
-    unless ( $targets{$action} & BUILTIN ) {
-
-	dont_optimize $chainref;
+    unless ( $targets{$action} & STANDARD ) {
 
 	my $file = find_file $chain;
 
@@ -367,9 +332,7 @@ sub createsimpleactionchain( $ ) {
 
     $logactionchains{"$action:none"} = $chainref;
 
-    unless ( $targets{$action} & BUILTIN ) {
-
-	dont_optimize $chainref;
+    unless ( $targets{$action} & STANDARD ) {
 
 	my $file = find_file $action;
 
@@ -388,7 +351,7 @@ sub createsimpleactionchain( $ ) {
 }
 
 #
-# Create an action chain and run its associated user exit
+# Create an action chain and run it's associated user exit
 #
 sub createactionchain( $ ) {
     my ( $action , $level ) = split_action $_[0];
@@ -454,9 +417,8 @@ sub process_macro1 ( $$ ) {
 #
 # The functions process_actions1-3() implement the three phases of action processing.
 #
-# The first phase (process_actions1) occurs before the rules file is processed. The builtin-actions are added
-# to the target table (%Shorewall::Chains::targets) and actions table, then ${SHAREDIR}/actions.std and
-# ${CONFDIR}/actions are scanned (in that order). For each action:
+# The first phase (process_actions1) occurs before the rules file is processed. ${SHAREDIR}/actions.std
+# and ${CONFDIR}/actions are scanned (in that order) and for each action:
 #
 #      a) The related action definition file is located and scanned.
 #      b) Forward and unresolved action references are trapped as errors.
@@ -518,10 +480,10 @@ sub process_action1 ( $$ ) {
 sub process_actions1() {
 
     progress_message2 "Preprocessing Action Files...";
-    #
-    # Add built-in actions to the target table and create those actions
-    #
-    $targets{$_} = ACTION + BUILTIN, new_action( $_ ) for @builtins;
+
+    for my $act ( grep $targets{$_} & ACTION , keys %targets ) {
+	new_action $act;
+    }
 
     for my $file ( qw/actions.std actions/ ) {
 	open_file $file;
@@ -557,7 +519,7 @@ sub process_actions1() {
 
 	    while ( read_a_line ) {
 
-		my ($wholetarget, $source, $dest, $proto, $ports, $sports, $rate, $users, $mark ) = split_line 1, 9, 'action file';
+		my ($wholetarget, $source, $dest, $proto, $ports, $sports, $rate, $users ) = split_line 1, 8, 'action file';
 
 		process_action1( $action, $wholetarget );
 
@@ -578,7 +540,7 @@ sub process_actions2 () {
 	for my $target (keys %usedactions) {
 	    my ($action, $level) = split_action $target;
 	    my $actionref = $actions{$action};
-	    assert( $actionref );
+	    fatal_error "Null Action Reference in process_actions2" unless $actionref;
 	    for my $action1 ( keys %{$actionref->{requires}} ) {
 		my $action2 = merge_levels $target, $action1;
 		unless ( $usedactions{ $action2 } ) {
@@ -594,8 +556,8 @@ sub process_actions2 () {
 #
 # This function is called to process each rule generated from an action file.
 #
-sub process_action( $$$$$$$$$$$ ) {
-    my ($chainref, $actionname, $target, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark ) = @_;
+sub process_action( $$$$$$$$$$ ) {
+    my ($chainref, $actionname, $target, $source, $dest, $proto, $ports, $sports, $rate, $user ) = @_;
 
     my ( $action , $level ) = split_action $target;
 
@@ -613,7 +575,7 @@ sub process_action( $$$$$$$$$$$ ) {
 
     expand_rule ( $chainref ,
 		  NO_RESTRICT ,
-		  do_proto( $proto, $ports, $sports ) . do_ratelimit( $rate, $action ) . do_user $user . do_test( $mark, $globals{TC_MASK} ) ,
+		  do_proto( $proto, $ports, $sports ) . do_ratelimit( $rate, $action ) . do_user $user ,
 		  $source ,
 		  $dest ,
 		  '', #Original Dest
@@ -626,8 +588,8 @@ sub process_action( $$$$$$$$$$$ ) {
 #
 # Expand Macro in action files.
 #
-sub process_macro3( $$$$$$$$$$$$ ) {
-    my ( $macro, $param, $chainref, $action, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark ) = @_;
+sub process_macro3( $$$$$$$$$$$ ) {
+    my ( $macro, $param, $chainref, $action, $source, $dest, $proto, $ports, $sports, $rate, $user ) = @_;
 
     my $nocomment = no_comment;
 
@@ -643,14 +605,12 @@ sub process_macro3( $$$$$$$$$$$$ ) {
 
     while ( read_a_line ) {
 
-	my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark );
+	my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser );
 
 	if ( $format == 1 ) {
-	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line1 1, 8, 'macro file', $macro_commands;
-	    $morigdest = '-';
-	    $mmark     = '-';
+	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser, $morigdest ) = split_line1 1, 9, 'macro file', $macro_commands;
 	} else {
-	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark ) = split_line1 1, 10, 'macro file', $macro_commands;
+	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser ) = split_line1 1, 9, 'macro file', $macro_commands;
 	}
 
 	if ( $mtarget eq 'COMMENT' ) {
@@ -664,6 +624,8 @@ sub process_macro3( $$$$$$$$$$$$ ) {
 	    next;
 	}
 
+	fatal_error "Invalid macro file entry (too many columns)" if $morigdest ne '-' && $format == 1;
+
 	if ( $mtarget =~ /^PARAM:?/ ) {
 	    fatal_error 'PARAM requires that a parameter be supplied in macro invocation' unless $param;
 	    $mtarget = substitute_param $param,  $mtarget;
@@ -704,9 +666,8 @@ sub process_macro3( $$$$$$$$$$$$ ) {
 	$msports = merge_macro_column $msports, $sports;
 	$mrate   = merge_macro_column $mrate,   $rate;
 	$muser   = merge_macro_column $muser,   $user;
-	$mmark   = merge_macro_column $mmark,   $mark;
 
-	process_action $chainref, $action, $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser, $mark;
+	process_action $chainref, $action, $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser;
     }
 
     pop_open;
@@ -731,7 +692,7 @@ sub process_action3( $$$$$ ) {
 
     while ( read_a_line ) {
 
-	my ($target, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark ) = split_line1 1, 9, 'action file';
+	my ($target, $source, $dest, $proto, $ports, $sports, $rate, $user ) = split_line1 1, 8, 'action file';
 
 	if ( $target eq 'COMMENT' ) {
 	    process_comment;
@@ -744,7 +705,7 @@ sub process_action3( $$$$$ ) {
 
 	( $action2 , my $param ) = get_target_param $action2;
 
-	my $action2type = $targets{$action2} || 0;
+	my $action2type = $targets{$action2} || 0; 
 
 	unless ( $action2type == STANDARD ) {
 	    if ( $action2type & ACTION ) {
@@ -755,9 +716,9 @@ sub process_action3( $$$$$ ) {
 	}
 
 	if ( $action2type == MACRO ) {
-	    process_macro3( $action2, $param, $chainref, $action, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark );
+	    process_macro3( $action2, $param, $chainref, $action, $source, $dest, $proto, $ports, $sports, $rate, $user );
 	} else {
-	    process_action $chainref, $action, $target2, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark;
+	    process_action $chainref, $action, $target2, $source, $dest, $proto, $ports, $sports, $rate, $user;
 	}
     }
 
@@ -770,14 +731,10 @@ sub process_action3( $$$$$ ) {
 sub dropBcast( $$$ ) {
     my ($chainref, $level, $tag) = @_;
 
-    if ( have_capability( 'ADDRTYPE' ) ) {
+    if ( $capabilities{ADDRTYPE} ) {
 	if ( $level ne '' ) {
 	    log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
-	    if ( $family == F_IPV4 ) {
-		log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ';
-	    } else {
-		log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d ff00::/10 -j DROP ';
-	    }		
+	    log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ';
 	}
 
 	add_rule $chainref, '-m addrtype --dst-type BROADCAST -j DROP';
@@ -808,7 +765,7 @@ sub dropBcast( $$$ ) {
 sub allowBcast( $$$ ) {
     my ($chainref, $level, $tag) = @_;
 
-    if ( $family == F_IPV4 && have_capability( 'ADDRTYPE' ) ) {
+    if ( $family == F_IPV4 && $capabilities{ADDRTYPE} ) {
 	if ( $level ne '' ) {
 	    log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
 	    log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ';
@@ -842,15 +799,15 @@ sub allowBcast( $$$ ) {
 sub dropNotSyn ( $$$ ) {
     my ($chainref, $level, $tag) = @_;
 
-    log_rule_limit $level, $chainref, 'dropNotSyn' , 'DROP', '', $tag, 'add', '-p 6 ! --syn ' if $level ne '';
-    add_rule $chainref , '-p 6 ! --syn -j DROP';
+    log_rule_limit $level, $chainref, 'dropNotSyn' , 'DROP', '', $tag, 'add', '-p tcp ! --syn ' if $level ne '';
+    add_rule $chainref , '-p tcp ! --syn -j DROP';
 }
 
 sub rejNotSyn ( $$$ ) {
     my ($chainref, $level, $tag) = @_;
 
-    log_rule_limit $level, $chainref, 'rejNotSyn' , 'REJECT', '', $tag, 'add', '-p 6 ! --syn ' if $level ne '';
-    add_rule $chainref , '-p 6 ! --syn -j REJECT --reject-with tcp-reset';
+    log_rule_limit $level, $chainref, 'rejNotSyn' , 'REJECT', '', $tag, 'add', '-p tcp ! --syn ' if $level ne '';
+    add_rule $chainref , '-p tcp ! --syn -j REJECT --reject-with tcp-reset';
 }
 
 sub dropInvalid ( $$$ ) {
@@ -868,19 +825,18 @@ sub allowInvalid ( $$$ ) {
 }
 
 sub forwardUPnP ( $$$ ) {
-    dont_optimize 'forwardUPnP';
 }
 
 sub allowinUPnP ( $$$ ) {
     my ($chainref, $level, $tag) = @_;
 
     if ( $level ne '' ) {
-	log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p 17 --dport 1900 ';
-	log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p 6 --dport 49152 ';
+	log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p udp --dport 1900 ';
+	log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p tcp --dport 49152 ';
     }
 
-    add_rule $chainref, '-p 17 --dport 1900 -j ACCEPT';
-    add_rule $chainref, '-p 6 --dport 49152 -j ACCEPT';
+    add_rule $chainref, '-p udp --dport 1900 -j ACCEPT';
+    add_rule $chainref, '-p tcp --dport 49152 -j ACCEPT';
 }
 
 sub Limit( $$$ ) {
@@ -906,7 +862,7 @@ sub Limit( $$$ ) {
 	my $xchainref = new_chain 'filter' , "$chainref->{name}%";
 	log_rule_limit $level, $xchainref, $tag[0], 'DROP', '', '', 'add', '';
 	add_rule $xchainref, '-j DROP';
-	add_jump $chainref,  $xchainref, 0, "-m recent --name $set --update --seconds $tag[2] --hitcount $count ";
+	add_rule $chainref,  "-m recent --name $set --update --seconds $tag[2] --hitcount $count -j $xchainref->{name}";
     } else {
 	add_rule $chainref, "-m recent --update --name $set --seconds $tag[2] --hitcount $count -j DROP";
     }
@@ -919,10 +875,10 @@ sub process_actions3 () {
 		       'allowBcast'     => \&allowBcast,
 		       'dropNotSyn'     => \&dropNotSyn,
 		       'rejNotSyn'      => \&rejNotSyn,
-		       'dropInvalid'    => \&dropInvalid,
+		       'dropInvalid'    => \&dropInvalid, 
 		       'allowInvalid'   => \&allowInvalid,
-		       'allowinUPnP'    => \&allowinUPnP,
-		       'forwardUPnP'    => \&forwardUPnP,
+		       'allowinUPnP'    => \&allowinUPnP, 
+		       'forwardUPnP'    => \&forwardUPnP, 
 		       'Limit'          => \&Limit, );
 
     for my $wholeaction ( keys %usedactions ) {

Shorewall/Perl/Shorewall/Compiler.pm

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -41,20 +41,22 @@ use Shorewall::IPAddrs;
 use Shorewall::Raw;
 
 our @ISA = qw(Exporter);
-our @EXPORT = qw( compiler );
+our @EXPORT = qw( compiler EXPORT TIMESTAMP DEBUG );
 our @EXPORT_OK = qw( $export );
-our $VERSION = '4.4_8';
+our $VERSION = '4.4_0';
 
 our $export;
 
 our $test;
 
-our $family;
+our $reused = 0;
+
+our $family = F_IPV4;
 
 #
-# Initilize the package-globals in the other modules
+# Reinitilize the package-globals in the other modules
 #
-sub initialize_package_globals() {
+sub reinitialize() {
     Shorewall::Config::initialize($family);
     Shorewall::Chains::initialize ($family);
     Shorewall::Zones::initialize ($family);
@@ -72,41 +74,22 @@ sub initialize_package_globals() {
 #
 # First stage of script generation.
 #
-#    Copy prog.header and lib.common to the generated script.
+#    Copy prog.header to the generated script.
 #    Generate the various user-exit jacket functions.
 #
-#    Note: This function is not called when $command eq 'check'. So it must have no side effects other
-#          than those related to writing to the output script file.
-#
 sub generate_script_1() {
 
+    my $date = localtime;
+
     if ( $test ) {
 	emit "#!/bin/sh\n#\n# Compiled firewall script generated by Shorewall-perl\n#";
     } else {
-	my $date = localtime;
-
 	emit "#!/bin/sh\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";
-
 	if ( $family == F_IPV4 ) {
 	    copy $globals{SHAREDIRPL} . 'prog.header';
 	} else {
 	    copy $globals{SHAREDIRPL} . 'prog.header6';
 	}
-
-	copy $globals{SHAREDIR} . '/lib.common';
-    }
-
-    my $lib = find_file 'lib.private';
-
-    if ( -f $lib ) {
-	emit <<'EOF';
-################################################################################
-# Functions imported from lib.private
-################################################################################
-EOF
-
-	copy1 $lib;
-	emit "\n";
     }
 
     emit <<'EOF';
@@ -114,6 +97,9 @@ EOF
 # Functions to execute the various user exits (extension scripts)
 ################################################################################
 EOF
+    my $lib = find_file 'lib.private';
+
+    copy1 $lib, emit "\n" if -f $lib;
 
     for my $exit qw/init start tcclear started stop stopped clear refresh refreshed restored/ {
 	emit "\nrun_${exit}_exit() {";
@@ -145,7 +131,7 @@ EOF
 #    Generate the 'initialize()' function.
 #
 #    Note: This function is not called when $command eq 'check'. So it must have no side effects other
-#          than those related to writing to the output script file.
+#          than those related to writing to the object file.
 
 sub generate_script_2() {
 
@@ -170,24 +156,24 @@ sub generate_script_2() {
 	if ( $export ) {
 	    emit ( 'SHAREDIR=/usr/share/shorewall-lite',
 		   'CONFDIR=/etc/shorewall-lite',
-		   'g_product="Shorewall Lite"'
+		   'PRODUCT="Shorewall Lite"'
 		 );
 	} else {
 	    emit ( 'SHAREDIR=/usr/share/shorewall',
 		   'CONFDIR=/etc/shorewall',
-		   'g_product=\'Shorewall\'',
+		   'PRODUCT=\'Shorewall\'',
 		 );
 	}
     } else {
 	if ( $export ) {
 	    emit ( 'SHAREDIR=/usr/share/shorewall6-lite',
 		   'CONFDIR=/etc/shorewall6-lite',
-		   'g_product="Shorewall6 Lite"'
+		   'PRODUCT="Shorewall6 Lite"'
 		 );
 	} else {
 	    emit ( 'SHAREDIR=/usr/share/shorewall6',
 		   'CONFDIR=/etc/shorewall6',
-		   'g_product=\'Shorewall6\'',
+		   'PRODUCT=\'Shorewall6\'',
 		 );
 	}
     }
@@ -219,15 +205,17 @@ sub generate_script_2() {
     my @dont_load = split_list $config{DONT_LOAD}, 'module';
 
     emit ( '[ -n "${COMMAND:=restart}" ]',
-	   '[ -n "${VERBOSITY:=0}" ]',
-	   qq([ -n "\${RESTOREFILE:=$config{RESTOREFILE}}" ]) );
+	   '[ -n "${VERBOSE:=0}" ]',
+	   qq([ -n "\${RESTOREFILE:=$config{RESTOREFILE}}" ]),
+	   '[ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:%s:%s:"' );
 
-    emit ( qq(SHOREWALL_VERSION="$globals{VERSION}") ) unless $test;
+    emit ( qq(VERSION="$globals{VERSION}") ) unless $test;
 
     emit ( qq(PATH="$config{PATH}") ,
 	   'TERMINATOR=fatal_error' ,
 	   qq(DONT_LOAD="@dont_load") ,
 	   qq(STARTUP_LOG="$config{STARTUP_LOG}") ,
+	   "LOG_VERBOSE=$config{LOG_VERBOSITY}" ,
 	   ''
 	   );
 
@@ -236,7 +224,7 @@ sub generate_script_2() {
     append_file 'params' if $config{EXPORTPARAMS};
 
     emit ( '',
-	   "g_stopping=",
+	   "STOPPING=",
 	   '',
 	   '#',
 	   '# The library requires that ${VARDIR} exist',
@@ -244,24 +232,14 @@ sub generate_script_2() {
 	   '[ -d ${VARDIR} ] || mkdir -p ${VARDIR}'
 	   );
 
-    pop_indent;
-
-    emit "\n}\n"; # End of initialize()
-
-    emit( '' ,
-	  '#' ,
-	  '# Set global variables holding detected IP information' ,
-	  '#' ,
-	  'detect_configuration()',
-	  '{' );
-
     my $global_variables = have_global_variables;
 
-    push_indent;
-
     if ( $global_variables ) {
-	
-	emit( 'case $COMMAND in' );
+	emit( '' ,
+	      '#' ,
+	      '# Set global variables holding detected IP information' ,
+	      '#' ,
+	      'case $COMMAND in' );
 
 	push_indent;
 
@@ -270,7 +248,7 @@ sub generate_script_2() {
 	} else {
 	    emit( 'start|restart|refresh|restore)' );
 	}
-
+	 
 	push_indent;
 
 	set_global_variables(1);
@@ -278,10 +256,10 @@ sub generate_script_2() {
 	handle_optional_interfaces;
 
 	emit ';;';
-
+    
 	if ( $global_variables == ( ALL_COMMANDS | NOT_RESTORE ) ) {
 	    pop_indent;
-
+	
 	    emit 'restore)';
 
 	    push_indent;
@@ -297,14 +275,12 @@ sub generate_script_2() {
 	pop_indent;
 
 	emit ( 'esac' ) ,
-    } else {
-	emit( 'true' ) unless handle_optional_interfaces;
     }
 
     pop_indent;
 
-    emit "\n}\n"; # End of detect_configuration()
-    
+    emit "\n}\n"; # End of initialize()
+
 }
 
 #
@@ -317,7 +293,7 @@ sub generate_script_2() {
 #    Generate the 'define_firewall()' function.
 #
 #    Note: This function is not called when $command eq 'check'. So it must have no side effects other
-#          than those related to writing to the output script file.
+#          than those related to writing to the object file.
 #
 sub generate_script_3($) {
 
@@ -339,9 +315,9 @@ sub generate_script_3($) {
     save_progress_message 'Initializing...';
 
     if ( $export ) {
-	my $fn = find_file $config{LOAD_HELPERS_ONLY} ? 'helpers' : 'modules';
+	my $fn = find_file 'modules';
 
-	if ( -f $fn && ! $fn =~ "^$globals{SHAREDIR}/" ) {
+	if ( $fn ne "$globals{SHAREDIR}/modules" && -f $fn ) {
 	    emit 'echo MODULESDIR="$MODULESDIR" > ${VARDIR}/.modulesdir';
 	    emit 'cat > ${VARDIR}/.modules << EOF';
 	    open_file $fn;
@@ -360,17 +336,15 @@ sub generate_script_3($) {
     if ( $family == F_IPV4 ) {
 	my @ipsets = all_ipsets;
 
-	if ( @ipsets || $config{SAVE_IPSETS} ) {
+	if ( @ipsets ) {
 	    emit ( '',
-		   'local hack',
-		   '',
 		   'case $IPSET in',
 		   '    */*)',
-		   '        [ -x "$IPSET" ] || startup_error "IPSET=$IPSET does not exist or is not executable"',
+		   '        [ -x "$IPSET" ] || fatal_error "IPSET=$IPSET does not exist or is not executable"',
 		   '        ;;',
 		   '    *)',
 		   '        IPSET="$(mywhich $IPSET)"',
-		   '        [ -n "$IPSET" ] || startup_error "The ipset utility cannot be located"' ,
+		   '        [ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"' ,
 		   '        ;;',
 		   'esac',
 		   '',
@@ -380,44 +354,20 @@ sub generate_script_3($) {
 		   '        $IPSET -X' ,
 		   '        $IPSET -R < ${VARDIR}/ipsets.save' ,
 		   '    fi' ,
-		   'elif [ "$COMMAND" = restore -a -z "$g_recovering" ]; then' ,
-		   '    if [ -f $(my_pathname)-ipsets ]; then' ,
-		   '        if chain_exists shorewall; then' ,
-		   '            startup_error "Cannot restore $(my_pathname)-ipsets with Shorewall running"' ,
-		   '        else' ,
-		   '            $IPSET -F' ,
-		   '            $IPSET -X' ,
-		   '            $IPSET -R < $(my_pathname)-ipsets' ,
-		   '        fi' ,
-		   '    fi' ,
-		 );
+		   '' );
 
-	    if ( @ipsets ) {
-		emit '';
+	    emit ( "    qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
 
-		emit ( "    qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
+	    emit ( '' ,
+		   'elif [ "$COMMAND" = restart ]; then' ,
+		   '' );
 
-		emit ( '' ,
-		       'elif [ "$COMMAND" = restart ]; then' ,
-		       '' );
-
-		emit ( "    qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
-
-		emit ( '' ,
-		       '    if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then' ,
-		       '        #',
-		       '        # The \'grep -v\' is a hack for a bug in ipset\'s nethash implementation when xtables-addons is applied to Lenny' ,
-		       '        #',
-		       '        hack=\'| grep -v /31\'' ,
-		       '    else' ,
-		       '        hack=' ,
-		       '    fi' ,
-		       '',
-		       '    if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then' ,
-		       '        grep -q "^-N" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' ,
-		       '    fi' );
-	    }
+	    emit ( "    qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
 
+	    emit ( '' , 
+		   '    if $IPSET -S > ${VARDIR}/ipsets.tmp; then' ,
+		   '        grep -q "^-N" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' ,
+		   '    fi' );
 	    emit ( 'fi',
 		   '' );
 	}
@@ -433,13 +383,13 @@ sub generate_script_3($) {
 	       '' );
 
 	mark_firewall_not_started;
-
+		       	       
 	emit ('',
 	       'delete_proxyarp',
 	       ''
 	     );
 
-	if ( have_capability( 'NAT_ENABLED' ) ) {
+	if ( $capabilities{NAT_ENABLED} ) {
 	    emit(  'if [ -f ${VARDIR}/nat ]; then',
 		   '    while read external interface; do',
 		   '        del_ip_addr $external $interface',
@@ -452,10 +402,23 @@ sub generate_script_3($) {
 	emit "disable_ipv6\n" if $config{DISABLE_IPV6};
 
     } else {
-	emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit', 
+	emit ( '#',
+	       '# Recent kernels are difficult to configure -- we see state match omitted a lot so we check for it here',
+	       '#',
+	       'qt1 $IP6TABLES -N foox1234',
+	       'qt1 $IP6TABLES -A foox1234 -m state --state ESTABLISHED,RELATED -j ACCEPT',
+	       'result=$?',
+	       'qt1 $IP6TABLES -F foox1234',
+	       'qt1 $IP6TABLES -X foox1234',
+	       '[ $result = 0 ] || startup_error "Your kernel/ip6tables do not include state match support. No version of Shorewall6 will run on this system"',
 	       '' );
-	mark_firewall_not_started;
-	emit '';
+
+	emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit',
+		   '',
+	       'qt1 $IP6TABLES -L shorewall -n && qt1 $IP6TABLES -F shorewall && qt1 $IP6TABLES -X shorewall',
+	       ''
+	     );
+
     }
 
     emit qq(delete_tc1\n) if $config{CLEAR_TC};
@@ -477,10 +440,6 @@ sub generate_script_3($) {
     dump_zone_contents;
     emit_unindented '__EOF__';
 
-    emit 'cat > ${VARDIR}/policies << __EOF__';
-    save_policies;
-    emit_unindented '__EOF__';
-
     pop_indent;
 
     emit "fi\n";
@@ -508,7 +467,6 @@ EOF
     pop_indent;
     setup_forwarding( $family , 1 );
     push_indent;
-
     emit<<'EOF';
     set_state "Started"
     run_restored_exit
@@ -517,7 +475,6 @@ else
         chainlist_reload
 EOF
     setup_forwarding( $family , 0 );
-
     emit<<'EOF';
         run_refreshed_exit
         do_iptables -N shorewall
@@ -528,7 +485,6 @@ EOF
         conditionally_flush_conntrack
 EOF
     setup_forwarding( $family , 0 );
-
     emit<<'EOF';
         run_start_exit
         do_iptables -N shorewall
@@ -543,16 +499,16 @@ date > ${VARDIR}/restarted
 
 case $COMMAND in
     start)
-        logger -p kern.info "$g_product started"
+        logger -p kern.info "$PRODUCT started"
         ;;
     restart)
-        logger -p kern.info "$g_product restarted"
+        logger -p kern.info "$PRODUCT restarted"
         ;;
     refresh)
-        logger -p kern.info "$g_product refreshed"
+        logger -p kern.info "$PRODUCT refreshed"
         ;;
     restore)
-        logger -p kern.info "$g_product restored"
+        logger -p kern.info "$PRODUCT restored"
         ;;
 esac
 EOF
@@ -570,14 +526,14 @@ EOF
 #
 sub compiler {
 
-    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview ) =
-       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0 );
+    my ( $objectfile, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity ) = 
+       ( '',          '',         -1,          '',          0,      '',       '',   -1 );
 
     $export = 0;
     $test   = 0;
 
     sub validate_boolean( $ ) {
-	 my $val = numeric_value( shift );
+	 my $val = numeric_value( shift ); 
 	 defined($val) && ($val >= 0) && ($val < 2);
      }
 
@@ -591,8 +547,7 @@ sub compiler {
 	defined($val) && ($val == F_IPV4 || $val == F_IPV6);
     }
 
-    my %parms = ( object        => { store => \$scriptfilename },    #Deprecated
-		  script        => { store => \$scriptfilename },
+    my %parms = ( object        => { store => \$objectfile },
 		  directory     => { store => \$directory  },
 		  family        => { store => \$family    ,    validate => \&validate_family    } ,
 		  verbosity     => { store => \$verbosity ,    validate => \&validate_verbosity } ,
@@ -603,7 +558,6 @@ sub compiler {
 		  log           => { store => \$log },
 		  log_verbosity => { store => \$log_verbosity, validate => \&validate_verbosity } ,
 		  test          => { store => \$test },
-		  preview       => { store => \$preview },
 		);
     #
     #                               P A R A M E T E R    P R O C E S S I N G
@@ -618,17 +572,14 @@ sub compiler {
 	${$ref->{store}} = $val;
     }
 
-    #
-    # Now that we know the address family (IPv4/IPv6), we can initialize the other modules' globals
-    #
-    initialize_package_globals;
+    reinitialize if $reused++ || $family == F_IPV6;
 
     if ( $directory ne '' ) {
 	fatal_error "$directory is not an existing directory" unless -d $directory;
 	set_shorewall_dir( $directory );
     }
 
-    set_verbosity( $verbosity );
+    set_verbose( $verbosity );
     set_log($log, $log_verbosity) if $log;
     set_timestamp( $timestamp );
     set_debug( $debug );
@@ -637,25 +588,21 @@ sub compiler {
     #
     get_configuration( $export );
 
-    report_capabilities unless $config{LOAD_HELPERS_ONLY};
+    report_capabilities;
 
     require_capability( 'MULTIPORT'       , "Shorewall $globals{VERSION}" , 's' );
     require_capability( 'RECENT_MATCH'    , 'MACLIST_TTL' , 's' )           if $config{MACLIST_TTL};
-    require_capability( 'XCONNMARK'       , 'HIGH_ROUTE_MARKS=Yes' , 's' )  if $config{PROVIDER_OFFSET} > 0;
+    require_capability( 'XCONNMARK'       , 'HIGH_ROUTE_MARKS=Yes' , 's' )  if $config{HIGH_ROUTE_MARKS};
     require_capability( 'MANGLE_ENABLED'  , 'Traffic Shaping' , 's'      )  if $config{TC_ENABLED};
 
-    if ( $scriptfilename ) {
-	set_command( 'compile', 'Compiling', 'Compiled' );
-	create_temp_script( $scriptfilename , $export );
-    } else {
-	set_command( 'check', 'Checking', 'Checked' );
-    }
-    #
-    # Chain table initialization depends on shorewall.conf and capabilities. So it must be deferred until
-    # shorewall.conf has been processed and the capabilities have been determined.
-    #
+    set_command( 'check', 'Checking', 'Checked' ) unless $objectfile;
+
     initialize_chain_table;
 
+    unless ( $command eq 'check' ) {
+	create_temp_object( $objectfile , $export );
+    }
+
     #
     # Allow user to load Perl modules
     #
@@ -692,11 +639,11 @@ sub compiler {
     #
     setup_notrack;
 
-    enable_script;
-
-    if ( $scriptfilename ) {
+    enable_object;
+    
+    unless ( $command eq 'check' ) {
 	#
-	# Place Header in the script
+	# Place Header in the object
 	#
 	generate_script_1;
 	#
@@ -710,13 +657,13 @@ sub compiler {
 	    );
 
 	push_indent;
-    }
+    } 
     #
-    # Do all of the zone-independent stuff (mostly /proc)
+    # Do all of the zone-independent stuff
     #
     add_common_rules;
     #
-    # More /proc
+    # /proc stuff
     #
     if ( $family == F_IPV4 ) {
 	setup_arp_filtering;
@@ -730,24 +677,25 @@ sub compiler {
     #
     setup_proxy_arp;
     #
-    # Handle MSS settings in the zones file
+    # Handle MSS setings in the zones file
     #
     setup_zone_mss;
 
-    if ( $scriptfilename ) {
+    unless ( $command eq 'check' ) {
 	emit 'return 0';
 	pop_indent;
 	emit '}';
     }
 
-    disable_script;
+    disable_object;
     #
     #                      R O U T I N G _ A N D _ T R A F F I C _ S H A P I N G
     #         (Writes the setup_routing_and_traffic_shaping() function to the compiled script)
     #
-    enable_script;
+    enable_object;
+    
+    unless ( $command eq 'check' ) {
 
-    if ( $scriptfilename ) {
 	emit(  "\n#",
 	       '# Setup routing and traffic shaping',
 	       '#',
@@ -765,12 +713,12 @@ sub compiler {
     #
     setup_tc;
 
-    if ( $scriptfilename ) {
+    unless ( $command eq 'check' ) {
 	pop_indent;
 	emit "}\n";
     }
 
-    disable_script;
+    disable_object;
     #
     #                                       N E T F I L T E R
     #       (Produces no output to the compiled script -- rules are stored in the chain table)
@@ -781,11 +729,11 @@ sub compiler {
 	#
 	# ECN
 	#
-	setup_ecn if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
+	setup_ecn if $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED};
 	#
 	# Setup Masquerading/SNAT
 	#
-	setup_masq;
+	setup_masq; 
 	#
 	# Setup Nat
 	#
@@ -824,30 +772,24 @@ sub compiler {
     #
     # Accounting.
     #
-    setup_accounting if $config{ACCOUNTING};
+    setup_accounting;
 
-    if ( $scriptfilename ) {
+    if ( $command eq 'check' ) {
+	if ( $family == F_IPV4 ) {
+	    progress_message3 "Shorewall configuration verified";
+	} else {
+	    progress_message3 "Shorewall6 configuration verified";
+	}
+    } else {
 	#
-	# Compiling a script - generate the zone by zone matrix
+	# Generate the zone x zone matrix
 	#
 	generate_matrix;
 
-	if ( $config{OPTIMIZE} & 6 ) {
-	    progress_message2 'Optimizing Ruleset...';
-	    #
-	    # Optimize Policy Chains
-	    #
-	    optimize_policy_chains if $config{OPTIMIZE} & 2;
-	    #
-	    # More Optimization
-	    #
-	    optimize_ruleset if $config{OPTIMIZE} & 4;
-	}
-
-	enable_script;
+	enable_object;
 	#
-	#                             I N I T I A L I Z E
-	#           (Writes the initialize() function to the compiled script)
+	#                                    I N I T I A L I Z E
+	#                  (Writes the initialize() function to the compiled script)
 	#
 	generate_script_2;
 	#
@@ -855,19 +797,17 @@ sub compiler {
 	#    (Produces setup_netfilter(), chainlist_reload() and define_firewall() )
 	#
 	generate_script_3( $chains );
+	#                               S T O P _ F I R E W A L L
+	#             (Writes the stop_firewall() function to the compiled script)
 	#
 	# We must reinitialize Shorewall::Chains before generating the iptables-restore input
 	# for stopping the firewall
 	#
 	Shorewall::Chains::initialize( $family );
 	initialize_chain_table;
+	compile_stop_firewall( $test ); 
 	#
-	#                           S T O P _ F I R E W A L L
-	#         (Writes the stop_firewall() function to the compiled script)
-	#
-	compile_stop_firewall( $test, $export );
-	#
-	# Copy the footer to the script
+	# Copy the footer to the object
 	#
 	unless ( $test ) {
 	    if ( $family == F_IPV4 ) {
@@ -876,57 +816,16 @@ sub compiler {
 		copy $globals{SHAREDIRPL} . 'prog.footer6';
 	    }
 	}
-
-	disable_script;
+	
+	disable_object;
 	#
-	# Close, rename and secure the script
+	# Close, rename and secure the object
 	#
-	finalize_script ( $export );
+	finalize_object ( $export );
 	#
 	# And generate the auxilary config file
 	#
-	enable_script, generate_aux_config if $export;
-    } else {
-	#
-	# Just checking the configuration
-	#
-	if ( $preview ) {
-	    #
-	    # User wishes to preview the ruleset -- generate the rule matrix
-	    #
-	    generate_matrix;
-
-	    if ( $config{OPTIMIZE} & 6 ) {
-		progress_message2 'Optimizing Ruleset...';
-		#
-		# Optimize Policy Chains
-		#
-		optimize_policy_chains if $config{OPTIMIZE} & 2;
-		#
-		# Ruleset Optimization
-		#
-		optimize_ruleset if $config{OPTIMIZE} & 4;
-	    }
-
-	    preview_netfilter_load;
-	}
-	#
-	# Re-initialize the chain table so that process_routestopped() has the same
-	# environment that it would when called by compile_stop_firewall().
-	#
-	Shorewall::Chains::initialize( $family );
-	initialize_chain_table;
-	#
-	# compile_stop_firewall() also validates the routestopped file. Since we don't
-	# call that function during 'check', we must validate routestopped here.
-	#
-	process_routestopped;
-
-	if ( $family == F_IPV4 ) {
-	    progress_message3 "Shorewall configuration verified";
-	} else {
-	    progress_message3 "Shorewall6 configuration verified";
-	}
+	enable_object, generate_aux_config if $export;
     }
 
     close_log if $log;

Shorewall/Perl/Shorewall/IPAddrs.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -21,12 +21,12 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 #   This module provides interfaces for dealing with IPv4 addresses, protocol names, and
-#   port names. It also exports functions for validating protocol- and port- (service)
+#   port names. It also exports functions for validating protocol- and port- (service) 
 #   related constructs.
 #
 package Shorewall::IPAddrs;
 require Exporter;
-use Shorewall::Config qw( :DEFAULT split_list require_capability in_hex8 numeric_value F_IPV4 F_IPV6 );
+use Shorewall::Config qw( :DEFAULT split_list require_capability in_hex8 F_IPV4 F_IPV6 );
 use Socket;
 
 use strict;
@@ -34,10 +34,10 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( ALLIPv4
                   ALLIPv6
-	          IPv4_MULTICAST
 	          IPv6_MULTICAST
 	          IPv6_LINKLOCAL
 	          IPv6_SITELOCAL
+	          IPv6_LINKLOCAL
 	          IPv6_LOOPBACK
 	          IPv6_LINK_ALLNODES
 	          IPv6_LINK_ALLRTRS
@@ -72,34 +72,28 @@ our @EXPORT = qw( ALLIPv4
 		  validate_icmp6
 		 );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.4_7';
+our $VERSION = '4.3_7';
 
 #
 # Some IPv4/6 useful stuff
 #
 our @allipv4 = ( '0.0.0.0/0' );
 our @allipv6 = ( '::/0' );
-our $allip;
-our @allip;
-our $valid_address;
-our $validate_address;
-our $validate_net;
-our $validate_range;
-our $validate_host;
+our $family;
 
 use constant { ALLIPv4             => '0.0.0.0/0' ,
 	       ALLIPv6             => '::/0' ,
-	       IPv4_MULTICAST      => '224.0.0.0/4' ,
 	       IPv6_MULTICAST      => 'FF00::/10' ,
 	       IPv6_LINKLOCAL      => 'FF80::/10' ,
 	       IPv6_SITELOCAL      => 'FFC0::/10' ,
+	       IPv6_LINKLOCAL      => 'FF80::/10' ,
 	       IPv6_LOOPBACK       => '::1' ,
 	       IPv6_LINK_ALLNODES  => 'FF01::1' ,
 	       IPv6_LINK_ALLRTRS   => 'FF01::2' ,
 	       IPv6_SITE_ALLNODES  => 'FF02::1' ,
 	       IPv6_SITE_ALLRTRS   => 'FF02::2' ,
-	       ICMP                => 1,
-	       TCP                 => 6,
+	       ICMP                => 1, 
+	       TCP                 => 6, 
 	       UDP                 => 17,
 	       DCCP                => 33,
 	       IPv6_ICMP           => 58,
@@ -107,10 +101,23 @@ use constant { ALLIPv4             => '0.0.0.0/0' ,
 
 our @rfc1918_networks = ( "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" );
 
+#
+# Initialize globals -- we take this novel approach to globals initialization to allow
+#                       the compiler to run multiple times in the same process. The
+#                       initialize() function does globals initialization for this
+#                       module and is called from an INIT block below. The function is
+#                       also called by Shorewall::Compiler::compiler at the beginning of
+#                       the second and subsequent calls to that function.
+#
+
+sub initialize( $ ) {
+    $family = shift;
+}
+
+INIT {
+    initialize( F_IPV4 );
+}
 
-#
-# Note: initialize() is declared at the bottom of the file
-#
 sub vlsm_to_mask( $ ) {
     my $vlsm = $_[0];
 
@@ -200,7 +207,7 @@ sub validate_4net( $$ ) {
 	    ( decodeaddr( $net ) , $vlsm );
 	} else {
 	    "$net/$vlsm";
-	}
+	}	    
     }
 }
 
@@ -287,12 +294,7 @@ sub resolve_proto( $ ) {
     my $proto = $_[0];
     my $number;
 
-    if ( $proto =~ /^\d+$/ || $proto =~ /^0x/ ) {
-	$number = numeric_value ( $proto );
-	defined $number && $number <= 65535 ? $number : undef;
-    } else {
-	defined( $number = $nametoproto{$proto} ) ? $number : scalar getprotobyname $proto;
-    }
+    $proto =~ /^(\d+)$/ ? $proto <= 65535 ? $proto : undef : defined( $number = $nametoproto{$proto} ) ? $number : scalar getprotobyname $proto;
 }
 
 sub proto_name( $ ) {
@@ -306,15 +308,14 @@ sub validate_port( $$ ) {
 
     my $value;
 
-    if ( $port =~ /^(\d+)$/ || $port =~ /^0x/ ) {
-	$port = numeric_value $port;
-	return $port if defined $port && $port && $port <= 65535;
+    if ( $port =~ /^(\d+)$/ ) {
+	return $port if $port <= 65535;
     } else {
 	$proto = proto_name $proto if $proto =~ /^(\d+)$/;
 	$value = getservbyname( $port, $proto );
     }
 
-    fatal_error "Invalid/Unknown $proto port/service ($_[1])" unless defined $value;
+    fatal_error "Invalid/Unknown $proto port/service ($port)" unless defined $value;
 
     $value;
 }
@@ -397,6 +398,7 @@ my %icmp_types = ( any                          => 'any',
 		   'address-mask-reply'         => 18 );
 
 sub validate_icmp( $ ) {
+    fatal_error "IPv4 ICMP not allowed in an IPv6 Rule" unless $family == F_IPV4;
 
     my $type = $_[0];
 
@@ -443,7 +445,7 @@ sub expand_port_range( $$ ) {
 	# Break the range into groups:
 	#
 	#      - If the first port in the remaining range is odd, then the next group is ( <first>, ffff ).
-	#      - Otherwise, find the largest power of two P that divides the first address such that
+	#      - Otherwise, find the largest power of two P that divides the first address such that 
 	#        the remaining range has less than or equal to P ports. The next group is
 	#        ( <first> , ~( P-1 ) ).
 	#
@@ -469,8 +471,8 @@ sub expand_port_range( $$ ) {
 
     } else {
 	( sprintf( '%04x' , validate_port( $proto, $range ) ) , 'ffff' );
-    }
-}
+    } 
+}   
 
 sub valid_6address( $ ) {
     my $address = $_[0];
@@ -482,7 +484,6 @@ sub valid_6address( $ ) {
 	return 0 unless valid_4address pop @address;
 	$max = 6;
 	$address = join ':', @address;
-	return 1 if @address eq ':';
     } else {
 	$max = 8;
     }
@@ -491,16 +492,16 @@ sub valid_6address( $ ) {
     return 0 unless ( @address == $max ) || $address =~ /::/;
     return 0 if $address =~ /:::/ || $address =~ /::.*::/;
 
-    unless ( $address =~ /^::/ ) {
-	return 0 if $address =~ /^:/;
+    if ( $address =~ /^:/ ) {
+	unless ( $address eq '::' ) {
+	    return 0 if $address =~ /:$/ || $address =~ /^:.*::/;
+	}
+    } elsif ( $address =~ /:$/ ) {
+	return 0 if $address =~ /::.*:$/;
     }
 
-    unless ( $address =~ /::$/  ) {
-	return 0 if $address =~ /:$/;
-    }
-		 
     for my $a ( @address ) {
-	return 0 unless $a eq '' || ( $a =~ /^[a-fA-f\d]+$/ && length $a < 5 );
+	return 0 unless $a eq '' || ( $a =~ /^[a-fA-f\d]+$/ && oct "0x$a" < 65536 );
     }
 
     1;
@@ -549,27 +550,13 @@ sub validate_6net( $$ ) {
 sub normalize_6addr( $ ) {
     my $addr = shift;
 
-    if ( $addr eq '::' ) {
-	'0:0:0:0:0:0:0:0';
-    } else {
-	#
-	# Suppress leading zeros
-	#
-	$addr =~ s/^0+//;
-	$addr =~ s/:0+/:/g;
-	$addr =~ s/^:/0:/;
-	$addr =~ s/:$/:0/;
-
-	$addr =~ s/::/:0::/ while $addr =~ tr/:/:/ < 7;
-	#
-	# Note: "s/::/:0:/g" doesn't work here
-	#
-	1 while $addr =~ s/::/:0:/;
-
-	$addr =~ s/^0+:/0:/;
-	
-	$addr;
+    while ( $addr =~ tr/:/:/ < 6 ) {
+	$addr =~ s/::/:0::/;
     }
+
+    $addr =~ s/::/:0:/;
+
+    $addr;
 }
 
 sub validate_6range( $$ ) {
@@ -593,7 +580,7 @@ sub validate_6range( $$ ) {
 }
 
 sub validate_6host( $$ ) {
-    my ( $host, $allow_name )  = @_;
+    my ( $host, $allow_name )  = $_[0];
 
     if ( $host =~ /^(.*:.*)-(.*:.*)$/ ) {
 	validate_6range $1, $2;
@@ -627,6 +614,7 @@ my %ipv6_icmp_types = ( any                          => 'any',
 
 
 sub validate_icmp6( $ ) {
+    fatal_error "IPv6 ICMP not allowed in an IPv4 Rule" unless $family == F_IPV6;
     my $type = $_[0];
 
     my $value = $ipv6_icmp_types{$type};
@@ -641,63 +629,31 @@ sub validate_icmp6( $ ) {
 }
 
 sub ALLIP() {
-    $allip;
+    $family == F_IPV4 ? ALLIPv4 : ALLIPv6;
 }
 
 sub allip() {
-    @allip;
-}
+    $family == F_IPV4 ? ALLIPv4 : ALLIPv6;
+}    
 
 sub valid_address ( $ ) {
-    $valid_address->(@_);
+    $family == F_IPV4 ? valid_4address( $_[0] ) :  valid_6address( $_[0] );
 }
 
 sub validate_address ( $$ ) {
-    $validate_address->(@_);
+    $family == F_IPV4 ? validate_4address( $_[0], $_[1] ) :  validate_6address( $_[0], $_[1] );
 }
 
 sub validate_net ( $$ ) {
-    $validate_net->(@_);
+    $family == F_IPV4 ? validate_4net( $_[0], $_[1] ) :  validate_6net( $_[0], $_[1] );
 }
 
-sub validate_range ($$ ) {
-    $validate_range->(@_);
+sub validate_range ($$ ) { 
+    $family == F_IPV4 ? validate_4range( $_[0], $_[1] ) :  validate_6range( $_[0], $_[1] );
 }
 
-sub validate_host ($$ ) {
-    $validate_host->(@_);
-}
-
-#
-# Rather than initializing globals in an INIT block or during declaration,
-# we initialize them in a function. This is done for two reasons:
-#
-#   1. Proper initialization depends on the address family which isn't
-#      known until the compiler has started.
-#
-#   2. The compiler can run multiple times in the same process so it has to be
-#      able to re-initialize its dependent modules' state.
-#
-sub initialize( $ ) {
-    my $family = shift;
-
-    if ( $family == F_IPV4 ) {
-	$allip            = ALLIPv4;
-	@allip            = @allipv4;
-	$valid_address    = \&valid_4address;
-	$validate_address = \&validate_4address;
-	$validate_net     = \&validate_4net;
-	$validate_range   = \&validate_4range;
-	$validate_host    = \&validate_4host;
-    } else {
-	$allip            = ALLIPv6;
-	@allip            = @allipv6;
-	$valid_address    = \&valid_6address;
-	$validate_address = \&validate_6address;
-	$validate_net     = \&validate_6net;
-	$validate_range   = \&validate_6range;
-	$validate_host    = \&validate_6host;
-    }
+sub validate_host ($$ ) { 
+    $family == F_IPV4 ? validate_4host( $_[0], $_[1] ) :  validate_6host( $_[0], $_[1] );
 }
 
 1;

Shorewall/Perl/Shorewall/Nat.pm

@@ -29,6 +29,7 @@ use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::IPAddrs;
 use Shorewall::Zones;
 use Shorewall::Chains qw(:DEFAULT :internal);
+use Shorewall::IPAddrs;
 use Shorewall::Providers qw( lookup_provider );
 
 use strict;
@@ -36,19 +37,29 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses );
 our @EXPORT_OK = ();
-our $VERSION = '4.4_6';
+our $VERSION = '4.3_7';
 
 our @addresses_to_add;
 our %addresses_to_add;
 
 #
-# Called by the compiler
+# Initialize globals -- we take this novel approach to globals initialization to allow
+#                       the compiler to run multiple times in the same process. The
+#                       initialize() function does globals initialization for this
+#                       module and is called from an INIT block below. The function is
+#                       also called by Shorewall::Compiler::compiler at the beginning of
+#                       the second and subsequent calls to that function.
 #
+
 sub initialize() {
     @addresses_to_add = ();
     %addresses_to_add = ();
 }
 
+INIT {
+    initialize;
+}
+
 #
 # Handle IPSEC Options in a masq record
 #
@@ -150,7 +161,7 @@ sub process_one_masq( )
     # Handle IPSEC options, if any
     #
     if ( $ipsec ne '-' ) {
-	fatal_error "Non-empty IPSEC column requires policy match support in your kernel and iptables"  unless have_capability( 'POLICY_MATCH' );
+	fatal_error "Non-empty IPSEC column requires policy match support in your kernel and iptables"  unless $globals{ORIGINAL_POLICY_MATCH};
 
 	if ( $ipsec =~ /^yes$/i ) {
 	    $baserule .= '-m policy --pol ipsec --dir out ';
@@ -159,7 +170,7 @@ sub process_one_masq( )
 	} else {
 	    $baserule .= do_ipsec_options $ipsec;
 	}
-    } elsif ( have_ipsec ) {
+    } elsif ( $capabilities{POLICY_MATCH} ) {
 	$baserule .= '-m policy --pol none --dir out ';
     }
 
@@ -167,11 +178,12 @@ sub process_one_masq( )
     # Handle Protocol and Ports
     #
     $baserule .= do_proto $proto, $ports, '';
+
     #
     # Handle Mark
     #
-    $baserule .= do_test( $mark, $globals{TC_MASK} ) if $mark ne '-';
-    $baserule .= do_user( $user )                    if $user ne '-';
+    $baserule .= do_test( $mark, 0xFF) if $mark ne '-';
+    $baserule .= do_user( $user )      if $user ne '-';
 
     for my $fullinterface (split_list $interfacelist, 'interface' ) {
 	my $rule = '';
@@ -195,7 +207,7 @@ sub process_one_masq( )
 	fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
 
 	unless ( $interfaceref->{root} ) {
-	    $rule .= match_dest_dev( $interface );
+	    $rule .= "-o $interface ";
 	    $interface = $interfaceref->{name};
 	}
 
@@ -204,7 +216,6 @@ sub process_one_masq( )
 	my $detectaddress = 0;
 	my $exceptionrule = '';
 	my $randomize     = '';
-	my $persistent    = '';
 	#
 	# Parse the ADDRESSES column
 	#
@@ -212,10 +223,7 @@ sub process_one_masq( )
 	    if ( $addresses eq 'random' ) {
 		$randomize = '--random ';
 	    } else {
-		$addresses =~ s/:persistent$// and $persistent = '--persistent ';
-		$addresses =~ s/:random$//     and $randomize  = '--random ';
-
-		require_capability 'PERSISTENT_SNAT', ':persistent', 's' if $persistent;
+		$addresses =~ s/:random$// and $randomize = '--random ';
 
 		if ( $addresses =~ /^SAME/ ) {
 		    fatal_error "The SAME target is no longer supported";
@@ -239,11 +247,7 @@ sub process_one_masq( )
 			if ( $addr =~ /^.*\..*\..*\./ ) {
 			    $target = '-j SNAT ';
 			    my ($ipaddr, $rest) = split ':', $addr;
-			    if ( $ipaddr =~ /^(.+)-(.+)$/ ) {
-				validate_range( $1, $2 );
-			    } else {
-				validate_address $ipaddr, 0;
-			    }
+			    validate_address $ipaddr, 0;
 			    $addrlist .= "--to-source $addr ";
 			    $exceptionrule = do_proto( $proto, '', '' ) if $addr =~ /:/;
 			} else {
@@ -258,7 +262,6 @@ sub process_one_masq( )
 	    }
 
 	    $target .= $randomize;
-	    $target .= $persistent;
 	} else {
 	    $add_snat_aliases = 0;
 	}
@@ -290,6 +293,7 @@ sub process_one_masq( )
 		next if $addrs eq 'detect';
 		for my $addr ( ip_range_explicit $addrs ) {
 		    unless ( $addresses_to_add{$addr} ) {
+			emit "del_ip_addr $addr $interface" unless $config{RETAIN_ALIASES};
 			$addresses_to_add{$addr} = 1;
 			if ( defined $alias ) {
 			    push @addresses_to_add, $addr, "$interface:$alias";
@@ -367,12 +371,12 @@ sub do_one_nat( $$$$$ )
     fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
 
     unless ( $interfaceref->{root} ) {
-	$rulein  = match_source_dev $interface;
-	$ruleout = match_dest_dev $interface;
+	$rulein  = "-i $interface ";
+	$ruleout = "-o $interface ";
 	$interface = $interfaceref->{name};
     }
 
-    if ( have_ipsec ) {
+    if ( $capabilities{POLICY_MATCH} ) {
 	$policyin = ' -m policy --pol none --dir in';
 	$policyout =  '-m policy --pol none --dir out';
     }
@@ -402,6 +406,7 @@ sub do_one_nat( $$$$$ )
 	    push @addresses_to_add, ( $external , $fullinterface );
 	}
     }
+
 }
 
 #
@@ -459,8 +464,8 @@ sub setup_netmap() {
 	    fatal_error "Unknown interface ($interface)" unless my $interfaceref = find_interface( $interface );
 
 	    unless ( $interfaceref->{root} ) {
-		$rulein  = match_source_dev $interface;
-		$ruleout = match_dest_dev $interface;
+		$rulein  = "-i $interface ";
+		$ruleout = "-o $interface ";
 		$interface = $interfaceref->{name};
 	    }
 
@@ -480,13 +485,12 @@ sub setup_netmap() {
 
 sub add_addresses () {
     if ( @addresses_to_add ) {
-	my @addrs = @addresses_to_add;
 	my $arg = '';
 	my $addresses = 0;
 
-	while ( @addrs ) {
-	    my $addr      = shift @addrs;
-	    my $interface = shift @addrs;
+	while ( @addresses_to_add ) {
+	    my $addr      = shift @addresses_to_add;
+	    my $interface = shift @addresses_to_add;
 	    $arg = "$arg $addr $interface";
 	    unless ( $config{RETAIN_ALIASES} ) {
 		emit '' unless $addresses++;

Shorewall/Perl/Shorewall/Policy.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -32,21 +32,31 @@ use Shorewall::Actions;
 use strict;
 
 our @ISA = qw(Exporter);
-our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain setup_syn_flood_chains save_policies optimize_policy_chains);
+our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain setup_syn_flood_chains );
 our @EXPORT_OK = qw(  );
-our $VERSION = '4.4_7';
+our $VERSION = '4.3_7';
 
 # @policy_chains is a list of references to policy chains in the filter table
 
 our @policy_chains;
 
 #
-# Called by the compiler
+# Initialize globals -- we take this novel approach to globals initialization to allow
+#                       the compiler to run multiple times in the same process. The
+#                       initialize() function does globals initialization for this
+#                       module and is called from an INIT block below. The function is
+#                       also called by Shorewall::Compiler::compiler at the beginning of
+#                       the second and subsequent calls to that function.
 #
+
 sub initialize() {
     @policy_chains = ();
 }
 
+INIT {
+    initialize;
+}
+
 #
 # Convert a chain into a policy chain.
 #
@@ -68,7 +78,7 @@ sub new_policy_chain($$$$)
 {
     my ($source, $dest, $policy, $optional) = @_;
 
-    my $chainref = new_chain( 'filter', rules_chain( ${source}, ${dest} ) );
+    my $chainref = new_chain( 'filter', "${source}2${dest}" );
 
     convert_to_policy_chain( $chainref, $source, $dest, $policy, $optional );
 
@@ -119,7 +129,7 @@ use constant { OPTIONAL => 1 };
 
 sub add_or_modify_policy_chain( $$ ) {
     my ( $zone, $zone1 ) = @_;
-    my $chain    = rules_chain( ${zone}, ${zone1} );
+    my $chain    = "${zone}2${zone1}";
     my $chainref = $filter_table->{$chain};
 
     if ( $chainref ) {
@@ -130,7 +140,7 @@ sub add_or_modify_policy_chain( $$ ) {
     } else {
 	push @policy_chains, ( new_policy_chain $zone, $zone1, 'CONTINUE', OPTIONAL );
     }
-}
+}    
 
 sub print_policy($$$$) {
     my ( $source, $dest, $policy , $chain ) = @_;
@@ -159,7 +169,7 @@ sub process_a_policy() {
     fatal_error "Undefined zone ($client)" unless $clientwild || defined_zone( $client );
 
     my $serverwild = ( "\L$server" eq 'all' );
-
+    
     fatal_error "Undefined zone ($server)" unless $serverwild || defined_zone( $server );
 
     my ( $policy, $default, $remainder ) = split( /:/, $originalpolicy, 3 );
@@ -193,7 +203,7 @@ sub process_a_policy() {
 
     if ( defined $queue ) {
 	fatal_error "Invalid policy ($policy($queue))" unless $policy eq 'NFQUEUE';
-	require_capability( 'NFQUEUE_TARGET', 'An NFQUEUE Policy', 's' );
+	require_capability( 'NFQUEUE_TARGET', 'An NFQUEUE Policy', 's' ); 
 	my $queuenum = numeric_value( $queue );
 	fatal_error "Invalid NFQUEUE queue number ($queue)" unless defined( $queuenum) && $queuenum <= 65535;
 	$policy = "NFQUEUE --queue-num $queuenum";
@@ -211,7 +221,7 @@ sub process_a_policy() {
 	}
     }
 
-    my $chain = rules_chain( ${client}, ${server} );
+    my $chain = "${client}2${server}";
     my $chainref;
 
     if ( defined $filter_table->{$chain} ) {
@@ -234,7 +244,7 @@ sub process_a_policy() {
 	$chainref = new_policy_chain $client, $server, $policy, 0;
 	push @policy_chains, ( $chainref ) unless $config{EXPAND_POLICIES} && ( $clientwild || $serverwild );
     }
-
+    
     $chainref->{loglevel}  = validate_level( $loglevel ) if defined $loglevel && $loglevel ne '';
 
     if ( $synparams ne '' || $connlimit ne '' ) {
@@ -252,42 +262,27 @@ sub process_a_policy() {
 	if ( $serverwild ) {
 	    for my $zone ( @zonelist ) {
 		for my $zone1 ( @zonelist ) {
-		    set_policy_chain $client, $server, rules_chain( ${zone}, ${zone1} ), $chainref, $policy;
+		    set_policy_chain $client, $server, "${zone}2${zone1}", $chainref, $policy;
 		    print_policy $zone, $zone1, $policy, $chain;
 		}
 	    }
 	} else {
 	    for my $zone ( all_zones ) {
-		set_policy_chain $client, $server, rules_chain( ${zone}, ${server} ), $chainref, $policy;
+		set_policy_chain $client, $server, "${zone}2${server}", $chainref, $policy;
 		print_policy $zone, $server, $policy, $chain;
 	    }
 	}
     } elsif ( $serverwild ) {
 	for my $zone ( @zonelist ) {
-	    set_policy_chain $client, $server, rules_chain( ${client}, ${zone} ), $chainref, $policy;
+	    set_policy_chain $client, $server, "${client}2${zone}", $chainref, $policy;
 	    print_policy $client, $zone, $policy, $chain;
 	}
-
+	
     } else {
 	print_policy $client, $server, $policy, $chain;
     }
 }
 
-sub save_policies() {
-    for my $zone1 ( all_zones ) {
-	for my $zone2 ( all_zones ) {
-	    my $chainref  = $filter_table->{ rules_chain( $zone1, $zone2 ) };
-	    my $policyref = $filter_table->{ $chainref->{policychain} };
-
-	    if ( $policyref->{referenced} ) {
-		emit_unindented "$zone1 \t=>\t$zone2\t" . $policyref->{policy} . ' using chain ' . $policyref->{name};
-	    } elsif ( $zone1 ne $zone2 ) {
-		emit_unindented "$zone1 \t=>\t$zone2\t" . $policyref->{policy};
-	    }
-	}
-    }
-}	    
-
 sub validate_policy()
 {
     our %validpolicies = (
@@ -349,7 +344,7 @@ sub validate_policy()
 
     for $zone ( all_zones ) {
 	for my $zone1 ( all_zones ) {
-	    fatal_error "No policy defined from zone $zone to zone $zone1" unless $filter_table->{rules_chain( ${zone}, ${zone1} )}{policy};
+	    fatal_error "No policy defined from zone $zone to zone $zone1" unless $filter_table->{"${zone}2${zone1}"}{policy};
 	}
     }
 }
@@ -361,8 +356,8 @@ sub policy_rules( $$$$$ ) {
     my ( $chainref , $target, $loglevel, $default, $dropmulticast ) = @_;
 
     unless ( $target eq 'NONE' ) {
-	add_rule $chainref, "-d 224.0.0.0/4 -j RETURN" if $dropmulticast && $target ne 'CONTINUE' && $target ne 'ACCEPT';
-	add_jump $chainref, $default, 0 if $default && $default ne 'none';
+	add_rule $chainref, "-d 224.0.0.0/24 -j RETURN" if $dropmulticast && $target ne 'CONTINUE';
+	add_rule $chainref, "-j $default" if $default && $default ne 'none';
 	log_rule $loglevel , $chainref , $target , '' if $loglevel ne '';
 	fatal_error "Null target in policy_rules()" unless $target;
 
@@ -418,24 +413,13 @@ sub apply_policy_rules() {
 	my $provisional = $chainref->{provisional};
 	my $default     = $chainref->{default};
 	my $name        = $chainref->{name};
-	my $synparms    = $chainref->{synparms};
 
 	if ( $policy ne 'NONE' ) {
-	    unless ( $chainref->{referenced} || $provisional || $policy eq 'CONTINUE' ) {
-		if ( $config{OPTIMIZE} & 2 ) {
-		    #
-		    # This policy chain is empty and the only thing that we would put in it is
-		    # the policy-related stuff. Don't create it if all we are going to put in it
-		    # is a single jump. Generate_matrix() will just use the policy target when
-		    # needed.
-		    #
-		    ensure_filter_chain $name, 1 if $default ne 'none' || $loglevel || $synparms || $config{MULTICAST} || ! ( $policy eq 'ACCEPT' || $config{FASTACCEPT} );
-		} else {
-		    ensure_filter_chain $name, 1;
-		}
+	    if ( ! $chainref->{referenced} && ( ! $provisional && $policy ne 'CONTINUE' ) ) {
+		ensure_filter_chain $name, 1;
 	    }
 
-	    if ( $name =~ /^all[-2]|[-2]all$/ ) {
+	    if ( $name =~ /^all2|2all$/ ) {
 		run_user_exit $chainref;
 		policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST};
 	    }
@@ -444,7 +428,7 @@ sub apply_policy_rules() {
 
     for my $zone ( all_zones ) {
 	for my $zone1 ( all_zones ) {
-	    my $chainref = $filter_table->{rules_chain( ${zone}, ${zone1} )};
+	    my $chainref = $filter_table->{"${zone}2${zone1}"};
 
 	    if ( $chainref->{referenced} ) {
 		run_user_exit $chainref;
@@ -470,7 +454,7 @@ sub complete_standard_chain ( $$$$ ) {
 
     run_user_exit $stdchainref;
 
-    my $ruleschainref = $filter_table->{rules_chain( ${zone}, ${zone2} ) } || $filter_table->{rules_chain( 'all', 'all' ) };
+    my $ruleschainref = $filter_table->{"${zone}2${zone2}"} || $filter_table->{all2all};
     my ( $policy, $loglevel, $defaultaction ) = ( $default , 6, $config{$default . '_DEFAULT'} );
     my $policychainref;
 
@@ -498,24 +482,4 @@ sub setup_syn_flood_chains() {
     }
 }
 
-#
-# Optimize Policy chains with ACCEPT policy
-#
-sub optimize_policy_chains() {
-    for my $chainref ( grep $_->{policy} eq 'ACCEPT', @policy_chains ) {
-	optimize_chain ( $chainref );
-    }
-    #
-    # Often, fw->all has an ACCEPT policy. This code allows optimization in that case
-    #
-    my $outputrules = $filter_table->{OUTPUT}{rules};
-
-    if ( @{$outputrules} && $outputrules->[-1] =~ /-j ACCEPT/ ) {
-	optimize_chain( $filter_table->{OUTPUT} );
-    }
-
-    progress_message '  Policy chains optimized';
-    progress_message '';
-}
-
 1;

Shorewall/Perl/Shorewall/Proc.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -41,7 +41,7 @@ our @EXPORT = qw(
 		 setup_forwarding
 		 );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.4_7';
+our $VERSION = '4.3_12';
 
 #
 # ARP Filtering
@@ -56,35 +56,27 @@ sub setup_arp_filtering() {
 	save_progress_message "Setting up ARP filtering...";
 
 	for my $interface ( @$interfaces ) {
-	    my $value = get_interface_option $interface, 'arp_filter';
-	    my $optional = interface_is_optional $interface;
-                           
-	    $interface = get_physical $interface;
-
 	    my $file = "/proc/sys/net/ipv4/conf/$interface/arp_filter";
+	    my $value = get_interface_option $interface, 'arp_filter';
 
 	    emit ( '',
 		   "if [ -f $file ]; then",
 		   "    echo $value > $file");
 	    emit ( 'else',
-		   "    error_message \"WARNING: Cannot set ARP filtering on $interface\"" ) unless $optional;
+		   "    error_message \"WARNING: Cannot set ARP filtering on $interface\"" ) unless interface_is_optional( $interface );
 	    emit   "fi\n";
 	}
 
 	for my $interface ( @$interfaces1 ) {
-	    my $value = get_interface_option $interface, 'arp_ignore';
-	    my $optional = interface_is_optional $interface;
-                           
-	    $interface = get_physical $interface;
-
 	    my $file  = "/proc/sys/net/ipv4/conf/$interface/arp_ignore";
+	    my $value = get_interface_option $interface, 'arp_ignore';
 
 	    assert( defined $value );
 
 	    emit ( "if [ -f $file ]; then",
 		   "    echo $value > $file");
 	    emit ( 'else',
-		   "    error_message \"WARNING: Cannot set ARP filtering on $interface\"" ) unless $optional;
+		   "    error_message \"WARNING: Cannot set ARP filtering on $interface\"" ) unless interface_is_optional( $interface );
 	    emit   "fi\n";
 	}
     }
@@ -96,18 +88,16 @@ sub setup_arp_filtering() {
 sub setup_route_filtering() {
 
     my $interfaces = find_interfaces_by_option 'routefilter';
-    my $config     = $config{ROUTE_FILTER};
 
-    if ( @$interfaces || $config ) {
+    if ( @$interfaces || $config{ROUTE_FILTER} ) {
 
 	progress_message2 "$doing Kernel Route Filtering...";
 
 	save_progress_message "Setting up Route Filtering...";
 
-	my $val = '';
 
-	if ( $config{ROUTE_FILTER} ne '' ) {
-	    $val = $config eq 'on' ? 1 : $config eq 'off' ? 0 : $config;
+	if ( $config{ROUTE_FILTER} ) {
+	    my $val = $config{ROUTE_FILTER} eq 'on' ? 1 : 0;
 
 	    emit ( 'for file in /proc/sys/net/ipv4/conf/*; do',
 		   "    [ -f \$file/rp_filter ] && echo $val > \$file/rp_filter",
@@ -116,29 +106,25 @@ sub setup_route_filtering() {
 	}
 
 	for my $interface ( @$interfaces ) {
-	    my $value = get_interface_option $interface, 'routefilter';
-	    my $optional = interface_is_optional $interface;
-                           
-	    $interface = get_physical $interface;
-
 	    my $file = "/proc/sys/net/ipv4/conf/$interface/rp_filter";
+	    my $value = get_interface_option $interface, 'routefilter';
 
 	    emit ( "if [ -f $file ]; then" ,
 		   "    echo $value > $file" );
 	    emit ( 'else' ,
-		   "    error_message \"WARNING: Cannot set route filtering on $interface\"" ) unless $optional;
+		   "    error_message \"WARNING: Cannot set route filtering on $interface\"" ) unless interface_is_optional( $interface);
 	    emit   "fi\n";
 	}
 
-	if ( have_capability( 'KERNELVERSION' ) < 20631 ) {
-	    emit 'echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter';
-	} elsif ( $val ne '' ) {
-	    emit "echo $val > /proc/sys/net/ipv4/conf/all/rp_filter";
+	emit 'echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter';
+
+	if ( $config{ROUTE_FILTER} eq 'on' ) {
+	    emit 'echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter';
+	} elsif (  $config{ROUTE_FILTER} eq 'off' ) {
+	    emit 'echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter';
 	}
 
-	emit "echo $val > /proc/sys/net/ipv4/conf/default/rp_filter" if $val ne '';
-
-	emit "[ -n \"\$g_noroutes\" ] || \$IP -4 route flush cache";
+	emit "[ -n \"\$NOROUTES\" ] || \$IP -4 route flush cache";
     }
 }
 
@@ -167,18 +153,14 @@ sub setup_martian_logging() {
 	}
 
 	for my $interface ( @$interfaces ) {
-	    my $value = get_interface_option $interface, 'logmartians';
-	    my $optional = interface_is_optional $interface;
-                           
-	    $interface = get_physical $interface;
-
 	    my $file = "/proc/sys/net/ipv4/conf/$interface/log_martians";
+	    my $value = get_interface_option $interface, 'logmartians';
 
 	    emit ( "if [ -f $file ]; then" ,
 		   "    echo $value > $file" );
 
 	    emit ( 'else' ,
-		   "    error_message \"WARNING: Cannot set Martian logging on $interface\"") unless $optional;
+		   "    error_message \"WARNING: Cannot set Martian logging on $interface\"") unless interface_is_optional( $interface);
 	    emit   "fi\n";
 	}
     }
@@ -198,17 +180,13 @@ sub setup_source_routing( $ ) {
 	save_progress_message 'Setting up Accept Source Routing...';
 
 	for my $interface ( @$interfaces ) {
-	    my $value = get_interface_option $interface, 'sourceroute';
-	    my $optional = interface_is_optional $interface;
-
-	    $interface = get_physical $interface;
-
 	    my $file = "/proc/sys/net/ipv$family/conf/$interface/accept_source_route";
+	    my $value = get_interface_option $interface, 'sourceroute';
 
 	    emit ( "if [ -f $file ]; then" ,
 		   "    echo $value > $file" );
 	    emit ( 'else' ,
-		   "    error_message \"WARNING: Cannot set Accept Source Routing on $interface\"" ) unless $optional;
+		   "    error_message \"WARNING: Cannot set Accept Source Routing on $interface\"" ) unless interface_is_optional( $interface);
 	    emit   "fi\n";
 	}
     }
@@ -249,17 +227,13 @@ sub setup_forwarding( $$ ) {
 	    save_progress_message 'Setting up IPv6 Interface Forwarding...';
 
 	    for my $interface ( @$interfaces ) {
-		my $value = get_interface_option $interface, 'forward';
-		my $optional = interface_is_optional $interface;
-
-		$interface = get_physical $interface;
-
 		my $file = "/proc/sys/net/ipv6/conf/$interface/forwarding";
+		my $value = get_interface_option $interface, 'forward';
 
 		emit ( "if [ -f $file ]; then" ,
 		       "    echo $value > $file" );
 		emit ( 'else' ,
-		       "    error_message \"WARNING: Cannot set IPv6 forwarding on $interface\"" ) unless $optional;
+		       "    error_message \"WARNING: Cannot set IPv6 forwarding on $interface\"" ) unless interface_is_optional( $interface);
 		emit   "fi\n";
 	    }
 

Shorewall/Perl/Shorewall/Providers.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -35,7 +35,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_providers @routemarked_interfaces handle_stickiness handle_optional_interfaces );
 our @EXPORT_OK = qw( initialize lookup_provider );
-our $VERSION = '4.4_8';
+our $VERSION = '4.4_0';
 
 use constant { LOCAL_TABLE   => 255,
 	       MAIN_TABLE    => 254,
@@ -59,20 +59,17 @@ our @providers;
 
 our $family;
 
-our $lastmark;
-
 use constant { ROUTEMARKED_SHARED => 1, ROUTEMARKED_UNSHARED => 2 };
 
 #
-# Rather than initializing globals in an INIT block or during declaration,
-# we initialize them in a function. This is done for two reasons:
-#
-#   1. Proper initialization depends on the address family which isn't
-#      known until the compiler has started.
-#
-#   2. The compiler can run multiple times in the same process so it has to be
-#      able to re-initialize its dependent modules' state.
+# Initialize globals -- we take this novel approach to globals initialization to allow
+#                       the compiler to run multiple times in the same process. The
+#                       initialize() function does globals initialization for this
+#                       module and is called from an INIT block below. The function is
+#                       also called by Shorewall::Compiler::compiler at the beginning of
+#                       the second and subsequent calls to that function.
 #
+
 sub initialize( $ ) {
     $family = shift;
 
@@ -92,13 +89,17 @@ sub initialize( $ ) {
     @providers = ();
 }
 
+INIT {
+    initialize( F_IPV4 );
+}
+
 #
 # Set up marking for 'tracked' interfaces.
 #
 sub setup_route_marking() {
-    my $mask = in_hex( $globals{PROVIDER_MASK} );
+    my $mask = $config{HIGH_ROUTE_MARKS} ? $config{WIDE_TC_MARKS} ? '0xFF0000' : '0xFF00' : '0xFF';
 
-    require_capability( $_ , q(The provider 'track' option) , 's' ) for qw/CONNMARK_MATCH CONNMARK/;
+    require_capability( $_ , 'the provider \'track\' option' , 's' ) for qw/CONNMARK_MATCH CONNMARK/;
 
     add_rule $mangle_table->{$_} , "-m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask" for qw/PREROUTING OUTPUT/;
 
@@ -110,21 +111,33 @@ sub setup_route_marking() {
 
     for my $providerref ( @routemarked_providers ) {
 	my $interface = $providerref->{interface};
-	my $physical  = $providerref->{physical};
 	my $mark      = $providerref->{mark};
+	my $base      = uc chain_base $interface;
+
+	if ( $providerref->{optional} ) {
+	    if ( $providerref->{shared} ) {
+		add_commands( $chainref, qq(if [ interface_is_usable $interface -a -n "$providerref->{mac}" ]; then) );
+	    } else {
+		add_commands( $chainref, qq(if [ -n "\$${base}_IS_USABLE" ]; then) );
+	    }
+		
+	    incr_cmd_level( $chainref );
+	}
 
 	unless ( $marked_interfaces{$interface} ) {
-	    add_jump $mangle_table->{PREROUTING} , $chainref,  0, "-i $physical -m mark --mark 0/$mask ";
-	    add_jump $mangle_table->{PREROUTING} , $chainref1, 0, "! -i $physical -m mark --mark  $mark/$mask ";
+	    add_rule $mangle_table->{PREROUTING} , "-i $interface -m mark --mark 0/$mask -j routemark";
+	    add_jump $mangle_table->{PREROUTING} , $chainref1, 0, "! -i $interface -m mark --mark  $mark/$mask ";
 	    add_jump $mangle_table->{OUTPUT}     , $chainref2, 0, "-m mark --mark  $mark/$mask ";
 	    $marked_interfaces{$interface} = 1;
 	}
 
 	if ( $providerref->{shared} ) {
-	    add_rule $chainref, match_source_dev( $interface ) . "-m mac --mac-source $providerref->{mac} -j MARK --set-mark $providerref->{mark}";
+	    add_rule $chainref, " -i $interface -m mac --mac-source $providerref->{mac} -j MARK --set-mark $providerref->{mark}";
 	} else {
-	    add_rule $chainref, match_source_dev( $interface ) . "-j MARK --set-mark $providerref->{mark}";
+	    add_rule $chainref, " -i $interface -j MARK --set-mark $providerref->{mark}";
 	}
+
+	decr_cmd_level( $chainref), add_commands( $chainref, "fi" ) if $providerref->{optional};
     }
 
     add_rule $chainref, "-m mark ! --mark 0/$mask -j CONNMARK --save-mark --mask $mask";
@@ -132,15 +145,11 @@ sub setup_route_marking() {
 
 sub copy_table( $$$ ) {
     my ( $duplicate, $number, $realm ) = @_;
-    #
-    # Hack to work around problem in iproute
-    #
-    my $filter = $family == F_IPV6 ? q(sed 's/ via :: / /' | ) : '';
 
     if ( $realm ) {
 	emit  ( "\$IP -$family route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | while read net route; do" )
     } else {
-	emit  ( "\$IP -$family route show table $duplicate | ${filter}while read net route; do" )
+	emit  ( "\$IP -$family route show table $duplicate | while read net route; do" )
     }
 
     emit ( '    case $net in',
@@ -156,23 +165,11 @@ sub copy_table( $$$ ) {
 
 sub copy_and_edit_table( $$$$ ) {
     my ( $duplicate, $number, $copy, $realm) = @_;
-    #
-    # Hack to work around problem in iproute
-    #    
-    my $filter = $family == F_IPV6 ? q(sed 's/ via :: / /' | ) : '';
-    #
-    # Map physical names in $copy to logical names
-    #
-    $copy = join( '|' , map( physical_name($_) , split( ',' , $copy ) ) );
-    #
-    # Shell and iptables use a different wildcard character
-    #
-    $copy =~ s/\+/*/;
 
     if ( $realm ) {
-	emit  ( "\$IP -$family route show table $duplicate | sed -r 's/ realm [[:alnum:]]+//' | while read net route; do" )
+	emit  ( "\$IP -$family route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | while read net route; do" )
     } else {
-	emit  ( "\$IP -$family route show table $duplicate | ${filter}while read net route; do" )
+	emit  ( "\$IP -$family route show table $duplicate | while read net route; do" )
     }
 
     emit (  '    case $net in',
@@ -276,10 +273,9 @@ sub add_a_provider( ) {
     }
 
     fatal_error "Unknown Interface ($interface)" unless known_interface $interface;
-    fatal_error "A bridge port ($interface) may not be configured as a provider interface" if port_to_bridge $interface;
-
-    my $physical    = get_physical $interface;
-    my $base        = uc chain_base $physical;
+    
+    my $provider    = chain_base $table;
+    my $base        = uc chain_base $interface;
     my $gatewaycase = '';
 
     if ( $gateway eq 'detect' ) {
@@ -295,15 +291,40 @@ sub add_a_provider( ) {
 	$gateway = '';
     }
 
-    my ( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $local ) = 
-	(0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), ''  , 0 );
+    my $val = 0;
+    my $pref;
+
+    if ( $mark ne '-' ) {
+
+	$val = numeric_value $mark;
+
+	fatal_error "Invalid Mark Value ($mark)" unless defined $val;
+
+	verify_mark $mark;
+
+	if ( $val < 65535 ) {
+	    if ( $config{HIGH_ROUTE_MARKS} ) {
+		fatal_error "Invalid Mark Value ($mark) with HIGH_ROUTE_MARKS=Yes and WIDE_TC_MARKS=Yes" if $config{WIDE_TC_MARKS};
+		fatal_error "Invalid Mark Value ($mark) with HIGH_ROUTE_MARKS=Yes" if $val < 256;
+	    }
+	} else {
+	    fatal_error "Invalid Mark Value ($mark)" unless $config{HIGH_ROUTE_MARKS} && $config{WIDE_TC_MARKS};
+	}
+
+	for my $providerref ( values %providers  ) {
+	    fatal_error "Duplicate mark value ($mark)" if numeric_value( $providerref->{mark} ) == $val;
+	}
+
+	$pref = 10000 + $number - 1;
+
+    }
+
+    my ( $loose, $track, $balance , $default, $default_balance, $optional, $mtu ) = (0,0,0,0,$config{USE_DEFAULT_RT} ? 1 : 0,interface_is_optional( $interface ), '' );
 
     unless ( $options eq '-' ) {
 	for my $option ( split_list $options, 'option' ) {
 	    if ( $option eq 'track' ) {
 		$track = 1;
-	    } elsif ( $option eq 'notrack' ) {
-		$track = 0;
 	    } elsif ( $option =~ /^balance=(\d+)$/ ) {
 		fatal_error q('balance' is not available in IPv6) if $family == F_IPV6;
 		$balance = $1;
@@ -337,43 +358,12 @@ sub add_a_provider( ) {
 		} else {
 		    $default = -1;
 		}
-	    } elsif ( $option eq 'local' ) {
-		$local = 1;
-		$track = 0           if $config{TRACK_PROVIDERS};
-		$default_balance = 0 if$config{USE_DEFAULT_RT}; 
 	    } else {
 		fatal_error "Invalid option ($option)";
 	    }
 	}
     }
 
-    my $val = 0;
-    my $pref;
-
-    $mark = ( $lastmark += ( 1 << $config{PROVIDER_OFFSET} ) ) if $mark eq '-' && $track;
-
-    if ( $mark ne '-' ) {
-
-	$val = numeric_value $mark;
-
-	fatal_error "Invalid Mark Value ($mark)" unless defined $val && $val;
-
-	verify_mark $mark;
-
-	fatal_error "Invalid Mark Value ($mark)" unless ( $val & $globals{PROVIDER_MASK} ) == $val;
-
-	fatal_error "Provider MARK may not be specified when PROVIDER_BITS=0" unless $config{PROVIDER_BITS};
-
-	for my $providerref ( values %providers  ) {
-	    fatal_error "Duplicate mark value ($mark)" if numeric_value( $providerref->{mark} ) == $val;
-	}
-
-	$pref = 10000 + $number - 1;
-
-	$lastmark = $val;
-
-    }
-
     unless ( $loose ) {
 	warning_message q(The 'proxyarp' option is dangerous when specified on a Provider interface) if get_interface_option( $interface, 'proxyarp' );
 	warning_message q(The 'proxyndp' option is dangerous when specified on a Provider interface) if get_interface_option( $interface, 'proxyndp' );
@@ -385,7 +375,6 @@ sub add_a_provider( ) {
 			   number      => $number ,
 			   mark        => $val ? in_hex($val) : $val ,
 			   interface   => $interface ,
-			   physical    => $physical ,
 			   optional    => $optional ,
 			   gateway     => $gateway ,
 			   gatewaycase => $gatewaycase ,
@@ -409,29 +398,23 @@ sub add_a_provider( ) {
     my $realm = '';
 
     fatal_error "Interface $interface is already associated with non-shared provider $provider_interfaces{$interface}" if $provider_interfaces{$table};
-
+    
     if ( $shared ) {
 	my $variable = $providers{$table}{mac} = get_interface_mac( $gateway, $interface , $table );
 	$realm = "realm $number";
-	start_provider( $table, $number, qq(if interface_is_usable $physical && [ -n "$variable" ]; then) );
+	start_provider( $table, $number, qq(if interface_is_usable $interface && [ -n "$variable" ]; then) );
     } else {
 	if ( $optional ) {
-	    start_provider( $table, $number, qq(if [ -n "\$SW_${base}_IS_USABLE" ]; then) );
+	    start_provider( $table, $number, qq(if [ -n "\$${base}_IS_USABLE" ]; then) );
 	} elsif ( $gatewaycase eq 'detect' ) {
-	    start_provider( $table, $number, qq(if interface_is_usable $physical && [ -n "$gateway" ]; then) );
+	    start_provider( $table, $number, qq(if interface_is_usable $interface && [ -n "$gateway" ]; then) );
 	} else {
-	    start_provider( $table, $number, "if interface_is_usable $physical; then" );
+	    start_provider( $table, $number, "if interface_is_usable $interface; then" );
 	}
-
+	
 	$provider_interfaces{$interface} = $table;
 
-	if ( $gatewaycase eq 'none' ) {
-	    if ( $local ) {
-		emit "run_ip route add local 0.0.0.0/0 dev $physical table $number";
-	    } else {
-		emit "run_ip route add default dev $physical table $number";
-	    }
-	}
+	emit "run_ip route add default dev $interface table $number" if $gatewaycase eq 'none';
     }
 
     if ( $mark ne '-' ) {
@@ -450,7 +433,8 @@ sub add_a_provider( ) {
 	    if ( $copy eq 'none' ) {
 		$copy = $interface;
 	    } else {
-		$copy = "$interface,$copy";
+		$copy =~ tr/,/|/;
+		$copy = "$interface|$copy";
 	    }
 
 	    copy_and_edit_table( $duplicate, $number ,$copy , $realm);
@@ -462,33 +446,28 @@ sub add_a_provider( ) {
 
     if ( $gateway ) {
 	$address = get_interface_address $interface unless $address;
-	emit "run_ip route replace $gateway src $address dev $physical ${mtu}table $number $realm";
-	emit "run_ip route add default via $gateway src $address dev $physical ${mtu}table $number $realm";
+	emit "run_ip route replace $gateway src $address dev $interface ${mtu}table $number $realm";
+	emit "run_ip route add default via $gateway src $address dev $interface ${mtu}table $number $realm";
     }
 
-    balance_default_route $balance , $gateway, $physical, $realm if $balance;
+    balance_default_route $balance , $gateway, $interface, $realm if $balance;
 
     if ( $default > 0 ) {
-	balance_fallback_route $default , $gateway, $physical, $realm;
+	balance_fallback_route $default , $gateway, $interface, $realm;
     } elsif ( $default ) {
 	emit '';
 	if ( $gateway ) {
-	    emit qq(run_ip route replace default via $gateway src $address dev $physical table ) . DEFAULT_TABLE . qq( metric $number);
-	    emit qq(echo "qt \$IP -$family route del default via $gateway table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
+	    emit qq(run_ip route replace default via $gateway src $address dev $interface table ) . DEFAULT_TABLE . qq( dev $interface metric $number);
+	    emit qq(echo "qt \$IP route del default via $gateway table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
 	} else {
-	    emit qq(run_ip route add default table ) . DEFAULT_TABLE . qq( dev $physical metric $number);
-	    emit qq(echo "qt \$IP -$family route del default dev $physical table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
+	    emit qq(run_ip route add default table ) . DEFAULT_TABLE . qq( dev $interface metric $number);
+	    emit qq(echo "qt \$IP route del default dev $interface table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
 	}
     }
 
-    if ( $local ) {
-	fatal_error "GATEWAY not valid with 'local' provider" unless $gatewaycase eq 'none';
-	fatal_error "'track' not valid with 'local'"          if $track;
-	fatal_error "DUPLICATE not valid with 'local'"        if $duplicate ne '-';
-	fatal_error "MARK required with 'local'"              unless $mark;
-    } elsif ( $loose ) {
+    if ( $loose ) {
 	if ( $config{DELETE_THEN_ADD} ) {
-	    emit ( "\nfind_interface_addresses $physical | while read address; do",
+	    emit ( "\nfind_interface_addresses $interface | while read address; do",
 		   "    qt \$IP -$family rule del from \$address",
 		   'done'
 		 );
@@ -502,7 +481,7 @@ sub add_a_provider( ) {
 
 	emit "\nrulenum=0\n";
 
-	emit  ( "find_interface_addresses $physical | while read address; do" );
+	emit  ( "find_interface_addresses $interface | while read address; do" );
 	emit  (	"    qt \$IP -$family rule del from \$address" ) if $config{DELETE_THEN_ADD};
 	emit  (	"    run_ip rule add from \$address pref \$(( $rulebase + \$rulenum )) table $number",
 		"    echo \"qt \$IP -$family rule del from \$address\" >> \${VARDIR}/undo_routing",
@@ -518,15 +497,15 @@ sub add_a_provider( ) {
 
     if ( $optional ) {
 	if ( $shared ) {
-	    emit ( "    error_message \"WARNING: Gateway $gateway is not reachable -- Provider $table ($number) not Added\"" );
+	    emit ( "    error_message \"WARNING: Interface $interface is not usable -- Provider $table ($number) not Added\"" );
 	} else {
-	    emit ( "    error_message \"WARNING: Interface $physical is not usable -- Provider $table ($number) not Added\"" );
+	    emit ( "    error_message \"WARNING: Gateway $gateway is not reachable -- Provider $table ($number) not Added\"" );
 	}
     } else {
 	if ( $shared ) {
 	    emit( "    fatal_error \"Gateway $gateway is not reachable -- Provider $table ($number) Cannot be Added\"" );
 	} else {
-	    emit( "    fatal_error \"Interface $physical is not usable -- Provider $table ($number) Cannot be Added\"" );
+	    emit( "    fatal_error \"Interface $interface is not usable -- Provider $table ($number) Cannot be Added\"" );
 	}
     }
 
@@ -537,32 +516,9 @@ sub add_a_provider( ) {
     progress_message "   Provider \"$currentline\" $done";
 }
 
-#
-# Begin an 'if' statement testing whether the passed interface is available
-#
-sub start_new_if( $ ) {
-    our $current_if = shift;
-
-    emit ( '', qq(if [ -n "\$SW_${current_if}_IS_USABLE" ]; then) );
-    push_indent;
-}
-  
-#
-# Complete any current 'if' statement in the output script
-#
-sub finish_current_if() {
-    if ( our $current_if ) {
-	pop_indent;
-	emit ( "fi\n" );
-	$current_if = '';
-    }
-}
-
 sub add_an_rtrule( ) {
     my ( $source, $dest, $provider, $priority ) = split_line 4, 4, 'route_rules file';
 
-    our $current_if;
-
     unless ( $providers{$provider} ) {
 	my $found = 0;
 
@@ -584,7 +540,7 @@ sub add_an_rtrule( ) {
     fatal_error "You must specify either the source or destination in a route_rules entry" if $source eq '-' && $dest eq '-';
 
     if ( $dest eq '-' ) {
-	$dest = 'to ' . ALLIP;
+	$dest = 'to ' . ALLIP; 
     } else {
 	validate_net( $dest, 0 );
 	$dest = "to $dest";
@@ -597,7 +553,6 @@ sub add_an_rtrule( ) {
 	    ( my $interface, $source , my $remainder ) = split( /:/, $source, 3 );
 	    fatal_error "Invalid SOURCE" if defined $remainder;
 	    validate_net ( $source, 0 );
-	    $interface = physical_name $interface;
 	    $source = "iif $interface from $source";
 	} elsif ( $source =~ /\..*\..*/ ) {
 	    validate_net ( $source, 0 );
@@ -605,10 +560,9 @@ sub add_an_rtrule( ) {
 	} else {
 	    $source = "iif $source";
 	}
-    } elsif ( $source =~  /^(.+?):<(.+)>\s*$/ ||  $source =~  /^(.+?):\[(.+)\]\s*$/ ) {
+    } elsif ( $source =~  /^(.+?):<(.+)>\s*$/ ) {
 	my ($interface, $source ) = ($1, $2);
 	validate_net ($source, 0);
-	$interface = physical_name $interface;
 	$source = "iif $interface from $source";
     } elsif (  $source =~ /:.*:/ || $source =~ /\..*\..*/ ) {
 	validate_net ( $source, 0 );
@@ -621,21 +575,21 @@ sub add_an_rtrule( ) {
 
     $priority = "priority $priority";
 
-    finish_current_if, emit ( "qt \$IP -$family rule del $source $dest $priority" ) if $config{DELETE_THEN_ADD};
+    emit ( "qt \$IP -$family rule del $source $dest $priority" ) if $config{DELETE_THEN_ADD};
 
     my ( $optional, $number ) = ( $providers{$provider}{optional} , $providers{$provider}{number} );
 
     if ( $optional ) {
-	my $base = uc chain_base( $providers{$provider}{physical} );
-	finish_current_if if $base ne $current_if;
-	start_new_if( $base ) unless $current_if;
-  } else {
-	finish_current_if;
+	my $base = uc chain_base( $providers{$provider}{interface} );
+	emit ( '', "if [ -n \$${base}_IS_USABLE ]; then" );
+	push_indent;
     }
 
     emit ( "run_ip rule add $source $dest $priority table $number",
 	   "echo \"qt \$IP -$family rule del $source $dest $priority\" >> \${VARDIR}/undo_routing" );
 
+    pop_indent, emit ( "fi\n" ) if $optional;
+
     progress_message "   Routing rule \"$currentline\" $done";
 }
 
@@ -648,12 +602,12 @@ sub setup_null_routing() {
     for ( rfc1918_networks ) {
 	emit( qq(run_ip route replace unreachable $_) );
 	emit( qq(echo "qt \$IP -$family route del unreachable $_" >> \${VARDIR}/undo_routing) );
-    }
+    } 
 }
 
 sub start_providers() {
     require_capability( 'MANGLE_ENABLED' , 'a non-empty providers file' , 's' );
-
+    
     emit  ( '#',
 	    '# Undo any changes made since the last time that we [re]started -- this will not restore the default route',
 	    '#',
@@ -665,7 +619,7 @@ sub start_providers() {
 	       '# Save current routing table database so that it can be restored later',
 	       '#',
 	       'cp /etc/iproute2/rt_tables ${VARDIR}/' );
-
+	
     }
 
     emit  ( '#',
@@ -676,9 +630,9 @@ sub start_providers() {
 	    '# Initialize the file that holds \'undo\' commands',
 	    '#',
 	    '> ${VARDIR}/undo_routing' );
-
+    
     save_progress_message 'Adding Providers...';
-
+    
     emit 'DEFAULT_ROUTE=';
     emit 'FALLBACK_ROUTE=';
     emit '';
@@ -709,7 +663,7 @@ sub finish_providers() {
 	} else {
 	    emit qq(    qt \$IP -$family route del default table $table && error_message "WARNING: Default route deleted from table $table");
 	}
-
+	
 	emit(   'fi',
 		'' );
     } else {
@@ -753,14 +707,12 @@ sub finish_providers() {
 sub setup_providers() {
     my $providers = 0;
 
-    $lastmark = 0;
-
     my $fn = open_file 'providers';
 
     first_entry sub() {
-	progress_message2 "$doing $fn...";
-	emit "\nif [ -z \"\$g_noroutes\" ]; then";
+	emit "\nif [ -z \"\$NOROUTES\" ]; then";
 	push_indent;
+	progress_message2 "$doing $fn...";
 	start_providers; };
 
     add_a_provider, $providers++ while read_a_line;
@@ -771,34 +723,31 @@ sub setup_providers() {
 	my $fn = open_file 'route_rules';
 
 	if ( $fn ) {
-	    our $current_if = '';
 
 	    first_entry "$doing $fn...";
 
 	    emit '';
-
+	    
 	    add_an_rtrule while read_a_line;
-
-	    finish_current_if;
 	}
 
 	setup_null_routing if $config{NULL_ROUTE_RFC1918};
 	emit "\nrun_ip route flush cache";
 	#
-	# This completes the if-block begun in the first_entry closure above
+	# This completes the if block begun in the first_entry closure
 	#
 	pop_indent;
 	emit "fi\n";
 
 	setup_route_marking if @routemarked_interfaces;
     } else {
-	emit "\nif [ -z \"\$g_noroutes\" ]; then";
+	emit "\nif [ -z \"\$NOROUTES\" ]; then";
 
 	push_indent;
-
+	
 	emit "\nundo_routing";
 	emit 'restore_default_route';
-
+	
 	if ( $config{NULL_ROUTE_RFC1918} ) {
 	    emit  ( '#',
 		    '# Initialize the file that holds \'undo\' commands',
@@ -835,21 +784,18 @@ sub lookup_provider( $ ) {
 }
 
 #
-# This function is called by the compiler when it is generating the detect_configuration() function.
+# This function is called by the compiler when it is generating the initialize() function.
 # The function emits code to set the ..._IS_USABLE interface variables appropriately for the
 # optional interfaces
 #
-# Returns true if there were optional interfaces
-#
 sub handle_optional_interfaces() {
 
     my $interfaces = find_interfaces_by_option 'optional';
 
     if ( @$interfaces ) {
 	for my $interface ( @$interfaces ) {
+	    my $base  = uc chain_base( $interface );
 	    my $provider = $provider_interfaces{$interface};
-	    my $physical = get_physical $interface;
-	    my $base     = uc chain_base( $physical );
 
 	    emit '';
 
@@ -860,24 +806,22 @@ sub handle_optional_interfaces() {
 		my $providerref = $providers{$provider};
 
 		if ( $providerref->{gatewaycase} eq 'detect' ) {
-		    emit qq(if interface_is_usable $physical && [ -n "$providerref->{gateway}" ]; then);
+		    emit qq(if interface_is_usable $interface && [ -n "$providerref->{gateway}" ]; then);
 		} else {
-		    emit qq(if interface_is_usable $physical; then);
+		    emit qq(if interface_is_usable $interface; then);
 		}
 	    } else {
 		#
 		# Not a provider interface
 		#
-		emit qq(if interface_is_usable $physical; then);
+		emit qq(if interface_is_usable $interface; then);
 	    }
 
-	    emit( "    SW_${base}_IS_USABLE=Yes" ,
+	    emit( "    ${base}_IS_USABLE=Yes" ,
 		  'else' ,
-		  "    SW_${base}_IS_USABLE=" ,
+		  "    ${base}_IS_USABLE=" ,
 		  'fi' );
 	}
-
-	1;
     }
 }
 
@@ -887,7 +831,7 @@ sub handle_optional_interfaces() {
 #
 sub handle_stickiness( $ ) {
     my $havesticky   = shift;
-    my $mask         = in_hex( $globals{PROVIDER_MASK} );
+    my $mask         = $config{HIGH_ROUTE_MARKS} ? $config{WIDE_TC_MARKS} ? '0xFF0000' : '0xFF00' : '0xFF';
     my $setstickyref = $mangle_table->{setsticky};
     my $setstickoref = $mangle_table->{setsticko};
     my $tcpreref     = $mangle_table->{tcpre};
@@ -897,18 +841,22 @@ sub handle_stickiness( $ ) {
 
     if ( $havesticky ) {
 	fatal_error "There are SAME tcrules but no 'track' providers" unless @routemarked_providers;
+	
 
 	for my $providerref ( @routemarked_providers ) {
-	    my $interface = $providerref->{physical};
+	    my $interface = $providerref->{interface};
 	    my $base      = uc chain_base $interface;
 	    my $mark      = $providerref->{mark};
-
+	
 	    for ( grep /-j sticky/, @{$tcpreref->{rules}} ) {
 		my $stickyref = ensure_mangle_chain 'sticky';
 		my ( $rule1, $rule2 );
 		my $list = sprintf "sticky%03d" , $sticky++;
-
+		
 		for my $chainref ( $stickyref, $setstickyref ) {
+
+		    add_commands( $chainref, qq(if [ -n "\$${base}_IS_USABLE" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional};
+
 		    if ( $chainref->{name} eq 'sticky' ) {
 			$rule1 = $_;
 			$rule1 =~ s/-j sticky/-m recent --name $list --update --seconds 300 -j MARK --set-mark $mark/;
@@ -918,15 +866,18 @@ sub handle_stickiness( $ ) {
 			$rule1 = $_;
 			$rule1 =~ s/-j sticky/-m mark --mark $mark\/$mask -m recent --name $list --set/;
 		    }
-
-		    $rule1 =~ s/-A tcpre //;
+		
+		    $rule1 =~ s/-A //;
 
 		    add_rule $chainref, $rule1;
 
 		    if ( $rule2 ) {
-			$rule2 =~ s/-A tcpre //;
+			$rule2 =~ s/-A //;
 			add_rule $chainref, $rule2;
 		    }
+
+		    decr_cmd_level( $chainref), add_commands( $chainref, "fi" ) if $providerref->{optional};
+		    
 		}
 	    }
 
@@ -936,6 +887,8 @@ sub handle_stickiness( $ ) {
 		my $stickoref = ensure_mangle_chain 'sticko';
 
 		for my $chainref ( $stickoref, $setstickoref ) {
+		    add_commands( $chainref, qq(if [ -n "\$${base}_IS_USABLE" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional};
+
 		    if ( $chainref->{name} eq 'sticko' ) {
 			$rule1 = $_;
 			$rule1 =~ s/-j sticko/-m recent --name $list --rdest --update --seconds 300 -j MARK --set-mark $mark/;
@@ -945,15 +898,17 @@ sub handle_stickiness( $ ) {
 			$rule1 = $_;
 			$rule1 =~ s/-j sticko/-m mark --mark $mark -m recent --name $list --rdest --set/;
 		    }
-
-		    $rule1 =~ s/-A tcout //;
+		
+		    $rule1 =~ s/-A //;
 
 		    add_rule $chainref, $rule1;
 
 		    if ( $rule2 ) {
-			$rule2 =~ s/-A tcout //;
+			$rule2 =~ s/-A //;
 			add_rule $chainref, $rule2;
 		    }
+
+		    decr_cmd_level( $chainref), add_commands( $chainref, "fi" ) if $providerref->{optional};
 		}
 	    }
 	}
@@ -961,7 +916,7 @@ sub handle_stickiness( $ ) {
 
     if ( @routemarked_providers ) {
 	purge_jump $mangle_table->{PREROUTING}, $setstickyref unless @{$setstickyref->{rules}};
-	purge_jump $mangle_table->{OUTPUT},     $setstickoref unless @{$setstickoref->{rules}};
+	purge_jump $mangle_table->{OUTPUT},     $setstickoref unless @{$setstickoref->{rules}};	
     }
 }
 1;

Shorewall/Perl/Shorewall/Proxyarp.pm

@@ -35,27 +35,30 @@ our @EXPORT = qw(
 		  );
 
 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.4_4';
+our $VERSION = '4.3_7';
 
 our @proxyarp;
 
 our $family;
 
 #
-# Rather than initializing globals in an INIT block or during declaration,
-# we initialize them in a function. This is done for two reasons:
-#
-#   1. Proper initialization depends on the address family which isn't
-#      known until the compiler has started.
-#
-#   2. The compiler can run multiple times in the same process so it has to be
-#      able to re-initialize its dependent modules' state.
+# Initialize globals -- we take this novel approach to globals initialization to allow
+#                       the compiler to run multiple times in the same process. The
+#                       initialize() function does globals initialization for this
+#                       module and is called from an INIT block below. The function is
+#                       also called by Shorewall::Compiler::compiler at the beginning of
+#                       the second and subsequent calls to that function.
 #
+
 sub initialize( $ ) {
     $family = shift;
     @proxyarp = ();
 }
 
+INIT {
+    initialize( F_IPV4 );
+}
+
 sub setup_one_proxy_arp( $$$$$ ) {
     my ( $address, $interface, $external, $haveroute, $persistent) = @_;
 
@@ -76,7 +79,7 @@ sub setup_one_proxy_arp( $$$$$ ) {
     }
 
     unless ( $haveroute ) {
-	emit "[ -n \"\$g_noroutes\" ] || run_ip route replace $address dev $interface";
+	emit "[ -n \"\$NOROUTES\" ] || run_ip route replace $address dev $interface";
 	$haveroute = 1 if $persistent;
     }
 
@@ -117,8 +120,6 @@ sub setup_proxy_arp() {
 		    $first_entry = 0;
 		}
 
-		$interface = get_physical $interface;
-
 		$set{$interface}  = 1;
 		$reset{$external} = 1 unless $set{$external};
 
@@ -145,14 +146,10 @@ sub setup_proxy_arp() {
 
 	    for my $interface ( @$interfaces ) {
 		my $value = get_interface_option $interface, 'proxyarp';
-		my $optional = interface_is_optional $interface;
-
-		$interface = get_physical $interface;
-
 		emit ( "if [ -f /proc/sys/net/ipv4/conf/$interface/proxy_arp ] ; then" ,
 		       "    echo $value > /proc/sys/net/ipv4/conf/$interface/proxy_arp" );
 		emit ( 'else' ,
-		       "    error_message \"WARNING: Unable to set/reset proxy ARP on $interface\"" ) unless $optional;
+		       "    error_message \"WARNING: Unable to set/reset proxy ARP on $interface\"" ) unless interface_is_optional( $interface );
 		emit   "fi\n";
 	    }
 	}
@@ -164,14 +161,10 @@ sub setup_proxy_arp() {
 
 	    for my $interface ( @$interfaces ) {
 		my $value = get_interface_option $interface, 'proxyndp';
-		my $optional = interface_is_optional $interface;
-
-		$interface = get_physical $interface;
-
 		emit ( "if [ -f /proc/sys/net/ipv6/conf/$interface/proxy_ndp ] ; then" ,
 		   "    echo $value > /proc/sys/net/ipv6/conf/$interface/proxy_ndp" );
 		emit ( 'else' ,
-		       "    error_message \"WARNING: Unable to set/reset Proxy NDP on $interface\"" ) unless $optional;
+		       "    error_message \"WARNING: Unable to set/reset Proxy NDP on $interface\"" ) unless interface_is_optional( $interface );
 		emit   "fi\n";
 	    }
 	}

Shorewall/Perl/Shorewall/Raw.pm

@@ -47,7 +47,7 @@ sub process_notrack_rule( $$$$$$ ) {
     $ports  = ''    if $ports  eq 'any' || $ports  eq 'all';
     $sports = ''    if $sports eq 'any' || $sports eq 'all';
 
-    ( my $zone, $source) = split /:/, $source, 2;
+    ( my $zone, $source) = split /:/, $source, 2;  
     my $zoneref  = find_zone $zone;
     my $chainref = ensure_raw_chain( notrack_chain $zone );
     my $restriction = $zone eq firewall_zone ? OUTPUT_RESTRICT : PREROUTE_RESTRICT;

Shorewall/Perl/Shorewall/Tc.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
 #
 #     Traffic Control is from tc4shorewall Version 0.5
 #     (c) 2005 Arne Bernin <arne@ucbering.de>
@@ -40,7 +40,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_tc );
 our @EXPORT_OK = qw( process_tc_rule initialize );
-our $VERSION = '4.4_8';
+our $VERSION = '4.3_12';
 
 our %tcs = ( T => { chain  => 'tcpost',
 		    connmark => 0,
@@ -79,6 +79,48 @@ use constant { NOMARK    => 0 ,
 	       HIGHMARK  => 2
 	       };
 
+our @tccmd = ( { match     => sub ( $ ) { $_[0] eq 'SAVE' } ,
+		 target    => 'CONNMARK --save-mark --mask' ,
+		 mark      => SMALLMARK ,
+		 mask      => '0xFF' ,
+		 connmark  => 1
+	       } ,
+	      { match     => sub ( $ ) { $_[0] eq 'RESTORE' },
+		target    => 'CONNMARK --restore-mark --mask' ,
+		mark      => SMALLMARK ,
+		mask      => '0xFF' ,
+		connmark  => 1
+		} ,
+	      { match     => sub ( $ ) { $_[0] eq 'CONTINUE' },
+		target    => 'RETURN' ,
+		mark      => NOMARK ,
+		mask      => '' ,
+		connmark  => 0
+		} ,
+	      { match     => sub ( $ ) { $_[0] eq 'SAME' },
+		target    => 'sticky' ,
+		mark      => NOMARK ,
+		mask      => '' ,
+		connmark  => 0
+		} ,
+	      { match     => sub ( $ ) { $_[0] =~ /^IPMARK/ },
+		target    => 'IPMARK' ,
+		mark      => NOMARK,
+		mask      => '',
+		connmark  => 0
+	        } ,
+	      { match     => sub ( $ ) { $_[0] =~ '\|.*'} ,
+		target    => 'MARK --or-mark' ,
+		mark      => HIGHMARK ,
+		mask      => '' } ,
+	      { match     => sub ( $ ) { $_[0] =~ '&.*' },
+		target    => 'MARK --and-mark ' ,
+		mark      => HIGHMARK ,
+		mask      => '' ,
+		connmark  => 0
+		}
+	      );
+
 our %flow_keys = ( 'src'            => 1,
 		   'dst'            => 1,
 		   'proto'          => 1,
@@ -111,7 +153,7 @@ our @deferred_rules;
 #
 # TCDevices Table
 #
-# %tcdevices { <interface> => {in_bandwidth  => <value> ,
+# %tcdevices { <interface> -> {in_bandwidth  => <value> ,
 #                              out_bandwidth => <value> ,
 #                              number        => <number>,
 #                              classify      => 0|1
@@ -121,8 +163,6 @@ our @deferred_rules;
 #                              nextclass     => <number>
 #                              occurs        => Has one or more occurring classes
 #                              qdisc         => htb|hfsc
-#                              guarantee     => <total RATE of classes seen so far>
-#                              name          => <interface>
 #                                               }
 #
 our @tcdevices;
@@ -130,7 +170,7 @@ our %tcdevices;
 our @devnums;
 our $devnum;
 our $sticky;
-our $ipp2p;
+
 
 #
 # TCClasses Table
@@ -146,7 +186,6 @@ our $ipp2p;
 #              occurs    => <number> # 0 means that this is a class generated by another class with occurs > 1
 #              parent    => <class number>
 #              leaf      => 0|1
-#              guarantee => <sum of rates of sub-classes>
 #              options   => { tos  => [ <value1> , <value2> , ... ];
 #                             tcp_ack => 1 ,
 #                             ...
@@ -163,15 +202,14 @@ our %restrictions = ( tcpre      => PREROUTE_RESTRICT ,
 our $family;
 
 #
-# Rather than initializing globals in an INIT block or during declaration,
-# we initialize them in a function. This is done for two reasons:
-#
-#   1. Proper initialization depends on the address family which isn't
-#      known until the compiler has started.
-#
-#   2. The compiler can run multiple times in the same process so it has to be
-#      able to re-initialize its dependent modules' state.
+# Initialize globals -- we take this novel approach to globals initialization to allow
+#                       the compiler to run multiple times in the same process. The
+#                       initialize() function does globals initialization for this
+#                       module and is called from an INIT block below. The function is
+#                       also called by Shorewall::Compiler::compiler at the beginning of
+#                       the second and subsequent calls to that function.
 #
+
 sub initialize( $ ) {
     $family   = shift;
     %classids = ();
@@ -183,14 +221,15 @@ sub initialize( $ ) {
     @devnums   = ();
     $devnum = 0;
     $sticky = 0;
-    $ipp2p  = 0;
+}
+
+INIT {
+    initialize( F_IPV4 );
 }
 
 sub process_tc_rule( ) {
     my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper ) = split_line1 2, 12, 'tcrules file';
 
-    our @tccmd;
-
     if ( $originalmark eq 'COMMENT' ) {
 	process_comment;
 	return;
@@ -226,9 +265,9 @@ sub process_tc_rule( ) {
 		fatal_error "Invalid chain designator for source $fw" unless $tcsref->{fw};
 	    }
 
-	    $chain    = $tcsref->{chain}                       if $tcsref->{chain};
-	    $target   = $tcsref->{target}                      if $tcsref->{target};
-	    $mark     = "$mark/" . in_hex( $globals{TC_MASK} ) if $connmark = $tcsref->{connmark};
+	    $chain    = $tcsref->{chain}  if $tcsref->{chain};
+	    $target   = $tcsref->{target} if $tcsref->{target};
+	    $mark     = "$mark/0xFF"      if $connmark = $tcsref->{connmark};
 
 	    require_capability ('CONNMARK' , "CONNMARK Rules", '' ) if $connmark;
 
@@ -246,6 +285,8 @@ sub process_tc_rule( ) {
 	}
     }
 
+    my $mask = 0xffff;
+
     my ($cmd, $rest) = split( '/', $mark, 2 );
 
     $list = '';
@@ -302,7 +343,7 @@ sub process_tc_rule( ) {
 				fatal_error "Invalid Mask ($m2)" unless defined $val && $val <= 0xffffffff;
 				$mask2 = $m2;
 			    }
-
+				
 			    if ( defined $s ) {
 				$val = numeric_value ($s);
 				fatal_error "Invalid Shift Bits ($s)" unless defined $val && $val < 128;
@@ -311,41 +352,9 @@ sub process_tc_rule( ) {
 			} else {
 			    fatal_error "Invalid MARK/CLASSIFY ($cmd)" unless $cmd eq 'IPMARK';
 			}
-
+			    
 			$target = "IPMARK --addr $srcdst --and-mask $mask1 --or-mask $mask2 --shift $shift";
-		    } elsif ( $target eq 'TPROXY ' ) {
-			require_capability( 'TPROXY_TARGET', 'Use of TPROXY', 's');
-
-			fatal_error "Invalid TPROXY specification( $cmd/$rest )" if $rest;
-			
-			$chain = 'tcpre';
-
-			$cmd =~ /TPROXY\((.+?)\)$/;
-
-			my $params = $1;
-
-			fatal_error "Invalid TPROXY specification( $cmd )" unless defined $params;
-
-			( $mark, my $port, my $ip, my $bad ) = split ',', $params;
-
-			fatal_error "Invalid TPROXY specification( $cmd )" if defined $bad;
-
-			if ( $port ) {
-			    $port = validate_port( 'tcp', $port );
-			} else {
-			    $port = 0;
-			}
-
-			$target .= "--on-port $port";
-			
-			if ( defined $ip && $ip ne '' ) {
-			    validate_address $ip, 1;
-			    $target .= " --on-ip $ip";
-			}
-
-			$target .= ' --tproxy-mark';	
 		    }
-			
 
 		    if ( $rest ) {
 			fatal_error "Invalid MARK ($originalmark)" if $marktype == NOMARK;
@@ -367,10 +376,10 @@ sub process_tc_rule( ) {
 
 	    validate_mark $mark;
 
-	    if ( $config{PROVIDER_OFFSET} ) {
+	    if ( $config{HIGH_ROUTE_MARKS} ) {
 		my $val = numeric_value( $cmd );
 		fatal_error "Invalid MARK/CLASSIFY ($cmd)" unless defined $val;
-		my $limit = $globals{TC_MASK};
+		my $limit = $config{WIDE_TC_MARKS} ? 65535 : 255;
 		fatal_error "Marks <= $limit may not be set in the PREROUTING or OUTPUT chains when HIGH_ROUTE_MARKS=Yes"
 		    if $cmd && ( $chain eq 'tcpre' || $chain eq 'tcout' ) && $val <= $limit;
 	    }
@@ -379,12 +388,12 @@ sub process_tc_rule( ) {
 
     if ( ( my $result = expand_rule( ensure_chain( 'mangle' , $chain ) ,
 				     $restrictions{$chain} ,
-				     do_proto( $proto, $ports, $sports) .
-				     do_user( $user ) .
-				     do_test( $testval, $globals{TC_MASK} ) .
-				     do_length( $length ) .
-				     do_tos( $tos ) .
-				     do_connbytes( $connbytes ) .
+				     do_proto( $proto, $ports, $sports) . 
+				     do_user( $user ) . 
+				     do_test( $testval, $mask ) . 
+				     do_length( $length ) . 
+				     do_tos( $tos ) . 
+				     do_connbytes( $connbytes ) . 
 				     do_helper( $helper ),
 				     $source ,
 				     $dest ,
@@ -442,65 +451,6 @@ sub process_flow($) {
     $flow;
 }
 
-sub process_simple_device() {
-    my ( $device , $type , $bandwidth ) = split_line 1, 3, 'tcinterfaces';
-
-    fatal_error "Duplicate INTERFACE ($device)"    if $tcdevices{$device};
-    fatal_error "Invalid INTERFACE name ($device)" if $device =~ /[:+]/;
-
-    my $number = in_hexp( $tcdevices{$device} = ++$devnum );
-
-    my $physical = physical_name $device;
-    my $dev      = chain_base( $physical );
-
-    if ( $type ne '-' ) {
-	if ( lc $type eq 'external' ) {
-	    $type = 'nfct-src';
-	} elsif ( lc $type eq 'internal' ) {
-	    $type = 'dst';
-	} else {
-	    fatal_error "Invalid TYPE ($type)";
-	}
-    }
-
-    $bandwidth = rate_to_kbit( $bandwidth );
-
-    emit "if interface_is_up $physical; then";
-
-    push_indent;
-
-    emit ( "${dev}_exists=Yes",
-	   "qt \$TC qdisc del dev $physical root",
-	   "qt \$TC qdisc del dev $physical ingress\n"	   
-	 );
-
-    emit ( "run_tc qdisc add dev $physical handle ffff: ingress",
-	   "run_tc filter add dev $physical parent ffff: protocol all prio 10 u32 match ip src 0.0.0.0/0 police rate ${bandwidth}kbit burst 10k drop flowid :1\n"
-	 ) if $bandwidth;
-	  
-    emit "run_tc qdisc add dev $physical root handle $number: prio bands 3 priomap $config{TC_PRIOMAP}";
-
-    for ( my $i = 1; $i <= 3; $i++ ) {
-	emit "run_tc qdisc add dev $physical parent $number:$i handle ${number}${i}: sfq quantum 1875 limit 127 perturb 10";
-	emit "run_tc filter add dev $physical protocol all parent $number: handle $i fw classid $number:$i";
-	emit "run_tc filter add dev $physical protocol all prio 1 parent ${number}$i: handle ${number}${i} flow hash keys $type divisor 1024" if $type ne '-' && have_capability 'FLOW_FILTER';
-	emit '';
-    }
-
-    save_progress_message_short "   TC Device $physical defined.";
-    
-    pop_indent;
-    emit 'else';
-    push_indent;
-
-    emit qq(error_message "WARNING: Device $physical is not in the UP state -- traffic-shaping configuration skipped");
-    emit "${dev}_exists=";
-    pop_indent;
-    emit "fi\n";
- 
-    progress_message "  Simple tcdevice \"$currentline\" $done.";
-}    
-
 sub validate_tc_device( ) {
     my ( $device, $inband, $outband , $options , $redirected ) = split_line 3, 5, 'tcdevices';
 
@@ -559,13 +509,13 @@ sub validate_tc_device( ) {
     if ( @redirected ) {
 	fatal_error "IFB devices may not have IN-BANDWIDTH" if $inband ne '-' && $inband;
 	$classify = 1;
+    }	
 
-	for my $rdevice ( @redirected ) {
-	    fatal_error "Invalid device name ($rdevice)" if $rdevice =~ /[:+]/;
-	    my $rdevref = $tcdevices{$rdevice};
-	    fatal_error "REDIRECTED device ($rdevice) has not been defined in this file" unless $rdevref;
-	    fatal_error "IN-BANDWIDTH must be zero for REDIRECTED devices" if $rdevref->{in_bandwidth} ne '0kbit';
-	}
+    for my $rdevice ( @redirected ) {
+	fatal_error "Invalid device name ($rdevice)" if $rdevice =~ /[:+]/;
+	my $rdevref = $tcdevices{$rdevice};
+	fatal_error "REDIRECTED device ($rdevice) has not been defined in this file" unless $rdevref;
+	fatal_error "IN-BANDWIDTH must be zero for REDIRECTED devices" if $rdevref->{in_bandwidth} ne '0kbit';
     }
 
     $tcdevices{$device} = { in_bandwidth  => rate_to_kbit( $inband ) . 'kbit',
@@ -579,9 +529,6 @@ sub validate_tc_device( ) {
 			    default       => 0,
 			    nextclass     => 2,
 			    qdisc         => $qdisc,
-			    guarantee     => 0,
-			    name          => $device,
-			    physical      => physical_name $device
 			  } ,
 
     push @tcdevices, $device;
@@ -591,8 +538,8 @@ sub validate_tc_device( ) {
     progress_message "  Tcdevice \"$currentline\" $done.";
 }
 
-sub convert_rate( $$$$ ) {
-    my ($full, $rate, $column, $max) = @_;
+sub convert_rate( $$$ ) {
+    my ($full, $rate, $column) = @_;
 
     if ( $rate =~ /\bfull\b/ ) {
 	$rate =~ s/\bfull\b/$full/g;
@@ -606,14 +553,14 @@ sub convert_rate( $$$$ ) {
     }
 
     fatal_error "$column may not be zero" unless $rate;
-    fatal_error "$column ($_[1]) exceeds $max (${full}kbit)" if $rate > $full;
+    fatal_error "$column ($_[1]) exceeds OUT-BANDWIDTH" if $rate > $full;
 
     $rate;
 }
 
 sub convert_delay( $ ) {
     my $delay = shift;
-
+    
     return 0 unless $delay;
     return $1 if $delay =~ /^(\d+)(ms)?$/;
     fatal_error "Invalid Delay ($delay)";
@@ -652,7 +599,6 @@ sub validate_tc_class( ) {
     my $device = $devclass;
     my $occurs = 1;
     my $parentclass = 1;
-    my $parentref;
 
     if ( $devclass =~ /:/ ) {
 	( $device, my ($number, $subnumber, $rest ) )  = split /:/, $device, 4;
@@ -672,7 +618,7 @@ sub validate_tc_class( ) {
 		fatal_error "Invalid interface/class number ($devclass)" unless defined $classnumber && $classnumber;
 		$parentclass = $classnumber;
 		$classnumber = hex_value $subnumber;
-	    }
+	    } 
 
 	    fatal_error "Invalid interface/class number ($devclass)" unless defined $classnumber && $classnumber;
 	    fatal_error "Duplicate interface/class number ($devclass)" if defined $devnums[ $classnumber ];
@@ -684,11 +630,7 @@ sub validate_tc_class( ) {
 	fatal_error "Missing class NUMBER" if $devref->{classify};
     }
 
-    my $full    = rate_to_kbit $devref->{out_bandwidth};
-    my $ratemax = $full;
-    my $ceilmax = $full;
-    my $ratename = 'OUT-BANDWIDTH';
-    my $ceilname = 'OUT-BANDWIDTH';
+    my $full  = rate_to_kbit $devref->{out_bandwidth};
 
     my $tcref = $tcclasses{$device};
 
@@ -698,17 +640,15 @@ sub validate_tc_class( ) {
 	if ( $devref->{classify} ) {
 	    warning_message "INTERFACE $device has the 'classify' option - MARK value ($mark) ignored";
 	} else {
-	    fatal_error "MARK may not be specified when TC_BITS=0" unless $config{TC_BITS};
+	    fatal_error "Invalid Mark ($mark)" unless $mark =~ /^([0-9]+|0x[0-9a-fA-F]+)$/ && numeric_value( $mark ) <= 0xff;
 
 	    $markval = numeric_value( $mark );
 	    fatal_error "Invalid MARK ($markval)" unless defined $markval;
 
-	    fatal_error "Invalid Mark ($mark)" unless $markval <= $globals{TC_MAX};
-
 	    if ( $classnumber ) {
 		fatal_error "Duplicate Class NUMBER ($classnumber)" if $tcref->{$classnumber};
 	    } else {
-		$classnumber = $config{WIDE_TC_MARKS} ? $devref->{nextclass}++ : hex_value( $devnum . $markval );
+		$classnumber = $config{WIDE_TC_MARKS} ? $tcref->{nextclass}++ : hex_value( $devnum . $markval );
 		fatal_error "Duplicate MARK ($mark)" if $tcref->{$classnumber};
 	    }
 	}
@@ -720,53 +660,39 @@ sub validate_tc_class( ) {
 	#
 	# Nested Class
 	#
-	$parentref = $tcref->{$parentclass};
+	my $parentref = $tcref->{$parentclass};
 	fatal_error "Unknown Parent class ($parentclass)" unless $parentref && $parentref->{occurs} == 1;
 	fatal_error "The parent class ($parentclass) specifies UMAX and/or DMAX; it cannot serve as a parent" if $parentref->{dmax};
 	$parentref->{leaf} = 0;
-	$ratemax  = $parentref->{rate};
-	$ratename = q(the parent class's RATE);
-	$ceilmax = $parentref->{ceiling};
-	$ceilname = q(the parent class's CEIL);
     }
 
     my ( $umax, $dmax ) = ( '', '' );
 
     if ( $devref->{qdisc} eq 'hfsc' ) {
 	( my $trate , $dmax, $umax , my $rest ) = split ':', $rate , 4;
-
+	
 	fatal_error "Invalid RATE ($rate)" if defined $rest;
 
-	$rate = convert_rate ( $ratemax, $trate, 'RATE', $ratename );
+	$rate = convert_rate ( $full, $trate, 'RATE' );
 	$dmax = convert_delay( $dmax );
 	$umax = convert_size( $umax );
-	fatal_error "DMAX must be specified when UMAX is specified" if $umax && ! $dmax;
+	fatal_error "DMAX must be specified when UMAX is specified" if $umax && ! $dmax; 
     } else {
-	$rate = convert_rate ( $ratemax, $rate, 'RATE' , $ratename );
+	$rate = convert_rate ( $full, $rate, 'RATE' );
     }
 
-    if ( $parentref ) {
-	warning_message "Total RATE of sub classes ($parentref->{guarantee}kbits) exceeds RATE of parent class ($parentref->{rate}kbits)" if ( $parentref->{guarantee} += $rate ) > $parentref->{rate};
-    } else {
-	warning_message "Total RATE of classes ($devref->{guarantee}kbits) exceeds OUT-BANDWIDTH (${full}kbits)" if ( $devref->{guarantee} += $rate ) > $full;
-    }
-
-    fatal_error "Invalid PRIO ($prio)" unless defined numeric_value $prio;
-
-    $tcref->{$classnumber} = { tos       => [] ,
-			       rate      => $rate ,
-			       umax      => $umax ,
-			       dmax      => $dmax ,
-			       ceiling   => convert_rate( $ceilmax, $ceil, 'CEIL' , $ceilname ) ,
-			       priority  => $prio eq '-' ? 1 : $prio ,
-			       mark      => $markval ,
-			       flow      => '' ,
-			       pfifo     => 0,
-			       occurs    => 1,
-			       parent    => $parentclass,
-			       leaf      => 1,
-			       guarantee => 0,
-			       limit     => 127,
+    $tcref->{$classnumber} = { tos      => [] ,
+			       rate     => $rate ,
+			       umax     => $umax ,
+			       dmax     => $dmax ,
+			       ceiling  => convert_rate( $full, $ceil, 'CEIL' ) ,
+			       priority => $prio eq '-' ? 1 : $prio ,
+			       mark     => $markval ,
+			       flow     => '' ,
+			       pfifo    => 0,
+			       occurs   => 1,
+			       parent   => $parentclass,
+			       leaf     => 1,
 			     };
 
     $tcref = $tcref->{$classnumber};
@@ -807,18 +733,14 @@ sub validate_tc_class( ) {
 		fatal_error q(The 'occurs' option is only valid for IPv4)           if $family == F_IPV6;
 		fatal_error q(The 'occurs' option may not be used with 'classify')  if $devref->{classify};
 		fatal_error "Invalid 'occurs' ($val)"                               unless defined $occurs && $occurs > 1 && $occurs <= 256;
-		fatal_error "Invalid 'occurs' ($val)"                               if $occurs > $globals{TC_MAX};
+		fatal_error "Invalid 'occurs' ($val)"                               if $occurs > ( $config{WIDE_TC_MARKS} ? 8191 : 255 );
 		fatal_error q(Duplicate 'occurs')                                   if $tcref->{occurs} > 1;
 		fatal_error q(The 'occurs' option is not valid with 'default')      if $devref->{default} == $classnumber;
 		fatal_error q(The 'occurs' option is not valid with 'tos')          if @{$tcref->{tos}};
-		warning_message "MARK ($mark) is ignored on an occurring class"     if $mark ne '-';
+		warning_message "MARK ($mark) is ignored on an occurring class"     if $mark ne '-'; 
 
 		$tcref->{occurs} = $occurs;
 		$devref->{occurs} = 1;
-	    } elsif ( $option =~ /^limit=(\d+)$/ ) {
-		warning_message "limit ignored with pfifo queuing" if $tcref->{pfifo};
-		fatal_error "Invalid limit ($1)" if $1 < 3 || $1 > 128;
-		$tcref->{limit} = $1;
 	    } else {
 		fatal_error "Unknown option ($option)";
 	    }
@@ -827,7 +749,7 @@ sub validate_tc_class( ) {
 
     unless ( $devref->{classify} || $occurs > 1 ) {
 	fatal_error "Missing MARK" if $mark eq '-';
-	warning_message "Class NUMBER ignored -- INTERFACE $device does not have the 'classify' option"	if $devclass =~ /:/;
+	warning_message "Class NUMBER ignored -- INTERFACE $device does not have the 'classify' option"	if $devclass =~ /:/; 
     }
 
     $tcref->{flow}  = $devref->{flow}  unless $tcref->{flow};
@@ -847,7 +769,6 @@ sub validate_tc_class( ) {
 					       pfifo    => $tcref->{pfifo},
 					       occurs   => 0,
 					       parent   => $parentclass,
-					       limit    => $tcref->{limit},
 					     };
 	push @tcclasses, "$device:$classnumber";
     };
@@ -862,7 +783,7 @@ my %validlengths = ( 32 => '0xffe0', 64 => '0xffc0', 128 => '0xff80', 256 => '0x
 #
 sub process_tc_filter( ) {
     my ( $devclass, $source, $dest , $proto, $portlist , $sportlist, $tos, $length ) = split_line 2, 8, 'tcfilters file';
-
+    
     my ($device, $class, $rest ) = split /:/, $devclass, 3;
 
     fatal_error "Invalid INTERFACE:CLASS ($devclass)" if defined $rest || ! ($device && $class );
@@ -884,7 +805,7 @@ sub process_tc_filter( ) {
     fatal_error "Unknown CLASS ($devclass)"                  unless $tcref && $tcref->{occurs};
     fatal_error "Filters may not specify an occurring CLASS" if $tcref->{occurs} > 1;
 
-    my $rule = "filter add dev $devref->{physical} protocol ip parent $devnum:0 prio 10 u32";
+    my $rule = "filter add dev $device protocol ip parent $devnum:0 prio 10 u32";
 
     if ( $source ne '-' ) {
 	my ( $net , $mask ) = decompose_net( $source );
@@ -913,13 +834,13 @@ sub process_tc_filter( ) {
 
 	$rule .= "\\\n  match ip tos $tosval $mask";
     }
-
+	
     if ( $length ne '-' ) {
 	my $len = numeric_value( $length ) || 0;
 	my $mask = $validlengths{$len};
 	fatal_error "Invalid LENGTH ($length)" unless $mask;
 	$rule .="\\\n   match u16 0x0000 $mask at 2";
-    }
+    }      
 
     my $protonumber = 0;
 
@@ -955,7 +876,7 @@ sub process_tc_filter( ) {
 	    $lasttnum = $tnum;
 	    $lastrule = $rule;
 
-	    emit( "\nrun_tc filter add dev $devref->{physical} parent $devnum:0 protocol ip prio 10 handle $tnum: u32 divisor 1" );
+	    emit( "\nrun_tc filter add dev $device parent $devnum:0 protocol ip prio 10 handle $tnum: u32 divisor 1" );
 	}
 	#
 	# And link to it using the current contents of $rule
@@ -965,10 +886,10 @@ sub process_tc_filter( ) {
 	#
 	# The rule to match the port(s) will be inserted into the new table
 	#
-	$rule     = "filter add dev $devref->{physical} protocol ip parent $devnum:0 prio 10 u32 ht $tnum:0";
+	$rule     = "filter add dev $device protocol ip parent $devnum:0 prio 10 u32 ht $tnum:0";
 
 	if ( $portlist eq '-' ) {
-	    fatal_error "Only TCP, UDP and SCTP may specify SOURCE PORT"
+	    fatal_error "Only TCP, UDP and SCTP may specify SOURCE PORT" 
 		unless $protonumber == TCP || $protonumber == UDP || $protonumber == SCTP;
 
 	    for my $sportrange ( split_list $sportlist , 'port list' ) {
@@ -992,7 +913,7 @@ sub process_tc_filter( ) {
 		}
 	    }
 	} else {
-	    fatal_error "Only TCP, UDP, SCTP and ICMP may specify DEST PORT"
+	    fatal_error "Only TCP, UDP, SCTP and ICMP may specify DEST PORT" 
 		unless $protonumber == TCP || $protonumber == UDP || $protonumber == SCTP || $protonumber == ICMP;
 
 	    for my $portrange ( split_list $portlist, 'port list' ) {
@@ -1013,7 +934,7 @@ sub process_tc_filter( ) {
 			my ( $port, $mask ) = ( shift @portlist, shift @portlist );
 
 			my $rule1;
-
+			
 			if ( $protonumber == TCP ) {
 			    $rule1 = join( ' ', 'match tcp dst', hex_value( $port ), "0x$mask" );
 			} elsif ( $protonumber == UDP ) {
@@ -1049,9 +970,9 @@ sub process_tc_filter( ) {
 					  "   flowid $devref->{number}:$class" );
 				}
 			    }
-			}
+			}   
 		    }
-		}
+		}    
 	    }
 	}
     }
@@ -1066,95 +987,7 @@ sub process_tc_filter( ) {
 
     emit '';
 
-}
-
-sub process_tc_priority() {
-    my ( $band, $proto, $ports , $address, $interface, $helper ) = split_line1 1, 6, 'tcpri';
-
-    if ( $band eq 'COMMENT' ) {
-	process_comment;
-	return;
-    }
-
-    my $val = numeric_value $band;
-
-    fatal_error "Invalid PRIORITY ($band)" unless $val && $val <= 3;
-
-    my $rule = do_helper( $helper ) . "-j MARK --set-mark $band";
-
-    $rule .= join('', '/', in_hex( $globals{TC_MASK} ) ) if have_capability( 'EXMARK' );
-
-    if ( $interface ne '-' ) {
-	fatal_error "Invalid combination of columns" unless $address eq '-' && $proto eq '-' && $ports eq '-';
-
-	my $forwardref = $mangle_table->{tcfor};
-
-	add_rule( $forwardref ,
-		  join( '', match_source_dev( $interface) , $rule ) ,
-		  1 );
-    } else {
-	my $postref = $mangle_table->{tcpost};
-	
-	if ( $address ne '-' ) {
-	    fatal_error "Invalid combination of columns" unless $proto eq '-' && $ports eq '-';
-	    add_rule( $postref ,
-		      join( '', match_source_net( $address) , $rule ) ,
-		      1 );
-	} else {
-	    add_rule( $postref , 
-		      join( '', do_proto( $proto, $ports, '-' , 0 ) , $rule ) ,
-		      1 );
-
-	    if ( $ports ne '-' ) {
-		my $protocol = resolve_proto $proto;
-
-		if ( $proto =~ /^ipp2p/ ) {
-		    fatal_error "ipp2p may not be used when there are tracked providers and PROVIDER_OFFSET=0" if @routemarked_interfaces && $config{PROVIDER_OFFSET} == 0;
-		    $ipp2p = 1;
-		}
-
-		add_rule( $postref , 
-			  join( '' , do_proto( $proto, '-', $ports, 0 ) , $rule ) ,
-			  1 )
-		    unless $proto =~ /^ipp2p/ || $protocol == ICMP || $protocol == IPv6_ICMP;
-	    }
-	}
-    }
-}
-
-sub setup_simple_traffic_shaping() {
-    my $interfaces;
-
-    save_progress_message "Setting up Traffic Control...";
-
-    my $fn = open_file 'tcinterfaces';
-
-    if ( $fn ) {
-	first_entry "$doing $fn...";
-	process_simple_device, $interfaces++ while read_a_line;
-    } else {
-	$fn = find_file 'tcinterfaces';
-    }
-
-    my $fn1 = open_file 'tcpri';
-
-    if ( $fn1 ) {
-	first_entry 
-	    sub { 
-		progress_message2 "$doing $fn1...";
-		warning_message "There are entries in $fn1 but $fn was empty" unless $interfaces;
-	    };
-
-	process_tc_priority while read_a_line;
-
-	clear_comment;
-
-	if ( $ipp2p ) {
-	    insert_rule1 $mangle_table->{tcpost} , 0 , '-m mark --mark 0/'   . in_hex( $globals{TC_MASK} ) . ' -j CONNMARK --restore-mark --ctmask ' . in_hex( $globals{TC_MASK} );
-	    add_rule     $mangle_table->{tcpost} ,     '-m mark ! --mark 0/' . in_hex( $globals{TC_MASK} ) . ' -j CONNMARK --save-mark --ctmask '    . in_hex( $globals{TC_MASK} );
-	}
-    }
-}
+}   
 
 sub setup_traffic_shaping() {
     our $lastrule = '';
@@ -1169,9 +1002,6 @@ sub setup_traffic_shaping() {
 	validate_tc_device while read_a_line;
     }
 
-    my $sfq = $devnum;
-    my $sfqinhex;
-
     $devnum = $devnum > 10 ? 10 : 1;
 
     $fn = open_file 'tcclasses';
@@ -1183,15 +1013,12 @@ sub setup_traffic_shaping() {
     }
 
     for my $device ( @tcdevices ) {
+	my $dev     = chain_base( $device );
 	my $devref  = $tcdevices{$device};
 	my $defmark = in_hexp ( $devref->{default} || 0 );
 	my $devnum  = in_hexp $devref->{number};
 	my $r2q     = int calculate_r2q $devref->{out_bandwidth};
 
-	$device = physical_name $device;
-
-	my $dev = chain_base( $device );
-
 	emit "if interface_is_up $device; then";
 
 	push_indent;
@@ -1274,14 +1101,12 @@ sub setup_traffic_shaping() {
 	my $classid  = join( ':', in_hexp $devicenumber, $classnum);
 	my $rate     = "$tcref->{rate}kbit";
 	my $quantum  = calculate_quantum $rate, calculate_r2q( $devref->{out_bandwidth} );
-
-	$classids{$classid}=$device;
-	$device = physical_name $device;
-
 	my $dev      = chain_base $device;
 	my $priority = $tcref->{priority} << 8;
 	my $parent   = in_hexp $tcref->{parent};
 
+	$classids{$classid}=$device;
+
 	if ( $lastdevice ne $device ) {
 	    if ( $lastdevice ) {
 		pop_indent;
@@ -1294,7 +1119,7 @@ sub setup_traffic_shaping() {
 	}
 
 	emit ( "[ \$${dev}_mtu -gt $quantum ] && quantum=\$${dev}_mtu || quantum=$quantum" );
-
+	
 	if ( $devref->{qdisc} eq 'htb' ) {
 	    emit ( "run_tc class add dev $device parent $devref->{number}:$parent classid $classid htb rate $rate ceil $tcref->{ceiling}kbit prio $tcref->{priority} \$${dev}_mtu1 quantum \$quantum" );
 	} else {
@@ -1307,19 +1132,18 @@ sub setup_traffic_shaping() {
 		emit ( "run_tc class add dev $device parent $devref->{number}:$parent classid $classid hfsc sc rate $rate ul rate $tcref->{ceiling}kbit" );
 	    }
 	}
-
-	if ( $tcref->{leaf} && ! $tcref->{pfifo} ) {
-	    $sfqinhex = in_hexp( ++$sfq);
-	    emit( "run_tc qdisc add dev $device parent $classid handle $sfqinhex: sfq quantum \$quantum limit $tcref->{limit} perturb 10" );
-	}
+	    
+	emit( "run_tc qdisc add dev $device parent $classid handle ${classnum}: sfq quantum \$quantum limit 127 perturb 10" ) if $tcref->{leaf} && ! $tcref->{pfifo};
 	#
 	# add filters
 	#
 	unless ( $devref->{classify} ) {
-	    emit "run_tc filter add dev $device protocol all parent $devicenumber:0 prio " . ( $priority | 20 ) . " handle $mark fw classid $classid" if $tcref->{occurs} == 1;
+	    if ( $tcref->{occurs} == 1 ) {
+		emit "run_tc filter add dev $device protocol all parent $devicenumber:0 prio " . ( $priority | 20 ) . " handle $mark fw classid $classid";
+	    }
 	}
 
-	emit "run_tc filter add dev $device protocol all prio 1 parent $sfqinhex: handle $classnum flow hash keys $tcref->{flow} divisor 1024" if $tcref->{flow};
+	emit "run_tc filter add dev $device protocol all prio 1 parent $classnum: handle $classnum flow hash keys $tcref->{flow} divisor 1024" if $tcref->{flow};
 	#
 	# options
 	#
@@ -1355,11 +1179,11 @@ sub setup_traffic_shaping() {
 #
 sub setup_tc() {
 
-    if ( $config{MANGLE_ENABLED} ) {
+    if ( $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED} ) {
 	ensure_mangle_chain 'tcpre';
 	ensure_mangle_chain 'tcout';
 
-	if ( have_capability( 'MANGLE_FORWARD' ) ) {
+	if ( $capabilities{MANGLE_FORWARD} ) {
 	    ensure_mangle_chain 'tcfor';
 	    ensure_mangle_chain 'tcpost';
 	}
@@ -1367,25 +1191,29 @@ sub setup_tc() {
 	my $mark_part = '';
 
 	if ( @routemarked_interfaces && ! $config{TC_EXPERT} ) {
-	    $mark_part = '-m mark --mark 0/' . in_hex( $globals{PROVIDER_MASK} ) . ' ';
+	    $mark_part = $config{HIGH_ROUTE_MARKS} ? $config{WIDE_TC_MARKS} ? '-m mark --mark 0/0xFF0000' : '-m mark --mark 0/0xFF00' : '-m mark --mark 0/0xFF';
 
-	    unless ( $config{TRACK_PROVIDERS} ) {
-		#
-		# This is overloading TRACK_PROVIDERS a bit but sending tracked packets through PREROUTING is a PITA for users
-		#
-		for my $interface ( @routemarked_interfaces ) {
-		    add_rule $mangle_table->{PREROUTING} , match_source_dev( $interface ) . "-j tcpre";
-		}
+	    for my $interface ( @routemarked_interfaces ) {
+		add_rule $mangle_table->{PREROUTING} , "-i $interface -j tcpre";
 	    }
 	}
 
-	add_jump $mangle_table->{PREROUTING} , 'tcpre', 0, $mark_part;
-	add_jump $mangle_table->{OUTPUT} ,     'tcout', 0, $mark_part;
+	add_rule $mangle_table->{PREROUTING} , "$mark_part -j tcpre";
+	add_rule $mangle_table->{OUTPUT} ,     "$mark_part -j tcout";
 
-	if ( have_capability( 'MANGLE_FORWARD' ) ) {
-	    add_rule( $mangle_table->{FORWARD},     '-j MARK --set-mark 0' ) if have_capability 'MARK';
-	    add_jump $mangle_table->{FORWARD} ,     'tcfor',  0;
-	    add_jump $mangle_table->{POSTROUTING} , 'tcpost', 0;
+	if ( $capabilities{MANGLE_FORWARD} ) {
+	    add_rule $mangle_table->{FORWARD} ,     '-j tcfor';
+	    add_rule $mangle_table->{POSTROUTING} , '-j tcpost';
+	}
+
+	if ( $config{HIGH_ROUTE_MARKS} ) {
+	    for my $chain qw(INPUT FORWARD) {
+		insert_rule1 $mangle_table->{$chain}, 0, $config{WIDE_TC_MARKS} ? '-j MARK --and-mark 0xFFFF' : '-j MARK --and-mark 0xFF';
+	    }
+	    #
+	    # In POSTROUTING, we only want to clear routing mark and not IPMARK.
+	    #
+	    insert_rule1 $mangle_table->{POSTROUTING}, 0, $config{WIDE_TC_MARKS} ? '-m mark --mark 0/0xFFFF -j MARK --and-mark 0' : '-m mark --mark 0/0xFF -j MARK --and-mark 0';
 	}
     }
 
@@ -1394,61 +1222,12 @@ sub setup_tc() {
 	append_file $globals{TC_SCRIPT};
     } elsif ( $config{TC_ENABLED} eq 'Internal' ) {
 	setup_traffic_shaping;
-    } elsif ( $config{TC_ENABLED} eq 'Simple' ) {
-	setup_simple_traffic_shaping;
     }
 
     if ( $config{TC_ENABLED} ) {
-	our  @tccmd = ( { match     => sub ( $ ) { $_[0] eq 'SAVE' } ,
-			  target    => 'CONNMARK --save-mark --mask' ,
-			  mark      => SMALLMARK ,
-			  mask      => in_hex( $globals{TC_MASK} ) ,
-			  connmark  => 1
-			} ,
-			{ match     => sub ( $ ) { $_[0] eq 'RESTORE' },
-			  target    => 'CONNMARK --restore-mark --mask' ,
-			  mark      => SMALLMARK ,
-			  mask      => in_hex( $globals{TC_MASK} ) ,
-			  connmark  => 1
-			} ,
-			{ match     => sub ( $ ) { $_[0] eq 'CONTINUE' },
-			  target    => 'RETURN' ,
-			  mark      => NOMARK ,
-			  mask      => '' ,
-			  connmark  => 0
-			} ,
-			{ match     => sub ( $ ) { $_[0] eq 'SAME' },
-			  target    => 'sticky' ,
-			  mark      => NOMARK ,
-			  mask      => '' ,
-			  connmark  => 0
-			} ,
-			{ match     => sub ( $ ) { $_[0] =~ /^IPMARK/ },
-			  target    => 'IPMARK' ,
-			  mark      => NOMARK,
-			  mask      => '',
-			  connmark  => 0
-			} ,
-			{ match     => sub ( $ ) { $_[0] =~ '\|.*'} ,
-			  target    => 'MARK --or-mark' ,
-			  mark      => HIGHMARK ,
-			  mask      => '' } ,
-			{ match     => sub ( $ ) { $_[0] =~ '&.*' },
-			  target    => 'MARK --and-mark ' ,
-			  mark      => HIGHMARK ,
-			  mask      => '' ,
-			  connmark  => 0
-			} ,
-			{ match     => sub ( $ ) { $_[0] =~ /^TPROXY/ },
-			  target    => 'TPROXY',
-			  mark      => HIGHMARK,
-			  mask      => '',
-			  connmark  => '' },
-		      );
-
 	if ( my $fn = open_file 'tcrules' ) {
 
-	    first_entry "$doing $fn...";
+	    first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'MANGLE_ENABLED' , 'a non-empty tcrules file' , 's'; } );
 
 	    process_tc_rule while read_a_line;
 

Shorewall/Perl/Shorewall/Tunnels.pm

@@ -34,7 +34,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_tunnels );
 our @EXPORT_OK = ( );
-our $VERSION = '4.4_7';
+our $VERSION = '4.3_7';
 
 #
 # Here starts the tunnel stuff -- we really should get rid of this crap...
@@ -83,10 +83,10 @@ sub setup_tunnels() {
 	    for my $zone ( split_list $gatewayzones, 'zone' ) {
 		my $type = zone_type( $zone );
 		fatal_error "Invalid zone ($zone) for GATEWAY ZONE" if $type == FIREWALL || $type == BPORT;
-		$inchainref  = ensure_filter_chain rules_chain( ${zone}, ${fw} ), 1;
-		$outchainref = ensure_filter_chain rules_chain( ${fw}, ${zone} ), 1;
+		$inchainref  = ensure_filter_chain "${zone}2${fw}", 1;
+		$outchainref = ensure_filter_chain "${fw}2${zone}", 1;
 
-		unless ( have_ipsec ) {
+		unless ( $capabilities{POLICY_MATCH} ) {
 		    add_tunnel_rule $inchainref,  "-p 50 $source -j ACCEPT";
 		    add_tunnel_rule $outchainref, "-p 50 $dest -j ACCEPT";
 
@@ -239,8 +239,8 @@ sub setup_tunnels() {
 
 	fatal_error "Invalid tunnel ZONE ($zone)" if $zonetype == FIREWALL || $zonetype == BPORT;
 
-	my $inchainref  = ensure_filter_chain rules_chain( ${zone}, ${fw} ), 1;
-	my $outchainref = ensure_filter_chain rules_chain( ${fw}, ${zone} ), 1;
+	my $inchainref  = ensure_filter_chain "${zone}2${fw}", 1;
+	my $outchainref = ensure_filter_chain "${fw}2${zone}", 1;
 
 	$gateway = ALLIP if $gateway eq '-';
 

Shorewall/Perl/Shorewall/Zones.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -60,8 +60,6 @@ our @EXPORT = qw( NOTHING
 		  interface_number
 		  find_interface
 		  known_interface
-		  get_physical
-		  physical_name
 		  have_bridges
 		  port_to_bridge
 		  source_port_to_bridge
@@ -72,11 +70,10 @@ our @EXPORT = qw( NOTHING
 		  validate_hosts_file
 		  find_hosts_by_option
 		  all_ipsets
-		  have_ipsec
 		 );
 
 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.4_7';
+our $VERSION = '4.4_0';
 
 #
 # IPSEC Option types
@@ -138,8 +135,7 @@ our %reservedName = ( all => 1,
 #
 #     %interfaces { <interface1> => { name        => <name of interface>
 #                                     root        => <name without trailing '+'>
-#                                     options     => { port => undef|1
-#                                                      <option1> = <val1> ,          #See %validinterfaceoptions
+#                                     options     => { <option1> = <val1> ,
 #                                                      ...
 #                                                    }
 #                                     zone        => <zone name>
@@ -147,7 +143,6 @@ our %reservedName = ( all => 1,
 #                                     bridge      => <bridge>
 #                                     broadcasts  => 'none', 'detect' or [ <addr1>, <addr2>, ... ]
 #                                     number      => <ordinal position in the interfaces file>
-#                                     physical    => <physical interface name>
 #                                   }
 #                 }
 #
@@ -155,9 +150,7 @@ our @interfaces;
 our %interfaces;
 our @bport_zones;
 our %ipsets;
-our %physical;
 our $family;
-our $have_ipsec;
 
 use constant { FIREWALL => 1,
 	       IP       => 2,
@@ -170,44 +163,36 @@ use constant { SIMPLE_IF_OPTION   => 1,
 	       NUMERIC_IF_OPTION  => 4,
 	       OBSOLETE_IF_OPTION => 5,
 	       IPLIST_IF_OPTION   => 6,
-	       STRING_IF_OPTION   => 7,
-
 	       MASK_IF_OPTION     => 7,
-
+	       
 	       IF_OPTION_ZONEONLY => 8,
 	       IF_OPTION_HOST     => 16,
 	   };
 
 our %validinterfaceoptions;
 
-our %defaultinterfaceoptions = ( routefilter => 1 );
-
-our %maxoptionvalue = ( routefilter => 2, mss => 100000 );
-
 our %validhostoptions;
 
 #
-# Rather than initializing globals in an INIT block or during declaration,
-# we initialize them in a function. This is done for two reasons:
-#
-#   1. Proper initialization depends on the address family which isn't
-#      known until the compiler has started.
-#
-#   2. The compiler can run multiple times in the same process so it has to be
-#      able to re-initialize its dependent modules' state.
+# Initialize globals -- we take this novel approach to globals initialization to allow
+#                       the compiler to run multiple times in the same process. The
+#                       initialize() function does globals initialization for this
+#                       module and is called from an INIT block below. The function is
+#                       also called by Shorewall::Compiler::compiler at the beginning of
+#                       the second and subsequent calls to that function or when compiling
+#                       for IPv6.
 #
+
 sub initialize( $ ) {
     $family = shift;
     @zones = ();
     %zones = ();
     $firewall_zone = '';
-    $have_ipsec = undef;
 
     @interfaces = ();
     %interfaces = ();
     @bport_zones = ();
     %ipsets = ();
-    %physical = ();
 
     if ( $family == F_IPV4 ) {
 	%validinterfaceoptions = (arp_filter  => BINARY_IF_OPTION,
@@ -224,13 +209,12 @@ sub initialize( $ ) {
 				  optional    => SIMPLE_IF_OPTION,
 				  proxyarp    => BINARY_IF_OPTION,
 				  routeback   => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST,
-				  routefilter => NUMERIC_IF_OPTION ,
+				  routefilter => BINARY_IF_OPTION ,
 				  sourceroute => BINARY_IF_OPTION,
 				  tcpflags    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  upnp        => SIMPLE_IF_OPTION,
 				  upnpclient  => SIMPLE_IF_OPTION,
 				  mss         => NUMERIC_IF_OPTION,
-				  physical    => STRING_IF_OPTION + IF_OPTION_HOST,
 				 );
 	%validhostoptions = (
 			     blacklist => 1,
@@ -248,15 +232,14 @@ sub initialize( $ ) {
 				    dhcp        => SIMPLE_IF_OPTION,
 				    maclist     => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    nets        => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY,
-				    nosmurfs    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
+				    nosmurfs    => SIMPLE_IF_OPTION,
 				    optional    => SIMPLE_IF_OPTION,
 				    proxyndp    => BINARY_IF_OPTION,
 				    routeback   => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST,
 				    sourceroute => BINARY_IF_OPTION,
 				    tcpflags    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    mss         => NUMERIC_IF_OPTION,
-				    forward     => BINARY_IF_OPTION,
-				    physical    => STRING_IF_OPTION + IF_OPTION_HOST,
+				    forward     => NUMERIC_IF_OPTION,
 				 );
 	%validhostoptions = (
 			     blacklist => 1,
@@ -267,6 +250,10 @@ sub initialize( $ ) {
     }
 }
 
+INIT {
+    initialize( F_IPV4 );
+}
+
 #
 # Parse the passed option list and return a reference to a hash as follows:
 #
@@ -343,7 +330,7 @@ sub set_super( $ );
 
 sub set_super( $ ) {
     my $zoneref = shift;
-
+    
     unless ( $zoneref->{options}{super} ) {
 	$zoneref->{options}{super} = 1;
 	set_super( $zones{$_} ) for @{$zoneref->{parents}};
@@ -375,9 +362,9 @@ sub process_zone( \$ ) {
     fatal_error "Invalid zone name ($zone)"      unless $zone =~ /^[a-z]\w*$/i && length $zone <= $globals{MAXZONENAMELENGTH};
     fatal_error "Invalid zone name ($zone)"      if $reservedName{$zone} || $zone =~ /^all2|2all$/;
     fatal_error( "Duplicate zone name ($zone)" ) if $zones{$zone};
-
-    if ( $type =~ /^ip(v([46]))?$/i ) {
-	fatal_error "Invalid zone type ($type)" if $1 && $2 != $family;
+    
+    if ( $type =~ /ipv([46])?/i ) {
+	fatal_error "Invalid zone type ($type)" if $1 && $1 != $family;
 	$type = IP;
 	$$ip = 1;
     } elsif ( $type =~ /^ipsec([46])?$/i ) {
@@ -402,18 +389,17 @@ sub process_zone( \$ ) {
     }
 
     if ( $type eq IPSEC ) {
-	require_capability 'POLICY_MATCH' , 'IPSEC zones', '';
 	for ( @parents ) {
 	    unless ( $zones{$_}{type} == IPSEC ) {
 		set_super( $zones{$_} );
 	    }
 	}
     }
-
+    
     for ( $options, $in_options, $out_options ) {
 	$_ = '' if $_ eq '-';
     }
-
+    
     $zones{$zone} = { type       => $type,
 		      parents    => \@parents,
 		      bridge     => '',
@@ -428,9 +414,9 @@ sub process_zone( \$ ) {
 		      children   => [] ,
 		      hosts      => {}
 		    };
-
+    
     return $zone;
-
+    
 }
 #
 # Parse the zones file.
@@ -494,7 +480,7 @@ sub zone_report()
 
     if ( $family == F_IPV4 ) {
 	@translate = ( undef, 'firewall', 'ipv4', 'bport4', 'ipsec4' );
-    } else {
+    } else { 
 	@translate = ( undef, 'firewall', 'ipv6', 'bport6', 'ipsec6' );
     }
 
@@ -514,19 +500,17 @@ sub zone_report()
 		my $interfaceref = $hostref->{$type};
 
 		for my $interface ( sort keys %$interfaceref ) {
-		    my $iref     = $interfaces{$interface};
 		    my $arrayref = $interfaceref->{$interface};
 		    for my $groupref ( @$arrayref ) {
 			my $hosts      = $groupref->{hosts};
+			my $exclusions = join ',', @{$groupref->{exclusions}};
 			if ( $hosts ) {
-			    my $grouplist  = join ',', ( @$hosts );
-			    my $exclusions = join ',', @{$groupref->{exclusions}};
+			    my $grouplist = join ',', ( @$hosts );
 			    $grouplist = join '!', ( $grouplist, $exclusions) if $exclusions;
-		
 			    if ( $family == F_IPV4 ) {
-				progress_message_nocompress "      $iref->{physical}:$grouplist";
+				progress_message_nocompress "      $interface:$grouplist";
 			    } else {
-				progress_message_nocompress "      $iref->{physical}:<$grouplist>";
+				progress_message_nocompress "      $interface:<$grouplist>";
 			    }
 			    $printed = 1;
 			}
@@ -544,16 +528,13 @@ sub zone_report()
     }
 }
 
-#
-# This function is called to create the contents of the ${VARDIR}/zones file
-#
 sub dump_zone_contents()
 {
     my @xlate;
 
     if ( $family == F_IPV4 ) {
 	@xlate = ( undef, 'firewall', 'ipv4', 'bport4', 'ipsec4' );
-    } else {
+    } else { 
 	@xlate = ( undef, 'firewall', 'ipv6', 'bport6', 'ipsec6' );
     }
 
@@ -573,21 +554,20 @@ sub dump_zone_contents()
 		my $interfaceref = $hostref->{$type};
 
 		for my $interface ( sort keys %$interfaceref ) {
-		    my $iref     = $interfaces{$interface};
 		    my $arrayref = $interfaceref->{$interface};
 		    for my $groupref ( @$arrayref ) {
 			my $hosts     = $groupref->{hosts};
+			my $exclusions = join ',', @{$groupref->{exclusions}};
 
 			if ( $hosts ) {
-			    my $grouplist  = join ',', ( @$hosts );
-			    my $exclusions = join ',', @{$groupref->{exclusions}};
+			    my $grouplist = join ',', ( @$hosts );
 
 			    $grouplist = join '!', ( $grouplist, $exclusions ) if $exclusions;
 
 			    if ( $family == F_IPV4 ) {
-				$entry .= " $iref->{physical}:$grouplist";
+				$entry .= " $interface:$grouplist";
 			    } else {
-				$entry .= " $iref->{physical}:<$grouplist>";
+				$entry .= " $interface:<$grouplist>";
 			    }
 			}
 		    }
@@ -621,6 +601,7 @@ sub add_group_to_zone($$$$$)
     my $interfaceref;
     my $zoneref  = $zones{$zone};
     my $zonetype = $zoneref->{type};
+    my $ifacezone = $interfaces{$interface}{zone};
 
     $zoneref->{interfaces}{$interface} = 1;
 
@@ -628,7 +609,8 @@ sub add_group_to_zone($$$$$)
     my @exclusions = ();
     my $new = \@newnetworks;
     my $switched = 0;
-    my $allip    = 0;
+
+    $ifacezone = '' unless defined $ifacezone;
 
     for my $host ( @$networks ) {
 	$interfaces{$interface}{nets}++;
@@ -644,18 +626,14 @@ sub add_group_to_zone($$$$$)
 
 	unless ( $switched ) {
 	    if ( $type == $zonetype ) {
-		fatal_error "Duplicate Host Group ($interface:$host) in zone $zone" if $interfaces{$interface}{zone} eq $zone;
-		if ( $host eq ALLIP ) {
-		    fatal_error "Duplicate Host Group ($interface:$host) in zone $zone" if @newnetworks;
-		    $interfaces{$interface}{zone} = $zone;
-		    $allip = 1;
-		}
+		fatal_error "Duplicate Host Group ($interface:$host) in zone $zone" if $ifacezone eq $zone;
+		$ifacezone = $zone if $host eq ALLIP;
 	    }
 	}
 
 	if ( substr( $host, 0, 1 ) eq '+' ) {
 	    fatal_error "Invalid ipset name ($host)" unless $host =~ /^\+[a-zA-Z]\w*$/;
-	    require_capability( 'IPSET_MATCH', 'Ipset names in host lists', '');
+	    require_capability( 'IPSET_MATCH', 'Ipset names in host lists', ''); 
 	} else {
 	    validate_host $host, 0;
 	}
@@ -671,9 +649,7 @@ sub add_group_to_zone($$$$$)
     $typeref      = ( $hostsref->{$gtype}         || ( $hostsref->{$gtype} = {} ) );
     $interfaceref = ( $typeref->{$interface}      || ( $typeref->{$interface} = [] ) );
 
-    fatal_error "Duplicate Host Group ($interface:" . ALLIP . ") in zone $zone" if $allip && @$interfaceref;
-
-    $zoneref->{options}{complex} = 1 if @$interfaceref || ( @newnetworks > 1 ) || ( @exclusions ) || $options->{routeback};
+    $zoneref->{options}{complex} = 1 if @$interfaceref || ( @newnetworks > 1 ) || ( @exclusions );
 
     push @{$interfaceref}, { options => $options,
 			     hosts   => \@newnetworks,
@@ -732,8 +708,8 @@ sub firewall_zone() {
 #
 sub process_interface( $ ) {
     my $nextinum = $_[0];
-    my $netsref = '';
-    my ($zone, $originalinterface, $bcasts, $options ) = split_line 2, 4, 'interfaces file';
+    my $nets;
+    my ($zone, $originalinterface, $networks, $options ) = split_line 2, 4, 'interfaces file';
     my $zoneref;
     my $bridge = '';
 
@@ -746,21 +722,18 @@ sub process_interface( $ ) {
 	fatal_error "Firewall zone not allowed in ZONE column of interface record" if $zoneref->{type} == FIREWALL;
     }
 
-    $bcasts = '' if $bcasts eq '-';
+    $networks = '' if $networks eq '-';
     $options  = '' if $options  eq '-';
 
     my ($interface, $port, $extra) = split /:/ , $originalinterface, 3;
 
     fatal_error "Invalid INTERFACE ($originalinterface)" if ! $interface || defined $extra;
 
-    if ( defined $port && $port ne '' ) {
+    if ( defined $port ) {
 	fatal_error qq("Virtual" interfaces are not supported -- see http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html) if $port =~ /^\d+$/;
 	require_capability( 'PHYSDEV_MATCH', 'Bridge Ports', '');
-	fatal_error "Your iptables is not recent enough to support bridge ports" unless have_capability( 'KLUDGEFREE' );
-
-	fatal_error "Invalid Interface Name ($interface:$port)" unless $port =~ /^[\w.@%-]+\+?$/;
+	fatal_error "Your iptables is not recent enough to support bridge ports" unless $capabilities{KLUDGEFREE};
 	fatal_error "Duplicate Interface ($port)" if $interfaces{$port};
-
 	fatal_error "$interface is not a defined bridge" unless $interfaces{$interface} && $interfaces{$interface}{options}{bridge};
 	fatal_error "Bridge Ports may only be associated with 'bport' zones" if $zone && $zoneref->{type} != BPORT;
 
@@ -772,6 +745,10 @@ sub process_interface( $ ) {
 	    }
 	}
 
+	next if $port eq '';
+
+	fatal_error "Invalid Interface Name ($interface:$port)" unless $port =~ /^[\w.@%-]+\+?$/;
+
 	$bridge = $interface;
 	$interface = $port;
     } else {
@@ -790,17 +767,16 @@ sub process_interface( $ ) {
 	$root = $interface;
     }
 
-    my $physical = $interface;
     my $broadcasts;
 
-    unless ( $bcasts eq '' || $bcasts eq 'detect' ) {
-	my @broadcasts = split_list $bcasts, 'address';
-
+    unless ( $networks eq '' || $networks eq 'detect' ) {
+	my @broadcasts = split_list $networks, 'address';
+	
 	for my $address ( @broadcasts ) {
 	    fatal_error 'Invalid BROADCAST address' unless $address =~ /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/;
 	}
 
-	if ( have_capability( 'ADDRTYPE' ) ) {
+	if ( $capabilities{ADDRTYPE} ) {
 	    warning_message 'Shorewall no longer uses broadcast addresses in rule generation when Address Type Match is available';
 	} else {
 	    $broadcasts = \@broadcasts;
@@ -816,7 +792,7 @@ sub process_interface( $ ) {
     if ( $options ) {
 
 	my %hostoptions = ( dynamic => 0 );
-
+	    
 	for my $option (split_list1 $options, 'option' ) {
 	    next if $option eq '-';
 
@@ -838,12 +814,12 @@ sub process_interface( $ ) {
 		$hostoptions{$option} = 1 if $hostopt;
 	    } elsif ( $type == BINARY_IF_OPTION ) {
 		$value = 1 unless defined $value;
-		fatal_error "Option value for '$option' must be 0 or 1" unless ( $value eq '0' || $value eq '1' );
-		fatal_error "The '$option' option may not be used with a wild-card interface name" if $wildcard;
+		fatal_error "Option value for $option must be 0 or 1" unless ( $value eq '0' || $value eq '1' );
+		fatal_error "The $option option may not be used with a wild-card interface name" if $wildcard;
 		$options{$option} = $value;
 		$hostoptions{$option} = $value if $hostopt;
 	    } elsif ( $type == ENUM_IF_OPTION ) {
-		fatal_error "The '$option' option may not be used with a wild-card interface name" if $wildcard;
+		fatal_error "The $option option may not be used with a wild-card interface name" if $wildcard;
 		if ( $option eq 'arp_ignore' ) {
 		    if ( defined $value ) {
 			if ( $value =~ /^[1-3,8]$/ ) {
@@ -858,14 +834,14 @@ sub process_interface( $ ) {
 		    assert( 0 );
 		}
 	    } elsif ( $type == NUMERIC_IF_OPTION ) {
-		$value = $defaultinterfaceoptions{$option} unless defined $value;
-		fatal_error "The '$option' option requires a value" unless defined $value;
+		fatal_error "The $option option requires a value" unless defined $value;
 		my $numval = numeric_value $value;
-		fatal_error "Invalid value ($value) for option $option" unless defined $numval && $numval <= $maxoptionvalue{$option};
+		fatal_error "Invalid value ($value) for option $option" unless defined $numval;
 		$options{$option} = $numval;
 		$hostoptions{$option} = $numval if $hostopt;
 	    } elsif ( $type == IPLIST_IF_OPTION ) {
-		fatal_error "The '$option' option requires a value" unless defined $value;
+		fatal_error "The $option option requires a value" unless defined $value;
+		fatal_error "Duplicate $option option" if $nets;
 		#
 		# Remove parentheses from address list if present
 		#
@@ -874,86 +850,50 @@ sub process_interface( $ ) {
 		# Add all IP to the front of a list if the list begins with '!'
 		#
 		$value = join ',' , ALLIP , $value if $value =~ /^!/;
-
-		if ( $option eq 'nets' ) {
-		    fatal_error q("nets=" may not be specified for a multi-zone interface) unless $zone;
-		    fatal_error "Duplicate $option option" if $netsref;
-		    if ( $value eq 'dynamic' ) {
-			require_capability( 'IPSET_MATCH', 'Dynamic nets', '');
-			$hostoptions{dynamic} = 1;
-			#
-			# Defer remaining processing until we have the final physical interface name
-			#
-			$netsref = 'dynamic';
-		    } else {
-			$hostoptions{multicast} = 1;
-			#
-			# Convert into a Perl array reference
-			#
-			$netsref = [ split_list $value, 'address' ];
-		    }
-		    #
-		    # Assume 'broadcast'
-		    #
-		    $hostoptions{broadcast} = 1;
-		} else {
-		    assert(0);
-		}
-	    } elsif ( $type == STRING_IF_OPTION ) {
-		fatal_error "The '$option' option requires a value" unless defined $value;
-
-		if ( $option eq 'physical' ) {
-		    fatal_error "Invalid Physical interface name ($value)" unless $value =~ /^[\w.@%-]+\+?$/;
-
-		    fatal_error "Duplicate physical interface name ($value)" if ( $physical{$value} && ! $port );
-
-		    fatal_error "The type of 'physical' name ($value) doesn't match the type of interface name ($interface)" if $wildcard && ! $value =~ /\+$/;
-		    $physical = $value;
-		} else {
-		    assert(0);
-		}
+		
+		if ( $value eq 'dynamic' ) {
+		    require_capability( 'IPSET_MATCH', 'Dynamic nets', '');
+		    $value = "+${zone}_${interface}";
+		    $hostoptions{dynamic} = 1;
+		    $ipsets{"${zone}_${interface}"} = 1;
+		}   
+		#
+		# Convert into a Perl array reference
+		#
+		$nets = [ split_list $value, 'address' ];
+		#
+		# Assume 'broadcast'
+		#
+		$hostoptions{broadcast} = 1;
 	    } else {
 		warning_message "Support for the $option interface option has been removed from Shorewall";
 	    }
 	}
 
-	if ( $netsref eq 'dynamic' ) {
-	    my $ipset = "${zone}_" . chain_base $physical;
-	    $netsref = [ "+$ipset" ];
-	    $ipsets{$ipset} = 1;
-	}
+	$zoneref->{options}{in_out}{routeback} = 1 if $zoneref && $options{routeback};
 
 	if ( $options{bridge} ) {
 	    require_capability( 'PHYSDEV_MATCH', 'The "bridge" option', 's');
 	    fatal_error "Bridges may not have wildcard names" if $wildcard;
-	    $options{routeback} = 1;
 	}
 
-	$zoneref->{options}{in_out}{routeback} = 1 if $zoneref && $options{routeback};
-
 	$hostoptionsref = \%hostoptions;
+
     }
 
-    $physical{$physical} = $interfaces{$interface} = { name       => $interface ,
-						       bridge     => $bridge ,
-						       nets       => 0 ,
-						       number     => $nextinum ,
-						       root       => $root ,
-						       broadcasts => $broadcasts ,
-						       options    => \%options ,
-						       zone       => '',
-						       physical   => $physical
-						     };
+    $interfaces{$interface} = { name       => $interface ,
+				bridge     => $bridge ,
+				nets       => 0 ,
+				number     => $nextinum ,
+				root       => $root ,
+				broadcasts => $broadcasts ,
+				options    => \%options };
 
-    if ( $zone ) {
-	$netsref ||= [ allip ];
-	add_group_to_zone( $zone, $zoneref->{type}, $interface, $netsref, $hostoptionsref );
-	add_group_to_zone( $zone, 
-			   $zoneref->{type}, 
-			   $interface, 
-			   [ IPv4_MULTICAST ], 
-			   { destonly => 1 } ) if $hostoptionsref->{multicast} && $interfaces{$interface}{zone} ne $zone;
-    } 
+    $nets = [ allip ] unless $nets; 
+
+    add_group_to_zone( $zone, $zoneref->{type}, $interface, $nets, $hostoptionsref ) if $zone;
+
+    $interfaces{$interface}{zone} = $zone; #Must follow the call to add_group_to_zone()
 
     progress_message "  Interface \"$currentline\" Validated";
 
@@ -1000,20 +940,6 @@ sub validate_interfaces_file( $ ) {
     fatal_error "No network interfaces defined" unless @interfaces;
 }
 
-#
-# Map the passed name to the corresponding physical name in the passed interface
-#
-sub map_physical( $$ ) {
-    my ( $name, $interfaceref ) = @_;
-    my $physical = $interfaceref->{physical};
-    
-    return $physical if $name eq $interfaceref->{name};
-
-    $physical =~ s/\+$//;
-
-    $physical . substr( $name, length  $interfaceref->{root} );
-}  
-
 #
 # Returns true if passed interface matches an entry in /etc/shorewall/interfaces
 #
@@ -1028,17 +954,13 @@ sub known_interface($)
 
     for my $i ( @interfaces ) {
 	$interfaceref = $interfaces{$i};
-	my $root = $interfaceref->{root};
-	if ( $i ne $root && substr( $interface, 0, length $root ) eq $root ) {
+	my $val = $interfaceref->{root};
+	next if $val eq $i;
+	if ( substr( $interface, 0, length $val ) eq $val ) {
 	    #
-	    # Cache this result for future reference. We set the 'name' to the name of the entry that appears in /etc/shorewall/interfaces and we do not set the root;
+	    # Cache this result for future reference. We set the 'name' to the name of the entry that appears in /etc/shorewall/interfaces.
 	    #
-	    return $interfaces{$interface} = { options  => $interfaceref->{options}, 
-					       bridge   => $interfaceref->{bridge} , 
-					       name     => $i , 
-					       number   => $interfaceref->{number} ,
-					       physical => map_physical( $interface, $interfaceref )
-					     };
+	    return $interfaces{$interface} = { options => $interfaceref->{options}, bridge => $interfaceref->{bridge} , name => $i , number => $interfaceref->{number} };
 	}
     }
 
@@ -1078,23 +1000,6 @@ sub find_interface( $ ) {
     $interfaceref;
 }
 
-#
-# Returns the physical interface associated with the passed logical name
-#
-sub get_physical( $ ) {
-    $interfaces{ $_[0] }->{physical};
-}
-
-#
-# This one doesn't insist that the passed name be the name of a configured interface
-#
-sub physical_name( $ ) {
-    my $device = shift;
-    my $devref = known_interface $device;
-
-    $devref ? $devref->{physical} : $device;
-}
-
 #
 # Returns true if there are bridge port zones defined in the config
 #
@@ -1135,11 +1040,7 @@ sub find_interfaces_by_option( $ ) {
     my @ints = ();
 
     for my $interface ( @interfaces ) {
-	my $interfaceref = $interfaces{$interface};
-	
-	next unless $interfaceref->{root};
-
-	my $optionsref = $interfaceref->{options};
+	my $optionsref = $interfaces{$interface}{options};
 	if ( $optionsref && defined $optionsref->{$option} ) {
 	    push @ints , $interface
 	}
@@ -1190,13 +1091,15 @@ sub process_host( ) {
 	} else {
 	    fatal_error "Invalid HOST(S) column contents: $hosts";
 	}
-    } elsif ( $hosts =~ /^([\w.@%-]+\+?):<(.*)>\s*$/ || $hosts =~ /^([\w.@%-]+\+?):\[(.*)\]\s*$/   ) {
-	$interface = $1;
-	$hosts = $2;
-	$zoneref->{options}{complex} = 1 if $hosts =~ /^\+/;
-	fatal_error "Unknown interface ($interface)" unless $interfaces{$interface}{root};
     } else {
-	fatal_error "Invalid HOST(S) column contents: $hosts";
+	if ( $hosts =~ /^([\w.@%-]+\+?):<(.*)>\s*$/ ) {
+	    $interface = $1;
+	    $hosts = $2;
+	    $zoneref->{options}{complex} = 1 if $hosts =~ /^\+/;
+	    fatal_error "Unknown interface ($interface)" unless $interfaces{$interface}{root};
+	} else {
+	    fatal_error "Invalid HOST(S) column contents: $hosts";
+	}
     }
 
     if ( $type == BPORT ) {
@@ -1216,7 +1119,6 @@ sub process_host( ) {
 
 	for my $option ( @options ) {
 	    if ( $option eq 'ipsec' ) {
-		require_capability 'POLICY_MATCH' , q(The 'ipsec' option), 's';
 		$type = IPSEC;
 		$zoneref->{options}{complex} = 1;
 		$ipsec = 1;
@@ -1249,13 +1151,12 @@ sub process_host( ) {
 
     if ( $hosts eq 'dynamic' ) {
 	require_capability( 'IPSET_MATCH', 'Dynamic nets', '');
-	my $physical = physical_name $interface;
-	$hosts = "+${zone}_${physical}";
+	$hosts = "+${zone}_${interface}";
 	$optionsref->{dynamic} = 1;
-	$ipsets{"${zone}_${physical}"} = 1;
-
+	$ipsets{"${zone}_${interface}"} = 1;
+	
     }
-
+   
     add_group_to_zone( $zone, $type , $interface, [ split_list( $hosts, 'host' ) ] , $optionsref);
 
     progress_message "   Host \"$currentline\" validated";
@@ -1272,19 +1173,11 @@ sub validate_hosts_file()
 
     my $fn = open_file 'hosts';
 
-    first_entry "$doing $fn...";
+    first_entry "doing $fn...";
 
     $ipsec |= process_host while read_a_line;
 
-    $have_ipsec = $ipsec || haveipseczones;
-
-}
-
-#
-# Return an indication of whether IPSEC is present
-#
-sub have_ipsec() {
-    return defined $have_ipsec ? $have_ipsec : have_capability 'POLICY_MATCH';
+    $capabilities{POLICY_MATCH} = '' unless $ipsec || haveipseczones;
 }
 
 #

Shorewall/Perl/compiler.pl

@@ -36,7 +36,6 @@
 #         --log=<filename>            # Log file
 #         --log_verbosity=<number>    # Log Verbosity range -1 to 2
 #         --family=<number>           # IP family; 4 = IPv4 (default), 6 = IPv6
-#         --preview                   # Preview the ruleset.
 #
 use strict;
 use FindBin;
@@ -45,6 +44,7 @@ use Shorewall::Compiler;
 use Getopt::Long;
 
 sub usage( $ ) {
+    my $returnval = shift @_;
 
     print STDERR 'usage: compiler.pl [ <option> ... ] [ <filename> ]
 
@@ -58,11 +58,10 @@ sub usage( $ ) {
     [ --log=<filename> ]
     [ --log-verbose={-1|0-2} ]
     [ --test ]
-    [ --preview ]
     [ --family={4|6} ]
 ';
 
-    exit shift @_;
+    $returnval;
 }
 
 #
@@ -79,7 +78,6 @@ my $log_verbose   = 0;
 my $help          = 0;
 my $test          = 0;
 my $family        = 4; # F_IPV4
-my $preview       = 0;
 
 Getopt::Long::Configure ('bundling');
 
@@ -100,7 +98,6 @@ my $result = GetOptions('h'               => \$help,
 			'l=s'             => \$log,
 			'log_verbosity=i' => \$log_verbose,
 			'test'            => \$test,
-			'preview'         => \$preview,
 			'f=i'             => \$family,
 			'family=i'        => \$family,
 		       );
@@ -108,15 +105,14 @@ my $result = GetOptions('h'               => \$help,
 usage(1) unless $result && @ARGV < 2;
 usage(0) if $help;
 
-compiler( script          => $ARGV[0] || '',
-	  directory       => $shorewall_dir,
-	  verbosity       => $verbose,
+compiler( object          => defined $ARGV[0] ? $ARGV[0] : '', 
+	  directory       => $shorewall_dir, 
+	  verbosity       => $verbose, 
 	  timestamp       => $timestamp,
-	  debug           => $debug,
+	  debug           => $debug, 
 	  export          => $export,
 	  chains          => $chains,
 	  log             => $log,
 	  log_verbosity   => $log_verbose,
 	  test            => $test,
-	  preview         => $preview,
 	  family          => $family );

Shorewall/Perl/prog.footer

@@ -1,6 +1,283 @@
 ###############################################################################
 # Code imported from /usr/share/shorewall/prog.footer
 ###############################################################################
+#
+# Clear Proxy Arp
+#
+delete_proxyarp() {
+    if [ -f ${VARDIR}/proxyarp ]; then
+	while read address interface external haveroute; do
+	    qt arp -i $external -d $address pub
+	    [ -z "${haveroute}${NOROUTES}" ] && qt $IP -4 route del $address dev $interface
+	    f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
+	    [ -f $f ] && echo 0 > $f
+	done < ${VARDIR}/proxyarp
+    fi
+
+    rm -f ${VARDIR}/proxyarp
+}
+
+#
+# Remove all Shorewall-added rules
+#
+clear_firewall() {
+    stop_firewall
+
+    setpolicy INPUT ACCEPT
+    setpolicy FORWARD ACCEPT
+    setpolicy OUTPUT ACCEPT
+
+    run_iptables -F
+
+    echo 1 > /proc/sys/net/ipv4/ip_forward
+
+    if [ -n "$DISABLE_IPV6" ]; then
+	if [ -x $IPTABLES ]; then
+    	    $IP6TABLES -P INPUT   ACCEPT 2> /dev/null
+	    $IP6TABLES -P OUTPUT  ACCEPT 2> /dev/null
+	    $IP6TABLES -P FORWARD ACCEPT 2> /dev/null
+	fi
+    fi
+
+    run_clear_exit
+
+    set_state "Cleared"
+
+    logger -p kern.info "$PRODUCT Cleared"
+}
+
+#
+# Issue a message and stop/restore the firewall
+#
+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+
+    if [ $LOG_VERBOSE -gt 1 ]; then
+        timestamp="$(date +'%_b %d %T') "
+        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
+    fi
+
+    stop_firewall
+    [ -n "$TEMPFILE" ] && rm -f $TEMPFILE
+    exit 2
+}
+
+#
+# Issue a message and stop
+#
+startup_error() # $* = Error Message
+{
+    echo "   ERROR: $@: Firewall state not changed" >&2
+    case $COMMAND in
+        start)
+	    logger -p kern.err "ERROR:$PRODUCT start failed:Firewall state not changed"
+	    ;;
+	restart)
+	    logger -p kern.err "ERROR:$PRODUCT restart failed:Firewall state not changed"
+	    ;;
+	restore)
+	    logger -p kern.err "ERROR:$PRODUCT restore failed:Firewall state not changed"
+	    ;;
+    esac
+
+    if [ $LOG_VERBOSE -gt 1 ]; then
+        timestamp="$(date +'%_b %d %T') "
+
+	case $COMMAND in
+	    start)
+		echo "${timestamp}  ERROR:$PRODUCT start failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	    restart)
+		echo "${timestamp}  ERROR:$PRODUCT restart failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	    restore)
+		echo "${timestamp}  ERROR:$PRODUCT restore failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	esac
+    fi
+
+    kill $$
+    exit 2
+}
+
+#
+# Run iptables and if an error occurs, stop/restore the firewall
+#
+run_iptables()
+{
+    local status
+
+    while [ 1 ]; do
+	$IPTABLES $@
+	status=$?
+	[ $status -ne 4 ] && break
+    done
+
+    if [ $status -ne 0 ]; then
+        error_message "ERROR: Command \"$IPTABLES $@\" Failed"
+	stop_firewall
+        exit 2
+    fi
+}
+
+#
+# Run iptables retrying exit status 4
+#
+do_iptables()
+{
+    local status
+
+    while [ 1 ]; do
+	$IPTABLES $@
+	status=$?
+	[ $status -ne 4 ] && return $status;
+    done
+}
+
+#
+# Run iptables and if an error occurs, stop/restore the firewall
+#
+run_ip()
+{
+    if ! $IP -4 $@; then
+	error_message "ERROR: Command \"$IP -4 $@\" Failed"
+	stop_firewall
+	exit 2
+    fi
+}
+
+#
+# Run tc and if an error occurs, stop/restore the firewall
+#
+run_tc() {
+    if ! $TC $@ ; then
+	error_message "ERROR: Command \"$TC $@\" Failed"
+	stop_firewall
+	exit 2
+    fi
+}
+
+#
+# Restore the rules generated by 'drop','reject','logdrop', etc.
+#
+restore_dynamic_rules() {
+    if [ -f ${VARDIR}/save ]; then
+	progress_message2 "Setting up dynamic rules..."
+	rangematch='source IP range'
+	while read target ignore1 ignore2 address ignore3 rest; do
+	    case $target in
+		DROP|reject|logdrop|logreject)
+		    case $rest in
+			$rangematch*)
+			    run_iptables -A dynamic -m iprange --src-range ${rest#source IP range} -j $target
+			    ;;
+			*)
+			    if [ -z "$rest" ]; then
+				run_iptables -A dynamic -s $address -j $target
+			    else
+				error_message "WARNING: Unable to restore dynamic rule \"$target $ignore1 $ignore2 $address $ignore3 $rest\""
+			    fi
+			    ;;
+		    esac
+		    ;;
+	    esac
+	done < ${VARDIR}/save
+    fi
+}
+
+#
+# Get a list of all configured broadcast addresses on the system
+#
+get_all_bcasts()
+{
+    $IP -f inet addr show 2> /dev/null | grep 'inet.*brd' | grep -v '/32 ' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
+}
+
+#
+# Run the .iptables_restore_input as a set of discrete iptables commands
+#
+debug_restore_input() {
+    local first second rest table chain
+    #
+    # Clear the ruleset 
+    #
+    qt1 $IPTABLES -t mangle -F
+    qt1 $IPTABLES -t mangle -X
+
+    for chain in PREROUTING INPUT FORWARD POSTROUTING; do
+	qt1 $IPTABLES -t mangle -P $chain ACCEPT
+    done
+
+    qt1 $IPTABLES -t raw    -F
+    qt1 $IPTABLES -t raw    -X
+
+    for chain in PREROUTING OUTPUT; do
+	qt1 $IPTABLES -t raw -P $chain ACCEPT
+    done
+
+    run_iptables -t nat -F
+    run_iptables -t nat -X
+
+    for chain in PREROUTING POSTROUTING OUTPUT; do
+	qt1 $IPTABLES -t nat -P $chain ACCEPT
+    done
+
+    qt1 $IPTABLES -t filter -F
+    qt1 $IPTABLES -t filter -X
+
+    for chain in INPUT FORWARD OUTPUT; do
+	qt1 $IPTABLES -t filter -P $chain -P ACCEPT
+    done
+
+    while read first second rest; do
+	case $first in
+	    -*)
+		#
+		# We can't call run_iptables() here because the rules may contain quoted strings
+		#
+		eval $IPTABLES -t $table $first $second $rest
+
+		if [ $? -ne 0 ]; then
+		    error_message "ERROR: Command \"$IPTABLES $first $second $rest\" Failed"
+		    stop_firewall
+		    exit 2
+		fi
+		;;
+	    :*)
+		chain=${first#:}
+
+		if [ "x$second" = x- ]; then
+		    do_iptables -t $table -N $chain
+		else
+		    do_iptables -t $table -P $chain $second
+		fi
+
+		if [ $? -ne 0 ]; then
+		    error_message "ERROR: Command \"$IPTABLES $first $second $rest\" Failed"
+		    stop_firewall
+		    exit 2
+		fi
+		;;
+	    #
+	    # This grotesque hack with the table names works around a bug/feature with ash
+	    #
+	    '*'raw)
+		table=raw
+		;;
+	    '*'mangle)
+		table=mangle
+		;;
+	    '*'nat)
+		table=nat
+		;;
+	    '*'filter)
+		table=filter
+		;;
+	esac
+    done
+}
+
 #
 # Give Usage Information
 #
@@ -14,7 +291,7 @@ usage() {
 #
 # Start trace if first arg is "debug" or "trace"
 #
-if [ $# -gt 1 ]; then
+if [ $# -gt 1 ]; then 
     if [ "x$1" = "xtrace" ]; then
 	set -x
 	shift
@@ -23,23 +300,10 @@ if [ $# -gt 1 ]; then
 	shift
     fi
 fi
-#
-# Map VERBOSE to VERBOSITY for compatibility with old Shorewall-lite installations
-#
-[ -z "$VERBOSITY" ] && [ -n "$VERBOSE" ] && VERBOSITY=$VERBOSE
-#
-# Map other old exported variables
-#
-g_purge=$PURGE
-g_noroutes=$NOROUTES
-g_timestamp=$TIMESTAMP
-g_recovering=$RECOVERING
 
 initialize
 
 if [ -n "$STARTUP_LOG" ]; then
-    touch $STARTUP_LOG
-    chmod 0600 $STARTUP_LOG
     if [ ${SHOREWALL_INIT_SCRIPT:-0} -eq 1 ]; then
 	#
 	# We're being run by a startup script that isn't redirecting STDOUT
@@ -62,78 +326,17 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do
 	    while [ -n "$option" ]; do
 		case $option in
 		    v*)
-			VERBOSITY=$(($VERBOSITY + 1 ))
+			VERBOSE=$(($VERBOSE + 1 ))
 			option=${option#v}
 			;;
 		    q*)
-			VERBOSITY=$(($VERBOSITY - 1 ))
+			VERBOSE=$(($VERBOSE - 1 ))
 			option=${option#q}
 			;;
 		    n*)
-			g_noroutes=Yes
+			NOROUTES=Yes
 			option=${option#n}
 			;;
-		    t*)
-			g_timestamp=Yes
-			option=${option#t}
-			;;			
-		    p*)
-			g_noroutes=Yes
-			option=${option#p}
-			;;
-		    r*)
-			g_recovering=Yes
-			option=${option#r}
-			;;
-		    V*)
-			option=${option#V}
-
-			if [ -z "$option" -a $# -gt 0 ]; then
-			    shift
-			    option=$1
-			fi
-
-			if [ -n "$option" ]; then
-			    case $option in
-				-1|0|1|2)
-				    VERBOSITY=$option
-				    option=
-				    ;;
-				*)
-				    startup_error "Invalid -V option value ($option)"
-				    ;;
-			    esac
-			else
-			    startup_error "Missing -V option value"
-			fi
-			;;
-		    R*)
-			option=${option#R}
-
-			if [ -z "$option" -a $# -gt 0 ]; then
-			    shift
-			    option=$1
-			fi
-
-			if [ -n "$option" ]; then
-			    case $option in
-				*/*)		    
-	    			    startup_error "-R must specify a simple file name: $option"
-				    ;;
-				.safe|.try|NONE)
-				    ;;
-				.*)
-				    error_message "ERROR: Reserved File Name: $RESTOREFILE"
-				    exit 2
-				    ;;
-			    esac
-			else
-			    startup_error "Missing -R option value"
-			fi
-
-			RESTOREFILE=$option
-			option=
-			;;
 		    *)
 			usage 1
 			;;
@@ -149,15 +352,16 @@ done
 
 COMMAND="$1"
 
+[ -n "${PRODUCT:=Shorewall}" ]
+
 case "$COMMAND" in
     start)
 	[ $# -ne 1 ] && usage 2
 	if shorewall_is_started; then
-	    error_message "$g_product is already Running"
+	    error_message "$PRODUCT is already Running"
 	    status=0
 	else
-	    progress_message3 "Starting $g_product...."
-	    detect_configuration
+	    progress_message3 "Starting $PRODUCT...."
 	    define_firewall
 	    status=$?
 	    [ -n "$SUBSYSLOCK" -a $status -eq 0 ] && touch $SUBSYSLOCK
@@ -166,8 +370,7 @@ case "$COMMAND" in
 	;;
     stop)
 	[ $# -ne 1 ] && usage 2
-	progress_message3 "Stopping $g_product...."
-	detect_configuration
+	progress_message3 "Stopping $PRODUCT...."
 	stop_firewall
 	status=0
 	[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
@@ -175,7 +378,7 @@ case "$COMMAND" in
 	;;
     reset)
 	if ! shorewall_is_started ; then
-	    error_message "$g_product is not running"
+	    error_message "$PRODUCT is not running"
 	    status=2
 	elif [ $# -eq 1 ]; then
 	    $IPTABLES -Z
@@ -183,7 +386,7 @@ case "$COMMAND" in
 	    $IPTABLES -t mangle -Z
 	    date > ${VARDIR}/restarted
 	    status=0
-	    progress_message3 "$g_product Counters Reset"
+	    progress_message3 "$PRODUCT Counters Reset"
 	else
 	    shift
 	    status=0
@@ -205,13 +408,12 @@ case "$COMMAND" in
     restart)
 	[ $# -ne 1 ] && usage 2
 	if shorewall_is_started; then
-	    progress_message3 "Restarting $g_product...."
+	    progress_message3 "Restarting $PRODUCT...."
 	else
-	    error_message "$g_product is not running"
-	    progress_message3 "Starting $g_product...."
+	    error_message "$PRODUCT is not running"
+	    progress_message3 "Starting $PRODUCT...."
 	fi
 
-	detect_configuration
 	define_firewall
 	status=$?
 	if [ -n "$SUBSYSLOCK" ]; then
@@ -222,19 +424,17 @@ case "$COMMAND" in
     refresh)
 	[ $# -ne 1 ] && usage 2
 	if shorewall_is_started; then
-	    progress_message3 "Refreshing $g_product...."
-	    detect_configuration
+	    progress_message3 "Refreshing $PRODUCT...."
 	    define_firewall
 	    status=$?
 	    progress_message3 "done."
 	else
-	    echo "$g_product is not running" >&2
+	    echo "$PRODUCT is not running" >&2
 	    status=2
 	fi
 	;;
     restore)
 	[ $# -ne 1 ] && usage 2
-	detect_configuration
 	define_firewall
 	status=$?
 	if [ -n "$SUBSYSLOCK" ]; then
@@ -243,7 +443,7 @@ case "$COMMAND" in
 	;;
     clear)
 	[ $# -ne 1 ] && usage 2
-	progress_message3 "Clearing $g_product...."
+	progress_message3 "Clearing $PRODUCT...."
 	clear_firewall
 	status=0
 	[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
@@ -251,13 +451,13 @@ case "$COMMAND" in
 	;;
     status)
 	[ $# -ne 1 ] && usage 2
-	echo "$g_product-$SHORWEALL_VERSION Status at $(hostname) - $(date)"
+	echo "$PRODUCT-$VERSION Status at $HOSTNAME - $(date)"
 	echo
 	if shorewall_is_started; then
-	    echo "$g_product is running"
+	    echo "$PRODUCT is running"
 	    status=0
 	else
-	    echo "$g_product is stopped"
+	    echo "$PRODUCT is stopped"
 	    status=4
 	fi
 
@@ -276,7 +476,7 @@ case "$COMMAND" in
 	;;
     version)
 	[ $# -ne 1 ] && usage 2
-	echo $SHOREWALL_VERSION
+	echo $VERSION
 	status=0
 	;;
     help)

Shorewall/Perl/prog.footer6

@@ -1,6 +1,244 @@
 ###############################################################################
 # Code imported from /usr/share/shorewall/prog.footer6
 ###############################################################################
+#
+# Remove all Shorewall-added rules
+#
+clear_firewall() {
+    stop_firewall
+
+    setpolicy INPUT ACCEPT
+    setpolicy FORWARD ACCEPT
+    setpolicy OUTPUT ACCEPT
+
+    run_iptables -F
+
+    echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
+
+    run_clear_exit
+
+    set_state "Cleared"
+
+    logger -p kern.info "$PRODUCT Cleared"
+}
+
+#
+# Issue a message and stop/restore the firewall
+#
+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+
+    if [ $LOG_VERBOSE -gt 1 ]; then
+        timestamp="$(date +'%_b %d %T') "
+        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
+    fi
+
+    stop_firewall
+    [ -n "$TEMPFILE" ] && rm -f $TEMPFILE
+    exit 2
+}
+
+#
+# Issue a message and stop
+#
+startup_error() # $* = Error Message
+{
+    echo "   ERROR: $@: Firewall state not changed" >&2
+    case $COMMAND in
+        start)
+	    logger -p kern.err "ERROR:$PRODUCT start failed:Firewall state not changed"
+	    ;;
+	restart)
+	    logger -p kern.err "ERROR:$PRODUCT restart failed:Firewall state not changed"
+	    ;;
+	restore)
+	    logger -p kern.err "ERROR:$PRODUCT restore failed:Firewall state not changed"
+	    ;;
+    esac
+
+    if [ $LOG_VERBOSE -gt 1 ]; then
+        timestamp="$(date +'%_b %d %T') "
+
+	case $COMMAND in
+	    start)
+		echo "${timestamp}  ERROR:$PRODUCT start failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	    restart)
+		echo "${timestamp}  ERROR:$PRODUCT restart failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	    restore)
+		echo "${timestamp}  ERROR:$PRODUCT restore failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	esac
+    fi
+
+    kill $$
+    exit 2
+}
+
+#
+# Run iptables and if an error occurs, stop/restore the firewall
+#
+run_iptables()
+{
+    local status
+
+    while [ 1 ]; do
+	$IP6TABLES $@
+	status=$?
+	[ $status -ne 4 ] && break
+    done
+
+    if [ $status -ne 0 ]; then
+        error_message "ERROR: Command \"$IP6TABLES $@\" Failed"
+	stop_firewall
+        exit 2
+    fi
+}
+
+#
+# Run iptables retrying exit status 4
+#
+do_iptables()
+{
+    local status
+
+    while [ 1 ]; do
+	$IP6TABLES $@
+	status=$?
+	[ $status -ne 4 ] && return $status;
+    done
+}
+
+#
+# Run iptables and if an error occurs, stop/restore the firewall
+#
+run_ip()
+{
+    if ! $IP -6 $@; then
+	error_message "ERROR: Command \"$IP -6 $@\" Failed"
+	stop_firewall
+	exit 2
+    fi
+}
+
+#
+# Run tc and if an error occurs, stop/restore the firewall
+#
+run_tc() {
+    if ! $TC $@ ; then
+	error_message "ERROR: Command \"$TC $@\" Failed"
+	stop_firewall
+	exit 2
+    fi
+}
+
+#
+# Restore the rules generated by 'drop','reject','logdrop', etc.
+#
+restore_dynamic_rules() {
+    if [ -f ${VARDIR}/save ]; then
+	progress_message2 "Setting up dynamic rules..."
+	rangematch='source IP range'
+	while read target ignore1 ignore2 address ignore3 rest; do
+	    case $target in
+		DROP|reject|logdrop|logreject)
+		    case $rest in
+			$rangematch*)
+			    run_iptables -A dynamic -m iprange --src-range ${rest#source IP range} -j $target
+			    ;;
+			*)
+			    if [ -z "$rest" ]; then
+				run_iptables -A dynamic -s $address -j $target
+			    else
+				error_message "WARNING: Unable to restore dynamic rule \"$target $ignore1 $ignore2 $address $ignore3 $rest\""
+			    fi
+			    ;;
+		    esac
+		    ;;
+	    esac
+	done < ${VARDIR}/save
+    fi
+}
+
+#
+# Run the .iptables_restore_input as a set of discrete iptables commands
+#
+debug_restore_input() {
+    local first second rest table chain
+    #
+    # Clear the ruleset 
+    #
+    qt1 $IP6TABLES -t mangle -F
+    qt1 $IP6TABLES -t mangle -X
+
+    for chain in PREROUTING INPUT FORWARD POSTROUTING; do
+	qt1 $IP6TABLES -t mangle -P $chain ACCEPT
+    done
+
+    qt1 $IP6TABLES -t raw    -F
+    qt1 $IP6TABLES -t raw    -X
+
+    for chain in PREROUTING OUTPUT; do
+	qt1 $IP6TABLES -t raw -P $chain ACCEPT
+    done
+
+    qt1 $IP6TABLES -t filter -F
+    qt1 $IP6TABLES -t filter -X
+
+    for chain in INPUT FORWARD OUTPUT; do
+	qt1 $IP6TABLES -t filter -P $chain -P ACCEPT
+    done
+
+    while read first second rest; do
+	case $first in
+	    -*)
+		#
+		# We can't call run_iptables() here because the rules may contain quoted strings
+		#
+		eval $IP6TABLES -t $table $first $second $rest
+
+		if [ $? -ne 0 ]; then
+		    error_message "ERROR: Command \"$IP6TABLES $first $second $rest\" Failed"
+		    stop_firewall
+		    exit 2
+		fi
+		;;
+	    :*)
+		chain=${first#:}
+
+		if [ "x$second" = x- ]; then
+		    do_iptables -t $table -N $chain
+		else
+		    do_iptables -t $table -P $chain $second
+		fi
+
+		if [ $? -ne 0 ]; then
+		    error_message "ERROR: Command \"$IP6TABLES $first $second $rest\" Failed"
+		    stop_firewall
+		    exit 2
+		fi
+		;;
+	    #
+	    # This grotesque hack with the table names works around a bug/feature with ash
+	    #
+	    '*'raw)
+		table=raw
+		;;
+	    '*'mangle)
+		table=mangle
+		;;
+	    '*'nat)
+		table=nat
+		;;
+	    '*'filter)
+		table=filter
+		;;
+	esac
+    done
+}
+
 #
 # Give Usage Information
 #
@@ -14,7 +252,7 @@ usage() {
 #
 # Start trace if first arg is "debug" or "trace"
 #
-if [ $# -gt 1 ]; then
+if [ $# -gt 1 ]; then 
     if [ "x$1" = "xtrace" ]; then
 	set -x
 	shift
@@ -23,23 +261,10 @@ if [ $# -gt 1 ]; then
 	shift
     fi
 fi
-#
-# Map VERBOSE to VERBOSITY for compatibility with old Shorewall6-lite installations
-#
-[ -z "$VERBOSITY" ] && [ -n "$VERBOSE" ] && VERBOSITY=$VERBOSE
-#
-# Map other old exported variables
-#
-g_purge=$PURGE
-g_noroutes=$NOROUTES
-g_timestamp=$TIMESTAMP
-g_recovering=$RECOVERING
 
 initialize
 
 if [ -n "$STARTUP_LOG" ]; then
-    touch $STARTUP_LOG
-    chmod 0600 $STARTUP_LOG
     if [ ${SHOREWALL_INIT_SCRIPT:-0} -eq 1 ]; then
 	#
 	# We're being run by a startup script that isn't redirecting STDOUT
@@ -62,77 +287,19 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do
 	    while [ -n "$option" ]; do
 		case $option in
 		    v*)
-			VERBOSITY=$(($VERBOSITY + 1 ))
+			VERBOSE=$(($VERBOSE + 1 ))
 			option=${option#v}
 			;;
 		    q*)
-			VERBOSITY=$(($VERBOSITY - 1 ))
+			VERBOSE=$(($VERBOSE - 1 ))
 			option=${option#q}
 			;;
 		    n*)
-			g_noroutes=Yes
+			NOROUTES=Yes
 			option=${option#n}
 			;;
-		    t*)
-			g_timestamp=Yes
-			option=${option#t}
-			;;			
-		    p*)
-			g_purge=Yes
-			option=${option#p}
-			;;
-		    r*)
-			g_recovering=Yes
-			option=${option#r}
-			;;
-		    V*)
-			option=${option#V}
-
-			if [ -z "$option" -a $# -gt 0 ]; then
-			    shift
-			    option=$1
-			fi
-
-			if [ -n "$option" ]; then
-			    case $option in
-				-1|0|1|2)
-				    VERBOSITY=$option
-				    option=
-				    ;;
-				*)
-				    startup_error "Invalid -V option value ($option)"
-				    ;;
-			    esac
-			else
-			    startup_error "Missing -V option value"
-			fi
-			;;
-		    R*)
-			option=${option#R}
-
-			if [ -z "$option" -a $# -gt 0 ]; then
-			    shift
-			    option=$1
-			fi
-
-			if [ -n "$option" ]; then
-			    case $option in
-				*/*)		    
-	    			    startup_error "-R must specify a simple file name: $option"
-				    ;;
-				.safe|.try|NONE)
-				    ;;
-				.*)
-				    error_message "ERROR: Reserved File Name: $RESTOREFILE"
-				    exit 2
-				    ;;
-			    esac
-			else
-			    startup_error "Missing -R option value"
-			fi
-
-			RESTOREFILE=$option
-			option=
+		    *)
+			usage 1
 			;;
 		esac
 	    done
@@ -146,20 +313,21 @@ done
 
 COMMAND="$1"
 
-kernel=$(printf "%2d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
+[ -n "${PRODUCT:=Shorewall6}" ]
+
+kernel=$(printf "%2d%02d%02d\n" $(echo $(uname -r) 2> /dev/null | sed 's/-.*//' | tr '.' ' ' ) | head -n1)
 if [ $kernel -lt 20624 ]; then
-    error_message "ERROR: $g_product requires Linux kernel 2.6.24 or later"
+    error_message "ERROR: $PRODUCT requires Linux kernel 2.6.24 or later"
     status=2
-else
+else 
     case "$COMMAND" in
 	start)
 	    [ $# -ne 1 ] && usage 2
 	    if shorewall6_is_started; then
-		error_message "$g_product is already Running"
+		error_message "$PRODUCT is already Running"
 		status=0
 	    else
-		progress_message3 "Starting $g_product...."
-		detect_configuration
+		progress_message3 "Starting $PRODUCT...."
 		define_firewall
 		status=$?
 		[ -n "$SUBSYSLOCK" -a $status -eq 0 ] && touch $SUBSYSLOCK
@@ -168,8 +336,7 @@ else
 	    ;;
 	stop)
 	    [ $# -ne 1 ] && usage 2
-	    progress_message3 "Stopping $g_product...."
-	    detect_configuration
+	    progress_message3 "Stopping $PRODUCT...."
 	    stop_firewall
 	    status=0
 	    [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
@@ -177,14 +344,14 @@ else
 	    ;;
 	reset)
 	    if ! shorewall6_is_started ; then
-		error_message "$g_product is not running"
+		error_message "$PRODUCT is not running"
 		status=2
 	    elif [ $# -eq 1 ]; then
 		$IP6TABLES -Z
 		$IP6TABLES -t mangle -Z
 		date > ${VARDIR}/restarted
 		status=0
-		progress_message3 "$g_product Counters Reset"
+		progress_message3 "$PRODUCT Counters Reset"
 	    else
 		shift
 		status=0
@@ -206,13 +373,12 @@ else
 	restart)
 	    [ $# -ne 1 ] && usage 2
 	    if shorewall6_is_started; then
-		progress_message3 "Restarting $g_product...."
+		progress_message3 "Restarting $PRODUCT...."
 	    else
-		error_message "$g_product is not running"
-		progress_message3 "Starting $g_product...."
+		error_message "$PRODUCT is not running"
+		progress_message3 "Starting $PRODUCT...."
 	    fi
 
-	    detect_configuration
 	    define_firewall
 	    status=$?
 	    if [ -n "$SUBSYSLOCK" ]; then
@@ -223,19 +389,17 @@ else
 	refresh)
 	    [ $# -ne 1 ] && usage 2
 	    if shorewall6_is_started; then
-		progress_message3 "Refreshing $g_product...."
-		detect_configuration
+		progress_message3 "Refreshing $PRODUCT...."
 		define_firewall
 		status=$?
 		progress_message3 "done."
 	    else
-		echo "$g_product is not running" >&2
+		echo "$PRODUCT is not running" >&2
 		status=2
 	    fi
 	    ;;
 	restore)
 	    [ $# -ne 1 ] && usage 2
-	    detect_configuration
 	    define_firewall
 	    status=$?
 	    if [ -n "$SUBSYSLOCK" ]; then
@@ -244,7 +408,7 @@ else
 	    ;;
 	clear)
 	    [ $# -ne 1 ] && usage 2
-	    progress_message3 "Clearing $g_product...."
+	    progress_message3 "Clearing $PRODUCT...."
 	    clear_firewall
 	    status=0
 	    [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
@@ -252,13 +416,13 @@ else
 	    ;;
 	status)
 	    [ $# -ne 1 ] && usage 2
-	    echo "$g_product-$SHOREWALL_VERSION Status at $(hostname) - $(date)"
+	    echo "$PRODUCT-$VERSION Status at $HOSTNAME - $(date)"
 	    echo
 	    if shorewall6_is_started; then
-		echo "$g_product is running"
+		echo "$PRODUCT is running"
 		status=0
 	    else
-		echo "$g_product is stopped"
+		echo "$PRODUCT is stopped"
 		status=4
 	    fi
 
@@ -277,7 +441,7 @@ else
 	    ;;
 	version)
 	    [ $# -ne 1 ] && usage 2
-	    echo $SHOREWALL_VERSION
+	    echo $VERSION
 	    status=0
 	    ;;
 	help)

Shorewall/Perl/prog.header

@@ -1,5 +1,3 @@
-#!/bin/sh
-#
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 #     (c) 1999-2009 - Tom Eastep (teastep@shorewall.net)
@@ -24,6 +22,14 @@
 ################################################################################
 # Functions imported from /usr/share/shorewall/prog.header
 ################################################################################
+#
+# Message to stderr
+#
+error_message() # $* = Error Message
+{
+   echo "   $@" >&2
+}
+
 #
 # Conditionally produce message
 #
@@ -32,12 +38,12 @@ progress_message() # $* = Message
     local timestamp
     timestamp=
 
-    if [ $VERBOSITY -gt 1 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
+    if [ $VERBOSE -gt 1 ]; then
+	[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
     fi
 
-    if [ $LOG_VERBOSITY -gt 1 ]; then
+    if [ $LOG_VERBOSE -gt 1 ]; then
         timestamp="$(date +'%b %_d %T') "
         echo "${timestamp}$@" >> $STARTUP_LOG
     fi
@@ -48,12 +54,12 @@ progress_message2() # $* = Message
     local timestamp
     timestamp=
 
-    if [ $VERBOSITY -gt 0 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
+    if [ $VERBOSE -gt 0 ]; then
+	[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
     fi
 
-    if [ $LOG_VERBOSITY -gt 0 ]; then
+    if [ $LOG_VERBOSE -gt 0 ]; then
         timestamp="$(date +'%b %_d %T') "
         echo "${timestamp}$@" >> $STARTUP_LOG
     fi
@@ -64,17 +70,53 @@ progress_message3() # $* = Message
     local timestamp
     timestamp=
 
-    if [ $VERBOSITY -ge 0 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
+    if [ $VERBOSE -ge 0 ]; then
+	[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
     fi
 
-    if [ $LOG_VERBOSITY -ge 0 ]; then
+    if [ $LOG_VERBOSE -ge 0 ]; then
         timestamp="$(date +'%b %_d %T') "
         echo "${timestamp}$@" >> $STARTUP_LOG
     fi
 }
 
+#
+# Split a colon-separated list into a space-separated list
+#
+split() {
+    local ifs
+    ifs=$IFS
+    IFS=:
+    echo $*
+    IFS=$ifs
+}
+
+#
+# Search a list looking for a match -- returns zero if a match found
+# 1 otherwise
+#
+list_search() # $1 = element to search for , $2-$n = list
+{
+    local e
+    e=$1
+
+    while [ $# -gt 1 ]; do
+	shift
+	[ "x$e" = "x$1" ] && return 0
+    done
+
+    return 1
+}
+
+#
+# Suppress all output for a command
+#
+qt()
+{
+    "$@" >/dev/null 2>&1
+}
+
 qt1()
 {
     local status
@@ -86,6 +128,35 @@ qt1()
     done
 }
 
+#
+# Determine if Shorewall is "running"
+#
+shorewall_is_started() {
+    qt1 $IPTABLES -L shorewall -n
+}
+
+#
+# Echos the fully-qualified name of the calling shell program
+#
+my_pathname() {
+    cd $(dirname $0)
+    echo $PWD/$(basename $0)
+}
+
+#
+# Source a user exit file if it exists
+#
+run_user_exit() # $1 = file name
+{
+    local user_exit
+    user_exit=$(find_file $1)
+
+    if [ -f $user_exit ]; then
+	progress_message "Processing $user_exit ..."
+	. $user_exit
+    fi
+}
+
 #
 # Set a standard chain's policy
 #
@@ -126,6 +197,243 @@ deleteallchains() {
     run_iptables -X
 }
 
+#
+# Load a Kernel Module -- assumes that the variable 'moduledirectories' contains
+#                         a space-separated list of directories to search for
+#                         the module and that 'moduleloader' contains the
+#                         module loader command.
+#
+loadmodule() # $1 = module name, $2 - * arguments
+{
+    local modulename
+    modulename=$1
+    local modulefile
+    local suffix
+
+    if ! list_search $modulename $DONT_LOAD $MODULES; then
+	shift
+
+	for suffix in $MODULE_SUFFIX ; do
+	    for directory in $moduledirectories; do
+		modulefile=$directory/${modulename}.${suffix}
+
+		if [ -f $modulefile ]; then
+		    case $moduleloader in
+			insmod)
+			    insmod $modulefile $*
+			    ;;
+			*)
+			    modprobe $modulename $*
+			    ;;
+		    esac
+		    break 2
+		fi
+	    done
+	done
+    fi
+}
+
+#
+# Reload the Modules
+#
+reload_kernel_modules() {
+
+    local save_modules_dir
+    save_modules_dir=$MODULESDIR
+    local directory
+    local moduledirectories
+    moduledirectories=
+    local moduleloader
+    moduleloader=modprobe
+    local uname
+
+    if ! qt mywhich modprobe; then
+	moduleloader=insmod
+    fi
+
+    [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
+
+    [ -z "$MODULESDIR" ] && \
+	uname=$(uname -r) && \
+	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
+
+    MODULES=$(lsmod | cut -d ' ' -f1)
+
+    for directory in $(split $MODULESDIR); do
+	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
+    done
+
+    [ -n "$moduledirectories" ] && while read command; do
+	eval $command
+    done
+
+    MODULESDIR=$save_modules_dir
+}
+
+#
+# Load kernel modules required for Shorewall
+#
+load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
+{
+    local save_modules_dir
+    save_modules_dir=$MODULESDIR
+    local directory
+    local moduledirectories
+    moduledirectories=
+    local moduleloader
+    moduleloader=modprobe
+    local savemoduleinfo
+    savemoduleinfo=${1:-Yes} # So old compiled scripts still work
+    local uname
+
+    if ! qt mywhich modprobe; then
+	moduleloader=insmod
+    fi
+
+    [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
+
+    [ -z "$MODULESDIR" ] && \
+	uname=$(uname -r) && \
+	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
+
+    for directory in $(split $MODULESDIR); do
+	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
+    done
+
+    modules=$(find_file modules)
+
+    if [ -f $modules -a -n "$moduledirectories" ]; then
+	MODULES=$(lsmod | cut -d ' ' -f1)
+	progress_message "Loading Modules..."
+	. $modules
+	if [ $savemoduleinfo = Yes ]; then
+	    [ -d ${VARDIR} ] || mkdir -p ${VARDIR}
+	    echo MODULESDIR="$MODULESDIR" > ${VARDIR}/.modulesdir
+	    cp -f $modules ${VARDIR}/.modules
+	fi
+    elif [ $savemoduleinfo = Yes ]; then
+	[ -d ${VARDIR} ] || mkdir -p ${VARDIR}
+	> ${VARDIR}/.modulesdir
+	> ${VARDIR}/.modules
+    fi
+
+    MODULESDIR=$save_modules_dir
+}
+
+#
+#  Note: The following set of IP address manipulation functions have anomalous
+#        behavior when the shell only supports 32-bit signed arithmetic and
+#        the IP address is 128.0.0.0 or 128.0.0.1.
+#
+
+LEFTSHIFT='<<'
+
+#
+# Convert an IP address in dot quad format to an integer
+#
+decodeaddr() {
+    local x
+    local temp
+    temp=0
+    local ifs
+    ifs=$IFS
+
+    IFS=.
+
+    for x in $1; do
+	temp=$(( $(( $temp $LEFTSHIFT 8 )) | $x ))
+    done
+
+    echo $temp
+
+    IFS=$ifs
+}
+
+#
+# convert an integer to dot quad format
+#
+encodeaddr() {
+    addr=$1
+    local x
+    local y
+    y=$(($addr & 255))
+
+    for x in 1 2 3 ; do
+	addr=$(($addr >> 8))
+	y=$(($addr & 255)).$y
+    done
+
+    echo $y
+}
+
+#
+# Netmask from CIDR
+#
+ip_netmask() {
+    local vlsm
+    vlsm=${1#*/}
+
+    [ $vlsm -eq 0 ] && echo 0 || echo $(( -1 $LEFTSHIFT $(( 32 - $vlsm )) ))
+}
+
+#
+# Network address from CIDR
+#
+ip_network() {
+    local decodedaddr
+    decodedaddr=$(decodeaddr ${1%/*})
+    local netmask
+    netmask=$(ip_netmask $1)
+
+    echo $(encodeaddr $(($decodedaddr & $netmask)))
+}
+
+#
+# The following hack is supplied to compensate for the fact that many of
+# the popular light-weight Bourne shell derivatives don't support XOR ("^").
+#
+ip_broadcast() {
+    local x
+    x=$(( 32 - ${1#*/} ))
+
+    [ $x -eq 32 ] && echo -1 || echo $(( $(( 1 $LEFTSHIFT $x )) - 1 ))
+}
+
+#
+# Calculate broadcast address from CIDR
+#
+broadcastaddress() {
+    local decodedaddr
+    decodedaddr=$(decodeaddr ${1%/*})
+    local netmask
+    netmask=$(ip_netmask $1)
+    local broadcast
+    broadcast=$(ip_broadcast $1)
+
+    echo $(encodeaddr $(( $(($decodedaddr & $netmask)) | $broadcast )))
+}
+
+#
+# Test for network membership
+#
+in_network() # $1 = IP address, $2 = CIDR network
+{
+    local netmask
+    netmask=$(ip_netmask $2)
+    #
+    # Use string comparison to work around a broken BusyBox ash in OpenWRT
+    #
+    test $(( $(decodeaddr $1) & $netmask)) = $(( $(decodeaddr ${2%/*}) & $netmask ))
+}
+
+#
+# Query NetFilter about the existence of a filter chain
+#
+chain_exists() # $1 = chain name
+{
+    qt1 $IPTABLES -L $1 -n
+}
+
 #
 # Find the value 'dev' in the passed arguments then echo the next value
 #
@@ -226,6 +534,32 @@ find_interface_by_address() {
     [ -n "$dev" ] && echo $dev
 }
 
+#
+# Find the interface with the passed MAC address
+#
+
+find_interface_by_mac() {
+    local mac
+    mac=$1
+    local first
+    local second
+    local rest
+    local dev
+
+    $IP link list | while read first second rest; do
+	case $first in
+	    *:)
+                dev=$second
+		;;
+	    *)
+	        if [ "$second" = $mac ]; then
+		    echo ${dev%:}
+		    return
+		fi
+	esac
+    done
+}
+
 #
 # Determine if Interface is up
 #
@@ -233,12 +567,45 @@ interface_is_up() {
     [ -n "$($IP link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ]
 }
 
+#
+# Find interface address--returns the first IP address assigned to the passed
+# device
+#
+find_first_interface_address() # $1 = interface
+{
+    #
+    # get the line of output containing the first IP address
+    #
+    addr=$($IP -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
+    #
+    # If there wasn't one, bail out now
+    #
+    [ -n "$addr" ] || startup_error "Can't determine the IP address of $1"
+    #
+    # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
+    # along with everything else on the line
+    #
+    echo $addr | sed 's/\s*inet //;s/\/.*//;s/ peer.*//'
+}
+
+find_first_interface_address_if_any() # $1 = interface
+{
+    #
+    # get the line of output containing the first IP address
+    #
+    addr=$($IP -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
+    #
+    # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
+    # along with everything else on the line
+    #
+    [ -n "$addr" ] && echo $addr | sed 's/\s*inet //;s/\/.*//;s/ peer.*//' || echo 0.0.0.0
+}
+
 #
 # Determine if interface is usable from a Netfilter prespective
 #
 interface_is_usable() # $1 = interface
 {
-    [ "$1" = lo ] && return 0
     interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != 0.0.0.0 ] && run_isusable_exit $1
 }
 
@@ -291,6 +658,71 @@ get_interface_bcasts() # $1 = interface
     $IP -f inet addr show dev $1 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
 }
 
+#
+# Internal version of 'which'
+#
+mywhich() {
+    local dir
+
+    for dir in $(split $PATH); do
+	if [ -x $dir/$1 ]; then
+	    echo $dir/$1
+	    return 0
+	fi
+    done
+
+    return 2
+}
+
+#
+# Find a File -- For relative file name, look in each ${CONFIG_PATH} then ${CONFDIR}
+#
+find_file()
+{
+    local saveifs
+    saveifs=
+    local directory
+
+    case $1 in
+	/*)
+	    echo $1
+	    ;;
+	*)
+	    for directory in $(split $CONFIG_PATH); do
+		if [ -f $directory/$1 ]; then
+		    echo $directory/$1
+		    return
+		fi
+	    done
+
+	    echo ${CONFDIR}/$1
+	    ;;
+    esac
+}
+
+#
+# Set the Shorewall state
+#
+set_state () # $1 = state
+{
+    echo "$1 ($(date))" > ${VARDIR}/state
+}
+
+#
+# Perform variable substitution on the passed argument and echo the result
+#
+expand() # $@ = contents of variable which may be the name of another variable
+{
+    eval echo \"$@\"
+}
+
+#
+# Function for including one file into another
+#
+INCLUDE() {
+    . $(find_file $(expand $@))
+}
+
 #
 # Delete IP address
 #
@@ -443,6 +875,16 @@ disable_ipv6() {
     fi
 }
 
+# Function to truncate a string -- It uses 'cut -b -<n>'
+# rather than ${v:first:last} because light-weight shells like ash and
+# dash do not support that form of expansion.
+#
+
+truncate() # $1 = length
+{
+    cut -b -${1}
+}
+
 #
 # Clear the current traffic shaping configuration
 #
@@ -508,7 +950,7 @@ get_device_mtu1() # $1 = device
 #
 undo_routing() {
 
-    if [ -z "$g_noroutes"  ]; then
+    if [ -z "$NOROUTES"  ]; then
 	#
 	# Restore rt_tables database
 	#
@@ -532,7 +974,7 @@ undo_routing() {
 # Restore the default route that was in place before the initial 'shorewall start'
 #
 restore_default_route() {
-    if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then
+    if [ -z "$NOROUTES" -a -f ${VARDIR}/default_route ]; then
 	local default_route
 	default_route=
 	local route
@@ -575,6 +1017,25 @@ restore_default_route() {
     return $result
 }
 
+#
+# Determine how to do "echo -e"
+#
+
+find_echo() {
+    local result
+
+    result=$(echo "a\tb")
+    [ ${#result} -eq 3 ] && { echo echo; return; }
+
+    result=$(echo -e "a\tb")
+    [ ${#result} -eq 3 ] && { echo "echo -e"; return; }
+
+    result=$(mywhich echo)
+    [ -n "$result" ] && { echo "$result -e"; return; }
+
+    echo echo
+}
+
 #
 # Determine the MAC address of the passed IP through the passed interface
 #
@@ -597,11 +1058,11 @@ find_mac() # $1 = IP address, $2 = interface
 }
 
 #
-# Flush the conntrack table if $g_purge is non-empty
+# Flush the conntrack table if $PURGE is non-empty
 #
 conditionally_flush_conntrack() {
 
-    if [ -n "$g_purge" ]; then
+    if [ -n "$PURGE" ]; then
 	if [ -n $(mywhich conntrack) ]; then
             conntrack -F
 	else
@@ -610,283 +1071,6 @@ conditionally_flush_conntrack() {
     fi
 }
 
-#
-# Clear Proxy Arp
-#
-delete_proxyarp() {
-    if [ -f ${VARDIR}/proxyarp ]; then
-	while read address interface external haveroute; do
-	    qt arp -i $external -d $address pub
-	    [ -z "${haveroute}${g_noroutes}" ] && qt $IP -4 route del $address dev $interface
-	    f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
-	    [ -f $f ] && echo 0 > $f
-	done < ${VARDIR}/proxyarp
-    fi
-
-    rm -f ${VARDIR}/proxyarp
-}
-
-#
-# Remove all Shorewall-added rules
-#
-clear_firewall() {
-    stop_firewall
-
-    setpolicy INPUT ACCEPT
-    setpolicy FORWARD ACCEPT
-    setpolicy OUTPUT ACCEPT
-
-    run_iptables -F
-
-    echo 1 > /proc/sys/net/ipv4/ip_forward
-
-    if [ -n "$DISABLE_IPV6" ]; then
-	if [ -x $IP6TABLES ]; then
-    	    $IP6TABLES -P INPUT   ACCEPT 2> /dev/null
-	    $IP6TABLES -P OUTPUT  ACCEPT 2> /dev/null
-	    $IP6TABLES -P FORWARD ACCEPT 2> /dev/null
-	fi
-    fi
-
-    run_clear_exit
-
-    set_state "Cleared"
-
-    logger -p kern.info "$g_product Cleared"
-}
-
-#
-# Issue a message and stop/restore the firewall
-#
-fatal_error()
-{
-    echo "   ERROR: $@" >&2
-
-    if [ $LOG_VERBOSITY -gt 1 ]; then
-        timestamp="$(date +'%_b %d %T') "
-        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
-    fi
-
-    stop_firewall
-    [ -n "$TEMPFILE" ] && rm -f $TEMPFILE
-    exit 2
-}
-
-#
-# Issue a message and stop
-#
-startup_error() # $* = Error Message
-{
-    echo "   ERROR: $@: Firewall state not changed" >&2
-    case $COMMAND in
-        start)
-	    logger -p kern.err "ERROR:$g_product start failed:Firewall state not changed"
-	    ;;
-	restart)
-	    logger -p kern.err "ERROR:$g_product restart failed:Firewall state not changed"
-	    ;;
-	restore)
-	    logger -p kern.err "ERROR:$g_product restore failed:Firewall state not changed"
-	    ;;
-    esac
-
-    if [ $LOG_VERBOSITY -gt 1 ]; then
-        timestamp="$(date +'%_b %d %T') "
-
-	case $COMMAND in
-	    start)
-		echo "${timestamp}  ERROR:$g_product start failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	    restart)
-		echo "${timestamp}  ERROR:$g_product restart failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	    restore)
-		echo "${timestamp}  ERROR:$g_product restore failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	esac
-    fi
-
-    kill $$
-    exit 2
-}
-
-#
-# Run iptables and if an error occurs, stop/restore the firewall
-#
-run_iptables()
-{
-    local status
-
-    while [ 1 ]; do
-	$IPTABLES $@
-	status=$?
-	[ $status -ne 4 ] && break
-    done
-
-    if [ $status -ne 0 ]; then
-        error_message "ERROR: Command \"$IPTABLES $@\" Failed"
-	stop_firewall
-        exit 2
-    fi
-}
-
-#
-# Run iptables retrying exit status 4
-#
-do_iptables()
-{
-    local status
-
-    while [ 1 ]; do
-	$IPTABLES $@
-	status=$?
-	[ $status -ne 4 ] && return $status;
-    done
-}
-
-#
-# Run iptables and if an error occurs, stop/restore the firewall
-#
-run_ip()
-{
-    if ! $IP -4 $@; then
-	error_message "ERROR: Command \"$IP -4 $@\" Failed"
-	stop_firewall
-	exit 2
-    fi
-}
-
-#
-# Run tc and if an error occurs, stop/restore the firewall
-#
-run_tc() {
-    if ! $TC $@ ; then
-	error_message "ERROR: Command \"$TC $@\" Failed"
-	stop_firewall
-	exit 2
-    fi
-}
-
-#
-# Restore the rules generated by 'drop','reject','logdrop', etc.
-#
-restore_dynamic_rules() {
-    if [ -f ${VARDIR}/save ]; then
-	progress_message2 "Setting up dynamic rules..."
-	rangematch='source IP range'
-	while read target ignore1 ignore2 address ignore3 rest; do
-	    case $target in
-		DROP|reject|logdrop|logreject)
-		    case $rest in
-			$rangematch*)
-			    run_iptables -A dynamic -m iprange --src-range ${rest#source IP range} -j $target
-			    ;;
-			*)
-			    if [ -z "$rest" ]; then
-				run_iptables -A dynamic -s $address -j $target
-			    else
-				error_message "WARNING: Unable to restore dynamic rule \"$target $ignore1 $ignore2 $address $ignore3 $rest\""
-			    fi
-			    ;;
-		    esac
-		    ;;
-	    esac
-	done < ${VARDIR}/save
-    fi
-}
-
-#
-# Get a list of all configured broadcast addresses on the system
-#
-get_all_bcasts()
-{
-    $IP -f inet addr show 2> /dev/null | grep 'inet.*brd' | grep -v '/32 ' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
-}
-
-#
-# Run the .iptables_restore_input as a set of discrete iptables commands
-#
-debug_restore_input() {
-    local first second rest table chain
-    #
-    # Clear the ruleset
-    #
-    qt1 $IPTABLES -t mangle -F
-    qt1 $IPTABLES -t mangle -X
-
-    for chain in PREROUTING INPUT FORWARD POSTROUTING; do
-	qt1 $IPTABLES -t mangle -P $chain ACCEPT
-    done
-
-    qt1 $IPTABLES -t raw    -F
-    qt1 $IPTABLES -t raw    -X
-
-    for chain in PREROUTING OUTPUT; do
-	qt1 $IPTABLES -t raw -P $chain ACCEPT
-    done
-
-    run_iptables -t nat -F
-    run_iptables -t nat -X
-
-    for chain in PREROUTING POSTROUTING OUTPUT; do
-	qt1 $IPTABLES -t nat -P $chain ACCEPT
-    done
-
-    qt1 $IPTABLES -t filter -F
-    qt1 $IPTABLES -t filter -X
-
-    for chain in INPUT FORWARD OUTPUT; do
-	qt1 $IPTABLES -t filter -P $chain -P ACCEPT
-    done
-
-    while read first second rest; do
-	case $first in
-	    -*)
-		#
-		# We can't call run_iptables() here because the rules may contain quoted strings
-		#
-		eval $IPTABLES -t $table $first $second $rest
-
-		if [ $? -ne 0 ]; then
-		    error_message "ERROR: Command \"$IPTABLES $first $second $rest\" Failed"
-		    stop_firewall
-		    exit 2
-		fi
-		;;
-	    :*)
-		chain=${first#:}
-
-		if [ "x$second" = x- ]; then
-		    do_iptables -t $table -N $chain
-		else
-		    do_iptables -t $table -P $chain $second
-		fi
-
-		if [ $? -ne 0 ]; then
-		    error_message "ERROR: Command \"$IPTABLES $first $second $rest\" Failed"
-		    stop_firewall
-		    exit 2
-		fi
-		;;
-	    #
-	    # This grotesque hack with the table names works around a bug/feature with ash
-	    #
-	    '*'raw)
-		table=raw
-		;;
-	    '*'mangle)
-		table=mangle
-		;;
-	    '*'nat)
-		table=nat
-		;;
-	    '*'filter)
-		table=filter
-		;;
-	esac
-    done
-}
-
 ################################################################################
 # End of functions in /usr/share/shorewall/prog.header
 ################################################################################

Shorewall/Perl/prog.header6

@@ -1,5 +1,3 @@
-#!/bin/sh
-#
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 #     (c) 1999-2009 - Tom Eastep (teastep@shorewall.net)
@@ -24,6 +22,14 @@
 ################################################################################
 # Functions imported from /usr/share/shorewall/prog.header6
 ################################################################################
+#
+# Message to stderr
+#
+error_message() # $* = Error Message
+{
+   echo "   $@" >&2
+}
+
 #
 # Conditionally produce message
 #
@@ -32,12 +38,12 @@ progress_message() # $* = Message
     local timestamp
     timestamp=
 
-    if [ $VERBOSITY -gt 1 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
+    if [ $VERBOSE -gt 1 ]; then
+	[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
     fi
 
-    if [ $LOG_VERBOSITY -gt 1 ]; then
+    if [ $LOG_VERBOSE -gt 1 ]; then
         timestamp="$(date +'%b %_d %T') "
         echo "${timestamp}$@" >> $STARTUP_LOG
     fi
@@ -48,12 +54,12 @@ progress_message2() # $* = Message
     local timestamp
     timestamp=
 
-    if [ $VERBOSITY -gt 0 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
+    if [ $VERBOSE -gt 0 ]; then
+	[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
     fi
 
-    if [ $LOG_VERBOSITY -gt 0 ]; then
+    if [ $LOG_VERBOSE -gt 0 ]; then
         timestamp="$(date +'%b %_d %T') "
         echo "${timestamp}$@" >> $STARTUP_LOG
     fi
@@ -64,17 +70,77 @@ progress_message3() # $* = Message
     local timestamp
     timestamp=
 
-    if [ $VERBOSITY -ge 0 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
+    if [ $VERBOSE -ge 0 ]; then
+	[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
     fi
 
-    if [ $LOG_VERBOSITY -ge 0 ]; then
+    if [ $LOG_VERBOSE -ge 0 ]; then
         timestamp="$(date +'%b %_d %T') "
         echo "${timestamp}$@" >> $STARTUP_LOG
     fi
 }
 
+#
+# Split a colon-separated list into a space-separated list
+#
+split() {
+    local ifs
+    ifs=$IFS
+    IFS=:
+    echo $*
+    IFS=$ifs
+}
+
+#
+# Undo the effect of 'split()'
+#
+join()
+{
+    local f
+    local o
+    o=
+
+    for f in $* ; do
+        o="${o:+$o:}$f"
+    done
+
+    echo $o
+}
+
+#
+# Return the number of elements in a list
+#
+list_count() # $* = list
+{
+    return $#
+}
+
+#
+# Search a list looking for a match -- returns zero if a match found
+# 1 otherwise
+#
+list_search() # $1 = element to search for , $2-$n = list
+{
+    local e
+    e=$1
+
+    while [ $# -gt 1 ]; do
+	shift
+	[ "x$e" = "x$1" ] && return 0
+    done
+
+    return 1
+}
+
+#
+# Suppress all output for a command
+#
+qt()
+{
+    "$@" >/dev/null 2>&1
+}
+
 qt1()
 {
     local status
@@ -86,6 +152,35 @@ qt1()
     done
 }
 
+#
+# Determine if Shorewall is "running"
+#
+shorewall6_is_started() {
+    qt1 $IP6TABLES -L shorewall -n
+}
+
+#
+# Echos the fully-qualified name of the calling shell program
+#
+my_pathname() {
+    cd $(dirname $0)
+    echo $PWD/$(basename $0)
+}
+
+#
+# Source a user exit file if it exists
+#
+run_user_exit() # $1 = file name
+{
+    local user_exit
+    user_exit=$(find_file $1)
+
+    if [ -f $user_exit ]; then
+	progress_message "Processing $user_exit ..."
+	. $user_exit
+    fi
+}
+
 #
 # Set a standard chain's policy
 #
@@ -118,6 +213,131 @@ deleteallchains() {
     run_iptables -X
 }
 
+#
+# Load a Kernel Module -- assumes that the variable 'moduledirectories' contains
+#                         a space-separated list of directories to search for
+#                         the module and that 'moduleloader' contains the
+#                         module loader command.
+#
+loadmodule() # $1 = module name, $2 - * arguments
+{
+    local modulename
+    modulename=$1
+    local modulefile
+    local suffix
+
+    if ! list_search $modulename $DONT_LOAD $MODULES; then
+	shift
+
+	for suffix in $MODULE_SUFFIX ; do
+	    for directory in $moduledirectories; do
+		modulefile=$directory/${modulename}.${suffix}
+
+		if [ -f $modulefile ]; then
+		    case $moduleloader in
+			insmod)
+			    insmod $modulefile $*
+			    ;;
+			*)
+			    modprobe $modulename $*
+			    ;;
+		    esac
+		    break 2
+		fi
+	    done
+	done
+    fi
+}
+
+#
+# Reload the Modules
+#
+reload_kernel_modules() {
+
+    local save_modules_dir
+    save_modules_dir=$MODULESDIR
+    local directory
+    local moduledirectories
+    moduledirectories=
+    local moduleloader
+    moduleloader=modprobe
+
+    if ! qt mywhich modprobe; then
+	moduleloader=insmod
+    fi
+
+    [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
+
+    [ -z "$MODULESDIR" ] && MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter
+    MODULES=$(lsmod | cut -d ' ' -f1)
+
+    for directory in $(split $MODULESDIR); do
+	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
+    done
+
+    [ -n "$moduledirectories" ] && while read command; do
+	eval $command
+    done
+
+    MODULESDIR=$save_modules_dir
+}
+
+#
+# Load kernel modules required for Shorewall6
+#
+load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
+{
+    local save_modules_dir
+    save_modules_dir=$MODULESDIR
+    local directory
+    local moduledirectories
+    moduledirectories=
+    local moduleloader
+    moduleloader=modprobe
+    local savemoduleinfo
+    savemoduleinfo=${1:-Yes} # So old compiled scripts still work
+
+    if ! qt mywhich modprobe; then
+	moduleloader=insmod
+    fi
+
+    [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
+
+    [ -z "$MODULESDIR" ] && \
+	MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter
+
+    for directory in $(split $MODULESDIR); do
+	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
+    done
+
+    modules=$(find_file modules)
+
+    if [ -f $modules -a -n "$moduledirectories" ]; then
+	MODULES=$(lsmod | cut -d ' ' -f1)
+	progress_message "Loading Modules..."
+	. $modules
+	if [ $savemoduleinfo = Yes ]; then
+	    [ -d ${VARDIR} ] || mkdir -p ${VARDIR}
+	    echo MODULESDIR="$MODULESDIR" > ${VARDIR}/.modulesdir
+	    cp -f $modules ${VARDIR}/.modules
+	fi
+    elif [ $savemoduleinfo = Yes ]; then
+	[ -d ${VARDIR} ] || mkdir -p ${VARDIR}
+	> ${VARDIR}/.modulesdir
+	> ${VARDIR}/.modules
+    fi
+
+    MODULESDIR=$save_modules_dir
+}
+
+#
+# Query NetFilter about the existence of a filter chain
+#
+chain_exists() # $1 = chain name
+{
+    qt1 $IP6TABLES -L $1 -n
+}
+
 #
 # Find the value 'dev' in the passed arguments then echo the next value
 #
@@ -180,6 +400,32 @@ find_default_interface() {
     done
 }
 
+#
+# Find the interface with the passed MAC address
+#
+
+find_interface_by_mac() {
+    local mac
+    mac=$1
+    local first
+    local second
+    local rest
+    local dev
+
+    $IP link list | while read first second rest; do
+	case $first in
+	    *:)
+                dev=$second
+		;;
+	    *)
+	        if [ "$second" = $mac ]; then
+		    echo ${dev%:}
+		    return
+		fi
+	esac
+    done
+}
+
 #
 # Determine if Interface is up
 #
@@ -187,12 +433,45 @@ interface_is_up() {
     [ -n "$($IP link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ]
 }
 
+#
+# Find interface address--returns the first IP address assigned to the passed
+# device
+#
+find_first_interface_address() # $1 = interface
+{
+    #
+    # get the line of output containing the first IP address
+    #
+    addr=$($IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 .* global' | head -n1)
+    #
+    # If there wasn't one, bail out now
+    #
+    [ -n "$addr" ] || startup_error "Can't determine the IPv6 address of $1"
+    #
+    # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
+    # along with everything else on the line
+    #
+    echo $addr | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//'
+}
+
+find_first_interface_address_if_any() # $1 = interface
+{
+    #
+    # get the line of output containing the first IP address
+    #
+    addr=$($IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2.* global' | head -n1)
+    #
+    # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
+    # along with everything else on the line
+    #
+    [ -n "$addr" ] && echo $addr | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//' || echo ::
+}
+
 #
 # Determine if interface is usable from a Netfilter prespective
 #
 interface_is_usable() # $1 = interface
 {
-    [ "$1" = lo ] && return 0
     interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ] && run_isusable_exit $1
 }
 
@@ -299,7 +578,7 @@ convert_to_anycast() {
     local l
 
     while read address; do
-	case $address in
+	case $address in 
 	    2*|3*)
 		vlsm=${address#*/}
 		vlsm=${vlsm:=128}
@@ -347,7 +626,7 @@ convert_to_anycast() {
 			badress=$address
 		    fi
 		    #
-		    # Note: at this point $address and $badress are the same except possibly for
+		    # Note: at this point $address and $badress are the same except possibly for 
 		    #       the contents of the last half-word
 		    #
 		    list_count $(split $address)
@@ -384,7 +663,7 @@ convert_to_anycast() {
 
 #
 # Generate a list of anycast addresses for a given interface
-#
+# 
 
 get_interface_acasts() # $1 = interface
 {
@@ -402,6 +681,71 @@ get_all_acasts()
     find_interface_full_addresses | convert_to_anycast | sort -u
 }
 
+#
+# Internal version of 'which'
+#
+mywhich() {
+    local dir
+
+    for dir in $(split $PATH); do
+	if [ -x $dir/$1 ]; then
+	    echo $dir/$1
+	    return 0
+	fi
+    done
+
+    return 2
+}
+
+#
+# Find a File -- For relative file name, look in each ${CONFIG_PATH} then ${CONFDIR}
+#
+find_file()
+{
+    local saveifs
+    saveifs=
+    local directory
+
+    case $1 in
+	/*)
+	    echo $1
+	    ;;
+	*)
+	    for directory in $(split $CONFIG_PATH); do
+		if [ -f $directory/$1 ]; then
+		    echo $directory/$1
+		    return
+		fi
+	    done
+
+	    echo ${CONFDIR}/$1
+	    ;;
+    esac
+}
+
+#
+# Set the Shorewall state
+#
+set_state () # $1 = state
+{
+    echo "$1 ($(date))" > ${VARDIR}/state
+}
+
+#
+# Perform variable substitution on the passed argument and echo the result
+#
+expand() # $@ = contents of variable which may be the name of another variable
+{
+    eval echo \"$@\"
+}
+
+#
+# Function for including one file into another
+#
+INCLUDE() {
+    . $(find_file $(expand $@))
+}
+
 #
 # Detect the gateway through an interface
 #
@@ -427,6 +771,20 @@ detect_gateway() # $1 = interface
     [ -n "$gateway" ] && echo $gateway
 }
 
+# Function to truncate a string -- It uses 'cut -b -<n>'
+# rather than ${v:first:last} because light-weight shells like ash and
+# dash do not support that form of expansion.
+#
+
+truncate() # $1 = length
+{
+    cut -b -${1}
+}
+
+#
+# Clear the current traffic shaping configuration
+#
+
 delete_tc1()
 {
     clear_one_tc() {
@@ -488,7 +846,7 @@ get_device_mtu1() # $1 = device
 #
 undo_routing() {
 
-    if [ -z "$g_noroutes"  ]; then
+    if [ -z "$NOROUTES"  ]; then
 	#
 	# Restore rt_tables database
 	#
@@ -512,7 +870,7 @@ undo_routing() {
 # Restore the default route that was in place before the initial 'shorewall start'
 #
 restore_default_route() {
-    if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then
+    if [ -z "$NOROUTES" -a -f ${VARDIR}/default_route ]; then
 	local default_route
 	default_route=
 	local route
@@ -575,11 +933,11 @@ find_echo() {
 }
 
 #
-# Flush the conntrack table if $g_purge is non-empty
+# Flush the conntrack table if $PURGE is non-empty
 #
 conditionally_flush_conntrack() {
 
-    if [ -n "$g_purge" ]; then
+    if [ -n "$PURGE" ]; then
 	if [ -n $(which conntrack) ]; then
             conntrack -F
 	else
@@ -588,244 +946,6 @@ conditionally_flush_conntrack() {
     fi
 }
 
-#
-# Remove all Shorewall-added rules
-#
-clear_firewall() {
-    stop_firewall
-
-    setpolicy INPUT ACCEPT
-    setpolicy FORWARD ACCEPT
-    setpolicy OUTPUT ACCEPT
-
-    run_iptables -F
-
-    echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-
-    run_clear_exit
-
-    set_state "Cleared"
-
-    logger -p kern.info "$g_product Cleared"
-}
-
-#
-# Issue a message and stop/restore the firewall
-#
-fatal_error()
-{
-    echo "   ERROR: $@" >&2
-
-    if [ $LOG_VERBOSITY -gt 1 ]; then
-        timestamp="$(date +'%_b %d %T') "
-        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
-    fi
-
-    stop_firewall
-    [ -n "$TEMPFILE" ] && rm -f $TEMPFILE
-    exit 2
-}
-
-#
-# Issue a message and stop
-#
-startup_error() # $* = Error Message
-{
-    echo "   ERROR: $@: Firewall state not changed" >&2
-    case $COMMAND in
-        start)
-	    logger -p kern.err "ERROR:$g_product start failed:Firewall state not changed"
-	    ;;
-	restart)
-	    logger -p kern.err "ERROR:$g_product restart failed:Firewall state not changed"
-	    ;;
-	restore)
-	    logger -p kern.err "ERROR:$g_product restore failed:Firewall state not changed"
-	    ;;
-    esac
-
-    if [ $LOG_VERBOSITY -gt 1 ]; then
-        timestamp="$(date +'%_b %d %T') "
-
-	case $COMMAND in
-	    start)
-		echo "${timestamp}  ERROR:$g_product start failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	    restart)
-		echo "${timestamp}  ERROR:$g_product restart failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	    restore)
-		echo "${timestamp}  ERROR:$g_product restore failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	esac
-    fi
-
-    kill $$
-    exit 2
-}
-
-#
-# Run iptables and if an error occurs, stop/restore the firewall
-#
-run_iptables()
-{
-    local status
-
-    while [ 1 ]; do
-	$IP6TABLES $@
-	status=$?
-	[ $status -ne 4 ] && break
-    done
-
-    if [ $status -ne 0 ]; then
-        error_message "ERROR: Command \"$IP6TABLES $@\" Failed"
-	stop_firewall
-        exit 2
-    fi
-}
-
-#
-# Run iptables retrying exit status 4
-#
-do_iptables()
-{
-    local status
-
-    while [ 1 ]; do
-	$IP6TABLES $@
-	status=$?
-	[ $status -ne 4 ] && return $status;
-    done
-}
-
-#
-# Run iptables and if an error occurs, stop/restore the firewall
-#
-run_ip()
-{
-    if ! $IP -6 $@; then
-	error_message "ERROR: Command \"$IP -6 $@\" Failed"
-	stop_firewall
-	exit 2
-    fi
-}
-
-#
-# Run tc and if an error occurs, stop/restore the firewall
-#
-run_tc() {
-    if ! $TC $@ ; then
-	error_message "ERROR: Command \"$TC $@\" Failed"
-	stop_firewall
-	exit 2
-    fi
-}
-
-#
-# Restore the rules generated by 'drop','reject','logdrop', etc.
-#
-restore_dynamic_rules() {
-    if [ -f ${VARDIR}/save ]; then
-	progress_message2 "Setting up dynamic rules..."
-	rangematch='source IP range'
-	while read target ignore1 ignore2 address ignore3 rest; do
-	    case $target in
-		DROP|reject|logdrop|logreject)
-		    case $rest in
-			$rangematch*)
-			    run_iptables -A dynamic -m iprange --src-range ${rest#source IP range} -j $target
-			    ;;
-			*)
-			    if [ -z "$rest" ]; then
-				run_iptables -A dynamic -s $address -j $target
-			    else
-				error_message "WARNING: Unable to restore dynamic rule \"$target $ignore1 $ignore2 $address $ignore3 $rest\""
-			    fi
-			    ;;
-		    esac
-		    ;;
-	    esac
-	done < ${VARDIR}/save
-    fi
-}
-
-#
-# Run the .iptables_restore_input as a set of discrete iptables commands
-#
-debug_restore_input() {
-    local first second rest table chain
-    #
-    # Clear the ruleset
-    #
-    qt1 $IP6TABLES -t mangle -F
-    qt1 $IP6TABLES -t mangle -X
-
-    for chain in PREROUTING INPUT FORWARD POSTROUTING; do
-	qt1 $IP6TABLES -t mangle -P $chain ACCEPT
-    done
-
-    qt1 $IP6TABLES -t raw    -F
-    qt1 $IP6TABLES -t raw    -X
-
-    for chain in PREROUTING OUTPUT; do
-	qt1 $IP6TABLES -t raw -P $chain ACCEPT
-    done
-
-    qt1 $IP6TABLES -t filter -F
-    qt1 $IP6TABLES -t filter -X
-
-    for chain in INPUT FORWARD OUTPUT; do
-	qt1 $IP6TABLES -t filter -P $chain -P ACCEPT
-    done
-
-    while read first second rest; do
-	case $first in
-	    -*)
-		#
-		# We can't call run_iptables() here because the rules may contain quoted strings
-		#
-		eval $IP6TABLES -t $table $first $second $rest
-
-		if [ $? -ne 0 ]; then
-		    error_message "ERROR: Command \"$IP6TABLES $first $second $rest\" Failed"
-		    stop_firewall
-		    exit 2
-		fi
-		;;
-	    :*)
-		chain=${first#:}
-
-		if [ "x$second" = x- ]; then
-		    do_iptables -t $table -N $chain
-		else
-		    do_iptables -t $table -P $chain $second
-		fi
-
-		if [ $? -ne 0 ]; then
-		    error_message "ERROR: Command \"$IP6TABLES $first $second $rest\" Failed"
-		    stop_firewall
-		    exit 2
-		fi
-		;;
-	    #
-	    # This grotesque hack with the table names works around a bug/feature with ash
-	    #
-	    '*'raw)
-		table=raw
-		;;
-	    '*'mangle)
-		table=mangle
-		;;
-	    '*'nat)
-		table=nat
-		;;
-	    '*'filter)
-		table=filter
-		;;
-	esac
-    done
-}
-
 ################################################################################
 # End of functions imported from /usr/share/shorewall/prog.header6
 ################################################################################

Shorewall/changelog.txt

@@ -1,232 +1,11 @@
-Changes in Shorewall 4.4.8
 
-1)  Correct handling of RATE LIMIT on NAT rules.
+Changes in Shorewall 4.4.0.1
 
-2)  Don't create a logging chain for rules with '-j RETURN'.
+1)  Updated release versions.
 
-3)  Avoid duplicate SFQ class numbers.
+2)  Fix log level in rules at the end of INPUT and OUTPUT
 
-4)  Fix low per-IP rate limits.
-
-5)  Fix Debian init script exit status
-
-6)  Fix NFQUEUE(queue-num) in policy
-
-7)  Implement -s option in install.sh
-
-8)  Add HKP Macro
-
-9)  Fix multiple policy matches with OPTIMIZE 4 and not KLUDGEFREE
-
-10) Eliminate up-cased variable names that aren't documented options.
-
-11) Don't show 'OLD' capabilities if they are not available.
-
-Changes in Shorewall 4.4.7
-
-1)  Backport optimization changes from 4.5.
-
-2)  Backport two new options from 4.5.
-
-3)  Backport TPROXY from 4.5
-
-4)  Add TC_PRIOMAP to shorewall*.conf
-
-5)  Implement LOAD_HELPERS_ONLY
-
-6)  Avoid excessive module loading with LOAD_HELPERS_ONLY=Yes
-
-7)  Fix case where MARK target is unavailable.
-
-8)  Change default to ADD_IP_ALIASES=No
-
-9)  Correct defects in generate_matrix().
-
-10) Fix and optimize 'nosmurfs'.
-
-11) Use 'OLD_HL_MATCH' to suppress use of 'flow' in Simple TC.
-
-Changes in Shorewall 4.4.6
-
-1)  Fix for rp_filter and kernel 2.6.31.
-
-2)  Add a hack to work around a bug in Lenny + xtables-addons
-
-3)  Re-enable SAVE_IPSETS
-
-4)  Allow both <...> and [...] for IPv6 Addresses.
-
-5)  Port mark geometry change from 4.5.
-
-6)  Add Macro patch from Tuomo Soini
-
-7)  Add 'show macro' command.
-
-8)  Add -r option to check.
-
-9)  Port simplified TC from 4.5.
-
-Changes in Shorewall 4.4.5
-
-1)  Fix 15-port limit removal change.
-
-2)  Fix handling of interfaces with the 'bridge' option.
-
-3)  Generate error for port number 0
-
-4)  Allow zone::serverport in rules DEST column.
-
-5)  Fix 'show policies' in Shorewall6.
-
-6)  Auto-load tc modules.
-
-7)  Allow LOGFILE=/dev/null
-
-8)  Fix shorewall6-lite/shorecap
-
-9) Fix MODULE_SUFFIX.
-
-10) Fix ENHANCED_REJECT detection for IPv4.
-
-11) Fix DONT_LOAD vs 'reload -c'
-
-12) Fix handling of SOURCE and DEST vs macros.
-
-13) Remove silly logic in expand_rule().
-
-14) Add current and limit to Conntrack Table Heading.
-
-Changes in Shorewall 4.4.4
-
-1)  Change STARTUP_LOG and LOG_VERBOSITY in default shorewall6.conf.
-
-2)  Fix access to uninitialized variable.
-
-3)  Add logrotate scripts.
-
-4)  Allow long port lists in /etc/shorewall/routestopped.
-
-5)  Implement 'physical' interface option.
-
-6)  Implement ZONE2ZONE option.
-
-7)  Suppress duplicate COMMENT warnings.
-
-8)  Implement 'show policies' command.
-
-9)  Fix route_rule suppression for down provider.
-
-10) Suppress redundant tests for provider availability in route rules
-    processing.
-
-11) Implement the '-l' option to the 'show' command.
-
-12) Fix class number assignment when WIDE_TC_MARKS=Yes
-
-13) Allow wide marks in tcclasses when WIDE_TC_MARKS=Yes
-
-Changes in Shorewall 4.4.3
-
-1)  Move Debian INITLOG initialization to /etc/default/shorewall
-
-2)  Fix 'routeback' in /etc/shorewall/routestopped.
-
-3)  Rename 'object' to 'script' in compiler and config modules.
-
-4)  Correct RETAIN_ALIASES=No.
-
-5)  Fix detection of IP config.
-
-6)  Fix nested zones.
-
-7)  Move all function declarations from prog.footer to prog.header
-
-8)  Remove superfluous variables from generated script
-
-9)  Make 'track' the default.
-
-10)  Add TRACK_PROVIDERS option.
-
-11)  Fix IPv6 address parsing bug.
-
-12)  Add hack to work around iproute IPv6 bug in route handling
-
-13)  Correct messages issued when an optional provider is not usable.
-
-14)  Fix optional interfaces.
-
-15)  Add 'limit' option to tcclasses.
-
-Changes in Shorewall 4.4.2
-
-1)  BUGFIX: Correct detection of Persistent SNAT support
-
-2)  BUGFIX: Fix chain table initialization
-
-3)  BUGFIX: Validate routestopped file on 'check'
-
-4)  Let the Actions module add the builtin actions to
-    %Shorewall::Chains::targets. Much better modularization that way.
-
-5)  Some changes to make Lenny->Squeeze less painful.
-
-6)  Allow comments at the end of continued lines.
-
-7)  Call process_routestopped() during 'check' rather than
-    'compile_stop_firewall()'.
-
-8)  Don't look for an extension script for built-in actions.
-
-9)  Apply Jesse Shrieve's patch for SNAT range.
-
-10) Add -<family> to 'ip route del default' command.
-
-11) Add three new columns to macro body.
-
-12) Change 'wait4ifup' so that it requires no PATH
-
-13) Allow extension scripts for accounting chains.
-
-14) Allow per-ip LIMIT to work on ancient iptables releases.
-
-15) Add 'MARK' column to action body.
-
-Changes in Shorewall 4.4.1
-
-1)  Deleted extra 'use ...IPAddrs.pm' from Nat.pm.
-
-2)  Deleted superfluous export from Chains.pm.
-
-3)  Added support for --persistent.
-
-4)  Don't do module initialization in an INIT block.
-
-5)  Minor performance improvements.
-
-6)  Add 'clean' target to Makefile.
-
-7)  Redefine 'full' for sub-classes.
-
-8)  Fix log level in rules at the end of INPUT and OUTPUT chains.
-
-9)  Fix nested ipsec zones.
-
-10) Change one-interface sample to IP_FORWARDING=Off.
-
-11) Allow multicast to non-dynamic zones defined with nets=.
-
-12) Allow zones with nets= to be extended by /etc/shorewall/hosts
-    entries.
-
-13) Don't allow nets= in a multi-zone interface definition.
-
-14) Fix rule generated by MULTICAST=Yes
-
-15) Fix silly hole in zones file parsing.
-
-16) Tighen up zone membership checking.
-
-17) Combine portlist-spitting routines into a single function.
+3)  Correct handling of nested IPSEC chains.
 
 Changes in Shorewall 4.4.0
 
@@ -240,7 +19,7 @@ Changes in Shorewall 4.4.0
 
 5)  Fix 'upnpclient' with required interfaces.
 
-6)  Fix provider number in masq file.
+5)  Fix provider number in 
 
 Changes in Shorewall 4.4.0-RC2
 
@@ -446,8 +225,10 @@ Changes in Shorewall 4.3.5
 
 1)  Remove support for shorewall-shell.
 
-2)  Combine shorewall-common and shorewall-perl to produce shorewall.
+2)  Combine shorewall-common and shorewall-perl to product shorewall.
 
 3)  Add nets= OPTION in interfaces file.
 
+4)  Add SAME MARK/CLASSIFY target
+
 

Shorewall/configfiles/findgw

@@ -1,5 +1,5 @@
 #
-# Shorewall version 4 - Findgw File
+# Shorewall version 4 - Filegw File
 #
 # /etc/shorewall/findgw
 #

Shorewall/configfiles/shorewall.conf

@@ -32,9 +32,9 @@ VERBOSITY=1
 
 LOGFILE=/var/log/messages
 
-STARTUP_LOG=/var/log/shorewall-init.log
+STARTUP_LOG=
 
-LOG_VERBOSITY=2
+LOG_VERBOSITY=
 
 LOGFORMAT="Shorewall:%s:%s:"
 
@@ -107,7 +107,7 @@ RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 
 IP_FORWARDING=On
 
-ADD_IP_ALIASES=No
+ADD_IP_ALIASES=Yes
 
 ADD_SNAT_ALIASES=No
 
@@ -117,8 +117,6 @@ TC_ENABLED=Internal
 
 TC_EXPERT=No
 
-TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
-
 CLEAR_TC=Yes
 
 MARK_IN_FORWARD_CHAIN=No
@@ -137,7 +135,7 @@ BLACKLISTNEWONLY=Yes
 
 DELAYBLACKLISTLOAD=No
 
-MODULE_SUFFIX=ko
+MODULE_SUFFIX=
 
 DISABLE_IPV6=No
 
@@ -191,18 +189,6 @@ AUTOMAKE=No
 
 WIDE_TC_MARKS=No
 
-TRACK_PROVIDERS=No
-
-ZONE2ZONE=2
-
-ACCOUNTING=Yes
-
-DYNAMIC_BLACKLIST=Yes
-
-OPTIMIZE_ACCOUNTING=No
-
-LOAD_HELPERS_ONLY=No
-
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Shorewall/configfiles/tcinterfaces

@@ -1,11 +0,0 @@
-#
-# Shorewall version 4 - Tcinterfaces File
-#
-# For information about entries in this file, type "man shorewall-tcinterfaces"
-#
-# See http://shorewall.net/simple_traffic_shaping.htm for additional
-# information.
-#
-###############################################################################
-#INTERFACE	TYPE		IN-BANDWIDTH
-

Shorewall/configfiles/tcpri

@@ -1,13 +0,0 @@
-#
-# Shorewall version 4 - Tcpri File
-#
-# For information about entries in this file, type "man shorewall-tcpri"
-#
-# See http://shorewall.net/simple_traffic_shaping.htm for additional
-# information.
-#
-###############################################################################
-#BAND	PROTO	PORT(S)		ADDRESS		IN-INTERFACE	HELPER
-
-
-

Shorewall/default.debian

@@ -21,9 +21,4 @@ startup=0
 
 OPTIONS=""
 
-#
-# Init Log -- if /dev/null, use the STARTUP_LOG defined in shorewall.conf
-#
-INITLOG=/dev/null
-
 # EOF

Shorewall/helpers

@@ -1,63 +0,0 @@
-#
-# Shorewall version 4 - Helpers File
-#
-# /usr/share/shorewall/helpers
-#
-#	This file loads the kernel helper modules.
-#
-#	THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-#	dependency order. i.e., if M2 depends on M1 then you must load M1
-#	before you load M2.
-#
-#  If you need to modify this file, copy it to /etc/shorewall and modify the
-#  copy.
-#
-###############################################################################
-
-# Helpers
-#
-loadmodule ip_conntrack_amanda
-loadmodule ip_conntrack_ftp
-loadmodule ip_conntrack_h323
-loadmodule ip_conntrack_irc
-loadmodule ip_conntrack_netbios_ns
-loadmodule ip_conntrack_pptp
-loadmodule ip_conntrack_sip
-loadmodule ip_conntrack_tftp
-loadmodule ip_nat_amanda
-loadmodule ip_nat_ftp
-loadmodule ip_nat_h323
-loadmodule ip_nat_irc
-loadmodule ip_nat_pptp
-loadmodule ip_nat_sip
-loadmodule ip_nat_snmp_basic
-loadmodule ip_nat_tftp
-loadmodule ip_set
-loadmodule ip_set_iphash
-loadmodule ip_set_ipmap
-loadmodule ip_set_macipmap
-loadmodule ip_set_portmap
-#
-# 2.6.20+ helpers
-#
-loadmodule nf_conntrack_ftp
-loadmodule nf_conntrack_h323
-loadmodule nf_conntrack_irc
-loadmodule nf_conntrack_netbios_ns
-loadmodule nf_conntrack_netlink
-loadmodule nf_conntrack_pptp
-loadmodule nf_conntrack_proto_gre
-loadmodule nf_conntrack_proto_sctp
-loadmodule nf_conntrack_sip         sip_direct_media=0
-loadmodule nf_conntrack_tftp
-loadmodule nf_conntrack_sane
-loadmodule nf_nat_amanda
-loadmodule nf_nat_ftp
-loadmodule nf_nat_h323
-loadmodule nf_nat_irc
-loadmodule nf_nat
-loadmodule nf_nat_pptp
-loadmodule nf_nat_proto_gre
-loadmodule nf_nat_sip
-loadmodule nf_nat_snmp_basic
-loadmodule nf_nat_tftp

Shorewall/init.debian.sh

@@ -1,8 +1,8 @@
 #!/bin/sh
 ### BEGIN INIT INFO
 # Provides:          shorewall
-# Required-Start:    $network $remote_fs
-# Required-Stop:     $network $remote_fs
+# Required-Start:    $network
+# Required-Stop:     $network
 # Default-Start:     S
 # Default-Stop:      0 6
 # Short-Description: Configure the firewall at boot time
@@ -15,11 +15,13 @@
 SRWL=/sbin/shorewall
 SRWL_OPTS="-tvv"
 WAIT_FOR_IFUP=/usr/share/shorewall/wait4ifup
-test -n ${INITLOG:=/var/log/shorewall-init.log}
+# Note, set INITLOG to /dev/null if you want to
+# use Shorewall's STARTUP_LOG feature.
+INITLOG=/var/log/shorewall-init.log
 
 test -x $SRWL || exit 0
 test -x $WAIT_FOR_IFUP || exit 0
-test -n "$INITLOG" || {
+test -n $INITLOG || {
 	echo "INITLOG cannot be empty, please configure $0" ; 
 	exit 1;
 }
@@ -38,7 +40,6 @@ echo_notdone () {
 	  echo "not done (check $INITLOG)."
   fi
 
-  exit 1
 }
 
 not_configured () {
@@ -48,7 +49,7 @@ not_configured () {
 	then
 		echo ""
 		echo "Please read about Debian specific customization in"
-		echo "/usr/share/doc/shorewall/README.Debian.gz."
+		echo "/usr/share/doc/shorewall-common/README.Debian.gz."
 	fi
 	echo "#################"
 	exit 0

Shorewall/install.sh

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2000,2001,2002,2003,2004,2005,2006,2007,2009,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.8-Beta2
+VERSION=4.4.0.1
 
 usage() # $1 = exit status
 {
@@ -109,7 +109,6 @@ fi
 
 DEBIAN=
 CYGWIN=
-SPARSE=
 MANDIR=${MANDIR:-"/usr/share/man"}
 
 case $(uname) in
@@ -122,7 +121,6 @@ case $(uname) in
 	OWNER=$(id -un)
 	GROUP=$(id -gn)
 	CYGWIN=Yes
-	SPARSE=Yes
 	;;
     *)
 	[ -z "$OWNER" ] && OWNER=root
@@ -141,9 +139,6 @@ while [ $# -gt 0 ] ; do
 	    echo "Shorewall Firewall Installer Version $VERSION"
 	    exit 0
 	    ;;
-	-s)
-	    SPARSE=Yes
-	    ;;
 	*)
 	    usage 1
 	    ;;
@@ -180,20 +175,15 @@ else
 	exit 1
     fi
 
-    if [ -n "$CYGWIN" ]; then
-	echo "Installing Cygwin-specific configuration..."
-    else
-	if [ -f /etc/debian_version ]; then
-	    echo "Installing Debian-specific configuration..."
+    if [ -z "$CYGWIN" ]; then
+	if [ -d /etc/apt -a -e /usr/bin/dpkg ]; then
 	    DEBIAN=yes
-	    SPARSE=yes
 	elif [ -f /etc/slackware-version ] ; then
-	    echo "Installing Slackware-specific configuration..."
+	    echo "installing Slackware specific configuration..."
 	    DEST="/etc/rc.d"
 	    MANDIR="/usr/man"
 	    SLACKWARE=yes
 	elif [ -f /etc/arch-release ] ; then
-	    echo "Installing ArchLinux-specific configuration..."
 	    DEST="/etc/rc.d"
 	    INIT="shorewall"
 	    ARCHLINUX=yes
@@ -206,7 +196,7 @@ fi
 #
 cd "$(dirname $0)"
 
-echo "Installing Shorewall Version $VERSION"
+echo "Installing Shorewall-common Version $VERSION"
 
 #
 # Check for /etc/shorewall
@@ -252,12 +242,6 @@ mkdir -p ${PREFIX}/var/lib/shorewall
 chmod 755 ${PREFIX}/etc/shorewall
 chmod 755 ${PREFIX}/usr/share/shorewall
 chmod 755 ${PREFIX}/usr/share/shorewall/configfiles
-
-if [ -n "$PREFIX" ]; then
-    mkdir -p ${PREFIX}/etc/logrotate.d
-    chmod 755 ${PREFIX}/etc/logrotate.d
-fi
-    
 #
 # Install the config file
 #
@@ -286,7 +270,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 configfiles/zones ${PREFIX}/usr/share/shorewall/configfiles/zones
 
-if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/zones ]; then
+if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/zones ]; then
     run_install $OWNERSHIP -m 0744 configfiles/zones ${PREFIX}/etc/shorewall/zones
     echo "Zones file installed as ${PREFIX}/etc/shorewall/zones"
 fi
@@ -319,7 +303,7 @@ echo "wait4ifup installed in ${PREFIX}/usr/share/shorewall/wait4ifup"
 #
 run_install $OWNERSHIP -m 0644 configfiles/policy ${PREFIX}/usr/share/shorewall/configfiles/policy
 
-if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/policy ]; then
+if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/policy ]; then
     run_install $OWNERSHIP -m 0600 configfiles/policy ${PREFIX}/etc/shorewall/policy
     echo "Policy file installed as ${PREFIX}/etc/shorewall/policy"
 fi
@@ -328,7 +312,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 configfiles/interfaces ${PREFIX}/usr/share/shorewall/configfiles/interfaces
 
-if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/interfaces ]; then
+if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/interfaces ]; then
     run_install $OWNERSHIP -m 0600 configfiles/interfaces ${PREFIX}/etc/shorewall/interfaces
     echo "Interfaces file installed as ${PREFIX}/etc/shorewall/interfaces"
 fi
@@ -338,7 +322,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 configfiles/hosts ${PREFIX}/usr/share/shorewall/configfiles/hosts
 
-if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/hosts ]; then
+if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/hosts ]; then
     run_install $OWNERSHIP -m 0600 configfiles/hosts ${PREFIX}/etc/shorewall/hosts
     echo "Hosts file installed as ${PREFIX}/etc/shorewall/hosts"
 fi
@@ -347,7 +331,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 configfiles/rules ${PREFIX}/usr/share/shorewall/configfiles/rules
 
-if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/rules ]; then
+if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/rules ]; then
     run_install $OWNERSHIP -m 0600 configfiles/rules ${PREFIX}/etc/shorewall/rules
     echo "Rules file installed as ${PREFIX}/etc/shorewall/rules"
 fi
@@ -356,7 +340,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 configfiles/nat ${PREFIX}/usr/share/shorewall/configfiles/nat
 
-if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/nat ]; then
+if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/nat ]; then
     run_install $OWNERSHIP -m 0600 configfiles/nat ${PREFIX}/etc/shorewall/nat
     echo "NAT file installed as ${PREFIX}/etc/shorewall/nat"
 fi
@@ -365,7 +349,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 configfiles/netmap ${PREFIX}/usr/share/shorewall/configfiles/netmap
 
-if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/netmap ]; then
+if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/netmap ]; then
     run_install $OWNERSHIP -m 0600 configfiles/netmap ${PREFIX}/etc/shorewall/netmap
     echo "NETMAP file installed as ${PREFIX}/etc/shorewall/netmap"
 fi
@@ -385,7 +369,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 configfiles/proxyarp ${PREFIX}/usr/share/shorewall/configfiles/proxyarp
 
-if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/proxyarp ]; then
+if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/proxyarp ]; then
     run_install $OWNERSHIP -m 0600 configfiles/proxyarp ${PREFIX}/etc/shorewall/proxyarp
     echo "Proxy ARP file installed as ${PREFIX}/etc/shorewall/proxyarp"
 fi
@@ -394,7 +378,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 configfiles/routestopped ${PREFIX}/usr/share/shorewall/configfiles/routestopped
 
-if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/routestopped ]; then
+if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/routestopped ]; then
     run_install $OWNERSHIP -m 0600 configfiles/routestopped ${PREFIX}/etc/shorewall/routestopped
     echo "Stopped Routing file installed as ${PREFIX}/etc/shorewall/routestopped"
 fi
@@ -403,7 +387,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 configfiles/maclist ${PREFIX}/usr/share/shorewall/configfiles/maclist
 
-if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/maclist ]; then
+if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/maclist ]; then
     run_install $OWNERSHIP -m 0600 configfiles/maclist ${PREFIX}/etc/shorewall/maclist
     echo "MAC list file installed as ${PREFIX}/etc/shorewall/maclist"
 fi
@@ -412,7 +396,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 configfiles/masq ${PREFIX}/usr/share/shorewall/configfiles/masq
 
-if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/masq ]; then
+if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/masq ]; then
     run_install $OWNERSHIP -m 0600 configfiles/masq ${PREFIX}/etc/shorewall/masq
     echo "Masquerade file installed as ${PREFIX}/etc/shorewall/masq"
 fi
@@ -421,7 +405,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 configfiles/notrack ${PREFIX}/usr/share/shorewall/configfiles/notrack
 
-if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/notrack ]; then
+if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/notrack ]; then
     run_install $OWNERSHIP -m 0600 configfiles/notrack ${PREFIX}/etc/shorewall/notrack
     echo "Notrack file installed as ${PREFIX}/etc/shorewall/notrack"
 fi
@@ -431,48 +415,22 @@ fi
 run_install $OWNERSHIP -m 0600 modules ${PREFIX}/usr/share/shorewall/modules
 echo "Modules file installed as ${PREFIX}/usr/share/shorewall/modules"
 
-#
-# Install the Module Helpers file
-#
-run_install $OWNERSHIP -m 0600 helpers ${PREFIX}/usr/share/shorewall/helpers
-echo "Helper modules file installed as ${PREFIX}/usr/share/shorewall/helpers"
-
 #
 # Install the TC Rules file
 #
 run_install $OWNERSHIP -m 0644 configfiles/tcrules ${PREFIX}/usr/share/shorewall/configfiles/tcrules
 
-if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/tcrules ]; then
+if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/tcrules ]; then
     run_install $OWNERSHIP -m 0600 configfiles/tcrules ${PREFIX}/etc/shorewall/tcrules
     echo "TC Rules file installed as ${PREFIX}/etc/shorewall/tcrules"
 fi
 
-#
-# Install the TC Interfaces file
-#
-run_install $OWNERSHIP -m 0644 configfiles/tcinterfaces ${PREFIX}/usr/share/shorewall/configfiles/tcinterfaces
-
-if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/tcinterfaces ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/tcinterfaces ${PREFIX}/etc/shorewall/tcinterfaces
-    echo "TC Interfaces file installed as ${PREFIX}/etc/shorewall/tcinterfaces"
-fi
-
-#
-# Install the TC Priority file
-#
-run_install $OWNERSHIP -m 0644 configfiles/tcpri ${PREFIX}/usr/share/shorewall/configfiles/tcpri
-
-if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/tcpri ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/tcpri ${PREFIX}/etc/shorewall/tcpri
-    echo "TC Priority file installed as ${PREFIX}/etc/shorewall/tcpri"
-fi
-
 #
 # Install the TOS file
 #
 run_install $OWNERSHIP -m 0644 configfiles/tos ${PREFIX}/usr/share/shorewall/configfiles/tos
 
-if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/tos ]; then
+if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/tos ]; then
     run_install $OWNERSHIP -m 0600 configfiles/tos ${PREFIX}/etc/shorewall/tos
     echo "TOS file installed as ${PREFIX}/etc/shorewall/tos"
 fi
@@ -481,7 +439,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 configfiles/tunnels ${PREFIX}/usr/share/shorewall/configfiles/tunnels
 
-if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/tunnels ]; then
+if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/tunnels ]; then
     run_install $OWNERSHIP -m 0600 configfiles/tunnels ${PREFIX}/etc/shorewall/tunnels
     echo "Tunnels file installed as ${PREFIX}/etc/shorewall/tunnels"
 fi
@@ -490,20 +448,11 @@ fi
 #
 run_install $OWNERSHIP -m 0644 configfiles/blacklist ${PREFIX}/usr/share/shorewall/configfiles/blacklist
 
-if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/blacklist ]; then
+if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/blacklist ]; then
     run_install $OWNERSHIP -m 0600 configfiles/blacklist ${PREFIX}/etc/shorewall/blacklist
     echo "Blacklist file installed as ${PREFIX}/etc/shorewall/blacklist"
 fi
 #
-# Install the findgw file
-#
-run_install $OWNERSHIP -m 0644 configfiles/findgw ${PREFIX}/usr/share/shorewall/configfiles/findgw
-
-if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/findgw ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/findgw ${PREFIX}/etc/shorewall/findgw
-    echo "Find GW file installed as ${PREFIX}/etc/shorewall/findgw"
-fi
-#
 # Delete the Routes file
 #
 delete_file ${PREFIX}/etc/shorewall/routes
@@ -527,7 +476,7 @@ delete_file ${PREFIX}/usr/share/shorewall/xmodules
 #
 run_install $OWNERSHIP -m 0644 configfiles/providers ${PREFIX}/usr/share/shorewall/configfiles/providers
 
-if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/providers ]; then
+if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/providers ]; then
     run_install $OWNERSHIP -m 0600 configfiles/providers ${PREFIX}/etc/shorewall/providers
     echo "Providers file installed as ${PREFIX}/etc/shorewall/providers"
 fi
@@ -537,7 +486,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 configfiles/route_rules ${PREFIX}/usr/share/shorewall/configfiles/route_rules
 
-if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/route_rules ]; then
+if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/route_rules ]; then
     run_install $OWNERSHIP -m 0600 configfiles/route_rules ${PREFIX}/etc/shorewall/route_rules
     echo "Routing rules file installed as ${PREFIX}/etc/shorewall/route_rules"
 fi
@@ -547,7 +496,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 configfiles/tcclasses ${PREFIX}/usr/share/shorewall/configfiles/tcclasses
 
-if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/tcclasses ]; then
+if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/tcclasses ]; then
     run_install $OWNERSHIP -m 0600 configfiles/tcclasses ${PREFIX}/etc/shorewall/tcclasses
     echo "TC Classes file installed as ${PREFIX}/etc/shorewall/tcclasses"
 fi
@@ -557,7 +506,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 configfiles/tcdevices ${PREFIX}/usr/share/shorewall/configfiles/tcdevices
 
-if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/tcdevices ]; then
+if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/tcdevices ]; then
     run_install $OWNERSHIP -m 0600 configfiles/tcdevices ${PREFIX}/etc/shorewall/tcdevices
     echo "TC Devices file installed as ${PREFIX}/etc/shorewall/tcdevices"
 fi
@@ -567,7 +516,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 configfiles/tcfilters ${PREFIX}/usr/share/shorewall/configfiles/tcfilters
 
-if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/tcfilters ]; then
+if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/tcfilters ]; then
     run_install $OWNERSHIP -m 0600 configfiles/tcfilters ${PREFIX}/etc/shorewall/tcfilters
     echo "TC Filters file installed as ${PREFIX}/etc/shorewall/tcfilters"
 fi
@@ -582,7 +531,7 @@ echo "Default config path file installed as ${PREFIX}/usr/share/shorewall/config
 #
 run_install $OWNERSHIP -m 0644 configfiles/init ${PREFIX}/usr/share/shorewall/configfiles/init
 
-if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/init ]; then
+if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/init ]; then
     run_install $OWNERSHIP -m 0600 configfiles/init ${PREFIX}/etc/shorewall/init
     echo "Init file installed as ${PREFIX}/etc/shorewall/init"
 fi
@@ -591,7 +540,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 configfiles/initdone ${PREFIX}/usr/share/shorewall/configfiles/initdone
 
-if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/initdone ]; then
+if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/initdone ]; then
     run_install $OWNERSHIP -m 0600 configfiles/initdone ${PREFIX}/etc/shorewall/initdone
     echo "Initdone file installed as ${PREFIX}/etc/shorewall/initdone"
 fi
@@ -600,7 +549,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 configfiles/start ${PREFIX}/usr/share/shorewall/configfiles/start
 
-if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/start ]; then
+if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/start ]; then
     run_install $OWNERSHIP -m 0600 configfiles/start ${PREFIX}/etc/shorewall/start
     echo "Start file installed as ${PREFIX}/etc/shorewall/start"
 fi
@@ -609,7 +558,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 configfiles/stop ${PREFIX}/usr/share/shorewall/configfiles/stop
 
-if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/stop ]; then
+if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/stop ]; then
     run_install $OWNERSHIP -m 0600 configfiles/stop ${PREFIX}/etc/shorewall/stop
     echo "Stop file installed as ${PREFIX}/etc/shorewall/stop"
 fi
@@ -618,7 +567,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 configfiles/stopped ${PREFIX}/usr/share/shorewall/configfiles/stopped
 
-if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/stopped ]; then
+if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/stopped ]; then
     run_install $OWNERSHIP -m 0600 configfiles/stopped ${PREFIX}/etc/shorewall/stopped
     echo "Stopped file installed as ${PREFIX}/etc/shorewall/stopped"
 fi
@@ -627,7 +576,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 configfiles/ecn ${PREFIX}/usr/share/shorewall/configfiles/ecn
 
-if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/ecn ]; then
+if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/ecn ]; then
     run_install $OWNERSHIP -m 0600 configfiles/ecn ${PREFIX}/etc/shorewall/ecn
     echo "ECN file installed as ${PREFIX}/etc/shorewall/ecn"
 fi
@@ -636,7 +585,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 configfiles/accounting ${PREFIX}/usr/share/shorewall/configfiles/accounting
 
-if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/accounting ]; then
+if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/accounting ]; then
     run_install $OWNERSHIP -m 0600 configfiles/accounting ${PREFIX}/etc/shorewall/accounting
     echo "Accounting file installed as ${PREFIX}/etc/shorewall/accounting"
 fi
@@ -645,7 +594,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 configfiles/lib.private ${PREFIX}/usr/share/shorewall/configfiles/lib.private
 
-if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/lib.private ]; then
+if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/lib.private ]; then
     run_install $OWNERSHIP -m 0600 configfiles/lib.private ${PREFIX}/etc/shorewall/lib.private
     echo "Private library file installed as ${PREFIX}/etc/shorewall/lib.private"
 fi
@@ -654,7 +603,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 configfiles/started ${PREFIX}/usr/share/shorewall/configfiles/started
 
-if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/started ]; then
+if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/started ]; then
     run_install $OWNERSHIP -m 0600 configfiles/started ${PREFIX}/etc/shorewall/started
     echo "Started file installed as ${PREFIX}/etc/shorewall/started"
 fi
@@ -663,7 +612,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 configfiles/restored ${PREFIX}/usr/share/shorewall/configfiles/restored
 
-if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/restored ]; then
+if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/restored ]; then
     run_install $OWNERSHIP -m 0600 configfiles/restored ${PREFIX}/etc/shorewall/restored
     echo "Restored file installed as ${PREFIX}/etc/shorewall/restored"
 fi
@@ -672,7 +621,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 configfiles/clear ${PREFIX}/usr/share/shorewall/configfiles/clear
 
-if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/clear ]; then
+if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/clear ]; then
     run_install $OWNERSHIP -m 0600 configfiles/clear ${PREFIX}/etc/shorewall/clear
     echo "Clear file installed as ${PREFIX}/etc/shorewall/clear"
 fi
@@ -681,7 +630,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 configfiles/isusable ${PREFIX}/usr/share/shorewall/configfiles/isusable
 
-if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/isusable ]; then
+if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/isusable ]; then
     run_install $OWNERSHIP -m 0600 configfiles/isusable ${PREFIX}/etc/shorewall/isusable
     echo "Isusable file installed as ${PREFIX}/etc/shorewall/isusable"
 fi
@@ -690,7 +639,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 configfiles/refresh ${PREFIX}/usr/share/shorewall/configfiles/refresh
 
-if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/refresh ]; then
+if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/refresh ]; then
     run_install $OWNERSHIP -m 0600 configfiles/refresh ${PREFIX}/etc/shorewall/refresh
     echo "Refresh file installed as ${PREFIX}/etc/shorewall/refresh"
 fi
@@ -699,7 +648,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 configfiles/refreshed ${PREFIX}/usr/share/shorewall/configfiles/refreshed
 
-if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/refreshed ]; then
+if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/refreshed ]; then
     run_install $OWNERSHIP -m 0600 configfiles/refreshed ${PREFIX}/etc/shorewall/refreshed
     echo "Refreshed file installed as ${PREFIX}/etc/shorewall/refreshed"
 fi
@@ -708,7 +657,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 configfiles/tcclear ${PREFIX}/usr/share/shorewall/configfiles/tcclear
 
-if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/tcclear ]; then
+if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/tcclear ]; then
     run_install $OWNERSHIP -m 0600 configfiles/tcclear ${PREFIX}/etc/shorewall/tcclear
     echo "Tcclear file installed as ${PREFIX}/etc/shorewall/tcclear"
 fi
@@ -723,7 +672,7 @@ echo "Standard actions file installed as ${PREFIX}/usr/shared/shorewall/actions.
 #
 run_install $OWNERSHIP -m 0644 configfiles/actions ${PREFIX}/usr/share/shorewall/configfiles/actions
 
-if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/actions ]; then
+if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/actions ]; then
     run_install $OWNERSHIP -m 0644 configfiles/actions ${PREFIX}/etc/shorewall/actions
     echo "Actions file installed as ${PREFIX}/etc/shorewall/actions"
 fi
@@ -733,7 +682,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 Makefile-lite ${PREFIX}/usr/share/shorewall/configfiles/Makefile
 
-if [ -z "$SPARSE" ]; then
+if [ -z "$CYGWIN" ]; then
     run_install $OWNERSHIP -m 0600 Makefile ${PREFIX}/etc/shorewall/Makefile
     echo "Makefile installed as ${PREFIX}/etc/shorewall/Makefile"
 fi
@@ -834,16 +783,6 @@ cd ..
 
 echo "Man Pages Installed"
 
-if [ -d ${PREFIX}/etc/logrotate.d ]; then
-    run_install $OWNERSHIP -m 0644 logrotate ${PREFIX}/etc/logrotate.d/shorewall
-    echo "Logrotate file installed as ${PREFIX}/etc/logrotate.d/shorewall"
-fi
-
-if [ -z "$PREFIX" ]; then
-    rm -rf /usr/share/shorewall-perl
-    rm -rf /usr/share/shorewall-shell
-fi
-
 if [ -z "$PREFIX" -a -n "$first_install" -a -z "$CYGWIN" ]; then
     if [ -n "$DEBIAN" ]; then
 	run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall
@@ -851,7 +790,7 @@ if [ -z "$PREFIX" -a -n "$first_install" -a -z "$CYGWIN" ]; then
 	echo "shorewall will start automatically at boot"
 	echo "Set startup=1 in /etc/default/shorewall to enable"
 	touch /var/log/shorewall-init.log
-	perl -p -w -i -e 's/^STARTUP_ENABLED=No/STARTUP_ENABLED=Yes/;s/^IP_FORWARDING=On/IP_FORWARDING=Keep/;s/^SUBSYSLOCK=.*/SUBSYSLOCK=/;' /etc/shorewall/shorewall.conf
+	qt mywhich perl && perl -p -w -i -e 's/^STARTUP_ENABLED=No/STARTUP_ENABLED=Yes/;s/^IP_FORWARDING=On/IP_FORWARDING=Keep/;s/^SUBSYSLOCK=.*/SUBSYSLOCK=/;' /etc/shorewall/shorewall.conf
     else
 	if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
 	    if insserv /etc/init.d/shorewall ; then
@@ -884,4 +823,4 @@ fi
 #
 #  Report Success
 #
-echo "shorewall Version $VERSION Installed"
+echo "shorewall-common Version $VERSION Installed"

Shorewall/known_problems.txt

@@ -1 +1,16 @@
-There are no known problems in Shorewall 4.4.7.
+1)  If ULOG is specified as the LOG LEVEL in the all->all policy, the
+    rules at the end of the INPUT and OUTPUT chains still use the
+    LOG target rather than ULOG.
+
+    You can work around this problem by adding two additional policies
+    before the all->all one:
+
+    	   all 		$FW	DROP	ULOG
+	   $FW		all	REJECT	ULOG
+
+    This problem was corrected in Shorewall 4.4.0.1.
+
+2)  Use of CONTINUE policies with a nested IPSEC zone was broken in
+    some cases.
+
+    This problem was corrected in Shorewall 4.4.0.1.

Shorewall/lib.base

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Shorewall 4.4 -- /usr/share/shorewall/lib.base
+# Shorewall 4.2 -- /usr/share/shorewall/lib.base
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
@@ -24,17 +24,26 @@
 # This library contains the code common to all Shorewall components.
 #
 # - It is loaded by /sbin/shorewall.
+# - It is loaded by /usr/share/shorewall/firewall.
 # - It is released as part of Shorewall Lite where it is used by /sbin/shorewall-lite
 #   and /usr/share/shorewall-lite/shorecap.
 #
 
-SHOREWALL_LIBVERSION=40407
-SHOREWALL_CAPVERSION=40408
+SHOREWALL_LIBVERSION=40000
+SHOREWALL_CAPVERSION=40310
 
 [ -n "${VARDIR:=/var/lib/shorewall}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall}" ]
 [ -n "${CONFDIR:=/etc/shorewall}" ]
 
+#
+# Message to stderr
+#
+error_message() # $* = Error Message
+{
+   echo "   $@" >&2
+}
+
 #
 # Conditionally produce message
 #
@@ -43,8 +52,8 @@ progress_message() # $* = Message
     local timestamp
     timestamp=
 
-    if [ $VERBOSITY -gt 1 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
+    if [ $VERBOSE -gt 1 ]; then
+	[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
     fi
 }
@@ -54,8 +63,8 @@ progress_message2() # $* = Message
     local timestamp
     timestamp=
 
-    if [ $VERBOSITY -gt 0 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
+    if [ $VERBOSE -gt 0 ]; then
+	[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
     fi
 }
@@ -65,12 +74,40 @@ progress_message3() # $* = Message
     local timestamp
     timestamp=
 
-    if [ $VERBOSITY -ge 0 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
+    if [ $VERBOSE -ge 0 ]; then
+	[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
     fi
 }
 
+#
+# Split a colon-separated list into a space-separated list
+#
+split() {
+    local ifs
+    ifs=$IFS
+    IFS=:
+    echo $*
+    IFS=$ifs
+}
+
+#
+# Search a list looking for a match -- returns zero if a match found
+# 1 otherwise
+#
+list_search() # $1 = element to search for , $2-$n = list
+{
+    local e
+    e=$1
+
+    while [ $# -gt 1 ]; do
+	shift
+	[ "x$e" = "x$1" ] && return 0
+    done
+
+    return 1
+}
+
 #
 # Undo the effect of 'separate_list()'
 #
@@ -87,6 +124,167 @@ combine_list()
     echo $o
 }
 
+#
+# Suppress all output for a command
+#
+qt()
+{
+    "$@" >/dev/null 2>&1
+}
+
+#
+# Determine if Shorewall is "running"
+#
+shorewall_is_started() {
+    qt $IPTABLES -L shorewall -n
+}
+
+#
+# Echos the fully-qualified name of the calling shell program
+#
+my_pathname() {
+    cd $(dirname $0)
+    echo $PWD/$(basename $0)
+}
+
+#
+# Source a user exit file if it exists
+#
+run_user_exit() # $1 = file name
+{
+    local user_exit
+    user_exit=$(find_file $1)
+
+    if [ -f $user_exit ]; then
+	progress_message "Processing $user_exit ..."
+	. $user_exit
+    fi
+}
+
+#
+# Load a Kernel Module -- assumes that the variable 'moduledirectories' contains
+#                         a space-separated list of directories to search for
+#                         the module and that 'moduleloader' contains the
+#                         module loader command.
+#
+loadmodule() # $1 = module name, $2 - * arguments
+{
+    local modulename
+    modulename=$1
+    local modulefile
+    local suffix
+
+    if ! list_search $modulename $MODULES $DONT_LOAD ; then
+	shift
+
+	for suffix in $MODULE_SUFFIX ; do
+	    for directory in $moduledirectories; do
+		modulefile=$directory/${modulename}.${suffix}
+
+		if [ -f $modulefile ]; then
+		    case $moduleloader in
+			insmod)
+			    insmod $modulefile $*
+			    ;;
+			*)
+			    modprobe $modulename $*
+			    ;;
+		    esac
+		    break 2
+		fi
+	    done
+	done
+    fi
+}
+
+#
+# Reload the Modules
+#
+reload_kernel_modules() {
+
+    local save_modules_dir
+    save_modules_dir=$MODULESDIR
+    local directory
+    local moduledirectories
+    moduledirectories=
+    local moduleloader
+    moduleloader=modprobe
+    local uname
+
+    if ! qt mywhich modprobe; then
+	moduleloader=insmod
+    fi
+
+    [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
+
+
+    [ -z "$MODULESDIR" ] && \
+	uname=$(uname -r) && \
+	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
+
+    MODULES=$(lsmod | cut -d ' ' -f1)
+
+    for directory in $(split $MODULESDIR); do
+	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
+    done
+
+    [ -n "$moduledirectories" ] && while read command; do
+	eval $command
+    done
+
+    MODULESDIR=$save_modules_dir
+}
+
+#
+# Load kernel modules required for Shorewall
+#
+load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
+{
+    local save_modules_dir
+    save_modules_dir=$MODULESDIR
+    local directory
+    local moduledirectories
+    moduledirectories=
+    local moduleloader
+    moduleloader=modprobe
+    local savemoduleinfo
+    savemoduleinfo=${1:-Yes} # So old compiled scripts still work
+    local uname
+
+    if ! qt mywhich modprobe; then
+	moduleloader=insmod
+    fi
+
+    [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
+
+    [ -z "$MODULESDIR" ] && \
+	uname=$(uname -r) && \
+	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
+
+    for directory in $(split $MODULESDIR); do
+	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
+    done
+
+    modules=$(find_file modules)
+
+    if [ -f $modules -a -n "$moduledirectories" ]; then
+	MODULES=$(lsmod | cut -d ' ' -f1)
+	progress_message "Loading Modules..."
+	. $modules
+	if [ $savemoduleinfo = Yes ]; then
+	    [ -d ${VARDIR} ] || mkdir -p ${VARDIR}
+	    echo MODULESDIR="$MODULESDIR" > ${VARDIR}/.modulesdir
+	    cp -f $modules ${VARDIR}/.modules
+	fi
+    elif [ $savemoduleinfo = Yes ]; then
+	[ -d ${VARDIR} ] || mkdir -p ${VARDIR}
+	> ${VARDIR}/.modulesdir	
+	> ${VARDIR}/.modules
+    fi
+
+    MODULESDIR=$save_modules_dir
+}
+
 #
 # Call this function to assert mutual exclusion with Shorewall. If you invoke the
 # /sbin/shorewall program while holding mutual exclusion, you should pass "nolock" as
@@ -136,32 +334,12 @@ mutex_off()
 }
 
 #
-# Find the interface with the passed MAC address
+#  Note: The following set of IP address manipulation functions have anomalous
+#        behavior when the shell only supports 32-bit signed arithmetic and
+#        the IP address is 128.0.0.0 or 128.0.0.1.
 #
 
-find_interface_by_mac() {
-    local mac
-    mac=$1
-    local first
-    local second
-    local rest
-    local dev
-
-    $IP link list | while read first second rest; do
-	case $first in
-	    *:)
-                dev=$second
-		;;
-	    *)
-	        if [ "$second" = $mac ]; then
-		    echo ${dev%:}
-		    return
-		fi
-	esac
-    done
-}
-
-[ -z "$LEFTSHIFT" ] && . ${SHAREDIR}/lib.common
+LEFTSHIFT='<<'
 
 #
 # Validate an IP address
@@ -191,6 +369,44 @@ valid_address() {
     return 0
 }
 
+#
+# Convert an IP address in dot quad format to an integer
+#
+decodeaddr() {
+    local x
+    local temp
+    temp=0
+    local ifs
+    ifs=$IFS
+
+    IFS=.
+
+    for x in $1; do
+	temp=$(( $(( $temp $LEFTSHIFT 8 )) | $x ))
+    done
+
+    echo $temp
+
+    IFS=$ifs
+}
+
+#
+# convert an integer to dot quad format
+#
+encodeaddr() {
+    addr=$1
+    local x
+    local y
+    y=$(($addr & 255))
+
+    for x in 1 2 3 ; do
+	addr=$(($addr >> 8))
+	y=$(($addr & 255)).$y
+    done
+
+    echo $y
+}
+
 #
 # Miserable Hack to work around broken BusyBox ash in OpenWRT
 #
@@ -291,6 +507,66 @@ ip_range_explicit() {
     done
 }
 
+#
+# Netmask from CIDR
+#
+ip_netmask() {
+    local vlsm
+    vlsm=${1#*/}
+
+    [ $vlsm -eq 0 ] && echo 0 || echo $(( -1 $LEFTSHIFT $(( 32 - $vlsm )) ))
+}
+
+#
+# Network address from CIDR
+#
+ip_network() {
+    local decodedaddr
+    decodedaddr=$(decodeaddr ${1%/*})
+    local netmask
+    netmask=$(ip_netmask $1)
+
+    echo $(encodeaddr $(($decodedaddr & $netmask)))
+}
+
+#
+# The following hack is supplied to compensate for the fact that many of
+# the popular light-weight Bourne shell derivatives don't support XOR ("^").
+#
+ip_broadcast() {
+    local x
+    x=$(( 32 - ${1#*/} ))
+
+    [ $x -eq 32 ] && echo -1 || echo $(( $(( 1 $LEFTSHIFT $x )) - 1 ))
+}
+
+#
+# Calculate broadcast address from CIDR
+#
+broadcastaddress() {
+    local decodedaddr
+    decodedaddr=$(decodeaddr ${1%/*})
+    local netmask
+    netmask=$(ip_netmask $1)
+    local broadcast
+    broadcast=$(ip_broadcast $1)
+
+    echo $(encodeaddr $(( $(($decodedaddr & $netmask)) | $broadcast )))
+}
+
+#
+# Test for network membership
+#
+in_network() # $1 = IP address, $2 = CIDR network
+{
+    local netmask
+    netmask=$(ip_netmask $2)
+    #
+    # We compare the values as strings rather than integers to work around broken BusyBox ash on OpenWRT
+    #
+    test $(( $(decodeaddr $1) & $netmask)) = $(( $(decodeaddr ${2%/*}) & $netmask ))
+}
+
 #
 # Netmask to VLSM
 #
@@ -314,6 +590,90 @@ ip_vlsm() {
     fi
 }
 
+#
+# Query NetFilter about the existence of a filter chain
+#
+chain_exists() # $1 = chain name
+{
+    qt $IPTABLES -L $1 -n
+}
+
+#
+# Find the interface with the passed MAC address
+#
+
+find_interface_by_mac() {
+    local mac
+    mac=$1 
+    local first 
+    local second
+    local rest
+    local dev
+
+    ip link list | while read first second rest; do
+	case $first in
+	    *:)
+                dev=$second
+		;;
+	    *)
+	        if [ "$second" = $mac ]; then
+		    echo ${dev%:}
+		    return
+		fi
+	esac
+    done
+}
+
+#
+# Find interface address--returns the first IP address assigned to the passed
+# device
+#
+find_first_interface_address() # $1 = interface
+{
+    #
+    # get the line of output containing the first IP address
+    #
+    addr=$(ip -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
+    #
+    # If there wasn't one, bail out now
+    #
+    [ -n "$addr" ] || fatal_error "Can't determine the IP address of $1"
+    #
+    # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
+    # along with everything else on the line
+    #
+    echo $addr | sed 's/\s*inet //;s/\/.*//;s/ peer.*//'
+}
+
+find_first_interface_address_if_any() # $1 = interface
+{
+    #
+    # get the line of output containing the first IP address
+    #
+    addr=$(ip -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
+    #
+    # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
+    # along with everything else on the line
+    #
+    [ -n "$addr" ] && echo $addr | sed 's/\s*inet //;s/\/.*//;s/ peer.*//' || echo 0.0.0.0
+}
+
+#
+# Internal version of 'which'
+#
+mywhich() {
+    local dir
+
+    for dir in $(split $PATH); do
+	if [ -x $dir/$1 ]; then
+	    echo $dir/$1
+	    return 0
+	fi
+    done
+
+    return 2
+}
+
 #
 # Set default config path
 #
@@ -330,6 +690,32 @@ ensure_config_path() {
     fi
 }
 
+#
+# Find a File -- For relative file name, look in each ${CONFIG_PATH} then ${CONFDIR}
+#
+find_file()
+{
+    local saveifs
+    saveifs= 
+    local directory
+
+    case $1 in
+	/*)
+	    echo $1
+	    ;;
+	*)
+	    for directory in $(split $CONFIG_PATH); do
+		if [ -f $directory/$1 ]; then
+		    echo $directory/$1
+		    return
+		fi
+	    done
+
+	    echo ${CONFDIR}/$1
+	    ;;
+    esac
+}
+
 #
 # Get fully-qualified name of file
 #
@@ -364,11 +750,342 @@ resolve_file() # $1 = file name
     esac
 }
 
+#
+# Perform variable substitution on the passed argument and echo the result
+#
+expand() # $@ = contents of variable which may be the name of another variable
+{
+    eval echo \"$@\"
+}
+
+#
+# Function for including one file into another
+#
+INCLUDE() {
+    . $(find_file $(expand $@))
+}
+
+#
+# Set the Shorewall state
+#
+set_state () # $1 = state
+{
+    echo "$1 ($(date))" > ${VARDIR}/state
+}
+
+#
+# Determine which optional facilities are supported by iptables/netfilter
+#
+determine_capabilities() {
+    qt $IPTABLES -t nat    -L -n && NAT_ENABLED=Yes    || NAT_ENABLED=
+    qt $IPTABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
+
+    CONNTRACK_MATCH=
+    NEW_CONNTRACK_MATCH=
+    OLD_CONNTRACK_MATCH=
+    MULTIPORT=
+    XMULTIPORT=
+    POLICY_MATCH=
+    PHYSDEV_MATCH=
+    PHYSDEV_BRIDGE=
+    IPRANGE_MATCH=
+    RECENT_MATCH=
+    OWNER_MATCH=
+    IPSET_MATCH=
+    CONNMARK=
+    XCONNMARK=
+    CONNMARK_MATCH=
+    XCONNMARK_MATCH=
+    RAW_TABLE=
+    IPP2P_MATCH=
+    OLD_IPP2P_MATCH=
+    LENGTH_MATCH=
+    CLASSIFY_TARGET=
+    ENHANCED_REJECT=
+    USEPKTTYPE=
+    KLUDGEFREE=
+    MARK=
+    XMARK=
+    MANGLE_FORWARD=
+    COMMENTS=
+    ADDRTYPE=
+    TCPMSS_MATCH=
+    HASHLIMIT_MATCH=
+    NFQUEUE_TARGET=
+    REALM_MATCH=
+    HELPER_MATCH=
+    CONNLIMIT_MATCH=
+    TIME_MATCH=
+    GOTO_TARGET=
+    LOGMARK_TARGET=
+    IPMARK_TARGET=
+    LOG_TARGET=Yes
+
+    chain=fooX$$
+
+    [ -n "$IPTABLES" ] || IPTABLES=$(mywhich iptables)
+
+    if [ -z "$IPTABLES" ]; then
+	echo "   ERROR: No executable iptables binary can be found on your PATH" >&2
+	exit 1
+    fi
+
+    qt $IPTABLES -F $chain
+    qt $IPTABLES -X $chain
+    if ! $IPTABLES -N $chain; then
+	echo "   ERROR: The command \"$IPTABLES -N $chain\" failed" >&2
+	exit 1
+    fi
+
+    chain1=${chain}1
+
+    qt $IPTABLES -F $chain1
+    qt $IPTABLES -X $chain1
+    if ! $IPTABLES -N $chain1; then
+	echo "   ERROR: The command \"$IPTABLES -N $chain1\" failed" >&2
+	exit 1
+    fi
+
+    if ! qt $IPTABLES -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT; then
+	echo "   ERROR: Your kernel lacks connection tracking and/or state matching -- Shorewall will not run on this system" >&2
+	exit 1
+    fi
+
+    qt $IPTABLES -A $chain -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
+
+    if [ -n "$CONNTRACK_MATCH" ]; then
+	qt $IPTABLES -A $chain -m conntrack -p tcp --ctorigdstport 22 -j ACCEPT && NEW_CONNTRACK_MATCH=Yes
+	qt $IPTABLES -A $chain -m conntrack ! --ctorigdst 1.2.3.4 || OLD_CONNTRACK_MATCH=Yes
+    fi
+
+    if qt $IPTABLES -A $chain -p tcp -m multiport --dports 21,22 -j ACCEPT; then
+	MULTIPORT=Yes
+	qt $IPTABLES -A $chain -p tcp -m multiport --sports 60 -m multiport --dports 99 -j ACCEPT && KLUDEFREE=Yes
+    fi
+
+    qt $IPTABLES -A $chain -p tcp -m multiport --dports 21:22 -j ACCEPT           && XMULTIPORT=Yes
+    qt $IPTABLES -A $chain -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT && POLICY_MATCH=Yes
+
+    if qt $IPTABLES -A $chain -m physdev --physdev-out eth0 -j ACCEPT; then
+	PHYSDEV_MATCH=Yes
+	qt $IPTABLES -A $chain -m physdev --physdev-is-bridged --physdev-in eth0 --physdev-out eth0 -j ACCEPT && PHYSDEV_BRIDGE=Yes
+	if [ -z "${KLUDGEFREE}" ]; then
+	    qt $IPTABLES -A $chain -m physdev --physdev-in eth0 -m physdev --physdev-out eth0 -j ACCEPT && KLUDGEFREE=Yes
+	fi
+    fi
+
+    if qt $IPTABLES -A $chain -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT; then
+	IPRANGE_MATCH=Yes
+	if [ -z "${KLUDGEFREE}" ]; then
+	    qt $IPTABLES -A $chain -m iprange --src-range 192.168.1.5-192.168.1.124 -m iprange --dst-range 192.168.1.5-192.168.1.124 -j ACCEPT && KLUDGEFREE=Yes
+	fi
+    fi
+
+    qt $IPTABLES -A $chain -m recent --update -j ACCEPT     && RECENT_MATCH=Yes
+    qt $IPTABLES -A $chain -m owner --uid-owner 0 -j ACCEPT && OWNER_MATCH=Yes
+
+    if qt $IPTABLES -A $chain -m connmark --mark 2  -j ACCEPT; then
+	CONNMARK_MATCH=Yes
+	qt $IPTABLES -A $chain -m connmark --mark 2/0xFF -j ACCEPT && XCONNMARK_MATCH=Yes
+    fi
+
+    qt $IPTABLES -A $chain -p tcp -m ipp2p --edk -j ACCEPT       && IPP2P_MATCH=Yes
+    if [ -n "$IPP2P_MATCH" ]; then
+	qt $IPTABLES -A $chain -p tcp -m ipp2p --ipp2p -j ACCEPT && OLD_IPP2P_MATCH=Yes
+    fi
+
+    qt $IPTABLES -A $chain -m length --length 10:20 -j ACCEPT           && LENGTH_MATCH=Yes
+    qt $IPTABLES -A $chain -j REJECT --reject-with icmp-host-prohibited && ENHANCED_REJECT=Yes
+
+    qt $IPTABLES -A $chain -j ACCEPT -m comment --comment "This is a comment" && COMMENTS=Yes
+
+    if [ -n "$MANGLE_ENABLED" ]; then
+	qt $IPTABLES -t mangle -N $chain
+
+	if qt $IPTABLES -t mangle -A $chain -j MARK --set-mark 1; then
+	    MARK=Yes
+	    qt $IPTABLES -t mangle -A $chain -j MARK --and-mark 0xFF && XMARK=Yes
+	fi
+
+	if qt $IPTABLES -t mangle -A $chain -j CONNMARK --save-mark; then
+	    CONNMARK=Yes
+	    qt $IPTABLES -t mangle -A $chain -j CONNMARK --save-mark --mask 0xFF && XCONNMARK=Yes
+	fi
+
+	qt $IPTABLES -t mangle -A $chain -j CLASSIFY --set-class 1:1 && CLASSIFY_TARGET=Yes
+	qt $IPTABLES -t mangle -A $chain -j IPMARK --addr src && IPMARK_TARGET=Yes
+	qt $IPTABLES -t mangle -F $chain
+	qt $IPTABLES -t mangle -X $chain
+	qt $IPTABLES -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes
+    fi
+
+    qt $IPTABLES -t raw	   -L -n && RAW_TABLE=Yes
+
+    if qt mywhich ipset; then
+	qt ipset -X $chain # Just in case something went wrong the last time
+
+	if qt ipset -N $chain iphash ; then
+	    if qt $IPTABLES -A $chain -m set --set $chain src -j ACCEPT; then
+		qt $IPTABLES -D $chain -m set --set $chain src -j ACCEPT
+		IPSET_MATCH=Yes
+	    fi
+	    qt ipset -X $chain
+	fi
+    fi
+
+    qt $IPTABLES -A $chain -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
+    qt $IPTABLES -A $chain -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes
+    qt $IPTABLES -A $chain -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes
+    qt $IPTABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
+    qt $IPTABLES -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
+    qt $IPTABLES -A $chain -m realm --realm 4 && REALM_MATCH=Yes
+    qt $IPTABLES -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes
+    qt $IPTABLES -A $chain -m connlimit --connlimit-above 8 -j DROP && CONNLIMIT_MATCH=Yes
+    qt $IPTABLES -A $chain -m time --timestart 23:00 -j DROP && TIME_MATCH=Yes
+    qt $IPTABLES -A $chain -g $chain1 && GOTO_TARGET=Yes
+    qt $IPTABLES -A $chain -j LOGMARK && LOGMARK_TARGET=Yes
+    qt $IPTABLES -A $chain -j LOG || LOG_TARGET=
+
+    qt $IPTABLES -F $chain
+    qt $IPTABLES -X $chain
+    qt $IPTABLES -F $chain1
+    qt $IPTABLES -X $chain1
+
+    CAPVERSION=$SHOREWALL_CAPVERSION
+}
+
+report_capabilities() {
+    report_capability() # $1 = Capability Description , $2 Capability Setting (if any)
+    {
+	local setting
+	setting=
+
+	[ "x$2" = "xYes" ] && setting="Available" || setting="Not available"
+
+	echo "  " $1: $setting
+    }
+
+    if [ $VERBOSE -gt 1 ]; then
+	echo "Shorewall has detected the following iptables/netfilter capabilities:"
+	report_capability "NAT" $NAT_ENABLED
+	report_capability "Packet Mangling" $MANGLE_ENABLED
+	report_capability "Multi-port Match" $MULTIPORT
+	[ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match" $XMULTIPORT
+	report_capability "Connection Tracking Match" $CONNTRACK_MATCH
+	if [ -n "$CONNTRACK_MATCH" ]; then
+	    report_capability "Extended Connection Tracking Match Support" $NEW_CONNTRACK_MATCH
+	    report_capability "Old Connection Tracking Match Syntax" $OLD_CONNTRACK_MATCH
+	fi
+	report_capability "Packet Type Match" $USEPKTTYPE
+	report_capability "Policy Match" $POLICY_MATCH
+	report_capability "Physdev Match" $PHYSDEV_MATCH
+	report_capability "Physdev-is-bridged Support" $PHYSDEV_BRIDGE
+	report_capability "Packet length Match" $LENGTH_MATCH
+	report_capability "IP range Match" $IPRANGE_MATCH
+	report_capability "Recent Match" $RECENT_MATCH
+	report_capability "Owner Match" $OWNER_MATCH
+	report_capability "Ipset Match" $IPSET_MATCH
+	report_capability "CONNMARK Target" $CONNMARK
+	[ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target" $XCONNMARK
+	report_capability "Connmark Match" $CONNMARK_MATCH
+	[ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match" $XCONNMARK_MATCH
+	report_capability "Raw Table" $RAW_TABLE
+	report_capability "IPP2P Match" $IPP2P_MATCH
+	[ -n "$IPP2P_MATCH" ] && report_capability "Old IPP2P Match Syntax" $OLD_IPP2P_MATCH
+	report_capability "CLASSIFY Target" $CLASSIFY_TARGET
+	report_capability "Extended REJECT" $ENHANCED_REJECT
+	report_capability "Repeat match" $KLUDGEFREE
+	report_capability "MARK Target" $MARK
+	[ -n "$MARK" ] && report_capability "Extended MARK Target" $XMARK
+	report_capability "Mangle FORWARD Chain" $MANGLE_FORWARD
+	report_capability "Comments" $COMMENTS
+	report_capability "Address Type Match" $ADDRTYPE
+	report_capability "TCPMSS Match" $TCPMSS_MATCH
+	report_capability "Hashlimit Match" $HASHLIMIT_MATCH
+	report_capability "NFQUEUE Target" $NFQUEUE_TARGET
+	report_capability "Realm Match" $REALM_MATCH
+	report_capability "Helper Match" $HELPER_MATCH
+	report_capability "Connlimit Match" $CONNLIMIT_MATCH
+	report_capability "Time Match" $TIME_MATCH
+	report_capability "Goto Support" $GOTO_TARGET
+	report_capability "LOGMARK Target" $LOGMARK_TARGET
+	report_capability "IPMARK Target" $IPMARK_TARGET
+	report_capability "LOG Target" $LOG_TARGET
+    fi
+
+    [ -n "$PKTTYPE" ] || USEPKTTYPE=
+
+}
+
+report_capabilities1() {
+    report_capability1() # $1 = Capability
+    {
+	eval echo $1=\$$1
+    }
+
+    echo "#"
+    echo "# Shorewall $VERSION detected the following iptables/netfilter capabilities - $(date)"
+    echo "#"
+    report_capability1 NAT_ENABLED
+    report_capability1 MANGLE_ENABLED
+    report_capability1 MULTIPORT
+    report_capability1 XMULTIPORT
+    report_capability1 CONNTRACK_MATCH
+    report_capability1 NEW_CONNTRACK_MATCH
+    report_capability1 OLD_CONNTRACK_MATCH
+    report_capability1 USEPKTTYPE
+    report_capability1 POLICY_MATCH
+    report_capability1 PHYSDEV_MATCH
+    report_capability1 PHYSDEV_BRIDGE
+    report_capability1 LENGTH_MATCH
+    report_capability1 IPRANGE_MATCH
+    report_capability1 RECENT_MATCH
+    report_capability1 OWNER_MATCH
+    report_capability1 IPSET_MATCH
+    report_capability1 CONNMARK
+    report_capability1 XCONNMARK
+    report_capability1 CONNMARK_MATCH
+    report_capability1 XCONNMARK_MATCH
+    report_capability1 RAW_TABLE
+    report_capability1 IPP2P_MATCH
+    report_capability1 OLD_IPP2P_MATCH
+    report_capability1 CLASSIFY_TARGET
+    report_capability1 ENHANCED_REJECT
+    report_capability1 KLUDGEFREE
+    report_capability1 MARK
+    report_capability1 XMARK
+    report_capability1 MANGLE_FORWARD
+    report_capability1 COMMENTS
+    report_capability1 ADDRTYPE
+    report_capability1 TCPMSS_MATCH
+    report_capability1 HASHLIMIT_MATCH
+    report_capability1 NFQUEUE_TARGET
+    report_capability1 REALM_MATCH
+    report_capability1 HELPER_MATCH
+    report_capability1 CONNLIMIT_MATCH
+    report_capability1 TIME_MATCH
+    report_capability1 GOTO_TARGET
+    report_capability1 LOGMARK_TARGET
+    report_capability1 IPMARK_TARGET
+    report_capability1 LOG_TARGET
+    
+    echo CAPVERSION=$SHOREWALL_CAPVERSION
+}
+
 # Function to truncate a string -- It uses 'cut -b -<n>'
 # rather than ${v:first:last} because light-weight shells like ash and
 # dash do not support that form of expansion.
 #
 
+truncate() # $1 = length
+{
+    cut -b -${1}
+}
+
+#
+# Determine how to do "echo -e"
+#
+
 find_echo() {
     local result
 

Shorewall/lib.cli

@@ -1,10 +1,10 @@
 #!/bin/sh
 #
-# Shorewall 4.4 -- /usr/share/shorewall/lib.cli.
+# Shorewall 4.2 -- /usr/share/shorewall/lib.cli.
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -34,7 +34,6 @@ fatal_error() # $@ = Message
     exit 2
 }
 
-#
 # Display a chain if it exists
 #
 
@@ -152,10 +151,10 @@ syslog_circular_buffer() {
 #
 packet_log() # $1 = number of messages
 {
-    if [ -n "$g_showmacs" -o $VERBOSITY -gt 2 ]; then
-	$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | head -n$1 | tac | sed 's/ kernel://; s/\[.*\] //' | sed s/" $host $LOGFORMAT"/" "/
+    if [ -n "$SHOWMACS" -o $VERBOSE -gt 2 ]; then
+	$LOGREAD | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | head -n$1 | tac | sed 's/ kernel://; s/\[.*\] //' | sed s/" $host $LOGFORMAT"/" "/
     else
-	$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' |  head -n$1 | tac | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/
+	$LOGREAD | grep 'IN=.* OUT=.*SRC=.*\..*DST=' |  head -n$1 | tac | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/
     fi
 }
 
@@ -178,13 +177,9 @@ show_tc() {
 	fi
     }
 
-    if [ $# -gt 0 ]; then
-	show_one_tc $1
-    else
-	ip -o link list | while read inx interface details; do
-	    show_one_tc ${interface%:}
-	done
-    fi
+    ip -o link list | while read inx interface details; do
+	show_one_tc ${interface%:}
+    done
 
 }
 
@@ -218,7 +213,7 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
 	   #		     an 'interesting' packet count changes
 {
 
-    host=$(echo $g_hostname | sed 's/\..*$//')
+    host=$(echo $HOSTNAME | sed 's/\..*$//')
     oldrejects=$($IPTABLES -L -v -n | grep 'LOG')
 
     if [ $1 -lt 0 ]; then
@@ -246,13 +241,13 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
 	if [ "$rejects" != "$oldrejects" ]; then
 	    oldrejects="$rejects"
 
-	    $g_ring_bell
+	    $RING_BELL
 
 	    packet_log 40
 
 	    if [ "$pause" = "Yes" ]; then
 		echo
-		echo $g_echo_n 'Enter any character to continue: '
+		echo $ECHO_N 'Enter any character to continue: '
 		read foo
 	    else
 		timed_read
@@ -268,70 +263,6 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
 #
 # Save currently running configuration
 #
-do_save() {
-    local status
-    status=0
-
-    if [ -f ${VARDIR}/firewall ]; then
-	if $iptables_save | iptablesbug > ${VARDIR}/restore-$$; then
-	    cp -f ${VARDIR}/firewall $g_restorepath
-	    mv -f ${VARDIR}/restore-$$ ${g_restorepath}-iptables
-	    chmod +x $g_restorepath
-	    echo "   Currently-running Configuration Saved to $g_restorepath"
-	    run_user_exit save
-	else
-	    rm -f ${VARDIR}/restore-$$
-	    echo "   ERROR: Currently-running Configuration Not Saved" >&2
-	    status=1
-	fi
-    else
-	echo "   ERROR: ${VARDIR}/firewall does not exist" >&2
-	status=1
-    fi
-
-    case ${SAVE_IPSETS:=No} in 
-	[Yy]es)
-	    case ${IPSET:=ipset} in
-		*/*)
-		    if [ ! -x "$IPSET" ]; then
-			error_message "ERROR: IPSET=$IPSET does not exist or is not executable - ipsets are not saved"
-			IPSET=
-		    fi
-		    ;;
-		*)
-		    IPSET="$(mywhich $IPSET)"
-		    [ -n "$IPSET" ] || error_message "ERROR: The ipset utility cannot be located - ipsets are not saved"
-		    ;;
-	    esac
-
-	    if [ -n "$IPSET" ]; then
-		if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then
-                    #
-                    # The 'grep -v' is a hack for a bug in ipset's nethash implementation when xtables-addons is applied to Lenny
-                    #
-		    hack='| grep -v /31'
-		else
-		    hack=
-		fi
-
-		if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then
-                    #
-                    # Don't save an 'empty' file
-                    #
-		    grep -q '^-N' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${g_restorepath}-ipsets
-		fi
-	    fi
-	    ;;
-	[Nn]o)
-	    ;;
-	*)
-	    error_message "WARNING: Invalid value ($SAVE_IPSETS) for SAVE_IPSETS"
-	    ;;
-    esac
-
-    return $status
-}
-
 save_config() {
 
     local result
@@ -344,8 +275,8 @@ save_config() {
     if shorewall_is_started ; then
 	[ -d ${VARDIR} ] || mkdir -p ${VARDIR}
 
-	if [ -f $g_restorepath -a ! -x $g_restorepath ]; then
-	    echo "   ERROR: $g_restorepath exists and is not a saved $g_product configuration" >&2
+	if [ -f $RESTOREPATH -a ! -x $RESTOREPATH ]; then
+	    echo "   ERROR: $RESTOREPATH exists and is not a saved $PRODUCT configuration" >&2
 	else
 	    case $RESTOREFILE in
 		capabilities|chains|default_route|firewall|firewall.conf|nat|proxyarp|restarted|rt_tables|save|state|undo_routing|zones)
@@ -354,15 +285,24 @@ save_config() {
 		*)
 		    validate_restorefile RESTOREFILE
 
-		    if chain_exists dynamic; then
-			if $IPTABLES -L dynamic -n > ${VARDIR}/save; then
-			    echo "   Dynamic Rules Saved"
-			    do_save
+		    if $IPTABLES -L dynamic -n > ${VARDIR}/save; then
+			echo "   Dynamic Rules Saved"
+			if [ -f ${VARDIR}/firewall ]; then
+			    if $iptables_save | iptablesbug > ${VARDIR}/restore-$$; then
+				cp -f ${VARDIR}/firewall $RESTOREPATH
+				mv -f ${VARDIR}/restore-$$ ${RESTOREPATH}-iptables
+				chmod +x $RESTOREPATH
+				echo "   Currently-running Configuration Saved to $RESTOREPATH"
+				run_user_exit save
+			    else
+			        rm -f ${VARDIR}/restore-$$
+				echo "   ERROR: Currently-running Configuration Not Saved" >&2
+			    fi
 			else
-		            echo "Error Saving the Dynamic Rules" >&2
+			    echo "   ERROR: ${VARDIR}/firewall does not exist" >&2
 			fi
 		    else
-			do_save && rm -f ${VARDIR}/save
+		        echo "Error Saving the Dynamic Rules" >&2
 		    fi
 		    ;;
 	    esac
@@ -441,7 +381,7 @@ show_command() {
 	    if [ ${#macro} -gt 10 ]; then
 		echo "   $macro  ${foo#\#}"
 	    else
-		$g_echo_e "   $macro  \t${foo#\#}"
+		$ECHO_E "   $macro  \t${foo#\#}"
 	    fi
 	fi
     }
@@ -459,19 +399,19 @@ show_command() {
 			    option=
 			    ;;
 			v*)
-			    VERBOSITY=$(($VERBOSITY + 1 ))
+			    VERBOSE=$(($VERBOSE + 1 ))
 			    option=${option#v}
 			    ;;
 			x*)
-			    g_ipt_options="-xnv"
+			    IPT_OPTIONS="-xnv"
 			    option=${option#x}
 			    ;;
 			m*)
-			    g_showmacs=Yes
+			    SHOWMACS=Yes
 			    option=${option#m}
 			    ;;
 			f*)
-			    g_filemode=Yes
+			    FILEMODE=Yes
 			    option=${option#f}
 			    ;;
 			t)
@@ -490,10 +430,6 @@ show_command() {
 			    option=
 			    shift
 			    ;;
-			l*)
-			    g_ipt_options1="--line-numbers"
-			    option=${option#l}
-			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -507,64 +443,59 @@ show_command() {
 	esac
     done
 
-    g_ipt_options="$g_ipt_options $g_ipt_options1"
-
-    [ -n "$g_debugging" ] && set -x
+    [ -n "$debugging" ] && set -x
     case "$1" in
 	connections)
 	    [ $# -gt 1 ] && usage 1
-	    local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
-	    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
-	    echo "$g_product $SHOREWALL_VERSION Connections ($count out of $max) at $g_hostname - $(date)"
+	    echo "$PRODUCT $version Connections at $HOSTNAME - $(date)"
 	    echo
 	    [ -f /proc/net/ip_conntrack ] && cat /proc/net/ip_conntrack || grep -v '^ipv6' /proc/net/nf_conntrack
 	    ;;
 	nat)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION NAT Table at $g_hostname - $(date)"
+	    echo "$PRODUCT $version NAT Table at $HOSTNAME - $(date)"
 	    echo
 	    show_reset
-	    $IPTABLES -t nat -L $g_ipt_options
+	    $IPTABLES -t nat -L $IPT_OPTIONS
 	    ;;
 	raw)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION RAW Table at $g_hostname - $(date)"
+	    echo "$PRODUCT $version RAW Table at $HOSTNAME - $(date)"
 	    echo
 	    show_reset
-	    $IPTABLES -t raw -L $g_ipt_options
+	    $IPTABLES -t raw -L $IPT_OPTIONS
 	    ;;
 	tos|mangle)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION Mangle Table at $g_hostname - $(date)"
+	    echo "$PRODUCT $version Mangle Table at $HOSTNAME - $(date)"
 	    echo
 	    show_reset
-	    $IPTABLES -t mangle -L $g_ipt_options
+	    $IPTABLES -t mangle -L $IPT_OPTIONS
 	    ;;
 	log)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION Log ($LOGFILE) at $g_hostname - $(date)"
+	    echo "$PRODUCT $version Log ($LOGFILE) at $HOSTNAME - $(date)"
 	    echo
 	    show_reset
-	    host=$(echo $g_hostname | sed 's/\..*$//')
+	    host=$(echo $HOSTNAME | sed 's/\..*$//')
 	    packet_log 20
 	    ;;
 	tc)
-	    [ $# -gt 2 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION Traffic Control at $g_hostname - $(date)"
+	    [ $# -gt 1 ] && usage 1
+	    echo "$PRODUCT $version Traffic Control at $HOSTNAME - $(date)"
 	    echo
-	    shift
-	    show_tc $1
+	    show_tc
 	    ;;
 	classifiers|filters)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION Classifiers at $g_hostname - $(date)"
+	    echo "$PRODUCT $version Classifiers at $HOSTNAME - $(date)"
 	    echo
 	    show_classifiers
 	    ;;
 	zones)
 	    [ $# -gt 1 ] && usage 1
 	    if [ -f ${VARDIR}/zones ]; then
-		echo "$g_product $SHOREWALL_VERSION Zones at $g_hostname - $(date)"
+		echo "$PRODUCT $version Zones at $HOSTNAME - $(date)"
 		echo
 		while read zone type hosts; do
 		    echo "$zone ($type)"
@@ -588,8 +519,8 @@ show_command() {
 	capabilities)
 	    [ $# -gt 1 ] && usage 1
 	    determine_capabilities
-	    VERBOSITY=2
-	    if [ -n "$g_filemode" ]; then
+	    VERBOSE=2
+	    if [ -n "$FILEMODE" ]; then
 		report_capabilities1
 	    else
 		report_capabilities
@@ -597,13 +528,13 @@ show_command() {
 	    ;;
 	ip)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION IP at $g_hostname - $(date)"
+	    echo "$PRODUCT $version IP at $HOSTNAME - $(date)"
 	    echo
 	    ip -4 addr list
 	    ;;
 	routing)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION Routing at $g_hostname - $(date)"
+	    echo "$PRODUCT $version Routing at $HOSTNAME - $(date)"
 	    echo
 	    show_routing
 	    ;;
@@ -614,29 +545,23 @@ show_command() {
 	    ;;
 	chain)
 	    shift
-	    echo "$g_product $SHOREWALL_VERSION $([ $# -gt 1 ] && echo "Chains " || [ $# -gt 0 ] && echo "Chain " || echo $table Table)$* at $g_hostname - $(date)"
+	    echo "$PRODUCT $version $([ $# -gt 1 ] && echo "Chains " || [ $# -gt 0 ] && echo "Chain " || echo $table Table)$* at $HOSTNAME - $(date)"
 	    echo
 	    show_reset
 	    if [ $# -gt 0 ]; then
 		for chain in $*; do
-		    $IPTABLES -t $table -L $chain $g_ipt_options
+		    $IPTABLES -t $table -L $chain $IPT_OPTIONS
 		    echo
 		done
 	    else
-		$IPTABLES -t $table -L $g_ipt_options
+		$IPTABLES -t $table -L $IPT_OPTIONS
 	    fi
 	    ;;
 	vardir)
 	    echo $VARDIR;
 	    ;;
-	policies)
-	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION Policies at $g_hostname - $(date)"
-	    echo
-	    [ -f ${VARDIR}/policies ] && cat ${VARDIR}/policies;
-	    ;;
 	*)
-	    if [ "$g_product" = Shorewall ]; then
+	    if [ "$PRODUCT" = Shorewall ]; then
 		case $1 in
 		    actions)
 			[ $# -gt 1 ] && usage 1
@@ -660,18 +585,6 @@ show_command() {
 			    grep -Ev '^\#|^$' ${SHAREDIR}/actions.std
 			fi
 
-			return
-			;;
-		    macro)
-			[ $# -ne 2 ] && usage 1
-			for directory in $(split $CONFIG_PATH); do
-			    if [ -f ${directory}/macro.$2 ]; then
-				echo "Shorewall $SHOREWALL_VERSION Macro $2 at $g_hostname - $(date)"
-				cat ${directory}/macro.$2
-				return
-			    fi
-			done
-			echo "   WARNING: Macro $2 not found" >&2
 			return
 			;;
 		    macros)
@@ -705,29 +618,29 @@ show_command() {
 		if [ $1 = dynamic -a $# -gt 1 ]; then
 		    shift
 		    [ $# -eq 1 ] || usage 1
-		    list_zone $1
+		    list_zone $2
 		    return;
                 fi
 
 		[ -n "$table_given" ] || for chain in $*; do
-		    if ! qt $IPTABLES -t $table -L $chain $g_ipt_options; then
-			error_message "ERROR: Chain '$chain' is not recognized by $IPTABLES."
+		    if ! qt $IPTABLES -t $table -L $chain $IPT_OPTIONS; then
+			echo "usage $(basename $0) show [ -x ] [ -m ] [-f] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]|actions|capabilities|classifiers|config|connections|dynamic <zone>|filters|ip|log|macros|mangle|nat|routing|tc|zones} ] " >&2
 			exit 1
 		    fi
 		done
 		
-		echo "$g_product $SHOREWALL_VERSION $([ $# -gt 1 ] && echo "Chains " || echo "Chain ")$* at $g_hostname - $(date)"
+		echo "$PRODUCT $version $([ $# -gt 1 ] && echo "Chains " || echo "Chain ")$* at $HOSTNAME - $(date)"
 		echo
 		show_reset
 		for chain in $*; do
-		    $IPTABLES -t $table -L $chain $g_ipt_options
+		    $IPTABLES -t $table -L $chain $IPT_OPTIONS
 		    echo
 		done
 	    else
-		echo "$g_product $SHOREWALL_VERSION $table Table at $g_hostname - $(date)"
+		echo "$PRODUCT $version $table Table at $HOSTNAME - $(date)"
 		echo
 		show_reset
-		$IPTABLES -t $table -L $g_ipt_options
+		$IPTABLES -t $table -L $IPT_OPTIONS
 	    fi
 	    ;;
     esac
@@ -753,17 +666,13 @@ dump_command() {
 			    option=
 			    ;;
 			x*)
-			    g_ipt_options="-xnv"
+			    IPT_OPTIONS="-xnv"
 			    option=${option#x}
 			    ;;
 			m*)
-			    g_showmacs=Yes
+			    SHOWMACS=Yes
 			    option=${option#m}
 			    ;;
-			l*)
-			    g_ipt_options1="--line-numbers"
-			    option=${option#l}
-			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -777,36 +686,31 @@ dump_command() {
 	esac
     done
 
-    g_ipt_options="$g_ipt_options $g_ipt_options1"
+    [ $VERBOSE -lt 2 ] && VERBOSE=2
 
-    [ $VERBOSITY -lt 2 ] && VERBOSITY=2
-
-    [ -n "$g_debugging" ] && set -x
+    [ -n "$debugging" ] && set -x
     [ $# -eq 0 ] || usage 1
     clear_term
-    echo "$g_product $SHOREWALL_VERSION Dump at $g_hostname - $(date)"
+    echo "$PRODUCT $version Dump at $HOSTNAME - $(date)"
     echo
     
     show_reset
-    host=$(echo $g_hostname | sed 's/\..*$//')
-    $IPTABLES -L $g_ipt_options
+    host=$(echo $HOSTNAME | sed 's/\..*$//')
+    $IPTABLES -L $IPT_OPTIONS
 
     heading "Log ($LOGFILE)"
     packet_log 20
 
     heading "NAT Table"
-    $IPTABLES -t nat -L $g_ipt_options
+    $IPTABLES -t nat -L $IPT_OPTIONS
 
     heading "Mangle Table"
-    $IPTABLES -t mangle -L $g_ipt_options
+    $IPTABLES -t mangle -L $IPT_OPTIONS
 
     heading "Raw Table"
-    $IPTABLES -t raw -L $g_ipt_options
+    $IPTABLES -t raw -L $IPT_OPTIONS
 
-    local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
-    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
-
-    heading "Conntrack Table ($count out of $max)"
+    heading "Conntrack Table"
     [ -f /proc/net/ip_conntrack ] && cat /proc/net/ip_conntrack || grep -v '^ipv6' /proc/net/nf_conntrack
 
     heading "IP Configuration"
@@ -883,7 +787,7 @@ restore_command() {
 			    option=
 			    ;;
 			n*)
-			    g_noroutes=Yes
+			    NOROUTES=Yes
 			    option=${option#n}
 			    ;;
 			*)
@@ -916,18 +820,20 @@ restore_command() {
 	exit 2
     fi
 
-    g_restorepath=${VARDIR}/$RESTOREFILE
+    RESTOREPATH=${VARDIR}/$RESTOREFILE
+
+    export NOROUTES
 
     [ -n "$nolock" ] || mutex_on
 
-    if [ -x $g_restorepath ]; then
+    if [ -x $RESTOREPATH ]; then
 	progress_message3 "Restoring Shorewall..."
 
-	run_it $g_restorepath restore && progress_message3 "$g_product restored from ${VARDIR}/$RESTOREFILE"
+	$SHOREWALL_SHELL $RESTOREPATH restore && progress_message3 "$PRODUCT restored from ${VARDIR}/$RESTOREFILE"
 
 	[ -n "$nolock" ] || mutex_off
     else
-	echo "File $g_restorepath: file not found"
+	echo "File $RESTOREPATH: file not found"
 	[ -n "$nolock" ] || mutex_off
 	exit 2
     fi
@@ -985,20 +891,20 @@ heading() {
 #
 make_verbose() {
     local v
-    v=$g_verbose_offset
+    v=$VERBOSE_OFFSET
     local option
     option=-
 
-    if [ -n "$g_use_verbosity" ]; then
-	echo "-v$g_use_verbosity"
-    elif [ $g_verbose_offset -gt 0 ]; then
+    if [ -n "$USE_VERBOSITY" ]; then
+	echo "-v$USE_VERBOSITY"
+    elif [ $VERBOSE_OFFSET -gt 0 ]; then
 	while [ $v -gt 0 ]; do
 	    option="${option}v"
 	    v=$(($v - 1))
 	done
 
 	echo $option
-    elif [ $g_verbose_offset -lt 0 ]; then
+    elif [ $VERBOSE_OFFSET -lt 0 ]; then
 	while [ $v -lt 0 ]; do
 	    option="${option}q"
 	    v=$(($v + 1))
@@ -1018,12 +924,6 @@ block() # $1 = command, $2 = Finished, $3 - $n addresses
     local finished
     finished=$2
 
-    if ! chain_exists dynamic; then
-	echo "Dynamic blacklisting is not enabled in the current $g_product configuration" >&2
-	[ -n "$nolock" ] || mutex_off
-	exit 2
-    fi
-
     shift 3
 
     while [ $# -gt 0 ]; do
@@ -1067,6 +967,12 @@ separate_list() {
 	    # There's been whining about us not catching embedded white space in
 	    # comma-separated lists. This is an attempt to snag some of the cases.
 	    #
+	    # The 'TERMINATOR' function will be set by the 'firewall' script to
+	    # either 'startup_error' or 'fatal_error' depending on the command and
+	    # command phase
+	    #
+            [ -n "$TERMINATOR" ] && \
+		$TERMINATOR "Invalid comma-separated list \"$@\""
             echo "WARNING -- invalid comma-separated list \"$@\"" >&2
 	    ;;
 	*\[*\]*)
@@ -1124,7 +1030,7 @@ add_command() {
     local interface host hostlist zone ipset
     if ! shorewall_is_started ; then
 	echo "Shorewall Not Started" >&2
-	exit 2
+	exit 2;
     fi
 
     case "$IPSET" in
@@ -1275,15 +1181,15 @@ hits_command() {
     [ $# -eq 0 ] || usage 1
 
     clear_term
-    echo "$g_product $SHOREWALL_VERSION Hits at $g_hostname - $(date)"
+    echo "$PRODUCT $version Hits at $HOSTNAME - $(date)"
     echo
 
     timeout=30
 
-    if $g_logread | grep -q "${today}IN=.* OUT=" ; then
+    if $LOGREAD | grep -q "${today}IN=.* OUT=" ; then
 	echo "   HITS IP	        DATE"
 	echo "   ---- --------------- ------"
-	$g_logread | grep "${today}IN=.* OUT=" | sed 's/\(.\{6\}\)\(.*SRC=\)\(.*\)\( DST=.*\)/\3	\1/' | sort | uniq -c | sort -rn | while read count address month day; do
+	$LOGREAD | grep "${today}IN=.* OUT=" | sed 's/\(.\{6\}\)\(.*SRC=\)\(.*\)\( DST=.*\)/\3	\1/' | sort | uniq -c | sort -rn | while read count address month day; do
 	    printf '%7d %-15s %3s %2d\n' $count $address $month $day
 	done
 
@@ -1291,7 +1197,7 @@ hits_command() {
 
 	echo "   HITS IP	        PORT"
 	echo "   ---- --------------- -----"
-	$g_logread | grep  "${today}IN=.* OUT=" | sed 's/\(.*SRC=\)\(.*\)\( DST=.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2	\4/
+	$LOGREAD | grep  "${today}IN=.* OUT=" | sed 's/\(.*SRC=\)\(.*\)\( DST=.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2	\4/
 						t
 						s/\(.*SRC=\)\(.*\)\( DST=.*\)/\2/' | sort | uniq -c | sort -rn | while read count address port; do
 	    printf '%7d %-15s %d\n' $count $address $port
@@ -1301,7 +1207,7 @@ hits_command() {
 
 	echo "   HITS DATE"
 	echo "   ---- ------"
-	$g_logread | grep  "${today}IN=.* OUT=" | sed 's/\(.\{6\}\)\(.*\)/\1/' | sort | uniq -c | sort -rn | while read count month day; do
+	$LOGREAD | grep  "${today}IN=.* OUT=" | sed 's/\(.\{6\}\)\(.*\)/\1/' | sort | uniq -c | sort -rn | while read count month day; do
 	    printf '%7d %3s %2d\n' $count $month $day
 	done
 
@@ -1309,7 +1215,7 @@ hits_command() {
 
 	echo "   HITS  PORT SERVICE(S)"
 	echo "   ---- ----- ----------"
-	$g_logread | grep "${today}IN=.* OUT=.*DPT" | sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' | sort | uniq -c | sort -rn | while read count port ; do
+	$LOGREAD | grep "${today}IN=.* OUT=.*DPT" | sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' | sort | uniq -c | sort -rn | while read count port ; do
 	    # List all services defined for the given port
 	    srv=$(grep "^[^#].*\\b$port/" /etc/services | cut -f 1 | cut -f 1 -d' ' | sort -u)
 	    srv=$(echo $srv | sed 's/ /,/g')
@@ -1327,14 +1233,9 @@ hits_command() {
 # 'allow' command executor
 #
 allow_command() {
-    [ -n "$g_debugging" ] && set -x
+    [ -n "$debugging" ] && set -x
     [ $# -eq 1 ] && usage 1
     if shorewall_is_started ; then
-	if ! chain_exists dynamic; then
-	    echo "Dynamic blacklisting is not enabled in the current $g_product configuration" >&2
-	    exit 2
-	fi
-
 	[ -n "$nolock" ] || mutex_on
 	while [ $# -gt 1 ]; do
 	    shift
@@ -1365,7 +1266,7 @@ allow_command() {
 	done
 	[ -n "$nolock" ] || mutex_off
     else
-	error_message "ERROR: $g_product is not started"
+	error_message "ERROR: $PRODUCT is not started"
 	exit 2
     fi
 }
@@ -1389,15 +1290,15 @@ logwatch_command() {
 		while [ -n "$option" ]; do
 		    case $option in
 			v*)
-			    VERBOSITY=$(($VERBOSITY + 1 ))
+			    VERBOSE=$(($VERBOSE + 1 ))
 			    option=${option#v}
 			    ;;
 			q*)
-			    VERBOSITY=$(($VERBOSITY - 1 ))
+			    VERBOSE=$(($VERBOSE - 1 ))
 			    option=${option#q}
 			    ;;
 			m*)
-			    g_showmacs=Yes
+			    SHOWMACS=Yes
 			    option=${option#m}
 			    ;;
 			-)
@@ -1417,7 +1318,7 @@ logwatch_command() {
 	esac
     done
     
-    [ -n "$g_debugging" ] && set -x
+    [ -n "$debugging" ] && set -x
 
     if [ $# -eq 1 ]; then
 	logwatch $1
@@ -1427,338 +1328,3 @@ logwatch_command() {
 	usage 1
     fi
 }
-
-#
-# Determine which optional facilities are supported by iptables/netfilter
-#
-determine_capabilities() {
-    [ -n "$IPTABLES" ] || IPTABLES=$(mywhich iptables)
-
-    if [ -z "$IPTABLES" ]; then
-	echo "   ERROR: No executable iptables binary can be found on your PATH" >&2
-	exit 1
-    fi
-
-    [ "$TC" = tc -o -z "$TC" ] && TC=$(which tc)
-
-    [ -n "$TC" -a -x "$TC" ] || TC=
-
-    qt $IPTABLES -t nat    -L -n && NAT_ENABLED=Yes    || NAT_ENABLED=
-    qt $IPTABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
-
-    CONNTRACK_MATCH=
-    NEW_CONNTRACK_MATCH=
-    OLD_CONNTRACK_MATCH=
-    MULTIPORT=
-    XMULTIPORT=
-    POLICY_MATCH=
-    PHYSDEV_MATCH=
-    PHYSDEV_BRIDGE=
-    IPRANGE_MATCH=
-    RECENT_MATCH=
-    OWNER_MATCH=
-    IPSET_MATCH=
-    CONNMARK=
-    XCONNMARK=
-    CONNMARK_MATCH=
-    XCONNMARK_MATCH=
-    RAW_TABLE=
-    IPP2P_MATCH=
-    OLD_IPP2P_MATCH=
-    LENGTH_MATCH=
-    CLASSIFY_TARGET=
-    ENHANCED_REJECT=
-    USEPKTTYPE=
-    KLUDGEFREE=
-    MARK=
-    XMARK=
-    EXMARK=
-    TPROXY_TARGET=
-    MANGLE_FORWARD=
-    COMMENTS=
-    ADDRTYPE=
-    TCPMSS_MATCH=
-    HASHLIMIT_MATCH=
-    NFQUEUE_TARGET=
-    REALM_MATCH=
-    HELPER_MATCH=
-    CONNLIMIT_MATCH=
-    TIME_MATCH=
-    GOTO_TARGET=
-    LOGMARK_TARGET=
-    IPMARK_TARGET=
-    LOG_TARGET=Yes
-    PERSISTENT_SNAT=
-    FLOW_FILTER=
-
-    chain=fooX$$
-
-    if [ -n "$NAT_ENABLED" ]; then
-	if qt $IPTABLES -t nat -N $chain; then
-	    qt $IPTABLES -t nat -A $chain -j SNAT --to-source 1.2.3.4 --persistent && PERSISTENT_SNAT=Yes
-	    qt $IPTABLES -t nat -F $chain
-	    qt $IPTABLES -t nat -X $chain
-	fi
-    fi
-
-    qt $IPTABLES -F $chain
-    qt $IPTABLES -X $chain
-    if ! $IPTABLES -N $chain; then
-	echo "   ERROR: The command \"$IPTABLES -N $chain\" failed" >&2
-	exit 1
-    fi
-
-    chain1=${chain}1
-
-    qt $IPTABLES -F $chain1
-    qt $IPTABLES -X $chain1
-    if ! $IPTABLES -N $chain1; then
-	echo "   ERROR: The command \"$IPTABLES -N $chain1\" failed" >&2
-	exit 1
-    fi
-
-    if ! qt $IPTABLES -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT; then
-	echo "   ERROR: Your kernel lacks connection tracking and/or state matching -- Shorewall will not run on this system" >&2
-	exit 1
-    fi
-
-    qt $IPTABLES -A $chain -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
-
-    if [ -n "$CONNTRACK_MATCH" ]; then
-	qt $IPTABLES -A $chain -m conntrack -p tcp --ctorigdstport 22 -j ACCEPT && NEW_CONNTRACK_MATCH=Yes
-	qt $IPTABLES -A $chain -m conntrack ! --ctorigdst 1.2.3.4 || OLD_CONNTRACK_MATCH=Yes
-    fi
-
-    if qt $IPTABLES -A $chain -p tcp -m multiport --dports 21,22 -j ACCEPT; then
-	MULTIPORT=Yes
-	qt $IPTABLES -A $chain -p tcp -m multiport --sports 60 -m multiport --dports 99 -j ACCEPT && KLUDEFREE=Yes
-    fi
-
-    qt $IPTABLES -A $chain -p tcp -m multiport --dports 21:22 -j ACCEPT           && XMULTIPORT=Yes
-    qt $IPTABLES -A $chain -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT && POLICY_MATCH=Yes
-
-    if qt $IPTABLES -A $chain -m physdev --physdev-out eth0 -j ACCEPT; then
-	PHYSDEV_MATCH=Yes
-	qt $IPTABLES -A $chain -m physdev --physdev-is-bridged --physdev-in eth0 --physdev-out eth0 -j ACCEPT && PHYSDEV_BRIDGE=Yes
-	if [ -z "${KLUDGEFREE}" ]; then
-	    qt $IPTABLES -A $chain -m physdev --physdev-in eth0 -m physdev --physdev-out eth0 -j ACCEPT && KLUDGEFREE=Yes
-	fi
-    fi
-
-    if qt $IPTABLES -A $chain -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT; then
-	IPRANGE_MATCH=Yes
-	if [ -z "${KLUDGEFREE}" ]; then
-	    qt $IPTABLES -A $chain -m iprange --src-range 192.168.1.5-192.168.1.124 -m iprange --dst-range 192.168.1.5-192.168.1.124 -j ACCEPT && KLUDGEFREE=Yes
-	fi
-    fi
-
-    qt $IPTABLES -A $chain -m recent --update -j ACCEPT     && RECENT_MATCH=Yes
-    qt $IPTABLES -A $chain -m owner --uid-owner 0 -j ACCEPT && OWNER_MATCH=Yes
-
-    if qt $IPTABLES -A $chain -m connmark --mark 2  -j ACCEPT; then
-	CONNMARK_MATCH=Yes
-	qt $IPTABLES -A $chain -m connmark --mark 2/0xFF -j ACCEPT && XCONNMARK_MATCH=Yes
-    fi
-
-    qt $IPTABLES -A $chain -p tcp -m ipp2p --edk -j ACCEPT       && IPP2P_MATCH=Yes
-    if [ -n "$IPP2P_MATCH" ]; then
-	qt $IPTABLES -A $chain -p tcp -m ipp2p --ipp2p -j ACCEPT && OLD_IPP2P_MATCH=Yes
-    fi
-
-    qt $IPTABLES -A $chain -m length --length 10:20 -j ACCEPT           && LENGTH_MATCH=Yes
-    qt $IPTABLES -A $chain -j REJECT --reject-with icmp-host-prohibited && ENHANCED_REJECT=Yes
-
-    qt $IPTABLES -A $chain -j ACCEPT -m comment --comment "This is a comment" && COMMENTS=Yes
-
-    if [ -n "$MANGLE_ENABLED" ]; then
-	qt $IPTABLES -t mangle -N $chain
-
-	if qt $IPTABLES -t mangle -A $chain -j MARK --set-mark 1; then
-	    MARK=Yes
-	    qt $IPTABLES -t mangle -A $chain -j MARK --and-mark 0xFF && XMARK=Yes
-	    qt $IPTABLES -t mangle -A $chain -j MARK --set-mark 1/0xFF && EXMARK=Yes
-	fi
-
-	if qt $IPTABLES -t mangle -A $chain -j CONNMARK --save-mark; then
-	    CONNMARK=Yes
-	    qt $IPTABLES -t mangle -A $chain -j CONNMARK --save-mark --mask 0xFF && XCONNMARK=Yes
-	fi
-
-	qt $IPTABLES -t mangle -A $chain -j CLASSIFY --set-class 1:1 && CLASSIFY_TARGET=Yes
-	qt $IPTABLES -t mangle -A $chain -j IPMARK --addr src && IPMARK_TARGET=Yes
-	qt $IPTABLES -t mangle -A $chain -p tcp -j TPROXY --on-port 0 --tproxy-mark 1 && TPROXY_TARGET=Yes
-	qt $IPTABLES -t mangle -F $chain
-	qt $IPTABLES -t mangle -X $chain
-	qt $IPTABLES -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes
-    fi
-
-    qt $IPTABLES -t raw	   -L -n && RAW_TABLE=Yes
-
-    if qt mywhich ipset; then
-	qt ipset -X $chain # Just in case something went wrong the last time
-
-	if qt ipset -N $chain iphash ; then
-	    if qt $IPTABLES -A $chain -m set --set $chain src -j ACCEPT; then
-		qt $IPTABLES -D $chain -m set --set $chain src -j ACCEPT
-		IPSET_MATCH=Yes
-	    fi
-	    qt ipset -X $chain
-	fi
-    fi
-
-    qt $IPTABLES -A $chain -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
-    qt $IPTABLES -A $chain -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes
-    qt $IPTABLES -A $chain -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes
-    qt $IPTABLES -A $chain -m hashlimit --hashlimit-upto 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
-    if [ -z "$HASHLIMIT_MATCH" ]; then
-	qt $IPTABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && OLD_HL_MATCH=Yes
-	HASHLIMIT_MATCH=$OLD_HL_MATCH
-    fi	
-    qt $IPTABLES -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
-    qt $IPTABLES -A $chain -m realm --realm 4 && REALM_MATCH=Yes
-    qt $IPTABLES -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes
-    qt $IPTABLES -A $chain -m connlimit --connlimit-above 8 -j DROP && CONNLIMIT_MATCH=Yes
-    qt $IPTABLES -A $chain -m time --timestart 23:00 -j DROP && TIME_MATCH=Yes
-    qt $IPTABLES -A $chain -g $chain1 && GOTO_TARGET=Yes
-    qt $IPTABLES -A $chain -j LOGMARK && LOGMARK_TARGET=Yes
-    qt $IPTABLES -A $chain -j LOG || LOG_TARGET=
-
-    qt $IPTABLES -F $chain
-    qt $IPTABLES -X $chain
-    qt $IPTABLES -F $chain1
-    qt $IPTABLES -X $chain1
-
-    [ -n "$TC" ] && $TC filter add flow help 2>&1 | grep -q ^Usage && FLOW_FILTER=Yes
-
-    CAPVERSION=$SHOREWALL_CAPVERSION
-    KERNELVERSION=$(printf "%d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
-}
-
-report_capabilities() {
-    report_capability() # $1 = Capability Description , $2 Capability Setting (if any)
-    {
-	local setting
-	setting=
-
-	[ "x$2" = "xYes" ] && setting="Available" || setting="Not available"
-
-	echo "  " $1: $setting
-    }
-
-    if [ $VERBOSITY -gt 1 ]; then
-	echo "Shorewall has detected the following iptables/netfilter capabilities:"
-	report_capability "NAT" $NAT_ENABLED
-	report_capability "Packet Mangling" $MANGLE_ENABLED
-	report_capability "Multi-port Match" $MULTIPORT
-	[ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match" $XMULTIPORT
-	report_capability "Connection Tracking Match" $CONNTRACK_MATCH
-	if [ -n "$CONNTRACK_MATCH" ]; then
-	    report_capability "Extended Connection Tracking Match Support" $NEW_CONNTRACK_MATCH
-	    [ -n "$OLD_CONNTRACK_MATCH" ] && report_capability "Old Connection Tracking Match Syntax" $OLD_CONNTRACK_MATCH
-	fi
-	report_capability "Packet Type Match" $USEPKTTYPE
-	report_capability "Policy Match" $POLICY_MATCH
-	report_capability "Physdev Match" $PHYSDEV_MATCH
-	report_capability "Physdev-is-bridged Support" $PHYSDEV_BRIDGE
-	report_capability "Packet length Match" $LENGTH_MATCH
-	report_capability "IP range Match" $IPRANGE_MATCH
-	report_capability "Recent Match" $RECENT_MATCH
-	report_capability "Owner Match" $OWNER_MATCH
-	report_capability "Ipset Match" $IPSET_MATCH
-	report_capability "CONNMARK Target" $CONNMARK
-	[ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target" $XCONNMARK
-	report_capability "Connmark Match" $CONNMARK_MATCH
-	[ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match" $XCONNMARK_MATCH
-	report_capability "Raw Table" $RAW_TABLE
-	report_capability "IPP2P Match" $IPP2P_MATCH
-	[ -n "$OLD_IPP2P_MATCH" ] && report_capability "Old IPP2P Match Syntax" $OLD_IPP2P_MATCH
-	report_capability "CLASSIFY Target" $CLASSIFY_TARGET
-	report_capability "Extended REJECT" $ENHANCED_REJECT
-	report_capability "Repeat match" $KLUDGEFREE
-	report_capability "MARK Target" $MARK
-	[ -n "$MARK" ] && report_capability "Extended MARK Target" $XMARK
-	[ -n "$XMARK" ] && report_capability "Extended MARK Target 2" $EXMARK
-	report_capability "Mangle FORWARD Chain" $MANGLE_FORWARD
-	report_capability "Comments" $COMMENTS
-	report_capability "Address Type Match" $ADDRTYPE
-	report_capability "TCPMSS Match" $TCPMSS_MATCH
-	report_capability "Hashlimit Match" $HASHLIMIT_MATCH
-	[ -n "$OLD_HL_MATCH" ] && report_capability "Old Hashlimit Match" $OLD_HL_MATCH
-	report_capability "NFQUEUE Target" $NFQUEUE_TARGET
-	report_capability "Realm Match" $REALM_MATCH
-	report_capability "Helper Match" $HELPER_MATCH
-	report_capability "Connlimit Match" $CONNLIMIT_MATCH
-	report_capability "Time Match" $TIME_MATCH
-	report_capability "Goto Support" $GOTO_TARGET
-	report_capability "LOGMARK Target" $LOGMARK_TARGET
-	report_capability "IPMARK Target" $IPMARK_TARGET
-	report_capability "LOG Target" $LOG_TARGET
-	report_capability "Persistent SNAT" $PERSISTENT_SNAT
-	report_capability "TPROXY Target" $TPROXY_TARGET
-	report_capability "FLOW Classifier" $FLOW_FILTER
-    fi
-
-    [ -n "$PKTTYPE" ] || USEPKTTYPE=
-
-}
-
-report_capabilities1() {
-    report_capability1() # $1 = Capability
-    {
-	eval echo $1=\$$1
-    }
-
-    echo "#"
-    echo "# Shorewall $SHOREWALL_VERSION detected the following iptables/netfilter capabilities - $(date)"
-    echo "#"
-    report_capability1 NAT_ENABLED
-    report_capability1 MANGLE_ENABLED
-    report_capability1 MULTIPORT
-    report_capability1 XMULTIPORT
-    report_capability1 CONNTRACK_MATCH
-    report_capability1 NEW_CONNTRACK_MATCH
-    report_capability1 OLD_CONNTRACK_MATCH
-    report_capability1 USEPKTTYPE
-    report_capability1 POLICY_MATCH
-    report_capability1 PHYSDEV_MATCH
-    report_capability1 PHYSDEV_BRIDGE
-    report_capability1 LENGTH_MATCH
-    report_capability1 IPRANGE_MATCH
-    report_capability1 RECENT_MATCH
-    report_capability1 OWNER_MATCH
-    report_capability1 IPSET_MATCH
-    report_capability1 CONNMARK
-    report_capability1 XCONNMARK
-    report_capability1 CONNMARK_MATCH
-    report_capability1 XCONNMARK_MATCH
-    report_capability1 RAW_TABLE
-    report_capability1 IPP2P_MATCH
-    report_capability1 OLD_IPP2P_MATCH
-    report_capability1 CLASSIFY_TARGET
-    report_capability1 ENHANCED_REJECT
-    report_capability1 KLUDGEFREE
-    report_capability1 MARK
-    report_capability1 XMARK
-    report_capability1 EXMARK
-    report_capability1 MANGLE_FORWARD
-    report_capability1 COMMENTS
-    report_capability1 ADDRTYPE
-    report_capability1 TCPMSS_MATCH
-    report_capability1 HASHLIMIT_MATCH
-    report_capability1 OLD_HL_MATCH
-    report_capability1 NFQUEUE_TARGET
-    report_capability1 REALM_MATCH
-    report_capability1 HELPER_MATCH
-    report_capability1 CONNLIMIT_MATCH
-    report_capability1 TIME_MATCH
-    report_capability1 GOTO_TARGET
-    report_capability1 LOGMARK_TARGET
-    report_capability1 IPMARK_TARGET
-    report_capability1 LOG_TARGET
-    report_capability1 PERSISTENT_SNAT
-    report_capability1 TPROXY_TARGET
-    report_capability1 FLOW_FILTER
-    
-    echo CAPVERSION=$SHOREWALL_CAPVERSION
-    echo KERNELVERSION=$KERNELVERSION
-}

Shorewall/lib.common

@@ -1,533 +0,0 @@
-#!/bin/sh
-#
-# Shorewall 4.4 -- /usr/share/shorewall/lib.common.
-#
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2010 - Tom Eastep (teastep@shorewall.net)
-#
-#	Complete documentation is available at http://shorewall.net
-#
-#	This program is free software; you can redistribute it and/or modify
-#	it under the terms of Version 2 of the GNU General Public License
-#	as published by the Free Software Foundation.
-#
-#	This program is distributed in the hope that it will be useful,
-#	but WITHOUT ANY WARRANTY; without even the implied warranty of
-#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#	GNU General Public License for more details.
-#
-#	You should have received a copy of the GNU General Public License
-#	along with this program; if not, write to the Free Software
-#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# The purpose of is library is to hold those functions used by both the CLI and by the
-# generated firewall scripts. To avoid versioning issues, it is copied into generated
-# scripts rather than loaded at run-time.
-#
-
-#
-# Get the Shorewall version of the passed script
-#
-get_script_version() { # $1 = script
-    local temp
-    local version
-    local ifs
-    local digits
-
-    temp=$( $SHOREWALL_SHELL $1 version | sed 's/-.*//' )
-
-    if [ $? -ne 0 ]; then
-	version=0
-    else
-	ifs=$IFS
-	IFS=.
-	temp=$(echo $temp)
-	IFS=$ifs
-	digits=0
-	
-	for temp in $temp; do
-	    version=${version}$(printf '%02d' $temp)
-	    digits=$(($digits + 1))
-	    [ $digits -eq 3 ] && break
-	done
-    fi
-    
-    echo $version
-}
-  
-#
-# Do required exports or create the required option string and run the passed script using
-# $SHOREWALL_SHELL
-#
-run_it() {
-    local script
-    local options
-    local version
-
-    export VARDIR
-	
-    script=$1
-    shift
-
-    version=$(get_script_version $script)
-
-    if [ $version -lt 040408 ]; then
-	#
-	# Old script that doesn't understand 4.4.8 script options
-	#
-	export RESTOREFILE
-	export VERBOSITY
-	export NOROUTES=$g_noroutes
-	export PURGE=$g_purge
-	export TIMESTAMP=$g_timestamp
-	export RECOVERING=$g_recovering
- 
-	if [ "$g_product" != Shorewall ]; then
-	    #
-	    # Shorewall Lite
-	    #
-	    export LOGFORMAT
-	    export IPTABLES
-	fi
-    else
-	#
-	# 4.4.8 or later -- no additional exports required
-	#
-	options='-'
-
-	[ -n "$g_noroutes" ]   && options=${options}n
-	[ -n "$g_timestamp" ]  && options=${options}t
-	[ -n "$g_purge" ]      && options=${options}p
-	[ -n "$g_recovering" ] && options=${options}r
-
-	options="${options}V $VERBOSITY"
-
-	[ -n "$RESTOREFILE" ] && options="${options} -R $RESTOREFILE"
-    fi
-	
-    $SHOREWALL_SHELL $script $options $@
-}
-
-#
-# Message to stderr
-#
-error_message() # $* = Error Message
-{
-   echo "   $@" >&2
-}
-
-#
-# Split a colon-separated list into a space-separated list
-#
-split() {
-    local ifs
-    ifs=$IFS
-    IFS=:
-    echo $*
-    IFS=$ifs
-}
-
-#
-# Search a list looking for a match -- returns zero if a match found
-# 1 otherwise
-#
-list_search() # $1 = element to search for , $2-$n = list
-{
-    local e
-    e=$1
-
-    while [ $# -gt 1 ]; do
-	shift
-	[ "x$e" = "x$1" ] && return 0
-    done
-
-    return 1
-}
-
-#
-# Suppress all output for a command
-#
-qt()
-{
-    "$@" >/dev/null 2>&1
-}
-
-#
-# Determine if Shorewall is "running"
-#
-shorewall_is_started() {
-    qt $IPTABLES -L shorewall -n
-}
-
-#
-# Echos the fully-qualified name of the calling shell program
-#
-my_pathname() {
-    cd $(dirname $0)
-    echo $PWD/$(basename $0)
-}
-
-#
-# Source a user exit file if it exists
-#
-run_user_exit() # $1 = file name
-{
-    local user_exit
-    user_exit=$(find_file $1)
-
-    if [ -f $user_exit ]; then
-	progress_message "Processing $user_exit ..."
-	. $user_exit
-    fi
-}
-
-#
-# Load a Kernel Module -- assumes that the variable 'moduledirectories' contains
-#                         a space-separated list of directories to search for
-#                         the module and that 'moduleloader' contains the
-#                         module loader command.
-#
-loadmodule() # $1 = module name, $2 - * arguments
-{
-    local modulename
-    modulename=$1
-    local modulefile
-    local suffix
-
-    if ! list_search $modulename $DONT_LOAD $MODULES; then
-	shift
-
-	for suffix in $MODULE_SUFFIX ; do
-	    for directory in $moduledirectories; do
-		modulefile=$directory/${modulename}.${suffix}
-
-		if [ -f $modulefile ]; then
-		    case $moduleloader in
-			insmod)
-			    insmod $modulefile $*
-			    ;;
-			*)
-			    modprobe $modulename $*
-			    ;;
-		    esac
-		    break 2
-		fi
-	    done
-	done
-    fi
-}
-
-#
-# Reload the Modules
-#
-reload_kernel_modules() {
-
-    local save_modules_dir
-    save_modules_dir=$MODULESDIR
-    local directory
-    local moduledirectories
-    moduledirectories=
-    local moduleloader
-    moduleloader=modprobe
-    local uname
-
-    if ! qt mywhich modprobe; then
-	moduleloader=insmod
-    fi
-
-    [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
-
-    [ -z "$MODULESDIR" ] && \
-	uname=$(uname -r) && \
-	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
-
-    MODULES=$(lsmod | cut -d ' ' -f1)
-
-    for directory in $(split $MODULESDIR); do
-	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
-    done
-
-    [ -n "$moduledirectories" ] && while read command; do
-	eval $command
-    done
-
-    MODULESDIR=$save_modules_dir
-}
-
-#
-# Load kernel modules required for Shorewall
-#
-load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
-{
-    local save_modules_dir
-    save_modules_dir=$MODULESDIR
-    local directory
-    local moduledirectories
-    moduledirectories=
-    local moduleloader
-    moduleloader=modprobe
-    local savemoduleinfo
-    savemoduleinfo=${1:-Yes} # So old compiled scripts still work
-    local uname
-
-    if ! qt mywhich modprobe; then
-	moduleloader=insmod
-    fi
-
-    [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
-
-    [ -z "$MODULESDIR" ] && \
-	uname=$(uname -r) && \
-	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
-
-    for directory in $(split $MODULESDIR); do
-	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
-    done
-
-    [ -n "$LOAD_HELPERS_ONLY" ] && modules=$(find_file helpers) || modules=$(find_file modules)
-
-    if [ -f $modules -a -n "$moduledirectories" ]; then
-	MODULES=$(lsmod | cut -d ' ' -f1)
-	progress_message "Loading Modules..."
-	. $modules
-	if [ $savemoduleinfo = Yes ]; then
-	    [ -d ${VARDIR} ] || mkdir -p ${VARDIR}
-	    echo MODULESDIR="$MODULESDIR" > ${VARDIR}/.modulesdir
-	    cp -f $modules ${VARDIR}/.modules
-	fi
-    elif [ $savemoduleinfo = Yes ]; then
-	[ -d ${VARDIR} ] || mkdir -p ${VARDIR}
-	> ${VARDIR}/.modulesdir
-	> ${VARDIR}/.modules
-    fi
-
-    MODULESDIR=$save_modules_dir
-}
-
-#
-#  Note: The following set of IP address manipulation functions have anomalous
-#        behavior when the shell only supports 32-bit signed arithmetic and
-#        the IP address is 128.0.0.0 or 128.0.0.1.
-#
-
-LEFTSHIFT='<<'
-
-#
-# Convert an IP address in dot quad format to an integer
-#
-decodeaddr() {
-    local x
-    local temp
-    temp=0
-    local ifs
-    ifs=$IFS
-
-    IFS=.
-
-    for x in $1; do
-	temp=$(( $(( $temp $LEFTSHIFT 8 )) | $x ))
-    done
-
-    echo $temp
-
-    IFS=$ifs
-}
-
-#
-# convert an integer to dot quad format
-#
-encodeaddr() {
-    addr=$1
-    local x
-    local y
-    y=$(($addr & 255))
-
-    for x in 1 2 3 ; do
-	addr=$(($addr >> 8))
-	y=$(($addr & 255)).$y
-    done
-
-    echo $y
-}
-
-#
-# Netmask from CIDR
-#
-ip_netmask() {
-    local vlsm
-    vlsm=${1#*/}
-
-    [ $vlsm -eq 0 ] && echo 0 || echo $(( -1 $LEFTSHIFT $(( 32 - $vlsm )) ))
-}
-
-#
-# Network address from CIDR
-#
-ip_network() {
-    local decodedaddr
-    decodedaddr=$(decodeaddr ${1%/*})
-    local netmask
-    netmask=$(ip_netmask $1)
-
-    echo $(encodeaddr $(($decodedaddr & $netmask)))
-}
-
-#
-# The following hack is supplied to compensate for the fact that many of
-# the popular light-weight Bourne shell derivatives don't support XOR ("^").
-#
-ip_broadcast() {
-    local x
-    x=$(( 32 - ${1#*/} ))
-
-    [ $x -eq 32 ] && echo -1 || echo $(( $(( 1 $LEFTSHIFT $x )) - 1 ))
-}
-
-#
-# Calculate broadcast address from CIDR
-#
-broadcastaddress() {
-    local decodedaddr
-    decodedaddr=$(decodeaddr ${1%/*})
-    local netmask
-    netmask=$(ip_netmask $1)
-    local broadcast
-    broadcast=$(ip_broadcast $1)
-
-    echo $(encodeaddr $(( $(($decodedaddr & $netmask)) | $broadcast )))
-}
-
-#
-# Test for network membership
-#
-in_network() # $1 = IP address, $2 = CIDR network
-{
-    local netmask
-    netmask=$(ip_netmask $2)
-    #
-    # Use string comparison to work around a broken BusyBox ash in OpenWRT
-    #
-    test $(( $(decodeaddr $1) & $netmask)) = $(( $(decodeaddr ${2%/*}) & $netmask ))
-}
-
-#
-# Find interface address--returns the first IP address assigned to the passed
-# device
-#
-find_first_interface_address() # $1 = interface
-{
-    #
-    # get the line of output containing the first IP address
-    #
-    addr=$($IP -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
-    #
-    # If there wasn't one, bail out now
-    #
-    [ -n "$addr" ] || startup_error "Can't determine the IP address of $1"
-    #
-    # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
-    # along with everything else on the line
-    #
-    echo $addr | sed 's/\s*inet //;s/\/.*//;s/ peer.*//'
-}
-
-find_first_interface_address_if_any() # $1 = interface
-{
-    #
-    # get the line of output containing the first IP address
-    #
-    addr=$($IP -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
-    #
-    # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
-    # along with everything else on the line
-    #
-    [ -n "$addr" ] && echo $addr | sed 's/\s*inet //;s/\/.*//;s/ peer.*//' || echo 0.0.0.0
-}
-
-#
-# Internal version of 'which'
-#
-mywhich() {
-    local dir
-
-    for dir in $(split $PATH); do
-	if [ -x $dir/$1 ]; then
-	    echo $dir/$1
-	    return 0
-	fi
-    done
-
-    return 2
-}
-
-#
-# Query NetFilter about the existence of a filter chain
-#
-chain_exists() # $1 = chain name
-{
-    qt1 $IPTABLES -L $1 -n
-}
-
-#
-# Find a File -- For relative file name, look in each ${CONFIG_PATH} then ${CONFDIR}
-#
-find_file()
-{
-    local saveifs
-    saveifs=
-    local directory
-
-    case $1 in
-	/*)
-	    echo $1
-	    ;;
-	*)
-	    for directory in $(split $CONFIG_PATH); do
-		if [ -f $directory/$1 ]; then
-		    echo $directory/$1
-		    return
-		fi
-	    done
-
-	    echo ${CONFDIR}/$1
-	    ;;
-    esac
-}
-
-#
-# Set the Shorewall state
-#
-set_state () # $1 = state
-{
-    echo "$1 ($(date))" > ${VARDIR}/state
-}
-
-#
-# Perform variable substitution on the passed argument and echo the result
-#
-expand() # $@ = contents of variable which may be the name of another variable
-{
-    eval echo \"$@\"
-}
-
-#
-# Function for including one file into another
-#
-INCLUDE() {
-    . $(find_file $(expand $@))
-}
-
-# Function to truncate a string -- It uses 'cut -b -<n>'
-# rather than ${v:first:last} because light-weight shells like ash and
-# dash do not support that form of expansion.
-#
-
-truncate() # $1 = length
-{
-    cut -b -${1}
-}
-
-#################################################################################
-# End of lib.common
-#################################################################################

Shorewall/logrotate

@@ -1,5 +0,0 @@
-/var/log/shorewall-init.log {
-  missingok
-  notifempty
-  create 0600 root root
-}

Shorewall/modules

@@ -54,8 +54,6 @@ loadmodule xt_owner
 loadmodule xt_physdev
 loadmodule xt_pkttype
 loadmodule xt_tcpmss
-loadmodule xt_IPMARK
-loadmodule xt_TPROXY
 #
 # Helpers
 #

Shorewall/shorewall.spec

@@ -1,6 +1,6 @@
 %define name shorewall
-%define version 4.4.8
-%define release 0Beta2
+%define version 4.4.0
+%define release 1
 
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -77,8 +77,6 @@ fi
 %attr(0644,root,root) %config(noreplace) /etc/shorewall/*
 %attr(0600,root,root) /etc/shorewall/Makefile
 
-%attr(0644,root,root) /etc/logrotate.d/shorewall
-
 %attr(0755,root,root) /sbin/shorewall
 
 %attr(0644,root,root) /usr/share/shorewall/version
@@ -89,10 +87,8 @@ fi
 %attr(-   ,root,root) /usr/share/shorewall/functions
 %attr(0644,root,root) /usr/share/shorewall/lib.base
 %attr(0644,root,root) /usr/share/shorewall/lib.cli
-%attr(0644,root,root) /usr/share/shorewall/lib.common
 %attr(0644,root,root) /usr/share/shorewall/macro.*
 %attr(0644,root,root) /usr/share/shorewall/modules
-%attr(0644,root,root) /usr/share/shorewall/helpers
 %attr(0644,root,root) /usr/share/shorewall/configpath
 %attr(0755,root,root) /usr/share/shorewall/wait4ifup
 
@@ -108,46 +104,8 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples 
 
 %changelog
-* Sun Feb 28 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.8-0Beta2
-* Thu Feb 11 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.8-0Beta1
-* Fri Feb 05 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0base
-* Tue Feb 02 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0RC2
-* Wed Jan 27 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0RC1
-* Mon Jan 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0Beta4
-* Fri Jan 22 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0Beta3
-* Fri Jan 22 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0Beta2
-* Thu Jan 21 2010 Tom Eastep tom@shorewall.net
-- Add /usr/share/shorewall/helpers
-* Sun Jan 17 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0Beta1
-* Wed Jan 13 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.6-0base
-* Wed Jan 13 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.6-0Beta1
-* Thu Dec 24 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.5-0base
-* Sat Nov 21 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.4-0base
-* Fri Nov 13 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.4-0Beta2
-* Wed Nov 11 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.4-0Beta1
-* Tue Nov 03 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.3-0base
-* Sun Sep 06 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.2-0base
-* Fri Sep 04 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.2-0base
-* Fri Aug 14 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.1-0base
+* Thu Aug 13 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.0-1
 * Sun Aug 09 2009 Tom Eastep tom@shorewall.net
 - Made Perl a dependency
 * Mon Aug 03 2009 Tom Eastep tom@shorewall.net

Shorewall/uninstall.sh

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://www.shorewall.net
 #
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.8-Beta2
+VERSION=4.4.0.1
 
 usage() # $1 = exit status
 {

Shorewall/wait4ifup

@@ -33,7 +33,7 @@
 #
 
 interface_is_up() {
-    [ -n "$(/sbin/ip link list dev $1 2> /dev/null | /bin/grep -e '[<,]UP[,>]')" ] 
+    [ -n "$(ip link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ] 
 }
 
 case $# in
@@ -51,7 +51,7 @@ esac
 
 while [ $timeout -gt 0 ]; do
     interface_is_up $1 && exit 0
-    /bin/sleep 1
+    sleep 1
     timeout=$(( $timeout - 1 ))
 done
 

Shorewall6-lite/README.txt

@@ -1 +1 @@
-This is the Shorewall6-lite stable 4.4 branch of Git.
+This is the Shorewall6-lite development 4.3 branch of SVN.

Shorewall6-lite/default.debian

@@ -21,9 +21,4 @@ startup=0
 
 OPTIONS=""
 
-#
-# Init Log -- if /dev/null, use the STARTUP_LOG defined in shorewall.conf
-#
-INITLOG=/dev/null
-
 # EOF

Shorewall6-lite/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=4.4.8-Beta2
+VERSION=4.4.0.1
 
 usage() # $1 = exit status
 {

Shorewall6-lite/init.debian.sh

@@ -2,8 +2,8 @@
 
 ### BEGIN INIT INFO
 # Provides:          shorewall6-lite
-# Required-Start:    $network $remote_fs
-# Required-Stop:     $network $remote_fs
+# Required-Start:    $network
+# Required-Stop:     $network
 # Default-Start:     S
 # Default-Stop:      0 6
 # Short-Description: Configure the firewall at boot time
@@ -15,7 +15,9 @@
 
 SRWL=/sbin/shorewall6-lite
 SRWL_OPTS="-tvv"
-test -n ${INITLOG:=/var/log/shorewall6-lite-init.log}
+# Note, set INITLOG to /dev/null if you do not want to
+# keep logs of the firewall (not recommended)
+INITLOG=/var/log/shorewall6-lite-init.log
 
 [ "$INITLOG" eq "/dev/null" && SHOREWALL_INIT_SCRIPT=1 || SHOREWALL_INIT_SCRIPT=0
 
@@ -23,7 +25,7 @@ export SHOREWALL_INIT_SCRIPT
 
 test -x $SRWL || exit 0
 test -x $WAIT_FOR_IFUP || exit 0
-test -n "$INITLOG" || {
+test -n $INITLOG || {
 	echo "INITLOG cannot be empty, please configure $0" ; 
 	exit 1;
 }
@@ -42,7 +44,6 @@ echo_notdone () {
 	  echo "not done (check $INITLOG)."
   fi
 
-  exit 1
 }
 
 not_configured () {

Shorewall6-lite/install.sh

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.8-Beta2
+VERSION=4.4.0.1
 
 usage() # $1 = exit status
 {
@@ -219,11 +219,6 @@ mkdir -p ${PREFIX}/var/lib/shorewall6-lite
 chmod 755 ${PREFIX}/etc/shorewall6-lite
 chmod 755 ${PREFIX}/usr/share/shorewall6-lite
 
-if [ -n "$PREFIX" ]; then
-    mkdir -p ${PREFIX}/etc/logrotate.d
-    chmod 755 ${PREFIX}/etc/logrotate.d
-fi
-
 #
 # Install the config file
 #
@@ -308,11 +303,6 @@ cd ..
 
 echo "Man Pages Installed"
 
-if [ -d ${PREFIX}/etc/logrotate.d ]; then
-    run_install $OWNERSHIP -m 0644 logrotate ${PREFIX}/etc/logrotate.d/shorewall6-lite
-    echo "Logrotate file installed as ${PREFIX}/etc/logrotate.d/shorewall6-lite"
-fi
-
 #
 # Create the version file
 #

Shorewall6-lite/logrotate

@@ -1,5 +0,0 @@
-/var/log/shorewall6-init.log {
-  missingok
-  notifempty
-  create 0600 root root
-}

Shorewall6-lite/shorecap

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2006,2007 - Tom Eastep (teastep@shorewall.net)
 #
 #	This file should be placed in /sbin/shorewall.
 #
@@ -45,22 +45,21 @@
 #    used during firewall compilation, then the generated firewall program will likewise not
 #    require Shorewall to be installed.
 
-SHAREDIR=/usr/share/shorewall6-lite
-VARDIR=/var/lib/shorewall6-lite
-CONFDIR=/etc/shorewall6-lite
-g_product="Shorewall Lite"
+SHAREDIR=/usr/share/shorewall-lite
+VARDIR=/var/lib/shorewall-lite
+CONFDIR=/etc/shorewall-lite
+PRODUCT="Shorewall Lite"
 
-. /usr/share/shorewall6-lite/lib.base
-. /usr/share/shorewall6-lite/lib.cli
-. /usr/share/shorewall6-lite/configpath
+. /usr/share/shorewall-lite/lib.base
+. /usr/share/shorewall-lite/configpath
 
 [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
-SHOREWALL_VERSION=$(cat /usr/share/shorewall6-lite/version)
+VERSION=$(cat /usr/share/shorewall-lite/version)
 
-[ -n "$IP6TABLES" ] || IP6TABLES=$(mywhich iptables)
+[ -n "$IPTABLES" ] || IPTABLES=$(mywhich iptables)
 
-VERBOSITY=0
+VERBOSE=0
 load_kernel_modules No
 determine_capabilities
 report_capabilities1

Shorewall6-lite/shorewall6-lite

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2006 - Tom Eastep (teastep@shorewall.net)
 #
 #	This file should be placed in /sbin/shorewall-lite.
 #
@@ -95,7 +95,7 @@ get_config() {
 
     if ( ps ax 2> /dev/null | grep -v grep |  qt grep 'syslogd.*-C' ) ; then
 	LOGREAD="logread | tac"
-    elif [ -r $LOGFILE ]; then
+    elif [ -f $LOGFILE ]; then
 	LOGREAD="tac $LOGFILE"
     else
 	echo "LOGFILE ($LOGFILE) does not exist!" >&2
@@ -117,6 +117,8 @@ get_config() {
 
     [ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:"
 
+    export LOGFORMAT
+
     if [ -n "$IP6TABLES" ]; then
 	if [ ! -x "$IP6TABLES" ]; then
 	    echo "   ERROR: The program specified in IP6TABLES does not exist or is not executable" >&2
@@ -125,11 +127,13 @@ get_config() {
     else
 	IP6TABLES=$(mywhich ip6tables 2> /dev/null)
 	if [ -z "$IP6TABLES" ] ; then
-	    echo "   ERROR: Can't find ip6tables executable" >&2
+	    echo "   ERROR: Can't find iptables executable" >&2
 	    exit 2
 	fi
     fi
 
+    export IP6TABLES
+
     if [ -n "$SHOREWALL_SHELL" ]; then
 	if [ ! -x "$SHOREWALL_SHELL" ]; then
 	    echo "   WARNING: The program specified in SHOREWALL_SHELL does not exist or is not executable; falling back to /bin/sh" >&2
@@ -141,33 +145,29 @@ get_config() {
 
     validate_restorefile RESTOREFILE
 
+    export RESTOREFILE
+
     [ -n "${VERBOSITY:=2}" ]
 
-    [ -n "$g_use_verbosity" ] && VERBOSITY=$g_use_verbosity || VERBOSITY=$(($g_verbose_offset + $VERBOSITY))
+    [ -n "$USE_VERBOSITY" ] && VERBOSE=$USE_VERBOSITY || VERBOSE=$(($VERBOSE_OFFSET + $VERBOSITY))
 
-    g_hostname=$(hostname 2> /dev/null)
+    export VERBOSE
 
-    IP=$(mywhich ip 2> /dev/null)
-    if [ -z "$IP" ] ; then
-	echo "   ERROR: Can't find ip executable" >&2
-	exit 2
-    fi
+    [ -n "${HOSTNAME:=$(hostname)}" ]
 
-    IPSET=ipset
-    TC=tc
 }
 
 #
 # Verify that we have a compiled firewall script
 #
 verify_firewall_script() {
-    if [ ! -f $g_firewall ]; then
+    if [ ! -f $FIREWALL ]; then
 	echo "   ERROR: Shorewall6 Lite is not properly installed" >&2
-	if [ -L $g_firewall ]; then
-	    echo "          $g_firewall is a symbolic link to a" >&2
+	if [ -L $FIREWALL ]; then
+	    echo "          $FIREWALL is a symbolic link to a" >&2
 	    echo "          non-existant file" >&2
 	else
-	    echo "          The file $g_firewall does not exist" >&2
+	    echo "          The file $FIREWALL does not exist" >&2
 	fi
 	
 	exit 2
@@ -187,7 +187,7 @@ start_command() {
 	[ -n "$nolock" ] || mutex_on
 
 	if [ -x ${LITEDIR}/firewall ]; then
-	    run_it ${LITEDIR}/firewall $debugging start
+	    ${LITEDIR}/firewall $debugging start
 	    rc=$?
 	else
 	    error_message "${LITEDIR}/firewall is missing or is not executable"
@@ -219,12 +219,12 @@ start_command() {
 			    option=
 			    ;;
 			f*)
-			    g_fast=Yes
+			    FAST=Yes
 			    option=${option#f}
 			    ;;
 			p*)
 			    [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
-			    g_purge=Yes
+			    PURGE=Yes
 			    option=${option%p}
 			    ;;
 			*)
@@ -244,24 +244,40 @@ start_command() {
 	0)
 	    ;;
 	*)
-	    usage 1	    ;;
+	    usage 1
+	    ;;
     esac
 
-    if [ -n "$g_fast" ]; then
+    export NOROUTES
+
+    if [ -n "$FAST" ]; then
 	if qt mywhich make; then
-	    export RESTOREFILE
-	    make -qf ${CONFDIR}/Makefile || g_fast=
+	    #
+	    # RESTOREFILE is exported by get_config()
+	    #
+	    make -qf ${CONFDIR}/Makefile || FAST=
 	fi
 
-	if [ -n "$g_fast" ]; then
+	if [ -n "$FAST" ]; then
 
-	    g_restorepath=${VARDIR}/$RESTOREFILE
+	    RESTOREPATH=${VARDIR}/$RESTOREFILE
+
+	    if [ -x $RESTOREPATH ]; then
+		if [ -x ${RESTOREPATH}-ipsets ]; then
+		    echo Restoring Ipsets...
+		    #
+		    # We must purge iptables to be sure that there are no
+		    # references to ipsets
+		    #
+		    iptables -F
+		    iptables -X
+		    $SHOREWALL_SHELL ${RESTOREPATH}-ipsets
+		fi
 
-	    if [ -x $g_restorepath ]; then
 		echo Restoring Shorewall6 Lite...
-		run_it $g_restorepath restore
+		$SHOREWALL_SHELL $RESTOREPATH restore
 		date > ${VARDIR}/restarted
-		progress_message3 Shorewall6 Lite restored from $g_restorepath
+		progress_message3 Shorewall6 Lite restored from $RESTOREPATH
 	    else
 		do_it
 	    fi
@@ -297,12 +313,12 @@ restart_command() {
 			    option=
 			    ;;
 			n*)
-			    g_noroutes=Yes
+			    NOROUTES=Yes
 			    option=${option#n}
 			    ;;
 			p*)
 			    [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
-			    g_purge=Yes
+			    PURGE=Yes
 			    option=${option%p}
 			    ;;
 			*)
@@ -326,10 +342,12 @@ restart_command() {
 	    ;;
     esac
 
+    export NOROUTES
+
     [ -n "$nolock" ] || mutex_on
 
     if [ -x ${LITEDIR}/firewall ]; then
-	run_it ${LITEDIR}/firewall $debugging restart
+	$SHOREWALL_SHELL ${LITEDIR}/firewall $debugging restart
 	rc=$?
     else
 	error_message "${LITEDIR}/firewall is missing or is not executable"
@@ -349,26 +367,28 @@ usage() # $1 = exit status
     echo "Usage: $(basename $0) [debug|trace] [nolock] [ -q ] [ -v[-1|{0-2}] ] [ -t ] <command>"
     echo "where <command> is one of:"
     echo "   allow <address> ..."
-    echo "   clear [ -f ]"
+    echo "   clear"
     echo "   drop <address> ..."
     echo "   dump [ -x ]"
     echo "   forget [ <file name> ]"
     echo "   help"
-    echo "   load [ -s ] [ -c ] [ -r <root user> ] [ <directory> ] <system>"
+    echo "   hits [ -t ]"
+    echo "   ipcalc { <address>/<vlsm> | <address> <netmask> }"
+    echo "   ipdecimal { <address> | <integer> }"
+    echo "   iprange <address>-<address>"
     echo "   logdrop <address> ..."
     echo "   logreject <address> ..."
     echo "   logwatch [<refresh interval>]"
-    echo "   refresh [ <chain>... ]"
     echo "   reject <address> ..."
-    echo "   reset [ <chain> ... ]"
-    echo "   restart [ -n ] [ -f ]"
+    echo "   reset"
+    echo "   restart [ -n ] [ -p ]"
     echo "   restore [ -n ] [ <file name> ]"
     echo "   save [ <file name> ]"
-    echo "   show [ -x ] [ -m ] [-f] [ -t {filter|mangle} ] [ {chain [<chain> [ <chain> ... ]capabilities|classifiers|config|connections|filters|ip|log|macros|mangle|nat|policies|raw|routing|tc|vardir|zones} ]"
-    echo "   start [ -f ] [ <directory> ]"
-    echo "   stop [ -f ]"
+    echo "   show [ -x ] [ -m ] [ -f ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]|capabilities|classifiers|config|connections|filters|ip|log|mangle|nat|routing|tc|vardir|zones} ]"
+    echo "   start [ -f ] [ -n ] [ -p ]"
+    echo "   stop"
     echo "   status"
-    echo "   version [ -a ]"
+    echo "   version"
     echo
     exit $1
 }
@@ -390,14 +410,14 @@ if [ $# -gt 0 ] && [ "$1" = "nolock" ]; then
     shift
 fi
 
-g_ipt_options="-nv"
-g_fast=
-g_verbose_offset=0
-g_use_verbosity=
-g_noroutes=
-g_timestamp=
-g_recovering=
-g_purge=
+IPT_OPTIONS="-nv"
+FAST=
+VERBOSE_OFFSET=0
+USE_VERBOSITY=
+NOROUTES=
+EXPORT=
+export TIMESTAMP=
+noroutes=
 
 finished=0
 
@@ -416,48 +436,48 @@ while [ $finished -eq 0 ]; do
 	    while [ -n "$option" ]; do
 		case $option in
 		    x*)
-			g_ipt_options="-xnv"
+			IPT_OPTIONS="-xnv"
 			option=${option#x}
 			;;
 		    q*)
-			g_verbose_offset=$(($g_verbose_offset - 1 ))
+			VERBOSE_OFFSET=$(($VERBOSE_OFFSET - 1 ))
 			option=${option#q}
 			;;
 		    f*)
-			g_fast=Yes
+			FAST=Yes
 			option=${option#f}
 			;;
 		    v*)
 			option=${option#v}
 			case $option in 
 			    -1*)
-				g_use_verbosity=-1
+				USE_VERBOSITY=-1
 				option=${option#-1}
 				;;
 			    0*)
-				g_use_verbosity=0
+				USE_VERBOSITY=0
 				option=${option#0}
 				;;
 			    1*)
-				g_use_verbosity=1
+				USE_VERBOSITY=1
 				option=${option#1}
 				;;
 			    2*)
-				g_use_verbosity=2
+				USE_VERBOSITY=2
 				option=${option#2}
 				;;
 			    *)
-				g_verbose_offset=$(($g_verbose_offset + 1 ))
-				g_use_verbosity=
+				VERBOSE_OFFSET=$(($VERBOSE_OFFSET + 1 ))
+				USE_VERBOSITY=
 				;;
 			esac
 			;;
 		    n*)
-			g_noroutes=Yes
+			NOROUTES=Yes
 			option=${option#n}
 			;;
 		    t*)
-			g_timestamp=Yes
+			TIMESTAMP=Yes
 			option=${option#t}
 			;;
 		    -)
@@ -482,11 +502,12 @@ if [ $# -eq 0 ]; then
 fi
 
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
+export PATH
 MUTEX_TIMEOUT=
 
 SHAREDIR=/usr/share/shorewall6-lite
 CONFDIR=/etc/shorewall6-lite
-g_product="Shorewall6 Lite"
+export PRODUCT="Shorewall6 Lite"
 
 [ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir ]
 
@@ -494,10 +515,17 @@ g_product="Shorewall6 Lite"
 
 [ -d $VARDIR ] || mkdir -p $VARDIR || fatal_error "Unable to create $VARDIR"
 
-version_file=$SHAREDIR/version
+LIBRARIES="$SHAREDIR/lib.base $SHAREDIR/lib.cli"
+VERSION_FILE=$SHAREDIR/version
+HELP=$SHAREDIR/help
 
-for library in base cli; do
-    . ${SHAREDIR}/lib.$library
+for library in $LIBRARIES; do
+    if [ -f $library ]; then
+	. $library
+    else
+	echo "Installation error: $library does not exist!" >&2
+	exit 2
+    fi
 done
 
 ensure_config_path
@@ -517,6 +545,7 @@ else
 fi
 
 ensure_config_path
+export CONFIG_PATH
 
 LITEDIR=${VARDIR}
 
@@ -524,17 +553,17 @@ LITEDIR=${VARDIR}
 
 get_config
 
-g_firewall=$LITEDIR/firewall
+FIREWALL=$LITEDIR/firewall
 
-if [ -f $version_file ]; then
-    SHOREWALL_VERSION=$(cat $version_file)
+if [ -f $VERSION_FILE ]; then
+    version=$(cat $VERSION_FILE)
 else
     echo "   ERROR: Shorewall6 Lite is not properly installed" >&2
-    echo "          The file $SHOREWALL_VERSION_FILE does not exist" >&2
+    echo "          The file $VERSION_FILE does not exist" >&2
     exit 1
 fi
 
-banner="Shorewall6 Lite $SHOREWALL_VERSION Status at $g_hostname -"
+banner="Shorewall6 Lite $version Status at $HOSTNAME -"
 
 case $(echo -e) in
     -e*)
@@ -566,7 +595,8 @@ case "$COMMAND" in
     stop|reset|clear)
 	[ $# -ne 1 ] && usage 1
 	verify_firewall_script
-	run_it $g_firewall $debugging $nolock $COMMAND
+	export NOROUTES
+	exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $COMMAND
 	;;
     restart)
 	shift
@@ -579,7 +609,7 @@ case "$COMMAND" in
     status)
 	[ $# -eq 1 ] || usage 1
 	[ "$(id -u)" != 0 ] && fatal_error "ERROR: The status command may only be run by root"
-	echo "Shorewall6 Lite $SHOREWALL_VERSION Status at $g_hostname - $(date)"
+	echo "Shorewall6 Lite $version Status at $HOSTNAME - $(date)"
 	echo
 	if shorewall6_is_started ; then
 	    echo "Shorewall6 Lite is running"
@@ -613,7 +643,7 @@ case "$COMMAND" in
 	hits_command $@
 	;;
     version)
-	echo $SHOREWALL_VERSION Lite
+	echo $version Lite
 	;;
     logwatch)
 	logwatch_command $@
@@ -672,7 +702,7 @@ case "$COMMAND" in
 	    ;;
 	esac
 
-	g_restorepath=${VARDIR}/$RESTOREFILE
+	RESTOREPATH=${VARDIR}/$RESTOREFILE
 
 	[ "$nolock" ] || mutex_on
 
@@ -694,20 +724,20 @@ case "$COMMAND" in
 	esac
 
 
-	g_restorepath=${VARDIR}/$RESTOREFILE
+	RESTOREPATH=${VARDIR}/$RESTOREFILE
 
-	if [ -x $g_restorepath ]; then
+	if [ -x $RESTOREPATH ]; then
 
-	    if [ -x ${g_restorepath}-ipsets ]; then
-		rm -f ${g_restorepath}-ipsets
-		echo "    ${g_restorepath}-ipsets removed"
+	    if [ -x ${RESTOREPATH}-ipsets ]; then
+		rm -f ${RESTOREPATH}-ipsets
+		echo "    ${RESTOREPATH}-ipsets removed"
 	    fi
 
-	    rm -f $g_restorepath
-	    rm -f ${g_restorepath}-iptables
-	    echo "    $g_restorepath removed"
-	elif [ -f $g_restorepath ]; then
-	    echo "   $g_restorepath exists and is not a saved Shorewall6 configuration"
+	    rm -f $RESTOREPATH
+	    rm -f ${RESTOREPATH}-iptables
+	    echo "    $RESTOREPATH removed"
+	elif [ -f $RESTOREPATH ]; then
+	    echo "   $RESTOREPATH exists and is not a saved Shorewall6 configuration"
 	fi
 	rm -f ${VARDIR}/save
 	;;

Shorewall6-lite/shorewall6-lite.spec

@@ -1,6 +1,6 @@
 %define name shorewall6-lite
-%define version 4.4.8
-%define release 0Beta2
+%define version 4.4.0
+%define release 1
 
 Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -70,8 +70,6 @@ fi
 %attr(0755,root,root) %dir /usr/share/shorewall6-lite
 %attr(0700,root,root) %dir /var/lib/shorewall6-lite
 
-%attr(0644,root,root) /etc/logrotate.d/shorewall6-lite
-
 %attr(0755,root,root) /sbin/shorewall6-lite
 
 %attr(0644,root,root) /usr/share/shorewall6-lite/version
@@ -79,7 +77,6 @@ fi
 %attr(-   ,root,root) /usr/share/shorewall6-lite/functions
 %attr(0644,root,root) /usr/share/shorewall6-lite/lib.base
 %attr(0644,root,root) /usr/share/shorewall6-lite/lib.cli
-%attr(0644,root,root) /usr/share/shorewall6-lite/lib.common
 %attr(0644,root,root) /usr/share/shorewall6-lite/modules
 %attr(0544,root,root) /usr/share/shorewall6-lite/shorecap
 %attr(0755,root,root) /usr/share/shorewall6-lite/wait4ifup
@@ -92,44 +89,8 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
-* Sun Feb 28 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.8-0Beta2
-* Thu Feb 11 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.8-0Beta1
-* Fri Feb 05 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0base
-* Tue Feb 02 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0RC2
-* Wed Jan 27 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0RC1
-* Mon Jan 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0Beta4
-* Fri Jan 22 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0Beta3
-* Fri Jan 22 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0Beta2
-* Sun Jan 17 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0Beta1
-* Wed Jan 13 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.6-0base
-* Tue Jan 12 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.6-0Beta1
-* Thu Dec 24 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.5-0base
-* Sat Nov 21 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.4-0base
-* Fri Nov 13 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.4-0Beta2
-* Wed Nov 11 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.4-0Beta1
-* Tue Nov 03 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.3-0base
-* Sun Sep 06 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.2-0base
-* Fri Sep 04 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.2-0base
-* Fri Aug 14 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.1-0base
+* Thu Aug 13 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.0-1
 * Mon Aug 03 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.0-0base
 * Tue Jul 28 2009 Tom Eastep tom@shorewall.net

Shorewall6-lite/uninstall.sh

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.sourceforge.net
 #
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.8-Beta2
+VERSION=4.4.0.1
 
 usage() # $1 = exit status
 {

Shorewall6/Makefile

@@ -14,8 +14,4 @@ $(VARDIR)/${RESTOREFILE}: $(CONFDIR)/*
 	    /sbin/shorewall6 -q restart 2>&1 | tail >&2; \
 	fi
 
-clean:
-	@rm -f $(CONFDIR)/*~ $(CONFDIR)/.*~
-.PHONY: clean
-
 # EOF

Shorewall6/README.txt

@@ -1 +1 @@
-This is the Shorewall6 stable 4.4 branch of Git.
+This is the Shorewall6 development 4.3 branch of SVN.

Shorewall6/action.Drop

@@ -22,7 +22,7 @@
 #
 # Reject 'auth'
 #
-Auth(REJECT)
+Auth/REJECT
 #
 # ACCEPT critical ICMP types
 #
@@ -35,7 +35,7 @@ dropInvalid
 #
 # Drop Microsoft noise so that it doesn't clutter up the log.
 #
-SMB(DROP)
+SMB/DROP
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #

Shorewall6/action.Reject

@@ -18,7 +18,7 @@
 #
 # Don't log 'auth' -- REJECT
 #
-Auth(REJECT)
+Auth/REJECT
 #
 # ACCEPT critical ICMP types
 #
@@ -32,7 +32,7 @@ dropInvalid
 #
 # Reject Microsoft noise so that it doesn't clutter up the log.
 #
-SMB(REJECT)
+SMB/REJECT
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #

Shorewall6/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=4.4.8-Beta2
+VERSION=4.4.0.1
 
 usage() # $1 = exit status
 {

Shorewall6/helpers

@@ -1,36 +0,0 @@
-#
-# Shorewall6 version 4 - Helpers File
-#
-# /usr/share/shorewall6/helpers
-#
-#	This file loads the modules that may be needed by the firewall.
-#
-#	THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-#	dependency order. i.e., if M2 depends on M1 then you must load M1
-#	before you load M2.
-#
-#  If you need to modify this file, copy it to /etc/shorewall and modify the
-#  copy.
-#
-###############################################################################
-#
-# Helpers
-#
-loadmodule nf_conntrack_amanda
-loadmodule nf_conntrack_ftp
-loadmodule nf_conntrack_h323
-loadmodule nf_conntrack_irc
-loadmodule nf_conntrack_netbios_ns
-loadmodule nf_conntrack_netbios_ns
-loadmodule nf_conntrack_netlink
-loadmodule nf_conntrack_pptp
-loadmodule nf_conntrack_proto_sctp
-loadmodule nf_conntrack_proto_udplite
-loadmodule nf_conntrack_sane
-loadmodule nf_conntrack_sip         sip_direct_media=0
-loadmodule nf_conntrack_pptp
-loadmodule nf_conntrack_proto_gre
-loadmodule nf_conntrack_proto_sctp
-loadmodule nf_conntrack_sip
-loadmodule nf_conntrack_tftp
-loadmodule nf_conntrack_sane