Fix syntax error in the generated script

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Correct issues with debugging the generated script
2012-03-06 09:14:06 -08:00 · 2012-03-05 15:55:25 -08:00 · 2012-02-29 15:04:17 -08:00 · 2012-02-25 08:28:15 -08:00 · 2012-02-25 07:51:55 -08:00 · 2012-02-25 07:40:47 -08:00
24 changed files with 899 additions and 320 deletions
--- a/Shorewall-core/install.sh
+++ b/Shorewall-core/install.sh
@@ -263,6 +263,15 @@ for f in lib.* ; do
    install_file $f ${DESTDIR}/usr/share/shorewall/$f 0644
    echo "Library ${f#*.} file installed as ${DESTDIR}/usr/share/shorewall/$f"
 done
+
+if [ -z "$MACHOST" ]; then
+    eval sed -i \'s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/usr/share/shorewall/lib.cli
+    eval sed -i \'s\|g_perllib=.\*\|g_perllib=$PERLLIB\|\' ${DESTDIR}/usr/share/shorewall/lib.cli
+else
+    eval sed -i \'\' -e \'s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/usr/share/shorewall/lib.cli
+    eval sed -i \'\' -e \'s\|g_perllib=.\*\|g_perllib=$PERLLIB\|\' ${DESTDIR}/usr/share/shorewall/lib.cli
+fi
+
 #
 # Symbolically link 'functions' to lib.base
 #
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -210,24 +210,30 @@ fi
 #
 # Install the Init Script
 #
-if [ -n "$DEBIAN" ]; then
-    install_file init.debian.sh ${DESTDIR}/etc/init.d/shorewall-init 0544
-elif [ -n "$FEDORA" ]; then
-    install_file init.debian.sh ${DESTDIR}/etc/init.d/shorewall-init 0544
-#elif [ -n "$ARCHLINUX" ]; then
-#    install_file init.archlinux.sh ${DESTDIR}${DEST}/$INIT 0544
+if [ -z "$SYSTEMD" ]; then
+    if [ -n "$DEBIAN" ]; then
+	install_file init.debian.sh ${DESTDIR}/etc/init.d/shorewall-init 0544
+    elif [ -n "$FEDORA" ]; then
+	install_file init.fedora.sh ${DESTDIR}/etc/init.d/shorewall-init 0544
+    #elif [ -n "$ARCHLINUX" ]; then
+    #    install_file init.archlinux.sh ${DESTDIR}${DEST}/$INIT 0544
+    else
+	install_file init.sh ${DESTDIR}${DEST}/$INIT 0544
+    fi
+
+    echo  "Shorewall Init script installed in ${DESTDIR}${DEST}/$INIT"
 else
-    install_file init.sh ${DESTDIR}${DEST}/$INIT 0544
-fi
-
-echo  "Shorewall Init script installed in ${DESTDIR}${DEST}/$INIT"
-
-#
-# Install the .service file
-#
-if [ -n "$SYSTEMD" ]; then
+    #
+    # Install the .service file
+    #
    run_install $OWNERSHIP -m 600 shorewall-init.service ${DESTDIR}/lib/systemd/system/shorewall-init.service
    echo "Service file installed as ${DESTDIR}/lib/systemd/system/shorewall-init.service"
+    if [ -n "$DESTDIR" ]; then
+	mkdir -p ${DESTDIR}/sbin/
+	chmod 755 ${DESTDIR}/sbin/
+	run_install $OWNERSHIP -m 600 shorewall-init ${DESTDIR}/sbin/shorewall-init
+	echo "CLI installed as ${DESTDIR}/lib/systemd/system/shorewall-init.service"
+    fi
 fi

 #
--- a/Shorewall-init/shorewall-init
+++ b/Shorewall-init/shorewall-init
@@ -0,0 +1,92 @@
+#! /bin/bash
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2012 - Tom Eastep (teastep@shorewall.net)
+#
+#       On most distributions, this file should be called /etc/init.d/shorewall.
+#
+#       Complete documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#########################################################################################
+if [ "$(id -u)" != "0" ]
+then
+  echo "You must be root to start, stop or restart \"Shorewall \"."
+  exit 1
+fi
+
+# check if shorewall-init is configured or not
+if [ -f "/etc/sysconfig/shorewall-init" ]; then
+    . /etc/sysconfig/shorewall-init
+    if [ -z "$PRODUCTS" ]; then
+        echo "ERROR: No products configured" >&2
+	exit 1
+    fi
+else
+    echo "ERROR: /etc/sysconfig/shorewall-init not found" >&2
+    exit 1
+fi
+
+# Initialize the firewall
+shorewall_start () {
+  local PRODUCT
+  local VARDIR
+
+  echo -n "Initializing \"Shorewall-based firewalls\": "
+  for PRODUCT in $PRODUCTS; do
+      VARDIR=/var/lib/$PRODUCT
+      [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir 
+      if [ -x ${VARDIR}/firewall ]; then
+	  if ! /sbin/$PRODUCT status > /dev/null 2>&1; then
+	      ${VARDIR}/firewall stop || exit 1
+	  fi
+      fi
+  done
+
+  return 0
+}
+
+# Clear the firewall
+shorewall_stop () {
+  local PRODUCT
+  local VARDIR
+
+  echo -n "Clearing \"Shorewall-based firewalls\": "
+  for PRODUCT in $PRODUCTS; do
+      VARDIR=/var/lib/$PRODUCT
+      [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir 
+      if [ -x ${VARDIR}/firewall ]; then
+	  ${VARDIR}/firewall clear || exit 1
+      fi
+  done
+
+  return 0
+}
+
+case "$1" in
+  start)
+     shorewall_start
+     ;;
+  stop)
+     shorewall_stop
+     ;;
+  *)
+     echo "Usage: $0 {start|stop}"
+     exit 1
+esac
+
+exit 0
--- a/Shorewall-lite/init.sh
+++ b/Shorewall-lite/init.sh
@@ -76,10 +76,10 @@ command="$1"

 case "$command" in
    start)
-	exec /sbin/shorewall-lite $OPTIONS start $STARTOPTIONS $@
+	exec /sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
 	;;
    restart|reload)
-	exec /sbin/shorewall-lite $OPTIONS restart $RESTARTOPTIONS $@
+	exec /sbin/shorewall-lite $OPTIONS restart $RESTARTOPTIONS
 	;;
    status|stop)
 	exec /sbin/shorewall-lite $OPTIONS $command $@
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -238,8 +238,6 @@ delete_file ${DESTDIR}/usr/share/$PRODUCT/xmodules

 install_file $PRODUCT ${DESTDIR}/sbin/$PRODUCT 0544

-eval sed -i \'``s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/sbin/$PRODUCT
-
 echo "$Product control program installed in ${DESTDIR}/sbin/$PRODUCT"

 #
--- a/Shorewall-lite/manpages/shorewall-lite.xml
+++ b/Shorewall-lite/manpages/shorewall-lite.xml
@@ -11,11 +11,27 @@
  <refnamediv>
    <refname>shorewall-lite</refname>

-    <refpurpose>Administration tool for Shoreline Firewall Lite
-    (Shorewall-lite)</refpurpose>
+    <refpurpose>Administration tool for Shoreline Firewall Lite (Shorewall
+    Lite)</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg rep="norepeat">-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>add</option></arg>
+
+      <arg choice="plain"
+      rep="repeat"><replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]</arg>
+
+      <arg choice="plain"><replaceable>zone</replaceable></arg>
+    </cmdsynopsis>
+
    <cmdsynopsis>
      <command>shorewall-lite</command>

@@ -37,11 +53,28 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="plain"><option>clear</option></arg>
+      <arg
+      choice="plain"><option>clear</option><arg><option>-f</option></arg></arg>
    </cmdsynopsis>

    <cmdsynopsis>
-      <command>shorewall</command>
+      <command>shorewall-lite</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg rep="norepeat">-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>delete</option></arg>
+
+      <arg choice="plain"
+      rep="repeat"><replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]</arg>
+
+      <arg choice="plain"><replaceable>zone</replaceable></arg>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>shorewall-lite</command>

      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
@@ -50,7 +83,8 @@

      <arg choice="plain"><option>disable</option></arg>

-      <arg choice="plain"><replaceable>interface</replaceable></arg>
+      <arg choice="plain">{ <replaceable>interface</replaceable> |
+      <replaceable>provider</replaceable> }</arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -63,8 +97,7 @@

      <arg choice="plain"><option>drop</option></arg>

-      <arg choice="plain">{ <replaceable>interface</replaceable> |
-      <replaceable>provider</replaceable> }</arg>
+      <arg choice="plain"><replaceable>address</replaceable></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -78,11 +111,13 @@

      <arg><option>-x</option></arg>

+      <arg><option>-l</option></arg>
+
      <arg><option>-m</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
-      <command>shorewall</command>
+      <command>shorewall-lite</command>

      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
@@ -98,7 +133,8 @@
    <cmdsynopsis>
      <command>shorewall-lite</command>

-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>

      <arg>-<replaceable>options</replaceable></arg>

@@ -124,7 +160,8 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="plain"><option>hits</option></arg>
+      <arg
+      choice="plain"><option>hits</option><arg><option>-t</option></arg></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -158,6 +195,19 @@
      choice="plain"><replaceable>address1</replaceable><option>-</option><replaceable>address2</replaceable></arg>
    </cmdsynopsis>

+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>iptrace</option></arg>
+
+      <arg choice="plain"><replaceable>iptables match
+      expression</replaceable></arg>
+    </cmdsynopsis>
+
    <cmdsynopsis>
      <command>shorewall-lite</command>

@@ -198,6 +248,19 @@
      <arg choice="plain"><replaceable>address</replaceable></arg>
    </cmdsynopsis>

+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>noiptrace</option></arg>
+
+      <arg choice="plain"><replaceable>iptables match
+      expression</replaceable></arg>
+    </cmdsynopsis>
+
    <cmdsynopsis>
      <command>shorewall-lite</command>

@@ -219,8 +282,24 @@

      <arg>-<replaceable>options</replaceable></arg>

+      <arg choice="plain"><option>reset</option></arg>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
      <arg
-      choice="plain"><option>restart</option><arg><option>-n</option></arg><arg><option>-p</option></arg></arg>
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>restart</option></arg>
+
+      <arg><option>-n</option></arg>
+
+      <arg><option>-p</option></arg>
+
+      <arg><replaceable>directory</replaceable></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -260,8 +339,10 @@

      <arg><option>-x</option></arg>

+      <arg><option>-l</option></arg>
+
      <arg><option>-t</option>
-      {<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw</option>}</arg>
+      {<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw|rawpost</option>}</arg>

      <arg><arg><option>chain</option></arg><arg choice="plain"
      rep="repeat"><replaceable>chain</replaceable></arg></arg>
@@ -291,7 +372,7 @@
      <arg choice="plain"><option>show</option></arg>

      <arg
-      choice="req"><option>actions|classifiers|connections|config|zones</option></arg>
+      choice="req"><option>classifiers|connections|config|filters|ip|ipa|zones|policies|marks</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -305,7 +386,7 @@

      <arg><option>-x</option></arg>

-      <arg choice="req"><option>mangle|nat</option></arg>
+      <arg choice="req"><option>mangle|nat|routing|raw|rawpost</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -346,7 +427,7 @@

      <arg><option>-n</option></arg>

-      <arg><option>-f</option><arg><option>-p</option></arg></arg>
+      <arg><option>-p</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -377,7 +458,8 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="plain"><option>version</option></arg>
+      <arg
+      choice="plain"><option>version</option><arg><option>-a</option></arg></arg>
    </cmdsynopsis>
  </refsynopsisdiv>

@@ -385,7 +467,7 @@
    <title>Description</title>

    <para>The shorewall-lite utility is used to control the Shoreline Firewall
-    (Shorewall) Lite.</para>
+    Lite (Shorewall Lite).</para>
  </refsect1>

  <refsect1>
@@ -393,12 +475,12 @@

    <para>The <option>trace</option> and <option>debug</option> options are
    used for debugging. See <ulink
-    url="http://www.shorewall.net/starting_and_stopping.htm#Trace">http://www.shorewall.net/starting_and_stopping.htm#Trace</ulink>.</para>
+    url="http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace">http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace</ulink>.</para>

    <para>The nolock <option>option</option> prevents the command from
-    attempting to acquire the Shorewall Lite lockfile. It is useful if you
-    need to include <command>shorewall-lite</command> commands in the
-    <filename>started</filename> extension script.</para>
+    attempting to acquire the Shorewall-lite lockfile. It is useful if you
+    need to include <command>shorewall</command> commands in
+    <filename>/etc/shorewall/started</filename>.</para>

    <para>The <emphasis>options</emphasis> control the amount of output that
    the command produces. They consist of a sequence of the letters <emphasis
@@ -435,15 +517,17 @@
          defined in the <ulink
          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
          file. A <emphasis>host-list</emphasis> is comma-separated list whose
-          elements are a host or network address.<caution>
-              <para>The <command>add</command> command is not very robust. If
-              there are errors in the <replaceable>host-list</replaceable>,
-              you may see a large number of error messages yet a subsequent
-              <command>shorewall show zones</command> command will indicate
-              that all hosts were added. If this happens, replace
-              <command>add</command> by <command>delete</command> and run the
-              same command again. Then enter the correct command.</para>
-            </caution></para>
+          elements are host or network addresses.</para>
+
+          <caution>
+            <para>The <command>add</command> command is not very robust. If
+            there are errors in the <replaceable>host-list</replaceable>, you
+            may see a large number of error messages yet a subsequent
+            <command>shorewall-lite show zones</command> command will indicate
+            that all hosts were added. If this happens, replace
+            <command>add</command> by <command>delete</command> and run the
+            same command again. Then enter the correct command.</para>
+          </caution>
        </listitem>
      </varlistentry>

@@ -463,10 +547,16 @@
        <term><emphasis role="bold">clear</emphasis></term>

        <listitem>
-          <para>Clear will remove all rules and chains installed by Shorewall
-          Lite. The firewall is then wide open and unprotected. Existing
-          connections are untouched. Clear is often used to see if the
-          firewall is causing connection problems.</para>
+          <para>Clear will remove all rules and chains installed by
+          Shorewall-lite. The firewall is then wide open and unprotected.
+          Existing connections are untouched. Clear is often used to see if
+          the firewall is causing connection problems.</para>
+
+          <para>If <option>-f</option> is given, the command will be processed
+          by the compiled script that executed the last successful <emphasis
+          role="bold">start</emphasis>, <emphasis
+          role="bold">restart</emphasis> or <emphasis
+          role="bold">refresh</emphasis> command if that script exists.</para>
        </listitem>
      </varlistentry>

@@ -516,8 +606,11 @@
          <para>The <emphasis role="bold">-x</emphasis> option causes actual
          packet and byte counts to be displayed. Without that option, these
          counts are abbreviated. The <emphasis role="bold">-m</emphasis>
-          option causes any MAC addresses included in Shorewall Lite log
+          option causes any MAC addresses included in Shorewall-lite log
          messages to be displayed.</para>
+
+          <para>The <emphasis role="bold">-l</emphasis> option causes the rule
+          number for each Netfilter rule to be displayed.</para>
        </listitem>
      </varlistentry>

@@ -541,7 +634,7 @@
          and /var/lib/shorewall-lite/save. If no
          <emphasis>filename</emphasis> is given then the file specified by
          RESTOREFILE in <ulink
-          url="shorewall-lite.conf.html">shorewall-lite.conf</ulink>(5) is
+          url="shorewall.conf.html">shorewall.conf</ulink>(5) is
          assumed.</para>
        </listitem>
      </varlistentry>
@@ -558,8 +651,9 @@
        <term><emphasis role="bold">hits</emphasis></term>

        <listitem>
-          <para>Generates several reports from Shorewall Lite log messages in
-          the current log file.</para>
+          <para>Generates several reports from Shorewall-lite log messages in
+          the current log file. If the <option>-t</option> option is included,
+          the reports are restricted to log messages generated today.</para>
        </listitem>
      </varlistentry>

@@ -582,12 +676,33 @@
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis role="bold">iptrace</emphasis></term>
+
+        <listitem>
+          <para>This is a low-level debugging command that causes iptables
+          TRACE log records to be created. See iptables(8) for details.</para>
+
+          <para>The <replaceable>iptables match expression</replaceable> must
+          be one or more matches that may appear in both the raw table OUTPUT
+          and raw table PREROUTING chains.</para>
+
+          <para>The trace records are written to the kernel's log buffer with
+          faciility = kernel and priority = warning, and they are routed from
+          there by your logging daemon (syslogd, rsyslog, syslog-ng, ...) --
+          Shorewall-lite has no control over where the messages go; consult
+          your logging daemon's documentation.</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis role="bold">logdrop</emphasis></term>

        <listitem>
          <para>Causes traffic from the listed <emphasis>address</emphasis>es
-          to be logged then discarded.</para>
+          to be logged then discarded. Logging occurs at the log level
+          specified by the BLACKLIST_LOGLEVEL setting in <ulink
+          url="shorewall.conf.html">shorewall.conf</ulink> (5).</para>
        </listitem>
      </varlistentry>

@@ -595,9 +710,9 @@
        <term><emphasis role="bold">logwatch</emphasis></term>

        <listitem>
-          <para>Monitors the log file specified by theLOGFILE option in <ulink
-          url="shorewall-lite.conf.html">shorewall-lite.conf</ulink>(5) and
-          produces an audible alarm when new Shorewall Lite messages are
+          <para>Monitors the log file specified by the LOGFILE option in
+          <ulink url="shorewall.conf.html">shorewall.conf</ulink>(5) and
+          produces an audible alarm when new Shorewall-lite messages are
          logged. The <emphasis role="bold">-m</emphasis> option causes the
          MAC address of each packet source to be displayed if that
          information is available. The
@@ -615,7 +730,22 @@

        <listitem>
          <para>Causes traffic from the listed <emphasis>address</emphasis>es
-          to be logged then rejected.</para>
+          to be logged then rejected. Logging occurs at the log level
+          specified by the BLACKLIST_LOGLEVEL setting in <ulink
+          url="shorewall.conf.html">shorewall.conf</ulink> (5).</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">noiptrace</emphasis></term>
+
+        <listitem>
+          <para>This is a low-level debugging command that cancels a trace
+          started by a preceding <command>iptrace</command> command.</para>
+
+          <para>The <replaceable>iptables match expression</replaceable> must
+          be one given in the <command>iptrace</command> command being
+          cancelled.</para>
        </listitem>
      </varlistentry>

@@ -633,10 +763,10 @@

        <listitem>
          <para>Restart is similar to <emphasis role="bold">shorewall-lite
-          start</emphasis> but assumes that the firewall is already started.
-          Existing connections are maintained.</para>
+          start</emphasis> except that it assumes that the firewall is already
+          started. Existing connections are maintained.</para>

-          <para>The <option>-n</option> option causes Shorewall to avoid
+          <para>The <option>-n</option> option causes Shorewall-lite to avoid
          updating the routing table(s).</para>

          <para>The <option>-p</option> option causes the connection tracking
@@ -649,14 +779,14 @@
        <term><emphasis role="bold">restore</emphasis></term>

        <listitem>
-          <para>Restore Shorewall Lite to a state saved using the <emphasis
+          <para>Restore Shorewall-lite to a state saved using the <emphasis
          role="bold">shorewall-lite save</emphasis> command. Existing
          connections are maintained. The <emphasis>filename</emphasis> names
          a restore file in /var/lib/shorewall-lite created using <emphasis
          role="bold">shorewall-lite save</emphasis>; if no
-          <emphasis>filename</emphasis> is given then Shorewall Lite will be
+          <emphasis>filename</emphasis> is given then Shorewall-lite will be
          restored from the file specified by the RESTOREFILE option in <ulink
-          url="shorewall-lite.conf.html">shorewall-lite.conf</ulink>(5).</para>
+          url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
        </listitem>
      </varlistentry>

@@ -667,11 +797,10 @@
          <para>The dynamic blacklist is stored in
          /var/lib/shorewall-lite/save. The state of the firewall is stored in
          /var/lib/shorewall-lite/<emphasis>filename</emphasis> for use by the
-          <emphasis role="bold">shorewall-lite restore</emphasis> and
-          <emphasis role="bold">shorewall-lite -f start</emphasis> commands.
-          If <emphasis>filename</emphasis> is not given then the state is
-          saved in the file specified by the RESTOREFILE option in <ulink
-          url="shorewall-lite.conf.html">shorewall-lite.conf</ulink>(5).</para>
+          <emphasis role="bold">shorewall-lite restore</emphasis>. If
+          <emphasis>filename</emphasis> is not given then the state is saved
+          in the file specified by the RESTOREFILE option in <ulink
+          url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
        </listitem>
      </varlistentry>

@@ -683,15 +812,6 @@
          arguments:</para>

          <variablelist>
-            <varlistentry>
-              <term><emphasis role="bold">actions</emphasis></term>
-
-              <listitem>
-                <para>Produces a report about the available actions (built-in,
-                standard and user-defined).</para>
-              </listitem>
-            </varlistentry>
-
            <varlistentry>
              <term><emphasis role="bold">capabilities</emphasis></term>

@@ -704,8 +824,8 @@
            </varlistentry>

            <varlistentry>
-              <term>[ [ <option>chain</option> ] <emphasis>chain</emphasis>
-              ... ]</term>
+              <term>[ [ <option>chain</option> ] <emphasis>chain</emphasis>...
+              ]</term>

              <listitem>
                <para>The rules in each <emphasis>chain</emphasis> are
@@ -721,20 +841,25 @@
                Netfilter table to display. The default is <emphasis
                role="bold">filter</emphasis>.</para>

+                <para>The <emphasis role="bold">-l</emphasis> option causes
+                the rule number for each Netfilter rule to be
+                displayed.</para>
+
                <para>If the <emphasis role="bold">t</emphasis> option and the
                <option>chain</option> keyword are both omitted and any of the
                listed <replaceable>chain</replaceable>s do not exist, a usage
-                message will be displayed.</para>
+                message is displayed.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">classifiers</emphasis></term>
+              <term><emphasis
+              role="bold">classifiers|filters</emphasis></term>

              <listitem>
                <para>Displays information about the packet classifiers
-                defined on the system 10-080213-8397as a result of traffic
-                shaping configuration.</para>
+                defined on the system as a result of traffic shaping
+                configuration.</para>
              </listitem>
            </varlistentry>

@@ -756,15 +881,44 @@
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">mangle</emphasis></term>
+              <term><emphasis role="bold">ip</emphasis></term>

              <listitem>
-                <para>Displays the Netfilter mangle table using the command
-                <emphasis role="bold">iptables -t mangle -L -n
-                -v</emphasis>.The <emphasis role="bold">-x</emphasis> option
-                is passed directly through to iptables and causes actual
-                packet and byte counts to be displayed. Without this option,
-                those counts are abbreviated.</para>
+                <para>Displays the system's IPv4 configuration.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">ipa</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.4.17. Displays the per-IP
+                accounting counters (<ulink
+                url="manpages/shorewall-accounting.html">shorewall-accounting</ulink>
+                (5)).</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">log</emphasis></term>
+
+              <listitem>
+                <para>Displays the last 20 Shorewall-lite messages from the
+                log file specified by the LOGFILE option in <ulink
+                url="shorewall.conf.html">shorewall.conf</ulink>(5). The
+                <emphasis role="bold">-m</emphasis> option causes the MAC
+                address of each packet source to be displayed if that
+                information is available.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">marks</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.4.26. Displays the various fields
+                in packet marks giving the min and max value (in both decimal
+                and hex) and the applicable mask (in hex).</para>
              </listitem>
            </varlistentry>

@@ -781,6 +935,39 @@
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term><emphasis role="bold">policies</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.4.4. Displays the applicable policy
+                between each pair of zones. Note that implicit intrazone
+                ACCEPT policies are not displayed for zones associated with a
+                single network where that network doesn't specify
+                <option>routeback</option>.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">routing</emphasis></term>
+
+              <listitem>
+                <para>Displays the system's IPv4 routing configuration.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">raw</emphasis></term>
+
+              <listitem>
+                <para>Displays the Netfilter raw table using the command
+                <emphasis role="bold">iptables -t raw -L -n -v</emphasis>.The
+                <emphasis role="bold">-x</emphasis> option is passed directly
+                through to iptables and causes actual packet and byte counts
+                to be displayed. Without this option, those counts are
+                abbreviated.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis role="bold">tc</emphasis></term>

@@ -794,8 +981,8 @@
              <term><emphasis role="bold">zones</emphasis></term>

              <listitem>
-                <para>Displays the current composition of the Shorewall Lite
-                zones on the system.</para>
+                <para>Displays the current composition of the Shorewall zones
+                on the system.</para>
              </listitem>
            </varlistentry>
          </variablelist>
@@ -806,17 +993,10 @@
        <term><emphasis role="bold">start</emphasis></term>

        <listitem>
-          <para>Start shorewall Lite. Existing connections through
+          <para>Start Shorewall Lite. Existing connections through
          shorewall-lite managed interfaces are untouched. New connections
          will be allowed only if they are allowed by the firewall rules or
-          policies. If <emphasis role="bold">-f</emphasis> is specified, the
-          saved configuration specified by the RESTOREFILE option in <ulink
-          url="shorewall-lite.conf.html">shorewall-lite.conf</ulink>(5) will
-          be restored if that saved configuration exists and has been modified
-          more recently than the files in /etc/shorewall.</para>
-
-          <para>The <option>-n</option> option causes Shorewall to avoid
-          updating the routing table(s).</para>
+          policies.</para>

          <para>The <option>-p</option> option causes the connection tracking
          table to be flushed; the <command>conntrack</command> utility must
@@ -831,11 +1011,18 @@
          <para>Stops the firewall. All existing connections, except those
          listed in <ulink
          url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
-          or permitted by the ADMINISABSENTMINDED option in shorewall.conf(5),
-          are taken down. The only new traffic permitted through the firewall
-          is from systems listed in <ulink
+          or permitted by the ADMINISABSENTMINDED option in <ulink
+          url="shorewall.conf.html">shorewall.conf</ulink>(5), are taken down.
+          The only new traffic permitted through the firewall is from systems
+          listed in <ulink
          url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
          or by ADMINISABSENTMINDED.</para>
+
+          <para>If <option>-f</option> is given, the command will be processed
+          by the compiled script that executed the last successful <emphasis
+          role="bold">start</emphasis>, <emphasis
+          role="bold">restart</emphasis> or <emphasis
+          role="bold">refresh</emphasis> command if that script exists.</para>
        </listitem>
      </varlistentry>

@@ -852,7 +1039,9 @@
        <term><emphasis role="bold">version</emphasis></term>

        <listitem>
-          <para>Displays Shorewall-lite's version.</para>
+          <para>Displays Shorewall's version. The <option>-a</option> option
+          is included for compatibility with earlier Shorewall releases and is
+          ignored.</para>
        </listitem>
      </varlistentry>
    </variablelist>
@@ -871,13 +1060,13 @@
    url="http://www.shorewall.net/starting_and_stopping_shorewall.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>

    <para>shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
-    shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
-    shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
-    shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
-    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
-    shorewall-zones(5)</para>
+    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
+    shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
+    shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -5856,11 +5856,14 @@ sub copy_options( $ ) {
 #
 # This function is called after the blacklist rules have been added to the canonical chains. It 
 # either copies the relevant interface option rules into each canonocal chain, or it inserts one
-# or more jumps to the relevant option chains.
+# or more jumps to the relevant option chains. The argument indicates whether blacklist rules are
+# present.
 #
 sub add_interface_options( $ ) {

    if ( $_[0] ) {
+	#
+	# We have blacklist rules.
 	my %input_chains;
 	my %forward_chains;

@@ -5887,7 +5890,7 @@ sub add_interface_options( $ ) {
 	    $chainref->{digest} = sha1 $digest;
 	}
 	#
-	# Insert all interface option rules into the rules chains
+	# Insert jumps to the interface chains into the rules chains
 	#
 	for my $zone1 ( off_firewall_zones ) {
 	    my @input_interfaces   = keys %{zone_interfaces( $zone1 )};
@@ -5927,7 +5930,9 @@ sub add_interface_options( $ ) {
 		    @forward_interfaces = ( $forward_interfaces[0] );
 		}
 	    }  
-	    
+	    #
+	    # Now insert the jumps
+	    #
 	    for my $zone2 ( all_zones ) {
 		my $chainref = $filter_table->{rules_chain( $zone1, $zone2 )};
 		my $chain1ref;
@@ -5962,7 +5967,9 @@ sub add_interface_options( $ ) {
 		}
 	    }
 	}
-
+	#
+	# Now take care of jumps to the interface output option chains
+	#
 	for my $zone1 ( firewall_zone, vserver_zones ) {
 	    for my $zone2 ( off_firewall_zones ) {
 		my $chainref = $filter_table->{rules_chain( $zone1, $zone2 )};
@@ -5981,7 +5988,7 @@ sub add_interface_options( $ ) {
 	}
    } else {
 	#
-	# Simply move the option chain rules to the interface chains
+	# No Blacklisting - simply move the option chain rules to the interface chains
 	#
 	for my $interface ( all_real_interfaces ) {
 	    my $chainref;
@@ -6406,7 +6413,7 @@ sub create_netfilter_load( $ ) {
    #
    emit(  'exec 3>&-',
 	   '',
-	   '[ -n "$DEBUG" ] && command=debug_restore_input || command=$' . $UTILITY,
+	   '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY,
 	   '',
 	   'progress_message2 "Running $command..."',
 	   '',
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -791,7 +791,7 @@ sub compiler {
    #
    # Process the rules file.
    #
-    process_rules;
+    process_rules( $convert );
    #
    # Add Tunnel rules.
    #
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -2525,11 +2525,13 @@ sub classic_blacklist() {
 #
 # Process the BLRules and Rules Files
 #
-sub process_rules() {
+sub process_rules( $ ) {
+    my $convert = shift;
+    my $blrules = 0;
    #
    # Generate jumps to the classic blacklist chains
    #
-    my $blrules = classic_blacklist;
+    $blrules = classic_blacklist unless $convert;
    #
    # Process the blrules file
    #
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -1814,7 +1814,7 @@ sub process_host( ) {
 	$interface = $1;
 	$hosts = $2;

-	fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface})->{root};
+	fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface}) && $interfaceref->{root};
    } else {
 	fatal_error "Invalid HOST(S) column contents: $hosts" 
    }
--- a/Shorewall/Perl/prog.footer
+++ b/Shorewall/Perl/prog.footer
@@ -62,12 +62,14 @@ checkkernelversion() {
 #
 # Start trace if first arg is "debug" or "trace"
 #
+g_debug_iptables=
+
 if [ $# -gt 1 ]; then
    if [ "x$1" = "xtrace" ]; then
 	set -x
 	shift
    elif [ "x$1" = "xdebug" ]; then
-	DEBUG=Yes
+	g_debug_iptables=Yes
 	shift
    fi
 fi
--- a/Shorewall/init.sh
+++ b/Shorewall/init.sh
@@ -78,13 +78,13 @@ shift

 case "$command" in
    start)
-	exec /sbin/shorewall $OPTIONS start $STARTOPTIONS $@
+	exec /sbin/shorewall $OPTIONS start $STARTOPTIONS
 	;;
    restart|reload)
-	exec /sbin/shorewall $OPTIONS restart $RESTARTOPTIONS $@
+	exec /sbin/shorewall $OPTIONS restart $RESTARTOPTIONS
 	;;
    status|stop)
-	exec /sbin/shorewall $OPTIONS $command $@
+	exec /sbin/shorewall $OPTIONS $command
 	;;
    *)
 	usage
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -310,18 +310,9 @@ fi

 if [ -z "$CYGWIN" ]; then
   install_file $PRODUCT ${DESTDIR}/sbin/$PRODUCT 0755
-   if [ -z "$MACHOST" ]; then
-       eval sed -i \'s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/sbin/$PRODUCT
-       eval sed -i \'s\|g_perllib=.\*\|g_perllib=$PERLLIB\|\' ${DESTDIR}/sbin/$PRODUCT
-   else
-       eval sed -i \'\' -e \'s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/sbin/$PRODUCT
-       eval sed -i \'\' -e \'s\|g_perllib=.\*\|g_perllib=$PERLLIB\|\' ${DESTDIR}/sbin/$PRODUCT
-   fi
   echo "$PRODUCT control program installed in ${DESTDIR}/sbin/$PRODUCT"
 else
   install_file $PRODUCT ${DESTDIR}/bin/$PRODUCT 0755
-   eval sed -i \'s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/bin/$PRODUCT
-   eval sed -i \'s\|g_perllib=.\*\|g_perllib=$PERLLIB\|\' ${DESTDIR}/bin/$PRODUCT
   echo "$PRODUCT control program installed in ${DESTDIR}/bin/$PRODUCT"
 fi

--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
@@ -1579,7 +1579,7 @@ usage() # $1 = exit status
    echo "   status"
    echo "   stop"
    echo "   try <directory> [ <timeout> ]"
-    echo "   update [ -b ] [ -r ] [ -T ] [ <directory> ]"
+    echo "   update [ -a ] [ -b ] [ -r ] [ -T ] [ <directory> ]"
    echo "   version [ -a ]"
    echo
    exit $1
--- a/Shorewall/lib.core
+++ b/Shorewall/lib.core
@@ -510,6 +510,20 @@ debug_restore_input() {
 	qt1 $g_tool -t raw -P $chain ACCEPT
    done

+    qt1 $g_tool -t rawpost -F
+    qt1 $g_tool -t rawpost    -X
+
+    for chain in POSTROUTING; do
+	qt1 $g_tool -t rawpost -P $chain ACCEPT
+    done
+
+    qt1 $g_tool -t nat    -F
+    qt1 $g_tool -t nat    -X
+
+    for chain in PREROUTING POSTROUTING; do
+        qt1 $g_tool -t nat -P $chain ACCEPT
+    done
+
    qt1 $g_tool -t filter -F
    qt1 $g_tool -t filter -X

--- a/Shorewall/manpages/shorewall-blrules.xml
+++ b/Shorewall/manpages/shorewall-blrules.xml
@@ -40,7 +40,7 @@
      <varlistentry>
        <term><emphasis role="bold">ACTION- {<emphasis
        role="bold">ACCEPT</emphasis>|CONTINUE|DROP|A_DROP|REJECT|A_REJECT|<emphasis
-        role="bold">WHITELIES</emphasis>|<emphasis
+        role="bold">WHITELIST</emphasis>|<emphasis
        role="bold">LOG</emphasis>|<emphasis
        role="bold">QUEUE</emphasis>|<emphasis
        role="bold">NFQUEUE</emphasis>[<emphasis
@@ -292,10 +292,9 @@
    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
    shorewall-hosts(5), shorewall-interfaces(5), shorewall-maclist(5),
    shoewall6-netmap(5),shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-rtrules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
-    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
-    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
-    shorewall-zones(5)</para>
+    shorewall-providers(5), shorewall-rtrules(5), shorewall-routestopped(5),
+    shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
+    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
+    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall.xml
+++ b/Shorewall/manpages/shorewall.xml
@@ -1243,7 +1243,7 @@
          directory is given, then Shorewall will look in that directory first
          when opening configuration files.</para>

-          <para>Begining with Shorewall 4.5.0, you may specify a different
+          <para>Beginning with Shorewall 4.5.0, you may specify a different
          <replaceable>timeout</replaceable> value using the
          <option>-t</option> option. The numeric
          <replaceable>timeout</replaceable> may optionally be followed by an
@@ -1265,7 +1265,7 @@
          Shorewall will look in that directory first when opening
          configuration files.</para>

-          <para>Begining with Shorewall 4.5.0, you may specify a different
+          <para>Beginning with Shorewall 4.5.0, you may specify a different
          <replaceable>timeout</replaceable> value using the
          <option>-t</option> option. The numeric
          <replaceable>timeout</replaceable> may optionally be followed by an
@@ -1600,7 +1600,7 @@
          role="bold">restore</emphasis> is performed after
          <replaceable>timeout</replaceable> seconds.</para>

-          <para>Begining with Shorewall 4.5.0, the numeric
+          <para>Beginning with Shorewall 4.5.0, the numeric
          <replaceable>timeout</replaceable> may optionally be followed by an
          <option>s</option>, <option>m</option> or <option>h</option> suffix
          (e.g., 5m) to specify seconds, minutes or hours respectively. If the
--- a/Shorewall6-lite/init.sh
+++ b/Shorewall6-lite/init.sh
@@ -76,10 +76,10 @@ command="$1"

 case "$command" in
    start)
-	exec /sbin/shorewall6-lite $OPTIONS start $STARTOPTIONS $@
+	exec /sbin/shorewall6-lite $OPTIONS start $STARTOPTIONS
 	;;
    restart|reload)
-	exec /sbin/shorewall6-lite $OPTIONS restart $RESTARTOPTIONS $@
+	exec /sbin/shorewall6-lite $OPTIONS restart $RESTARTOPTIONS
 	;;
    status|stop)
 	exec /sbin/shorewall6-lite $OPTIONS $command $@
--- a/Shorewall6-lite/manpages/shorewall6-lite.xml
+++ b/Shorewall6-lite/manpages/shorewall6-lite.xml
@@ -11,11 +11,27 @@
  <refnamediv>
    <refname>shorewall6-lite</refname>

-    <refpurpose>Administration tool for Shoreline Firewall 6 Lite
-    (Shorewall6-lite)</refpurpose>
+    <refpurpose>Administration tool for Shoreline 6 Firewall Lite (Shorewall6
+    Lite)</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>shorewall6-lite</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg rep="norepeat">-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>add</option></arg>
+
+      <arg choice="plain"
+      rep="repeat"><replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]</arg>
+
+      <arg choice="plain"><replaceable>zone</replaceable></arg>
+    </cmdsynopsis>
+
    <cmdsynopsis>
      <command>shorewall6-lite</command>

@@ -37,11 +53,28 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="plain"><option>clear</option></arg>
+      <arg
+      choice="plain"><option>clear</option><arg><option>-f</option></arg></arg>
    </cmdsynopsis>

    <cmdsynopsis>
-      <command>shorewall</command>
+      <command>shorewall6-lite</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg rep="norepeat">-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>delete</option></arg>
+
+      <arg choice="plain"
+      rep="repeat"><replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]</arg>
+
+      <arg choice="plain"><replaceable>zone</replaceable></arg>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>shorewall6-lite</command>

      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
@@ -78,11 +111,13 @@

      <arg><option>-x</option></arg>

+      <arg><option>-l</option></arg>
+
      <arg><option>-m</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
-      <command>shorewall</command>
+      <command>shorewall6-lite</command>

      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
@@ -98,7 +133,8 @@
    <cmdsynopsis>
      <command>shorewall6-lite</command>

-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>

      <arg>-<replaceable>options</replaceable></arg>

@@ -124,7 +160,52 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="plain"><option>hits</option></arg>
+      <arg
+      choice="plain"><option>hits</option><arg><option>-t</option></arg></arg>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>shorewall6-lite</command>
+
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>ipcalc</option></arg>
+
+      <group choice="req">
+        <arg choice="plain"><replaceable>address</replaceable>
+        <replaceable>mask</replaceable></arg>
+
+        <arg
+        choice="plain"><replaceable>address</replaceable>/<replaceable>vlsm</replaceable></arg>
+      </group>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>shorewall6-lite</command>
+
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>iprange</option></arg>
+
+      <arg
+      choice="plain"><replaceable>address1</replaceable><option>-</option><replaceable>address2</replaceable></arg>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>shorewall6-lite</command>
+
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>iptrace</option></arg>
+
+      <arg choice="plain"><replaceable>iptables match
+      expression</replaceable></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -167,6 +248,19 @@
      <arg choice="plain"><replaceable>address</replaceable></arg>
    </cmdsynopsis>

+    <cmdsynopsis>
+      <command>shorewall6-lite</command>
+
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>noiptrace</option></arg>
+
+      <arg choice="plain"><replaceable>iptables match
+      expression</replaceable></arg>
+    </cmdsynopsis>
+
    <cmdsynopsis>
      <command>shorewall6-lite</command>

@@ -188,8 +282,24 @@

      <arg>-<replaceable>options</replaceable></arg>

+      <arg choice="plain"><option>reset</option></arg>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>shorewall6-lite</command>
+
      <arg
-      choice="plain"><option>restart</option><arg><option>-n</option></arg><arg><option>-p</option></arg></arg>
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>restart</option></arg>
+
+      <arg><option>-n</option></arg>
+
+      <arg><option>-p</option></arg>
+
+      <arg><replaceable>directory</replaceable></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -229,8 +339,10 @@

      <arg><option>-x</option></arg>

+      <arg><option>-l</option></arg>
+
      <arg><option>-t</option>
-      {<option>filter</option>|<option>mangle</option>|<option>raw</option>}</arg>
+      {<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw|rawpost</option>}</arg>

      <arg><arg><option>chain</option></arg><arg choice="plain"
      rep="repeat"><replaceable>chain</replaceable></arg></arg>
@@ -260,7 +372,7 @@
      <arg choice="plain"><option>show</option></arg>

      <arg
-      choice="req"><option>actions|classifiers|connections|config|zones</option></arg>
+      choice="req"><option>classifiers|connections|config|filters|ip|ipa|zones|policies|marks</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -274,7 +386,7 @@

      <arg><option>-x</option></arg>

-      <arg choice="plain"><option>mangle</option></arg>
+      <arg choice="req"><option>mangle|nat|routing|raw|rawpost</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -311,8 +423,11 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg
-      choice="plain"><option>start</option><arg>-<option>n</option></arg><arg>-<option>p</option></arg><arg>-<option>f</option></arg></arg>
+      <arg choice="plain"><option>start</option></arg>
+
+      <arg><option>-n</option></arg>
+
+      <arg><option>-p</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -343,7 +458,8 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="plain"><option>version</option></arg>
+      <arg
+      choice="plain"><option>version</option><arg><option>-a</option></arg></arg>
    </cmdsynopsis>
  </refsynopsisdiv>

@@ -351,7 +467,7 @@
    <title>Description</title>

    <para>The shorewall6-lite utility is used to control the Shoreline
-    Firewall 6 (Shorewall6) Lite.</para>
+    Firewall Lite (Shorewall Lite).</para>
  </refsect1>

  <refsect1>
@@ -359,19 +475,19 @@

    <para>The <option>trace</option> and <option>debug</option> options are
    used for debugging. See <ulink
-    url="http://www.shorewall.net/starting_and_stopping.htm#Trace">http://www.shorewall.net/starting_and_stopping.htm#Trace</ulink>.</para>
+    url="http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace">http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace</ulink>.</para>

    <para>The nolock <option>option</option> prevents the command from
-    attempting to acquire the Shorewall6 Lite lockfile. It is useful if you
-    need to include <command>shorewall6-lite</command> commands in the
-    <filename>started</filename> extension script.</para>
+    attempting to acquire the shorewall6-lite lockfile. It is useful if you
+    need to include <command>shorewall</command> commands in
+    <filename>/etc/shorewall/started</filename>.</para>

    <para>The <emphasis>options</emphasis> control the amount of output that
    the command produces. They consist of a sequence of the letters <emphasis
    role="bold">v</emphasis> and <emphasis role="bold">q</emphasis>. If the
    options are omitted, the amount of output is determined by the setting of
    the VERBOSITY parameter in <ulink
-    url="shorewall6.conf.html">shorewall6.conf</ulink>(5). Each <emphasis
+    url="shorewall.conf.html">shorewall6.conf</ulink>(5). Each <emphasis
    role="bold">v</emphasis> adds one to the effective verbosity and each
    <emphasis role="bold">q</emphasis> subtracts one from the effective
    VERBOSITY. Anternately, <emphasis role="bold">v</emphasis> may be followed
@@ -390,6 +506,29 @@
    <para>The available commands are listed below.</para>

    <variablelist>
+      <varlistentry>
+        <term><emphasis role="bold">add</emphasis></term>
+
+        <listitem>
+          <para>Adds a list of hosts or subnets to a dynamic zone usually used
+          with VPN's.</para>
+
+          <para>The <emphasis>interface</emphasis> argument names an interface
+          defined in the <ulink
+          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
+          file. A <emphasis>host-list</emphasis> is comma-separated list whose
+          elements are host or network addresses.<caution>
+              <para>The <command>add</command> command is not very robust. If
+              there are errors in the <replaceable>host-list</replaceable>,
+              you may see a large number of error messages yet a subsequent
+              <command>shorewall6-lite show zones</command> command will
+              indicate that all hosts were added. If this happens, replace
+              <command>add</command> by <command>delete</command> and run the
+              same command again. Then enter the correct command.</para>
+            </caution></para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis role="bold">allow</emphasis></term>

@@ -406,10 +545,31 @@
        <term><emphasis role="bold">clear</emphasis></term>

        <listitem>
-          <para>Clear will remove all rules and chains installed by Shorewall6
-          Lite. The firewall is then wide open and unprotected. Existing
-          connections are untouched. Clear is often used to see if the
-          firewall is causing connection problems.</para>
+          <para>Clear will remove all rules and chains installed by
+          shorewall6-lite. The firewall is then wide open and unprotected.
+          Existing connections are untouched. Clear is often used to see if
+          the firewall is causing connection problems.</para>
+
+          <para>If <option>-f</option> is given, the command will be processed
+          by the compiled script that executed the last successful <emphasis
+          role="bold">start</emphasis>, <emphasis
+          role="bold">restart</emphasis> or <emphasis
+          role="bold">refresh</emphasis> command if that script exists.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">delete</emphasis></term>
+
+        <listitem>
+          <para>The delete command reverses the effect of an earlier <emphasis
+          role="bold">add</emphasis> command.</para>
+
+          <para>The <emphasis>interface</emphasis> argument names an interface
+          defined in the <ulink
+          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
+          file. A <emphasis>host-list</emphasis> is comma-separated list whose
+          elements are a host or network address.</para>
        </listitem>
      </varlistentry>

@@ -444,8 +604,11 @@
          <para>The <emphasis role="bold">-x</emphasis> option causes actual
          packet and byte counts to be displayed. Without that option, these
          counts are abbreviated. The <emphasis role="bold">-m</emphasis>
-          option causes any MAC addresses included in Shorewall6 Lite log
+          option causes any MAC addresses included in shorewall6-lite log
          messages to be displayed.</para>
+
+          <para>The <emphasis role="bold">-l</emphasis> option causes the rule
+          number for each Netfilter rule to be displayed.</para>
        </listitem>
      </varlistentry>

@@ -469,7 +632,7 @@
          and /var/lib/shorewall6-lite/save. If no
          <emphasis>filename</emphasis> is given then the file specified by
          RESTOREFILE in <ulink
-          url="shorewall6-lite.conf.html">shorewall6-lite.conf</ulink>(5) is
+          url="shorewall.conf.html">shorewall6.conf</ulink>(5) is
          assumed.</para>
        </listitem>
      </varlistentry>
@@ -486,8 +649,47 @@
        <term><emphasis role="bold">hits</emphasis></term>

        <listitem>
-          <para>Generates several reports from Shorewall6 Lite log messages in
-          the current log file.</para>
+          <para>Generates several reports from shorewall6-lite log messages in
+          the current log file. If the <option>-t</option> option is included,
+          the reports are restricted to log messages generated today.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">ipcalc</emphasis></term>
+
+        <listitem>
+          <para>Ipcalc displays the network address, broadcast address,
+          network in CIDR notation and netmask corresponding to the
+          input[s].</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">iprange</emphasis></term>
+
+        <listitem>
+          <para>Iprange decomposes the specified range of IP addresses into
+          the equivalent list of network/host addresses.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">iptrace</emphasis></term>
+
+        <listitem>
+          <para>This is a low-level debugging command that causes iptables
+          TRACE log records to be created. See iptables(8) for details.</para>
+
+          <para>The <replaceable>iptables match expression</replaceable> must
+          be one or more matches that may appear in both the raw table OUTPUT
+          and raw table PREROUTING chains.</para>
+
+          <para>The trace records are written to the kernel's log buffer with
+          faciility = kernel and priority = warning, and they are routed from
+          there by your logging daemon (syslogd, rsyslog, syslog-ng, ...) --
+          shorewall6-lite has no control over where the messages go; consult
+          your logging daemon's documentation.</para>
        </listitem>
      </varlistentry>

@@ -496,7 +698,9 @@

        <listitem>
          <para>Causes traffic from the listed <emphasis>address</emphasis>es
-          to be logged then discarded.</para>
+          to be logged then discarded. Logging occurs at the log level
+          specified by the BLACKLIST_LOGLEVEL setting in <ulink
+          url="shorewall.conf.html">shorewall6.conf</ulink> (5).</para>
        </listitem>
      </varlistentry>

@@ -504,9 +708,9 @@
        <term><emphasis role="bold">logwatch</emphasis></term>

        <listitem>
-          <para>Monitors the log file specified by theLOGFILE option in <ulink
-          url="shorewall6-lite.conf.html">shorewall6-lite.conf</ulink>(5) and
-          produces an audible alarm when new Shorewall6 Lite messages are
+          <para>Monitors the log file specified by the LOGFILE option in
+          <ulink url="shorewall.conf.html">shorewall6.conf</ulink>(5) and
+          produces an audible alarm when new shorewall6-lite messages are
          logged. The <emphasis role="bold">-m</emphasis> option causes the
          MAC address of each packet source to be displayed if that
          information is available. The
@@ -524,7 +728,22 @@

        <listitem>
          <para>Causes traffic from the listed <emphasis>address</emphasis>es
-          to be logged then rejected.</para>
+          to be logged then rejected. Logging occurs at the log level
+          specified by the BLACKLIST_LOGLEVEL setting in <ulink
+          url="shorewall.conf.html">shorewall6.conf</ulink> (5).</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">noiptrace</emphasis></term>
+
+        <listitem>
+          <para>This is a low-level debugging command that cancels a trace
+          started by a preceding <command>iptrace</command> command.</para>
+
+          <para>The <replaceable>iptables match expression</replaceable> must
+          be one given in the <command>iptrace</command> command being
+          cancelled.</para>
        </listitem>
      </varlistentry>

@@ -542,10 +761,10 @@

        <listitem>
          <para>Restart is similar to <emphasis role="bold">shorewall6-lite
-          stop</emphasis> followed by <emphasis role="bold">shorewall6-lite
-          start</emphasis>. Existing connections are maintained.</para>
+          start</emphasis> except that it assumes that the firewall is already
+          started. Existing connections are maintained.</para>

-          <para>The <option>-n</option> option causes Shorewall6 to avoid
+          <para>The <option>-n</option> option causes shorewall6-lite to avoid
          updating the routing table(s).</para>

          <para>The <option>-p</option> option causes the connection tracking
@@ -558,14 +777,14 @@
        <term><emphasis role="bold">restore</emphasis></term>

        <listitem>
-          <para>Restore Shorewall6 Lite to a state saved using the <emphasis
+          <para>Restore shorewall6-lite to a state saved using the <emphasis
          role="bold">shorewall6-lite save</emphasis> command. Existing
          connections are maintained. The <emphasis>filename</emphasis> names
          a restore file in /var/lib/shorewall6-lite created using <emphasis
          role="bold">shorewall6-lite save</emphasis>; if no
-          <emphasis>filename</emphasis> is given then Shorewall6 Lite will be
+          <emphasis>filename</emphasis> is given then shorewall6-lite will be
          restored from the file specified by the RESTOREFILE option in <ulink
-          url="shorewall6-lite.conf.html">shorewall6-lite.conf</ulink>(5).</para>
+          url="shorewall.conf.html">shorewall6.conf</ulink>(5).</para>
        </listitem>
      </varlistentry>

@@ -576,11 +795,10 @@
          <para>The dynamic blacklist is stored in
          /var/lib/shorewall6-lite/save. The state of the firewall is stored
          in /var/lib/shorewall6-lite/<emphasis>filename</emphasis> for use by
-          the <emphasis role="bold">shorewall6-lite restore</emphasis> and
-          <emphasis role="bold">shorewall6-lite -f start</emphasis> commands.
-          If <emphasis>filename</emphasis> is not given then the state is
-          saved in the file specified by the RESTOREFILE option in <ulink
-          url="shorewall6-lite.conf.html">shorewall6-lite.conf</ulink>(5).</para>
+          the <emphasis role="bold">shorewall6-lite restore</emphasis>. If
+          <emphasis>filename</emphasis> is not given then the state is saved
+          in the file specified by the RESTOREFILE option in <ulink
+          url="shorewall.conf.html">shorewall6.conf</ulink>(5).</para>
        </listitem>
      </varlistentry>

@@ -592,15 +810,6 @@
          arguments:</para>

          <variablelist>
-            <varlistentry>
-              <term><emphasis role="bold">actions</emphasis></term>
-
-              <listitem>
-                <para>Produces a report about the available actions (built-in,
-                standard and user-defined).</para>
-              </listitem>
-            </varlistentry>
-
            <varlistentry>
              <term><emphasis role="bold">capabilities</emphasis></term>

@@ -613,12 +822,12 @@
            </varlistentry>

            <varlistentry>
-              <term>[ [ <option>chain</option> ] <emphasis>chain</emphasis>
-              ... ]</term>
+              <term>[ [ <option>chain</option> ] <emphasis>chain</emphasis>...
+              ]</term>

              <listitem>
                <para>The rules in each <emphasis>chain</emphasis> are
-                displayed using the <emphasis role="bold">ip6tables
+                displayed using the <emphasis role="bold">iptables
                -L</emphasis> <emphasis>chain</emphasis> <emphasis
                role="bold">-n -v</emphasis> command. If no
                <emphasis>chain</emphasis> is given, all of the chains in the
@@ -630,15 +839,20 @@
                Netfilter table to display. The default is <emphasis
                role="bold">filter</emphasis>.</para>

+                <para>The <emphasis role="bold">-l</emphasis> option causes
+                the rule number for each Netfilter rule to be
+                displayed.</para>
+
                <para>If the <emphasis role="bold">t</emphasis> option and the
                <option>chain</option> keyword are both omitted and any of the
                listed <replaceable>chain</replaceable>s do not exist, a usage
-                message will be displayed.</para>
+                message is displayed.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">classifiers</emphasis></term>
+              <term><emphasis
+              role="bold">classifiers|filters</emphasis></term>

              <listitem>
                <para>Displays information about the packet classifiers
@@ -659,21 +873,96 @@
              <term><emphasis role="bold">connections</emphasis></term>

              <listitem>
-                <para>Displays the IPv6 connections currently being tracked by
+                <para>Displays the IP connections currently being tracked by
                the firewall.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">mangle</emphasis></term>
+              <term><emphasis role="bold">ip</emphasis></term>

              <listitem>
-                <para>Displays the Netfilter mangle table using the command
-                <emphasis role="bold">ip6tables -t mangle -L -n
-                -v</emphasis>.The <emphasis role="bold">-x</emphasis> option
-                is passed directly through to iptables and causes actual
-                packet and byte counts to be displayed. Without this option,
-                those counts are abbreviated.</para>
+                <para>Displays the system's IPv4 configuration.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">ipa</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.4.17. Displays the per-IP
+                accounting counters (<ulink
+                url="manpages/shorewall-accounting.html">shorewall-accounting</ulink>
+                (5)).</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">log</emphasis></term>
+
+              <listitem>
+                <para>Displays the last 20 shorewall6-lite messages from the
+                log file specified by the LOGFILE option in <ulink
+                url="shorewall.conf.html">shorewall6.conf</ulink>(5). The
+                <emphasis role="bold">-m</emphasis> option causes the MAC
+                address of each packet source to be displayed if that
+                information is available.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">marks</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.4.26. Displays the various fields
+                in packet marks giving the min and max value (in both decimal
+                and hex) and the applicable mask (in hex).</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">nat</emphasis></term>
+
+              <listitem>
+                <para>Displays the Netfilter nat table using the command
+                <emphasis role="bold">iptables -t nat -L -n -v</emphasis>.The
+                <emphasis role="bold">-x</emphasis> option is passed directly
+                through to iptables and causes actual packet and byte counts
+                to be displayed. Without this option, those counts are
+                abbreviated.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">policies</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.4.4. Displays the applicable policy
+                between each pair of zones. Note that implicit intrazone
+                ACCEPT policies are not displayed for zones associated with a
+                single network where that network doesn't specify
+                <option>routeback</option>.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">routing</emphasis></term>
+
+              <listitem>
+                <para>Displays the system's IPv4 routing configuration.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">raw</emphasis></term>
+
+              <listitem>
+                <para>Displays the Netfilter raw table using the command
+                <emphasis role="bold">iptables -t raw -L -n -v</emphasis>.The
+                <emphasis role="bold">-x</emphasis> option is passed directly
+                through to iptables and causes actual packet and byte counts
+                to be displayed. Without this option, those counts are
+                abbreviated.</para>
              </listitem>
            </varlistentry>

@@ -690,8 +979,8 @@
              <term><emphasis role="bold">zones</emphasis></term>

              <listitem>
-                <para>Displays the current composition of the Shorewall6 Lite
-                zones on the system.</para>
+                <para>Displays the current composition of the Shorewall zones
+                on the system.</para>
              </listitem>
            </varlistentry>
          </variablelist>
@@ -702,17 +991,10 @@
        <term><emphasis role="bold">start</emphasis></term>

        <listitem>
-          <para>Start shorewall6 Lite. Existing connections through
+          <para>Start Shorewall Lite. Existing connections through
          shorewall6-lite managed interfaces are untouched. New connections
          will be allowed only if they are allowed by the firewall rules or
-          policies. If <emphasis role="bold">-f</emphasis> is specified, the
-          saved configuration specified by the RESTOREFILE option in <ulink
-          url="shorewall6-lite.conf.html">shorewall6-lite.conf</ulink>(5) will
-          be restored if that saved configuration exists and has been modified
-          more recently than the files in /etc/shorewall6.</para>
-
-          <para>The <option>-n</option> option causes Shorewall6 to avoid
-          updating the routing table(s).</para>
+          policies.</para>

          <para>The <option>-p</option> option causes the connection tracking
          table to be flushed; the <command>conntrack</command> utility must
@@ -726,12 +1008,19 @@
        <listitem>
          <para>Stops the firewall. All existing connections, except those
          listed in <ulink
-          url="shorewall6-routestopped.html">shorewall6-routestopped</ulink>(5)
-          or permitted by the ADMINISABSENTMINDED option in
-          shorewall6.conf(5), are taken down. The only new traffic permitted
-          through the firewall is from systems listed in <ulink
-          url="shorewall6-routestopped.html">shorewall6-routestopped</ulink>(5)
+          url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
+          or permitted by the ADMINISABSENTMINDED option in <ulink
+          url="shorewall.conf.html">shorewall6.conf</ulink>(5), are taken
+          down. The only new traffic permitted through the firewall is from
+          systems listed in <ulink
+          url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
          or by ADMINISABSENTMINDED.</para>
+
+          <para>If <option>-f</option> is given, the command will be processed
+          by the compiled script that executed the last successful <emphasis
+          role="bold">start</emphasis>, <emphasis
+          role="bold">restart</emphasis> or <emphasis
+          role="bold">refresh</emphasis> command if that script exists.</para>
        </listitem>
      </varlistentry>

@@ -740,7 +1029,7 @@

        <listitem>
          <para>Produces a short report about the state of the
-          Shorewall6-configured firewall.</para>
+          Shorewall-configured firewall.</para>
        </listitem>
      </varlistentry>

@@ -748,7 +1037,9 @@
        <term><emphasis role="bold">version</emphasis></term>

        <listitem>
-          <para>Displays Shorewall6-lite's version.</para>
+          <para>Displays Shorewall's version. The <option>-a</option> option
+          is included for compatibility with earlier Shorewall releases and is
+          ignored.</para>
        </listitem>
      </varlistentry>
    </variablelist>
@@ -764,14 +1055,16 @@
    <title>See ALSO</title>

    <para><ulink
-    url="http://www.shorewall.net/starting_and_stopping_shorewall6.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>
+    url="http://www.shorewall.net/starting_and_stopping_shorewall.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>

    <para>shorewall6-accounting(5), shorewall6-actions(5),
-    shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
-    shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
-    shorewall6-providers(5), shorewall6-route_rules(5),
+    shorewall6-blacklist(5), shorewall6-hosts(5), shorewall_interfaces(5),
+    shorewall6-ipsets(5), shorewall6-maclist(5), shorewall6-masq(5),
+    shorewall6-netmap(5), shorewall6-params(5), shorewall6-policy(5),
+    shorewall6-providers(5), shorewall6-proxyarp(5), shorewall6-rtrules(5),
    shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
-    shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
-    shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
+    shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
+    shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5),
+    shorewall6-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall6/init.sh
+++ b/Shorewall6/init.sh
@@ -77,10 +77,10 @@ command="$1"

 case "$command" in
    start)
-	exec /sbin/shorewall6 $OPTIONS start $STARTOPTIONS $@
+	exec /sbin/shorewall6 $OPTIONS start $STARTOPTIONS
 	;;
    restart|reload)
-	exec /sbin/shorewall6 $OPTIONS restart $RESTARTOPTIONS $@
+	exec /sbin/shorewall6 $OPTIONS restart $RESTARTOPTIONS
 	;;
    status|stop)
 	exec /sbin/shorewall6 $OPTIONS $command $@
--- a/Shorewall6/manpages/shorewall6-blrules.xml
+++ b/Shorewall6/manpages/shorewall6-blrules.xml
@@ -41,7 +41,7 @@
      <varlistentry>
        <term><emphasis role="bold">ACTION- {<emphasis
        role="bold">ACCEPT</emphasis>|CONTINUE|DROP|A_DROP|REJECT|A_REJECT|<emphasis
-        role="bold">WHITELIES</emphasis>|<emphasis
+        role="bold">WHITELIST</emphasis>|<emphasis
        role="bold">LOG</emphasis>|<emphasis
        role="bold">QUEUE</emphasis>|<emphasis
        role="bold">NFQUEUE</emphasis>[<emphasis
--- a/Shorewall6/manpages/shorewall6.xml
+++ b/Shorewall6/manpages/shorewall6.xml
@@ -1108,7 +1108,7 @@
          directory is given, then Shorewall6 will look in that directory
          first when opening configuration files.</para>

-          <para>Begining with Shorewall 4.5.0, you may specify a different
+          <para>Beginning with Shorewall 4.5.0, you may specify a different
          <replaceable>timeout</replaceable> value using the
          <option>-t</option> option. The numeric
          <replaceable>timeout</replaceable> may optionally be followed by an
@@ -1130,7 +1130,7 @@
          Shorewall6 will look in that directory first when opening
          configuration files.</para>

-          <para>Begining with Shorewall 4.5.0, you may specify a different
+          <para>Beginning with Shorewall 4.5.0, you may specify a different
          <replaceable>timeout</replaceable> value using the
          <option>-t</option> option. The numeric
          <replaceable>timeout</replaceable> may optionally be followed by an
@@ -1422,7 +1422,7 @@
          role="bold">restore</emphasis> is performed after
          <replaceable>timeout</replaceable> seconds.</para>

-          <para>Begining with Shorewall 4.5.0, the numeric
+          <para>Beginning with Shorewall 4.5.0, the numeric
          <replaceable>timeout</replaceable> may optionally be followed by an
          <option>s</option>, <option>m</option> or <option>h</option> suffix
          (e.g., 5m) to specify seconds, minutes or hours respectively. If the
--- a/docs/Documentation_Index.xml
+++ b/docs/Documentation_Index.xml
@@ -5,7 +5,7 @@
  <!--/$Id$-->

  <articleinfo>
-    <title>Shorewall 4.5 Documentation</title>
+    <title>Shorewall 4.4/4.5 Documentation</title>

    <authorgroup>
      <author>
@@ -55,7 +55,7 @@
      <tgroup align="left" cols="3">
        <tbody>
          <row>
-            <entry></entry>
+            <entry/>

            <entry><ulink url="LXC.html">Linux Containers
            (LXC)</ulink></entry>
@@ -285,7 +285,7 @@

            <entry><ulink url="ports.htm">Port Information</ulink></entry>

-            <entry></entry>
+            <entry/>
          </row>

          <row>
@@ -294,7 +294,7 @@
            <entry><ulink url="PortKnocking.html">Port Knocking and Other Uses
            of the 'Recent Match'</ulink></entry>

-            <entry></entry>
+            <entry/>
          </row>

          <row>
@@ -303,7 +303,7 @@

            <entry><ulink url="PPTP.htm">PPTP</ulink></entry>

-            <entry></entry>
+            <entry/>
          </row>

          <row>
@@ -312,7 +312,7 @@

            <entry><ulink url="ProxyARP.htm">Proxy ARP</ulink></entry>

-            <entry></entry>
+            <entry/>
          </row>

          <row>
@@ -322,7 +322,7 @@
            <entry><ulink url="shorewall_quickstart_guide.htm">QuickStart
            Guides</ulink></entry>

-            <entry></entry>
+            <entry/>
          </row>

          <row>
@@ -330,7 +330,7 @@

            <entry><ulink url="NewRelease.html">Release Model</ulink></entry>

-            <entry></entry>
+            <entry/>
          </row>

          <row>
@@ -339,7 +339,7 @@
            <entry><ulink
            url="shorewall_prerequisites.htm">Requirements</ulink></entry>

-            <entry></entry>
+            <entry/>
          </row>

          <row>
@@ -348,7 +348,7 @@
            <entry><ulink url="Shorewall_and_Routing.html">Routing and
            Shorewall</ulink></entry>

-            <entry></entry>
+            <entry/>
          </row>

          <row>
@@ -357,7 +357,7 @@
            <entry><ulink url="Multiple_Zones.html">Routing on One
            Interface</ulink></entry>

-            <entry></entry>
+            <entry/>
          </row>

          <row>
@@ -366,7 +366,7 @@

            <entry><ulink url="samba.htm">Samba</ulink></entry>

-            <entry></entry>
+            <entry/>
          </row>

          <row>
@@ -376,7 +376,7 @@
            <entry><ulink url="Shorewall-init.html">Shorewall
            Init</ulink></entry>

-            <entry></entry>
+            <entry/>
          </row>

          <row>
@@ -386,7 +386,7 @@
            <entry><ulink url="Shorewall-Lite.html">Shorewall
            Lite</ulink></entry>

-            <entry></entry>
+            <entry/>
          </row>
        </tbody>
      </tgroup>
--- a/docs/ReleaseModel.xml
+++ b/docs/ReleaseModel.xml
@@ -32,6 +32,8 @@

      <year>2010</year>

+      <year>2012</year>
+
      <holder>Thomas M. Eastep</holder>
    </copyright>

@@ -52,81 +54,64 @@
    <orderedlist>
      <listitem>
        <para>Releases have a three-level identification
-        <firstterm>x.y.z</firstterm> (e.g., 2.0.3).</para>
+        <firstterm>x.y.z</firstterm> (e.g., 4.5.0).</para>
      </listitem>

      <listitem>
        <para>The first two levels (<emphasis>x.y</emphasis>) designate the
-        <firstterm>Major Release Number</firstterm> (e.g., 2.0).</para>
+        <firstterm>major release number</firstterm> (e.g., 4.5).</para>
      </listitem>

      <listitem>
-        <para>The third level (<emphasis>z</emphasis>) designates the
-        <firstterm>Minor Release Number</firstterm>.</para>
+        <para>The third level (<emphasis>y</emphasis>) designates the
+        <firstterm>minor release Number</firstterm>.</para>
      </listitem>

      <listitem>
-        <para>Even numbered major releases (e.g., 1.4, 2.0, 2.2, ...) are
-        <firstterm>Stable Releases</firstterm>. No major new features are
-        added to stable releases and new minor releases of a stable release
-        will only contain bug fixes and simple low-risk enhancements.
-        Installing a new minor release for the major release that you are
-        currently running involves no migration issues unless you want to take
-        advantage of an enhancement (for example, if you are running 1.4.10
-        and I release 1.4.11, your current configuration is 100% compatible
-        with the new release).</para>
+        <para>Installing a new minor release involves no migration issues
+        unless you want to take advantage of an enhancement. For example, if
+        you are running 4.5.0 and I release 4.5.1, your current configuration
+        is 100% compatible with the new release.</para>
+      </listitem>
+
+      <listitem>
+        <para>A major release may have migration issues. These are listed in
+        the release notes and on the <ulink url="upgrade_issues.htm">upgrade
+        issues page</ulink>.</para>
      </listitem>

      <listitem>
        <para>Support is available through the <ulink
        url="http://sourceforge.net/mail/?group_id=22587">Mailing List</ulink>
-        for the two or three most recent Stable Releases. Three releases are
-        supported when the Shorewall release in the Stable Debian distribution
-        is two releases behind the current Shorewall development. In that
-        case, only the minor release in Stable is supported.</para>
+        for the two most recent Major Releases. Fixes will only be provided
+        for the last minor release in the previous Major Release. For example,
+        only 4.5.0 was released, the only fixes for major issues with 4.4.27
+        would be released for the 4.4 series.</para>
      </listitem>

      <listitem>
-        <para>Odd numbered major releases (e.g., 2.1, 2.3, ...) are
-        <firstterm>Development Releases</firstterm>. Development releases are
-        where new functionality is introduced. Documentation for new features
-        will be available but it may not be up to the standards of the stable
-        release documentation. Sites running Development Releases should be
-        prepared to play an active role in testing new features. Bug fixes and
-        problem resolution for the development release take a back seat to
-        support of the stable releases. Problem reports for the current
-        development release should be sent to the <ulink
-        url="mailto:shorewall-devel@lists.shorewall.net">Shorewall Development
-        Mailing List</ulink>.</para>
+        <para>Once a minor release has been announced, work begins on the next
+        minor release. Periodic Beta releases are made available through
+        announcements on the Shorewall Development and Shorewall User mailing
+        lists. Those Beta releases are numberd w.x.y-Beta1, ...Beta2, etc.
+        Support for the Beta releases is offered through the Shorewall
+        Development mailing list in the form of emailed patches. There is no
+        guarantee of compatability between one Beta release and the next as
+        features are tweaked.</para>
      </listitem>

      <listitem>
-        <para>When the level of functionality of the current development
-        release is judged adequate, the <firstterm>Beta period</firstterm> for
-        a new Stable release will begin. Beta releases have identifications of
-        the form <emphasis>x.y.0-BetaN</emphasis> where
-        <emphasis>x.y</emphasis> is the number of the next Stable Release and
-        <emphasis>N</emphasis>=1,2,3... . Betas are expected to occur roughly
-        once per year. Beta releases may contain new functionality not present
-        in the previous beta release (e.g., 2.2.0-Beta4 may contain
-        functionality not present in 2.2.0-Beta3). When I'm confident that the
-        current Beta release is stable, I will release the first
-        <firstterm>Release Candidate</firstterm>. Release candidates have
-        identifications of the form <emphasis>x.y.0-RCn</emphasis> where
-        <emphasis>x.y</emphasis> is the number of the next Stable Release and
-        <emphasis>n</emphasis>=1,2,3... . Release candidates contain no new
-        functionality -- they only contain bug fixes. When the stability of
-        the current release candidate is judged to be sufficient then that
-        release candidate will be released as the new stable release (e.g.,
-        2.2.0). At that time, the new stable release and the prior stable
-        release are those that are supported.</para>
+        <para>When the next minor release is functionally complete, one or
+        more <firstterm>release candidates</firstterm> are announced on the
+        Shorewall Development and Shorewall User mailing lists. These release
+        candidates are numbered w.x.y-RC1, ...-RC2, etc.</para>
      </listitem>

      <listitem>
        <para>What does it mean for a major release to be
-        <firstterm>supported</firstterm>? It means that I will answer
-        questions about the release and that if a bug is found, I will fix the
-        bug and include the fix in the next minor release.</para>
+        <firstterm>supported</firstterm>? It means that that if a bug is
+        found, we will fix the bug and include the fix in the next minor
+        release.</para>
      </listitem>

      <listitem>
@@ -135,16 +120,8 @@
        four-level identification <emphasis>x.y.z.N</emphasis> where x.y.z is
        the minor release being fixed and N = 1.2.3...</para>
      </listitem>
-
-      <listitem>
-        <para>Additionally, bug fixes may be made available in the form of a
-        <firstterm>patch release</firstterm>. Patch releases have four-level
-        identifications (e.g., 4.0.6.1); the first three identify the minor
-        release and the fourth identifies the patch level.</para>
-      </listitem>
    </orderedlist>

-    <para>The currently-supported major releases are and 4.0.10., 4.2.x. and
-    4.4.x.</para>
+    <para>The currently-supported major releases are 4.4 and 4.5.</para>
  </section>
 </article>
Author	SHA1	Message	Date
Tom Eastep	25760aa653	Fix syntax error in the generated script Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-03-06 09:14:06 -08:00
Tom Eastep	649f73a360	Correct issues with debugging the generated script a) Rename DEBUG to g_debug_iptablesb b) Clear all of the tables prior to handling iptables-restore input.	2012-03-05 15:55:25 -08:00
Tom Eastep	93df86c90a	Add /sbin/shorewall-init for use with service.d Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-29 15:04:17 -08:00
Tom Eastep	d4e21314d0	Update the release model web page Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-25 08:28:15 -08:00
Tom Eastep	428e67dc9e	Fix incorrect manpage Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-25 07:51:55 -08:00
Tom Eastep	d3f4f59e36	Attempt to fix incorrect manpage Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-25 07:40:47 -08:00
Roberto C. Sanchez	1983d314b8	FIx typos	2012-02-25 07:32:01 -08:00
Tom Eastep	4ae5ee20aa	Fix broken init scripts. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-21 15:24:08 -08:00
Tom Eastep	408340ada2	Merge branch '4.5.0' of ssh://shorewall.git.sourceforge.net/gitroot/shorewall/shorewall into 4.5.0	2012-02-18 13:26:01 -08:00
Tom Eastep	12b92acef1	Fix compiler crash from unknown interface Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-18 11:05:47 -08:00
Tom Eastep	966597ee9d	Correct usage text for 'update'. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-18 11:05:27 -08:00
Tom Eastep	98aa70bcae	Correct a typo in the blrules manpages Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-18 11:05:11 -08:00
Tom Eastep	71a8ffca2e	Install the correct init script on Fedora	2012-02-17 13:47:49 -08:00
Tom Eastep	29fcb9b08f	Apply Simon Mater's patch for LIBEXEC/PERLLIB Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-13 12:57:07 -08:00
Tom Eastep	eef85fbcbc	Apply Simon Mater's patch for LIBEXEC/PERLLIB Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-13 07:02:48 -08:00
Tom Eastep	30cf344be0	Unify 4.4/4.5 documentation Index Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-12 11:47:08 -08:00
Tom Eastep	1b6c4e3fc4	Update the -lite manpages (long overdue) Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-08 13:23:53 -08:00
Tom Eastep	09078cf6ad	Add comments to add_interface_options() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-07 14:20:11 -08:00
Tom Eastep	f5c09a9e2e	Restore 'update -b' functionality Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-07 07:40:35 -08:00