Correct FAQ 2a

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/COPYING

@@ -1,341 +0,0 @@
-		    GNU GENERAL PUBLIC LICENSE
-		       Version 2, June 1991
-
- Copyright (C) 1989, 1991 Free Software Foundation, Inc.
-                          51 Franklin Street, Fifth Floor,
-			  Boston, MA 02110-1301 USA
- Everyone is permitted to copy and distribute verbatim copies
- of this license document, but changing it is not allowed.
-
-			    Preamble
-
-  The licenses for most software are designed to take away your
-freedom to share and change it.  By contrast, the GNU General Public
-License is intended to guarantee your freedom to share and change free
-software--to make sure the software is free for all its users.  This
-General Public License applies to most of the Free Software
-Foundation's software and to any other program whose authors commit to
-using it.  (Some other Free Software Foundation software is covered by
-the GNU Library General Public License instead.)  You can apply it to
-your programs, too.
-
-  When we speak of free software, we are referring to freedom, not
-price.  Our General Public Licenses are designed to make sure that you
-have the freedom to distribute copies of free software (and charge for
-this service if you wish), that you receive source code or can get it
-if you want it, that you can change the software or use pieces of it
-in new free programs; and that you know you can do these things.
-
-  To protect your rights, we need to make restrictions that forbid
-anyone to deny you these rights or to ask you to surrender the rights.
-These restrictions translate to certain responsibilities for you if you
-distribute copies of the software, or if you modify it.
-
-  For example, if you distribute copies of such a program, whether
-gratis or for a fee, you must give the recipients all the rights that
-you have.  You must make sure that they, too, receive or can get the
-source code.  And you must show them these terms so they know their
-rights.
-
-  We protect your rights with two steps: (1) copyright the software, and
-(2) offer you this license which gives you legal permission to copy,
-distribute and/or modify the software.
-
-  Also, for each author's protection and ours, we want to make certain
-that everyone understands that there is no warranty for this free
-software.  If the software is modified by someone else and passed on, we
-want its recipients to know that what they have is not the original, so
-that any problems introduced by others will not reflect on the original
-authors' reputations.
-
-  Finally, any free program is threatened constantly by software
-patents.  We wish to avoid the danger that redistributors of a free
-program will individually obtain patent licenses, in effect making the
-program proprietary.  To prevent this, we have made it clear that any
-patent must be licensed for everyone's free use or not licensed at all.
-
-  The precise terms and conditions for copying, distribution and
-modification follow.
-
-		    GNU GENERAL PUBLIC LICENSE
-   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
-
-  0. This License applies to any program or other work which contains
-a notice placed by the copyright holder saying it may be distributed
-under the terms of this General Public License.  The "Program", below,
-refers to any such program or work, and a "work based on the Program"
-means either the Program or any derivative work under copyright law:
-that is to say, a work containing the Program or a portion of it,
-either verbatim or with modifications and/or translated into another
-language.  (Hereinafter, translation is included without limitation in
-the term "modification".)  Each licensee is addressed as "you".
-
-Activities other than copying, distribution and modification are not
-covered by this License; they are outside its scope.  The act of
-running the Program is not restricted, and the output from the Program
-is covered only if its contents constitute a work based on the
-Program (independent of having been made by running the Program).
-Whether that is true depends on what the Program does.
-
-  1. You may copy and distribute verbatim copies of the Program's
-source code as you receive it, in any medium, provided that you
-conspicuously and appropriately publish on each copy an appropriate
-copyright notice and disclaimer of warranty; keep intact all the
-notices that refer to this License and to the absence of any warranty;
-and give any other recipients of the Program a copy of this License
-along with the Program.
-
-You may charge a fee for the physical act of transferring a copy, and
-you may at your option offer warranty protection in exchange for a fee.
-
-  2. You may modify your copy or copies of the Program or any portion
-of it, thus forming a work based on the Program, and copy and
-distribute such modifications or work under the terms of Section 1
-above, provided that you also meet all of these conditions:
-
-    a) You must cause the modified files to carry prominent notices
-    stating that you changed the files and the date of any change.
-
-    b) You must cause any work that you distribute or publish, that in
-    whole or in part contains or is derived from the Program or any
-    part thereof, to be licensed as a whole at no charge to all third
-    parties under the terms of this License.
-
-    c) If the modified program normally reads commands interactively
-    when run, you must cause it, when started running for such
-    interactive use in the most ordinary way, to print or display an
-    announcement including an appropriate copyright notice and a
-    notice that there is no warranty (or else, saying that you provide
-    a warranty) and that users may redistribute the program under
-    these conditions, and telling the user how to view a copy of this
-    License.  (Exception: if the Program itself is interactive but
-    does not normally print such an announcement, your work based on
-    the Program is not required to print an announcement.)
-
-These requirements apply to the modified work as a whole.  If
-identifiable sections of that work are not derived from the Program,
-and can be reasonably considered independent and separate works in
-themselves, then this License, and its terms, do not apply to those
-sections when you distribute them as separate works.  But when you
-distribute the same sections as part of a whole which is a work based
-on the Program, the distribution of the whole must be on the terms of
-this License, whose permissions for other licensees extend to the
-entire whole, and thus to each and every part regardless of who wrote it.
-
-Thus, it is not the intent of this section to claim rights or contest
-your rights to work written entirely by you; rather, the intent is to
-exercise the right to control the distribution of derivative or
-collective works based on the Program.
-
-In addition, mere aggregation of another work not based on the Program
-with the Program (or with a work based on the Program) on a volume of
-a storage or distribution medium does not bring the other work under
-the scope of this License.
-
-  3. You may copy and distribute the Program (or a work based on it,
-under Section 2) in object code or executable form under the terms of
-Sections 1 and 2 above provided that you also do one of the following:
-
-    a) Accompany it with the complete corresponding machine-readable
-    source code, which must be distributed under the terms of Sections
-    1 and 2 above on a medium customarily used for software interchange; or,
-
-    b) Accompany it with a written offer, valid for at least three
-    years, to give any third party, for a charge no more than your
-    cost of physically performing source distribution, a complete
-    machine-readable copy of the corresponding source code, to be
-    distributed under the terms of Sections 1 and 2 above on a medium
-    customarily used for software interchange; or,
-
-    c) Accompany it with the information you received as to the offer
-    to distribute corresponding source code.  (This alternative is
-    allowed only for noncommercial distribution and only if you
-    received the program in object code or executable form with such
-    an offer, in accord with Subsection b above.)
-
-The source code for a work means the preferred form of the work for
-making modifications to it.  For an executable work, complete source
-code means all the source code for all modules it contains, plus any
-associated interface definition files, plus the scripts used to
-control compilation and installation of the executable.  However, as a
-special exception, the source code distributed need not include
-anything that is normally distributed (in either source or binary
-form) with the major components (compiler, kernel, and so on) of the
-operating system on which the executable runs, unless that component
-itself accompanies the executable.
-
-If distribution of executable or object code is made by offering
-access to copy from a designated place, then offering equivalent
-access to copy the source code from the same place counts as
-distribution of the source code, even though third parties are not
-compelled to copy the source along with the object code.
-
-  4. You may not copy, modify, sublicense, or distribute the Program
-except as expressly provided under this License.  Any attempt
-otherwise to copy, modify, sublicense or distribute the Program is
-void, and will automatically terminate your rights under this License.
-However, parties who have received copies, or rights, from you under
-this License will not have their licenses terminated so long as such
-parties remain in full compliance.
-
-  5. You are not required to accept this License, since you have not
-signed it.  However, nothing else grants you permission to modify or
-distribute the Program or its derivative works.  These actions are
-prohibited by law if you do not accept this License.  Therefore, by
-modifying or distributing the Program (or any work based on the
-Program), you indicate your acceptance of this License to do so, and
-all its terms and conditions for copying, distributing or modifying
-the Program or works based on it.
-
-  6. Each time you redistribute the Program (or any work based on the
-Program), the recipient automatically receives a license from the
-original licensor to copy, distribute or modify the Program subject to
-these terms and conditions.  You may not impose any further
-restrictions on the recipients' exercise of the rights granted herein.
-You are not responsible for enforcing compliance by third parties to
-this License.
-
-  7. If, as a consequence of a court judgment or allegation of patent
-infringement or for any other reason (not limited to patent issues),
-conditions are imposed on you (whether by court order, agreement or
-otherwise) that contradict the conditions of this License, they do not
-excuse you from the conditions of this License.  If you cannot
-distribute so as to satisfy simultaneously your obligations under this
-License and any other pertinent obligations, then as a consequence you
-may not distribute the Program at all.  For example, if a patent
-license would not permit royalty-free redistribution of the Program by
-all those who receive copies directly or indirectly through you, then
-the only way you could satisfy both it and this License would be to
-refrain entirely from distribution of the Program.
-
-If any portion of this section is held invalid or unenforceable under
-any particular circumstance, the balance of the section is intended to
-apply and the section as a whole is intended to apply in other
-circumstances.
-
-It is not the purpose of this section to induce you to infringe any
-patents or other property right claims or to contest validity of any
-such claims; this section has the sole purpose of protecting the
-integrity of the free software distribution system, which is
-implemented by public license practices.  Many people have made
-generous contributions to the wide range of software distributed
-through that system in reliance on consistent application of that
-system; it is up to the author/donor to decide if he or she is willing
-to distribute software through any other system and a licensee cannot
-impose that choice.
-
-This section is intended to make thoroughly clear what is believed to
-be a consequence of the rest of this License.
-
-  8. If the distribution and/or use of the Program is restricted in
-certain countries either by patents or by copyrighted interfaces, the
-original copyright holder who places the Program under this License
-may add an explicit geographical distribution limitation excluding
-those countries, so that distribution is permitted only in or among
-countries not thus excluded.  In such case, this License incorporates
-the limitation as if written in the body of this License.
-
-  9. The Free Software Foundation may publish revised and/or new versions
-of the General Public License from time to time.  Such new versions will
-be similar in spirit to the present version, but may differ in detail to
-address new problems or concerns.
-
-Each version is given a distinguishing version number.  If the Program
-specifies a version number of this License which applies to it and "any
-later version", you have the option of following the terms and conditions
-either of that version or of any later version published by the Free
-Software Foundation.  If the Program does not specify a version number of
-this License, you may choose any version ever published by the Free Software
-Foundation.
-
-  10. If you wish to incorporate parts of the Program into other free
-programs whose distribution conditions are different, write to the author
-to ask for permission.  For software which is copyrighted by the Free
-Software Foundation, write to the Free Software Foundation; we sometimes
-make exceptions for this.  Our decision will be guided by the two goals
-of preserving the free status of all derivatives of our free software and
-of promoting the sharing and reuse of software generally.
-
-			    NO WARRANTY
-
-  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
-FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
-OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
-PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
-OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
-TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
-PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
-REPAIR OR CORRECTION.
-
-  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
-WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
-REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
-INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
-OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
-TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
-YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
-PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGES.
-
-		     END OF TERMS AND CONDITIONS
-
-	    How to Apply These Terms to Your New Programs
-
-  If you develop a new program, and you want it to be of the greatest
-possible use to the public, the best way to achieve this is to make it
-free software which everyone can redistribute and change under these terms.
-
-  To do so, attach the following notices to the program.  It is safest
-to attach them to the start of each source file to most effectively
-convey the exclusion of warranty; and each file should have at least
-the "copyright" line and a pointer to where the full notice is found.
-
-    <one line to give the program's name and a brief idea of what it does.>
-    Copyright (C) 19yy  <name of author>
-
-    This program is free software; you can redistribute it and/or modify
-    it under the terms of the GNU General Public License as published by
-    the Free Software Foundation; either version 2 of the License, or
-    (at your option) any later version.
-
-    This program is distributed in the hope that it will be useful,
-    but WITHOUT ANY WARRANTY; without even the implied warranty of
-    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-    GNU General Public License for more details.
-
-    You should have received a copy of the GNU General Public License
-    along with this program; if not, write to the Free Software
-    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
-
-
-Also add information on how to contact you by electronic and paper mail.
-
-If the program is interactive, make it output a short notice like this
-when it starts in an interactive mode:
-
-    Gnomovision version 69, Copyright (C) 19yy name of author
-    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
-    This is free software, and you are welcome to redistribute it
-    under certain conditions; type `show c' for details.
-
-The hypothetical commands `show w' and `show c' should show the appropriate
-parts of the General Public License.  Of course, the commands you use may
-be called something other than `show w' and `show c'; they could even be
-mouse-clicks or menu items--whatever suits your program.
-
-You should also get your employer (if you work as a programmer) or your
-school, if any, to sign a "copyright disclaimer" for the program, if
-necessary.  Here is a sample; alter the names:
-
-  Yoyodyne, Inc., hereby disclaims all copyright interest in the program
-  `Gnomovision' (which makes passes at compilers) written by James Hacker.
-
-  <signature of Ty Coon>, 1 April 1989
-  Ty Coon, President of Vice
-
-This General Public License does not permit incorporating your program into
-proprietary programs.  If your program is a subroutine library, you may
-consider it more useful to permit linking proprietary applications with the
-library.  If this is what you want to do, use the GNU Library General
-Public License instead of this License.

Shorewall-core/INSTALL

@@ -1,24 +0,0 @@
-Shoreline Firewall (Shorewall) Version 4
------         ----
-
------------------------------------------------------------------------------
-
-     This program is free software; you can redistribute it and/or modify
-     it under the terms of Version 2 of the GNU General Public License
-     as published by the Free Software Foundation.
-
-     This program is distributed in the hope that it will be useful,
-     but WITHOUT ANY WARRANTY; without even the implied warranty of
-     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-     GNU General Public License for more details.
-
-     You should have received a copy of the GNU General Public License
-     along with this program; if not, write to the Free Software
-     Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-
----------------------------------------------------------------------------
-
-Please see http://www.shorewall.net/Install.htm for installation
-instructions.
-
-

Shorewall-core/install.sh

@@ -1,287 +0,0 @@
-#!/bin/sh
-#
-# Script to install Shoreline Firewall Core Modules
-#
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2000-2011 - Tom Eastep (teastep@shorewall.net)
-#
-#       Shorewall documentation is available at http://shorewall.net
-#
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
-#
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
-#
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-
-VERSION=xxx #The Build script inserts the actual version
-
-usage() # $1 = exit status
-{
-    ME=$(basename $0)
-    echo "usage: $ME"
-    echo "       $ME -v"
-    echo "       $ME -h"
-    echo "       $ME -s"
-    echo "       $ME -f"
-    exit $1
-}
-
-split() {
-    local ifs
-    ifs=$IFS
-    IFS=:
-    set -- $1
-    echo $*
-    IFS=$ifs
-}
-
-qt()
-{
-    "$@" >/dev/null 2>&1
-}
-
-mywhich() {
-    local dir
-
-    for dir in $(split $PATH); do
-	if [ -x $dir/$1 ]; then
-	    echo $dir/$1
-	    return 0
-	fi
-    done
-
-    return 2
-}
-
-run_install()
-{
-    if ! install $*; then
-	echo
-	echo "ERROR: Failed to install $*" >&2
-	exit 1
-    fi
-}
-
-cant_autostart()
-{
-    echo
-    echo  "WARNING: Unable to configure shorewall to start automatically at boot" >&2
-}
-
-delete_file() # $1 = file to delete
-{
-    rm -f $1
-}
-
-install_file() # $1 = source $2 = target $3 = mode
-{
-    run_install $T $OWNERSHIP -m $3 $1 ${2}
-}
-
-[ -n "$DESTDIR" ] || DESTDIR="$PREFIX"
-
-#
-# Parse the run line
-#
-# ARGS is "yes" if we've already parsed an argument
-#
-T="-T"
-
-[ -n "${LIBEXEC:=/usr/share}" ]
-[ -n "${PERLLIB:=/usr/share/shorewall}" ]
-MACHOST=
-
-case "$LIBEXEC" in
-    /*)
-	;;
-    *)
-	LIBEXEC=/usr/${LIBEXEC}
-	;;
-esac
-
-case "$PERLLIB" in
-    /*)
-	;;
-    *)
-	PERLLIB=/usr/${PERLLIB}
-	;;
-esac
-
-INSTALLD='-D'
-
-case $(uname) in
-    CYGWIN*)
-	if [ -z "$DESTDIR" ]; then
-	    DEST=
-	    INIT=
-	fi
-
-	OWNER=$(id -un)
-	GROUP=$(id -gn)
-	CYGWIN=Yes
-	;;
-    Darwin)
-	if [ -z "$DESTDIR" ]; then
-	    DEST=
-	    INIT=
-	fi
-
-	[ -z "$OWNER" ] && OWNER=root
-	[ -z "$GROUP" ] && GROUP=wheel
-	MAC=Yes
-        MACHOST=Yes
-	INSTALLD=
-	T=
-	;;
-    *)
-	[ -z "$OWNER" ] && OWNER=root
-	[ -z "$GROUP" ] && GROUP=root
-	;;
-esac
-
-OWNERSHIP="-o $OWNER -g $GROUP"
-
-finished=0
-
-while [ $finished -eq 0 ]; do
-    option=$1
-
-    case "$option" in
-	-*)
-	    option=${option#-}
-	    
-	    while [ -n "$option" ]; do
-		case $option in
-		    h)
-			usage 0
-			;;
-		    v)
-			echo "Shorewall Firewall Installer Version $VERSION"
-			exit 0
-			;;
-		    a*)
-			ANNOTATED=Yes
-			option=${option#a}
-			;;
-		    p*)
-			ANNOTATED=
-			option=${option#p}
-			;;
-		    *)
-			usage 1
-			;;
-		esac
-	    done
-
-	    shift
-	    ;;
-	*)
-	    [ -n "$option" ] && usage 1
-	    finished=1
-	    ;;
-    esac
-done
-
-PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
-
-#
-# Determine where to install the firewall script
-#
-
-if [ -n "$DESTDIR" ]; then
-    if [ -z "$CYGWIN" ]; then
-	if [ `id -u` != 0 ] ; then
-	    echo "Not setting file owner/group permissions, not running as root."
-	    OWNERSHIP=""
-	fi
-    fi
-
-    install -d $OWNERSHIP -m 755 ${DESTDIR}/sbin
-    install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
-
-    CYGWIN=
-    MAC=
-else
-    if [ -n "$CYGWIN" ]; then
-	echo "Installing Cygwin-specific configuration..."
-    elif [ -n "$MAC" ]; then
-	echo "Installing Mac-specific configuration..."
-    else
-	if [ -f /etc/debian_version ]; then
-	    echo "Installing Debian-specific configuration..."
-	    DEBIAN=yes
-	elif [ -f /etc/redhat-release ]; then
-	    echo "Installing Redhat/Fedora-specific configuration..."
-	    FEDORA=yes
-	elif [ -f /etc/slackware-version ] ; then
-	    echo "Installing Slackware-specific configuration..."
-	    DEST="/etc/rc.d"
-	    MANDIR="/usr/man"
-	    SLACKWARE=yes
-	elif [ -f /etc/arch-release ] ; then
-	    echo "Installing ArchLinux-specific configuration..."
-	    DEST="/etc/rc.d"
-	    INIT="shorewall"
-	    ARCHLINUX=yes
-	fi
-    fi
-fi
-
-#
-# Change to the directory containing this script
-#
-cd "$(dirname $0)"
-
-echo "Installing Shorewall Core Version $VERSION"
-
-#
-# Create /usr/share/shorewall
-#
-mkdir -p ${DESTDIR}${LIBEXEC}/shorewall
-chmod 755 ${DESTDIR}/usr/share/shorewall
-#
-# Install wait4ifup
-#
-install_file wait4ifup ${DESTDIR}${LIBEXEC}/shorewall/wait4ifup 0755
-
-echo
-echo "wait4ifup installed in ${DESTDIR}${LIBEXEC}/shorewall/wait4ifup"
-
-#
-# Install the libraries
-#
-for f in lib.* ; do
-    install_file $f ${DESTDIR}/usr/share/shorewall/$f 0644
-    echo "Library ${f#*.} file installed as ${DESTDIR}/usr/share/shorewall/$f"
-done
-
-if [ -z "$MACHOST" ]; then
-    eval sed -i \'s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/usr/share/shorewall/lib.cli
-    eval sed -i \'s\|g_perllib=.\*\|g_perllib=$PERLLIB\|\' ${DESTDIR}/usr/share/shorewall/lib.cli
-else
-    eval sed -i \'\' -e \'s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/usr/share/shorewall/lib.cli
-    eval sed -i \'\' -e \'s\|g_perllib=.\*\|g_perllib=$PERLLIB\|\' ${DESTDIR}/usr/share/shorewall/lib.cli
-fi
-
-#
-# Symbolically link 'functions' to lib.base
-#
-ln -sf lib.base ${DESTDIR}/usr/share/shorewall/functions
-#
-# Create the version file
-#
-echo "$VERSION" > ${DESTDIR}/usr/share/shorewall/coreversion
-chmod 644 ${DESTDIR}/usr/share/shorewall/coreversion
-#
-#  Report Success
-#
-echo "Shorewall Core Version $VERSION Installed"

Shorewall-core/uninstall.sh

@@ -1,84 +0,0 @@
-#!/bin/sh
-#
-# Script to back uninstall Shoreline Firewall
-#
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2000-2011 - Tom Eastep (teastep@shorewall.net)
-#
-#       Shorewall documentation is available at http://www.shorewall.net
-#
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
-#
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
-#
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-#    Usage:
-#
-#       You may only use this script to uninstall the version
-#       shown below. Simply run this script to remove Shorewall Firewall
-
-VERSION=xxx #The Build script inserts the actual version
-
-usage() # $1 = exit status
-{
-    ME=$(basename $0)
-    echo "usage: $ME"
-    exit $1
-}
-
-qt()
-{
-    "$@" >/dev/null 2>&1
-}
-
-restore_file() # $1 = file to restore
-{
-    if [ -f ${1}-shorewall.bkout ]; then
-	if (mv -f ${1}-shorewall.bkout $1); then
-	    echo
-	    echo "$1 restored"
-        else
-	    exit 1
-        fi
-    fi
-}
-
-remove_file() # $1 = file to restore
-{
-    if [ -f $1 -o -L $1 ] ; then
-	rm -f $1
-	echo "$1 Removed"
-    fi
-}
-
-if [ -f /usr/share/shorewall/coreversion ]; then
-    INSTALLED_VERSION="$(cat /usr/share/shorewall/coreversion)"
-    if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
-	echo "WARNING: Shorewall Core Version $INSTALLED_VERSION is installed"
-	echo "         and this is the $VERSION uninstaller."
-	VERSION="$INSTALLED_VERSION"
-    fi
-else
-    echo "WARNING: Shorewall Core Version $VERSION is not installed"
-    VERSION=""
-fi
-
-[ -n "${LIBEXEC:=/usr/share}" ]
-[ -n "${PERLLIB:=/usr/share/shorewall}" ]
-
-echo "Uninstalling Shorewall Core $VERSION"
-
-rm -rf /usr/share/shorewall
-
-echo "Shorewall Core Uninstalled"
-
-

Shorewall-init/install.sh

@@ -213,7 +213,7 @@ fi
 if [ -n "$DEBIAN" ]; then
     install_file init.debian.sh ${DESTDIR}/etc/init.d/shorewall-init 0544
 elif [ -n "$FEDORA" ]; then
-    install_file init.fedora.sh ${DESTDIR}/etc/init.d/shorewall-init 0544
+    install_file init.debian.sh ${DESTDIR}/etc/init.d/shorewall-init 0544
 #elif [ -n "$ARCHLINUX" ]; then
 #    install_file init.archlinux.sh ${DESTDIR}${DEST}/$INIT 0544
 else

Shorewall-lite/default.debian

@@ -18,18 +18,9 @@ startup=0
 #
 # Startup options
 #
+
 OPTIONS=""
 
-#
-# Start options
-#
-STARTOPTIONS=""
-
-#
-# Restart options
-#
-RESTARTOPTIONS=""
-
 #
 # Init Log -- if /dev/null, use the STARTUP_LOG defined in shorewall.conf
 #
@@ -39,6 +30,7 @@ INITLOG=/dev/null
 # Set this to 1 to cause '/etc/init.d/shorewall-lite stop' to place the firewall in
 # a safe state rather than to open it
 #
+
 SAFESTOP=0
 
 # EOF

Shorewall-lite/init.debian.sh

@@ -80,7 +80,7 @@ fi
 # start the firewall
 shorewall_start () {
   echo -n "Starting \"Shorewall firewall\": "
-  $SRWL $SRWL_OPTS start $STARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
+  $SRWL $SRWL_OPTS start >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
 }
 
@@ -98,7 +98,7 @@ shorewall_stop () {
 # restart the firewall
 shorewall_restart () {
   echo -n "Restarting \"Shorewall firewall\": "
-  $SRWL $SRWL_OPTS restart $RESTARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
+  $SRWL $SRWL_OPTS restart >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
 }
 

Shorewall-lite/init.sh

@@ -76,13 +76,14 @@ command="$1"
 
 case "$command" in
     start)
-	exec /sbin/shorewall-lite $OPTIONS start $STARTOPTIONS $@
+	exec /sbin/shorewall-lite $OPTIONS $@
 	;;
-    restart|reload)
-	exec /sbin/shorewall-lite $OPTIONS restart $RESTARTOPTIONS $@
+    stop|restart|status)
+	exec /sbin/shorewall-lite $@
 	;;
-    status|stop)
-	exec /sbin/shorewall-lite $OPTIONS $command $@
+    reload)
+	shift
+	exec /sbin/shorewall-lite restart $@
 	;;
     *)
 	usage

Shorewall-lite/install.sh

@@ -72,7 +72,7 @@ run_install()
 cant_autostart()
 {
     echo
-    echo  "WARNING: Unable to configure $Product to start automatically at boot" >&2
+    echo  "WARNING: Unable to configure shorewall to start automatically at boot" >&2
 }
 
 delete_file() # $1 = file to delete
@@ -85,19 +85,6 @@ install_file() # $1 = source $2 = target $3 = mode
     run_install $T $OWNERSHIP -m $3 $1 ${2}
 }
 
-#
-# Change to the directory containing this script
-#
-cd "$(dirname $0)"
-
-if [ -f shorewall-lite ]; then
-    PRODUCT=shorewall-lite
-    Product="Shorewall Lite"
-else
-    PRODUCT=shorewall6-lite
-    Product="Shorewall6 Lite"
-fi
-
 [ -n "$DESTDIR" ] || DESTDIR="$PREFIX"
 
 #
@@ -105,13 +92,16 @@ fi
 #
 # DEST is the SysVInit script directory
 # INIT is the name of the script in the $DEST directory
+# ARGS is "yes" if we've already parsed an argument
 #
+ARGS=""
+
 if [ -z "$DEST" ] ; then
 	DEST="/etc/init.d"
 fi
 
 if [ -z "$INIT" ] ; then
-	INIT="$PRODUCT"
+	INIT="shorewall-lite"
 fi
 
 while [ $# -gt 0 ] ; do
@@ -120,7 +110,7 @@ while [ $# -gt 0 ] ; do
 	    usage 0
 	    ;;
         -v)
-	    echo "$Product Firewall Installer Version $VERSION"
+	    echo "Shorewall Lite Firewall Installer Version $VERSION"
 	    exit 0
 	    ;;
 	*)
@@ -128,6 +118,7 @@ while [ $# -gt 0 ] ; do
 	    ;;
     esac
     shift
+    ARGS="yes"
 done
 
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
@@ -188,16 +179,11 @@ elif [ -f /etc/slackware-version ] ; then
     INIT="rc.firewall"
 elif [ -f /etc/arch-release ] ; then
       DEST="/etc/rc.d"
-      INIT="$PRODUCT"
+      INIT="shorewall-lite"
       ARCHLINUX=yes
 fi
 
 if [ -z "$DESTDIR" ]; then
-    if [ ! -f /usr/share/shorewall/coreversion ]; then
-	echo "$PRODUCT $VERSION requires Shorewall Core which does not appear to be installed" >&2
-	exit 1
-    fi
-
     if [ -f /lib/systemd/system ]; then
 	SYSTEMD=Yes
     fi
@@ -205,66 +191,68 @@ elif [ -n "$SYSTEMD" ]; then
     mkdir -p ${DESTDIR}/lib/systemd/system
 fi
 
-echo "Installing $Product Version $VERSION"
+#
+# Change to the directory containing this script
+#
+cd "$(dirname $0)"
+
+echo "Installing Shorewall Lite Version $VERSION"
 
 #
-# Check for /etc/$PRODUCT
+# Check for /etc/shorewall-lite
 #
-if [ -z "$DESTDIR" -a -d /etc/$PRODUCT ]; then
-    if [ ! -f /usr/share/shorewall/coreversion ]; then
-	echo "$PRODUCT $VERSION requires Shorewall Core which does not appear to be installed" >&2
-	exit 1
-    fi
-
-    [ -f /etc/$PRODUCT/shorewall.conf ] && \
-	mv -f /etc/$PRODUCT/shorewall.conf /etc/$PRODUCT/$PRODUCT.conf
+if [ -z "$DESTDIR" -a -d /etc/shorewall-lite ]; then
+    [ -f /etc/shorewall-lite/shorewall.conf ] && \
+	mv -f /etc/shorewall-lite/shorewall.conf /etc/shorewall-lite/shorewall-lite.conf
 else
-    rm -rf ${DESTDIR}/etc/$PRODUCT
-    rm -rf ${DESTDIR}/usr/share/$PRODUCT
-    rm -rf ${DESTDIR}/var/lib/$PRODUCT
-    [ "$LIBEXEC" = /usr/share ] || rm -rf /usr/share/$PRODUCT/wait4ifup /usr/share/$PRODUCT/shorecap
+    rm -rf ${DESTDIR}/etc/shorewall-lite
+    rm -rf ${DESTDIR}/usr/share/shorewall-lite
+    rm -rf ${DESTDIR}/var/lib/shorewall-lite
+    [ "$LIBEXEC" = share ] || rm -rf /usr/share/shorewall-lite/shorecap /usr/share/shorecap
 fi
 
 #
-# Check for /sbin/$PRODUCT
+# Check for /sbin/shorewall-lite
 #
-if [ -f ${DESTDIR}/sbin/$PRODUCT ]; then
+if [ -f ${DESTDIR}/sbin/shorewall-lite ]; then
     first_install=""
 else
     first_install="Yes"
 fi
 
-delete_file ${DESTDIR}/usr/share/$PRODUCT/xmodules
+delete_file ${DESTDIR}/usr/share/shorewall-lite/xmodules
 
-install_file $PRODUCT ${DESTDIR}/sbin/$PRODUCT 0544
+install_file shorewall-lite ${DESTDIR}/sbin/shorewall-lite 0544
 
-echo "$Product control program installed in ${DESTDIR}/sbin/$PRODUCT"
+eval sed -i \'``s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/sbin/shorewall-lite
+
+echo "Shorewall Lite control program installed in ${DESTDIR}/sbin/shorewall-lite"
 
 #
 # Install the Firewall Script
 #
 if [ -n "$DEBIAN" ]; then
-    install_file init.debian.sh ${DESTDIR}/etc/init.d/$PRODUCT 0544
+    install_file init.debian.sh ${DESTDIR}/etc/init.d/shorewall-lite 0544
 elif [ -n "$FEDORA" ]; then
-    install_file init.fedora.sh ${DESTDIR}/etc/init.d/$PRODUCT 0544
+    install_file init.fedora.sh ${DESTDIR}/etc/init.d/shorewall-lite 0544
 elif [ -n "$ARCHLINUX" ]; then
     install_file init.archlinux.sh ${DESTDIR}/${DEST}/$INIT 0544
 else
     install_file init.sh ${DESTDIR}/${DEST}/$INIT 0544
 fi
 
-echo  "$Product script installed in ${DESTDIR}${DEST}/$INIT"
+echo  "Shorewall Lite script installed in ${DESTDIR}${DEST}/$INIT"
 
 #
-# Create /etc/$PRODUCT, /usr/share/$PRODUCT and /var/lib/$PRODUCT if needed
+# Create /etc/shorewall-lite, /usr/share/shorewall-lite and /var/lib/shorewall-lite if needed
 #
-mkdir -p ${DESTDIR}/etc/$PRODUCT
-mkdir -p ${DESTDIR}/usr/share/$PRODUCT
-mkdir -p ${DESTDIR}${LIBEXEC}/$PRODUCT
-mkdir -p ${DESTDIR}/var/lib/$PRODUCT
+mkdir -p ${DESTDIR}/etc/shorewall-lite
+mkdir -p ${DESTDIR}/usr/share/shorewall-lite
+mkdir -p ${DESTDIR}${LIBEXEC}/shorewall-lite
+mkdir -p ${DESTDIR}/var/lib/shorewall-lite
 
-chmod 755 ${DESTDIR}/etc/$PRODUCT
-chmod 755 ${DESTDIR}/usr/share/$PRODUCT
+chmod 755 ${DESTDIR}/etc/shorewall-lite
+chmod 755 ${DESTDIR}/usr/share/shorewall-lite
 
 if [ -n "$DESTDIR" ]; then
     mkdir -p ${DESTDIR}/etc/logrotate.d
@@ -275,74 +263,85 @@ fi
 # Install the .service file
 #
 if [ -n "$SYSTEMD" ]; then
-    run_install $OWNERSHIP -m 600 $PRODUCT.service ${DESTDIR}/lib/systemd/system/$PRODUCT.service
-    echo "Service file installed as ${DESTDIR}/lib/systemd/system/$PRODUCT.service"
+    run_install $OWNERSHIP -m 600 shorewall-lite.service ${DESTDIR}/lib/systemd/system/shorewall-lite.service
+    echo "Service file installed as ${DESTDIR}/lib/systemd/system/shorewall-lite.service"
 fi
 
 #
 # Install the config file
 #
-if [ ! -f ${DESTDIR}/etc/$PRODUCT/$PRODUCT.conf ]; then
-   install_file $PRODUCT.conf ${DESTDIR}/etc/$PRODUCT/$PRODUCT.conf 0744
-   echo "Config file installed as ${DESTDIR}/etc/$PRODUCT/$PRODUCT.conf"
+if [ ! -f ${DESTDIR}/etc/shorewall-lite/shorewall-lite.conf ]; then
+   run_install $OWNERSHIP -m 0744 shorewall-lite.conf ${DESTDIR}/etc/shorewall-lite
+   echo "Config file installed as ${DESTDIR}/etc/shorewall-lite/shorewall-lite.conf"
 fi
 
 if [ -n "$ARCHLINUX" ] ; then
-   sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${DESTDIR}/etc/$PRODUCT/$PRODUCT.conf
+   sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${DESTDIR}/etc/shorewall-lite/shorewall.conf
 fi
 
 #
 # Install the  Makefile
 #
-run_install $OWNERSHIP -m 0600 Makefile ${DESTDIR}/etc/$PRODUCT
-echo "Makefile installed as ${DESTDIR}/etc/$PRODUCT/Makefile"
+run_install $OWNERSHIP -m 0600 Makefile ${DESTDIR}/etc/shorewall-lite
+echo "Makefile installed as ${DESTDIR}/etc/shorewall-lite/Makefile"
 
 #
 # Install the default config path file
 #
-install_file configpath ${DESTDIR}/usr/share/$PRODUCT/configpath 0644
-echo "Default config path file installed as ${DESTDIR}/usr/share/$PRODUCT/configpath"
+install_file configpath ${DESTDIR}/usr/share/shorewall-lite/configpath 0644
+echo "Default config path file installed as ${DESTDIR}/usr/share/shorewall-lite/configpath"
 
 #
 # Install the libraries
 #
 for f in lib.* ; do
     if [ -f $f ]; then
-	install_file $f ${DESTDIR}/usr/share/$PRODUCT/$f 0644
-	echo "Library ${f#*.} file installed as ${DESTDIR}/usr/share/$PRODUCT/$f"
+	install_file $f ${DESTDIR}/usr/share/shorewall-lite/$f 0644
+	echo "Library ${f#*.} file installed as ${DESTDIR}/usr/share/shorewall-lite/$f"
     fi
 done
 
-ln -sf lib.base ${DESTDIR}/usr/share/$PRODUCT/functions
+ln -sf lib.base ${DESTDIR}/usr/share/shorewall-lite/functions
 
-echo "Common functions linked through ${DESTDIR}/usr/share/$PRODUCT/functions"
+echo "Common functions linked through ${DESTDIR}/usr/share/shorewall-lite/functions"
 
 #
 # Install Shorecap
 #
 
-install_file shorecap ${DESTDIR}${LIBEXEC}/$PRODUCT/shorecap 0755
+install_file shorecap ${DESTDIR}${LIBEXEC}/shorewall-lite/shorecap 0755
 
 echo
-echo "Capability file builder installed in ${DESTDIR}${LIBEXEC}/$PRODUCT/shorecap"
+echo "Capability file builder installed in ${DESTDIR}${LIBEXEC}/shorewall-lite/shorecap"
+
+#
+# Install wait4ifup
+#
+
+if [ -f wait4ifup ]; then
+    install_file wait4ifup ${DESTDIR}${LIBEXEC}/shorewall-lite/wait4ifup 0755
+
+    echo
+    echo "wait4ifup installed in ${DESTDIR}${LIBEXEC}/shorewall-lite/wait4ifup"
+fi
 
 #
 # Install the Modules files
 #
 
 if [ -f modules ]; then
-    run_install $OWNERSHIP -m 0600 modules ${DESTDIR}/usr/share/$PRODUCT
-    echo "Modules file installed as ${DESTDIR}/usr/share/$PRODUCT/modules"
+    run_install $OWNERSHIP -m 0600 modules ${DESTDIR}/usr/share/shorewall-lite
+    echo "Modules file installed as ${DESTDIR}/usr/share/shorewall-lite/modules"
 fi
 
 if [ -f helpers ]; then
-    run_install $OWNERSHIP -m 0600 helpers ${DESTDIR}/usr/share/$PRODUCT
-    echo "Helper modules file installed as ${DESTDIR}/usr/share/$PRODUCT/helpers"
+    run_install $OWNERSHIP -m 0600 helpers ${DESTDIR}/usr/share/shorewall-lite
+    echo "Helper modules file installed as ${DESTDIR}/usr/share/shorewall-lite/helpers"
 fi
 
 for f in modules.*; do
-    run_install $OWNERSHIP -m 0644 $f ${DESTDIR}/usr/share/$PRODUCT/$f
-    echo "Module file $f installed as ${DESTDIR}/usr/share/$PRODUCT/$f"
+    run_install $OWNERSHIP -m 0644 $f ${DESTDIR}/usr/share/shorewall-lite/$f
+    echo "Module file $f installed as ${DESTDIR}/usr/share/shorewall-lite/$f"
 done
 
 #
@@ -372,65 +371,62 @@ if [ -d manpages ]; then
 fi
 
 if [ -d ${DESTDIR}/etc/logrotate.d ]; then
-    run_install $OWNERSHIP -m 0644 logrotate ${DESTDIR}/etc/logrotate.d/$PRODUCT
-    echo "Logrotate file installed as ${DESTDIR}/etc/logrotate.d/$PRODUCT"
+    run_install $OWNERSHIP -m 0644 logrotate ${DESTDIR}/etc/logrotate.d/shorewall-lite
+    echo "Logrotate file installed as ${DESTDIR}/etc/logrotate.d/shorewall-lite"
 fi
 
+
 #
 # Create the version file
 #
-echo "$VERSION" > ${DESTDIR}/usr/share/$PRODUCT/version
-chmod 644 ${DESTDIR}/usr/share/$PRODUCT/version
+echo "$VERSION" > ${DESTDIR}/usr/share/shorewall-lite/version
+chmod 644 ${DESTDIR}/usr/share/shorewall-lite/version
 #
 # Remove and create the symbolic link to the init script
 #
 
 if [ -z "$DESTDIR" ]; then
-    rm -f /usr/share/$PRODUCT/init
-    ln -s ${DEST}/${INIT} /usr/share/$PRODUCT/init
+    rm -f /usr/share/shorewall-lite/init
+    ln -s ${DEST}/${INIT} /usr/share/shorewall-lite/init
 fi
 
-delete_file ${DESTDIR}/usr/share/$PRODUCT/lib.common
-delete_file ${DESTDIR}/usr/share/$PRODUCT/lib.cli
-delete_file ${DESTDIR}/usr/share/$PRODUCT/wait4ifup
-
 if [ -z "$DESTDIR" ]; then
-    touch /var/log/$PRODUCT-init.log
+    touch /var/log/shorewall-lite-init.log
 
     if [ -n "$first_install" ]; then
 	if [ -n "$DEBIAN" ]; then
-	    run_install $OWNERSHIP -m 0644 default.debian /etc/default/$PRODUCT
+	    run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall-lite
 
-	    update-rc.d $PRODUCT defaults
+	    update-rc.d shorewall-lite defaults
 
 	    if [ -x /sbin/insserv ]; then
-		insserv /etc/init.d/$PRODUCT
+		insserv /etc/init.d/shorewall-lite
 	    else
-		ln -s ../init.d/$PRODUCT /etc/rcS.d/S40$PRODUCT
+		ln -s ../init.d/shorewall-lite /etc/rcS.d/S40shorewall-lite
 	    fi
 
-	    echo "$Product will start automatically at boot"
+	    echo "Shorewall Lite will start automatically at boot"
 	else
 	    if [ -n "$SYSTEMD" ]; then
-		if systemctl enable $PRODUCT; then
-		    echo "$Product will start automatically at boot"
+		if systemctl enable shorewall-lite; then
+		    echo "Shorewall Lite will start automatically at boot"
 		fi
 	    elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
-		if insserv /etc/init.d/$PRODUCT ; then
-		    echo "$Product will start automatically at boot"
+		if insserv /etc/init.d/shorewall-lite ; then
+		    echo "Shorewall Lite will start automatically at boot"
 		else
 		    cant_autostart
 		fi
 	    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
-		if chkconfig --add $PRODUCT ; then
-		    echo "$Product will start automatically in run levels as follows:"
-		    chkconfig --list $PRODUCT
+		if chkconfig --add shorewall-lite ; then
+		    echo "Shorewall Lite will start automatically in run levels as follows:"
+		    chkconfig --list shorewall-lite
 		else
 		    cant_autostart
 		fi
 	    elif [ -x /sbin/rc-update ]; then
-		if rc-update add $PRODUCT default; then
-		    echo "$Product will start automatically at boot"
+		if rc-update add shorewall-lite default; then
+		    echo "Shorewall Lite will start automatically at boot"
 		else
 		    cant_autostart
 		fi
@@ -444,4 +440,4 @@ fi
 #
 #  Report Success
 #
-echo "$Product Version $VERSION Installed"
+echo "shorewall Lite Version $VERSION Installed"

Shorewall-lite/lib.base

@@ -1,34 +0,0 @@
-#
-# Shorewall 4.4 -- /usr/share/shorewall-lite/lib.base
-#
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2011 - Tom Eastep (teastep@shorewall.net)
-#
-#	Complete documentation is available at http://shorewall.net
-#
-#	This program is free software; you can redisribute it and/or modify
-#	it under the terms of Version 2 of the GNU General Public License
-#	as published by the Free Software Foundation.
-#
-#	This program is distributed in the hope that it will be useful,
-#	but WITHOUT ANY WARRANTY; without even the implied warranty of
-#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#	GNU General Public License for more details.
-#
-#	You should have received a copy of the GNU General Public License
-#	along with this program; if not, write to the Free Software
-#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# This library contains the code common to all Shorewall components.
-
-g_program=shorewall-lite
-g_family=4
-g_basedir=/usr/share/shorewall
-
-[ -n "${VARDIR:=/var/lib/$g_program}" ]
-[ -n "${SHAREDIR:=/usr/share/$g_program}" ]
-[ -n "${CONFDIR:=/etc/$g_program}" ]
-
-. /usr/share/shorewall/lib.base
-

Shorewall-lite/shorecap

@@ -55,7 +55,7 @@ g_base=shorewall
 g_basedir=/usr/share/shorewall-lite
 
 . /usr/share/shorewall-lite/lib.base
-. /usr/share/shorewall/lib.cli
+. /usr/share/shorewall-lite/lib.cli
 . /usr/share/shorewall-lite/configpath
 
 [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

Shorewall-lite/shorewall-lite

@@ -1,32 +0,0 @@
-#!/bin/sh
-#
-#     Shorewall Lite Packet Filtering Firewall Control Program - V4.5
-#
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011 - 
-#         Tom Eastep (teastep@shorewall.net)
-#
-#	Shorewall documentation is available at http://www.shorewall.net
-#
-#	This program is free software; you can redistribute it and/or modify
-#	it under the terms of Version 2 of the GNU General Public License
-#	as published by the Free Software Foundation.
-#
-#	This program is distributed in the hope that it will be useful,
-#	but WITHOUT ANY WARRANTY; without even the implied warranty of
-#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#	GNU General Public License for more details.
-#
-#	You should have received a copy of the GNU General Public License
-#	along with this program; if not, write to the Free Software
-#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-#       For a list of supported commands, type 'shorewall help' or 'shorewall6 help'
-#
-################################################################################################
-g_program=shorewall-lite
-
-. /usr/share/shorewall/lib.cli
-
-shorewall_cli $@

Shorewall/Perl/Shorewall/Chains.pm

@@ -1,9 +1,9 @@
 #
-# Shorewall 4.5 -- /usr/share/shorewall/Shorewall/Chains.pm
+# Shorewall 4.4 -- /usr/share/shorewall/Shorewall/Chains.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011,2012 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -28,7 +28,6 @@ package Shorewall::Chains;
 require Exporter;
 
 use Scalar::Util 'reftype';
-use Digest::SHA1 qw(sha1);
 use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::Zones;
 use Shorewall::IPAddrs;
@@ -66,7 +65,6 @@ our @EXPORT = qw(
 		    dont_delete
 		    dont_move
 		    get_action_logging
-		    add_interface_options
 
 		    %chain_table
 		    %helpers
@@ -100,9 +98,6 @@ our %EXPORT_TAGS = (
 				       ALL_RESTRICT
 				       ALL_COMMANDS
 				       NOT_RESTORE
-				       OPTIMIZE_POLICY_MASK
-				       OPTIMIZE_RULESET_MASK
-				       OPTIMIZE_MASK
 
 				       state_imatch
 				       initialize_chain_table
@@ -118,17 +113,14 @@ our %EXPORT_TAGS = (
 				       push_comment
 				       pop_comment
 				       forward_chain
-				       forward_option_chain
 				       rules_chain
 				       blacklist_chain
 				       zone_forward_chain
 				       use_forward_chain
 				       input_chain
-				       input_option_chain
 				       zone_input_chain
 				       use_input_chain
 				       output_chain
-				       output_option_chain
 				       prerouting_chain
 				       postrouting_chain
 				       zone_output_chain
@@ -141,9 +133,7 @@ our %EXPORT_TAGS = (
 				       snat_chain
 				       ecn_chain
 				       notrack_chain
-				       load_chain
 				       first_chains
-				       option_chains
 				       reserved_name
 				       find_chain
 				       ensure_chain
@@ -158,7 +148,6 @@ our %EXPORT_TAGS = (
 				       new_nat_chain
 				       optimize_chain
 				       check_optimization
-				       optimize_level0
 				       optimize_ruleset
 				       setup_zone_mss
 				       newexclusionchain
@@ -187,7 +176,6 @@ our %EXPORT_TAGS = (
 				       do_helper
 				       validate_helper
 				       do_headers
-				       do_probability
 				       do_condition
 				       have_ipset_rules
 				       record_runtime_address
@@ -209,6 +197,7 @@ our %EXPORT_TAGS = (
 				       do_ipsec
 				       log_rule
 				       expand_rule
+				       promote_blacklist_rules
 				       addnatjump
 				       set_chain_variables
 				       mark_firewall_not_started
@@ -265,6 +254,7 @@ our $VERSION = 'MODULEVERSION';
 #                                                               ]
 #                                               logchains    => { <key1> = <chainref1>, ... }
 #                                               references   => { <ref1> => <refs>, <ref2> => <refs>, ... }
+#                                               blacklist    => <number of blacklist rules at the head of the rules array> ( 0 or 1 )
 #                                               blacklistsection
 #                                                            => Chain was created by entries in the BLACKLIST section of the rules file
 #                                               action       => <action tuple that generated this chain>
@@ -350,16 +340,6 @@ my $ipset_rules;
 #
 use constant { ALL_COMMANDS => 1, NOT_RESTORE => 2 };
 
-#
-# Optimization masks
-#
-use constant { 
-	       OPTIMIZE_POLICY_MASK  => 0x02 , # Call optimize_policy_chains()
-	       OPTIMIZE_RULESET_MASK => 0x1C , # Call optimize_ruleset()
-	     };
-
-use constant { OPTIMIZE_MASK => OPTIMIZE_POLICY_MASK | OPTIMIZE_RULESET_MASK };
-
 #
 # These hashes hold the shell code to set shell variables. The key is the name of the variable; the value is the code to generate the variable's contents
 #
@@ -680,19 +660,11 @@ sub set_rule_option( $$$ ) {
     my $opttype = $opttype{$option} || MATCH;
 
     if ( exists $ruleref->{$option} ) {
-	assert( defined( my $value1 = $ruleref->{$option} ) );
+	assert( defined $ruleref->{$option} );
 
 	if ( $opttype == MATCH ) {
 	    assert( $globals{KLUDGEFREE} );
-
-	    unless ( reftype $value1 ) {
-		unless ( reftype $value ) {
-		    return if $value1 eq $value;
-		}
-
-		$ruleref->{$option} = [ $ruleref->{$option} ];
-	    }
-
+	    $ruleref->{$option} = [ $ruleref->{$option} ] unless reftype $ruleref->{$option};
 	    push @{$ruleref->{$option}}, ( reftype $value ? @$value : $value );
 	} elsif ( $opttype == EXCLUSIVE ) {
 	    $ruleref->{$option} .= ",$value";
@@ -1249,7 +1221,9 @@ sub delete_reference( $$ ) {
 #    Chain reference , Rule Number, Rule
 #
 # In the first function, the rule number is zero-relative. In the second function,
-# the rule number is one-relative.
+# the rule number is one-relative. In the first function, if the rule number is < 0, then
+# the rule is a jump to a blacklist chain (blacklst or blackout). The rule will be
+# inserted at the front of the chain and the chain's 'blacklist' member incremented.
 #
 sub insert_rule1($$$)
 {
@@ -1261,6 +1235,11 @@ sub insert_rule1($$$)
     assert( ! ( $ruleref->{cmdlevel} = $chainref->{cmdlevel}) );
     $ruleref->{mode} = CAT_MODE;
 
+    if ( $number < 0 ) {
+	$chainref->{blacklist}++;
+	$number = 0;
+    }
+
     splice( @{$chainref->{rules}}, $number, 0, $ruleref );
 
     trace( $chainref, 'I', ++$number, $ruleref ) if $debug;
@@ -1301,6 +1280,11 @@ sub insert_irule( $$$$;@ ) {
 	$ruleref->{comment} = $comment unless $ruleref->{comment};
     }
 
+    if ( $number < 0 ) {
+	$chainref->{blacklist}++;
+	$number = 0;
+    }
+
     splice( @{$chainref->{rules}}, $number, 0, $ruleref );
 
     trace( $chainref, 'I', ++$number, format_rule( $chainref, $ruleref ) ) if $debug;
@@ -1328,12 +1312,13 @@ sub clone_rule( $ ) {
 }
 
 # Do final work to 'delete' a chain. We leave it in the chain table but clear
-# the 'referenced', 'rules', and 'references' members.
+# the 'referenced', 'rules', 'references' and 'blacklist' members.
 #
 sub delete_chain( $ ) {
     my $chainref = shift;
 
     $chainref->{referenced}  = 0;
+    $chainref->{blacklist}   = 0;
     $chainref->{rules}       = [];
     $chainref->{references}  = {};
     trace( $chainref, 'X', undef, '' ) if $debug;
@@ -1403,7 +1388,7 @@ sub decrement_reference_count( $$ ) {
 #
 # The rules generated by interface options are added to the interfaces's input chain and
 # forward chain. Shorewall::Rules::generate_matrix() may decide to move those rules to
-# the head of a rules chain.
+# the head of a rules chain (behind any blacklist rule already there).
 #
 sub move_rules( $$ ) {
     my ($chain1, $chain2 ) = @_;
@@ -1414,12 +1399,15 @@ sub move_rules( $$ ) {
 	my $rules     = $chain2->{rules};
 	my $count     = @{$chain1->{rules}};
 	my $tableref  = $chain_table{$chain1->{table}};
+	my $blacklist = $chain2->{blacklist};
 	my $filtered;
 	my $filtered1 = $chain1->{filtered};
 	my $filtered2 = $chain2->{filtered};
 	my @filtered1;
 	my @filtered2;
 	my $rule;
+
+	assert( ! $chain1->{blacklist} );
 	#
 	# We allow '+' in chain names and '+' is an RE meta-character. Escape it.
 	#
@@ -1439,11 +1427,11 @@ sub move_rules( $$ ) {
 	push @filtered2 , shift @{$chain2->{rules}} while $filtered--;
 
 	if ( $debug ) {
-	    my $rule = $filtered2;
+	    my $rule = $blacklist + $filtered2;
 	    trace( $chain2, 'A', ++$rule, $_ ) for @{$chain1->{rules}};
 	}
 
-	unshift @$rules, @{$chain1->{rules}};
+	splice @$rules, $blacklist, 0, @{$chain1->{rules}};
 
 	$chain2->{referenced} = 1;
 
@@ -1451,9 +1439,16 @@ sub move_rules( $$ ) {
 	# In a firewall->x policy chain, multiple DHCP ACCEPT rules can be moved to the head of the chain.
 	# This hack avoids that.
 	#
-	shift @{$rules} while @{$rules} > 1 && $rules->[0]{dhcp} && $rules->[1]{dhcp};
+	if ( $blacklist ) {
+	    my $rule = shift @{$rules};
+	    shift @{$rules} while @{$rules} > 1 && $rules->[0]{dhcp} && $rules->[1]{dhcp};
+	    unshift @{$rules}, $rule;
+	} else {
+	    shift @{$rules} while @{$rules} > 1 && $rules->[0]{dhcp} && $rules->[1]{dhcp};
+	}
+
 	#
-	# Now insert the filter rules at the head of the chain
+	# Now insert the filter rules at the head of the chain (before blacklist rules)
 	#
 
 	if ( $filtered1 ) {
@@ -1497,6 +1492,8 @@ sub copy_rules( $$;$ ) {
     my $name1      = $chain1->{name};
     my $name       = $name1;
     my $name2      = $chain2->{name};
+    my $blacklist1 = $chain1->{blacklist};
+    my $blacklist2 = $chain2->{blacklist};
     my @rules1     = @{$chain1->{rules}};
     my $rules2     = $chain2->{rules};
     my $count      = @{$chain1->{rules}};
@@ -1505,6 +1502,22 @@ sub copy_rules( $$;$ ) {
     # We allow '+' in chain names and '+' is an RE meta-character. Escape it.
     #
     pop @$rules2 unless $nojump; # Delete the jump to chain1
+
+    if ( $blacklist2 && $blacklist1 ) {
+	#
+	# Chains2 already has a blacklist jump -- delete the one at the head of chain1's rule list
+	#
+	my $rule = shift @rules1;
+
+	my $chainb = $rule->{target};
+
+	assert( $chainb =~ /^black/ );
+
+	delete_reference $chain1, $chainb;
+
+	assert( ! --$chain1->{blacklist} );
+	$blacklist1 = 0;
+    }
     #
     # Chain2 is now a referent of all of Chain1's targets
     #
@@ -1512,6 +1525,17 @@ sub copy_rules( $$;$ ) {
 	increment_reference_count( $tableref->{$_->{target}}, $name2 ) if $_->{target};
     }
 
+    if ( $blacklist1 ) {
+	assert( $blacklist1 == 1 );
+
+	trace( $chain2, 'A', 1 , $rules1[0]) if $debug;
+
+ 	unshift @$rules2, shift @rules1;
+
+	$chain1->{blacklist} = 0;
+	$chain2->{blacklist} = 1;
+    }
+
     if ( $debug ) {
 	my $rule = @$rules2;
 	trace( $chain2, 'A', ++$rule, $_ ) for @rules1;
@@ -1521,7 +1545,7 @@ sub copy_rules( $$;$ ) {
 
     progress_message "  $count rules from $chain1->{name} appended to $chain2->{name}" if $count;
 
-    unless ( $nojump || --$chain1->{references}{$name2} ) {
+    unless ( --$chain1->{references}{$name2} ) {
 	delete $chain1->{references}{$name2};
 	delete_chain_and_references( $chain1 ) unless keys %{$chain1->{references}};
     }
@@ -1594,30 +1618,6 @@ sub use_forward_chain($$) {
     $interfaceref->{options}{use_forward_chain} && keys %{ zone_interfaces( $zone ) } > 1;
 }
 
-#
-# Input Option Chain for an interface
-#
-sub input_option_chain($) {
-    my $interface = shift;
-    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_iop';
-}
-
-#
-# Output Option Chain for an interface
-#
-sub output_option_chain($) {
-    my $interface = shift;
-    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_oop';
-}
-
-#
-# Forward Option Chain for an interface
-#
-sub forward_option_chain($) {
-    my $interface = shift;
-    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_fop';
-}
-
 #
 # Input Chain for an interface
 #
@@ -1797,13 +1797,6 @@ sub notrack_chain( $ )
     $_[0] . '_notrk';
 }
 
-#
-# Load Chain for a provider
-#
-sub load_chain( $ ) {
-    '~' . $_[0];
-}
-
 #
 # SNAT Chain to an interface
 #
@@ -1832,16 +1825,6 @@ sub first_chains( $ ) #$1 = interface
     ( forward_chain( $c ), input_chain( $c ) );
 }
 
-#
-# Option chains for an interface
-#
-sub option_chains( $ ) #$1 = interface
-{
-    my $c = $_[0];
-
-    ( forward_option_chain( $c ), input_option_chain( $c ) );
-}
-
 #
 # Returns true if the passed name is that of a Shorewall-generated chain
 #
@@ -1867,6 +1850,7 @@ sub new_chain($$)
 		     log            => 1,
 		     cmdlevel       => 0,
 		     references     => {},
+		     blacklist      => 0,
 		     filtered       => 0
 		   };
 
@@ -2209,6 +2193,7 @@ sub new_builtin_chain($$$)
     $chainref->{policy}      = $policy;
     $chainref->{builtin}     = 1;
     $chainref->{dont_delete} = 1;
+    $chainref->{dont_move}   = 1;
     $chainref;
 }
 
@@ -2450,7 +2435,7 @@ sub initialize_chain_table($) {
 	#
 	# Create this chain early in case it is needed by Policy actions
 	#
-	new_standard_chain 'reject';
+	dont_move new_standard_chain 'reject';
     }
 }
 
@@ -2666,25 +2651,6 @@ sub check_optimization( $ ) {
 #
 # Perform Optimization
 #
-# When an unreferenced chain is found, itis deleted unless its 'dont_delete' flag is set.
-sub optimize_level0() {
-    for my $table ( qw/raw rawpost mangle nat filter/ ) {
-	next if $family == F_IPV6 && $table eq 'nat';
-	my $tableref = $chain_table{$table};
-	my @chains  = grep $_->{referenced}, values %$tableref;
-	my $chains  = @chains; 
-	
-	for my $chainref ( @chains ) {
-	    #
-	    # If the chain isn't branched to, then delete it
-	    #
-	    unless ( $chainref->{dont_delete} || keys %{$chainref->{references}} ) {
-		delete_chain $chainref if $chainref->{referenced};
-	    }
-	}
-    }
-}
-
 sub optimize_level4( $$ ) {
     my ( $table, $tableref ) = @_;
     my $progress = 1;
@@ -2692,6 +2658,7 @@ sub optimize_level4( $$ ) {
     #
     # Make repeated passes through each table looking for short chains (those with less than 2 entries)
     #
+    # When an unreferenced chain is found, itis deleted unless its 'dont_delete' flag is set.
     # When an empty chain is found, delete the references to it.
     # When a chain with a single entry is found, replace it's references by its contents
     #
@@ -2782,6 +2749,7 @@ sub optimize_level4( $$ ) {
 			    # Replace references to this chain with the target and add the matches
 			    #
 			    $progress = 1 if replace_references1 $chainref, $firstrule;
+			    
 			}
 		    }
 		}
@@ -2790,9 +2758,8 @@ sub optimize_level4( $$ ) {
     }
 
     #
-    # In this loop, we look for chains that end in an unconditional jump. The jump is replaced by
-    # the target's rules, provided that the target chain is short (< 4 rules) or has only one
-    # reference. This prevents multiple copies of long chains being created.
+    # In this loop, we look for chains that end in an unconditional jump. If the target of the jump
+    # is subject to deletion (dont_delete = false), the jump is replaced by target's rules.
     #
     $progress = 1;
 
@@ -2813,7 +2780,7 @@ sub optimize_level4( $$ ) {
 		# Last rule is a simple branch
 		my $targetref = $tableref->{$lastrule->{target}};
 
-		if ( $targetref && ( keys %{$targetref->{references}} < 2 || @{$targetref->{rules}} < 4 ) ) {
+		if ( $targetref && ! ( $targetref->{builtin} || $targetref->{dont_move} ) && ( keys %{$targetref->{references}} < 2 || @{$targetref->{rules}} < 4 ) ) {
 		    copy_rules( $targetref, $chainref );
 		    $progress = 1;
 		}
@@ -2852,7 +2819,7 @@ sub optimize_level8( $$$ ) {
 	    }
 	}
 
-	$chainref->{digest} = sha1 $digest;
+	$chainref->{digest} = $digest;
     }
 
     for my $chainref ( @chains ) {
@@ -4153,21 +4120,7 @@ sub do_headers( $ ) {
 	}
     }
 
-    "-m ipv6header ${invert}--header ${headers} ${soft} ";
-}
-
-sub do_probability( $ ) {
-    my $probability = shift;
-
-    return '' if $probability eq '-';
-
-    require_capability 'STATISTIC_MATCH', 'A non-empty PROBABILITY column', 's';
-
-    my $invert = $probability =~ s/^!// ? '! ' : "";
-    
-    fatal_error "Invalid PROBABILITY ($probability)" unless $probability =~ /^0?\.\d{1,8}$/;
-
-    "-m statistic --mode random --probability $probability ";
+    "-m ipv6header ${invert}--header ${headers} ${soft}";
 }
 
 #
@@ -5847,179 +5800,60 @@ sub expand_rule( $$$$$$$$$$;$ )
 }
 
 #
-# Returns true if the passed interface is associated with exactly one zone
+# Where a zone sharing a multi-zone interface has an 'in' blacklist rule, move the rule to the beginning of
+# the associated interface chain
 #
-sub copy_options( $ ) {
-    keys %{interface_zones( shift )} == 1;
-}
+sub promote_blacklist_rules() {
+    my $chainbref = $filter_table->{blacklst};
 
-#
-# This function is called after the blacklist rules have been added to the canonical chains. It 
-# either copies the relevant interface option rules into each canonocal chain, or it inserts one
-# or more jumps to the relevant option chains. The argument indicates whether blacklist rules are
-# present.
-#
-sub add_interface_options( $ ) {
+    return 1 unless $chainbref;
 
-    if ( $_[0] ) {
+    my $promoted = 1;
+
+    while ( $promoted ) {
+	$promoted = 0;
 	#
-	# We have blacklist rules.
-	my %input_chains;
-	my %forward_chains;
-
-	for my $interface ( all_real_interfaces ) {
-	    $input_chains{$interface}   = $filter_table->{input_option_chain $interface};
-	    $forward_chains{$interface} = $filter_table->{forward_option_chain $interface};
-	}
+	# Copy 'blacklst''s references since they will change in the following loop
 	#
-	# Generate a digest for each chain
-	#
-	for my $chainref ( values %input_chains, values %forward_chains ) {
-	    my $digest = '';
+	my @references = map $filter_table->{$_}, keys %{$chainbref->{references}};
 
-	    assert( $chainref );
+	for my $chain1ref ( @references ) {
+	    assert( $chain1ref->{blacklist} == 1 );
 
-	    for ( @{$chainref->{rules}} ) {
-		if ( $digest ) {
-		    $digest .= ' |' . format_rule( $chainref, $_, 1 );
-		} else {
-		    $digest = format_rule( $chainref, $_, 1 );
-		}
-	    }
+	    my $copied = 0;
+	    my $rule   = $chain1ref->{rules}[0];
+	    my $chain1 = $chain1ref->{name};
 
-	    $chainref->{digest} = sha1 $digest;
-	}
-	#
-	# Insert jumps to the interface chains into the rules chains
-	#
-	for my $zone1 ( off_firewall_zones ) {
-	    my @input_interfaces   = keys %{zone_interfaces( $zone1 )};
-	    my @forward_interfaces = @input_interfaces;
-	    
-	    if ( @input_interfaces > 1 ) {
-		#
-		# This zone has multiple interfaces - discover if all of the interfaces have the same 
-		# input and/or forward options
-		#
-		my $digest;
-	      INPUT:
-		{
-		    for ( @input_interfaces ) {
-			if ( defined $digest ) {
-			    last INPUT unless $input_chains{$_}->{digest} eq $digest;
-			} else {
-			    $digest = $input_chains{$_}->{digest};
-			}
-		    }
-
-		    @input_interfaces = ( $input_interfaces[0] );
-		}
-
-		$digest = undef;
-
-	      FORWARD:
-		{
-		    for ( @forward_interfaces ) {
-			if ( defined $digest ) {
-			    last FORWARD unless $forward_chains{$_}->{digest} eq $digest;
-			} else {
-			    $digest = $forward_chains{$_}->{digest};
-			}
-		    }
-
-		    @forward_interfaces = ( $forward_interfaces[0] );
-		}
-	    }  
-	    #
-	    # Now insert the jumps
-	    #
-	    for my $zone2 ( all_zones ) {
-		my $chainref = $filter_table->{rules_chain( $zone1, $zone2 )};
-		my $chain1ref;
-	    
-		if ( zone_type( $zone2 ) & (FIREWALL | VSERVER ) ) {
-		    if ( @input_interfaces == 1 && copy_options( $input_interfaces[0] ) ) {
-			$chain1ref = $input_chains{$input_interfaces[0]};
-
-			if ( @{$chain1ref->{rules}}  ) {
-			    copy_rules $chain1ref, $chainref, 1;
-			    $chainref->{referenced} = 1;
-			}
-		    } else {
-			for my $interface ( @input_interfaces ) {
-			    $chain1ref = $input_chains{$interface};
-			    add_ijump ( $chainref , j => $chain1ref->{name}, @input_interfaces > 1 ? imatch_source_dev( $interface ) : () ) if @{$chain1ref->{rules}};
-			}
-		    }
-		} else {
-		    if ( @forward_interfaces == 1 && copy_options( $forward_interfaces[0] ) ) {
-			$chain1ref = $forward_chains{$forward_interfaces[0]};
-			if ( @{$chain1ref->{rules}} ) {
-			    copy_rules $chain1ref, $chainref, 1;
-			    $chainref->{referenced} = 1;
-			}
-		    } else {
-			for my $interface ( @forward_interfaces ) {
-			    $chain1ref = $forward_chains{$interface};
-			    add_ijump ( $chainref , j => $chain1ref->{name}, @forward_interfaces > 1 ? imatch_source_dev( $interface ) : () ) if  @{$chain1ref->{rules}};
-			}
+	    for my $chain2ref ( map $filter_table->{$_}, keys %{$chain1ref->{references}} ) {
+		unless ( $chain2ref->{builtin} ) {
+		    #
+		    # This is not INPUT or FORWARD -- we wouldn't want to move the
+		    # rule to the head of one of those chains
+		    $copied++;
+		    #
+		    # Copy the blacklist rule to the head of the parent chain (after any
+		    # filter rules) unless it already has a blacklist rule.
+		    #
+		    unless ( $chain2ref->{blacklist} ) {
+			splice @{$chain2ref->{rules}}, $chain2ref->{filtered}, 0, $rule;
+			add_reference $chain2ref, $chainbref;
+			$chain2ref->{blacklist} = 1;
 		    }
 		}
 	    }
-	}
-	#
-	# Now take care of jumps to the interface output option chains
-	#
-	for my $zone1 ( firewall_zone, vserver_zones ) {
-	    for my $zone2 ( off_firewall_zones ) {
-		my $chainref = $filter_table->{rules_chain( $zone1, $zone2 )};
-		my @interfaces = keys %{zone_interfaces( $zone2 )};
-		my $chain1ref;
 
-		for my $interface ( @interfaces ) {
-		    $chain1ref = $filter_table->{output_option_chain $interface};
-
-		   if ( @{$chain1ref->{rules}} ) {
-			copy_rules( $chain1ref, $chainref, 1 );
-			$chainref->{referenced} = 1;
-		    }
-		}
-	    }
-	}
-    } else {
-	#
-	# No Blacklisting - simply move the option chain rules to the interface chains
-	#
-	for my $interface ( all_real_interfaces ) {
-	    my $chainref;
-	    my $chain1ref;
-
-	    $chainref = $filter_table->{input_option_chain $interface};
-	   
-	    if( @{$chainref->{rules}} ) {
-		move_rules $chainref, $chain1ref = $filter_table->{input_chain $interface};
-		set_interface_option( $interface, 'use_input_chain', 1 );
-	    }
-
-	    $chainref = $filter_table->{forward_option_chain $interface};
-
-	    if ( @{$chainref->{rules}} ) {
-		move_rules $chainref, $chain1ref = $filter_table->{forward_chain $interface};
-		set_interface_option( $interface, 'use_forward_chain' , 1 );
-	    }
-
-	    $chainref = $filter_table->{output_option_chain $interface};
-
-	   if ( @{$chainref->{rules}} ) {
-		move_rules $chainref, $chain1ref = $filter_table->{output_chain $interface};
-		set_interface_option( $interface, 'use_output_chain' , 1 );
+	    if ( $copied ) {
+		shift @{$chain1ref->{rules}};
+		$chain1ref->{blacklist} = 0;
+		delete_reference $chain1ref, $chainbref;
+		$promoted = 1;
 	    }
 	}
     }
 }
 
 #
-# The following functions generate the input to iptables-restore from the contents of the
+# The following code generates the input to iptables-restore from the contents of the
 # @rules arrays in the chain table entries.
 #
 # We always write the iptables-restore input into a file then pass the
@@ -6027,9 +5861,9 @@ sub add_interface_options( $ ) {
 # has (have) something to look at to determine the error
 #
 # We may have to generate part of the input at run-time. The rules array in each chain
-# table entry may contain both rules or shell source, determined by the contents of the 'mode'
-# member. We alternate between writing the rules into the temporary file to be passed to 
-# iptables-restore (CAT_MODE) and and writing shell source into the generated script (CMD_MODE).
+# table entry may contain both rules (begin with '-A') or shell source. We alternate between
+# writing the rules ('-A') into the temporary file to be passed to iptables-restore
+# (CAT_MODE) and and writing shell source into the generated script (CMD_MODE).
 #
 # The following two functions are responsible for the mode transitions.
 #

Shorewall/Perl/Shorewall/Compiler.pm

@@ -1,10 +1,10 @@
 #! /usr/bin/perl -w
 #
-#     The Shoreline Firewall Packet Filtering Firewall Compiler - V4.5
+#     The Shoreline Firewall Packet Filtering Firewall Compiler - V4.4
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011,2012 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -71,7 +71,7 @@ sub initialize_package_globals( $ ) {
 #
 # First stage of script generation.
 #
-#    Copy prog.header, lib.core and lib.common to the generated script.
+#    Copy prog.header and lib.common to the generated script.
 #    Generate the various user-exit jacket functions.
 #
 #    Note: This function is not called when $command eq 'check'. So it must have no side effects other
@@ -95,7 +95,6 @@ sub generate_script_1( $ ) {
 		copy $globals{SHAREDIRPL} . 'prog.header6';
 	    }
 
-	    copy2 $globals{SHAREDIRPL} . '/lib.core', 0;
 	    copy2 $globals{SHAREDIRPL} . '/lib.common', 0;
 	}
 
@@ -474,7 +473,6 @@ sub generate_script_3($) {
     fi
 EOF
     pop_indent;
-    setup_load_distribution;
     setup_forwarding( $family , 1 );
     push_indent;
 
@@ -487,18 +485,14 @@ else
     if [ \$COMMAND = refresh ]; then
         chainlist_reload
 EOF
-    setup_load_distribution;
     setup_forwarding( $family , 0 );
 
-    emit( '        run_refreshed_exit' ,
-	  '        do_iptables -N shorewall' ,
-	  "        set_state Started $config_dir" ,
-	  '    else' ,
-	  '        setup_netfilter' );
-    
-    setup_load_distribution;
-
     emit<<"EOF";
+        run_refreshed_exit
+        do_iptables -N shorewall
+        set_state Started $config_dir
+    else
+        setup_netfilter
         conditionally_flush_conntrack
 EOF
     setup_forwarding( $family , 0 );
@@ -622,9 +616,14 @@ sub compiler {
     #                      S H O R E W A L L . C O N F  A N D  C A P A B I L I T I E S
     #
     get_configuration( $export , $update , $annotate );
-    #
-    # Create a temp file to hold the script
-    #
+
+    report_capabilities unless $config{LOAD_HELPERS_ONLY};
+
+    require_capability( 'MULTIPORT'       , "Shorewall $globals{VERSION}" , 's' );
+    require_capability( 'RECENT_MATCH'    , 'MACLIST_TTL' , 's' )           if $config{MACLIST_TTL};
+    require_capability( 'XCONNMARK'       , 'HIGH_ROUTE_MARKS=Yes' , 's' )  if $config{PROVIDER_OFFSET} > 0;
+    require_capability( 'MANGLE_ENABLED'  , 'Traffic Shaping' , 's'      )  if $config{TC_ENABLED};
+
     if ( $scriptfilename ) {
 	set_command( 'compile', 'Compiling', 'Compiled' );
 	create_temp_script( $scriptfilename , $export );
@@ -633,7 +632,7 @@ sub compiler {
     }
     #
     # Chain table initialization depends on shorewall.conf and capabilities. So it must be deferred until
-    # now when shorewall.conf has been processed and the capabilities have been determined.
+    # shorewall.conf has been processed and the capabilities have been determined.
     #
     initialize_chain_table(1);
     #
@@ -791,7 +790,7 @@ sub compiler {
     #
     # Process the rules file.
     #
-    process_rules( $convert );
+    process_rules;
     #
     # Add Tunnel rules.
     #
@@ -815,8 +814,6 @@ sub compiler {
 	#
 	generate_matrix;
 
-	optimize_level0;
-
 	if ( $config{OPTIMIZE} & 0x1E ) {
 	    progress_message2 'Optimizing Ruleset...';
 	    #
@@ -859,7 +856,13 @@ sub compiler {
 	#
 	# Copy the footer to the script
 	#
-	copy $globals{SHAREDIRPL} . 'prog.footer' unless $test;
+	unless ( $test ) {
+	    if ( $family == F_IPV4 ) {
+		copy $globals{SHAREDIRPL} . 'prog.footer';
+	    } else {
+		copy $globals{SHAREDIRPL} . 'prog.footer6';
+	    }
+	}
 
 	disable_script;
 	#
@@ -880,18 +883,16 @@ sub compiler {
 	    #
 	    generate_matrix;
 
-	    optimize_level0;
-
-	    if ( $config{OPTIMIZE} & OPTIMIZE_MASK ) {
+	    if ( $config{OPTIMIZE} & 0x1E ) {
 		progress_message2 'Optimizing Ruleset...';
 		#
 		# Optimize Policy Chains
 		#
-		optimize_policy_chains if $config{OPTIMIZE} & OPTIMIZE_POLICY_MASK;
+		optimize_policy_chains if $config{OPTIMIZE} & 2;
 		#
 		# Ruleset Optimization
 		#
-		optimize_ruleset if $config{OPTIMIZE} & OPTIMIZE_RULESET_MASK;
+		optimize_ruleset if $config{OPTIMIZE} & 0x1C;
 	    }
 
 	    enable_script if $debug;

Shorewall/Perl/Shorewall/Config.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011,2012 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -136,7 +136,6 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       $doing
 				       $done
 				       $currentline
-				       $currentfilename
 				       $debug
 				       %config
 				       %globals
@@ -289,9 +288,6 @@ my  %capdesc = ( NAT_ENABLED     => 'NAT',
 		 IPTABLES_S      => 'iptables -S',
 		 BASIC_FILTER    => 'Basic Filter',
 		 CT_TARGET       => 'CT Target',
-		 STATISTIC_MATCH => 
-		                    'Statistics Match',
-		 IMQ_TARGET      => 'IMQ Target',
 		 CAPVERSION      => 'Capability Version',
 		 KERNELVERSION   => 'Kernel Version',
 	       );
@@ -371,7 +367,7 @@ my @actparms;
 
 our $currentline;            # Current config file line image
 my  $currentfile;            # File handle reference
-our $currentfilename;        # File NAME
+my  $currentfilename;        # File NAME
 my  $currentlinenumber;      # Line number
 my  $perlscript;             # File Handle Reference to current temporary file being written by an in-line Perl script
 my  $perlscriptname;         # Name of that file.
@@ -409,15 +405,6 @@ use constant { MIN_VERBOSITY => -1,
 
 my %validlevels;             # Valid log levels.
 
-#
-# Deprecated options with their default values
-#
-my %deprecated = ( LOGRATE            => '' ,
-		   LOGBURST           => '' ,
-		   EXPORTPARAMS       => 'no',
-		   WIDE_TC_MARKS      => 'no',
-		   HIGH_ROUTE_MARKS   => 'no'
-		 );
 #
 # Rather than initializing globals in an INIT block or during declaration,
 # we initialize them in a function. This is done for two reasons:
@@ -465,7 +452,7 @@ sub initialize( $ ) {
 		    STATEMATCH => '-m state --state',
 		    UNTRACKED  => 0,
 		    VERSION    => "4.4.22.1",
-		    CAPVERSION => 40501 ,
+		    CAPVERSION => 40427 ,
 		  );
     #
     # From shorewall.conf file
@@ -690,8 +677,6 @@ sub initialize( $ ) {
 	       IPTABLES_S => undef,
 	       BASIC_FILTER => undef,
 	       CT_TARGET => undef,
-	       STATISTIC_MATCH => undef,
-	       IMQ_TARGET => undef,
 	       CAPVERSION => undef,
 	       KERNELVERSION => undef,
 	       );
@@ -986,10 +971,10 @@ sub emitstd {
 #
 # Write passed message to the script with newline but no indentation.
 #
-sub emit_unindented( $;$ ) {
+sub emit_unindented( $ ) {
     assert( $script_enabled );
 
-    print $script $_[1] ? "$_[0]" : "$_[0]\n" if $script;
+    print $script "$_[0]\n" if $script;
 }
 
 #
@@ -2773,14 +2758,6 @@ sub Ct_Target() {
     $ct_target;
 }
 
-sub Statistic_Match() {
-    qt1( "$iptables -A $sillyname -m statistic --mode nth --every 2 --packet 1" );
-}
-
-sub Imq_Target() {
-    qt1( "$iptables -t mangle -A $sillyname -j IMQ --todev 0" );
-}
-
 our %detect_capability =
     ( ACCOUNT_TARGET =>\&Account_Target,
       AUDIT_TARGET => \&Audit_Target,
@@ -2802,7 +2779,6 @@ our %detect_capability =
       HASHLIMIT_MATCH => \&Hashlimit_Match,
       HEADER_MATCH => \&Header_Match,
       HELPER_MATCH => \&Helper_Match,
-      IMQ_TARGET => \&Imq_Target,
       IPMARK_TARGET => \&IPMark_Target,
       IPP2P_MATCH => \&Ipp2p_Match,
       IPRANGE_MATCH => \&IPRange_Match,
@@ -2836,7 +2812,6 @@ our %detect_capability =
       RAWPOST_TABLE => \&Rawpost_Table,
       REALM_MATCH => \&Realm_Match,
       RECENT_MATCH => \&Recent_Match,
-      STATISTIC_MATCH => \&Statistic_Match,
       TCPMSS_MATCH => \&Tcpmss_Match,
       TIME_MATCH => \&Time_Match,
       TPROXY_TARGET => \&Tproxy_Target,
@@ -2973,8 +2948,6 @@ sub determine_capabilities() {
 	$capabilities{IPTABLES_S}      = detect_capability( 'IPTABLES_S' );
 	$capabilities{BASIC_FILTER}    = detect_capability( 'BASIC_FILTER' );
 	$capabilities{CT_TARGET}       = detect_capability( 'CT_TARGET' );
-	$capabilities{STATISTIC_MATCH} = detect_capability( 'STATISTIC_MATCH' );
-	$capabilities{IMQ_TARGET}      = detect_capability( 'IMQ_TARGET' );
 
 
 	qt1( "$iptables -F $sillyname" );
@@ -3097,7 +3070,16 @@ sub update_config_file( $ ) {
 	#
 	$fn = $annotate ? "$globals{SHAREDIR}/configfiles/${product}.conf.annotated" : "$globals{SHAREDIR}/configfiles/${product}.conf";
     }
-   if ( -f $fn ) {
+    #
+    # Deprecated options with their default values
+    #
+    my %deprecated = ( LOGRATE            => '' ,
+		       LOGBURST           => '' ,
+		       EXPORTPARAMS       => 'no',
+		       WIDE_TC_MARKS      => 'no',
+		       HIGH_ROUTE_MARKS   => 'no'
+		     );
+    if ( -f $fn ) {
 	my ( $template, $output );
 
 	open $template, '<' , $fn or fatal_error "Unable to open $fn: $!";
@@ -3216,9 +3198,6 @@ sub process_shorewall_conf( $$ ) {
 		    warning_message "Unknown configuration option ($var) ignored", next unless exists $config{$var};
 
 		    $config{$var} = ( $val =~ /\"([^\"]*)\"$/ ? $1 : $val );
-		    
-		    warning_message "Option $var=$val is deprecated"
-			if $deprecated{$var} && supplied $val && lc $config{$var} ne $deprecated{$var};
 		} else {
 		    fatal_error "Unrecognized $product.conf entry";
 		}
@@ -3484,13 +3463,11 @@ sub add_param( $$ ) {
 sub export_params() {
     my $count = 0;
 
-    for my $param ( sort keys %params ) {
+    while ( my ( $param, $value ) = each %params ) {
 	#
 	# Don't export params added by the compiler
 	#
 	next if exists $compiler_params{$param};
-
-	my $value = $params{$param};
 	#
 	# Values in %params are generated from the output of 'export -p'.
 	# The different shells have different conventions for delimiting
@@ -3992,13 +3969,6 @@ sub get_configuration( $$$ ) {
     } else {
 	$config{LOCKFILE} = '';
     }
-
-    report_capabilities unless $config{LOAD_HELPERS_ONLY};
-
-    require_capability( 'MULTIPORT'       , "Shorewall $globals{VERSION}" , 's' );
-    require_capability( 'RECENT_MATCH'    , 'MACLIST_TTL' , 's' )           if $config{MACLIST_TTL};
-    require_capability( 'XCONNMARK'       , 'HIGH_ROUTE_MARKS=Yes' , 's' )  if $config{PROVIDER_OFFSET} > 0;
-    require_capability( 'MANGLE_ENABLED'  , 'Traffic Shaping' , 's'      )  if $config{TC_ENABLED};
 }
 
 #

Shorewall/Perl/Shorewall/Misc.pm

@@ -1,9 +1,9 @@
 #
-# Shorewall 4.5 -- /usr/share/shorewall/Shorewall/Misc.pm
+# Shorewall 4.4 -- /usr/share/shorewall/Shorewall/Misc.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011,2012 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -698,6 +698,7 @@ sub add_common_rules ( $ ) {
 	add_rule_pair dont_delete( new_standard_chain( 'logdrop' ) ),   '' , 'DROP'   , $level ;
 	add_rule_pair dont_delete( new_standard_chain( 'logreject' ) ), '' , 'reject' , $level ;
 	$dynamicref = dont_optimize( new_standard_chain( 'dynamic' ) );
+	add_ijump $filter_table->{INPUT}, j => $dynamicref, @state;
 	add_commands( $dynamicref, '[ -f ${VARDIR}/.dynamic ] && cat ${VARDIR}/.dynamic >&3' );
     }
 
@@ -752,8 +753,8 @@ sub add_common_rules ( $ ) {
 	$target1 = $target;
     }
 
-    for $interface ( all_real_interfaces ) {
-	ensure_chain( 'filter', $_ ) for first_chains( $interface ), output_chain( $interface ), option_chains( $interface ), output_option_chain( $interface );
+    for $interface ( grep $_ ne '%vserver%', all_interfaces ) {
+	ensure_chain( 'filter', $_ ) for first_chains( $interface ), output_chain( $interface );
 
 	my $interfaceref = find_interface $interface;
 
@@ -761,28 +762,33 @@ sub add_common_rules ( $ ) {
 
 	    my @filters = @{$interfaceref->{filter}};
 	
-	    $chainref = $filter_table->{forward_option_chain $interface};
+	    $chainref = $filter_table->{forward_chain $interface};
 	
 	    if ( @filters ) {
 		add_ijump( $chainref , @ipsec ? 'j' : 'g' => $target1, imatch_source_net( $_ ), @ipsec ), $chainref->{filtered}++ for @filters;
+		$interfaceref->{options}{use_forward_chain} = 1;
 	    } elsif ( $interfaceref->{bridge} eq $interface ) {
 		add_ijump( $chainref , @ipsec ? 'j' : 'g' => $target1, imatch_dest_dev( $interface ), @ipsec ), $chainref->{filtered}++
 		    unless( $config{ROUTE_FILTER} eq 'on' ||
 			    $interfaceref->{options}{routeback} ||
 			    $interfaceref->{options}{routefilter} ||
 			    $interfaceref->{physical} eq '+' );
+
+		$interfaceref->{options}{use_forward_chain} = 1;
 	    }
 
+	    add_ijump( $chainref, j => 'ACCEPT', state_imatch $faststate ), $chainref->{filtered}++ if $config{FASTACCEPT};
+	    add_ijump( $chainref, j => $dynamicref, @state ), $chainref->{filtered}++ if $dynamicref;
+
+	    $chainref = $filter_table->{input_chain $interface};
 	
 	    if ( @filters ) {
-		$chainref = $filter_table->{input_option_chain $interface};
 		add_ijump( $chainref , g => $target, imatch_source_net( $_ ), @ipsec ), $chainref->{filtered}++ for @filters;
+		$interfaceref->{options}{use_input_chain} = 1;
 	    }
 	
-	    for ( option_chains( $interface ) ) {
-		add_ijump( $filter_table->{$_}, j => $dynamicref, @state ) if $dynamicref;
-		add_ijump( $filter_table->{$_}, j => 'ACCEPT', state_imatch $faststate ) if $config{FASTACCEPT};
-	    }
+	    add_ijump( $chainref, j => 'ACCEPT', state_imatch $faststate ), $chainref->{filtered}++ if $config{FASTACCEPT};
+	    add_ijump( $chainref, j => $dynamicref, @state ), $chainref->{filtered}++ if $dynamicref;
 	}
     }
 
@@ -866,9 +872,12 @@ sub add_common_rules ( $ ) {
 	    my @policy     = have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
 	    my $target     = source_exclusion( $hostref->[3], $chainref );
 
-	    for $chain ( option_chains $interface ) {
+	    for $chain ( first_chains $interface ) {
 		add_ijump( $filter_table->{$chain} , j => $target, @state, imatch_source_net( $hostref->[2] ), @policy );
 	    }
+
+	    set_interface_option $interface, 'use_input_chain', 1;
+	    set_interface_option $interface, 'use_forward_chain', 1;
 	}
     }
 
@@ -918,11 +927,14 @@ sub add_common_rules ( $ ) {
 	my $ports = $family == F_IPV4 ? '67:68' : '546:547';
 
 	for $interface ( @$list ) {
+	    set_interface_option $interface, 'use_input_chain', 1;
+	    set_interface_option $interface, 'use_forward_chain', 1;
+	    
 	    set_rule_option( add_ijump( $filter_table->{$_} , j => 'ACCEPT', p => "udp --dport $ports" ) ,
 			     'dhcp',
-			     1 ) for input_option_chain( $interface ), output_option_chain( $interface );
+			     1 ) for input_chain( $interface ), output_chain( $interface );
 
-	    add_ijump( $filter_table->{forward_option_chain $interface} ,
+	    add_ijump( $filter_table->{forward_chain $interface} ,
 		       j => 'ACCEPT', 
 		       p =>  "udp --dport $ports" ,
 		       imatch_dest_dev( $interface ) )
@@ -980,9 +992,11 @@ sub add_common_rules ( $ ) {
 	    my $target     = source_exclusion( $hostref->[3], $chainref );
 	    my @policy     = have_ipsec ? ( policy => "--pol $hostref->[1] --dir in" ) : ();
 
-	    for $chain ( option_chains $interface ) {
+	    for $chain ( first_chains $interface ) {
 		add_ijump( $filter_table->{$chain} , j => $target, p => 'tcp', imatch_source_net( $hostref->[2] ), @policy );
 	    }
+	    set_interface_option $interface, 'use_input_chain', 1;
+	    set_interface_option $interface, 'use_forward_chain', 1;
 	}
     }
 
@@ -1011,7 +1025,7 @@ sub add_common_rules ( $ ) {
 	    progress_message2 "$doing UPnP" unless $announced;
 
 	    for $interface ( @$list ) {
-		my $chainref = $filter_table->{input_option_chain $interface};
+		my $chainref = $filter_table->{input_chain $interface};
 		my $base     = uc chain_base get_physical $interface;
 		my $variable = get_interface_gateway $interface;
 
@@ -1160,9 +1174,12 @@ sub setup_mac_lists( $ ) {
 	    if ( $table eq 'filter' ) {
 		my $chainref = source_exclusion( $hostref->[3], $filter_table->{mac_chain $interface} );
 
-		for my $chain ( option_chains $interface ) {
+		for my $chain ( first_chains $interface ) {
 		    add_ijump $filter_table->{$chain} , j => $chainref, @source, @state, @policy;
 		}
+
+		set_interface_option $interface, 'use_input_chain', 1;
+		set_interface_option $interface, 'use_forward_chain', 1;
 	    } else {
 		my $chainref = source_exclusion( $hostref->[3], $mangle_table->{mac_chain $interface} );
 		add_ijump $mangle_table->{PREROUTING}, j => $chainref, imatch_source_dev( $interface ), @source, @state, @policy;
@@ -1367,7 +1384,6 @@ sub add_interface_jumps {
     our %output_jump_added;
     our %forward_jump_added;
     my  $lo_jump_added = 0;
-    my @interfaces = grep $_ ne '%vserver%', @_;
     #
     # Add Nat jumps
     #
@@ -1379,7 +1395,7 @@ sub add_interface_jumps {
     addnatjump 'POSTROUTING' , 'nat_out';
     addnatjump 'PREROUTING', 'dnat';
 
-    for my $interface ( @interfaces  ) {
+    for my $interface ( grep $_ ne '%vserver%', @_ ) {
 	addnatjump 'PREROUTING'  , input_chain( $interface )  , imatch_source_dev( $interface );
 	addnatjump 'POSTROUTING' , output_chain( $interface ) , imatch_dest_dev( $interface );
 	addnatjump 'POSTROUTING' , masq_chain( $interface ) , imatch_dest_dev( $interface );
@@ -1393,7 +1409,7 @@ sub add_interface_jumps {
     #
     # Add the jumps to the interface chains from filter FORWARD, INPUT, OUTPUT
     #
-    for my $interface ( @interfaces ) {
+    for my $interface ( grep $_ ne '%vserver%', @_ ) {
 	my $forwardref   = $filter_table->{forward_chain $interface};
 	my $inputref     = $filter_table->{input_chain $interface};
 	my $outputref    = $filter_table->{output_chain $interface};
@@ -1473,19 +1489,58 @@ sub generate_matrix() {
     my  %ipsec_jump_added   = ();
 
     progress_message2 'Generating Rule Matrix...';
-    progress_message  '  Handling complex zones...';
+    progress_message  '  Handling blacklisting and complex zones...';
 
     #
-    # Special processing for complex configurations
+    # Special processing for complex and/or blacklisting configurations
     #
     for my $zone ( @zones ) {
 	my $zoneref = find_zone( $zone );
+	my $simple  =  @zones <= 2 && ! $zoneref->{options}{complex};
+	#
+	# Handle blacklisting first
+	#
+	if ( $zoneref->{options}{in}{blacklist} ) {
+	    my $blackref = $filter_table->{blacklst};
+	    insert_ijump ensure_rules_chain( rules_chain( $zone, $_ ) ) , j => $blackref , -1, @state for firewall_zone, @vservers;
+
+	    if ( $simple ) {
+		#
+		# We won't create a zone forwarding chain for this zone so we must add blacklisting jumps to the rules chains
+		#
+		for my $zone1 ( @zones ) {
+		    my $ruleschain    = rules_chain( $zone, $zone1 );
+		    my $ruleschainref = $filter_table->{$ruleschain};
+
+		    if ( ( $zone ne $zone1 || $ruleschainref->{referenced} ) && $ruleschainref->{policy} ne 'NONE' ) {
+			insert_ijump( ensure_rules_chain( $ruleschain ), j => $blackref, -1, @state );
+		    }
+		}
+	    }
+	}
+
+	if ( $zoneref->{options}{out}{blacklist} ) {
+	    my $blackref = $filter_table->{blackout};
+	    insert_ijump ensure_rules_chain( rules_chain( firewall_zone, $zone ) ) , j => $blackref , -1, @state;
+
+	    for my $zone1 ( @zones, @vservers ) {
+		my $ruleschain    = rules_chain( $zone1, $zone );
+		my $ruleschainref = $filter_table->{$ruleschain};
+
+		if ( ( $zone ne $zone1 || $ruleschainref->{referenced} ) && $ruleschainref->{policy} ne 'NONE' ) {
+		    insert_ijump( ensure_rules_chain( $ruleschain ), j => $blackref, -1, @state );
+		}
+	    }
+	}
+
+	next if $simple;
 
-	next if  @zones <= 2 && ! $zoneref->{options}{complex};
 	#
-	# Complex zone or we have more than one non-firewall zone -- process_rules created a zone forwarding chain
+	# Complex zone or we have more than one non-firewall zone -- create a zone forwarding chain
 	#
-	my $frwd_ref = $filter_table->{zone_forward_chain( $zone )};
+	my $frwd_ref = new_standard_chain zone_forward_chain( $zone );
+
+	insert_ijump( $frwd_ref , j => $filter_table->{blacklst}, -1, @state ) if $zoneref->{options}{in}{blacklist};
 
 	add_ijump( $frwd_ref , j => 'MARK --set-mark ' . in_hex( $zoneref->{mark} ) . '/' . in_hex( $globals{ZONE_MASK} ) ) if $zoneref->{mark};
 
@@ -1723,6 +1778,7 @@ sub generate_matrix() {
 			my $interfacechainref = $filter_table->{input_chain $interface};
 			my @interfacematch;
 			my $use_input;
+			my $blacklist = $zoneref->{options}{in}{blacklist};
 
 			if ( @vservers || use_input_chain( $interface, $interfacechainref ) || ! $chain2 || ( @{$interfacechainref->{rules}} && ! $chain2ref ) ) {
 			    $inputchainref = $interfacechainref;
@@ -1976,6 +2032,8 @@ sub generate_matrix() {
 
     add_interface_jumps @interfaces unless $interface_jumps_added;
 
+    promote_blacklist_rules;
+
     my %builtins = ( mangle => [ qw/PREROUTING INPUT FORWARD POSTROUTING/ ] ,
 		     nat=>     [ qw/PREROUTING OUTPUT POSTROUTING/ ] ,
 		     filter=>  [ qw/INPUT FORWARD OUTPUT/ ] );

Shorewall/Perl/Shorewall/Proc.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011,2012 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -308,7 +308,8 @@ sub setup_interface_proc( $ ) {
     }
 
     if ( @emitted ) {
-	emit( 'if [ $COMMAND = enable ]; then' );
+	emit( '',
+	      'if [ $COMMAND = enable ]; then' );
 	push_indent;
 	emit "$_" for @emitted;
 	pop_indent;

Shorewall/Perl/Shorewall/Providers.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010.2011,2012 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010.2011 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -21,7 +21,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MAS 02110-1301 USA.
 #
 #   This module deals with the /etc/shorewall/providers,
-#   /etc/shorewall/rtrules and /etc/shorewall/routes files.
+#   /etc/shorewall/route_rules and /etc/shorewall/routes files.
 #
 package Shorewall::Providers;
 require Exporter;
@@ -38,9 +38,7 @@ our @EXPORT = qw( process_providers
 		  setup_providers
 		  @routemarked_interfaces
 		  handle_stickiness
-		  handle_optional_interfaces
-		  setup_load_distribution
-	       );
+		  handle_optional_interfaces );
 our @EXPORT_OK = qw( initialize lookup_provider );
 our $VERSION = '4.4_24';
 
@@ -55,14 +53,11 @@ my  @routemarked_providers;
 my  %routemarked_interfaces;
 our @routemarked_interfaces;
 my  %provider_interfaces;
-my  @load_providers;
-my  @load_interfaces;
 
 my $balancing;
 my $fallback;
 my $first_default_route;
 my $first_fallback_route;
-my $maxload;
 
 my %providers;
 
@@ -87,17 +82,14 @@ use constant { ROUTEMARKED_SHARED => 1, ROUTEMARKED_UNSHARED => 2 };
 sub initialize( $ ) {
     $family = shift;
 
-    @routemarked_providers  = ();
+    @routemarked_providers = ();
     %routemarked_interfaces = ();
     @routemarked_interfaces = ();
     %provider_interfaces    = ();
-    @load_providers         = ();
-    @load_interfaces        = ();
-    $balancing              = 0;
-    $fallback               = 0;
-    $first_default_route    = 1;
-    $first_fallback_route   = 1;
-    $maxload                = 0;
+    $balancing           = 0;
+    $fallback            = 0;
+    $first_default_route  = 1;
+    $first_fallback_route = 1;
 
     %providers  = ( local   => { number => LOCAL_TABLE   , mark => 0 , optional => 0 ,routes => [], rules => [] } ,
 		    main    => { number => MAIN_TABLE    , mark => 0 , optional => 0 ,routes => [], rules => [] } ,
@@ -118,57 +110,33 @@ sub setup_route_marking() {
     add_ijump $mangle_table->{$_} , j => 'CONNMARK', targetopts => "--restore-mark --mask $mask", connmark => "! --mark 0/$mask" for qw/PREROUTING OUTPUT/;
 
     my $chainref  = new_chain 'mangle', 'routemark';
+    my $chainref1 = new_chain 'mangle', 'setsticky';
+    my $chainref2 = new_chain 'mangle', 'setsticko';
 
-    if ( @routemarked_providers ) {
-	my $chainref1 = new_chain 'mangle', 'setsticky';
-	my $chainref2 = new_chain 'mangle', 'setsticko';
+    my %marked_interfaces;
 
-	my %marked_interfaces;
+    for my $providerref ( @routemarked_providers ) {
+	my $interface = $providerref->{interface};
+	my $physical  = $providerref->{physical};
+	my $mark      = $providerref->{mark};
 
-	for my $providerref ( @routemarked_providers ) {
-	    my $interface = $providerref->{interface};
-	    my $physical  = $providerref->{physical};
-	    my $mark      = $providerref->{mark};
-
-	    unless ( $marked_interfaces{$interface} ) {
-		add_ijump $mangle_table->{PREROUTING} , j => $chainref,  i => $physical,     mark => "--mark 0/$mask";
-		add_ijump $mangle_table->{PREROUTING} , j => $chainref1, i => "! $physical", mark => "--mark  $mark/$mask";
-		add_ijump $mangle_table->{OUTPUT}     , j => $chainref2,                     mark => "--mark  $mark/$mask";
-		$marked_interfaces{$interface} = 1;
-	    }
-
-	    if ( $providerref->{shared} ) {
-		add_commands( $chainref, qq(if [ -n "$providerref->{mac}" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional};
-		add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}", imatch_source_dev( $interface ), mac => "--mac-source $providerref->{mac}";
-		decr_cmd_level( $chainref ), add_commands( $chainref, "fi\n" ) if $providerref->{optional};
-	    } else {
-		add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}", imatch_source_dev( $interface );
-	    }
+	unless ( $marked_interfaces{$interface} ) {
+	    add_ijump $mangle_table->{PREROUTING} , j => $chainref,  i => $physical,     mark => "--mark 0/$mask";
+	    add_ijump $mangle_table->{PREROUTING} , j => $chainref1, i => "! $physical", mark => "--mark  $mark/$mask";
+	    add_ijump $mangle_table->{OUTPUT}     , j => $chainref2,                     mark => "--mark  $mark/$mask";
+	    $marked_interfaces{$interface} = 1;
 	}
 
-	add_ijump $chainref, j => 'CONNMARK', targetopts => "--save-mark --mask $mask", mark => "! --mark 0/$mask";
-    }
-
-    if ( @load_interfaces ) {
-	my $chainref1 = new_chain 'mangle', 'balance';
-	my @match;
-
-	add_ijump $chainref,               g => $chainref1, mark => "--mark 0/$mask";
-	add_ijump $mangle_table->{OUTPUT}, j => $chainref1, state_imatch( 'NEW,RELATED' ), mark => "--mark 0/$mask";
-
-	for my $physical ( @load_interfaces ) {
-
-	    my $chainref2 = new_chain( 'mangle', load_chain( $physical ) );
-
-	    dont_optimize $chainref2;
-	    dont_move     $chainref2;
-	    dont_delete   $chainref2;
-	
-  	    add_ijump ( $chainref1,
-			j => $chainref2 ,
-		        mark => "--mark 0/$mask" );
+	if ( $providerref->{shared} ) {
+	    add_commands( $chainref, qq(if [ -n "$providerref->{mac}" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional};
+	    add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}", imatch_source_dev( $interface ), mac => "--mac-source $providerref->{mac}";
+	    decr_cmd_level( $chainref ), add_commands( $chainref, "fi\n" ) if $providerref->{optional};
+	} else {
+	    add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}", imatch_source_dev( $interface );
 	}
     }
+
+    add_ijump $chainref, j => 'CONNMARK', targetopts => "--save-mark --mask $mask", mark => "! --mark 0/$mask";
 }
 
 sub copy_table( $$$ ) {
@@ -398,8 +366,8 @@ sub process_a_provider() {
 	$gateway = '';
     }
 
-    my ( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $local , $load ) =
-	(0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), ''  , 0      , 0 );
+    my ( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $local ) =
+	(0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), ''  , 0 );
 
     unless ( $options eq '-' ) {
 	for my $option ( split_list $options, 'option' ) {
@@ -440,9 +408,6 @@ sub process_a_provider() {
 		$local = 1;
 		$track = 0           if $config{TRACK_PROVIDERS};
 		$default_balance = 0 if $config{USE_DEFAULT_RT};
-	    } elsif ( $option =~ /^load=(0?\.\d{1,8})/ ) {
-		$load = $1;
-		require_capability 'STATISTIC_MATCH', "load=$load", 's';
 	    } else {
 		fatal_error "Invalid option ($option)";
 	    }
@@ -451,12 +416,6 @@ sub process_a_provider() {
 
     fatal_error q(The 'balance' and 'fallback' options are mutually exclusive) if $balance && $default;
 
-    if ( $load ) {
-	fatal_error q(The 'balance=<weight>' and 'load=<load-factor>' options are mutually exclusive) if $balance > 1;
-	fatal_error q(The 'fallback=<weight>' and 'load=<load-factor>' options are mutually exclusive) if $default > 1;
-	$maxload += $load;
-    }
-
     if ( $local ) {
 	fatal_error "GATEWAY not valid with 'local' provider" unless $gatewaycase eq 'none';
 	fatal_error "'track' not valid with 'local'"          if $track;
@@ -529,7 +488,6 @@ sub process_a_provider() {
 			   duplicate   => $duplicate ,
 			   address     => $address ,
 			   local       => $local ,
-			   load        => $load ,
 			   rules       => [] ,
 			   routes      => [] ,
 			 };
@@ -548,8 +506,6 @@ sub process_a_provider() {
 	push @routemarked_providers, $providers{$table};
     }
 
-    push @load_interfaces, $physical if $load;
-
     push @providers, $table;
 
     progress_message "   Provider \"$currentline\" $done";
@@ -581,8 +537,6 @@ sub add_a_provider( $$ ) {
     my $duplicate   = $providerref->{duplicate};
     my $address     = $providerref->{address};
     my $local       = $providerref->{local};
-    my $load        = $providerref->{load};
-
     my $dev         = chain_base $physical;
     my $base        = uc $dev;
     my $realm = '';
@@ -610,22 +564,6 @@ sub add_a_provider( $$ ) {
 	}
     }
     
-    emit( qq(echo $load > \${VARDIR}/${physical}_load) ) if $load;
-
-    emit( '', 
-	  "cat <<EOF >> \${VARDIR}/undo_${table}_routing" );
-    
-    emit_unindented 'case \$COMMAND in';
-    emit_unindented '    enable|disable)';
-    emit_unindented '        ;;';
-    emit_unindented '    *)';
-    emit_unindented "        rm -f \${VARDIR}/${physical}_load" if $load;
-    emit_unindented <<"CEOF", 1;
-        rm -f \${VARDIR}/${physical}.status
-        ;;
-esac
-EOF
-CEOF
     #
     # /proc for this interface
     #
@@ -736,11 +674,8 @@ CEOF
 
     my ( $tbl, $weight );
 
-    emit( qq(echo 0 > \${VARDIR}/${physical}.status) );
-
     if ( $optional ) {
-	emit( '',
-	      'if [ $COMMAND = enable ]; then' );
+	emit( 'if [ $COMMAND = enable ]; then' );
 
 	push_indent;
 
@@ -764,12 +699,10 @@ CEOF
 		    emit qq(add_gateway "nexthop dev $physical $realm" ) . $tbl;
 		}
 	    }
-	    	} else {
+	} else {
 	    $weight = 1;
 	}
 
-	emit ( "distribute_load $maxload @load_interfaces" ) if $load;
-
 	unless ( $shared ) {
 	    emit( "setup_${dev}_tc" ) if $tcdevices->{$interface};
 	}
@@ -778,13 +711,12 @@ CEOF
 
 	pop_indent;
  
-	emit( 'else' );
-	emit( qq(    echo $weight > \${VARDIR}/${physical}_weight) ,
+	emit( 'else' ,
+	      qq(    echo $weight > \${VARDIR}/${physical}_weight) ,
 	      qq(    progress_message "   Provider $table ($number) Started"),
 	      qq(fi\n)
 	    );
     } else {
-	emit( qq(echo 0 > \${VARDIR}/${physical}.status) );
 	emit( qq(progress_message "Provider $table ($number) Started") );
     }
     
@@ -794,8 +726,6 @@ CEOF
 
     push_indent;
 
-    emit( qq(echo 1 > \${VARDIR}/${physical}.status) );
-
     if ( $optional ) {
 	if ( $shared ) {
 	    emit ( "error_message \"WARNING: Gateway $gateway is not reachable -- Provider $table ($number) not Started\"" );	    
@@ -854,9 +784,6 @@ CEOF
 	emit (". $undo",
 	      "> $undo" );
 
-	emit ( '',
-	       "distribute_load $maxload @load_interfaces" ) if $load;
-
 	unless ( $shared ) {
 	    emit( '', 
 		  "qt \$TC qdisc del dev $physical root",
@@ -879,7 +806,7 @@ CEOF
 }
 
 sub add_an_rtrule( ) {
-    my ( $source, $dest, $provider, $priority, $originalmark ) = split_line 'rtrules file', { source => 0, dest => 1, provider => 2, priority => 3 , mark => 4 };
+    my ( $source, $dest, $provider, $priority, $originalmark ) = split_line 'route_rules file', { source => 0, dest => 1, provider => 2, priority => 3 , mark => 4 };
 
     our $current_if;
 
@@ -906,7 +833,7 @@ sub add_an_rtrule( ) {
     my $number = $providerref->{number};
 
     fatal_error "You may not add rules for the $provider provider" if $number == LOCAL_TABLE || $number == UNSPEC_TABLE;
-    fatal_error "You must specify either the source or destination in a rtrules entry" if $source eq '-' && $dest eq '-';
+    fatal_error "You must specify either the source or destination in a route_rules entry" if $source eq '-' && $dest eq '-';
 
     if ( $dest eq '-' ) {
 	$dest = 'to ' . ALLIP;
@@ -917,8 +844,6 @@ sub add_an_rtrule( ) {
 
     if ( $source eq '-' ) {
 	$source = 'from ' . ALLIP;
-    } elsif ( $source =~ s/^&// ) {
-	$source = 'from ' . record_runtime_address $source;
     } elsif ( $family == F_IPV4 ) {
 	if ( $source =~ /:/ ) {
 	    ( my $interface, $source , my $remainder ) = split( /:/, $source, 3 );
@@ -1069,20 +994,20 @@ sub start_providers() {
 }
 
 sub finish_providers() {
-    my $table = MAIN_TABLE;
-    
-    if ( $config{USE_DEFAULT_RT} ) {
-	emit ( 'run_ip rule add from ' . ALLIP . ' table ' . MAIN_TABLE .    ' pref 999',
-	       'run_ip rule add from ' . ALLIP . ' table ' . BALANCE_TABLE . ' pref 32765',
-	       "\$IP -$family rule del from " . ALLIP . ' table ' . MAIN_TABLE . ' pref 32766',
-	       qq(echo "qt \$IP -$family rule add from ) . ALLIP . ' table ' . MAIN_TABLE .    ' pref 32766" >> ${VARDIR}/undo_main_routing',
-	       qq(echo "qt \$IP -$family rule del from ) . ALLIP . ' table ' . MAIN_TABLE .    ' pref 999" >> ${VARDIR}/undo_main_routing',
-	       qq(echo "qt \$IP -$family rule del from ) . ALLIP . ' table ' . BALANCE_TABLE . ' pref 32765" >> ${VARDIR}/undo_balance_routing',
-	       '' );
-	$table = BALANCE_TABLE;
-    }
-
     if ( $balancing ) {
+	my $table = MAIN_TABLE;
+
+	if ( $config{USE_DEFAULT_RT} ) {
+	    emit ( 'run_ip rule add from ' . ALLIP . ' table ' . MAIN_TABLE .    ' pref 999',
+		   'run_ip rule add from ' . ALLIP . ' table ' . BALANCE_TABLE . ' pref 32765',
+		   "\$IP -$family rule del from " . ALLIP . ' table ' . MAIN_TABLE . ' pref 32766',
+		   qq(echo "qt \$IP -$family rule add from ) . ALLIP . ' table ' . MAIN_TABLE .    ' pref 32766" >> ${VARDIR}/undo_main_routing',
+		   qq(echo "qt \$IP -$family rule del from ) . ALLIP . ' table ' . MAIN_TABLE .    ' pref 999" >> ${VARDIR}/undo_main_routing',
+		   qq(echo "qt \$IP -$family rule del from ) . ALLIP . ' table ' . BALANCE_TABLE . ' pref 32765" >> ${VARDIR}/undo_balance_routing',
+		   '' );
+	    $table = BALANCE_TABLE;
+	}
+
 	emit  ( 'if [ -n "$DEFAULT_ROUTE" ]; then' );
 	if ( $family == F_IPV4 ) {
 	    emit  ( "    run_ip route replace default scope global table $table \$DEFAULT_ROUTE" );
@@ -1170,15 +1095,7 @@ sub process_providers( $ ) {
     }
 
     if ( $providers ) {
-	my $fn = open_file( 'route_rules' );
-
-	if ( $fn ){
-	    if ( -f ( my $fn1 = find_file 'rtrules' ) ) {
-		warning_message "Both $fn and $fn1 exists: $fn1 will be ignored";
-	    }
-	} else {
-	    $fn = open_file( 'rtrules' );
-	}
+	my $fn = open_file 'route_rules';
 
 	if ( $fn ) {
 	    first_entry "$doing $fn...";
@@ -1226,7 +1143,7 @@ EOF
 	    emit ( "    if [ -z \"`\$IP -$family route ls table $providerref->{number}`\" ]; then", 
 		   "        start_provider_$provider",
 		   '    else',
-		   "        startup_error \"Interface $providerref->{physical} is already enabled\"",
+		   '        startup_error "Interface $g_interface is already enabled"',
 		   '    fi',
 		   '    ;;'
 		 );
@@ -1262,7 +1179,7 @@ EOF
 	      "    if [ -n \"`\$IP -$family route ls table $providerref->{number}`\" ]; then", 
 	      "        stop_provider_$provider",
 	      '    else',
-	      "        startup_error \"Interface $providerref->{physical} is already disabled\"",
+	      '        startup_error "Interface $g_interface is already disabled"',
 	      '    fi',
 	      '    ;;'
 	    ) if $providerref->{optional};
@@ -1305,7 +1222,7 @@ sub setup_providers() {
 	pop_indent;
 	emit "fi\n";
 
-	setup_route_marking if @routemarked_interfaces || @load_interfaces;
+	setup_route_marking if @routemarked_interfaces;
     } else {
 	emit "\nif [ -z \"\$g_noroutes\" ]; then";
 
@@ -1577,17 +1494,10 @@ sub handle_stickiness( $ ) {
 	}
     }
 
-    if ( @routemarked_providers || @load_interfaces ) {
+    if ( @routemarked_providers ) {
 	delete_jumps $mangle_table->{PREROUTING}, $setstickyref unless @{$setstickyref->{rules}};
 	delete_jumps $mangle_table->{OUTPUT},     $setstickoref unless @{$setstickoref->{rules}};
     }
 }
 
-sub setup_load_distribution() {
-    emit ( '',
-	   "        distribute_load $maxload @load_interfaces" ,
-	   '' 
-	 ) if @load_interfaces;
-}
-
 1;

Shorewall/Perl/Shorewall/Proxyarp.pm

@@ -84,7 +84,7 @@ sub setup_one_proxy_arp( $$$$$$$ ) {
 	    emit "[ -n \"\$g_noroutes\" ] || run_ip route replace $address/32 dev $physical";
 	} else {
 	    emit( 'if [ -z "$g_noroutes" ]; then',
-		  "    qt \$IP -6 route del $address/128 dev $physical",
+		  "    qt \$IP -6 route del $address/128 dev $physical".
 		  "    run_ip route add $address/128 dev $physical",
 		  'fi'
 		);

Shorewall/Perl/Shorewall/Rules.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011,2012 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -116,6 +116,7 @@ my %auditpolicies = ( ACCEPT => 1,
 		      DROP   => 1,
 		      REJECT => 1
 		    );
+
 #
 # Rather than initializing globals in an INIT block or during declaration,
 # we initialize them in a function. This is done for two reasons:
@@ -144,7 +145,8 @@ sub initialize( $ ) {
     #
     # These are set to 1 as sections are encountered.
     #
-    %sections = ( ALL         => 0,
+    %sections = ( BLACKLIST   => 0,
+		  ALL         => 0,
 		  ESTABLISHED => 0,
 		  RELATED     => 0,
 		  NEW         => 0
@@ -676,6 +678,8 @@ sub complete_standard_chain ( $$$$ ) {
     policy_rules $stdchainref , $policy , $loglevel, $defaultaction, 0;
 }
 
+sub require_audit($$;$);
+
 #
 # Create and populate the synflood chains corresponding to entries in /etc/shorewall/policy
 #
@@ -740,7 +744,7 @@ sub ensure_rules_chain( $ )
 
     my $chainref = $filter_table->{$chain};
 
-    $chainref = new_chain( 'filter', $chain ) unless $chainref;
+    $chainref = dont_move( new_chain( 'filter', $chain ) ) unless $chainref;
 
     unless ( $chainref->{referenced} ) {
 	if ( $section =~/^(NEW|DONE)$/ ) {
@@ -1427,7 +1431,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$ );
 
 #
 # Populate an action invocation chain. As new action tuples are encountered,
-# the function will be called recursively by process_rule1().
+# the function will be called recursively by process_rules_common().
 #
 sub process_action( $) {
     my $chainref = shift;
@@ -1715,7 +1719,9 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
 	#
 	fatal_error "Macro invocations nested too deeply" if ++$macro_nest_level > MAX_MACRO_NEST_LEVEL;
 
-	$current_param = $param unless $param eq '' || $param eq 'PARAM';
+	if ( $param ne '' ) {
+	    $current_param = $param unless $param eq 'PARAM';
+	}
 
 	my $generated = process_macro( $basictarget,
 				       $chainref,
@@ -1757,7 +1763,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
     #
     # We can now dispense with the postfix character
     #
-    fatal_error "The +, - and ! modifiers are not allowed in the blrules file" if $action =~ s/[\+\-!]$// && $blacklist;
+    fatal_error "The +, - and ! modifiers are not allowed in the bllist file or in the BLACKLIST section" if $action =~ s/[\+\-!]$// && $blacklist;
     #
     # Handle actions
     #
@@ -1823,7 +1829,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
 			  CONTINUE => sub { $action = 'RETURN'; } ,
 
 			  WHITELIST => sub { 
-			      fatal_error "'WHITELIST' may only be used in the blrules file" unless $blacklist; 
+			      fatal_error "'WHITELIST' may only be used in the blrules file and in the 'BLACKLIST' section" unless $blacklist; 
 			      $action = 'RETURN';
 			  } ,
 
@@ -2017,9 +2023,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
 
     unless ( $section eq 'NEW' || $inaction ) {
 	if ( $config{FASTACCEPT} ) {
-	    fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" unless 
-		$section eq 'BLACKLIST' ||
-		( $section eq 'RELATED' && ( $config{RELATED_DISPOSITION} ne 'ACCEPT' || $config{RELATED_LOG_LEVEL} ) )
+	    fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" unless $section eq 'RELATED' && ( $config{RELATED_DISPOSITION} ne 'ACCEPT' || $config{RELATED_LOG_LEVEL} )
 	}
 
 	fatal_error "$basictarget rules are not allowed in the $section SECTION" if $actiontype & ( NATRULE | NONAT );
@@ -2306,15 +2310,15 @@ sub process_section ($) {
     fatal_error "Duplicate or out of order SECTION $sect" if $sections{$sect};
     $sections{$sect} = 1;
 
-    if ( $sect eq 'BLACKLIST' ) {
-	fatal_error "The BLACKLIST section has been eliminated. Please move your BLACKLIST rules to the 'blrules' file";
+    if ( $sect eq 'ALL' ) {
+	$sections{BLACKLIST} = 1;
     } elsif ( $sect eq 'ESTABLISHED' ) {
-	$sections{ALL} = 1;
+	$sections{'BLACKLIST','ALL'} = ( 1, 1);
     } elsif ( $sect eq 'RELATED' ) {
-	@sections{'ALL','ESTABLISHED'} = ( 1, 1);
+	@sections{'BLACKLIST','ALL','ESTABLISHED'} = ( 1, 1, 1);
 	finish_section 'ESTABLISHED';
     } elsif ( $sect eq 'NEW' ) {
-	@sections{'ALL','ESTABLISHED','RELATED'} = ( 1, 1, 1 );
+	@sections{'BLACKLIST','ALL','ESTABLISHED','RELATED'} = ( 1, 1, 1, 1 );
 	finish_section ( ( $section eq 'RELATED' ) ? 'RELATED' : 'ESTABLISHED,RELATED' );
     }
 
@@ -2459,93 +2463,18 @@ sub process_rule ( ) {
 }
 
 #
-# Add jumps to the blacklst and blackout chains
+# Process the Rules File
 #
-sub classic_blacklist() {
-    my $fw       = firewall_zone;
-    my @zones    = off_firewall_zones;
-    my @vservers = vserver_zones;
-    my @state = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID' : ();
-    my $result;
-    
-    for my $zone ( @zones ) {
-	my $zoneref = find_zone( $zone );
-	my $simple  =  @zones <= 2 && ! $zoneref->{options}{complex};
-	
-	if ( $zoneref->{options}{in}{blacklist} ) {
-	    my $blackref = $filter_table->{blacklst};
-	    add_ijump ensure_rules_chain( rules_chain( $zone, $_ ) ) , j => $blackref , @state for firewall_zone, @vservers;
-
-	    if ( $simple ) {
-		#
-		# We won't create a zone forwarding chain for this zone so we must add blacklisting jumps to the rules chains
-		#
-		for my $zone1 ( @zones ) {
-		    my $ruleschain    = rules_chain( $zone, $zone1 );
-		    my $ruleschainref = $filter_table->{$ruleschain};
-
-		    if ( ( $zone ne $zone1 || $ruleschainref->{referenced} ) && $ruleschainref->{policy} ne 'NONE' ) {
-			add_ijump( ensure_rules_chain( $ruleschain ), j => $blackref, @state );
-		    }
-		}
-	    }
-
-	    $result = 1;
-	}
-
-	if ( $zoneref->{options}{out}{blacklist} ) {
-	    my $blackref = $filter_table->{blackout};
-	    add_ijump ensure_rules_chain( rules_chain( firewall_zone, $zone ) ) , j => $blackref , @state;
-
-	    for my $zone1 ( @zones, @vservers ) {
-		my $ruleschain    = rules_chain( $zone1, $zone );
-		my $ruleschainref = $filter_table->{$ruleschain};
-
-		if ( ( $zone ne $zone1 || $ruleschainref->{referenced} ) && $ruleschainref->{policy} ne 'NONE' ) {
-		    add_ijump( ensure_rules_chain( $ruleschain ), j => $blackref, @state );
-		}
-	    }
-
-	    $result = 1;
-	}
-
-	unless ( $simple ) {
-	    #
-	    # Complex zone or we have more than one non-firewall zone -- create a zone forwarding chain
-	    #
-	    my $frwd_ref = new_standard_chain zone_forward_chain( $zone );
-
-	    add_ijump( $frwd_ref , j => $filter_table->{blacklst}, @state ) if $zoneref->{options}{in}{blacklist};
-	}
-    }
-
-    $result;
-}
-
-#
-# Process the BLRules and Rules Files
-#
-sub process_rules( $ ) {
-    my $convert = shift;
-    my $blrules = 0;
-    #
-    # Generate jumps to the classic blacklist chains
-    #
-    $blrules = classic_blacklist unless $convert;
-    #
-    # Process the blrules file
-    #
-    $section = 'BLACKLIST';
-
+sub process_rules() {
     my $fn = open_file 'blrules';
 
     if ( $fn ) {
 	first_entry( sub () {
 			 my ( $level, $disposition ) = @config{'BLACKLIST_LOGLEVEL', 'BLACKLIST_DISPOSITION' };
-			 my  $audit       = $disposition =~ /^A_/;
-			 my  $target      = $disposition eq 'REJECT' ? 'reject' : $disposition;
+			 my $audit       = $disposition =~ /^A_/;
+			 my $target      = $disposition eq 'REJECT' ? 'reject' : $disposition;
 
-			 progress_message2 "$doing $currentfilename...";
+			 progress_message2 "$doing $fn...";
 
 			 if ( supplied $level ) {
 			     ensure_blacklog_chain( $target, $disposition, $level, $audit );
@@ -2556,18 +2485,19 @@ sub process_rules( $ ) {
 			 } elsif ( have_capability 'AUDIT_TARGET' ) {
 			     verify_audit( 'A_' . $disposition );
 			 }
+		     } );
 	
-			 $blrules = 1;
-		     }
-		   );
+	$section = 'BLACKLIST';
 
 	process_rule while read_a_line;
+	    
+	$section = '';
+
+	if ( my $chainref = $filter_table->{A_blacklog} ) {
+	    $chainref->{referenced} = 0 unless %{$chainref->{references}};
+	}
     }
 
-    $section = '';
-
-    add_interface_options( $blrules );
-
     $fn = open_file 'rules';
 
     if ( $fn ) {

Shorewall/Perl/Shorewall/Tc.pm

@@ -194,15 +194,8 @@ sub initialize( $ ) {
 }
 
 sub process_tc_rule( ) {
-    my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability );
-    if ( $family == F_IPV4 ) {
-	( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability ) =
-	    split_line1 'tcrules file', { mark => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, probability => 12 };
-	$headers = '-';
-    } else {
-	( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability ) = 
-	    split_line1 'tcrules file', { mark => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 };
-    }
+    my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers ) = 
+	split_line1 'tcrules file', { mark => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12 };
 
     our @tccmd;
 
@@ -247,10 +240,8 @@ sub process_tc_rule( ) {
 	    } else {
 		$chain = 'tcout';
 	    }
-
 	    $source = '';
 	} elsif ( $source =~ s/^($fw):// ) {
-	    fatal_error ":F is not allowed when the SOURCE is the firewall" if ( $designator || '' ) eq 'F';
 	    $chain = 'tcout';
 	}
     }
@@ -460,10 +451,6 @@ sub process_tc_rule( ) {
 			} else {
 			    $target .= " --hl-set $param";
 			}
-		    } elsif ( $target eq 'IMQ' ) {
-			assert( $cmd =~ /^IMQ\((\d+)\)$/ );
-			require_capability 'IMQ_TARGET', 'IMQ', 's';
-			$target .= " --todev $1";
 		    }
 
 		    if ( $rest ) {
@@ -509,8 +496,7 @@ sub process_tc_rule( ) {
 				     do_tos( $tos ) .
 				     do_connbytes( $connbytes ) .
 				     do_helper( $helper ) .
-				     do_headers( $headers ) .
-				     do_probability( $probability ) ,
+				     do_headers( $headers ) ,
 				     $source ,
 				     $dest ,
 				     '' ,
@@ -1981,13 +1967,7 @@ sub setup_tc() {
 			  mark      => NOMARK,
 			  mask      => '',
 			  connmark  => 0
-			},
-			{ match     => sub( $ ) { $_[0] =~ /^IMQ\(\d+\)$/ },
-			  target    => 'IMQ',
-			  mark      => NOMARK,
-			  mask      => '',
-			  connmark  => 0
-			},
+			} 
 		      );
 
 	if ( my $fn = open_file 'tcrules' ) {

Shorewall/Perl/Shorewall/Zones.pm

@@ -61,7 +61,6 @@ our @EXPORT = qw( NOTHING
 		  chain_base
 		  validate_interfaces_file
 		  all_interfaces
-		  all_real_interfaces
 		  all_bridges
 		  interface_number
 		  find_interface
@@ -611,14 +610,11 @@ sub zone_report()
 		for my $interface ( sort keys %$interfaceref ) {
 		    my $iref     = $interfaces{$interface};
 		    my $arrayref = $interfaceref->{$interface};
-
 		    for my $groupref ( @$arrayref ) {
 			my $hosts      = $groupref->{hosts};
-
 			if ( $hosts ) {
 			    my $grouplist  = join ',', ( @$hosts );
 			    my $exclusions = join ',', @{$groupref->{exclusions}};
-
 			    $grouplist = join '!', ( $grouplist, $exclusions) if $exclusions;
 
 			    if ( $family == F_IPV4 ) {
@@ -629,6 +625,7 @@ sub zone_report()
 			    $printed = 1;
 			}
 		    }
+
 		}
 	    }
 	}
@@ -664,7 +661,6 @@ sub dump_zone_contents() {
 		for my $interface ( sort keys %$interfaceref ) {
 		    my $iref     = $interfaces{$interface};
 		    my $arrayref = $interfaceref->{$interface};
-
 		    for my $groupref ( @$arrayref ) {
 			my $hosts     = $groupref->{hosts};
 
@@ -1309,13 +1305,6 @@ sub all_interfaces() {
     @interfaces;
 }
 
-#
-# Return all non-vserver interfaces
-#
-sub all_real_interfaces() {
-    grep $_ ne '%vserver%', @interfaces;
-}
-
 #
 # Return a list of bridges
 #
@@ -1814,7 +1803,7 @@ sub process_host( ) {
 	$interface = $1;
 	$hosts = $2;
 
-	fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface}) && $interfaceref->{root};
+	fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface})->{root};
     } else {
 	fatal_error "Invalid HOST(S) column contents: $hosts" 
     }

Shorewall/Perl/getparams

@@ -28,11 +28,23 @@
 #      $3 = Address family (4 o4 6)
 #
 if [ "$3" = 6 ]; then
-    g_program=shorewall6
+    SHAREDIR=/usr/share/shorewall6
+    CONFDIR=/etc/shorewall6
+    g_product="Shorewall6"
+    g_family=6
+    g_tool=
+    g_basedir=/usr/share/shorewall
 else
     g_program=shorewall
+    SHAREDIR=/usr/share/shorewall
+    CONFDIR=/etc/shorewall
+    g_product="Shorewall"
+    g_family=4
+    g_tool=
+    g_basedir=/usr/share/shorewall
 fi
 
+. /usr/share/shorewall/lib.base
 . /usr/share/shorewall/lib.cli
 
 CONFIG_PATH="$2"

Shorewall/Perl/prog.footer

@@ -31,31 +31,6 @@ usage() {
     echo "   -R <file>        Override RESTOREFILE setting"
     exit $1
 }
-
-checkkernelversion() {
-    local kernel
-
-    if [ $g_family -eq 6 ]; then
-	kernel=$(uname -r 2> /dev/null | sed -e 's/-.*//')
-
-	case "$kernel" in 
-	    *.*.*)
-		kernel=$(printf "%d%02d%02d" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
-		;;
-	    *)
-		kernel=$(printf "%d%02d00" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2/g'))
-		;;
-	esac
-
-	if [ $kernel -lt 20624 ]; then
-	    error_message "ERROR: $g_product requires Linux kernel 2.6.24 or later"
-	    return 1
-	fi
-    fi
-
-    return 0
-}
-
 ################################################################################
 # E X E C U T I O N    B E G I N S   H E R E				       #
 ################################################################################
@@ -72,7 +47,7 @@ if [ $# -gt 1 ]; then
     fi
 fi
 #
-# Map VERBOSE to VERBOSITY for compatibility with old Shorewall[6]-lite installations
+# Map VERBOSE to VERBOSITY for compatibility with old Shorewall-lite installations
 #
 [ -z "$VERBOSITY" ] && [ -n "$VERBOSE" ] && VERBOSITY=$VERBOSE
 #
@@ -200,66 +175,61 @@ COMMAND="$1"
 case "$COMMAND" in
     start)
 	[ $# -ne 1 ] && usage 2
-	if product_is_started; then
+	if shorewall_is_started; then
 	    error_message "$g_product is already Running"
 	    status=0
 	else
 	    progress_message3 "Starting $g_product...."
-	    if checkkernelversion; then
-		detect_configuration
-		define_firewall
-		status=$?
-		if [ $status -eq 0 ]; then
-		    [ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
-		    progress_message3 "done."
-		fi
+	    detect_configuration
+	    define_firewall
+	    status=$?
+	    if [ $status -eq 0 ]; then
+		[ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
+		progress_message3 "done."
 	    fi
 	fi
 	;;
     stop)
 	[ $# -ne 1 ] && usage 2
-	if checkkernelversion; then
-	    progress_message3 "Stopping $g_product...."
-	    detect_configuration
-	    stop_firewall
-	    status=0
-	    [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
-	    progress_message3 "done."
-	fi
+	progress_message3 "Stopping $g_product...."
+	detect_configuration
+	stop_firewall
+	status=0
+	[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
+	progress_message3 "done."
 	;;
     reset)
-	if ! product_is_started ; then
+	if ! shorewall_is_started ; then
 	    error_message "$g_product is not running"
 	    status=2
-	elif checkkernelversion; then
-	    if [ $# -eq 1 ]; then
-		$IP6TABLES -Z
-		$IP6TABLES -t mangle -Z
-		date > ${VARDIR}/restarted
-		status=0
-		progress_message3 "$g_product Counters Reset"
-	    else
-		shift
-		status=0
-		for chain in $@; do
-		    if chain_exists $chain; then
-			if qt $IP6TABLES -Z $chain; then
-			    progress_message3 "Filter $chain Counters Reset"
-			else
-			    error_message "ERROR: Reset of chain $chain failed"
-			    status=2
-			    break
-			fi
+	elif [ $# -eq 1 ]; then
+	    $IPTABLES -Z
+	    $IPTABLES -t nat -Z
+	    $IPTABLES -t mangle -Z
+	    date > ${VARDIR}/restarted
+	    status=0
+	    progress_message3 "$g_product Counters Reset"
+	else
+	    shift
+	    status=0
+	    for chain in $@; do
+		if chain_exists $chain; then
+		    if qt $IPTABLES -Z $chain; then
+			progress_message3 "Filter $chain Counters Reset"
 		    else
-			error_message "WARNING: Filter Chain $chain does not exist"
+			error_message "ERROR: Reset of chain $chain failed"
+			status=2
+			break
 		    fi
-		done
-	    fi
+		else
+		    error_message "WARNING: Filter Chain $chain does not exist"
+		fi
+	    done
 	fi
 	;;
     restart)
 	[ $# -ne 1 ] && usage 2
-	if product_is_started; then
+	if shorewall_is_started; then
 	    progress_message3 "Restarting $g_product...."
 	else
 	    error_message "$g_product is not running"
@@ -267,27 +237,22 @@ case "$COMMAND" in
 	    COMMAND=start
 	fi
 
-	if checkkernelversion; then
-	    detect_configuration
-	    define_firewall
-	    status=$?
-	    if [ -n "$SUBSYSLOCK" ]; then
- 		[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
-            fi
-
-	    [ $status -eq 0 ] && progress_message3 "done."
+	detect_configuration
+	define_firewall
+	status=$?
+	if [ -n "$SUBSYSLOCK" ]; then
+	    [ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
 	fi
+	[ $status -eq 0 ] && progress_message3 "done."
 	;;
     refresh)
 	[ $# -ne 1 ] && usage 2
-	if product_is_started; then
+	if shorewall_is_started; then
 	    progress_message3 "Refreshing $g_product...."
-	    if checkkernelversion; then
-		detect_configuration
-		define_firewall
-		status=$?
-		[ $status -eq 0 ] && progress_message3 "done."
-	    fi
+	    detect_configuration
+	    define_firewall
+	    status=$?
+	    [ $status -eq 0 ] && progress_message3 "done."
 	else
 	    echo "$g_product is not running" >&2
 	    status=2
@@ -295,25 +260,20 @@ case "$COMMAND" in
 	;;
     restore)
 	[ $# -ne 1 ] && usage 2
-	if checkkernelversion; then
-	    detect_configuration
-	    define_firewall
-	    status=$?
-	    if [ -n "$SUBSYSLOCK" ]; then
- 		[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
-            fi
-	    [ $status -eq 0 ] && progress_message3 "done."
-	fi
+	detect_configuration
+	define_firewall
+	status=$?
+	if [ -n "$SUBSYSLOCK" ]; then
+ 	    [ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
+        fi
 	;;
     clear)
 	[ $# -ne 1 ] && usage 2
 	progress_message3 "Clearing $g_product...."
-	if checkkernelversion; then
-	    clear_firewall
-	    status=0
-	    if [ -n "$SUBSYSLOCK" ]; then
-		rm -f $SUBSYSLOCK
-	    fi
+	clear_firewall
+	status=0
+	if [ $status -eq 0 ]; then
+	    [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
 	    progress_message3 "done."
 	fi
 	;;
@@ -321,7 +281,7 @@ case "$COMMAND" in
 	[ $# -ne 1 ] && usage 2
 	echo "$g_product-$SHOREWALL_VERSION Status at $(hostname) - $(date)"
 	echo
-	if product_is_started; then
+	if shorewall_is_started; then
 	    echo "$g_product is running"
 	    status=0
 	else
@@ -332,7 +292,7 @@ case "$COMMAND" in
 	if [ -f ${VARDIR}/state ]; then
 	    state="$(cat ${VARDIR}/state)"
 	    case $state in
-		Stopped*|Clear*)
+		Stopped*|lClear*)
 		    status=3
 		    ;;
 	    esac
@@ -346,14 +306,14 @@ case "$COMMAND" in
 	[ $# -eq 1 ] && exit 0
 	shift
 	[ $# -ne 1 ] && usage 2
-	updown $1
-	status=0
+	updown $@
+	status=0;
 	;;
     enable)
 	[ $# -eq 1 ] && exit 0
 	shift
 	[ $# -ne 1 ] && usage 2
-	if product_is_started; then
+	if shorewall_is_started; then
 	    detect_configuration
 	    enable_provider $1
 	fi
@@ -363,7 +323,7 @@ case "$COMMAND" in
 	[ $# -eq 1 ] && exit 0
 	shift
 	[ $# -ne 1 ] && usage 2
-	if product_is_started; then
+	if shorewall_is_started; then
 	    detect_configuration
 	    disable_provider $1
 	fi

Shorewall/Perl/prog.footer6

@@ -0,0 +1,381 @@
+###############################################################################
+# Code imported from /usr/share/shorewall/prog.footer6
+###############################################################################
+#
+# Give Usage Information
+#
+usage() {
+    echo "Usage: $0 [ options ] <command>"
+    echo
+    echo "<command> is one of:"
+    echo "   start"
+    echo "   stop"
+    echo "   clear"
+    echo "   disable <interface>"
+    echo "   down <interface>"
+    echo "   enable <interface>"
+    echo "   reset"
+    echo "   refresh"
+    echo "   restart"
+    echo "   status"
+    echo "   up <interface>"
+    echo "   version"
+    echo
+    echo "Options are:"
+    echo
+    echo "   -v and -q        Standard Shorewall verbosity controls"
+    echo "   -n               Don't unpdate routing configuration"
+    echo "   -p               Purge Conntrack Table"
+    echo "   -t               Timestamp progress Messages"
+    echo "   -V <verbosity>   Set verbosity explicitly"
+    echo "   -R <file>        Override RESTOREFILE setting"
+    exit $1
+}
+
+checkkernelversion() {
+    local kernel
+
+    kernel=$(uname -r 2> /dev/null | sed -e 's/-.*//')
+
+    case "$kernel" in 
+	*.*.*)
+	    kernel=$(printf "%d%02d%02d" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
+	    ;;
+	*)
+	    kernel=$(printf "%d%02d00" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2/g'))
+	    ;;
+    esac
+
+    if [ $kernel -lt 20624 ]; then
+	error_message "ERROR: $g_product requires Linux kernel 2.6.24 or later"
+	return 1
+    else
+	return 0
+    fi
+}
+################################################################################
+# E X E C U T I O N    B E G I N S   H E R E				       #
+################################################################################
+#
+# Start trace if first arg is "debug" or "trace"
+#
+if [ $# -gt 1 ]; then
+    if [ "x$1" = "xtrace" ]; then
+	set -x
+	shift
+    elif [ "x$1" = "xdebug" ]; then
+	DEBUG=Yes
+	shift
+    fi
+fi
+#
+# Map VERBOSE to VERBOSITY for compatibility with old Shorewall6-lite installations
+#
+[ -z "$VERBOSITY" ] && [ -n "$VERBOSE" ] && VERBOSITY=$VERBOSE
+#
+# Map other old exported variables
+#
+g_purge=$PURGE
+g_noroutes=$NOROUTES
+g_timestamp=$TIMESTAMP
+g_recovering=$RECOVERING
+
+initialize
+
+if [ -n "$STARTUP_LOG" ]; then
+    touch $STARTUP_LOG
+    chmod 0600 $STARTUP_LOG
+    if [ ${SHOREWALL_INIT_SCRIPT:-0} -eq 1 ]; then
+	#
+	# We're being run by a startup script that isn't redirecting STDOUT
+	# Redirect it to the log
+	#
+	exec 2>>$STARTUP_LOG
+    fi
+fi
+
+finished=0
+
+while [ $finished -eq 0 -a $# -gt 0 ]; do
+    option=$1
+    case $option in
+	-*)
+	    option=${option#-}
+
+	    [ -z "$option" ] && usage 1
+
+	    while [ -n "$option" ]; do
+		case $option in
+		    v*)
+			[ $VERBOSITY -lt 2 ] && VERBOSITY=$(($VERBOSITY + 1 ))
+			option=${option#v}
+			;;
+		    q*)
+			[ $VERBOSITY -gt -1 ] && VERBOSITY=$(($VERBOSITY - 1 ))
+			option=${option#q}
+			;;
+		    n*)
+			g_noroutes=Yes
+			option=${option#n}
+			;;
+		    t*)
+			g_timestamp=Yes
+			option=${option#t}
+			;;
+		    p*)
+			g_purge=Yes
+			option=${option#p}
+			;;
+		    r*)
+			g_recovering=Yes
+			option=${option#r}
+			;;
+		    V*)
+			option=${option#V}
+
+			if [ -z "$option" -a $# -gt 0 ]; then
+			    shift
+			    option=$1
+			fi
+
+			if [ -n "$option" ]; then
+			    case $option in
+				-1|0|1|2)
+				    VERBOSITY=$option
+				    option=
+				    ;;
+				*)
+				    startup_error "Invalid -V option value ($option)"
+				    ;;
+			    esac
+			else
+			    startup_error "Missing -V option value"
+			fi
+			;;
+		    R*)
+			option=${option#R}
+
+			if [ -z "$option" -a $# -gt 0 ]; then
+			    shift
+			    option=$1
+			fi
+
+			if [ -n "$option" ]; then
+			    case $option in
+				*/*)
+	    			    startup_error "-R must specify a simple file name: $option"
+				    ;;
+				.safe|.try|NONE)
+				    ;;
+				.*)
+				    error_message "ERROR: Reserved File Name: $RESTOREFILE"
+				    exit 2
+				    ;;
+			    esac
+			else
+			    startup_error "Missing -R option value"
+			fi
+
+			RESTOREFILE=$option
+			option=
+			;;
+		esac
+	    done
+	    shift
+	    ;;
+	*)
+	    finished=1
+            ;;
+    esac
+done
+
+COMMAND="$1"
+
+
+case "$COMMAND" in
+    start)
+	[ $# -ne 1 ] && usage 2
+	if shorewall6_is_started; then
+	    error_message "$g_product is already Running"
+	    status=0
+	else
+	    progress_message3 "Starting $g_product...."
+	    if checkkernelversion; then
+		detect_configuration
+		define_firewall
+		status=$?
+		if [ $status -eq 0 ]; then
+		    [ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
+		    progress_message3 "done."
+		fi
+	    fi
+	fi
+	;;
+    stop)
+	[ $# -ne 1 ] && usage 2
+	if checkkernelversion; then
+	    progress_message3 "Stopping $g_product...."
+	    detect_configuration
+	    stop_firewall
+	    status=0
+	    [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
+	    progress_message3 "done."
+	fi
+	;;
+    reset)
+	if ! shorewall6_is_started ; then
+	    error_message "$g_product is not running"
+	    status=2
+	elif checkkernelversion; then
+	    if [ $# -eq 1 ]; then
+		$IP6TABLES -Z
+		$IP6TABLES -t mangle -Z
+		date > ${VARDIR}/restarted
+		status=0
+		progress_message3 "$g_product Counters Reset"
+	    else
+		shift
+		status=0
+		for chain in $@; do
+		    if chain_exists $chain; then
+			if qt $IP6TABLES -Z $chain; then
+			    progress_message3 "Filter $chain Counters Reset"
+			else
+			    error_message "ERROR: Reset of chain $chain failed"
+			    status=2
+			    break
+			fi
+		    else
+			error_message "WARNING: Filter Chain $chain does not exist"
+		    fi
+		done
+	    fi
+	fi
+	;;
+    restart)
+	[ $# -ne 1 ] && usage 2
+	if shorewall6_is_started; then
+	    progress_message3 "Restarting $g_product...."
+	else
+	    error_message "$g_product is not running"
+	    progress_message3 "Starting $g_product...."
+	    COMMAND=start
+	fi
+
+	if checkkernelversion; then
+	    detect_configuration
+	    define_firewall
+	    status=$?
+	    if [ -n "$SUBSYSLOCK" ]; then
+ 		[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
+            fi
+
+	    [ $status -eq 0 ] && progress_message3 "done."
+	fi
+	;;
+    refresh)
+	[ $# -ne 1 ] && usage 2
+	if shorewall6_is_started; then
+	    progress_message3 "Refreshing $g_product...."
+	    if checkkernelversion; then
+		detect_configuration
+		define_firewall
+		status=$?
+		[ $status -eq 0 ] && progress_message3 "done."
+	    fi
+	else
+	    echo "$g_product is not running" >&2
+	    status=2
+	fi
+	;;
+    restore)
+	[ $# -ne 1 ] && usage 2
+	if checkkernelversion; then
+	    detect_configuration
+	    define_firewall
+	    status=$?
+	    if [ -n "$SUBSYSLOCK" ]; then
+ 		[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
+            fi
+	    [ $status -eq 0 ] && progress_message3 "done."
+	fi
+	;;
+    clear)
+	[ $# -ne 1 ] && usage 2
+	progress_message3 "Clearing $g_product...."
+	if checkkernelversion; then
+	    clear_firewall
+	    status=0
+	    if [ -n "$SUBSYSLOCK" ]; then
+		rm -f $SUBSYSLOCK
+	    fi
+	    progress_message3 "done."
+	fi
+	;;
+    status)
+	[ $# -ne 1 ] && usage 2
+	echo "$g_product-$SHOREWALL_VERSION Status at $(hostname) - $(date)"
+	echo
+	if shorewall6_is_started; then
+	    echo "$g_product is running"
+	    status=0
+	else
+	    echo "$g_product is stopped"
+	    status=4
+	fi
+
+	if [ -f ${VARDIR}/state ]; then
+	    state="$(cat ${VARDIR}/state)"
+	    case $state in
+		Stopped*|Clear*)
+		    status=3
+		    ;;
+	    esac
+	else
+	    state=Unknown
+	fi
+	echo "State:$state"
+	echo
+	;;
+    up|down)
+	[ $# -eq 1 ] && exit 0
+	shift
+	[ $# -ne 1 ] && usage 2
+	updown $1
+	status=0
+	;;
+    enable)
+	[ $# -eq 1 ] && exit 0
+	shift
+	[ $# -ne 1 ] && usage 2
+	if shorewall6_is_started; then
+	    detect_configuration
+	    enable_provider $1
+	fi
+	status=0
+	;;
+    disable)
+	[ $# -eq 1 ] && exit 0
+	shift
+	[ $# -ne 1 ] && usage 2
+	if shorewall6_is_started; then
+	    detect_configuration
+	    disable_provider $1
+	fi
+	status=0
+	;;
+    version)
+	[ $# -ne 1 ] && usage 2
+	echo $SHOREWALL_VERSION
+	status=0
+	;;
+    help)
+	[ $# -ne 1 ] && usage 2
+	usage 0
+	;;
+    *)
+	usage 2
+	;;
+esac
+
+exit $status

Shorewall/Perl/prog.header

@@ -27,6 +27,90 @@
 ################################################################################
 # Functions imported from /usr/share/shorewall/prog.header
 ################################################################################
+#
+# Conditionally produce message
+#
+progress_message() # $* = Message
+{
+    local timestamp
+    timestamp=
+
+    if [ $VERBOSITY -gt 1 ]; then
+	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
+	echo "${timestamp}$@"
+    fi
+
+    if [ $LOG_VERBOSITY -gt 1 ]; then
+        timestamp="$(date +'%b %_d %T') "
+        echo "${timestamp}$@" >> $STARTUP_LOG
+    fi
+}
+
+progress_message2() # $* = Message
+{
+    local timestamp
+    timestamp=
+
+    if [ $VERBOSITY -gt 0 ]; then
+	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
+	echo "${timestamp}$@"
+    fi
+
+    if [ $LOG_VERBOSITY -gt 0 ]; then
+        timestamp="$(date +'%b %_d %T') "
+        echo "${timestamp}$@" >> $STARTUP_LOG
+    fi
+}
+
+progress_message3() # $* = Message
+{
+    local timestamp
+    timestamp=
+
+    if [ $VERBOSITY -ge 0 ]; then
+	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
+	echo "${timestamp}$@"
+    fi
+
+    if [ $LOG_VERBOSITY -ge 0 ]; then
+        timestamp="$(date +'%b %_d %T') "
+        echo "${timestamp}$@" >> $STARTUP_LOG
+    fi
+}
+
+#
+# Set a standard chain's policy
+#
+setpolicy() # $1 = name of chain, $2 = policy
+{
+    run_iptables -P $1 $2
+}
+
+#
+# Generate a list of all network interfaces on the system
+#
+find_all_interfaces() {
+    ${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
+}
+
+#
+# Generate a list of all network interfaces on the system that have an ipv4 address
+#
+find_all_interfaces1() {
+    ${IP:-ip} -4 addr list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
+}
+
+#
+# Find the value 'dev' in the passed arguments then echo the next value
+#
+
+find_device() {
+    while [ $# -gt 1 ]; do
+	[ "x$1" = xdev ] && echo $2 && return
+	shift
+    done
+}
+
 #
 # Find the value 'weight' in the passed arguments then echo the next value
 #
@@ -38,6 +122,40 @@ find_weight() {
     done
 }
 
+#
+# Find the value 'via' in the passed arguments then echo the next value
+#
+
+find_gateway() {
+    while [ $# -gt 1 ]; do
+	[ "x$1" = xvia ] && echo $2 && return
+	shift
+    done
+}
+
+#
+# Find the value 'mtu' in the passed arguments then echo the next value
+#
+
+find_mtu() {
+    while [ $# -gt 1 ]; do
+	[ "x$1" = xmtu ] && echo $2 && return
+	shift
+    done
+}
+
+#
+# Find the value 'peer' in the passed arguments then echo the next value up to
+# "/"
+#
+
+find_peer() {
+    while [ $# -gt 1 ]; do
+	[ "x$1" = xpeer ] && echo ${2%/*} && return
+	shift
+    done
+}
+
 #
 # Find the interfaces that have a route to the passed address - the default
 # route is not used.
@@ -60,6 +178,23 @@ find_rt_interface() {
     done
 }
 
+#
+# Try to find the gateway through an interface looking for 'nexthop'
+
+find_nexthop() # $1 = interface
+{
+    echo $(find_gateway `$IP -4 route list | grep "[[:space:]]nexthop.* $1"`)
+}
+
+#
+# Find the default route's interface
+#
+find_default_interface() {
+    $IP -4 route list | while read first rest; do
+	[ "$first" = default ] && echo $(find_device $rest) && return
+    done
+}
+
 #
 # Echo the name of the interface(s) that will be used to send to the
 # passed address
@@ -76,6 +211,31 @@ find_interface_by_address() {
     [ -n "$dev" ] && echo $dev
 }
 
+#
+# Determine if Interface is up
+#
+interface_is_up() {
+    [ -n "$($IP link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ]
+}
+
+#
+# Determine if interface is usable from a Netfilter prespective
+#
+interface_is_usable() # $1 = interface
+{
+    [ "$1" = lo ] && return 0
+    interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != 0.0.0.0 ] && run_isusable_exit $1
+}
+
+#
+# Find interface addresses--returns the set of addresses assigned to the passed
+# device
+#
+find_interface_addresses() # $1 = interface
+{
+    $IP -f inet addr show $1 2> /dev/null | grep inet\  | sed 's/\s*inet //;s/\/.*//;s/ peer.*//'
+}
+
 #
 #  echo the list of networks routed out of a given interface
 #
@@ -268,6 +428,178 @@ disable_ipv6() {
     fi
 }
 
+#
+# Clear the current traffic shaping configuration
+#
+
+delete_tc1()
+{
+    clear_one_tc() {
+        $TC qdisc del dev $1 root 2> /dev/null
+        $TC qdisc del dev $1 ingress 2> /dev/null
+
+    }
+
+    run_tcclear_exit
+
+    run_ip link list | \
+    while read inx interface details; do
+        case $inx in
+            [0-9]*)
+                clear_one_tc ${interface%:}
+                ;;
+            *)
+                ;;
+        esac
+    done
+}
+
+#
+# Detect a device's MTU -- echos the passed device's MTU
+#
+get_device_mtu() # $1 = device
+{
+    local output
+    output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash
+
+    if [ -n "$output" ]; then
+	echo $(find_mtu $output)
+    else
+	echo 1500
+    fi
+}
+
+#
+# Version of the above that doesn't generate any output for MTU 1500.
+# Generates 'mtu <mtu+>' otherwise, where <mtu+> is the device's MTU + 100
+#
+get_device_mtu1() # $1 = device
+{
+    local output
+    output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash
+    local mtu
+
+    if [ -n "$output" ]; then
+	mtu=$(find_mtu $output)
+	if [ -n "$mtu" ]; then
+	    [ $mtu = 1500 ] || echo mtu $(($mtu + 100))
+	fi
+    fi
+
+}
+
+#
+# Undo changes to routing
+#
+undo_routing() {
+    local undofiles
+    local f
+
+    if [ -z "$g_noroutes"  ]; then
+	#
+	# Restore rt_tables database
+	#
+	if [ -f ${VARDIR}/rt_tables ]; then
+	    [ -w /etc/iproute2/rt_table -a -z "$KEEP_RT_TABLES" ] && cp -f ${VARDIR}/rt_tables /etc/iproute2/ && progress_message "/etc/iproute2/rt_tables database restored"
+	    rm -f ${VARDIR}/rt_tables
+	fi
+	#
+	# Restore the rest of the routing table
+	#
+	undofiles="$(ls ${VARDIR}/undo_*routing 2> /dev/null)"
+
+	if [ -n "$undofiles" ]; then
+	    for f in $undofiles; do
+		. $f
+	    done
+
+	    rm -f $undofiles
+
+            progress_message "Shorewall-generated routing tables and routing rules removed"
+	fi
+    fi
+
+}
+
+#
+# Save the default route
+#
+save_default_route() {
+    awk \
+    'BEGIN        {defroute=0;};
+     /^default /  {defroute=1; print; next};
+     /nexthop/    {if (defroute == 1 ) {print ; next} };
+                  { defroute=0; };'
+}
+
+#
+# Restore the default route that was in place before the initial 'shorewall start'
+#
+replace_default_route() # $1 = USE_DEFAULT_RT
+{
+    #
+    # default_route and result are inherited from the caller
+    #
+    if [ -n "$default_route" ]; then
+	case "$default_route" in
+	    *metric*)
+	        #
+	        # Don't restore a default route with a metric unless USE_DEFAULT_RT=Yes. Otherwise, we only replace the one with metric 0
+	        #
+		[ -n "$1" ] && qt $IP -4 route replace $default_route && progress_message "Default Route (${default_route# }) restored"
+		default_route=
+		;;
+	    *)
+		qt $IP -4 route replace $default_route && progress_message "Default Route (${default_route# }) restored"
+		result=0
+		default_route=
+		;;
+	esac
+    fi
+}
+
+restore_default_route() # $1 = USE_DEFAULT_RT
+{
+    local result
+    result=1
+
+    if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then
+	local default_route
+	default_route=
+	local route
+
+	while read route ; do
+	    case $route in
+		default*)
+		    replace_default_route $1
+		    default_route="$default_route $route"
+		    ;;
+		*)
+		    default_route="$default_route $route"
+		    ;;
+	    esac
+	done < ${VARDIR}/default_route
+
+	replace_default_route $1
+	
+	if [ $result = 1 ]; then
+	    #
+	    # We didn't restore a default route with metric 0
+	    #
+	    if $IP -4 -o route list 2> /dev/null | fgrep default | fgrep -qv metric; then
+	       #
+	       # But we added a default route with metric 0
+	       #
+	       qt $IP -4 route del default metric 0 && progress_message "Default route with metric 0 deleted"
+	    fi
+	fi
+
+	rm -f ${VARDIR}/default_route
+    fi
+
+    return $result
+}
+
 #
 # Add an additional gateway to the default route
 #
@@ -343,6 +675,20 @@ find_mac() # $1 = IP address, $2 = interface
     fi
 }
 
+#
+# Flush the conntrack table if $g_purge is non-empty
+#
+conditionally_flush_conntrack() {
+
+    if [ -n "$g_purge" ]; then
+	if [ -n $(mywhich conntrack) ]; then
+            conntrack -F
+	else
+            error_message "WARNING: The '-p' option requires the conntrack utility which does not appear to be installed on this system"
+	fi
+    fi
+}
+
 #
 # Clear Proxy Arp
 #
@@ -389,6 +735,124 @@ clear_firewall() {
     logger -p kern.info "$g_product Cleared"
 }
 
+#
+# Issue a message and stop/restore the firewall
+#
+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+
+    if [ $LOG_VERBOSITY -ge 0 ]; then
+        timestamp="$(date +'%_b %d %T') "
+        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
+    fi
+
+    stop_firewall
+    [ -n "$TEMPFILE" ] && rm -f $TEMPFILE
+    exit 2
+}
+
+#
+# Issue a message and stop
+#
+startup_error() # $* = Error Message
+{
+    echo "   ERROR: $@: Firewall state not changed" >&2
+
+    if [ $LOG_VERBOSITY -ge 0 ]; then
+        timestamp="$(date +'%_b %d %T') "
+        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
+    fi
+
+    case $COMMAND in
+        start)
+	    logger -p kern.err "ERROR:$g_product start failed:Firewall state not changed"
+	    ;;
+	restart)
+	    logger -p kern.err "ERROR:$g_product restart failed:Firewall state not changed"
+	    ;;
+	restore)
+	    logger -p kern.err "ERROR:$g_product restore failed:Firewall state not changed"
+	    ;;
+    esac
+
+    if [ $LOG_VERBOSITY -ge 0 ]; then
+        timestamp="$(date +'%_b %d %T') "
+
+	case $COMMAND in
+	    start)
+		echo "${timestamp}  ERROR:$g_product start failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	    restart)
+		echo "${timestamp}  ERROR:$g_product restart failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	    restore)
+		echo "${timestamp}  ERROR:$g_product restore failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	esac
+    fi
+
+    kill $$
+    exit 2
+}
+
+#
+# Run iptables and if an error occurs, stop/restore the firewall
+#
+run_iptables()
+{
+    local status
+
+    while [ 1 ]; do
+	$IPTABLES $@
+	status=$?
+	[ $status -ne 4 ] && break
+    done
+
+    if [ $status -ne 0 ]; then
+        error_message "ERROR: Command \"$IPTABLES $@\" Failed"
+	stop_firewall
+        exit 2
+    fi
+}
+
+#
+# Run iptables retrying exit status 4
+#
+do_iptables()
+{
+    local status
+
+    while [ 1 ]; do
+	$IPTABLES $@
+	status=$?
+	[ $status -ne 4 ] && return $status;
+    done
+}
+
+#
+# Run iptables and if an error occurs, stop/restore the firewall
+#
+run_ip()
+{
+    if ! $IP -4 $@; then
+	error_message "ERROR: Command \"$IP -4 $@\" Failed"
+	stop_firewall
+	exit 2
+    fi
+}
+
+#
+# Run tc and if an error occurs, stop/restore the firewall
+#
+run_tc() {
+    if ! $TC $@ ; then
+	error_message "ERROR: Command \"$TC $@\" Failed"
+	stop_firewall
+	exit 2
+    fi
+}
+
 #
 # Get a list of all configured broadcast addresses on the system
 #
@@ -397,6 +861,97 @@ get_all_bcasts()
     $IP -f inet addr show 2> /dev/null | grep 'inet.*brd' | grep -v '/32 ' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
 }
 
+#
+# Run the .iptables_restore_input as a set of discrete iptables commands
+#
+debug_restore_input() {
+    local first second rest table chain
+    #
+    # Clear the ruleset
+    #
+    qt1 $IPTABLES -t mangle -F
+    qt1 $IPTABLES -t mangle -X
+
+    for chain in PREROUTING INPUT FORWARD POSTROUTING; do
+	qt1 $IPTABLES -t mangle -P $chain ACCEPT
+    done
+
+    qt1 $IPTABLES -t raw     -F
+    qt1 $IPTABLES -t raw     -X
+    qt1 $IPTABLES -t rawpost -F
+    qt1 $IPTABLES -t rawpost -X
+
+    for chain in PREROUTING OUTPUT; do
+	qt1 $IPTABLES -t raw -P $chain ACCEPT
+    done
+
+    qt1 $iptables -T rawpost -P POSTROUTING ACCEPT
+
+    run_iptables -t nat -F
+    run_iptables -t nat -X
+
+    for chain in PREROUTING POSTROUTING OUTPUT; do
+	qt1 $IPTABLES -t nat -P $chain ACCEPT
+    done
+
+    qt1 $IPTABLES -t filter -F
+    qt1 $IPTABLES -t filter -X
+
+    for chain in INPUT FORWARD OUTPUT; do
+	qt1 $IPTABLES -t filter -P $chain -P ACCEPT
+    done
+
+    while read first second rest; do
+	case $first in
+	    -*)
+		#
+		# We can't call run_iptables() here because the rules may contain quoted strings
+		#
+		eval $IPTABLES -t $table $first $second $rest
+
+		if [ $? -ne 0 ]; then
+		    error_message "ERROR: Command \"$IPTABLES $first $second $rest\" Failed"
+		    stop_firewall
+		    exit 2
+		fi
+		;;
+	    :*)
+		chain=${first#:}
+
+		if [ "x$second" = x- ]; then
+		    do_iptables -t $table -N $chain
+		else
+		    do_iptables -t $table -P $chain $second
+		fi
+
+		if [ $? -ne 0 ]; then
+		    error_message "ERROR: Command \"$IPTABLES $first $second $rest\" Failed"
+		    stop_firewall
+		    exit 2
+		fi
+		;;
+	    #
+	    # This grotesque hack with the table names works around a bug/feature with ash
+	    #
+	    '*'raw)
+		table=raw
+		;;
+	    '*'rawpost)
+		table=rawpost
+		;;
+	    '*'mangle)
+		table=mangle
+		;;
+	    '*'nat)
+		table=nat
+		;;
+	    '*'filter)
+		table=filter
+		;;
+	esac
+    done
+}
+
 ################################################################################
 # End of functions in /usr/share/shorewall/prog.header
 ################################################################################

Shorewall/Perl/prog.header6

@@ -27,6 +27,166 @@
 ################################################################################
 # Functions imported from /usr/share/shorewall/prog.header6
 ################################################################################
+#
+# Conditionally produce message
+#
+progress_message() # $* = Message
+{
+    local timestamp
+    timestamp=
+
+    if [ $VERBOSITY -gt 1 ]; then
+	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
+	echo "${timestamp}$@"
+    fi
+
+    if [ $LOG_VERBOSITY -gt 1 ]; then
+        timestamp="$(date +'%b %_d %T') "
+        echo "${timestamp}$@" >> $STARTUP_LOG
+    fi
+}
+
+progress_message2() # $* = Message
+{
+    local timestamp
+    timestamp=
+
+    if [ $VERBOSITY -gt 0 ]; then
+	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
+	echo "${timestamp}$@"
+    fi
+
+    if [ $LOG_VERBOSITY -gt 0 ]; then
+        timestamp="$(date +'%b %_d %T') "
+        echo "${timestamp}$@" >> $STARTUP_LOG
+    fi
+}
+
+progress_message3() # $* = Message
+{
+    local timestamp
+    timestamp=
+
+    if [ $VERBOSITY -ge 0 ]; then
+	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
+	echo "${timestamp}$@"
+    fi
+
+    if [ $LOG_VERBOSITY -ge 0 ]; then
+        timestamp="$(date +'%b %_d %T') "
+        echo "${timestamp}$@" >> $STARTUP_LOG
+    fi
+}
+
+#
+# Set a standard chain's policy
+#
+setpolicy() # $1 = name of chain, $2 = policy
+{
+    run_iptables -P $1 $2
+}
+
+#
+# Generate a list of all network interfaces on the system
+#
+find_all_interfaces() {
+    ${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
+}
+
+#
+# Generate a list of all network interfaces on the system that have an ipv6 address
+#
+find_all_interfaces1() {
+    ${IP:-ip} -6 addr list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
+}
+
+#
+# Find the value 'dev' in the passed arguments then echo the next value
+#
+
+find_device() {
+    while [ $# -gt 1 ]; do
+	[ "x$1" = xdev ] && echo $2 && return
+	shift
+    done
+}
+
+#
+# Find the value 'via' in the passed arguments then echo the next value
+#
+
+find_gateway() {
+    while [ $# -gt 1 ]; do
+	[ "x$1" = xvia ] && echo $2 && return
+	shift
+    done
+}
+
+#
+# Find the value 'mtu' in the passed arguments then echo the next value
+#
+
+find_mtu() {
+    while [ $# -gt 1 ]; do
+	[ "x$1" = xmtu ] && echo $2 && return
+	shift
+    done
+}
+
+#
+# Find the value 'peer' in the passed arguments then echo the next value up to
+# "/"
+#
+
+find_peer() {
+    while [ $# -gt 1 ]; do
+	[ "x$1" = xpeer ] && echo ${2%/*} && return
+	shift
+    done
+}
+
+#
+# Try to find the gateway through an interface looking for 'nexthop'
+
+find_nexthop() # $1 = interface
+{
+    echo $(find_gateway `$IP -6 route list | grep "[[:space:]]nexthop.* $1"`)
+}
+
+#
+# Find the default route's interface
+#
+find_default_interface() {
+    $IP -6 route list | while read first rest; do
+	[ "$first" = default ] && echo $(find_device $rest) && return
+    done
+}
+
+#
+# Determine if Interface is up
+#
+interface_is_up() {
+    [ -n "$($IP -6 link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ]
+}
+
+#
+# Determine if interface is usable from a Netfilter prespective
+#
+interface_is_usable() # $1 = interface
+{
+    [ "$1" = lo ] && return 0
+    interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ] && run_isusable_exit $1
+}
+
+#
+# Find interface addresses--returns the set of addresses assigned to the passed
+# device
+#
+find_interface_addresses() # $1 = interface
+{
+    $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2' | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//'
+}
+
 #
 # Get all interface addresses with VLSMs
 #
@@ -36,6 +196,64 @@ find_interface_full_addresses() # $1 = interface
     $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 ' | sed 's/\s*inet6 //;s/ scope.*//;s/ peer.*//'
 }
 
+#
+# Add an additional gateway to the default route
+#
+add_gateway() # $1 = Delta $2 = Table Number
+{
+    local route
+    local weight
+    local delta
+    local dev
+    
+    run_ip route add default scope global table $2 $1
+}
+
+#
+# Remove a gateway from the default route
+#
+delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device
+{
+    local route
+    local gateway
+    local dev
+
+    route=`$IP -6 -o route ls table $2 | grep ^default | sed 's/[\]//g'`
+    gateway=$1
+  
+    dev=$(find_device $route)
+    [ "$dev" = "$3" ] && run_ip route delete default table $2
+}
+
+#
+#  echo the list of networks routed out of a given interface
+#
+get_routed_networks() # $1 = interface name, $2-n = Fatal error message
+{
+    local address
+    local rest
+
+    $IP -6 route show dev $1 2> /dev/null |
+	while read address rest; do
+	    case "$address" in
+		default)
+		    if [ $# -gt 1 ]; then
+			shift
+			fatal_error "$@"
+		    else
+			echo "WARNING: default route ignored on interface $1" >&2
+		    fi
+		    ;;
+		multicast|broadcast|prohibit|nat|throw|nexthop)
+		    ;;
+		[2-9]*)
+		    [ "$address" = "${address%/*}" ] && address="${address}/128"
+		    echo $address
+		    ;;
+	    esac
+        done
+}
+
 #
 # Normalize an IPv6 Address by compressing out consecutive zero elements
 #
@@ -220,33 +438,172 @@ detect_gateway() # $1 = interface
     [ -n "$gateway" ] && echo $gateway
 }
 
-#
-# Add an additional gateway to the default route
-#
-add_gateway() # $1 = Delta $2 = Table Number
+delete_tc1()
 {
-    local route
-    local weight
-    local delta
-    local dev
+    clear_one_tc() {
+        $TC qdisc del dev $1 root 2> /dev/null
+        $TC qdisc del dev $1 ingress 2> /dev/null
 
-    run_ip route add default scope global table $2 $1
+    }
+
+    run_tcclear_exit
+
+    run_ip link list | \
+    while read inx interface details; do
+        case $inx in
+            [0-9]*)
+                clear_one_tc ${interface%:}
+                ;;
+            *)
+                ;;
+        esac
+    done
 }
 
 #
-# Remove a gateway from the default route
+# Detect a device's MTU -- echos the passed device's MTU
 #
-delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device
+get_device_mtu() # $1 = device
 {
-    local route
-    local gateway
-    local dev
+    local output
+    output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash
 
-    route=`$IP -6 -o route ls table $2 | grep ^default | sed 's/[\]//g'`
-    gateway=$1
+    if [ -n "$output" ]; then
+	echo $(find_mtu $output)
+    else
+	echo 1500
+    fi
+}
 
-    dev=$(find_device $route)
-    [ "$dev" = "$3" ] && run_ip route delete default table $2
+#
+# Version of the above that doesn't generate any output for MTU 1500.
+# Generates 'mtu <mtu+>' otherwise, where <mtu+> is the device's MTU + 100
+#
+get_device_mtu1() # $1 = device
+{
+    local output
+    output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash
+    local mtu
+
+    if [ -n "$output" ]; then
+	mtu=$(find_mtu $output)
+	if [ -n "$mtu" ]; then
+	    [ $mtu = 1500 ] || echo mtu $(($mtu + 100))
+	fi
+    fi
+
+}
+
+#
+# Undo changes to routing
+#
+undo_routing() {
+    local undofiles
+    local f
+
+    if [ -z "$g_noroutes"  ]; then
+	#
+	# Restore rt_tables database
+	#
+	if [ -f ${VARDIR}/rt_tables ]; then
+	    [ -w /etc/iproute2/rt_table -a -z "$KEEP_RT_TABLES" ] && cp -f ${VARDIR}/rt_tables /etc/iproute2/ && progress_message "/etc/iproute2/rt_tables database restored"
+	    rm -f ${VARDIR}/rt_tables
+	fi
+	#
+	# Restore the rest of the routing table
+	#
+	undofiles="$(ls ${VARDIR}/undo_*routing 2> /dev/null)"
+
+	if [ -n "$undofiles" ]; then
+	    for f in $undofiles; do
+		. $f
+	    done
+
+	    rm -f $undofiles
+
+            progress_message "Shorewall6-generated routing tables and routing rules removed"
+	fi
+    fi
+
+}
+
+#
+# Save the default route
+#
+save_default_route() {
+    awk \
+    'BEGIN        {defroute=0;};
+     /^default /  {defroute=1; print; next};
+     /nexthop/    {if (defroute == 1 ) {print ; next} };
+                  { defroute=0; };'
+}
+
+#
+# Restore the default route that was in place before the initial 'shorewall start'
+#
+replace_default_route() # $1 = USE_DEFAULT_RT
+{
+    #
+    # default_route and result are inherited from the caller
+    #
+    if [ -n "$default_route" ]; then
+	case "$default_route" in
+	    *metric*)
+	        #
+	        # Don't restore a default route with a metric unless USE_DEFAULT_RT=Yes. Otherwise, we only replace the one with metric 0
+	        #
+		[ -n "$1" ] && qt $IP -6 route replace $default_route && progress_message "Default Route (${default_route# }) restored"
+		default_route=
+		;;
+	    *)
+		qt $IP -6 route replace $default_route && progress_message "Default Route (${default_route# }) restored"
+		result=0
+		default_route=
+		;;
+	esac
+    fi
+}
+
+restore_default_route() # $1 = USE_DEFAULT_RT
+{
+    local result
+    result=1
+
+    if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then
+	local default_route
+	default_route=
+	local route
+
+	while read route ; do
+	    case $route in
+		default*)
+		    replace_default_route $1
+		    default_route="$default_route $route"
+		    ;;
+		*)
+		    default_route="$default_route $route"
+		    ;;
+	    esac
+	done < ${VARDIR}/default_route
+
+	replace_default_route $1
+	
+	if [ $result = 1 ]; then
+	    #
+	    # We didn't restore a default route with metric 0
+	    #
+	    if $IP -6 -o route list 2> /dev/null | fgrep default | fgrep -qv metric; then
+	       #
+	       # But we added a default route with metric 0
+	       #
+	       qt $IP -6 route del default metric 0 && progress_message "Default route with metric 0 deleted"
+	    fi
+	fi
+
+	rm -f ${VARDIR}/default_route
+    fi
+
+    return $result
 }
 
 #
@@ -268,6 +625,20 @@ find_echo() {
     echo echo
 }
 
+#
+# Flush the conntrack table if $g_purge is non-empty
+#
+conditionally_flush_conntrack() {
+
+    if [ -n "$g_purge" ]; then
+	if [ -n $(which conntrack) ]; then
+            conntrack -F
+	else
+            error_message "WARNING: The '-p' option requires the conntrack utility which does not appear to be installed on this system"
+	fi
+    fi
+}
+
 #
 # Clear Proxy NDP
 #
@@ -306,6 +677,204 @@ clear_firewall() {
     logger -p kern.info "$g_product Cleared"
 }
 
+#
+# Issue a message and stop/restore the firewall
+#
+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+
+    if [ $LOG_VERBOSITY -gt 1 ]; then
+        timestamp="$(date +'%_b %d %T') "
+        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
+    fi
+
+    stop_firewall
+    [ -n "$TEMPFILE" ] && rm -f $TEMPFILE
+    exit 2
+}
+
+#
+# Issue a message and stop
+#
+startup_error() # $* = Error Message
+{
+    echo "   ERROR: $@: Firewall state not changed" >&2
+
+    if [ $LOG_VERBOSITY -ge 0 ]; then
+        timestamp="$(date +'%_b %d %T') "
+        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
+    fi
+
+    case $COMMAND in
+        start)
+	    logger -p kern.err "ERROR:$g_product start failed:Firewall state not changed"
+	    ;;
+	restart)
+	    logger -p kern.err "ERROR:$g_product restart failed:Firewall state not changed"
+	    ;;
+	restore)
+	    logger -p kern.err "ERROR:$g_product restore failed:Firewall state not changed"
+	    ;;
+    esac
+
+    if [ $LOG_VERBOSITY -gt 1 ]; then
+        timestamp="$(date +'%_b %d %T') "
+
+	case $COMMAND in
+	    start)
+		echo "${timestamp}  ERROR:$g_product start failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	    restart)
+		echo "${timestamp}  ERROR:$g_product restart failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	    restore)
+		echo "${timestamp}  ERROR:$g_product restore failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	esac
+    fi
+
+    kill $$
+    exit 2
+}
+
+#
+# Run iptables and if an error occurs, stop/restore the firewall
+#
+run_iptables()
+{
+    local status
+
+    while [ 1 ]; do
+	$IP6TABLES $@
+	status=$?
+	[ $status -ne 4 ] && break
+    done
+
+    if [ $status -ne 0 ]; then
+        error_message "ERROR: Command \"$IP6TABLES $@\" Failed"
+	stop_firewall
+        exit 2
+    fi
+}
+
+#
+# Run iptables retrying exit status 4
+#
+do_iptables()
+{
+    local status
+
+    while [ 1 ]; do
+	$IP6TABLES $@
+	status=$?
+	[ $status -ne 4 ] && return $status;
+    done
+}
+
+#
+# Run iptables and if an error occurs, stop/restore the firewall
+#
+run_ip()
+{
+    if ! $IP -6 $@; then
+	error_message "ERROR: Command \"$IP -6 $@\" Failed"
+	stop_firewall
+	exit 2
+    fi
+}
+
+#
+# Run tc and if an error occurs, stop/restore the firewall
+#
+run_tc() {
+    if ! $TC $@ ; then
+	error_message "ERROR: Command \"$TC $@\" Failed"
+	stop_firewall
+	exit 2
+    fi
+}
+
+#
+# Run the .iptables_restore_input as a set of discrete iptables commands
+#
+debug_restore_input() {
+    local first second rest table chain
+    #
+    # Clear the ruleset
+    #
+    qt1 $IP6TABLES -t mangle -F
+    qt1 $IP6TABLES -t mangle -X
+
+    for chain in PREROUTING INPUT FORWARD POSTROUTING; do
+	qt1 $IP6TABLES -t mangle -P $chain ACCEPT
+    done
+
+    qt1 $IP6TABLES -t raw    -F
+    qt1 $IP6TABLES -t raw    -X
+
+    for chain in PREROUTING OUTPUT; do
+	qt1 $IP6TABLES -t raw -P $chain ACCEPT
+    done
+
+    qt1 $IP6TABLES -t filter -F
+    qt1 $IP6TABLES -t filter -X
+
+    for chain in INPUT FORWARD OUTPUT; do
+	qt1 $IP6TABLES -t filter -P $chain -P ACCEPT
+    done
+
+    while read first second rest; do
+	case $first in
+	    -*)
+		#
+		# We can't call run_iptables() here because the rules may contain quoted strings
+		#
+		eval $IP6TABLES -t $table $first $second $rest
+
+		if [ $? -ne 0 ]; then
+		    error_message "ERROR: Command \"$IP6TABLES $first $second $rest\" Failed"
+		    stop_firewall
+		    exit 2
+		fi
+		;;
+	    :*)
+		chain=${first#:}
+
+		if [ "x$second" = x- ]; then
+		    do_iptables -t $table -N $chain
+		else
+		    do_iptables -t $table -P $chain $second
+		fi
+
+		if [ $? -ne 0 ]; then
+		    error_message "ERROR: Command \"$IP6TABLES $first $second $rest\" Failed"
+		    stop_firewall
+		    exit 2
+		fi
+		;;
+	    #
+	    # This grotesque hack with the table names works around a bug/feature with ash
+	    #
+	    '*'raw)
+		table=raw
+		;;
+	    '*'rawpost)
+		table=rawpost
+		;;
+	    '*'mangle)
+		table=mangle
+		;;
+	    '*'nat)
+		table=nat
+		;;
+	    '*'filter)
+		table=filter
+		;;
+	esac
+    done
+}
+
 ################################################################################
 # End of functions imported from /usr/share/shorewall/prog.header6
 ################################################################################

Shorewall/configfiles/route_rules

@@ -1,7 +1,7 @@
 #
-# Shorewall version 4 - route rules File
+# Shorewall version 4 - route_rules File
 #
-# For information about entries in this file, type "man shorewall-rtrules"
+# For information about entries in this file, type "man shorewall-route_rules"
 #
 # For additional information, see http://www.shorewall.net/MultiISP.html
 ####################################################################################

Shorewall/configfiles/rules

@@ -9,6 +9,7 @@
 ######################################################################################################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
+#SECTION BLACKLIST
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED

Shorewall/configfiles/tcrules

@@ -9,7 +9,6 @@
 #
 # See http://shorewall.net/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
-######################################################################################################################################
-#MARK	SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS   CONNBYTES		HELPER    PROBABILITY
+######################################################################################################################
+#MARK	SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS   CONNBYTES		HELPER
 #						PORT(S)	PORT(S)
-

Shorewall/default.debian

@@ -16,20 +16,11 @@ startup=0
 #    wait_interface=
 
 #
-# Global start/restart/stop options
+# Startup options
 #
+
 OPTIONS=""
 
-#
-# Start options
-#
-STARTOPTIONS=""
-
-#
-# Restart options
-#
-RESTARTOPTIONS=""
-
 #
 # Init Log -- if /dev/null, use the STARTUP_LOG defined in shorewall.conf
 #
@@ -39,6 +30,7 @@ INITLOG=/dev/null
 # Set this to 1 to cause '/etc/init.d/shorewall stop' to place the firewall in
 # a safe state rather than to open it
 #
+
 SAFESTOP=0
 
 # EOF

Shorewall/init.debian.sh

@@ -86,7 +86,7 @@ wait_for_pppd () {
 shorewall_start () {
   echo -n "Starting \"Shorewall firewall\": "
   wait_for_pppd
-  $SRWL $SRWL_OPTS start $STARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
+  $SRWL $SRWL_OPTS start >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
 }
 
@@ -104,7 +104,7 @@ shorewall_stop () {
 # restart the firewall
 shorewall_restart () {
   echo -n "Restarting \"Shorewall firewall\": "
-  $SRWL $SRWL_OPTS restart $RESTARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
+  $SRWL $SRWL_OPTS restart >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
 }
 

Shorewall/init.sh

@@ -74,17 +74,17 @@ export SHOREWALL_INIT_SCRIPT=1
 # E X E C U T I O N    B E G I N S   H E R E				       #
 ################################################################################
 command="$1"
-shift
 
 case "$command" in
-    start)
-	exec /sbin/shorewall $OPTIONS start $STARTOPTIONS $@
+    start|restart|stop)
+	exec /sbin/shorewall $OPTIONS $@
 	;;
-    restart|reload)
-	exec /sbin/shorewall $OPTIONS restart $RESTARTOPTIONS $@
+    stop|restart|status)
+	exec /sbin/shorewall $@
 	;;
-    status|stop)
-	exec /sbin/shorewall $OPTIONS $command $@
+    reload)
+	shift
+	exec /sbin/shorewall $OPTIONS restart $@
 	;;
     *)
 	usage

Shorewall/lib.base

@@ -1,9 +1,9 @@
 #
-# Shorewall 4.5 -- /usr/share/shorewall/lib.base
+# Shorewall 4.4 -- /usr/share/shorewall/lib.base
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 1999-2012 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -27,49 +27,14 @@
 #   and /usr/share/shorewall[6]-lite/shorecap.
 #
 
-SHOREWALL_LIBVERSION=40500
-SHOREWALL_CAPVERSION=40501
+SHOREWALL_LIBVERSION=40407
+SHOREWALL_CAPVERSION=40427
 
 [ -n "${g_program:=shorewall}" ]
-
-case $g_program in
-    shorewall)
-	SHAREDIR=/usr/share/shorewall
-	CONFDIR=/etc/shorewall
-	g_product="Shorewall"
-	g_family=4
-	g_tool=
-	g_basedir=/usr/share/shorewall
-	g_lite=
-	;;
-    shorewall6)
-	SHAREDIR=/usr/share/shorewall6
-	CONFDIR=/etc/shorewall6
-	g_product="Shorewall6"
-	g_family=6
-	g_tool=
-	g_basedir=/usr/share/shorewall
-	g_lite=
-	;;
-    shorewall-lite)
-	SHAREDIR=/usr/share/shorewall-lite
-	CONFDIR=/etc/shorewall-lite
-	g_product="Shorewall Lite"
-	g_family=4
-	g_tool=iptables
-	g_basedir=/usr/share/shorewall-lite
-	g_lite=Yes
-	;;
-    shorewall6-lite)
-	SHAREDIR=/usr/share/shorewall6-lite
-	CONFDIR=/etc/shorewall6-lite
-	g_product="Shorewall6 Lite"
-	g_family=6
-	g_tool=ip6tables
-	g_basedir=/usr/share/shorewall6-lite
-	g_lite=Yes
-	;;
-esac
+[ -n "${VARDIR:=/var/lib/$g_program}" ]
+[ -n "${SHAREDIR:=/usr/share/$g_program}" ]
+[ -n "${CONFDIR:=/etc/$g_program}" ]
+[ -n "${g_family:=4}" ]
 
 #
 # Conditionally produce message
@@ -186,7 +151,33 @@ mutex_off()
     rm -f ${LOCKFILE:=${VARDIR}/lock}
 }
 
-[ -z "$LEFTSHIFT" ] && . /usr/share/shorewall/lib.common
+#
+# Find the interface with the passed MAC address
+#
+
+find_interface_by_mac() {
+    local mac
+    mac=$1
+    local first
+    local second
+    local rest
+    local dev
+
+    $IP link list | while read first second rest; do
+	case $first in
+	    *:)
+                dev=$second
+		;;
+	    *)
+	        if [ "$second" = $mac ]; then
+		    echo ${dev%:}
+		    return
+		fi
+	esac
+    done
+}
+
+[ -z "$LEFTSHIFT" ] && . ${g_basedir}/lib.common
 
 #
 # Validate an IP address

Shorewall/lib.cli

@@ -1,9 +1,9 @@
 #
-# Shorewall 4.5 -- /usr/share/shorewall/lib.cli.
+# Shorewall 4.4 -- /usr/share/shorewall/lib.cli.
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 1999-2012 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -23,7 +23,7 @@
 # This library contains the command processing code common to /sbin/shorewall[6] and
 # /sbin/shorewall[6]-lite.
 #
-. /usr/share/shorewall/lib.base
+
 #
 # Fatal Error
 #
@@ -410,34 +410,6 @@ save_config() {
 
 }
 
-#
-# Recent Linux systems seem to like to print a randomly-ordered
-# view of routing tables. This hack sorts the output into the
-# order we all know and love
-#
-sort_routes() {
-    local dest 
-    local rest
-    local crvsn
-
-    while read dest rest; do
-	if [ -n "$dest" ]; then
-	    case "$dest" in
-		default)
-		    echo "00 $dest $rest"
-		    ;;
-		*/*)
-		    crvsn=${dest#*/}
-		    printf "%02d %s\n" $crvsn "$dest $rest"
-		    ;;
-		*)
-		    echo "32 $dest $rest"
-		    ;;
-	    esac
-	fi
-    done | sort -r | while read dest rest; do echo $rest; done
-}
-
 #
 # Show routing configuration
 #
@@ -452,7 +424,7 @@ show_routing() {
 	    if [ $g_family -eq 6 ]; then
 		ip -$g_family -o route list table $table | fgrep -v cache
 	    else
-		ip -4 -o route list table $table | sort_routes
+		ip -4 route list table $table
 	    fi
 	done
 
@@ -462,11 +434,7 @@ show_routing() {
 	fi
     else
 	heading "Routing Table"
-	if [ $g_family -eq 6 ]; then
-	    ip -$g_family -o route list | fgrep -v cache
-	else
-	    ip -4 -o route list table $table | sort_routes
-	fi
+	ip -$g_family route list
     fi
 }
 
@@ -542,16 +510,14 @@ version_command() {
 
     [ $# -gt 0 ] && usage 1
 
-    if [ -n "$all" ]; then
-	echo "shorewall-core: $(cat /usr/share/shorewall/coreversion)"
+    echo $SHOREWALL_VERSION
 
+    if [ -n "$all" ]; then
 	for product in shorewall shorewall6 shorewall-lite shorewall6-lite shorewall-init; do
-	    if [ -f /usr/share/$product/version ]; then
+	    if [ $product != $g_program -a -f /usr/share/$product/version ]; then
 		echo "$product: $(cat /usr/share/$product/version)"
 	    fi
 	done
-    else
-	echo $SHOREWALL_VERSION
     fi
 }
 
@@ -1327,26 +1293,12 @@ show_proc() # $1 = name of a file
 }
 
 read_yesno_with_timeout() {
-    local timeout
-    timeout=${1:-60}
-
-    case $timeout in
-	*s)
-	    ;;
-	*m)
-	    timeout=$((${timeout%m} * 60))
-	    ;;
-	*h)
-	    timeout=$((${timeout%h} * 3600))
-	    ;;
-    esac
-
-    read -t $timeout yn 2> /dev/null
+    read -t 60 yn 2> /dev/null
     if [ $? -eq 2 ]
     then
 	# read doesn't support timeout
 	test -x /bin/bash || return 2 # bash is not installed so the feature is not available
-	/bin/bash -c "read -t $timeout yn ; if [ \"\$yn\" == \"y\" ] ; then exit 0 ; else exit 1 ; fi" # invoke bash and use its version of read
+	/bin/bash -c 'read -t 60 yn ; if [ "$yn" == "y" ] ; then exit 0 ; else exit 1 ; fi' # invoke bash and use its version of read
 	return $?
     else
 	# read supports timeout
@@ -1955,8 +1907,6 @@ determine_capabilities() {
     IPTABLES_S=
     BASIC_FILTER=
     CT_TARGET=
-    STATISTIC_MATCH=
-    IMQ_TARGET=
 
     chain=fooX$$
 
@@ -2084,7 +2034,6 @@ determine_capabilities() {
 	qt $g_tool -t mangle -F $chain
 	qt $g_tool -t mangle -X $chain
 	qt $g_tool -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes
-	qt $g_tool -t mangle -A $chain -j IMQ --todev 0 && IMQ_TARGET=Yes
     fi
 
     qt $g_tool -t raw	    -L -n && RAW_TABLE=Yes
@@ -2155,7 +2104,6 @@ determine_capabilities() {
     qt $g_tool -A $chain -j ULOG && ULOG_TARGET=Yes
     qt $g_tool -A $chain -j NFLOG && NFLOG_TARGET=Yes
     qt $g_tool -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes
-    qt $g_tool -A $chain -m statistic --mode nth --every 2 --packet 1 && STATISTIC_MATCH=Yes
 
     if [ $g_family -eq 4 ]; then
 	qt $g_tool -A $chain -j ACCOUNT --addr 192.168.1.0/29 --tname $chain && ACCOUNT_TARGET=Yes
@@ -2265,8 +2213,6 @@ report_capabilities() {
 	report_capability "AUDIT Target" $AUDIT_TARGET
 	report_capability "ipset V5" $IPSET_V5
 	report_capability "Condition Match" $CONDITION_MATCH
-	report_capability "Statistic Match" $STATISTIC_MATCH
-	report_capability "IMQ Target" $IMQ_TARGET
 	
 	if [ $g_family -eq 4 ]; then
 	    report_capability "iptables -S" $IPTABLES_S
@@ -2352,8 +2298,6 @@ report_capabilities1() {
     report_capability1 IPTABLES_S
     report_capability1 BASIC_FILTER
     report_capability1 CT_TARGET
-    report_capability1 STATISTIC_MATCH
-    report_capability1 IMQ_TARGET
 
     echo CAPVERSION=$SHOREWALL_CAPVERSION
     echo KERNELVERSION=$KERNELVERSION
@@ -2572,7 +2516,7 @@ get_config() {
 
     ensure_config_path
 
-    config=$(find_file ${g_program}.conf)
+    config=$(find_file ${g_base}-lite.conf)
     
     if [ -f $config ]; then
 	if [ -r $config ]; then
@@ -2807,7 +2751,7 @@ restart_command() {
 			    option=${option#n}
 			    ;;
 			p*)
-			    [ -n "$(mywhich conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
+			    [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
 			    g_purge=Yes
 			    option=${option%p}
 			    ;;
@@ -2900,51 +2844,7 @@ usage() # $1 = exit status
     exit $1
 }
 
-#
-# This is the main entry point into the CLI. It directly handles all commands supported
-# by both the full and lite versions. Note, however, that functions such as start_command()
-# appear in both this library and it lib.cli-std. The ones in cli-std overload the ones
-# here if that lib is loaded below.
-#
 shorewall_cli() {
-    g_debugging=
-
-    if [ $# -gt 0 ] && [ "x$1" = "xdebug" -o "x$1" = "xtrace" ]; then
-	g_debugging=$1
-	shift
-    fi
-
-    g_nolock=
-
-    if [ $# -gt 0 ] && [ "$1" = "nolock" ]; then
-	g_nolock=nolock
-	shift
-    fi
-
-    g_noroutes=
-    g_purge=
-    g_ipt_options="-nv"
-    g_fast=
-    g_verbose_offset=0
-    g_use_verbosity=
-    g_debug=
-    g_export=
-    g_refreshchains=:none:
-    g_confess=
-    g_update=
-    g_convert=
-    g_annotate=
-    g_recovering=
-    g_timestamp=
-    g_libexec=/usr/share
-    g_perllib=/usr/share/shorewall
-    g_shorewalldir=
-
-    VERBOSE=
-    VERBOSITY=
-
-    [ -n "$g_lite" ] || . /usr/share/shorewall/lib.cli-std
-
     finished=0
 
     while [ $finished -eq 0 ]; do

Shorewall/lib.cli-std

@@ -1,9 +1,9 @@
 #
-# Shorewall 4.5 -- /usr/share/shorewall/lib.cli-std.
+# Shorewall 4.4 -- /usr/share/shorewall/lib.cli-std.
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 1999-2012 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -1003,8 +1003,6 @@ safe_commands() {
     local finished
     finished=0
     local command
-    local timeout
-    timeout=60
 
     # test is the shell supports timed read
     read -t 0 junk 2> /dev/null
@@ -1029,13 +1027,6 @@ safe_commands() {
 			    g_noroutes=Yes
 			    option=${option#n}
 			    ;;
-			t)
-			    [ $# -eq 1 ] && fatal_error "The -t option requires a timeout value"
-			    echo $2 | egrep -q '[[:digit:]]+[smh]' || fatal_error "The timeout value must be numeric, optionally followed by a suffix (s, m or h)"
-			    timeout=$2
-			    option=
-			    shift;
-			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -1118,7 +1109,7 @@ safe_commands() {
 
 	echo -n "Do you want to accept the new firewall configuration? [y/n] "
 
-	if read_yesno_with_timeout $timeout ; then
+	if read_yesno_with_timeout; then
 	    echo "New configuration has been accepted"
 	else
 	    if [ "$command" = "restart" ]; then
@@ -1199,8 +1190,13 @@ try_command() {
 	    ;;
 	2)
 	    handle_directory $1
-	    echo $2 | egrep -q '[[:digit:]]+[smh]' || fatal_error "The timeout value must be numeric, optionally followed by a suffix (s, m or h)"
 	    timeout=$2
+	    case $timeout in
+		*[!0-9]*)
+                    echo "   ERROR: Invalid timeout ($timeout)" >&2;
+		    exit 1
+		    ;;
+	    esac
 	    ;;
 	*)
 	    usage 1
@@ -1549,8 +1545,8 @@ usage() # $1 = exit status
     echo "   reset [ <chain> ... ]"
     echo "   restart [ -n ] [ -p ] [-d] [ -f ] [ -c ][ <directory> ]"
     echo "   restore [ -n ] [ <file name> ]"
-    echo "   safe-restart [ -t <timeout> ] [ <directory> ]"
-    echo "   safe-start [ -t <timeout> ] [ <directory> ]"
+    echo "   safe-restart [ <directory> ]"
+    echo "   safe-start [ <directory> ]"
     echo "   save [ <file name> ]"
     echo "   show [ -x ] [ -t {filter|mangle|nat|raw|rawpost} ] [ {chain [<chain> [ <chain> ... ]"
     echo "   show actions"
@@ -1579,7 +1575,7 @@ usage() # $1 = exit status
     echo "   status"
     echo "   stop"
     echo "   try <directory> [ <timeout> ]"
-    echo "   update [ -a ] [ -b ] [ -r ] [ -T ] [ <directory> ]"
+    echo "   update [ -b ] [ -r ] [ -T ] [ <directory> ]"
     echo "   version [ -a ]"
     echo
     exit $1

Shorewall/lib.common

@@ -1,9 +1,9 @@
 #
-# Shorewall 4.5 -- /usr/share/shorewall/lib.common.
+# Shorewall 4.4 -- /usr/share/shorewall/lib.common.
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2010-2012 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2010 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -24,50 +24,6 @@
 # generated firewall scripts. To avoid versioning issues, it is copied into generated
 # scripts rather than loaded at run-time.
 #
-#########################################################################################
-#
-# Issue a message and stop
-#
-startup_error() # $* = Error Message
-{
-    echo "   ERROR: $@: Firewall state not changed" >&2
-
-    if [ $LOG_VERBOSITY -ge 0 ]; then
-        timestamp="$(date +'%_b %d %T') "
-        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
-    fi
-
-    case $COMMAND in
-        start)
-	    logger -p kern.err "ERROR:$g_product start failed:Firewall state not changed"
-	    ;;
-	restart)
-	    logger -p kern.err "ERROR:$g_product restart failed:Firewall state not changed"
-	    ;;
-	restore)
-	    logger -p kern.err "ERROR:$g_product restore failed:Firewall state not changed"
-	    ;;
-    esac
-
-    if [ $LOG_VERBOSITY -ge 0 ]; then
-        timestamp="$(date +'%_b %d %T') "
-
-	case $COMMAND in
-	    start)
-		echo "${timestamp}  ERROR:$g_product start failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	    restart)
-		echo "${timestamp}  ERROR:$g_product restart failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	    restore)
-		echo "${timestamp}  ERROR:$g_product restore failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	esac
-    fi
-
-    kill $$
-    exit 2
-}
 
 #
 # Get the Shorewall version of the passed script
@@ -587,7 +543,7 @@ find_first_interface_address() # $1 = interface
 	#
 	# get the line of output containing the first IP address
 	#
-	addr=$(${IP:-ip} -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
+	addr=$(${IP:-ip} -$g_family addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
 	#
 	# If there wasn't one, bail out now
 	#

Shorewall/lib.core

@@ -1,618 +0,0 @@
-#
-# Shorewall 4.5 -- /usr/share/shorewall/lib.core.
-#
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2010-2012 - Tom Eastep (teastep@shorewall.net)
-#
-#	Complete documentation is available at http://shorewall.net
-#
-#	This program is free software; you can redistribute it and/or modify
-#	it under the terms of Version 2 of the GNU General Public License
-#	as published by the Free Software Foundation.
-#
-#	This program is distributed in the hope that it will be useful,
-#	but WITHOUT ANY WARRANTY; without even the implied warranty of
-#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#	GNU General Public License for more details.
-#
-#	You should have received a copy of the GNU General Public License
-#	along with this program; if not, write to the Free Software
-#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# The purpose of this library is to hold those functions used by the generated
-# scripts (both IPv4 and IPv6 -- the functions that are specific to one or the other
-# are found in prog.header and prog.header6).
-#
-#########################################################################################
-#
-# Conditionally produce message
-#
-progress_message() # $* = Message
-{
-    local timestamp
-    timestamp=
-
-    if [ $VERBOSITY -gt 1 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
-	echo "${timestamp}$@"
-    fi
-
-    if [ $LOG_VERBOSITY -gt 1 ]; then
-        timestamp="$(date +'%b %_d %T') "
-        echo "${timestamp}$@" >> $STARTUP_LOG
-    fi
-}
-
-progress_message2() # $* = Message
-{
-    local timestamp
-    timestamp=
-
-    if [ $VERBOSITY -gt 0 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
-	echo "${timestamp}$@"
-    fi
-
-    if [ $LOG_VERBOSITY -gt 0 ]; then
-        timestamp="$(date +'%b %_d %T') "
-        echo "${timestamp}$@" >> $STARTUP_LOG
-    fi
-}
-
-progress_message3() # $* = Message
-{
-    local timestamp
-    timestamp=
-
-    if [ $VERBOSITY -ge 0 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
-	echo "${timestamp}$@"
-    fi
-
-    if [ $LOG_VERBOSITY -ge 0 ]; then
-        timestamp="$(date +'%b %_d %T') "
-        echo "${timestamp}$@" >> $STARTUP_LOG
-    fi
-}
-
-#
-# Set a standard chain's policy
-#
-setpolicy() # $1 = name of chain, $2 = policy
-{
-    run_iptables -P $1 $2
-}
-
-#
-# Generate a list of all network interfaces on the system
-#
-find_all_interfaces() {
-    ${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
-}
-
-#
-# Generate a list of all network interfaces on the system that have an ipvX address
-#
-find_all_interfaces1() {
-    ${IP:-ip} -$g_family addr list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
-}
-
-#
-# Find the value 'dev' in the passed arguments then echo the next value
-#
-
-find_device() {
-    while [ $# -gt 1 ]; do
-	[ "x$1" = xdev ] && echo $2 && return
-	shift
-    done
-}
-
-#
-# Find the value 'via' in the passed arguments then echo the next value
-#
-
-find_gateway() {
-    while [ $# -gt 1 ]; do
-	[ "x$1" = xvia ] && echo $2 && return
-	shift
-    done
-}
-
-#
-# Find the value 'mtu' in the passed arguments then echo the next value
-#
-
-find_mtu() {
-    while [ $# -gt 1 ]; do
-	[ "x$1" = xmtu ] && echo $2 && return
-	shift
-    done
-}
-
-#
-# Find the value 'peer' in the passed arguments then echo the next value up to
-# "/"
-#
-
-find_peer() {
-    while [ $# -gt 1 ]; do
-	[ "x$1" = xpeer ] && echo ${2%/*} && return
-	shift
-    done
-}
-
-#
-# Try to find the gateway through an interface looking for 'nexthop'
-
-find_nexthop() # $1 = interface
-{
-    echo $(find_gateway `$IP -$g_family route list | grep "[[:space:]]nexthop.* $1"`)
-}
-
-#
-# Find the default route's interface
-#
-find_default_interface() {
-    $IP -$g_family route list | while read first rest; do
-	[ "$first" = default ] && echo $(find_device $rest) && return
-    done
-}
-
-#
-# Determine if Interface is up
-#
-interface_is_up() {
-    [ -n "$($IP -$g_family link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ]
-}
-
-#
-# Determine if interface is usable from a Netfilter perspective
-#
-interface_is_usable() # $1 = interface
-{
-    [ "$1" = lo ] && return 0
-    interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ] && run_isusable_exit $1
-}
-
-#
-# Find interface addresses--returns the set of addresses assigned to the passed
-# device
-#
-find_interface_addresses() # $1 = interface
-{
-    if [ $g_family -eq 4 ]; then
-	$IP -f inet addr show $1 2> /dev/null | grep inet\  | sed 's/\s*inet //;s/\/.*//;s/ peer.*//'
-    else
-	$IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2' | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//'
-    fi
-}
-
-#
-#  echo the list of networks routed out of a given interface
-#
-get_routed_networks() # $1 = interface name, $2-n = Fatal error message
-{
-    local address
-    local rest
-    local mask
-
-    [ $g_family -eq 4 ] && mask=32 || mask=128
-    
-
-    $IP -$g_family route show dev $1 2> /dev/null |
-	while read address rest; do
-	    case "$address" in
-		default)
-		    if [ $# -gt 1 ]; then
-			shift
-			fatal_error "$@"
-		    else
-			echo "WARNING: default route ignored on interface $1" >&2
-		    fi
-		    ;;
-		multicast|broadcast|prohibit|nat|throw|nexthop)
-		    ;;
-		[2-3]*)
-		    [ "$address" = "${address%/*}" ] && address="${address}/${mask}"
-		    echo $address
-		    ;;
-		*)
-		    if [ $g_family -eq 4 ]; then
-			[ "$address" = "${address%/*}" ] && address="${address}/${mask}"
-			echo $address
-		    fi
-		    ;;
-	    esac
-        done
-}
-
-#
-# Clear the current traffic shaping configuration
-#
-
-delete_tc1()
-{
-    clear_one_tc() {
-        $TC qdisc del dev $1 root 2> /dev/null
-        $TC qdisc del dev $1 ingress 2> /dev/null
-
-    }
-
-    run_tcclear_exit
-
-    run_ip link list | \
-    while read inx interface details; do
-        case $inx in
-            [0-9]*)
-                clear_one_tc ${interface%:}
-                ;;
-            *)
-                ;;
-        esac
-    done
-}
-
-#
-# Detect a device's MTU -- echos the passed device's MTU
-#
-get_device_mtu() # $1 = device
-{
-    local output
-    output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash
-
-    if [ -n "$output" ]; then
-	echo $(find_mtu $output)
-    else
-	echo 1500
-    fi
-}
-
-#
-# Version of the above that doesn't generate any output for MTU 1500.
-# Generates 'mtu <mtu+>' otherwise, where <mtu+> is the device's MTU + 100
-#
-get_device_mtu1() # $1 = device
-{
-    local output
-    output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash
-    local mtu
-
-    if [ -n "$output" ]; then
-	mtu=$(find_mtu $output)
-	if [ -n "$mtu" ]; then
-	    [ $mtu = 1500 ] || echo mtu $(($mtu + 100))
-	fi
-    fi
-
-}
-
-#
-# Undo changes to routing
-#
-undo_routing() {
-    local undofiles
-    local f
-
-    if [ -z "$g_noroutes"  ]; then
-	#
-	# Restore rt_tables database
-	#
-	if [ -f ${VARDIR}/rt_tables ]; then
-	    [ -w /etc/iproute2/rt_table -a -z "$KEEP_RT_TABLES" ] && cp -f ${VARDIR}/rt_tables /etc/iproute2/ && progress_message "/etc/iproute2/rt_tables database restored"
-	    rm -f ${VARDIR}/rt_tables
-	fi
-	#
-	# Restore the rest of the routing table
-	#
-	undofiles="$(ls ${VARDIR}/undo_*routing 2> /dev/null)"
-
-	if [ -n "$undofiles" ]; then
-	    for f in $undofiles; do
-		. $f
-	    done
-
-	    rm -f $undofiles
-
-            progress_message "Shorewall-generated routing tables and routing rules removed"
-	fi
-    fi
-
-}
-
-#
-# Save the default route
-#
-save_default_route() {
-    awk \
-    'BEGIN        {defroute=0;};
-     /^default /  {defroute=1; print; next};
-     /nexthop/    {if (defroute == 1 ) {print ; next} };
-                  { defroute=0; };'
-}
-
-#
-# Restore the default route that was in place before the initial 'shorewall start'
-#
-replace_default_route() # $1 = USE_DEFAULT_RT
-{
-    #
-    # default_route and result are inherited from the caller
-    #
-    if [ -n "$default_route" ]; then
-	case "$default_route" in
-	    *metric*)
-	        #
-	        # Don't restore a default route with a metric unless USE_DEFAULT_RT=Yes. Otherwise, we only replace the one with metric 0
-	        #
-		[ -n "$1" ] && qt $IP -$g_family route replace $default_route && progress_message "Default Route (${default_route# }) restored"
-		default_route=
-		;;
-	    *)
-		qt $IP -$g_family route replace $default_route && progress_message "Default Route (${default_route# }) restored"
-		result=0
-		default_route=
-		;;
-	esac
-    fi
-}
-
-restore_default_route() # $1 = USE_DEFAULT_RT
-{
-    local result
-    result=1
-
-    if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then
-	local default_route
-	default_route=
-	local route
-
-	while read route ; do
-	    case $route in
-		default*)
-		    replace_default_route $1
-		    default_route="$default_route $route"
-		    ;;
-		*)
-		    default_route="$default_route $route"
-		    ;;
-	    esac
-	done < ${VARDIR}/default_route
-
-	replace_default_route $1
-	
-	if [ $result = 1 ]; then
-	    #
-	    # We didn't restore a default route with metric 0
-	    #
-	    if $IP -$g_family -o route list 2> /dev/null | fgrep default | fgrep -qv metric; then
-	       #
-	       # But we added a default route with metric 0
-	       #
-	       qt $IP -$g_family route del default metric 0 && progress_message "Default route with metric 0 deleted"
-	    fi
-	fi
-
-	rm -f ${VARDIR}/default_route
-    fi
-
-    return $result
-}
-
-#
-# Flush the conntrack table if $g_purge is non-empty
-#
-conditionally_flush_conntrack() {
-
-    if [ -n "$g_purge" ]; then
-	if [ -n $(mywhich conntrack) ]; then
-            conntrack -F
-	else
-            error_message "WARNING: The '-p' option requires the conntrack utility which does not appear to be installed on this system"
-	fi
-    fi
-}
-
-#
-# Issue a message and stop/restore the firewall.
-#
-fatal_error()
-{
-    echo "   ERROR: $@" >&2
-
-    if [ $LOG_VERBOSITY -ge 0 ]; then
-        timestamp="$(date +'%_b %d %T') "
-        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
-    fi
-
-    stop_firewall
-    [ -n "$TEMPFILE" ] && rm -f $TEMPFILE
-    exit 2
-}
-
-#
-# Run iptables/ip6tables and if an error occurs, stop/restore the firewall
-#
-run_iptables()
-{
-    local status
-
-    while [ 1 ]; do
-	$g_tool $@
-	status=$?
-	[ $status -ne 4 ] && break
-    done
-
-    if [ $status -ne 0 ]; then
-        error_message "ERROR: Command \"$g_tool $@\" Failed"
-	stop_firewall
-        exit 2
-    fi
-}
-
-#
-# Run iptables/ip6tables retrying exit status 4
-#
-do_iptables()
-{
-    local status
-
-    while [ 1 ]; do
-	$g_tool $@
-	status=$?
-	[ $status -ne 4 ] && return $status;
-    done
-}
-
-#
-# Run ip and if an error occurs, stop/restore the firewall
-#
-run_ip()
-{
-    if ! $IP -$g_family $@; then
-	error_message "ERROR: Command \"$IP -$g_family $@\" Failed"
-	stop_firewall
-	exit 2
-    fi
-}
-
-#
-# Run tc and if an error occurs, stop/restore the firewall
-#
-run_tc() {
-    if ! $TC $@ ; then
-	error_message "ERROR: Command \"$TC $@\" Failed"
-	stop_firewall
-	exit 2
-    fi
-}
-
-#
-# Run the .iptables_restore_input as a set of discrete iptables commands
-#
-debug_restore_input() {
-    local first second rest table chain
-    #
-    # Clear the ruleset
-    #
-    qt1 $g_tool -t mangle -F
-    qt1 $g_tool -t mangle -X
-
-    for chain in PREROUTING INPUT FORWARD POSTROUTING; do
-	qt1 $g_tool -t mangle -P $chain ACCEPT
-    done
-
-    qt1 $g_tool -t raw    -F
-    qt1 $g_tool -t raw    -X
-
-    for chain in PREROUTING OUTPUT; do
-	qt1 $g_tool -t raw -P $chain ACCEPT
-    done
-
-    qt1 $g_tool -t filter -F
-    qt1 $g_tool -t filter -X
-
-    for chain in INPUT FORWARD OUTPUT; do
-	qt1 $g_tool -t filter -P $chain -P ACCEPT
-    done
-
-    while read first second rest; do
-	case $first in
-	    -*)
-		#
-		# We can't call run_iptables() here because the rules may contain quoted strings
-		#
-		eval $g_tool -t $table $first $second $rest
-
-		if [ $? -ne 0 ]; then
-		    error_message "ERROR: Command \"$g_tool $first $second $rest\" Failed"
-		    stop_firewall
-		    exit 2
-		fi
-		;;
-	    :*)
-		chain=${first#:}
-
-		if [ "x$second" = x- ]; then
-		    do_iptables -t $table -N $chain
-		else
-		    do_iptables -t $table -P $chain $second
-		fi
-
-		if [ $? -ne 0 ]; then
-		    error_message "ERROR: Command \"$g_tool $first $second $rest\" Failed"
-		    stop_firewall
-		    exit 2
-		fi
-		;;
-	    #
-	    # This grotesque hack with the table names works around a bug/feature with ash
-	    #
-	    '*'raw)
-		table=raw
-		;;
-	    '*'rawpost)
-		table=rawpost
-		;;
-	    '*'mangle)
-		table=mangle
-		;;
-	    '*'nat)
-		table=nat
-		;;
-	    '*'filter)
-		table=filter
-		;;
-	esac
-    done
-}
-
-interface_up() {
-    return $(cat ${VARDIR}/$1.status)
-}
-
-distribute_load() {
-    local interface
-    local totalload
-    local load
-    local maxload
-
-    maxload=$1
-    shift
-
-    totalload=0
-
-    for interface in $@; do
-	if interface_up $interface; then
-	    load=$(cat ${VARDIR}/${interface}_load)
-	    eval ${interface}_load=$load
-	    totalload=$( bc <<EOF
-scale=8
-$totalload + $load
-EOF
-)
-	fi
-    done
-
-    if [ $totalload ]; then
-	for interface in $@; do
-	    qt $g_tool -t mangle -F ~$interface
-	    eval load=\$${interface}_load
-	
-	    if [ -n "$load" ]; then
-		load=$(bc <<EOF
-scale=8
-( $load / $totalload ) * $maxload
-EOF
-)
-		totalload=$(bc <<EOF
-scale=8
-$totalload - $load
-EOF
-)
-		run_iptables -t mangle -A ~$interface -m statistic --mode random --probability $load
-	    fi
-	done
-    fi
-}

Shorewall/shorewall

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-#     Shorewall Packet Filtering Firewall Control Program - V4.5
+#     Shorewall Packet Filtering Firewall Control Program - V4.4
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
@@ -25,8 +25,89 @@
 #       For a list of supported commands, type 'shorewall help' or 'shorewall6 help'
 #
 ################################################################################################
-g_program=shorewall
+g_debugging=
 
-. /usr/share/shorewall/lib.cli
+if [ $# -gt 0 ] && [ "x$1" = "xdebug" -o "x$1" = "xtrace" ]; then
+    g_debugging=$1
+    shift
+fi
+
+g_nolock=
+
+if [ $# -gt 0 ] && [ "$1" = "nolock" ]; then
+    g_nolock=nolock
+    shift
+fi
+
+g_noroutes=
+g_purge=
+g_ipt_options="-nv"
+g_fast=
+g_verbose_offset=0
+g_use_verbosity=
+g_debug=
+g_export=
+g_refreshchains=:none:
+g_confess=
+g_update=
+g_convert=
+g_annotate=
+g_recovering=
+g_timestamp=
+g_libexec=/usr/share
+g_perllib=/usr/share/shorewall
+g_shorewalldir=
+
+VERBOSE=
+VERBOSITY=
+
+g_program=$(basename $0)
+
+if [ $g_program = shorewall6 ]; then
+    SHAREDIR=/usr/share/shorewall6
+    CONFDIR=/etc/shorewall6
+    g_product="Shorewall6"
+    g_family=6
+    g_tool=
+    g_basedir=/usr/share/shorewall
+    g_lite=
+elif [ $g_program = shorewall6-lite ]; then
+    SHAREDIR=/usr/share/shorewall6-lite
+    CONFDIR=/etc/shorewall6-lite
+    g_product="Shorewall6 Lite"
+    g_family=6
+    g_base=shorewall6
+    g_tool=ip6tables
+    g_basedir=/usr/share/shorewall6-lite
+    g_lite=Yes
+elif [ $g_program = shorewall-lite ]; then
+    SHAREDIR=/usr/share/shorewall-lite
+    CONFDIR=/etc/shorewall-lite
+    g_product="Shorewall Lite"
+    g_family=4
+    g_base=shorewall
+    g_tool=iptables
+    g_basedir=/usr/share/shorewall-lite
+    g_lite=Yes
+else
+    g_program=shorewall
+    SHAREDIR=/usr/share/shorewall
+    CONFDIR=/etc/shorewall
+    g_product="Shorewall"
+    g_family=4
+    g_tool=
+    g_basedir=/usr/share/shorewall
+    g_lite=
+fi
+
+if [ -z "$g_lite" ]; then
+    for library in base cli cli-std; do
+	. /usr/share/shorewall/lib.$library
+    done
+else
+    for library in base cli; do
+	. ${SHAREDIR}/lib.$library
+    done
+fi
 
 shorewall_cli $@

Shorewall/uninstall.sh

@@ -107,24 +107,13 @@ fi
 rm -f /sbin/shorewall
 rm -f /sbin/shorewall-*.bkout
 
-rm -rf /usr/share/shorewall/version
 rm -rf /etc/shorewall
 rm -rf /etc/shorewall-*.bkout
 rm -rf /var/lib/shorewall
 rm -rf /var/lib/shorewall-*.bkout
 rm -rf $PERLLIB}/Shorewall/*
 rm -rf ${LIBEXEC}/shorewall
-rm -rf /usr/share/shorewall/configfiles/
-rm -rf /usr/share/shorewall/Samples/
-rm -rf /usr/share/shorewall/Shorewall/
-rm -f  /usr/share/shorewall/lib.cli-std
-rm -f  /usr/share/shorewall/lib.core
-rm -f  /usr/share/shorewall/compiler.pl
-rm -f  /usr/share/shorewall/prog.*
-rm -f  /usr/share/shorewall/module*
-rm -f  /usr/share/shorewall/helpers
-rm -f  /usr/share/shorewall/action*
-rm -f  /usr/share/shorewall/init
+rm -rf /usr/share/shorewall
 rm -rf /usr/share/shorewall-*.bkout
 
 for f in /usr/share/man/man5/shorewall* /usr/share/man/man8/shorewall*; do

Shorewall6-lite/default.debian

@@ -18,18 +18,9 @@ startup=0
 #
 # Startup options
 #
+
 OPTIONS=""
 
-#
-# Start options
-#
-STARTOPTIONS=""
-
-#
-# Restart options
-#
-RESTARTOPTIONS=""
-
 #
 # Init Log -- if /dev/null, use the STARTUP_LOG defined in shorewall.conf
 #
@@ -39,6 +30,7 @@ INITLOG=/dev/null
 # Set this to 1 to cause '/etc/init.d/shorewall6-lite stop' to place the firewall in
 # a safe state rather than to open it
 #
+
 SAFESTOP=0
 
 # EOF

Shorewall6-lite/init.debian.sh

@@ -81,7 +81,7 @@ fi
 # start the firewall
 shorewall6_start () {
   echo -n "Starting \"Shorewall6 Lite firewall\": "
-  $SRWL $SRWL_OPTS start $STARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
+  $SRWL $SRWL_OPTS start >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
 }
 
@@ -99,7 +99,7 @@ shorewall6_stop () {
 # restart the firewall
 shorewall6_restart () {
   echo -n "Restarting \"Shorewall6 Lite firewall\": "
-  $SRWL $SRWL_OPTS restart $RESTARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
+  $SRWL $SRWL_OPTS restart >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
 }