Restore SAVE_IPSET functionality

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/install.sh

@@ -30,8 +30,6 @@ usage() # $1 = exit status
     echo "usage: $ME"
     echo "       $ME -v"
     echo "       $ME -h"
-    echo "       $ME -s"
-    echo "       $ME -f"
     exit $1
 }
 
@@ -87,6 +85,13 @@ install_file() # $1 = source $2 = target $3 = mode
     run_install $T $OWNERSHIP -m $3 $1 ${2}
 }
 
+cd "$(dirname $0)"
+
+#
+# Load packager's settings if any
+#
+[ -f ../shorewall-pkg.config ] && . ../shorewall-pkg.config
+
 [ -n "$DESTDIR" ] || DESTDIR="$PREFIX"
 
 #
@@ -98,13 +103,13 @@ T="-T"
 
 [ -n "${LIBEXEC:=/usr/share}" ]
 [ -n "${PERLLIB:=/usr/share/shorewall}" ]
-MACHOST=
 
 case "$LIBEXEC" in
     /*)
 	;;
     *)
-	LIBEXEC=/usr/${LIBEXEC}
+	echo "The LIBEXEC setting must be an absolute path name" >&2
+	exit 1
 	;;
 esac
 
@@ -112,14 +117,41 @@ case "$PERLLIB" in
     /*)
 	;;
     *)
-	PERLLIB=/usr/${PERLLIB}
+	echo "The PERLLIB setting must be an absolute path name" >&2
+	exit 1
 	;;
 esac
 
 INSTALLD='-D'
 
-case $(uname) in
-    CYGWIN*)
+if [ -z "$BUILD" ]; then
+    case $(uname) in
+	cygwin*)
+	    BUILD=cygwin
+	    ;;
+	Darwin)
+	    BUILD=apple
+	    ;;
+	*)
+	    if [ -f /etc/debian_version ]; then
+		BUILD=debian
+	    elif [ -f /etc/redhat-release ]; then
+		BUILD=redhat
+	    elif [ -f /etc/slackware-version ] ; then
+		BUILD=slackware
+	    elif [ -f /etc/SuSE-release ]; then
+		BUILD=suse
+	    elif [ -f /etc/arch-release ] ; then
+		BUILD=archlinux
+	    else
+		BUILD=linux
+	    fi
+	    ;;
+    esac
+fi
+
+case $BUILD in
+    cygwin*)
 	if [ -z "$DESTDIR" ]; then
 	    DEST=
 	    INIT=
@@ -127,18 +159,16 @@ case $(uname) in
 
 	OWNER=$(id -un)
 	GROUP=$(id -gn)
-	CYGWIN=Yes
 	;;
-    Darwin)
+    apple)
 	if [ -z "$DESTDIR" ]; then
 	    DEST=
 	    INIT=
+	    SPARSE=Yes
 	fi
 
 	[ -z "$OWNER" ] && OWNER=root
 	[ -z "$GROUP" ] && GROUP=wheel
-	MAC=Yes
-        MACHOST=Yes
 	INSTALLD=
 	T=
 	;;
@@ -168,14 +198,6 @@ while [ $finished -eq 0 ]; do
 			echo "Shorewall Firewall Installer Version $VERSION"
 			exit 0
 			;;
-		    a*)
-			ANNOTATED=Yes
-			option=${option#a}
-			;;
-		    p*)
-			ANNOTATED=
-			option=${option#p}
-			;;
 		    *)
 			usage 1
 			;;
@@ -197,43 +219,30 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 # Determine where to install the firewall script
 #
 
+[ -n "$HOST" ] || HOST=$BUILD
+
+case "$HOST" in
+    cygwin)
+	echo "Installing Cygwin-specific configuration..."
+	;;
+    apple)
+	echo "Installing Mac-specific configuration...";
+	;;
+    debian|redhat|slackware|archlinux|linux|suse)
+	;;
+    *)
+	echo "ERROR: Unknown HOST \"$HOST\"" >&2
+	exit 1;
+	;;
+esac
+
 if [ -n "$DESTDIR" ]; then
-    if [ -z "$CYGWIN" ]; then
+    if [ $BUILD != cygwin ]; then
 	if [ `id -u` != 0 ] ; then
 	    echo "Not setting file owner/group permissions, not running as root."
 	    OWNERSHIP=""
 	fi
     fi
-
-    install -d $OWNERSHIP -m 755 ${DESTDIR}/sbin
-    install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
-
-    CYGWIN=
-    MAC=
-else
-    if [ -n "$CYGWIN" ]; then
-	echo "Installing Cygwin-specific configuration..."
-    elif [ -n "$MAC" ]; then
-	echo "Installing Mac-specific configuration..."
-    else
-	if [ -f /etc/debian_version ]; then
-	    echo "Installing Debian-specific configuration..."
-	    DEBIAN=yes
-	elif [ -f /etc/redhat-release ]; then
-	    echo "Installing Redhat/Fedora-specific configuration..."
-	    FEDORA=yes
-	elif [ -f /etc/slackware-version ] ; then
-	    echo "Installing Slackware-specific configuration..."
-	    DEST="/etc/rc.d"
-	    MANDIR="/usr/man"
-	    SLACKWARE=yes
-	elif [ -f /etc/arch-release ] ; then
-	    echo "Installing ArchLinux-specific configuration..."
-	    DEST="/etc/rc.d"
-	    INIT="shorewall"
-	    ARCHLINUX=yes
-	fi
-    fi
 fi
 
 #
@@ -247,7 +256,12 @@ echo "Installing Shorewall Core Version $VERSION"
 # Create /usr/share/shorewall
 #
 mkdir -p ${DESTDIR}${LIBEXEC}/shorewall
-chmod 755 ${DESTDIR}/usr/share/shorewall
+chmod 755 ${DESTDIR}${LIBEXEC}/shorewall
+
+if [ $LIBEXEC != /usr/shorewall/ ]; then
+    mkdir -p ${DESTDIR}/usr/share/shorewall
+    chmod 755 ${DESTDIR}/usr/share/shorewall
+fi
 #
 # Install wait4ifup
 #
@@ -264,7 +278,7 @@ for f in lib.* ; do
     echo "Library ${f#*.} file installed as ${DESTDIR}/usr/share/shorewall/$f"
 done
 
-if [ -z "$MACHOST" ]; then
+if [ $BUILD != apple ]; then
     eval sed -i \'s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/usr/share/shorewall/lib.cli
     eval sed -i \'s\|g_perllib=.\*\|g_perllib=$PERLLIB\|\' ${DESTDIR}/usr/share/shorewall/lib.cli
 else

Shorewall-core/lib.cli

@@ -1112,7 +1112,7 @@ do_dump_command() {
 	echo "   Shorewall $(cat /usr/share/shorewall/version)"
 	echo
     fi
-    
+    show_status
     show_reset
     host=$(echo $g_hostname | sed 's/\..*$//')
     $g_tool -L $g_ipt_options
@@ -1957,6 +1957,8 @@ determine_capabilities() {
     CT_TARGET=
     STATISTIC_MATCH=
     IMQ_TARGET=
+    DSCP_MATCH=
+    DSCP_TARGET=
 
     chain=fooX$$
 
@@ -2081,10 +2083,14 @@ determine_capabilities() {
 	qt $g_tool -t mangle -A $chain -j CLASSIFY --set-class 1:1 && CLASSIFY_TARGET=Yes
 	qt $g_tool -t mangle -A $chain -j IPMARK --addr src && IPMARK_TARGET=Yes
 	qt $g_tool -t mangle -A $chain -p tcp -j TPROXY --on-port 0 --tproxy-mark 1 && TPROXY_TARGET=Yes
+	qt $g_tool -t mangle -A $chain -j IMQ --todev 0 && IMQ_TARGET=Yes
+	qt $g_tool -t mangle -A $chain -m dscp --dscp 0 && DSCP_MATCH=Yes
+	qt $g_tool -t mangle -A $chain -j DSCP --set-dscp 0 && DSCP_TARGET=Yes
+
 	qt $g_tool -t mangle -F $chain
 	qt $g_tool -t mangle -X $chain
+	
 	qt $g_tool -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes
-	qt $g_tool -t mangle -A $chain -j IMQ --todev 0 && IMQ_TARGET=Yes
     fi
 
     qt $g_tool -t raw	    -L -n && RAW_TABLE=Yes
@@ -2267,6 +2273,8 @@ report_capabilities() {
 	report_capability "Condition Match" $CONDITION_MATCH
 	report_capability "Statistic Match" $STATISTIC_MATCH
 	report_capability "IMQ Target" $IMQ_TARGET
+	report_capability "DSCP Match" $DSCP_MATCH
+	report_capability "DSCP Target" $DSCP_TARGET
 	
 	if [ $g_family -eq 4 ]; then
 	    report_capability "iptables -S" $IPTABLES_S
@@ -2354,14 +2362,14 @@ report_capabilities1() {
     report_capability1 CT_TARGET
     report_capability1 STATISTIC_MATCH
     report_capability1 IMQ_TARGET
+    report_capability1 DSCP_MATCH
+    report_capability1 DSCP_TARGET
 
     echo CAPVERSION=$SHOREWALL_CAPVERSION
     echo KERNELVERSION=$KERNELVERSION
 }
 
-status_command() {
-    echo "${g_product}-$SHOREWALL_VERSION Status at $g_hostname - $(date)"
-    echo
+show_status() {
     if product_is_started ; then
 	echo "$g_product is running"
 	status=0
@@ -2381,6 +2389,12 @@ status_command() {
 	state=Unknown
     fi
     echo "State:$state"
+}
+
+status_command() {
+    echo "${g_product}-$SHOREWALL_VERSION Status at $g_hostname - $(date)"
+    echo
+    show_status
     echo
     exit $status
 }

Shorewall-init/install.sh

@@ -86,21 +86,14 @@ install_file() # $1 = source $2 = target $3 = mode
     run_install $T $OWNERSHIP -m $3 $1 ${2}
 }
 
-[ -n "$DESTDIR" ] || DESTDIR="$PREFIX"
+cd "$(dirname $0)"
 
-# DEST is the SysVInit script directory
-# INIT is the name of the script in the $DEST directory
-# ARGS is "yes" if we've already parsed an argument
 #
-ARGS=""
+# Load packager's settings if any
+#
+[ -f ../shorewall-pkg.config ] && . ../shorewall-pkg.config
 
-if [ -z "$DEST" ] ; then
-	DEST="/etc/init.d"
-fi
-
-if [ -z "$INIT" ] ; then
-	INIT="shorewall-init"
-fi
+[ -n "$DESTDIR" ] || DESTDIR="$PREFIX"
 
 while [ $# -gt 0 ] ; do
     case "$1" in
@@ -116,7 +109,6 @@ while [ $# -gt 0 ] ; do
 	    ;;
     esac
     shift
-    ARGS="yes"
 done
 
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
@@ -127,75 +119,112 @@ case "$LIBEXEC" in
     /*)
 	;;
     *)
-	LIBEXEC=/usr/${LIBEXEC}
+	echo "The LIBEXEC setting must be an absolute path name" >&2
+	exit 1
 	;;
 esac
 
-#
-# Determine where to install the firewall script
-#
+INITFILE="shorewall-init"
 
-case $(uname) in
-    Darwin)
-	[ -z "$OWNER" ] && OWNER=root
-	[ -z "$GROUP" ] && GROUP=wheel
+if [ -z "$BUILD" ]; then
+    case $(uname) in
+	cygwin*)
+	    BUILD=cygwin
+	    ;;
+	Darwin)
+	    BUILD=apple
+	    ;;
+	*)
+	    if [ -f /etc/debian_version ]; then
+		BUILD=debian
+	    elif [ -f /etc/redhat-release ]; then
+		BUILD=redhat
+	    elif [ -f /etc/SuSE-release ]; then
+		BUILD=suse
+	    elif [ -f /etc/slackware-version ] ; then
+		BUILD=slackware
+	    elif [ -f /etc/arch-release ] ; then
+		BUILD=archlinux
+	    else
+		BUILD=linux
+	    fi
+	    ;;
+    esac
+fi
+
+[ -n "$OWNER" ] || OWNER=$(id -un)
+[ -n "$GROUP" ] || GROUP=$(id -gn)
+
+case $BUILD in
+    apple)
 	T=
-	;;	
+	;;
+    debian|redhat|suse|slackware|archlinux)
+	;;
     *)
-	[ -z "$OWNER" ] && OWNER=root
-	[ -z "$GROUP" ] && GROUP=root
+	[ -n "$BUILD" ] && echo "ERROR: Unknown BUILD environment ($BUILD)" >&2 || echo "ERROR: Unknown BUILD environment"
+	exit 1
 	;;
 esac
 
 OWNERSHIP="-o $OWNER -g $GROUP"
 
+[ -n "$HOST" ] || HOST=$BUILD
+
+case "$HOST" in
+    debian)
+	echo "Installing Debian-specific configuration..."
+	SPARSE=yes
+	;;
+    redhat|redhat)
+	echo "Installing Redhat/Fedora-specific configuration..."
+	[ -n "$INITDIR" ] || INITDIR=/etc/rc.d/init.d
+	;;
+    slackware)
+	echo "Shorewall-init is currently not supported on Slackware" >&2
+	exit 1
+	;;
+    archlinux)
+	echo "Shorewall-init is currently not supported on Arch Linux" >&2
+	exit 1
+	;;
+    suse|suse)
+	echo "Installing SuSE-specific configuration..."
+	;;
+    linux)
+	echo "ERROR: Shorewall-init is not supported on this system" >&2
+	;;
+    *)
+	echo "ERROR: Unsupported HOST distribution: \"$HOST\"" >&2
+	exit 1;
+	;;
+esac
+
+[ -z "$TARGET" ] && TARGET=$HOST
+
+if [ -z "$INITDIR" -a -n "$INITFILE" ] ; then
+    INITDIR="/etc/init.d"
+fi
+
 if [ -n "$DESTDIR" ]; then
     if [ `id -u` != 0 ] ; then
 	echo "Not setting file owner/group permissions, not running as root."
 	OWNERSHIP=""
     fi
     
-    install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
-elif [ -f /etc/debian_version ]; then
-    DEBIAN=yes
-elif [ -f /etc/SuSE-release ]; then
-    SUSE=Yes
-elif [ -f /etc/redhat-release ]; then
-    FEDORA=Yes
-elif [ -f /etc/slackware-version ] ; then
-    echo "Shorewall-init is currently not supported on Slackware" >&2
-    exit 1
-#   DEST="/etc/rc.d"
-#   INIT="rc.firewall"
-elif [ -f /etc/arch-release ] ; then
-    echo "Shorewall-init is currently not supported on Arch Linux" >&2
-    exit 1
-#   DEST="/etc/rc.d"
-#   INIT="shorewall-init"
-#   ARCHLINUX=yes
-elif [ -d /etc/sysconfig/network-scripts/ ]; then
-    #
-    # Assume RedHat-based
-    #
-    REDHAT=Yes
-else
-    echo "Unknown distribution: Shorewall-init support is not available" >&2
-    exit 1
+    install -d $OWNERSHIP -m 755 ${DESTDIR}${INITDIR}
 fi
 
 if [ -z "$DESTDIR" ]; then
-    if [ -f /lib/systemd/system ]; then
+    if [ -d /lib/systemd/system ]; then
 	SYSTEMD=Yes
+	INITFILE=
     fi
 elif [ -n "$SYSTEMD" ]; then
     mkdir -p ${DESTDIR}/lib/systemd/system
+    INITFILE=
 fi
 
-#
-# Change to the directory containing this script
-#
-cd "$(dirname $0)"
-
 echo "Installing Shorewall Init Version $VERSION"
 
 #
@@ -207,27 +236,36 @@ else
     first_install="Yes"
 fi
 
-#
-# Install the Init Script
-#
-if [ -n "$DEBIAN" ]; then
-    install_file init.debian.sh ${DESTDIR}/etc/init.d/shorewall-init 0544
-elif [ -n "$FEDORA" ]; then
-    install_file init.fedora.sh ${DESTDIR}/etc/init.d/shorewall-init 0544
-#elif [ -n "$ARCHLINUX" ]; then
-#    install_file init.archlinux.sh ${DESTDIR}${DEST}/$INIT 0544
-else
-    install_file init.sh ${DESTDIR}${DEST}/$INIT 0544
+if [ -n "$INITFILE" ]; then
+    #
+    # Install the Init Script
+    #
+    case $TARGET in
+	debian)
+	    install_file init.debian.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
+	    ;;
+	redhat)
+	    install_file init.fedora.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
+	    ;;
+	*)
+	    install_file init.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
+	    ;;
+    esac
+
+    echo  "Shorewall-init script installed in ${DESTDIR}${INITDIR}/${INITFILE}"
 fi
-
-echo  "Shorewall Init script installed in ${DESTDIR}${DEST}/$INIT"
-
 #
 # Install the .service file
 #
 if [ -n "$SYSTEMD" ]; then
     run_install $OWNERSHIP -m 600 shorewall-init.service ${DESTDIR}/lib/systemd/system/shorewall-init.service
     echo "Service file installed as ${DESTDIR}/lib/systemd/system/shorewall-init.service"
+    if [ -n "$DESTDIR" ]; then
+	mkdir -p ${DESTDIR}/sbin/
+        chmod 755 ${DESTDIR}/sbin
+    fi
+    run_install $OWNERSHIP -m 700 shorewall-init ${DESTDIR}/sbin/shorewall-init
+    echo "CLI installed as ${DESTDIR}/sbin/shorewall-init"
 fi
 
 #
@@ -247,10 +285,10 @@ chmod 644 ${DESTDIR}/usr/share/shorewall-init/version
 #
 if [ -z "$DESTDIR" ]; then
     rm -f /usr/share/shorewall-init/init
-    ln -s ${DEST}/${INIT} /usr/share/shorewall-init/init
+    ln -s ${INITDIR}/${INITFILE} /usr/share/shorewall-init/init
 fi
 
-if [ -n "$DEBIAN" ]; then
+if [ $HOST = debian ]; then
     if [ -n "${DESTDIR}" ]; then
 	mkdir -p ${DESTDIR}/etc/network/if-up.d/
 	mkdir -p ${DESTDIR}/etc/network/if-post-down.d/
@@ -268,7 +306,7 @@ else
 	mkdir -p ${DESTDIR}/etc/sysconfig
 
 	if [ -z "$RPM" ]; then
-	    if [ -n "$SUSE" ]; then
+	    if [ $HOST = suse ]; then
 		mkdir -p ${DESTDIR}/etc/sysconfig/network/if-up.d
 		mkdir -p ${DESTDIR}/etc/sysconfig/network/if-down.d
 	    else
@@ -294,24 +332,30 @@ if [ -d ${DESTDIR}/etc/NetworkManager ]; then
     install_file ifupdown.sh ${DESTDIR}/etc/NetworkManager/dispatcher.d/01-shorewall 0544
 fi
 
-if [ -n "$DEBIAN" ]; then
-    install_file ifupdown.sh ${DESTDIR}/etc/network/if-up.d/shorewall 0544
-    install_file ifupdown.sh ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544
-elif [ -n "$SUSE" ]; then
-    install_file ifupdown.sh ${DESTDIR}/etc/sysconfig/network/if-up.d/shorewall 0544
-    install_file ifupdown.sh ${DESTDIR}/etc/sysconfig/network/if-down.d/shorewall 0544
-elif [ -n "$REDHAT" ]; then
-    if [ -f ${DESTDIR}/sbin/ifup-local -o -f ${DESTDIR}/sbin/ifdown-local ]; then
-	echo "WARNING: /sbin/ifup-local and/or /sbin/ifdown-local already exist; up/down events will not be handled"
-    else
-	install_file ifupdown.sh ${DESTDIR}/sbin/ifup-local 0544
-	install_file ifupdown.sh ${DESTDIR}/sbin/ifdown-local 0544
-    fi
-fi
+case $HOST in
+    debian)
+	install_file ifupdown.sh ${DESTDIR}/etc/network/if-up.d/shorewall 0544
+	install_file ifupdown.sh ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544
+	;;
+    suse)
+	if [ -z "$RPM" ]; then
+	    install_file ifupdown.sh ${DESTDIR}/etc/sysconfig/network/if-up.d/shorewall 0544
+	    install_file ifupdown.sh ${DESTDIR}/etc/sysconfig/network/if-down.d/shorewall 0544
+	fi
+	;;
+    redhat)
+	if [ -f ${DESTDIR}/sbin/ifup-local -o -f ${DESTDIR}/sbin/ifdown-local ]; then
+	    echo "WARNING: /sbin/ifup-local and/or /sbin/ifdown-local already exist; up/down events will not be handled"
+	elif [ -z "$DESTDIR" ]; then
+	    install_file ifupdown.sh ${DESTDIR}/sbin/ifup-local 0544
+	    install_file ifupdown.sh ${DESTDIR}/sbin/ifdown-local 0544
+	fi
+	;;
+esac
 
 if [ -z "$DESTDIR" ]; then
     if [ -n "$first_install" ]; then
-	if [ -n "$DEBIAN" ]; then
+	if [ $HOST = debian ]; then
 	    
 	    update-rc.d shorewall-init defaults
 
@@ -340,7 +384,7 @@ if [ -z "$DESTDIR" ]; then
 		else
 		    cant_autostart
 		fi
-	    elif [ "$INIT" != rc.firewall ]; then #Slackware starts this automatically
+	    else
 		cant_autostart
 	    fi
 
@@ -348,7 +392,7 @@ if [ -z "$DESTDIR" ]; then
     fi
 else
     if [ -n "$first_install" ]; then
-	if [ -n "$DEBIAN" ]; then
+	if [ $HOST = debian ]; then
 	    if [ -n "${DESTDIR}" ]; then
 		mkdir -p ${DESTDIR}/etc/rcS.d
 	    fi
@@ -360,31 +404,33 @@ else
 fi
 
 if [ -f ${DESTDIR}/etc/ppp ]; then
-    if [ -n "$DEBIAN" ] -o -n "$SUSE" ]; then
-	for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do
-	    mkdir -p ${DESTDIR}/etc/ppp/$directory #SuSE doesn't create the IPv6 directories
-	    cp -fp ${DESTDIR}${LIBEXEC}/shorewall-init/ifupdown ${DESTDIR}/etc/ppp/$directory/shorewall
-	done
-    elif [ -n "$REDHAT" ]; then
-	#
-	# Must use the dreaded ip_xxx.local file
-	#
-	for file in ip-up.local ip-down.local; do
-	    FILE=${DESTDIR}/etc/ppp/$file
-	    if [ -f $FILE ]; then
-		if fgrep -q Shorewall-based $FILE ; then
-		    cp -fp ${DESTDIR}${LIBEXEC}/shorewall-init/ifupdown $FILE
+    case $HOST in
+	debian|suse)
+	    for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do
+		mkdir -p ${DESTDIR}/etc/ppp/$directory #SuSE doesn't create the IPv6 directories
+		cp -fp ${DESTDIR}${LIBEXEC}/shorewall-init/ifupdown ${DESTDIR}/etc/ppp/$directory/shorewall
+	    done
+	    ;;
+	redhat)
+	    #
+	    # Must use the dreaded ip_xxx.local file
+	    #
+	    for file in ip-up.local ip-down.local; do
+		FILE=${DESTDIR}/etc/ppp/$file
+		if [ -f $FILE ]; then
+		    if fgrep -q Shorewall-based $FILE ; then
+			cp -fp ${DESTDIR}${LIBEXEC}/shorewall-init/ifupdown $FILE
+		    else
+			echo "$FILE already exists -- ppp devices will not be handled"
+			break
+		    fi
 		else
-		    echo "$FILE already exists -- ppp devices will not be handled"
-		    break
+		    cp -fp ${DESTDIR}${LIBEXEC}/shorewall-init/ifupdown $FILE
 		fi
-	    else
-		cp -fp ${DESTDIR}${LIBEXEC}/shorewall-init/ifupdown $FILE
-	    fi
-	done
-    fi
+	    done
+	    ;;
+    esac
 fi
-
 #
 #  Report Success
 #

Shorewall-init/shorewall-init

@@ -0,0 +1,97 @@
+#! /bin/bash
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2012 - Tom Eastep (teastep@shorewall.net)
+#
+#       On most distributions, this file should be called /etc/init.d/shorewall.
+#
+#       Complete documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#########################################################################################
+# check if shorewall-init is configured or not
+if [ -f "/etc/sysconfig/shorewall-init" ]; then
+    . /etc/sysconfig/shorewall-init
+    if [ -z "$PRODUCTS" ]; then
+        echo "ERROR: No products configured" >&2
+	exit 1
+    fi
+else
+    echo "ERROR: /etc/sysconfig/shorewall-init not found" >&2
+    exit 1
+fi
+
+# Initialize the firewall
+shorewall_start () {
+  local PRODUCT
+  local VARDIR
+
+  echo -n "Initializing \"Shorewall-based firewalls\": "
+  for PRODUCT in $PRODUCTS; do
+      VARDIR=/var/lib/$PRODUCT
+      [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir 
+      if [ -x ${VARDIR}/firewall ]; then
+	  if ! /sbin/$PRODUCT status > /dev/null 2>&1; then
+	      ${VARDIR}/firewall stop || exit 1
+	  fi
+      fi
+  done
+
+  if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
+      ipset -R < "$SAVE_IPSETS"
+  fi
+
+  return 0
+}
+
+# Clear the firewall
+shorewall_stop () {
+  local PRODUCT
+  local VARDIR
+
+  echo -n "Clearing \"Shorewall-based firewalls\": "
+  for PRODUCT in $PRODUCTS; do
+      VARDIR=/var/lib/$PRODUCT
+      [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir 
+      if [ -x ${VARDIR}/firewall ]; then
+	  ${VARDIR}/firewall clear || exit 1
+      fi
+  done
+
+  if [ -n "$SAVE_IPSETS" ]; then
+      mkdir -p $(dirname "$SAVE_IPSETS")
+      if ipset -S > "${SAVE_IPSETS}.tmp"; then
+	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+      fi
+  fi
+
+  return 0
+}
+
+case "$1" in
+  start)
+     shorewall_start
+     ;;
+  stop)
+     shorewall_stop
+     ;;
+  *)
+     echo "Usage: $0 {start|stop}"
+     exit 1
+esac
+
+exit 0

Shorewall-lite/init.sh

@@ -76,10 +76,10 @@ command="$1"
 
 case "$command" in
     start)
-	exec /sbin/shorewall-lite $OPTIONS start $STARTOPTIONS $@
+	exec /sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
 	;;
     restart|reload)
-	exec /sbin/shorewall-lite $OPTIONS restart $RESTARTOPTIONS $@
+	exec /sbin/shorewall-lite $OPTIONS restart $RESTARTOPTIONS
 	;;
     status|stop)
 	exec /sbin/shorewall-lite $OPTIONS $command $@

Shorewall-lite/install.sh

@@ -90,6 +90,11 @@ install_file() # $1 = source $2 = target $3 = mode
 #
 cd "$(dirname $0)"
 
+#
+# Load packager's settings if any
+#
+[ -f ../shorewall-pkg.config ] && . ../shorewall-pkg.config
+
 if [ -f shorewall-lite ]; then
     PRODUCT=shorewall-lite
     Product="Shorewall Lite"
@@ -103,17 +108,6 @@ fi
 #
 # Parse the run line
 #
-# DEST is the SysVInit script directory
-# INIT is the name of the script in the $DEST directory
-#
-if [ -z "$DEST" ] ; then
-	DEST="/etc/init.d"
-fi
-
-if [ -z "$INIT" ] ; then
-	INIT="$PRODUCT"
-fi
-
 while [ $# -gt 0 ] ; do
     case "$1" in
 	-h|help|?)
@@ -138,31 +132,56 @@ case "$LIBEXEC" in
     /*)
 	;;
     *)
-	LIBEXEC=/usr/${LIBEXEC}
+	echo "The LIBEXEC setting must be an absolute path name" >&2
+	exit 1
 	;;
 esac
 
 #
 # Determine where to install the firewall script
 #
-CYGWIN=
+cygwin=
 INSTALLD='-D'
+INITFILE=$PRODUCT
 T='-T'
 
-case $(uname) in
-    CYGWIN*)
-	if [ -z "$DESTDIR" ]; then
-	    DEST=
-	    INIT=
-	fi
+if [ -z "$BUILD" ]; then
+    case $(uname) in
+	cygwin*)
+	    BUILD=cygwin
+	    ;;
+	Darwin)
+	    BUILD=apple
+	    ;;
+	*)
+	    if [ -f /etc/debian_version ]; then
+		BUILD=debian
+	    elif [ -f /etc/redhat-release ]; then
+		BUILD=redhat
+	    elif [ -f /etc/SuSE-release ]; then
+		BUILD=suse
+	    elif [ -f /etc/slackware-version ] ; then
+		BUILD=slackware
+	    elif [ -f /etc/arch-release ] ; then
+		BUILD=archlinux
+	    else
+		BUILD=linux
+	    fi
+	    ;;
+    esac
+fi
 
+case $BUILD in
+    cygwin*)
 	OWNER=$(id -un)
 	GROUP=$(id -gn)
 	;;
-    Darwin)
+    apple)
+	[ -z "$OWNER" ] && OWNER=root
+	[ -z "$GROUP" ] && GROUP=wheel
 	INSTALLD=
 	T=
-	;;	   
+	;;
     *)
 	[ -z "$OWNER" ] && OWNER=root
 	[ -z "$GROUP" ] && GROUP=root
@@ -171,6 +190,45 @@ esac
 
 OWNERSHIP="-o $OWNER -g $GROUP"
 
+[ -n "$HOST" ] || HOST=$BUILD
+
+case "$HOST" in
+    cygwin)
+	echo "$PRODUCT is not supported on Cygwin" >&2
+	exit 1
+	;;
+    apple)
+	echo "$PRODUCT is not supported on OS X" >&2
+	exit 1
+	;;
+    debian)
+	echo "Installing Debian-specific configuration..."
+	SPARSE=yes
+	;;
+    redhat)
+	echo "Installing Redhat/Fedora-specific configuration..."
+	[ -n "$INITDIR" ]  || INITDIR=/etc/rc.d/init.d
+	;;
+    slackware)
+	echo "Installing Slackware-specific configuration..."
+	[ -n "$INITDIR" ]  || INITDIR="/etc/rc.d"
+	[ -n "$INITFILE" ] || INITFILE="rc.firewall"
+	[ -n "$MANDIR=" ]  || MANDIR=/usr/man
+	;;
+    archlinux)
+	echo "Installing ArchLinux-specific configuration..."
+	[ -n "$INITDIR" ]  || INITDIR="/etc/rc.d"
+	;;
+    linux|suse)
+	;;
+    *)
+	echo "ERROR: Unknown HOST \"$HOST\"" >&2
+	exit 1;
+	;;
+esac
+
+[ -z "$INITDIR" ] && INITDIR="/etc/init.d"
+
 if [ -n "$DESTDIR" ]; then
     if [ `id -u` != 0 ] ; then
 	echo "Not setting file owner/group permissions, not running as root."
@@ -178,21 +236,13 @@ if [ -n "$DESTDIR" ]; then
     fi
     
     install -d $OWNERSHIP -m 755 ${DESTDIR}/sbin
-    install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
-elif [ -d /etc/apt -a -e /usr/bin/dpkg ]; then
-    DEBIAN=yes
-elif [ -f /etc/redhat-release ]; then
-    FEDORA=yes
-elif [ -f /etc/slackware-version ] ; then
-    DEST="/etc/rc.d"
-    INIT="rc.firewall"
-elif [ -f /etc/arch-release ] ; then
-      DEST="/etc/rc.d"
-      INIT="$PRODUCT"
-      ARCHLINUX=yes
-fi
+    install -d $OWNERSHIP -m 755 ${DESTDIR}${DESTFILE}
 
-if [ -z "$DESTDIR" ]; then
+    if [ -n "$SYSTEMD" ]; then
+	mkdir -p ${DESTDIR}/lib/systemd/system
+	INITFILE=
+    fi
+else
     if [ ! -f /usr/share/shorewall/coreversion ]; then
 	echo "$PRODUCT $VERSION requires Shorewall Core which does not appear to be installed" >&2
 	exit 1
@@ -200,9 +250,8 @@ if [ -z "$DESTDIR" ]; then
 
     if [ -f /lib/systemd/system ]; then
 	SYSTEMD=Yes
+	INITFILE=
     fi
-elif [ -n "$SYSTEMD" ]; then
-    mkdir -p ${DESTDIR}/lib/systemd/system
 fi
 
 echo "Installing $Product Version $VERSION"
@@ -222,7 +271,7 @@ else
     rm -rf ${DESTDIR}/etc/$PRODUCT
     rm -rf ${DESTDIR}/usr/share/$PRODUCT
     rm -rf ${DESTDIR}/var/lib/$PRODUCT
-    [ "$LIBEXEC" = /usr/share ] || rm -rf /usr/share/$PRODUCT/wait4ifup /usr/share/$PRODUCT/shorecap
+    [ "$LIBEXEC" = /usr/share ] || rm -rf ${DESTDIR}/usr/share/$PRODUCT/wait4ifup ${DESTDIR}/usr/share/$PRODUCT/shorecap
 fi
 
 #
@@ -240,21 +289,6 @@ install_file $PRODUCT ${DESTDIR}/sbin/$PRODUCT 0544
 
 echo "$Product control program installed in ${DESTDIR}/sbin/$PRODUCT"
 
-#
-# Install the Firewall Script
-#
-if [ -n "$DEBIAN" ]; then
-    install_file init.debian.sh ${DESTDIR}/etc/init.d/$PRODUCT 0544
-elif [ -n "$FEDORA" ]; then
-    install_file init.fedora.sh ${DESTDIR}/etc/init.d/$PRODUCT 0544
-elif [ -n "$ARCHLINUX" ]; then
-    install_file init.archlinux.sh ${DESTDIR}/${DEST}/$INIT 0544
-else
-    install_file init.sh ${DESTDIR}/${DEST}/$INIT 0544
-fi
-
-echo  "$Product script installed in ${DESTDIR}${DEST}/$INIT"
-
 #
 # Create /etc/$PRODUCT, /usr/share/$PRODUCT and /var/lib/$PRODUCT if needed
 #
@@ -269,8 +303,28 @@ chmod 755 ${DESTDIR}/usr/share/$PRODUCT
 if [ -n "$DESTDIR" ]; then
     mkdir -p ${DESTDIR}/etc/logrotate.d
     chmod 755 ${DESTDIR}/etc/logrotate.d
+    mkdir -p ${DESTDIR}${INITDIR}
+    chmod 755 ${DESTDIR}${INITDIR}
 fi
 
+if [ -n "$INITFILE" ]; then
+    case $TARGET in
+	debian)
+	    install_file init.debian.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
+	    ;;
+	redhat)
+	    install_file init.fedora.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
+	    ;;
+	archlinux)
+	    install_file init.archlinux.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
+	    ;;
+	*)
+	    install_file init.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
+	    ;;
+    esac
+
+    echo  "$Product init script installed in ${DESTDIR}${INITDIR}/${INITFILE}"
+fi
 #
 # Install the .service file
 #
@@ -287,7 +341,7 @@ if [ ! -f ${DESTDIR}/etc/$PRODUCT/$PRODUCT.conf ]; then
    echo "Config file installed as ${DESTDIR}/etc/$PRODUCT/$PRODUCT.conf"
 fi
 
-if [ -n "$ARCHLINUX" ] ; then
+if [ $HOST = archlinux ] ; then
    sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${DESTDIR}/etc/$PRODUCT/$PRODUCT.conf
 fi
 
@@ -387,7 +441,7 @@ chmod 644 ${DESTDIR}/usr/share/$PRODUCT/version
 
 if [ -z "$DESTDIR" ]; then
     rm -f /usr/share/$PRODUCT/init
-    ln -s ${DEST}/${INIT} /usr/share/$PRODUCT/init
+    ln -s ${INITDIR}/${INITFILE} /usr/share/$PRODUCT/init
 fi
 
 delete_file ${DESTDIR}/usr/share/$PRODUCT/lib.common
@@ -398,7 +452,7 @@ if [ -z "$DESTDIR" ]; then
     touch /var/log/$PRODUCT-init.log
 
     if [ -n "$first_install" ]; then
-	if [ -n "$DEBIAN" ]; then
+	if [ $HOST = debian ]; then
 	    run_install $OWNERSHIP -m 0644 default.debian /etc/default/$PRODUCT
 
 	    update-rc.d $PRODUCT defaults
@@ -434,7 +488,7 @@ if [ -z "$DESTDIR" ]; then
 		else
 		    cant_autostart
 		fi
-	    elif [ "$INIT" != rc.firewall ]; then #Slackware starts this automatically
+	    elif [ "$INITFILE" != rc.firewall ]; then #Slackware starts this automatically
 		cant_autostart
 	    fi
 	fi

Shorewall-lite/manpages/shorewall-lite.xml

@@ -517,15 +517,17 @@
           defined in the <ulink
           url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
           file. A <emphasis>host-list</emphasis> is comma-separated list whose
-          elements are host or network addresses.<caution>
-              <para>The <command>add</command> command is not very robust. If
-              there are errors in the <replaceable>host-list</replaceable>,
-              you may see a large number of error messages yet a subsequent
-              <command>shorewall-lite show zones</command> command will
-              indicate that all hosts were added. If this happens, replace
-              <command>add</command> by <command>delete</command> and run the
-              same command again. Then enter the correct command.</para>
-            </caution></para>
+          elements are host or network addresses.</para>
+
+          <caution>
+            <para>The <command>add</command> command is not very robust. If
+            there are errors in the <replaceable>host-list</replaceable>, you
+            may see a large number of error messages yet a subsequent
+            <command>shorewall-lite show zones</command> command will indicate
+            that all hosts were added. If this happens, replace
+            <command>add</command> by <command>delete</command> and run the
+            same command again. Then enter the correct command.</para>
+          </caution>
         </listitem>
       </varlistentry>
 

Shorewall/Perl/Shorewall/Accounting.pm

@@ -322,7 +322,7 @@ sub process_accounting_rule( ) {
 	}
     }
 
-    dont_optimize( $chainref ) if $target eq 'RETURN';
+    set_optflags( $chainref, DONT_OPTIMIZE ) if $target eq 'RETURN';
 
     if ( $jumpchainref ) {
 	if ( $asection ) {
@@ -407,7 +407,7 @@ sub setup_accounting() {
 		}
 
 		if ( $tableref->{accounting} ) {
-		    dont_optimize( 'accounting' );
+		    set_optflags( 'accounting' , DONT_OPTIMIZE );
 		    for my $chain ( qw/INPUT FORWARD/ ) {
 			insert_ijump( $tableref->{$chain}, j => 'accounting', 0 );
 		    }
@@ -429,7 +429,7 @@ sub setup_accounting() {
 		    insert_ijump( $tableref->{POSTROUTING}, j => 'accountpost', 0 );
 		}
 	    } elsif ( $tableref->{accounting} ) {
-		dont_optimize( 'accounting' );
+		set_optflags( 'accounting' , DONT_OPTIMIZE );
 		for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
 		    insert_ijump( $tableref->{$chain}, j => 'accounting', 0 );
 		}

Shorewall/Perl/Shorewall/Chains.pm

@@ -36,6 +36,10 @@ use strict;
 
 our @ISA = qw(Exporter);
 our @EXPORT = qw(
+		    DONT_OPTIMIZE
+		    DONT_DELETE
+		    DONT_MOVE
+
 		    add_rule
 		    add_irule
 		    add_jump
@@ -62,6 +66,11 @@ our @EXPORT = qw(
 		    require_audit
 		    newlogchain
 		    log_rule_limit
+		    allow_optimize
+		    allow_delete
+		    allow_move
+		    set_optflags
+		    reset_optflags
 		    dont_optimize
 		    dont_delete
 		    dont_move
@@ -189,6 +198,7 @@ our %EXPORT_TAGS = (
 				       do_headers
 				       do_probability
 				       do_condition
+				       do_dscp
 				       have_ipset_rules
 				       record_runtime_address
 				       conditional_rule
@@ -228,6 +238,7 @@ our %EXPORT_TAGS = (
 				       create_chainlist_reload
 				       create_stop_load
 				       %targets
+				       %dscpmap
 				     ) ],
 		   );
 
@@ -246,9 +257,7 @@ our $VERSION = 'MODULEVERSION';
 #                                               builtin      => undef|1 -- If 1, one of Netfilter's built-in chains.
 #                                               manual       => undef|1 -- If 1, a manual chain.
 #                                               accounting   => undef|1 -- If 1, an accounting chain
-#                                               dont_optimize=> undef|1 -- Don't optimize away if this chain is 'short'
-#                                               dont_delete  => undef|1 -- Don't delete if this chain is not referenced
-#                                               dont_move    => undef|1 -- Don't copy the rules of this chain somewhere else
+#                                               optflags     => <optimization flags>
 #                                               log          => <logging rule number for use when LOGRULENUMBERS>
 #                                               policy       => <policy>
 #                                               policychain  => <name of policy chain> -- self-reference if this is a policy chain
@@ -360,6 +369,32 @@ use constant {
 
 use constant { OPTIMIZE_MASK => OPTIMIZE_POLICY_MASK | OPTIMIZE_RULESET_MASK };
 
+use constant { DONT_OPTIMIZE => 1 , DONT_DELETE => 2, DONT_MOVE => 4 };
+
+our %dscpmap = ( CS0  => 0x00,
+		 CS1  => 0x08,
+		 CS2  => 0x10,
+		 CS3  => 0x18,
+		 CS4  => 0x20,
+		 CS5  => 0x28,
+		 CS6  => 0x30,
+		 CS7  => 0x38,
+		 BE   => 0x00,
+		 AF11 => 0x0a,
+		 AF12 => 0x0c,
+		 AF13 => 0x0e,
+		 AF21 => 0x12,
+		 AF22 => 0x14,
+		 AF23 => 0x16,
+		 AF31 => 0x1a,
+		 AF32 => 0x1c,
+		 AF33 => 0x1e,
+		 AF41 => 0x22,
+		 AF42 => 0x24,
+		 AF43 => 0x26,
+		 EF   => 0x2e,
+	       );
+
 #
 # These hashes hold the shell code to set shell variables. The key is the name of the variable; the value is the code to generate the variable's contents
 #
@@ -1151,7 +1186,7 @@ sub push_matches {
 	}
     }
 
-    $dont_optimize;
+    DONT_OPTIMIZE if $dont_optimize;
 }
 
 sub push_irule( $$$;@ ) {
@@ -1180,7 +1215,7 @@ sub push_irule( $$$;@ ) {
     $chainref->{referenced} = 1;
 
     unless ( $ruleref->{simple} = ! @matches ) {
-	$chainref->{dont_optimize} = 1 if push_matches( $ruleref, @matches );
+	$chainref->{optflags} |= push_matches( $ruleref, @matches );
     }
 
     push @{$chainref->{rules}}, $ruleref;
@@ -1294,7 +1329,7 @@ sub insert_irule( $$$$;@ ) {
     }
 
     unless ( $ruleref->{simple} = ! @matches ) {
-	$chainref->{dont_optimize} = 1 if push_matches( $ruleref, @matches );
+	$chainref->{optflags} |= push_matches( $ruleref, @matches );
     }
 
     if ( $comment ) {
@@ -1867,7 +1902,8 @@ sub new_chain($$)
 		     log            => 1,
 		     cmdlevel       => 0,
 		     references     => {},
-		     filtered       => 0
+		     filtered       => 0,
+		     optflags       => 0,
 		   };
 
     trace( $chainref, 'N', undef, '' ) if $debug;
@@ -1928,7 +1964,7 @@ sub add_jump( $$$;$$$ ) {
 
     my $param = $goto_ok && $toref && have_capability( 'GOTO_TARGET' ) ? 'g' : 'j';
 
-    $fromref->{dont_optimize} = 1 if $predicate =~ /! -[piosd] /;
+    $fromref->{optflags} |= DONT_OPTIMIZE if $predicate =~ /! -[piosd] /;
 
     if ( defined $index ) {
 	assert( ! $expandports );
@@ -2052,49 +2088,70 @@ sub delete_jumps ( $$ ) {
     }
 }
 
-#
-# Set the dont_optimize flag for a chain
-#
-sub dont_optimize( $ ) {
-    my $chain = shift;
+sub reset_optflags( $$ ) {
+    my ( $chain, $flags ) = @_;
 
     my $chainref = reftype $chain ? $chain : $filter_table->{$chain};
 
-    $chainref->{dont_optimize} = 1;
+    $chainref->{optflags} ^= $flags;
+
+    trace( $chainref, '!O', undef, '' ) if $debug;
+
+    $chainref;
+}
+
+sub set_optflags( $$ ) {
+    my ( $chain, $flags ) = @_;
+
+    my $chainref = reftype $chain ? $chain : $filter_table->{$chain};
+
+    $chainref->{optflags} |= $flags;
 
     trace( $chainref, '!O', undef, '' ) if $debug;
 
     $chainref;
 }
 
+#
+# Reset the dont_optimize flag for a chain
+#
+sub allow_optimize( $ ) {
+    reset_optflags( shift, DONT_OPTIMIZE );
+}
+
+#
+# Reset the dont_delete flags for a chain
+#
+sub allow_delete( $ ) {
+    reset_optflags( shift, DONT_DELETE );
+}
+
+#
+# Reset the dont_move flag for a chain
+#
+sub allow_move( $ ) {
+    reset_optflags( shift, DONT_MOVE );
+}
+
+#
+# Set the dont_optimize flag for a chain
+#
+sub dont_optimize( $ ) {
+    set_optflags( shift, DONT_OPTIMIZE );
+}
+
 #
 # Set the dont_optimize and dont_delete flags for a chain
 #
 sub dont_delete( $ ) {
-    my $chain = shift;
-
-    my $chainref = reftype $chain ? $chain : $filter_table->{$chain};
-
-    $chainref->{dont_optimize} = $chainref->{dont_delete} = 1;
-
-    trace( $chainref, '!OD', undef, '' ) if $debug;
-
-    $chainref;
+    set_optflags( shift, DONT_OPTIMIZE | DONT_DELETE );
 }
 
 #
 # Set the dont_move flag for a chain
 #
 sub dont_move( $ ) {
-    my $chain = shift;
-
-    my $chainref = reftype $chain ? $chain : $filter_table->{$chain};
-
-    $chainref->{dont_move} = 1;
-
-    trace( $chainref, '!M', undef, '' ) if $debug;
-
-    $chainref;
+    set_optflags( shift, DONT_MOVE );
 }
 
 #
@@ -2136,7 +2193,7 @@ sub ensure_accounting_chain( $$$ )
 	$chainref->{restriction} = $restriction;
 	$chainref->{restricted}  = NO_RESTRICT;
 	$chainref->{ipsec}       = $ipsec;
-	$chainref->{dont_optimize} = 1 unless $config{OPTIMIZE_ACCOUNTING};
+	$chainref->{optflags}   |= DONT_OPTIMIZE unless $config{OPTIMIZE_ACCOUNTING};
 
 	unless ( $chain eq 'accounting' ) {
 	    my $file = find_file $chain;
@@ -2208,7 +2265,7 @@ sub new_builtin_chain($$$)
     $chainref->{referenced}  = 1;
     $chainref->{policy}      = $policy;
     $chainref->{builtin}     = 1;
-    $chainref->{dont_delete} = 1;
+    $chainref->{optflags}    = DONT_DELETE;
     $chainref;
 }
 
@@ -2636,7 +2693,7 @@ sub conditionally_copy_rules( $$ ) {
 
     my $targetref = $chain_table{$chainref->{table}}{$basictarget};
 
-    if ( $targetref && ! $targetref->{dont_move} ) {
+    if ( $targetref && ! ( $targetref->{optflags} & DONT_MOVE ) ) {
 	#
 	# Move is safe -- start with an empty rule list
 	#
@@ -2678,7 +2735,7 @@ sub optimize_level0() {
 	    #
 	    # If the chain isn't branched to, then delete it
 	    #
-	    unless ( $chainref->{dont_delete} || keys %{$chainref->{references}} ) {
+	    unless ( $chainref->{optflags} & DONT_DELETE || keys %{$chainref->{references}} ) {
 		delete_chain $chainref if $chainref->{referenced};
 	    }
 	}
@@ -2696,7 +2753,7 @@ sub optimize_level4( $$ ) {
     # When a chain with a single entry is found, replace it's references by its contents
     #
     # The search continues until no short chains remain
-    # Chains with 'dont_optimize = 1' are exempted from optimization
+    # Chains with 'DONT_OPTIMIZE' are exempted from optimization
     #
     while ( $progress ) {
 	$progress = 0;
@@ -2708,15 +2765,16 @@ sub optimize_level4( $$ ) {
 	progress_message "\n Table $table pass $passes, $chains referenced chains, level 4a...";
 
 	for my $chainref ( @chains ) {
+	    my $optflags = $chainref->{optflags};
 	    #
 	    # If the chain isn't branched to, then delete it
 	    #
-	    unless ( $chainref->{dont_delete} || keys %{$chainref->{references}} ) {
+	    unless ( ( $optflags & DONT_DELETE ) || keys %{$chainref->{references}} ) {
 		delete_chain $chainref if $chainref->{referenced};
 		next;
 	    }
 
-	    unless ( $chainref->{dont_optimize} ) {
+	    unless ( $optflags & DONT_OPTIMIZE ) {
 		my $numrules = @{$chainref->{rules}};
 
 		if ( $numrules == 0 ) {
@@ -2727,7 +2785,7 @@ sub optimize_level4( $$ ) {
 			#
 			# Built-in -- mark it 'dont_optimize' so we ignore it in follow-on passes
 			#
-			$chainref->{dont_optimize} = 1;
+			$chainref->{optflags} |= DONT_OPTIMIZE;
 		    } else {
 			#
 			# Not a built-in -- we can delete it and it's references
@@ -2758,7 +2816,7 @@ sub optimize_level4( $$ ) {
 				#
 				# Target was a built-in. Ignore this chain in follow-on passes
 				#
-				$chainref->{dont_optimize} = 1;
+				$chainref->{optflags} |= DONT_OPTIMIZE;
 			    }
 			} else {
 			    #
@@ -2774,9 +2832,9 @@ sub optimize_level4( $$ ) {
 			if ( $chainref->{builtin} || ! $globals{KLUDGEFREE} ) {
 			    #
 			    # This case requires a new rule merging algorithm. Ignore this chain for
-			    # now.
+			    # now on.
 			    #
-			    $chainref->{dont_optimize} = 1;
+			    $chainref->{optflags} |= DONT_OPTIMIZE;
 			} else {
 			    #
 			    # Replace references to this chain with the target and add the matches
@@ -2866,7 +2924,7 @@ sub optimize_level8( $$$ ) {
 	#
 	for my $chainref1 ( @chains1 ) {
 	    next unless @{$chainref1->{rules}};
-	    next if $chainref1->{dont_delete};
+	    next if $chainref1->{optflags} & DONT_DELETE;
 	    if ( $chainref->{digest} eq $chainref1->{digest} ) {
 		progress_message "  Chain $chainref1->{name} combined with $chainref->{name}";
 		replace_references $chainref1, $chainref->{name}, undef;
@@ -4186,6 +4244,26 @@ sub do_condition( $ ) {
     "-m condition ${invert}--condition $condition "
 }
 
+#
+# Generate a -m dscp match
+#
+sub do_dscp( $ ) {
+    my $dscp = shift;
+
+    return '' if $dscp eq '-';
+
+    require_capability 'DSCP_MATCH', 'A non-empty DSCP column', 's';
+
+    my $invert = $dscp =~ s/^!// ? '! ' : '';
+    my $value  = numeric_value( $dscp );
+
+    $value = $dscpmap{$value} unless defined $value;
+
+    fatal_error( "Invalid DSCP ($dscp)" ) unless defined $value && $value < 0x2f && ! ( $value & 1 );
+
+    "-m dscp ${invert}--dscp $value ";
+}
+
 #
 # Match Source Interface
 #
@@ -4313,6 +4391,13 @@ sub get_set_flags( $$ ) {
     } elsif ( $setname =~ /^(.*)\[((src|dst)(,(src|dst))*)\]$/ ) {
 	$setname = $1;
 	$options = $2;
+
+	my @options = split /,/, $options;
+	my %typemap = ( src => 'Source', dst => 'Destination' );
+
+	for ( @options ) {
+	    warning_messsage( "The '$_' ipset flag is used in a $typemap{$option} column" ), last unless $_ eq $option;
+	}
     }
 
     $setname =~ s/^\+//;
@@ -4324,7 +4409,6 @@ sub get_set_flags( $$ ) {
 
 	$ipset_exists{$setname} = 1; # Suppress subsequent checks/warnings
     }
-
     fatal_error "Invalid ipset name ($setname)" unless $setname =~ /^(6_)?[a-zA-Z]\w*/;
 
     have_capability 'OLD_IPSET_MATCH' ? "--set $setname $options " : "--match-set $setname $options ";
@@ -4337,11 +4421,21 @@ sub have_ipset_rules() {
 
 sub get_interface_address( $ );
 
-sub record_runtime_address( $ ) {
-    my $interface = shift;
+sub record_runtime_address( $$;$ ) {
+    my ( $addrtype, $interface, $protect ) = @_;
     fatal_error "Unknown interface address variable (&$interface)" unless known_interface( $interface );
     fatal_error "Invalid interface address variable (&$interface)" if $interface =~ /\+$/;
-    get_interface_address( $interface ) . ' ';
+
+    my $addr;
+
+    if ( $addrtype eq '&' ) {
+	$addr = get_interface_address( $interface );
+    } else {
+	$addr = get_interface_gateway( $interface, $protect );
+    }
+
+    $addr . ' ';
+   
 }
 
 #
@@ -4353,12 +4447,19 @@ sub record_runtime_address( $ ) {
 sub conditional_rule( $$ ) {
     my ( $chainref, $address ) = @_;
 
-    if ( $address =~ /^!?&(.+)$/ ) {
-	my $interface = $1;
+    if ( $address =~ /^!?([&%])(.+)$/ ) {
+	my ($type, $interface) = ($1, $2);
 	if ( my $ref = known_interface $interface ) {
 	    if ( $ref->{options}{optional} ) {
-		my $variable = get_interface_address( $interface );
-		add_commands( $chainref , "if [ $variable != " . NILIP . ' ]; then' );
+		my $variable;
+		if ( $type eq '&' ) {
+		    $variable = get_interface_address( $interface );
+		    add_commands( $chainref , "if [ $variable != " . NILIP . ' ]; then' );
+		} else {
+		    $variable = get_interface_gateway( $interface );
+		    add_commands( $chainref , qq(if [ -n "$variable" ]; then) );
+		}
+
 		incr_cmd_level $chainref;
 		return 1;
 	    }
@@ -4422,16 +4523,16 @@ sub match_source_net( $;$\$ ) {
     }
 
     if ( $net =~ s/^!// ) {
-	if ( $net =~ /^&(.+)/ ) {
-	    return '! -s ' . record_runtime_address $1;
+	if ( $net =~ /^([&%])(.+)/ ) {
+	    return '! -s ' . record_runtime_address $1, $2;
 	}
 
 	validate_net $net, 1;
 	return "! -s $net ";
     }
 
-    if ( $net =~ /^&(.+)/ ) {
-	return '-s ' . record_runtime_address $1;
+    if ( $net =~ /^([&%])(.+)/ ) {
+	return '-s ' . record_runtime_address $1, $2;
     }
 
     validate_net $net, 1;
@@ -4476,16 +4577,16 @@ sub imatch_source_net( $;$\$ ) {
     }
 
     if ( $net =~ s/^!// ) {
-	if ( $net =~ /^&(.+)/ ) {
-	    return  ( s => '! ' . record_runtime_address $1 );
+	if ( $net =~ /^([&%])(.+)/ ) {
+	    return  ( s => '! ' . record_runtime_address( $1, $2, 1 ) );
 	}
 
 	validate_net $net, 1;
 	return ( s => "! $net " );
     }
 
-    if ( $net =~ /^&(.+)/ ) {
-	return ( s =>  record_runtime_address $1 );
+    if ( $net =~ /^([&%])(.+)/ ) {
+	return ( s =>  record_runtime_address( $1, $2, 1 ) );
     }
 
     validate_net $net, 1;
@@ -4525,16 +4626,16 @@ sub match_dest_net( $ ) {
     }
 
     if ( $net =~ s/^!// ) {
-	if ( $net =~ /^&(.+)/ ) {
-	    return '! -d ' . record_runtime_address $1;
+	if ( $net =~ /^([&%])(.+)/ ) {
+	    return '! -d ' . record_runtime_address $1, $2;
 	}
 	
 	validate_net $net, 1;
 	return "! -d $net ";
     }
 
-    if ( $net =~ /^&(.+)/ ) {
-	return '-d ' . record_runtime_address $1;
+    if ( $net =~ /^([&%])(.+)/ ) {
+	return '-d ' . record_runtime_address $1, $2;
     }
 
     validate_net $net, 1;
@@ -4572,16 +4673,16 @@ sub imatch_dest_net( $ ) {
     }
 
     if ( $net =~ s/^!// ) {
-	if ( $net =~ /^&(.+)/ ) {
-	    return ( d => '! ' . record_runtime_address $1 );
+	if ( $net =~ /^([&%])(.+)/ ) {
+	    return ( d => '! ' . record_runtime_address( $1, $2, 1 ) );
 	}
 	
 	validate_net $net, 1;
 	return ( d => "! $net " );
     }
 
-    if ( $net =~ /^&(.+)/ ) {
-	return ( d => record_runtime_address $1 );
+    if ( $net =~ /^([&%])(.+)/ ) {
+	return ( d => record_runtime_address( $1, $2, 1 ) );
     }
 
     validate_net $net, 1;
@@ -4599,7 +4700,7 @@ sub match_orig_dest ( $ ) {
 
     if ( $net =~ s/^!// ) {
 	if ( $net =~ /^&(.+)/ ) {
-	    $net = record_runtime_address $1;
+	    $net = record_runtime_address '&', $1;
 	} else {
 	    validate_net $net, 1;
 	}
@@ -4607,7 +4708,7 @@ sub match_orig_dest ( $ ) {
 	have_capability( 'OLD_CONNTRACK_MATCH' ) ? "-m conntrack --ctorigdst ! $net " : "-m conntrack ! --ctorigdst $net ";
     } else {
 	if ( $net =~ /^&(.+)/ ) {
-	    $net = record_runtime_address $1;
+	    $net = record_runtime_address '&', $1;
 	} else {
 	    validate_net $net, 1;
 	}
@@ -5055,8 +5156,8 @@ sub interface_gateway( $ ) {
 #
 # Record that the ruleset requires the gateway address on the passed interface
 #
-sub get_interface_gateway ( $ ) {
-    my ( $logical ) = $_[0];
+sub get_interface_gateway ( $;$ ) {
+    my ( $logical, $protect ) = @_;
 
     my $interface = get_physical $logical;
     my $variable = interface_gateway( $interface );
@@ -5073,7 +5174,7 @@ sub get_interface_gateway ( $ ) {
 );
     }
 
-    "\$$variable";
+    $protect ? "\${$variable:-" . NILIP . '}' : "\$$variable";
 }
 
 #
@@ -5383,7 +5484,7 @@ sub expand_rule( $$$$$$$$$$;$ )
 	    } else {
 		$inets = $source;
 	    }
-	} elsif ( $source =~ /(?:\+|&|~|\..*\.)/ ) {
+	} elsif ( $source =~ /(?:\+|&|%|~|\..*\.)/ ) {
 	    $inets = $source;
 	} else {
 	    $iiface = $source;
@@ -5468,7 +5569,7 @@ sub expand_rule( $$$$$$$$$$;$ )
 	    if ( $dest =~ /^(.+?):(.+)$/ ) {
 		$diface = $1;
 		$dnets  = $2;
-	    } elsif ( $dest =~ /\+|&|~|\..*\./ ) {
+	    } elsif ( $dest =~ /\+|&|%|~|\..*\./ ) {
 		$dnets = $dest;
 	    } else {
 		$diface = $dest;

Shorewall/Perl/Shorewall/Config.pm

@@ -292,6 +292,8 @@ my  %capdesc = ( NAT_ENABLED     => 'NAT',
 		 STATISTIC_MATCH => 
 		                    'Statistics Match',
 		 IMQ_TARGET      => 'IMQ Target',
+		 DSCP_MATCH      => 'DSCP Match',
+		 DSCP_TARGET     => 'DSCP Target',
 		 CAPVERSION      => 'Capability Version',
 		 KERNELVERSION   => 'Kernel Version',
 	       );
@@ -389,8 +391,8 @@ my  $toolNAME;               # Tool name in CAPS
 our $product;                # Name of product that will run the generated script
 our $Product;                # $product with initial cap.
 
-my $sillyname;               # Name of temporary filter chains for testing capabilities
-my $sillyname1;
+our $sillyname;              # Name of temporary filter chains for testing capabilities
+our $sillyname1;
 my $iptables;                # Path to iptables/ip6tables
 my $tc;                      # Path to tc
 my $ip;                      # Path to ip
@@ -419,6 +421,11 @@ my %deprecated = ( LOGRATE            => '' ,
 		   HIGH_ROUTE_MARKS   => 'no'
 		 );
 #
+# Deprecated options that are eliminated via update
+#
+my %converted = ( WIDE_TC_MARKS => 1,
+		  HIGH_ROUTE_MARKS => 1 );
+#
 # Rather than initializing globals in an INIT block or during declaration,
 # we initialize them in a function. This is done for two reasons:
 #
@@ -692,6 +699,8 @@ sub initialize( $ ) {
 	       CT_TARGET => undef,
 	       STATISTIC_MATCH => undef,
 	       IMQ_TARGET => undef,
+	       DSCP_MATCH => undef,
+	       DSCP_TARGET => undef,
 	       CAPVERSION => undef,
 	       KERNELVERSION => undef,
 	       );
@@ -2778,7 +2787,15 @@ sub Statistic_Match() {
 }
 
 sub Imq_Target() {
-    qt1( "$iptables -t mangle -A $sillyname -j IMQ --todev 0" );
+    have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -j IMQ --todev 0" );
+}
+
+sub Dscp_Match() {
+    have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -m dscp --dscp 0" );
+}
+
+sub Dscp_Target() {
+    have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -j DSCP --set-dscp 0" );
 }
 
 our %detect_capability =
@@ -2794,6 +2811,8 @@ our %detect_capability =
       CONNMARK_MATCH => \&Connmark_Match,
       CONNTRACK_MATCH => \&Conntrack_Match,
       CT_TARGET => \&Ct_Target,
+      DSCP_MATCH => \&Dscp_Match,
+      DSCP_TARGET => \&Dscp_Target,
       ENHANCED_REJECT => \&Enhanced_Reject,
       EXMARK => \&Exmark,
       FLOW_FILTER => \&Flow_Filter,
@@ -2941,11 +2960,6 @@ sub determine_capabilities() {
 	$capabilities{IPMARK_TARGET}   = detect_capability( 'IPMARK_TARGET' );
 	$capabilities{TPROXY_TARGET}   = detect_capability( 'TPROXY_TARGET' );
 
-	if ( $capabilities{MANGLE_ENABLED} ) {
-	    qt1( "$iptables -t mangle -F $sillyname" );
-	    qt1( "$iptables -t mangle -X $sillyname" );
-	}
-
 	$capabilities{MANGLE_FORWARD}  = detect_capability( 'MANGLE_FORWARD' );
 	$capabilities{RAW_TABLE}       = detect_capability( 'RAW_TABLE' );
 	$capabilities{RAWPOST_TABLE}   = detect_capability( 'RAWPOST_TABLE' );
@@ -2975,6 +2989,8 @@ sub determine_capabilities() {
 	$capabilities{CT_TARGET}       = detect_capability( 'CT_TARGET' );
 	$capabilities{STATISTIC_MATCH} = detect_capability( 'STATISTIC_MATCH' );
 	$capabilities{IMQ_TARGET}      = detect_capability( 'IMQ_TARGET' );
+	$capabilities{DSCP_MATCH}      = detect_capability( 'DSCP_MATCH' );
+	$capabilities{DSCP_TARGET}     = detect_capability( 'DSCP_TARGET' );
 
 
 	qt1( "$iptables -F $sillyname" );
@@ -2982,6 +2998,16 @@ sub determine_capabilities() {
 	qt1( "$iptables -F $sillyname1" );
 	qt1( "$iptables -X $sillyname1" );
 
+	if ( $capabilities{MANGLE_ENABLED} ) {
+	    qt1( "$iptables -t mangle -F $sillyname" );
+	    qt1( "$iptables -t mangle -X $sillyname" );
+	}
+
+	if ( $capabilities{NAT_ENABLED} ) {
+	    qt1( "$iptables -t nat -F $sillyname" );
+	    qt1( "$iptables -t nat -X $sillyname" );
+	}
+
 	$sillyname = $sillyname1 = undef;
     }
 }
@@ -3145,7 +3171,7 @@ sub update_config_file( $ ) {
 
 	my $heading_printed;
 
-	for ( keys %deprecated ) {
+	for ( grep ! $converted{$_} , keys %deprecated ) {
 	    if ( supplied( my $val = $config{$_} ) ) {
 		if ( lc $val ne $deprecated{$_} ) {
 		    unless ( $heading_printed ) {
@@ -3181,7 +3207,7 @@ EOF
 		progress_message3 "No update required to configuration file $configfile; $configfile.bak not saved";
 	    } else {
 		warning_message "Unable to unlink $configfile.bak";
-		progress_message3 "No update required to configuration file $configfile; $configfile.b";
+		progress_message3 "No update required to configuration file $configfile";
 	    }
 
 	    exit 0 unless -f find_file 'blacklist';

Shorewall/Perl/Shorewall/Misc.pm

@@ -216,8 +216,8 @@ sub setup_blacklist() {
     # for 'refresh' to work properly.
     #
     if ( @$zones || @$zones1 ) {
-	$chainref  = dont_delete new_standard_chain 'blacklst' if @$zones;
-	$chainref1 = dont_delete new_standard_chain 'blackout' if @$zones1;
+	$chainref  = set_optflags( new_standard_chain( 'blacklst' ), DONT_OPTIMIZE | DONT_DELETE ) if @$zones;
+	$chainref1 = set_optflags( new_standard_chain( 'blackout' ), DONT_OPTIMIZE | DONT_DELETE ) if @$zones1;
 
 	if ( supplied $level ) {
 	    $target = ensure_blacklog_chain ( $target, $disposition, $level, $audit );
@@ -695,9 +695,9 @@ sub add_common_rules ( $ ) {
     my $rejectref = $filter_table->{reject};
 
     if ( $config{DYNAMIC_BLACKLIST} ) {
-	add_rule_pair dont_delete( new_standard_chain( 'logdrop' ) ),   '' , 'DROP'   , $level ;
-	add_rule_pair dont_delete( new_standard_chain( 'logreject' ) ), '' , 'reject' , $level ;
-	$dynamicref = dont_optimize( new_standard_chain( 'dynamic' ) );
+	add_rule_pair( set_optflags( new_standard_chain( 'logdrop' )  , DONT_OPTIMIZE | DONT_DELETE ), '' , 'DROP'   , $level );
+	add_rule_pair( set_optflags( new_standard_chain( 'logreject' ), DONT_OPTIMIZE | DONT_DELETE ), '' , 'reject' , $level );
+	$dynamicref =  set_optflags( new_standard_chain( 'dynamic' ) ,  DONT_OPTIMIZE );
 	add_commands( $dynamicref, '[ -f ${VARDIR}/.dynamic ] && cat ${VARDIR}/.dynamic >&3' );
     }
 
@@ -994,7 +994,7 @@ sub add_common_rules ( $ ) {
 	if ( @$list ) {
 	    progress_message2 "$doing UPnP";
 
-	    $chainref = dont_optimize new_nat_chain( 'UPnP' );
+	    $chainref = set_optflags( new_nat_chain( 'UPnP' ), DONT_OPTIMIZE );
 
 	    add_commands( $chainref, '[ -s /${VARDIR}/.UPnP ] && cat ${VARDIR}/.UPnP >&3' );
 
@@ -1013,9 +1013,10 @@ sub add_common_rules ( $ ) {
 	    for $interface ( @$list ) {
 		my $chainref = $filter_table->{input_option_chain $interface};
 		my $base     = uc chain_base get_physical $interface;
-		my $variable = get_interface_gateway $interface;
+		my $optional = interface_is_optional( $interface );
+		my $variable = get_interface_gateway( $interface, ! $optional );
 
-		if ( interface_is_optional $interface ) {
+		if ( $optional ) {
 		    add_commands( $chainref,
 				  qq(if [ -n "SW_\$${base}_IS_USABLE" -a -n "$variable" ]; then) );
 		    incr_cmd_level( $chainref );

Shorewall/Perl/Shorewall/Nat.pm

@@ -54,8 +54,8 @@ sub initialize() {
 #
 sub process_one_masq( )
 {
-    my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user ) = 
-	split_line1 'masq file', { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7 };
+    my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition ) = 
+	split_line1 'masq file', { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8 };
 
     if ( $interfacelist eq 'COMMENT' ) {
 	process_comment;
@@ -88,7 +88,7 @@ sub process_one_masq( )
 	$interfacelist = $1;
     } elsif ( $interfacelist =~ /^([^:]+):([^:]*)$/ ) {
 	my ( $one, $two ) = ( $1, $2 );
-	if ( $2 =~ /\./ ) {
+	if ( $2 =~ /\./ || $2 =~ /^%/ ) {
 	    $interfacelist = $one;
 	    $destnets = $two;
 	}
@@ -117,9 +117,9 @@ sub process_one_masq( )
     }
 
     #
-    # Handle Protocol and Ports
+    # Handle Protocol, Ports and Condition
     #
-    $baserule .= do_proto $proto, $ports, '';
+    $baserule .= do_proto( $proto, $ports, '' ) . do_condition( $condition );
     #
     # Handle Mark
     #
@@ -195,7 +195,7 @@ sub process_one_masq( )
 			    if ( $conditional = conditional_rule( $chainref, $addr ) ) {
 				$addrlist .= '--to-source ' . get_interface_address $1;
 			    } else {
-				$addrlist .= '--to-source ' . record_runtime_address $1;
+				$addrlist .= '--to-source ' . record_runtime_address( '&', $1 );
 			    }
 			} elsif ( $addr =~ /^.*\..*\..*\./ ) {
 			    $target = 'SNAT ';

Shorewall/Perl/Shorewall/Providers.pm

@@ -160,9 +160,7 @@ sub setup_route_marking() {
 
 	    my $chainref2 = new_chain( 'mangle', load_chain( $physical ) );
 
-	    dont_optimize $chainref2;
-	    dont_move     $chainref2;
-	    dont_delete   $chainref2;
+	    set_optflags( $chainref2, DONT_OPTIMIZE | DONT_MOVE | DONT_DELETE );
 	
   	    add_ijump ( $chainref1,
 			j => $chainref2 ,
@@ -918,7 +916,7 @@ sub add_an_rtrule( ) {
     if ( $source eq '-' ) {
 	$source = 'from ' . ALLIP;
     } elsif ( $source =~ s/^&// ) {
-	$source = 'from ' . record_runtime_address $source;
+	$source = 'from ' . record_runtime_address '&', $source;
     } elsif ( $family == F_IPV4 ) {
 	if ( $source =~ /:/ ) {
 	    ( my $interface, $source , my $remainder ) = split( /:/, $source, 3 );

Shorewall/Perl/Shorewall/Rules.pm

@@ -963,7 +963,7 @@ sub createlogactionchain( $$$$$ ) {
 
     unless ( $targets{$action} & BUILTIN ) {
 
-	dont_optimize $chainref;
+	set_optflags( $chainref, DONT_OPTIMIZE );
 
 	my $file = find_file $chain;
 
@@ -997,7 +997,7 @@ sub createsimpleactionchain( $ ) {
 
     unless ( $targets{$action} & BUILTIN ) {
 
-	dont_optimize $chainref;
+	set_optflags( $chainref, DONT_OPTIMIZE );
 
 	my $file = find_file $action;
 
@@ -1306,7 +1306,7 @@ sub allowInvalid ( $$$$ ) {
 }
 
 sub forwardUPnP ( $$$$ ) {
-    my $chainref = dont_optimize 'forwardUPnP';
+    my $chainref = set_optflags( 'forwardUPnP', DONT_OPTIMIZE );
 
     add_commands( $chainref , '[ -f ${VARDIR}/.forwardUPnP ] && cat ${VARDIR}/.forwardUPnP >&3' );
 }
@@ -2238,7 +2238,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
 	    }
 	}
 
-	dont_move( dont_optimize( $nonat_chain ) ) if $tgt eq 'RETURN';
+	set_optflags( $nonat_chain, DONT_MOVE | DONT_OPTIMIZE ) if $tgt eq 'RETURN';
 
 	expand_rule( $nonat_chain ,
 		     PREROUTE_RESTRICT ,
@@ -2262,7 +2262,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
 	    $action = $usedactions{$normalized_target}{name};
 	    $loglevel = '';
 	} else {
-	    dont_move( dont_optimize ( $chainref ) ) if $action eq 'RETURN';
+	    set_optflags( $chainref , DONT_MOVE | DONT_OPTIMIZE ) if $action eq 'RETURN';
 	}
 
 	if ( $origdest ) {

Shorewall/Perl/Shorewall/Tc.pm

@@ -194,14 +194,14 @@ sub initialize( $ ) {
 }
 
 sub process_tc_rule( ) {
-    my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability );
+    my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp );
     if ( $family == F_IPV4 ) {
-	( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability ) =
-	    split_line1 'tcrules file', { mark => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, probability => 12 };
+	( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp ) =
+	    split_line1 'tcrules file', { mark => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, probability => 12 , dscp => 13 };
 	$headers = '-';
     } else {
-	( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability ) = 
-	    split_line1 'tcrules file', { mark => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 };
+	( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp ) = 
+	    split_line1 'tcrules file', { mark => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 , dscp => 14 };
     }
 
     our @tccmd;
@@ -239,6 +239,153 @@ sub process_tc_rule( ) {
     my $device   = '';
     my $fw       = firewall_zone;
     my $list;
+    my $restriction = 0;
+    my $cmd;
+    my $rest;
+
+    my %processtcc = ( sticky => sub() {
+			                  if ( $chain eq 'tcout' ) {
+					      $target = 'sticko';
+					  } else {
+					      fatal_error "SAME rules are only allowed in the PREROUTING and OUTPUT chains" if $chain ne 'tcpre';
+					  }
+
+					  $restriction = DESTIFACE_DISALLOW;
+
+					  ensure_mangle_chain($target);
+
+					  $sticky++;
+				      },
+		       IPMARK => sub() {
+			                  my ( $srcdst, $mask1, $mask2, $shift ) = ('src', 255, 0, 0 );
+
+					  require_capability 'IPMARK_TARGET', 'IPMARK', 's';
+
+					  if ( $cmd =~ /^IPMARK\((.+?)\)$/ ) {
+					      my $params = $1;
+					      my $val;
+
+					      my ( $sd, $m1, $m2, $s , $bad ) = split ',', $params;
+
+					      fatal_error "Invalid IPMARK parameters ($params)" if $bad;
+					      fatal_error "Invalid IPMARK parameter ($sd)" unless ( $sd eq 'src' || $sd eq 'dst' );
+					      $srcdst = $sd;
+
+					      if ( supplied $m1 ) {
+						  $val = numeric_value ($m1);
+						  fatal_error "Invalid Mask ($m1)" unless defined $val && $val && $val <= 0xffffffff;
+						  $mask1 = in_hex ( $val & 0xffffffff );
+					      }
+
+					      if ( supplied $m2 ) {
+						  $val = numeric_value ($m2);
+						  fatal_error "Invalid Mask ($m2)" unless defined $val && $val <= 0xffffffff;
+						  $mask2 = in_hex ( $val & 0xffffffff );
+					      }
+
+					      if ( defined $s ) {
+						  $val = numeric_value ($s);
+						  fatal_error "Invalid Shift Bits ($s)" unless defined $val && $val >= 0 && $val < 128;
+						  $shift = $s;
+					      }			    
+					  } else {
+					      fatal_error "Invalid MARK/CLASSIFY ($cmd)" unless $cmd eq 'IPMARK';
+					  }
+
+					  $target = "IPMARK --addr $srcdst --and-mask $mask1 --or-mask $mask2 --shift $shift";
+				      },
+		       TPROXY => sub() {
+			                  require_capability( 'TPROXY_TARGET', 'Use of TPROXY', 's');
+
+			                  fatal_error "Invalid TPROXY specification( $cmd/$rest )" if $rest;
+
+					  $chain = 'tcpre';
+
+					  $cmd =~ /TPROXY\((.+?)\)$/;
+
+					  my $params = $1;
+
+					  fatal_error "Invalid TPROXY specification( $cmd )" unless defined $params;
+
+					  ( $mark, my $port, my $ip, my $bad ) = split ',', $params;
+
+					  fatal_error "Invalid TPROXY specification( $cmd )" if defined $bad;
+
+					  if ( $port ) {
+					      $port = validate_port( 'tcp', $port );
+					  } else {
+					      $port = 0;
+					  }
+
+					  $target .= " --on-port $port";
+
+					  if ( supplied $ip ) {
+					      if ( $family == F_IPV6 ) {
+						  $ip = $1 if $ip =~ /^\[(.+)\]$/ || $ip =~ /^<(.+)>$/;
+					      }
+
+					      validate_address $ip, 1;
+					      $target .= " --on-ip $ip";
+					  }
+
+					  $target .= ' --tproxy-mark';
+				      },
+		       TTL => sub() {
+			                  fatal_error "TTL is not supported in IPv6 - use HL instead" if $family == F_IPV6;
+					  fatal_error "Invalid TTL specification( $cmd/$rest )" if $rest;
+					  fatal_error "Chain designator $designator not allowed with TTL" if $designator && ! ( $designator eq 'F' );
+
+					  $chain = 'tcfor';
+
+					  $cmd =~ /^TTL\(([-+]?\d+)\)$/;
+
+					  my $param =  $1;
+
+					  fatal_error "Invalid TTL specification( $cmd )" unless $param && ( $param = abs $param ) < 256;
+
+					  if ( $1 =~ /^\+/ ) {
+					      $target .= " --ttl-inc $param";
+					  } elsif ( $1 =~ /\-/ ) {
+					      $target .= " --ttl-dec $param";
+					  } else {
+					      $target .= " --ttl-set $param";
+					  }
+				      },
+		       HL => sub() {
+			                  fatal_error "HL is not supported in IPv4 - use TTL instead" if $family == F_IPV4;
+					  fatal_error "Invalid HL specification( $cmd/$rest )" if $rest;
+					  fatal_error "Chain designator $designator not allowed with HL" if $designator && ! ( $designator eq 'F' );
+
+					  $chain = 'tcfor';
+
+					  $cmd =~ /^HL\(([-+]?\d+)\)$/;
+
+					  my $param =  $1;
+
+					  fatal_error "Invalid HL specification( $cmd )" unless $param && ( $param = abs $param ) < 256;
+
+					  if ( $1 =~ /^\+/ ) {
+					      $target .= " --hl-inc $param";
+					  } elsif ( $1 =~ /\-/ ) {
+					      $target .= " --hl-dec $param";
+					  } else {
+					      $target .= " --hl-set $param";
+					  }
+				      },
+		       IMQ => sub() {
+			                  assert( $cmd =~ /^IMQ\((\d+)\)$/ );
+					  require_capability 'IMQ_TARGET', 'IMQ', 's';
+					  $target .= " --todev $1";
+				      },
+		       DSCP => sub() {
+			                  assert( $cmd =~ /^DSCP\((\w+)\)$/ );
+					  require_capability 'DSCP_TARGET', 'The DSCP action', 's'; 
+					  my $dscp = numeric_value( $1);
+					  $dscp = $dscpmap{$1} unless defined $dscp;
+					  fatal_error( "Invalid DSCP ($1)" ) unless defined $dscp && $dscp < 0x2f && ! ( $dscp & 1 );
+					  $target .= ' --set-dscp ' . in_hex( $dscp );
+				      }
+		     );
 
     if ( $source ) {
 	if ( $source eq $fw ) {
@@ -312,12 +459,10 @@ sub process_tc_rule( ) {
 	}
     }
 
-    my ($cmd, $rest) = split( '/', $mark, 2 );
+    ($cmd, $rest) = split( '/', $mark, 2 );
 
     $list = '';
 
-    my $restriction = 0;
-
     unless ( $classid ) {
       MARK:
 	{
@@ -336,134 +481,8 @@ sub process_tc_rule( ) {
 			$mark =~ s/^[|&]//;
 		    }
 
-		    if ( $target eq 'sticky' ) {
-			if ( $chain eq 'tcout' ) {
-			    $target = 'sticko';
-			} else {
-			    fatal_error "SAME rules are only allowed in the PREROUTING and OUTPUT chains" if $chain ne 'tcpre';
-			}
-
-			$restriction = DESTIFACE_DISALLOW;
-
-			ensure_mangle_chain($target);
-
-			$sticky++;
-		    } elsif ( $target eq 'IPMARK' ) {
-			my ( $srcdst, $mask1, $mask2, $shift ) = ('src', 255, 0, 0 );
-
-			require_capability 'IPMARK_TARGET', 'IPMARK', 's';
-
-			if ( $cmd =~ /^IPMARK\((.+?)\)$/ ) {
-			    my $params = $1;
-			    my $val;
-
-			    my ( $sd, $m1, $m2, $s , $bad ) = split ',', $params;
-
-			    fatal_error "Invalid IPMARK parameters ($params)" if $bad;
-			    fatal_error "Invalid IPMARK parameter ($sd)" unless ( $sd eq 'src' || $sd eq 'dst' );
-			    $srcdst = $sd;
-
-			    if ( supplied $m1 ) {
-				$val = numeric_value ($m1);
-				fatal_error "Invalid Mask ($m1)" unless defined $val && $val && $val <= 0xffffffff;
-				$mask1 = in_hex ( $val & 0xffffffff );
-			    }
-
-			    if ( supplied $m2 ) {
-				$val = numeric_value ($m2);
-				fatal_error "Invalid Mask ($m2)" unless defined $val && $val <= 0xffffffff;
-				$mask2 = in_hex ( $val & 0xffffffff );
-			    }
-
-			    if ( defined $s ) {
-				$val = numeric_value ($s);
-				fatal_error "Invalid Shift Bits ($s)" unless defined $val && $val >= 0 && $val < 128;
-				$shift = $s;
-			    }			    
-			} else {
-			    fatal_error "Invalid MARK/CLASSIFY ($cmd)" unless $cmd eq 'IPMARK';
-			}
-
-			$target = "IPMARK --addr $srcdst --and-mask $mask1 --or-mask $mask2 --shift $shift";
-		    } elsif ( $target eq 'TPROXY' ) {
-			require_capability( 'TPROXY_TARGET', 'Use of TPROXY', 's');
-
-			fatal_error "Invalid TPROXY specification( $cmd/$rest )" if $rest;
-
-			$chain = 'tcpre';
-
-			$cmd =~ /TPROXY\((.+?)\)$/;
-
-			my $params = $1;
-
-			fatal_error "Invalid TPROXY specification( $cmd )" unless defined $params;
-
-			( $mark, my $port, my $ip, my $bad ) = split ',', $params;
-
-			fatal_error "Invalid TPROXY specification( $cmd )" if defined $bad;
-
-			if ( $port ) {
-			    $port = validate_port( 'tcp', $port );
-			} else {
-			    $port = 0;
-			}
-
-			$target .= " --on-port $port";
-
-			if ( supplied $ip ) {
-			    if ( $family == F_IPV6 ) {
-				$ip = $1 if $ip =~ /^\[(.+)\]$/ || $ip =~ /^<(.+)>$/;
-			    }
-
-			    validate_address $ip, 1;
-			    $target .= " --on-ip $ip";
-			}
-
-			$target .= ' --tproxy-mark';
-		    } elsif ( $target eq 'TTL' ) {
-			fatal_error "TTL is not supported in IPv6 - use HL instead" if $family == F_IPV6;
-			fatal_error "Invalid TTL specification( $cmd/$rest )" if $rest;
-			fatal_error "Chain designator $designator not allowed with TTL" if $designator && ! ( $designator eq 'F' );
-
-			$chain = 'tcfor';
-
-			$cmd =~ /^TTL\(([-+]?\d+)\)$/;
-
-			my $param =  $1;
-
-			fatal_error "Invalid TTL specification( $cmd )" unless $param && ( $param = abs $param ) < 256;
-
-			if ( $1 =~ /^\+/ ) {
-			    $target .= " --ttl-inc $param";
-			} elsif ( $1 =~ /\-/ ) {
-			    $target .= " --ttl-dec $param";
-			} else {
-			    $target .= " --ttl-set $param";
-			}
-		    } elsif ( $target eq 'HL' ) {
-			fatal_error "HL is not supported in IPv4 - use TTL instead" if $family == F_IPV4;
-			fatal_error "Invalid HL specification( $cmd/$rest )" if $rest;
-			fatal_error "Chain designator $designator not allowed with HL" if $designator && ! ( $designator eq 'F' );
-
-			$chain = 'tcfor';
-
-			$cmd =~ /^HL\(([-+]?\d+)\)$/;
-
-			my $param =  $1;
-
-			fatal_error "Invalid HL specification( $cmd )" unless $param && ( $param = abs $param ) < 256;
-
-			if ( $1 =~ /^\+/ ) {
-			    $target .= " --hl-inc $param";
-			} elsif ( $1 =~ /\-/ ) {
-			    $target .= " --hl-dec $param";
-			} else {
-			    $target .= " --hl-set $param";
-			}
-		    } elsif ( $target eq 'IMQ' ) {
-			assert( $cmd =~ /^IMQ\((\d+)\)$/ );
-			require_capability 'IMQ_TARGET', 'IMQ', 's';
-			$target .= " --todev $1";
+		    if ( my $f = $processtcc{$target} ) {
+			$f->();
 		    }
 
 		    if ( $rest ) {
@@ -510,7 +529,8 @@ sub process_tc_rule( ) {
 				     do_connbytes( $connbytes ) .
 				     do_helper( $helper ) .
 				     do_headers( $headers ) .
-				     do_probability( $probability ) ,
+				     do_probability( $probability ) .
+				     do_dscp( $dscp ),
 				     $source ,
 				     $dest ,
 				     '' ,
@@ -855,7 +875,7 @@ sub validate_tc_device( ) {
 			    pfifo         => $pfifo,
 			    tablenumber   => 1 ,
 			    redirected    => \@redirected,
-			    default       => 0,
+			    default       => undef,
 			    nextclass     => 2,
 			    qdisc         => $qdisc,
 			    guarantee     => 0,
@@ -998,6 +1018,7 @@ sub validate_tc_class( ) {
 	}
     } else {
 	fatal_error "Duplicate Class NUMBER ($classnumber)" if $tcref->{$classnumber};
+	$markval = '-';
     }
 
     if ( $parentclass != 1 ) {
@@ -1114,8 +1135,10 @@ sub validate_tc_class( ) {
     }
 
     unless ( $devref->{classify} || $occurs > 1 ) {
-	fatal_error "Missing MARK" if $mark eq '-';
-	warning_message "Class NUMBER ignored -- INTERFACE $device does not have the 'classify' option"	if $devclass =~ /:/;
+	if ( $mark ne '-' ) {
+	    fatal_error "Missing MARK" if $mark eq '-';
+	    warning_message "Class NUMBER ignored -- INTERFACE $device does not have the 'classify' option"	if $devclass =~ /:/;
+	}
     }
 
     $tcref->{flow}  = $devref->{flow}  unless $tcref->{flow};
@@ -1596,7 +1619,7 @@ sub process_traffic_shaping() {
 	my $devnum  = in_hexp $devref->{number};
 	my $r2q     = int calculate_r2q $devref->{out_bandwidth};
 
-	fatal_error "No default class defined for device $devname" unless $devref->{default};
+	fatal_error "No default class defined for device $devname" unless defined $devref->{default};
 
 	my $device = physical_name $devname;
 
@@ -1708,7 +1731,7 @@ sub process_traffic_shaping() {
 		#
 		# add filters
 		#
-		unless ( $devref->{classify} ) {
+		unless ( $mark eq '-' ) {
 		    emit "run_tc filter add dev $device protocol all parent $devicenumber:0 prio " . ( $priority | 20 ) . " handle $mark fw classid $classid" if $tcref->{occurs} == 1;
 		}
 
@@ -1988,6 +2011,12 @@ sub setup_tc() {
 			  mask      => '',
 			  connmark  => 0
 			},
+			{ match     => sub( $ ) { $_[0] =~ /^DSCP\(\w+\)$/ },
+			  target    => 'DSCP',
+			  mark      => NOMARK,
+			  mask      => '',
+			  connmark  => 0
+			},
 		      );
 
 	if ( my $fn = open_file 'tcrules' ) {

Shorewall/Perl/Shorewall/Zones.pm

@@ -227,6 +227,25 @@ my %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 );
 
 my %validhostoptions;
 
+my %validzoneoptions = ( mss          => NUMERIC,
+			 nomark       => NOTHING,
+			 blacklist    => NOTHING,
+			 strict       => NOTHING,
+			 next         => NOTHING,
+			 reqid        => NUMERIC,
+			 spi          => NUMERIC,
+			 proto        => IPSECPROTO,
+			 mode         => IPSECMODE,
+			 "tunnel-src" => NETWORK,
+			 "tunnel-dst" => NETWORK,
+		       );
+
+use constant { UNRESTRICTED => 1, NOFW => 2 , COMPLEX => 8, IN_OUT_ONLY => 16 };
+#
+# Hash of options that have their own key in the returned hash.
+#
+my %zonekey = ( mss => UNRESTRICTED | COMPLEX , blacklist => NOFW, nomark => NOFW | IN_OUT_ONLY );
+
 #
 # Rather than initializing globals in an INIT block or during declaration,
 # we initialize them in a function. This is done for two reasons:
@@ -329,25 +348,6 @@ sub initialize( $$ ) {
 #
 sub parse_zone_option_list($$\$$)
 {
-    my %validoptions = ( mss          => NUMERIC,
-			 nomark       => NOTHING,
-			 blacklist    => NOTHING,
-			 strict       => NOTHING,
-			 next         => NOTHING,
-			 reqid        => NUMERIC,
-			 spi          => NUMERIC,
-			 proto        => IPSECPROTO,
-			 mode         => IPSECMODE,
-			 "tunnel-src" => NETWORK,
-			 "tunnel-dst" => NETWORK,
-		       );
-
-    use constant { UNRESTRICTED => 1, NOFW => 2 , COMPLEX => 8, IN_OUT_ONLY => 16 };
-    #
-    # Hash of options that have their own key in the returned hash.
-    #
-    my %key = ( mss => UNRESTRICTED | COMPLEX , blacklist => NOFW, nomark => NOFW | IN_OUT_ONLY );
-
     my ( $list, $zonetype, $complexref, $column ) = @_;
     my %h;
     my $options = '';
@@ -367,7 +367,7 @@ sub parse_zone_option_list($$\$$)
 		$e   = $1;
 	    }
 
-	    $fmt = $validoptions{$e};
+	    $fmt = $validzoneoptions{$e};
 
 	    fatal_error "Invalid Option ($e)" unless $fmt;
 
@@ -378,7 +378,7 @@ sub parse_zone_option_list($$\$$)
 		fatal_error "Invalid value ($val) for option \"$e\"" unless $val =~ /^($fmt)$/;
 	    }
 
-	    my $key = $key{$e};
+	    my $key = $zonekey{$e};
 
 	    if ( $key ) {
 		fatal_error "Option '$e' not permitted with this zone type " if $key & NOFW && ($zonetype & ( FIREWALL | VSERVER) );
@@ -403,7 +403,7 @@ sub parse_zone_option_list($$\$$)
 #
 # Set the super option on the passed zoneref and propagate to its parents
 #
-sub set_super( $ );
+sub set_super( $ ); #required for recursion
 
 sub set_super( $ ) {
     my $zoneref = shift;
@@ -769,13 +769,13 @@ sub add_group_to_zone($$$$$)
 
     my $gtype = $type & IPSEC ? 'ipsec' : 'ip';
 
-    $hostsref     = ( $zoneref->{hosts}           || ( $zoneref->{hosts} = {} ) );
-    $typeref      = ( $hostsref->{$gtype}         || ( $hostsref->{$gtype} = {} ) );
-    $interfaceref = ( $typeref->{$interface}      || ( $typeref->{$interface} = [] ) );
+    $hostsref     = ( $zoneref->{hosts}      ||= {} );
+    $typeref      = ( $hostsref->{$gtype}    ||= {} );
+    $interfaceref = ( $typeref->{$interface} ||= [] );
 
     fatal_error "Duplicate Host Group ($interface:" . ALLIP . ") in zone $zone" if $allip && @$interfaceref;
 
-    $zoneref->{options}{complex} = 1 if @$interfaceref || ( @newnetworks > 1 ) || ( @exclusions ) || $options->{routeback};
+    $zoneref->{options}{complex} = 1 if @$interfaceref || @newnetworks > 1 || @exclusions || $options->{routeback};
 
     push @{$interfaceref}, { options => $options,
 			     hosts   => \@newnetworks,
@@ -912,10 +912,27 @@ sub process_interface( $$ ) {
     my ( $nextinum, $export ) = @_;
     my $netsref   = '';
     my $filterref = [];
-    my ($zone, $originalinterface, $bcasts, $options ) = split_line 'interfaces file', { zone => 0, interface => 1, broadcast => 2, options => 3 };
+    my ($zone, $originalinterface, $bcasts, $options );
     my $zoneref;
     my $bridge = '';
+    our $format;
 
+    if ( $format == 1 ) {
+	($zone, $originalinterface, $bcasts, $options ) = split_line1 'interfaces file', { zone => 0, interface => 1, broadcast => 2, options => 3 }, { COMMENT => 0, FORMAT => 2 };
+    } else {
+	($zone, $originalinterface, $options ) = split_line1 'interfaces file', { zone => 0, interface => 1, options => 2 }, { COMMENT => 0, FORMAT => 2 };
+	$bcasts = '-';
+    }
+
+    if ( $zone eq 'FORMAT' ) {
+	if ( $originalinterface =~ /^([12])$/ ) {
+	    $format = $1;
+	    return;
+	}
+
+	fatal_error "Invalid FORMAT ($1)";
+    }
+	
     if ( $zone eq '-' ) {
 	$zone = '';
     } else {
@@ -1185,7 +1202,8 @@ sub process_interface( $$ ) {
 # Parse the interfaces file.
 #
 sub validate_interfaces_file( $ ) {
-    my $export = shift;
+    my  $export = shift;
+    our $format = 1;
     
     my @ifaces;
     my $nextinum = 1;
@@ -1915,7 +1933,6 @@ sub validate_hosts_file()
     $have_ipsec = $ipsec || haveipseczones;
 
     $_->{options}{complex} ||= ( keys %{$_->{interfaces}} > 1 ) for values %zones;
-
 }
 
 #

Shorewall/action.Invalid

@@ -49,7 +49,7 @@ my $target           = require_audit ( $action , $audit );
 log_rule_limit $level, $chainref, 'Invalid' , $action, '', $tag, 'add', "$globals{STATEMATCH} INVALID " if $level ne '';
 add_jump $chainref , $target, 0, "$globals{STATEMATCH} INVALID ";
 
-$chainref->{dont_optimize} = 0;
+allow_optimize( $chainref );
 
 1;
 

Shorewall/action.NotSyn

@@ -49,7 +49,7 @@ my $target           = require_audit ( $action , $audit );
 log_rule_limit $level, $chainref, 'NotSyn' , $action, '', $tag, 'add', '-p 6 ! --syn ' if $level ne '';
 add_jump $chainref , $target, 0, '-p 6 ! --syn ';
 
-$chainref->{dont_optimize} = 0;
+allow_optimize( $chainref );
 
 1;
 

Shorewall/configfiles/interfaces

@@ -7,4 +7,8 @@
 # http://www.shorewall.net/manpages/shorewall-interfaces.html
 #
 ###############################################################################
+FORMAT 1
 #ZONE	INTERFACE	BROADCAST	OPTIONS
+
+FORMAT 2
+#ZONE		INTERFACE		OPTIONS

Shorewall/configfiles/masq

@@ -6,6 +6,6 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-masq.html
 #
-#############################################################################################
-#INTERFACE:DEST		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/
+######################################################################################################
+#INTERFACE:DEST		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/	SWITCH
 #											GROUP

Shorewall/configfiles/tcrules

@@ -9,7 +9,7 @@
 #
 # See http://shorewall.net/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
-######################################################################################################################################
-#MARK	SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS   CONNBYTES		HELPER    PROBABILITY
+##########################################################################################################################################
+#MARK	SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS   CONNBYTES		HELPER    PROBABILITY DSCP
 #						PORT(S)	PORT(S)
 

Shorewall/init.sh

@@ -78,13 +78,13 @@ shift
 
 case "$command" in
     start)
-	exec /sbin/shorewall $OPTIONS start $STARTOPTIONS $@
+	exec /sbin/shorewall $OPTIONS start $STARTOPTIONS
 	;;
     restart|reload)
-	exec /sbin/shorewall $OPTIONS restart $RESTARTOPTIONS $@
+	exec /sbin/shorewall $OPTIONS restart $RESTARTOPTIONS
 	;;
     status|stop)
-	exec /sbin/shorewall $OPTIONS $command $@
+	exec /sbin/shorewall $OPTIONS $command
 	;;
     *)
 	usage

Shorewall/install.sh

@@ -92,6 +92,11 @@ install_file() # $1 = source $2 = target $3 = mode
 
 cd "$(dirname $0)"
 
+#
+# Load packager's settings if any
+#
+[ -f ../shorewall-pkg.config ] && . ../shorewall-pkg.config
+
 if [ -f shorewall ]; then
     PRODUCT=shorewall
     Product=Shorewall
@@ -105,26 +110,15 @@ fi
 #
 # Parse the run line
 #
-# DEST is the SysVInit script directory
-# INIT is the name of the script in the $DEST directory
 #
 T="-T"
 
-if [ -z "$DEST" ] ; then
-	DEST="/etc/init.d"
-fi
-
-if [ -z "$INIT" ] ; then
-	INIT="$PRODUCT"
-fi
-
 ANNOTATED=
-CYGWIN=
-MAC=
-MACHOST=
 MANDIR=${MANDIR:-"/usr/share/man"}
 SPARSE=
 INSTALLD='-D'
+INITFILE="$PRODUCT"
+
 [ -n "${LIBEXEC:=/usr/share}" ]
 [ -n "${PERLLIB:=/usr/share/shorewall}" ]
 
@@ -132,7 +126,8 @@ case "$LIBEXEC" in
     /*)
 	;;
     *)
-	LIBEXEC=/usr/${LIBEXEC}
+	echo "The LIBEXEC setting must be an absolute path name" >&2
+	exit 1
 	;;
 esac
 
@@ -140,33 +135,45 @@ case "$PERLLIB" in
     /*)
 	;;
     *)
-	PERLLIB=/usr/${PERLLIB}
+	echo "The PERLLIB setting must be an absolute path name" >&2
+	exit 1
 	;;
 esac
 
-case $(uname) in
-    CYGWIN*)
-	if [ -z "$DESTDIR" ]; then
-	    DEST=
-	    INIT=
-	fi
+if [ -z "$BUILD" ]; then
+    case $(uname) in
+	cygwin*)
+	    BUILD=cygwin
+	    ;;
+	Darwin)
+	    BUILD=apple
+	    ;;
+	*)
+	    if [ -f /etc/debian_version ]; then
+		BUILD=debian
+	    elif [ -f /etc/redhat-release ]; then
+		BUILD=redhat
+	    elif [ -f /etc/slackware-version ] ; then
+		BUILD=slackware
+	    elif [ -f /etc/SuSE-release ]; then
+		BUILD=suse
+	    elif [ -f /etc/arch-release ] ; then
+		BUILD=archlinux
+	    else
+		BUILD=linux
+	    fi
+	    ;;
+    esac
+fi
 
+case $BUILD in
+    cygwin*)
 	OWNER=$(id -un)
 	GROUP=$(id -gn)
-	CYGWIN=Yes
-	SPARSE=Yes
 	;;
-    Darwin)
-	if [ -z "$DESTDIR" ]; then
-	    DEST=
-	    INIT=
-	    SPARSE=Yes
-	fi
-
+    apple)
 	[ -z "$OWNER" ] && OWNER=root
 	[ -z "$GROUP" ] && GROUP=wheel
-	MAC=Yes
-	MACHOST=Yes
 	INSTALLD=
 	T=
 	;;
@@ -229,8 +236,64 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 # Determine where to install the firewall script
 #
 
+if [ $PRODUCT = shorewall ]; then
+    #
+    # Verify that Perl is installed
+    #
+    if ! perl -c Perl/compiler.pl; then
+	echo "ERROR: $Product $VERSION requires Perl which either is not installed or is not able to compile the $Product perl code" >&2
+	echo "       Try perl -c $PWD/Perl/compiler.pl" >&2
+	exit 1
+    fi
+fi
+
+[ -n "$HOST" ] || HOST=$BUILD
+
+case "$HOST" in
+    cygwin)
+	echo "Installing Cygwin-specific configuration..."
+	INITFILE=
+	;;
+    apple)
+	echo "Installing Mac-specific configuration...";
+	INITFILE=
+	;;
+    debian)
+	echo "Installing Debian-specific configuration..."
+	SPARSE=yes
+	;;
+    redhat)
+	echo "Installing Redhat/Fedora-specific configuration..."
+	[ -n "$INITDIR" ]  || INITDIR="/etc/rc.d/init.d"
+	;;
+    suse)
+	echo "Installing SuSE-specific configuration...";
+	;;
+    slackware)
+	echo "Installing Slackware-specific configuration..."
+	[ -n "$INITDIR" ]  || INITDIR="/etc/rc.d"
+	[ -n "$MANDIR" ]   || MANDIR="/usr/man"
+	[ -n "$INITFILE" ] || INITFILE="rc.firewall"
+	;;
+    archlinux)
+	echo "Installing ArchLinux-specific configuration..."
+	[ -n "$INITDIR" ]  || INITDIR="/etc/rc.d"
+	[ -n "$INITFILE" ] || INITFILE="$PRODUCT"
+	;;
+    linux)
+	;;
+    *)
+	echo "ERROR: Unknown HOST \"$HOST\"" >&2
+	exit 1;
+	;;
+esac
+
+if [ -z "$INITDIR" -a -n "$INITFILE" ] ; then
+    INITDIR="/etc/init.d"
+fi
+
 if [ -n "$DESTDIR" ]; then
-    if [ -z "$CYGWIN" ]; then
+    if [ $BUILD != cygwin ]; then
 	if [ `id -u` != 0 ] ; then
 	    echo "Not setting file owner/group permissions, not running as root."
 	    OWNERSHIP=""
@@ -238,58 +301,20 @@ if [ -n "$DESTDIR" ]; then
     fi
 
     install -d $OWNERSHIP -m 755 ${DESTDIR}/sbin
-    install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
-
-    CYGWIN=
-    MAC=
-else
-    if [ $PRODUCT = shorewall ]; then
-        #
-        # Verify that Perl is installed
-        #
-	if ! perl -c Perl/compiler.pl; then
-	    echo "ERROR: $Product $VERSION requires Perl which either is not installed or is not able to compile the $Product perl code" >&2
-	    echo "       Try perl -c $PWD/Perl/compiler.pl" >&2
-	    exit 1
-	fi
-    else
-	[ -x /usr/share/shorewall/compiler.pl ] || \
-	    { echo "   ERROR: Shorewall >= 4.3.5 is not installed" >&2; exit 1; }
-    fi
-
-    if [ -n "$CYGWIN" ]; then
-	echo "Installing Cygwin-specific configuration..."
-    elif [ -n "$MAC" ]; then
-	echo "Installing Mac-specific configuration..."
-    else
-	if [ -f /etc/debian_version ]; then
-	    echo "Installing Debian-specific configuration..."
-	    DEBIAN=yes
-	    SPARSE=yes
-	elif [ -f /etc/redhat-release ]; then
-	    echo "Installing Redhat/Fedora-specific configuration..."
-	    FEDORA=yes
-	elif [ -f /etc/slackware-version ] ; then
-	    echo "Installing Slackware-specific configuration..."
-	    DEST="/etc/rc.d"
-	    MANDIR="/usr/man"
-	    SLACKWARE=yes
-	    INIT="rc.firewall"
-	elif [ -f /etc/arch-release ] ; then
-	    echo "Installing ArchLinux-specific configuration..."
-	    DEST="/etc/rc.d"
-	    INIT="$PRODUCT"
-	    ARCHLINUX=yes
-	fi
-    fi
+    install -d $OWNERSHIP -m 755 ${DESTDIR}${INITDIR}
+elif [ $PRODUCT != shorewall ]; then
+    [ -x ${LIBEXEC}/shorewall/compiler.pl ] || \
+	{ echo "   ERROR: Shorewall >= 4.5.0 is not installed" >&2; exit 1; }
 fi
 
 if [ -z "$DESTDIR" ]; then
     if [ -f /lib/systemd/system ]; then
 	SYSTEMD=Yes
+	INITFILE=
     fi
 elif [ -n "$SYSTEMD" ]; then
     mkdir -p ${DESTDIR}/lib/systemd/system
+    INITFILE=
 fi
 
 echo "Installing $Product Version $VERSION"
@@ -308,7 +333,7 @@ if [ -z "${DESTDIR}" -a $PRODUCT = shorewall -a ! -f /usr/share/$PRODUCT/corever
     exit 1
 fi
 
-if [ -z "$CYGWIN" ]; then
+if [ $HOST != cygwin ]; then
    install_file $PRODUCT ${DESTDIR}/sbin/$PRODUCT 0755
    echo "$PRODUCT control program installed in ${DESTDIR}/sbin/$PRODUCT"
 else
@@ -319,20 +344,27 @@ fi
 #
 # Install the Firewall Script
 #
-if [ -n "$DEBIAN" ]; then
-    install_file init.debian.sh ${DESTDIR}/etc/init.d/$PRODUCT 0544
-elif [ -n "$FEDORA" ]; then
-    install_file init.fedora.sh ${DESTDIR}/etc/init.d/$PRODUCT 0544
-elif [ -n "$ARCHLINUX" ]; then
-    install_file init.archlinux.sh ${DESTDIR}${DEST}/$INIT 0544
-elif [ -n "$SLACKWARE" -a $PRODUCT = shorewall ]; then
-	install_file init.slackware.firewall.sh ${DESTDIR}${DEST}/rc.firewall 0644
-	install_file init.slackware.$PRODUCT.sh ${DESTDIR}${DEST}/rc.$PRODUCT 0644
-elif [ -n "$INIT" ]; then
-    install_file init.sh ${DESTDIR}${DEST}/$INIT 0544
-fi
+if [ -n "$INITFILE" ]; then
+    case $HOST in
+	debian)
+	    install_file init.debian.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
+	    ;;
+	redhat)
+	    install_file init.fedora.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
+	    ;;
+	slackware)
+            if [ $PRODUCT = shorewall ]; then
+		install_file init.slackware.firewall.sh ${DESTDIR}${DEST}/rc.firewall 0644
+		install_file init.slackware.$PRODUCT.sh ${DESTDIR}${DEST}/rc.$PRODUCT 0644
+	    fi
+	    ;;
+	*)
+	    install_file init.sh ${DESTDIR}${INITDIR}/$INITFILE 0544
+	    ;;
+    esac
 
-[ -n "$INIT" ] && echo  "$Product script installed in ${DESTDIR}${DEST}/$INIT"
+    echo  "$Product script installed in ${DESTDIR}${INITDIR}/$INITFILE"
+fi
 
 #
 # Create /etc/$PRODUCT and /var/lib/$PRODUCT if needed
@@ -427,7 +459,7 @@ run_install $OWNERSHIP -m 0644 $PRODUCT.conf.annotated ${DESTDIR}/usr/share/$PRO
 if [ ! -f ${DESTDIR}/etc/$PRODUCT/$PRODUCT.conf ]; then
    run_install $OWNERSHIP -m 0644 $PRODUCT.conf${suffix} ${DESTDIR}/etc/$PRODUCT/$PRODUCT.conf
 
-   if [ -n "$DEBIAN" ] && mywhich perl; then
+   if [ $HOST = debian ] && mywhich perl; then
        #
        # Make a Debian-like $PRODUCT.conf
        #
@@ -438,7 +470,7 @@ if [ ! -f ${DESTDIR}/etc/$PRODUCT/$PRODUCT.conf ]; then
 fi
 
 
-if [ -n "$ARCHLINUX" ] ; then
+if [ $HOST = archlinux ] ; then
    sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${DESTDIR}/etc/$PRODUCT/$PRODUCT.conf
 fi
 
@@ -582,7 +614,7 @@ run_install $OWNERSHIP -m 0644 maclist.annotated ${DESTDIR}/usr/share/$PRODUCT/c
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/$PRODUCT/maclist ]; then
     run_install $OWNERSHIP -m 0600 maclist${suffix} ${DESTDIR}/etc/$PRODUCT/maclist
-    echo "MAC list file installed as ${DESTDIR}/etc/$PRODUCT/maclist"
+    echo "mac list file installed as ${DESTDIR}/etc/$PRODUCT/maclist"
 fi
 
 if [ -f masq ]; then
@@ -1048,7 +1080,7 @@ chmod 644 ${DESTDIR}/usr/share/$PRODUCT/version
 
 if [ -z "$DESTDIR" ]; then
     rm -f /usr/share/$PRODUCT/init
-    ln -s ${DEST}/${INIT} /usr/share/$PRODUCT/init
+    ln -s ${INITDIR}/${INITFILE} /usr/share/$PRODUCT/init
 fi
 
 #
@@ -1080,8 +1112,8 @@ if [ -d ${DESTDIR}/etc/logrotate.d ]; then
     echo "Logrotate file installed as ${DESTDIR}/etc/logrotate.d/$PRODUCT"
 fi
 
-if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${CYGWIN}${MAC}" ]; then
-    if [ -n "$DEBIAN" ]; then
+if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
+    if [ $HOST = debian ]; then
 	run_install $OWNERSHIP -m 0644 default.debian /etc/default/$PRODUCT
 
 	update-rc.d $PRODUCT defaults
@@ -1117,7 +1149,7 @@ if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${CYGWIN}${MAC}" ]; then
 	    else
 		cant_autostart
 	    fi
-	elif [ "$INIT" != rc.firewall ]; then #Slackware starts this automatically
+	elif [ "$INITFILE" != rc.f ]; then #Slackware starts this automatically
 	    cant_autostart
 	fi
     fi

Shorewall/manpages/shorewall-masq.xml

@@ -35,8 +35,8 @@
       <para>If you have more than one ISP link, adding entries to this file
       will <emphasis role="bold">not</emphasis> force connections to go out
       through a particular link. You must use entries in <ulink
-      url="shorewall-rtrules.html">shorewall-rtrules</ulink>(5) or
-      PREROUTING entries in <ulink
+      url="shorewall-rtrules.html">shorewall-rtrules</ulink>(5) or PREROUTING
+      entries in <ulink
       url="shorewall-tcrules.html">shorewall-tcrules</ulink>(5) to do
       that.</para>
     </warning>
@@ -88,7 +88,8 @@
           addresses to indicate that you only want to change the source IP
           address for packets being sent to those particular destinations.
           Exclusion is allowed (see <ulink
-          url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
+          url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)) as
+          are ipset names preceded by a plus sign '+';</para>
 
           <para>If you wish to inhibit the action of ADD_SNAT_ALIASES for this
           entry then include the ":" but omit the digit:</para>
@@ -149,6 +150,10 @@
 
           <para>In that example traffic from eth1 would be masqueraded unless
           it came from 192.168.1.4 or 196.168.32.0/27</para>
+
+          <para>The preferred way to specify the SOURCE is to supply one or
+          more host or network addresses separated by comma. You may use ipset
+          names preceded by a plus sign (+) to specify a set of hosts.</para>
         </listitem>
       </varlistentry>
 
@@ -467,6 +472,43 @@
           </variablelist>
         </listitem>
       </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">SWITCH -
+        [!]<replaceable>switch-name</replaceable></emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.1 and allows enabling and disabling the
+          rule without requiring <command>shorewall restart</command>.</para>
+
+          <para>The rule is enabled if the value stored in
+          <filename>/proc/net/nf_condition/<replaceable>switch-name</replaceable></filename>
+          is 1. The rule is disabled if that file contains 0 (the default). If
+          '!' is supplied, the test is inverted such that the rule is enabled
+          if the file contains 0. <replaceable>switch-name</replaceable> must
+          begin with a letter and be composed of letters, decimal digits,
+          underscores or hyphens. Switch names must be 30 characters or less
+          in length.</para>
+
+          <para>Switches are normally <emphasis role="bold">off</emphasis>. To
+          turn a switch <emphasis role="bold">on</emphasis>:</para>
+
+          <simplelist>
+            <member><command>echo 1 &gt;
+            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
+          </simplelist>
+
+          <para>To turn it <emphasis role="bold">off</emphasis> again:</para>
+
+          <simplelist>
+            <member><command>echo 0 &gt;
+            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
+          </simplelist>
+
+          <para>Switch settings are retained over <command>shorewall
+          restart</command>.</para>
+        </listitem>
+      </varlistentry>
     </variablelist>
   </refsect1>
 
@@ -548,6 +590,19 @@
           </warning>
         </listitem>
       </varlistentry>
+
+      <varlistentry>
+        <term>Example 6:</term>
+
+        <listitem>
+          <para>Connections leaving on eth0 and destined to any host defined
+          in the ipset <emphasis>myset</emphasis> should have the source IP
+          address changed to 206.124.146.177.</para>
+
+          <programlisting>        #INTERFACE              SOURCE          ADDRESS
+        eth0:+myset[dst]        -               206.124.146.177</programlisting>
+        </listitem>
+      </varlistentry>
     </variablelist>
   </refsect1>
 

Shorewall/manpages/shorewall-tcrules.xml

@@ -468,6 +468,41 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
               <replaceable>number</replaceable>. Requires IMQ Target support
               in your kernel and iptables.</para>
             </listitem>
+
+            <listitem>
+              <para><emphasis
+              role="bold">DSCP</emphasis>(<replaceable>dscp</replaceable>)</para>
+
+              <para>Added in Shorewall 4.5.1. Sets the
+              <firstterm>Differentiated Services Code Point</firstterm> field
+              in the IP header. The <replaceable>dscp</replaceable> value may
+              be given as an even number (hex or decimal) or as the name of a
+              DSCP class. Valid class names and their associated hex numeric
+              values are:</para>
+
+              <programlisting>    CS0  =&gt; 0x00
+    CS1  =&gt; 0x08
+    CS2  =&gt; 0x10
+    CS3  =&gt; 0x18
+    CS4  =&gt; 0x20
+    CS5  =&gt; 0x28
+    CS6  =&gt; 0x30
+    CS7  =&gt; 0x38
+    BE   =&gt; 0x00
+    AF11 =&gt; 0x0a
+    AF12 =&gt; 0x0c
+    AF13 =&gt; 0x0e
+    AF21 =&gt; 0x12
+    AF22 =&gt; 0x14
+    AF23 =&gt; 0x16
+    AF31 =&gt; 0x1a
+    AF32 =&gt; 0x1c
+    AF33 =&gt; 0x1e
+    AF41 =&gt; 0x22
+    AF42 =&gt; 0x24
+    AF43 =&gt; 0x26
+    EF   =&gt; 0x2e</programlisting>
+            </listitem>
           </orderedlist>
         </listitem>
       </varlistentry>
@@ -840,7 +875,7 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
 
       <varlistentry>
         <term><emphasis role="bold">PROBABILITY</emphasis> -
-        [probability]</term>
+        [<replaceable>probability</replaceable>]</term>
 
         <listitem>
           <para>Added in Shorewall 4.5.0. When non-empty, requires the
@@ -852,6 +887,44 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
           at up to 8 decimal points of precision.</para>
         </listitem>
       </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">DSCP -</emphasis>
+        [[!]<replaceable>dscp</replaceable>]</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.1. When non-empty, match packets whose
+          <firstterm>Differentiated Service Code Point</firstterm> field
+          matches the supplied value (when '!' is given, the rule matches
+          packets whose DSCP field does not match the supplied value). The
+          <replaceable>dscp</replaceable> value may be given as an even number
+          (hex or decimal) or as the name of a DSCP class. Valid class names
+          and their associated hex numeric values are:</para>
+
+          <programlisting>    CS0  =&gt; 0x00
+    CS1  =&gt; 0x08
+    CS2  =&gt; 0x10
+    CS3  =&gt; 0x18
+    CS4  =&gt; 0x20
+    CS5  =&gt; 0x28
+    CS6  =&gt; 0x30
+    CS7  =&gt; 0x38
+    BE   =&gt; 0x00
+    AF11 =&gt; 0x0a
+    AF12 =&gt; 0x0c
+    AF13 =&gt; 0x0e
+    AF21 =&gt; 0x12
+    AF22 =&gt; 0x14
+    AF23 =&gt; 0x16
+    AF31 =&gt; 0x1a
+    AF32 =&gt; 0x1c
+    AF33 =&gt; 0x1e
+    AF41 =&gt; 0x22
+    AF42 =&gt; 0x24
+    AF43 =&gt; 0x26
+    EF   =&gt; 0x2e</programlisting>
+        </listitem>
+      </varlistentry>
     </variablelist>
   </refsect1>
 

Shorewall/manpages/shorewall.xml

@@ -1243,7 +1243,7 @@
           directory is given, then Shorewall will look in that directory first
           when opening configuration files.</para>
 
-          <para>Begining with Shorewall 4.5.0, you may specify a different
+          <para>Beginning with Shorewall 4.5.0, you may specify a different
           <replaceable>timeout</replaceable> value using the
           <option>-t</option> option. The numeric
           <replaceable>timeout</replaceable> may optionally be followed by an
@@ -1265,7 +1265,7 @@
           Shorewall will look in that directory first when opening
           configuration files.</para>
 
-          <para>Begining with Shorewall 4.5.0, you may specify a different
+          <para>Beginning with Shorewall 4.5.0, you may specify a different
           <replaceable>timeout</replaceable> value using the
           <option>-t</option> option. The numeric
           <replaceable>timeout</replaceable> may optionally be followed by an
@@ -1600,7 +1600,7 @@
           role="bold">restore</emphasis> is performed after
           <replaceable>timeout</replaceable> seconds.</para>
 
-          <para>Begining with Shorewall 4.5.0, the numeric
+          <para>Beginning with Shorewall 4.5.0, the numeric
           <replaceable>timeout</replaceable> may optionally be followed by an
           <option>s</option>, <option>m</option> or <option>h</option> suffix
           (e.g., 5m) to specify seconds, minutes or hours respectively. If the

Shorewall/uninstall.sh

@@ -112,7 +112,7 @@ rm -rf /etc/shorewall
 rm -rf /etc/shorewall-*.bkout
 rm -rf /var/lib/shorewall
 rm -rf /var/lib/shorewall-*.bkout
-rm -rf $PERLLIB}/Shorewall/*
+rm -rf ${PERLLIB}/Shorewall/*
 rm -rf ${LIBEXEC}/shorewall
 rm -rf /usr/share/shorewall/configfiles/
 rm -rf /usr/share/shorewall/Samples/

Shorewall6-lite/init.sh

@@ -76,10 +76,10 @@ command="$1"
 
 case "$command" in
     start)
-	exec /sbin/shorewall6-lite $OPTIONS start $STARTOPTIONS $@
+	exec /sbin/shorewall6-lite $OPTIONS start $STARTOPTIONS
 	;;
     restart|reload)
-	exec /sbin/shorewall6-lite $OPTIONS restart $RESTARTOPTIONS $@
+	exec /sbin/shorewall6-lite $OPTIONS restart $RESTARTOPTIONS
 	;;
     status|stop)
 	exec /sbin/shorewall6-lite $OPTIONS $command $@

Shorewall6/configfiles/interfaces

@@ -7,4 +7,8 @@
 # http://www.shorewall.net/manpages6/shorewall6-interfaces.html
 #
 ###############################################################################
+FORMAT 1
 #ZONE	INTERFACE	ANYCAST		OPTIONS
+
+FORMAT 2
+#ZONE		INTERFACE		OPTIONS

Shorewall6/configfiles/tcrules

@@ -9,6 +9,6 @@
 #
 # See http://shorewall.net/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
-##############################################################################################################################################
-#MARK	SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS   CONNBYTES		HELPER	HEADERS    PROBABILITY
+###################################################################################################################################################
+#MARK	SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS   CONNBYTES		HELPER	HEADERS    PROBABILITY DSCP
 #						PORT(S)	PORT(S)

Shorewall6/init.sh

@@ -77,10 +77,10 @@ command="$1"
 
 case "$command" in
     start)
-	exec /sbin/shorewall6 $OPTIONS start $STARTOPTIONS $@
+	exec /sbin/shorewall6 $OPTIONS start $STARTOPTIONS
 	;;
     restart|reload)
-	exec /sbin/shorewall6 $OPTIONS restart $RESTARTOPTIONS $@
+	exec /sbin/shorewall6 $OPTIONS restart $RESTARTOPTIONS
 	;;
     status|stop)
 	exec /sbin/shorewall6 $OPTIONS $command $@

Shorewall6/manpages/shorewall6-tcrules.xml

@@ -365,6 +365,41 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
               <replaceable>number</replaceable>. Requires IMQ Target support
               in your kernel and ip6tables.</para>
             </listitem>
+
+            <listitem>
+              <para><emphasis
+              role="bold">DSCP</emphasis>(<replaceable>dscp</replaceable>)</para>
+
+              <para>Added in Shorewall 4.5.1. Sets the
+              <firstterm>Differentiated Services Code Point</firstterm> field
+              in the IP header. The <replaceable>dscp</replaceable> value may
+              be given as an even number (hex or decimal) or as the name of a
+              DSCP class. Valid class names and their associated hex numeric
+              values are:</para>
+
+              <programlisting>    CS0  =&gt; 0x00
+    CS1  =&gt; 0x08
+    CS2  =&gt; 0x10
+    CS3  =&gt; 0x18
+    CS4  =&gt; 0x20
+    CS5  =&gt; 0x28
+    CS6  =&gt; 0x30
+    CS7  =&gt; 0x38
+    BE   =&gt; 0x00
+    AF11 =&gt; 0x0a
+    AF12 =&gt; 0x0c
+    AF13 =&gt; 0x0e
+    AF21 =&gt; 0x12
+    AF22 =&gt; 0x14
+    AF23 =&gt; 0x16
+    AF31 =&gt; 0x1a
+    AF32 =&gt; 0x1c
+    AF33 =&gt; 0x1e
+    AF41 =&gt; 0x22
+    AF42 =&gt; 0x24
+    AF43 =&gt; 0x26
+    EF   =&gt; 0x2e</programlisting>
+            </listitem>
           </orderedlist>
         </listitem>
       </varlistentry>

Shorewall6/manpages/shorewall6.xml

@@ -1108,7 +1108,7 @@
           directory is given, then Shorewall6 will look in that directory
           first when opening configuration files.</para>
 
-          <para>Begining with Shorewall 4.5.0, you may specify a different
+          <para>Beginning with Shorewall 4.5.0, you may specify a different
           <replaceable>timeout</replaceable> value using the
           <option>-t</option> option. The numeric
           <replaceable>timeout</replaceable> may optionally be followed by an
@@ -1130,7 +1130,7 @@
           Shorewall6 will look in that directory first when opening
           configuration files.</para>
 
-          <para>Begining with Shorewall 4.5.0, you may specify a different
+          <para>Beginning with Shorewall 4.5.0, you may specify a different
           <replaceable>timeout</replaceable> value using the
           <option>-t</option> option. The numeric
           <replaceable>timeout</replaceable> may optionally be followed by an
@@ -1422,7 +1422,7 @@
           role="bold">restore</emphasis> is performed after
           <replaceable>timeout</replaceable> seconds.</para>
 
-          <para>Begining with Shorewall 4.5.0, the numeric
+          <para>Beginning with Shorewall 4.5.0, the numeric
           <replaceable>timeout</replaceable> may optionally be followed by an
           <option>s</option>, <option>m</option> or <option>h</option> suffix
           (e.g., 5m) to specify seconds, minutes or hours respectively. If the

docs/Anatomy.xml

@@ -106,7 +106,7 @@
 
       <para>The <filename>/sbin/shorewall</filename> shell program is used to
       interact with Shorewall. See <ulink
-      url="manpages/shorewall.html">shorewall</ulink>(8). </para>
+      url="manpages/shorewall.html">shorewall</ulink>(8).</para>
     </section>
 
     <section id="share-shorewall">

docs/Documentation_Index.xml

@@ -223,8 +223,8 @@
 
             <entry><ulink url="OpenVZ.html">OpenVZ</ulink></entry>
 
-            <entry><ulink url="LennyToSqueeze.html">Upgrading to Shorewall 4.4
-            (Upgrading Debian Lenny to Squeeze)</ulink></entry>
+            <entry><ulink url="upgrade_issues.htm">Upgrade
+            Issues</ulink></entry>
           </row>
 
           <row>
@@ -234,7 +234,8 @@
             <entry><ulink url="starting_and_stopping_shorewall.htm">Operating
             Shorewall</ulink></entry>
 
-            <entry><ulink url="VPNBasics.html">VPN</ulink></entry>
+            <entry><ulink url="LennyToSqueeze.html">Upgrading to Shorewall 4.4
+            (Upgrading Debian Lenny to Squeeze)</ulink></entry>
           </row>
 
           <row>
@@ -245,7 +246,7 @@
             <entry><ulink url="PacketMarking.html">Packet
             Marking</ulink></entry>
 
-            <entry><ulink url="VPN.htm">VPN Passthrough</ulink></entry>
+            <entry><ulink url="VPNBasics.html">VPN</ulink></entry>
           </row>
 
           <row>
@@ -255,8 +256,7 @@
             <entry><ulink url="PacketHandling.html">Packet Processing in a
             Shorewall-based Firewall</ulink></entry>
 
-            <entry><ulink url="blacklisting_support.htm#whitelisting">White
-            List Creation</ulink></entry>
+            <entry><ulink url="VPN.htm">VPN Passthrough</ulink></entry>
           </row>
 
           <row>
@@ -264,8 +264,8 @@
 
             <entry><ulink url="ping.html">'Ping' Management</ulink></entry>
 
-            <entry><ulink url="XenMyWay.html">Xen - Shorewall in a Bridged Xen
-            DomU</ulink></entry>
+            <entry><ulink url="blacklisting_support.htm#whitelisting">White
+            List Creation</ulink></entry>
           </row>
 
           <row>
@@ -275,8 +275,8 @@
             <entry><ulink url="two-interface.htm#DNAT">Port
             Forwarding</ulink></entry>
 
-            <entry><ulink url="XenMyWay-Routed.html">Xen - Shorewall in Routed
-            Xen Dom0</ulink></entry>
+            <entry><ulink url="XenMyWay.html">Xen - Shorewall in a Bridged Xen
+            DomU</ulink></entry>
           </row>
 
           <row>
@@ -285,7 +285,8 @@
 
             <entry><ulink url="ports.htm">Port Information</ulink></entry>
 
-            <entry/>
+            <entry><ulink url="XenMyWay-Routed.html">Xen - Shorewall in Routed
+            Xen Dom0</ulink></entry>
           </row>
 
           <row>

docs/Install.xml

@@ -24,6 +24,8 @@
 
       <year>2009</year>
 
+      <year>2012</year>
+
       <holder>Thomas M. Eastep</holder>
     </copyright>
 
@@ -135,11 +137,31 @@
   <section id="Install_Tarball">
     <title>Install using tarball</title>
 
+    <para>Beginning with Shorewall-4.5.0, the Shorewall packages depend on
+    Shorewall-core. So the first step is to install that package:</para>
+
+    <orderedlist>
+      <listitem>
+        <para>unpack the tarballs:<programlisting><command>tar -jxf shorewall-core-4.5.0.tar.bz2</command></programlisting></para>
+      </listitem>
+
+      <listitem>
+        <para>cd to the shorewall directory (the version is encoded in the
+        directory name as in <quote>shorewall-core-4.5.0</quote>).</para>
+      </listitem>
+
+      <listitem>
+        <para>Type:</para>
+
+        <programlisting><command>./install.sh </command></programlisting>
+      </listitem>
+    </orderedlist>
+
     <para>To install Shorewall using the tarball and install script:</para>
 
     <orderedlist>
       <listitem>
-        <para>unpack the tarballs:<programlisting><command>tar -jxf shorewall-4.3.5.tar.bz2</command></programlisting></para>
+        <para>unpack the tarballs:<programlisting><command>tar -jxf shorewall-4.5.0.tar.bz2</command></programlisting></para>
       </listitem>
 
       <listitem>
@@ -241,6 +263,9 @@
             <para>Beginning with Shorewall 4.4.20, you can specify an absolute
             path name for LIBEXEC, in which case the listed executables will
             be installed in ${LIBEXEC}/shorewall*.</para>
+
+            <para>Beginning with Shorewall 4.5.1, you must specify an absolute
+            pathname for LIBEXEC.</para>
           </listitem>
         </varlistentry>
 
@@ -258,10 +283,302 @@
             <para>Beginning with Shorewall 4.4.20, you can specify an absolute
             path name for PERLLIB, in which case the Shorewall Perl modules
             will be installed in ${PERLLIB}/Shorewall/.</para>
+
+            <para>Beginning with Shorewall 4.5.1, you must specify an absolute
+            pathname for PERLLIB.</para>
           </listitem>
         </varlistentry>
       </variablelist>
     </section>
+
+    <section>
+      <title>Default Install Locations</title>
+
+      <para>The default install locations are distribution dependent as shown
+      in the following sections. These are the locations that are chosen by
+      the install.sh scripts.</para>
+
+      <section>
+        <title>All Distributions</title>
+
+        <informaltable>
+          <tgroup cols="2">
+            <tbody>
+              <row>
+                <entry><emphasis role="bold">COMPONENT</emphasis></entry>
+
+                <entry><emphasis role="bold">LOCATION</emphasis></entry>
+              </row>
+
+              <row>
+                <entry>man pages</entry>
+
+                <entry>/usr/share/man/ (may ve overridden using
+                MANDIR)</entry>
+              </row>
+
+              <row>
+                <entry>Shorewall Perl Modules</entry>
+
+                <entry>/usr/share/shorewall/ (may be overridden using
+                PERLLIB)</entry>
+              </row>
+
+              <row>
+                <entry>Executable helper scripts (compiler.pl, getparams,
+                wait4ifup)</entry>
+
+                <entry>/usr/share/shorewall/ (may be overridden using
+                LIBEXEC)</entry>
+              </row>
+
+              <row>
+                <entry>ifupdown.sh (from Shorewall-init)</entry>
+
+                <entry>/usr/share/shorewall-init/ (may be overridden using
+                LIBEXEC)</entry>
+              </row>
+            </tbody>
+          </tgroup>
+        </informaltable>
+      </section>
+
+      <section>
+        <title>Debian</title>
+
+        <informaltable>
+          <tgroup cols="2">
+            <tbody>
+              <row>
+                <entry><emphasis role="bold">COMPONENT</emphasis></entry>
+
+                <entry><emphasis role="bold">LOCATION</emphasis></entry>
+              </row>
+
+              <row>
+                <entry>CLI programs</entry>
+
+                <entry>/sbin/<replaceable>product</replaceable></entry>
+              </row>
+
+              <row>
+                <entry>Distribution-specific configuration file</entry>
+
+                <entry>/etc/default/<replaceable>product</replaceable></entry>
+              </row>
+
+              <row>
+                <entry>Init Scripts</entry>
+
+                <entry>/etc/init.d/<replaceable>product</replaceable></entry>
+              </row>
+
+              <row>
+                <entry>ifupdown scripts from Shorewall-init</entry>
+
+                <entry>/etc/network/if-up.d/shorewall,
+                /etc/network/if-post-down.d/shorewall</entry>
+              </row>
+
+              <row>
+                <entry>ppp ifupdown scripts from Shorewall-init</entry>
+
+                <entry>/etc/ppp/ip-up.d/shorewall,
+                /etc/ppp/ip-down.d/shorewall /etc/ppp/ipv6-up.d/shorewall
+                /etc/ppp/ipv6-down.d/shorewall</entry>
+              </row>
+            </tbody>
+          </tgroup>
+        </informaltable>
+      </section>
+
+      <section>
+        <title>Redhat and Derivatives</title>
+
+        <informaltable>
+          <tgroup cols="2">
+            <tbody>
+              <row>
+                <entry><emphasis role="bold">COMPONENT</emphasis></entry>
+
+                <entry><emphasis role="bold">LOCATION</emphasis></entry>
+              </row>
+
+              <row>
+                <entry>CLI programs</entry>
+
+                <entry>/sbin/<replaceable>product</replaceable></entry>
+              </row>
+
+              <row>
+                <entry>Distribution-specific configuration file</entry>
+
+                <entry>/etc/sysconfig/<replaceable>product</replaceable></entry>
+              </row>
+
+              <row>
+                <entry>Init Scripts</entry>
+
+                <entry>/etc/rc.d/init.d/<replaceable>product</replaceable></entry>
+              </row>
+
+              <row>
+                <entry>ifupdown scripts from Shorewall-init</entry>
+
+                <entry>/sbin/ifup-local, /sbin/ifdown-local</entry>
+              </row>
+
+              <row>
+                <entry>ppp ifupdown scripts from Shorewall-init</entry>
+
+                <entry>/etc/ppp/ip-up.local, /etc/ppp/ip-down.local</entry>
+              </row>
+            </tbody>
+          </tgroup>
+        </informaltable>
+      </section>
+
+      <section>
+        <title>SuSE</title>
+
+        <informaltable>
+          <tgroup cols="2">
+            <tbody>
+              <row>
+                <entry><emphasis role="bold">COMPONENT</emphasis></entry>
+
+                <entry><emphasis role="bold">LOCATION</emphasis></entry>
+              </row>
+
+              <row>
+                <entry>CLI programs</entry>
+
+                <entry>/sbin/<replaceable>product</replaceable></entry>
+              </row>
+
+              <row>
+                <entry>Distribution-specific configuration file</entry>
+
+                <entry>/etc/sysconfig/<replaceable>product</replaceable></entry>
+              </row>
+
+              <row>
+                <entry>Init Scripts</entry>
+
+                <entry>/etc/init.d/<replaceable>product</replaceable></entry>
+              </row>
+
+              <row>
+                <entry>ifupdown scripts from Shorewall-init</entry>
+
+                <entry>/etc/sysconfig/network/if-up.d/shorewall,
+                /etc/sysconfig/network/if-down.d/shorewall</entry>
+              </row>
+
+              <row>
+                <entry>ppp ifupdown scripts from Shorewall-init</entry>
+
+                <entry>/etc/ppp/ip-up.d/shorewall,
+                /etc/ppp/ip-down.d/shorewall /etc/ppp/ipv6-up.d/shorewall
+                /etc/ppp/ipv6-down.d/shorewall</entry>
+              </row>
+            </tbody>
+          </tgroup>
+        </informaltable>
+      </section>
+
+      <section>
+        <title>Cygwin</title>
+
+        <informaltable>
+          <tgroup cols="2">
+            <tbody>
+              <row>
+                <entry><emphasis role="bold">COMPONENT</emphasis></entry>
+
+                <entry><emphasis role="bold">LOCATION</emphasis></entry>
+              </row>
+
+              <row>
+                <entry>CLI programs</entry>
+
+                <entry>/bin/<replaceable>product</replaceable></entry>
+              </row>
+
+              <row>
+                <entry>Distribution-specific configuration file</entry>
+
+                <entry>N/A</entry>
+              </row>
+
+              <row>
+                <entry>Init Scripts</entry>
+
+                <entry>N/A</entry>
+              </row>
+
+              <row>
+                <entry>ifupdown scripts from Shorewall-init</entry>
+
+                <entry>N/A</entry>
+              </row>
+
+              <row>
+                <entry>ppp ifupdown scripts from Shorewall-init</entry>
+
+                <entry>N/A</entry>
+              </row>
+            </tbody>
+          </tgroup>
+        </informaltable>
+      </section>
+
+      <section>
+        <title>OS X</title>
+
+        <informaltable>
+          <tgroup cols="2">
+            <tbody>
+              <row>
+                <entry><emphasis role="bold">COMPONENT</emphasis></entry>
+
+                <entry><emphasis role="bold">LOCATION</emphasis></entry>
+              </row>
+
+              <row>
+                <entry>CLI programs</entry>
+
+                <entry>/sbin/<replaceable>product</replaceable></entry>
+              </row>
+
+              <row>
+                <entry>Distribution-specific configuration file</entry>
+
+                <entry>N/A</entry>
+              </row>
+
+              <row>
+                <entry>Init Scripts</entry>
+
+                <entry>N/A</entry>
+              </row>
+
+              <row>
+                <entry>ifupdown scripts from Shorewall-init</entry>
+
+                <entry>N/A</entry>
+              </row>
+
+              <row>
+                <entry>ppp ifupdown scripts from Shorewall-init</entry>
+
+                <entry>N/A</entry>
+              </row>
+            </tbody>
+          </tgroup>
+        </informaltable>
+      </section>
+    </section>
   </section>
 
   <section id="Debian">
@@ -406,17 +723,37 @@ Pin-Priority: 700</programlisting><emphasis role="bold"><emphasis>Then
         issues</ulink> for specific instructions.</para>
       </important></para>
 
+    <para>If you are upgrading to version 4.5.0 or later, you must first
+    install or upgrade the Shorewall-core package:</para>
+
+    <orderedlist>
+      <listitem>
+        <para>unpack the tarballs:<programlisting><command>tar -jxf shorewall-core-4.5.0.tar.bz2</command></programlisting></para>
+      </listitem>
+
+      <listitem>
+        <para>cd to the shorewall directory (the version is encoded in the
+        directory name as in <quote>shorewall-core-4.5.0</quote>).</para>
+      </listitem>
+
+      <listitem>
+        <para>Type:</para>
+
+        <programlisting><command>./install.sh </command></programlisting>
+      </listitem>
+    </orderedlist>
+
     <para>If you already have Shorewall installed and are upgrading to a new
     version using the tarball:</para>
 
     <orderedlist>
       <listitem>
-        <para>unpack the tarball:<programlisting><command>tar -jxf shorewall-4.3.5.tar.bz2</command></programlisting></para>
+        <para>unpack the tarball:<programlisting><command>tar -jxf shorewall-4.5.0.tar.bz2</command></programlisting></para>
       </listitem>
 
       <listitem>
         <para>cd to the shorewall-perl directory (the version is encoded in
-        the directory name as in <quote>shorewall-4.3.5</quote>).</para>
+        the directory name as in <quote>shorewall-4.5.0</quote>).</para>
       </listitem>
 
       <listitem>

docs/Introduction.xml

@@ -16,7 +16,7 @@
     <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
 
     <copyright>
-      <year>2003-2009</year>
+      <year>2003-2012</year>
 
       <holder>Thomas M. Eastep</holder>
     </copyright>
@@ -385,9 +385,14 @@ ACCEPT     net           $FW       tcp        22</programlisting>
   <section id="Packages">
     <title>Shorewall Packages</title>
 
-    <para>Shorewall 4.3 and later consists of four packages.</para>
+    <para>Shorewall 4.5 and later consists of six packages.</para>
 
     <orderedlist>
+      <listitem>
+        <para><emphasis role="bold">Shorewall-core</emphasis>. All of the
+        other packages depend on this one.</para>
+      </listitem>
+
       <listitem>
         <para><emphasis role="bold">Shorewall</emphasis>. This package must be
         installed on at least one system in your network. It contains
@@ -417,6 +422,13 @@ ACCEPT     net           $FW       tcp        22</programlisting>
         scripts are generated. These scripts are copied to the firewall
         systems where they run under the control of Shorewall6-lite.</para>
       </listitem>
+
+      <listitem>
+        <para><emphasis role="bold">Shorewall-init</emphasis>. May be
+        installed with any of the other firewall packages. Allows the firewall
+        to be close prior to bringing up network interfaces. It can also react
+        to interface up/down events.</para>
+      </listitem>
     </orderedlist>
   </section>
 

docs/ReleaseModel.xml

@@ -32,6 +32,8 @@
 
       <year>2010</year>
 
+      <year>2012</year>
+
       <holder>Thomas M. Eastep</holder>
     </copyright>
 
@@ -52,81 +54,64 @@
     <orderedlist>
       <listitem>
         <para>Releases have a three-level identification
-        <firstterm>x.y.z</firstterm> (e.g., 2.0.3).</para>
+        <firstterm>x.y.z</firstterm> (e.g., 4.5.0).</para>
       </listitem>
 
       <listitem>
         <para>The first two levels (<emphasis>x.y</emphasis>) designate the
-        <firstterm>Major Release Number</firstterm> (e.g., 2.0).</para>
+        <firstterm>major release number</firstterm> (e.g., 4.5).</para>
       </listitem>
 
       <listitem>
-        <para>The third level (<emphasis>z</emphasis>) designates the
-        <firstterm>Minor Release Number</firstterm>.</para>
+        <para>The third level (<emphasis>y</emphasis>) designates the
+        <firstterm>minor release Number</firstterm>.</para>
       </listitem>
 
       <listitem>
-        <para>Even numbered major releases (e.g., 1.4, 2.0, 2.2, ...) are
-        <firstterm>Stable Releases</firstterm>. No major new features are
-        added to stable releases and new minor releases of a stable release
-        will only contain bug fixes and simple low-risk enhancements.
-        Installing a new minor release for the major release that you are
-        currently running involves no migration issues unless you want to take
-        advantage of an enhancement (for example, if you are running 1.4.10
-        and I release 1.4.11, your current configuration is 100% compatible
-        with the new release).</para>
+        <para>Installing a new minor release involves no migration issues
+        unless you want to take advantage of an enhancement. For example, if
+        you are running 4.5.0 and I release 4.5.1, your current configuration
+        is 100% compatible with the new release.</para>
+      </listitem>
+
+      <listitem>
+        <para>A major release may have migration issues. These are listed in
+        the release notes and on the <ulink url="upgrade_issues.htm">upgrade
+        issues page</ulink>.</para>
       </listitem>
 
       <listitem>
         <para>Support is available through the <ulink
         url="http://sourceforge.net/mail/?group_id=22587">Mailing List</ulink>
-        for the two or three most recent Stable Releases. Three releases are
-        supported when the Shorewall release in the Stable Debian distribution
-        is two releases behind the current Shorewall development. In that
-        case, only the minor release in Stable is supported.</para>
+        for the two most recent Major Releases. Fixes will only be provided
+        for the last minor release in the previous Major Release. For example,
+        only 4.5.0 was released, the only fixes for major issues with 4.4.27
+        would be released for the 4.4 series.</para>
       </listitem>
 
       <listitem>
-        <para>Odd numbered major releases (e.g., 2.1, 2.3, ...) are
-        <firstterm>Development Releases</firstterm>. Development releases are
-        where new functionality is introduced. Documentation for new features
-        will be available but it may not be up to the standards of the stable
-        release documentation. Sites running Development Releases should be
-        prepared to play an active role in testing new features. Bug fixes and
-        problem resolution for the development release take a back seat to
-        support of the stable releases. Problem reports for the current
-        development release should be sent to the <ulink
-        url="mailto:shorewall-devel@lists.shorewall.net">Shorewall Development
-        Mailing List</ulink>.</para>
+        <para>Once a minor release has been announced, work begins on the next
+        minor release. Periodic Beta releases are made available through
+        announcements on the Shorewall Development and Shorewall User mailing
+        lists. Those Beta releases are numberd w.x.y-Beta1, ...Beta2, etc.
+        Support for the Beta releases is offered through the Shorewall
+        Development mailing list in the form of emailed patches. There is no
+        guarantee of compatability between one Beta release and the next as
+        features are tweaked.</para>
       </listitem>
 
       <listitem>
-        <para>When the level of functionality of the current development
-        release is judged adequate, the <firstterm>Beta period</firstterm> for
-        a new Stable release will begin. Beta releases have identifications of
-        the form <emphasis>x.y.0-BetaN</emphasis> where
-        <emphasis>x.y</emphasis> is the number of the next Stable Release and
-        <emphasis>N</emphasis>=1,2,3... . Betas are expected to occur roughly
-        once per year. Beta releases may contain new functionality not present
-        in the previous beta release (e.g., 2.2.0-Beta4 may contain
-        functionality not present in 2.2.0-Beta3). When I'm confident that the
-        current Beta release is stable, I will release the first
-        <firstterm>Release Candidate</firstterm>. Release candidates have
-        identifications of the form <emphasis>x.y.0-RCn</emphasis> where
-        <emphasis>x.y</emphasis> is the number of the next Stable Release and
-        <emphasis>n</emphasis>=1,2,3... . Release candidates contain no new
-        functionality -- they only contain bug fixes. When the stability of
-        the current release candidate is judged to be sufficient then that
-        release candidate will be released as the new stable release (e.g.,
-        2.2.0). At that time, the new stable release and the prior stable
-        release are those that are supported.</para>
+        <para>When the next minor release is functionally complete, one or
+        more <firstterm>release candidates</firstterm> are announced on the
+        Shorewall Development and Shorewall User mailing lists. These release
+        candidates are numbered w.x.y-RC1, ...-RC2, etc.</para>
       </listitem>
 
       <listitem>
         <para>What does it mean for a major release to be
-        <firstterm>supported</firstterm>? It means that I will answer
-        questions about the release and that if a bug is found, I will fix the
-        bug and include the fix in the next minor release.</para>
+        <firstterm>supported</firstterm>? It means that that if a bug is
+        found, we will fix the bug and include the fix in the next minor
+        release.</para>
       </listitem>
 
       <listitem>
@@ -135,16 +120,8 @@
         four-level identification <emphasis>x.y.z.N</emphasis> where x.y.z is
         the minor release being fixed and N = 1.2.3...</para>
       </listitem>
-
-      <listitem>
-        <para>Additionally, bug fixes may be made available in the form of a
-        <firstterm>patch release</firstterm>. Patch releases have four-level
-        identifications (e.g., 4.0.6.1); the first three identify the minor
-        release and the fourth identifies the patch level.</para>
-      </listitem>
     </orderedlist>
 
-    <para>The currently-supported major releases are and 4.0.10., 4.2.x. and
-    4.4.x.</para>
+    <para>The currently-supported major releases are 4.4 and 4.5.</para>
   </section>
 </article>

docs/configuration_file_basics.xml

@@ -190,9 +190,9 @@
         </listitem>
 
         <listitem>
-          <para><filename>/etc/shorewall/rtrules</filename> - Defines
-          routing rules to be used in conjunction with the routing tables
-          defined in <filename>/etc/shorewall/providers</filename>.</para>
+          <para><filename>/etc/shorewall/rtrules</filename> - Defines routing
+          rules to be used in conjunction with the routing tables defined in
+          <filename>/etc/shorewall/providers</filename>.</para>
         </listitem>
 
         <listitem>
@@ -1287,6 +1287,11 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting
         <para><ulink url="Macros.html">Macro</ulink> files</para>
       </listitem>
 
+      <listitem>
+        <para><ulink
+        url="manpages/shorewall-nat.html">shorewall-nat</ulink>(5)</para>
+      </listitem>
+
       <listitem>
         <para><ulink
         url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5)</para>
@@ -1324,8 +1329,88 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting
     </itemizedlist>
 
     <para>For optional interfaces, if the interface is not usable at the time
-    that the firewall starts the all-zero address will be used (0.0.0.0 in
-    IPv4 and :: in IPv6), resulting in no packets matching the rule.</para>
+    that the firewall starts, one of two approaches are taken, depending on
+    the context:</para>
+
+    <itemizedlist>
+      <listitem>
+        <para>the all-zero address will be used (0.0.0.0 in IPv4 and :: in
+        IPv6), resulting in no packets matching the rule (or all packets if
+        used with exclusion).</para>
+      </listitem>
+
+      <listitem>
+        <para>the entire rule is omitted from the ruleset.</para>
+      </listitem>
+    </itemizedlist>
+
+    <para>Beginning with Shorewall 4.5.1, <firstterm>Run-time Gateway
+    Variables</firstterm> in the form of a percent sign ('%') followed by a
+    logical interface name are also supported. These are expanded at run-time
+    to the gateway through the named interface. For optional interfaces, if
+    the interface is not usable at the time that the firewall starts, the nil
+    address will be used (0.0.0.0 in IPv4 and :: in IPv6), resulting in no
+    packets matching the rule. Run-time gateway variables may be used in the
+    SOURCE and DEST columns of the following configuration files:</para>
+
+    <itemizedlist>
+      <listitem>
+        <para><ulink
+        url="manapges/shorewall-accounting.html">shorewall-accounting</ulink>
+        (5)</para>
+      </listitem>
+
+      <listitem>
+        <para><ulink url="Actions.html">Action</ulink> files</para>
+      </listitem>
+
+      <listitem>
+        <para><ulink
+        url="manpages/shorewall-accounting.html">shorewall-blacklist</ulink>
+        (5)</para>
+      </listitem>
+
+      <listitem>
+        <para><ulink url="Macros.html">Macro</ulink> files</para>
+      </listitem>
+
+      <listitem>
+        <para><ulink
+        url="manpages/shorewall-nat.html">shorewall-nat</ulink>(5) (As a
+        qualifier to the INTERFACE).</para>
+      </listitem>
+
+      <listitem>
+        <para><ulink
+        url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5)</para>
+      </listitem>
+
+      <listitem>
+        <para><ulink
+        url="manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>
+        (5)</para>
+      </listitem>
+
+      <listitem>
+        <para><ulink url="manpages/shorewall-tos.html">shorewall-tos</ulink>
+        (5)</para>
+      </listitem>
+    </itemizedlist>
+
+    <variablelist>
+      <varlistentry>
+        <term>Example:</term>
+
+        <listitem>
+          <para><emphasis role="bold">%eth0</emphasis> would represent the IP
+          address of the gateway out of eth0.</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+
+    <para>If there is no gateway out of the named interface, the nil IP
+    address is used (0.0.0.0 in IPv4 and :: in IPv6). That way, the generated
+    rule will match no packets (or all packets if used with exclusion).</para>
 
     <para>Beginning with Shorewall 4.4.27, you may also use options in <ulink
     url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5) (e.g.,
@@ -1333,7 +1418,7 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting
 
     <note>
       <para>When an option is set to 'No' in shorewall.conf, the corresponding
-      shell variable is will be empty.</para>
+      shell variable will be empty.</para>
     </note>
 
     <note>

docs/upgrade_issues.xml

@@ -31,9 +31,11 @@
 
       <year>2009</year>
 
+      <year>2012</year>
+
       <holder>Thomas M. Eastep</holder>
 
-      <holder></holder>
+      <holder/>
     </copyright>
 
     <legalnotice>
@@ -74,6 +76,44 @@
     zones.</para>
   </section>
 
+  <section>
+    <title>Versions &gt;= 4.5.0</title>
+
+    <orderedlist>
+      <listitem>
+        <para>Shorewall, Shorewall6, Shorewall-lite and Shorewall6-lite now
+        depend on the new package Shorewall-core. If you use the Shorewall
+        installers, you must install Shorewall-core prior to installing or
+        upgrading any of the other packages.</para>
+      </listitem>
+
+      <listitem>
+        <para>The BLACKLIST section of the rules file has been eliminated. If
+        you have entries in that file section, you must move them to the
+        blrules file.</para>
+      </listitem>
+
+      <listitem>
+        <para>This version of Shorewall requires the Digest::SHA1 Perl
+        module.</para>
+
+        <simplelist>
+          <member>Debian: libdigest-sha1-perl</member>
+
+          <member>Fedora: perl-Digest-SHA1</member>
+
+          <member>OpenSuSE: perl-Digest-SHA1</member>
+        </simplelist>
+      </listitem>
+
+      <listitem>
+        <para>The generated firewall script now maintains the
+        /var/lib/shorewall[6][-lite]/interface.status files used by SWPING and
+        by LSM.</para>
+      </listitem>
+    </orderedlist>
+  </section>
+
   <section>
     <title>Versions &gt;= 4.4.0</title>
 
@@ -318,7 +358,7 @@
       </listitem>
 
       <listitem>
-        <para> Beginning with Shorewall 4.4.17, the EXPORTPARAMS option is
+        <para>Beginning with Shorewall 4.4.17, the EXPORTPARAMS option is
         deprecated. With EXPORTPARAMS=No, the variables set by <ulink
         url="manpages/shorewall-params.html">/etc/shorewall/params</ulink>
         (<ulink