Correct typo in Chains.pm

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/install.sh

@@ -27,14 +27,18 @@ VERSION=xxx #The Build script inserts the actual version
 usage() # $1 = exit status
 {
     ME=$(basename $0)
-    echo "usage: $ME"
+    echo "usage: $ME [ <configuration-file> ] "
     echo "       $ME -v"
     echo "       $ME -h"
-    echo "       $ME -s"
-    echo "       $ME -f"
     exit $1
 }
 
+fatal_error() 
+{
+    echo "   ERROR: $@" >&2
+    exit 1
+}
+
 split() {
     local ifs
     ifs=$IFS
@@ -87,39 +91,117 @@ install_file() # $1 = source $2 = target $3 = mode
     run_install $T $OWNERSHIP -m $3 $1 ${2}
 }
 
+require() 
+{
+    eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
+}
+
+cd "$(dirname $0)"
+
 [ -n "$DESTDIR" ] || DESTDIR="$PREFIX"
 
 #
 # Parse the run line
 #
-# ARGS is "yes" if we've already parsed an argument
+finished=0
+
+while [ $finished -eq 0 ]; do
+    option=$1
+
+    case "$option" in
+	-*)
+	    option=${option#-}
+
+	    while [ -n "$option" ]; do
+		case $option in
+		    h)
+			usage 0
+			;;
+		    v)
+			echo "Shorewall Firewall Installer Version $VERSION"
+			exit 0
+			;;
+		    *)
+			usage 1
+			;;
+		esac
+	    done
+
+	    shift
+	    ;;
+	*)
+	    finished=1
+	    ;;
+    esac
+done
+
+local file
 #
+# Read the RC file
+#
+if [ $# -eq 0 ]; then
+    #
+    # Load packager's settings if any
+    #
+    if [ -n "${DESTDIR}" -a -f ../shorewall-pkg.config ]; then
+	. ../shorewall-pkg.config || exit 1
+    elif [ -f ~/.shorewallrc ]; then
+	. ~/.shorewallrc || exit 1
+	file=~/.shorewallrc
+    fi
+elif [ $# -eq 1 ]; then
+    file=$1
+    case $file in
+	/*|.*)
+	    ;;
+	*)
+	    file=./$file
+	    ;;
+    esac
+
+    . $file
+else
+    usage 1
+fi
+
+for var in SHAREDIR LIBEXECDIR PERLLIBDIR CONFDIR SBINDIR VARDIR; do
+    require $var
+done
+
+[ "${INITFILE}" != 'none/' ] && require INITSOURCE && require INITDIR
+
 T="-T"
 
-[ -n "${LIBEXEC:=/usr/share}" ]
-[ -n "${PERLLIB:=/usr/share/shorewall}" ]
-MACHOST=
-
-case "$LIBEXEC" in
-    /*)
-	;;
-    *)
-	LIBEXEC=/usr/${LIBEXEC}
-	;;
-esac
-
-case "$PERLLIB" in
-    /*)
-	;;
-    *)
-	PERLLIB=/usr/${PERLLIB}
-	;;
-esac
-
 INSTALLD='-D'
 
-case $(uname) in
-    CYGWIN*)
+if [ -z "$BUILD" ]; then
+    case $(uname) in
+	cygwin*)
+	    BUILD=cygwin
+	    ;;
+	Darwin)
+	    BUILD=apple
+	    ;;
+	*)
+	    if [ -f /etc/debian_version ]; then
+		BUILD=debian
+	    elif [ -f /etc/redhat-release ]; then
+		BUILD=redhat
+	    elif [ -f /etc/slackware-version ] ; then
+		BUILD=slackware
+	    elif [ -f /etc/SuSE-release ]; then
+		BUILD=suse
+	    elif [ -f /etc/arch-release ] ; then
+		BUILD=archlinux
+	    else
+		BUILD=linux
+	    fi
+	    ;;
+    esac
+fi
+
+case $BUILD in
+    cygwin*)
 	if [ -z "$DESTDIR" ]; then
 	    DEST=
 	    INIT=
@@ -127,18 +209,16 @@ case $(uname) in
 
 	OWNER=$(id -un)
 	GROUP=$(id -gn)
-	CYGWIN=Yes
 	;;
-    Darwin)
+    apple)
 	if [ -z "$DESTDIR" ]; then
 	    DEST=
 	    INIT=
+	    SPARSE=Yes
 	fi
 
 	[ -z "$OWNER" ] && OWNER=root
 	[ -z "$GROUP" ] && GROUP=wheel
-	MAC=Yes
-        MACHOST=Yes
 	INSTALLD=
 	T=
 	;;
@@ -150,137 +230,94 @@ esac
 
 OWNERSHIP="-o $OWNER -g $GROUP"
 
-finished=0
-
-while [ $finished -eq 0 ]; do
-    option=$1
-
-    case "$option" in
-	-*)
-	    option=${option#-}
-	    
-	    while [ -n "$option" ]; do
-		case $option in
-		    h)
-			usage 0
-			;;
-		    v)
-			echo "Shorewall Firewall Installer Version $VERSION"
-			exit 0
-			;;
-		    a*)
-			ANNOTATED=Yes
-			option=${option#a}
-			;;
-		    p*)
-			ANNOTATED=
-			option=${option#p}
-			;;
-		    *)
-			usage 1
-			;;
-		esac
-	    done
-
-	    shift
-	    ;;
-	*)
-	    [ -n "$option" ] && usage 1
-	    finished=1
-	    ;;
-    esac
-done
-
-PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
-
 #
 # Determine where to install the firewall script
 #
 
+[ -n "$HOST" ] || HOST=$BUILD
+
+case "$HOST" in
+    cygwin)
+	echo "Installing Cygwin-specific configuration..."
+	;;
+    apple)
+	echo "Installing Mac-specific configuration...";
+	;;
+    debian|redhat|slackware|archlinux|linux|suse)
+	;;
+    *)
+	echo "ERROR: Unknown HOST \"$HOST\"" >&2
+	exit 1;
+	;;
+esac
+
+if [ -z "$file" ]; then
+    if $HOST = linux; then
+	file=shorewallrc.default
+    else
+	file=$shorewallrc.${HOST}
+    fi
+
+    echo "You have not specified a configuration file and ~/.shorewallrc does not exist" >&2
+    echo "Shorewall-core $VERSION has determined that the $file configuration is appropriate for your system" >&2
+    echo "Please review the settings in that file. If you wish to change them, make a copy and modify the copy" >&2
+    echo "Then re-run install.sh passing either $file or the name of your modified copy" >&2
+    echo "" >&2
+    echo "Example:" >&2
+    echo "" >&2
+    echo "   ./install.sh $file" &>2
+fi
+
 if [ -n "$DESTDIR" ]; then
-    if [ -z "$CYGWIN" ]; then
+    if [ $BUILD != cygwin ]; then
 	if [ `id -u` != 0 ] ; then
 	    echo "Not setting file owner/group permissions, not running as root."
 	    OWNERSHIP=""
 	fi
     fi
-
-    install -d $OWNERSHIP -m 755 ${DESTDIR}/sbin
-    install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
-
-    CYGWIN=
-    MAC=
-else
-    if [ -n "$CYGWIN" ]; then
-	echo "Installing Cygwin-specific configuration..."
-    elif [ -n "$MAC" ]; then
-	echo "Installing Mac-specific configuration..."
-    else
-	if [ -f /etc/debian_version ]; then
-	    echo "Installing Debian-specific configuration..."
-	    DEBIAN=yes
-	elif [ -f /etc/redhat-release ]; then
-	    echo "Installing Redhat/Fedora-specific configuration..."
-	    FEDORA=yes
-	elif [ -f /etc/slackware-version ] ; then
-	    echo "Installing Slackware-specific configuration..."
-	    DEST="/etc/rc.d"
-	    MANDIR="/usr/man"
-	    SLACKWARE=yes
-	elif [ -f /etc/arch-release ] ; then
-	    echo "Installing ArchLinux-specific configuration..."
-	    DEST="/etc/rc.d"
-	    INIT="shorewall"
-	    ARCHLINUX=yes
-	fi
-    fi
 fi
 
-#
-# Change to the directory containing this script
-#
-cd "$(dirname $0)"
-
 echo "Installing Shorewall Core Version $VERSION"
 
 #
 # Create /usr/share/shorewall
 #
-mkdir -p ${DESTDIR}${LIBEXEC}/shorewall
-chmod 755 ${DESTDIR}/usr/share/shorewall
+mkdir -p ${DESTDIR}${LIBEXECDIR}/shorewall
+chmod 755 ${DESTDIR}${LIBEXECDIR}/shorewall
+
+mkdir -p ${DESTDIR}${SHAREDIR}/shorewall
+chmod 755 ${DESTDIR}${SHAREDIR}/shorewall
 #
 # Install wait4ifup
 #
-install_file wait4ifup ${DESTDIR}${LIBEXEC}/shorewall/wait4ifup 0755
+install_file wait4ifup ${DESTDIR}${LIBEXECDIR}/shorewall/wait4ifup 0755
 
 echo
-echo "wait4ifup installed in ${DESTDIR}${LIBEXEC}/shorewall/wait4ifup"
+echo "wait4ifup installed in ${DESTDIR}${LIBEXECDIR}/shorewall/wait4ifup"
 
 #
 # Install the libraries
 #
 for f in lib.* ; do
-    install_file $f ${DESTDIR}/usr/share/shorewall/$f 0644
-    echo "Library ${f#*.} file installed as ${DESTDIR}/usr/share/shorewall/$f"
+    install_file $f ${DESTDIR}${SHAREDIR}/shorewall/$f 0644
+    echo "Library ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/shorewall/$f"
 done
 
-if [ -z "$MACHOST" ]; then
-    eval sed -i \'s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/usr/share/shorewall/lib.cli
-    eval sed -i \'s\|g_perllib=.\*\|g_perllib=$PERLLIB\|\' ${DESTDIR}/usr/share/shorewall/lib.cli
-else
-    eval sed -i \'\' -e \'s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/usr/share/shorewall/lib.cli
-    eval sed -i \'\' -e \'s\|g_perllib=.\*\|g_perllib=$PERLLIB\|\' ${DESTDIR}/usr/share/shorewall/lib.cli
-fi
-
 #
 # Symbolically link 'functions' to lib.base
 #
-ln -sf lib.base ${DESTDIR}/usr/share/shorewall/functions
+ln -sf lib.base ${DESTDIR}${SHAREDIR}/shorewall/functions
 #
 # Create the version file
 #
-echo "$VERSION" > ${DESTDIR}/usr/share/shorewall/coreversion
-chmod 644 ${DESTDIR}/usr/share/shorewall/coreversion
+echo "$VERSION" > ${DESTDIR}${SHAREDIR}/shorewall/coreversion
+chmod 644 ${DESTDIR}${SHAREDIR}/shorewall/coreversion
+
+cp $file ${DESTDIR}${SHAREDIR}/shorewall/shorewallrc
+
+if [ -z "${DESTDIR}" ]; then
+    [ -f ~/.shorewallrc ] || cp $file ~/.shorewallrc
+fi
 #
 #  Report Success
 #

Shorewall-core/lib.base

@@ -32,41 +32,57 @@ SHOREWALL_CAPVERSION=40501
 
 [ -n "${g_program:=shorewall}" ]
 
+if [ -z "$g_readrc" ]; then
+    if [ -f ~/.shorewallrc ]; then
+	. ~/.shorewallrc || exit 1
+    else
+	SHAREDIR=/usr/share
+	CONFDIR=/etc
+	SBINDIR=/sbin
+	LIBEXECDIR=/usr/share
+    fi
+
+    g_libexec="$LIBEXECDIR"
+    g_sharedir="$SHAREDIR"
+    g_sbindir="$SBINDIR"
+    g_readrc=1
+fi
+
 case $g_program in
     shorewall)
-	SHAREDIR=/usr/share/shorewall
-	CONFDIR=/etc/shorewall
+	SHAREDIR=${SHAREDIR}/shorewall
+	CONFDIR=${CONFDIR}/shorewall
 	g_product="Shorewall"
 	g_family=4
 	g_tool=
-	g_basedir=/usr/share/shorewall
+	g_basedir=${SHAREDIR}/shorewall
 	g_lite=
 	;;
     shorewall6)
-	SHAREDIR=/usr/share/shorewall6
-	CONFDIR=/etc/shorewall6
+	SHAREDIR=${SHAREDIR}/shorewall6
+	CONFDIR=${CONFDIR}/shorewall6
 	g_product="Shorewall6"
 	g_family=6
 	g_tool=
-	g_basedir=/usr/share/shorewall
+	g_basedir=${SHAREDIR}/shorewall
 	g_lite=
 	;;
     shorewall-lite)
-	SHAREDIR=/usr/share/shorewall-lite
-	CONFDIR=/etc/shorewall-lite
+	SHAREDIR=${SHAREDIR}/shorewall-lite
+	CONFDIR=${CONFDIR}/shorewall-lite
 	g_product="Shorewall Lite"
 	g_family=4
 	g_tool=iptables
-	g_basedir=/usr/share/shorewall-lite
+	g_basedir=${SHAREDIR}/shorewall-lite
 	g_lite=Yes
 	;;
     shorewall6-lite)
-	SHAREDIR=/usr/share/shorewall6-lite
-	CONFDIR=/etc/shorewall6-lite
+	SHAREDIR=${SHAREDIR}/shorewall6-lite
+	CONFDIR=${CONFDIR}/shorewall6-lite
 	g_product="Shorewall6 Lite"
 	g_family=6
 	g_tool=ip6tables
-	g_basedir=/usr/share/shorewall6-lite
+	g_basedir=${SHAREDIR}/shorewall6-lite
 	g_lite=Yes
 	;;
 esac
@@ -186,7 +202,7 @@ mutex_off()
     rm -f ${LOCKFILE:=${VARDIR}/lock}
 }
 
-[ -z "$LEFTSHIFT" ] && . /usr/share/shorewall/lib.common
+[ -z "$LEFTSHIFT" ] && . ${g_sharedir}/shorewall/lib.common
 
 #
 # Validate an IP address

Shorewall-core/lib.cli

@@ -23,7 +23,25 @@
 # This library contains the command processing code common to /sbin/shorewall[6] and
 # /sbin/shorewall[6]-lite.
 #
-. /usr/share/shorewall/lib.base
+
+if [ -z "$g_readrc" ]; then
+    if [ -f ~/.shorewallrc ]; then
+	. ~/.shorewallrc || exit 1
+    else
+	SHAREDIR=/usr/share
+	CONFDIR=${CONFDIR}
+	SBINDIR=/sbin
+	LIBEXECDIR=/usr/share
+    fi
+
+    g_libexec="$LIBEXECDIR"
+    g_sharedir="$SHAREDIR"
+    g_sbindir="$SBINDIR"
+    g_readrc=1
+fi
+
+. ${SHAREDIR}/shorewall/lib.base
+
 #
 # Fatal Error
 #
@@ -543,11 +561,11 @@ version_command() {
     [ $# -gt 0 ] && usage 1
 
     if [ -n "$all" ]; then
-	echo "shorewall-core: $(cat /usr/share/shorewall/coreversion)"
+	echo "shorewall-core: $(cat $g_sharedir/shorewall/coreversion)"
 
 	for product in shorewall shorewall6 shorewall-lite shorewall6-lite shorewall-init; do
-	    if [ -f /usr/share/$product/version ]; then
-		echo "$product: $(cat /usr/share/$product/version)"
+	    if [ -f $g_sharedir/$product/version ]; then
+		echo "$product: $(cat $g_sharedir/$product/version)"
 	    fi
 	done
     else
@@ -842,11 +860,13 @@ show_command() {
 		echo "CONFIG_PATH=$CONFIG_PATH"
 		echo "VARDIR=$VARDIR"
 		echo "LIBEXEC=$g_libexec"
+		echo "SBINDIR=$g_sbindir"
 		[ -n "$g_lite" ] && ${VARDIR} ne /var/lib/$program && echo "LITEDIR=${VARDIR}"
 	    else
 		echo "Default CONFIG_PATH is $CONFIG_PATH"
 		echo "Default VARDIR is /var/lib/$g_program"
 		echo "LIBEXEC is $g_libexec"
+		echo "SBINDIR is $g_sbindir"
 		[ -n "$g_lite" ] && [ ${VARDIR} != /var/lib/$g_program ] && echo "LITEDIR is ${VARDIR}"
 	    fi
 	    ;;
@@ -1112,7 +1132,7 @@ do_dump_command() {
 	echo "   Shorewall $(cat /usr/share/shorewall/version)"
 	echo
     fi
-    
+    show_status
     show_reset
     host=$(echo $g_hostname | sed 's/\..*$//')
     $g_tool -L $g_ipt_options
@@ -1957,6 +1977,8 @@ determine_capabilities() {
     CT_TARGET=
     STATISTIC_MATCH=
     IMQ_TARGET=
+    DSCP_MATCH=
+    DSCP_TARGET=
 
     chain=fooX$$
 
@@ -2081,10 +2103,14 @@ determine_capabilities() {
 	qt $g_tool -t mangle -A $chain -j CLASSIFY --set-class 1:1 && CLASSIFY_TARGET=Yes
 	qt $g_tool -t mangle -A $chain -j IPMARK --addr src && IPMARK_TARGET=Yes
 	qt $g_tool -t mangle -A $chain -p tcp -j TPROXY --on-port 0 --tproxy-mark 1 && TPROXY_TARGET=Yes
+	qt $g_tool -t mangle -A $chain -j IMQ --todev 0 && IMQ_TARGET=Yes
+	qt $g_tool -t mangle -A $chain -m dscp --dscp 0 && DSCP_MATCH=Yes
+	qt $g_tool -t mangle -A $chain -j DSCP --set-dscp 0 && DSCP_TARGET=Yes
+
 	qt $g_tool -t mangle -F $chain
 	qt $g_tool -t mangle -X $chain
+	
 	qt $g_tool -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes
-	qt $g_tool -t mangle -A $chain -j IMQ --todev 0 && IMQ_TARGET=Yes
     fi
 
     qt $g_tool -t raw	    -L -n && RAW_TABLE=Yes
@@ -2203,79 +2229,81 @@ report_capabilities() {
 
     if [ $VERBOSITY -gt 1 ]; then
 	echo "$g_product has detected the following iptables/netfilter capabilities:"
-	report_capability "NAT" $NAT_ENABLED
-	report_capability "Packet Mangling" $MANGLE_ENABLED
-	report_capability "Multi-port Match" $MULTIPORT
-	[ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match" $XMULTIPORT
-	report_capability "Connection Tracking Match" $CONNTRACK_MATCH
+	report_capability "NAT (NAT_ENABLED)" $NAT_ENABLED
+	report_capability "Packet Mangling (MANGLE_ENABLED)" $MANGLE_ENABLED
+	report_capability "Multi-port Match (MULTIPORT)" $MULTIPORT
+	[ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match (XMULIPORT)" $XMULTIPORT
+	report_capability "Connection Tracking Match (CONNTRACK_MATCH)" $CONNTRACK_MATCH
 	if [ -n "$CONNTRACK_MATCH" ]; then
-	    report_capability "Extended Connection Tracking Match Support" $NEW_CONNTRACK_MATCH
-	    [ -n "$OLD_CONNTRACK_MATCH" ] && report_capability "Old Connection Tracking Match Syntax" $OLD_CONNTRACK_MATCH
+	    report_capability "Extended Connection Tracking Match Support (NEW_CONNTRACK_MATCH)" $NEW_CONNTRACK_MATCH
+	    [ -n "$OLD_CONNTRACK_MATCH" ] && report_capability "Old Connection Tracking Match Syntax (OLD_CONNTRACK_MATCH)" $OLD_CONNTRACK_MATCH
 	fi
-	report_capability "Packet Type Match" $USEPKTTYPE
-	report_capability "Policy Match" $POLICY_MATCH
-	report_capability "Physdev Match" $PHYSDEV_MATCH
-	report_capability "Physdev-is-bridged Support" $PHYSDEV_BRIDGE
-	report_capability "Packet length Match" $LENGTH_MATCH
-	report_capability "IP range Match" $IPRANGE_MATCH
-	report_capability "Recent Match" $RECENT_MATCH
-	report_capability "Owner Match" $OWNER_MATCH
+	report_capability "Packet Type Match (USEPKTTYPE)" $USEPKTTYPE
+	report_capability "Policy Match (POLICY_MATCH)" $POLICY_MATCH
+	report_capability "Physdev Match (PHYSDEV_MATCH)" $PHYSDEV_MATCH
+	report_capability "Physdev-is-bridged Support (PHYSDEV_BRIDGE)" $PHYSDEV_BRIDGE
+	report_capability "Packet length Match (LENGTH_MATCH)" $LENGTH_MATCH
+	report_capability "IP range Match(IPRANGE_MATCH)" $IPRANGE_MATCH
+	report_capability "Recent Match (RECENT_MATCH)" $RECENT_MATCH
+	report_capability "Owner Match (OWNER_MATCH)" $OWNER_MATCH
 	if [ -n "$IPSET_MATCH" ]; then
-	    report_capability "Ipset Match" $IPSET_MATCH
-	    [ -n "$OLD_IPSET_MATCH" ] && report_capability "OLD_Ipset Match" $OLD_IPSET_MATCH
+	    report_capability "Ipset Match (IPSET_MATCH)" $IPSET_MATCH
+	    [ -n "$OLD_IPSET_MATCH" ] && report_capability "OLD_Ipset Match (OLD_IPSET_MATCH)" $OLD_IPSET_MATCH
 	fi
-	report_capability "CONNMARK Target" $CONNMARK
-	[ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target" $XCONNMARK
-	report_capability "Connmark Match" $CONNMARK_MATCH
-	[ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match" $XCONNMARK_MATCH
-	report_capability "Raw Table" $RAW_TABLE
-	report_capability "Rawpost Table" $RAWPOST_TABLE
-	report_capability "IPP2P Match" $IPP2P_MATCH
-	[ -n "$OLD_IPP2P_MATCH" ] && report_capability "Old IPP2P Match Syntax" $OLD_IPP2P_MATCH
-	report_capability "CLASSIFY Target" $CLASSIFY_TARGET
-	report_capability "Extended REJECT" $ENHANCED_REJECT
-	report_capability "Repeat match" $KLUDGEFREE
-	report_capability "MARK Target" $MARK
-	[ -n "$MARK" ] && report_capability "Extended MARK Target" $XMARK
-	[ -n "$XMARK" ] && report_capability "Extended MARK Target 2" $EXMARK
-	report_capability "Mangle FORWARD Chain" $MANGLE_FORWARD
-	report_capability "Comments" $COMMENTS
-	report_capability "Address Type Match" $ADDRTYPE
-	report_capability "TCPMSS Match" $TCPMSS_MATCH
-	report_capability "Hashlimit Match" $HASHLIMIT_MATCH
-	[ -n "$OLD_HL_MATCH" ] && report_capability "Old Hashlimit Match" $OLD_HL_MATCH
-	report_capability "NFQUEUE Target" $NFQUEUE_TARGET
-	report_capability "Realm Match" $REALM_MATCH
-	report_capability "Helper Match" $HELPER_MATCH
-	report_capability "Connlimit Match" $CONNLIMIT_MATCH
-	report_capability "Time Match" $TIME_MATCH
-	report_capability "Goto Support" $GOTO_TARGET
-	report_capability "LOGMARK Target" $LOGMARK_TARGET
-	report_capability "IPMARK Target" $IPMARK_TARGET
-	report_capability "LOG Target" $LOG_TARGET
-	report_capability "ULOG Target" $ULOG_TARGET
-	report_capability "NFLOG Target" $NFLOG_TARGET
-	report_capability "Persistent SNAT" $PERSISTENT_SNAT
-	report_capability "TPROXY Target" $TPROXY_TARGET
-	report_capability "FLOW Classifier" $FLOW_FILTER
-	report_capability "fwmark route mask" $FWMARK_RT_MASK
-	report_capability "Mark in any table" $MARK_ANYWHERE
-	report_capability "Header Match" $HEADER_MATCH
-        report_capability "ACCOUNT Target" $ACCOUNT_TARGET
-	report_capability "AUDIT Target" $AUDIT_TARGET
-	report_capability "ipset V5" $IPSET_V5
-	report_capability "Condition Match" $CONDITION_MATCH
-	report_capability "Statistic Match" $STATISTIC_MATCH
-	report_capability "IMQ Target" $IMQ_TARGET
+	report_capability "CONNMARK Target (CONNMARK)" $CONNMARK
+	[ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target (XCONNMARK)" $XCONNMARK
+	report_capability "Connmark Match (CONNMARK_MATCH)" $CONNMARK_MATCH
+	[ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match (XCONNMARK_MATCH)" $XCONNMARK_MATCH
+	report_capability "Raw Table (RAW_TABLE)" $RAW_TABLE
+	report_capability "Rawpost Table (RAWPOST_TABLE)" $RAWPOST_TABLE
+	report_capability "IPP2P Match (IPP2P_MATCH)" $IPP2P_MATCH
+	[ -n "$OLD_IPP2P_MATCH" ] && report_capability "Old IPP2P Match Syntax (OLD_IPP2P_MATCH)" $OLD_IPP2P_MATCH
+	report_capability "CLASSIFY Target (CLASSIFY_TARGET)" $CLASSIFY_TARGET
+	report_capability "Extended REJECT (ENHANCED_REJECT)" $ENHANCED_REJECT
+	report_capability "Repeat match (KLUDGEFREE)" $KLUDGEFREE
+	report_capability "MARK Target (MARK)" $MARK
+	[ -n "$MARK" ] && report_capability "Extended MARK Target (XMARK)" $XMARK
+	[ -n "$XMARK" ] && report_capability "Extended MARK Target 2 (EXMARK)" $EXMARK
+	report_capability "Mangle FORWARD Chain (MANGLE_FORWARD)" $MANGLE_FORWARD
+	report_capability "Comments (COMMENTS)" $COMMENTS
+	report_capability "Address Type Match (ADDRTYPE)" $ADDRTYPE
+	report_capability "TCPMSS Match (TCPMSS_MATCH)" $TCPMSS_MATCH
+	report_capability "Hashlimit Match (HASHLIMIT_MATCH)" $HASHLIMIT_MATCH
+	[ -n "$OLD_HL_MATCH" ] && report_capability "Old Hashlimit Match (OLD_HL_MATCH)" $OLD_HL_MATCH
+	report_capability "NFQUEUE Target (NFQUEUE_TARGET)" $NFQUEUE_TARGET
+	report_capability "Realm Match (REALM_MATCH)" $REALM_MATCH
+	report_capability "Helper Match (HELPER_MATCH)" $HELPER_MATCH
+	report_capability "Connlimit Match (CONNLIMIT_MATCH)" $CONNLIMIT_MATCH
+	report_capability "Time Match (TIME_MATCH)" $TIME_MATCH
+	report_capability "Goto Support (GOTO_TARGET)" $GOTO_TARGET
+	report_capability "LOGMARK Target (LOGMARK_TARGET)" $LOGMARK_TARGET
+	report_capability "IPMARK Target (IPMARK_TARGET)" $IPMARK_TARGET
+	report_capability "LOG Target (LOG_TARGET)" $LOG_TARGET
+	report_capability "ULOG Target (ULOG_TARGET)" $ULOG_TARGET
+	report_capability "NFLOG Target (NFLOG_TARGET)" $NFLOG_TARGET
+	report_capability "Persistent SNAT (PERSISTENT_SNAT)" $PERSISTENT_SNAT
+	report_capability "TPROXY Target (TPROXY_TARGET)" $TPROXY_TARGET
+	report_capability "FLOW Classifier (FLOW_FILTER)" $FLOW_FILTER
+	report_capability "fwmark route mask (FWMARK_RT_MASK)" $FWMARK_RT_MASK
+	report_capability "Mark in any table (MARK_ANYWHERE)" $MARK_ANYWHERE
+	report_capability "Header Match (HEADER_MATCH)" $HEADER_MATCH
+        report_capability "ACCOUNT Target (ACCOUNT_TARGET)" $ACCOUNT_TARGET
+	report_capability "AUDIT Target (AUDIT_TARGET)" $AUDIT_TARGET
+	report_capability "ipset V5 (IPSET_V5)" $IPSET_V5
+	report_capability "Condition Match (CONDITION_MATCH)" $CONDITION_MATCH
+	report_capability "Statistic Match (STATISTIC_MATCH)" $STATISTIC_MATCH
+	report_capability "IMQ Target (IMQ_TARGET)" $IMQ_TARGET
+	report_capability "DSCP Match (DSCP_MATCH)" $DSCP_MATCH
+	report_capability "DSCP Target (DSCP_TARGET)" $DSCP_TARGET
 	
 	if [ $g_family -eq 4 ]; then
-	    report_capability "iptables -S" $IPTABLES_S
+	    report_capability "iptables -S (IPTABLES_S)" $IPTABLES_S
 	else
-	    report_capability "ip6tables -S" $IPTABLES_S
+	    report_capability "ip6tables -S (IPTABLES_S)" $IPTABLES_S
 	fi
 
-	report_capability "Basic Filter" $BASIC_FILTER
-	report_capability "CT Target" $CT_TARGET
+	report_capability "Basic Filter (BASIC_FILTER)" $BASIC_FILTER
+	report_capability "CT Target (CT_TARGET)" $CT_TARGET
     fi
 
     [ -n "$PKTTYPE" ] || USEPKTTYPE=
@@ -2354,14 +2382,14 @@ report_capabilities1() {
     report_capability1 CT_TARGET
     report_capability1 STATISTIC_MATCH
     report_capability1 IMQ_TARGET
+    report_capability1 DSCP_MATCH
+    report_capability1 DSCP_TARGET
 
     echo CAPVERSION=$SHOREWALL_CAPVERSION
     echo KERNELVERSION=$KERNELVERSION
 }
 
-status_command() {
-    echo "${g_product}-$SHOREWALL_VERSION Status at $g_hostname - $(date)"
-    echo
+show_status() {
     if product_is_started ; then
 	echo "$g_product is running"
 	status=0
@@ -2381,6 +2409,12 @@ status_command() {
 	state=Unknown
     fi
     echo "State:$state"
+}
+
+status_command() {
+    echo "${g_product}-$SHOREWALL_VERSION Status at $g_hostname - $(date)"
+    echo
+    show_status
     echo
     exit $status
 }
@@ -2936,14 +2970,12 @@ shorewall_cli() {
     g_annotate=
     g_recovering=
     g_timestamp=
-    g_libexec=/usr/share
-    g_perllib=/usr/share/shorewall
     g_shorewalldir=
 
     VERBOSE=
     VERBOSITY=
 
-    [ -n "$g_lite" ] || . /usr/share/shorewall/lib.cli-std
+    [ -n "$g_lite" ] || . ${g_sharedir}/shorewall/lib.cli-std
 
     finished=0
 

Shorewall-core/shorewallrc.apple

@@ -0,0 +1,20 @@
+#
+# Apple OS X Shorewall 4.5 rc file
+#
+BUILD=apple
+HOST=apple
+USR=/usr
+SHAREDIR=${USR}/share
+LIBEXECDIR=${USR}/share
+PERLLIBDIR=${USR}/share/shorewall
+CONFDIR=/etc
+SBINDIR=/sbin
+MANDIR=${SHAREDIR}/man
+INITDIR=
+INITFILE=
+INITSOURCE=
+ANNOTATED=
+SYSTEMD=
+SYSCONFDIR=
+SPARSE=Yes
+VARDIR=/var/lib

Shorewall-core/shorewallrc.archlinux

@@ -0,0 +1,19 @@
+#
+# Archlinux Shorewall 4.5 rc file
+#
+BUILD=archlinux
+HOST=archlinux
+USR=/usr
+SHAREDIR=${USR}/share
+LIBEXECDIR=${USR}/share
+PERLLIBDIR=${USR}/share/shorewall
+CONFDIR=/etc
+SBINDIR=/sbin
+MANDIR=${SHAREDIR}/man
+INITDIR=/etc/rc.d
+INITFILE=$PRODUCT
+INITSOURCE=init.sh
+ANNOTATED=
+SYSCONFDIR=
+SYSTEMD=
+VARDIR=/var/lib

Shorewall-core/shorewallrc.cygwin

@@ -0,0 +1,20 @@
+#
+# Cygwin Shorewall 4.5 rc file
+#
+BUILD=cygwin
+HOST=cygwin
+USR=/usr
+SHAREDIR=${USR}/share
+LIBEXECDIR=${USR}/share
+PERLLIBDIR=${USR}/share/shorewall
+CONFDIR=/etc
+SBINDIR=/bin
+MANDIR=${SHAREDIR}/man
+INITDIR=/etc/init.d
+INITFILE=
+INITSOURCE=
+ANNOTATED=
+SYSTEMD=
+SYSCONFDIR=
+SPARSE=Yes
+VARDIR=/var/lib

Shorewall-core/shorewallrc.debian

@@ -0,0 +1,21 @@
+#
+# Debian Shorewall 4.5 rc file
+#
+BUILD=                                  #Default is to detect the build system
+HOST=debian
+USR=/usr
+SHAREDIR=${USR}/share
+LIBEXECDIR=${USR}/share
+PERLLIBDIR=${USR}/share/shorewall
+CONFDIR=/etc
+SBINDIR=/sbin
+MANDIR=${USR}/man
+INITDIR=/etc/init.d
+INITFILE=$PRODUCT
+INITSOURCE=init.debian.sh
+ANNOTATED=
+SYSCONFFILE=default.debian
+SYSCONFDIR=/etc/default
+SYSTEMD=
+SPARSE=Yes
+VARDIR=/var/lib

Shorewall-core/shorewallrc.default

@@ -0,0 +1,21 @@
+#
+# Default Shorewall 4.5 rc file
+#
+HOST=                                   #Default is to detect the host system
+BUILD=                                  #Default is to detect the build system
+USR=/usr
+SHAREDIR=${USR}/share
+LIBEXECDIR=${USR}/share
+PERLLIBDIR=${USR}/share/shorewall
+CONFDIR=/etc
+SBINDIR=/sbin
+MANDIR=${USR}/man
+INITDIR=etc/init.d
+INITFILE=$PRODUCT
+INITSOURCE=init.sh
+ANNOTATED=
+SYSTEMD=
+SYSCONFFILE=
+SYSCONFDIR=
+SPARSE=
+VARDIR=/var/lib

Shorewall-core/shorewallrc.redhat

@@ -0,0 +1,21 @@
+#
+# RedHat/FedoraShorewall 4.5 rc file
+#
+BUILD=                                  #Default is to detect the build system
+HOST=redhat
+USR=/usr
+SHAREDIR=${USR}/share
+LIBEXECDIR=${USR}/share
+PERLLIBDIR=/usr/share/shorewall
+CONFDIR=/etc
+SBINDIR=/sbin
+MANDIR=${SHAREDIR}/man
+INITDIR=/etc/rc.d/init.d
+INITFILE=$PRODUCT
+INITSOURCE=init.fedora.sh
+ANNOTATED=
+SYSTEMD=/lib/systemd/system
+SYSCONFFILE=sysconfig
+SYSCONFDIR=/etc/sysconfig/
+SPARSE=
+VARDIR=/var/lib

Shorewall-core/shorewallrc.slackware

@@ -0,0 +1,22 @@
+#
+# Slackware Shorewall 4.5 rc file
+#
+BUILD=slackware
+HOST=slackware
+USR=/usr
+SHAREDIR=${USR}/share
+LIBEXECDIR=${USR}/share
+PERLLIBDIR=${USR}/share/shorewall
+CONFDIR=/etc
+SBINDIR=/sbin
+MANDIR=${USR}/man
+INITDIR=/etc/rc.d
+INITSOURCE=init.slackware.firewall
+INITFILE=rc.firewall
+AUXINITSOURCE=init.slackware.$PRODUCT
+AUXINITFILE=rc.$PRODUCT
+SYSTEMD=
+SYSCONFFILE=
+SYSCONFDIR=
+ANNOTATED=
+VARDIR=/var/lib

Shorewall-core/shorewallrc.suse

@@ -0,0 +1,21 @@
+#
+# SuSE Shorewall 4.5 rc file
+#
+BUILD=                                  #Default is to detect the build system
+HOST=suse
+USR=/usr
+CONFDIR=/etc
+SHAREDIR=${USR}/share
+LIBEXECDIR=${USR}/libexec
+PERLLIBDIR=${USR}/share/shorewall
+SBINDIR=/sbin
+MANDIR=${SHAREDIR}/man/
+INITDIR=/etc/init.d
+INITFILE=$PRODUCT
+INITSOURCE=init.sh
+ANNOTATED=
+SYSTEMD=
+SYSCONFFILE=
+SYSCONFDIR=/etc/sysconfig/
+SPARSE=
+VARDIR=/var/lib

Shorewall-core/uninstall.sh

@@ -60,6 +60,10 @@ remove_file() # $1 = file to restore
     fi
 }
 
+if [ -f ~/.shorewallrc ]; then
+    . ~/shorewallrc || exit 1
+fi
+
 if [ -f /usr/share/shorewall/coreversion ]; then
     INSTALLED_VERSION="$(cat /usr/share/shorewall/coreversion)"
     if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
@@ -72,12 +76,9 @@ else
     VERSION=""
 fi
 
-[ -n "${LIBEXEC:=/usr/share}" ]
-[ -n "${PERLLIB:=/usr/share/shorewall}" ]
-
 echo "Uninstalling Shorewall Core $VERSION"
 
-rm -rf /usr/share/shorewall
+rm -rf ${SHAREDIR}/shorewall
 
 echo "Shorewall Core Uninstalled"
 

Shorewall-init/ifupdown.sh

@@ -182,10 +182,8 @@ else
 fi
 
 for PRODUCT in $PRODUCTS; do
-    VARDIR=/var/lib/$PRODUCT
-    [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir
     if [ -x $VARDIR/firewall ]; then
-	  ( . /usr/share/$PRODUCT/lib.base
+	  ( . ${SHAREDIR}/shorewall/lib.base
 	    mutex_on
 	    ${VARDIR}/firewall -V0 $COMMAND $INTERFACE || echo_notdone
 	    mutex_off

Shorewall-init/init.debian.sh

@@ -62,10 +62,19 @@ not_configured () {
 	exit 0
 }
 
+#determine where the files were installed
+if [ -f ~/.shorewallrc ]; then
+    . ~/.shorewallrc || exit 1
+    SRWL=${SBIN}/shorewall-init
+else
+    CONFDIR=/etc
+    SYSCONFDIR=/etc/default
+fi
+
 # check if shorewall-init is configured or not
-if [ -f "/etc/default/shorewall-init" ]
+if [ -f "$SYSCONFDIR/shorewall-init" ]
 then
-	. /etc/default/shorewall-init
+	. $SYSCONFDIR/shorewall-init
 	if [ -z "$PRODUCTS" ]
 	then
 		not_configured

Shorewall-init/init.sh

@@ -53,6 +53,12 @@ else
 	exit 0
 fi
 
+if [ ~/.shorewallrc ]; then
+    . ~/.shorewallrc || exit 1
+else
+    VARDIR=/var/lib
+fi
+
 # Initialize the firewall
 shorewall_start () {
   local PRODUCT
@@ -60,10 +66,8 @@ shorewall_start () {
 
   echo -n "Initializing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
-      VARDIR=/var/lib/$PRODUCT
-      [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir 
       if [ -x ${VARDIR}/firewall ]; then
-	  if ! /sbin/$PRODUCT status > /dev/null 2>&1; then
+	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
 	      ${VARDIR}/firewall stop || echo_notdone
 	  fi
       fi
@@ -83,8 +87,6 @@ shorewall_stop () {
 
   echo -n "Clearing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
-      VARDIR=/var/lib/$PRODUCT
-      [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir 
       if [ -x ${VARDIR}/firewall ]; then
 	  ${VARDIR}/firewall clear || exit 1
       fi

Shorewall-init/install.sh

@@ -28,12 +28,18 @@ VERSION=xxx #The Build script inserts the actual version.
 usage() # $1 = exit status
 {
     ME=$(basename $0)
-    echo "usage: $ME"
+    echo "usage: $ME [ <configuration-file> ]"
     echo "       $ME -v"
     echo "       $ME -h"
     exit $1
 }
 
+fatal_error() 
+{
+    echo "   ERROR: $@" >&2
+    exit 1
+}
+
 split() {
     local ifs
     ifs=$IFS
@@ -76,9 +82,9 @@ cant_autostart()
     echo  "WARNING: Unable to configure shorewall init to start automatically at boot" >&2
 }
 
-delete_file() # $1 = file to delete
+require() 
 {
-    rm -f $1
+    eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
 }
 
 install_file() # $1 = source $2 = target $3 = mode
@@ -86,148 +92,199 @@ install_file() # $1 = source $2 = target $3 = mode
     run_install $T $OWNERSHIP -m $3 $1 ${2}
 }
 
-[ -n "$DESTDIR" ] || DESTDIR="$PREFIX"
+cd "$(dirname $0)"
+
+PRODUCT=shorewall-init
 
-# DEST is the SysVInit script directory
-# INIT is the name of the script in the $DEST directory
-# ARGS is "yes" if we've already parsed an argument
 #
-ARGS=""
+# Parse the run line
+#
+finished=0
 
-if [ -z "$DEST" ] ; then
-	DEST="/etc/init.d"
-fi
-
-if [ -z "$INIT" ] ; then
-	INIT="shorewall-init"
-fi
-
-while [ $# -gt 0 ] ; do
+while [ $finished -eq 0 ] ; do
     case "$1" in
-	-h|help|?)
-	    usage 0
-	    ;;
-        -v)
-	    echo "Shorewall Init Installer Version $VERSION"
-	    exit 0
+	-*)
+	    option=${option#-}
+
+	    while [ -n "$option" ]; do
+		case $option in
+		    h)
+			usage 0
+			;;
+		    v)
+			echo "Shorewall-init Firewall Installer Version $VERSION"
+			exit 0
+			;;
+		    *)
+			usage 1
+			;;
+		esac
+	    done
+
+	    shift
 	    ;;
 	*)
-	    usage 1
+	    finished=1
 	    ;;
     esac
-    shift
-    ARGS="yes"
+done
+
+local file
+#
+# Read the RC file
+#
+if [ $# -eq 0 ]; then
+    #
+    # Load packager's settings if any
+    #
+    if [ -n "${DESTDIR}" -a -f ../shorewall-pkg.config ]; then
+	. ../shorewall-pkg.config || exit 1
+    elif [ -f ~/.shorewallrc ]; then
+	. ~/.shorewallrc || exit 1
+	file=~/.shorewallrc
+    else
+	fatal_error "No configuration file specified and ~/.shorewallrc not found"
+    fi
+elif [ $# -eq 1 ]; then
+    file=$1
+    case $file in
+	/*|.*)
+	    ;;
+	*)
+	    file=./$file
+	    ;;
+    esac
+
+    . $file
+else
+    usage 1
+fi
+
+for var in SHAREDIR LIBEXECDIR CONFDIR SBINDIR VARDIR; do
+    require $var
 done
 
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
-[ -n "${LIBEXEC:=/usr/share}" ]
+if [ -z "$BUILD" ]; then
+    case $(uname) in
+	cygwin*)
+	    BUILD=cygwin
+	    ;;
+	Darwin)
+	    BUILD=apple
+	    ;;
+	*)
+	    if [ -f /etc/debian_version ]; then
+		BUILD=debian
+	    elif [ -f /etc/redhat-release ]; then
+		BUILD=redhat
+	    elif [ -f /etc/SuSE-release ]; then
+		BUILD=suse
+	    elif [ -f /etc/slackware-version ] ; then
+		BUILD=slackware
+	    elif [ -f /etc/arch-release ] ; then
+		BUILD=archlinux
+	    else
+		BUILD=linux
+	    fi
+	    ;;
+    esac
+fi
 
-case "$LIBEXEC" in
-    /*)
-	;;
-    *)
-	LIBEXEC=/usr/${LIBEXEC}
-	;;
-esac
+[ -n "$OWNER" ] || OWNER=$(id -un)
+[ -n "$GROUP" ] || GROUP=$(id -gn)
 
-#
-# Determine where to install the firewall script
-#
-
-case $(uname) in
-    Darwin)
-	[ -z "$OWNER" ] && OWNER=root
-	[ -z "$GROUP" ] && GROUP=wheel
+case $BUILD in
+    apple)
 	T=
-	;;	
+	;;
+    debian|redhat|suse|slackware|archlinux)
+	;;
     *)
-	[ -z "$OWNER" ] && OWNER=root
-	[ -z "$GROUP" ] && GROUP=root
+	[ -n "$BUILD" ] && echo "ERROR: Unknown BUILD environment ($BUILD)" >&2 || echo "ERROR: Unknown BUILD environment"
+	exit 1
 	;;
 esac
 
 OWNERSHIP="-o $OWNER -g $GROUP"
 
+[ -n "$HOST" ] || HOST=$BUILD
+
+case "$HOST" in
+    debian)
+	echo "Installing Debian-specific configuration..."
+	;;
+    redhat|redhat)
+	echo "Installing Redhat/Fedora-specific configuration..."
+	;;
+    slackware)
+	echo "Shorewall-init is currently not supported on Slackware" >&2
+	exit 1
+	;;
+    archlinux)
+	echo "Shorewall-init is currently not supported on Arch Linux" >&2
+	exit 1
+	;;
+    suse|suse)
+	echo "Installing SuSE-specific configuration..."
+	;;
+    linux)
+	echo "ERROR: Shorewall-init is not supported on this system" >&2
+	;;
+    *)
+	echo "ERROR: Unsupported HOST distribution: \"$HOST\"" >&2
+	exit 1;
+	;;
+esac
+
+[ -z "$TARGET" ] && TARGET=$HOST
+
 if [ -n "$DESTDIR" ]; then
     if [ `id -u` != 0 ] ; then
 	echo "Not setting file owner/group permissions, not running as root."
 	OWNERSHIP=""
     fi
     
-    install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
-elif [ -f /etc/debian_version ]; then
-    DEBIAN=yes
-elif [ -f /etc/SuSE-release ]; then
-    SUSE=Yes
-elif [ -f /etc/redhat-release ]; then
-    FEDORA=Yes
-elif [ -f /etc/slackware-version ] ; then
-    echo "Shorewall-init is currently not supported on Slackware" >&2
-    exit 1
-#   DEST="/etc/rc.d"
-#   INIT="rc.firewall"
-elif [ -f /etc/arch-release ] ; then
-    echo "Shorewall-init is currently not supported on Arch Linux" >&2
-    exit 1
-#   DEST="/etc/rc.d"
-#   INIT="shorewall-init"
-#   ARCHLINUX=yes
-elif [ -d /etc/sysconfig/network-scripts/ ]; then
-    #
-    # Assume RedHat-based
-    #
-    REDHAT=Yes
-else
-    echo "Unknown distribution: Shorewall-init support is not available" >&2
-    exit 1
+    install -d $OWNERSHIP -m 755 ${DESTDIR}${INITDIR}
 fi
 
-if [ -z "$DESTDIR" ]; then
-    if [ -f /lib/systemd/system ]; then
-	SYSTEMD=Yes
-    fi
-elif [ -n "$SYSTEMD" ]; then
-    mkdir -p ${DESTDIR}/lib/systemd/system
-fi
-
-#
-# Change to the directory containing this script
-#
-cd "$(dirname $0)"
-
 echo "Installing Shorewall Init Version $VERSION"
 
 #
 # Check for /usr/share/shorewall-init/version
 #
-if [ -f ${DESTDIR}/usr/share/shorewall-init/version ]; then
+if [ -f ${DESTDIR}${SHAREDIR}/shorewall-init/version ]; then
     first_install=""
 else
     first_install="Yes"
 fi
 
 #
-# Install the Init Script
+# Install the Firewall Script
 #
-if [ -n "$DEBIAN" ]; then
-    install_file init.debian.sh ${DESTDIR}/etc/init.d/shorewall-init 0544
-elif [ -n "$FEDORA" ]; then
-    install_file init.fedora.sh ${DESTDIR}/etc/init.d/shorewall-init 0544
-#elif [ -n "$ARCHLINUX" ]; then
-#    install_file init.archlinux.sh ${DESTDIR}${DEST}/$INIT 0544
-else
-    install_file init.sh ${DESTDIR}${DEST}/$INIT 0544
-fi
+if [ -n "$INITFILE" ]; then
+    install_file $INITSOURCE ${DESTDIR}${INITDIR}/$INITFILE 0544
+    
+    if [ -n "${AUXINITSOURCE}" ]; then
+	install_file $INITSOURCE ${DESTDIR}${INITDIR}/$AUXINITFILE 0544
+    fi
 
-echo  "Shorewall Init script installed in ${DESTDIR}${DEST}/$INIT"
+    echo  "Shorewall-init script installed in ${DESTDIR}${INITDIR}/$INITFILE"
+fi
 
 #
 # Install the .service file
 #
 if [ -n "$SYSTEMD" ]; then
-    run_install $OWNERSHIP -m 600 shorewall-init.service ${DESTDIR}/lib/systemd/system/shorewall-init.service
-    echo "Service file installed as ${DESTDIR}/lib/systemd/system/shorewall-init.service"
+    run_install $OWNERSHIP -m 600 shorewall-init.service ${DESTDIR}${SYSTEMD}/shorewall-init.service
+    echo "Service file installed as ${DESTDIR}${SYSTEMD}/shorewall-init.service"
+    if [ -n "$DESTDIR" ]; then
+	mkdir -p ${DESTDIR}${SBINDIR}
+        chmod 755 ${DESTDIR}${SBINDIR}
+    fi
+    run_install $OWNERSHIP -m 700 shorewall-init ${DESTDIR}${SBINDIR}/shorewall-init
+    echo "CLI installed as ${DESTDIR}${SBINDIR}/shorewall-init"
 fi
 
 #
@@ -247,10 +304,10 @@ chmod 644 ${DESTDIR}/usr/share/shorewall-init/version
 #
 if [ -z "$DESTDIR" ]; then
     rm -f /usr/share/shorewall-init/init
-    ln -s ${DEST}/${INIT} /usr/share/shorewall-init/init
+    ln -s ${INITDIR}/${INITFILE} ${SHAREDIR}/shorewall-init/init
 fi
 
-if [ -n "$DEBIAN" ]; then
+if [ $HOST = debian ]; then
     if [ -n "${DESTDIR}" ]; then
 	mkdir -p ${DESTDIR}/etc/network/if-up.d/
 	mkdir -p ${DESTDIR}/etc/network/if-post-down.d/
@@ -268,7 +325,7 @@ else
 	mkdir -p ${DESTDIR}/etc/sysconfig
 
 	if [ -z "$RPM" ]; then
-	    if [ -n "$SUSE" ]; then
+	    if [ $HOST = suse ]; then
 		mkdir -p ${DESTDIR}/etc/sysconfig/network/if-up.d
 		mkdir -p ${DESTDIR}/etc/sysconfig/network/if-down.d
 	    else
@@ -286,32 +343,38 @@ fi
 # Install the ifupdown script
 #
 
-mkdir -p ${DESTDIR}${LIBEXEC}/shorewall-init
+mkdir -p ${DESTDIR}${LIBEXECDIR}/shorewall-init
 
-install_file ifupdown.sh ${DESTDIR}${LIBEXEC}/shorewall-init/ifupdown 0544
+install_file ifupdown.sh ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown 0544
 
 if [ -d ${DESTDIR}/etc/NetworkManager ]; then
     install_file ifupdown.sh ${DESTDIR}/etc/NetworkManager/dispatcher.d/01-shorewall 0544
 fi
 
-if [ -n "$DEBIAN" ]; then
-    install_file ifupdown.sh ${DESTDIR}/etc/network/if-up.d/shorewall 0544
-    install_file ifupdown.sh ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544
-elif [ -n "$SUSE" ]; then
-    install_file ifupdown.sh ${DESTDIR}/etc/sysconfig/network/if-up.d/shorewall 0544
-    install_file ifupdown.sh ${DESTDIR}/etc/sysconfig/network/if-down.d/shorewall 0544
-elif [ -n "$REDHAT" ]; then
-    if [ -f ${DESTDIR}/sbin/ifup-local -o -f ${DESTDIR}/sbin/ifdown-local ]; then
-	echo "WARNING: /sbin/ifup-local and/or /sbin/ifdown-local already exist; up/down events will not be handled"
-    else
-	install_file ifupdown.sh ${DESTDIR}/sbin/ifup-local 0544
-	install_file ifupdown.sh ${DESTDIR}/sbin/ifdown-local 0544
-    fi
-fi
+case $HOST in
+    debian)
+	install_file ifupdown.sh ${DESTDIR}/etc/network/if-up.d/shorewall 0544
+	install_file ifupdown.sh ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544
+	;;
+    suse)
+	if [ -z "$RPM" ]; then
+	    install_file ifupdown.sh ${DESTDIR}/etc/sysconfig/network/if-up.d/shorewall 0544
+	    install_file ifupdown.sh ${DESTDIR}/etc/sysconfig/network/if-down.d/shorewall 0544
+	fi
+	;;
+    redhat)
+	if [ -f ${DESTDIR}${SBINDIR}/ifup-local -o -f ${DESTDIR}${SBINDIR}/ifdown-local ]; then
+	    echo "WARNING: ${SBINDIR}/ifup-local and/or ${SBINDIR}/ifdown-local already exist; up/down events will not be handled"
+	elif [ -z "$DESTDIR" ]; then
+	    install_file ifupdown.sh ${DESTDIR}${SBINDIR}/ifup-local 0544
+	    install_file ifupdown.sh ${DESTDIR}${SBINDIR}/ifdown-local 0544
+	fi
+	;;
+esac
 
 if [ -z "$DESTDIR" ]; then
     if [ -n "$first_install" ]; then
-	if [ -n "$DEBIAN" ]; then
+	if [ $HOST = debian ]; then
 	    
 	    update-rc.d shorewall-init defaults
 
@@ -321,34 +384,33 @@ if [ -z "$DESTDIR" ]; then
 		if systemctl enable shorewall-init; then
 		    echo "Shorewall Init will start automatically at boot"
 		fi
-	    elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
+	    elif [ -x ${SBINDIR}/insserv -o -x /usr${SBINDIR}/insserv ]; then
 		if insserv /etc/init.d/shorewall-init ; then
 		    echo "Shorewall Init will start automatically at boot"
 		else
 		    cant_autostart
 		fi
-	    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
+	    elif [ -x ${SBINDIR}/chkconfig -o -x /usr${SBINDIR}/chkconfig ]; then
 		if chkconfig --add shorewall-init ; then
 		    echo "Shorewall Init will start automatically in run levels as follows:"
 		    chkconfig --list shorewall-init
 		else
 		    cant_autostart
 		fi
-	    elif [ -x /sbin/rc-update ]; then
+	    elif [ -x ${SBINDIR}/rc-update ]; then
 		if rc-update add shorewall-init default; then
 		    echo "Shorewall Init will start automatically at boot"
 		else
 		    cant_autostart
 		fi
-	    elif [ "$INIT" != rc.firewall ]; then #Slackware starts this automatically
+	    else
 		cant_autostart
 	    fi
-
 	fi
     fi
 else
     if [ -n "$first_install" ]; then
-	if [ -n "$DEBIAN" ]; then
+	if [ $HOST = debian ]; then
 	    if [ -n "${DESTDIR}" ]; then
 		mkdir -p ${DESTDIR}/etc/rcS.d
 	    fi
@@ -360,31 +422,33 @@ else
 fi
 
 if [ -f ${DESTDIR}/etc/ppp ]; then
-    if [ -n "$DEBIAN" ] -o -n "$SUSE" ]; then
-	for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do
-	    mkdir -p ${DESTDIR}/etc/ppp/$directory #SuSE doesn't create the IPv6 directories
-	    cp -fp ${DESTDIR}${LIBEXEC}/shorewall-init/ifupdown ${DESTDIR}/etc/ppp/$directory/shorewall
-	done
-    elif [ -n "$REDHAT" ]; then
-	#
-	# Must use the dreaded ip_xxx.local file
-	#
-	for file in ip-up.local ip-down.local; do
-	    FILE=${DESTDIR}/etc/ppp/$file
-	    if [ -f $FILE ]; then
-		if fgrep -q Shorewall-based $FILE ; then
-		    cp -fp ${DESTDIR}${LIBEXEC}/shorewall-init/ifupdown $FILE
+    case $HOST in
+	debian|suse)
+	    for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do
+		mkdir -p ${DESTDIR}/etc/ppp/$directory #SuSE doesn't create the IPv6 directories
+		cp -fp ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown ${DESTDIR}/etc/ppp/$directory/shorewall
+	    done
+	    ;;
+	redhat)
+	    #
+	    # Must use the dreaded ip_xxx.local file
+	    #
+	    for file in ip-up.local ip-down.local; do
+		FILE=${DESTDIR}/etc/ppp/$file
+		if [ -f $FILE ]; then
+		    if fgrep -q Shorewall-based $FILE ; then
+			cp -fp ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown $FILE
+		    else
+			echo "$FILE already exists -- ppp devices will not be handled"
+			break
+		    fi
 		else
-		    echo "$FILE already exists -- ppp devices will not be handled"
-		    break
+		    cp -fp ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown $FILE
 		fi
-	    else
-		cp -fp ${DESTDIR}${LIBEXEC}/shorewall-init/ifupdown $FILE
-	    fi
-	done
-    fi
+	    done
+	    ;;
+    esac
 fi
-
 #
 #  Report Success
 #

Shorewall-init/shorewall-init

@@ -0,0 +1,103 @@
+#! /bin/bash
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2012 - Tom Eastep (teastep@shorewall.net)
+#
+#       On most distributions, this file should be called /etc/init.d/shorewall.
+#
+#       Complete documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#########################################################################################
+if [ -f ~/.shorewallrc ]; then
+    . ~/.shorewallrc || exit 1
+else
+    echo "ERROR: ./.shorewallrc not found" >&2
+fi
+
+# check if shorewall-init is configured or not
+if [ -f "$SYSCONFDIR/shorewall-init" ]; then
+    . $SYSCONFDIR/shorewall-init
+    if [ -z "$PRODUCTS" ]; then
+        echo "ERROR: No products configured" >&2
+	exit 1
+    fi
+else
+    echo "ERROR: /etc/sysconfig/shorewall-init not found" >&2
+    exit 1
+fi
+
+# Initialize the firewall
+shorewall_start () {
+  local PRODUCT
+  local VARDIR
+
+  echo -n "Initializing \"Shorewall-based firewalls\": "
+  for PRODUCT in $PRODUCTS; do
+      VARDIR=/var/lib/$PRODUCT
+      [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir 
+      if [ -x ${VARDIR}/firewall ]; then
+	  if ! /sbin/$PRODUCT status > /dev/null 2>&1; then
+	      ${VARDIR}/firewall stop || exit 1
+	  fi
+      fi
+  done
+
+  if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
+      ipset -R < "$SAVE_IPSETS"
+  fi
+
+  return 0
+}
+
+# Clear the firewall
+shorewall_stop () {
+  local PRODUCT
+  local VARDIR
+
+  echo -n "Clearing \"Shorewall-based firewalls\": "
+  for PRODUCT in $PRODUCTS; do
+      VARDIR=/var/lib/$PRODUCT
+      [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir 
+      if [ -x ${VARDIR}/firewall ]; then
+	  ${VARDIR}/firewall clear || exit 1
+      fi
+  done
+
+  if [ -n "$SAVE_IPSETS" ]; then
+      mkdir -p $(dirname "$SAVE_IPSETS")
+      if ipset -S > "${SAVE_IPSETS}.tmp"; then
+	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+      fi
+  fi
+
+  return 0
+}
+
+case "$1" in
+  start)
+     shorewall_start
+     ;;
+  stop)
+     shorewall_stop
+     ;;
+  *)
+     echo "Usage: $0 {start|stop}"
+     exit 1
+esac
+
+exit 0

Shorewall-init/uninstall.sh

@@ -40,6 +40,27 @@ qt()
     "$@" >/dev/null 2>&1
 }
 
+split() {
+    local ifs
+    ifs=$IFS
+    IFS=:
+    set -- $1
+    echo $*
+    IFS=$ifs
+}
+
+mywhich() {
+    local dir
+
+    for dir in $(split $PATH); do
+	if [ -x $dir/$1 ]; then
+	    return 0
+	fi
+    done
+
+    return 2
+}
+
 remove_file() # $1 = file to restore
 {
     if [ -f $1 -o -L $1 ] ; then
@@ -48,8 +69,31 @@ remove_file() # $1 = file to restore
     fi
 }
 
-if [ -f /usr/share/shorewall-init/version ]; then
-    INSTALLED_VERSION="$(cat /usr/share/shorewall-init/version)"
+if [ -f ~/.shorewallrc ]; then
+    . ~/shorewallrc || exit 1
+else
+    [ -n "${LIBEXEC:=/usr/share}" ]
+    [ -n "${PERLLIB:=/usr/share/shorewall}" ]
+    [ -n "${CONFDIR:=/etc}" ]
+    
+    if [ -z "$SYSCONFDIR" ]; then
+	if [ -d /etc/default ]; then
+	    SYSCONFDIR=/etc/default
+	else
+	    SYSCONFDIR=/etc/sysconfig
+	fi
+    fi
+
+    [ -n "${SBINDIR:=/sbin}" ]
+    [ -n "${SHAREDIR:=/usr/share}" ]
+    [ -n "${VARDIR:=/var/lib}" ]
+    [ -n "${INITFILE:=shorewall}" ]
+    [ -n "${INITDIR:=/etc/init.d}" ]
+    [ -n "${MANDIR:=/usr/share/man}" ]
+fi
+
+if [ -f ${SHAREDIR}/shorewall-init/version ]; then
+    INSTALLED_VERSION="$(cat ${SHAREDIR}/shorewall-init/version)"
     if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
 	echo "WARNING: Shorewall Init Version $INSTALLED_VERSION is installed"
 	echo "         and this is the $VERSION uninstaller."
@@ -60,56 +104,55 @@ else
     VERSION=""
 fi
 
-[ -n "${LIBEXEC:=/usr/share}" ]
+[ -n "${LIBEXEC:=${SHAREDIR}}" ]
 
 echo "Uninstalling Shorewall Init $VERSION"
 
-INITSCRIPT=/etc/init.d/shorewall-init
+INITSCRIPT=${CONFDIR}/init.d/shorewall-init
 
-if [ -n "$INITSCRIPT" ]; then
-    if [ -x /usr/sbin/updaterc.d ]; then
+if [ -f "$INITSCRIPT" ]; then
+    if mywhich updaterc.d ; then
 	updaterc.d shorewall-init remove
-    elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
+    elif mywhich insserv ; then
         insserv -r $INITSCRIPT
-    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
+    elif mywhich chkconfig ; then
 	chkconfig --del $(basename $INITSCRIPT)
-    elif [ -x /sbin/systemctl ]; then
+    elif mywhich systemctl ; then
 	systemctl disable shorewall-init
-    else
-	rm -f /etc/rc*.d/*$(basename $INITSCRIPT)
     fi
 
     remove_file $INITSCRIPT
 fi
 
-[ "$(readlink -m -q /sbin/ifup-local)"   = /usr/share/shorewall-init ] && remove_file /sbin/ifup-local
-[ "$(readlink -m -q /sbin/ifdown-local)" = /usr/share/shorewall-init ] && remove_file /sbin/ifdown-local
+[ "$(readlink -m -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifup-local
+[ "$(readlink -m -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifdown-local
 
-remove_file /etc/default/shorewall-init
-remove_file /etc/sysconfig/shorewall-init
+remove_file ${CONFDIR}/default/shorewall-init
+remove_file ${CONFDIR}/sysconfig/shorewall-init
 
-remove_file /etc/NetworkManager/dispatcher.d/01-shorewall
+remove_file ${CONFDIR}/NetworkManager/dispatcher.d/01-shorewall
 
-remove_file /etc/network/if-up.d/shorewall
-remove_file /etc/network/if-down.d/shorewall
+remove_file ${CONFDIR}/network/if-up.d/shorewall
+remove_file ${CONFDIR}/network/if-down.d/shorewall
 
-remove_file /etc/sysconfig/network/if-up.d/shorewall
-remove_file /etc/sysconfig/network/if-down.d/shorewall
-remove_file /lib/systemd/system/shorewall.service
+remove_file ${CONFDIR}/sysconfig/network/if-up.d/shorewall
+remove_file ${CONFDIR}/sysconfig/network/if-down.d/shorewall
 
-if [ -d /etc/ppp ]; then
+[ -n "$SYSTEMD" ] && remove_file ${SYSTEMD}/shorewall.service
+
+if [ -d ${CONFDIR}/ppp ]; then
     for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do
-	remove_file /etc/ppp/$directory/shorewall
+	remove_file ${CONFDIR}/ppp/$directory/shorewall
     done
 
     for file in if-up.local if-down.local; do
-	if fgrep -q Shorewall-based /etc/ppp/$FILE; then
-	    remove_file /etc/ppp/$FILE
+	if fgrep -q Shorewall-based ${CONFDIR}/ppp/$FILE; then
+	    remove_file ${CONFDIR}/ppp/$FILE
 	fi
     done
 fi
 
-rm -rf /usr/share/shorewall-init
+rm -rf ${SHAREDIR}/shorewall-init
 rm -rf ${LIBEXEC}/shorewall-init
 
 echo "Shorewall Init Uninstalled"

Shorewall-lite/Makefile

@@ -12,7 +12,7 @@ $(VARDIR)/${RESTOREFILE}: $(VARDIR)/firewall
 	then \
 	    /sbin/shorewall-lite -q save >/dev/null; \
 	else \
-	    /sbin/shorewall-lite -q restart 2>&1 | tail >&2; \
+	    /sbin/shorewall-lite -q restart 2>&1 | tail >&2; exit 1; \
 	fi
 
 # EOF

Shorewall-lite/init.debian.sh

@@ -57,17 +57,27 @@ not_configured () {
 	exit 0
 }
 
+#determine where the files were installed
+if [ -f ~/.shorewallrc ]; then
+    . ~/.shorewallrc || exit 1
+    SRWL=${SBIN}/shorewall-lite
+else
+    CONFDIR=/etc
+    SYSCONFDIR=/etc/default
+fi
+
 # parse the shorewall params file in order to use params in
 # /etc/default/shorewall
-if [ -f "/etc/shorewall-lite/params" ]
+
+if [ -f "$CONFDIR/shorewall-lite/params" ]
 then
-	. /etc/shorewall-lite/params
+	. $CONFDIR/shorewall-lite/params
 fi
 
 # check if shorewall is configured or not
-if [ -f "/etc/default/shorewall-lite" ]
+if [ -f "$SYSCONFDIR/shorewall-lite" ]
 then
-	. /etc/default/shorewall-lite
+	. $SYSCONFDIR/shorewall-lite
 	SRWL_OPTS="$SRWL_OPTS $OPTIONS"
 	if [ "$startup" != "1" ]
 	then

Shorewall-lite/init.sh

@@ -61,10 +61,16 @@ usage() {
 # Get startup options (override default)
 ################################################################################
 OPTIONS=
-if [ -f /etc/sysconfig/shorewall ]; then
-    . /etc/sysconfig/shorewall
-elif [ -f /etc/default/shorewall ] ; then
-    . /etc/default/shorewall
+
+if [ ~/.shorewallrc ]; then
+    . ~/.shorewallrc || exit 1
+else
+    SBIN=/sbin
+    SYSCONFDIR=/etc/sysconfig
+fi
+
+if [ -f ${SYSCONFDIR}/shorewall-lite ]; then
+    . ${SYSCONFDIR}/shorewall-lite
 fi
 
 SHOREWALL_INIT_SCRIPT=1
@@ -76,13 +82,13 @@ command="$1"
 
 case "$command" in
     start)
-	exec /sbin/shorewall-lite $OPTIONS start $STARTOPTIONS $@
+	exec ${SBIN}/shorewall-lite $OPTIONS start $STARTOPTIONS
 	;;
     restart|reload)
-	exec /sbin/shorewall-lite $OPTIONS restart $RESTARTOPTIONS $@
+	exec ${SBIN}/shorewall-lite $OPTIONS restart $RESTARTOPTIONS
 	;;
     status|stop)
-	exec /sbin/shorewall-lite $OPTIONS $command $@
+	exec ${SBIN}/shorewall-lite $OPTIONS $command $@
 	;;
     *)
 	usage

Shorewall-lite/install.sh

@@ -27,12 +27,18 @@ VERSION=xxx #The Build script inserts the actual version
 usage() # $1 = exit status
 {
     ME=$(basename $0)
-    echo "usage: $ME"
+    echo "usage: $ME [ <configuration-file> ]"
     echo "       $ME -v"
     echo "       $ME -h"
     exit $1
 }
 
+fatal_error() 
+{
+    echo "   ERROR: $@" >&2
+    exit 1
+}
+
 split() {
     local ifs
     ifs=$IFS
@@ -85,6 +91,11 @@ install_file() # $1 = source $2 = target $3 = mode
     run_install $T $OWNERSHIP -m $3 $1 ${2}
 }
 
+require() 
+{
+    eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
+}
+
 #
 # Change to the directory containing this script
 #
@@ -103,66 +114,118 @@ fi
 #
 # Parse the run line
 #
-# DEST is the SysVInit script directory
-# INIT is the name of the script in the $DEST directory
-#
-if [ -z "$DEST" ] ; then
-	DEST="/etc/init.d"
-fi
+finished=0
 
-if [ -z "$INIT" ] ; then
-	INIT="$PRODUCT"
-fi
-
-while [ $# -gt 0 ] ; do
+while [ $finished -eq 0 ] ; do
     case "$1" in
-	-h|help|?)
-	    usage 0
-	    ;;
-        -v)
-	    echo "$Product Firewall Installer Version $VERSION"
-	    exit 0
+	-*)
+	    option=${option#-}
+	    
+	    while [ -n "$option" ]; do
+		case $option in
+		    h)
+			usage 0
+			;;
+		    v)
+			echo "$Product Firewall Installer Version $VERSION"
+			exit 0
+			;;
+		    *)
+			usage 1
+			;;
+		esac
+	    done
+
+	    shift
 	    ;;
 	*)
-	    usage 1
+	    finished=1
 	    ;;
     esac
-    shift
 done
 
-PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
+local file
+#
+# Read the RC file
+#
+if [ $# -eq 0 ]; then
+    #
+    # Load packager's settings if any
+    #
+    if [ -n "${DESTDIR}" -a -f ../shorewall-pkg.config ]; then
+	. ../shorewall-pkg.config || exit 1
+    elif [ -f ~/.shorewallrc ]; then
+	. ~/.shorewallrc || exit 1
+	file=~/.shorewallrc
+    else
+	fatal_error "No configuration file specified and ~/.shorewallrc not found"
+    fi
+elif [ $# -eq 1 ]; then
+    file=$1
+    case $file in
+	/*|.*)
+	    ;;
+	*)
+	    file=./$file
+	    ;;
+    esac
 
-[ -n "${LIBEXEC:=/usr/share}" ]
+    . $file
+else
+    usage 1
+fi
 
-case "$LIBEXEC" in
-    /*)
-	;;
-    *)
-	LIBEXEC=/usr/${LIBEXEC}
-	;;
-esac
+for var in SHAREDIR LIBEXECDIRDIRDIR CONFDIR SBINDIR VARDIR; do
+    require $var
+done
+
+PATH=${SBINDIR}:/bin:/usr${SBINDIR}:/usr/bin:/usr/local/bin:/usr/local${SBINDIR}
 
 #
 # Determine where to install the firewall script
 #
-CYGWIN=
+cygwin=
 INSTALLD='-D'
+INITFILE=$PRODUCT
 T='-T'
 
-case $(uname) in
-    CYGWIN*)
-	if [ -z "$DESTDIR" ]; then
-	    DEST=
-	    INIT=
-	fi
+if [ -z "$BUILD" ]; then
+    case $(uname) in
+	cygwin*)
+	    BUILD=cygwin
+	    ;;
+	Darwin)
+	    BUILD=apple
+	    ;;
+	*)
+	    if [ -f ${CONFDIR}/debian_version ]; then
+		BUILD=debian
+	    elif [ -f ${CONFDIR}/redhat-release ]; then
+		BUILD=redhat
+	    elif [ -f ${CONFDIR}/SuSE-release ]; then
+		BUILD=suse
+	    elif [ -f ${CONFDIR}/slackware-version ] ; then
+		BUILD=slackware
+	    elif [ -f ${CONFDIR}/arch-release ] ; then
+		BUILD=archlinux
+	    else
+		BUILD=linux
+	    fi
+	    ;;
+    esac
+fi
 
+case $BUILD in
+    cygwin*)
 	OWNER=$(id -un)
 	GROUP=$(id -gn)
 	;;
-    Darwin)
+    apple)
+	[ -z "$OWNER" ] && OWNER=root
+	[ -z "$GROUP" ] && GROUP=wheel
 	INSTALLD=
 	T=
-	;;	   
+	;;
     *)
 	[ -z "$OWNER" ] && OWNER=root
 	[ -z "$GROUP" ] && GROUP=root
@@ -171,28 +234,53 @@ esac
 
 OWNERSHIP="-o $OWNER -g $GROUP"
 
+[ -n "$HOST" ] || HOST=$BUILD
+
+case "$HOST" in
+    cygwin)
+	echo "$PRODUCT is not supported on Cygwin" >&2
+	exit 1
+	;;
+    apple)
+	echo "$PRODUCT is not supported on OS X" >&2
+	exit 1
+	;;
+    debian)
+	echo "Installing Debian-specific configuration..."
+	;;
+    redhat)
+	echo "Installing Redhat/Fedora-specific configuration..."
+	;;
+    slackware)
+	echo "Installing Slackware-specific configuration..."
+	;;
+    archlinux)
+	echo "Installing ArchLinux-specific configuration..."
+	;;
+    linux|suse)
+	;;
+    *)
+	echo "ERROR: Unknown HOST \"$HOST\"" >&2
+	exit 1;
+	;;
+esac
+
+[ -z "$INITDIR" ] && INITDIR="${CONFDIR}/init.d"
+
 if [ -n "$DESTDIR" ]; then
     if [ `id -u` != 0 ] ; then
 	echo "Not setting file owner/group permissions, not running as root."
 	OWNERSHIP=""
     fi
     
-    install -d $OWNERSHIP -m 755 ${DESTDIR}/sbin
-    install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
-elif [ -d /etc/apt -a -e /usr/bin/dpkg ]; then
-    DEBIAN=yes
-elif [ -f /etc/redhat-release ]; then
-    FEDORA=yes
-elif [ -f /etc/slackware-version ] ; then
-    DEST="/etc/rc.d"
-    INIT="rc.firewall"
-elif [ -f /etc/arch-release ] ; then
-      DEST="/etc/rc.d"
-      INIT="$PRODUCT"
-      ARCHLINUX=yes
-fi
+    install -d $OWNERSHIP -m 755 ${DESTDIR}/${SBINDIR}
+    install -d $OWNERSHIP -m 755 ${DESTDIR}${INITDIR}
 
-if [ -z "$DESTDIR" ]; then
+    if [ -n "$SYSTEMD" ]; then
+	mkdir -p ${DESTDIR}/lib/systemd/system
+	INITFILE=
+    fi
+else
     if [ ! -f /usr/share/shorewall/coreversion ]; then
 	echo "$PRODUCT $VERSION requires Shorewall Core which does not appear to be installed" >&2
 	exit 1
@@ -200,35 +288,34 @@ if [ -z "$DESTDIR" ]; then
 
     if [ -f /lib/systemd/system ]; then
 	SYSTEMD=Yes
+	INITFILE=
     fi
-elif [ -n "$SYSTEMD" ]; then
-    mkdir -p ${DESTDIR}/lib/systemd/system
 fi
 
 echo "Installing $Product Version $VERSION"
 
 #
-# Check for /etc/$PRODUCT
+# Check for ${CONFDIR}/$PRODUCT
 #
-if [ -z "$DESTDIR" -a -d /etc/$PRODUCT ]; then
+if [ -z "$DESTDIR" -a -d ${CONFDIR}/$PRODUCT ]; then
     if [ ! -f /usr/share/shorewall/coreversion ]; then
 	echo "$PRODUCT $VERSION requires Shorewall Core which does not appear to be installed" >&2
 	exit 1
     fi
 
-    [ -f /etc/$PRODUCT/shorewall.conf ] && \
-	mv -f /etc/$PRODUCT/shorewall.conf /etc/$PRODUCT/$PRODUCT.conf
+    [ -f ${CONFDIR}/$PRODUCT/shorewall.conf ] && \
+	mv -f ${CONFDIR}/$PRODUCT/shorewall.conf ${CONFDIR}/$PRODUCT/$PRODUCT.conf
 else
-    rm -rf ${DESTDIR}/etc/$PRODUCT
+    rm -rf ${DESTDIR}${CONFDIR}/$PRODUCT
     rm -rf ${DESTDIR}/usr/share/$PRODUCT
     rm -rf ${DESTDIR}/var/lib/$PRODUCT
-    [ "$LIBEXEC" = /usr/share ] || rm -rf /usr/share/$PRODUCT/wait4ifup /usr/share/$PRODUCT/shorecap
+    [ "$LIBEXECDIR" = /usr/share ] || rm -rf ${DESTDIR}/usr/share/$PRODUCT/wait4ifup ${DESTDIR}/usr/share/$PRODUCT/shorecap
 fi
 
 #
-# Check for /sbin/$PRODUCT
+# Check for ${SBINDIR}/$PRODUCT
 #
-if [ -f ${DESTDIR}/sbin/$PRODUCT ]; then
+if [ -f ${DESTDIR}${SBINDIR}/$PRODUCT ]; then
     first_install=""
 else
     first_install="Yes"
@@ -236,113 +323,118 @@ fi
 
 delete_file ${DESTDIR}/usr/share/$PRODUCT/xmodules
 
-install_file $PRODUCT ${DESTDIR}/sbin/$PRODUCT 0544
+install_file $PRODUCT ${DESTDIR}${SBINDIR}/$PRODUCT 0544
 
-echo "$Product control program installed in ${DESTDIR}/sbin/$PRODUCT"
+echo "$Product control program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"
 
 #
-# Install the Firewall Script
+# Create ${CONFDIR}/$PRODUCT, /usr/share/$PRODUCT and /var/lib/$PRODUCT if needed
 #
-if [ -n "$DEBIAN" ]; then
-    install_file init.debian.sh ${DESTDIR}/etc/init.d/$PRODUCT 0544
-elif [ -n "$FEDORA" ]; then
-    install_file init.fedora.sh ${DESTDIR}/etc/init.d/$PRODUCT 0544
-elif [ -n "$ARCHLINUX" ]; then
-    install_file init.archlinux.sh ${DESTDIR}/${DEST}/$INIT 0544
-else
-    install_file init.sh ${DESTDIR}/${DEST}/$INIT 0544
-fi
-
-echo  "$Product script installed in ${DESTDIR}${DEST}/$INIT"
-
-#
-# Create /etc/$PRODUCT, /usr/share/$PRODUCT and /var/lib/$PRODUCT if needed
-#
-mkdir -p ${DESTDIR}/etc/$PRODUCT
+mkdir -p ${DESTDIR}${CONFDIR}/$PRODUCT
 mkdir -p ${DESTDIR}/usr/share/$PRODUCT
-mkdir -p ${DESTDIR}${LIBEXEC}/$PRODUCT
+mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT
 mkdir -p ${DESTDIR}/var/lib/$PRODUCT
 
-chmod 755 ${DESTDIR}/etc/$PRODUCT
+chmod 755 ${DESTDIR}${CONFDIR}/$PRODUCT
 chmod 755 ${DESTDIR}/usr/share/$PRODUCT
 
 if [ -n "$DESTDIR" ]; then
-    mkdir -p ${DESTDIR}/etc/logrotate.d
-    chmod 755 ${DESTDIR}/etc/logrotate.d
+    mkdir -p ${DESTDIR}${CONFDIR}/logrotate.d
+    chmod 755 ${DESTDIR}${CONFDIR}/logrotate.d
+    mkdir -p ${DESTDIR}${INITDIR}
+    chmod 755 ${DESTDIR}${INITDIR}
 fi
 
+if [ -n "$INITFILE" ]; then
+    case $TARGET in
+	debian)
+	    install_file init.debian.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
+	    ;;
+	redhat)
+	    install_file init.fedora.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
+	    ;;
+	archlinux)
+	    install_file init.archlinux.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
+	    ;;
+	*)
+	    install_file init.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
+	    ;;
+    esac
+
+    echo  "$Product init script installed in ${DESTDIR}${INITDIR}/${INITFILE}"
+fi
 #
 # Install the .service file
 #
 if [ -n "$SYSTEMD" ]; then
-    run_install $OWNERSHIP -m 600 $PRODUCT.service ${DESTDIR}/lib/systemd/system/$PRODUCT.service
+    run_install $OWNERSHIP -m 600 $PRODUCT.service ${DESTDIR}/${SYSTEMD}/$PRODUCT.service
     echo "Service file installed as ${DESTDIR}/lib/systemd/system/$PRODUCT.service"
 fi
 
 #
 # Install the config file
 #
-if [ ! -f ${DESTDIR}/etc/$PRODUCT/$PRODUCT.conf ]; then
-   install_file $PRODUCT.conf ${DESTDIR}/etc/$PRODUCT/$PRODUCT.conf 0744
-   echo "Config file installed as ${DESTDIR}/etc/$PRODUCT/$PRODUCT.conf"
+if [ ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf ]; then
+   install_file $PRODUCT.conf ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf 0744
+   echo "Config file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf"
 fi
 
-if [ -n "$ARCHLINUX" ] ; then
-   sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${DESTDIR}/etc/$PRODUCT/$PRODUCT.conf
+if [ $HOST = archlinux ] ; then
+   sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf
 fi
 
 #
 # Install the  Makefile
 #
-run_install $OWNERSHIP -m 0600 Makefile ${DESTDIR}/etc/$PRODUCT
-echo "Makefile installed as ${DESTDIR}/etc/$PRODUCT/Makefile"
+run_install $OWNERSHIP -m 0600 Makefile ${DESTDIR}${CONFDIR}/$PRODUCT
+echo "Makefile installed as ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile"
 
 #
 # Install the default config path file
 #
-install_file configpath ${DESTDIR}/usr/share/$PRODUCT/configpath 0644
-echo "Default config path file installed as ${DESTDIR}/usr/share/$PRODUCT/configpath"
+install_file configpath ${DESTDIR}${SHAREDIR}/$PRODUCT/configpath 0644
+echo "Default config path file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/configpath"
 
 #
 # Install the libraries
 #
 for f in lib.* ; do
     if [ -f $f ]; then
-	install_file $f ${DESTDIR}/usr/share/$PRODUCT/$f 0644
-	echo "Library ${f#*.} file installed as ${DESTDIR}/usr/share/$PRODUCT/$f"
+	install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
+	echo "Library ${f#*.} file installed as ${DESTDIR}/${SHAREDIR}/$PRODUCT/$f"
     fi
 done
 
-ln -sf lib.base ${DESTDIR}/usr/share/$PRODUCT/functions
+ln -sf lib.base ${DESTDIR}${SHAREDIR}/$PRODUCT/functions
 
-echo "Common functions linked through ${DESTDIR}/usr/share/$PRODUCT/functions"
+echo "Common functions linked through ${DESTDIR}${SHAREDIR}/$PRODUCT/functions"
 
 #
 # Install Shorecap
 #
 
-install_file shorecap ${DESTDIR}${LIBEXEC}/$PRODUCT/shorecap 0755
+install_file shorecap ${DESTDIR}${LIBEXECDIR}/$PRODUCT/shorecap 0755
 
 echo
-echo "Capability file builder installed in ${DESTDIR}${LIBEXEC}/$PRODUCT/shorecap"
+echo "Capability file builder installed in ${DESTDIR}${LIBEXECDIR}/$PRODUCT/shorecap"
 
 #
 # Install the Modules files
 #
 
 if [ -f modules ]; then
-    run_install $OWNERSHIP -m 0600 modules ${DESTDIR}/usr/share/$PRODUCT
-    echo "Modules file installed as ${DESTDIR}/usr/share/$PRODUCT/modules"
+    run_install $OWNERSHIP -m 0600 modules ${DESTDIR}${SHAREDIR}/$PRODUCT
+    echo "Modules file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/modules"
 fi
 
 if [ -f helpers ]; then
-    run_install $OWNERSHIP -m 0600 helpers ${DESTDIR}/usr/share/$PRODUCT
-    echo "Helper modules file installed as ${DESTDIR}/usr/share/$PRODUCT/helpers"
+    run_install $OWNERSHIP -m 0600 helpers ${DESTDIR}${SHAREDIR}/$PRODUCT
+    echo "Helper modules file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/helpers"
 fi
 
 for f in modules.*; do
-    run_install $OWNERSHIP -m 0644 $f ${DESTDIR}/usr/share/$PRODUCT/$f
-    echo "Module file $f installed as ${DESTDIR}/usr/share/$PRODUCT/$f"
+    run_install $OWNERSHIP -m 0644 $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f
+    echo "Module file $f installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
 done
 
 #
@@ -352,18 +444,18 @@ done
 if [ -d manpages ]; then
     cd manpages
 
-    [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}/usr/share/man/man5/ ${DESTDIR}/usr/share/man/man8/
+    [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${SHAREDIR}/man/man5/ ${DESTDIR}${SHAREDIR}/man/man8/
 
     for f in *.5; do
 	gzip -c $f > $f.gz
-	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}/usr/share/man/man5/$f.gz
-	echo "Man page $f.gz installed to ${DESTDIR}/usr/share/man/man5/$f.gz"
+	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}${SHAREDIR}/man/man5/$f.gz
+	echo "Man page $f.gz installed to ${DESTDIR}${SHAREDIR}/man/man5/$f.gz"
     done
 
     for f in *.8; do
 	gzip -c $f > $f.gz
-	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}/usr/share/man/man8/$f.gz
-	echo "Man page $f.gz installed to ${DESTDIR}/usr/share/man/man8/$f.gz"
+	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}${SHAREDIR}/man/man8/$f.gz
+	echo "Man page $f.gz installed to ${DESTDIR}${SHAREDIR}/man/man8/$f.gz"
     done
 
     cd ..
@@ -371,73 +463,73 @@ if [ -d manpages ]; then
     echo "Man Pages Installed"
 fi
 
-if [ -d ${DESTDIR}/etc/logrotate.d ]; then
-    run_install $OWNERSHIP -m 0644 logrotate ${DESTDIR}/etc/logrotate.d/$PRODUCT
-    echo "Logrotate file installed as ${DESTDIR}/etc/logrotate.d/$PRODUCT"
+if [ -d ${DESTDIR}${CONFDIR}/logrotate.d ]; then
+    run_install $OWNERSHIP -m 0644 logrotate ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT
+    echo "Logrotate file installed as ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT"
 fi
 
 #
 # Create the version file
 #
-echo "$VERSION" > ${DESTDIR}/usr/share/$PRODUCT/version
-chmod 644 ${DESTDIR}/usr/share/$PRODUCT/version
+echo "$VERSION" > ${DESTDIR}${SHAREDIR}/$PRODUCT/version
+chmod 644 ${DESTDIR}${SHAREDIR}/$PRODUCT/version
 #
 # Remove and create the symbolic link to the init script
 #
 
 if [ -z "$DESTDIR" ]; then
-    rm -f /usr/share/$PRODUCT/init
-    ln -s ${DEST}/${INIT} /usr/share/$PRODUCT/init
+    rm -f ${SHAREDIR}/$PRODUCT/init
+    ln -s ${INITDIR}/${INITFILE} ${SHAREDIR}/$PRODUCT/init
 fi
 
-delete_file ${DESTDIR}/usr/share/$PRODUCT/lib.common
-delete_file ${DESTDIR}/usr/share/$PRODUCT/lib.cli
-delete_file ${DESTDIR}/usr/share/$PRODUCT/wait4ifup
+delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/lib.common
+delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/lib.cli
+delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/wait4ifup
 
-if [ -z "$DESTDIR" ]; then
-    touch /var/log/$PRODUCT-init.log
+if [ -n "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PRODUCT} ]; then
+    if [ ${DESTDIR} ]; then
+	mkdir -p ${DESTDIR}${SYSCONFDIR}
+	chmod 755 ${DESTDIR}${SYSCONFDIR}
+    fi
 
-    if [ -n "$first_install" ]; then
-	if [ -n "$DEBIAN" ]; then
-	    run_install $OWNERSHIP -m 0644 default.debian /etc/default/$PRODUCT
-
-	    update-rc.d $PRODUCT defaults
-
-	    if [ -x /sbin/insserv ]; then
-		insserv /etc/init.d/$PRODUCT
-	    else
-		ln -s ../init.d/$PRODUCT /etc/rcS.d/S40$PRODUCT
-	    fi
+    run_install $OWNERSHIP -m 0644 default.debian ${DESTDIR}${SYSCONFDIR}/${PRODUCT}
+    echo "$SYSCONFFILE installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
+fi
 
+if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
+    if mywhich update-rc.d ; then
+	echo "$PRODUCT will start automatically at boot"
+	echo "Set startup=1 in ${SYSCONFDIR}/$PRODUCT to enable"
+	touch /var/log/$PRODUCT-init.log
+	perl -p -w -i -e 's/^STARTUP_ENABLED=No/STARTUP_ENABLED=Yes/;s/^IP_FORWARDING=On/IP_FORWARDING=Keep/;s/^SUBSYSLOCK=.*/SUBSYSLOCK=/;' ${CONFDIR}/${PRODUCT}/${PRODUCT}.conf
+    elif [ -n "$SYSTEMD" ]; then
+	if systemctl enable $PRODUCT; then
 	    echo "$Product will start automatically at boot"
-	else
-	    if [ -n "$SYSTEMD" ]; then
-		if systemctl enable $PRODUCT; then
-		    echo "$Product will start automatically at boot"
-		fi
-	    elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
-		if insserv /etc/init.d/$PRODUCT ; then
-		    echo "$Product will start automatically at boot"
-		else
-		    cant_autostart
-		fi
-	    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
-		if chkconfig --add $PRODUCT ; then
-		    echo "$Product will start automatically in run levels as follows:"
-		    chkconfig --list $PRODUCT
-		else
-		    cant_autostart
-		fi
-	    elif [ -x /sbin/rc-update ]; then
-		if rc-update add $PRODUCT default; then
-		    echo "$Product will start automatically at boot"
-		else
-		    cant_autostart
-		fi
-	    elif [ "$INIT" != rc.firewall ]; then #Slackware starts this automatically
-		cant_autostart
-	    fi
 	fi
+    elif mywhich insserv; then
+	if insserv ${INITDIR}/${INITFILE} ; then
+	    echo "$PRODUCT will start automatically at boot"
+	    echo "Set STARTUP_ENABLED=Yes in ${CONFDIR}/$PRODUCT/${PRODUCT}.conf to enable"
+	else
+	    cant_autostart
+	fi
+    elif mywhich chkconfig; then
+	if chkconfig --add $PRODUCT ; then
+	    echo "$PRODUCT will start automatically in run levels as follows:"
+	    echo "Set STARTUP_ENABLED=Yes in ${CONFDIR}/$PRODUCT/${PRODUCT}.conf to enable"
+	    chkconfig --list $PRODUCT
+	else
+	    cant_autostart
+	fi
+    elif mywhich rc-update ; then
+	if rc-update add $PRODUCT default; then
+	    echo "$PRODUCT will start automatically at boot"
+	    echo "Set STARTUP_ENABLED=Yes in ${CONFDIR}/$PRODUCT/$PRODUCT.conf to enable"
+	else
+	    cant_autostart
+	fi
+    elif [ "$INITFILE" != rc.${PRODUCT} ]; then #Slackware starts this automatically
+	cant_autostart
     fi
 fi
 

Shorewall-lite/manpages/shorewall-lite.xml

@@ -517,15 +517,17 @@
           defined in the <ulink
           url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
           file. A <emphasis>host-list</emphasis> is comma-separated list whose
-          elements are host or network addresses.<caution>
-              <para>The <command>add</command> command is not very robust. If
-              there are errors in the <replaceable>host-list</replaceable>,
-              you may see a large number of error messages yet a subsequent
-              <command>shorewall-lite show zones</command> command will
-              indicate that all hosts were added. If this happens, replace
-              <command>add</command> by <command>delete</command> and run the
-              same command again. Then enter the correct command.</para>
-            </caution></para>
+          elements are host or network addresses.</para>
+
+          <caution>
+            <para>The <command>add</command> command is not very robust. If
+            there are errors in the <replaceable>host-list</replaceable>, you
+            may see a large number of error messages yet a subsequent
+            <command>shorewall-lite show zones</command> command will indicate
+            that all hosts were added. If this happens, replace
+            <command>add</command> by <command>delete</command> and run the
+            same command again. Then enter the correct command.</para>
+          </caution>
         </listitem>
       </varlistentry>
 

Shorewall-lite/shorewall-lite

@@ -27,6 +27,22 @@
 ################################################################################################
 g_program=shorewall-lite
 
-. /usr/share/shorewall/lib.cli
+if [ -f ~/.shorewallrc ]; then
+    . ~/.shorewallrc || exit 1
+else
+    SHAREDIR=/usr/share
+    CONFDIR=${CONFDIR}
+    SBINDIR=/sbin
+    VARDIR=/var/lib
+    LIBEXECDIR=/usr/share
+
+fi
+
+g_libexec="$LIBEXECDIR"
+g_sharedir="$SHAREDIR"
+g_sbindir="$SBINDIR"
+g_readrc=1
+
+. $g_sharedir/shorewall/lib.cli
 
 shorewall_cli $@

Shorewall-lite/uninstall.sh

@@ -40,16 +40,25 @@ qt()
     "$@" >/dev/null 2>&1
 }
 
-restore_file() # $1 = file to restore
-{
-    if [ -f ${1}-shorewall.bkout ]; then
-	if (mv -f ${1}-shorewall-lite.bkout $1); then
-	    echo
-	    echo "$1 restored"
-        else
-	    exit 1
-        fi
-    fi
+split() {
+    local ifs
+    ifs=$IFS
+    IFS=:
+    set -- $1
+    echo $*
+    IFS=$ifs
+}
+
+mywhich() {
+    local dir
+
+    for dir in $(split $PATH); do
+	if [ -x $dir/$1 ]; then
+	    return 0
+	fi
+    done
+
+    return 2
 }
 
 remove_file() # $1 = file to restore
@@ -60,8 +69,31 @@ remove_file() # $1 = file to restore
     fi
 }
 
-if [ -f /usr/share/shorewall-lite/version ]; then
-    INSTALLED_VERSION="$(cat /usr/share/shorewall-lite/version)"
+if [ -f ~/.shorewallrc ]; then
+    . ~/shorewallrc || exit 1
+else
+    [ -n "${LIBEXEC:=/usr/share}" ]
+    [ -n "${PERLLIB:=/usr/share/shorewall}" ]
+    [ -n "${CONFDIR:=/etc}" ]
+    
+    if [ -z "$SYSCONFDIR" ]; then
+	if [ -d /etc/default ]; then
+	    SYSCONFDIR=/etc/default
+	else
+	    SYSCONFDIR=/etc/sysconfig
+	fi
+    fi
+
+    [ -n "${SBINDIR:=/sbin}" ]
+    [ -n "${SHAREDIR:=/usr/share}" ]
+    [ -n "${VARDIR:=/var/lib}" ]
+    [ -n "${INITFILE:=shorewall}" ]
+    [ -n "${INITDIR:=/etc/init.d}" ]
+    [ -n "${MANDIR:=/usr/share/man}" ]
+fi
+
+if [ -f ${SHAREDIR}/shorewall-lite/version ]; then
+    INSTALLED_VERSION="$(cat ${SHAREDIR}/shorewall-lite/version)"
     if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
 	echo "WARNING: Shorewall Lite Version $INSTALLED_VERSION is installed"
 	echo "         and this is the $VERSION uninstaller."
@@ -72,49 +104,40 @@ else
     VERSION=""
 fi
 
-[ -n "${LIBEXEC:=/usr/share}" ]
-
 echo "Uninstalling Shorewall Lite $VERSION"
 
-if qt iptables -L shorewall -n && [ ! -f /sbin/shorewall ]; then
-   /sbin/shorewall-lite clear
+if qt iptables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall ]; then
+   shorewall-lite clear
 fi
 
-if [ -L /usr/share/shorewall-lite/init ]; then
-    FIREWALL=$(readlink -m -q /usr/share/shorewall-lite/init)
-else
-    FIREWALL=/etc/init.d/shorewall-lite
+if [ -L ${SHAREDIR}/shorewall-lite/init ]; then
+    FIREWALL=$(readlink -m -q ${SHAREDIR}/shorewall-lite/init)
+elIF [ -n "$INITFILE" ]; then
+    FIREWALL=${INITDIR}/${INITFILE}
 fi
 
-if [ -n "$FIREWALL" ]; then
-    if [ -x /usr/sbin/updaterc.d ]; then
+if [ -f "$FIREWALL" ]; then
+    if mywhich updaterc.d ; then
 	updaterc.d shorewall-lite remove
-    elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
+    elif if mywhich insserv ; then
         insserv -r $FIREWALL
-    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
+    elif [ mywhich chkconfig ; then
 	chkconfig --del $(basename $FIREWALL)
-    elif [ -x /sbin/systemctl ]; then
+    elif mywhich systemctl ; then
 	systemctl disable shorewall-lite
-    else
-	rm -f /etc/rc*.d/*$(basename $FIREWALL)
     fi
 
     remove_file $FIREWALL
-    rm -f ${FIREWALL}-*.bkout
 fi
 
-rm -f /sbin/shorewall-lite
-rm -f /sbin/shorewall-lite-*.bkout
+rm -f ${SBINDIR}/shorewall-lite
 
-rm -rf /etc/shorewall-lite
-rm -rf /etc/shorewall-lite-*.bkout
-rm -rf /var/lib/shorewall-lite
-rm -rf /var/lib/shorewall-lite-*.bkout
-rm -rf /usr/share/shorewall-lite
+rm -rf ${SBINDIR}/shorewall-lite
+rm -rf ${VARDIR}/shorewall-lite
+rm -rf ${SHAREDIR}/shorewall-lite
 rm -rf ${LIBEXEC}/shorewall-lite
-rm -rf /usr/share/shorewall-lite-*.bkout
-rm -f  /etc/logrotate.d/shorewall-lite
-rm -f  /lib/systemd/system/shorewall-lite.service
+rm -f  ${CONFDIR}/logrotate.d/shorewall-lite
+[ -n "$SYSTEMD" ] && rm -f  ${SYSTEMD}/shorewall-lite.service
 
 echo "Shorewall Lite Uninstalled"
 

Shorewall/Macros/macro.BLACKLIST

@@ -0,0 +1,11 @@
+#
+# Shorewall version 4 - blacklist Macro
+#
+# /usr/share/shorewall/macro.blacklist
+#
+#	This macro handles blacklisting using BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S)	PORT(S)	LIMIT	GROUP
+$BLACKLIST_DISPOSITION:$BLACKLIST_LOGLEVEL

Shorewall/Makefile

@@ -2,6 +2,7 @@
 VARDIR=$(shell /sbin/shorewall show vardir)
 CONFDIR=/etc/shorewall
 RESTOREFILE?=firewall
+
 all: $(VARDIR)/${RESTOREFILE}
 
 $(VARDIR)/${RESTOREFILE}: $(CONFDIR)/*
@@ -11,11 +12,12 @@ $(VARDIR)/${RESTOREFILE}: $(CONFDIR)/*
 	then \
 	    /sbin/shorewall -q save >/dev/null; \
 	else \
-	    /sbin/shorewall -q restart 2>&1 | tail >&2; \
+	    /sbin/shorewall -q restart 2>&1 | tail >&2; exit 1; \
 	fi
 
 clean:
 	@rm -f $(CONFDIR)/*~ $(CONFDIR)/.*~
+
 .PHONY: clean
 
 # EOF

Shorewall/Perl/.project

@@ -1,17 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<projectDescription>
-	<name>Shorewall</name>
-	<comment></comment>
-	<projects>
-	</projects>
-	<buildSpec>
-		<buildCommand>
-			<name>org.epic.perleditor.perlbuilder</name>
-			<arguments>
-			</arguments>
-		</buildCommand>
-	</buildSpec>
-	<natures>
-		<nature>org.epic.perleditor.perlnature</nature>
-	</natures>
-</projectDescription>

Shorewall/Perl/Shorewall/Accounting.pm

@@ -322,7 +322,7 @@ sub process_accounting_rule( ) {
 	}
     }
 
-    dont_optimize( $chainref ) if $target eq 'RETURN';
+    set_optflags( $chainref, DONT_OPTIMIZE ) if $target eq 'RETURN';
 
     if ( $jumpchainref ) {
 	if ( $asection ) {
@@ -407,7 +407,7 @@ sub setup_accounting() {
 		}
 
 		if ( $tableref->{accounting} ) {
-		    dont_optimize( 'accounting' );
+		    set_optflags( 'accounting' , DONT_OPTIMIZE );
 		    for my $chain ( qw/INPUT FORWARD/ ) {
 			insert_ijump( $tableref->{$chain}, j => 'accounting', 0 );
 		    }
@@ -429,7 +429,7 @@ sub setup_accounting() {
 		    insert_ijump( $tableref->{POSTROUTING}, j => 'accountpost', 0 );
 		}
 	    } elsif ( $tableref->{accounting} ) {
-		dont_optimize( 'accounting' );
+		set_optflags( 'accounting' , DONT_OPTIMIZE );
 		for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
 		    insert_ijump( $tableref->{$chain}, j => 'accounting', 0 );
 		}

Shorewall/Perl/Shorewall/Chains.pm

@@ -36,6 +36,10 @@ use strict;
 
 our @ISA = qw(Exporter);
 our @EXPORT = qw(
+		    DONT_OPTIMIZE
+		    DONT_DELETE
+		    DONT_MOVE
+
 		    add_rule
 		    add_irule
 		    add_jump
@@ -62,6 +66,11 @@ our @EXPORT = qw(
 		    require_audit
 		    newlogchain
 		    log_rule_limit
+		    allow_optimize
+		    allow_delete
+		    allow_move
+		    set_optflags
+		    reset_optflags
 		    dont_optimize
 		    dont_delete
 		    dont_move
@@ -182,6 +191,7 @@ our %EXPORT_TAGS = (
 				       do_time
 				       do_user
 				       do_length
+				       decode_tos
 				       do_tos
 				       do_connbytes
 				       do_helper
@@ -189,6 +199,7 @@ our %EXPORT_TAGS = (
 				       do_headers
 				       do_probability
 				       do_condition
+				       do_dscp
 				       have_ipset_rules
 				       record_runtime_address
 				       conditional_rule
@@ -228,6 +239,7 @@ our %EXPORT_TAGS = (
 				       create_chainlist_reload
 				       create_stop_load
 				       %targets
+				       %dscpmap
 				     ) ],
 		   );
 
@@ -246,9 +258,7 @@ our $VERSION = 'MODULEVERSION';
 #                                               builtin      => undef|1 -- If 1, one of Netfilter's built-in chains.
 #                                               manual       => undef|1 -- If 1, a manual chain.
 #                                               accounting   => undef|1 -- If 1, an accounting chain
-#                                               dont_optimize=> undef|1 -- Don't optimize away if this chain is 'short'
-#                                               dont_delete  => undef|1 -- Don't delete if this chain is not referenced
-#                                               dont_move    => undef|1 -- Don't copy the rules of this chain somewhere else
+#                                               optflags     => <optimization flags>
 #                                               log          => <logging rule number for use when LOGRULENUMBERS>
 #                                               policy       => <policy>
 #                                               policychain  => <name of policy chain> -- self-reference if this is a policy chain
@@ -360,6 +370,37 @@ use constant {
 
 use constant { OPTIMIZE_MASK => OPTIMIZE_POLICY_MASK | OPTIMIZE_RULESET_MASK };
 
+use constant { DONT_OPTIMIZE => 1 , DONT_DELETE => 2, DONT_MOVE => 4 };
+
+our %dscpmap = ( CS0  => 0x00,
+		 CS1  => 0x08,
+		 CS2  => 0x10,
+		 CS3  => 0x18,
+		 CS4  => 0x20,
+		 CS5  => 0x28,
+		 CS6  => 0x30,
+		 CS7  => 0x38,
+		 BE   => 0x00,
+		 AF11 => 0x0a,
+		 AF12 => 0x0c,
+		 AF13 => 0x0e,
+		 AF21 => 0x12,
+		 AF22 => 0x14,
+		 AF23 => 0x16,
+		 AF31 => 0x1a,
+		 AF32 => 0x1c,
+		 AF33 => 0x1e,
+		 AF41 => 0x22,
+		 AF42 => 0x24,
+		 AF43 => 0x26,
+		 EF   => 0x2e,
+	       );
+
+our %tosmap = ( 'Minimize-Delay'       => 0x10,
+		'Maximize-Throughput'  => 0x08,
+		'Maximize-Reliability' => 0x04,
+		'Minimize-Cost'        => 0x02,
+		'Normal-Service'       => 0x00 );
 #
 # These hashes hold the shell code to set shell variables. The key is the name of the variable; the value is the code to generate the variable's contents
 #
@@ -683,17 +724,19 @@ sub set_rule_option( $$$ ) {
 	assert( defined( my $value1 = $ruleref->{$option} ) );
 
 	if ( $opttype == MATCH ) {
-	    assert( $globals{KLUDGEFREE} );
+	    if ( $globals{KLUDGEFREE} ) {
+		unless ( reftype $value1 ) {
+		    unless ( reftype $value ) {
+			return if $value1 eq $value;
+		    }
 
-	    unless ( reftype $value1 ) {
-		unless ( reftype $value ) {
-		    return if $value1 eq $value;
+		    $ruleref->{$option} = [ $ruleref->{$option} ];
 		}
 
-		$ruleref->{$option} = [ $ruleref->{$option} ];
+		push @{$ruleref->{$option}}, ( reftype $value ? @$value : $value );
+	    } else {
+		$ruleref->{$option} = join(' ', $value1, $value );
 	    }
-
-	    push @{$ruleref->{$option}}, ( reftype $value ? @$value : $value );
 	} elsif ( $opttype == EXCLUSIVE ) {
 	    $ruleref->{$option} .= ",$value";
 	} elsif ( $opttype == UNIQUE ) {
@@ -1151,7 +1194,7 @@ sub push_matches {
 	}
     }
 
-    $dont_optimize;
+    DONT_OPTIMIZE if $dont_optimize;
 }
 
 sub push_irule( $$$;@ ) {
@@ -1180,7 +1223,7 @@ sub push_irule( $$$;@ ) {
     $chainref->{referenced} = 1;
 
     unless ( $ruleref->{simple} = ! @matches ) {
-	$chainref->{dont_optimize} = 1 if push_matches( $ruleref, @matches );
+	$chainref->{optflags} |= push_matches( $ruleref, @matches );
     }
 
     push @{$chainref->{rules}}, $ruleref;
@@ -1294,7 +1337,7 @@ sub insert_irule( $$$$;@ ) {
     }
 
     unless ( $ruleref->{simple} = ! @matches ) {
-	$chainref->{dont_optimize} = 1 if push_matches( $ruleref, @matches );
+	$chainref->{optflags} |= push_matches( $ruleref, @matches );
     }
 
     if ( $comment ) {
@@ -1867,7 +1910,8 @@ sub new_chain($$)
 		     log            => 1,
 		     cmdlevel       => 0,
 		     references     => {},
-		     filtered       => 0
+		     filtered       => 0,
+		     optflags       => 0,
 		   };
 
     trace( $chainref, 'N', undef, '' ) if $debug;
@@ -1928,7 +1972,7 @@ sub add_jump( $$$;$$$ ) {
 
     my $param = $goto_ok && $toref && have_capability( 'GOTO_TARGET' ) ? 'g' : 'j';
 
-    $fromref->{dont_optimize} = 1 if $predicate =~ /! -[piosd] /;
+    $fromref->{optflags} |= DONT_OPTIMIZE if $predicate =~ /! -[piosd] /;
 
     if ( defined $index ) {
 	assert( ! $expandports );
@@ -2052,49 +2096,70 @@ sub delete_jumps ( $$ ) {
     }
 }
 
-#
-# Set the dont_optimize flag for a chain
-#
-sub dont_optimize( $ ) {
-    my $chain = shift;
+sub reset_optflags( $$ ) {
+    my ( $chain, $flags ) = @_;
 
     my $chainref = reftype $chain ? $chain : $filter_table->{$chain};
 
-    $chainref->{dont_optimize} = 1;
+    $chainref->{optflags} ^= $flags;
+
+    trace( $chainref, '!O', undef, '' ) if $debug;
+
+    $chainref;
+}
+
+sub set_optflags( $$ ) {
+    my ( $chain, $flags ) = @_;
+
+    my $chainref = reftype $chain ? $chain : $filter_table->{$chain};
+
+    $chainref->{optflags} |= $flags;
 
     trace( $chainref, '!O', undef, '' ) if $debug;
 
     $chainref;
 }
 
+#
+# Reset the dont_optimize flag for a chain
+#
+sub allow_optimize( $ ) {
+    reset_optflags( shift, DONT_OPTIMIZE );
+}
+
+#
+# Reset the dont_delete flags for a chain
+#
+sub allow_delete( $ ) {
+    reset_optflags( shift, DONT_DELETE );
+}
+
+#
+# Reset the dont_move flag for a chain
+#
+sub allow_move( $ ) {
+    reset_optflags( shift, DONT_MOVE );
+}
+
+#
+# Set the dont_optimize flag for a chain
+#
+sub dont_optimize( $ ) {
+    set_optflags( shift, DONT_OPTIMIZE );
+}
+
 #
 # Set the dont_optimize and dont_delete flags for a chain
 #
 sub dont_delete( $ ) {
-    my $chain = shift;
-
-    my $chainref = reftype $chain ? $chain : $filter_table->{$chain};
-
-    $chainref->{dont_optimize} = $chainref->{dont_delete} = 1;
-
-    trace( $chainref, '!OD', undef, '' ) if $debug;
-
-    $chainref;
+    set_optflags( shift, DONT_OPTIMIZE | DONT_DELETE );
 }
 
 #
 # Set the dont_move flag for a chain
 #
 sub dont_move( $ ) {
-    my $chain = shift;
-
-    my $chainref = reftype $chain ? $chain : $filter_table->{$chain};
-
-    $chainref->{dont_move} = 1;
-
-    trace( $chainref, '!M', undef, '' ) if $debug;
-
-    $chainref;
+    set_optflags( shift, DONT_MOVE );
 }
 
 #
@@ -2136,7 +2201,7 @@ sub ensure_accounting_chain( $$$ )
 	$chainref->{restriction} = $restriction;
 	$chainref->{restricted}  = NO_RESTRICT;
 	$chainref->{ipsec}       = $ipsec;
-	$chainref->{dont_optimize} = 1 unless $config{OPTIMIZE_ACCOUNTING};
+	$chainref->{optflags}   |= DONT_OPTIMIZE unless $config{OPTIMIZE_ACCOUNTING};
 
 	unless ( $chain eq 'accounting' ) {
 	    my $file = find_file $chain;
@@ -2208,7 +2273,7 @@ sub new_builtin_chain($$$)
     $chainref->{referenced}  = 1;
     $chainref->{policy}      = $policy;
     $chainref->{builtin}     = 1;
-    $chainref->{dont_delete} = 1;
+    $chainref->{optflags}    = DONT_DELETE;
     $chainref;
 }
 
@@ -2636,7 +2701,7 @@ sub conditionally_copy_rules( $$ ) {
 
     my $targetref = $chain_table{$chainref->{table}}{$basictarget};
 
-    if ( $targetref && ! $targetref->{dont_move} ) {
+    if ( $targetref && ! ( $targetref->{optflags} & DONT_MOVE ) ) {
 	#
 	# Move is safe -- start with an empty rule list
 	#
@@ -2678,7 +2743,7 @@ sub optimize_level0() {
 	    #
 	    # If the chain isn't branched to, then delete it
 	    #
-	    unless ( $chainref->{dont_delete} || keys %{$chainref->{references}} ) {
+	    unless ( $chainref->{optflags} & DONT_DELETE || keys %{$chainref->{references}} ) {
 		delete_chain $chainref if $chainref->{referenced};
 	    }
 	}
@@ -2696,7 +2761,7 @@ sub optimize_level4( $$ ) {
     # When a chain with a single entry is found, replace it's references by its contents
     #
     # The search continues until no short chains remain
-    # Chains with 'dont_optimize = 1' are exempted from optimization
+    # Chains with 'DONT_OPTIMIZE' are exempted from optimization
     #
     while ( $progress ) {
 	$progress = 0;
@@ -2708,15 +2773,16 @@ sub optimize_level4( $$ ) {
 	progress_message "\n Table $table pass $passes, $chains referenced chains, level 4a...";
 
 	for my $chainref ( @chains ) {
+	    my $optflags = $chainref->{optflags};
 	    #
 	    # If the chain isn't branched to, then delete it
 	    #
-	    unless ( $chainref->{dont_delete} || keys %{$chainref->{references}} ) {
+	    unless ( ( $optflags & DONT_DELETE ) || keys %{$chainref->{references}} ) {
 		delete_chain $chainref if $chainref->{referenced};
 		next;
 	    }
 
-	    unless ( $chainref->{dont_optimize} ) {
+	    unless ( $optflags & DONT_OPTIMIZE ) {
 		my $numrules = @{$chainref->{rules}};
 
 		if ( $numrules == 0 ) {
@@ -2727,7 +2793,7 @@ sub optimize_level4( $$ ) {
 			#
 			# Built-in -- mark it 'dont_optimize' so we ignore it in follow-on passes
 			#
-			$chainref->{dont_optimize} = 1;
+			$chainref->{optflags} |= DONT_OPTIMIZE;
 		    } else {
 			#
 			# Not a built-in -- we can delete it and it's references
@@ -2758,7 +2824,7 @@ sub optimize_level4( $$ ) {
 				#
 				# Target was a built-in. Ignore this chain in follow-on passes
 				#
-				$chainref->{dont_optimize} = 1;
+				$chainref->{optflags} |= DONT_OPTIMIZE;
 			    }
 			} else {
 			    #
@@ -2774,9 +2840,9 @@ sub optimize_level4( $$ ) {
 			if ( $chainref->{builtin} || ! $globals{KLUDGEFREE} ) {
 			    #
 			    # This case requires a new rule merging algorithm. Ignore this chain for
-			    # now.
+			    # now on.
 			    #
-			    $chainref->{dont_optimize} = 1;
+			    $chainref->{optflags} |= DONT_OPTIMIZE;
 			} else {
 			    #
 			    # Replace references to this chain with the target and add the matches
@@ -2866,7 +2932,7 @@ sub optimize_level8( $$$ ) {
 	#
 	for my $chainref1 ( @chains1 ) {
 	    next unless @{$chainref1->{rules}};
-	    next if $chainref1->{dont_delete};
+	    next if $chainref1->{optflags} & DONT_DELETE;
 	    if ( $chainref->{digest} eq $chainref1->{digest} ) {
 		progress_message "  Chain $chainref1->{name} combined with $chainref->{name}";
 		replace_references $chainref1, $chainref->{name}, undef;
@@ -3190,6 +3256,16 @@ sub set_mss( $$$ ) {
 #
 # Interate over all zones with 'mss=' settings adding TCPMSS rules as appropriate.
 #
+sub imatch_source_dev( $;$ );
+sub imatch_dest_dev( $;$ );
+sub imatch_source_net( $;$\$ );
+sub imatch_dest_net( $ );
+
+sub newmsschain( ) {
+    my $seq = $chainseq{filter}++;
+    "~mss${seq}";
+}
+
 sub setup_zone_mss() {
     for my $zone ( all_zones ) {
 	my $zoneref = find_zone( $zone );
@@ -3197,6 +3273,29 @@ sub setup_zone_mss() {
 	set_mss( $zone, $zoneref->{options}{in_out}{mss}, ''     ) if $zoneref->{options}{in_out}{mss};
 	set_mss( $zone, $zoneref->{options}{in}{mss},     '_in'  ) if $zoneref->{options}{in}{mss};
 	set_mss( $zone, $zoneref->{options}{out}{mss},    '_out' ) if $zoneref->{options}{out}{mss};
+
+	my $hosts = find_zone_hosts_by_option( $zone, 'mss' );
+
+	for my $hostref ( @$hosts ) {
+	    my $mss         = $hostref->[4];
+	    my @mssmatch    = have_capability( 'TCPMSS_MATCH' ) ? ( tcpmss => "--mss $mss:" ) : ();
+	    my @sourcedev   = imatch_source_dev $hostref->[0];
+	    my @destdev     = imatch_dest_dev   $hostref->[0];
+	    my @source      = imatch_source_net $hostref->[2];
+	    my @dest        = imatch_dest_net   $hostref->[2];
+	    my @ipsecin     = (have_ipsec ? ( policy => "--pol $hostref->[1] --dir in"  ) : () );
+	    my @ipsecout    = (have_ipsec ? ( policy => "--pol $hostref->[1] --dir out" ) : () );
+
+	    my $chainref = new_chain 'filter', newmsschain;
+	    my $target   = source_exclusion( $hostref->[3], $chainref );
+
+	    add_ijump $chainref, j => 'TCPMSS', targetopts => "--set-mss $mss", p => 'tcp --tcp-flags SYN,RST SYN';
+
+	    for my $zone1 ( all_zones ) {
+		add_ijump ensure_chain( 'filter', rules_chain( $zone, $zone1 ) ),  j => $target , @sourcedev, @source, p => 'tcp --tcp-flags SYN,RST SYN', @mssmatch, @ipsecin ;
+		add_ijump ensure_chain( 'filter', rules_chain( $zone1, $zone ) ),  j => $target , @destdev,   @dest,   p => 'tcp --tcp-flags SYN,RST SYN', @mssmatch, @ipsecout ;	    
+	    }
+	}
     }
 }
 
@@ -3957,7 +4056,7 @@ sub do_time( $ ) {
 	    }
 	} elsif ( $element =~ /^(datestart|datestop)=(\d{4}(-\d{2}(-\d{2}(T\d{1,2}(:\d{1,2}){0,2})?)?)?)$/ ) {
 	    $result .= "--$1 $2 ";
-	} elsif ( $element =~ /^(utc|localtz)$/ ) {
+	} elsif ( $element =~ /^(utc|localtz|kerneltz)$/ ) {
 	    $result .= "--$1 ";
 	} else {
 	    fatal_error "Invalid time element ($element)";
@@ -4011,13 +4110,56 @@ sub do_user( $ ) {
     $rule;
 }
 
+
+
 #
 # Create a "-m tos" match for the passed TOS
 #
-sub do_tos( $ ) {
-    my $tos = $_[0];
+# This helper is also used during tos file processing
+#
+sub decode_tos( $$ ) {
+    my ( $tos, $set ) = @_;
 
-    $tos ne '-' ? "-m tos --tos $tos " : '';
+    if ( $tos eq '-' ) {
+	fatal_error [ '',                                            # 0
+		      'A value must be supplied in the TOS column',  # 1
+		      'Invalid TOS() parameter (-)',                 # 2
+		    ]->[$set] if $set;
+	return '';
+    }
+
+    my $mask = 0xff;
+    my $value;
+
+    if ( $tos =~ m"^(.+)/(.+)$" ) {
+	$value = numeric_value $1;
+	$mask  = numeric_value $2;
+    } elsif ( ! defined ( $value = numeric_value( $tos ) ) ) {
+	$value = $tosmap{$tos};
+	$mask  = '';
+    }
+
+    fatal_error( [ 'Invalid TOS column value',
+		   'Invalid TOS column value',
+		   'Invalid TOS() parameter', ]->[$set] . " ($tos)" )
+	unless ( defined $value &&
+		 $value <= 0xff &&
+		 ( $mask eq '' ||
+		   ( defined $mask &&
+		     $mask <= 0xff ) ) );
+
+    unless ( $mask eq '' ) {
+	warning_message "Unmatchable TOS ($tos)" unless $set || $value & $mask;
+    }
+
+    $tos = $mask ? in_hex( $value) . '/' . in_hex( $mask ) . ' ' : in_hex( $value ) . ' ';
+
+    $set ? " --set-tos $tos" : "-m tos --tos $tos ";
+
+}
+
+sub do_tos( $ ) {
+    decode_tos( $_[0], 0 );
 }
 
 my %dir = ( O => 'original' ,
@@ -4098,8 +4240,33 @@ sub do_helper( $ ) {
 sub do_length( $ ) {
     my $length = $_[0];
 
+    return '' if $length eq '-';
+
     require_capability( 'LENGTH_MATCH' , 'A Non-empty LENGTH' , 's' );
-    $length ne '-' ? "-m length --length $length " : '';
+
+    my ( $max, $min );
+
+    if ( $length =~ /^\d+$/ ) {
+	fatal_error "Invalid LENGTH ($length)" unless $length < 65536;
+	$min = $max = $1;
+    } else {
+	if ( $length =~ /^:(\d+)$/ ) {
+	    $min = 0;
+	    $max = $1;
+	} elsif ( $length =~ /^(\d+):$/ ) {
+	    $min = $1;
+	    $max = 65535;
+	} elsif ( $length =~ /^(\d+):(\d+)$/ ) {
+	    $min = $1;
+	    $max = $2;
+	} else {
+	    fatal_error "Invalid LENGTH ($length)";
+	}
+
+	fatal_error "First length must be < second length" unless $min < $max;
+    }
+
+    "-m length --length $length ";
 }
 
 #
@@ -4186,6 +4353,26 @@ sub do_condition( $ ) {
     "-m condition ${invert}--condition $condition "
 }
 
+#
+# Generate a -m dscp match
+#
+sub do_dscp( $ ) {
+    my $dscp = shift;
+
+    return '' if $dscp eq '-';
+
+    require_capability 'DSCP_MATCH', 'A non-empty DSCP column', 's';
+
+    my $invert = $dscp =~ s/^!// ? '! ' : '';
+    my $value  = numeric_value( $dscp );
+
+    $value = $dscpmap{$value} unless defined $value;
+
+    fatal_error( "Invalid DSCP ($dscp)" ) unless defined $value && $value < 0x2f && ! ( $value & 1 );
+
+    "-m dscp ${invert}--dscp $value ";
+}
+
 #
 # Match Source Interface
 #
@@ -4313,16 +4500,27 @@ sub get_set_flags( $$ ) {
     } elsif ( $setname =~ /^(.*)\[((src|dst)(,(src|dst))*)\]$/ ) {
 	$setname = $1;
 	$options = $2;
+
+	my @options = split /,/, $options;
+	my %typemap = ( src => 'Source', dst => 'Destination' );
+
+	if ( $config{IPSET_WARNINGS} ) {
+	    for ( @options ) {
+		warning_message( "The '$_' ipset flag is used in a $typemap{$option} column" ), last unless $_ eq $option;
+	    }
+	}
     }
 
     $setname =~ s/^\+//;
 
-    unless ( $export || $> != 0 ) {
-	unless ( $ipset_exists{$setname} ) {
-	    warning_message "Ipset $setname does not exist" unless qt "ipset -L $setname";
-	}
+    if ( $config{IPSET_WARNINGS} ) {
+	unless ( $export || $> != 0 ) {
+	    unless ( $ipset_exists{$setname} ) {
+		warning_message "Ipset $setname does not exist" unless qt "ipset -L $setname";
+	    }
 
-	$ipset_exists{$setname} = 1; # Suppress subsequent checks/warnings
+	    $ipset_exists{$setname} = 1; # Suppress subsequent checks/warnings
+	}
     }
 
     fatal_error "Invalid ipset name ($setname)" unless $setname =~ /^(6_)?[a-zA-Z]\w*/;
@@ -4337,11 +4535,21 @@ sub have_ipset_rules() {
 
 sub get_interface_address( $ );
 
-sub record_runtime_address( $ ) {
-    my $interface = shift;
+sub record_runtime_address( $$;$ ) {
+    my ( $addrtype, $interface, $protect ) = @_;
     fatal_error "Unknown interface address variable (&$interface)" unless known_interface( $interface );
     fatal_error "Invalid interface address variable (&$interface)" if $interface =~ /\+$/;
-    get_interface_address( $interface ) . ' ';
+
+    my $addr;
+
+    if ( $addrtype eq '&' ) {
+	$addr = get_interface_address( $interface );
+    } else {
+	$addr = get_interface_gateway( $interface, $protect );
+    }
+
+    $addr . ' ';
+   
 }
 
 #
@@ -4353,12 +4561,19 @@ sub record_runtime_address( $ ) {
 sub conditional_rule( $$ ) {
     my ( $chainref, $address ) = @_;
 
-    if ( $address =~ /^!?&(.+)$/ ) {
-	my $interface = $1;
+    if ( $address =~ /^!?([&%])(.+)$/ ) {
+	my ($type, $interface) = ($1, $2);
 	if ( my $ref = known_interface $interface ) {
 	    if ( $ref->{options}{optional} ) {
-		my $variable = get_interface_address( $interface );
-		add_commands( $chainref , "if [ $variable != " . NILIP . ' ]; then' );
+		my $variable;
+		if ( $type eq '&' ) {
+		    $variable = get_interface_address( $interface );
+		    add_commands( $chainref , "if [ $variable != " . NILIP . ' ]; then' );
+		} else {
+		    $variable = get_interface_gateway( $interface );
+		    add_commands( $chainref , qq(if [ -n "$variable" ]; then) );
+		}
+
 		incr_cmd_level $chainref;
 		return 1;
 	    }
@@ -4422,16 +4637,16 @@ sub match_source_net( $;$\$ ) {
     }
 
     if ( $net =~ s/^!// ) {
-	if ( $net =~ /^&(.+)/ ) {
-	    return '! -s ' . record_runtime_address $1;
+	if ( $net =~ /^([&%])(.+)/ ) {
+	    return '! -s ' . record_runtime_address $1, $2;
 	}
 
 	validate_net $net, 1;
 	return "! -s $net ";
     }
 
-    if ( $net =~ /^&(.+)/ ) {
-	return '-s ' . record_runtime_address $1;
+    if ( $net =~ /^([&%])(.+)/ ) {
+	return '-s ' . record_runtime_address $1, $2;
     }
 
     validate_net $net, 1;
@@ -4476,16 +4691,16 @@ sub imatch_source_net( $;$\$ ) {
     }
 
     if ( $net =~ s/^!// ) {
-	if ( $net =~ /^&(.+)/ ) {
-	    return  ( s => '! ' . record_runtime_address $1 );
+	if ( $net =~ /^([&%])(.+)/ ) {
+	    return  ( s => '! ' . record_runtime_address( $1, $2, 1 ) );
 	}
 
 	validate_net $net, 1;
 	return ( s => "! $net " );
     }
 
-    if ( $net =~ /^&(.+)/ ) {
-	return ( s =>  record_runtime_address $1 );
+    if ( $net =~ /^([&%])(.+)/ ) {
+	return ( s =>  record_runtime_address( $1, $2, 1 ) );
     }
 
     validate_net $net, 1;
@@ -4525,16 +4740,16 @@ sub match_dest_net( $ ) {
     }
 
     if ( $net =~ s/^!// ) {
-	if ( $net =~ /^&(.+)/ ) {
-	    return '! -d ' . record_runtime_address $1;
+	if ( $net =~ /^([&%])(.+)/ ) {
+	    return '! -d ' . record_runtime_address $1, $2;
 	}
 	
 	validate_net $net, 1;
 	return "! -d $net ";
     }
 
-    if ( $net =~ /^&(.+)/ ) {
-	return '-d ' . record_runtime_address $1;
+    if ( $net =~ /^([&%])(.+)/ ) {
+	return '-d ' . record_runtime_address $1, $2;
     }
 
     validate_net $net, 1;
@@ -4572,16 +4787,16 @@ sub imatch_dest_net( $ ) {
     }
 
     if ( $net =~ s/^!// ) {
-	if ( $net =~ /^&(.+)/ ) {
-	    return ( d => '! ' . record_runtime_address $1 );
+	if ( $net =~ /^([&%])(.+)/ ) {
+	    return ( d => '! ' . record_runtime_address( $1, $2, 1 ) );
 	}
 	
 	validate_net $net, 1;
 	return ( d => "! $net " );
     }
 
-    if ( $net =~ /^&(.+)/ ) {
-	return ( d => record_runtime_address $1 );
+    if ( $net =~ /^([&%])(.+)/ ) {
+	return ( d => record_runtime_address( $1, $2, 1 ) );
     }
 
     validate_net $net, 1;
@@ -4599,7 +4814,7 @@ sub match_orig_dest ( $ ) {
 
     if ( $net =~ s/^!// ) {
 	if ( $net =~ /^&(.+)/ ) {
-	    $net = record_runtime_address $1;
+	    $net = record_runtime_address '&', $1;
 	} else {
 	    validate_net $net, 1;
 	}
@@ -4607,7 +4822,7 @@ sub match_orig_dest ( $ ) {
 	have_capability( 'OLD_CONNTRACK_MATCH' ) ? "-m conntrack --ctorigdst ! $net " : "-m conntrack ! --ctorigdst $net ";
     } else {
 	if ( $net =~ /^&(.+)/ ) {
-	    $net = record_runtime_address $1;
+	    $net = record_runtime_address '&', $1;
 	} else {
 	    validate_net $net, 1;
 	}
@@ -4623,10 +4838,10 @@ sub match_ipsec_in( $$ ) {
     my ( $zone , $hostref ) = @_;
     my @match;
     my $zoneref    = find_zone( $zone );
-    my $optionsref = $zoneref->{options};
 
-    unless ( $optionsref->{super} || $zoneref->{type} == VSERVER ) {
+    unless ( $zoneref->{super} || $zoneref->{type} == VSERVER ) {
 	my $match = '--dir in --pol ';
+	my $optionsref = $zoneref->{options};
 
 	if ( $zoneref->{type} & IPSEC ) {
 	    $match .= "ipsec $optionsref->{in_out}{ipsec}$optionsref->{in}{ipsec}";
@@ -5055,8 +5270,8 @@ sub interface_gateway( $ ) {
 #
 # Record that the ruleset requires the gateway address on the passed interface
 #
-sub get_interface_gateway ( $ ) {
-    my ( $logical ) = $_[0];
+sub get_interface_gateway ( $;$ ) {
+    my ( $logical, $protect ) = @_;
 
     my $interface = get_physical $logical;
     my $variable = interface_gateway( $interface );
@@ -5073,7 +5288,7 @@ sub get_interface_gateway ( $ ) {
 );
     }
 
-    "\$$variable";
+    $protect ? "\${$variable:-" . NILIP . '}' : "\$$variable";
 }
 
 #
@@ -5383,7 +5598,7 @@ sub expand_rule( $$$$$$$$$$;$ )
 	    } else {
 		$inets = $source;
 	    }
-	} elsif ( $source =~ /(?:\+|&|~|\..*\.)/ ) {
+	} elsif ( $source =~ /(?:\+|&|%|~|\..*\.)/ ) {
 	    $inets = $source;
 	} else {
 	    $iiface = $source;
@@ -5468,7 +5683,7 @@ sub expand_rule( $$$$$$$$$$;$ )
 	    if ( $dest =~ /^(.+?):(.+)$/ ) {
 		$diface = $1;
 		$dnets  = $2;
-	    } elsif ( $dest =~ /\+|&|~|\..*\./ ) {
+	    } elsif ( $dest =~ /\+|&|%|~|\..*\./ ) {
 		$dnets = $dest;
 	    } else {
 		$diface = $dest;
@@ -6213,15 +6428,23 @@ sub ensure_ipset( $ ) {
 
     if ( $family == F_IPV4 ) {
 	if ( have_capability 'IPSET_V5' ) {
-	    emit ( "    qt \$IPSET -L $set -n || \$IPSET -N $_ hash:ip family inet" );
+	    emit ( qq(    if ! qt \$IPSET -L $set -n; then) ,
+		   qq(        error_message "WARNING: ipset $set does not exist; creating it as an hash:ip set") ,
+		   qq(        \$IPSET -N $set hash:ip family inet") ,
+		   qq(    fi) );
 	} else {
-	    emit ( "    qt \$IPSET -L $set -n || \$IPSET -N $_ iphash" );
+	    emit ( qq(    if ! qt \$IPSET -L $set -n; then) ,
+		   qq(        error_message "WARNING: ipset $set does not exist; creating it as an iphash set") ,
+		   qq(        \$IPSET -N $set iphash") ,
+		   qq(    fi) );
 	}
     } else {
-	emit ( "    qt \$IPSET -L $set -n || \$IPSET -N $_ hash:ip family inet6" );
+	emit ( qq(    if ! qt \$IPSET -L $set -n; then) ,
+	       qq(        error_message "WARNING: ipset $set does not exist; creating it as an hash:ip set") ,
+	       qq(        \$IPSET -N $set hash:ip family inet6) ,
+	       qq(    fi) );
     }
 }
-    
 
 sub load_ipsets() {
 
@@ -6281,7 +6504,7 @@ sub load_ipsets() {
 	} else {
 	    ensure_ipset( $_ ) for @ipsets;
 	}
-	
+
 	if ( @ipsets ) {
 	    emit ( 'elif [ "$COMMAND" = restart ]; then' );
 	    ensure_ipset( $_ ) for @ipsets;
@@ -6293,7 +6516,7 @@ sub load_ipsets() {
 	    ensure_ipset( $_ ) for @ipsets;
 	    emit( '' );
 	}
-	
+
 	if ( $family == F_IPV4 ) {
 	    emit ( '    if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then' ,
 		   '        #',
@@ -6413,7 +6636,7 @@ sub create_netfilter_load( $ ) {
     #
     emit(  'exec 3>&-',
 	   '',
-	   '[ -n "$DEBUG" ] && command=debug_restore_input || command=$' . $UTILITY,
+	   '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY,
 	   '',
 	   'progress_message2 "Running $command..."',
 	   '',

Shorewall/Perl/Shorewall/Compiler.pm

@@ -71,7 +71,7 @@ sub initialize_package_globals( $ ) {
 #
 # First stage of script generation.
 #
-#    Copy prog.header, lib.core and lib.common to the generated script.
+#    Copy lib.core and lib.common to the generated script.
 #    Generate the various user-exit jacket functions.
 #
 #    Note: This function is not called when $command eq 'check'. So it must have no side effects other
@@ -89,13 +89,7 @@ sub generate_script_1( $ ) {
 
 	    emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";
 
-	    if ( $family == F_IPV4 ) {
-		copy $globals{SHAREDIRPL} . 'prog.header';
-	    } else {
-		copy $globals{SHAREDIRPL} . 'prog.header6';
-	    }
-
-	    copy2 $globals{SHAREDIRPL} . '/lib.core', 0;
+	    copy  $globals{SHAREDIRPL} . '/lib.core', 0;
 	    copy2 $globals{SHAREDIRPL} . '/lib.common', 0;
 	}
 
@@ -166,15 +160,17 @@ sub generate_script_2() {
 	emit( 'g_family=4' );
 
 	if ( $export ) {
-	    emit ( 'SHAREDIR=/usr/share/shorewall-lite',
-		   'CONFDIR=/etc/shorewall-lite',
+	    emit ( 'SHAREDIR=$SHAREDIR/shorewall-lite',
+		   'CONFDIR=$CONFDIR/shorewall-lite',
+		   'VARDIR=$VARDIR/shorewall-lite',
 		   'g_product="Shorewall Lite"',
 		   'g_program=shorewall-lite',
 		   'g_basedir=/usr/share/shorewall-lite',
 		 );
 	} else {
-	    emit ( 'SHAREDIR=/usr/share/shorewall',
-		   'CONFDIR=/etc/shorewall',
+	    emit ( 'SHAREDIR=$SHAREDIR/shorewall',
+		   'CONFDIR=$CONFDIR/shorewall',
+		   'VARDIR=$VARDIR/shorewall',
 		   'g_product=Shorewall',
 		   'g_program=shorewall',
 		   'g_basedir=/usr/share/shorewall',
@@ -184,8 +180,9 @@ sub generate_script_2() {
 	emit( 'g_family=6' );
 
 	if ( $export ) {
-	    emit ( 'SHAREDIR=/usr/share/shorewall6-lite',
-		   'CONFDIR=/etc/shorewall6-lite',
+	    emit ( 'SHAREDIR=/$SHAREDIR/shorewall6-lite',
+		   'CONFDIR=$CONFDIR/shorewall6-lite',
+		   'VARDIR=$VARDIR/shorewall6-lite',
 		   'g_product="Shorewall6 Lite"',
 		   'g_program=shorewall6-lite',
 		   'g_basedir=/usr/share/shorewall6',
@@ -193,6 +190,7 @@ sub generate_script_2() {
 	} else {
 	    emit ( 'SHAREDIR=/usr/share/shorewall6',
 		   'CONFDIR=/etc/shorewall6',
+		   'VARDIR=$VARDIR/shorewall6',
 		   'g_product=Shorewall6',
 		   'g_program=shorewall6',
 		   'g_basedir=/usr/share/shorewall'
@@ -709,10 +707,6 @@ sub compiler {
     # Proxy Arp/Ndp
     #
     setup_proxy_arp;
-    #
-    # Handle MSS settings in the zones file
-    #
-    setup_zone_mss;
 
     if ( $scriptfilename || $debug ) {
 	emit 'return 0';

Shorewall/Perl/Shorewall/Config.pm

@@ -141,6 +141,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       %config
 				       %globals
 				       %config_files
+				       %shorewallrc
 
 				       @auditoptions
 
@@ -292,6 +293,8 @@ my  %capdesc = ( NAT_ENABLED     => 'NAT',
 		 STATISTIC_MATCH => 
 		                    'Statistics Match',
 		 IMQ_TARGET      => 'IMQ Target',
+		 DSCP_MATCH      => 'DSCP Match',
+		 DSCP_TARGET     => 'DSCP Target',
 		 CAPVERSION      => 'Capability Version',
 		 KERNELVERSION   => 'Kernel Version',
 	       );
@@ -389,8 +392,8 @@ my  $toolNAME;               # Tool name in CAPS
 our $product;                # Name of product that will run the generated script
 our $Product;                # $product with initial cap.
 
-my $sillyname;               # Name of temporary filter chains for testing capabilities
-my $sillyname1;
+our $sillyname;              # Name of temporary filter chains for testing capabilities
+our $sillyname1;
 my $iptables;                # Path to iptables/ip6tables
 my $tc;                      # Path to tc
 my $ip;                      # Path to ip
@@ -419,6 +422,23 @@ my %deprecated = ( LOGRATE            => '' ,
 		   HIGH_ROUTE_MARKS   => 'no'
 		 );
 #
+# Deprecated options that are eliminated via update
+#
+my %converted = ( WIDE_TC_MARKS => 1,
+		  HIGH_ROUTE_MARKS => 1 );
+#
+# Variables involved in ?IF, ?ELSE ?ENDIF processing
+#
+my $omitting;
+my @ifstack;
+my $ifstack;
+#
+# From .shorewallrc
+#
+our %shorewallrc;
+
+sub process_shorewallrc();
+#
 # Rather than initializing globals in an INIT block or during declaration,
 # we initialize them in a function. This is done for two reasons:
 #
@@ -451,13 +471,16 @@ sub initialize( $ ) {
     $tempfile       = '';      # Temporary File Name
     $sillyname      = 
     $sillyname1     = '';      # Temporary ipchains
+    $omitting       = 0;
+    $ifstack        = 0;
+    @ifstack        = ();
 
     #
     # Misc Globals
     #
-    %globals  =   ( SHAREDIRPL => '/usr/share/shorewall/' ,
-		    CONFDIR    => '/etc/shorewall',     # Run-time configuration directory
-		    CONFIGDIR  => '',                  # Compile-time configuration directory (location of $product.conf)
+    %globals  =   ( SHAREDIRPL => '' ,
+		    CONFDIR    => '',         # Run-time configuration directory
+		    CONFIGDIR  => '',         # Compile-time configuration directory (location of $product.conf)
 		    LOGPARMS   => '',
 		    TC_SCRIPT  => '',
 		    EXPORT     => 0,
@@ -551,6 +574,7 @@ sub initialize( $ ) {
 	  MAPOLDACTIONS => undef,
 	  FASTACCEPT => undef,
 	  IMPLICIT_CONTINUE => undef,
+	  IPSET_WARNINGS => undef,
 	  HIGH_ROUTE_MARKS => undef,
 	  USE_ACTIONS=> undef,
 	  OPTIMIZE => undef,
@@ -692,6 +716,8 @@ sub initialize( $ ) {
 	       CT_TARGET => undef,
 	       STATISTIC_MATCH => undef,
 	       IMQ_TARGET => undef,
+	       DSCP_MATCH => undef,
+	       DSCP_TARGET => undef,
 	       CAPVERSION => undef,
 	       KERNELVERSION => undef,
 	       );
@@ -725,15 +751,24 @@ sub initialize( $ ) {
 
     @actparms = ();
 
+    %shorewallrc = (
+		    SHAREDIR => '/usr/share/',
+		    CONFDIR  => '/etc/',
+		    );
+
+    process_shorewallrc;
+
+    $globals{SHAREDIRPL} = "$shorewallrc{SHAREDIR}/shorewall/";
+
     if ( $family == F_IPV4 ) {
-	$globals{SHAREDIR}      = '/usr/share/shorewall';
-	$globals{CONFDIR}       = '/etc/shorewall';
+	$globals{SHAREDIR}      = "$shorewallrc{SHAREDIR}/shorewall";
+	$globals{CONFDIR}       = "$shorewallrc{CONFDIR}/shorewall";
 	$globals{PRODUCT}       = 'shorewall';
 	$config{IPTABLES}       = undef;
 	$validlevels{ULOG}      = 'ULOG';
     } else {
-	$globals{SHAREDIR}      = '/usr/share/shorewall6';
-	$globals{CONFDIR}       = '/etc/shorewall6';
+	$globals{SHAREDIR}      = "$shorewallrc{SHAREDIR}/shorewall6";
+	$globals{CONFDIR}       = "$shorewallrc{CONFDIR}/shorewall6";
 	$globals{PRODUCT}       = 'shorewall6';
 	$config{IP6TABLES}      = undef;
     }
@@ -747,7 +782,7 @@ my @abbr = qw( Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec );
 sub warning_message
 {
     my $linenumber = $currentlinenumber || 1;
-    my $currentlineinfo = $currentfile ?  " : $currentfilename (line $linenumber)" : '';
+    my $currentlineinfo = $currentfile ?  " : $currentfilename " . ( $linenumber eq 'EOF' ? '(EOF)' : "(line $linenumber)" ) : '';
     our @localtime;
 
     $| = 1; #Reset output buffering (flush any partially filled buffers).
@@ -803,7 +838,7 @@ sub cleanup() {
 #
 sub fatal_error	{
     my $linenumber = $currentlinenumber || 1;
-    my $currentlineinfo = $currentfile ?  " : $currentfilename (line $linenumber)" : '';
+    my $currentlineinfo = $currentfile ?  " : $currentfilename " . ( $linenumber eq 'EOF' ? '(EOF)' : "(line $linenumber)" ) : '';
 
     $| = 1; #Reset output buffering (flush any partially filled buffers).
 
@@ -1450,6 +1485,7 @@ sub do_open_file( $ ) {
     my $fname = $_[0];
     open $currentfile, '<', $fname or fatal_error "Unable to open $fname: $!";
     $currentlinenumber = 0;
+    $ifstack           = @ifstack;
     $currentfilename   = $fname;
 }
 
@@ -1462,6 +1498,7 @@ sub open_file( $ ) {
 	$first_entry = 0;
 	do_open_file $fname;;
     } else {
+	$ifstack = @ifstack;
 	'';
     }
 }
@@ -1472,10 +1509,17 @@ sub open_file( $ ) {
 sub pop_include() {
     my $arrayref = pop @includestack;
 
+    unless ( $ifstack == @ifstack ) {
+	my $lastref = $ifstack[-1];
+	$currentlinenumber = 'EOF';
+	fatal_error qq(Missing "?ENDIF" to match ?IF at line number $lastref->[2])
+    }
+
     if ( $arrayref ) {
-	( $currentfile, $currentfilename, $currentlinenumber ) = @$arrayref;
+	( $currentfile, $currentfilename, $currentlinenumber, $ifstack ) = @$arrayref;
     } else {
-	$currentfile = undef;
+	$currentfile       = undef;
+	$currentlinenumber = 'EOF';
     }
 }
 
@@ -1496,6 +1540,61 @@ sub close_file() {
     }
 }
 
+sub process_conditional( $$$ ) {
+    my ( $omitting, $line, $linenumber ) = @_;
+
+    print "CD===> $currentline\n" if $debug;
+
+    fatal_error "Invalid compiler directive ($line)" unless $line =~ /^\s*\?(IF\s+|ELSE|ENDIF)(.*)$/;
+    
+    my ($keyword, $rest) = ( $1, $2 );
+
+    $rest = '' unless supplied $rest;
+    $rest =~ s/\s*$//;
+
+    my ( $lastkeyword, $prioromit, $lastomit, $lastlinenumber ) = @ifstack ? @{$ifstack[-1]} : ('', 0, 0, 0 );
+
+    if ( $keyword =~ /^IF/ ) {
+	fatal_error "Missing IF variable" unless $rest;
+	my $invert = $rest =~ s/^!\s*//;
+
+	fatal_error "Invalid IF variable ($rest)" unless ($rest =~ s/^\$// || $rest =~ /^__/ ) && $rest =~ /^\w+$/;
+
+	push @ifstack, [ 'IF', $lastomit, $omitting, $linenumber ];
+
+	if ( $rest eq '__IPV6' ) {
+	    $omitting = $family == F_IPV4;
+	} elsif ( $rest eq '__IPV4' ) {
+	    $omitting = $family == F_IPV6;
+	} else {
+	    my $cap = $rest;
+
+	    $cap =~ s/^__//;
+
+	    $omitting = ! ( exists $ENV{$rest}    ? $ENV{$rest}    : 
+			    exists $params{$rest} ? $params{$rest} : 
+			    exists $config{$rest} ? $config{$rest} :
+			    exists $capdesc{$cap} ? have_capability $cap : 0 );
+	}
+
+	$omitting = ! $omitting if $invert;
+
+	$omitting ||= $lastomit; #?IF cannot transition from omitting -> not omitting
+    } elsif ( $keyword eq 'ELSE' ) {
+	fatal_error "Invalid ?ELSE" unless $rest eq '';
+	fatal_error "?ELSE has no matching ?IF" unless @ifstack > $ifstack && $lastkeyword eq 'IF';
+	$omitting = ! $omitting unless $lastomit;
+	$ifstack[-1] = [ 'ELSE', $prioromit, $omitting, $lastlinenumber ];
+    } else {
+	fatal_error "Invalid ?ENDIF" unless $rest eq '';
+	fatal_error q(Unexpected "?ENDIF" without matching ?IF or ?ELSE) if @ifstack <= $ifstack;
+	$omitting = $prioromit;
+	pop @ifstack;
+    }
+
+    $omitting;
+}   
+
 #
 # Functions for copying a file into the script
 #
@@ -1503,12 +1602,27 @@ sub copy( $ ) {
     assert( $script_enabled );
 
     if ( $script ) {
-	my $file = $_[0];
+	my $file         = $_[0];
+	my $omitting     = 0;
+	my $save_ifstack = $ifstack;
+	my $lineno       = 0;
+
+	$ifstack = @ifstack;
 
 	open IF , $file or fatal_error "Unable to open $file: $!";
 
 	while ( <IF> ) {
 	    chomp;
+
+	    $lineno++;
+
+	    if ( /^\s*\?/ ) {
+		$omitting = process_conditional( $omitting, $_, $lineno );
+		next;
+	    }
+
+	    next if $omitting;
+
 	    if ( /^\s*$/ ) {
 		print $script "\n" unless $lastlineblank;
 		$lastlineblank = 1;
@@ -1524,6 +1638,14 @@ sub copy( $ ) {
 	    }
 	}
 
+	if ( $ifstack < @ifstack ) {
+	    $currentlinenumber = 'EOF';
+	    $currentfilename   = $file;
+	    fatal_error "Missing ?ENDIF to match the ?IF at line $ifstack[-1]->[3]";
+	} else {
+	    $ifstack = $save_ifstack;
+	}
+
 	close IF;
     }
 }
@@ -1538,6 +1660,7 @@ sub copy1( $ ) {
 
     if ( $script || $debug ) {
 	my ( $do_indent, $here_documents ) = ( 1, '');
+	my $save_ifstack = $ifstack;
 
 	open_file( $_[0] );
 	
@@ -1547,6 +1670,11 @@ sub copy1( $ ) {
 
 		chomp;
 
+		if ( /^\s*\?/ ) {
+		    $omitting = process_conditional( $omitting, $_, $currentlinenumber );
+		    next;
+		}
+
 		if ( /^${here_documents}\s*$/ ) {
 		    if ( $script ) {
 			print $script $here_documents if $here_documents;
@@ -1598,7 +1726,7 @@ sub copy1( $ ) {
 			fatal_error "Directory ($filename) not allowed in INCLUDE" if -d _;
 
 			if ( -s _ ) {
-			    push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ];
+			    push @includestack, [ $currentfile, $currentfilename, $currentlinenumber, $ifstack ];
 			    $currentfile = undef;
 			    do_open_file $filename;
 			} else {
@@ -1629,6 +1757,13 @@ sub copy1( $ ) {
 		}
 	    }
 
+	    if ( $ifstack < @ifstack ) {
+		$currentlinenumber = 'EOF';
+		fatal_error "Missing ?ENDIF to match the ?IF at line $ifstack[-1]->[3]";
+	    } else {
+		$ifstack = $save_ifstack;
+	    }
+
 	    close_file;
 	}
     }
@@ -1649,10 +1784,14 @@ sub copy2( $$ ) {
 
     if ( $script || $trace ) {
 	my $file = $_[0];
+	my $omitting     = 0;
+	my $save_ifstack = $ifstack;
+	my $lineno       = 0;
 
 	open IF , $file or fatal_error "Unable to open $file: $!";
 
 	while ( <IF> ) {
+	    $lineno++;
 	    $empty = 0, last unless /^#/;
 	}
 
@@ -1666,7 +1805,16 @@ EOF
 	    emit( $_ ) unless /^\s*$/;
 
 	    while ( <IF> ) {
+		$lineno++;
 		chomp;
+
+		if ( /^\s*\?/ ) {
+		    $omitting = process_conditional( $omitting, $_, $lineno );
+		    next;
+		}
+
+		next if $omitting;
+
 		if ( /^\s*$/ ) {
 		    unless ( $lastlineblank ) {
 			print $script "\n" if $script;
@@ -1694,8 +1842,6 @@ EOF
 		}
 	    }
 
-	    close IF;
-
 	    unless ( $lastlineblank ) {
 		print $script "\n" if $script;
 		print "GS----->\n" if $trace;
@@ -1705,6 +1851,17 @@ EOF
 		  "#   End of imports from $file",
 		  '################################################################################' );
 	}
+
+	if ( $ifstack < @ifstack ) {
+	    $currentfilename   = $file;
+	    $currentlinenumber = 'EOF';
+	    fatal_error "Missing ?ENDIF to match the ?IF at line $ifstack[-1]->[3]";
+	} else {
+	    $ifstack = $save_ifstack;
+	}
+
+	close IF;
+
     }
 }
 
@@ -1714,7 +1871,7 @@ EOF
 #
 sub push_open( $ ) {
 
-    push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ];
+    push @includestack, [ $currentfile, $currentfilename, $currentlinenumber, $ifstack ];
     my @a = @includestack;
     push @openstack, \@a;
     @includestack = ();
@@ -1789,7 +1946,7 @@ sub embedded_shell( $ ) {
 
 	while ( <$currentfile> ) {
 	    $currentlinenumber++;
-	    last if $last = s/^\s*END(\s+SHELL)?\s*;?//;
+	    last if $last = s/^\s*\??END(\s+SHELL)?\s*;?//;
 	    $command .= $_;
 	}
 
@@ -1799,12 +1956,13 @@ sub embedded_shell( $ ) {
 
     $command .= q(');
 
-    push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ];
+    push @includestack, [ $currentfile, $currentfilename, $currentlinenumber, $ifstack ];
     $currentfile = undef;
     open $currentfile , '-|', $command or fatal_error qq(Shell Command failed);
     $currentfilename = "SHELL\@$currentfilename:$currentlinenumber";
     $currentline = '';
     $currentlinenumber = 0;
+    $ifstack = @ifstack;
 }
 
 sub embedded_perl( $ ) {
@@ -1823,7 +1981,7 @@ sub embedded_perl( $ ) {
 
 	while ( <$currentfile> ) {
 	    $currentlinenumber++;
-	    last if $last = s/^\s*END(\s+PERL)?\s*;?//;
+	    last if $last = s/^\s*\??END(\s+PERL)?\s*;?//;
 	    $command .= $_;
 	}
 
@@ -1855,7 +2013,7 @@ sub embedded_perl( $ ) {
 
 	$perlscript = undef;
 
-	push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ];
+	push @includestack, [ $currentfile, $currentfilename, $currentlinenumber , $ifstack ];
 	$currentfile = undef;
 
 	open $currentfile, '<', $perlscriptname or fatal_error "Unable to open Perl Script $perlscriptname";
@@ -1867,6 +2025,7 @@ sub embedded_perl( $ ) {
 	$currentfilename = "PERL\@$currentfilename:$linenumber";
 	$currentline = '';
 	$currentlinenumber = 0;
+	$ifstack = @ifstack;
     }
 }
 
@@ -1937,7 +2096,7 @@ sub set_action_param( $$ ) {
 #
 # Expand Shell Variables in the passed buffer using %params and @actparms
 #
-sub expand_variables( \$ ) {
+sub expand_variables( \$;$ ) {
     my ( $lineref, $count ) = ( $_[0], 0 );
     #                    $1      $2   $3      -     $4
     while ( $$lineref =~ m( ^(.*?) \$({)? (\w+) (?(2)}) (.*)$ )x ) {
@@ -1951,6 +2110,8 @@ sub expand_variables( \$ ) {
 	    $val = $actparms[$var];
 	} elsif ( exists $params{$var} ) {
 	    $val = $params{$var};
+	} elsif ( $_[1] && exists $shorewallrc{$var} ) {
+	    $val = $shorewallrc{$var}
 	} else {
 	    fatal_error "Undefined shell variable (\$$var)" unless exists $config{$var};
 	    $val = $config{$var};
@@ -1971,6 +2132,7 @@ sub expand_variables( \$ ) {
 #   - Handle embedded SHELL and PERL scripts
 #   - Expand shell variables from %params and %ENV.
 #   - Handle INCLUDE <filename>
+#   - Handle ?IF, ?ELSE, ?ENDIF
 #
 
 sub read_a_line(;$$$) {
@@ -2021,15 +2183,29 @@ sub read_a_line(;$$$) {
 		$first_entry = 0;
 	    }
 	    #
+	    # Handle conditionals
+	    #
+	    if ( $currentline =~ /^\s*\?/ ) {
+		$omitting = process_conditional( $omitting, $currentline, $currentlinenumber );
+		$currentline='';
+		next;
+	    }		
+		    
+	    if ( $omitting ) {
+		print "OMIT=> $currentline\n" if $debug;
+		$currentline='';
+		next;
+	    }
+	    #
 	    # Must check for shell/perl before doing variable expansion
 	    #
 	    if ( $embedded_enabled ) {
-		if ( $currentline =~ s/^\s*(BEGIN\s+)?SHELL\s*;?// ) {
+		if ( $currentline =~ s/^\s*\??(BEGIN\s+)?SHELL\s*;?// ) {
 		    embedded_shell( $1 );
 		    next;
 		}
 
-		if ( $currentline =~ s/^\s*(BEGIN\s+)?PERL\s*\;?// ) {
+		if ( $currentline =~ s/^\s*\??(BEGIN\s+)?PERL\s*\;?// ) {
 		    embedded_perl( $1 );
 		    next;
 		}
@@ -2041,7 +2217,7 @@ sub read_a_line(;$$$) {
 	    #
 	    expand_variables( $currentline ) if $expand_variables;
 
-	    if ( $currentline =~ /^\s*INCLUDE\s/ ) {
+	    if ( $currentline =~ /^\s*\??INCLUDE\s/ ) {
 
 		my @line = split ' ', $currentline;
 
@@ -2054,7 +2230,7 @@ sub read_a_line(;$$$) {
 		fatal_error "Directory ($filename) not allowed in INCLUDE" if -d _;
 
 		if ( -s _ ) {
-		    push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ];
+		    push @includestack, [ $currentfile, $currentfilename, $currentlinenumber, $ifstack ];
 		    $currentfile = undef;
 		    do_open_file $filename;
 		} else {
@@ -2068,6 +2244,11 @@ sub read_a_line(;$$$) {
 	    }
 	}
 
+	if ( @ifstack ) {
+	    $currentlinenumber = 'EOF';
+	    fatal_error "Missing ?ENDIF to match the ?IF at line $ifstack[-1]->[3]";
+	}
+
 	close_file;
     }
 }
@@ -2092,6 +2273,25 @@ sub read_a_line1() {
     }
 }
 
+sub process_shorewallrc() {
+    my $home = $ENV{HOME} || `echo ~`;
+
+    $shorewallrc{PRODUCT} = $family == F_IPV4 ? 'shorewall' : 'shorewall6';
+
+    if ( $home && open_file "$home/.shorewallrc" ) {
+	while ( read_a_line1 ) {
+	    if ( $currentline =~ /^([a-zA-Z]\w*)=(.*)$/ ) {
+		my ($var, $val) = ($1, $2);
+		$val = $1 if $val =~ /^\"([^\"]*)\"$/;
+		expand_variables($val, 1 ) if supplied $val;
+		$shorewallrc{$var} = $val;
+	    } else {
+		fatal_error "Unrecognized shorewallrc entry";
+	    }
+	}
+    }
+}
+
 #
 # Provide the passed default value for the passed configuration variable
 #
@@ -2778,7 +2978,15 @@ sub Statistic_Match() {
 }
 
 sub Imq_Target() {
-    qt1( "$iptables -t mangle -A $sillyname -j IMQ --todev 0" );
+    have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -j IMQ --todev 0" );
+}
+
+sub Dscp_Match() {
+    have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -m dscp --dscp 0" );
+}
+
+sub Dscp_Target() {
+    have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -j DSCP --set-dscp 0" );
 }
 
 our %detect_capability =
@@ -2794,6 +3002,8 @@ our %detect_capability =
       CONNMARK_MATCH => \&Connmark_Match,
       CONNTRACK_MATCH => \&Conntrack_Match,
       CT_TARGET => \&Ct_Target,
+      DSCP_MATCH => \&Dscp_Match,
+      DSCP_TARGET => \&Dscp_Target,
       ENHANCED_REJECT => \&Enhanced_Reject,
       EXMARK => \&Exmark,
       FLOW_FILTER => \&Flow_Filter,
@@ -2941,11 +3151,6 @@ sub determine_capabilities() {
 	$capabilities{IPMARK_TARGET}   = detect_capability( 'IPMARK_TARGET' );
 	$capabilities{TPROXY_TARGET}   = detect_capability( 'TPROXY_TARGET' );
 
-	if ( $capabilities{MANGLE_ENABLED} ) {
-	    qt1( "$iptables -t mangle -F $sillyname" );
-	    qt1( "$iptables -t mangle -X $sillyname" );
-	}
-
 	$capabilities{MANGLE_FORWARD}  = detect_capability( 'MANGLE_FORWARD' );
 	$capabilities{RAW_TABLE}       = detect_capability( 'RAW_TABLE' );
 	$capabilities{RAWPOST_TABLE}   = detect_capability( 'RAWPOST_TABLE' );
@@ -2975,6 +3180,8 @@ sub determine_capabilities() {
 	$capabilities{CT_TARGET}       = detect_capability( 'CT_TARGET' );
 	$capabilities{STATISTIC_MATCH} = detect_capability( 'STATISTIC_MATCH' );
 	$capabilities{IMQ_TARGET}      = detect_capability( 'IMQ_TARGET' );
+	$capabilities{DSCP_MATCH}      = detect_capability( 'DSCP_MATCH' );
+	$capabilities{DSCP_TARGET}     = detect_capability( 'DSCP_TARGET' );
 
 
 	qt1( "$iptables -F $sillyname" );
@@ -2982,6 +3189,16 @@ sub determine_capabilities() {
 	qt1( "$iptables -F $sillyname1" );
 	qt1( "$iptables -X $sillyname1" );
 
+	if ( $capabilities{MANGLE_ENABLED} ) {
+	    qt1( "$iptables -t mangle -F $sillyname" );
+	    qt1( "$iptables -t mangle -X $sillyname" );
+	}
+
+	if ( $capabilities{NAT_ENABLED} ) {
+	    qt1( "$iptables -t nat -F $sillyname" );
+	    qt1( "$iptables -t nat -X $sillyname" );
+	}
+
 	$sillyname = $sillyname1 = undef;
     }
 }
@@ -3002,7 +3219,7 @@ sub ensure_config_path() {
 
     my $f = "$globals{SHAREDIR}/configpath";
 
-    $globals{CONFDIR} = "/usr/share/$product/configfiles/" if $> != 0;
+    $globals{CONFDIR} = "$shorewallrc{SHAREDIR}/$product/configfiles/" if $> != 0;
 
     unless ( $config{CONFIG_PATH} ) {
 	fatal_error "$f does not exist" unless -f $f;
@@ -3145,7 +3362,7 @@ sub update_config_file( $ ) {
 
 	my $heading_printed;
 
-	for ( keys %deprecated ) {
+	for ( grep ! $converted{$_} , keys %deprecated ) {
 	    if ( supplied( my $val = $config{$_} ) ) {
 		if ( lc $val ne $deprecated{$_} ) {
 		    unless ( $heading_printed ) {
@@ -3181,7 +3398,7 @@ EOF
 		progress_message3 "No update required to configuration file $configfile; $configfile.bak not saved";
 	    } else {
 		warning_message "Unable to unlink $configfile.bak";
-		progress_message3 "No update required to configuration file $configfile; $configfile.b";
+		progress_message3 "No update required to configuration file $configfile";
 	    }
 
 	    exit 0 unless -f find_file 'blacklist';
@@ -3209,7 +3426,7 @@ sub process_shorewall_conf( $$ ) {
 	    #
 	    # Don't expand shell variables or allow embedded scripting
 	    #
-	    while ( read_a_line( 0, 0 ) ) {
+	    while ( read_a_line1 ) {
 		if ( $currentline =~ /^\s*([a-zA-Z]\w*)=(.*?)\s*$/ ) {
 		    my ($var, $val) = ($1, $2);
 
@@ -3355,6 +3572,8 @@ sub unsupported_yes_no_warning( $ ) {
 sub get_params() {
     my $fn = find_file 'params';
 
+    my %reserved = ( COMMAND => 1, CONFDIR => 1, SHAREDIR => 1, VARDIR => 1 );
+
     if ( -f $fn ) {
 	progress_message2 "Processing $fn ...";
 
@@ -3458,6 +3677,13 @@ sub get_params() {
 	    }
 	}
 
+	for ( keys %params ) {
+	    unless ( $_ eq 'SHOREWALL_INIT_SCRIPT' ) {
+		fatal_error "The variable name $_ is reserved and may not be set in the params file"
+		    if /^SW_/ || /^SHOREWALL_/ || ( exists $config{$_} && ! exists $ENV{$_} ) || exists $reserved{$_};
+	    }
+	}
+
 	if ( $debug ) {
 	    print "PARAMS:\n";
 	    my $value;
@@ -3758,6 +3984,7 @@ sub get_configuration( $$$ ) {
     default_yes_no 'EXPORTMODULES'              , '';
     default_yes_no 'LEGACY_FASTSTART'           , 'Yes';
     default_yes_no 'USE_PHYSICAL_NAMES'         , '';
+    default_yes_no 'IPSET_WARNINGS'             , 'Yes';
 
     require_capability 'MARK' , 'FORWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK};
 
@@ -4035,8 +4262,9 @@ sub append_file( $;$$ ) {
 		#
 		# Include progress message -- Pretend progress_message call was in the file
 		#
+		my $name = $globals{EXPORT} ? "$file user exit" : $user_exit;
 		$result = 1;
-		save_progress_message "Processing $user_exit ...";
+		save_progress_message "Processing $name ...";
 		copy1 $user_exit;
 	    }
 	}

Shorewall/Perl/Shorewall/IPAddrs.pm

@@ -76,6 +76,7 @@ our @EXPORT = qw( ALLIPv4
 		  proto_name
 		  validate_port
 		  validate_portpair
+		  validate_portpair1
 		  validate_port_list
 		  validate_icmp
 		  validate_icmp6
@@ -371,6 +372,7 @@ sub validate_port( $$ ) {
 
 sub validate_portpair( $$ ) {
     my ($proto, $portpair) = @_;
+    my $what;
 
     fatal_error "Invalid port range ($portpair)" if $portpair =~ tr/:/:/ > 1;
 
@@ -379,16 +381,57 @@ sub validate_portpair( $$ ) {
 
     my @ports = split /:/, $portpair, 2;
 
-    $_ = validate_port( $proto, $_) for ( grep $_, @ports );
+    my $protonum = resolve_proto( $proto ) || 0;
+
+    $_ = validate_port( $protonum, $_) for grep $_, @ports;
 
     if ( @ports == 2 ) {
+	$what = 'port range';
 	fatal_error "Invalid port range ($portpair)" unless $ports[0] < $ports[1];
+    } else {
+	$what = 'port';
     }
 
+    fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, SCTP or DCCP" unless 
+	defined $protonum && ( $protonum == TCP  ||
+			       $protonum == UDP  ||
+			       $protonum == SCTP ||
+			       $protonum == DCCP );
     join ':', @ports;
 
 }
 
+sub validate_portpair1( $$ ) {
+    my ($proto, $portpair) = @_;
+    my $what;
+
+    fatal_error "Invalid port range ($portpair)" if $portpair =~ tr/-/-/ > 1;
+
+    $portpair = "0$portpair"       if substr( $portpair,  0, 1 ) eq ':';
+    $portpair = "${portpair}65535" if substr( $portpair, -1, 1 ) eq ':';
+
+    my @ports = split /-/, $portpair, 2;
+
+    my $protonum = resolve_proto( $proto ) || 0;
+
+    $_ = validate_port( $protonum, $_) for grep $_, @ports;
+
+    if ( @ports == 2 ) {
+	$what = 'port range';
+	fatal_error "Invalid port range ($portpair)" unless $ports[0] < $ports[1];
+    } else {
+	$what = 'port';
+    }
+
+    fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, SCTP or DCCP" unless 
+	defined $protonum && ( $protonum == TCP  ||
+			       $protonum == UDP  ||
+			       $protonum == SCTP ||
+			       $protonum == DCCP );
+    join '-', @ports;
+
+}
+
 sub validate_port_list( $$ ) {
     my $result = '';
     my ( $proto, $list ) = @_;

Shorewall/Perl/Shorewall/Misc.pm

@@ -67,18 +67,17 @@ sub process_tos() {
     my $chain    = have_capability( 'MANGLE_FORWARD' ) ? 'fortos'  : 'pretos';
     my $stdchain = have_capability( 'MANGLE_FORWARD' ) ? 'FORWARD' : 'PREROUTING';
 
-    my %tosoptions = ( 'minimize-delay'       => 0x10 ,
-		       'maximize-throughput'  => 0x08 ,
-		       'maximize-reliability' => 0x04 ,
-		       'minimize-cost'        => 0x02 ,
-		       'normal-service'       => 0x00 );
-
-    if ( my $fn = open_file 'tos' ) {
+   if ( my $fn = open_file 'tos' ) {
 	my $first_entry = 1;
 
 	my ( $pretosref, $outtosref );
 
-	first_entry( sub { progress_message2 "$doing $fn..."; $pretosref = ensure_chain 'mangle' , $chain; $outtosref = ensure_chain 'mangle' , 'outtos'; } );
+	first_entry( sub { progress_message2 "$doing $fn..."; 
+			   warning_message "Use of the tos file is deprecated in favor of the TOS target in tcrules";
+			   $pretosref = ensure_chain 'mangle' , $chain; 
+			   $outtosref = ensure_chain 'mangle' , 'outtos';
+		       }
+		   );
 
 	while ( read_a_line ) {
 
@@ -86,14 +85,7 @@ sub process_tos() {
 
 	    $first_entry = 0;
 
-	    fatal_error 'A value must be supplied in the TOS column' if $tos eq '-';
-
-	    if ( defined ( my $tosval = $tosoptions{"\L$tos"} ) ) {
-		$tos = $tosval;
-	    } else {
-		my $val = numeric_value( $tos );
-		fatal_error "Invalid TOS value ($tos)" unless defined( $val ) && $val < 0x1f;
-	    }
+	    $tos = decode_tos( $tos , 1 );
 
 	    my $chainref;
 
@@ -129,7 +121,7 @@ sub process_tos() {
 		$src ,
 		$dst ,
 		'' ,
-		"TOS --set-tos $tos" ,
+		'TOS' . $tos ,
 		'' ,
 		'TOS' ,
 		'';
@@ -216,8 +208,8 @@ sub setup_blacklist() {
     # for 'refresh' to work properly.
     #
     if ( @$zones || @$zones1 ) {
-	$chainref  = dont_delete new_standard_chain 'blacklst' if @$zones;
-	$chainref1 = dont_delete new_standard_chain 'blackout' if @$zones1;
+	$chainref  = set_optflags( new_standard_chain( 'blacklst' ), DONT_OPTIMIZE | DONT_DELETE ) if @$zones;
+	$chainref1 = set_optflags( new_standard_chain( 'blackout' ), DONT_OPTIMIZE | DONT_DELETE ) if @$zones1;
 
 	if ( supplied $level ) {
 	    $target = ensure_blacklog_chain ( $target, $disposition, $level, $audit );
@@ -695,9 +687,9 @@ sub add_common_rules ( $ ) {
     my $rejectref = $filter_table->{reject};
 
     if ( $config{DYNAMIC_BLACKLIST} ) {
-	add_rule_pair dont_delete( new_standard_chain( 'logdrop' ) ),   '' , 'DROP'   , $level ;
-	add_rule_pair dont_delete( new_standard_chain( 'logreject' ) ), '' , 'reject' , $level ;
-	$dynamicref = dont_optimize( new_standard_chain( 'dynamic' ) );
+	add_rule_pair( set_optflags( new_standard_chain( 'logdrop' )  , DONT_OPTIMIZE | DONT_DELETE ), '' , 'DROP'   , $level );
+	add_rule_pair( set_optflags( new_standard_chain( 'logreject' ), DONT_OPTIMIZE | DONT_DELETE ), '' , 'reject' , $level );
+	$dynamicref =  set_optflags( new_standard_chain( 'dynamic' ) ,  DONT_OPTIMIZE );
 	add_commands( $dynamicref, '[ -f ${VARDIR}/.dynamic ] && cat ${VARDIR}/.dynamic >&3' );
     }
 
@@ -994,7 +986,7 @@ sub add_common_rules ( $ ) {
 	if ( @$list ) {
 	    progress_message2 "$doing UPnP";
 
-	    $chainref = dont_optimize new_nat_chain( 'UPnP' );
+	    $chainref = set_optflags( new_nat_chain( 'UPnP' ), DONT_OPTIMIZE );
 
 	    add_commands( $chainref, '[ -s /${VARDIR}/.UPnP ] && cat ${VARDIR}/.UPnP >&3' );
 
@@ -1013,9 +1005,10 @@ sub add_common_rules ( $ ) {
 	    for $interface ( @$list ) {
 		my $chainref = $filter_table->{input_option_chain $interface};
 		my $base     = uc chain_base get_physical $interface;
-		my $variable = get_interface_gateway $interface;
+		my $optional = interface_is_optional( $interface );
+		my $variable = get_interface_gateway( $interface, ! $optional );
 
-		if ( interface_is_optional $interface ) {
+		if ( $optional ) {
 		    add_commands( $chainref,
 				  qq(if [ -n "SW_\$${base}_IS_USABLE" -a -n "$variable" ]; then) );
 		    incr_cmd_level( $chainref );
@@ -1481,7 +1474,7 @@ sub generate_matrix() {
     for my $zone ( @zones ) {
 	my $zoneref = find_zone( $zone );
 	
-	next if  @zones <= 2 && ! $zoneref->{options}{complex};
+	next if  @zones <= 2 && ! $zoneref->{complex};
 	#
 	# Complex zone or we have more than one non-firewall zone -- process_rules created a zone forwarding chain
 	#
@@ -1560,13 +1553,12 @@ sub generate_matrix() {
 	my $source_hosts_ref = $zoneref->{hosts};
 	my $chain1           = rules_target firewall_zone , $zone;
 	my $chain2           = rules_target $zone, firewall_zone;
-	my $complex          = $zoneref->{options}{complex} || 0;
 	my $type             = $zoneref->{type};
 	my $frwd_ref         = $filter_table->{zone_forward_chain $zone};
 	my $chain            = 0;
 	my $dnatref          = ensure_chain 'nat' , dnat_chain( $zone );
 	my $notrackref       = ensure_chain 'raw' , notrack_chain( $zone );
-	my $nested           = $zoneref->{options}{nested};
+	my $nested           = @{$zoneref->{parents}};
 	my $parenthasnat     = 0;
 	my $parenthasnotrack = 0;
 

Shorewall/Perl/Shorewall/Nat.pm

@@ -54,8 +54,8 @@ sub initialize() {
 #
 sub process_one_masq( )
 {
-    my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user ) = 
-	split_line1 'masq file', { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7 };
+    my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition ) = 
+	split_line1 'masq file', { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8 };
 
     if ( $interfacelist eq 'COMMENT' ) {
 	process_comment;
@@ -88,7 +88,7 @@ sub process_one_masq( )
 	$interfacelist = $1;
     } elsif ( $interfacelist =~ /^([^:]+):([^:]*)$/ ) {
 	my ( $one, $two ) = ( $1, $2 );
-	if ( $2 =~ /\./ ) {
+	if ( $2 =~ /\./ || $2 =~ /^%/ ) {
 	    $interfacelist = $one;
 	    $destnets = $two;
 	}
@@ -117,9 +117,9 @@ sub process_one_masq( )
     }
 
     #
-    # Handle Protocol and Ports
+    # Handle Protocol, Ports and Condition
     #
-    $baserule .= do_proto $proto, $ports, '';
+    $baserule .= do_proto( $proto, $ports, '' ) . do_condition( $condition );
     #
     # Handle Mark
     #
@@ -195,7 +195,7 @@ sub process_one_masq( )
 			    if ( $conditional = conditional_rule( $chainref, $addr ) ) {
 				$addrlist .= '--to-source ' . get_interface_address $1;
 			    } else {
-				$addrlist .= '--to-source ' . record_runtime_address $1;
+				$addrlist .= '--to-source ' . record_runtime_address( '&', $1 );
 			    }
 			} elsif ( $addr =~ /^.*\..*\..*\./ ) {
 			    $target = 'SNAT ';
@@ -210,9 +210,7 @@ sub process_one_masq( )
 			} else {
 			    my $ports = $addr; 
 			    $ports =~ s/^://;
-			    my $portrange = $ports;
-			    $portrange =~ s/-/:/;
-			    validate_portpair( $proto, $portrange );
+			    validate_portpair1( $proto, $ports );
 			    $addrlist .= "--to-ports $ports ";
 			    $exceptionrule = do_proto( $proto, '', '' );
 			}

Shorewall/Perl/Shorewall/Providers.pm

@@ -160,9 +160,7 @@ sub setup_route_marking() {
 
 	    my $chainref2 = new_chain( 'mangle', load_chain( $physical ) );
 
-	    dont_optimize $chainref2;
-	    dont_move     $chainref2;
-	    dont_delete   $chainref2;
+	    set_optflags( $chainref2, DONT_OPTIMIZE | DONT_MOVE | DONT_DELETE );
 	
   	    add_ijump ( $chainref1,
 			j => $chainref2 ,
@@ -918,7 +916,7 @@ sub add_an_rtrule( ) {
     if ( $source eq '-' ) {
 	$source = 'from ' . ALLIP;
     } elsif ( $source =~ s/^&// ) {
-	$source = 'from ' . record_runtime_address $source;
+	$source = 'from ' . record_runtime_address '&', $source;
     } elsif ( $family == F_IPV4 ) {
 	if ( $source =~ /:/ ) {
 	    ( my $interface, $source , my $remainder ) = split( /:/, $source, 3 );

Shorewall/Perl/Shorewall/Rules.pm

@@ -963,7 +963,7 @@ sub createlogactionchain( $$$$$ ) {
 
     unless ( $targets{$action} & BUILTIN ) {
 
-	dont_optimize $chainref;
+	set_optflags( $chainref, DONT_OPTIMIZE );
 
 	my $file = find_file $chain;
 
@@ -997,7 +997,7 @@ sub createsimpleactionchain( $ ) {
 
     unless ( $targets{$action} & BUILTIN ) {
 
-	dont_optimize $chainref;
+	set_optflags( $chainref, DONT_OPTIMIZE );
 
 	my $file = find_file $action;
 
@@ -1306,7 +1306,7 @@ sub allowInvalid ( $$$$ ) {
 }
 
 sub forwardUPnP ( $$$$ ) {
-    my $chainref = dont_optimize 'forwardUPnP';
+    my $chainref = set_optflags( 'forwardUPnP', DONT_OPTIMIZE );
 
     add_commands( $chainref , '[ -f ${VARDIR}/.forwardUPnP ] && cat ${VARDIR}/.forwardUPnP >&3' );
 }
@@ -2238,7 +2238,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
 	    }
 	}
 
-	dont_move( dont_optimize( $nonat_chain ) ) if $tgt eq 'RETURN';
+	set_optflags( $nonat_chain, DONT_MOVE | DONT_OPTIMIZE ) if $tgt eq 'RETURN';
 
 	expand_rule( $nonat_chain ,
 		     PREROUTE_RESTRICT ,
@@ -2262,7 +2262,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
 	    $action = $usedactions{$normalized_target}{name};
 	    $loglevel = '';
 	} else {
-	    dont_move( dont_optimize ( $chainref ) ) if $action eq 'RETURN';
+	    set_optflags( $chainref , DONT_MOVE | DONT_OPTIMIZE ) if $action eq 'RETURN';
 	}
 
 	if ( $origdest ) {
@@ -2458,6 +2458,12 @@ sub process_rule ( ) {
     progress_message qq(   Rule "$thisline" $done);
 }
 
+sub intrazone_allowed( $$ ) {
+    my ( $zone, $zoneref ) = @_;
+
+    $zoneref->{complex} && $filter_table->{rules_chain( $zone, $zone )}{policy} ne 'NONE';
+}
+
 #
 # Add jumps to the blacklst and blackout chains
 #
@@ -2470,7 +2476,7 @@ sub classic_blacklist() {
     
     for my $zone ( @zones ) {
 	my $zoneref = find_zone( $zone );
-	my $simple  =  @zones <= 2 && ! $zoneref->{options}{complex};
+	my $simple  =  @zones <= 2 && ! $zoneref->{complex};
 	
 	if ( $zoneref->{options}{in}{blacklist} ) {
 	    my $blackref = $filter_table->{blacklst};
@@ -2484,7 +2490,7 @@ sub classic_blacklist() {
 		    my $ruleschain    = rules_chain( $zone, $zone1 );
 		    my $ruleschainref = $filter_table->{$ruleschain};
 
-		    if ( ( $zone ne $zone1 || $ruleschainref->{referenced} ) && $ruleschainref->{policy} ne 'NONE' ) {
+		    if ( $zone ne $zone1 || intrazone_allowed( $zone, $zoneref ) ) {
 			add_ijump( ensure_rules_chain( $ruleschain ), j => $blackref, @state );
 		    }
 		}
@@ -2501,7 +2507,7 @@ sub classic_blacklist() {
 		my $ruleschain    = rules_chain( $zone1, $zone );
 		my $ruleschainref = $filter_table->{$ruleschain};
 
-		if ( ( $zone ne $zone1 || $ruleschainref->{referenced} ) && $ruleschainref->{policy} ne 'NONE' ) {
+		if ( ( $zone ne $zone1 || intrazone_allowed( $zone, $zoneref ) ) ) {
 		    add_ijump( ensure_rules_chain( $ruleschain ), j => $blackref, @state );
 		}
 	    }
@@ -2568,6 +2574,11 @@ sub process_rules( $ ) {
 
     add_interface_options( $blrules );
 
+    #
+    # Handle MSS settings in the zones file
+    #
+    setup_zone_mss;
+
     $fn = open_file 'rules';
 
     if ( $fn ) {

Shorewall/Perl/Shorewall/Tc.pm

@@ -194,14 +194,14 @@ sub initialize( $ ) {
 }
 
 sub process_tc_rule( ) {
-    my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability );
+    my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp );
     if ( $family == F_IPV4 ) {
-	( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability ) =
-	    split_line1 'tcrules file', { mark => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, probability => 12 };
+	( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp ) =
+	    split_line1 'tcrules file', { mark => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, probability => 12 , dscp => 13 };
 	$headers = '-';
     } else {
-	( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability ) = 
-	    split_line1 'tcrules file', { mark => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 };
+	( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp ) = 
+	    split_line1 'tcrules file', { mark => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 , dscp => 14 };
     }
 
     our @tccmd;
@@ -239,6 +239,157 @@ sub process_tc_rule( ) {
     my $device   = '';
     my $fw       = firewall_zone;
     my $list;
+    my $restriction = 0;
+    my $cmd;
+    my $rest;
+
+    my %processtcc = ( sticky => sub() {
+			                  if ( $chain eq 'tcout' ) {
+					      $target = 'sticko';
+					  } else {
+					      fatal_error "SAME rules are only allowed in the PREROUTING and OUTPUT chains" if $chain ne 'tcpre';
+					  }
+
+					  $restriction = DESTIFACE_DISALLOW;
+
+					  ensure_mangle_chain($target);
+
+					  $sticky++;
+				      },
+		       IPMARK => sub() {
+			                  my ( $srcdst, $mask1, $mask2, $shift ) = ('src', 255, 0, 0 );
+
+					  require_capability 'IPMARK_TARGET', 'IPMARK', 's';
+
+					  if ( $cmd =~ /^IPMARK\((.+?)\)$/ ) {
+					      my $params = $1;
+					      my $val;
+
+					      my ( $sd, $m1, $m2, $s , $bad ) = split ',', $params;
+
+					      fatal_error "Invalid IPMARK parameters ($params)" if $bad;
+					      fatal_error "Invalid IPMARK parameter ($sd)" unless ( $sd eq 'src' || $sd eq 'dst' );
+					      $srcdst = $sd;
+
+					      if ( supplied $m1 ) {
+						  $val = numeric_value ($m1);
+						  fatal_error "Invalid Mask ($m1)" unless defined $val && $val && $val <= 0xffffffff;
+						  $mask1 = in_hex ( $val & 0xffffffff );
+					      }
+
+					      if ( supplied $m2 ) {
+						  $val = numeric_value ($m2);
+						  fatal_error "Invalid Mask ($m2)" unless defined $val && $val <= 0xffffffff;
+						  $mask2 = in_hex ( $val & 0xffffffff );
+					      }
+
+					      if ( defined $s ) {
+						  $val = numeric_value ($s);
+						  fatal_error "Invalid Shift Bits ($s)" unless defined $val && $val >= 0 && $val < 128;
+						  $shift = $s;
+					      }			    
+					  } else {
+					      fatal_error "Invalid MARK/CLASSIFY ($cmd)" unless $cmd eq 'IPMARK';
+					  }
+
+					  $target = "IPMARK --addr $srcdst --and-mask $mask1 --or-mask $mask2 --shift $shift";
+				      },
+		       TPROXY => sub() {
+			                  require_capability( 'TPROXY_TARGET', 'Use of TPROXY', 's');
+
+			                  fatal_error "Invalid TPROXY specification( $cmd/$rest )" if $rest;
+
+					  $chain = 'tcpre';
+
+					  $cmd =~ /TPROXY\((.+?)\)$/;
+
+					  my $params = $1;
+
+					  fatal_error "Invalid TPROXY specification( $cmd )" unless defined $params;
+
+					  ( $mark, my $port, my $ip, my $bad ) = split ',', $params;
+
+					  fatal_error "Invalid TPROXY specification( $cmd )" if defined $bad;
+
+					  if ( $port ) {
+					      $port = validate_port( 'tcp', $port );
+					  } else {
+					      $port = 0;
+					  }
+
+					  $target .= " --on-port $port";
+
+					  if ( supplied $ip ) {
+					      if ( $family == F_IPV6 ) {
+						  $ip = $1 if $ip =~ /^\[(.+)\]$/ || $ip =~ /^<(.+)>$/;
+					      }
+
+					      validate_address $ip, 1;
+					      $target .= " --on-ip $ip";
+					  }
+
+					  $target .= ' --tproxy-mark';
+				      },
+		       TTL => sub() {
+			                  fatal_error "TTL is not supported in IPv6 - use HL instead" if $family == F_IPV6;
+					  fatal_error "Invalid TTL specification( $cmd/$rest )" if $rest;
+					  fatal_error "Chain designator $designator not allowed with TTL" if $designator && ! ( $designator eq 'F' );
+
+					  $chain = 'tcfor';
+
+					  $cmd =~ /^TTL\(([-+]?\d+)\)$/;
+
+					  my $param =  $1;
+
+					  fatal_error "Invalid TTL specification( $cmd )" unless $param && ( $param = abs $param ) < 256;
+
+					  if ( $1 =~ /^\+/ ) {
+					      $target .= " --ttl-inc $param";
+					  } elsif ( $1 =~ /\-/ ) {
+					      $target .= " --ttl-dec $param";
+					  } else {
+					      $target .= " --ttl-set $param";
+					  }
+				      },
+		       HL => sub() {
+			                  fatal_error "HL is not supported in IPv4 - use TTL instead" if $family == F_IPV4;
+					  fatal_error "Invalid HL specification( $cmd/$rest )" if $rest;
+					  fatal_error "Chain designator $designator not allowed with HL" if $designator && ! ( $designator eq 'F' );
+
+					  $chain = 'tcfor';
+
+					  $cmd =~ /^HL\(([-+]?\d+)\)$/;
+
+					  my $param =  $1;
+
+					  fatal_error "Invalid HL specification( $cmd )" unless $param && ( $param = abs $param ) < 256;
+
+					  if ( $1 =~ /^\+/ ) {
+					      $target .= " --hl-inc $param";
+					  } elsif ( $1 =~ /\-/ ) {
+					      $target .= " --hl-dec $param";
+					  } else {
+					      $target .= " --hl-set $param";
+					  }
+				      },
+		       IMQ => sub() {
+			                  assert( $cmd =~ /^IMQ\((\d+)\)$/ );
+					  require_capability 'IMQ_TARGET', 'IMQ', 's';
+					  $target .= " --todev $1";
+				      },
+		       DSCP => sub() {
+			                  assert( $cmd =~ /^DSCP\((\w+)\)$/ );
+					  require_capability 'DSCP_TARGET', 'The DSCP action', 's'; 
+					  my $dscp = numeric_value( $1 );
+					  $dscp = $dscpmap{$1} unless defined $dscp;
+					  fatal_error( "Invalid DSCP ($1)" ) unless defined $dscp && $dscp <= 0x38 && ! ( $dscp & 1 );
+					  $target .= ' --set-dscp ' . in_hex( $dscp );
+				      },
+		       TOS => sub() {
+			                  assert( $cmd =~ /^TOS\((.+)\)$/ );
+					  $target .= decode_tos( $1 , 2 );
+				      },
+		     );
 
     if ( $source ) {
 	if ( $source eq $fw ) {
@@ -312,12 +463,15 @@ sub process_tc_rule( ) {
 	}
     }
 
-    my ($cmd, $rest) = split( '/', $mark, 2 );
+    if ( $mark =~ /^TOS/ ) {
+	$cmd = $mark;
+	$rest = '';
+    } else {
+	($cmd, $rest) = split( '/', $mark, 2 );
+    }
 
     $list = '';
 
-    my $restriction = 0;
-
     unless ( $classid ) {
       MARK:
 	{
@@ -336,134 +490,8 @@ sub process_tc_rule( ) {
 			$mark =~ s/^[|&]//;
 		    }
 
-		    if ( $target eq 'sticky' ) {
-			if ( $chain eq 'tcout' ) {
-			    $target = 'sticko';
-			} else {
-			    fatal_error "SAME rules are only allowed in the PREROUTING and OUTPUT chains" if $chain ne 'tcpre';
-			}
-
-			$restriction = DESTIFACE_DISALLOW;
-
-			ensure_mangle_chain($target);
-
-			$sticky++;
-		    } elsif ( $target eq 'IPMARK' ) {
-			my ( $srcdst, $mask1, $mask2, $shift ) = ('src', 255, 0, 0 );
-
-			require_capability 'IPMARK_TARGET', 'IPMARK', 's';
-
-			if ( $cmd =~ /^IPMARK\((.+?)\)$/ ) {
-			    my $params = $1;
-			    my $val;
-
-			    my ( $sd, $m1, $m2, $s , $bad ) = split ',', $params;
-
-			    fatal_error "Invalid IPMARK parameters ($params)" if $bad;
-			    fatal_error "Invalid IPMARK parameter ($sd)" unless ( $sd eq 'src' || $sd eq 'dst' );
-			    $srcdst = $sd;
-
-			    if ( supplied $m1 ) {
-				$val = numeric_value ($m1);
-				fatal_error "Invalid Mask ($m1)" unless defined $val && $val && $val <= 0xffffffff;
-				$mask1 = in_hex ( $val & 0xffffffff );
-			    }
-
-			    if ( supplied $m2 ) {
-				$val = numeric_value ($m2);
-				fatal_error "Invalid Mask ($m2)" unless defined $val && $val <= 0xffffffff;
-				$mask2 = in_hex ( $val & 0xffffffff );
-			    }
-
-			    if ( defined $s ) {
-				$val = numeric_value ($s);
-				fatal_error "Invalid Shift Bits ($s)" unless defined $val && $val >= 0 && $val < 128;
-				$shift = $s;
-			    }			    
-			} else {
-			    fatal_error "Invalid MARK/CLASSIFY ($cmd)" unless $cmd eq 'IPMARK';
-			}
-
-			$target = "IPMARK --addr $srcdst --and-mask $mask1 --or-mask $mask2 --shift $shift";
-		    } elsif ( $target eq 'TPROXY' ) {
-			require_capability( 'TPROXY_TARGET', 'Use of TPROXY', 's');
-
-			fatal_error "Invalid TPROXY specification( $cmd/$rest )" if $rest;
-
-			$chain = 'tcpre';
-
-			$cmd =~ /TPROXY\((.+?)\)$/;
-
-			my $params = $1;
-
-			fatal_error "Invalid TPROXY specification( $cmd )" unless defined $params;
-
-			( $mark, my $port, my $ip, my $bad ) = split ',', $params;
-
-			fatal_error "Invalid TPROXY specification( $cmd )" if defined $bad;
-
-			if ( $port ) {
-			    $port = validate_port( 'tcp', $port );
-			} else {
-			    $port = 0;
-			}
-
-			$target .= " --on-port $port";
-
-			if ( supplied $ip ) {
-			    if ( $family == F_IPV6 ) {
-				$ip = $1 if $ip =~ /^\[(.+)\]$/ || $ip =~ /^<(.+)>$/;
-			    }
-
-			    validate_address $ip, 1;
-			    $target .= " --on-ip $ip";
-			}
-
-			$target .= ' --tproxy-mark';
-		    } elsif ( $target eq 'TTL' ) {
-			fatal_error "TTL is not supported in IPv6 - use HL instead" if $family == F_IPV6;
-			fatal_error "Invalid TTL specification( $cmd/$rest )" if $rest;
-			fatal_error "Chain designator $designator not allowed with TTL" if $designator && ! ( $designator eq 'F' );
-
-			$chain = 'tcfor';
-
-			$cmd =~ /^TTL\(([-+]?\d+)\)$/;
-
-			my $param =  $1;
-
-			fatal_error "Invalid TTL specification( $cmd )" unless $param && ( $param = abs $param ) < 256;
-
-			if ( $1 =~ /^\+/ ) {
-			    $target .= " --ttl-inc $param";
-			} elsif ( $1 =~ /\-/ ) {
-			    $target .= " --ttl-dec $param";
-			} else {
-			    $target .= " --ttl-set $param";
-			}
-		    } elsif ( $target eq 'HL' ) {
-			fatal_error "HL is not supported in IPv4 - use TTL instead" if $family == F_IPV4;
-			fatal_error "Invalid HL specification( $cmd/$rest )" if $rest;
-			fatal_error "Chain designator $designator not allowed with HL" if $designator && ! ( $designator eq 'F' );
-
-			$chain = 'tcfor';
-
-			$cmd =~ /^HL\(([-+]?\d+)\)$/;
-
-			my $param =  $1;
-
-			fatal_error "Invalid HL specification( $cmd )" unless $param && ( $param = abs $param ) < 256;
-
-			if ( $1 =~ /^\+/ ) {
-			    $target .= " --hl-inc $param";
-			} elsif ( $1 =~ /\-/ ) {
-			    $target .= " --hl-dec $param";
-			} else {
-			    $target .= " --hl-set $param";
-			}
-		    } elsif ( $target eq 'IMQ' ) {
-			assert( $cmd =~ /^IMQ\((\d+)\)$/ );
-			require_capability 'IMQ_TARGET', 'IMQ', 's';
-			$target .= " --todev $1";
+		    if ( my $f = $processtcc{$target} ) {
+			$f->();
 		    }
 
 		    if ( $rest ) {
@@ -510,7 +538,8 @@ sub process_tc_rule( ) {
 				     do_connbytes( $connbytes ) .
 				     do_helper( $helper ) .
 				     do_headers( $headers ) .
-				     do_probability( $probability ) ,
+				     do_probability( $probability ) .
+				     do_dscp( $dscp ),
 				     $source ,
 				     $dest ,
 				     '' ,
@@ -855,7 +884,7 @@ sub validate_tc_device( ) {
 			    pfifo         => $pfifo,
 			    tablenumber   => 1 ,
 			    redirected    => \@redirected,
-			    default       => 0,
+			    default       => undef,
 			    nextclass     => 2,
 			    qdisc         => $qdisc,
 			    guarantee     => 0,
@@ -998,6 +1027,7 @@ sub validate_tc_class( ) {
 	}
     } else {
 	fatal_error "Duplicate Class NUMBER ($classnumber)" if $tcref->{$classnumber};
+	$markval = '-';
     }
 
     if ( $parentclass != 1 ) {
@@ -1009,7 +1039,7 @@ sub validate_tc_class( ) {
 	fatal_error "Unknown Parent class ($parentnum)" unless $parentref && $parentref->{occurs} == 1;
 	fatal_error "The class ($parentnum) specifies UMAX and/or DMAX; it cannot serve as a parent" if $parentref->{dmax};
 	fatal_error "The class ($parentnum) specifies flow; it cannot serve as a parent"             if $parentref->{flow};
-	fatal_error "The default class ($parentnum) may not have sub-classes"                        if $devref->{default} == $parentclass;
+	fatal_error "The default class ($parentnum) may not have sub-classes"                        if ( $devref->{default} || 0 ) == $parentclass;
 	$parentref->{leaf} = 0;
 	$ratemax  = $parentref->{rate};
 	$ratename = q(the parent class's RATE);
@@ -1114,8 +1144,10 @@ sub validate_tc_class( ) {
     }
 
     unless ( $devref->{classify} || $occurs > 1 ) {
-	fatal_error "Missing MARK" if $mark eq '-';
-	warning_message "Class NUMBER ignored -- INTERFACE $device does not have the 'classify' option"	if $devclass =~ /:/;
+	if ( $mark ne '-' ) {
+	    fatal_error "Missing MARK" if $mark eq '-';
+	    warning_message "Class NUMBER ignored -- INTERFACE $device does not have the 'classify' option"	if $devclass =~ /:/;
+	}
     }
 
     $tcref->{flow}  = $devref->{flow}  unless $tcref->{flow};
@@ -1596,7 +1628,7 @@ sub process_traffic_shaping() {
 	my $devnum  = in_hexp $devref->{number};
 	my $r2q     = int calculate_r2q $devref->{out_bandwidth};
 
-	fatal_error "No default class defined for device $devname" unless $devref->{default};
+	fatal_error "No default class defined for device $devname" unless defined $devref->{default};
 
 	my $device = physical_name $devname;
 
@@ -1708,7 +1740,7 @@ sub process_traffic_shaping() {
 		#
 		# add filters
 		#
-		unless ( $devref->{classify} ) {
+		unless ( $mark eq '-' ) {
 		    emit "run_tc filter add dev $device protocol all parent $devicenumber:0 prio " . ( $priority | 20 ) . " handle $mark fw classid $classid" if $tcref->{occurs} == 1;
 		}
 
@@ -1988,6 +2020,18 @@ sub setup_tc() {
 			  mask      => '',
 			  connmark  => 0
 			},
+			{ match     => sub( $ ) { $_[0] =~ /^DSCP\(\w+\)$/ },
+			  target    => 'DSCP',
+			  mark      => NOMARK,
+			  mask      => '',
+			  connmark  => 0
+			},
+			{ match     => sub( $ ) { $_[0] =~ /^TOS\(.+\)$/ },
+			  target    => 'TOS',
+			  mark      => NOMARK,
+			  mask      => '',
+			  connmark  => 0
+			},
 		      );
 
 	if ( my $fn = open_file 'tcrules' ) {

Shorewall/Perl/Shorewall/Zones.pm

@@ -83,6 +83,7 @@ our @EXPORT = qw( NOTHING
 		  compile_updown
 		  validate_hosts_file
 		  find_hosts_by_option
+		  find_zone_hosts_by_option
 		  find_zones_by_option
 		  all_ipsets
 		  have_ipsec
@@ -113,11 +114,10 @@ use constant { IN_OUT     => 1,
 #
 #     @zones contains the ordered list of zones with sub-zones appearing before their parents.
 #
-#     %zones{<zone1> => {type = >      <zone type>       FIREWALL, IP, IPSEC, BPORT;
-#                        options =>    { complex => 0|1
-#                                        nested  => 0|1
-#                                        super   => 0|1
-#                                        in_out  => < policy match string >
+#     %zones{<zone1> => {type =>       <zone type>       FIREWALL, IP, IPSEC, BPORT;
+#                        complex =>    0|1
+#                        super   =>    0|1
+#                        options =>    { in_out  => < policy match string >
 #                                        in      => < policy match string >
 #                                        out     => < policy match string >
 #                                      }
@@ -227,6 +227,25 @@ my %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 );
 
 my %validhostoptions;
 
+my %validzoneoptions = ( mss          => NUMERIC,
+			 nomark       => NOTHING,
+			 blacklist    => NOTHING,
+			 strict       => NOTHING,
+			 next         => NOTHING,
+			 reqid        => NUMERIC,
+			 spi          => NUMERIC,
+			 proto        => IPSECPROTO,
+			 mode         => IPSECMODE,
+			 "tunnel-src" => NETWORK,
+			 "tunnel-dst" => NETWORK,
+		       );
+
+use constant { UNRESTRICTED => 1, NOFW => 2 , COMPLEX => 8, IN_OUT_ONLY => 16 };
+#
+# Hash of options that have their own key in the returned hash.
+#
+my %zonekey = ( mss => UNRESTRICTED | COMPLEX , blacklist => NOFW, nomark => NOFW | IN_OUT_ONLY );
+
 #
 # Rather than initializing globals in an INIT block or during declaration,
 # we initialize them in a function. This is done for two reasons:
@@ -290,6 +309,7 @@ sub initialize( $$ ) {
 			     broadcast => 1,
 			     destonly => 1,
 			     sourceonly => 1,
+			     mss => 1,
 			    );
 	%zonetypes = ( 1 => 'firewall', 2 => 'ipv4', 4 => 'bport4', 8 => 'ipsec4', 16 => 'vserver' );
     } else {
@@ -316,6 +336,7 @@ sub initialize( $$ ) {
 			     maclist => 1,
 			     routeback => 1,
 			     tcpflags => 1,
+			     mss => 1,
 			    );
 	%zonetypes = ( 1 => 'firewall', 2 => 'ipv6', 4 => 'bport6', 8 => 'ipsec4', 16 => 'vserver' );
     }
@@ -329,25 +350,6 @@ sub initialize( $$ ) {
 #
 sub parse_zone_option_list($$\$$)
 {
-    my %validoptions = ( mss          => NUMERIC,
-			 nomark       => NOTHING,
-			 blacklist    => NOTHING,
-			 strict       => NOTHING,
-			 next         => NOTHING,
-			 reqid        => NUMERIC,
-			 spi          => NUMERIC,
-			 proto        => IPSECPROTO,
-			 mode         => IPSECMODE,
-			 "tunnel-src" => NETWORK,
-			 "tunnel-dst" => NETWORK,
-		       );
-
-    use constant { UNRESTRICTED => 1, NOFW => 2 , COMPLEX => 8, IN_OUT_ONLY => 16 };
-    #
-    # Hash of options that have their own key in the returned hash.
-    #
-    my %key = ( mss => UNRESTRICTED | COMPLEX , blacklist => NOFW, nomark => NOFW | IN_OUT_ONLY );
-
     my ( $list, $zonetype, $complexref, $column ) = @_;
     my %h;
     my $options = '';
@@ -367,7 +369,7 @@ sub parse_zone_option_list($$\$$)
 		$e   = $1;
 	    }
 
-	    $fmt = $validoptions{$e};
+	    $fmt = $validzoneoptions{$e};
 
 	    fatal_error "Invalid Option ($e)" unless $fmt;
 
@@ -378,7 +380,7 @@ sub parse_zone_option_list($$\$$)
 		fatal_error "Invalid value ($val) for option \"$e\"" unless $val =~ /^($fmt)$/;
 	    }
 
-	    my $key = $key{$e};
+	    my $key = $zonekey{$e};
 
 	    if ( $key ) {
 		fatal_error "Option '$e' not permitted with this zone type " if $key & NOFW && ($zonetype & ( FIREWALL | VSERVER) );
@@ -403,13 +405,13 @@ sub parse_zone_option_list($$\$$)
 #
 # Set the super option on the passed zoneref and propagate to its parents
 #
-sub set_super( $ );
+sub set_super( $ ); #required for recursion
 
 sub set_super( $ ) {
     my $zoneref = shift;
 
-    unless ( $zoneref->{options}{super} ) {
-	$zoneref->{options}{super} = 1;
+    unless ( $zoneref->{super} ) {
+	$zoneref->{super} = 1;
 	set_super( $zones{$_} ) for @{$zoneref->{parents}};
     }
 }
@@ -487,10 +489,9 @@ sub process_zone( \$ ) {
 				    options    => { in_out  => parse_zone_option_list( $options , $type, $complex , IN_OUT ) ,
 						    in      => parse_zone_option_list( $in_options , $type , $complex , IN ) ,
 						    out     => parse_zone_option_list( $out_options , $type , $complex , OUT ) ,
-						    complex => ( $type & IPSEC || $complex ) ,
-						    nested  => @parents > 0 ,
-						    super   => 0 ,
 						  } ,
+				    super      => 0 ,
+				    complex    => ( $type & IPSEC || $complex ) ,
 				    interfaces => {} ,
 				    children   => [] ,
 				    hosts      => {}
@@ -506,7 +507,7 @@ sub process_zone( \$ ) {
 		fatal_error "Zone mark overflow - please increase the setting of ZONE_BITS" if $zonemark >= $zonemarklimit;
 		$mark      = $zonemark;
 		$zonemark += $zonemarkincr;
-		$zoneref->{options}{complex} = 1;
+		$zoneref->{complex} = 1;
 	    }
 	}
 
@@ -516,7 +517,6 @@ sub process_zone( \$ ) {
 	    progress_message_nocompress "   Zone $zone:\tmark value " . in_hex( $zoneref->{mark} = $mark );
 	}
     }
-	
 
     if ( $zoneref->{options}{in_out}{blacklist} ) {
 	for ( qw/in out/ ) {
@@ -769,13 +769,13 @@ sub add_group_to_zone($$$$$)
 
     my $gtype = $type & IPSEC ? 'ipsec' : 'ip';
 
-    $hostsref     = ( $zoneref->{hosts}           || ( $zoneref->{hosts} = {} ) );
-    $typeref      = ( $hostsref->{$gtype}         || ( $hostsref->{$gtype} = {} ) );
-    $interfaceref = ( $typeref->{$interface}      || ( $typeref->{$interface} = [] ) );
+    $hostsref     = ( $zoneref->{hosts}      ||= {} );
+    $typeref      = ( $hostsref->{$gtype}    ||= {} );
+    $interfaceref = ( $typeref->{$interface} ||= [] );
 
     fatal_error "Duplicate Host Group ($interface:" . ALLIP . ") in zone $zone" if $allip && @$interfaceref;
 
-    $zoneref->{options}{complex} = 1 if @$interfaceref || ( @newnetworks > 1 ) || ( @exclusions ) || $options->{routeback};
+    $zoneref->{complex} = 1 if @$interfaceref || @newnetworks > 1 || @exclusions || $options->{routeback};
 
     push @{$interfaceref}, { options => $options,
 			     hosts   => \@newnetworks,
@@ -838,7 +838,7 @@ sub all_parent_zones() {
 }
 
 sub complex_zones() {
-    grep( $zones{$_}{options}{complex} , @zones );
+    grep( $zones{$_}{complex} , @zones );
 }
 
 sub vserver_zones() {
@@ -912,10 +912,27 @@ sub process_interface( $$ ) {
     my ( $nextinum, $export ) = @_;
     my $netsref   = '';
     my $filterref = [];
-    my ($zone, $originalinterface, $bcasts, $options ) = split_line 'interfaces file', { zone => 0, interface => 1, broadcast => 2, options => 3 };
+    my ($zone, $originalinterface, $bcasts, $options );
     my $zoneref;
     my $bridge = '';
+    our $format;
 
+    if ( $format == 1 ) {
+	($zone, $originalinterface, $bcasts, $options ) = split_line1 'interfaces file', { zone => 0, interface => 1, broadcast => 2, options => 3 }, { COMMENT => 0, FORMAT => 2 };
+    } else {
+	($zone, $originalinterface, $options ) = split_line1 'interfaces file', { zone => 0, interface => 1, options => 2 }, { COMMENT => 0, FORMAT => 2 };
+	$bcasts = '-';
+    }
+
+    if ( $zone eq 'FORMAT' ) {
+	if ( $originalinterface =~ /^([12])$/ ) {
+	    $format = $1;
+	    return;
+	}
+
+	fatal_error "Invalid FORMAT ($1)";
+    }
+	
     if ( $zone eq '-' ) {
 	$zone = '';
     } else {
@@ -1185,7 +1202,8 @@ sub process_interface( $$ ) {
 # Parse the interfaces file.
 #
 sub validate_interfaces_file( $ ) {
-    my $export = shift;
+    my  $export = shift;
+    our $format = 1;
     
     my @ifaces;
     my $nextinum = 1;
@@ -1820,7 +1838,7 @@ sub process_host( ) {
     }
 
     if ( $hosts =~ /^!?\+/ ) {
-	$zoneref->{options}{complex} = 1;
+	$zoneref->{complex} = 1;
 	fatal_error "ipset name qualification is disallowed in this file" if $hosts =~ /[\[\]]/;
 	fatal_error "Invalid ipset name ($hosts)" unless $hosts =~ /^!?\+[a-zA-Z][-\w]*$/;
     }
@@ -1844,12 +1862,16 @@ sub process_host( ) {
 	    if ( $option eq 'ipsec' ) {
 		require_capability 'POLICY_MATCH' , q(The 'ipsec' option), 's';
 		$type = IPSEC;
-		$zoneref->{options}{complex} = 1;
+		$zoneref->{complex} = 1;
 		$ipsec = $interfaceref->{ipsec} = 1;
 	    } elsif ( $option eq 'norfc1918' ) {
 		warning_message "The 'norfc1918' host option is no longer supported"
 	    } elsif ( $option eq 'blacklist' ) {
 		$zoneref->{options}{in}{blacklist} = 1;
+	    } elsif ( $option =~ /^mss=(\d+)$/ ) {
+		fatal_error "Invalid mss ($1)" unless $1 >= 500;
+		$options{mss} = $1;
+		$zoneref->{options}{complex} = 1;
 	    } elsif ( $validhostoptions{$option}) {
 		fatal_error qq(The "$option" option is not allowed with Vserver zones) if $type & VSERVER && ! ( $validhostoptions{$option} & IF_OPTION_VSERVER );
 		$options{$option} = 1;
@@ -1914,8 +1936,7 @@ sub validate_hosts_file()
 
     $have_ipsec = $ipsec || haveipseczones;
 
-    $_->{options}{complex} ||= ( keys %{$_->{interfaces}} > 1 ) for values %zones;
-
+    $_->{complex} ||= ( keys %{$_->{interfaces}} > 1 ) for values %zones;
 }
 
 #
@@ -1927,7 +1948,7 @@ sub have_ipsec() {
 
 #
 # Returns a reference to a array of host entries. Each entry is a
-# reference to an array containing ( interface , polciy match type {ipsec|none} , network , exclusions );
+# reference to an array containing ( interface , polciy match type {ipsec|none} , network , exclusions, value );
 #
 sub find_hosts_by_option( $ ) {
     my $option = $_[0];
@@ -1937,9 +1958,9 @@ sub find_hosts_by_option( $ ) {
 	while ( my ($type, $interfaceref) = each %{$zones{$zone}{hosts}} ) {
 	    while ( my ( $interface, $arrayref) = ( each %{$interfaceref} ) ) {
 		for my $host ( @{$arrayref} ) {
-		    if ( $host->{options}{$option} ) {
+		    if ( my $value = $host->{options}{$option} ) {
 			for my $net ( @{$host->{hosts}} ) {
-			    push @hosts, [ $interface, $host->{ipsec} , $net , $host->{exclusions}];
+			    push @hosts, [ $interface, $host->{ipsec} , $net , $host->{exclusions}, $value ];
 			}
 		    }
 		}
@@ -1956,6 +1977,30 @@ sub find_hosts_by_option( $ ) {
     \@hosts;
 }
 
+#
+# As above but for a single zone
+#
+sub find_zone_hosts_by_option( $$ ) {
+    my ($zone, $option ) = @_;
+    my @hosts;
+
+    unless ( $zones{$zone}{type} & FIREWALL ) {
+	while ( my ($type, $interfaceref) = each %{$zones{$zone}{hosts}} ) {
+	    while ( my ( $interface, $arrayref) = ( each %{$interfaceref} ) ) {
+		for my $host ( @{$arrayref} ) {
+		    if ( my $value = $host->{options}{$option} ) {
+			for my $net ( @{$host->{hosts}} ) {
+			    push @hosts, [ $interface, $host->{ipsec} , $net , $host->{exclusions}, $value ];
+			}
+		    }
+		}
+	    }
+	}
+    }
+
+    \@hosts;
+}
+
 #
 # Returns a reference to a list of zones with the passed in/out option
 #

Shorewall/Perl/getparams

@@ -33,7 +33,22 @@ else
     g_program=shorewall
 fi
 
-. /usr/share/shorewall/lib.cli
+if [ -f ~/.shorewallrc ]; then
+    . ~/.shorewallrc || exit 1
+else
+    SHAREDIR=/usr/share
+    CONFDIR=${CONFDIR}
+    SBINDIR=/sbin
+    VARDIR=/var/lib
+    LIBEXECDIR=/usr/share
+fi
+
+g_libexec="$LIBEXECDIR"
+g_sharedir="$SHAREDIR"
+g_sbindir="$SBINDIR"
+g_readrc=1
+
+. $g_sharedir/shorewall/lib.cli
 
 CONFIG_PATH="$2"
 

Shorewall/Perl/macro.BLACKLIST

@@ -0,0 +1,11 @@
+#
+# Shorewall version 4 - blacklist Macro
+#
+# /usr/share/shorewall/macro.blacklist
+#
+#	This macro handles blacklisting using BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S)	PORT(S)	LIMIT	GROUP
+$BLACKLIST_DISPOSITION:$BLACKLIST_LOGLEVEL

Shorewall/Perl/prog.footer

@@ -62,12 +62,14 @@ checkkernelversion() {
 #
 # Start trace if first arg is "debug" or "trace"
 #
+g_debug_iptables=
+
 if [ $# -gt 1 ]; then
     if [ "x$1" = "xtrace" ]; then
 	set -x
 	shift
     elif [ "x$1" = "xdebug" ]; then
-	DEBUG=Yes
+	g_debug_iptables=Yes
 	shift
     fi
 fi
@@ -83,6 +85,14 @@ g_noroutes=$NOROUTES
 g_timestamp=$TIMESTAMP
 g_recovering=$RECOVERING
 
+if [ -f ~/.shorewallrc ]; then
+    . ~/.shorewallrc || exit 1
+else
+    CONFDIR=/etc
+    SHAREDIR=/usr/share
+    VARDIR=/var/lib
+fi
+
 initialize
 
 if [ -n "$STARTUP_LOG" ]; then

Shorewall/Perl/prog.header

@@ -1,402 +0,0 @@
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 1999-2011 - Tom Eastep (teastep@shorewall.net)
-#
-#	Options are:
-#
-#	    -n				  Don't alter Routing
-#	    -v and -q			  Standard Shorewall Verbosity control
-#           -t                            Timestamp progress messages
-#           -p                            Purge conntrack table
-#           -r                            Recover from failed start/restart
-#           -V <verbosity>                Set verbosity level explicitly
-#           -R <restore>                  Overrides RESTOREFILE setting
-#
-#	Commands are:
-#
-#	   start			  Starts the firewall
-#          refresh                        Refresh the firewall
-#	   restart			  Restarts the firewall
-#	   reload			  Reload the firewall
-#	   clear			  Removes all firewall rules
-#	   stop				  Stops the firewall
-#	   status			  Displays firewall status
-#	   version			  Displays the version of Shorewall that
-#	   				  generated this program
-#
-################################################################################
-# Functions imported from /usr/share/shorewall/prog.header
-################################################################################
-#
-# Find the value 'weight' in the passed arguments then echo the next value
-#
-
-find_weight() {
-    while [ $# -gt 1 ]; do
-	[ "x$1" = xweight ] && echo $2 && return
-	shift
-    done
-}
-
-#
-# Find the interfaces that have a route to the passed address - the default
-# route is not used.
-#
-
-find_rt_interface() {
-    $IP -4 route list | while read addr rest; do
-	case $addr in
-	    */*)
-		in_network ${1%/*} $addr && echo $(find_device $rest)
-		;;
-	    default)
-		;;
-	    *)
-		if [ "$addr" = "$1" -o "$addr/32" = "$1" ]; then
-		    echo $(find_device $rest)
-		fi
-		;;
-	esac
-    done
-}
-
-#
-# Echo the name of the interface(s) that will be used to send to the
-# passed address
-#
-
-find_interface_by_address() {
-    local dev
-    dev="$(find_rt_interface $1)"
-    local first
-    local rest
-
-    [ -z "$dev" ] && dev=$(find_default_interface)
-
-    [ -n "$dev" ] && echo $dev
-}
-
-#
-#  echo the list of networks routed out of a given interface
-#
-get_routed_networks() # $1 = interface name, $2-n = Fatal error message
-{
-    local address
-    local rest
-
-    $IP -4 route show dev $1 2> /dev/null |
-	while read address rest; do
-	    case "$address" in
-		default)
-		    if [ $# -gt 1 ]; then
-			shift
-			fatal_error "$@"
-		    else
-			echo "WARNING: default route ignored on interface $1" >&2
-		    fi
-		    ;;
-		multicast|broadcast|prohibit|nat|throw|nexthop)
-		    ;;
-		*)
-		    [ "$address" = "${address%/*}" ] && address="${address}/32"
-		    echo $address
-		    ;;
-	    esac
-        done
-}
-
-#
-# Get the broadcast addresses associated with an interface
-#
-get_interface_bcasts() # $1 = interface
-{
-    local addresses
-    addresses=
-
-    $IP -f inet addr show dev $1 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
-}
-
-#
-# Delete IP address
-#
-del_ip_addr() # $1 = address, $2 = interface
-{
-    [ $(find_first_interface_address_if_any $2) = $1 ] || qtnoin $IP addr del $1 dev $2
-}
-
-# Add IP Aliases
-#
-add_ip_aliases() # $* = List of addresses
-{
-    local local
-    local addresses
-    local external
-    local interface
-    local inet
-    local cidr
-    local rest
-    local val
-    local arping
-    arping=$(mywhich arping)
-
-    address_details()
-    {
-	#
-	# Folks feel uneasy if they don't see all of the same
-	# decoration on these IP addresses that they see when their
-	# distro's net config tool adds them. In an attempt to reduce
-	# the anxiety level, we have the following code which sets
-	# the VLSM and BRD from an existing address in the same networks
-	#
-	# Get all of the lines that contain inet addresses with broadcast
-	#
-	$IP -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | while read inet cidr rest ; do
-	    case $cidr in
-		*/*)
-		    if in_network $external $cidr; then
-			echo "/${cidr#*/} brd $(broadcastaddress $cidr)"
-			break
-		    fi
-		    ;;
-	    esac
-	done
-    }
-
-    do_one()
-    {
-	val=$(address_details)
-
-	$IP addr add ${external}${val} dev $interface $label
-	[ -n "$arping" ] && qt $arping -U -c 2 -I $interface $external
-	echo "$external $interface" >> $VARDIR/nat
-	[ -n "$label" ] && label="with $label"
-	progress_message "   IP Address $external added to interface $interface $label"
-    }
-
-    progress_message "Adding IP Addresses..."
-
-    while [ $# -gt 0 ]; do
-	external=$1
-	interface=$2
-	label=
-
-	if [ "$interface" != "${interface%:*}" ]; then
-	    label="${interface#*:}"
-	    interface="${interface%:*}"
-	    label="label $interface:$label"
-	fi
-
-	shift 2
-
-	list_search $external $(find_interface_addresses $interface) || do_one
-    done
-}
-
-#
-# Detect the gateway through a PPP or DHCP-configured interface
-#
-detect_dynamic_gateway() { # $1 = interface
-    local interface
-    interface=$1
-    local GATEWAYS
-    GATEWAYS=
-    local gateway
-
-    gateway=$(run_findgw_exit $1);
-
-    if [ -z "$gateway" ]; then
-	gateway=$( find_peer $($IP addr list $interface ) )
-    fi
-
-    if [ -z "$gateway" -a -f /var/lib/dhcpcd/dhcpcd-${1}.info ]; then
-	eval $(grep ^GATEWAYS=  /var/lib/dhcpcd/dhcpcd-${1}.info 2> /dev/null)
-	[ -n "$GATEWAYS" ] && GATEWAYS=${GATEWAYS%,*} && gateway=$GATEWAYS
-    fi
-
-    if [ -z "$gateway" -a -f /var/lib/dhcp/dhclient-${1}.lease ]; then
-	gateway=$(grep 'option routers' /var/lib/dhcp/dhclient-${1}.lease | tail -n 1 | while read j1 j2 gateway; do echo $gateway ; return 0; done)
-    fi
-
-    [ -n "$gateway" ] && echo $gateway
-}
-
-#
-# Detect the gateway through an interface
-#
-detect_gateway() # $1 = interface
-{
-    local interface
-    interface=$1
-    local gateway
-    #
-    # First assume that this is some sort of dynamic interface
-    #
-    gateway=$( detect_dynamic_gateway $interface )
-    #
-    # Maybe there's a default route through this gateway already
-    #
-    [ -n "$gateway" ] || gateway=$(find_gateway $($IP -4 route list dev $interface | grep ^default))
-    #
-    # Last hope -- is there a load-balancing route through the interface?
-    #
-    [ -n "$gateway" ] || gateway=$(find_nexthop $interface)
-    #
-    # Be sure we found one
-    #
-    [ -n "$gateway" ] && echo $gateway
-}
-
-#
-# Disable IPV6
-#
-disable_ipv6() {
-    local foo
-    foo="$($IP -f inet6 addr list 2> /dev/null)"
-
-    if [ -n "$foo" ]; then
-	if [ -x "$IP6TABLES" ]; then
-	    $IP6TABLES -P FORWARD DROP
-	    $IP6TABLES -P INPUT DROP
-	    $IP6TABLES -P OUTPUT DROP
-	    $IP6TABLES -F
-	    $IP6TABLES -X
-	    $IP6TABLES -A OUTPUT -o lo -j ACCEPT
-	    $IP6TABLES -A INPUT -i lo -j ACCEPT
-	else
-	    error_message "WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables"
-	fi
-    fi
-}
-
-#
-# Add an additional gateway to the default route
-#
-add_gateway() # $1 = Delta $2 = Table Number
-{
-    local route
-    local weight
-    local delta
-    local dev
-    
-    route=`$IP -4 -o route ls table $2 | grep ^default | sed 's/default //; s/[\]//g'`
-
-    if [ -z "$route" ]; then
-	run_ip route add default scope global table $2 $1
-    else
-	delta=$1
-
-	if ! echo $route | fgrep -q ' nexthop '; then
-	    route=`echo $route | sed 's/via/nexthop via/'`
-	    dev=$(find_device $route)
-	    if [ -f ${VARDIR}/${dev}_weight ]; then
-		weight=`cat ${VARDIR}/${dev}_weight`
-		route="$route weight $weight"
-	    fi
-	fi
-
-	run_ip route replace default scope global table $2 $route $delta
-    fi
-}
-
-#
-# Remove a gateway from the default route
-#
-delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device
-{
-    local route
-    local gateway
-    local dev
-
-    route=`$IP -4 -o route ls table $2 | grep ^default | sed 's/[\]//g'`
-    gateway=$1
-  
-    if [ -n "$route" ]; then
-	if echo $route | fgrep -q ' nexthop '; then
-	    gateway="nexthop $gateway"
-	    eval route=\`echo $route \| sed \'s/$gateway/ /\'\`
-	    run_ip route replace table $2 $route
-	else
-	    dev=$(find_device $route)
-	    [ "$dev" = "$3" ] && run_ip route delete default table $2
-	fi
-    fi
-}
-
-#
-# Determine the MAC address of the passed IP through the passed interface
-#
-find_mac() # $1 = IP address, $2 = interface
-{
-    if interface_is_usable $2 ; then
-	qt ping -nc 1 -t 2 -I $2 $1
-
-	local result
-	result=$($IP neigh list |  awk "/^$1 / {print \$5}")
-
-	case $result in
-	    \<*\>)
-		;;
-	    *)
-		[ -n "$result" ] && echo $result
-		;;
-	esac
-    fi
-}
-
-#
-# Clear Proxy Arp
-#
-delete_proxyarp() {
-    if [ -f ${VARDIR}/proxyarp ]; then
-	while read address interface external haveroute; do
-	    qtnoin $IP -4 neigh del proxy $address dev $external
-	    [ -z "${haveroute}${g_noroutes}" ] && qtnoin $IP -4 route del $address/32 dev $interface
-	    f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
-	    [ -f $f ] && echo 0 > $f
-	done < ${VARDIR}/proxyarp
-
-	rm -f ${VARDIR}/proxyarp
-    fi
-}
-
-#
-# Remove all Shorewall-added rules
-#
-clear_firewall() {
-    stop_firewall
-
-    setpolicy INPUT ACCEPT
-    setpolicy FORWARD ACCEPT
-    setpolicy OUTPUT ACCEPT
-
-    run_iptables -F
-    qt $IPTABLES -t raw -F
-
-    echo 1 > /proc/sys/net/ipv4/ip_forward
-
-    if [ -n "$DISABLE_IPV6" ]; then
-	if [ -x $IP6TABLES ]; then
-    	    $IP6TABLES -P INPUT   ACCEPT 2> /dev/null
-	    $IP6TABLES -P OUTPUT  ACCEPT 2> /dev/null
-	    $IP6TABLES -P FORWARD ACCEPT 2> /dev/null
-	fi
-    fi
-
-    run_clear_exit
-
-    set_state "Cleared"
-
-    logger -p kern.info "$g_product Cleared"
-}
-
-#
-# Get a list of all configured broadcast addresses on the system
-#
-get_all_bcasts()
-{
-    $IP -f inet addr show 2> /dev/null | grep 'inet.*brd' | grep -v '/32 ' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
-}
-
-################################################################################
-# End of functions in /usr/share/shorewall/prog.header
-################################################################################

Shorewall/Perl/prog.header6

@@ -1,311 +0,0 @@
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 1999-2011- Tom Eastep (teastep@shorewall.net)
-#
-#	Options are:
-#
-#	    -n				  Don't alter Routing
-#	    -v and -q			  Standard Shorewall Verbosity control
-#           -t                            Timestamp progress messages
-#           -p                            Purge conntrack table
-#           -r                            Recover from failed start/restart
-#           -V <verbosity>                Set verbosity level explicitly
-#           -R <restore>                  Overrides RESTOREFILE setting
-#
-#	Commands are:
-#
-#	   start			  Starts the firewall
-#          refresh                        Refresh the firewall
-#	   restart			  Restarts the firewall
-#	   reload			  Reload the firewall
-#	   clear			  Removes all firewall rules
-#	   stop				  Stops the firewall
-#	   status			  Displays firewall status
-#	   version			  Displays the version of Shorewall that
-#	   				  generated this program
-#
-################################################################################
-# Functions imported from /usr/share/shorewall/prog.header6
-################################################################################
-#
-# Get all interface addresses with VLSMs
-#
-
-find_interface_full_addresses() # $1 = interface
-{
-    $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 ' | sed 's/\s*inet6 //;s/ scope.*//;s/ peer.*//'
-}
-
-#
-# Normalize an IPv6 Address by compressing out consecutive zero elements
-#
-normalize_address() # $1 = valid IPv6 Address
-{
-    local address
-    address=$1
-    local j
-
-    while true; do
-	case $address in
-	    ::*)
-		address=0$address
-		;;
-	    *::*)
-		list_count $(split $address)
-
-		j=$?
-
-		if [ $j -eq 7 ]; then
-		    address=${address%::*}:0:${address#*::}
-		elif [ $j -eq 8 ]; then
-		    $address=${address%::*}:${address#*::}
-		    break 2
-		else
-		    address=${address%::*}:0::${address#*::}
-		fi
-		;;
-	    *)
-		echo $address
-		break 2
-		;;
-	esac
-    done
-}
-
-#
-# Reads correctly-formed and fully-qualified host and subnet addresses from STDIN. For each
-# that defines a /120 or larger network, it sends to STDOUT:
-#
-#    The corresponding subnet-router anycast address (all host address bits are zero)
-#    The corresponding anycast addresses defined by RFC 2526 (the last 128 addresses in the subnet)
-#
-convert_to_anycast() {
-    local address
-    local badress
-    local vlsm
-    local host
-    local o
-    local m
-    m=
-    local z
-    z=65535
-    local l
-
-    while read address; do
-	case $address in
-	    2*|3*)
-		vlsm=${address#*/}
-		vlsm=${vlsm:=128}
-
-		if [ $vlsm -le 120 ]; then
-	            #
-	            # Defines a viable subnet -- first get the subnet-router anycast address
-	            #
-		    host=$((128 - $vlsm))
-
-		    address=$(normalize_address ${address%/*})
-
-		    while [ $host -ge 16 ]; do
-			address=${address%:*}
-			host=$(($host - 16))
-		    done
-
-		    if [ $host -gt 0 ]; then
-			#
-			# VLSM is not a multiple of 16
-			#
-			host=$((16 - $host))
-			o=$((0x${address##*:}))
-			m=0
-			while [ $host -gt 0 ]; do
-			    m=$((($m >> 1) | 0x8000))
-			    z=$(($z >> 1))
-			    host=$(($host - 1))
-			done
-
-			o=$(($o & $m))
-
-			badress=${address%:*}
-
-			address=$badress:$(printf %04x $o)
-
-			z=$(($o | $z))
-
-			if [ $vlsm -gt 112 ]; then
-			    z=$(($z & 0xff80))
-			fi
-
-			badress=$badress:$(printf %04x $z)
-		    else
-			badress=$address
-		    fi
-		    #
-		    # Note: at this point $address and $badress are the same except possibly for
-		    #       the contents of the last half-word
-		    #
-		    list_count $(split $address)
-
-		    l=$?
-		    #
-		    # Now generate the anycast addresses defined by RFC 2526
-		    #
-		    if [ $l -lt 8 ]; then
-			#
-			# The subnet-router address
-			#
-			echo $address::
-
-		    	while [ $l -lt 8 ]; do
-			    badress=$badress:ffff
-			    l=$(($l + 1 ))
-			done
-		    else
-			#
-			# The subnet-router address
-			#
-			echo $address
-		    fi
-		    #
-		    # And the RFC 2526 addresses
-		    #
-		    echo $badress/121
-		fi
-		;;
-	esac
-    done
-}
-
-#
-# Generate a list of anycast addresses for a given interface
-#
-
-get_interface_acasts() # $1 = interface
-{
-    local addresses
-    addresses=
-
-    find_interface_full_addresses $1 | convert_to_anycast | sort -u
-}
-
-#
-# Get a list of all configured anycast addresses on the system
-#
-get_all_acasts()
-{
-    find_interface_full_addresses | convert_to_anycast | sort -u
-}
-
-#
-# Detect the gateway through an interface
-#
-detect_gateway() # $1 = interface
-{
-    local interface
-    interface=$1
-    #
-    # First assume that this is some sort of point-to-point interface
-    #
-    gateway=$( find_peer $($IP -6 addr list $interface ) )
-    #
-    # Maybe there's a default route through this gateway already
-    #
-    [ -n "$gateway" ] || gateway=$(find_gateway $($IP -6 route list dev $interface | grep '^default'))
-    #
-    # Last hope -- is there a load-balancing route through the interface?
-    #
-    [ -n "$gateway" ] || gateway=$(find_nexthop $interface)
-    #
-    # Be sure we found one
-    #
-    [ -n "$gateway" ] && echo $gateway
-}
-
-#
-# Add an additional gateway to the default route
-#
-add_gateway() # $1 = Delta $2 = Table Number
-{
-    local route
-    local weight
-    local delta
-    local dev
-    
-    run_ip route add default scope global table $2 $1
-}
-
-#
-# Remove a gateway from the default route
-#
-delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device
-{
-    local route
-    local gateway
-    local dev
-
-    route=`$IP -6 -o route ls table $2 | grep ^default | sed 's/[\]//g'`
-    gateway=$1
-  
-    dev=$(find_device $route)
-    [ "$dev" = "$3" ] && run_ip route delete default table $2
-}
-
-#
-# Determine how to do "echo -e"
-#
-
-find_echo() {
-    local result
-
-    result=$(echo "a\tb")
-    [ ${#result} -eq 3 ] && { echo echo; return; }
-
-    result=$(echo -e "a\tb")
-    [ ${#result} -eq 3 ] && { echo "echo -e"; return; }
-
-    result=$(which echo)
-    [ -n "$result" ] && { echo "$result -e"; return; }
-
-    echo echo
-}
-
-#
-# Clear Proxy NDP
-#
-delete_proxyndp() {
-    if [ -f ${VARDIR}/proxyndp ]; then
-	while read address interface external haveroute; do
-	    qt $IP -6 neigh del proxy $address dev $external
-	    [ -z "${haveroute}${g_noroutes}" ] && qt $IP -6 route del $address/128 dev $interface
-	    f=/proc/sys/net/ipv6/conf/$interface/proxy_ndp
-	    [ -f $f ] && echo 0 > $f
-	done < ${VARDIR}/proxyndp
-
-	rm -f ${VARDIR}/proxyndp
-    fi
-}
-
-#
-# Remove all Shorewall-added rules
-#
-clear_firewall() {
-    stop_firewall
-
-    setpolicy INPUT ACCEPT
-    setpolicy FORWARD ACCEPT
-    setpolicy OUTPUT ACCEPT
-
-    run_iptables -F
-    qt $IP6TABLES -t raw -F
-
-    echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-
-    run_clear_exit
-
-    set_state "Cleared"
-
-    logger -p kern.info "$g_product Cleared"
-}
-
-################################################################################
-# End of functions imported from /usr/share/shorewall/prog.header6
-################################################################################

Shorewall/Samples/Universal/shorewall.conf

@@ -138,6 +138,8 @@ FORWARD_CLEAR_MARK=
 
 IMPLICIT_CONTINUE=No
 
+IPSET_WARNINGS=Yes
+
 IP_FORWARDING=On
 
 KEEP_RT_TABLES=No

Shorewall/Samples/one-interface/shorewall.conf

@@ -149,6 +149,8 @@ FORWARD_CLEAR_MARK=
 
 IMPLICIT_CONTINUE=No
 
+IPSET_WARNINGS=Yes
+
 IP_FORWARDING=Off
 
 KEEP_RT_TABLES=No

Shorewall/Samples/three-interfaces/shorewall.conf

@@ -147,6 +147,8 @@ FORWARD_CLEAR_MARK=
 
 IMPLICIT_CONTINUE=No
 
+IPSET_WARNINGS=Yes
+
 IP_FORWARDING=On
 
 KEEP_RT_TABLES=No

Shorewall/Samples/two-interfaces/shorewall.conf

@@ -150,6 +150,8 @@ FORWARD_CLEAR_MARK=
 
 IMPLICIT_CONTINUE=No
 
+IPSET_WARNINGS=Yes
+
 IP_FORWARDING=On
 
 KEEP_RT_TABLES=No

Shorewall/action.Invalid

@@ -49,7 +49,7 @@ my $target           = require_audit ( $action , $audit );
 log_rule_limit $level, $chainref, 'Invalid' , $action, '', $tag, 'add', "$globals{STATEMATCH} INVALID " if $level ne '';
 add_jump $chainref , $target, 0, "$globals{STATEMATCH} INVALID ";
 
-$chainref->{dont_optimize} = 0;
+allow_optimize( $chainref );
 
 1;
 

Shorewall/action.NotSyn

@@ -49,7 +49,7 @@ my $target           = require_audit ( $action , $audit );
 log_rule_limit $level, $chainref, 'NotSyn' , $action, '', $tag, 'add', '-p 6 ! --syn ' if $level ne '';
 add_jump $chainref , $target, 0, '-p 6 ! --syn ';
 
-$chainref->{dont_optimize} = 0;
+allow_optimize( $chainref );
 
 1;
 

Shorewall/configfiles/interfaces

@@ -7,4 +7,8 @@
 # http://www.shorewall.net/manpages/shorewall-interfaces.html
 #
 ###############################################################################
+FORMAT 1
 #ZONE	INTERFACE	BROADCAST	OPTIONS
+
+FORMAT 2
+#ZONE		INTERFACE		OPTIONS

Shorewall/configfiles/masq

@@ -6,6 +6,6 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-masq.html
 #
-#############################################################################################
-#INTERFACE:DEST		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/
+######################################################################################################
+#INTERFACE:DEST		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/	SWITCH
 #											GROUP

Shorewall/configfiles/shorewall.conf

@@ -138,6 +138,8 @@ FORWARD_CLEAR_MARK=
 
 IMPLICIT_CONTINUE=No
 
+IPSET_WARNINGS=Yes
+
 IP_FORWARDING=On
 
 KEEP_RT_TABLES=No

Shorewall/configfiles/tcrules

@@ -9,7 +9,7 @@
 #
 # See http://shorewall.net/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
-######################################################################################################################################
-#MARK	SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS   CONNBYTES		HELPER    PROBABILITY
+##########################################################################################################################################
+#ACTION	SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS   CONNBYTES		HELPER    PROBABILITY DSCP
 #						PORT(S)	PORT(S)
 

Shorewall/configfiles/tos

@@ -4,5 +4,5 @@
 # For information about entries in this file, type "man shorewall-tos"
 #
 ###############################################################################
-#SOURCE		DEST		PROTOCOL	SOURCE	DEST	TOS	MARK
+#SOURCE		DEST		PROTOCOL	DEST	SOURCE	TOS	MARK
 #						PORTS	PORTS

Shorewall/init.debian.sh

@@ -11,7 +11,6 @@
 ### END INIT INFO
 
 
-
 SRWL=/sbin/shorewall
 SRWL_OPTS="-tvv"
 WAIT_FOR_IFUP=/usr/share/shorewall/wait4ifup
@@ -54,10 +53,18 @@ not_configured () {
 	exit 0
 }
 
+#determine where the files were installed
+if [ -f ~/.shorewallrc ]; then
+    . ~/.shorewallrc || exit 1
+    SRWL=${SBIN}/shorewall
+else
+    SYSCONFDIR=/etc/default
+fi
+
 # check if shorewall is configured or not
-if [ -f "/etc/default/shorewall" ]
+if [ -f "${SYSCONFDIR}/shorewall" ]
 then
-	. /etc/default/shorewall
+	. ${SYSCONFDIR}/shorewall
 	SRWL_OPTS="$SRWL_OPTS $OPTIONS"
 	if [ "$startup" != "1" ]
 	then

Shorewall/init.sh

@@ -54,7 +54,7 @@ RCDLINKS="2,S41 3,S41 6,K41"
 # Give Usage Information						       #
 ################################################################################
 usage() {
-    echo "Usage: $0 start|stop|reload|restart|status"
+    echo "Usage: $0 start|stop|reload|restart|status" > &2
     exit 1
 }
 
@@ -62,10 +62,16 @@ usage() {
 # Get startup options (override default)
 ################################################################################
 OPTIONS="-v0"
-if [ -f /etc/sysconfig/shorewall ]; then
-    . /etc/sysconfig/shorewall
-elif [ -f /etc/default/shorewall ] ; then
-    . /etc/default/shorewall
+
+if [ ~/.shorewallrc ]; then
+    . ~/.shorewallrc || exit 1
+else
+    SBIN=/sbin
+    SYSCONFDIR=/etc/sysconfig
+fi
+
+if [ -f ${SYSCONFDIR}/shorewall ]; then
+    . ${SYSCONFDIR}/shorewall
 fi
 
 export SHOREWALL_INIT_SCRIPT=1
@@ -78,13 +84,13 @@ shift
 
 case "$command" in
     start)
-	exec /sbin/shorewall $OPTIONS start $STARTOPTIONS $@
+	exec $SBIN/shorewall $OPTIONS start $STARTOPTIONS
 	;;
     restart|reload)
-	exec /sbin/shorewall $OPTIONS restart $RESTARTOPTIONS $@
+	exec $SBIN/shorewall $OPTIONS restart $RESTARTOPTIONS
 	;;
     status|stop)
-	exec /sbin/shorewall $OPTIONS $command $@
+	exec $SBIN/shorewall $OPTIONS $command
 	;;
     *)
 	usage

Shorewall/lib.cli-std

@@ -239,7 +239,7 @@ get_config() {
 	LOG_VERBOSITY=-1
     fi
 
-    if [ -n "$SHOREWALL_SHELL" ]; then
+    if [ -n "$SHOREWALL_SHELL" -a -z "$g_export" ]; then
 	if [ ! -x "$SHOREWALL_SHELL" ]; then
 	    echo "   WARNING: The program specified in SHOREWALL_SHELL does not exist or is not executable; falling back to /bin/sh" >&2
 	    SHOREWALL_SHELL=/bin/sh
@@ -1353,11 +1353,13 @@ reload_command() # $* = original arguments less the command.
 	    ;;
     esac
 
-    temp=$(rsh_command /sbin/${g_program}-lite show config 2> /dev/null | grep ^LITEDIR | sed 's/LITEDIR is //')
+    config=$(rsh_command ${g_program}-lite show config 2> /dev/null)
+
+    temp=$(echo $config | grep ^LITEDIR | sed 's/LITEDIR is //')
 
     [ -n "$temp" ] && litedir="$temp"
 
-    temp=$(rsh_command /sbin/${g_program}-lite show config 2> /dev/null | grep ^LIBEXEC | sed 's/LIBEXEC is //')
+    temp=$(echo $config | grep ^LIBEXEC | sed 's/LIBEXEC is //')
 
     if [ -n "$temp" ]; then
 	case $temp in
@@ -1370,6 +1372,14 @@ reload_command() # $* = original arguments less the command.
 	esac
     fi
 
+    temp=$(echo $config | grep ^SBINDIR | sed 's/SBINDIR is //')
+
+    if [ -n "$temp" ]; then
+	sbindir="$temp"
+    else
+	sbindir=/sbin
+    fi
+
     if [ -z "$getcaps" ]; then
 	g_shorewalldir=$(resolve_file $directory)
 	ensure_config_path
@@ -1414,15 +1424,15 @@ reload_command() # $* = original arguments less the command.
 
 	progress_message3 "Copy complete"
 	if [ $COMMAND = reload ]; then
-	    rsh_command "/sbin/${g_program}-lite $g_debugging $verbose $timestamp restart" && \
+	    rsh_command "${sbin}/${g_program}-lite $g_debugging $verbose $timestamp restart" && \
 	    progress_message3 "System $system reloaded" || saveit=
 	else
-	    rsh_command "/sbin/${g_program}-lite $g_debugging $verbose $timestamp start" && \
+	    rsh_command "${sbin}/${g_program}-lite $g_debugging $verbose $timestamp start" && \
 	    progress_message3 "System $system loaded" || saveit=
 	fi
 
 	if [ -n "$saveit" ]; then
-	    rsh_command "/sbin/${g_program}-lite $g_debugging $verbose $timestamp save" && \
+	    rsh_command "${sbin}/${g_program}-lite $g_debugging $verbose $timestamp save" && \
 	    progress_message3 "Configuration on system $system saved"
 	fi
     fi

Shorewall/lib.core

@@ -1,30 +1,34 @@
-#
-# Shorewall 4.5 -- /usr/share/shorewall/lib.core.
-#
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2010-2012 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2012 - Tom Eastep (teastep@shorewall.net)
 #
-#	Complete documentation is available at http://shorewall.net
+#	Options are:
 #
-#	This program is free software; you can redistribute it and/or modify
-#	it under the terms of Version 2 of the GNU General Public License
-#	as published by the Free Software Foundation.
+#	    -n				  Don't alter Routing
+#	    -v and -q			  Standard Shorewall Verbosity control
+#           -t                            Timestamp progress messages
+#           -p                            Purge conntrack table
+#           -r                            Recover from failed start/restart
+#           -V <verbosity>                Set verbosity level explicitly
+#           -R <restore>                  Overrides RESTOREFILE setting
 #
-#	This program is distributed in the hope that it will be useful,
-#	but WITHOUT ANY WARRANTY; without even the implied warranty of
-#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#	GNU General Public License for more details.
+#	Commands are:
 #
-#	You should have received a copy of the GNU General Public License
-#	along with this program; if not, write to the Free Software
-#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#	   start			  Starts the firewall
+#          refresh                        Refresh the firewall
+#	   restart			  Restarts the firewall
+#	   reload			  Reload the firewall
+#	   clear			  Removes all firewall rules
+#	   stop				  Stops the firewall
+#	   status			  Displays firewall status
+#	   version			  Displays the version of Shorewall that
+#	   				  generated this program
 #
-# The purpose of this library is to hold those functions used by the generated
-# scripts (both IPv4 and IPv6 -- the functions that are specific to one or the other
-# are found in prog.header and prog.header6).
-#
-#########################################################################################
+################################################################################
+# Functions imported from /usr/share/shorewall/lib.core
+################################################################################
+#                     Address family-neutral Functions
+################################################################################
 #
 # Conditionally produce message
 #
@@ -510,6 +514,20 @@ debug_restore_input() {
 	qt1 $g_tool -t raw -P $chain ACCEPT
     done
 
+    qt1 $g_tool -t rawpost -F
+    qt1 $g_tool -t rawpost    -X
+
+    for chain in POSTROUTING; do
+	qt1 $g_tool -t rawpost -P $chain ACCEPT
+    done
+
+    qt1 $g_tool -t nat    -F
+    qt1 $g_tool -t nat    -X
+
+    for chain in PREROUTING POSTROUTING; do
+        qt1 $g_tool -t nat -P $chain ACCEPT
+    done
+
     qt1 $g_tool -t filter -F
     qt1 $g_tool -t filter -X
 
@@ -616,3 +634,661 @@ EOF
 	done
     fi
 }
+
+?IF __IPV4
+#################################################################################
+#                        IPv4-specific Functions
+#################################################################################
+# Find the value 'weight' in the passed arguments then echo the next value
+#
+
+find_weight() {
+    while [ $# -gt 1 ]; do
+	[ "x$1" = xweight ] && echo $2 && return
+	shift
+    done
+}
+
+#
+# Find the interfaces that have a route to the passed address - the default
+# route is not used.
+#
+
+find_rt_interface() {
+    $IP -4 route list | while read addr rest; do
+	case $addr in
+	    */*)
+		in_network ${1%/*} $addr && echo $(find_device $rest)
+		;;
+	    default)
+		;;
+	    *)
+		if [ "$addr" = "$1" -o "$addr/32" = "$1" ]; then
+		    echo $(find_device $rest)
+		fi
+		;;
+	esac
+    done
+}
+
+#
+# Echo the name of the interface(s) that will be used to send to the
+# passed address
+#
+
+find_interface_by_address() {
+    local dev
+    dev="$(find_rt_interface $1)"
+    local first
+    local rest
+
+    [ -z "$dev" ] && dev=$(find_default_interface)
+
+    [ -n "$dev" ] && echo $dev
+}
+
+#
+#  echo the list of networks routed out of a given interface
+#
+get_routed_networks() # $1 = interface name, $2-n = Fatal error message
+{
+    local address
+    local rest
+
+    $IP -4 route show dev $1 2> /dev/null |
+	while read address rest; do
+	    case "$address" in
+		default)
+		    if [ $# -gt 1 ]; then
+			shift
+			fatal_error "$@"
+		    else
+			echo "WARNING: default route ignored on interface $1" >&2
+		    fi
+		    ;;
+		multicast|broadcast|prohibit|nat|throw|nexthop)
+		    ;;
+		*)
+		    [ "$address" = "${address%/*}" ] && address="${address}/32"
+		    echo $address
+		    ;;
+	    esac
+        done
+}
+
+#
+# Get the broadcast addresses associated with an interface
+#
+get_interface_bcasts() # $1 = interface
+{
+    local addresses
+    addresses=
+
+    $IP -f inet addr show dev $1 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
+}
+
+#
+# Delete IP address
+#
+del_ip_addr() # $1 = address, $2 = interface
+{
+    [ $(find_first_interface_address_if_any $2) = $1 ] || qtnoin $IP addr del $1 dev $2
+}
+
+# Add IP Aliases
+#
+add_ip_aliases() # $* = List of addresses
+{
+    local local
+    local addresses
+    local external
+    local interface
+    local inet
+    local cidr
+    local rest
+    local val
+    local arping
+    arping=$(mywhich arping)
+
+    address_details()
+    {
+	#
+	# Folks feel uneasy if they don't see all of the same
+	# decoration on these IP addresses that they see when their
+	# distro's net config tool adds them. In an attempt to reduce
+	# the anxiety level, we have the following code which sets
+	# the VLSM and BRD from an existing address in the same networks
+	#
+	# Get all of the lines that contain inet addresses with broadcast
+	#
+	$IP -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | while read inet cidr rest ; do
+	    case $cidr in
+		*/*)
+		    if in_network $external $cidr; then
+			echo "/${cidr#*/} brd $(broadcastaddress $cidr)"
+			break
+		    fi
+		    ;;
+	    esac
+	done
+    }
+
+    do_one()
+    {
+	val=$(address_details)
+
+	$IP addr add ${external}${val} dev $interface $label
+	[ -n "$arping" ] && qt $arping -U -c 2 -I $interface $external
+	echo "$external $interface" >> $VARDIR/nat
+	[ -n "$label" ] && label="with $label"
+	progress_message "   IP Address $external added to interface $interface $label"
+    }
+
+    progress_message "Adding IP Addresses..."
+
+    while [ $# -gt 0 ]; do
+	external=$1
+	interface=$2
+	label=
+
+	if [ "$interface" != "${interface%:*}" ]; then
+	    label="${interface#*:}"
+	    interface="${interface%:*}"
+	    label="label $interface:$label"
+	fi
+
+	shift 2
+
+	list_search $external $(find_interface_addresses $interface) || do_one
+    done
+}
+
+#
+# Detect the gateway through a PPP or DHCP-configured interface
+#
+detect_dynamic_gateway() { # $1 = interface
+    local interface
+    interface=$1
+    local GATEWAYS
+    GATEWAYS=
+    local gateway
+
+    gateway=$(run_findgw_exit $1);
+
+    if [ -z "$gateway" ]; then
+	gateway=$( find_peer $($IP addr list $interface ) )
+    fi
+
+    if [ -z "$gateway" -a -f /var/lib/dhcpcd/dhcpcd-${1}.info ]; then
+	eval $(grep ^GATEWAYS=  /var/lib/dhcpcd/dhcpcd-${1}.info 2> /dev/null)
+	[ -n "$GATEWAYS" ] && GATEWAYS=${GATEWAYS%,*} && gateway=$GATEWAYS
+    fi
+
+    if [ -z "$gateway" -a -f /var/lib/dhcp/dhclient-${1}.lease ]; then
+	gateway=$(grep 'option routers' /var/lib/dhcp/dhclient-${1}.lease | tail -n 1 | while read j1 j2 gateway; do echo $gateway ; return 0; done)
+    fi
+
+    [ -n "$gateway" ] && echo $gateway
+}
+
+#
+# Detect the gateway through an interface
+#
+detect_gateway() # $1 = interface
+{
+    local interface
+    interface=$1
+    local gateway
+    #
+    # First assume that this is some sort of dynamic interface
+    #
+    gateway=$( detect_dynamic_gateway $interface )
+    #
+    # Maybe there's a default route through this gateway already
+    #
+    [ -n "$gateway" ] || gateway=$(find_gateway $($IP -4 route list dev $interface | grep ^default))
+    #
+    # Last hope -- is there a load-balancing route through the interface?
+    #
+    [ -n "$gateway" ] || gateway=$(find_nexthop $interface)
+    #
+    # Be sure we found one
+    #
+    [ -n "$gateway" ] && echo $gateway
+}
+
+#
+# Disable IPV6
+#
+disable_ipv6() {
+    local foo
+    foo="$($IP -f inet6 addr list 2> /dev/null)"
+
+    if [ -n "$foo" ]; then
+	if [ -x "$IP6TABLES" ]; then
+	    $IP6TABLES -P FORWARD DROP
+	    $IP6TABLES -P INPUT DROP
+	    $IP6TABLES -P OUTPUT DROP
+	    $IP6TABLES -F
+	    $IP6TABLES -X
+	    $IP6TABLES -A OUTPUT -o lo -j ACCEPT
+	    $IP6TABLES -A INPUT -i lo -j ACCEPT
+	else
+	    error_message "WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables"
+	fi
+    fi
+}
+
+#
+# Add an additional gateway to the default route
+#
+add_gateway() # $1 = Delta $2 = Table Number
+{
+    local route
+    local weight
+    local delta
+    local dev
+    
+    route=`$IP -4 -o route ls table $2 | grep ^default | sed 's/default //; s/[\]//g'`
+
+    if [ -z "$route" ]; then
+	run_ip route add default scope global table $2 $1
+    else
+	delta=$1
+
+	if ! echo $route | fgrep -q ' nexthop '; then
+	    route=`echo $route | sed 's/via/nexthop via/'`
+	    dev=$(find_device $route)
+	    if [ -f ${VARDIR}/${dev}_weight ]; then
+		weight=`cat ${VARDIR}/${dev}_weight`
+		route="$route weight $weight"
+	    fi
+	fi
+
+	run_ip route replace default scope global table $2 $route $delta
+    fi
+}
+
+#
+# Remove a gateway from the default route
+#
+delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device
+{
+    local route
+    local gateway
+    local dev
+
+    route=`$IP -4 -o route ls table $2 | grep ^default | sed 's/[\]//g'`
+    gateway=$1
+  
+    if [ -n "$route" ]; then
+	if echo $route | fgrep -q ' nexthop '; then
+	    gateway="nexthop $gateway"
+	    eval route=\`echo $route \| sed \'s/$gateway/ /\'\`
+	    run_ip route replace table $2 $route
+	else
+	    dev=$(find_device $route)
+	    [ "$dev" = "$3" ] && run_ip route delete default table $2
+	fi
+    fi
+}
+
+#
+# Determine the MAC address of the passed IP through the passed interface
+#
+find_mac() # $1 = IP address, $2 = interface
+{
+    if interface_is_usable $2 ; then
+	qt ping -nc 1 -t 2 -I $2 $1
+
+	local result
+	result=$($IP neigh list |  awk "/^$1 / {print \$5}")
+
+	case $result in
+	    \<*\>)
+		;;
+	    *)
+		[ -n "$result" ] && echo $result
+		;;
+	esac
+    fi
+}
+
+#
+# Clear Proxy Arp
+#
+delete_proxyarp() {
+    if [ -f ${VARDIR}/proxyarp ]; then
+	while read address interface external haveroute; do
+	    qtnoin $IP -4 neigh del proxy $address dev $external
+	    [ -z "${haveroute}${g_noroutes}" ] && qtnoin $IP -4 route del $address/32 dev $interface
+	    f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
+	    [ -f $f ] && echo 0 > $f
+	done < ${VARDIR}/proxyarp
+
+	rm -f ${VARDIR}/proxyarp
+    fi
+}
+
+#
+# Remove all Shorewall-added rules
+#
+clear_firewall() {
+    stop_firewall
+
+    setpolicy INPUT ACCEPT
+    setpolicy FORWARD ACCEPT
+    setpolicy OUTPUT ACCEPT
+
+    run_iptables -F
+    qt $IPTABLES -t raw -F
+
+    echo 1 > /proc/sys/net/ipv4/ip_forward
+
+    if [ -n "$DISABLE_IPV6" ]; then
+	if [ -x $IP6TABLES ]; then
+    	    $IP6TABLES -P INPUT   ACCEPT 2> /dev/null
+	    $IP6TABLES -P OUTPUT  ACCEPT 2> /dev/null
+	    $IP6TABLES -P FORWARD ACCEPT 2> /dev/null
+	fi
+    fi
+
+    run_clear_exit
+
+    set_state "Cleared"
+
+    logger -p kern.info "$g_product Cleared"
+}
+
+#
+# Get a list of all configured broadcast addresses on the system
+#
+get_all_bcasts()
+{
+    $IP -f inet addr show 2> /dev/null | grep 'inet.*brd' | grep -v '/32 ' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
+}
+
+?ELSE
+#################################################################################
+#                        IPv4-specific Functions
+#################################################################################
+#
+# Get all interface addresses with VLSMs
+#
+
+find_interface_full_addresses() # $1 = interface
+{
+    $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 ' | sed 's/\s*inet6 //;s/ scope.*//;s/ peer.*//'
+}
+
+#
+# Normalize an IPv6 Address by compressing out consecutive zero elements
+#
+normalize_address() # $1 = valid IPv6 Address
+{
+    local address
+    address=$1
+    local j
+
+    while true; do
+	case $address in
+	    ::*)
+		address=0$address
+		;;
+	    *::*)
+		list_count $(split $address)
+
+		j=$?
+
+		if [ $j -eq 7 ]; then
+		    address=${address%::*}:0:${address#*::}
+		elif [ $j -eq 8 ]; then
+		    $address=${address%::*}:${address#*::}
+		    break 2
+		else
+		    address=${address%::*}:0::${address#*::}
+		fi
+		;;
+	    *)
+		echo $address
+		break 2
+		;;
+	esac
+    done
+}
+
+#
+# Reads correctly-formed and fully-qualified host and subnet addresses from STDIN. For each
+# that defines a /120 or larger network, it sends to STDOUT:
+#
+#    The corresponding subnet-router anycast address (all host address bits are zero)
+#    The corresponding anycast addresses defined by RFC 2526 (the last 128 addresses in the subnet)
+#
+convert_to_anycast() {
+    local address
+    local badress
+    local vlsm
+    local host
+    local o
+    local m
+    m=
+    local z
+    z=65535
+    local l
+
+    while read address; do
+	case $address in
+	    2*|3*)
+		vlsm=${address#*/}
+		vlsm=${vlsm:=128}
+
+		if [ $vlsm -le 120 ]; then
+	            #
+	            # Defines a viable subnet -- first get the subnet-router anycast address
+	            #
+		    host=$((128 - $vlsm))
+
+		    address=$(normalize_address ${address%/*})
+
+		    while [ $host -ge 16 ]; do
+			address=${address%:*}
+			host=$(($host - 16))
+		    done
+
+		    if [ $host -gt 0 ]; then
+			#
+			# VLSM is not a multiple of 16
+			#
+			host=$((16 - $host))
+			o=$((0x${address##*:}))
+			m=0
+			while [ $host -gt 0 ]; do
+			    m=$((($m >> 1) | 0x8000))
+			    z=$(($z >> 1))
+			    host=$(($host - 1))
+			done
+
+			o=$(($o & $m))
+
+			badress=${address%:*}
+
+			address=$badress:$(printf %04x $o)
+
+			z=$(($o | $z))
+
+			if [ $vlsm -gt 112 ]; then
+			    z=$(($z & 0xff80))
+			fi
+
+			badress=$badress:$(printf %04x $z)
+		    else
+			badress=$address
+		    fi
+		    #
+		    # Note: at this point $address and $badress are the same except possibly for
+		    #       the contents of the last half-word
+		    #
+		    list_count $(split $address)
+
+		    l=$?
+		    #
+		    # Now generate the anycast addresses defined by RFC 2526
+		    #
+		    if [ $l -lt 8 ]; then
+			#
+			# The subnet-router address
+			#
+			echo $address::
+
+		    	while [ $l -lt 8 ]; do
+			    badress=$badress:ffff
+			    l=$(($l + 1 ))
+			done
+		    else
+			#
+			# The subnet-router address
+			#
+			echo $address
+		    fi
+		    #
+		    # And the RFC 2526 addresses
+		    #
+		    echo $badress/121
+		fi
+		;;
+	esac
+    done
+}
+
+#
+# Generate a list of anycast addresses for a given interface
+#
+
+get_interface_acasts() # $1 = interface
+{
+    local addresses
+    addresses=
+
+    find_interface_full_addresses $1 | convert_to_anycast | sort -u
+}
+
+#
+# Get a list of all configured anycast addresses on the system
+#
+get_all_acasts()
+{
+    find_interface_full_addresses | convert_to_anycast | sort -u
+}
+
+#
+# Detect the gateway through an interface
+#
+detect_gateway() # $1 = interface
+{
+    local interface
+    interface=$1
+    #
+    # First assume that this is some sort of point-to-point interface
+    #
+    gateway=$( find_peer $($IP -6 addr list $interface ) )
+    #
+    # Maybe there's a default route through this gateway already
+    #
+    [ -n "$gateway" ] || gateway=$(find_gateway $($IP -6 route list dev $interface | grep '^default'))
+    #
+    # Last hope -- is there a load-balancing route through the interface?
+    #
+    [ -n "$gateway" ] || gateway=$(find_nexthop $interface)
+    #
+    # Be sure we found one
+    #
+    [ -n "$gateway" ] && echo $gateway
+}
+
+#
+# Add an additional gateway to the default route
+#
+add_gateway() # $1 = Delta $2 = Table Number
+{
+    local route
+    local weight
+    local delta
+    local dev
+    
+    run_ip route add default scope global table $2 $1
+}
+
+#
+# Remove a gateway from the default route
+#
+delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device
+{
+    local route
+    local gateway
+    local dev
+
+    route=`$IP -6 -o route ls table $2 | grep ^default | sed 's/[\]//g'`
+    gateway=$1
+  
+    dev=$(find_device $route)
+    [ "$dev" = "$3" ] && run_ip route delete default table $2
+}
+
+#
+# Determine how to do "echo -e"
+#
+
+find_echo() {
+    local result
+
+    result=$(echo "a\tb")
+    [ ${#result} -eq 3 ] && { echo echo; return; }
+
+    result=$(echo -e "a\tb")
+    [ ${#result} -eq 3 ] && { echo "echo -e"; return; }
+
+    result=$(which echo)
+    [ -n "$result" ] && { echo "$result -e"; return; }
+
+    echo echo
+}
+
+#
+# Clear Proxy NDP
+#
+delete_proxyndp() {
+    if [ -f ${VARDIR}/proxyndp ]; then
+	while read address interface external haveroute; do
+	    qt $IP -6 neigh del proxy $address dev $external
+	    [ -z "${haveroute}${g_noroutes}" ] && qt $IP -6 route del $address/128 dev $interface
+	    f=/proc/sys/net/ipv6/conf/$interface/proxy_ndp
+	    [ -f $f ] && echo 0 > $f
+	done < ${VARDIR}/proxyndp
+
+	rm -f ${VARDIR}/proxyndp
+    fi
+}
+
+#
+# Remove all Shorewall-added rules
+#
+clear_firewall() {
+    stop_firewall
+
+    setpolicy INPUT ACCEPT
+    setpolicy FORWARD ACCEPT
+    setpolicy OUTPUT ACCEPT
+
+    run_iptables -F
+    qt $IP6TABLES -t raw -F
+
+    echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
+
+    run_clear_exit
+
+    set_state "Cleared"
+
+    logger -p kern.info "$g_product Cleared"
+}
+
+?ENDIF

Shorewall/manpages/shorewall-accounting.xml

@@ -75,12 +75,9 @@
 
     <itemizedlist>
       <listitem>
-        <para>A jump to a user-defined accounting chain before entries that
-        add rules to that chain.</para>
-      </listitem>
-
-      <listitem>
-        <para>This eliminates loops and unreferenced chains.</para>
+        <para>A jump to a user-defined accounting chain must appear before
+        entries that add rules to that chain. This eliminates loops and
+        unreferenced chains.</para>
       </listitem>
 
       <listitem>

Shorewall/manpages/shorewall-hosts.xml

@@ -118,32 +118,6 @@
           must have no embedded white space.</para>
 
           <variablelist>
-            <varlistentry>
-              <term><emphasis role="bold">maclist</emphasis></term>
-
-              <listitem>
-                <para>Connection requests from these hosts are compared
-                against the contents of <ulink
-                url="shorewall-maclist.html">shorewall-maclist</ulink>(5). If
-                this option is specified, the interface must be an ethernet
-                NIC or equivalent and must be up before Shorewall is
-                started.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">routeback</emphasis></term>
-
-              <listitem>
-                <para>Shorewall should set up the infrastructure to pass
-                packets from this/these address(es) back to themselves. This
-                is necessary if hosts in this group use the services of a
-                transparent proxy that is a member of the group or if DNAT is
-                used to send requests originating from this group to a server
-                in the group.</para>
-              </listitem>
-            </varlistentry>
-
             <varlistentry>
               <term><emphasis role="bold">blacklist</emphasis></term>
 
@@ -154,48 +128,6 @@
               </listitem>
             </varlistentry>
 
-            <varlistentry>
-              <term><emphasis role="bold">tcpflags</emphasis></term>
-
-              <listitem>
-                <para>Packets arriving from these hosts are checked for
-                certain illegal combinations of TCP flags. Packets found to
-                have such a combination of flags are handled according to the
-                setting of TCP_FLAGS_DISPOSITION after having been logged
-                according to the setting of TCP_FLAGS_LOG_LEVEL.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">nosmurfs</emphasis></term>
-
-              <listitem>
-                <para>This option only makes sense for ports on a
-                bridge.</para>
-
-                <para>Filter packets for smurfs (packets with a broadcast
-                address as the source).</para>
-
-                <para>Smurfs will be optionally logged based on the setting of
-                SMURF_LOG_LEVEL in <ulink
-                url="shorewall.conf.html">shorewall.conf</ulink>(5). After
-                logging, the packets are dropped.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">ipsec</emphasis></term>
-
-              <listitem>
-                <para>The zone is accessed via a kernel 2.6 ipsec SA. Note
-                that if the zone named in the ZONE column is specified as an
-                IPSEC zone in the <ulink
-                url="shorewall-zones.html">shorewall-zones</ulink>(5) file
-                then you do NOT need to specify the 'ipsec' option
-                here.</para>
-              </listitem>
-            </varlistentry>
-
             <varlistentry>
               <term><emphasis role="bold">broadcast</emphasis></term>
 
@@ -229,6 +161,86 @@
                 net(s).</para>
               </listitem>
             </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">ipsec</emphasis></term>
+
+              <listitem>
+                <para>The zone is accessed via a kernel 2.6 ipsec SA. Note
+                that if the zone named in the ZONE column is specified as an
+                IPSEC zone in the <ulink
+                url="shorewall-zones.html">shorewall-zones</ulink>(5) file
+                then you do NOT need to specify the 'ipsec' option
+                here.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">maclist</emphasis></term>
+
+              <listitem>
+                <para>Connection requests from these hosts are compared
+                against the contents of <ulink
+                url="shorewall-maclist.html">shorewall-maclist</ulink>(5). If
+                this option is specified, the interface must be an ethernet
+                NIC or equivalent and must be up before Shorewall is
+                started.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">mss</emphasis>=<replaceable>mss</replaceable></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.2. When present, causes the TCP
+                mss for new connections to/from the hosts given in the HOST(S)
+                column to be clamped at the specified
+                <replaceable>mss</replaceable>.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">nosmurfs</emphasis></term>
+
+              <listitem>
+                <para>This option only makes sense for ports on a
+                bridge.</para>
+
+                <para>Filter packets for smurfs (packets with a broadcast
+                address as the source).</para>
+
+                <para>Smurfs will be optionally logged based on the setting of
+                SMURF_LOG_LEVEL in <ulink
+                url="shorewall.conf.html">shorewall.conf</ulink>(5). After
+                logging, the packets are dropped.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">routeback</emphasis></term>
+
+              <listitem>
+                <para>Shorewall should set up the infrastructure to pass
+                packets from this/these address(es) back to themselves. This
+                is necessary if hosts in this group use the services of a
+                transparent proxy that is a member of the group or if DNAT is
+                used to send requests originating from this group to a server
+                in the group.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">tcpflags</emphasis></term>
+
+              <listitem>
+                <para>Packets arriving from these hosts are checked for
+                certain illegal combinations of TCP flags. Packets found to
+                have such a combination of flags are handled according to the
+                setting of TCP_FLAGS_DISPOSITION after having been logged
+                according to the setting of TCP_FLAGS_LOG_LEVEL.</para>
+              </listitem>
+            </varlistentry>
           </variablelist>
         </listitem>
       </varlistentry>

Shorewall/manpages/shorewall-masq.xml

@@ -35,8 +35,8 @@
       <para>If you have more than one ISP link, adding entries to this file
       will <emphasis role="bold">not</emphasis> force connections to go out
       through a particular link. You must use entries in <ulink
-      url="shorewall-rtrules.html">shorewall-rtrules</ulink>(5) or
-      PREROUTING entries in <ulink
+      url="shorewall-rtrules.html">shorewall-rtrules</ulink>(5) or PREROUTING
+      entries in <ulink
       url="shorewall-tcrules.html">shorewall-tcrules</ulink>(5) to do
       that.</para>
     </warning>
@@ -88,7 +88,8 @@
           addresses to indicate that you only want to change the source IP
           address for packets being sent to those particular destinations.
           Exclusion is allowed (see <ulink
-          url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
+          url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)) as
+          are ipset names preceded by a plus sign '+';</para>
 
           <para>If you wish to inhibit the action of ADD_SNAT_ALIASES for this
           entry then include the ":" but omit the digit:</para>
@@ -149,6 +150,10 @@
 
           <para>In that example traffic from eth1 would be masqueraded unless
           it came from 192.168.1.4 or 196.168.32.0/27</para>
+
+          <para>The preferred way to specify the SOURCE is to supply one or
+          more host or network addresses separated by comma. You may use ipset
+          names preceded by a plus sign (+) to specify a set of hosts.</para>
         </listitem>
       </varlistentry>
 
@@ -467,6 +472,43 @@
           </variablelist>
         </listitem>
       </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">SWITCH -
+        [!]<replaceable>switch-name</replaceable></emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.1 and allows enabling and disabling the
+          rule without requiring <command>shorewall restart</command>.</para>
+
+          <para>The rule is enabled if the value stored in
+          <filename>/proc/net/nf_condition/<replaceable>switch-name</replaceable></filename>
+          is 1. The rule is disabled if that file contains 0 (the default). If
+          '!' is supplied, the test is inverted such that the rule is enabled
+          if the file contains 0. <replaceable>switch-name</replaceable> must
+          begin with a letter and be composed of letters, decimal digits,
+          underscores or hyphens. Switch names must be 30 characters or less
+          in length.</para>
+
+          <para>Switches are normally <emphasis role="bold">off</emphasis>. To
+          turn a switch <emphasis role="bold">on</emphasis>:</para>
+
+          <simplelist>
+            <member><command>echo 1 &gt;
+            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
+          </simplelist>
+
+          <para>To turn it <emphasis role="bold">off</emphasis> again:</para>
+
+          <simplelist>
+            <member><command>echo 0 &gt;
+            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
+          </simplelist>
+
+          <para>Switch settings are retained over <command>shorewall
+          restart</command>.</para>
+        </listitem>
+      </varlistentry>
     </variablelist>
   </refsect1>
 
@@ -548,6 +590,19 @@
           </warning>
         </listitem>
       </varlistentry>
+
+      <varlistentry>
+        <term>Example 6:</term>
+
+        <listitem>
+          <para>Connections leaving on eth0 and destined to any host defined
+          in the ipset <emphasis>myset</emphasis> should have the source IP
+          address changed to 206.124.146.177.</para>
+
+          <programlisting>        #INTERFACE              SOURCE          ADDRESS
+        eth0:+myset[dst]        -               206.124.146.177</programlisting>
+        </listitem>
+      </varlistentry>
     </variablelist>
   </refsect1>
 

Shorewall/manpages/shorewall-params.xml

@@ -23,7 +23,11 @@
   <refsect1>
     <title>Description</title>
 
-    <para>Assign any shell variables that you need in this file.</para>
+    <para>Assign any shell variables that you need in this file. The file is
+    always processed by <filename>/bin/sh</filename> or by the shell specified
+    through SHOREWALL_SHELL in <ulink
+    url="shorewall.conf.html">shorewall.conf</ulink> (5) so the full range of
+    shell capabilities may be used.</para>
 
     <para>It is suggested that variable names begin with an upper case letter
     to distinguish them from variables used internally within the Shorewall
@@ -128,12 +132,13 @@ net     eth0            130.252.100.255 routefilter,norfc1918</programlisting>
     url="http://www.shorewall.net/configuration_file_basics.htm#Variables?">http://www.shorewall.net/configuration_file_basics.htm#Variables</ulink></para>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
-    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
-    shorewall-netmap(5), shorewall-policy(5), shorewall-providers(5),
-    shorewall-proxyarp(5), shorewall-rtrules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
-    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
-    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-policy(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-zones(5)</para>
   </refsect1>
 </refentry>

Shorewall/manpages/shorewall-rules.xml

@@ -226,7 +226,7 @@
               <listitem>
                 <para>like DROP but exempts the rule from being suppressed by
                 OPTIMIZE=1 in <ulink
-                url="shorewall.conf.html">shorewall.conf</ulink>(5). </para>
+                url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
               </listitem>
             </varlistentry>
 
@@ -782,7 +782,7 @@
             </orderedlist></para>
 
           <blockquote>
-            <para></para>
+            <para/>
 
             <para>Except when <emphasis role="bold">all</emphasis>[<emphasis
             role="bold">+]|[-</emphasis>] is specified, the server may be
@@ -1230,8 +1230,18 @@
               <term>localtz</term>
 
               <listitem>
-                <para>Times are expressed in Local Civil Time
-                (default).</para>
+                <para>Deprecated by the Netfilter team in favor of <emphasis
+                role="bold">kerneltz</emphasis>. Times are expressed in Local
+                Civil Time (default).</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>kerneltz</term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.2. Times are expressed in Local
+                Kernel Time (requires iptables 1.4.12 or later).</para>
               </listitem>
             </varlistentry>
 
@@ -1548,9 +1558,9 @@
     shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5),
     shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
     shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
-    shorewall-proxyarp(5), shorewall-rtrules(5),
-    shorewall-routestopped(5), shorewall.conf(5), shorewall-secmarks(5),
-    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
-    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
+    shorewall-proxyarp(5), shorewall-rtrules(5), shorewall-routestopped(5),
+    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
+    shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
+    shorewall-tunnels(5), shorewall-zones(5)</para>
   </refsect1>
 </refentry>

Shorewall/manpages/shorewall-tcrules.xml

@@ -44,7 +44,7 @@
 
     <variablelist>
       <varlistentry>
-        <term><emphasis role="bold">MARK/CLASSIFY</emphasis> (mark) -
+        <term><emphasis role="bold">ACTION</emphasis> (mark) -
         <replaceable>mark</replaceable></term>
 
         <listitem>
@@ -271,8 +271,8 @@
               target allows you to work around that problem. SAME may be used
               in the PREROUTING and OUTPUT chains. When used in PREROUTING, it
               causes matching connections from an individual local system to
-              all use the same provider. For example: <programlisting>#MARK/            SOURCE         DEST         PROTO      DEST
-#CLASSIFY                                                PORT(S)
+              all use the same provider. For example: <programlisting>#ACTION           SOURCE         DEST         PROTO      DEST
+#                                                        PORT(S)
 SAME:P            192.168.1.0/24 0.0.0.0/0    tcp        80,443</programlisting>
               If a host in 192.168.1.0/24 attempts a connection on TCP port 80
               or 443 and it has sent a packet on either of those ports in the
@@ -282,8 +282,8 @@ SAME:P            192.168.1.0/24 0.0.0.0/0    tcp        80,443</programlisting>
 
               <para>When used in the OUTPUT chain, it causes all matching
               connections to an individual remote system to all use the same
-              provider. For example:<programlisting>#MARK/            SOURCE         DEST         PROTO      DEST
-#CLASSIFY                                                PORT(S)
+              provider. For example:<programlisting>#ACTION           SOURCE         DEST         PROTO      DEST
+#                                                        PORT(S)
 SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
               If the firewall attempts a connection on TCP port 80 or 443 and
               it has sent a packet on either of those ports in the last five
@@ -468,6 +468,112 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
               <replaceable>number</replaceable>. Requires IMQ Target support
               in your kernel and iptables.</para>
             </listitem>
+
+            <listitem>
+              <para><emphasis
+              role="bold">DSCP</emphasis>(<replaceable>dscp</replaceable>)</para>
+
+              <para>Added in Shorewall 4.5.1. Sets the
+              <firstterm>Differentiated Services Code Point</firstterm> field
+              in the IP header. The <replaceable>dscp</replaceable> value may
+              be given as an even number (hex or decimal) or as the name of a
+              DSCP class. Valid class names and their associated hex numeric
+              values are:</para>
+
+              <programlisting>    CS0  =&gt; 0x00
+    CS1  =&gt; 0x08
+    CS2  =&gt; 0x10
+    CS3  =&gt; 0x18
+    CS4  =&gt; 0x20
+    CS5  =&gt; 0x28
+    CS6  =&gt; 0x30
+    CS7  =&gt; 0x38
+    BE   =&gt; 0x00
+    AF11 =&gt; 0x0a
+    AF12 =&gt; 0x0c
+    AF13 =&gt; 0x0e
+    AF21 =&gt; 0x12
+    AF22 =&gt; 0x14
+    AF23 =&gt; 0x16
+    AF31 =&gt; 0x1a
+    AF32 =&gt; 0x1c
+    AF33 =&gt; 0x1e
+    AF41 =&gt; 0x22
+    AF42 =&gt; 0x24
+    AF43 =&gt; 0x26
+    EF   =&gt; 0x2e</programlisting>
+
+              <para>May be optionally followed by ':' and a capital letter
+              designating the chain where classification is to occur.</para>
+
+              <variablelist>
+                <varlistentry>
+                  <term>F</term>
+
+                  <listitem>
+                    <para>FORWARD chain.</para>
+                  </listitem>
+                </varlistentry>
+
+                <varlistentry>
+                  <term>T</term>
+
+                  <listitem>
+                    <para>POSTROUTING chain (default).</para>
+                  </listitem>
+                </varlistentry>
+              </variablelist>
+            </listitem>
+
+            <listitem>
+              <para><emphasis
+              role="bold">TOS</emphasis>(<replaceable>tos</replaceable>[/<replaceable>mask</replaceable>])</para>
+
+              <para>Added in Shorewall 4.5.1. Sets the <firstterm>Type of
+              Service</firstterm> field in the IP header. The
+              <replaceable>tos</replaceable> value may be given as an number
+              (hex or decimal) or as the name of a TOS type. Valid type names
+              and their associated hex numeric values are:</para>
+
+              <programlisting>Minimize-Delay       =&gt; 0x10,
+Maximize-Throughput  =&gt; 0x08,
+Maximize-Reliability =&gt; 0x04,
+Minimize-Cost        =&gt; 0x02,
+Normal-Service       =&gt; 0x00</programlisting>
+
+              <para>When <replaceable>tos</replaceable> is given as a number,
+              it may be optionally followed by '/' and a
+              <replaceable>mask</replaceable>. When no
+              <replaceable>mask</replaceable> is given, the value 0xff is
+              assumed. When <replaceable>tos</replaceable> is given as a type
+              name, the <replaceable>mask</replaceable> 0x3f is
+              assumed.</para>
+
+              <para>The action performed is to zero out the bits specified by
+              the <replaceable>mask</replaceable>, then set the bits specified
+              by <replaceable>tos</replaceable>.</para>
+
+              <para>May be optionally followed by ':' and a capital letter
+              designating the chain where classification is to occur.</para>
+
+              <variablelist>
+                <varlistentry>
+                  <term>F</term>
+
+                  <listitem>
+                    <para>FORWARD chain.</para>
+                  </listitem>
+                </varlistentry>
+
+                <varlistentry>
+                  <term>T</term>
+
+                  <listitem>
+                    <para>POSTROUTING chain (default).</para>
+                  </listitem>
+                </varlistentry>
+              </variablelist>
+            </listitem>
           </orderedlist>
         </listitem>
       </varlistentry>
@@ -494,7 +600,7 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
               MAC addresses. <emphasis role="bold">This form will not match
               traffic that originates on the firewall itself unless either
               &lt;major&gt;&lt;minor&gt; or the :T chain qualifier is used in
-              the MARK column.</emphasis></para>
+              the ACTION column.</emphasis></para>
 
               <para>Examples:<simplelist>
                   <member>0.0.0.0/0</member>
@@ -516,7 +622,7 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
               <para>$FW optionally followed by a colon (":") and a
               comma-separated list of host or network IP addresses. Matches
               packets originating on the firewall. May not be used with a
-              chain qualifier (:P, :F, etc.) in the MARK column.</para>
+              chain qualifier (:P, :F, etc.) in the ACTION column.</para>
             </listitem>
           </orderedlist>
 
@@ -832,15 +938,15 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
           original connection was made on.</para>
 
           <para>Example: Mark all FTP data connections with mark
-          4:<programlisting>#MARK/    SOURCE    DEST      PROTO   PORT(S)    SOURCE  USER TEST LENGTH TOS CONNBYTES HELPER
-#CLASSIFY                                        PORT(S)
+          4:<programlisting>#ACTION   SOURCE    DEST      PROTO   PORT(S)    SOURCE  USER TEST LENGTH TOS CONNBYTES HELPER
+#                                                PORT(S)
 4:T       0.0.0.0/0 0.0.0.0/0 TCP     -          -       -    -    -      -   -         ftp</programlisting></para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
         <term><emphasis role="bold">PROBABILITY</emphasis> -
-        [probability]</term>
+        [<replaceable>probability</replaceable>]</term>
 
         <listitem>
           <para>Added in Shorewall 4.5.0. When non-empty, requires the
@@ -852,6 +958,44 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
           at up to 8 decimal points of precision.</para>
         </listitem>
       </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">DSCP -</emphasis>
+        [[!]<replaceable>dscp</replaceable>]</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.1. When non-empty, match packets whose
+          <firstterm>Differentiated Service Code Point</firstterm> field
+          matches the supplied value (when '!' is given, the rule matches
+          packets whose DSCP field does not match the supplied value). The
+          <replaceable>dscp</replaceable> value may be given as an even number
+          (hex or decimal) or as the name of a DSCP class. Valid class names
+          and their associated hex numeric values are:</para>
+
+          <programlisting>    CS0  =&gt; 0x00
+    CS1  =&gt; 0x08
+    CS2  =&gt; 0x10
+    CS3  =&gt; 0x18
+    CS4  =&gt; 0x20
+    CS5  =&gt; 0x28
+    CS6  =&gt; 0x30
+    CS7  =&gt; 0x38
+    BE   =&gt; 0x00
+    AF11 =&gt; 0x0a
+    AF12 =&gt; 0x0c
+    AF13 =&gt; 0x0e
+    AF21 =&gt; 0x12
+    AF22 =&gt; 0x14
+    AF23 =&gt; 0x16
+    AF31 =&gt; 0x1a
+    AF32 =&gt; 0x1c
+    AF33 =&gt; 0x1e
+    AF41 =&gt; 0x22
+    AF42 =&gt; 0x24
+    AF43 =&gt; 0x26
+    EF   =&gt; 0x2e</programlisting>
+        </listitem>
+      </varlistentry>
     </variablelist>
   </refsect1>
 
@@ -873,8 +1017,8 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
 
           <para>We assume packet/connection mark 0 means unclassified.</para>
 
-          <programlisting>       #MARK/     SOURCE    DEST         PROTO   PORT(S)       SOURCE  USER    TEST
-       #CLASSIFY                                               PORT(S)
+          <programlisting>       #ACTION    SOURCE    DEST         PROTO   PORT(S)       SOURCE  USER    TEST
+       #                                                       PORT(S)
        1:T        0.0.0.0/0 0.0.0.0/0    icmp    echo-request
        1:T        0.0.0.0/0 0.0.0.0/0    icmp    echo-reply
        RESTORE:T  0.0.0.0/0 0.0.0.0/0    all     -             -       -       0

Shorewall/manpages/shorewall-tos.xml

@@ -23,7 +23,9 @@
   <refsect1>
     <title>Description</title>
 
-    <para>This file defines rules for setting Type Of Service (TOS)</para>
+    <para>This file defines rules for setting Type Of Service (TOS). Its use
+    is deprecated, beginning in Shorewall 4.5.1, in favor of the TOS target in
+    <ulink url="shorewall-tcrules.html">shorewall-tcrules</ulink> (5).</para>
 
     <para>The columns in the file are as follows (where the column name is
     followed by a different name in parentheses, the different name is used in

Shorewall/manpages/shorewall.conf.xml

@@ -848,6 +848,29 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">IPSET_WARNINGS=</emphasis>{<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.2. Default is Yes. When set, causes the
+          rules compiler to issue a warning when:</para>
+
+          <itemizedlist>
+            <listitem>
+              <para>The compiler is being run by root and an ipset specified
+              in the configuration does not exists. Only one warning is issued
+              for each missing ipset.</para>
+            </listitem>
+
+            <listitem>
+              <para>When [src] is specified in a destination column and when
+              [dst] is specified in a source column.</para>
+            </listitem>
+          </itemizedlist>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis
         role="bold">IPTABLES=</emphasis>[<emphasis>pathname</emphasis>]</term>
@@ -2092,14 +2115,14 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
           tcrules. This was done so that tcrules could reset the packet mark
           to zero, thus allowing the packet to be routed using the 'main'
           routing table. Using the main table allowed dynamic routes (such as
-          those added for VPNs) to be effective. The rtrules file was
-          created to provide a better alternative to clearing the packet mark.
-          As a consequence, passing these packets to PREROUTING complicates
-          things without providing any real benefit. Beginning with Shorewall
-          4.4.6, when TRACK_PROVIDERS=Yes and TC_EXPERT=No, packets arriving
-          through 'tracked' interfaces will not be passed to the PREROUTING
-          rules. Since TRACK_PROVIDERS was just introduced in 4.4.3, this
-          change should be transparent to most, if not all, users.</para>
+          those added for VPNs) to be effective. The rtrules file was created
+          to provide a better alternative to clearing the packet mark. As a
+          consequence, passing these packets to PREROUTING complicates things
+          without providing any real benefit. Beginning with Shorewall 4.4.6,
+          when TRACK_PROVIDERS=Yes and TC_EXPERT=No, packets arriving through
+          'tracked' interfaces will not be passed to the PREROUTING rules.
+          Since TRACK_PROVIDERS was just introduced in 4.4.3, this change
+          should be transparent to most, if not all, users.</para>
         </listitem>
       </varlistentry>
 

Shorewall/manpages/shorewall.xml

@@ -1243,7 +1243,7 @@
           directory is given, then Shorewall will look in that directory first
           when opening configuration files.</para>
 
-          <para>Begining with Shorewall 4.5.0, you may specify a different
+          <para>Beginning with Shorewall 4.5.0, you may specify a different
           <replaceable>timeout</replaceable> value using the
           <option>-t</option> option. The numeric
           <replaceable>timeout</replaceable> may optionally be followed by an
@@ -1265,7 +1265,7 @@
           Shorewall will look in that directory first when opening
           configuration files.</para>
 
-          <para>Begining with Shorewall 4.5.0, you may specify a different
+          <para>Beginning with Shorewall 4.5.0, you may specify a different
           <replaceable>timeout</replaceable> value using the
           <option>-t</option> option. The numeric
           <replaceable>timeout</replaceable> may optionally be followed by an
@@ -1600,7 +1600,7 @@
           role="bold">restore</emphasis> is performed after
           <replaceable>timeout</replaceable> seconds.</para>
 
-          <para>Begining with Shorewall 4.5.0, the numeric
+          <para>Beginning with Shorewall 4.5.0, the numeric
           <replaceable>timeout</replaceable> may optionally be followed by an
           <option>s</option>, <option>m</option> or <option>h</option> suffix
           (e.g., 5m) to specify seconds, minutes or hours respectively. If the

Shorewall/shorewall

@@ -27,6 +27,24 @@
 ################################################################################################
 g_program=shorewall
 
-. /usr/share/shorewall/lib.cli
+if [ -f ~/.shorewallrc ]; then
+    . ~/.shorewallrc || exit 1
+else
+    SHAREDIR=/usr/share
+    CONFDIR=${CONFDIR}
+    SBINDIR=/sbin
+    VARDIR=/var/lib
+    LIBEXECDIR=/usr/share
+    PERLLIBDIR=/usr/share/shorewall
+
+fi
+
+g_libexec="$LIBEXECDIR"
+g_sharedir="$SHAREDIR"
+g_sbindir="$SBINDIR"
+g_perllib="$PERLLIBDIR"
+g_readrc=1
+
+. $g_sharedir/shorewall/lib.cli
 
 shorewall_cli $@

Shorewall/uninstall.sh

@@ -40,16 +40,25 @@ qt()
     "$@" >/dev/null 2>&1
 }
 
-restore_file() # $1 = file to restore
-{
-    if [ -f ${1}-shorewall.bkout ]; then
-	if (mv -f ${1}-shorewall.bkout $1); then
-	    echo
-	    echo "$1 restored"
-        else
-	    exit 1
-        fi
-    fi
+split() {
+    local ifs
+    ifs=$IFS
+    IFS=:
+    set -- $1
+    echo $*
+    IFS=$ifs
+}
+
+mywhich() {
+    local dir
+
+    for dir in $(split $PATH); do
+	if [ -x $dir/$1 ]; then
+	    return 0
+	fi
+    done
+
+    return 2
 }
 
 remove_file() # $1 = file to restore
@@ -60,8 +69,31 @@ remove_file() # $1 = file to restore
     fi
 }
 
-if [ -f /usr/share/shorewall/version ]; then
-    INSTALLED_VERSION="$(cat /usr/share/shorewall/version)"
+if [ -f ~/.shorewallrc ]; then
+    . ~/shorewallrc || exit 1
+else
+    [ -n "${LIBEXEC:=/usr/share}" ]
+    [ -n "${PERLLIB:=/usr/share/shorewall}" ]
+    [ -n "${CONFDIR:=/etc}" ]
+    
+    if [ -z "$SYSCONFDIR" ]; then
+	if [ -d /etc/default ]; then
+	    SYSCONFDIR=/etc/default
+	else
+	    SYSCONFDIR=/etc/sysconfig
+	fi
+    fi
+
+    [ -n "${SBINDIR:=/sbin}" ]
+    [ -n "${SHAREDIR:=/usr/share}" ]
+    [ -n "${VARDIR:=/var/lib}" ]
+    [ -n "${INITFILE:=shorewall}" ]
+    [ -n "${INITDIR:=/etc/init.d}" ]
+    [ -n "${MANDIR:=/usr/share/man}" ]
+fi
+
+if [ -f ${SHAREDIR}/shorewall/version ]; then
+    INSTALLED_VERSION="$(cat ${SHAREDIR}/shorewall/version)"
     if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
 	echo "WARNING: Shorewall Version $INSTALLED_VERSION is installed"
 	echo "         and this is the $VERSION uninstaller."
@@ -72,62 +104,54 @@ else
     VERSION=""
 fi
 
-[ -n "${LIBEXEC:=/usr/share}" ]
-[ -n "${PERLLIB:=/usr/share/shorewall}" ]
 
 echo "Uninstalling shorewall $VERSION"
 
-if qt iptables -L shorewall -n && [ ! -f /sbin/shorewall-lite ]; then
-   /sbin/shorewall clear
+if qt iptables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall-lite ]; then
+   shorewall clear
 fi
 
-if [ -L /usr/share/shorewall/init ]; then
-    FIREWALL=$(readlink -m -q /usr/share/shorewall/init)
-else
-    FIREWALL=/etc/init.d/shorewall
+if [ -L ${SHAREDIR}/shorewall/init ]; then
+    FIREWALL=$(readlink -m -q ${SHAREDIR}/shorewall/init)
+elif [ -n "$INITFILE" ]; then
+    FIREWALL=/${INITDIR}/${INITFILE}
 fi
 
-if [ -n "$FIREWALL" ]; then
-    if [ -x /usr/sbin/updaterc.d ]; then
+if [ -f "$FIREWALL" ]; then
+    if mywhich updaterc.d; then
 	updaterc.d shorewall remove
-    elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
+    elif mywhich insserv; then
         insserv -r $FIREWALL
-    elif [ -x /sbin/systemctl ]; then
+    elif mywhich systemctl; then
 	systemctl disable shorewall
-    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
+    elif mywhich chkconfig; then
 	chkconfig --del $(basename $FIREWALL)
-    else
-	rm -f /etc/rc*.d/*$(basename $FIREWALL)
     fi
 
     remove_file $FIREWALL
-    rm -f ${FIREWALL}-*.bkout
+    [ -f "$AUXINITFILE" ] && remove_file ${INITDIR}/{$AUXINITFILE}
 fi
 
-rm -f /sbin/shorewall
-rm -f /sbin/shorewall-*.bkout
+rm -f ${SBINDIR}/shorewall
 
-rm -rf /usr/share/shorewall/version
-rm -rf /etc/shorewall
-rm -rf /etc/shorewall-*.bkout
-rm -rf /var/lib/shorewall
-rm -rf /var/lib/shorewall-*.bkout
-rm -rf $PERLLIB}/Shorewall/*
+rm -rf ${SHAREDIR}/shorewall/version
+rm -rf ${CONFDIR}/shorewall
+rm -rf ${VARDIR}/shorewall
+rm -rf ${PERLLIB}/Shorewall/*
 rm -rf ${LIBEXEC}/shorewall
-rm -rf /usr/share/shorewall/configfiles/
-rm -rf /usr/share/shorewall/Samples/
-rm -rf /usr/share/shorewall/Shorewall/
-rm -f  /usr/share/shorewall/lib.cli-std
-rm -f  /usr/share/shorewall/lib.core
-rm -f  /usr/share/shorewall/compiler.pl
-rm -f  /usr/share/shorewall/prog.*
-rm -f  /usr/share/shorewall/module*
-rm -f  /usr/share/shorewall/helpers
-rm -f  /usr/share/shorewall/action*
-rm -f  /usr/share/shorewall/init
-rm -rf /usr/share/shorewall-*.bkout
+rm -rf ${SHAREDIR}/shorewall/configfiles/
+rm -rf ${SHAREDIR}/shorewall/Samples/
+rm -rf ${SHAREDIR}/shorewall/Shorewall/
+rm -f  ${SHAREDIR}/shorewall/lib.cli-std
+rm -f  ${SHAREDIR}/shorewall/lib.core
+rm -f  ${SHAREDIR}/shorewall/compiler.pl
+rm -f  ${SHAREDIR}/shorewall/prog.*
+rm -f  ${SHAREDIR}/shorewall/module*
+rm -f  ${SHAREDIR}/shorewall/helpers
+rm -f  ${SHAREDIR}/shorewall/action*
+rm -f  ${SHAREDIR}/shorewall/init
 
-for f in /usr/share/man/man5/shorewall* /usr/share/man/man8/shorewall*; do
+for f in ${MANDIR}/man5/shorewall* ${MANDIR}/man8/shorewall*; do
     case $f in
 	shorewall6*|shorewall-lite*)
 	    ;;
@@ -137,8 +161,10 @@ for f in /usr/share/man/man5/shorewall* /usr/share/man/man8/shorewall*; do
     esac
 done
 
-rm -f  /etc/logrotate.d/shorewall
-rm -f  /lib/systemd/system/shorewall.service
+rm -f  ${CONFDIR}/logrotate.d/shorewall
+
+if [ -n "$SYSTEMD" ]; THEN
+rm -f  ${SYSTEMD}/shorewall.service
 
 echo "Shorewall Uninstalled"
 

Shorewall6-lite/Makefile

@@ -12,7 +12,7 @@ $(VARDIR)/${RESTOREFILE}: $(VARDIR)/firewall
 	then \
 	    /sbin/shorewall6-lite -q save >/dev/null; \
 	else \
-	    /sbin/shorewall6-lite -q restart 2>&1 | tail >&2; \
+	    /sbin/shorewall6-lite -q restart 2>&1 | tail >&2; exit 1; \
 	fi
 
 # EOF

Shorewall6-lite/init.debian.sh

@@ -78,6 +78,12 @@ else
 	not_configured
 fi
 
+#determine where the files were installed
+if [ -f ~/.shorewallrc ]; then
+    . ~/.shorewallrc || exit 1
+    [ -n "$SBIN" ] && SRWL=${SBIN}/shorewall6-lite
+fi
+
 # start the firewall
 shorewall6_start () {
   echo -n "Starting \"Shorewall6 Lite firewall\": "

Shorewall6-lite/init.sh

@@ -61,10 +61,16 @@ usage() {
 # Get startup options (override default)
 ################################################################################
 OPTIONS=
-if [ -f /etc/sysconfig/shorewall6-lite ]; then
-    . /etc/sysconfig/shorewall6-lite
-elif [ -f /etc/default/shorewall6-lite ] ; then
-    . /etc/default/shorewall6-lite
+
+if [ ~/.shorewallrc ]; then
+    . ~/.shorewallrc || exit 1
+else
+    SBIN=/sbin
+    SYSCONFDIR=/etc/sysconfig
+fi
+
+if [ -f ${SYSCONFDIR}/shorewall6-lite ]; then
+    . ${SYSCONFDIR}/shorewall6-lite
 fi
 
 export SHOREWALL_INIT_SCRIPT=1
@@ -76,13 +82,13 @@ command="$1"
 
 case "$command" in
     start)
-	exec /sbin/shorewall6-lite $OPTIONS start $STARTOPTIONS $@
+	exec ${SBIN}/shorewall6-lite $OPTIONS start $STARTOPTIONS
 	;;
     restart|reload)
-	exec /sbin/shorewall6-lite $OPTIONS restart $RESTARTOPTIONS $@
+	exec ${SBIN}/shorewall6-lite $OPTIONS restart $RESTARTOPTIONS
 	;;
     status|stop)
-	exec /sbin/shorewall6-lite $OPTIONS $command $@
+	exec ${SBIN}/shorewall6-lite $OPTIONS $command $@
 	;;
     *)
 	usage

Shorewall6-lite/shorewall6-lite

@@ -27,6 +27,24 @@
 ################################################################################################
 g_program=shorewall6-lite
 
-. /usr/share/shorewall/lib.cli
+if [ -f ~/.shorewallrc ]; then
+    . ~/.shorewallrc || exit 1
+else
+    SHAREDIR=/usr/share
+    CONFDIR=${CONFDIR}
+    SBINDIR=/sbin
+    VARDIR=/var/lib
+    LIBEXECDIR=/usr/share
+    PERLLIBDIR=/usr/share/shorewall
+
+fi
+
+g_libexec="$LIBEXECDIR"
+g_sharedir="$SHAREDIR"
+g_sbindir="$SBINDIR"
+g_perllib="$PERLLIBDIR"
+g_readrc=1
+
+. $g_sharedir/shorewall/lib.cli
 
 shorewall_cli $@

Shorewall6-lite/uninstall.sh

@@ -40,6 +40,27 @@ qt()
     "$@" >/dev/null 2>&1
 }
 
+split() {
+    local ifs
+    ifs=$IFS
+    IFS=:
+    set -- $1
+    echo $*
+    IFS=$ifs
+}
+
+mywhich() {
+    local dir
+
+    for dir in $(split $PATH); do
+	if [ -x $dir/$1 ]; then
+	    return 0
+	fi
+    done
+
+    return 2
+}
+
 remove_file() # $1 = file to restore
 {
     if [ -f $1 -o -L $1 ] ; then
@@ -48,8 +69,31 @@ remove_file() # $1 = file to restore
     fi
 }
 
-if [ -f /usr/share/shorewall6-lite/version ]; then
-    INSTALLED_VERSION="$(cat /usr/share/shorewall6-lite/version)"
+if [ -f ~/.shorewallrc ]; then
+    . ~/shorewallrc || exit 1
+else
+    [ -n "${LIBEXEC:=/usr/share}" ]
+    [ -n "${PERLLIB:=/usr/share/shorewall}" ]
+    [ -n "${CONFDIR:=/etc}" ]
+    
+    if [ -z "$SYSCONFDIR" ]; then
+	if [ -d /etc/default ]; then
+	    SYSCONFDIR=/etc/default
+	else
+	    SYSCONFDIR=/etc/sysconfig
+	fi
+    fi
+
+    [ -n "${SBINDIR:=/sbin}" ]
+    [ -n "${SHAREDIR:=/usr/share}" ]
+    [ -n "${VARDIR:=/var/lib}" ]
+    [ -n "${INITFILE:=shorewall}" ]
+    [ -n "${INITDIR:=/etc/init.d}" ]
+    [ -n "${MANDIR:=/usr/share/man}" ]
+fi
+
+if [ -f ${SHAREDIR}/shorewall6-lite/version ]; then
+    INSTALLED_VERSION="$(cat ${SHAREDIR}/shorewall6-lite/version)"
     if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
 	echo "WARNING: Shorewall Lite Version $INSTALLED_VERSION is installed"
 	echo "         and this is the $VERSION uninstaller."
@@ -60,49 +104,39 @@ else
     VERSION=""
 fi
 
-[ -n "${LIBEXEC:=/usr/share}" ]
-
 echo "Uninstalling Shorewall Lite $VERSION"
 
-if qt ip6tables -L shorewall -n && [ ! -f /sbin/shorewall6 ]; then
-   /sbin/shorewall6-lite clear
+if qt ip6tables -L shorewall -n && [ ! -f ${SBINDIR)/shorewall6 ]; then
+   ${SBINDIR}/shorewall6-lite clear
 fi
 
-if [ -L /usr/share/shorewall6-lite/init ]; then
-    FIREWALL=$(readlink -m -q /usr/share/shorewall6-lite/init)
-else
-    FIREWALL=/etc/init.d/shorewall6-lite
+if [ -l ${SHAREDIR}/shorewall6-lite/init ]; then
+    FIREWALL=$(readlink -m -q ${SHAREDIR}/shorewall6-lite/init)
+elif [ -n "$INITFILE" ]; then
+    FIREWALL=${INITDIR}/${INITFILE}
 fi
 
-if [ -n "$FIREWALL" ]; then
-    if [ -x /usr/sbin/updaterc.d ]; then
+if [ -f "$FIREWALL" ]; then
+    if mywhich updaterc.d ; then
 	updaterc.d shorewall6-lite remove
-    elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
+    elif mywhich insserv ; then
         insserv -r $FIREWALL
-    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
+    elif mywhich chkconfig ; then
 	chkconfig --del $(basename $FIREWALL)
-    elif [ -x /sbin/systemctl ]; then
+    elif mywhich systemctl ; then
 	systemctl disable shorewall6-lite
-    else
-	rm -f /etc/rc*.d/*$(basename $FIREWALL)
     fi
 
     remove_file $FIREWALL
-    rm -f ${FIREWALL}-*.bkout
 fi
 
-rm -f /sbin/shorewall6-lite
-rm -f /sbin/shorewall6-lite-*.bkout
-
-rm -rf /etc/shorewall6-lite
-rm -rf /etc/shorewall6-lite-*.bkout
-rm -rf /var/lib/shorewall6-lite
-rm -rf /var/lib/shorewall6-lite-*.bkout
-rm -rf /usr/share/shorewall6-lite
+rm -f ${SBINDIR}/shorewall6-lite
+rm -rf ${CONFDIR}/shorewall6-lite
+rm -rf ${VARDIR}/shorewall6-lite
+rm -rf ${SHAREDIR}/shorewall6-lite
 rm -rf ${LIBEXEC}/shorewall6-lite
-rm -rf /usr/share/shorewall6-lite-*.bkout
-rm -f  /etc/logrotate.d/shorewall6-lite
-rm -f  /lib/systemd/system/shorewall6-lite.service
+rm -f  ${CONFDIR}/logrotate.d/shorewall6-lite
+[ -n "$SYSTEMD" ] && rm -f  ${SYSTEMD}/shorewall6-lite.service
 
 echo "Shorewall6 Lite Uninstalled"
 

Shorewall6/Makefile

@@ -2,6 +2,7 @@
 VARDIR=$(shell /sbin/shorewall6 show vardir)
 CONFDIR=/etc/shorewall6
 RESTOREFILE?=firewall
+
 all: $(VARDIR)/${RESTOREFILE}
 
 $(VARDIR)/${RESTOREFILE}: $(CONFDIR)/*
@@ -11,11 +12,12 @@ $(VARDIR)/${RESTOREFILE}: $(CONFDIR)/*
 	then \
 	    /sbin/shorewall6 -q save >/dev/null; \
 	else \
-	    /sbin/shorewall6 -q restart 2>&1 | tail >&2; \
+	    /sbin/shorewall6 -q restart 2>&1 | tail >&2; exit 1; \
 	fi
 
 clean:
 	@rm -f $(CONFDIR)/*~ $(CONFDIR)/.*~
+
 .PHONY: clean
 
 # EOF

Shorewall6/Samples6/Universal/shorewall6.conf

@@ -129,6 +129,8 @@ FORWARD_CLEAR_MARK=
 
 IMPLICIT_CONTINUE=No
 
+IPSET_WARNINGS=Yes
+
 IP_FORWARDING=Off
 
 KEEP_RT_TABLES=Yes

Shorewall6/Samples6/one-interface/shorewall6.conf

@@ -129,6 +129,8 @@ FORWARD_CLEAR_MARK=
 
 IMPLICIT_CONTINUE=No
 
+IPSET_WARNINGS=Yes
+
 IP_FORWARDING=Off
 
 KEEP_RT_TABLES=Yes

Shorewall6/Samples6/three-interfaces/shorewall6.conf

@@ -129,6 +129,8 @@ FORWARD_CLEAR_MARK=
 
 IMPLICIT_CONTINUE=No
 
+IPSET_WARNINGS=Yes
+
 IP_FORWARDING=On
 
 KEEP_RT_TABLES=Yes

Shorewall6/Samples6/two-interfaces/shorewall6.conf

@@ -129,6 +129,8 @@ FORWARD_CLEAR_MARK=
 
 IMPLICIT_CONTINUE=No
 
+IPSET_WARNINGS=Yes
+
 IP_FORWARDING=On
 
 KEEP_RT_TABLES=Yes

Shorewall6/configfiles/interfaces

@@ -7,4 +7,8 @@
 # http://www.shorewall.net/manpages6/shorewall6-interfaces.html
 #
 ###############################################################################
+FORMAT 1
 #ZONE	INTERFACE	ANYCAST		OPTIONS
+
+FORMAT 2
+#ZONE		INTERFACE		OPTIONS

Shorewall6/configfiles/isusable

@@ -8,13 +8,15 @@
 #
 #	The script is invoked inside a function that accepts an interface
 #	name as a single argument. The file below is designed to work with
-#	both swping and lsm as described at http://www.shorewall.net/MultiISP.html
+#	both swping and lsm as described at
+#	http://www.shorewall.net/MultiISP.html
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.
 #
 ###############################################################################
-local status=0
+local status
+status=0
 
 [ -f ${VARDIR}/${1}.status ] && status=$(cat ${VARDIR}/${1}.status)
 

Shorewall6/configfiles/shorewall6.conf

@@ -129,6 +129,8 @@ FORWARD_CLEAR_MARK=Yes
 
 IMPLICIT_CONTINUE=No
 
+IPSET_WARNINGS=Yes
+
 IP_FORWARDING=Off
 
 KEEP_RT_TABLES=Yes

Shorewall6/configfiles/tcrules

@@ -9,6 +9,6 @@
 #
 # See http://shorewall.net/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
-##############################################################################################################################################
-#MARK	SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS   CONNBYTES		HELPER	HEADERS    PROBABILITY
+###################################################################################################################################################
+#ACTION	SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS   CONNBYTES		HELPER	HEADERS    PROBABILITY DSCP
 #						PORT(S)	PORT(S)

Shorewall6/configfiles/tos

@@ -4,5 +4,5 @@
 # For information about entries in this file, type "man shorewall6-tos"
 #
 ###############################################################################
-#SOURCE		DEST		PROTOCOL	SOURCE	DEST	TOS	MARK
+#SOURCE		DEST		PROTOCOL	DEST	SOURCE	TOS	MARK
 #						PORTS	PORTS

Shorewall6/init.debian.sh

@@ -54,10 +54,18 @@ not_configured () {
 	exit 0
 }
 
+#determine where the files were installed
+if [ -f ~/.shorewallrc ]; then
+    . ~/.shorewallrc || exit 1
+    [ -n "$SBIN" ] && SRWL=${SBIN}/shorewall6
+else
+    SYSCONFDIR=/etc/default
+fi
+
 # check if shorewall is configured or not
-if [ -f "/etc/default/shorewall6" ]
+if [ -f "${SYSCONFDIR}/shorewall6" ]
 then
-	. /etc/default/shorewall6
+	. ${SYSCONFDIR}/shorewall6
 	SRWL_OPTS="$SRWL_OPTS $OPTIONS"
 	if [ "$startup" != "1" ]
 	then

Shorewall6/init.sh

@@ -62,6 +62,14 @@ usage() {
 # Get startup options (override default)
 ################################################################################
 OPTIONS="-v0"
+
+if [ ~/.shorewallrc ]; then
+    . ~/.shorewallrc || exit 1
+else
+    SBIN=/sbin
+    SYSCONFDIR=/etc/sysconfig
+fi
+
 if [ -f /etc/sysconfig/shorewall6 ]; then
     . /etc/sysconfig/shorewall6
 elif [ -f /etc/default/shorewall6 ] ; then
@@ -77,13 +85,13 @@ command="$1"
 
 case "$command" in
     start)
-	exec /sbin/shorewall6 $OPTIONS start $STARTOPTIONS $@
+	exec ${SBIN}/shorewall6 $OPTIONS start $STARTOPTIONS
 	;;
     restart|reload)
-	exec /sbin/shorewall6 $OPTIONS restart $RESTARTOPTIONS $@
+	exec ${SBIN}/shorewall6 $OPTIONS restart $RESTARTOPTIONS
 	;;
     status|stop)
-	exec /sbin/shorewall6 $OPTIONS $command $@
+	exec ${SBIN}/shorewall6 $OPTIONS $command $@
 	;;
     *)
 	usage

Shorewall6/manpages/shorewall6-accounting.xml

@@ -75,12 +75,9 @@
 
     <itemizedlist>
       <listitem>
-        <para>A jump to a user-defined accounting chain before entries that
-        add rules to that chain.</para>
-      </listitem>
-
-      <listitem>
-        <para>This eliminates loops and unreferenced chains.</para>
+        <para>A jump to a user-defined accounting chain must appear before
+        entries that add rules to that chain. This eliminates loops and
+        unreferenced chains.</para>
       </listitem>
 
       <listitem>

Shorewall6/manpages/shorewall6-hosts.xml

@@ -120,19 +120,6 @@
           the list must have no embedded white space.</para>
 
           <variablelist>
-            <varlistentry>
-              <term><emphasis role="bold">routeback</emphasis></term>
-
-              <listitem>
-                <para>shorewall6 should set up the infrastructure to pass
-                packets from this/these address(es) back to themselves. This
-                is necessary if hosts in this group use the services of a
-                transparent proxy that is a member of the group or if DNAT is
-                used to send requests originating from this group to a server
-                in the group.</para>
-              </listitem>
-            </varlistentry>
-
             <varlistentry>
               <term><emphasis role="bold">blacklist</emphasis></term>
 
@@ -143,18 +130,6 @@
               </listitem>
             </varlistentry>
 
-            <varlistentry>
-              <term><emphasis role="bold">tcpflags</emphasis></term>
-
-              <listitem>
-                <para>Packets arriving from these hosts are checked for
-                certain illegal combinations of TCP flags. Packets found to
-                have such a combination of flags are handled according to the
-                setting of TCP_FLAGS_DISPOSITION after having been logged
-                according to the setting of TCP_FLAGS_LOG_LEVEL.</para>
-              </listitem>
-            </varlistentry>
-
             <varlistentry>
               <term><emphasis role="bold">ipsec</emphasis></term>
 
@@ -167,6 +142,43 @@
                 here.</para>
               </listitem>
             </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">mss</emphasis>=<replaceable>mss</replaceable></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.2. When present, causes the TCP
+                mss for new connections to/from the hosts given in the HOST(S)
+                column to be clamped at the specified
+                <replaceable>mss</replaceable>.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">routeback</emphasis></term>
+
+              <listitem>
+                <para>shorewall6 should set up the infrastructure to pass
+                packets from this/these address(es) back to themselves. This
+                is necessary if hosts in this group use the services of a
+                transparent proxy that is a member of the group or if DNAT is
+                used to send requests originating from this group to a server
+                in the group.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">tcpflags</emphasis></term>
+
+              <listitem>
+                <para>Packets arriving from these hosts are checked for
+                certain illegal combinations of TCP flags. Packets found to
+                have such a combination of flags are handled according to the
+                setting of TCP_FLAGS_DISPOSITION after having been logged
+                according to the setting of TCP_FLAGS_LOG_LEVEL.</para>
+              </listitem>
+            </varlistentry>
           </variablelist>
         </listitem>
       </varlistentry>

Shorewall6/manpages/shorewall6-params.xml

@@ -23,7 +23,11 @@
   <refsect1>
     <title>Description</title>
 
-    <para>Assign any shell variables that you need in this file.</para>
+    <para>Assign any shell variables that you need in this file. The file is
+    always processed by <filename>/bin/sh</filename> or by the shell specified
+    through SHOREWALL_SHELL in <ulink
+    url="shorewall6.conf.html">shorewall6.conf</ulink> (5) so the full range
+    of shell capabilities may be used.</para>
 
     <para>It is suggested that variable names begin with an upper case letter
     to distinguish them from variables used internally within the Shorewall
@@ -130,8 +134,8 @@ net     eth0            -               dhcp,nosmurfs</programlisting>
     <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
     shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
     shorewall6-maclist(5), shorewall6-policy(5), shorewall6-providers(5),
-    shorewall6-rtrules(5), shorewall6-routestopped(5),
-    shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5),
+    shorewall6-rtrules(5), shorewall6-routestopped(5), shorewall6-rules(5),
+    shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5),
     shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
     shorewall6-tunnels(5), shorewall6-zones(5)</para>
   </refsect1>

Shorewall6/manpages/shorewall6-rules.xml

@@ -257,7 +257,7 @@
               <listitem>
                 <para>like CONTINUE but exempts the rule from being suppressed
                 by OPTIMIZE=1 in <ulink
-                url="shorewall6.conf.html">shorewall6.conf</ulink>(5). </para>
+                url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
               </listitem>
             </varlistentry>
 
@@ -970,8 +970,18 @@
               <term>localtz</term>
 
               <listitem>
-                <para>Times are expressed in Local Civil Time
-                (default).</para>
+                <para>Deprecated by the Netfilter team in favor of <emphasis
+                role="bold">kerneltz</emphasis>. Times are expressed in Local
+                Civil Time (default).</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>kerneltz</term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.2. Times are expressed in Local
+                Kernel Time (requires iptables 1.4.12 or later).</para>
               </listitem>
             </varlistentry>
 

Shorewall6/manpages/shorewall6-tcrules.xml

@@ -44,11 +44,11 @@
 
     <variablelist>
       <varlistentry>
-        <term><emphasis role="bold">MARK/CLASSIFY</emphasis> -
-        <replaceable>mark</replaceable></term>
+        <term><emphasis role="bold">ACTION</emphasis> -
+        <replaceable>action</replaceable></term>
 
         <listitem>
-          <para><replaceable>mark</replaceable> may assume one of the
+          <para><replaceable>action</replaceable> may assume one of the
           following values.</para>
 
           <orderedlist numeration="arabic">
@@ -272,8 +272,8 @@
               SAME may be used in the PREROUTING and OUTPUT chains. When used
               in PREROUTING, it causes matching connections from an individual
               local system to all use the same provider. For example:
-              <programlisting>#MARK/            SOURCE         DEST         PROTO      DEST
-#CLASSIFY                                                PORT(S)
+              <programlisting>#ACTION           SOURCE         DEST         PROTO      DEST
+#                                                        PORT(S)
 SAME:P            192.168.1.0/24 0.0.0.0/0    tcp        80,443</programlisting>
               If a host in 192.168.1.0/24 attempts a connection on TCP port 80
               or 443 and it has sent a packet on either of those ports in the
@@ -283,8 +283,8 @@ SAME:P            192.168.1.0/24 0.0.0.0/0    tcp        80,443</programlisting>
 
               <para>When used in the OUTPUT chain, it causes all matching
               connections to an individual remote system to all use the same
-              provider. For example:<programlisting>#MARK/            SOURCE         DEST         PROTO      DEST
-#CLASSIFY                                                PORT(S)
+              provider. For example:<programlisting>#ACTION           SOURCE         DEST         PROTO      DEST
+#                                                        PORT(S)
 SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
               If the firewall attempts a connection on TCP port 80 or 443 and
               it has sent a packet on either of those ports in the last five
@@ -365,6 +365,112 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
               <replaceable>number</replaceable>. Requires IMQ Target support
               in your kernel and ip6tables.</para>
             </listitem>
+
+            <listitem>
+              <para><emphasis
+              role="bold">DSCP</emphasis>(<replaceable>dscp</replaceable>)</para>
+
+              <para>Added in Shorewall 4.5.1. Sets the
+              <firstterm>Differentiated Services Code Point</firstterm> field
+              in the IP header. The <replaceable>dscp</replaceable> value may
+              be given as an even number (hex or decimal) or as the name of a
+              DSCP class. Valid class names and their associated hex numeric
+              values are:</para>
+
+              <programlisting>    CS0  =&gt; 0x00
+    CS1  =&gt; 0x08
+    CS2  =&gt; 0x10
+    CS3  =&gt; 0x18
+    CS4  =&gt; 0x20
+    CS5  =&gt; 0x28
+    CS6  =&gt; 0x30
+    CS7  =&gt; 0x38
+    BE   =&gt; 0x00
+    AF11 =&gt; 0x0a
+    AF12 =&gt; 0x0c
+    AF13 =&gt; 0x0e
+    AF21 =&gt; 0x12
+    AF22 =&gt; 0x14
+    AF23 =&gt; 0x16
+    AF31 =&gt; 0x1a
+    AF32 =&gt; 0x1c
+    AF33 =&gt; 0x1e
+    AF41 =&gt; 0x22
+    AF42 =&gt; 0x24
+    AF43 =&gt; 0x26
+    EF   =&gt; 0x2e</programlisting>
+
+              <para>May be optionally followed by ':' and a capital letter
+              designating the chain where classification is to occur.</para>
+
+              <variablelist>
+                <varlistentry>
+                  <term>F</term>
+
+                  <listitem>
+                    <para>FORWARD chain.</para>
+                  </listitem>
+                </varlistentry>
+
+                <varlistentry>
+                  <term>T</term>
+
+                  <listitem>
+                    <para>POSTROUTING chain (default).</para>
+                  </listitem>
+                </varlistentry>
+              </variablelist>
+            </listitem>
+
+            <listitem>
+              <para><emphasis
+              role="bold">TOS</emphasis>(<replaceable>tos</replaceable>[/<replaceable>mask</replaceable>])</para>
+
+              <para>Added in Shorewall 4.5.1. Sets the <firstterm>Type of
+              Service</firstterm> field in the IP header. The
+              <replaceable>tos</replaceable> value may be given as an number
+              (hex or decimal) or as the name of a TOS type. Valid type names
+              and their associated hex numeric values are:</para>
+
+              <programlisting>Minimize-Delay       =&gt; 0x10,
+Maximize-Throughput  =&gt; 0x08,
+Maximize-Reliability =&gt; 0x04,
+Minimize-Cost        =&gt; 0x02,
+Normal-Service       =&gt; 0x00</programlisting>
+
+              <para>When <replaceable>tos</replaceable> is given as a number,
+              it may be optionally followed by '/' and a
+              <replaceable>mask</replaceable>. When no
+              <replaceable>mask</replaceable> is given, the value 0xff is
+              assumed. When <replaceable>tos</replaceable> is given as a type
+              name, the <replaceable>mask</replaceable> 0x3f is
+              assumed.</para>
+
+              <para>The action performed is to zero out the bits specified by
+              the <replaceable>mask</replaceable>, then set the bits specified
+              by <replaceable>tos</replaceable>.</para>
+
+              <para>May be optionally followed by ':' and a capital letter
+              designating the chain where classification is to occur.</para>
+
+              <variablelist>
+                <varlistentry>
+                  <term>F</term>
+
+                  <listitem>
+                    <para>FORWARD chain.</para>
+                  </listitem>
+                </varlistentry>
+
+                <varlistentry>
+                  <term>T</term>
+
+                  <listitem>
+                    <para>POSTROUTING chain (default).</para>
+                  </listitem>
+                </varlistentry>
+              </variablelist>
+            </listitem>
           </orderedlist>
         </listitem>
       </varlistentry>
@@ -389,7 +495,7 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
 
           <para>Accordingly, use $<emphasis role="bold">FW</emphasis> in its
           own separate rule for packets originating on the firewall. In such a
-          rule, the MARK column may NOT specify either <emphasis
+          rule, the ACTION column may NOT specify either <emphasis
           role="bold">:P</emphasis> or <emphasis role="bold">:F</emphasis>
           because marking for firewall-originated packets always occurs in the
           OUTPUT chain.</para>
@@ -420,7 +526,7 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
           iprange match support, IP address ranges are also allowed. List
           elements may also consist of an interface name followed by ":" and
           an address (e.g., eth1:&lt;2002:ce7c:92b4::/48&gt;). If the
-          <emphasis role="bold">MARK</emphasis> column specificies a
+          <emphasis role="bold">ACTION</emphasis> column specificies a
           classification of the form
           <emphasis>major</emphasis>:<emphasis>minor</emphasis> then this
           column may also contain an interface name.</para>
@@ -689,8 +795,8 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
           that the original connection was made on.</para>
 
           <para>Example: Mark all FTP data connections with mark
-          4:<programlisting>#MARK/    SOURCE    DEST      PROTO   PORT(S)    SOURCE  USER TEST LENGTH TOS CONNBYTES HELPER
-#CLASSIFY                                        PORT(S)
+          4:<programlisting>#ACTION   SOURCE    DEST      PROTO   PORT(S)    SOURCE  USER TEST LENGTH TOS CONNBYTES HELPER
+#                                                PORT(S)
 4         ::/0      ::/0      TCP     -          -       -    -    -      -   -         ftp</programlisting></para>
         </listitem>
       </varlistentry>
@@ -824,8 +930,8 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
 
           <para>We assume packet/connection mark 0 means unclassified.</para>
 
-          <programlisting>       #MARK/    SOURCE    DEST         PROTO   PORT(S)       SOURCE  USER    TEST
-       #CLASSIFY                                              PORT(S)
+          <programlisting>       #ACTION   SOURCE    DEST         PROTO   PORT(S)       SOURCE  USER    TEST
+       #                                                      PORT(S)
        1         ::/0      ::/0         icmp    echo-request
        1         ::/0      ::/0         icmp    echo-reply
        RESTORE   ::/0      ::/0         all     -             -       -       0

Shorewall6/manpages/shorewall6-tos.xml

@@ -23,7 +23,10 @@
   <refsect1>
     <title>Description</title>
 
-    <para>This file defines rules for setting Type Of Service (TOS)</para>
+    <para>This file defines rules for setting Type Of Service (TOS). Its use
+    is deprecated, beginning in Shorewall 4.5.1, in favor of the TOS target in
+    <ulink url="shorewall6-tcrules.html">shorewall6-tcrules</ulink>
+    (5).</para>
 
     <para>The columns in the file are as follows.</para>
 

Shorewall6/manpages/shorewall6.conf.xml

@@ -756,6 +756,29 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">IPSET_WARNINGS=</emphasis>{<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.2. Default is Yes. When set, causes the
+          rules compiler to issue a warning when:</para>
+
+          <itemizedlist>
+            <listitem>
+              <para>The compiler is being run by root and an ipset specified
+              in the configuration does not exists. Only one warning is issued
+              for each missing ipset.</para>
+            </listitem>
+
+            <listitem>
+              <para>When [src] is specified in a destination column and when
+              [dst] is specified in a source column.</para>
+            </listitem>
+          </itemizedlist>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">KEEP_RT_TABLES=</emphasis>{<emphasis
         role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
@@ -1809,15 +1832,14 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
           to zero, thus allowing the packet to be routed using the 'main'
           routing table. Using the main table allowed dynamic routes (such as
           those added for VPNs) to be effective. The <ulink
-          url="shorewall6-rtrules.html">shorewall6-rtrules</ulink>(5)
-          file was created to provide a better alternative to clearing the
-          packet mark. As a consequence, passing these packets to PREROUTING
-          complicates things without providing any real benefit. Beginning
-          with Shorewall 4.4.6, when TRACK_PROVIDERS=Yes and TC_EXPERT=No,
-          packets arriving through 'tracked' interfaces will not be passed to
-          the PREROUTING rules. Since TRACK_PROVIDERS was just introduced in
-          4.4.3, this change should be transparent to most, if not all,
-          users.</para>
+          url="shorewall6-rtrules.html">shorewall6-rtrules</ulink>(5) file was
+          created to provide a better alternative to clearing the packet mark.
+          As a consequence, passing these packets to PREROUTING complicates
+          things without providing any real benefit. Beginning with Shorewall
+          4.4.6, when TRACK_PROVIDERS=Yes and TC_EXPERT=No, packets arriving
+          through 'tracked' interfaces will not be passed to the PREROUTING
+          rules. Since TRACK_PROVIDERS was just introduced in 4.4.3, this
+          change should be transparent to most, if not all, users.</para>
         </listitem>
       </varlistentry>
 
@@ -1977,10 +1999,9 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
     shorewall6-ipsec(5), shorewall6-maclist(5), shorewall6-masq(5),
     shorewall6-nat(5), shorewall6-netmap(5),
     shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
-    shorewall6-providers(5), shorewall6-proxyarp(5),
-    shorewall6-rtrules(5), shorewall6-routestopped(5),
-    shorewall6-rules(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
-    shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5),
-    shorewall6-zones(5)</para>
+    shorewall6-providers(5), shorewall6-proxyarp(5), shorewall6-rtrules(5),
+    shorewall6-routestopped(5), shorewall6-rules(5), shorewall6-tcclasses(5),
+    shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
+    shorewall6-tunnels(5), shorewall6-zones(5)</para>
   </refsect1>
 </refentry>

Shorewall6/manpages/shorewall6.xml

@@ -1108,7 +1108,7 @@
           directory is given, then Shorewall6 will look in that directory
           first when opening configuration files.</para>
 
-          <para>Begining with Shorewall 4.5.0, you may specify a different
+          <para>Beginning with Shorewall 4.5.0, you may specify a different
           <replaceable>timeout</replaceable> value using the
           <option>-t</option> option. The numeric
           <replaceable>timeout</replaceable> may optionally be followed by an
@@ -1130,7 +1130,7 @@
           Shorewall6 will look in that directory first when opening
           configuration files.</para>
 
-          <para>Begining with Shorewall 4.5.0, you may specify a different
+          <para>Beginning with Shorewall 4.5.0, you may specify a different
           <replaceable>timeout</replaceable> value using the
           <option>-t</option> option. The numeric
           <replaceable>timeout</replaceable> may optionally be followed by an
@@ -1422,7 +1422,7 @@
           role="bold">restore</emphasis> is performed after
           <replaceable>timeout</replaceable> seconds.</para>
 
-          <para>Begining with Shorewall 4.5.0, the numeric
+          <para>Beginning with Shorewall 4.5.0, the numeric
           <replaceable>timeout</replaceable> may optionally be followed by an
           <option>s</option>, <option>m</option> or <option>h</option> suffix
           (e.g., 5m) to specify seconds, minutes or hours respectively. If the

Shorewall6/shorewall6

@@ -27,6 +27,24 @@
 ################################################################################################
 g_program=shorewall6
 
-. /usr/share/shorewall/lib.cli
+if [ -f ~/.shorewallrc ]; then
+    . ~/.shorewallrc || exit 1
+else
+    SHAREDIR=/usr/share
+    CONFDIR=${CONFDIR}
+    SBINDIR=/sbin
+    VARDIR=/var/lib
+    LIBEXECDIR=/usr/share
+    PERLLIBDIR=/usr/share/shorewall
+
+fi
+
+g_libexec="$LIBEXECDIR"
+g_sharedir="$SHAREDIR"
+g_sbindir="$SBINDIR"
+g_perllib="$PERLLIBDIR"
+g_readrc=1
+
+. $g_sharedir/shorewall/lib.cli
 
 shorewall_cli $@

Shorewall6/uninstall.sh

@@ -40,16 +40,25 @@ qt()
     "$@" >/dev/null 2>&1
 }
 
-restore_file() # $1 = file to restore
-{
-    if [ -f ${1}-shorewall.bkout ]; then
-	if (mv -f ${1}-shorewall.bkout $1); then
-	    echo
-	    echo "$1 restored"
-        else
-	    exit 1
-        fi
-    fi
+split() {
+    local ifs
+    ifs=$IFS
+    IFS=:
+    set -- $1
+    echo $*
+    IFS=$ifs
+}
+
+mywhich() {
+    local dir
+
+    for dir in $(split $PATH); do
+	if [ -x $dir/$1 ]; then
+	    return 0
+	fi
+    done
+
+    return 2
 }
 
 remove_file() # $1 = file to restore
@@ -60,7 +69,30 @@ remove_file() # $1 = file to restore
     fi
 }
 
-if [ -f /usr/share/shorewall6/version ]; then
+if [ -f ~/.shorewallrc ]; then
+    . ~/shorewallrc || exit 1
+else
+    [ -n "${LIBEXEC:=/usr/share}" ]
+    [ -n "${PERLLIB:=/usr/share/shorewall}" ]
+    [ -n "${CONFDIR:=/etc}" ]
+    
+    if [ -z "$SYSCONFDIR" ]; then
+	if [ -d /etc/default ]; then
+	    SYSCONFDIR=/etc/default
+	else
+	    SYSCONFDIR=/etc/sysconfig
+	fi
+    fi
+
+    [ -n "${SBINDIR:=/sbin}" ]
+    [ -n "${SHAREDIR:=/usr/share}" ]
+    [ -n "${VARDIR:=/var/lib}" ]
+    [ -n "${INITFILE:=shorewall}" ]
+    [ -n "${INITDIR:=/etc/init.d}" ]
+    [ -n "${MANDIR:=/usr/share/man}" ]
+fi
+
+if [ -f ${SHARDIR}/shorewall6/version ]; then
     INSTALLED_VERSION="$(cat /usr/share/shorewall6/version)"
     if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
 	echo "WARNING: Shorewall6 Version $INSTALLED_VERSION is installed"
@@ -72,49 +104,39 @@ else
     VERSION=""
 fi
 
-[ -n "${LIBEXEC:=/usr/share}" ]
-
 echo "Uninstalling shorewall6 $VERSION"
 
-if qt ip6tables -L shorewall6 -n && [ ! -f /sbin/shorewall6-lite ]; then
-   /sbin/shorewall6 clear
+if qt ip6tables -L shorewall6 -n && [ ! -f ${SBINDIR}/shorewall6-lite ]; then
+   ${SBINDIR}/shorewall6 clear
 fi
 
-if [ -L /usr/share/shorewall6/init ]; then
-    FIREWALL=$(readlink -m -q /usr/share/shorewall6/init)
-else
-    FIREWALL=/etc/init.d/shorewall6
+if [ -L ${SHAREDIR}/shorewall6/init ]; then
+    FIREWALL=$(readlink -m -q ${SHAREDIR}/shorewall6/init)
+elif [ -n "$INITFILE" ]; then
+    FIREWALL=${INITDIR}/${INITFILE}
 fi
 
-if [ -n "$FIREWALL" ]; then
-    if [ -x /usr/sbin/updaterc.d ]; then
+if [ -f "$FIREWALL" ]; then
+    if mywhich updaterc.d ; then
 	updaterc.d shorewall6 remove
-    elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
+    elif mywhich insserv ; then
         insserv -r $FIREWALL
-    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
+    elif mywhich chkconfig ; then
 	chkconfig --del $(basename $FIREWALL)
-    elif [ -x /sbin/systemctl ]; then
+    elif mywhich systemctl ; then
 	systemctl disable shorewall6
-    else
-	rm -f /etc/rc*.d/*$(basename $FIREWALL)
     fi
 
     remove_file $FIREWALL
-    rm -f ${FIREWALL}-*.bkout
 fi
 
-rm -f /sbin/shorewall6
-rm -f /sbin/shorewall6-*.bkout
-
-rm -rf /etc/shorewall6
-rm -rf /etc/shorewall6-*.bkout
-rm -rf /var/lib/shorewall6
-rm -rf /var/lib/shorewall6-*.bkout
+rm -f ${SBINDIR}/shorewall6
+rm -rf ${CONFDIR}/shorewall6
+rm -rf ${VARDIR}/shorewall6
 rm -rf ${LIBEXEC}/shorewall6
-rm -rf /usr/share/shorewall6
-rm -rf /usr/share/shorewall6-*.bkout
+rm -rf ${SHAREDIR}/shorewall6
 
-for f in /usr/share/man/man5/shorewall6* /usr/share/man/man8/shorewall6*; do
+for f in ${MANDIR}/man5/shorewall6* ${SHAREDIR}/man/man8/shorewall6*; do
     case $f in
 	shorewall6-lite*)
 	    ;;
@@ -123,8 +145,8 @@ for f in /usr/share/man/man5/shorewall6* /usr/share/man/man8/shorewall6*; do
     esac
 done
 
-rm -f  /etc/logrotate.d/shorewall6
-rm -f  /lib/systemd/system/shorewall6.service
+rm -f  ${CONFDIR}/logrotate.d/shorewall6
+[ -n "$SYSTEMD" ] && rm -f ${SYSTEMD}/shorewall6.service
 
 echo "Shorewall6 Uninstalled"
 

docs/Anatomy.xml

@@ -106,7 +106,7 @@
 
       <para>The <filename>/sbin/shorewall</filename> shell program is used to
       interact with Shorewall. See <ulink
-      url="manpages/shorewall.html">shorewall</ulink>(8). </para>
+      url="manpages/shorewall.html">shorewall</ulink>(8).</para>
     </section>
 
     <section id="share-shorewall">

docs/Documentation_Index.xml

@@ -223,8 +223,8 @@
 
             <entry><ulink url="OpenVZ.html">OpenVZ</ulink></entry>
 
-            <entry><ulink url="LennyToSqueeze.html">Upgrading to Shorewall 4.4
-            (Upgrading Debian Lenny to Squeeze)</ulink></entry>
+            <entry><ulink url="upgrade_issues.htm">Upgrade
+            Issues</ulink></entry>
           </row>
 
           <row>
@@ -234,7 +234,8 @@
             <entry><ulink url="starting_and_stopping_shorewall.htm">Operating
             Shorewall</ulink></entry>
 
-            <entry><ulink url="VPNBasics.html">VPN</ulink></entry>
+            <entry><ulink url="LennyToSqueeze.html">Upgrading to Shorewall 4.4
+            (Upgrading Debian Lenny to Squeeze)</ulink></entry>
           </row>
 
           <row>
@@ -245,7 +246,7 @@
             <entry><ulink url="PacketMarking.html">Packet
             Marking</ulink></entry>
 
-            <entry><ulink url="VPN.htm">VPN Passthrough</ulink></entry>
+            <entry><ulink url="VPNBasics.html">VPN</ulink></entry>
           </row>
 
           <row>
@@ -255,8 +256,7 @@
             <entry><ulink url="PacketHandling.html">Packet Processing in a
             Shorewall-based Firewall</ulink></entry>
 
-            <entry><ulink url="blacklisting_support.htm#whitelisting">White
-            List Creation</ulink></entry>
+            <entry><ulink url="VPN.htm">VPN Passthrough</ulink></entry>
           </row>
 
           <row>
@@ -264,8 +264,8 @@
 
             <entry><ulink url="ping.html">'Ping' Management</ulink></entry>
 
-            <entry><ulink url="XenMyWay.html">Xen - Shorewall in a Bridged Xen
-            DomU</ulink></entry>
+            <entry><ulink url="blacklisting_support.htm#whitelisting">White
+            List Creation</ulink></entry>
           </row>
 
           <row>
@@ -275,8 +275,8 @@
             <entry><ulink url="two-interface.htm#DNAT">Port
             Forwarding</ulink></entry>
 
-            <entry><ulink url="XenMyWay-Routed.html">Xen - Shorewall in Routed
-            Xen Dom0</ulink></entry>
+            <entry><ulink url="XenMyWay.html">Xen - Shorewall in a Bridged Xen
+            DomU</ulink></entry>
           </row>
 
           <row>
@@ -285,7 +285,8 @@
 
             <entry><ulink url="ports.htm">Port Information</ulink></entry>
 
-            <entry/>
+            <entry><ulink url="XenMyWay-Routed.html">Xen - Shorewall in Routed
+            Xen Dom0</ulink></entry>
           </row>
 
           <row>