Correct typos in accounting manpages.

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/install.sh

@@ -85,6 +85,13 @@ install_file() # $1 = source $2 = target $3 = mode
     run_install $T $OWNERSHIP -m $3 $1 ${2}
 }
 
+cd "$(dirname $0)"
+
+#
+# Load packager's settings if any
+#
+[ -f ../shorewall-pkg.config ] && . ../shorewall-pkg.config
+
 [ -n "$DESTDIR" ] || DESTDIR="$PREFIX"
 
 #

Shorewall-core/lib.cli

@@ -1112,7 +1112,7 @@ do_dump_command() {
 	echo "   Shorewall $(cat /usr/share/shorewall/version)"
 	echo
     fi
-    
+    show_status
     show_reset
     host=$(echo $g_hostname | sed 's/\..*$//')
     $g_tool -L $g_ipt_options
@@ -2369,9 +2369,7 @@ report_capabilities1() {
     echo KERNELVERSION=$KERNELVERSION
 }
 
-status_command() {
+show_status() {
-    echo "${g_product}-$SHOREWALL_VERSION Status at $g_hostname - $(date)"
-    echo
     if product_is_started ; then
 	echo "$g_product is running"
 	status=0
@@ -2391,6 +2389,12 @@ status_command() {
 	state=Unknown
     fi
     echo "State:$state"
+}
+
+status_command() {
+    echo "${g_product}-$SHOREWALL_VERSION Status at $g_hostname - $(date)"
+    echo
+    show_status
     echo
     exit $status
 }

Shorewall-init/install.sh

@@ -86,6 +86,13 @@ install_file() # $1 = source $2 = target $3 = mode
     run_install $T $OWNERSHIP -m $3 $1 ${2}
 }
 
+cd "$(dirname $0)"
+
+#
+# Load packager's settings if any
+#
+[ -f ../shorewall-pkg.config ] && . ../shorewall-pkg.config
+
 [ -n "$DESTDIR" ] || DESTDIR="$PREFIX"
 
 while [ $# -gt 0 ] ; do
@@ -193,6 +200,8 @@ case "$HOST" in
 	;;
 esac
 
+[ -z "$TARGET" ] && TARGET=$HOST
+
 if [ -z "$INITDIR" -a -n "$INITFILE" ] ; then
     INITDIR="/etc/init.d"
 fi
@@ -207,18 +216,15 @@ if [ -n "$DESTDIR" ]; then
 fi
 
 if [ -z "$DESTDIR" ]; then
-    if [ -f /lib/systemd/system ]; then
+    if [ -d /lib/systemd/system ]; then
 	SYSTEMD=Yes
+	INITFILE=
     fi
 elif [ -n "$SYSTEMD" ]; then
     mkdir -p ${DESTDIR}/lib/systemd/system
+    INITFILE=
 fi
 
-#
-# Change to the directory containing this script
-#
-cd "$(dirname $0)"
-
 echo "Installing Shorewall Init Version $VERSION"
 
 #
@@ -230,28 +236,36 @@ else
     first_install="Yes"
 fi
 
-#
+if [ -n "$INITFILE" ]; then
-# Install the Init Script
+    #
-#
+    # Install the Init Script
-case $TARGET in
+    #
-    debian)
+    case $TARGET in
-	install_file init.debian.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
+	debian)
-	;;
+	    install_file init.debian.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
-    redhat)
+	    ;;
-	install_file init.fedora.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
+	redhat)
-	;;
+	    install_file init.fedora.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
-    *)
+	    ;;
-	install_file init.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
+	*)
-	;;
+	    install_file init.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
-esac
+	    ;;
+    esac
 
-echo  "$Product script installed in ${DESTDIR}${INITDIR}/${INITFILE}"
+    echo  "Shorewall-init script installed in ${DESTDIR}${INITDIR}/${INITFILE}"
+fi
 #
 # Install the .service file
 #
 if [ -n "$SYSTEMD" ]; then
     run_install $OWNERSHIP -m 600 shorewall-init.service ${DESTDIR}/lib/systemd/system/shorewall-init.service
     echo "Service file installed as ${DESTDIR}/lib/systemd/system/shorewall-init.service"
+    if [ -n "$DESTDIR" ]; then
+	mkdir -p ${DESTDIR}/sbin/
+        chmod 755 ${DESTDIR}/sbin
+    fi
+    run_install $OWNERSHIP -m 700 shorewall-init ${DESTDIR}/sbin/shorewall-init
+    echo "CLI installed as ${DESTDIR}/sbin/shorewall-init"
 fi
 
 #

Shorewall-init/shorewall-init

@@ -0,0 +1,97 @@
+#! /bin/bash
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2012 - Tom Eastep (teastep@shorewall.net)
+#
+#       On most distributions, this file should be called /etc/init.d/shorewall.
+#
+#       Complete documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#########################################################################################
+# check if shorewall-init is configured or not
+if [ -f "/etc/sysconfig/shorewall-init" ]; then
+    . /etc/sysconfig/shorewall-init
+    if [ -z "$PRODUCTS" ]; then
+        echo "ERROR: No products configured" >&2
+	exit 1
+    fi
+else
+    echo "ERROR: /etc/sysconfig/shorewall-init not found" >&2
+    exit 1
+fi
+
+# Initialize the firewall
+shorewall_start () {
+  local PRODUCT
+  local VARDIR
+
+  echo -n "Initializing \"Shorewall-based firewalls\": "
+  for PRODUCT in $PRODUCTS; do
+      VARDIR=/var/lib/$PRODUCT
+      [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir 
+      if [ -x ${VARDIR}/firewall ]; then
+	  if ! /sbin/$PRODUCT status > /dev/null 2>&1; then
+	      ${VARDIR}/firewall stop || exit 1
+	  fi
+      fi
+  done
+
+  if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
+      ipset -R < "$SAVE_IPSETS"
+  fi
+
+  return 0
+}
+
+# Clear the firewall
+shorewall_stop () {
+  local PRODUCT
+  local VARDIR
+
+  echo -n "Clearing \"Shorewall-based firewalls\": "
+  for PRODUCT in $PRODUCTS; do
+      VARDIR=/var/lib/$PRODUCT
+      [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir 
+      if [ -x ${VARDIR}/firewall ]; then
+	  ${VARDIR}/firewall clear || exit 1
+      fi
+  done
+
+  if [ -n "$SAVE_IPSETS" ]; then
+      mkdir -p $(dirname "$SAVE_IPSETS")
+      if ipset -S > "${SAVE_IPSETS}.tmp"; then
+	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+      fi
+  fi
+
+  return 0
+}
+
+case "$1" in
+  start)
+     shorewall_start
+     ;;
+  stop)
+     shorewall_stop
+     ;;
+  *)
+     echo "Usage: $0 {start|stop}"
+     exit 1
+esac
+
+exit 0

Shorewall-lite/Makefile

@@ -12,7 +12,7 @@ $(VARDIR)/${RESTOREFILE}: $(VARDIR)/firewall
 	then \
 	    /sbin/shorewall-lite -q save >/dev/null; \
 	else \
-	    /sbin/shorewall-lite -q restart 2>&1 | tail >&2; \
+	    /sbin/shorewall-lite -q restart 2>&1 | tail >&2; exit 1; \
 	fi
 
 # EOF

Shorewall-lite/install.sh

@@ -90,6 +90,11 @@ install_file() # $1 = source $2 = target $3 = mode
 #
 cd "$(dirname $0)"
 
+#
+# Load packager's settings if any
+#
+[ -f ../shorewall-pkg.config ] && . ../shorewall-pkg.config
+
 if [ -f shorewall-lite ]; then
     PRODUCT=shorewall-lite
     Product="Shorewall Lite"
@@ -235,6 +240,7 @@ if [ -n "$DESTDIR" ]; then
 
     if [ -n "$SYSTEMD" ]; then
 	mkdir -p ${DESTDIR}/lib/systemd/system
+	INITFILE=
     fi
 else
     if [ ! -f /usr/share/shorewall/coreversion ]; then
@@ -244,6 +250,7 @@ else
 
     if [ -f /lib/systemd/system ]; then
 	SYSTEMD=Yes
+	INITFILE=
     fi
 fi
 
@@ -300,23 +307,24 @@ if [ -n "$DESTDIR" ]; then
     chmod 755 ${DESTDIR}${INITDIR}
 fi
 
-case $TARGET in
+if [ -n "$INITFILE" ]; then
-    debian)
+    case $TARGET in
-	install_file init.debian.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
+	debian)
-	;;
+	    install_file init.debian.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
-    redhat)
+	    ;;
-	install_file init.fedora.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
+	redhat)
-	;;
+	    install_file init.fedora.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
-    archlinux)
+	    ;;
-	install_file init.archlinux.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
+	archlinux)
-	;;
+	    install_file init.archlinux.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
-    *)
+	    ;;
-	install_file init.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
+	*)
-	;;
+	    install_file init.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
-esac
+	    ;;
-
+    esac
-echo  "$Product script installed in ${DESTDIR}${INITDIR}/${INITFILE}"
 
+    echo  "$Product init script installed in ${DESTDIR}${INITDIR}/${INITFILE}"
+fi
 #
 # Install the .service file
 #

Shorewall-lite/manpages/shorewall-lite.xml

@@ -517,15 +517,17 @@
           defined in the <ulink
           url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
           file. A <emphasis>host-list</emphasis> is comma-separated list whose
-          elements are host or network addresses.<caution>
+          elements are host or network addresses.</para>
-              <para>The <command>add</command> command is not very robust. If
+
-              there are errors in the <replaceable>host-list</replaceable>,
+          <caution>
-              you may see a large number of error messages yet a subsequent
+            <para>The <command>add</command> command is not very robust. If
-              <command>shorewall-lite show zones</command> command will
+            there are errors in the <replaceable>host-list</replaceable>, you
-              indicate that all hosts were added. If this happens, replace
+            may see a large number of error messages yet a subsequent
-              <command>add</command> by <command>delete</command> and run the
+            <command>shorewall-lite show zones</command> command will indicate
-              same command again. Then enter the correct command.</para>
+            that all hosts were added. If this happens, replace
-            </caution></para>
+            <command>add</command> by <command>delete</command> and run the
+            same command again. Then enter the correct command.</para>
+          </caution>
         </listitem>
       </varlistentry>
 

Shorewall/Makefile

@@ -2,6 +2,7 @@
 VARDIR=$(shell /sbin/shorewall show vardir)
 CONFDIR=/etc/shorewall
 RESTOREFILE?=firewall
+
 all: $(VARDIR)/${RESTOREFILE}
 
 $(VARDIR)/${RESTOREFILE}: $(CONFDIR)/*
@@ -11,11 +12,12 @@ $(VARDIR)/${RESTOREFILE}: $(CONFDIR)/*
 	then \
 	    /sbin/shorewall -q save >/dev/null; \
 	else \
-	    /sbin/shorewall -q restart 2>&1 | tail >&2; \
+	    /sbin/shorewall -q restart 2>&1 | tail >&2; exit 1; \
 	fi
 
 clean:
 	@rm -f $(CONFDIR)/*~ $(CONFDIR)/.*~
+
 .PHONY: clean
 
 # EOF

Shorewall/Perl/Shorewall/Chains.pm

@@ -191,6 +191,7 @@ our %EXPORT_TAGS = (
 				       do_time
 				       do_user
 				       do_length
+				       decode_tos
 				       do_tos
 				       do_connbytes
 				       do_helper
@@ -395,6 +396,11 @@ our %dscpmap = ( CS0  => 0x00,
 		 EF   => 0x2e,
 	       );
 
+our %tosmap = ( 'Minimize-Delay'       => 0x10,
+		'Maximize-Throughput'  => 0x08,
+		'Maximize-Reliability' => 0x04,
+		'Minimize-Cost'        => 0x02,
+		'Normal-Service'       => 0x00 );
 #
 # These hashes hold the shell code to set shell variables. The key is the name of the variable; the value is the code to generate the variable's contents
 #
@@ -4069,13 +4075,53 @@ sub do_user( $ ) {
     $rule;
 }
 
+
+
 #
 # Create a "-m tos" match for the passed TOS
 #
-sub do_tos( $ ) {
+# This helper is also used during tos file processing
-    my $tos = $_[0];
+#
+sub decode_tos( $$ ) {
+    my ( $tos, $set ) = @_;
 
-    $tos ne '-' ? "-m tos --tos $tos " : '';
+    if ( $tos eq '-' ) {
+	fatal_error [ '',                                            # 0
+		      'A value must be supplied in the TOS column',  # 1
+		      'Invalid TOS() parameter (-)',                 # 2
+		    ]->[$set] if $set;
+	return '';
+    }
+
+    my $mask = 0xff;
+    my $value;
+
+    if ( $tos =~ m"^(.+)/(.+)$" ) {
+	$value = numeric_value $1;
+	$mask  = numeric_value $2;
+    } elsif ( ! defined ( $value = numeric_value( $tos ) ) ) {
+	$value = $tosmap{$tos};
+	$mask  = 0x3f;
+    }
+
+    fatal_error( [ 'Invalid TOS column value',
+		   'Invalid TOS column value',
+		   'Invalid TOS() parameter', ]->[$set] . " ($tos)" )
+	unless ( defined $value &&
+		 $value <= 0xff &&
+		 defined $mask  &&
+		 $mask <= 0xff );
+
+    warning_message "Unmatchable TOS ($tos)" unless $set || $value & $mask;
+
+    $tos = in_hex( $value) . '/' . in_hex( $mask ) . ' ';
+
+    $set ? " --set-tos $tos" : "-m tos --tos $tos ";
+
+}
+
+sub do_tos( $ ) {
+    decode_tos( $_[0], 0 );
 }
 
 my %dir = ( O => 'original' ,
@@ -4156,8 +4202,17 @@ sub do_helper( $ ) {
 sub do_length( $ ) {
     my $length = $_[0];
 
+    return '' if $length eq '-';
+
     require_capability( 'LENGTH_MATCH' , 'A Non-empty LENGTH' , 's' );
-    $length ne '-' ? "-m length --length $length " : '';
+
+    fatal_error "Invalid LENGTH ($length)" unless $length =~/^(\d+)(:(\d+))?$/;
+
+    if ( supplied $2 ) {
+	fatal_error "First length must be < second length" unless $1 < $3;
+    }
+
+    "-m length --length $length ";
 }
 
 #
@@ -4396,7 +4451,7 @@ sub get_set_flags( $$ ) {
 	my %typemap = ( src => 'Source', dst => 'Destination' );
 
 	for ( @options ) {
-	    warning_messsage( "The '$_' ipset flag is used in a $typemap{$option} column" ), last unless $_ eq $option;
+	    warning_message( "The '$_' ipset flag is used in a $typemap{$option} column" ), last unless $_ eq $option;
 	}
     }
 
@@ -4409,7 +4464,6 @@ sub get_set_flags( $$ ) {
 
 	$ipset_exists{$setname} = 1; # Suppress subsequent checks/warnings
     }
-
     fatal_error "Invalid ipset name ($setname)" unless $setname =~ /^(6_)?[a-zA-Z]\w*/;
 
     have_capability 'OLD_IPSET_MATCH' ? "--set $setname $options " : "--match-set $setname $options ";
@@ -4422,11 +4476,21 @@ sub have_ipset_rules() {
 
 sub get_interface_address( $ );
 
-sub record_runtime_address( $ ) {
+sub record_runtime_address( $$;$ ) {
-    my $interface = shift;
+    my ( $addrtype, $interface, $protect ) = @_;
     fatal_error "Unknown interface address variable (&$interface)" unless known_interface( $interface );
     fatal_error "Invalid interface address variable (&$interface)" if $interface =~ /\+$/;
-    get_interface_address( $interface ) . ' ';
+
+    my $addr;
+
+    if ( $addrtype eq '&' ) {
+	$addr = get_interface_address( $interface );
+    } else {
+	$addr = get_interface_gateway( $interface, $protect );
+    }
+
+    $addr . ' ';
+   
 }
 
 #
@@ -4438,12 +4502,19 @@ sub record_runtime_address( $ ) {
 sub conditional_rule( $$ ) {
     my ( $chainref, $address ) = @_;
 
-    if ( $address =~ /^!?&(.+)$/ ) {
+    if ( $address =~ /^!?([&%])(.+)$/ ) {
-	my $interface = $1;
+	my ($type, $interface) = ($1, $2);
 	if ( my $ref = known_interface $interface ) {
 	    if ( $ref->{options}{optional} ) {
-		my $variable = get_interface_address( $interface );
+		my $variable;
-		add_commands( $chainref , "if [ $variable != " . NILIP . ' ]; then' );
+		if ( $type eq '&' ) {
+		    $variable = get_interface_address( $interface );
+		    add_commands( $chainref , "if [ $variable != " . NILIP . ' ]; then' );
+		} else {
+		    $variable = get_interface_gateway( $interface );
+		    add_commands( $chainref , qq(if [ -n "$variable" ]; then) );
+		}
+
 		incr_cmd_level $chainref;
 		return 1;
 	    }
@@ -4507,16 +4578,16 @@ sub match_source_net( $;$\$ ) {
     }
 
     if ( $net =~ s/^!// ) {
-	if ( $net =~ /^&(.+)/ ) {
+	if ( $net =~ /^([&%])(.+)/ ) {
-	    return '! -s ' . record_runtime_address $1;
+	    return '! -s ' . record_runtime_address $1, $2;
 	}
 
 	validate_net $net, 1;
 	return "! -s $net ";
     }
 
-    if ( $net =~ /^&(.+)/ ) {
+    if ( $net =~ /^([&%])(.+)/ ) {
-	return '-s ' . record_runtime_address $1;
+	return '-s ' . record_runtime_address $1, $2;
     }
 
     validate_net $net, 1;
@@ -4561,16 +4632,16 @@ sub imatch_source_net( $;$\$ ) {
     }
 
     if ( $net =~ s/^!// ) {
-	if ( $net =~ /^&(.+)/ ) {
+	if ( $net =~ /^([&%])(.+)/ ) {
-	    return  ( s => '! ' . record_runtime_address $1 );
+	    return  ( s => '! ' . record_runtime_address( $1, $2, 1 ) );
 	}
 
 	validate_net $net, 1;
 	return ( s => "! $net " );
     }
 
-    if ( $net =~ /^&(.+)/ ) {
+    if ( $net =~ /^([&%])(.+)/ ) {
-	return ( s =>  record_runtime_address $1 );
+	return ( s =>  record_runtime_address( $1, $2, 1 ) );
     }
 
     validate_net $net, 1;
@@ -4610,16 +4681,16 @@ sub match_dest_net( $ ) {
     }
 
     if ( $net =~ s/^!// ) {
-	if ( $net =~ /^&(.+)/ ) {
+	if ( $net =~ /^([&%])(.+)/ ) {
-	    return '! -d ' . record_runtime_address $1;
+	    return '! -d ' . record_runtime_address $1, $2;
 	}
 	
 	validate_net $net, 1;
 	return "! -d $net ";
     }
 
-    if ( $net =~ /^&(.+)/ ) {
+    if ( $net =~ /^([&%])(.+)/ ) {
-	return '-d ' . record_runtime_address $1;
+	return '-d ' . record_runtime_address $1, $2;
     }
 
     validate_net $net, 1;
@@ -4657,16 +4728,16 @@ sub imatch_dest_net( $ ) {
     }
 
     if ( $net =~ s/^!// ) {
-	if ( $net =~ /^&(.+)/ ) {
+	if ( $net =~ /^([&%])(.+)/ ) {
-	    return ( d => '! ' . record_runtime_address $1 );
+	    return ( d => '! ' . record_runtime_address( $1, $2, 1 ) );
 	}
 	
 	validate_net $net, 1;
 	return ( d => "! $net " );
     }
 
-    if ( $net =~ /^&(.+)/ ) {
+    if ( $net =~ /^([&%])(.+)/ ) {
-	return ( d => record_runtime_address $1 );
+	return ( d => record_runtime_address( $1, $2, 1 ) );
     }
 
     validate_net $net, 1;
@@ -4684,7 +4755,7 @@ sub match_orig_dest ( $ ) {
 
     if ( $net =~ s/^!// ) {
 	if ( $net =~ /^&(.+)/ ) {
-	    $net = record_runtime_address $1;
+	    $net = record_runtime_address '&', $1;
 	} else {
 	    validate_net $net, 1;
 	}
@@ -4692,7 +4763,7 @@ sub match_orig_dest ( $ ) {
 	have_capability( 'OLD_CONNTRACK_MATCH' ) ? "-m conntrack --ctorigdst ! $net " : "-m conntrack ! --ctorigdst $net ";
     } else {
 	if ( $net =~ /^&(.+)/ ) {
-	    $net = record_runtime_address $1;
+	    $net = record_runtime_address '&', $1;
 	} else {
 	    validate_net $net, 1;
 	}
@@ -5140,8 +5211,8 @@ sub interface_gateway( $ ) {
 #
 # Record that the ruleset requires the gateway address on the passed interface
 #
-sub get_interface_gateway ( $ ) {
+sub get_interface_gateway ( $;$ ) {
-    my ( $logical ) = $_[0];
+    my ( $logical, $protect ) = @_;
 
     my $interface = get_physical $logical;
     my $variable = interface_gateway( $interface );
@@ -5158,7 +5229,7 @@ sub get_interface_gateway ( $ ) {
 );
     }
 
-    "\$$variable";
+    $protect ? "\${$variable:-" . NILIP . '}' : "\$$variable";
 }
 
 #
@@ -5468,7 +5539,7 @@ sub expand_rule( $$$$$$$$$$;$ )
 	    } else {
 		$inets = $source;
 	    }
-	} elsif ( $source =~ /(?:\+|&|~|\..*\.)/ ) {
+	} elsif ( $source =~ /(?:\+|&|%|~|\..*\.)/ ) {
 	    $inets = $source;
 	} else {
 	    $iiface = $source;
@@ -5553,7 +5624,7 @@ sub expand_rule( $$$$$$$$$$;$ )
 	    if ( $dest =~ /^(.+?):(.+)$/ ) {
 		$diface = $1;
 		$dnets  = $2;
-	    } elsif ( $dest =~ /\+|&|~|\..*\./ ) {
+	    } elsif ( $dest =~ /\+|&|%|~|\..*\./ ) {
 		$dnets = $dest;
 	    } else {
 		$diface = $dest;
@@ -6498,7 +6569,7 @@ sub create_netfilter_load( $ ) {
     #
     emit(  'exec 3>&-',
 	   '',
-	   '[ -n "$DEBUG" ] && command=debug_restore_input || command=$' . $UTILITY,
+	   '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY,
 	   '',
 	   'progress_message2 "Running $command..."',
 	   '',

Shorewall/Perl/Shorewall/Config.pm

@@ -421,6 +421,11 @@ my %deprecated = ( LOGRATE            => '' ,
 		   HIGH_ROUTE_MARKS   => 'no'
 		 );
 #
+# Deprecated options that are eliminated via update
+#
+my %converted = ( WIDE_TC_MARKS => 1,
+		  HIGH_ROUTE_MARKS => 1 );
+#
 # Rather than initializing globals in an INIT block or during declaration,
 # we initialize them in a function. This is done for two reasons:
 #
@@ -3166,7 +3171,7 @@ sub update_config_file( $ ) {
 
 	my $heading_printed;
 
-	for ( keys %deprecated ) {
+	for ( grep ! $converted{$_} , keys %deprecated ) {
 	    if ( supplied( my $val = $config{$_} ) ) {
 		if ( lc $val ne $deprecated{$_} ) {
 		    unless ( $heading_printed ) {
@@ -3202,7 +3207,7 @@ EOF
 		progress_message3 "No update required to configuration file $configfile; $configfile.bak not saved";
 	    } else {
 		warning_message "Unable to unlink $configfile.bak";
-		progress_message3 "No update required to configuration file $configfile; $configfile.b";
+		progress_message3 "No update required to configuration file $configfile";
 	    }
 
 	    exit 0 unless -f find_file 'blacklist';
@@ -3376,6 +3381,8 @@ sub unsupported_yes_no_warning( $ ) {
 sub get_params() {
     my $fn = find_file 'params';
 
+    my %reserved = ( COMMAND => 1, CONFDIR => 1, SHAREDIR => 1, VARDIR => 1 );
+
     if ( -f $fn ) {
 	progress_message2 "Processing $fn ...";
 
@@ -3479,6 +3486,11 @@ sub get_params() {
 	    }
 	}
 
+	for ( keys %params ) {
+	    fatal_error "The variable name $_ is reserved and may not be set in the params file"
+		if /^SW_/ || /^SHOREWALL_/ || ( exists $config{$_} && ! exists $ENV{$_} ) || exists $reserved{$_};
+	}
+
 	if ( $debug ) {
 	    print "PARAMS:\n";
 	    my $value;

Shorewall/Perl/Shorewall/Misc.pm

@@ -67,18 +67,17 @@ sub process_tos() {
     my $chain    = have_capability( 'MANGLE_FORWARD' ) ? 'fortos'  : 'pretos';
     my $stdchain = have_capability( 'MANGLE_FORWARD' ) ? 'FORWARD' : 'PREROUTING';
 
-    my %tosoptions = ( 'minimize-delay'       => 0x10 ,
+   if ( my $fn = open_file 'tos' ) {
-		       'maximize-throughput'  => 0x08 ,
-		       'maximize-reliability' => 0x04 ,
-		       'minimize-cost'        => 0x02 ,
-		       'normal-service'       => 0x00 );
-
-    if ( my $fn = open_file 'tos' ) {
 	my $first_entry = 1;
 
 	my ( $pretosref, $outtosref );
 
-	first_entry( sub { progress_message2 "$doing $fn..."; $pretosref = ensure_chain 'mangle' , $chain; $outtosref = ensure_chain 'mangle' , 'outtos'; } );
+	first_entry( sub { progress_message2 "$doing $fn..."; 
+			   warning_message "Use of the tos file is deprecated in favor of the TOS target in tcrules";
+			   $pretosref = ensure_chain 'mangle' , $chain; 
+			   $outtosref = ensure_chain 'mangle' , 'outtos';
+		       }
+		   );
 
 	while ( read_a_line ) {
 
@@ -86,14 +85,7 @@ sub process_tos() {
 
 	    $first_entry = 0;
 
-	    fatal_error 'A value must be supplied in the TOS column' if $tos eq '-';
+	    $tos = decode_tos( $tos , 1 );
-
-	    if ( defined ( my $tosval = $tosoptions{"\L$tos"} ) ) {
-		$tos = $tosval;
-	    } else {
-		my $val = numeric_value( $tos );
-		fatal_error "Invalid TOS value ($tos)" unless defined( $val ) && $val < 0x1f;
-	    }
 
 	    my $chainref;
 
@@ -129,7 +121,7 @@ sub process_tos() {
 		$src ,
 		$dst ,
 		'' ,
-		"TOS --set-tos $tos" ,
+		'TOS' . $tos ,
 		'' ,
 		'TOS' ,
 		'';
@@ -1013,9 +1005,10 @@ sub add_common_rules ( $ ) {
 	    for $interface ( @$list ) {
 		my $chainref = $filter_table->{input_option_chain $interface};
 		my $base     = uc chain_base get_physical $interface;
-		my $variable = get_interface_gateway $interface;
+		my $optional = interface_is_optional( $interface );
+		my $variable = get_interface_gateway( $interface, ! $optional );
 
-		if ( interface_is_optional $interface ) {
+		if ( $optional ) {
 		    add_commands( $chainref,
 				  qq(if [ -n "SW_\$${base}_IS_USABLE" -a -n "$variable" ]; then) );
 		    incr_cmd_level( $chainref );

Shorewall/Perl/Shorewall/Nat.pm

@@ -88,7 +88,7 @@ sub process_one_masq( )
 	$interfacelist = $1;
     } elsif ( $interfacelist =~ /^([^:]+):([^:]*)$/ ) {
 	my ( $one, $two ) = ( $1, $2 );
-	if ( $2 =~ /\./ ) {
+	if ( $2 =~ /\./ || $2 =~ /^%/ ) {
 	    $interfacelist = $one;
 	    $destnets = $two;
 	}
@@ -195,7 +195,7 @@ sub process_one_masq( )
 			    if ( $conditional = conditional_rule( $chainref, $addr ) ) {
 				$addrlist .= '--to-source ' . get_interface_address $1;
 			    } else {
-				$addrlist .= '--to-source ' . record_runtime_address $1;
+				$addrlist .= '--to-source ' . record_runtime_address( '&', $1 );
 			    }
 			} elsif ( $addr =~ /^.*\..*\..*\./ ) {
 			    $target = 'SNAT ';

Shorewall/Perl/Shorewall/Providers.pm

@@ -916,7 +916,7 @@ sub add_an_rtrule( ) {
     if ( $source eq '-' ) {
 	$source = 'from ' . ALLIP;
     } elsif ( $source =~ s/^&// ) {
-	$source = 'from ' . record_runtime_address $source;
+	$source = 'from ' . record_runtime_address '&', $source;
     } elsif ( $family == F_IPV4 ) {
 	if ( $source =~ /:/ ) {
 	    ( my $interface, $source , my $remainder ) = split( /:/, $source, 3 );

Shorewall/Perl/Shorewall/Tc.pm

@@ -380,11 +380,15 @@ sub process_tc_rule( ) {
 		       DSCP => sub() {
 			                  assert( $cmd =~ /^DSCP\((\w+)\)$/ );
 					  require_capability 'DSCP_TARGET', 'The DSCP action', 's'; 
-					  my $dscp = numeric_value( $1);
+					  my $dscp = numeric_value( $1 );
 					  $dscp = $dscpmap{$1} unless defined $dscp;
-					  fatal_error( "Invalid DSCP ($1)" ) unless defined $dscp && $dscp < 0x2f && ! ( $dscp & 1 );
+					  fatal_error( "Invalid DSCP ($1)" ) unless defined $dscp && $dscp <= 0x38 && ! ( $dscp & 1 );
 					  $target .= ' --set-dscp ' . in_hex( $dscp );
-				      }
+				      },
+		       TOS => sub() {
+			                  assert( $cmd =~ /^TOS\((.+)\)$/ );
+					  $target .= decode_tos( $1 , 2 );
+				      },
 		     );
 
     if ( $source ) {
@@ -459,7 +463,12 @@ sub process_tc_rule( ) {
 	}
     }
 
-    ($cmd, $rest) = split( '/', $mark, 2 );
+    if ( $mark =~ /^TOS/ ) {
+	$cmd = $mark;
+	$rest = '';
+    } else {
+	($cmd, $rest) = split( '/', $mark, 2 );
+    }
 
     $list = '';
 
@@ -2017,6 +2026,12 @@ sub setup_tc() {
 			  mask      => '',
 			  connmark  => 0
 			},
+			{ match     => sub( $ ) { $_[0] =~ /^TOS\(.+\)$/ },
+			  target    => 'TOS',
+			  mark      => NOMARK,
+			  mask      => '',
+			  connmark  => 0
+			},
 		      );
 
 	if ( my $fn = open_file 'tcrules' ) {

Shorewall/Perl/prog.footer

@@ -62,12 +62,14 @@ checkkernelversion() {
 #
 # Start trace if first arg is "debug" or "trace"
 #
+g_debug_iptables=
+
 if [ $# -gt 1 ]; then
     if [ "x$1" = "xtrace" ]; then
 	set -x
 	shift
     elif [ "x$1" = "xdebug" ]; then
-	DEBUG=Yes
+	g_debug_iptables=Yes
 	shift
     fi
 fi

Shorewall/configfiles/tos

@@ -4,5 +4,5 @@
 # For information about entries in this file, type "man shorewall-tos"
 #
 ###############################################################################
-#SOURCE		DEST		PROTOCOL	SOURCE	DEST	TOS	MARK
+#SOURCE		DEST		PROTOCOL	DEST	SOURCE	TOS	MARK
 #						PORTS	PORTS

Shorewall/install.sh

@@ -92,6 +92,11 @@ install_file() # $1 = source $2 = target $3 = mode
 
 cd "$(dirname $0)"
 
+#
+# Load packager's settings if any
+#
+[ -f ../shorewall-pkg.config ] && . ../shorewall-pkg.config
+
 if [ -f shorewall ]; then
     PRODUCT=shorewall
     Product=Shorewall
@@ -231,7 +236,7 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 # Determine where to install the firewall script
 #
 
-if [ $PRODUCT = shorewall ]; then
+if [ $PRODUCT = shorewall -a -z "${DESTDIR}" ]; then
     #
     # Verify that Perl is installed
     #
@@ -297,17 +302,19 @@ if [ -n "$DESTDIR" ]; then
 
     install -d $OWNERSHIP -m 755 ${DESTDIR}/sbin
     install -d $OWNERSHIP -m 755 ${DESTDIR}${INITDIR}
-else
+elif [ $PRODUCT != shorewall ]; then
-    [ -x /usr/share/shorewall/compiler.pl ] || \
+    [ -x ${LIBEXEC}/shorewall/compiler.pl ] || \
-	{ echo "   ERROR: Shorewall >= 4.3.5 is not installed" >&2; exit 1; }
+	{ echo "   ERROR: Shorewall >= 4.5.0 is not installed" >&2; exit 1; }
 fi
 
 if [ -z "$DESTDIR" ]; then
     if [ -f /lib/systemd/system ]; then
 	SYSTEMD=Yes
+	INITFILE=
     fi
 elif [ -n "$SYSTEMD" ]; then
     mkdir -p ${DESTDIR}/lib/systemd/system
+    INITFILE=
 fi
 
 echo "Installing $Product Version $VERSION"
@@ -337,27 +344,27 @@ fi
 #
 # Install the Firewall Script
 #
-case $HOST in
+if [ -n "$INITFILE" ]; then
-    debian)
+    case $HOST in
-	install_file init.debian.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
+	debian)
-	;;
+	    install_file init.debian.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
-    redhat)
+	    ;;
-	install_file init.fedora.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
+	redhat)
-	;;
+	    install_file init.fedora.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
-    slackware)
+	    ;;
-        if [ $PRODUCT = shorewall ]; then
+	slackware)
-	    install_file init.slackware.firewall.sh ${DESTDIR}${DEST}/rc.firewall 0644
+            if [ $PRODUCT = shorewall ]; then
-	    install_file init.slackware.$PRODUCT.sh ${DESTDIR}${DEST}/rc.$PRODUCT 0644
+		install_file init.slackware.firewall.sh ${DESTDIR}${DEST}/rc.firewall 0644
-	fi
+		install_file init.slackware.$PRODUCT.sh ${DESTDIR}${DEST}/rc.$PRODUCT 0644
-	;;
+	    fi
-    *)
+	    ;;
-	if [ -n "$INITFILE" ]; then
+	*)
 	    install_file init.sh ${DESTDIR}${INITDIR}/$INITFILE 0544
-	fi
+	    ;;
-	;;
+    esac
-esac
 
-[ -n "$INITFILE" ] && echo  "$Product script installed in ${DESTDIR}${INITDIR}/$INITFILE"
+    echo  "$Product script installed in ${DESTDIR}${INITDIR}/$INITFILE"
+fi
 
 #
 # Create /etc/$PRODUCT and /var/lib/$PRODUCT if needed
@@ -913,11 +920,6 @@ fi
 # Install the Isusable file
 #
 run_install $OWNERSHIP -m 0644 isusable ${DESTDIR}/usr/share/$PRODUCT/configfiles/isusable
-
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/$PRODUCT/isusable ]; then
-    run_install $OWNERSHIP -m 0600 isusable ${DESTDIR}/etc/$PRODUCT/isusable
-    echo "Isusable file installed as ${DESTDIR}/etc/$PRODUCT/isusable"
-fi
 #
 # Install the Refresh file
 #

Shorewall/lib.core

@@ -510,6 +510,20 @@ debug_restore_input() {
 	qt1 $g_tool -t raw -P $chain ACCEPT
     done
 
+    qt1 $g_tool -t rawpost -F
+    qt1 $g_tool -t rawpost    -X
+
+    for chain in POSTROUTING; do
+	qt1 $g_tool -t rawpost -P $chain ACCEPT
+    done
+
+    qt1 $g_tool -t nat    -F
+    qt1 $g_tool -t nat    -X
+
+    for chain in PREROUTING POSTROUTING; do
+        qt1 $g_tool -t nat -P $chain ACCEPT
+    done
+
     qt1 $g_tool -t filter -F
     qt1 $g_tool -t filter -X
 

Shorewall/manpages/shorewall-accounting.xml

@@ -75,12 +75,9 @@
 
     <itemizedlist>
       <listitem>
-        <para>A jump to a user-defined accounting chain before entries that
+        <para>A jump to a user-defined accounting chain must appear before
-        add rules to that chain.</para>
+        entries that add rules to that chain. This eliminates loops and
-      </listitem>
+        unreferenced chains.</para>
-
-      <listitem>
-        <para>This eliminates loops and unreferenced chains.</para>
       </listitem>
 
       <listitem>

Shorewall/manpages/shorewall-tcrules.xml

@@ -502,6 +502,77 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
     AF42 =&gt; 0x24
     AF43 =&gt; 0x26
     EF   =&gt; 0x2e</programlisting>
+
+              <para>May be optionally followed by ':' and a capital letter
+              designating the chain where classification is to occur.</para>
+
+              <variablelist>
+                <varlistentry>
+                  <term>F</term>
+
+                  <listitem>
+                    <para>FORWARD chain.</para>
+                  </listitem>
+                </varlistentry>
+
+                <varlistentry>
+                  <term>T</term>
+
+                  <listitem>
+                    <para>POSTROUTING chain (default).</para>
+                  </listitem>
+                </varlistentry>
+              </variablelist>
+            </listitem>
+
+            <listitem>
+              <para><emphasis
+              role="bold">TOS</emphasis>(<replaceable>tos</replaceable>[/<replaceable>mask</replaceable>])</para>
+
+              <para>Added in Shorewall 4.5.1. Sets the <firstterm>Type of
+              Service</firstterm> field in the IP header. The
+              <replaceable>tos</replaceable> value may be given as an number
+              (hex or decimal) or as the name of a TOS type. Valid type names
+              and their associated hex numeric values are:</para>
+
+              <programlisting>Minimize-Delay       =&gt; 0x10,
+Maximize-Throughput  =&gt; 0x08,
+Maximize-Reliability =&gt; 0x04,
+Minimize-Cost        =&gt; 0x02,
+Normal-Service       =&gt; 0x00</programlisting>
+
+              <para>When <replaceable>tos</replaceable> is given as a number,
+              it may be optionally followed by '/' and a
+              <replaceable>mask</replaceable>. When no
+              <replaceable>mask</replaceable> is given, the value 0xff is
+              assumed. When <replaceable>tos</replaceable> is given as a type
+              name, the <replaceable>mask</replaceable> 0x3f is
+              assumed.</para>
+
+              <para>The action performed is to zero out the bits specified by
+              the <replaceable>mask</replaceable>, then set the bits specified
+              by <replaceable>tos</replaceable>.</para>
+
+              <para>May be optionally followed by ':' and a capital letter
+              designating the chain where classification is to occur.</para>
+
+              <variablelist>
+                <varlistentry>
+                  <term>F</term>
+
+                  <listitem>
+                    <para>FORWARD chain.</para>
+                  </listitem>
+                </varlistentry>
+
+                <varlistentry>
+                  <term>T</term>
+
+                  <listitem>
+                    <para>POSTROUTING chain (default).</para>
+                  </listitem>
+                </varlistentry>
+              </variablelist>
             </listitem>
           </orderedlist>
         </listitem>

Shorewall/manpages/shorewall-tos.xml

@@ -23,7 +23,9 @@
   <refsect1>
     <title>Description</title>
 
-    <para>This file defines rules for setting Type Of Service (TOS)</para>
+    <para>This file defines rules for setting Type Of Service (TOS). Its use
+    is deprecated, beginning in Shorewall 4.5.1, in favor of the TOS target in
+    <ulink url="shorewall-tcrules.html">shorewall-tcrules</ulink> (5).</para>
 
     <para>The columns in the file are as follows (where the column name is
     followed by a different name in parentheses, the different name is used in

Shorewall/manpages/shorewall.xml

@@ -1243,7 +1243,7 @@
           directory is given, then Shorewall will look in that directory first
           when opening configuration files.</para>
 
-          <para>Begining with Shorewall 4.5.0, you may specify a different
+          <para>Beginning with Shorewall 4.5.0, you may specify a different
           <replaceable>timeout</replaceable> value using the
           <option>-t</option> option. The numeric
           <replaceable>timeout</replaceable> may optionally be followed by an
@@ -1265,7 +1265,7 @@
           Shorewall will look in that directory first when opening
           configuration files.</para>
 
-          <para>Begining with Shorewall 4.5.0, you may specify a different
+          <para>Beginning with Shorewall 4.5.0, you may specify a different
           <replaceable>timeout</replaceable> value using the
           <option>-t</option> option. The numeric
           <replaceable>timeout</replaceable> may optionally be followed by an
@@ -1600,7 +1600,7 @@
           role="bold">restore</emphasis> is performed after
           <replaceable>timeout</replaceable> seconds.</para>
 
-          <para>Begining with Shorewall 4.5.0, the numeric
+          <para>Beginning with Shorewall 4.5.0, the numeric
           <replaceable>timeout</replaceable> may optionally be followed by an
           <option>s</option>, <option>m</option> or <option>h</option> suffix
           (e.g., 5m) to specify seconds, minutes or hours respectively. If the

Shorewall6-lite/Makefile

@@ -12,7 +12,7 @@ $(VARDIR)/${RESTOREFILE}: $(VARDIR)/firewall
 	then \
 	    /sbin/shorewall6-lite -q save >/dev/null; \
 	else \
-	    /sbin/shorewall6-lite -q restart 2>&1 | tail >&2; \
+	    /sbin/shorewall6-lite -q restart 2>&1 | tail >&2; exit 1; \
 	fi
 
 # EOF

Shorewall6/Makefile

@@ -2,6 +2,7 @@
 VARDIR=$(shell /sbin/shorewall6 show vardir)
 CONFDIR=/etc/shorewall6
 RESTOREFILE?=firewall
+
 all: $(VARDIR)/${RESTOREFILE}
 
 $(VARDIR)/${RESTOREFILE}: $(CONFDIR)/*
@@ -11,11 +12,12 @@ $(VARDIR)/${RESTOREFILE}: $(CONFDIR)/*
 	then \
 	    /sbin/shorewall6 -q save >/dev/null; \
 	else \
-	    /sbin/shorewall6 -q restart 2>&1 | tail >&2; \
+	    /sbin/shorewall6 -q restart 2>&1 | tail >&2; exit 1; \
 	fi
 
 clean:
 	@rm -f $(CONFDIR)/*~ $(CONFDIR)/.*~
+
 .PHONY: clean
 
 # EOF

Shorewall6/configfiles/isusable

@@ -8,13 +8,15 @@
 #
 #	The script is invoked inside a function that accepts an interface
 #	name as a single argument. The file below is designed to work with
-#	both swping and lsm as described at http://www.shorewall.net/MultiISP.html
+#	both swping and lsm as described at
+#	http://www.shorewall.net/MultiISP.html
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.
 #
 ###############################################################################
-local status=0
+local status
+status=0
 
 [ -f ${VARDIR}/${1}.status ] && status=$(cat ${VARDIR}/${1}.status)
 

Shorewall6/configfiles/tos

@@ -4,5 +4,5 @@
 # For information about entries in this file, type "man shorewall6-tos"
 #
 ###############################################################################
-#SOURCE		DEST		PROTOCOL	SOURCE	DEST	TOS	MARK
+#SOURCE		DEST		PROTOCOL	DEST	SOURCE	TOS	MARK
 #						PORTS	PORTS

Shorewall6/manpages/shorewall6-accounting.xml

@@ -75,12 +75,9 @@
 
     <itemizedlist>
       <listitem>
-        <para>A jump to a user-defined accounting chain before entries that
+        <para>A jump to a user-defined accounting chain must appear before
-        add rules to that chain.</para>
+        entries that add rules to that chain. This eliminates loops and
-      </listitem>
+        unreferenced chains.</para>
-
-      <listitem>
-        <para>This eliminates loops and unreferenced chains.</para>
       </listitem>
 
       <listitem>

Shorewall6/manpages/shorewall6-tcrules.xml

@@ -399,6 +399,77 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
     AF42 =&gt; 0x24
     AF43 =&gt; 0x26
     EF   =&gt; 0x2e</programlisting>
+
+              <para>May be optionally followed by ':' and a capital letter
+              designating the chain where classification is to occur.</para>
+
+              <variablelist>
+                <varlistentry>
+                  <term>F</term>
+
+                  <listitem>
+                    <para>FORWARD chain.</para>
+                  </listitem>
+                </varlistentry>
+
+                <varlistentry>
+                  <term>T</term>
+
+                  <listitem>
+                    <para>POSTROUTING chain (default).</para>
+                  </listitem>
+                </varlistentry>
+              </variablelist>
+            </listitem>
+
+            <listitem>
+              <para><emphasis
+              role="bold">TOS</emphasis>(<replaceable>tos</replaceable>[/<replaceable>mask</replaceable>])</para>
+
+              <para>Added in Shorewall 4.5.1. Sets the <firstterm>Type of
+              Service</firstterm> field in the IP header. The
+              <replaceable>tos</replaceable> value may be given as an number
+              (hex or decimal) or as the name of a TOS type. Valid type names
+              and their associated hex numeric values are:</para>
+
+              <programlisting>Minimize-Delay       =&gt; 0x10,
+Maximize-Throughput  =&gt; 0x08,
+Maximize-Reliability =&gt; 0x04,
+Minimize-Cost        =&gt; 0x02,
+Normal-Service       =&gt; 0x00</programlisting>
+
+              <para>When <replaceable>tos</replaceable> is given as a number,
+              it may be optionally followed by '/' and a
+              <replaceable>mask</replaceable>. When no
+              <replaceable>mask</replaceable> is given, the value 0xff is
+              assumed. When <replaceable>tos</replaceable> is given as a type
+              name, the <replaceable>mask</replaceable> 0x3f is
+              assumed.</para>
+
+              <para>The action performed is to zero out the bits specified by
+              the <replaceable>mask</replaceable>, then set the bits specified
+              by <replaceable>tos</replaceable>.</para>
+
+              <para>May be optionally followed by ':' and a capital letter
+              designating the chain where classification is to occur.</para>
+
+              <variablelist>
+                <varlistentry>
+                  <term>F</term>
+
+                  <listitem>
+                    <para>FORWARD chain.</para>
+                  </listitem>
+                </varlistentry>
+
+                <varlistentry>
+                  <term>T</term>
+
+                  <listitem>
+                    <para>POSTROUTING chain (default).</para>
+                  </listitem>
+                </varlistentry>
+              </variablelist>
             </listitem>
           </orderedlist>
         </listitem>

Shorewall6/manpages/shorewall6-tos.xml

@@ -23,7 +23,10 @@
   <refsect1>
     <title>Description</title>
 
-    <para>This file defines rules for setting Type Of Service (TOS)</para>
+    <para>This file defines rules for setting Type Of Service (TOS). Its use
+    is deprecated, beginning in Shorewall 4.5.1, in favor of the TOS target in
+    <ulink url="shorewall6-tcrules.html">shorewall6-tcrules</ulink>
+    (5).</para>
 
     <para>The columns in the file are as follows.</para>
 

Shorewall6/manpages/shorewall6.xml

@@ -1108,7 +1108,7 @@
           directory is given, then Shorewall6 will look in that directory
           first when opening configuration files.</para>
 
-          <para>Begining with Shorewall 4.5.0, you may specify a different
+          <para>Beginning with Shorewall 4.5.0, you may specify a different
           <replaceable>timeout</replaceable> value using the
           <option>-t</option> option. The numeric
           <replaceable>timeout</replaceable> may optionally be followed by an
@@ -1130,7 +1130,7 @@
           Shorewall6 will look in that directory first when opening
           configuration files.</para>
 
-          <para>Begining with Shorewall 4.5.0, you may specify a different
+          <para>Beginning with Shorewall 4.5.0, you may specify a different
           <replaceable>timeout</replaceable> value using the
           <option>-t</option> option. The numeric
           <replaceable>timeout</replaceable> may optionally be followed by an
@@ -1422,7 +1422,7 @@
           role="bold">restore</emphasis> is performed after
           <replaceable>timeout</replaceable> seconds.</para>
 
-          <para>Begining with Shorewall 4.5.0, the numeric
+          <para>Beginning with Shorewall 4.5.0, the numeric
           <replaceable>timeout</replaceable> may optionally be followed by an
           <option>s</option>, <option>m</option> or <option>h</option> suffix
           (e.g., 5m) to specify seconds, minutes or hours respectively. If the

docs/FAQ.xml

@@ -247,7 +247,7 @@ DNAT    net:<emphasis>address</emphasis>   loc:<emphasis>local-IP-address</empha
         <itemizedlist>
           <listitem>
             <para>You are trying to test from inside your firewall (no, that
-            won't work -- see <xref linkend="faq2" />).</para>
+            won't work -- see <xref linkend="faq2"/>).</para>
           </listitem>
 
           <listitem>
@@ -2837,7 +2837,7 @@ Shorewall has detected the following iptables/netfilter capabilities:
    Persistent SNAT: Available
 gateway:~# </programlisting>
 
-      <para></para>
+      <para/>
     </section>
 
     <section id="faq19">
@@ -2982,5 +2982,53 @@ EXT_IF:192.168.1.1	     	0.0.0.0/0		192.168.1.254
         examples, macros, etc. easier.</para>
       </section>
     </section>
+
+    <section id="faq98">
+      <title>(FAQ 98) How do I Unsubscribe from the Mailing List</title>
+
+      <para><emphasis role="bold">Answer</emphasis>: There are two
+      ways:</para>
+
+      <orderedlist>
+        <listitem>
+          <para>On the web</para>
+
+          <para>Go to <ulink
+          url="https://lists.sourceforge.net/lists/listinfo/shorewall-users">https://lists.sourceforge.net/lists/listinfo/shorewall-users</ulink>.
+          At the bottom of the form is a section entitled "<emphasis
+          role="bold">Shorewall-users Subscribers</emphasis>". At the bottom
+          of that section find:</para>
+
+          <blockquote>
+            <para>"To <emphasis role="bold">unsubscribe</emphasis> from
+            Shorewall-users, get a password reminder, or change your
+            subscription options <emphasis role="bold">enter your subscription
+            email address</emphasis>:".</para>
+          </blockquote>
+
+          <para>Enter your email address in the box provided and click on the
+          "<emphasis role="bold"><ulink url="???">Unsubscribe or edit
+          options</ulink></emphasis>" button. That will take you to a second
+          form.</para>
+
+          <para>At the top of the second form is a box to <emphasis
+          role="bold">enter your password</emphasis> -- enter it there then
+          click the <emphasis role="bold">Unsubscribe</emphasis> button in the
+          center of the form. You will be unsubscribed.</para>
+
+          <para>If you <emphasis role="bold">don't remember your
+          password</emphasis>, click on the <emphasis
+          role="bold">Remind</emphasis> button at the bottom of the form and
+          your password will be emailed to you.</para>
+        </listitem>
+
+        <listitem>
+          <para>Via email using this link: <ulink
+          url="mailto:shorewall-users-request@lists.sourceforge.net?subject=unsubscribe">mailto:shorewall-users-request@lists.sourceforge.net?subject=unsubscribe</ulink>.
+          You will receive a confirmation email shortly; follow the
+          instructions in that email.</para>
+        </listitem>
+      </orderedlist>
+    </section>
   </section>
 </article>

docs/MultiISP.xml

@@ -117,7 +117,7 @@
           ISP.</para>
         </footnote> as in the following diagram.</para>
 
-      <graphic align="center" fileref="images/TwoISPs.png" valign="middle" />
+      <graphic align="center" fileref="images/TwoISPs.png" valign="middle"/>
 
       <itemizedlist>
         <listitem>
@@ -1578,8 +1578,11 @@ DOWN_COUNT=2</programlisting>
 return $status</programlisting></para>
 
         <para>The above script is installed in <filename
-        class="directory">/etc/shorewall</filename>, beginning with Shorewall
+        class="directory">/etc/shorewall</filename> in Shorewall releases
-        4.3.11.</para>
+        4.3.11 - 4.5.0. Beginning with Shorewall 4.5.1, it is no longer
+        installed in <filename class="directory">/etc/shorewall</filename>,
+        but may be copied there from <filename
+        class="directory">/usr/share/shorewall/configfiles</filename>.</para>
 
         <para>Also included is a sample init script
         (<filename>swping.init</filename>) to start the monitoring daemon.
@@ -2088,7 +2091,7 @@ exit 0
       on ursa that I will describe here</emphasis>.</para>
 
       <para>Below is a diagram of our network:<graphic align="center"
-      fileref="images/Network2008a.png" /></para>
+      fileref="images/Network2008a.png"/></para>
 
       <para>The local wired network in my office is connected to both gateways
       and uses the private (RFC 1918) network 172.20.1.0/24. The Comcast
@@ -2242,7 +2245,7 @@ wlan0                   192.168.0.0/24</programlisting><note>
 
     <para>The network is pictured in the following diagram:</para>
 
-    <graphic align="center" fileref="images/Network2009.png" />
+    <graphic align="center" fileref="images/Network2009.png"/>
 
     <para>Because of the speed of the cable provider, all traffic uses that
     provider unless there is a specific need for the traffic to use the DSL

docs/ReleaseModel.xml

@@ -32,6 +32,8 @@
 
       <year>2010</year>
 
+      <year>2012</year>
+
       <holder>Thomas M. Eastep</holder>
     </copyright>
 
@@ -52,81 +54,64 @@
     <orderedlist>
       <listitem>
         <para>Releases have a three-level identification
-        <firstterm>x.y.z</firstterm> (e.g., 2.0.3).</para>
+        <firstterm>x.y.z</firstterm> (e.g., 4.5.0).</para>
       </listitem>
 
       <listitem>
         <para>The first two levels (<emphasis>x.y</emphasis>) designate the
-        <firstterm>Major Release Number</firstterm> (e.g., 2.0).</para>
+        <firstterm>major release number</firstterm> (e.g., 4.5).</para>
       </listitem>
 
       <listitem>
-        <para>The third level (<emphasis>z</emphasis>) designates the
+        <para>The third level (<emphasis>y</emphasis>) designates the
-        <firstterm>Minor Release Number</firstterm>.</para>
+        <firstterm>minor release Number</firstterm>.</para>
       </listitem>
 
       <listitem>
-        <para>Even numbered major releases (e.g., 1.4, 2.0, 2.2, ...) are
+        <para>Installing a new minor release involves no migration issues
-        <firstterm>Stable Releases</firstterm>. No major new features are
+        unless you want to take advantage of an enhancement. For example, if
-        added to stable releases and new minor releases of a stable release
+        you are running 4.5.0 and I release 4.5.1, your current configuration
-        will only contain bug fixes and simple low-risk enhancements.
+        is 100% compatible with the new release.</para>
-        Installing a new minor release for the major release that you are
+      </listitem>
-        currently running involves no migration issues unless you want to take
+
-        advantage of an enhancement (for example, if you are running 1.4.10
+      <listitem>
-        and I release 1.4.11, your current configuration is 100% compatible
+        <para>A major release may have migration issues. These are listed in
-        with the new release).</para>
+        the release notes and on the <ulink url="upgrade_issues.htm">upgrade
+        issues page</ulink>.</para>
       </listitem>
 
       <listitem>
         <para>Support is available through the <ulink
         url="http://sourceforge.net/mail/?group_id=22587">Mailing List</ulink>
-        for the two or three most recent Stable Releases. Three releases are
+        for the two most recent Major Releases. Fixes will only be provided
-        supported when the Shorewall release in the Stable Debian distribution
+        for the last minor release in the previous Major Release. For example,
-        is two releases behind the current Shorewall development. In that
+        only 4.5.0 was released, the only fixes for major issues with 4.4.27
-        case, only the minor release in Stable is supported.</para>
+        would be released for the 4.4 series.</para>
       </listitem>
 
       <listitem>
-        <para>Odd numbered major releases (e.g., 2.1, 2.3, ...) are
+        <para>Once a minor release has been announced, work begins on the next
-        <firstterm>Development Releases</firstterm>. Development releases are
+        minor release. Periodic Beta releases are made available through
-        where new functionality is introduced. Documentation for new features
+        announcements on the Shorewall Development and Shorewall User mailing
-        will be available but it may not be up to the standards of the stable
+        lists. Those Beta releases are numberd w.x.y-Beta1, ...Beta2, etc.
-        release documentation. Sites running Development Releases should be
+        Support for the Beta releases is offered through the Shorewall
-        prepared to play an active role in testing new features. Bug fixes and
+        Development mailing list in the form of emailed patches. There is no
-        problem resolution for the development release take a back seat to
+        guarantee of compatability between one Beta release and the next as
-        support of the stable releases. Problem reports for the current
+        features are tweaked.</para>
-        development release should be sent to the <ulink
-        url="mailto:shorewall-devel@lists.shorewall.net">Shorewall Development
-        Mailing List</ulink>.</para>
       </listitem>
 
       <listitem>
-        <para>When the level of functionality of the current development
+        <para>When the next minor release is functionally complete, one or
-        release is judged adequate, the <firstterm>Beta period</firstterm> for
+        more <firstterm>release candidates</firstterm> are announced on the
-        a new Stable release will begin. Beta releases have identifications of
+        Shorewall Development and Shorewall User mailing lists. These release
-        the form <emphasis>x.y.0-BetaN</emphasis> where
+        candidates are numbered w.x.y-RC1, ...-RC2, etc.</para>
-        <emphasis>x.y</emphasis> is the number of the next Stable Release and
-        <emphasis>N</emphasis>=1,2,3... . Betas are expected to occur roughly
-        once per year. Beta releases may contain new functionality not present
-        in the previous beta release (e.g., 2.2.0-Beta4 may contain
-        functionality not present in 2.2.0-Beta3). When I'm confident that the
-        current Beta release is stable, I will release the first
-        <firstterm>Release Candidate</firstterm>. Release candidates have
-        identifications of the form <emphasis>x.y.0-RCn</emphasis> where
-        <emphasis>x.y</emphasis> is the number of the next Stable Release and
-        <emphasis>n</emphasis>=1,2,3... . Release candidates contain no new
-        functionality -- they only contain bug fixes. When the stability of
-        the current release candidate is judged to be sufficient then that
-        release candidate will be released as the new stable release (e.g.,
-        2.2.0). At that time, the new stable release and the prior stable
-        release are those that are supported.</para>
       </listitem>
 
       <listitem>
         <para>What does it mean for a major release to be
-        <firstterm>supported</firstterm>? It means that I will answer
+        <firstterm>supported</firstterm>? It means that that if a bug is
-        questions about the release and that if a bug is found, I will fix the
+        found, we will fix the bug and include the fix in the next minor
-        bug and include the fix in the next minor release.</para>
+        release.</para>
       </listitem>
 
       <listitem>
@@ -135,16 +120,8 @@
         four-level identification <emphasis>x.y.z.N</emphasis> where x.y.z is
         the minor release being fixed and N = 1.2.3...</para>
       </listitem>
-
-      <listitem>
-        <para>Additionally, bug fixes may be made available in the form of a
-        <firstterm>patch release</firstterm>. Patch releases have four-level
-        identifications (e.g., 4.0.6.1); the first three identify the minor
-        release and the fourth identifies the patch level.</para>
-      </listitem>
     </orderedlist>
 
-    <para>The currently-supported major releases are and 4.0.10., 4.2.x. and
+    <para>The currently-supported major releases are 4.4 and 4.5.</para>
-    4.4.x.</para>
   </section>
 </article>

docs/configuration_file_basics.xml

@@ -190,9 +190,9 @@
         </listitem>
 
         <listitem>
-          <para><filename>/etc/shorewall/rtrules</filename> - Defines
+          <para><filename>/etc/shorewall/rtrules</filename> - Defines routing
-          routing rules to be used in conjunction with the routing tables
+          rules to be used in conjunction with the routing tables defined in
-          defined in <filename>/etc/shorewall/providers</filename>.</para>
+          <filename>/etc/shorewall/providers</filename>.</para>
         </listitem>
 
         <listitem>
@@ -1287,6 +1287,11 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting
         <para><ulink url="Macros.html">Macro</ulink> files</para>
       </listitem>
 
+      <listitem>
+        <para><ulink
+        url="manpages/shorewall-nat.html">shorewall-nat</ulink>(5)</para>
+      </listitem>
+
       <listitem>
         <para><ulink
         url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5)</para>
@@ -1324,8 +1329,88 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting
     </itemizedlist>
 
     <para>For optional interfaces, if the interface is not usable at the time
-    that the firewall starts the all-zero address will be used (0.0.0.0 in
+    that the firewall starts, one of two approaches are taken, depending on
-    IPv4 and :: in IPv6), resulting in no packets matching the rule.</para>
+    the context:</para>
+
+    <itemizedlist>
+      <listitem>
+        <para>the all-zero address will be used (0.0.0.0 in IPv4 and :: in
+        IPv6), resulting in no packets matching the rule (or all packets if
+        used with exclusion).</para>
+      </listitem>
+
+      <listitem>
+        <para>the entire rule is omitted from the ruleset.</para>
+      </listitem>
+    </itemizedlist>
+
+    <para>Beginning with Shorewall 4.5.1, <firstterm>Run-time Gateway
+    Variables</firstterm> in the form of a percent sign ('%') followed by a
+    logical interface name are also supported. These are expanded at run-time
+    to the gateway through the named interface. For optional interfaces, if
+    the interface is not usable at the time that the firewall starts, the nil
+    address will be used (0.0.0.0 in IPv4 and :: in IPv6), resulting in no
+    packets matching the rule. Run-time gateway variables may be used in the
+    SOURCE and DEST columns of the following configuration files:</para>
+
+    <itemizedlist>
+      <listitem>
+        <para><ulink
+        url="manapges/shorewall-accounting.html">shorewall-accounting</ulink>
+        (5)</para>
+      </listitem>
+
+      <listitem>
+        <para><ulink url="Actions.html">Action</ulink> files</para>
+      </listitem>
+
+      <listitem>
+        <para><ulink
+        url="manpages/shorewall-accounting.html">shorewall-blacklist</ulink>
+        (5)</para>
+      </listitem>
+
+      <listitem>
+        <para><ulink url="Macros.html">Macro</ulink> files</para>
+      </listitem>
+
+      <listitem>
+        <para><ulink
+        url="manpages/shorewall-nat.html">shorewall-nat</ulink>(5) (As a
+        qualifier to the INTERFACE).</para>
+      </listitem>
+
+      <listitem>
+        <para><ulink
+        url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5)</para>
+      </listitem>
+
+      <listitem>
+        <para><ulink
+        url="manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>
+        (5)</para>
+      </listitem>
+
+      <listitem>
+        <para><ulink url="manpages/shorewall-tos.html">shorewall-tos</ulink>
+        (5)</para>
+      </listitem>
+    </itemizedlist>
+
+    <variablelist>
+      <varlistentry>
+        <term>Example:</term>
+
+        <listitem>
+          <para><emphasis role="bold">%eth0</emphasis> would represent the IP
+          address of the gateway out of eth0.</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+
+    <para>If there is no gateway out of the named interface, the nil IP
+    address is used (0.0.0.0 in IPv4 and :: in IPv6). That way, the generated
+    rule will match no packets (or all packets if used with exclusion).</para>
 
     <para>Beginning with Shorewall 4.4.27, you may also use options in <ulink
     url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5) (e.g.,
@@ -1333,7 +1418,7 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting
 
     <note>
       <para>When an option is set to 'No' in shorewall.conf, the corresponding
-      shell variable is will be empty.</para>
+      shell variable will be empty.</para>
     </note>
 
     <note>
@@ -1353,7 +1438,9 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting
     richer and more flexible extension capability.</para>
 
     <para>While inline scripts may be written in either Shell or Perl, those
-    written in Perl have a lot more power.</para>
+    written in Perl have a lot more power. They may be used in all
+    configuration files except <filename>/etc/shorewall/params</filename> and
+    <filename>/etc/shorewall/shorewall.conf</filename>.</para>
 
     <para>Embedded scripts can be either single-line or multi-line. Single
     line scripts take one of the following forms:</para>

docs/support.xml

@@ -85,7 +85,7 @@
     problem reporting process. It will ensure that you provide us with the
     information we need to solve your problem as quickly as possible.</para>
 
-    <graphic align="center" fileref="images/Troubleshoot.png" />
+    <graphic align="center" fileref="images/Troubleshoot.png"/>
 
     <orderedlist>
       <important>
@@ -203,7 +203,7 @@
         message produced by Shorewall is "done.":</para>
 
         <blockquote>
-          <para></para>
+          <para/>
 
           <programlisting>…
 Activating Rules...
@@ -457,9 +457,7 @@ State:Stopped (Thu Mar 30 14:08:11 PDT 2006)</programlisting>
   <section id="Unsubscribe">
     <title>Unsubscribing from Shorewall Mailing Lists</title>
 
-    <para>If you are really dim-witted enough to have to ask -- you
+    <para>See <ulink url="FAQ.htm#faq98">Shorewall FAQ 98</ulink>.</para>
-    unsubscribe at the same place that you subscribed. <emphasis
-    role="bold">Doh.......</emphasis></para>
   </section>
 
   <section id="Other">

docs/upgrade_issues.xml

@@ -79,13 +79,18 @@
   <section>
     <title>Versions &gt;= 4.5.0</title>
 
-    <para/>
-
     <orderedlist>
+      <listitem>
+        <para>Shorewall, Shorewall6, Shorewall-lite and Shorewall6-lite now
+        depend on the new package Shorewall-core. If you use the Shorewall
+        installers, you must install Shorewall-core prior to installing or
+        upgrading any of the other packages.</para>
+      </listitem>
+
       <listitem>
         <para>The BLACKLIST section of the rules file has been eliminated. If
         you have entries in that file section, you must move them to the
-        blrules file. </para>
+        blrules file.</para>
       </listitem>
 
       <listitem>
@@ -97,7 +102,7 @@
 
           <member>Fedora: perl-Digest-SHA1</member>
 
-          <member>OpenSuSE: perl-Digest-SHA1 </member>
+          <member>OpenSuSE: perl-Digest-SHA1</member>
         </simplelist>
       </listitem>