Remove extra logic

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Samples/one-interface/rules

@@ -10,13 +10,9 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall-rules"
-######################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
+#############################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
-#SECTION ALL
-#SECTION ESTABLISHED
-#SECTION RELATED
-SECTION NEW
 
 # Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
 

Samples/one-interface/shorewall.conf

@@ -29,180 +29,182 @@ STARTUP_ENABLED=No
 VERBOSITY=1
 
 ###############################################################################
-#		                L O G G I N G
+#			       L O G G I N G
 ###############################################################################
 
-BLACKLIST_LOGLEVEL=
+LOGFILE=/var/log/messages
 
-LOG_MARTIANS=Yes
+STARTUP_LOG=/var/log/shorewall-init.log
 
 LOG_VERBOSITY=2
 
-LOGALLNEW=
-
-LOGFILE=/var/log/messages
-
 LOGFORMAT="Shorewall:%s:%s:"
 
 LOGTAGONLY=No
 
-LOGLIMIT=
+LOGRATE=
+
+LOGBURST=
+
+LOGALLNEW=
+
+BLACKLIST_LOGLEVEL=
 
 MACLIST_LOG_LEVEL=info
 
-RELATED_LOG_LEVEL=
-
-SFILTER_LOG_LEVEL=info
+TCP_FLAGS_LOG_LEVEL=info
 
 SMURF_LOG_LEVEL=info
 
-STARTUP_LOG=/var/log/shorewall-init.log
-
-TCP_FLAGS_LOG_LEVEL=info
+LOG_MARTIANS=Yes
 
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
 
-CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
-
 IPTABLES=
 
 IP=
 
+TC=
+
 IPSET=
 
-MODULESDIR=
-
-PERL=/usr/bin/perl
-
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
-RESTOREFILE=restore
-
 SHOREWALL_SHELL=/bin/sh
 
 SUBSYSLOCK=
 
-TC=
+MODULESDIR=
+
+CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
+
+RESTOREFILE=
+
+IPSECFILE=zones
+
+LOCKFILE=
 
 ###############################################################################
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
 
-ACCEPT_DEFAULT="none"
 DROP_DEFAULT="Drop"
-NFQUEUE_DEFAULT="none"
-QUEUE_DEFAULT="none"
 REJECT_DEFAULT="Reject"
+ACCEPT_DEFAULT="none"
+QUEUE_DEFAULT="none"
+NFQUEUE_DEFAULT="none"
 
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
 ###############################################################################
 
-RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 RSH_COMMAND='ssh ${root}@${system} ${command}'
+RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 
 ###############################################################################
 #			F I R E W A L L	  O P T I O N S
 ###############################################################################
 
-ACCOUNTING=Yes
-
-ACCOUNTING_TABLE=filter
+IP_FORWARDING=Off
 
 ADD_IP_ALIASES=No
 
 ADD_SNAT_ALIASES=No
 
-ADMINISABSENTMINDED=Yes
-
-AUTO_COMMENT=Yes
-
-AUTOMAKE=No
-
-BLACKLISTNEWONLY=Yes
-
-CLAMPMSS=No
-
-CLEAR_TC=Yes
-
-COMPLETE=No
-
-DISABLE_IPV6=No
-
-DELETE_THEN_ADD=Yes
-
-DETECT_DNAT_IPADDRS=No
-
-DONT_LOAD=
-
-DYNAMIC_BLACKLIST=Yes
-
-EXPAND_POLICIES=Yes
-
-EXPORTMODULES=Yes
-
-FASTACCEPT=No
-
-FORWARD_CLEAR_MARK=
-
-IMPLICIT_CONTINUE=No
-
-IP_FORWARDING=Off
-
-KEEP_RT_TABLES=No
-
-LOAD_HELPERS_ONLY=Yes
-
-LEGACY_FASTSTART=No
-
-MACLIST_TABLE=filter
-
-MACLIST_TTL=
-
-MANGLE_ENABLED=Yes
-
-MAPOLDACTIONS=No
-
-MARK_IN_FORWARD_CHAIN=No
-
-MODULE_SUFFIX=ko
-
-MULTICAST=No
-
-MUTEX_TIMEOUT=60
-
-NULL_ROUTE_RFC1918=No
-
-OPTIMIZE=1
-
-OPTIMIZE_ACCOUNTING=No
-
-REQUIRE_INTERFACE=No
-
-RESTORE_DEFAULT_ROUTE=Yes
-
 RETAIN_ALIASES=No
 
-ROUTE_FILTER=No
-
-SAVE_IPSETS=No
-
 TC_ENABLED=Internal
 
 TC_EXPERT=No
 
 TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
 
-TRACK_PROVIDERS=Yes
+CLEAR_TC=Yes
+
+MARK_IN_FORWARD_CHAIN=No
+
+CLAMPMSS=No
+
+ROUTE_FILTER=No
+
+DETECT_DNAT_IPADDRS=No
+
+MUTEX_TIMEOUT=60
+
+ADMINISABSENTMINDED=Yes
+
+BLACKLISTNEWONLY=Yes
+
+DELAYBLACKLISTLOAD=No
+
+MODULE_SUFFIX=ko
+
+DISABLE_IPV6=No
+
+BRIDGING=No
+
+DYNAMIC_ZONES=No
+
+PKTTYPE=Yes
+
+NULL_ROUTE_RFC1918=No
+
+MACLIST_TABLE=filter
+
+MACLIST_TTL=
+
+SAVE_IPSETS=No
+
+MAPOLDACTIONS=No
+
+FASTACCEPT=No
+
+IMPLICIT_CONTINUE=No
+
+HIGH_ROUTE_MARKS=No
+
+USE_ACTIONS=Yes
+
+OPTIMIZE=1
+
+EXPORTPARAMS=No
+
+EXPAND_POLICIES=Yes
+
+KEEP_RT_TABLES=No
+
+DELETE_THEN_ADD=Yes
+
+MULTICAST=No
+
+DONT_LOAD=
+
+AUTO_COMMENT=Yes
+
+MANGLE_ENABLED=Yes
 
 USE_DEFAULT_RT=No
 
-USE_PHYSICAL_NAMES=No
+RESTORE_DEFAULT_ROUTE=Yes
+
+AUTOMAKE=No
+
+WIDE_TC_MARKS=Yes
+
+TRACK_PROVIDERS=Yes
 
 ZONE2ZONE=2
 
+ACCOUNTING=Yes
+
+DYNAMIC_BLACKLIST=Yes
+
+OPTIMIZE_ACCOUNTING=No
+
+LOAD_HELPERS_ONLY=Yes
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
@@ -211,33 +213,6 @@ BLACKLIST_DISPOSITION=DROP
 
 MACLIST_DISPOSITION=REJECT
 
-RELATED_DISPOSITION=ACCEPT
-
-SMURF_DISPOSITION=DROP
-
-SFILTER_DISPOSITION=DROP
-
 TCP_FLAGS_DISPOSITION=DROP
 
-################################################################################
-#			P A C K E T  M A R K  L A Y O U T
-################################################################################
-
-TC_BITS=
-
-PROVIDER_BITS=
-
-PROVIDER_OFFSET=
-
-MASK_BITS=
-
-ZONE_BITS=0
-
-################################################################################
-#                            L E G A C Y  O P T I O N
-#                      D O  N O T  D E L E T E  O R  A L T E R
-################################################################################
-
-IPSECFILE=zones
-
 #LAST LINE -- DO NOT REMOVE

Samples/three-interfaces/rules

@@ -10,17 +10,9 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-rules"
-######################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
+#############################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
-#SECTION ALL
-#SECTION ESTABLISHED
-#SECTION RELATED
-SECTION NEW
-
-#       Don't allow connection pickup from the net
-#
-Invalid(DROP)	net		all
 #
 #	Accept DNS connections from the firewall to the Internet
 #

Samples/three-interfaces/shorewall.conf

@@ -3,7 +3,6 @@
 # Shorewall version 4.0 - Sample shorewall.conf for three-interface
 #                         configuration.
 # Copyright (C) 2006 by the Shorewall Team
-#               2011 by Thomas M. Eastep
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -18,6 +17,9 @@
 # http://shorewall.net/manpages/shorewall.conf.html
 #
 ###############################################################################
+#		       S T A R T U P   E N A B L E D
+###############################################################################
+
 STARTUP_ENABLED=No
 
 ###############################################################################
@@ -27,180 +29,182 @@ STARTUP_ENABLED=No
 VERBOSITY=1
 
 ###############################################################################
-#		                L O G G I N G
+#			       L O G G I N G
 ###############################################################################
 
-BLACKLIST_LOGLEVEL=
+LOGFILE=/var/log/messages
 
-LOG_MARTIANS=Yes
+STARTUP_LOG=/var/log/shorewall-init.log
 
 LOG_VERBOSITY=2
 
-LOGALLNEW=
-
-LOGFILE=/var/log/messages
-
 LOGFORMAT="Shorewall:%s:%s:"
 
 LOGTAGONLY=No
 
-LOGLIMIT=
+LOGRATE=
+
+LOGBURST=
+
+LOGALLNEW=
+
+BLACKLIST_LOGLEVEL=
 
 MACLIST_LOG_LEVEL=info
 
-RELATED_LOG_LEVEL=
-
-SFILTER_LOG_LEVEL=info
+TCP_FLAGS_LOG_LEVEL=info
 
 SMURF_LOG_LEVEL=info
 
-STARTUP_LOG=/var/log/shorewall-init.log
-
-TCP_FLAGS_LOG_LEVEL=info
+LOG_MARTIANS=Yes
 
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
 
-CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
-
 IPTABLES=
 
 IP=
 
+TC=
+
 IPSET=
 
-MODULESDIR=
-
-PERL=/usr/bin/perl
-
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
-RESTOREFILE=restore
-
 SHOREWALL_SHELL=/bin/sh
 
 SUBSYSLOCK=
 
-TC=
+MODULESDIR=
+
+CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
+
+RESTOREFILE=
+
+IPSECFILE=zones
+
+LOCKFILE=
 
 ###############################################################################
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
 
-ACCEPT_DEFAULT="none"
 DROP_DEFAULT="Drop"
-NFQUEUE_DEFAULT="none"
-QUEUE_DEFAULT="none"
 REJECT_DEFAULT="Reject"
+ACCEPT_DEFAULT="none"
+QUEUE_DEFAULT="none"
+NFQUEUE_DEFAULT="none"
 
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
 ###############################################################################
 
-RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 RSH_COMMAND='ssh ${root}@${system} ${command}'
+RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 
 ###############################################################################
 #			F I R E W A L L	  O P T I O N S
 ###############################################################################
 
-ACCOUNTING=Yes
-
-ACCOUNTING_TABLE=filter
+IP_FORWARDING=On
 
 ADD_IP_ALIASES=No
 
 ADD_SNAT_ALIASES=No
 
-ADMINISABSENTMINDED=Yes
-
-AUTO_COMMENT=Yes
-
-AUTOMAKE=No
-
-BLACKLISTNEWONLY=Yes
-
-CLAMPMSS=Yes
-
-CLEAR_TC=Yes
-
-COMPLETE=No
-
-DISABLE_IPV6=No
-
-DELETE_THEN_ADD=Yes
-
-DETECT_DNAT_IPADDRS=No
-
-DONT_LOAD=
-
-DYNAMIC_BLACKLIST=Yes
-
-EXPAND_POLICIES=Yes
-
-EXPORTMODULES=Yes
-
-FASTACCEPT=No
-
-FORWARD_CLEAR_MARK=
-
-IMPLICIT_CONTINUE=No
-
-IP_FORWARDING=On
-
-KEEP_RT_TABLES=No
-
-LOAD_HELPERS_ONLY=Yes
-
-LEGACY_FASTSTART=No
-
-MACLIST_TABLE=filter
-
-MACLIST_TTL=
-
-MANGLE_ENABLED=Yes
-
-MAPOLDACTIONS=No
-
-MARK_IN_FORWARD_CHAIN=No
-
-MODULE_SUFFIX=ko
-
-MULTICAST=No
-
-MUTEX_TIMEOUT=60
-
-NULL_ROUTE_RFC1918=No
-
-OPTIMIZE=1
-
-OPTIMIZE_ACCOUNTING=No
-
-REQUIRE_INTERFACE=No
-
-RESTORE_DEFAULT_ROUTE=Yes
-
 RETAIN_ALIASES=No
 
-ROUTE_FILTER=No
-
-SAVE_IPSETS=No
-
 TC_ENABLED=Internal
 
 TC_EXPERT=No
 
 TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
 
-TRACK_PROVIDERS=Yes
+CLEAR_TC=Yes
+
+MARK_IN_FORWARD_CHAIN=No
+
+CLAMPMSS=Yes
+
+ROUTE_FILTER=No
+
+DETECT_DNAT_IPADDRS=No
+
+MUTEX_TIMEOUT=60
+
+ADMINISABSENTMINDED=Yes
+
+BLACKLISTNEWONLY=Yes
+
+DELAYBLACKLISTLOAD=No
+
+MODULE_SUFFIX=ko
+
+DISABLE_IPV6=No
+
+BRIDGING=No
+
+DYNAMIC_ZONES=No
+
+PKTTYPE=Yes
+
+NULL_ROUTE_RFC1918=No
+
+MACLIST_TABLE=filter
+
+MACLIST_TTL=
+
+SAVE_IPSETS=No
+
+MAPOLDACTIONS=No
+
+FASTACCEPT=No
+
+IMPLICIT_CONTINUE=No
+
+HIGH_ROUTE_MARKS=No
+
+USE_ACTIONS=Yes
+
+OPTIMIZE=1
+
+EXPORTPARAMS=No
+
+EXPAND_POLICIES=Yes
+
+KEEP_RT_TABLES=No
+
+DELETE_THEN_ADD=Yes
+
+MULTICAST=No
+
+DONT_LOAD=
+
+AUTO_COMMENT=Yes
+
+MANGLE_ENABLED=Yes
 
 USE_DEFAULT_RT=No
 
-USE_PHYSICAL_NAMES=No
+RESTORE_DEFAULT_ROUTE=Yes
+
+AUTOMAKE=No
+
+WIDE_TC_MARKS=Yes
+
+TRACK_PROVIDERS=Yes
 
 ZONE2ZONE=2
 
+ACCOUNTING=Yes
+
+DYNAMIC_BLACKLIST=Yes
+
+OPTIMIZE_ACCOUNTING=No
+
+LOAD_HELPERS_ONLY=Yes
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
@@ -209,33 +213,6 @@ BLACKLIST_DISPOSITION=DROP
 
 MACLIST_DISPOSITION=REJECT
 
-RELATED_DISPOSITION=ACCEPT
-
-SMURF_DISPOSITION=DROP
-
-SFILTER_DISPOSITION=DROP
-
 TCP_FLAGS_DISPOSITION=DROP
 
-################################################################################
-#			P A C K E T  M A R K  L A Y O U T
-################################################################################
-
-TC_BITS=
-
-PROVIDER_BITS=
-
-PROVIDER_OFFSET=
-
-MASK_BITS=
-
-ZONE_BITS=0
-
-################################################################################
-#                            L E G A C Y  O P T I O N
-#                      D O  N O T  D E L E T E  O R  A L T E R
-################################################################################
-
-IPSECFILE=zones
-
 #LAST LINE -- DO NOT REMOVE

Samples/two-interfaces/rules

@@ -10,17 +10,9 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-rules"
-######################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
+#############################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
-#SECTION ALL
-#SECTION ESTABLISHED
-#SECTION RELATED
-SECTION NEW
-
-#       Don't allow connection pickup from the net
-#
-Invalid(DROP)	net		all
 #
 #	Accept DNS connections from the firewall to the network
 #

Samples/two-interfaces/shorewall.conf

@@ -3,7 +3,6 @@
 # Shorewall version 4.0 - Sample shorewall.conf for two-interface
 #                         configuration.
 # Copyright (C) 2006,2007 by the Shorewall Team
-#               2011 by Thomas M. Eastep            
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -30,180 +29,189 @@ STARTUP_ENABLED=No
 VERBOSITY=1
 
 ###############################################################################
-#		                L O G G I N G
+#                              C O M P I L E R
+#      (setting this to 'perl' requires installation of Shorewall-perl)
 ###############################################################################
 
-BLACKLIST_LOGLEVEL=
+SHOREWALL_COMPILER=
 
-LOG_MARTIANS=Yes
-
-LOG_VERBOSITY=2
-
-LOGALLNEW=
+###############################################################################
+#			       L O G G I N G
+###############################################################################
 
 LOGFILE=/var/log/messages
 
+STARTUP_LOG=/var/log/shorewall-init.log
+
+LOG_VERBOSITY=2
+
 LOGFORMAT="Shorewall:%s:%s:"
 
 LOGTAGONLY=No
 
-LOGLIMIT=
+LOGRATE=
+
+LOGBURST=
+
+LOGALLNEW=
+
+BLACKLIST_LOGLEVEL=
 
 MACLIST_LOG_LEVEL=info
 
-RELATED_LOG_LEVEL=
-
-SFILTER_LOG_LEVEL=info
+TCP_FLAGS_LOG_LEVEL=info
 
 SMURF_LOG_LEVEL=info
 
-STARTUP_LOG=/var/log/shorewall-init.log
-
-TCP_FLAGS_LOG_LEVEL=info
+LOG_MARTIANS=Yes
 
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
 
-CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
-
 IPTABLES=
 
 IP=
 
+TC=
+
 IPSET=
 
-MODULESDIR=
-
-PERL=/usr/bin/perl
-
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
-RESTOREFILE=restore
-
 SHOREWALL_SHELL=/bin/sh
 
 SUBSYSLOCK=
 
-TC=
+MODULESDIR=
+
+CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
+
+RESTOREFILE=
+
+IPSECFILE=zones
+
+LOCKFILE=
 
 ###############################################################################
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
 
-ACCEPT_DEFAULT="none"
 DROP_DEFAULT="Drop"
-NFQUEUE_DEFAULT="none"
-QUEUE_DEFAULT="none"
 REJECT_DEFAULT="Reject"
+ACCEPT_DEFAULT="none"
+QUEUE_DEFAULT="none"
+NFQUEUE_DEFAULT="none"
 
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
 ###############################################################################
 
-RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 RSH_COMMAND='ssh ${root}@${system} ${command}'
+RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 
 ###############################################################################
 #			F I R E W A L L	  O P T I O N S
 ###############################################################################
 
-ACCOUNTING=Yes
-
-ACCOUNTING_TABLE=filter
+IP_FORWARDING=On
 
 ADD_IP_ALIASES=No
 
 ADD_SNAT_ALIASES=No
 
-ADMINISABSENTMINDED=Yes
-
-AUTO_COMMENT=Yes
-
-AUTOMAKE=No
-
-BLACKLISTNEWONLY=Yes
-
-CLAMPMSS=Yes
-
-CLEAR_TC=Yes
-
-COMPLETE=No
-
-DISABLE_IPV6=No
-
-DELETE_THEN_ADD=Yes
-
-DETECT_DNAT_IPADDRS=No
-
-DONT_LOAD=
-
-DYNAMIC_BLACKLIST=Yes
-
-EXPAND_POLICIES=Yes
-
-EXPORTMODULES=Yes
-
-FASTACCEPT=No
-
-FORWARD_CLEAR_MARK=
-
-IMPLICIT_CONTINUE=No
-
-IP_FORWARDING=On
-
-KEEP_RT_TABLES=No
-
-LOAD_HELPERS_ONLY=Yes
-
-LEGACY_FASTSTART=No
-
-MACLIST_TABLE=filter
-
-MACLIST_TTL=
-
-MANGLE_ENABLED=Yes
-
-MAPOLDACTIONS=No
-
-MARK_IN_FORWARD_CHAIN=No
-
-MODULE_SUFFIX=ko
-
-MULTICAST=No
-
-MUTEX_TIMEOUT=60
-
-NULL_ROUTE_RFC1918=No
-
-OPTIMIZE=1
-
-OPTIMIZE_ACCOUNTING=No
-
-REQUIRE_INTERFACE=No
-
-RESTORE_DEFAULT_ROUTE=Yes
-
 RETAIN_ALIASES=No
 
-ROUTE_FILTER=No
-
-SAVE_IPSETS=No
-
 TC_ENABLED=Internal
 
 TC_EXPERT=No
 
 TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
 
-TRACK_PROVIDERS=Yes
+CLEAR_TC=Yes
+
+MARK_IN_FORWARD_CHAIN=No
+
+CLAMPMSS=Yes
+
+ROUTE_FILTER=No
+
+DETECT_DNAT_IPADDRS=No
+
+MUTEX_TIMEOUT=60
+
+ADMINISABSENTMINDED=Yes
+
+BLACKLISTNEWONLY=Yes
+
+DELAYBLACKLISTLOAD=No
+
+MODULE_SUFFIX=ko
+
+DISABLE_IPV6=No
+
+BRIDGING=No
+
+DYNAMIC_ZONES=No
+
+PKTTYPE=Yes
+
+NULL_ROUTE_RFC1918=No
+
+MACLIST_TABLE=filter
+
+MACLIST_TTL=
+
+SAVE_IPSETS=No
+
+MAPOLDACTIONS=No
+
+FASTACCEPT=No
+
+IMPLICIT_CONTINUE=No
+
+HIGH_ROUTE_MARKS=No
+
+USE_ACTIONS=Yes
+
+OPTIMIZE=1
+
+EXPORTPARAMS=No
+
+EXPAND_POLICIES=Yes
+
+KEEP_RT_TABLES=No
+
+DELETE_THEN_ADD=Yes
+
+MULTICAST=No
+
+DONT_LOAD=
+
+AUTO_COMMENT=Yes
+
+MANGLE_ENABLED=Yes
 
 USE_DEFAULT_RT=No
 
-USE_PHYSICAL_NAMES=No
+RESTORE_DEFAULT_ROUTE=Yes
+
+AUTOMAKE=No
+
+WIDE_TC_MARKS=Yes
+
+TRACK_PROVIDERS=Yes
 
 ZONE2ZONE=2
 
+ACCOUNTING=Yes
+
+DYNAMIC_BLACKLIST=Yes
+
+OPTIMIZE_ACCOUNTING=No
+
+LOAD_HELPERS_ONLY=Yes
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
@@ -212,33 +220,6 @@ BLACKLIST_DISPOSITION=DROP
 
 MACLIST_DISPOSITION=REJECT
 
-RELATED_DISPOSITION=ACCEPT
-
-SMURF_DISPOSITION=DROP
-
-SFILTER_DISPOSITION=DROP
-
 TCP_FLAGS_DISPOSITION=DROP
 
-################################################################################
-#			P A C K E T  M A R K  L A Y O U T
-################################################################################
-
-TC_BITS=
-
-PROVIDER_BITS=
-
-PROVIDER_OFFSET=
-
-MASK_BITS=
-
-ZONE_BITS=0
-
-################################################################################
-#                            L E G A C Y  O P T I O N
-#                      D O  N O T  D E L E T E  O R  A L T E R
-################################################################################
-
-IPSECFILE=zones
-
 #LAST LINE -- DO NOT REMOVE

Samples6/one-interface/rules

@@ -10,13 +10,9 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall6-rules"
-###########################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH
+#############################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
-#SECTION ALL
-#SECTION ESTABLISHED
-#SECTION RELATED
-SECTION NEW
 
 # Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
 

Samples6/one-interface/shorewall6.conf

@@ -1,11 +1,19 @@
 ###############################################################################
 #
-#  Shorewall Version 4 -- /etc/shorewall6/shorewall6.conf
+# Shorewall6 version 4 - Sample shorewall.conf for one-interface configuration.
+# Copyright (C) 2006,2008 by the Shorewall Team
 #
-#  For information about the settings in this file, type "man shorewall6.conf"
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
 #
-#  Manpage also online at
-#  http://www.shorewall.net/manpages6/shorewall6.conf.html
+# See the file README.txt for further details.
+#
+# For information about the settings in this file, type "man shorewall6.conf"
+#
+# The manpage is also online at 
+# http://shorewall.net/manpages6/shorewall6.conf.html
 ###############################################################################
 #		       S T A R T U P   E N A B L E D
 ###############################################################################
@@ -22,179 +30,135 @@ VERBOSITY=1
 #			       L O G G I N G
 ###############################################################################
 
-BLACKLIST_LOGLEVEL=
-
-LOG_VERBOSITY=2
-
-LOGALLNEW=
-
-LOGFILE=
-
-LOGFORMAT="Shorewall:%s:%s:"
-
-LOGLIMIT=
-
-LOGTAGONLY=No
-
-MACLIST_LOG_LEVEL=info
-
-RELATED_LOG_LEVEL=
-
-SFILTER_LOG_LEVEL=info
-
-SMURF_LOG_LEVEL=info
+LOGFILE=/var/log/messages
 
 STARTUP_LOG=/var/log/shorewall6-init.log
 
+LOG_VERBOSITY=2
+
+LOGFORMAT="Shorewall:%s:%s:"
+
+LOGTAGONLY=No
+
+LOGRATE=
+
+LOGBURST=
+
+LOGALLNEW=
+
+BLACKLIST_LOGLEVEL=
+
 TCP_FLAGS_LOG_LEVEL=info
 
+SMURF_LOG_LEVEL=info
+
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
 
-CONFIG_PATH=/etc/shorewall6:/usr/share/shorewall6:/usr/share/shorewall
-
 IP6TABLES=
 
-IP=
-
-IPSET=
-
-MODULESDIR=
-
-PERL=/usr/bin/perl
-
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
-RESTOREFILE=
-
 SHOREWALL_SHELL=/bin/sh
 
 SUBSYSLOCK=
 
-TC=
+MODULESDIR=
+
+CONFIG_PATH=/etc/shorewall6:/usr/share/shorewall6:/usr/share/shorewall
+
+RESTOREFILE=
+
+LOCKFILE=
 
 ###############################################################################
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
 
-ACCEPT_DEFAULT="none"
 DROP_DEFAULT="Drop"
-NFQUEUE_DEFAULT="none"
-QUEUE_DEFAULT="none"
 REJECT_DEFAULT="Reject"
+ACCEPT_DEFAULT="none"
+QUEUE_DEFAULT="none"
+NFQUEUE_DEFAULT="none"
 
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
 ###############################################################################
 
-RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 RSH_COMMAND='ssh ${root}@${system} ${command}'
+RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 
 ###############################################################################
 #			F I R E W A L L	  O P T I O N S
 ###############################################################################
 
-ACCOUNTING=Yes
-
-ACCOUNTING_TABLE=filter
-
-ADMINISABSENTMINDED=Yes
-
-AUTO_COMMENT=Yes
-
-AUTOMAKE=No
-
-BLACKLISTNEWONLY=Yes
-
-CLAMPMSS=No
-
-CLEAR_TC=Yes
-
-COMPLETE=No
-
-DELETE_THEN_ADD=Yes
-
-DONT_LOAD=
-
-DYNAMIC_BLACKLIST=Yes
-
-EXPAND_POLICIES=No
-
-EXPORTMODULES=Yes
-
-FASTACCEPT=No
-
-FORWARD_CLEAR_MARK=
-
-IMPLICIT_CONTINUE=No
-
 IP_FORWARDING=Off
 
-KEEP_RT_TABLES=Yes
-
-LEGACY_FASTSTART=No
-
-LOAD_HELPERS_ONLY=Yes
-
-MACLIST_TABLE=filter
-
-MACLIST_TTL=
-
-MANGLE_ENABLED=Yes
-
-MARK_IN_FORWARD_CHAIN=No
-
-MODULE_SUFFIX=ko
-
-MUTEX_TIMEOUT=60
-
-OPTIMIZE=1
-
-OPTIMIZE_ACCOUNTING=No
-
-REQUIRE_INTERFACE=No
-
 TC_ENABLED=No
 
 TC_EXPERT=No
 
 TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
 
+CLEAR_TC=Yes
+
+MARK_IN_FORWARD_CHAIN=No
+
+CLAMPMSS=No
+
+MUTEX_TIMEOUT=60
+
+ADMINISABSENTMINDED=Yes
+
+BLACKLISTNEWONLY=Yes
+
+MODULE_SUFFIX=ko
+
+FASTACCEPT=No
+
+IMPLICIT_CONTINUE=No
+
+HIGH_ROUTE_MARKS=No
+
+OPTIMIZE=1
+
+EXPORTPARAMS=No
+
+EXPAND_POLICIES=No
+
+KEEP_RT_TABLES=Yes
+
+DELETE_THEN_ADD=Yes
+
+DONT_LOAD=
+
+AUTO_COMMENT=Yes
+
+MANGLE_ENABLED=Yes
+
+AUTOMAKE=No
+
+WIDE_TC_MARKS=Yes
+
 TRACK_PROVIDERS=Yes
 
-USE_DEFAULT_RT=No
-
-USE_PHYSICAL_NAMES=No
-
 ZONE2ZONE=2
 
-###############################################################################
+ACCOUNTING=Yes
+
+DYNAMIC_BLACKLIST=Yes
+
+OPTIMIZE_ACCOUNTING=No
+
+LOAD_HELPERS_ONLY=Yes
+
+##############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
 
 BLACKLIST_DISPOSITION=DROP
 
-MACLIST_DISPOSITION=REJECT
-
-RELATED_DISPOSITION=ACCEPT
-
-SFILTER_DISPOSITION=DROP
-
-SMURF_DISPOSITION=DROP
-
 TCP_FLAGS_DISPOSITION=DROP
 
-################################################################################
-#			P A C K E T  M A R K  L A Y O U T
-################################################################################
-
-TC_BITS=
-
-PROVIDER_BITS=
-
-PROVIDER_OFFSET=
-
-MASK_BITS=
-
-ZONE_BITS=0
+#LAST LINE -- DO NOT REMOVE

Samples6/three-interfaces/rules

@@ -10,17 +10,9 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall6-rules"
-###########################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH
+#############################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
-#SECTION ALL
-#SECTION ESTABLISHED
-#SECTION RELATED
-SECTION NEW
-
-#       Don't allow connection pickup from the net
-#
-Invalid(DROP)	net		all
 #
 #	Accept DNS connections from the firewall to the Internet
 #

Samples6/three-interfaces/shorewall6.conf

@@ -1,16 +1,24 @@
 ###############################################################################
 #
-#  Shorewall Version 4 -- /etc/shorewall6/shorewall6.conf
+# Shorewall6 version 4 - Sample shorewall.conf for one-interface configuration.
+# Copyright (C) 2006,2008 by the Shorewall Team
 #
-#  For information about the settings in this file, type "man shorewall6.conf"
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
 #
-#  Manpage also online at
-#  http://www.shorewall.net/manpages6/shorewall6.conf.html
+# See the file README.txt for further details.
+#
+# For information about the settings in this file, type "man shorewall6.conf"
+#
+# The manpage is also online at 
+# http://shorewall.net/manpages6/shorewall6.conf.html
 ###############################################################################
 #		       S T A R T U P   E N A B L E D
 ###############################################################################
 
-STARTUP_ENABLED=Yes
+STARTUP_ENABLED=No
 
 ###############################################################################
 #		              V E R B O S I T Y
@@ -22,138 +30,70 @@ VERBOSITY=1
 #			       L O G G I N G
 ###############################################################################
 
-BLACKLIST_LOGLEVEL=
-
-LOG_VERBOSITY=2
-
-LOGALLNEW=
-
-LOGFILE=
-
-LOGFORMAT="Shorewall:%s:%s:"
-
-LOGLIMIT=
-
-LOGTAGONLY=No
-
-MACLIST_LOG_LEVEL=info
-
-RELATED_LOG_LEVEL=
-
-SFILTER_LOG_LEVEL=info
-
-SMURF_LOG_LEVEL=info
+LOGFILE=/var/log/messages
 
 STARTUP_LOG=/var/log/shorewall6-init.log
 
+LOG_VERBOSITY=2
+
+LOGFORMAT="Shorewall:%s:%s:"
+
+LOGTAGONLY=No
+
+LOGRATE=
+
+LOGBURST=
+
+LOGALLNEW=
+
+BLACKLIST_LOGLEVEL=
+
 TCP_FLAGS_LOG_LEVEL=info
 
+SMURF_LOG_LEVEL=info
+
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
 
-CONFIG_PATH=/etc/shorewall6:/usr/share/shorewall6:/usr/share/shorewall
-
 IP6TABLES=
 
-IP=
-
-IPSET=
-
-MODULESDIR=
-
-PERL=/usr/bin/perl
-
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
-RESTOREFILE=
-
 SHOREWALL_SHELL=/bin/sh
 
 SUBSYSLOCK=
 
-TC=
+MODULESDIR=
+
+CONFIG_PATH=/etc/shorewall6/:/usr/share/shorewall6:/usr/share/shorewall
+
+RESTOREFILE=
+
+LOCKFILE=
 
 ###############################################################################
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
 
-ACCEPT_DEFAULT="none"
 DROP_DEFAULT="Drop"
-NFQUEUE_DEFAULT="none"
-QUEUE_DEFAULT="none"
 REJECT_DEFAULT="Reject"
+ACCEPT_DEFAULT="none"
+QUEUE_DEFAULT="none"
+NFQUEUE_DEFAULT="none"
 
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
 ###############################################################################
 
-RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 RSH_COMMAND='ssh ${root}@${system} ${command}'
+RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 
 ###############################################################################
 #			F I R E W A L L	  O P T I O N S
 ###############################################################################
 
-ACCOUNTING=Yes
-
-ACCOUNTING_TABLE=filter
-
-ADMINISABSENTMINDED=Yes
-
-AUTO_COMMENT=Yes
-
-AUTOMAKE=No
-
-BLACKLISTNEWONLY=Yes
-
-CLAMPMSS=No
-
-CLEAR_TC=Yes
-
-COMPLETE=Yes
-
-DELETE_THEN_ADD=Yes
-
-DONT_LOAD=
-
-DYNAMIC_BLACKLIST=Yes
-
-EXPAND_POLICIES=Yes
-
-EXPORTMODULES=Yes
-
-FASTACCEPT=Yes
-
-FORWARD_CLEAR_MARK=
-
-IMPLICIT_CONTINUE=No
-
-IP_FORWARDING=Off
-
-KEEP_RT_TABLES=Yes
-
-LEGACY_FASTSTART=No
-
-LOAD_HELPERS_ONLY=Yes
-
-MACLIST_TABLE=filter
-
-MACLIST_TTL=
-
-MANGLE_ENABLED=Yes
-
-MARK_IN_FORWARD_CHAIN=No
-
-MODULE_SUFFIX=ko
-
-MUTEX_TIMEOUT=60
-
-OPTIMIZE=15
-
-OPTIMIZE_ACCOUNTING=No
-
-REQUIRE_INTERFACE=Yes
+IP_FORWARDING=On
 
 TC_ENABLED=No
 
@@ -161,40 +101,64 @@ TC_EXPERT=No
 
 TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
 
+CLEAR_TC=Yes
+
+MARK_IN_FORWARD_CHAIN=No
+
+CLAMPMSS=No
+
+MUTEX_TIMEOUT=60
+
+ADMINISABSENTMINDED=Yes
+
+BLACKLISTNEWONLY=Yes
+
+MODULE_SUFFIX=ko
+
+FASTACCEPT=No
+
+IMPLICIT_CONTINUE=No
+
+HIGH_ROUTE_MARKS=No
+
+OPTIMIZE=1
+
+EXPORTPARAMS=No
+
+EXPAND_POLICIES=Yes
+
+KEEP_RT_TABLES=Yes
+
+DELETE_THEN_ADD=Yes
+
+DONT_LOAD=
+
+AUTO_COMMENT=Yes
+
+MANGLE_ENABLED=Yes
+
+AUTOMAKE=No
+
+WIDE_TC_MARKS=Yes
+
 TRACK_PROVIDERS=Yes
 
-USE_DEFAULT_RT=No
-
-USE_PHYSICAL_NAMES=No
-
 ZONE2ZONE=2
 
+ACCOUNTING=Yes
+
+DYNAMIC_BLACKLIST=Yes
+
+OPTIMIZE_ACCOUNTING=No
+
+LOAD_HELPERS_ONLY=Yes
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
 
 BLACKLIST_DISPOSITION=DROP
 
-MACLIST_DISPOSITION=REJECT
-
-RELATED_DISPOSITION=ACCEPT
-
-SFILTER_DISPOSITION=DROP
-
-SMURF_DISPOSITION=DROP
-
 TCP_FLAGS_DISPOSITION=DROP
 
-################################################################################
-#			P A C K E T  M A R K  L A Y O U T
-################################################################################
-
-TC_BITS=
-
-PROVIDER_BITS=
-
-PROVIDER_OFFSET=
-
-MASK_BITS=
-
-ZONE_BITS=0
+#LAST LINE -- DO NOT REMOVE

Samples6/three-interfaces/zones

@@ -15,6 +15,6 @@
 #ZONE	TYPE	OPTIONS			IN			OUT
 #					OPTIONS			OPTIONS
 fw	firewall
-net	ipv6
-loc	ipv6
-dmz	ipv6
+net	ipv4
+loc	ipv4
+dmz	ipv4

Samples6/two-interfaces/rules

@@ -10,17 +10,9 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall6-rules"
-###########################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH
+#############################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
-#SECTION ALL
-#SECTION ESTABLISHED
-#SECTION RELATED
-SECTION NEW
-
-#       Don't allow connection pickup from the net
-#
-Invalid(DROP)	net		all
 #
 #	Accept DNS connections from the firewall to the network
 #

Samples6/two-interfaces/shorewall6.conf

@@ -1,11 +1,19 @@
 ###############################################################################
 #
-#  Shorewall Version 4 -- /etc/shorewall6/shorewall6.conf
+# Shorewall version 3.4 - Sample shorewall.conf for one-interface configuration.
+# Copyright (C) 2006 by the Shorewall Team
 #
-#  For information about the settings in this file, type "man shorewall6.conf"
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
 #
-#  Manpage also online at
-#  http://www.shorewall.net/manpages6/shorewall6.conf.html
+# See the file README.txt for further details.
+#
+# For information about the settings in this file, type "man shorewall6.conf"
+#
+# The manpage is also online at 
+# http://shorewall.net/manpages6/shorewall6.conf.html
 ###############################################################################
 #		       S T A R T U P   E N A B L E D
 ###############################################################################
@@ -22,179 +30,135 @@ VERBOSITY=1
 #			       L O G G I N G
 ###############################################################################
 
-BLACKLIST_LOGLEVEL=
-
-LOG_VERBOSITY=2
-
-LOGALLNEW=
-
 LOGFILE=/var/log/messages
 
-LOGFORMAT="Shorewall:%s:%s:"
-
-LOGLIMIT=
-
-LOGTAGONLY=No
-
-MACLIST_LOG_LEVEL=info
-
-RELATED_LOG_LEVEL=
-
-SFILTER_LOG_LEVEL=info
-
-SMURF_LOG_LEVEL=info
-
 STARTUP_LOG=/var/log/shorewall6-init.log
 
+LOG_VERBOSITY=2
+
+LOGFORMAT="Shorewall:%s:%s:"
+
+LOGTAGONLY=No
+
+LOGRATE=
+
+LOGBURST=
+
+LOGALLNEW=
+
+BLACKLIST_LOGLEVEL=
+
 TCP_FLAGS_LOG_LEVEL=info
 
+SMURF_LOG_LEVEL=info
+
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
 
-CONFIG_PATH=/etc/shorewall6:/usr/share/shorewall6:/usr/share/shorewall
-
 IP6TABLES=
 
-IP=
-
-IPSET=
-
-MODULESDIR=
-
-PERL=/usr/bin/perl
-
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
-RESTOREFILE=
-
 SHOREWALL_SHELL=/bin/sh
 
 SUBSYSLOCK=
 
-TC=
+MODULESDIR=
+
+CONFIG_PATH=/etc/shorewall6/:/usr/share/shorewall6:/usr/share/shorewall/
+
+RESTOREFILE=
+
+LOCKFILE=
 
 ###############################################################################
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
 
-ACCEPT_DEFAULT="none"
 DROP_DEFAULT="Drop"
-NFQUEUE_DEFAULT="none"
-QUEUE_DEFAULT="none"
 REJECT_DEFAULT="Reject"
+ACCEPT_DEFAULT="none"
+QUEUE_DEFAULT="none"
+NFQUEUE_DEFAULT="none"
 
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
 ###############################################################################
 
-RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 RSH_COMMAND='ssh ${root}@${system} ${command}'
+RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 
 ###############################################################################
 #			F I R E W A L L	  O P T I O N S
 ###############################################################################
 
-ACCOUNTING=Yes
-
-ACCOUNTING_TABLE=filter
-
-ADMINISABSENTMINDED=Yes
-
-AUTO_COMMENT=Yes
-
-AUTOMAKE=No
-
-BLACKLISTNEWONLY=Yes
-
-CLAMPMSS=No
-
-CLEAR_TC=Yes
-
-COMPLETE=No
-
-DELETE_THEN_ADD=Yes
-
-DONT_LOAD=
-
-DYNAMIC_BLACKLIST=Yes
-
-EXPAND_POLICIES=No
-
-EXPORTMODULES=Yes
-
-FASTACCEPT=No
-
-FORWARD_CLEAR_MARK=
-
-IMPLICIT_CONTINUE=No
-
 IP_FORWARDING=On
 
-KEEP_RT_TABLES=Yes
-
-LEGACY_FASTSTART=No
-
-LOAD_HELPERS_ONLY=Yes
-
-MACLIST_TABLE=filter
-
-MACLIST_TTL=
-
-MANGLE_ENABLED=Yes
-
-MARK_IN_FORWARD_CHAIN=No
-
-MODULE_SUFFIX=ko
-
-MUTEX_TIMEOUT=60
-
-OPTIMIZE=1
-
-OPTIMIZE_ACCOUNTING=No
-
-REQUIRE_INTERFACE=No
-
 TC_ENABLED=No
 
 TC_EXPERT=No
 
 TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
 
+CLEAR_TC=Yes
+
+MARK_IN_FORWARD_CHAIN=No
+
+CLAMPMSS=No
+
+MUTEX_TIMEOUT=60
+
+ADMINISABSENTMINDED=Yes
+
+BLACKLISTNEWONLY=Yes
+
+MODULE_SUFFIX=ko
+
+FASTACCEPT=No
+
+IMPLICIT_CONTINUE=No
+
+HIGH_ROUTE_MARKS=No
+
+OPTIMIZE=1
+
+EXPORTPARAMS=No
+
+EXPAND_POLICIES=No
+
+KEEP_RT_TABLES=Yes
+
+DELETE_THEN_ADD=Yes
+
+DONT_LOAD=
+
+AUTO_COMMENT=Yes
+
+MANGLE_ENABLED=Yes
+
+AUTOMAKE=No
+
+WIDE_TC_MARKS=Yes
+
 TRACK_PROVIDERS=Yes
 
-USE_DEFAULT_RT=No
-
-USE_PHYSICAL_NAMES=No
-
 ZONE2ZONE=2
 
+ACCOUNTING=Yes
+
+DYNAMIC_BLACKLIST=Yes
+
+OPTIMIZE_ACCOUNTING=No
+
+LOAD_HELPERS_ONLY=Yes
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
 
 BLACKLIST_DISPOSITION=DROP
 
-MACLIST_DISPOSITION=REJECT
-
-RELATED_DISPOSITION=ACCEPT
-
-SFILTER_DISPOSITION=DROP
-
-SMURF_DISPOSITION=DROP
-
 TCP_FLAGS_DISPOSITION=DROP
 
-################################################################################
-#			P A C K E T  M A R K  L A Y O U T
-################################################################################
-
-TC_BITS=
-
-PROVIDER_BITS=
-
-PROVIDER_OFFSET=
-
-MASK_BITS=
-
-ZONE_BITS=0
+#LAST LINE -- DO NOT REMOVE

Shorewall-core/COPYING

@@ -1,341 +0,0 @@
-		    GNU GENERAL PUBLIC LICENSE
-		       Version 2, June 1991
-
- Copyright (C) 1989, 1991 Free Software Foundation, Inc.
-                          51 Franklin Street, Fifth Floor,
-			  Boston, MA 02110-1301 USA
- Everyone is permitted to copy and distribute verbatim copies
- of this license document, but changing it is not allowed.
-
-			    Preamble
-
-  The licenses for most software are designed to take away your
-freedom to share and change it.  By contrast, the GNU General Public
-License is intended to guarantee your freedom to share and change free
-software--to make sure the software is free for all its users.  This
-General Public License applies to most of the Free Software
-Foundation's software and to any other program whose authors commit to
-using it.  (Some other Free Software Foundation software is covered by
-the GNU Library General Public License instead.)  You can apply it to
-your programs, too.
-
-  When we speak of free software, we are referring to freedom, not
-price.  Our General Public Licenses are designed to make sure that you
-have the freedom to distribute copies of free software (and charge for
-this service if you wish), that you receive source code or can get it
-if you want it, that you can change the software or use pieces of it
-in new free programs; and that you know you can do these things.
-
-  To protect your rights, we need to make restrictions that forbid
-anyone to deny you these rights or to ask you to surrender the rights.
-These restrictions translate to certain responsibilities for you if you
-distribute copies of the software, or if you modify it.
-
-  For example, if you distribute copies of such a program, whether
-gratis or for a fee, you must give the recipients all the rights that
-you have.  You must make sure that they, too, receive or can get the
-source code.  And you must show them these terms so they know their
-rights.
-
-  We protect your rights with two steps: (1) copyright the software, and
-(2) offer you this license which gives you legal permission to copy,
-distribute and/or modify the software.
-
-  Also, for each author's protection and ours, we want to make certain
-that everyone understands that there is no warranty for this free
-software.  If the software is modified by someone else and passed on, we
-want its recipients to know that what they have is not the original, so
-that any problems introduced by others will not reflect on the original
-authors' reputations.
-
-  Finally, any free program is threatened constantly by software
-patents.  We wish to avoid the danger that redistributors of a free
-program will individually obtain patent licenses, in effect making the
-program proprietary.  To prevent this, we have made it clear that any
-patent must be licensed for everyone's free use or not licensed at all.
-
-  The precise terms and conditions for copying, distribution and
-modification follow.
-
-		    GNU GENERAL PUBLIC LICENSE
-   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
-
-  0. This License applies to any program or other work which contains
-a notice placed by the copyright holder saying it may be distributed
-under the terms of this General Public License.  The "Program", below,
-refers to any such program or work, and a "work based on the Program"
-means either the Program or any derivative work under copyright law:
-that is to say, a work containing the Program or a portion of it,
-either verbatim or with modifications and/or translated into another
-language.  (Hereinafter, translation is included without limitation in
-the term "modification".)  Each licensee is addressed as "you".
-
-Activities other than copying, distribution and modification are not
-covered by this License; they are outside its scope.  The act of
-running the Program is not restricted, and the output from the Program
-is covered only if its contents constitute a work based on the
-Program (independent of having been made by running the Program).
-Whether that is true depends on what the Program does.
-
-  1. You may copy and distribute verbatim copies of the Program's
-source code as you receive it, in any medium, provided that you
-conspicuously and appropriately publish on each copy an appropriate
-copyright notice and disclaimer of warranty; keep intact all the
-notices that refer to this License and to the absence of any warranty;
-and give any other recipients of the Program a copy of this License
-along with the Program.
-
-You may charge a fee for the physical act of transferring a copy, and
-you may at your option offer warranty protection in exchange for a fee.
-
-  2. You may modify your copy or copies of the Program or any portion
-of it, thus forming a work based on the Program, and copy and
-distribute such modifications or work under the terms of Section 1
-above, provided that you also meet all of these conditions:
-
-    a) You must cause the modified files to carry prominent notices
-    stating that you changed the files and the date of any change.
-
-    b) You must cause any work that you distribute or publish, that in
-    whole or in part contains or is derived from the Program or any
-    part thereof, to be licensed as a whole at no charge to all third
-    parties under the terms of this License.
-
-    c) If the modified program normally reads commands interactively
-    when run, you must cause it, when started running for such
-    interactive use in the most ordinary way, to print or display an
-    announcement including an appropriate copyright notice and a
-    notice that there is no warranty (or else, saying that you provide
-    a warranty) and that users may redistribute the program under
-    these conditions, and telling the user how to view a copy of this
-    License.  (Exception: if the Program itself is interactive but
-    does not normally print such an announcement, your work based on
-    the Program is not required to print an announcement.)
-
-These requirements apply to the modified work as a whole.  If
-identifiable sections of that work are not derived from the Program,
-and can be reasonably considered independent and separate works in
-themselves, then this License, and its terms, do not apply to those
-sections when you distribute them as separate works.  But when you
-distribute the same sections as part of a whole which is a work based
-on the Program, the distribution of the whole must be on the terms of
-this License, whose permissions for other licensees extend to the
-entire whole, and thus to each and every part regardless of who wrote it.
-
-Thus, it is not the intent of this section to claim rights or contest
-your rights to work written entirely by you; rather, the intent is to
-exercise the right to control the distribution of derivative or
-collective works based on the Program.
-
-In addition, mere aggregation of another work not based on the Program
-with the Program (or with a work based on the Program) on a volume of
-a storage or distribution medium does not bring the other work under
-the scope of this License.
-
-  3. You may copy and distribute the Program (or a work based on it,
-under Section 2) in object code or executable form under the terms of
-Sections 1 and 2 above provided that you also do one of the following:
-
-    a) Accompany it with the complete corresponding machine-readable
-    source code, which must be distributed under the terms of Sections
-    1 and 2 above on a medium customarily used for software interchange; or,
-
-    b) Accompany it with a written offer, valid for at least three
-    years, to give any third party, for a charge no more than your
-    cost of physically performing source distribution, a complete
-    machine-readable copy of the corresponding source code, to be
-    distributed under the terms of Sections 1 and 2 above on a medium
-    customarily used for software interchange; or,
-
-    c) Accompany it with the information you received as to the offer
-    to distribute corresponding source code.  (This alternative is
-    allowed only for noncommercial distribution and only if you
-    received the program in object code or executable form with such
-    an offer, in accord with Subsection b above.)
-
-The source code for a work means the preferred form of the work for
-making modifications to it.  For an executable work, complete source
-code means all the source code for all modules it contains, plus any
-associated interface definition files, plus the scripts used to
-control compilation and installation of the executable.  However, as a
-special exception, the source code distributed need not include
-anything that is normally distributed (in either source or binary
-form) with the major components (compiler, kernel, and so on) of the
-operating system on which the executable runs, unless that component
-itself accompanies the executable.
-
-If distribution of executable or object code is made by offering
-access to copy from a designated place, then offering equivalent
-access to copy the source code from the same place counts as
-distribution of the source code, even though third parties are not
-compelled to copy the source along with the object code.
-
-  4. You may not copy, modify, sublicense, or distribute the Program
-except as expressly provided under this License.  Any attempt
-otherwise to copy, modify, sublicense or distribute the Program is
-void, and will automatically terminate your rights under this License.
-However, parties who have received copies, or rights, from you under
-this License will not have their licenses terminated so long as such
-parties remain in full compliance.
-
-  5. You are not required to accept this License, since you have not
-signed it.  However, nothing else grants you permission to modify or
-distribute the Program or its derivative works.  These actions are
-prohibited by law if you do not accept this License.  Therefore, by
-modifying or distributing the Program (or any work based on the
-Program), you indicate your acceptance of this License to do so, and
-all its terms and conditions for copying, distributing or modifying
-the Program or works based on it.
-
-  6. Each time you redistribute the Program (or any work based on the
-Program), the recipient automatically receives a license from the
-original licensor to copy, distribute or modify the Program subject to
-these terms and conditions.  You may not impose any further
-restrictions on the recipients' exercise of the rights granted herein.
-You are not responsible for enforcing compliance by third parties to
-this License.
-
-  7. If, as a consequence of a court judgment or allegation of patent
-infringement or for any other reason (not limited to patent issues),
-conditions are imposed on you (whether by court order, agreement or
-otherwise) that contradict the conditions of this License, they do not
-excuse you from the conditions of this License.  If you cannot
-distribute so as to satisfy simultaneously your obligations under this
-License and any other pertinent obligations, then as a consequence you
-may not distribute the Program at all.  For example, if a patent
-license would not permit royalty-free redistribution of the Program by
-all those who receive copies directly or indirectly through you, then
-the only way you could satisfy both it and this License would be to
-refrain entirely from distribution of the Program.
-
-If any portion of this section is held invalid or unenforceable under
-any particular circumstance, the balance of the section is intended to
-apply and the section as a whole is intended to apply in other
-circumstances.
-
-It is not the purpose of this section to induce you to infringe any
-patents or other property right claims or to contest validity of any
-such claims; this section has the sole purpose of protecting the
-integrity of the free software distribution system, which is
-implemented by public license practices.  Many people have made
-generous contributions to the wide range of software distributed
-through that system in reliance on consistent application of that
-system; it is up to the author/donor to decide if he or she is willing
-to distribute software through any other system and a licensee cannot
-impose that choice.
-
-This section is intended to make thoroughly clear what is believed to
-be a consequence of the rest of this License.
-
-  8. If the distribution and/or use of the Program is restricted in
-certain countries either by patents or by copyrighted interfaces, the
-original copyright holder who places the Program under this License
-may add an explicit geographical distribution limitation excluding
-those countries, so that distribution is permitted only in or among
-countries not thus excluded.  In such case, this License incorporates
-the limitation as if written in the body of this License.
-
-  9. The Free Software Foundation may publish revised and/or new versions
-of the General Public License from time to time.  Such new versions will
-be similar in spirit to the present version, but may differ in detail to
-address new problems or concerns.
-
-Each version is given a distinguishing version number.  If the Program
-specifies a version number of this License which applies to it and "any
-later version", you have the option of following the terms and conditions
-either of that version or of any later version published by the Free
-Software Foundation.  If the Program does not specify a version number of
-this License, you may choose any version ever published by the Free Software
-Foundation.
-
-  10. If you wish to incorporate parts of the Program into other free
-programs whose distribution conditions are different, write to the author
-to ask for permission.  For software which is copyrighted by the Free
-Software Foundation, write to the Free Software Foundation; we sometimes
-make exceptions for this.  Our decision will be guided by the two goals
-of preserving the free status of all derivatives of our free software and
-of promoting the sharing and reuse of software generally.
-
-			    NO WARRANTY
-
-  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
-FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
-OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
-PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
-OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
-TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
-PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
-REPAIR OR CORRECTION.
-
-  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
-WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
-REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
-INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
-OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
-TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
-YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
-PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGES.
-
-		     END OF TERMS AND CONDITIONS
-
-	    How to Apply These Terms to Your New Programs
-
-  If you develop a new program, and you want it to be of the greatest
-possible use to the public, the best way to achieve this is to make it
-free software which everyone can redistribute and change under these terms.
-
-  To do so, attach the following notices to the program.  It is safest
-to attach them to the start of each source file to most effectively
-convey the exclusion of warranty; and each file should have at least
-the "copyright" line and a pointer to where the full notice is found.
-
-    <one line to give the program's name and a brief idea of what it does.>
-    Copyright (C) 19yy  <name of author>
-
-    This program is free software; you can redistribute it and/or modify
-    it under the terms of the GNU General Public License as published by
-    the Free Software Foundation; either version 2 of the License, or
-    (at your option) any later version.
-
-    This program is distributed in the hope that it will be useful,
-    but WITHOUT ANY WARRANTY; without even the implied warranty of
-    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-    GNU General Public License for more details.
-
-    You should have received a copy of the GNU General Public License
-    along with this program; if not, write to the Free Software
-    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
-
-
-Also add information on how to contact you by electronic and paper mail.
-
-If the program is interactive, make it output a short notice like this
-when it starts in an interactive mode:
-
-    Gnomovision version 69, Copyright (C) 19yy name of author
-    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
-    This is free software, and you are welcome to redistribute it
-    under certain conditions; type `show c' for details.
-
-The hypothetical commands `show w' and `show c' should show the appropriate
-parts of the General Public License.  Of course, the commands you use may
-be called something other than `show w' and `show c'; they could even be
-mouse-clicks or menu items--whatever suits your program.
-
-You should also get your employer (if you work as a programmer) or your
-school, if any, to sign a "copyright disclaimer" for the program, if
-necessary.  Here is a sample; alter the names:
-
-  Yoyodyne, Inc., hereby disclaims all copyright interest in the program
-  `Gnomovision' (which makes passes at compilers) written by James Hacker.
-
-  <signature of Ty Coon>, 1 April 1989
-  Ty Coon, President of Vice
-
-This General Public License does not permit incorporating your program into
-proprietary programs.  If your program is a subroutine library, you may
-consider it more useful to permit linking proprietary applications with the
-library.  If this is what you want to do, use the GNU Library General
-Public License instead of this License.

Shorewall-core/INSTALL

@@ -1,24 +0,0 @@
-Shoreline Firewall (Shorewall) Version 4
------         ----
-
------------------------------------------------------------------------------
-
-     This program is free software; you can redistribute it and/or modify
-     it under the terms of Version 2 of the GNU General Public License
-     as published by the Free Software Foundation.
-
-     This program is distributed in the hope that it will be useful,
-     but WITHOUT ANY WARRANTY; without even the implied warranty of
-     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-     GNU General Public License for more details.
-
-     You should have received a copy of the GNU General Public License
-     along with this program; if not, write to the Free Software
-     Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-
----------------------------------------------------------------------------
-
-Please see http://www.shorewall.net/Install.htm for installation
-instructions.
-
-

Shorewall-core/install.sh

@@ -1,301 +0,0 @@
-#!/bin/sh
-#
-# Script to install Shoreline Firewall Core Modules
-#
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2000-2011 - Tom Eastep (teastep@shorewall.net)
-#
-#       Shorewall documentation is available at http://shorewall.net
-#
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
-#
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
-#
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-
-VERSION=xxx #The Build script inserts the actual version
-
-usage() # $1 = exit status
-{
-    ME=$(basename $0)
-    echo "usage: $ME"
-    echo "       $ME -v"
-    echo "       $ME -h"
-    exit $1
-}
-
-split() {
-    local ifs
-    ifs=$IFS
-    IFS=:
-    set -- $1
-    echo $*
-    IFS=$ifs
-}
-
-qt()
-{
-    "$@" >/dev/null 2>&1
-}
-
-mywhich() {
-    local dir
-
-    for dir in $(split $PATH); do
-	if [ -x $dir/$1 ]; then
-	    echo $dir/$1
-	    return 0
-	fi
-    done
-
-    return 2
-}
-
-run_install()
-{
-    if ! install $*; then
-	echo
-	echo "ERROR: Failed to install $*" >&2
-	exit 1
-    fi
-}
-
-cant_autostart()
-{
-    echo
-    echo  "WARNING: Unable to configure shorewall to start automatically at boot" >&2
-}
-
-delete_file() # $1 = file to delete
-{
-    rm -f $1
-}
-
-install_file() # $1 = source $2 = target $3 = mode
-{
-    run_install $T $OWNERSHIP -m $3 $1 ${2}
-}
-
-cd "$(dirname $0)"
-
-#
-# Load packager's settings if any
-#
-[ -f ../shorewall-pkg.config ] && . ../shorewall-pkg.config
-
-[ -n "$DESTDIR" ] || DESTDIR="$PREFIX"
-
-#
-# Parse the run line
-#
-# ARGS is "yes" if we've already parsed an argument
-#
-T="-T"
-
-[ -n "${LIBEXEC:=/usr/share}" ]
-[ -n "${PERLLIB:=/usr/share/shorewall}" ]
-
-case "$LIBEXEC" in
-    /*)
-	;;
-    *)
-	echo "The LIBEXEC setting must be an absolute path name" >&2
-	exit 1
-	;;
-esac
-
-case "$PERLLIB" in
-    /*)
-	;;
-    *)
-	echo "The PERLLIB setting must be an absolute path name" >&2
-	exit 1
-	;;
-esac
-
-INSTALLD='-D'
-
-if [ -z "$BUILD" ]; then
-    case $(uname) in
-	cygwin*)
-	    BUILD=cygwin
-	    ;;
-	Darwin)
-	    BUILD=apple
-	    ;;
-	*)
-	    if [ -f /etc/debian_version ]; then
-		BUILD=debian
-	    elif [ -f /etc/redhat-release ]; then
-		BUILD=redhat
-	    elif [ -f /etc/slackware-version ] ; then
-		BUILD=slackware
-	    elif [ -f /etc/SuSE-release ]; then
-		BUILD=suse
-	    elif [ -f /etc/arch-release ] ; then
-		BUILD=archlinux
-	    else
-		BUILD=linux
-	    fi
-	    ;;
-    esac
-fi
-
-case $BUILD in
-    cygwin*)
-	if [ -z "$DESTDIR" ]; then
-	    DEST=
-	    INIT=
-	fi
-
-	OWNER=$(id -un)
-	GROUP=$(id -gn)
-	;;
-    apple)
-	if [ -z "$DESTDIR" ]; then
-	    DEST=
-	    INIT=
-	    SPARSE=Yes
-	fi
-
-	[ -z "$OWNER" ] && OWNER=root
-	[ -z "$GROUP" ] && GROUP=wheel
-	INSTALLD=
-	T=
-	;;
-    *)
-	[ -z "$OWNER" ] && OWNER=root
-	[ -z "$GROUP" ] && GROUP=root
-	;;
-esac
-
-OWNERSHIP="-o $OWNER -g $GROUP"
-
-finished=0
-
-while [ $finished -eq 0 ]; do
-    option=$1
-
-    case "$option" in
-	-*)
-	    option=${option#-}
-	    
-	    while [ -n "$option" ]; do
-		case $option in
-		    h)
-			usage 0
-			;;
-		    v)
-			echo "Shorewall Firewall Installer Version $VERSION"
-			exit 0
-			;;
-		    *)
-			usage 1
-			;;
-		esac
-	    done
-
-	    shift
-	    ;;
-	*)
-	    [ -n "$option" ] && usage 1
-	    finished=1
-	    ;;
-    esac
-done
-
-PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
-
-#
-# Determine where to install the firewall script
-#
-
-[ -n "$HOST" ] || HOST=$BUILD
-
-case "$HOST" in
-    cygwin)
-	echo "Installing Cygwin-specific configuration..."
-	;;
-    apple)
-	echo "Installing Mac-specific configuration...";
-	;;
-    debian|redhat|slackware|archlinux|linux|suse)
-	;;
-    *)
-	echo "ERROR: Unknown HOST \"$HOST\"" >&2
-	exit 1;
-	;;
-esac
-
-if [ -n "$DESTDIR" ]; then
-    if [ $BUILD != cygwin ]; then
-	if [ `id -u` != 0 ] ; then
-	    echo "Not setting file owner/group permissions, not running as root."
-	    OWNERSHIP=""
-	fi
-    fi
-fi
-
-#
-# Change to the directory containing this script
-#
-cd "$(dirname $0)"
-
-echo "Installing Shorewall Core Version $VERSION"
-
-#
-# Create /usr/share/shorewall
-#
-mkdir -p ${DESTDIR}${LIBEXEC}/shorewall
-chmod 755 ${DESTDIR}${LIBEXEC}/shorewall
-
-if [ $LIBEXEC != /usr/shorewall/ ]; then
-    mkdir -p ${DESTDIR}/usr/share/shorewall
-    chmod 755 ${DESTDIR}/usr/share/shorewall
-fi
-#
-# Install wait4ifup
-#
-install_file wait4ifup ${DESTDIR}${LIBEXEC}/shorewall/wait4ifup 0755
-
-echo
-echo "wait4ifup installed in ${DESTDIR}${LIBEXEC}/shorewall/wait4ifup"
-
-#
-# Install the libraries
-#
-for f in lib.* ; do
-    install_file $f ${DESTDIR}/usr/share/shorewall/$f 0644
-    echo "Library ${f#*.} file installed as ${DESTDIR}/usr/share/shorewall/$f"
-done
-
-if [ $BUILD != apple ]; then
-    eval sed -i \'s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/usr/share/shorewall/lib.cli
-    eval sed -i \'s\|g_perllib=.\*\|g_perllib=$PERLLIB\|\' ${DESTDIR}/usr/share/shorewall/lib.cli
-else
-    eval sed -i \'\' -e \'s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/usr/share/shorewall/lib.cli
-    eval sed -i \'\' -e \'s\|g_perllib=.\*\|g_perllib=$PERLLIB\|\' ${DESTDIR}/usr/share/shorewall/lib.cli
-fi
-
-#
-# Symbolically link 'functions' to lib.base
-#
-ln -sf lib.base ${DESTDIR}/usr/share/shorewall/functions
-#
-# Create the version file
-#
-echo "$VERSION" > ${DESTDIR}/usr/share/shorewall/coreversion
-chmod 644 ${DESTDIR}/usr/share/shorewall/coreversion
-#
-#  Report Success
-#
-echo "Shorewall Core Version $VERSION Installed"

Shorewall-core/uninstall.sh

@@ -1,84 +0,0 @@
-#!/bin/sh
-#
-# Script to back uninstall Shoreline Firewall
-#
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2000-2011 - Tom Eastep (teastep@shorewall.net)
-#
-#       Shorewall documentation is available at http://www.shorewall.net
-#
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
-#
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
-#
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-#    Usage:
-#
-#       You may only use this script to uninstall the version
-#       shown below. Simply run this script to remove Shorewall Firewall
-
-VERSION=xxx #The Build script inserts the actual version
-
-usage() # $1 = exit status
-{
-    ME=$(basename $0)
-    echo "usage: $ME"
-    exit $1
-}
-
-qt()
-{
-    "$@" >/dev/null 2>&1
-}
-
-restore_file() # $1 = file to restore
-{
-    if [ -f ${1}-shorewall.bkout ]; then
-	if (mv -f ${1}-shorewall.bkout $1); then
-	    echo
-	    echo "$1 restored"
-        else
-	    exit 1
-        fi
-    fi
-}
-
-remove_file() # $1 = file to restore
-{
-    if [ -f $1 -o -L $1 ] ; then
-	rm -f $1
-	echo "$1 Removed"
-    fi
-}
-
-if [ -f /usr/share/shorewall/coreversion ]; then
-    INSTALLED_VERSION="$(cat /usr/share/shorewall/coreversion)"
-    if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
-	echo "WARNING: Shorewall Core Version $INSTALLED_VERSION is installed"
-	echo "         and this is the $VERSION uninstaller."
-	VERSION="$INSTALLED_VERSION"
-    fi
-else
-    echo "WARNING: Shorewall Core Version $VERSION is not installed"
-    VERSION=""
-fi
-
-[ -n "${LIBEXEC:=/usr/share}" ]
-[ -n "${PERLLIB:=/usr/share/shorewall}" ]
-
-echo "Uninstalling Shorewall Core $VERSION"
-
-rm -rf /usr/share/shorewall
-
-echo "Shorewall Core Uninstalled"
-
-

Shorewall-init/COPYING

@@ -2,8 +2,7 @@
 		       Version 2, June 1991
 
  Copyright (C) 1989, 1991 Free Software Foundation, Inc.
-                          51 Franklin Street, Fifth Floor,
-			  Boston, MA 02110-1301 USA
+                       59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
  Everyone is permitted to copy and distribute verbatim copies
  of this license document, but changing it is not allowed.
 

Shorewall-init/ifupdown.sh

@@ -22,52 +22,6 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-Debian_SuSE_ppp() {
-    NEWPRODUCTS=
-    INTERFACE="$1"
-
-    case $0 in
-	/etc/ppp/ip-*)
-	    #
-	    # IPv4
-	    #
-	    for product in $PRODUCTS; do
-		case $product in
-		    shorewall|shorewall-lite)
-			NEWPRODUCTS="$NEWPRODUCTS $product";
-			;;
-		esac
-	    done
-	    ;;
-	/etc/ppp/ipv6-*)
-	    #
-	    # IPv6
-	    #
-	    for product in $PRODUCTS; do
-		case $product in
-		    shorewall6|shorewall6-lite)
-			NEWPRODUCTS="$NEWPRODUCTS $product";
-			;;
-		esac
-	    done
-	    ;;
-	*)
-	    exit 0
-	    ;;
-    esac
-
-    PRODUCTS="$NEWPRODUCTS"
-
-    case $0 in
-	*up/*)
-	    COMMAND=up
-	    ;;
-	*)
-	    COMMAND=down
-	    ;;
-    esac
-}
-
 IFUPDOWN=0
 PRODUCTS=
 
@@ -80,103 +34,57 @@ fi
 [ "$IFUPDOWN" = 1 -a -n "$PRODUCTS" ] || exit 0
 
 if [ -f /etc/debian_version ]; then
-    case $0 in
-	/etc/ppp*)
-	    #
-	    # Debian ppp
-	    #
-	    Debian_SuSE_ppp
-	    ;;
-	
-	*)
-            #
-            # Debian ifupdown system
-            #
-	    INTERFACE="$IFACE"
+    #
+    # Debian ifupdown system
+    #
+    if [ "$MODE" = start ]; then
+	COMMAND=up
+    elif [ "$MODE" = stop ]; then
+	COMMAND=down
+    else
+	exit 0
+    fi
 
-	    if [ "$MODE" = start ]; then
-		COMMAND=up
-	    elif [ "$MODE" = stop ]; then
-		COMMAND=down
-	    else
-		exit 0
-	    fi
-
-	    case "$PHASE" in
-		pre-*)
-		    exit 0
-		    ;;
-	    esac
+    case "$PHASE" in
+	pre-*)
+	    exit 0
 	    ;;
     esac
 elif [ -f /etc/SuSE-release ]; then
-    case $0 in
-	/etc/ppp*)
-	    #
-	    # SUSE ppp
-	    #
-	    Debian_SuSE_ppp
-	    ;;
-	
-	*)
-            #
-            # SuSE ifupdown system
-            #
-	    INTERFACE="$2"
+    #
+    # SuSE ifupdown system
+    #
+    IFACE="$2"
 
-	    case $0 in
-		*if-up.d*)
-		    COMMAND=up
-		    ;;
-		*if-down.d*)
-		    COMMAND=down
-		    ;;
-		*)
-		    exit 0
-		    ;;
-	    esac
+    case $0 in
+	*if-up.d*)
+	    COMMAND=up
+	    ;;
+	*if-down.d*)
+	    COMMAND=down
+	    ;;
+	*)
+	    exit 0
 	    ;;
     esac
 else
     #
     # Assume RedHat/Fedora/CentOS/Foobar/...
     #
-    case $0 in
-	/etc/ppp*)
-	    INTERFACE="$1"
-
-	    case $0 in
-		*ip-up.local)
-		    COMMAND=up
-		    ;;
-		*ip-down.local)
-		    COMMAND=down
-		    ;;
-		*)
-		    exit 0
-		    ;;
-	    esac
+    IFACE="$1"
+    
+    case $0 in 
+	*ifup*)
+	    COMMAND=up
+	    ;;
+	*ifdown*)
+	    COMMAND=down
+	    ;;
+	*dispatcher.d*)
+	    COMMAND="$2"
 	    ;;
 	*)
-	    #
-	    # RedHat ifup/down system
-	    #
-	    INTERFACE="$1"
-    
-	    case $0 in 
-		*ifup*)
-		    COMMAND=up
-		    ;;
-		*ifdown*)
-		    COMMAND=down
-		    ;;
-		*dispatcher.d*)
-		    COMMAND="$2"
-		    ;;
-		*)
-		    exit 0
-		    ;;
-	    esac
+	    exit 0
 	    ;;
     esac
 fi
@@ -185,11 +93,7 @@ for PRODUCT in $PRODUCTS; do
     VARDIR=/var/lib/$PRODUCT
     [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir
     if [ -x $VARDIR/firewall ]; then
-	  ( . /usr/share/shorewall/lib.base
-	    mutex_on
-	    ${VARDIR}/firewall -V0 $COMMAND $INTERFACE || echo_notdone
-	    mutex_off
-	  )
+	$VARDIR/firewall -V0 $COMMAND $IFACE
     fi
 done
 

Shorewall-init/init.debian.sh

@@ -84,20 +84,7 @@ shorewall_start () {
       VARDIR=/var/lib/$product
       [ -f /etc/$product/vardir ] && . /etc/$product/vardir
       if [ -x ${VARDIR}/firewall ]; then
-	  #
-	  # Run in a sub-shell to avoid name collisions
-	  #
-	  ( 
-	      . /usr/share/$product/lib.base
-	      #
-	      # Get mutex so the firewall state is stable
-	      #
-	      mutex_on
-	      if ! ${VARDIR}/firewall status > /dev/null 2>&1; then
-		  ${VARDIR}/firewall stop || echo_notdone
-	      fi
-	      mutex_off
-	  )
+	  ${VARDIR}/firewall stop || echo_notdone
       fi
   done
 
@@ -116,11 +103,7 @@ shorewall_stop () {
       VARDIR=/var/lib/$product
       [ -f /etc/$product/vardir ] && . /etc/$product/vardir
       if [ -x ${VARDIR}/firewall ]; then
-	  ( . /usr/share/$product/lib.base
-	    mutex_on
-	    ${VARDIR}/firewall clear || echo_notdone
-	    mutex_off
-	  )
+	  ${VARDIR}/firewall clear || echo_notdone
       fi
   done
 

Shorewall-init/init.fedora.sh

@@ -1,121 +0,0 @@
-#! /bin/bash
-#
-# chkconfig: - 09 91
-# description: Initialize the shorewall firewall at boot time
-#
-### BEGIN INIT INFO
-# Provides: shorewall-init
-# Required-Start: $local_fs
-# Required-Stop:  $local_fs
-# Default-Start:
-# Default-Stop:	  0 1 2 3 4 5 6
-# Short-Description: Initialize the shorewall firewall at boot time
-# Description:       Place the firewall in a safe state at boot time
-#                    prior to bringing up the network.  
-### END INIT INFO
-prog="shorewall-init"
-logger="logger -i -t $prog"
-lockfile="/var/lock/subsys/shorewall-init"
-
-# Source function library.
-. /etc/rc.d/init.d/functions
-
-# Get startup options (override default)
-OPTIONS=
-
-# check if shorewall-init is configured or not
-if [ -f "/etc/sysconfig/shorewall-init" ]; then
-    . /etc/sysconfig/shorewall-init
-else
-    echo "/etc/sysconfig/shorewall-init not found"
-    exit 6
-fi
-
-# Initialize the firewall
-start () {
-    local product
-    local vardir
-
-    if [ -z "$PRODUCTS" ]; then
-	echo "No firewalls configured for shorewall-init"
-	failure
-	return 6 #Not configured
-    fi
-
-    echo -n "Initializing \"Shorewall-based firewalls\": "
-    for product in $PRODUCTS; do
-	vardir=/var/lib/$product
-	[ -f /etc/$product/vardir ] && . /etc/$product/vardir 
-	if [ -x ${vardir}/firewall ]; then
-	    ${vardir}/firewall stop 2>&1 | $logger
-	    retval=${PIPESTATUS[0]}
-	    [ retval -ne 0 ] && break
-	fi
-    done
-
-    if [ retval -eq 0 ]; then
-	touch $lockfile 
-	success
-    else
-	failure
-    fi
-    echo
-    return $retval
-}
-
-# Clear the firewall
-stop () {
-    local product
-    local vardir
-
-    echo -n "Clearing \"Shorewall-based firewalls\": "
-    for product in $PRODUCTS; do
-	vardir=/var/lib/$product
-	[ -f /etc/$product/vardir ] && . /etc/$product/vardir 
-	if [ -x ${vardir}/firewall ]; then
-	    ${vardir}/firewall clear 2>&1 | $logger
-	    retval=${PIPESTATUS[0]}
-	    [ retval -ne 0 ] && break
-	fi
-    done
-
-    if [ retval -eq 0 ]; then
-	rm -f $lockfile
-	success
-    else
-	failure
-    fi
-    echo
-    return $retval
-}
-
-status_q() {
-    status > /dev/null 2>&1
-}
-
-case "$1" in
-    start)
-	status_q && exit 0
-	$1
-	;;
-    stop)
-	status_q || exit 0
-	$1
-	;;
-    restart|reload|force-reload)
-	echo "Not implemented"
-	exit 3
-	;;
-    condrestart|try-restart)
-	echo "Not implemented"
-	exit 3
-        ;;
-    status)
-	status $prog
-	;;
-  *)
-	echo "Usage: /etc/init.d/shorewall-init {start|stop}"
-	exit 1
-esac
-
-exit 0

Shorewall-init/init.sh

@@ -29,7 +29,7 @@
 # Required-start: $local_fs
 # Required-stop:  $local_fs
 # Default-Start:  2 3 5
-# Default-Stop:   6
+# Default-Stop:
 # Short-Description: Initialize the firewall at boot time
 # Description:       Place the firewall in a safe state at boot time
 #                    prior to bringing up the network.  
@@ -55,48 +55,35 @@ fi
 
 # Initialize the firewall
 shorewall_start () {
-  local PRODUCT
-  local VARDIR
+  local product
+  local vardir
 
   echo -n "Initializing \"Shorewall-based firewalls\": "
-  for PRODUCT in $PRODUCTS; do
-      VARDIR=/var/lib/$PRODUCT
-      [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir 
-      if [ -x ${VARDIR}/firewall ]; then
-	  if ! /sbin/$PRODUCT status > /dev/null 2>&1; then
-	      ${VARDIR}/firewall stop || echo_notdone
-	  fi
+  for product in $PRODUCTS; do
+      vardir=/var/lib/$product
+      [ -f /etc/$product/vardir ] && . /etc/$product/vardir 
+      if [ -x ${vardir}/firewall ]; then
+	  ${vardir}/firewall stop || exit 1
       fi
   done
 
-  if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
-      ipset -R < "$SAVE_IPSETS"
-  fi
-
   return 0
 }
 
 # Clear the firewall
 shorewall_stop () {
-  local PRODUCT
-  local VARDIR
+  local product
+  local vardir
 
   echo -n "Clearing \"Shorewall-based firewalls\": "
-  for PRODUCT in $PRODUCTS; do
-      VARDIR=/var/lib/$PRODUCT
-      [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir 
-      if [ -x ${VARDIR}/firewall ]; then
-	  ${VARDIR}/firewall clear || exit 1
+  for product in $PRODUCTS; do
+      vardir=/var/lib/$PRODUCT
+      [ -f /etc/$product/vardir ] && . /etc/$product/vardir 
+      if [ -x ${vardir}/firewall ]; then
+	  ${vardir}/firewall clear || exit 1
       fi
   done
 
-  if [ -n "$SAVE_IPSETS" ]; then
-      mkdir -p $(dirname "$SAVE_IPSETS")
-      if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
-      fi
-  fi
-
   return 0
 }
 

Shorewall-init/install.sh

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2000-2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2010 - Roberto C. Sanchez (roberto@connexer.com)
 #
 #       Shorewall documentation is available at http://shorewall.net
@@ -23,7 +23,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=xxx #The Build script inserts the actual version.
+VERSION=4.4.10
 
 usage() # $1 = exit status
 {
@@ -86,15 +86,25 @@ install_file() # $1 = source $2 = target $3 = mode
     run_install $T $OWNERSHIP -m $3 $1 ${2}
 }
 
-cd "$(dirname $0)"
-
-#
-# Load packager's settings if any
-#
-[ -f ../shorewall-pkg.config ] && . ../shorewall-pkg.config
-
 [ -n "$DESTDIR" ] || DESTDIR="$PREFIX"
 
+#
+# Parse the run line
+#
+# DEST is the SysVInit script directory
+# INIT is the name of the script in the $DEST directory
+# ARGS is "yes" if we've already parsed an argument
+#
+ARGS=""
+
+if [ -z "$DEST" ] ; then
+	DEST="/etc/init.d"
+fi
+
+if [ -z "$INIT" ] ; then
+	INIT="shorewall-init"
+fi
+
 while [ $# -gt 0 ] ; do
     case "$1" in
 	-h|help|?)
@@ -109,121 +119,65 @@ while [ $# -gt 0 ] ; do
 	    ;;
     esac
     shift
+    ARGS="yes"
 done
 
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
-[ -n "${LIBEXEC:=/usr/share}" ]
+#
+# Determine where to install the firewall script
+#
 
-case "$LIBEXEC" in
-    /*)
-	;;
-    *)
-	echo "The LIBEXEC setting must be an absolute path name" >&2
-	exit 1
-	;;
-esac
-
-INITFILE="shorewall-init"
-
-if [ -z "$BUILD" ]; then
-    case $(uname) in
-	cygwin*)
-	    BUILD=cygwin
-	    ;;
-	Darwin)
-	    BUILD=apple
-	    ;;
-	*)
-	    if [ -f /etc/debian_version ]; then
-		BUILD=debian
-	    elif [ -f /etc/redhat-release ]; then
-		BUILD=redhat
-	    elif [ -f /etc/SuSE-release ]; then
-		BUILD=suse
-	    elif [ -f /etc/slackware-version ] ; then
-		BUILD=slackware
-	    elif [ -f /etc/arch-release ] ; then
-		BUILD=archlinux
-	    else
-		BUILD=linux
-	    fi
-	    ;;
-    esac
-fi
-
-[ -n "$OWNER" ] || OWNER=$(id -un)
-[ -n "$GROUP" ] || GROUP=$(id -gn)
-
-case $BUILD in
-    apple)
+case $(uname) in
+    Darwin)
+	[ -z "$OWNER" ] && OWNER=root
+	[ -z "$GROUP" ] && GROUP=wheel
 	T=
-	;;
-    debian|redhat|suse|slackware|archlinux)
-	;;
+	;;	
     *)
-	[ -n "$BUILD" ] && echo "ERROR: Unknown BUILD environment ($BUILD)" >&2 || echo "ERROR: Unknown BUILD environment"
-	exit 1
+	[ -z "$OWNER" ] && OWNER=root
+	[ -z "$GROUP" ] && GROUP=root
 	;;
 esac
 
 OWNERSHIP="-o $OWNER -g $GROUP"
 
-[ -n "$HOST" ] || HOST=$BUILD
-
-case "$HOST" in
-    debian)
-	echo "Installing Debian-specific configuration..."
-	SPARSE=yes
-	;;
-    redhat|redhat)
-	echo "Installing Redhat/Fedora-specific configuration..."
-	[ -n "$INITDIR" ] || INITDIR=/etc/rc.d/init.d
-	;;
-    slackware)
-	echo "Shorewall-init is currently not supported on Slackware" >&2
-	exit 1
-	;;
-    archlinux)
-	echo "Shorewall-init is currently not supported on Arch Linux" >&2
-	exit 1
-	;;
-    suse|suse)
-	echo "Installing SuSE-specific configuration..."
-	;;
-    linux)
-	echo "ERROR: Shorewall-init is not supported on this system" >&2
-	;;
-    *)
-	echo "ERROR: Unsupported HOST distribution: \"$HOST\"" >&2
-	exit 1;
-	;;
-esac
-
-[ -z "$TARGET" ] && TARGET=$HOST
-
-if [ -z "$INITDIR" -a -n "$INITFILE" ] ; then
-    INITDIR="/etc/init.d"
-fi
-
 if [ -n "$DESTDIR" ]; then
     if [ `id -u` != 0 ] ; then
 	echo "Not setting file owner/group permissions, not running as root."
 	OWNERSHIP=""
     fi
     
-    install -d $OWNERSHIP -m 755 ${DESTDIR}${INITDIR}
+    install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
+elif [ -f /etc/debian_version ]; then
+    DEBIAN=yes
+elif [ -f /etc/SuSE-release ]; then
+    SUSE=Yes
+elif [ -f /etc/slackware-version ] ; then
+    echo "Shorewall-init is currently not supported on Slackware" >&2
+    exit 1
+#   DEST="/etc/rc.d"
+#   INIT="rc.firewall"
+elif [ -f /etc/arch-release ] ; then
+    echo "Shorewall-init is currently not supported on Arch Linux" >&2
+    exit 1
+#   DEST="/etc/rc.d"
+#   INIT="shorewall-init"
+#   ARCHLINUX=yes
+elif [ -d /etc/sysconfig/network-scripts/ ]; then
+    #
+    # Assume RedHat-based
+    #
+    REDHAT=Yes
+else
+    echo "Unknown distribution: Shorewall-init support is not available" >&2
+    exit 1
 fi
 
-if [ -z "$DESTDIR" ]; then
-    if [ -d /lib/systemd/system ]; then
-	SYSTEMD=Yes
-	INITFILE=
-    fi
-elif [ -n "$SYSTEMD" ]; then
-    mkdir -p ${DESTDIR}/lib/systemd/system
-    INITFILE=
-fi
+#
+# Change to the directory containing this script
+#
+cd "$(dirname $0)"
 
 echo "Installing Shorewall Init Version $VERSION"
 
@@ -236,37 +190,18 @@ else
     first_install="Yes"
 fi
 
-if [ -n "$INITFILE" ]; then
-    #
-    # Install the Init Script
-    #
-    case $TARGET in
-	debian)
-	    install_file init.debian.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
-	    ;;
-	redhat)
-	    install_file init.fedora.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
-	    ;;
-	*)
-	    install_file init.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
-	    ;;
-    esac
+#
+# Install the Init Script
+#
+if [ -n "$DEBIAN" ]; then
+    install_file init.debian.sh ${DESTDIR}/etc/init.d/shorewall-init 0544
+#elif [ -n "$ARCHLINUX" ]; then
+#    install_file init.archlinux.sh ${DESTDIR}${DEST}/$INIT 0544
+else
+    install_file init.sh ${DESTDIR}${DEST}/$INIT 0544
+fi
 
-    echo  "Shorewall-init script installed in ${DESTDIR}${INITDIR}/${INITFILE}"
-fi
-#
-# Install the .service file
-#
-if [ -n "$SYSTEMD" ]; then
-    run_install $OWNERSHIP -m 600 shorewall-init.service ${DESTDIR}/lib/systemd/system/shorewall-init.service
-    echo "Service file installed as ${DESTDIR}/lib/systemd/system/shorewall-init.service"
-    if [ -n "$DESTDIR" ]; then
-	mkdir -p ${DESTDIR}/sbin/
-        chmod 755 ${DESTDIR}/sbin
-    fi
-    run_install $OWNERSHIP -m 700 shorewall-init ${DESTDIR}/sbin/shorewall-init
-    echo "CLI installed as ${DESTDIR}/sbin/shorewall-init"
-fi
+echo  "Shorewall Init script installed in ${DESTDIR}${DEST}/$INIT"
 
 #
 # Create /usr/share/shorewall-init if needed
@@ -285,10 +220,10 @@ chmod 644 ${DESTDIR}/usr/share/shorewall-init/version
 #
 if [ -z "$DESTDIR" ]; then
     rm -f /usr/share/shorewall-init/init
-    ln -s ${INITDIR}/${INITFILE} /usr/share/shorewall-init/init
+    ln -s ${DEST}/${INIT} /usr/share/shorewall-init/init
 fi
 
-if [ $HOST = debian ]; then
+if [ -n "$DEBIAN" ]; then
     if [ -n "${DESTDIR}" ]; then
 	mkdir -p ${DESTDIR}/etc/network/if-up.d/
 	mkdir -p ${DESTDIR}/etc/network/if-post-down.d/
@@ -306,7 +241,7 @@ else
 	mkdir -p ${DESTDIR}/etc/sysconfig
 
 	if [ -z "$RPM" ]; then
-	    if [ $HOST = suse ]; then
+	    if [ -n "$SUSE" ]; then
 		mkdir -p ${DESTDIR}/etc/sysconfig/network/if-up.d
 		mkdir -p ${DESTDIR}/etc/sysconfig/network/if-down.d
 	    else
@@ -324,48 +259,36 @@ fi
 # Install the ifupdown script
 #
 
-mkdir -p ${DESTDIR}${LIBEXEC}/shorewall-init
+mkdir -p ${DESTDIR}/usr/share/shorewall-init
 
-install_file ifupdown.sh ${DESTDIR}${LIBEXEC}/shorewall-init/ifupdown 0544
+install_file ifupdown.sh ${DESTDIR}/usr/share/shorewall-init/ifupdown 0544
 
 if [ -d ${DESTDIR}/etc/NetworkManager ]; then
     install_file ifupdown.sh ${DESTDIR}/etc/NetworkManager/dispatcher.d/01-shorewall 0544
 fi
 
-case $HOST in
-    debian)
-	install_file ifupdown.sh ${DESTDIR}/etc/network/if-up.d/shorewall 0544
-	install_file ifupdown.sh ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544
-	;;
-    suse)
-	if [ -z "$RPM" ]; then
-	    install_file ifupdown.sh ${DESTDIR}/etc/sysconfig/network/if-up.d/shorewall 0544
-	    install_file ifupdown.sh ${DESTDIR}/etc/sysconfig/network/if-down.d/shorewall 0544
-	fi
-	;;
-    redhat)
-	if [ -f ${DESTDIR}/sbin/ifup-local -o -f ${DESTDIR}/sbin/ifdown-local ]; then
-	    echo "WARNING: /sbin/ifup-local and/or /sbin/ifdown-local already exist; up/down events will not be handled"
-	elif [ -z "$DESTDIR" ]; then
-	    install_file ifupdown.sh ${DESTDIR}/sbin/ifup-local 0544
-	    install_file ifupdown.sh ${DESTDIR}/sbin/ifdown-local 0544
-	fi
-	;;
-esac
+if [ -n "$DEBIAN" ]; then
+    install_file ifupdown.sh ${DESTDIR}/etc/network/if-up.d/shorewall 0544
+    install_file ifupdown.sh ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544
+elif [ -n "$SUSE" ]; then
+    install_file ifupdown.sh ${DESTDIR}/etc/sysconfig/network/if-up.d/shorewall 0544
+    install_file ifupdown.sh ${DESTDIR}/etc/sysconfig/network/if-down.d/shorewall 0544
+elif [ -n "$REDHAT" ]; then
+    if [ -f ${DESTDIR}/sbin/ifup-local -o -f ${DESTDIR}/sbin/ifdown-local ]; then
+	echo "WARNING: /sbin/ifup-local and/or /sbin/ifdown-local already exist; up/down events will not be handled"
+    else
+	install_file ifupdown.sh ${DESTDIR}/sbin/ifup-local 0544
+	install_file ifupdown.sh ${DESTDIR}/sbin/ifdown-local 0544
+    fi
+fi
 
 if [ -z "$DESTDIR" ]; then
     if [ -n "$first_install" ]; then
-	if [ $HOST = debian ]; then
-	    
-	    update-rc.d shorewall-init defaults
-
+	if [ -n "$DEBIAN" ]; then
+	    ln -sf ../init.d/shorewall-init /etc/rcS.d/S38shorewall-init
 	    echo "Shorewall Init will start automatically at boot"
 	else
-	    if [ -n "$SYSTEMD" ]; then
-		if systemctl enable shorewall-init; then
-		    echo "Shorewall Init will start automatically at boot"
-		fi
-	    elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
+	    if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
 		if insserv /etc/init.d/shorewall-init ; then
 		    echo "Shorewall Init will start automatically at boot"
 		else
@@ -384,15 +307,14 @@ if [ -z "$DESTDIR" ]; then
 		else
 		    cant_autostart
 		fi
-	    else
+	    elif [ "$INIT" != rc.firewall ]; then #Slackware starts this automatically
 		cant_autostart
 	    fi
-
 	fi
     fi
 else
     if [ -n "$first_install" ]; then
-	if [ $HOST = debian ]; then
+	if [ -n "$DEBIAN" ]; then
 	    if [ -n "${DESTDIR}" ]; then
 		mkdir -p ${DESTDIR}/etc/rcS.d
 	    fi
@@ -403,34 +325,6 @@ else
     fi
 fi
 
-if [ -f ${DESTDIR}/etc/ppp ]; then
-    case $HOST in
-	debian|suse)
-	    for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do
-		mkdir -p ${DESTDIR}/etc/ppp/$directory #SuSE doesn't create the IPv6 directories
-		cp -fp ${DESTDIR}${LIBEXEC}/shorewall-init/ifupdown ${DESTDIR}/etc/ppp/$directory/shorewall
-	    done
-	    ;;
-	redhat)
-	    #
-	    # Must use the dreaded ip_xxx.local file
-	    #
-	    for file in ip-up.local ip-down.local; do
-		FILE=${DESTDIR}/etc/ppp/$file
-		if [ -f $FILE ]; then
-		    if fgrep -q Shorewall-based $FILE ; then
-			cp -fp ${DESTDIR}${LIBEXEC}/shorewall-init/ifupdown $FILE
-		    else
-			echo "$FILE already exists -- ppp devices will not be handled"
-			break
-		    fi
-		else
-		    cp -fp ${DESTDIR}${LIBEXEC}/shorewall-init/ifupdown $FILE
-		fi
-	    done
-	    ;;
-    esac
-fi
 #
 #  Report Success
 #

Shorewall-init/shorewall-init

@@ -1,97 +0,0 @@
-#! /bin/bash
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
-#
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2012 - Tom Eastep (teastep@shorewall.net)
-#
-#       On most distributions, this file should be called /etc/init.d/shorewall.
-#
-#       Complete documentation is available at http://shorewall.net
-#
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
-#
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
-#
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-#########################################################################################
-# check if shorewall-init is configured or not
-if [ -f "/etc/sysconfig/shorewall-init" ]; then
-    . /etc/sysconfig/shorewall-init
-    if [ -z "$PRODUCTS" ]; then
-        echo "ERROR: No products configured" >&2
-	exit 1
-    fi
-else
-    echo "ERROR: /etc/sysconfig/shorewall-init not found" >&2
-    exit 1
-fi
-
-# Initialize the firewall
-shorewall_start () {
-  local PRODUCT
-  local VARDIR
-
-  echo -n "Initializing \"Shorewall-based firewalls\": "
-  for PRODUCT in $PRODUCTS; do
-      VARDIR=/var/lib/$PRODUCT
-      [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir 
-      if [ -x ${VARDIR}/firewall ]; then
-	  if ! /sbin/$PRODUCT status > /dev/null 2>&1; then
-	      ${VARDIR}/firewall stop || exit 1
-	  fi
-      fi
-  done
-
-  if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
-      ipset -R < "$SAVE_IPSETS"
-  fi
-
-  return 0
-}
-
-# Clear the firewall
-shorewall_stop () {
-  local PRODUCT
-  local VARDIR
-
-  echo -n "Clearing \"Shorewall-based firewalls\": "
-  for PRODUCT in $PRODUCTS; do
-      VARDIR=/var/lib/$PRODUCT
-      [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir 
-      if [ -x ${VARDIR}/firewall ]; then
-	  ${VARDIR}/firewall clear || exit 1
-      fi
-  done
-
-  if [ -n "$SAVE_IPSETS" ]; then
-      mkdir -p $(dirname "$SAVE_IPSETS")
-      if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
-      fi
-  fi
-
-  return 0
-}
-
-case "$1" in
-  start)
-     shorewall_start
-     ;;
-  stop)
-     shorewall_stop
-     ;;
-  *)
-     echo "Usage: $0 {start|stop}"
-     exit 1
-esac
-
-exit 0

Shorewall-init/shorewall-init.service

@@ -1,20 +0,0 @@
-#
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
-#
-#     Copyright 2011 Jonathan Underwood (jonathan.underwood@gmail.com)
-#
-[Unit]
-Description=Shorewall IPv4 firewall
-After=syslog.target
-Before=network.target
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-EnvironmentFile=-/etc/sysconfig/shorewall-init
-StandardOutput=syslog
-ExecStart=/sbin/shorewall-init $OPTIONS start
-ExecStop=/sbin/shorewall-init $OPTIONS stop
-
-[Install]
-WantedBy=multi-user.target

Shorewall-init/shorewall-init.spec

@@ -0,0 +1,120 @@
+%define name shorewall-init
+%define version 4.4.10
+%define release 0base
+
+Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall).
+Name: %{name}
+Version: %{version}
+Release: %{release}
+License: GPLv2
+Packager: Tom Eastep <teastep@shorewall.net>
+Group: Networking/Utilities
+Source: %{name}-%{version}.tgz
+URL: http://www.shorewall.net/
+BuildArch: noarch
+BuildRoot: %{_tmppath}/%{name}-%{version}-root
+Requires: shoreline_firewall >= 4.4.10
+
+%description
+
+The Shoreline Firewall, more commonly known as "Shorewall", is a Netfilter
+(iptables) based firewall that can be used on a dedicated firewall system,
+a multi-function gateway/ router/server or on a standalone GNU/Linux system.
+
+Shorewall Init is a companion product to Shorewall that allows for tigher
+control of connections during boot and that integrates Shorewall with
+ifup/ifdown and NetworkManager.
+
+%prep
+
+%setup
+
+%build
+
+%install
+export DESTDIR=$RPM_BUILD_ROOT ; \
+export OWNER=`id -n -u` ; \
+export GROUP=`id -n -g` ;\
+./install.sh
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%post
+
+if [ $1 -eq 1 ]; then
+    if [ -x /sbin/insserv ]; then
+	/sbin/insserv /etc/rc.d/shorewall-init
+    elif [ -x /sbin/chkconfig ]; then
+	/sbin/chkconfig --add shorewall-init;
+    fi
+fi
+
+if [ -f /etc/SuSE-release ]; then
+    cp -pf /usr/share/shorewall-init/ifupdown /etc/sysconfig/network/if-up.d/shorewall
+    cp -pf /usr/share/shorewall-init/ifupdown /etc/sysconfig/network/if-down.d/shorewall
+else
+    if [ -f /sbin/ifup-local -o -f /sbin/ifdown-local ]; then
+	if ! grep -q Shorewall /sbin/ifup-local || ! grep -q Shorewall /sbin/ifdown-local; then
+	    echo "WARNING: /sbin/ifup-local and/or /sbin/ifdown-local already exist; ifup/ifdown events will not be handled" >&2
+	else
+	    cp -pf /usr/share/shorewall-init/ifupdown /sbin/ifup-local
+	    cp -pf /usr/share/shorewall-init/ifupdown /sbin/ifdown-local
+	fi
+    else
+	cp -pf /usr/share/shorewall-init/ifupdown /sbin/ifup-local
+	cp -pf /usr/share/shorewall-init/ifupdown /sbin/ifdown-local
+    fi
+
+    if [ -d /etc/NetworkManager/dispatcher.d/ ]; then
+	cp -pf /usr/share/shorewall-init/ifupdown /etc/NetworkManager/dispatcher.d/01-shorewall
+    fi
+fi
+
+%preun
+
+if [ $1 -eq 0 ]; then
+    if [ -x /sbin/insserv ]; then
+	/sbin/insserv -r /etc/init.d/shorewall-init
+    elif [ -x /sbin/chkconfig ]; then
+	/sbin/chkconfig --del shorewall-init
+    fi
+
+    [ -f /sbin/ifup-local ]   && grep -q Shorewall /sbin/ifup-local   && rm -f /sbin/ifup-local
+    [ -f /sbin/ifdown-local ] && grep -q Shorewall /sbin/ifdown-local && rm -f /sbin/ifdown-local
+
+    rm -f /etc/NetworkManager/dispatcher.d/01-shorewall
+fi
+
+%files
+%defattr(0644,root,root,0755)
+%attr(0644,root,root) %config(noreplace) /etc/sysconfig/shorewall-init
+
+%attr(0544,root,root) /etc/init.d/shorewall-init
+%attr(0755,root,root) %dir /usr/share/shorewall-init
+
+%attr(0644,root,root) /usr/share/shorewall-init/version
+%attr(0544,root,root) /usr/share/shorewall-init/ifupdown
+
+%doc COPYING changelog.txt releasenotes.txt
+
+%changelog
+* Tue Jun 08 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0base
+* Mon Jun 07 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0RC3
+* Fri Jun 04 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0RC2
+* Thu May 27 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0RC1
+* Wed May 26 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0Beta4
+* Tue May 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0Beta3
+* Thu May 20 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0Beta2
+* Tue May 18 2010 Tom Eastep tom@shorewall.net
+- Initial version
+
+
+

Shorewall-init/sysconfig

@@ -10,9 +10,3 @@ PRODUCTS=""
 # ifup/ifdown and NetworkManager events
 #
 IFUPDOWN=0
-#
-# Set this to the name of the file that is to hold
-# ipset contents. Shorewall-init will load those ipsets
-# during 'start' and will save them there during 'stop'.
-#
-SAVE_IPSETS=""

Shorewall-init/uninstall.sh

@@ -1,10 +1,10 @@
-\#!/bin/sh
+#!/bin/sh
 #
 # Script to back uninstall Shoreline Firewall
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2000-2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.sourceforge.net
 #
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=xxx  #The Build script inserts the actual version
+VERSION=4.4.10
 
 usage() # $1 = exit status
 {
@@ -60,21 +60,15 @@ else
     VERSION=""
 fi
 
-[ -n "${LIBEXEC:=/usr/share}" ]
-
 echo "Uninstalling Shorewall Init $VERSION"
 
 INITSCRIPT=/etc/init.d/shorewall-init
 
 if [ -n "$INITSCRIPT" ]; then
-    if [ -x /usr/sbin/updaterc.d ]; then
-	updaterc.d shorewall-init remove
-    elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
+    if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
         insserv -r $INITSCRIPT
     elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
 	chkconfig --del $(basename $INITSCRIPT)
-    elif [ -x /sbin/systemctl ]; then
-	systemctl disable shorewall-init
     else
 	rm -f /etc/rc*.d/*$(basename $INITSCRIPT)
     fi
@@ -95,22 +89,8 @@ remove_file /etc/network/if-down.d/shorewall
 
 remove_file /etc/sysconfig/network/if-up.d/shorewall
 remove_file /etc/sysconfig/network/if-down.d/shorewall
-remove_file /lib/systemd/system/shorewall.service
-
-if [ -d /etc/ppp ]; then
-    for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do
-	remove_file /etc/ppp/$directory/shorewall
-    done
-
-    for file in if-up.local if-down.local; do
-	if fgrep -q Shorewall-based /etc/ppp/$FILE; then
-	    remove_file /etc/ppp/$FILE
-	fi
-    done
-fi
 
 rm -rf /usr/share/shorewall-init
-rm -rf ${LIBEXEC}/shorewall-init
 
 echo "Shorewall Init Uninstalled"
 

Shorewall-lite/COPYING

@@ -2,8 +2,7 @@
 		       Version 2, June 1991
 
  Copyright (C) 1989, 1991 Free Software Foundation, Inc.
-                          51 Franklin Street, Fifth Floor,
-			  Boston, MA 02110-1301 USA
+                       59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
  Everyone is permitted to copy and distribute verbatim copies
  of this license document, but changing it is not allowed.
 

Shorewall-lite/Makefile

@@ -12,7 +12,7 @@ $(VARDIR)/${RESTOREFILE}: $(VARDIR)/firewall
 	then \
 	    /sbin/shorewall-lite -q save >/dev/null; \
 	else \
-	    /sbin/shorewall-lite -q restart 2>&1 | tail >&2; exit 1; \
+	    /sbin/shorewall-lite -q restart 2>&1 | tail >&2; \
 	fi
 
 # EOF

Shorewall-lite/default.debian

@@ -18,18 +18,9 @@ startup=0
 #
 # Startup options
 #
+
 OPTIONS=""
 
-#
-# Start options
-#
-STARTOPTIONS=""
-
-#
-# Restart options
-#
-RESTARTOPTIONS=""
-
 #
 # Init Log -- if /dev/null, use the STARTUP_LOG defined in shorewall.conf
 #
@@ -39,6 +30,7 @@ INITLOG=/dev/null
 # Set this to 1 to cause '/etc/init.d/shorewall-lite stop' to place the firewall in
 # a safe state rather than to open it
 #
+
 SAFESTOP=0
 
 # EOF

Shorewall-lite/init.debian.sh

@@ -17,9 +17,10 @@ SRWL=/sbin/shorewall-lite
 SRWL_OPTS="-tvv"
 test -n ${INITLOG:=/var/log/shorewall-lite-init.log}
 
-[ "$INITLOG" = "/dev/null" ] && SHOREWALL_INIT_SCRIPT=1 || SHOREWALL_INIT_SCRIPT=0
+[ "$INITLOG" eq "/dev/null" && SHOREWALL_INIT_SCRIPT=1 || SHOREWALL_INIT_SCRIPT=0
 
 export SHOREWALL_INIT_SCRIPT
+
 test -x $SRWL || exit 0
 test -x $WAIT_FOR_IFUP || exit 0
 test -n "$INITLOG" || {
@@ -80,7 +81,7 @@ fi
 # start the firewall
 shorewall_start () {
   echo -n "Starting \"Shorewall firewall\": "
-  $SRWL $SRWL_OPTS start $STARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
+  $SRWL $SRWL_OPTS start >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
 }
 
@@ -98,7 +99,7 @@ shorewall_stop () {
 # restart the firewall
 shorewall_restart () {
   echo -n "Restarting \"Shorewall firewall\": "
-  $SRWL $SRWL_OPTS restart $RESTARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
+  $SRWL $SRWL_OPTS restart >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
 }
 
@@ -109,11 +110,6 @@ shorewall_refresh () {
   return 0
 }
 
-# status of the firewall
-shorewall_status () {
-  $SRWL $SRWL_OPTS status && exit 0 || exit $?
-}
-
 case "$1" in
   start)
      shorewall_start
@@ -127,11 +123,8 @@ case "$1" in
   force-reload|restart)
      shorewall_restart
      ;;
-  status)
-     shorewall_status
-     ;;
   *)
-     echo "Usage: /etc/init.d/shorewall-lite {start|stop|refresh|restart|force-reload|status}"
+     echo "Usage: /etc/init.d/shorewall-lite {start|stop|refresh|restart|force-reload}"
      exit 1
 esac
 

Shorewall-lite/init.fedora.sh

@@ -1,112 +0,0 @@
-#!/bin/sh
-#
-# Shorewall init script
-#
-# chkconfig: - 28 90
-# description: Packet filtering firewall
-
-### BEGIN INIT INFO
-# Provides: shorewall-lite
-# Required-Start: $local_fs $remote_fs $syslog $network
-# Should-Start: VMware $time $named
-# Required-Stop:
-# Default-Start:
-# Default-Stop:	  0 1 2 3 4 5 6
-# Short-Description: Packet filtering firewall
-# Description: The Shoreline Firewall, more commonly known as "Shorewall", is a
-#              Netfilter (iptables) based firewall
-### END INIT INFO
-
-# Source function library.
-. /etc/rc.d/init.d/functions
-
-prog="shorewall-lite"
-shorewall="/sbin/$prog"
-logger="logger -i -t $prog"
-lockfile="/var/lock/subsys/$prog"
-
-# Get startup options (override default)
-OPTIONS=
-
-if [ -f /etc/sysconfig/$prog ]; then
-    . /etc/sysconfig/$prog
-fi
-
-start() {
-    echo -n $"Starting Shorewall: "
-    $shorewall $OPTIONS start 2>&1 | $logger
-    retval=${PIPESTATUS[0]}
-    if [[ $retval == 0 ]]; then 
-	touch $lockfile
-	success
-    else 
-	failure
-    fi
-    echo
-    return $retval
-}
-
-stop() {
-    echo -n $"Stopping Shorewall: "
-    $shorewall $OPTIONS stop 2>&1 | $logger
-    retval=${PIPESTATUS[0]}
-    if [[ $retval == 0 ]]; then 
-	rm -f $lockfile
-	success
-    else 
-	failure
-    fi
-    echo
-    return $retval
-}
-
-restart() {
-# Note that we don't simply stop and start since shorewall has a built in
-# restart which stops the firewall if running and then starts it.
-    echo -n $"Restarting Shorewall: "
-    $shorewall $OPTIONS restart 2>&1 | $logger
-    retval=${PIPESTATUS[0]}
-    if [[ $retval == 0 ]]; then 
-	touch $lockfile
-	success
-    else # Failed to start, clean up lock file if present
-	rm -f $lockfile
-	failure
-    fi
-    echo
-    return $retval
-}
-
-status(){
-    $shorewall status
-    return $?
-}
-
-status_q() {
-    status > /dev/null 2>&1
-}
-
-case "$1" in
-    start)
-	status_q && exit 0
-	$1
-	;;
-    stop)
-	status_q || exit 0
-	$1
-	;;
-    restart|reload|force-reload)
-	restart
-	;;
-    condrestart|try-restart)
-        status_q || exit 0
-        restart
-        ;;
-    status)
-	$1
-	;;
-    *)
-	echo "Usage: $0 start|stop|reload|restart|force-reload|status"
-	exit 1
-	;;
-esac

Shorewall-lite/init.sh

@@ -76,13 +76,14 @@ command="$1"
 
 case "$command" in
     start)
-	exec /sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
+	exec /sbin/shorewall-lite $OPTIONS $@
 	;;
-    restart|reload)
-	exec /sbin/shorewall-lite $OPTIONS restart $RESTARTOPTIONS
+    stop|restart|status)
+	exec /sbin/shorewall-lite $@
 	;;
-    status|stop)
-	exec /sbin/shorewall-lite $OPTIONS $command $@
+    reload)
+	shift
+	exec /sbin/shorewall-lite restart $@
 	;;
     *)
 	usage

Shorewall-lite/install.sh

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2000-2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=xxx #The Build script inserts the actual version
+VERSION=4.4.10
 
 usage() # $1 = exit status
 {
@@ -72,7 +72,7 @@ run_install()
 cant_autostart()
 {
     echo
-    echo  "WARNING: Unable to configure $Product to start automatically at boot" >&2
+    echo  "WARNING: Unable to configure shorewall to start automatically at boot" >&2
 }
 
 delete_file() # $1 = file to delete
@@ -85,36 +85,32 @@ install_file() # $1 = source $2 = target $3 = mode
     run_install $T $OWNERSHIP -m $3 $1 ${2}
 }
 
-#
-# Change to the directory containing this script
-#
-cd "$(dirname $0)"
-
-#
-# Load packager's settings if any
-#
-[ -f ../shorewall-pkg.config ] && . ../shorewall-pkg.config
-
-if [ -f shorewall-lite ]; then
-    PRODUCT=shorewall-lite
-    Product="Shorewall Lite"
-else
-    PRODUCT=shorewall6-lite
-    Product="Shorewall6 Lite"
-fi
-
 [ -n "$DESTDIR" ] || DESTDIR="$PREFIX"
 
 #
 # Parse the run line
 #
+# DEST is the SysVInit script directory
+# INIT is the name of the script in the $DEST directory
+# ARGS is "yes" if we've already parsed an argument
+#
+ARGS=""
+
+if [ -z "$DEST" ] ; then
+	DEST="/etc/init.d"
+fi
+
+if [ -z "$INIT" ] ; then
+	INIT="shorewall-lite"
+fi
+
 while [ $# -gt 0 ] ; do
     case "$1" in
 	-h|help|?)
 	    usage 0
 	    ;;
         -v)
-	    echo "$Product Firewall Installer Version $VERSION"
+	    echo "Shorewall Lite Firewall Installer Version $VERSION"
 	    exit 0
 	    ;;
 	*)
@@ -122,66 +118,33 @@ while [ $# -gt 0 ] ; do
 	    ;;
     esac
     shift
+    ARGS="yes"
 done
 
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
-[ -n "${LIBEXEC:=/usr/share}" ]
-
-case "$LIBEXEC" in
-    /*)
-	;;
-    *)
-	echo "The LIBEXEC setting must be an absolute path name" >&2
-	exit 1
-	;;
-esac
-
 #
 # Determine where to install the firewall script
 #
-cygwin=
+DEBIAN=
+CYGWIN=
 INSTALLD='-D'
-INITFILE=$PRODUCT
 T='-T'
 
-if [ -z "$BUILD" ]; then
-    case $(uname) in
-	cygwin*)
-	    BUILD=cygwin
-	    ;;
-	Darwin)
-	    BUILD=apple
-	    ;;
-	*)
-	    if [ -f /etc/debian_version ]; then
-		BUILD=debian
-	    elif [ -f /etc/redhat-release ]; then
-		BUILD=redhat
-	    elif [ -f /etc/SuSE-release ]; then
-		BUILD=suse
-	    elif [ -f /etc/slackware-version ] ; then
-		BUILD=slackware
-	    elif [ -f /etc/arch-release ] ; then
-		BUILD=archlinux
-	    else
-		BUILD=linux
-	    fi
-	    ;;
-    esac
-fi
+case $(uname) in
+    CYGWIN*)
+	if [ -z "$DESTDIR" ]; then
+	    DEST=
+	    INIT=
+	fi
 
-case $BUILD in
-    cygwin*)
 	OWNER=$(id -un)
 	GROUP=$(id -gn)
 	;;
-    apple)
-	[ -z "$OWNER" ] && OWNER=root
-	[ -z "$GROUP" ] && GROUP=wheel
+    Darwin)
 	INSTALLD=
 	T=
-	;;
+	;;	   
     *)
 	[ -z "$OWNER" ] && OWNER=root
 	[ -z "$GROUP" ] && GROUP=root
@@ -190,45 +153,6 @@ esac
 
 OWNERSHIP="-o $OWNER -g $GROUP"
 
-[ -n "$HOST" ] || HOST=$BUILD
-
-case "$HOST" in
-    cygwin)
-	echo "$PRODUCT is not supported on Cygwin" >&2
-	exit 1
-	;;
-    apple)
-	echo "$PRODUCT is not supported on OS X" >&2
-	exit 1
-	;;
-    debian)
-	echo "Installing Debian-specific configuration..."
-	SPARSE=yes
-	;;
-    redhat)
-	echo "Installing Redhat/Fedora-specific configuration..."
-	[ -n "$INITDIR" ]  || INITDIR=/etc/rc.d/init.d
-	;;
-    slackware)
-	echo "Installing Slackware-specific configuration..."
-	[ -n "$INITDIR" ]  || INITDIR="/etc/rc.d"
-	[ -n "$INITFILE" ] || INITFILE="rc.firewall"
-	[ -n "$MANDIR=" ]  || MANDIR=/usr/man
-	;;
-    archlinux)
-	echo "Installing ArchLinux-specific configuration..."
-	[ -n "$INITDIR" ]  || INITDIR="/etc/rc.d"
-	;;
-    linux|suse)
-	;;
-    *)
-	echo "ERROR: Unknown HOST \"$HOST\"" >&2
-	exit 1;
-	;;
-esac
-
-[ -z "$INITDIR" ] && INITDIR="/etc/init.d"
-
 if [ -n "$DESTDIR" ]; then
     if [ `id -u` != 0 ] ; then
 	echo "Not setting file owner/group permissions, not running as root."
@@ -236,169 +160,148 @@ if [ -n "$DESTDIR" ]; then
     fi
     
     install -d $OWNERSHIP -m 755 ${DESTDIR}/sbin
-    install -d $OWNERSHIP -m 755 ${DESTDIR}${DESTFILE}
-
-    if [ -n "$SYSTEMD" ]; then
-	mkdir -p ${DESTDIR}/lib/systemd/system
-	INITFILE=
-    fi
-else
-    if [ ! -f /usr/share/shorewall/coreversion ]; then
-	echo "$PRODUCT $VERSION requires Shorewall Core which does not appear to be installed" >&2
-	exit 1
-    fi
-
-    if [ -f /lib/systemd/system ]; then
-	SYSTEMD=Yes
-	INITFILE=
-    fi
-fi
-
-echo "Installing $Product Version $VERSION"
-
-#
-# Check for /etc/$PRODUCT
-#
-if [ -z "$DESTDIR" -a -d /etc/$PRODUCT ]; then
-    if [ ! -f /usr/share/shorewall/coreversion ]; then
-	echo "$PRODUCT $VERSION requires Shorewall Core which does not appear to be installed" >&2
-	exit 1
-    fi
-
-    [ -f /etc/$PRODUCT/shorewall.conf ] && \
-	mv -f /etc/$PRODUCT/shorewall.conf /etc/$PRODUCT/$PRODUCT.conf
-else
-    rm -rf ${DESTDIR}/etc/$PRODUCT
-    rm -rf ${DESTDIR}/usr/share/$PRODUCT
-    rm -rf ${DESTDIR}/var/lib/$PRODUCT
-    [ "$LIBEXEC" = /usr/share ] || rm -rf ${DESTDIR}/usr/share/$PRODUCT/wait4ifup ${DESTDIR}/usr/share/$PRODUCT/shorecap
+    install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
+elif [ -d /etc/apt -a -e /usr/bin/dpkg ]; then
+    DEBIAN=yes
+elif [ -f /etc/slackware-version ] ; then
+    DEST="/etc/rc.d"
+    INIT="rc.firewall"
+elif [ -f /etc/arch-release ] ; then
+      DEST="/etc/rc.d"
+      INIT="shorewall-lite"
+      ARCHLINUX=yes
 fi
 
 #
-# Check for /sbin/$PRODUCT
+# Change to the directory containing this script
 #
-if [ -f ${DESTDIR}/sbin/$PRODUCT ]; then
+cd "$(dirname $0)"
+
+echo "Installing Shorewall Lite Version $VERSION"
+
+#
+# Check for /etc/shorewall-lite
+#
+if [ -z "$DESTDIR" -a -d /etc/shorewall-lite ]; then
+    [ -f /etc/shorewall-lite/shorewall.conf ] && \
+	mv -f /etc/shorewall-lite/shorewall.conf /etc/shorewall-lite/shorewall-lite.conf
+else
+    rm -rf ${DESTDIR}/etc/shorewall-lite
+    rm -rf ${DESTDIR}/usr/share/shorewall-lite
+    rm -rf ${DESTDIR}/var/lib/shorewall-lite
+fi
+
+#
+# Check for /sbin/shorewall-lite
+#
+if [ -f ${DESTDIR}/sbin/shorewall-lite ]; then
     first_install=""
 else
     first_install="Yes"
 fi
 
-delete_file ${DESTDIR}/usr/share/$PRODUCT/xmodules
+delete_file ${DESTDIR}/usr/share/shorewall-lite/xmodules
 
-install_file $PRODUCT ${DESTDIR}/sbin/$PRODUCT 0544
+install_file shorewall-lite ${DESTDIR}/sbin/shorewall-lite 0544
 
-echo "$Product control program installed in ${DESTDIR}/sbin/$PRODUCT"
+echo "Shorewall Lite control program installed in ${DESTDIR}/sbin/shorewall-lite"
 
 #
-# Create /etc/$PRODUCT, /usr/share/$PRODUCT and /var/lib/$PRODUCT if needed
+# Install the Firewall Script
 #
-mkdir -p ${DESTDIR}/etc/$PRODUCT
-mkdir -p ${DESTDIR}/usr/share/$PRODUCT
-mkdir -p ${DESTDIR}${LIBEXEC}/$PRODUCT
-mkdir -p ${DESTDIR}/var/lib/$PRODUCT
+if [ -n "$DEBIAN" ]; then
+    install_file init.debian.sh /etc/init.d/shorewall-lite 0544
+elif [ -n "$ARCHLINUX" ]; then
+    install_file init.archlinux.sh ${DESTDIR}${DEST}/$INIT 0544
 
-chmod 755 ${DESTDIR}/etc/$PRODUCT
-chmod 755 ${DESTDIR}/usr/share/$PRODUCT
+else
+    install_file init.sh ${DESTDIR}${DEST}/$INIT 0544
+fi
+
+echo  "Shorewall Lite script installed in ${DESTDIR}${DEST}/$INIT"
+
+#
+# Create /etc/shorewall-lite, /usr/share/shorewall-lite and /var/lib/shorewall-lite if needed
+#
+mkdir -p ${DESTDIR}/etc/shorewall-lite
+mkdir -p ${DESTDIR}/usr/share/shorewall-lite
+mkdir -p ${DESTDIR}/var/lib/shorewall-lite
+
+chmod 755 ${DESTDIR}/etc/shorewall-lite
+chmod 755 ${DESTDIR}/usr/share/shorewall-lite
 
 if [ -n "$DESTDIR" ]; then
     mkdir -p ${DESTDIR}/etc/logrotate.d
     chmod 755 ${DESTDIR}/etc/logrotate.d
-    mkdir -p ${DESTDIR}${INITDIR}
-    chmod 755 ${DESTDIR}${INITDIR}
-fi
-
-if [ -n "$INITFILE" ]; then
-    case $HOST in
-	debian)
-	    install_file init.debian.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
-	    ;;
-	redhat)
-	    install_file init.fedora.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
-	    ;;
-	archlinux)
-	    install_file init.archlinux.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
-	    ;;
-	*)
-	    install_file init.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
-	    ;;
-    esac
-
-    echo  "$Product init script installed in ${DESTDIR}${INITDIR}/${INITFILE}"
-fi
-#
-# Install the .service file
-#
-if [ -n "$SYSTEMD" ]; then
-    run_install $OWNERSHIP -m 600 $PRODUCT.service ${DESTDIR}/lib/systemd/system/$PRODUCT.service
-    echo "Service file installed as ${DESTDIR}/lib/systemd/system/$PRODUCT.service"
 fi
 
 #
 # Install the config file
 #
-if [ ! -f ${DESTDIR}/etc/$PRODUCT/$PRODUCT.conf ]; then
-   install_file $PRODUCT.conf ${DESTDIR}/etc/$PRODUCT/$PRODUCT.conf 0744
-   echo "Config file installed as ${DESTDIR}/etc/$PRODUCT/$PRODUCT.conf"
+if [ ! -f ${DESTDIR}/etc/shorewall-lite/shorewall-lite.conf ]; then
+   run_install $OWNERSHIP -m 0744 shorewall-lite.conf ${DESTDIR}/etc/shorewall-lite
+   echo "Config file installed as ${DESTDIR}/etc/shorewall-lite/shorewall-lite.conf"
 fi
 
-if [ $HOST = archlinux ] ; then
-   sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${DESTDIR}/etc/$PRODUCT/$PRODUCT.conf
+if [ -n "$ARCHLINUX" ] ; then
+   sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${DESTDIR}/etc/shorewall-lite/shorewall.conf
 fi
 
 #
 # Install the  Makefile
 #
-run_install $OWNERSHIP -m 0600 Makefile ${DESTDIR}/etc/$PRODUCT
-echo "Makefile installed as ${DESTDIR}/etc/$PRODUCT/Makefile"
+run_install $OWNERSHIP -m 0600 Makefile ${DESTDIR}/etc/shorewall-lite
+echo "Makefile installed as ${DESTDIR}/etc/shorewall-lite/Makefile"
 
 #
 # Install the default config path file
 #
-install_file configpath ${DESTDIR}/usr/share/$PRODUCT/configpath 0644
-echo "Default config path file installed as ${DESTDIR}/usr/share/$PRODUCT/configpath"
+install_file configpath ${DESTDIR}/usr/share/shorewall-lite/configpath 0644
+echo "Default config path file installed as ${DESTDIR}/usr/share/shorewall-lite/configpath"
 
 #
 # Install the libraries
 #
 for f in lib.* ; do
     if [ -f $f ]; then
-	install_file $f ${DESTDIR}/usr/share/$PRODUCT/$f 0644
-	echo "Library ${f#*.} file installed as ${DESTDIR}/usr/share/$PRODUCT/$f"
+	install_file $f ${DESTDIR}/usr/share/shorewall-lite/$f 0644
+	echo "Library ${f#*.} file installed as ${DESTDIR}/usr/share/shorewall-lite/$f"
     fi
 done
 
-ln -sf lib.base ${DESTDIR}/usr/share/$PRODUCT/functions
+ln -sf lib.base ${DESTDIR}/usr/share/shorewall-lite/functions
 
-echo "Common functions linked through ${DESTDIR}/usr/share/$PRODUCT/functions"
+echo "Common functions linked through ${DESTDIR}/usr/share/shorewall-lite/functions"
 
 #
 # Install Shorecap
 #
 
-install_file shorecap ${DESTDIR}${LIBEXEC}/$PRODUCT/shorecap 0755
+install_file shorecap ${DESTDIR}/usr/share/shorewall-lite/shorecap 0755
 
 echo
-echo "Capability file builder installed in ${DESTDIR}${LIBEXEC}/$PRODUCT/shorecap"
+echo "Capability file builder installed in ${DESTDIR}/usr/share/shorewall-lite/shorecap"
 
 #
-# Install the Modules files
+# Install wait4ifup
+#
+
+if [ -f wait4ifup ]; then
+    install_file wait4ifup ${DESTDIR}/usr/share/shorewall-lite/wait4ifup 0755
+
+    echo
+    echo "wait4ifup installed in ${DESTDIR}/usr/share/shorewall-lite/wait4ifup"
+fi
+
+#
+# Install the Modules file
 #
 
 if [ -f modules ]; then
-    run_install $OWNERSHIP -m 0600 modules ${DESTDIR}/usr/share/$PRODUCT
-    echo "Modules file installed as ${DESTDIR}/usr/share/$PRODUCT/modules"
+    run_install $OWNERSHIP -m 0600 modules ${DESTDIR}/usr/share/shorewall-lite
+    echo "Modules file installed as ${DESTDIR}/usr/share/shorewall-lite/modules"
 fi
 
-if [ -f helpers ]; then
-    run_install $OWNERSHIP -m 0600 helpers ${DESTDIR}/usr/share/$PRODUCT
-    echo "Helper modules file installed as ${DESTDIR}/usr/share/$PRODUCT/helpers"
-fi
-
-for f in modules.*; do
-    run_install $OWNERSHIP -m 0644 $f ${DESTDIR}/usr/share/$PRODUCT/$f
-    echo "Module file $f installed as ${DESTDIR}/usr/share/$PRODUCT/$f"
-done
-
 #
 # Install the Man Pages
 #
@@ -426,69 +329,54 @@ if [ -d manpages ]; then
 fi
 
 if [ -d ${DESTDIR}/etc/logrotate.d ]; then
-    run_install $OWNERSHIP -m 0644 logrotate ${DESTDIR}/etc/logrotate.d/$PRODUCT
-    echo "Logrotate file installed as ${DESTDIR}/etc/logrotate.d/$PRODUCT"
+    run_install $OWNERSHIP -m 0644 logrotate ${DESTDIR}/etc/logrotate.d/shorewall-lite
+    echo "Logrotate file installed as ${DESTDIR}/etc/logrotate.d/shorewall-lite"
 fi
 
+
 #
 # Create the version file
 #
-echo "$VERSION" > ${DESTDIR}/usr/share/$PRODUCT/version
-chmod 644 ${DESTDIR}/usr/share/$PRODUCT/version
+echo "$VERSION" > ${DESTDIR}/usr/share/shorewall-lite/version
+chmod 644 ${DESTDIR}/usr/share/shorewall-lite/version
 #
 # Remove and create the symbolic link to the init script
 #
 
 if [ -z "$DESTDIR" ]; then
-    rm -f /usr/share/$PRODUCT/init
-    ln -s ${INITDIR}/${INITFILE} /usr/share/$PRODUCT/init
+    rm -f /usr/share/shorewall-lite/init
+    ln -s ${DEST}/${INIT} /usr/share/shorewall-lite/init
 fi
 
-delete_file ${DESTDIR}/usr/share/$PRODUCT/lib.common
-delete_file ${DESTDIR}/usr/share/$PRODUCT/lib.cli
-delete_file ${DESTDIR}/usr/share/$PRODUCT/wait4ifup
-
 if [ -z "$DESTDIR" ]; then
-    touch /var/log/$PRODUCT-init.log
+    touch /var/log/shorewall-lite-init.log
 
     if [ -n "$first_install" ]; then
-	if [ $HOST = debian ]; then
-	    run_install $OWNERSHIP -m 0644 default.debian /etc/default/$PRODUCT
-
-	    update-rc.d $PRODUCT defaults
-
-	    if [ -x /sbin/insserv ]; then
-		insserv /etc/init.d/$PRODUCT
-	    else
-		ln -s ../init.d/$PRODUCT /etc/rcS.d/S40$PRODUCT
-	    fi
-
-	    echo "$Product will start automatically at boot"
+	if [ -n "$DEBIAN" ]; then
+	    run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall-lite
+	    ln -s ../init.d/shorewall-lite /etc/rcS.d/S40shorewall-lite
+	    echo "Shorewall Lite will start automatically at boot"
 	else
-	    if [ -n "$SYSTEMD" ]; then
-		if systemctl enable $PRODUCT; then
-		    echo "$Product will start automatically at boot"
-		fi
-	    elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
-		if insserv /etc/init.d/$PRODUCT ; then
-		    echo "$Product will start automatically at boot"
+	    if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
+		if insserv /etc/init.d/shorewall-lite ; then
+		    echo "Shorewall Lite will start automatically at boot"
 		else
 		    cant_autostart
 		fi
 	    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
-		if chkconfig --add $PRODUCT ; then
-		    echo "$Product will start automatically in run levels as follows:"
-		    chkconfig --list $PRODUCT
+		if chkconfig --add shorewall-lite ; then
+		    echo "Shorewall Lite will start automatically in run levels as follows:"
+		    chkconfig --list shorewall-lite
 		else
 		    cant_autostart
 		fi
 	    elif [ -x /sbin/rc-update ]; then
-		if rc-update add $PRODUCT default; then
-		    echo "$Product will start automatically at boot"
+		if rc-update add shorewall-lite default; then
+		    echo "Shorewall Lite will start automatically at boot"
 		else
 		    cant_autostart
 		fi
-	    elif [ "$INITFILE" != rc.firewall ]; then #Slackware starts this automatically
+	    elif [ "$INIT" != rc.firewall ]; then #Slackware starts this automatically
 		cant_autostart
 	    fi
 	fi
@@ -498,4 +386,4 @@ fi
 #
 #  Report Success
 #
-echo "$Product Version $VERSION Installed"
+echo "shorewall Lite Version $VERSION Installed"

Shorewall-lite/lib.base

@@ -1,34 +0,0 @@
-#
-# Shorewall 4.4 -- /usr/share/shorewall-lite/lib.base
-#
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2011 - Tom Eastep (teastep@shorewall.net)
-#
-#	Complete documentation is available at http://shorewall.net
-#
-#	This program is free software; you can redisribute it and/or modify
-#	it under the terms of Version 2 of the GNU General Public License
-#	as published by the Free Software Foundation.
-#
-#	This program is distributed in the hope that it will be useful,
-#	but WITHOUT ANY WARRANTY; without even the implied warranty of
-#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#	GNU General Public License for more details.
-#
-#	You should have received a copy of the GNU General Public License
-#	along with this program; if not, write to the Free Software
-#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# This library contains the code common to all Shorewall components.
-
-g_program=shorewall-lite
-g_family=4
-g_basedir=/usr/share/shorewall
-
-[ -n "${VARDIR:=/var/lib/$g_program}" ]
-[ -n "${SHAREDIR:=/usr/share/$g_program}" ]
-[ -n "${CONFDIR:=/etc/$g_program}" ]
-
-. /usr/share/shorewall/lib.base
-

Shorewall-lite/shorecap

@@ -48,14 +48,10 @@
 SHAREDIR=/usr/share/shorewall-lite
 VARDIR=/var/lib/shorewall-lite
 CONFDIR=/etc/shorewall-lite
-g_program=shorewall-lite
 g_product="Shorewall Lite"
-g_family=4
-g_base=shorewall
-g_basedir=/usr/share/shorewall-lite
 
 . /usr/share/shorewall-lite/lib.base
-. /usr/share/shorewall/lib.cli
+. /usr/share/shorewall-lite/lib.cli
 . /usr/share/shorewall-lite/configpath
 
 [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
@@ -64,8 +60,6 @@ SHOREWALL_VERSION=$(cat /usr/share/shorewall-lite/version)
 
 [ -n "$IPTABLES" ] || IPTABLES=$(mywhich iptables)
 
-g_tool=$IPTABLES
-
 VERBOSITY=0
 load_kernel_modules No
 determine_capabilities

Shorewall-lite/shorewall-lite

@@ -1,13 +1,14 @@
 #!/bin/sh
 #
-#     Shorewall Lite Packet Filtering Firewall Control Program - V4.5
+#     Shorewall Lite Packet Filtering Firewall Control Program - V4.1
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011 - 
-#         Tom Eastep (teastep@shorewall.net)
+#     (c) 2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
-#	Shorewall documentation is available at http://www.shorewall.net
+#	This file should be placed in /sbin/shorewall-lite.
+#
+#	Shorewall documentation is available at http://shorewall.net
 #
 #	This program is free software; you can redistribute it and/or modify
 #	it under the terms of Version 2 of the GNU General Public License
@@ -22,11 +23,841 @@
 #	along with this program; if not, write to the Free Software
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#       For a list of supported commands, type 'shorewall help' or 'shorewall6 help'
+#     If an error occurs while starting or restarting the firewall, the
+#     firewall is automatically stopped.
 #
-################################################################################################
-g_program=shorewall-lite
+#     Commands are:
+#
+#     shorewall-lite dump                          Dumps all Shorewall-related information
+#                                                  for problem analysis
+#     shorewall-lite start 			   Starts the firewall
+#     shorewall-lite restart			   Restarts the firewall
+#     shorewall-lite stop			   Stops the firewall
+#     shorewall-lite status			   Displays firewall status
+#     shorewall-lite reset			   Resets iptables packet and
+#						   byte counts
+#     shorewall-lite clear			   Open the floodgates by
+#						   removing all iptables rules
+#						   and setting the three permanent
+#						   chain policies to ACCEPT
+#     shorewall-lite show <chain> [ <chain> ... ]  Display the rules in each <chain> listed
+#     shorewall-lite show log			   Print the last 20 log messages
+#     shorewall-lite show connections		   Show the kernel's connection
+#						   tracking table
+#     shorewall-lite show nat			   Display the rules in the nat table
+#     shorewall-lite show {mangle|tos}		   Display the rules in the mangle table
+#     shorewall-lite show tc			   Display traffic control info
+#     shorewall-lite show classifiers		   Display classifiers
+#     shorewall-lite show capabilities             Display iptables/kernel capabilities
+#     shorewall-lite show vardir                   Display VARDIR setting
+#     shorewall-lite version			   Display the installed version id
+#     shorewall-lite logwatch [ refresh-interval ] Monitor the local log for Shorewall
+#						   messages.
+#     shorewall-lite drop <address> ...		   Temporarily drop all packets from the
+#						   listed address(es)
+#     shorewall-lite reject <address> ...	   Temporarily reject all packets from the
+#						   listed address(es)
+#     shorewall-lite allow <address> ...	   Reenable address(es) previously
+#						   disabled with "drop" or "reject"
+#     shorewall-lite save [ <file> ]		   Save the list of "rejected" and
+#						   "dropped" addresses so that it will
+#						   be automatically reinstated the
+#						   next time that Shorewall starts.
+#                                                  Save the current state so that 'shorewall
+#                                                  restore' can be used.
+#
+#     shorewall-lite forget [ <file> ]             Discard the data saved by 'shorewall save'
+#
+#     shorewall-lite restore [ <file> ]            Restore the state of the firewall from
+#                                                  previously saved information.
+#
+#     shorewall-lite ipaddr { <address>/<cidr> | <address> <netmask> }
+#
+#                                                  Displays information about the network
+#                                                  defined by the argument[s]
+#
+#     shorewall-lite iprange <address>-<address>   Decomposes a range of IP addresses into
+#                                                  a list of network/host addresses.
+#
+#     shorewall-lite ipdecimal { <address> | <integer> }
+#
+#                                                  Displays the decimal equivalent of an IP
+#                                                  address and vice versa.
 
-. /usr/share/shorewall/lib.cli
+#
+# Set the configuration variables from shorewall-lite.conf
+#
+get_config() {
 
-shorewall_cli $@
+    [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
+
+    [ -z "$LOGFILE" ] && LOGFILE=/var/log/messages
+
+    if ( ps ax 2> /dev/null | grep -v grep |  qt grep 'syslogd.*-C' ) ; then
+	LOGREAD="logread | tac"
+    elif [ -r $LOGFILE ]; then
+	LOGREAD="tac $LOGFILE"
+    else
+	echo "LOGFILE ($LOGFILE) does not exist!" >&2
+	exit 2
+    fi
+    #
+    # See if we have a real version of "tail" -- use separate redirection so
+    # that ash (aka /bin/sh on LRP) doesn't crap
+    #
+    if ( tail -n5 /dev/null > /dev/null 2> /dev/null ) ; then
+	realtail="Yes"
+    else
+	realtail=""
+    fi
+
+    [ -n "$FW" ] || FW=fw
+
+    [ -n "LOGFORMAT" ] && LOGFORMAT="${LOGFORMAT%%%*}"
+
+    [ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:"
+
+    if [ -n "$IPTABLES" ]; then
+	if [ ! -x "$IPTABLES" ]; then
+	    echo "   ERROR: The program specified in IPTABLES does not exist or is not executable" >&2
+	    exit 2
+	fi
+    else
+	IPTABLES=$(mywhich iptables 2> /dev/null)
+	if [ -z "$IPTABLES" ] ; then
+	    echo "   ERROR: Can't find iptables executable" >&2
+	    exit 2
+	fi
+    fi
+
+    if [ -n "$SHOREWALL_SHELL" ]; then
+	if [ ! -x "$SHOREWALL_SHELL" ]; then
+	    echo "   WARNING: The program specified in SHOREWALL_SHELL does not exist or is not executable; falling back to /bin/sh" >&2
+	    SHOREWALL_SHELL=/bin/sh
+	fi
+    fi
+
+    [ -n "$RESTOREFILE" ] || RESTOREFILE=restore
+
+    validate_restorefile RESTOREFILE
+
+    [ -n "${VERBOSITY:=2}" ]
+
+    [ -n "$g_use_verbosity" ] && VERBOSITY=$g_use_verbosity || VERBOSITY=$(($g_verbose_offset + $VERBOSITY))
+
+    g_hostname=$(hostname 2> /dev/null)
+
+    IP=$(mywhich ip 2> /dev/null)
+    if [ -z "$IP" ] ; then
+	echo "   ERROR: Can't find ip executable" >&2
+	exit 2
+    fi
+
+    IPSET=ipset
+    TC=tc
+
+}
+
+#
+# Verify that we have a compiled firewall script
+#
+verify_firewall_script() {
+    if [ ! -f $g_firewall ]; then
+	echo "   ERROR: Shorewall Lite is not properly installed" >&2
+	if [ -L $g_firewall ]; then
+	    echo "          $g_firewall is a symbolic link to a" >&2
+	    echo "          non-existant file" >&2
+	else
+	    echo "          The file $g_firewall does not exist" >&2
+	fi
+	
+	exit 2
+    fi
+}
+
+#
+# Start Command Executor
+#
+start_command() {
+    local finished
+    finished=0
+
+    do_it() {
+	local rc
+	rc=0
+	[ -n "$nolock" ] || mutex_on
+
+	if [ -x ${LITEDIR}/firewall ]; then
+	    run_it ${LITEDIR}/firewall $debugging start
+	    rc=$?
+	else
+	    error_message "${LITEDIR}/firewall is missing or is not executable"
+	    logger -p kern.err "ERROR:Shorewall Lite start failed"
+	    rc=2
+	fi
+
+	[ -n "$nolock" ] || mutex_off
+	exit $rc
+    }
+
+    verify_firewall_script
+
+    if shorewall_is_started; then
+	error_message "Shorewall is already running"
+	exit 0
+    fi
+
+    while [ $finished -eq 0 -a $# -gt 0 ]; do
+	option=$1
+	case $option in
+	    -*)
+		option=${option#-}
+
+		while [ -n "$option" ]; do
+		    case $option in
+			-)
+			    finished=1
+			    option=
+			    ;;
+			f*)
+			    g_fast=Yes
+			    option=${option#f}
+			    ;;
+			p*)
+			    [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
+			    g_purge=Yes
+			    option=${option%p}
+			    ;;
+			*)
+			    usage 1
+			    ;;
+		    esac
+		done
+		shift
+		;;
+	    *)
+		finished=1
+		;;
+	esac
+    done
+
+    case $# in
+	0)
+	    ;;
+	*)
+	    usage 1
+	    ;;
+    esac
+
+    if [ -n "$g_fast" ]; then
+	if qt mywhich make; then
+	    export RESTOREFILE
+	    make -qf ${CONFDIR}/Makefile || g_fast=
+	fi
+
+	if [ -n "$g_fast" ]; then
+
+	    g_restorepath=${VARDIR}/$RESTOREFILE
+
+	    if [ -x $g_restorepath ]; then
+		echo Restoring Shorewall Lite...
+		run_it $g_restorepath restore
+		date > ${VARDIR}/restarted
+		progress_message3 Shorewall Lite restored from $g_restorepath
+	    else
+		do_it
+	    fi
+	else
+	    do_it
+	fi
+    else
+	do_it
+    fi
+}
+
+#
+# Restart Command Executor
+#
+restart_command() {
+    local finished
+    finished=0
+    local rc
+    rc=0
+
+    verify_firewall_script
+
+    while [ $finished -eq 0 -a $# -gt 0 ]; do
+	option=$1
+	case $option in
+	    -*)
+		option=${option#-}
+
+		while [ -n "$option" ]; do
+		    case $option in
+			-)
+			    finished=1
+			    option=
+			    ;;
+			n*)
+			    g_noroutes=Yes
+			    option=${option#n}
+			    ;;
+			p*)
+			    [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
+			    g_purge=Yes
+			    option=${option%p}
+			    ;;
+			*)
+			    usage 1
+			    ;;
+		    esac
+		done
+		shift
+		;;
+	    *)
+		finished=1
+		;;
+	esac
+    done
+
+    case $# in
+	0)
+	    ;;
+	*)
+	    usage 1
+	    ;;
+    esac
+
+    [ -n "$nolock" ] || mutex_on
+
+    if [ -x ${LITEDIR}/firewall ]; then
+	run_it ${LITEDIR}/firewall $debugging restart
+	rc=$?
+    else
+	error_message "${LITEDIR}/firewall is missing or is not executable"
+	logger -p kern.err "ERROR:Shorewall Lite restart failed"
+	rc=2
+    fi
+
+    [ -n "$nolock" ] || mutex_off
+    return $rc
+}
+
+#
+# Give Usage Information
+#
+usage() # $1 = exit status
+{
+    echo "Usage: $(basename $0) [debug|trace] [nolock] [ -q ] [ -v[-1|{0-2}] ] [ -t ] <command>"
+    echo "where <command> is one of:"
+    echo "   add <interface>[:<host-list>] ... <zone>"
+    echo "   allow <address> ..."
+    echo "   clear"
+    echo "   delete <interface>[:<host-list>] ... <zone>"
+    echo "   drop <address> ..."
+    echo "   dump [ -x ]"
+    echo "   forget [ <file name> ]"
+    echo "   help"
+    echo "   ipcalc { <address>/<vlsm> | <address> <netmask> }"
+    echo "   ipdecimal { <address> | <integer> }"
+    echo "   iprange <address>-<address>"
+    echo "   logdrop <address> ..."
+    echo "   logreject <address> ..."
+    echo "   logwatch [<refresh interval>]"
+    echo "   reject <address> ..."
+    echo "   reset [ <chain> ... ]"
+    echo "   restart [ -n ] [ -p ] [ -f ] [ <directory> ]"
+    echo "   restore [ -n ] [ <file name> ]"
+    echo "   save [ <file name> ]"
+    echo "   show [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
+    echo "   show [ -f ] capabilities"
+    echo "   show classifiers"
+    echo "   show config"
+    echo "   show connections"
+    echo "   show filters"
+    echo "   show ip"
+    echo "   show [ -m ] log [<regex>]"
+    echo "   show [ -x ] mangle|nat|raw|routing"
+    echo "   show policies"
+    echo "   show tc [ device ]"
+    echo "   show vardir"
+    echo "   show zones"
+    echo "   start [ -f ] [ -p ] [ <directory> ]"
+    echo "   stop"
+    echo "   status"
+    echo "   version [ -a ]"
+    echo
+    exit $1
+}
+
+version_command() {
+    local finished
+    finished=0
+    local all
+    all=
+    local product
+
+    while [ $finished -eq 0 -a $# -gt 0 ]; do
+	option=$1
+	case $option in
+	    -*)
+		option=${option#-}
+
+		while [ -n "$option" ]; do
+		    case $option in
+			-)
+			    finished=1
+			    option=
+			    ;;
+			a*)
+			    all=Yes
+			    option=${option#a}
+			    ;;
+			*)
+			    usage 1
+			    ;;
+		    esac
+		done
+		shift
+		;;
+	    *)
+		finished=1
+		;;
+	esac
+    done
+
+    [ $# -gt 0 ] && usage 1
+
+    echo $SHOREWALL_VERSION
+    
+    if [ -n "$all" ]; then
+	for product in shorewall shorewall6 shorewall6-lite shorewall-init; do
+	    if [ -f /usr/share/$product/version ]; then
+		echo "$product: $(cat /usr/share/$product/version)"
+	    fi
+	done
+    fi
+}
+
+#
+# Execution begins here
+#
+debugging=
+
+if [ $# -gt 0 ] && [ "$1" = "debug" -o "$1" = "trace" ]; then
+    debugging=$1
+    shift
+fi
+
+nolock=
+
+if [ $# -gt 0 ] && [ "$1" = "nolock" ]; then
+    nolock=nolock
+    shift
+fi
+
+g_ipt_options="-nv"
+g_fast=
+g_verbose_offset=0
+g_use_verbosity=
+g_noroutes=
+g_timestamp=
+g_recovering=
+
+finished=0
+
+while [ $finished -eq 0 ]; do
+    [ $# -eq 0 ] && usage 1
+    option=$1
+    case $option in
+	-)
+	    finished=1
+	    ;;
+	-*)
+	    option=${option#-}
+
+	    [ -z "$option" ] && usage 1
+
+	    while [ -n "$option" ]; do
+		case $option in
+		    x*)
+			g_ipt_options="-xnv"
+			option=${option#x}
+			;;
+		    q*)
+			g_verbose_offset=$(($g_verbose_offset - 1 ))
+			option=${option#q}
+			;;
+		    f*)
+			g_fast=Yes
+			option=${option#f}
+			;;
+		    v*)
+			option=${option#v}
+			case $option in 
+			    -1*)
+				g_use_verbosity=-1
+				option=${option#-1}
+				;;
+			    0*)
+				g_use_verbosity=0
+				option=${option#0}
+				;;
+			    1*)
+				g_use_verbosity=1
+				option=${option#1}
+				;;
+			    2*)
+				g_use_verbosity=2
+				option=${option#2}
+				;;
+			    *)
+				g_verbose_offset=$(($g_verbose_offset + 1 ))
+				g_use_verbosity=
+				;;
+			esac
+			;;
+		    n*)
+			g_noroutes=Yes
+			option=${option#n}
+			;;
+		    t*)
+			g_timestamp=Yes
+			option=${option#t}
+			;;
+		    -)
+			finished=1
+			option=
+			;;
+		    *)
+			usage 1
+			;;
+		esac
+	    done
+	    shift
+	    ;;
+	*)
+	    finished=1
+            ;;
+    esac
+done
+
+if [ $# -eq 0 ]; then
+    usage 1
+fi
+
+PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
+MUTEX_TIMEOUT=
+
+SHAREDIR=/usr/share/shorewall-lite
+CONFDIR=/etc/shorewall-lite
+g_product="Shorewall Lite"
+
+[ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir ]
+
+[ -n "${VARDIR:=/var/lib/shorewall-lite}" ]
+
+[ -d $VARDIR ] || mkdir -p $VARDIR || fatal_error "Unable to create $VARDIR"
+
+version_file=$SHAREDIR/version
+
+for library in base cli; do
+    . ${SHAREDIR}/lib.$library
+done
+
+ensure_config_path
+
+config=$(find_file shorewall-lite.conf)
+
+if [ -f $config ]; then
+    if [ -r $config ]; then
+	. $config
+    else
+	echo "Cannot read $config! (Hint: Are you root?)" >&2
+	exit 1
+    fi
+else
+    echo "$config does not exist!" >&2
+    exit 2
+fi
+
+ensure_config_path
+
+LITEDIR=${VARDIR}
+
+[ -f ${LITEDIR}/firewall.conf ] && . ${LITEDIR}/firewall.conf
+
+get_config
+
+g_firewall=$LITEDIR/firewall
+
+if [ -f $version_file ]; then
+    SHOREWALL_VERSION=$(cat $version_file)
+else
+    echo "   ERROR: Shorewall Lite is not properly installed" >&2
+    echo "          The file $version_file does not exist" >&2
+    exit 1
+fi
+
+banner="Shorewall Lite $SHOREWALL_VERSION Status at $g_hostname -"
+
+case $(echo -e) in
+    -e*)
+	RING_BELL="echo \a"
+	ECHO_E="echo"
+	;;
+    *)
+	RING_BELL="echo -e \a"
+	ECHO_E="echo -e"
+	;;
+esac
+
+case $(echo -n "Testing") in
+    -n*)
+	ECHO_N=
+	;;
+    *)
+	ECHO_N=-n
+	;;
+esac
+
+COMMAND=$1
+
+case "$COMMAND" in
+    start)
+	shift
+	start_command $@
+	;;
+    stop|clear)
+	[ $# -ne 1 ] && usage 1
+	verify_firewall_script
+	run_it $g_firewall $debugging $nolock $COMMAND
+	;;
+    reset)
+	verify_firewall_script
+	run_it $SHOREWALL_SHELL $g_firewall $debugging $nolock $@
+	;;
+    restart)
+	shift
+	restart_command
+	;;
+    show|list)
+    	shift
+    	show_command $@
+	;;
+    status)
+	[ $# -eq 1 ] || usage 1
+	[ "$(id -u)" != 0 ] && fatal_error "ERROR: The status command may only be run by root"
+	echo "Shorewall Lite $SHOREWALL_VERSION Status at $g_hostname - $(date)"
+	echo
+	if shorewall_is_started ; then
+	    echo "Shorewall Lite is running"
+	    status=0
+	else
+	    echo "Shorewall Lite is stopped"
+	    status=4
+	fi
+
+	if [ -f ${VARDIR}/state ]; then
+	    state="$(cat ${VARDIR}/state)"
+	    case $state in
+		Stopped*|Closed*|Clear*)
+		    status=3
+		    ;;
+	    esac
+	else
+	    state=Unknown
+	fi
+	echo "State:$state"
+	echo
+	exit $status
+	;;
+    dump)
+    	shift
+    	dump_command $@
+	;;
+    hits)
+	[ -n "$debugging" ] && set -x
+	shift
+	hits_command $@
+	;;
+    version)
+	shift
+	version_command $@
+	;;
+    logwatch)
+	logwatch_command $@
+	;;
+    drop)
+	[ -n "$debugging" ] && set -x
+	[ $# -eq 1 ] && usage 1
+	if shorewall_is_started ; then
+	    [ -n "$nolock" ] || mutex_on
+	    block DROP Dropped $*
+	    [ -n "$nolock" ] || mutex_off
+	else
+	    error_message "ERROR: Shorewall Lite is not started"
+	    exit 2
+	fi
+	;;
+    logdrop)
+	[ -n "$debugging" ] && set -x
+	[ $# -eq 1 ] && usage 1
+	if shorewall_is_started ; then
+	    [ -n "$nolock" ] || mutex_on
+	    block logdrop Dropped $*
+	    [ -n "$nolock" ] || mutex_off
+	else
+	    error_message "ERROR: Shorewall Lite is not started"
+	    exit 2
+	fi
+	;;
+    reject|logreject)
+	[ -n "$debugging" ] && set -x
+	[ $# -eq 1 ] && usage 1
+	if shorewall_is_started ; then
+	    [ -n "$nolock" ] || mutex_on
+	    block $COMMAND Rejected $*
+	    [ -n "$nolock" ] || mutex_off
+	else
+	    error_message "ERROR: Shorewall Lite is not started"
+	    exit 2
+	fi
+	;;
+    allow)
+	allow_command $@
+	;;
+    add)
+	get_config
+	shift
+	add_command $@
+	;;
+    delete)
+	get_config
+	shift
+	add_command $@
+	;;
+    save)
+	[ -n "$debugging" ] && set -x
+
+	case $# in
+	1)
+	    ;;
+	2)
+	    RESTOREFILE="$2"
+	    validate_restorefile '<restore file>'
+	    ;;
+	*)
+	    usage 1
+	    ;;
+	esac
+
+	g_restorepath=${VARDIR}/$RESTOREFILE
+
+	[ "$nolock" ] || mutex_on
+
+	save_config
+
+	[ "$nolock" ] || mutex_off
+	;;
+    forget)
+	case $# in
+	1)
+	    ;;
+	2)
+	    RESTOREFILE="$2"
+	    validate_restorefile '<restore file>'
+	    ;;
+	*)
+	    usage 1
+	    ;;
+	esac
+
+
+	g_restorepath=${VARDIR}/$RESTOREFILE
+
+	if [ -x $g_restorepath ]; then
+	    rm -f $g_restorepath
+	    rm -f ${g_restorepath}-iptables
+	    rm -f ${g_restorepath}-ipsets
+	    echo "    $g_restorepath removed"
+	elif [ -f $g_restorepath ]; then
+	    echo "   $g_restorepath exists and is not a saved Shorewall configuration"
+	fi
+	rm -f ${VARDIR}/save
+	;;
+    ipcalc)
+    	[ -n "$debugging" ] && set -x
+	if [ $# -eq 2 ]; then
+	    address=${2%/*}
+	    vlsm=${2#*/}
+	elif [ $# -eq 3 ]; then
+	    address=$2
+	    vlsm=$(ip_vlsm $3)
+	else
+	    usage 1
+	fi
+
+	valid_address $address || fatal_error "Invalid IP address: $address"
+	[ -z "$vlsm" ] && exit 2
+	[ "x$address" = "x$vlsm" ] && usage 2
+	[ $vlsm -gt 32 ] && echo "Invalid VLSM: /$vlsm" >&2 && exit 2
+
+	address=$address/$vlsm
+
+	                                   echo "   CIDR=$address"
+	temp=$(ip_netmask $address);       echo "   NETMASK=$(encodeaddr $temp)"
+	temp=$(ip_network $address);       echo "   NETWORK=$temp"
+	temp=$(broadcastaddress $address); echo "   BROADCAST=$temp"
+	;;
+
+    iprange)
+	[ -n "$debugging" ] && set -x
+	case $2 in
+	    *.*.*.*-*.*.*.*)
+		for address in ${2%-*} ${2#*-}; do
+		    valid_address $address || fatal_error "Invalid IP address: $address"
+		done
+
+		ip_range $2
+		;;
+	    *)
+		usage 1
+		;;
+	esac
+	;;
+    ipdecimal)
+	[ -n "$debugging" ] && set -x
+	[ $# -eq 2 ] || usage 1
+	case $2 in
+	    *.*.*.*)
+		valid_address $2 || fatal_error "Invalid IP address: $2"
+		echo "   $(decodeaddr $2)"
+		;;
+	    *)
+		echo "   $(encodeaddr $2)"
+		;;
+	esac
+	;;
+    restore)
+	shift
+	STARTUP_ENABLED=Yes
+	restore_command $@
+        ;;
+    call)
+	[ -n "$debugging" ] && set -x
+	#
+	# Undocumented way to call functions in ${SHAREDIR}/functions directly
+	#
+	shift
+	$@
+	;;
+    help)
+	shift
+	usage
+	;;
+    *)
+	usage 1
+	;;
+
+esac

Shorewall-lite/shorewall-lite.conf

@@ -21,7 +21,6 @@
 ###############################################################################
 #		              V E R B O S I T Y
 ###############################################################################
-
 VERBOSITY=
 
 ###############################################################################
@@ -30,6 +29,8 @@ VERBOSITY=
 
 LOGFILE=
 
+LOGFORMAT=
+
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################

Shorewall-lite/shorewall-lite.service

@@ -1,20 +0,0 @@
-#
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
-#
-#     Copyright 2011 Jonathan Underwood (jonathan.underwood@gmail.com)
-#
-[Unit]
-Description=Shorewall IPv4 firewall (lite)
-After=syslog.target
-After=network.target
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-EnvironmentFile=-/etc/sysconfig/shorewall-lite
-StandardOutput=syslog
-ExecStart=/sbin/shorewall-lite $OPTIONS start
-ExecStop=/sbin/shorewall-lite $OPTIONS stop
-
-[Install]
-WantedBy=multi-user.target

Shorewall-lite/shorewall-lite.spec

@@ -0,0 +1,350 @@
+%define name shorewall-lite
+%define version 4.4.10
+%define release 0base
+
+Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
+Name: %{name}
+Version: %{version}
+Release: %{release}
+License: GPLv2
+Packager: Tom Eastep <teastep@shorewall.net>
+Group: Networking/Utilities
+Source: %{name}-%{version}.tgz
+URL: http://www.shorewall.net/
+BuildArch: noarch
+BuildRoot: %{_tmppath}/%{name}-%{version}-root
+Requires: iptables iproute
+Provides: shoreline_firewall = %{version}-%{release}
+
+%description
+
+The Shoreline Firewall, more commonly known as "Shorewall", is a Netfilter
+(iptables) based firewall that can be used on a dedicated firewall system,
+a multi-function gateway/ router/server or on a standalone GNU/Linux system.
+
+Shorewall Lite is a companion product to Shorewall that allows network
+administrators to centralize the configuration of Shorewall-based firewalls.
+
+%prep
+
+%setup
+
+%build
+
+%install
+export DESTDIR=$RPM_BUILD_ROOT ; \
+export OWNER=`id -n -u` ; \
+export GROUP=`id -n -g` ;\
+./install.sh
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%pre
+
+if [ -f /etc/shorewall-lite/shorewall.conf ]; then
+    cp -fa /etc/shorewall-lite/shorewall.conf /etc/shorewall-lite/shorewall.conf.rpmsave
+fi
+
+%post
+
+if [ $1 -eq 1 ]; then
+    if [ -x /sbin/insserv ]; then
+	/sbin/insserv /etc/rc.d/shorewall-lite
+    elif [ -x /sbin/chkconfig ]; then
+	/sbin/chkconfig --add shorewall-lite;
+    fi
+elif [ -f /etc/shorewall-lite/shorewall.conf.rpmsave ]; then
+    mv -f /etc/shorewall-lite/shorewall-lite.conf /etc/shorewall-lite/shorewall-lite.conf.rpmnew
+    mv -f /etc/shorewall-lite/shorewall.conf.rpmsave /etc/shorewall-lite/shorewall-lite.conf
+    echo "/etc/shorewall-lite/shorewall.conf retained as /etc/shorewall-lite/shorewall-lite.conf"
+    echo "/etc/shorewall-lite/shorewall-lite.conf installed as /etc/shorewall-lite/shorewall-lite.conf.rpmnew"
+fi
+
+%preun
+
+if [ $1 -eq 0 ]; then
+    if [ -x /sbin/insserv ]; then
+	/sbin/insserv -r /etc/init.d/shorewall-lite
+    elif [ -x /sbin/chkconfig ]; then
+	/sbin/chkconfig --del shorewall-lite
+    fi
+fi
+
+%files
+%defattr(0644,root,root,0755)
+%attr(0755,root,root) %dir /etc/shorewall-lite
+%attr(0644,root,root) %config(noreplace) /etc/shorewall-lite/shorewall-lite.conf
+%attr(0644,root,root) /etc/shorewall-lite/Makefile
+%attr(0544,root,root) /etc/init.d/shorewall-lite
+%attr(0755,root,root) %dir /usr/share/shorewall-lite
+%attr(0700,root,root) %dir /var/lib/shorewall-lite
+
+%attr(0644,root,root) /etc/logrotate.d/shorewall-lite
+
+%attr(0755,root,root) /sbin/shorewall-lite
+
+%attr(0644,root,root) /usr/share/shorewall-lite/version
+%attr(0644,root,root) /usr/share/shorewall-lite/configpath
+%attr(-   ,root,root) /usr/share/shorewall-lite/functions
+%attr(0644,root,root) /usr/share/shorewall-lite/lib.base
+%attr(0644,root,root) /usr/share/shorewall-lite/lib.cli
+%attr(0644,root,root) /usr/share/shorewall-lite/lib.common
+%attr(0644,root,root) /usr/share/shorewall-lite/modules
+%attr(0544,root,root) /usr/share/shorewall-lite/shorecap
+%attr(0755,root,root) /usr/share/shorewall-lite/wait4ifup
+
+%attr(0644,root,root) %{_mandir}/man5/shorewall-lite.conf.5.gz
+%attr(0644,root,root) %{_mandir}/man5/shorewall-lite-vardir.5.gz
+
+%attr(0644,root,root) %{_mandir}/man8/shorewall-lite.8.gz
+
+%doc COPYING changelog.txt releasenotes.txt
+
+%changelog
+* Tue Jun 08 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0base
+* Mon Jun 07 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0RC3
+* Fri Jun 04 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0RC2
+* Thu May 27 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0RC1
+* Wed May 26 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0Beta4
+* Tue May 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0Beta3
+* Thu May 20 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0Beta2
+* Thu May 20 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0Beta2
+* Thu May 13 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0Beta1
+* Mon May 03 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.9-0base
+* Sun May 02 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.9-0RC2
+* Sun Apr 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.9-0RC1
+* Sat Apr 24 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.9-0Beta5
+* Fri Apr 16 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.9-0Beta4
+* Fri Apr 09 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.9-0Beta3
+* Thu Apr 08 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.9-0Beta2
+* Sat Mar 20 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.9-0Beta1
+* Fri Mar 19 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.8-0base
+* Tue Mar 16 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.8-0RC2
+* Mon Mar 08 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.8-0RC1
+* Sun Feb 28 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.8-0Beta2
+* Thu Feb 11 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.8-0Beta1
+* Fri Feb 05 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0base
+* Tue Feb 02 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0RC2
+* Wed Jan 27 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0RC1
+* Mon Jan 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0Beta4
+* Fri Jan 22 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0Beta3
+* Fri Jan 22 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0Beta2
+* Sun Jan 17 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0Beta1
+* Wed Jan 13 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.6-0base
+* Tue Jan 12 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.6-0Beta1
+* Thu Dec 24 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.5-0base
+* Sat Nov 21 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-0base
+* Fri Nov 13 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-0Beta2
+* Wed Nov 11 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-0Beta1
+* Tue Nov 03 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.3-0base
+* Sun Sep 06 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.2-0base
+* Fri Sep 04 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.2-0base
+* Fri Aug 14 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.1-0base
+* Mon Aug 03 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.0-0base
+* Tue Jul 28 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.0-0RC2
+* Sun Jul 12 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.0-0RC1
+* Thu Jul 09 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.0-0Beta4
+* Sat Jun 27 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.0-0Beta3
+* Mon Jun 15 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.0-0Beta2
+* Fri Jun 12 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.0-0Beta1
+* Sun Jun 07 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.3.13-0base
+* Fri Jun 05 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.3.12-0base
+* Sun May 10 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.3.11-0base
+* Sun Apr 19 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.3.10-0base
+* Sat Apr 11 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.3.9-0base
+* Tue Mar 17 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.3.8-0base
+* Sun Mar 01 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.3.7-0base
+* Fri Feb 27 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.3.6-0base
+* Sun Feb 22 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.3.5-0base
+* Wed Feb 04 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.2.6-0base
+* Thu Jan 29 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.2.6-0base
+* Tue Jan 06 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.2.5-0base
+* Thu Dec 25 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.2.4-0base
+* Fri Dec 05 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.2.3-0base
+* Wed Nov 05 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.2.2-0base
+* Wed Oct 08 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.2.1-0base
+* Fri Oct 03 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.2.0-0base
+* Tue Sep 23 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.2.0-0RC4
+* Mon Sep 15 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.2.0-0RC3
+* Mon Sep 08 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.2.0-0RC2
+* Tue Aug 19 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.2.0-0RC1
+* Thu Jul 03 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.2.0-0Beta3
+* Mon Jun 02 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.2.0-0Beta2
+* Wed May 07 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.2.0-0Beta1
+* Mon Apr 28 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.1.8-0base
+* Mon Mar 24 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.1.7-0base
+* Thu Mar 13 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.1.6-0base
+* Tue Feb 05 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.1.5-0base
+* Fri Jan 04 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.1.4-0base
+* Wed Dec 12 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.1.3-0base
+* Fri Dec 07 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.1.3-1
+* Tue Nov 27 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.1.2-1
+* Wed Nov 21 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.1.1-1
+* Mon Nov 19 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.1.0-1
+* Thu Nov 15 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.6-1
+* Sat Nov 10 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.6-0RC3
+* Wed Nov 07 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.6-0RC2
+* Thu Oct 25 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.6-0RC1
+* Tue Oct 03 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.5-1
+* Wed Sep 05 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.4-1
+* Mon Aug 13 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.3-1
+* Thu Aug 09 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.2-1
+* Sat Jul 21 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.1-1
+* Wed Jul 11 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.0-1
+* Sun Jul 08 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.0-0RC2
+* Mon Jul 02 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.0-0RC1
+* Sun Jun 24 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.0-0Beta7
+* Wed Jun 20 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.0-0Beta6
+* Thu Jun 14 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.0-0Beta5
+* Fri Jun 08 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.0-0Beta4
+* Tue Jun 05 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.0-0Beta3
+* Tue May 15 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.0-0Beta1
+* Fri May 11 2007 Tom Eastep tom@shorewall.net
+- Updated to 3.9.7-1
+* Sat May 05 2007 Tom Eastep tom@shorewall.net
+- Updated to 3.9.6-1
+* Mon Apr 30 2007 Tom Eastep tom@shorewall.net
+- Updated to 3.9.5-1
+* Mon Apr 23 2007 Tom Eastep tom@shorewall.net
+- Updated to 3.9.4-1
+* Wed Apr 18 2007 Tom Eastep tom@shorewall.net
+- Updated to 3.9.3-1
+* Sat Apr 14 2007 Tom Eastep tom@shorewall.net
+- Updated to 3.9.2-1
+* Sat Apr 07 2007 Tom Eastep tom@shorewall.net
+- Updated to 3.9.1-1
+* Thu Mar 15 2007 Tom Eastep tom@shorewall.net
+- Updated to 3.4.1-1
+* Sat Mar 10 2007 Tom Eastep tom@shorewall.net
+- Updated to 3.4.0-1
+* Sun Feb 25 2007 Tom Eastep tom@shorewall.net
+- Updated to 3.4.0-0RC3
+* Sun Feb 04 2007 Tom Eastep tom@shorewall.net
+- Updated to 3.4.0-0RC2
+* Wed Jan 24 2007 Tom Eastep tom@shorewall.net
+- Updated to 3.4.0-0RC1
+* Mon Jan 22 2007 Tom Eastep tom@shorewall.net
+- Updated to 3.4.0-0Beta3
+* Wed Jan 03 2007 Tom Eastep tom@shorewall.net
+- Updated to 3.4.0-0Beta2
+- Handle rename of shorewall.conf
+* Thu Dec 14 2006 Tom Eastep tom@shorewall.net
+- Updated to 3.4.0-0Beta1
+* Sat Nov 25 2006 Tom Eastep tom@shorewall.net
+- Added shorewall-exclusion(5)
+- Updated to 3.3.6-1
+* Sun Nov 19 2006 Tom Eastep tom@shorewall.net
+- Updated to 3.3.5-1
+* Sun Oct 29 2006 Tom Eastep tom@shorewall.net
+- Updated to 3.3.4-1
+* Mon Oct 16 2006 Tom Eastep tom@shorewall.net
+- Updated to 3.3.3-1
+* Sat Sep 30 2006 Tom Eastep tom@shorewall.net
+- Updated to 3.3.2-1
+* Wed Aug 30 2006 Tom Eastep tom@shorewall.net
+- Updated to 3.3.1-1
+* Wed Aug 09 2006 Tom Eastep tom@shorewall.net
+- Updated to 3.3.0-1
+* Wed Aug 09 2006 Tom Eastep tom@shorewall.net
+- Updated to 3.3.0-1
+
+

Shorewall-lite/uninstall.sh

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2000-2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.sourceforge.net
 #
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=xxx  #The Build script inserts the actual version
+VERSION=4.4.10
 
 usage() # $1 = exit status
 {
@@ -72,8 +72,6 @@ else
     VERSION=""
 fi
 
-[ -n "${LIBEXEC:=/usr/share}" ]
-
 echo "Uninstalling Shorewall Lite $VERSION"
 
 if qt iptables -L shorewall -n && [ ! -f /sbin/shorewall ]; then
@@ -87,14 +85,10 @@ else
 fi
 
 if [ -n "$FIREWALL" ]; then
-    if [ -x /usr/sbin/updaterc.d ]; then
-	updaterc.d shorewall-lite remove
-    elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
+    if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
         insserv -r $FIREWALL
     elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
 	chkconfig --del $(basename $FIREWALL)
-    elif [ -x /sbin/systemctl ]; then
-	systemctl disable shorewall-lite
     else
 	rm -f /etc/rc*.d/*$(basename $FIREWALL)
     fi
@@ -111,11 +105,9 @@ rm -rf /etc/shorewall-lite-*.bkout
 rm -rf /var/lib/shorewall-lite
 rm -rf /var/lib/shorewall-lite-*.bkout
 rm -rf /usr/share/shorewall-lite
-rm -rf ${LIBEXEC}/shorewall-lite
 rm -rf /usr/share/shorewall-lite-*.bkout
 rm -f  /etc/logrotate.d/shorewall-lite
-rm -f  /lib/systemd/system/shorewall-lite.service
 
-echo "Shorewall Lite Uninstalled"
+echo "Shorewall Uninstalled"
 
 

Shorewall/COPYING

@@ -2,8 +2,7 @@
 		       Version 2, June 1991
 
  Copyright (C) 1989, 1991 Free Software Foundation, Inc.
-                          51 Franklin Street, Fifth Floor,
-			  Boston, MA 02110-1301 USA
+                       59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
  Everyone is permitted to copy and distribute verbatim copies
  of this license document, but changing it is not allowed.
 

Shorewall/Contrib/swping

@@ -224,7 +224,7 @@ while : ; do
 	# One of the interfaces changed state -- restart Shorewall
 	#
 	echo $if1_state > $VARDIR/${IF1}.status
-	echo $if2_state > $VARDIR/${IF2}.status
+	echo $if2_state > $VARDIR/${IF2}.status 
 	eval $COMMAND
 	state_changed=
     fi

Shorewall/Contrib/swping.init

@@ -32,7 +32,7 @@
 ### BEGIN INIT INFO
 # Provides:	  swping
 # Required-Start: shorewall
-# Should-Start:
+# Should-Start: 
 # Required-Stop:
 # Default-Start:  2 3 5
 # Default-Stop:	  0 1 6
@@ -87,7 +87,7 @@ case "$command" in
 	    echo "swping is running"
 	    exit 0
 	else
-	    echo "swping is stopped"
+	    echo "swping is stopped" 
 	    exit 3
 	fi
 	;;

Shorewall/Macros/macro.A_AllowICMPs

@@ -1,15 +0,0 @@
-#
-# Shorewall version 4 - Audited AllowICMPs Macro
-#
-# /usr/share/shorewall/macro.AAllowICMPs
-#
-#	This macro A_ACCEPTs needed ICMP types
-#
-###############################################################################
-#ACTION		SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#					PORT(S)	PORT(S)	LIMIT	GROUP
-
-COMMENT Needed ICMP types
-
-A_ACCEPT       -	-	icmp	fragmentation-needed
-A_ACCEPT       -	-	icmp	time-exceeded

Shorewall/Macros/macro.A_DropDNSrep

@@ -1,14 +0,0 @@
-#
-# Shorewall version 4 - Audited DropDNSrep Macro
-#
-# /usr/share/shorewall/macro.ADropDNSrep
-#
-#	This macro silently audites and drops DNS UDP replies
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
-
-COMMENT Late DNS Replies
-
-A_DROP	-	-	udp	-	53

Shorewall/Macros/macro.A_DropUPnP

@@ -1,14 +0,0 @@
-#
-# Shorewall version 4 - ADropUPnP Macro
-#
-# /usr/share/shorewall/macro.ADropUPnP
-#
-#	This macro silently drops UPnP probes on UDP port 1900
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
-
-COMMENT UPnP
-
-A_DROP	-	-	udp	1900

Shorewall/Macros/macro.AllowICMPs

@@ -11,6 +11,5 @@
 
 COMMENT Needed ICMP types
 
-DEFAULT ACCEPT
-PARAM	-	-	icmp	fragmentation-needed
-PARAM	-	-	icmp	time-exceeded
+ACCEPT	-	-	icmp	fragmentation-needed
+ACCEPT	-	-	icmp	time-exceeded

Shorewall/Macros/macro.BitTorrent

@@ -5,7 +5,7 @@
 #
 #	This macro handles BitTorrent traffic for BitTorrent 3.1 and earlier.
 #
-#	If you are running BitTorrent 3.2 or later, you should use the
+#	If you are running BitTorrent 3.2 or later, you should use the 
 #	BitTorrent32 macro.
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/

Shorewall/Macros/macro.DropDNSrep

@@ -11,5 +11,4 @@
 
 COMMENT Late DNS Replies
 
-DEFAULT DROP
-PARAM	-	-	udp	-	53
+DROP	-	-	udp	-	53

Shorewall/Macros/macro.DropUPnP

@@ -11,5 +11,4 @@
 
 COMMENT UPnP
 
-DEFAULT DROP
-PARAM	-	-	udp	1900
+DROP	-	-	udp	1900

Shorewall/Macros/macro.ICPV2

@@ -1,11 +0,0 @@
-#
-# Shorewall version 4 - ICPV2 Macro
-#
-# /usr/share/shorewall/macro.ICPV2
-#
-#	This macro handles Internet Cache Protocol V2 (Squid) traffic
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	udp	3130

Shorewall/Macros/macro.IPPserver

@@ -15,7 +15,7 @@
 #	Example for a two-interface firewall which acts as a print
 #	server for loc:
 #		IPPserver/ACCEPT loc $FW
-#
+#	
 #	NOTE: If you want both to serve requests for local printers and
 #	listen to requests for remote printers (i.e. your CUPS server is
 #	also a client), you need to apply the rule twice, e.g.

Shorewall/Macros/macro.JAP

@@ -13,5 +13,5 @@
 PARAM	-	-	tcp	8080 # HTTP port
 PARAM	-	-	tcp	6544 # HTTP port
 PARAM	-	-	tcp	6543 # InfoService port
-HTTPS(PARAM)
-SSH(PARAM)
+HTTPS/PARAM
+SSH/PARAM

Shorewall/Macros/macro.MSNP

@@ -1,11 +0,0 @@
-#
-# Shorewall version 4 - MSNP Macro
-#
-# /usr/share/shorewall/macro.MSNP
-#
-#	This macro handles MSNP (MicroSoft Notification Protocol)
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	tcp	1863

Shorewall/Macros/macro.Munin

@@ -1,11 +0,0 @@
-#
-# Shorewall version 4 - Munin Macro
-#
-# /usr/share/shorewall/macro.Munin
-#
-#	This macro handles Munin networked resource monitoring traffic
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	tcp	4949

Shorewall/Macros/macro.Squid

@@ -1,11 +0,0 @@
-#
-# Shorewall version 4 - Squid Macro
-#
-# /usr/share/shorewall/macro.Squid
-#
-#	This macro handles Squid web proxy traffic
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	tcp	3128

Shorewall/Macros/macro.Syslog

@@ -3,10 +3,9 @@
 #
 # /usr/share/shorewall/macro.Syslog
 #
-#	This macro handles syslog traffic.
+#	This macro handles syslog UDP traffic.
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 PARAM	-	-	udp	514
-PARAM	-	-	tcp	514

Shorewall/Macros/macro.template

@@ -15,7 +15,389 @@
 #	- All entries in a macro undergo substitution when the macro is
 #	  invoked in the rules file.
 #
-# Columns are the same as in /etc/shorewall/rules.
+#	- Macros used in action bodies may not invoke other macros.
+#
+# The columns in the file are the same as those in the action.template file but
+# have different restrictions:
+#
+# Columns are:
+#
+#	ACTION		ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,
+#			LOG, QUEUE, PARAM or an <action> name.
+#
+#				ACCEPT	 -- allow the connection request
+#				ACCEPT+	 -- like ACCEPT but also excludes the
+#					    connection from any subsequent
+#					    DNAT[-] or REDIRECT[-] rules
+#				NONAT	 -- Excludes the connection from any
+#					    subsequent DNAT[-] or REDIRECT[-]
+#					    rules but doesn't generate a rule
+#					    to accept the traffic.
+#				DROP	 -- ignore the request
+#				REJECT	 -- disallow the request and return an
+#					    icmp-unreachable or an RST packet.
+#				DNAT	 -- Forward the request to another
+#					    system (and optionally another
+#					    port).
+#				DNAT-	 -- Advanced users only.
+#					    Like DNAT but only generates the
+#					    DNAT iptables rule and not
+#					    the companion ACCEPT rule.
+#				SAME	 -- Similar to DNAT except that the
+#					    port may not be remapped and when
+#					    multiple server addresses are
+#					    listed, all requests from a given
+#					    remote system go to the same
+#					    server.
+#				SAME-	 -- Advanced users only.
+#					    Like SAME but only generates the
+#					    NAT iptables rule and not
+#					    the companion ACCEPT rule.
+#				REDIRECT -- Redirect the request to a local
+#					    port on the firewall.
+#				REDIRECT-
+#					 -- Advanced users only.
+#					    Like REDIRET but only generates the
+#					    REDIRECT iptables rule and not
+#					    the companion ACCEPT rule.
+#
+#				CONTINUE -- (For experts only). Do not process
+#					    any of the following rules for this
+#					    (source zone,destination zone). If
+#					    The source and/or destination IP
+#					    address falls into a zone defined
+#					    later in /etc/shorewall/zones, this
+#					    connection request will be passed
+#					    to the rules defined for that
+#					    (those) zone(s).
+#				LOG	 -- Simply log the packet and continue.
+#				QUEUE	 -- Queue the packet to a user-space
+#					    application such as ftwall
+#					    (http://p2pwall.sf.net).
+#				PARAM	 -- If you code PARAM as the action in
+#					    a macro then when you invoke the
+#					    macro, you can include the name of
+#					    the macro followed by a slash ("/")
+#					    and an ACTION (either builtin or
+#					    user-defined. All instances of
+#					    PARAM in the body of the macro will
+#					    be replaced with the ACTION.
+#				<action> -- The name of an action defined in
+#					    /usr/share/shorewall/actions.std or
+#					    in /etc/shorewall/actions.
+#
+#			The ACTION may optionally be followed
+#			by ":" and a syslog log level (e.g, REJECT:info or
+#			DNAT:debug). This causes the packet to be
+#			logged at the specified level.
+#
+#			You may also specify ULOG (must be in upper case) as a
+#			log level.This will log to the ULOG target for routing
+#			to a separate log through use of ulogd
+#			(http://www.gnumonks.org/projects/ulogd).
+#
+#			Actions specifying logging may be followed by a
+#			log tag (a string of alphanumeric characters)
+#			are appended to the string generated by the
+#			LOGPREFIX (in /etc/shorewall/shorewall.conf).
+#
+#			Example: ACCEPT:info:ftp would include 'ftp '
+#			at the end of the log prefix generated by the
+#			LOGPREFIX setting.
+#
+#	SOURCE		Source hosts to which the rule applies. May be a zone
+#			defined in /etc/shorewall/zones, $FW to indicate the
+#			firewall itself, "all", "all+" or "none" If the ACTION
+#			is DNAT	or REDIRECT, sub-zones of the specified zone
+#			may be excluded from the rule by following the zone
+#			name with "!' and a comma-separated list of sub-zone
+#			names.
+#
+#			When "none" is used either in the SOURCE or DEST
+#			column, the rule is ignored.
+#
+#			When "all" is used either in the SOURCE or DEST column
+#			intra-zone traffic is not affected. When "all+" is
+#			used, intra-zone traffic is affected.
+#
+#			Except when "all[+]" is specified, clients may be
+#			further restricted to a list of subnets and/or hosts by
+#			appending ":" and a comma-separated list of subnets
+#			and/or hosts. Hosts may be specified by IP or MAC
+#			address; mac addresses must begin with "~" and must use
+#			"-" as a separator.
+#
+#			Hosts may be specified as an IP address range using the
+#			syntax <low address>-<high address>. This requires that
+#			your kernel and iptables contain iprange match support.
+#			If you kernel and iptables have ipset match support
+#			then you may give the name of an ipset prefaced by "+".
+#			The ipset name may be optionally followed by a number
+#			from 1 to 6 enclosed in square brackets ([]) to
+#			indicate the number of levels of source bindings to be
+#			matched.
+#
+#			dmz:192.168.2.2		Host 192.168.2.2 in the DMZ
+#
+#			net:155.186.235.0/24	Subnet 155.186.235.0/24 on the
+#						Internet
+#
+#			loc:192.168.1.1,192.168.1.2
+#						Hosts 192.168.1.1 and
+#						192.168.1.2 in the local zone.
+#			loc:~00-A0-C9-15-39-78	Host in the local zone with
+#						MAC address 00:A0:C9:15:39:78.
+#
+#			net:192.0.2.11-192.0.2.17
+#						Hosts 192.0.2.11-192.0.2.17 in
+#						the net zone.
+#
+#			Alternatively, clients may be specified by interface
+#			by appending ":" to the zone name followed by the
+#			interface name. For example, loc:eth1 specifies a
+#			client that communicates with the firewall system
+#			through eth1. This may be optionally followed by
+#			another colon (":") and an IP/MAC/subnet address
+#			as described above (e.g., loc:eth1:192.168.1.5).
+#
+#	DEST		Location of Server. May be a zone defined in
+#			/etc/shorewall/zones, $FW to indicate the firewall
+#			itself, "all". "all+" or "none".
+#
+#			When "none" is used either in the SOURCE or DEST
+#			column, the rule is ignored.
+#
+#			When "all" is used either in the SOURCE or DEST column
+#			intra-zone traffic is not affected. When "all+" is
+#			used, intra-zone traffic is affected.
+#
+#			Except when "all[+]" is specified, the server may be
+#			further restricted to a particular subnet, host or
+#			interface by appending ":" and the subnet, host or
+#			interface. See above.
+#
+#				Restrictions:
+#
+#				1. MAC addresses are not allowed.
+#				2. In DNAT rules, only IP addresses are
+#				   allowed; no FQDNs or subnet addresses
+#				   are permitted.
+#				3. You may not specify both an interface and
+#				   an address.
+#
+#			Like in the SOURCE column, you may specify a range of
+#			up to 256 IP addresses using the syntax
+#			<first ip>-<last ip>. When the ACTION is DNAT or DNAT-,
+#			the connections will be assigned to addresses in the
+#			range in a round-robin fashion.
+#
+#			If you kernel and iptables have ipset match support
+#			then you may give the name of an ipset prefaced by "+".
+#			The ipset name may be optionally followed by a number
+#			from 1 to 6 enclosed in square brackets ([]) to
+#			indicate the number of levels of destination bindings
+#			to be matched. Only one of the SOURCE and DEST columns
+#			may specify an ipset name.
+#
+#			The port that the server is listening on may be
+#			included and separated from the server's IP address by
+#			":". If omitted, the firewall will not modifiy the
+#			destination port. A destination port may only be
+#			included if the ACTION is DNAT or REDIRECT.
+#
+#			Example: loc:192.168.1.3:3128 specifies a local
+#			server at IP address 192.168.1.3 and listening on port
+#			3128. The port number MUST be specified as an integer
+#			and not as a name from /etc/services.
+#
+#			if the ACTION is REDIRECT, this column needs only to
+#			contain the port number on the firewall that the
+#			request should be redirected to.
+#
+#	PROTO		Protocol - Must be "tcp", "tcp:syn", "udp", "icmp",
+#			"ipp2p", "ipp2p:udp", "ipp2p:all" a number, or "all".
+#                       "ipp2p*" requires ipp2p match support in your kernel
+#                       and iptables.
+#
+#			"tcp:syn" implies "tcp" plus the SYN flag must be
+#			set and the RST,ACK and FIN flags must be reset.
+#
+#	DEST PORT(S)	Destination Ports. A comma-separated list of Port
+#			names (from /etc/services), port numbers or port
+#			ranges; if the protocol is "icmp", this column is
+#			interpreted as the destination icmp-type(s).
+#
+#			If the protocol is ipp2p*, this column is interpreted
+#			as an ipp2p option without the leading "--" (example
+#			"bit" for bit-torrent). If no port is given, "ipp2p" is
+#			assumed.
+#
+#			A port range is expressed as <low port>:<high port>.
+#
+#			This column is ignored if PROTOCOL = all but must be
+#			entered if any of the following ields are supplied.
+#			In that case, it is suggested that this field contain
+#			 "-"
+#
+#			If your kernel contains multi-port match support, then
+#			only a single Netfilter rule will be generated if in
+#			this list and the CLIENT PORT(S) list below:
+#			1. There are 15 or less ports listed.
+#			2. No port ranges are included.
+#			Otherwise, a separate rule will be generated for each
+#			port.
+#
+#	SOURCE PORT(S)	(Optional) Port(s) used by the client. If omitted,
+#			any source port is acceptable. Specified as a comma-
+#			separated list of port names, port numbers or port
+#			ranges.
+#
+#			If you don't want to restrict client ports but need to
+#			specify an ORIGINAL DEST in the next column, then
+#			place "-" in this column.
+#
+#			If your kernel contains multi-port match support, then
+#			only a single Netfilter rule will be generated if in
+#			this list and the DEST PORT(S) list above:
+#			1. There are 15 or less ports listed.
+#			2. No port ranges are included.
+#			Otherwise, a separate rule will be generated for each
+#			port.
+#
+#       ORIGINAL        Original destination IP address. Must be omitted (
+#       DEST            or '-') if the macro is to be used from within
+#                       an action. See 'man shorewall-rules'.
+#
+#	RATE LIMIT	You may rate-limit the rule by placing a value in
+#			this column:
+#
+#				<rate>/<interval>[:<burst>]
+#
+#			where <rate> is the number of connections per
+#			<interval> ("sec" or "min") and <burst> is the
+#			largest burst permitted. If no <burst> is given,
+#			a value of 5 is assumed. There may be no
+#			no whitespace embedded in the specification.
+#
+#				Example: 10/sec:20
+#
+#	USER/GROUP	This column may only be non-empty if the SOURCE is
+#			the firewall itself.
+#
+#			The column may contain:
+#
+#	[!][<user name or number>][:<group name or number>][+<program name>]
+#
+#			When this column is non-empty, the rule applies only
+#			if the program generating the output is running under
+#			the effective <user> and/or <group> specified (or is
+#			NOT running under that id if "!" is given).
+#
+#			Examples:
+#
+#				joe	#program must be run by joe
+#				:kids	#program must be run by a member of
+#					#the 'kids' group
+#				!:kids	#program must not be run by a member
+#					#of the 'kids' group
+#				+upnpd	#program named upnpd (This feature was
+#					#removed from Netfilter in kernel
+#					#version 2.6.14).
+#
+#	MARK		Specifies a MARK value to match. Must be empty or 
+#			'-' if the macro is to be used within an action.
+#			
+#				[!]value[/mask][:C]
+#
+#    			Defines a test on the existing packet or connection
+#			mark. The rule will match only if the test returns
+#			true.
+#
+#    			If you don't want to define a test but need to
+#			specify anything in the following columns,
+#			place a "-" in this field.
+#
+#    			!
+#
+#				Inverts the test (not equal)
+#
+#    			value
+#
+#				Value of the packet or connection mark.
+#
+#  			mask
+#
+#				A mask to be applied to the mark before
+#				testing.
+#
+#    			:C
+#
+#				Designates a connection mark. If omitted, the
+#				packet mark's value is tested.
+#
+#	CONNLIMIT	Must be empty or '-' if the macro is to be used within
+#			an action.
+#
+#				[!]limit[:mask]
+#
+#			May be used to limit the number of simultaneous
+#			connections from each individual host to limit 
+#			connections. Requires connlimit match in your kernel
+#			and iptables. While the limit is only checked on rules
+#			specifying CONNLIMIT, the number of current connections
+#			is calculated over all current connections from the
+#			SOURCE host. By default, the limit is applied to each
+#			host but can be made to apply to networks of hosts by
+#			specifying a mask. The mask specifies the width of a
+#			VLSM mask to be applied to the source address; the
+#			number of current connections is then taken over all
+#			hosts in the subnet source-address/mask. When ! is
+#			specified, the rule matches when the number of
+#			connection exceeds the limit.
+#
+#	TIME		Must be empty or '-' if the macro is to be used within
+#			an action.
+#
+#
+#				<timeelement>[&...]
+#
+#			timeelement may be:
+#
+#    				timestart=hh:mm[:ss]
+#
+#					Defines the starting time of day.
+#
+#    				timestop=hh:mm[:ss]
+#
+#					Defines the ending time of day.
+#
+#    				utc
+#
+#					Times are expressed in Greenwich Mean
+#					Time.
+#
+#    				localtz
+#
+#					Times are expressed in Local Civil Time
+#					(default).
+#
+#    				weekdays=ddd[,ddd]...
+#
+#					where ddd is one of Mon, Tue, Wed, Thu,
+#					Fri, Sat or Sun
+#
+#    				monthdays=dd[,dd],...
+#
+#					where dd is an ordinal day of the month#
+#
+#    				datestart=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
+#
+#					Defines the starting date and time.
+#
+#    				datestop=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
+#
+#					Defines the ending date and time.
+#
 # A few examples should help show how Macros work.
 #
 # /etc/shorewall/macro.FwdFTP:
@@ -74,6 +456,6 @@
 #######################################################################################################
 #                                         DO NOT REMOVE THE FOLLOWING LINE
 FORMAT 2
-####################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS
-#							PORT	PORT(S)		DEST		LIMIT		GROUP
+#######################################################################################################
+#ACTION		SOURCE		DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/	ORIGINAL
+#						PORT(S)	PORT(S)	DEST		LIMIT	GROUP   DEST

Shorewall/Makefile

@@ -2,7 +2,6 @@
 VARDIR=$(shell /sbin/shorewall show vardir)
 CONFDIR=/etc/shorewall
 RESTOREFILE?=firewall
-
 all: $(VARDIR)/${RESTOREFILE}
 
 $(VARDIR)/${RESTOREFILE}: $(CONFDIR)/*
@@ -12,12 +11,11 @@ $(VARDIR)/${RESTOREFILE}: $(CONFDIR)/*
 	then \
 	    /sbin/shorewall -q save >/dev/null; \
 	else \
-	    /sbin/shorewall -q restart 2>&1 | tail >&2; exit 1; \
+	    /sbin/shorewall -q restart 2>&1 | tail >&2; \
 	fi
 
 clean:
 	@rm -f $(CONFDIR)/*~ $(CONFDIR)/.*~
-
 .PHONY: clean
 
 # EOF

Shorewall/Makefile-lite

@@ -23,10 +23,10 @@
 # to the name of the remote firewall corresponding to the directory.
 #
 #	To make the 'firewall' script, type "make".
-#
+# 
 #	Once the script is compiling correctly, you can install it by
 #	typing "make install".
-#
+#  
 ################################################################################
 #                             V A R I A B L E S
 #
@@ -55,7 +55,7 @@ all: firewall
 #
 # Only generate the capabilities file if it doesn't already exist
 #
-capabilities:
+capabilities: 
 	ssh root@$(HOST) "MODULESDIR=$(MODULESDIR) /usr/share/shorewall-lite/shorecap > $(LITEDIR)/capabilities"
 	scp root@$(HOST):$(LITEDIR)/capabilities .
 #
@@ -78,5 +78,5 @@ save:
 #
 # Remove generated files
 #
-clean:
+clean: 
 	rm -f capabilities firewall firewall.conf reload

Shorewall/Perl/.includepath

@@ -1,3 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<includepath />
-

Shorewall/Perl/.project

@@ -1,17 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<projectDescription>
-	<name>Shorewall</name>
-	<comment></comment>
-	<projects>
-	</projects>
-	<buildSpec>
-		<buildCommand>
-			<name>org.epic.perleditor.perlbuilder</name>
-			<arguments>
-			</arguments>
-		</buildCommand>
-	</buildSpec>
-	<natures>
-		<nature>org.epic.perleditor.perlnature</nature>
-	</natures>
-</projectDescription>

Shorewall/Perl/Shorewall/Accounting.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -35,101 +35,14 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_accounting );
 our @EXPORT_OK = qw( );
-our $VERSION = 'MODULEVERSION';
-
-#
-# Per-IP accounting tables. Each entry contains the associated network.
-#
-my %tables;
-
-my $jumpchainref;
-my %accountingjumps;
-my $asection;
-my $defaultchain;
-my $defaultrestriction;
-my $restriction;
-my $accounting_commands = { COMMENT => 0, SECTION => 2 };
-my $sectionname;
-my $acctable;
-
-#
-# Sections in the Accounting File
-#
-
-use constant {
-	      LEGACY      => 0,
-	      PREROUTING  => 1,
-	      INPUT       => 2,
-	      OUTPUT      => 3,
-	      FORWARD     => 4,
-	      POSTROUTING => 5
-	  };
-#
-# Map names to values
-#
-our %asections = ( PREROUTING  => PREROUTING,
-		   INPUT       => INPUT,
-		   FORWARD     => FORWARD,
-		   OUTPUT      => OUTPUT,
-		   POSTROUTING => POSTROUTING
-		 );
+our $VERSION = '4.4.7';
 
 #
 # Called by the compiler to [re-]initialize this module's state
 #
 sub initialize() {
-    $jumpchainref       = undef;
-    %tables             = ();
-    %accountingjumps    = ();
-    #
-    # The section number is initialized to a value less thatn LEGACY. It will be set to LEGACY if a
-    # the first non-commentary line in the accounting file isn't a section header
-    #
-    # This allows the section header processor to quickly check for correct order 
-    #
-    $asection           = -1;
-    #
-    # These are the legacy values
-    #
-    $defaultchain       = 'accounting';
-    $defaultrestriction = NO_RESTRICT;
-    $sectionname        = '';
-}
-
-#
-# Process a SECTION header
-#
-sub process_section ($) {
-    $sectionname = shift;
-    my $newsect  = $asections{$sectionname};
-    #
-    # read_a_line has already verified that there are exactly two tokens on the line
-    #
-    fatal_error "Invalid SECTION ($sectionname)"                   unless defined $newsect;
-    fatal_error "SECTION not allowed after un-sectioned rules"     unless $asection;
-    fatal_error "Duplicate or out-of-order SECTION ($sectionname)" if     $newsect <= $asection;
-
-    if ( $sectionname eq 'INPUT' ) {
-	$defaultchain = 'accountin';
-	$defaultrestriction = INPUT_RESTRICT;
-    } elsif ( $sectionname eq 'OUTPUT' ) {
-	$defaultchain = 'accountout';
-	$defaultrestriction = OUTPUT_RESTRICT;
-    } elsif ( $sectionname eq 'FORWARD' ) {
-	$defaultchain = 'accountfwd';
-	$defaultrestriction = NO_RESTRICT;
-     } else {
-	 fatal_error "The $sectionname SECTION is not allowed when ACCOUNTING_TABLE=filter" unless $acctable eq 'mangle';
-	 if ( $sectionname eq 'PREROUTING' ) {
-	     $defaultchain = 'accountpre';
-	     $defaultrestriction = PREROUTE_RESTRICT;
-	 } else {
-	     $defaultchain = 'accountpost';
-	     $defaultrestriction = POSTROUTE_RESTRICT;
-	 }
-     }
-
-    $asection = $newsect;
+    our $jumpchainref;
+    $jumpchainref = undef;
 }
 
 #
@@ -137,39 +50,17 @@ sub process_section ($) {
 #
 sub process_accounting_rule( ) {
 
-    $acctable = $config{ACCOUNTING_TABLE};
+    our $jumpchainref;
 
-    $jumpchainref = 0;
-
-    my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers ) =
-	split_line1 'Accounting File', { action => 0, chain => 1, source => 2, dest => 3, proto => 4, dport => 5, sport => 6, user => 7, mark => 8, ipsec => 9, headers => 10 }, $accounting_commands;
-
-    fatal_error 'ACTION must be specified' if $action eq '-';
+    my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark ) = split_line1 1, 9, 'Accounting File';
 
     if ( $action eq 'COMMENT' ) {
 	process_comment;
 	return 0;
     }
 
-    if ( $action eq 'SECTION' ) {
-	process_section( $chain );
-	return 0;
-    }
-
-    $asection = LEGACY if $asection < 0;
-
     our $disposition = '';
 
-    sub reserved_chain_name($) {
-	$_[0] =~ /^acc(?:ount(?:fwd|in|ing|out|pre|post)|ipsecin|ipsecout)$/;
-    }
-
-    sub ipsec_chain_name($) {
-	if ( $_[0] =~ /^accipsec(in|out)$/ ) {
-	    $1;
-	}
-    }
-
     sub check_chain( $ ) {
 	my $chainref = shift;
 	fatal_error "A non-accounting chain ($chainref->{name}) may not appear in the accounting file" if $chainref->{policy};
@@ -181,11 +72,10 @@ sub process_accounting_rule( ) {
 
     sub jump_to_chain( $ ) {
 	my $jumpchain = $_[0];
-	fatal_error "Jumps to the $jumpchain chain are not allowed" if reserved_chain_name( $jumpchain );
-	$jumpchainref = ensure_accounting_chain( $jumpchain, 0, $defaultrestriction );
+	$jumpchainref = ensure_accounting_chain( $jumpchain );
 	check_chain( $jumpchainref );
 	$disposition = $jumpchain;
-	$jumpchain;
+	"-j $jumpchain";
     }
 
     my $target = '';
@@ -194,50 +84,18 @@ sub process_accounting_rule( ) {
     $ports  = ''    if $ports  eq 'any' || $ports  eq 'all';
     $sports = ''    if $sports eq 'any' || $sports eq 'all';
 
-    fatal_error "USER/GROUP may only be specified in the OUTPUT section" unless $user eq '-' || $asection == OUTPUT; 
-
-    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, $globals{TC_MASK} ) . do_headers( $headers );
+    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, $globals{TC_MASK} );
     my $rule2 = 0;
-    my $jump  = 0;
 
     unless ( $action eq 'COUNT' ) {
 	if ( $action eq 'DONE' ) {
-	    $target = 'RETURN';
-	} elsif ( $action =~ /^ACCOUNT\(/ ) {
-	    if ( $action =~ /^ACCOUNT\((.+)\)$/ ) {
-		require_capability 'ACCOUNT_TARGET' , 'ACCOUNT Rules' , '';
-		my ( $table, $net, $rest ) = split/,/, $1;
-		fatal_error "Invalid Network Address (${net},${rest})" if defined $rest;
-		fatal_error "Missing Table Name"                       unless supplied $table;
-		fatal_error "Invalid Table Name ($table)"              unless $table =~ /^([-\w.]+)$/;
-		fatal_error "Missing Network Address"                  unless defined $net;
-		fatal_error "Invalid Network Address ($net)"           unless defined $net   && $net =~ '/(\d+)$';
-		fatal_error "Netmask ($1) out of range"                unless $1 >= 8;
-		validate_net $net, 0;
-
-		my $prevnet = $tables{$table};
-
-		if ( $prevnet ) {
-		    fatal_error "Previous net associated with $table ($prevnet) does not match this one ($net)" unless compare_nets( $net , $prevnet );
-		} else {
-		    $tables{$table} = $net;
-		}
-
-		$target = "ACCOUNT --addr $net --tname $table";
-	    } else {
-		fatal_error "Invalid ACCOUNT Action";
-	    }
-	} elsif ( $action =~ /^NFLOG/ ) {
-	    $target = validate_level $action;
+	    $target = '-j RETURN';
 	} else {
 	    ( $action, my $cmd ) = split /:/, $action;
-
 	    if ( $cmd ) {
 		if ( $cmd eq 'COUNT' ) {
-		    $rule2 = 1;
-		} elsif ( $cmd eq 'JUMP' ) {
-		    $jump = 1;
-		} else {
+		    $rule2=1;
+		} elsif ( $cmd ne 'JUMP' ) {
 		    accounting_error;
 		}
 	    }
@@ -246,15 +104,11 @@ sub process_accounting_rule( ) {
 	}
     }
 
-    $restriction = $defaultrestriction;
+    my $restriction = NO_RESTRICT;
 
-    if ( $source eq 'any' || $source eq 'all' ) {
-        $source = ALLIP;
-    } else { 
-	fatal_error "MAC addresses only allowed in the INPUT and FORWARD sections" if $source =~ /~/ && ( $asection == OUTPUT || ! $asection );
-    }
+    $source = ALLIP if $source eq 'any' || $source eq 'all';
 
-    if ( have_bridges && ! $asection ) {
+    if ( have_bridges ) {
 	my $fw = firewall_zone;
 
 	if ( $source =~ /^$fw:?(.*)$/ ) {
@@ -264,10 +118,9 @@ sub process_accounting_rule( ) {
 	    $dest = ALLIP if $dest   eq 'any' || $dest   eq 'all';
 	} else {
 	    $chain = 'accounting' unless $chain and $chain ne '-';
-
 	    if ( $dest eq 'any' || $dest eq 'all' || $dest eq ALLIP ) {
 		expand_rule(
-			    ensure_rules_chain ( 'accountout' ) ,
+			    ensure_filter_chain( 'accountout' , 0 ) ,
 			    OUTPUT_RESTRICT ,
 			    $rule ,
 			    $source ,
@@ -280,66 +133,11 @@ sub process_accounting_rule( ) {
 	    }
 	}
     } else {
-	$chain = $defaultchain unless $chain and $chain ne '-';
+	$chain = 'accounting' unless $chain and $chain ne '-';
 	$dest = ALLIP if $dest   eq 'any' || $dest   eq 'all';
     }
 
-    my $chainref = $chain_table{$config{ACCOUNTING_TABLE}}{$chain};
-    my $dir;
-
-    if ( ! $chainref ) {
-	if ( reserved_chain_name( $chain ) ) {
-	    fatal_error "May not use chain $chain in the $sectionname section" if $asection && $chain ne $defaultchain; 
-	    $chainref = ensure_accounting_chain $chain, 0 , $restriction;
-	} elsif ( $asection ) {
-	    fatal_error "Unknown accounting chain ($chain)";
-	} else {
-	    $chainref = ensure_accounting_chain $chain, 0 , $restriction;
-	}
-
-	$dir      = ipsec_chain_name( $chain );
-
-	if ( $ipsec ne '-' ) {
-	    if ( $dir ) {
-		$rule .= do_ipsec( $dir, $ipsec );
-		$chainref->{ipsec} = $dir;
-	    } else {
-		fatal_error "Adding an IPSEC rule to an unreferenced accounting chain is not allowed";
-	    }
-	} else {
-	    warning_message "Adding rule to unreferenced accounting chain $chain" unless reserved_chain_name( $chain );
-	    $chainref->{ipsec} = $dir;
-	}
-    } else {
-	fatal_error "$chain is not an accounting chain" unless $chainref->{accounting};
-    
-	if ( $ipsec ne '-' ) {
-	    $dir = $chainref->{ipsec};
-	    fatal_error "Adding an IPSEC rule into a non-IPSEC chain is not allowed" unless $dir;
-	    $rule .= do_ipsec( $dir , $ipsec );
-	} elsif ( $asection ) {
-	    $restriction |= $chainref->{restriction};
-	}
-    }
-
-    set_optflags( $chainref, DONT_OPTIMIZE ) if $target eq 'RETURN';
-
-    if ( $jumpchainref ) {
-	if ( $asection ) {
-	    #
-	    # Check the jump-to chain to be sure that it doesn't contain rules that are incompatible with this section
-	    #
-	    my $jumprestricted = $jumpchainref->{restricted};
-	    fatal_error "Chain $jumpchainref->{name} contains rules that are incompatible with the $sectionname section" if $jumprestricted && $restriction && $jumprestricted ne $restriction;
-	    $restriction |= $jumpchainref->{restriction};
-	}
-
-	$accountingjumps{$jumpchainref->{name}}{$chain} = 1;
-    }
-
-    fatal_error "$chain is not an accounting chain" unless $chainref->{accounting};
-    
-    $restriction = $dir eq 'in' ? INPUT_RESTRICT : OUTPUT_RESTRICT if $dir;
+    my $chainref = ensure_accounting_chain $chain;
 
     expand_rule
 	$chainref ,
@@ -353,22 +151,6 @@ sub process_accounting_rule( ) {
 	$disposition ,
 	'' ;
 
-    if ( $rule2 || $jump ) {
-	if ( $chainref->{ipsec} ) {
-	    if ( $jumpchainref->{ipsec} ) {
-		fatal_error "IPSEC in/out mismatch on chains $chain and $jumpchainref->{name}";
-	    } else {
-		fatal_error "$jumpchainref->{name} is not an IPSEC chain" if keys %{$jumpchainref->{references}} > 1;
-		$jumpchainref->{ipsec} = $chainref->{ipsec};
-	    }
-	} elsif ( $jumpchainref->{ipsec} ) {
-	    fatal_error "Jump from a non-IPSEC chain to an IPSEC chain not allowed";
-	} else {
-	    $jumpchainref->{ipsec} = $chainref->{ipsec};
-	}
-
-    }
-
     if ( $rule2 ) {
 	expand_rule
 	    $jumpchainref ,
@@ -388,93 +170,32 @@ sub process_accounting_rule( ) {
 
 sub setup_accounting() {
 
-    if ( my $fn = open_file 'accounting' ) {
+    my $fn = open_file 'accounting';
 
-	first_entry "$doing $fn...";
+    first_entry "$doing $fn...";
 
-	my $nonEmpty = 0;
+    my $nonEmpty = 0;
 
-	$nonEmpty |= process_accounting_rule while read_a_line;
+    $nonEmpty |= process_accounting_rule while read_a_line;
 
-	clear_comment;
+    fatal_error "Accounring rules are isolated" if $nonEmpty && ! $filter_table->{accounting};
 
-	if ( $nonEmpty ) {
-	    my $tableref = $chain_table{$acctable};
+    clear_comment;
 
-	    if ( have_bridges || $asection ) {
-		if ( $tableref->{accountin} ) {
-		    insert_ijump( $tableref->{INPUT}, j => 'accountin', 0 );
-		}
-
-		if ( $tableref->{accounting} ) {
-		    set_optflags( 'accounting' , DONT_OPTIMIZE );
-		    for my $chain ( qw/INPUT FORWARD/ ) {
-			insert_ijump( $tableref->{$chain}, j => 'accounting', 0 );
-		    }
-		}
-
-		if ( $tableref->{accountfwd} ) {
-		    insert_ijump( $tableref->{FORWARD}, j => 'accountfwd', 0 );
-		}
-
-		if ( $tableref->{accountout} ) {
-		    insert_ijump( $tableref->{OUTPUT}, j => 'accountout', 0 );
-		}
-
-		if ( $tableref->{accountpre} ) {
-		    insert_ijump( $tableref->{PREROUTING}, j => 'accountpre' , 0 );
-		}
-
-		if ( $tableref->{accountpost} ) {
-		    insert_ijump( $tableref->{POSTROUTING}, j => 'accountpost', 0 );
-		}
-	    } elsif ( $tableref->{accounting} ) {
-		set_optflags( 'accounting' , DONT_OPTIMIZE );
-		for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
-		    insert_ijump( $tableref->{$chain}, j => 'accounting', 0 );
-		}
+    if ( have_bridges ) {
+	if ( $filter_table->{accounting} ) {
+	    for my $chain ( qw/INPUT FORWARD/ ) {
+		add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 );
 	    }
+	}
 
-	    if ( $tableref->{accipsecin} ) {
-		for my $chain ( qw/INPUT FORWARD/ ) {
-		    insert_ijump( $tableref->{$chain}, j => 'accipsecin', 0 );
-		}
-	    }
-
-	    if ( $tableref->{accipsecout} ) {
-		for my $chain ( qw/FORWARD OUTPUT/ ) {
-		    insert_ijump( $tableref->{$chain}, j => 'accipsecout', 0 );
-		}
-	    }
-
-	    unless ( $asection ) {
-		for ( accounting_chainrefs ) {
-		    warning_message "Accounting chain $_->{name} has no references" unless keys %{$_->{references}};
-		}
-	    }
-
-	    if ( my $chainswithjumps = keys %accountingjumps ) {
-		my $progress = 1;
-
-		while ( $chainswithjumps && $progress ) {
-		    $progress = 0;
-		    for my $chain1 (  keys %accountingjumps ) {
-			if ( keys %{$accountingjumps{$chain1}} ) {
-			    for my $chain2 ( keys %{$accountingjumps{$chain1}} ) {
-				delete $accountingjumps{$chain1}{$chain2}, $progress = 1 unless $accountingjumps{$chain2};
-			    }
-			} else {
-			    delete $accountingjumps{$chain1};
-			    $chainswithjumps--;
-			    $progress = 1;
-			}
-		    }
-		}
-
-		if ( $chainswithjumps ) {
-		    my @chainswithjumps = keys %accountingjumps;
-		    fatal_error "Jump loop involving the following chains: @chainswithjumps";
-		}
+	if ( $filter_table->{accountout} ) {
+	    add_jump( $filter_table->{OUTPUT}, 'accountout', 0, '', 0, 0 );
+	}
+    } else {
+	if ( $filter_table->{accounting} ) {
+	    for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
+		add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 );
 	    }
 	}
     }

Shorewall/Perl/Shorewall/Actions.pm

@@ -0,0 +1,945 @@
+#
+# Shorewall 4.4 -- /usr/share/shorewall/Shorewall/Actions.pm
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#
+#       Complete documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#   This module contains the code for dealing with actions (built-in,
+#   standard and user-defined) and Macros.
+#
+package Shorewall::Actions;
+require Exporter;
+use Shorewall::Config qw(:DEFAULT :internal);
+use Shorewall::Zones;
+use Shorewall::Chains qw(:DEFAULT :internal);
+
+use strict;
+
+our @ISA = qw(Exporter);
+our @EXPORT = qw( merge_levels
+		  isolate_basic_target
+		  get_target_param
+		  add_requiredby
+		  createactionchain
+		  find_logactionchain
+		  process_actions1
+		  process_actions2
+		  process_actions3
+
+		  find_macro
+		  split_action
+		  substitute_param
+		  merge_macro_source_dest
+		  merge_macro_column
+		  map_old_actions
+
+		  %usedactions
+		  %default_actions
+		  %actions
+
+		  %macros
+		  $macro_commands
+		  );
+our @EXPORT_OK = qw( initialize );
+our $VERSION = '4.4_10';
+
+#
+#  Used Actions. Each action that is actually used has an entry with value 1.
+#
+our %usedactions;
+#
+# Default actions for each policy.
+#
+our %default_actions;
+
+#  Action Table
+#
+#     %actions{ <action1> =>  { requires => { <requisite1> = 1,
+#                                             <requisite2> = 1,
+#                                             ...
+#                                           } ,
+#                               actchain => <action chain number> # Used for generating unique chain names for each <level>:<tag> pair.
+#
+our %actions;
+#
+# Contains an entry for each used <action>:<level>[:<tag>] that maps to the associated chain.
+#
+our %logactionchains;
+
+our %macros;
+
+our $family;
+
+our @builtins;
+
+#
+# Commands that can be embedded in a macro file and how many total tokens on the line (0 => unlimited).
+#
+our $macro_commands = { COMMENT => 0, FORMAT => 2 };
+
+#
+# Rather than initializing globals in an INIT block or during declaration,
+# we initialize them in a function. This is done for two reasons:
+#
+#   1. Proper initialization depends on the address family which isn't
+#      known until the compiler has started.
+#
+#   2. The compiler can run multiple times in the same process so it has to be
+#      able to re-initialize its dependent modules' state.
+#
+sub initialize( $ ) {
+
+    $family          = shift;
+    %usedactions     = ();
+    %default_actions = ( DROP     => 'none' ,
+			 REJECT   => 'none' ,
+			 ACCEPT   => 'none' ,
+			 QUEUE    => 'none' );
+    %actions         = ();
+    %logactionchains = ();
+    %macros          = ();
+
+    if ( $family == F_IPV4 ) {
+	@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP forwardUPnP Limit/;
+    } else {
+	@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid/;
+    }
+}
+
+#
+# This function determines the logging for a subordinate action or a rule within a superior action
+#
+sub merge_levels ($$) {
+    my ( $superior, $subordinate ) = @_;
+
+    my @supparts = split /:/, $superior;
+    my @subparts = split /:/, $subordinate;
+
+    my $subparts = @subparts;
+
+    my $target   = $subparts[0];
+
+    push @subparts, '' while @subparts < 3;   #Avoid undefined values
+
+    my $level = $supparts[1];
+    my $tag   = $supparts[2];
+
+    if ( @supparts == 3 ) {
+	return "$target:none!:$tag"   if $level eq 'none!';
+	return "$target:$level:$tag"  if $level =~ /!$/;
+	return $subordinate           if $subparts >= 2;
+	return "$target:$level:$tag";
+    }
+
+    if ( @supparts == 2 ) {
+	return "$target:none!"        if $level eq 'none!';
+	return "$target:$level"       if ($level =~ /!$/) || ($subparts < 2);
+    }
+
+    $subordinate;
+}
+
+#
+# Try to find a macro file -- RETURNS false if the file doesn't exist or MACRO if it does.
+# If the file exists, the macro is entered into the 'targets' table and the fully-qualified
+# name of the file is stored in the 'macro' table.
+#
+sub find_macro( $ )
+{
+    my $macro = $_[0];
+    my $macrofile = find_file "macro.$macro";
+
+    if ( -f $macrofile ) {
+	$macros{$macro} = $macrofile;
+	$targets{$macro} = MACRO;
+    } else {
+	0;
+    }
+}
+
+#
+# Return ( action, level[:tag] ) from passed full action
+#
+sub split_action ( $ ) {
+    my $action = $_[0];
+    my @a = split( /:/ , $action, 4 );
+    fatal_error "Invalid ACTION ($action)" if ( $action =~ /::/ ) || ( @a > 3 );
+    ( shift @a, join ":", @a );
+}
+
+#
+# This function substitutes the second argument for the first part of the first argument up to the first colon (":")
+#
+# Example:
+#
+#         substitute_param DNAT PARAM:info:FTP
+#
+#         produces "DNAT:info:FTP"
+#
+sub substitute_param( $$ ) {
+    my ( $param, $action ) = @_;
+
+    if ( $action =~ /:/ ) {
+	my $logpart = (split_action $action)[1];
+	$logpart =~ s!/$!!;
+	return "$param:$logpart";
+    }
+
+    $param;
+}
+
+#
+# Combine fields from a macro body with one from the macro invocation
+#
+sub merge_macro_source_dest( $$ ) {
+    my ( $body, $invocation ) = @_;
+
+    if ( $invocation ) {
+	if ( $body ) {
+	    return $body if $invocation eq '-';
+	    return "$body:$invocation" if $invocation =~ /.*?\.*?\.|^\+|^!+|^~|^!~|~<|~\[/;
+	    return "$invocation:$body";
+	}
+
+	return $invocation;
+    }
+
+    $body || '';
+}
+
+sub merge_macro_column( $$ ) {
+    my ( $body, $invocation ) = @_;
+
+    if ( defined $invocation && $invocation ne '' && $invocation ne '-' ) {
+	$invocation;
+    } else {
+	$body;
+    }
+}
+
+#
+# Get Macro Name -- strips away trailing /*, :* and (*) from the first column in a rule, macro or action.
+#
+sub isolate_basic_target( $ ) {
+    my $target = ( split '[/:]', $_[0])[0];
+
+    $target =~ /^(\w+)[(].*[)]$/ ? $1 : $target;
+}
+
+#
+# Split the passed target into the basic target and parameter
+#
+sub get_target_param( $ ) {
+    my ( $target, $param ) = split '/', $_[0];
+
+    unless ( defined $param ) {
+	( $target, $param ) = ( $1, $2 ) if $target =~ /^(.*?)[(](.*)[)]$/;
+    }
+
+    ( $target, $param );
+}
+
+#
+# Define an Action
+#
+sub new_action( $ ) {
+
+    my $action = $_[0];
+
+    $actions{$action} = { actchain => '', requires => {} };
+}
+
+#
+# Record a 'requires' relationship between a pair of actions.
+#
+sub add_requiredby ( $$ ) {
+    my ($requiredby , $requires ) = @_;
+    $actions{$requires}{requires}{$requiredby} = 1;
+}
+
+#
+# Map pre-3.0 actions to the corresponding Macro invocation
+#
+
+sub find_old_action ( $$$ ) {
+    my ( $target, $macro, $param ) = @_;
+
+    if ( my $actiontype = find_macro( $macro ) ) {
+	( $macro, $actiontype , $param );
+    } else {
+	( $target, 0, '' );
+    }
+}
+
+sub map_old_actions( $ ) {
+    my $target = shift;
+
+    if ( $target =~ /^Allow(.*)$/ ) {
+	find_old_action( $target, $1, 'ACCEPT' );
+    } elsif ( $target =~ /^Drop(.*)$/ ) {
+	find_old_action( $target, $1, 'DROP' );
+    } elsif ( $target = /^Reject(.*)$/ ) {
+	find_old_action( $target, $1, 'REJECT' );
+    } else {
+	( $target, 0, '' );
+    }
+}
+
+#
+# Create and record a log action chain -- Log action chains have names
+# that are formed from the action name by prepending a "%" and appending
+# a 1- or 2-digit sequence number. In the functions that follow,
+# the $chain, $level and $tag variable serves as arguments to the user's
+# exit. We call the exit corresponding to the name of the action but we
+# set $chain to the name of the iptables chain where rules are to be added.
+# Similarly, $level and $tag contain the log level and log tag respectively.
+#
+# The maximum length of a chain name is 30 characters -- since the log
+# action chain name is 2-3 characters longer than the base chain name,
+# this function truncates the original chain name where necessary before
+# it adds the leading "%" and trailing sequence number.
+#
+sub createlogactionchain( $$ ) {
+    my ( $action, $level ) = @_;
+    my $chain = $action;
+    my $actionref = $actions{$action};
+    my $chainref;
+
+    my ($lev, $tag) = split ':', $level;
+
+    validate_level $lev;
+
+    $actionref = new_action $action unless $actionref;
+
+    $chain = substr $chain, 0, 28 if ( length $chain ) > 28;
+
+  CHECKDUP:
+    {
+	$actionref->{actchain}++ while $chain_table{filter}{'%' . $chain . $actionref->{actchain}};
+	$chain = substr( $chain, 0, 27 ), redo CHECKDUP if ( $actionref->{actchain} || 0 ) >= 10 and length $chain == 28;
+    }
+
+    $logactionchains{"$action:$level"} = $chainref = new_standard_chain '%' . $chain . $actionref->{actchain}++;
+
+    fatal_error "Too many invocations of Action $action" if $actionref->{actchain} > 99;
+
+    unless ( $targets{$action} & BUILTIN ) {
+
+	dont_optimize $chainref;
+
+	my $file = find_file $chain;
+
+	if ( -f $file ) {
+	    progress_message "Processing $file...";
+
+	    ( $level, my $tag ) = split /:/, $level;
+
+	    $tag = $tag || '';
+
+	    unless ( my $return = eval `cat $file` ) {
+		fatal_error "Couldn't parse $file: $@" if $@;
+		fatal_error "Couldn't do $file: $!"    unless defined $return;
+		fatal_error "Couldn't run $file"       unless $return;
+	    }
+	}
+    }
+}
+
+sub createsimpleactionchain( $ ) {
+    my $action  = shift;
+    my $chainref = new_standard_chain $action;
+
+    $logactionchains{"$action:none"} = $chainref;
+
+    unless ( $targets{$action} & BUILTIN ) {
+
+	dont_optimize $chainref;
+
+	my $file = find_file $action;
+
+	if ( -f $file ) {
+	    progress_message "Processing $file...";
+
+	    my ( $level, $tag ) = ( '', '' );
+
+	    unless ( my $return = eval `cat $file` ) {
+		fatal_error "Couldn't parse $file: $@" if $@;
+		fatal_error "Couldn't do $file: $!"    unless defined $return;
+		fatal_error "Couldn't run $file"       unless $return;
+	    }
+	}
+    }
+}
+
+#
+# Create an action chain and run its associated user exit
+#
+sub createactionchain( $ ) {
+    my ( $action , $level ) = split_action $_[0];
+
+    my $chainref;
+
+    if ( defined $level && $level ne '' ) {
+	if ( $level eq 'none' ) {
+	    createsimpleactionchain $action;
+	} else {
+	    createlogactionchain $action , $level;
+	}
+    } else {
+	createsimpleactionchain $action;
+    }
+}
+
+#
+# Find the chain that handles the passed action. If the chain cannot be found,
+# a fatal error is generated and the function does not return.
+#
+sub find_logactionchain( $ ) {
+    my $fullaction = $_[0];
+    my ( $action, $level ) = split_action $fullaction;
+
+    $level = 'none' unless $level;
+
+    fatal_error "Fatal error in find_logactionchain" unless $logactionchains{"$action:$level"};
+}
+
+#
+# Scans a macro file invoked from an action file ensuring that all targets mentioned in the file are known and that none are actions.
+#
+sub process_macro1 ( $$ ) {
+    my ( $action, $macrofile ) = @_;
+
+    progress_message "   ..Expanding Macro $macrofile...";
+
+    push_open( $macrofile );
+
+    while ( read_a_line ) {
+	my ( $mtarget, $msource,  $mdest,  $mproto,  $mports,  $msports, $morigdest, $mrate, $muser ) = split_line1 1, 9, 'macro file', $macro_commands;
+
+	next if $mtarget eq 'COMMENT' || $mtarget eq 'FORMAT';
+
+	$mtarget =~ s/:.*$//;
+
+	$mtarget = (split '/' , $mtarget)[0];
+
+	my $targettype = $targets{$mtarget};
+
+	$targettype = 0 unless defined $targettype;
+
+	fatal_error "Invalid target ($mtarget)"
+	    unless ( $targettype == STANDARD ) || ( $mtarget eq 'PARAM' ) || ( $targettype & ( LOGRULE | NFQ | CHAIN ) );
+    }
+
+    progress_message "   ..End Macro $macrofile";
+
+    pop_open;
+}
+
+#
+# The functions process_actions1-3() implement the three phases of action processing.
+#
+# The first phase (process_actions1) occurs before the rules file is processed. The builtin-actions are added
+# to the target table (%Shorewall::Chains::targets) and actions table, then ${SHAREDIR}/actions.std and
+# ${CONFDIR}/actions are scanned (in that order). For each action:
+#
+#      a) The related action definition file is located and scanned.
+#      b) Forward and unresolved action references are trapped as errors.
+#      c) A dependency graph is created using the 'requires' field in the 'actions' table.
+#
+# As the rules file is scanned, each action[:level[:tag]] is merged onto the 'usedactions' hash. When an <action>
+# is merged into the hash, its action chain is created. Where logging is specified, a chain with the name
+# %<action>n is used where the <action> name is truncated on the right where necessary to ensure that the total
+# length of the chain name does not exceed 30 characters.
+#
+# The second phase (process_actions2) occurs after the rules file is scanned. The transitive closure of
+# %usedactions is generated; again, as new actions are merged into the hash, their action chains are created.
+#
+# The final phase (process_actions3) traverses the keys of %usedactions populating each chain appropriately
+# by reading the related action definition file and creating rules. Note that a given action definition file is
+# processed once for each unique [:level[:tag]] applied to an invocation of the action.
+#
+
+sub process_action1 ( $$ ) {
+    my ( $action, $wholetarget ) = @_;
+
+    my ( $target, $level ) = split_action $wholetarget;
+
+    $level = 'none' unless $level;
+
+    my $targettype = $targets{$target};
+
+    if ( defined $targettype ) {
+	return if ( $targettype == STANDARD ) || ( $targettype & ( MACRO | LOGRULE |  NFQ | CHAIN ) );
+
+	fatal_error "Invalid TARGET ($target)" if $targettype & STANDARD;
+
+	fatal_error "An action may not invoke itself" if $target eq $action;
+
+	add_requiredby $wholetarget, $action if $targettype & ACTION;
+    } elsif ( $target eq 'COMMENT' ) {
+	fatal_error "Invalid TARGET ($wholetarget)" unless $wholetarget eq $target;
+    } else {
+	( $target, my $param ) = get_target_param $target;
+
+	return if $target eq 'NFQUEUE';
+
+	if ( defined $param ) {
+	    my $paramtype = $targets{$param} || 0;
+
+	    fatal_error "Parameter value not allowed in action files ($param)" if $paramtype & NATRULE;
+	}
+
+	fatal_error "Invalid or missing ACTION ($wholetarget)" unless defined $target;
+
+	if ( find_macro $target ) {
+	    process_macro1( $action, $macros{$target} );
+	} else {
+	    fatal_error "Invalid TARGET ($target)";
+	}
+    }
+}
+
+sub process_actions1() {
+
+    progress_message2 "Preprocessing Action Files...";
+    #
+    # Add built-in actions to the target table and create those actions
+    #
+    $targets{$_} = ACTION + BUILTIN, new_action( $_ ) for @builtins;
+
+    for my $file ( qw/actions.std actions/ ) {
+	open_file $file;
+
+	while ( read_a_line ) {
+	    my ( $action ) = split_line 1, 1, 'action file';
+
+	    if ( $action =~ /:/ ) {
+		warning_message 'Default Actions are now specified in /etc/shorewall/shorewall.conf';
+		$action =~ s/:.*$//;
+	    }
+
+	    next unless $action;
+
+	    if ( $targets{$action} ) {
+		warning_message "Duplicate Action Name ($action) Ignored" unless $targets{$action} & ACTION;
+		next;
+	    }
+
+	    $targets{$action} = ACTION;
+
+	    fatal_error "Invalid Action Name ($action)" unless "\L$action" =~ /^[a-z]\w*$/;
+
+	    new_action $action;
+
+	    my $actionfile = find_file "action.$action";
+
+	    fatal_error "Missing Action File ($actionfile)" unless -f $actionfile;
+
+	    progress_message2 "   Pre-processing $actionfile...";
+
+	    push_open( $actionfile );
+
+	    while ( read_a_line ) {
+
+		my ($wholetarget, $source, $dest, $proto, $ports, $sports, $rate, $users, $mark ) = split_line 1, 9, 'action file';
+
+		process_action1( $action, $wholetarget );
+
+	    }
+
+	    pop_open;
+	}
+    }
+}
+
+sub process_actions2 () {
+    progress_message2 'Generating Transitive Closure of Used-action List...';
+
+    my $changed = 1;
+
+    while ( $changed ) {
+	$changed = 0;
+	for my $target (keys %usedactions) {
+	    my ($action, $level) = split_action $target;
+	    my $actionref = $actions{$action};
+	    assert( $actionref );
+	    for my $action1 ( keys %{$actionref->{requires}} ) {
+		my $action2 = merge_levels $target, $action1;
+		unless ( $usedactions{ $action2 } ) {
+		    $usedactions{ $action2 } = 1;
+		    createactionchain $action2;
+		    $changed = 1;
+		}
+	    }
+	}
+    }
+}
+
+#
+# This function is called to process each rule generated from an action file.
+#
+sub process_action( $$$$$$$$$$$ ) {
+    my ($chainref, $actionname, $target, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark ) = @_;
+
+    my ( $action , $level ) = split_action $target;
+
+    if ( $action eq 'REJECT' ) {
+	$action = 'reject';
+    } elsif ( $action eq 'CONTINUE' ) {
+	$action = 'RETURN';
+    } elsif ( $action =~ /^NFQUEUE/ ) {
+	( $action, my $param ) = get_target_param $action;
+	$param = 1 unless defined $param;
+	$action = "NFQUEUE --queue-num $param";
+    } elsif ( $action eq 'COUNT' ) {
+	$action = '';
+    }
+
+    expand_rule ( $chainref ,
+		  NO_RESTRICT ,
+		  do_proto( $proto, $ports, $sports ) . do_ratelimit( $rate, $action ) . do_user $user . do_test( $mark, $globals{TC_MASK} ) ,
+		  $source ,
+		  $dest ,
+		  '', #Original Dest
+		  $action ? "-j $action" : '',
+		  $level ,
+		  $action ,
+		  '' );
+}
+
+#
+# Expand Macro in action files.
+#
+sub process_macro3( $$$$$$$$$$$$ ) {
+    my ( $macro, $param, $chainref, $action, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark ) = @_;
+
+    my $nocomment = no_comment;
+
+    my $format = 1;
+
+    macro_comment $macro;
+
+    my $fn = $macros{$macro};
+
+    progress_message "..Expanding Macro $fn...";
+
+    push_open $fn;
+
+    while ( read_a_line ) {
+
+	my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark );
+
+	if ( $format == 1 ) {
+	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line1 1, 8, 'macro file', $macro_commands;
+	    $morigdest = '-';
+	    $mmark     = '-';
+	} else {
+	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark ) = split_line1 1, 10, 'macro file', $macro_commands;
+	}
+
+	if ( $mtarget eq 'COMMENT' ) {
+	    process_comment unless $nocomment;
+	    next;
+	}
+
+	if ( $mtarget eq 'FORMAT' ) {
+	    fatal_error "Invalid FORMAT ($msource)" unless $msource =~ /^[12]$/;
+	    $format = $msource;
+	    next;
+	}
+
+	if ( $mtarget =~ /^PARAM:?/ ) {
+	    fatal_error 'PARAM requires that a parameter be supplied in macro invocation' unless $param;
+	    $mtarget = substitute_param $param,  $mtarget;
+	}
+
+	fatal_error "Macros used within Actions may not specify an ORIGINAL DEST " if $morigdest ne '-';
+
+	if ( $msource ) {
+	    if ( ( $msource eq '-' ) || ( $msource eq 'SOURCE' ) ) {
+		$msource = $source || '';
+	    } elsif ( $msource eq 'DEST' ) {
+		$msource = $dest || '';
+	    } else {
+		$msource = merge_macro_source_dest $msource, $source;
+	    }
+	} else {
+	    $msource = '';
+	}
+
+	$msource = '' if $msource eq '-';
+
+	if ( $mdest ) {
+	    if ( ( $mdest eq '-' ) || ( $mdest eq 'DEST' ) ) {
+		$mdest = $dest || '';
+	    } elsif ( $mdest eq 'SOURCE' ) {
+		$mdest = $source || '';
+	    } else {
+		$mdest = merge_macro_source_dest $mdest, $dest;
+	    }
+	} else {
+	    $mdest = '';
+	}
+
+	$mdest   = '' if $mdest eq '-';
+
+	$mproto  = merge_macro_column $mproto,  $proto;
+	$mports  = merge_macro_column $mports,  $ports;
+	$msports = merge_macro_column $msports, $sports;
+	$mrate   = merge_macro_column $mrate,   $rate;
+	$muser   = merge_macro_column $muser,   $user;
+	$mmark   = merge_macro_column $mmark,   $mark;
+
+	process_action $chainref, $action, $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser, $mark;
+    }
+
+    pop_open;
+
+    progress_message '..End Macro';
+
+    clear_comment unless $nocomment;
+}
+
+#
+# Generate chain for non-builtin action invocation
+#
+sub process_action3( $$$$$ ) {
+    my ( $chainref, $wholeaction, $action, $level, $tag ) = @_;
+    my $actionfile = find_file "action.$action";
+
+    fatal_error "Missing Action File ($actionfile)" unless -f $actionfile;
+
+    progress_message2 "Processing $actionfile for chain $chainref->{name}...";
+
+    open_file $actionfile;
+
+    while ( read_a_line ) {
+
+	my ($target, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark ) = split_line1 1, 9, 'action file';
+
+	if ( $target eq 'COMMENT' ) {
+	    process_comment;
+	    next;
+	}
+
+	my $target2 = merge_levels $wholeaction, $target;
+
+	my ( $action2 , $level2 ) = split_action $target2;
+
+	( $action2 , my $param ) = get_target_param $action2;
+
+	my $action2type = $targets{$action2} || 0;
+
+	unless ( $action2type == STANDARD ) {
+	    if ( $action2type & ACTION ) {
+		$target2 = (find_logactionchain ( $target = $target2 ))->{name};
+	    } else {
+		assert( $action2type & ( MACRO | LOGRULE | NFQ | CHAIN ) );
+	    }
+	}
+
+	if ( $action2type == MACRO ) {
+	    process_macro3( $action2, $param, $chainref, $action, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark );
+	} else {
+	    process_action $chainref, $action, $target2, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark;
+	}
+    }
+
+    clear_comment;
+}
+
+#
+# The following small functions generate rules for the builtin actions of the same name
+#
+sub dropBcast( $$$ ) {
+    my ($chainref, $level, $tag) = @_;
+
+    if ( have_capability( 'ADDRTYPE' ) ) {
+	if ( $level ne '' ) {
+	    log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
+	    if ( $family == F_IPV4 ) {
+		log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ';
+	    } else {
+		log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d ff00::/10 -j DROP ';
+	    }		
+	}
+
+	add_rule $chainref, '-m addrtype --dst-type BROADCAST -j DROP';
+    } else {
+	if ( $family == F_IPV4 ) {
+	    add_commands $chainref, 'for address in $ALL_BCASTS; do';
+	} else {
+	    add_commands $chainref, 'for address in $ALL_ACASTS; do';
+	}
+
+	incr_cmd_level $chainref;
+	log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d $address ' if $level ne '';
+	add_rule $chainref, '-d $address -j DROP';
+	decr_cmd_level $chainref;
+	add_commands $chainref, 'done';
+
+	log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
+    }
+
+
+    if ( $family == F_IPV4 ) {
+	add_rule $chainref, '-d 224.0.0.0/4 -j DROP';
+    } else {
+	add_rule $chainref, '-d ff00::/10 -j DROP';
+    }
+}
+
+sub allowBcast( $$$ ) {
+    my ($chainref, $level, $tag) = @_;
+
+    if ( $family == F_IPV4 && have_capability( 'ADDRTYPE' ) ) {
+	if ( $level ne '' ) {
+	    log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
+	    log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ';
+	}
+
+	add_rule $chainref, '-m addrtype --dst-type BROADCAST -j ACCEPT';
+	add_rule $chainref, '-d 224.0.0.0/4 -j ACCEPT';
+    } else {
+	if ( $family == F_IPV4 ) {
+	    add_commands $chainref, 'for address in $ALL_BCASTS; do';
+	} else {
+	    add_commands $chainref, 'for address in $ALL_MACASTS; do';
+	}
+
+	incr_cmd_level $chainref;
+	log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d $address ' if $level ne '';
+	add_rule $chainref, '-d $address -j ACCEPT';
+	decr_cmd_level $chainref;
+	add_commands $chainref, 'done';
+
+	if ( $family == F_IPV4 ) {
+	    log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
+	    add_rule $chainref, '-d 224.0.0.0/4 -j ACCEPT';
+	} else {
+	    log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d ff00::/10 ' if $level ne '';
+	    add_rule $chainref, '-d ff00:/10 -j ACCEPT';
+	}
+    }
+}
+
+sub dropNotSyn ( $$$ ) {
+    my ($chainref, $level, $tag) = @_;
+
+    log_rule_limit $level, $chainref, 'dropNotSyn' , 'DROP', '', $tag, 'add', '-p 6 ! --syn ' if $level ne '';
+    add_rule $chainref , '-p 6 ! --syn -j DROP';
+}
+
+sub rejNotSyn ( $$$ ) {
+    my ($chainref, $level, $tag) = @_;
+
+    log_rule_limit $level, $chainref, 'rejNotSyn' , 'REJECT', '', $tag, 'add', '-p 6 ! --syn ' if $level ne '';
+    add_rule $chainref , '-p 6 ! --syn -j REJECT --reject-with tcp-reset';
+}
+
+sub dropInvalid ( $$$ ) {
+    my ($chainref, $level, $tag) = @_;
+
+    log_rule_limit $level, $chainref, 'dropInvalid' , 'DROP', '', $tag, 'add', "$globals{STATEMATCH} INVALID " if $level ne '';
+    add_rule $chainref , "$globals{STATEMATCH} INVALID -j DROP";
+}
+
+sub allowInvalid ( $$$ ) {
+    my ($chainref, $level, $tag) = @_;
+
+    log_rule_limit $level, $chainref, 'allowInvalid' , 'ACCEPT', '', $tag, 'add', "$globals{STATEMATCH} INVALID " if $level ne '';
+    add_rule $chainref , "$globals{STATEMATCH} INVALID -j ACCEPT";
+}
+
+sub forwardUPnP ( $$$ ) {
+    my $chainref = dont_optimize 'forwardUPnP';
+    add_commands( $chainref , '[ -f ${VARDIR}/.forwardUPnP ] && cat ${VARDIR}/.forwardUPnP >&3' );
+}
+
+sub allowinUPnP ( $$$ ) {
+    my ($chainref, $level, $tag) = @_;
+
+    if ( $level ne '' ) {
+	log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p 17 --dport 1900 ';
+	log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p 6 --dport 49152 ';
+    }
+
+    add_rule $chainref, '-p 17 --dport 1900 -j ACCEPT';
+    add_rule $chainref, '-p 6 --dport 49152 -j ACCEPT';
+}
+
+sub Limit( $$$ ) {
+    my ($chainref, $level, $tag) = @_;
+
+    my @tag = split /,/, $tag;
+
+    fatal_error 'Limit rules must include <set name>,<max connections>,<interval> as the log tag (' . join( ':', 'Limit', $level eq '' ? 'none' : $level , $tag ) . ')' unless @tag == 3;
+
+    my $set   = $tag[0];
+
+    for ( @tag[1,2] ) {
+	fatal_error 'Max connections and interval in Limit rules must be numeric (' . join( ':', 'Limit', $level eq '' ? 'none' : $level, $tag ) . ')' unless /^\d+$/
+    }
+
+    my $count = $tag[1] + 1;
+
+    require_capability( 'RECENT_MATCH' , 'Limit rules' , '' );
+
+    add_rule $chainref, "-m recent --name $set --set";
+
+    if ( $level ne '' ) {
+	my $xchainref = new_chain 'filter' , "$chainref->{name}%";
+	log_rule_limit $level, $xchainref, $tag[0], 'DROP', '', '', 'add', '';
+	add_rule $xchainref, '-j DROP';
+	add_jump $chainref,  $xchainref, 0, "-m recent --name $set --update --seconds $tag[2] --hitcount $count ";
+    } else {
+	add_rule $chainref, "-m recent --update --name $set --seconds $tag[2] --hitcount $count -j DROP";
+    }
+
+    add_rule $chainref, '-j ACCEPT';
+}
+
+sub process_actions3 () {
+    my %builtinops = ( 'dropBcast'      => \&dropBcast,
+		       'allowBcast'     => \&allowBcast,
+		       'dropNotSyn'     => \&dropNotSyn,
+		       'rejNotSyn'      => \&rejNotSyn,
+		       'dropInvalid'    => \&dropInvalid,
+		       'allowInvalid'   => \&allowInvalid,
+		       'allowinUPnP'    => \&allowinUPnP,
+		       'forwardUPnP'    => \&forwardUPnP,
+		       'Limit'          => \&Limit, );
+
+    for my $wholeaction ( keys %usedactions ) {
+	my $chainref = find_logactionchain $wholeaction;
+	my ( $action, $level, $tag ) = split /:/, $wholeaction;
+
+	$level = '' unless defined $level;
+	$tag   = '' unless defined $tag;
+
+	if ( $targets{$action} & BUILTIN ) {
+	    $level = '' if $level =~ /none!?/;
+	    $builtinops{$action}->($chainref, $level, $tag);
+	} else {
+	    process_action3 $chainref, $wholeaction, $action, $level, $tag;
+	}
+    }
+}
+
+1;