Compare commits


127 Commits

Author SHA1 Message Date
Tom Eastep
db8f90f182 Remove allow_optimize() call from action.New.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-11 06:45:33 -08:00
Tom Eastep
bda1e05d9a Mention the requirement for a params file in the Shorewall Lite article.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-11 05:58:01 -08:00
Tom Eastep
b9d5b92f1b Correct handling of expressions consisting of a single number.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-10 15:19:30 -08:00
Tom Eastep
b349cc0f22 A better fix for inline default action with parameters.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-10 09:29:30 -08:00
Tom Eastep
54c43396f0 Correct default action handling:
- isolate basic target before testing for action/inline
- delete the action chain if appropriate.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-10 09:00:13 -08:00
Tom Eastep
f9dc89dc61 Allow arbitrary $n variables when IGNOREUNKNOWNVARIABLES=Yes
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-10 07:56:04 -08:00
Tom Eastep
cadf2747fe Correct reset_optflags()
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-09 17:53:40 -08:00
Tom Eastep
c04c61b314 Correct typos in check_rules().
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-09 11:42:54 -08:00
Tom Eastep
a4297381e9 Don't ACCEPT untracked packets unless UNTRACKED_DISPOSITION=ACCEPT
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-09 09:15:05 -08:00
Tom Eastep
eaa6d72a4f Allow parameters to be omitted in action invocations.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-09 07:07:01 -08:00
Tom Eastep
e664b6bafb Correct action.TCPFlags
- restore rule dropped when converted.
- remove cruft
- Correct parameter handling

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-08 15:39:04 -08:00
Tom Eastep
96d64d0a04 Remove extraneous default parameter from action.Untracked
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-08 13:00:54 -08:00
Tom Eastep
122a8358fc Correct the default action description in the New action.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-08 12:59:22 -08:00
Tom Eastep
acbff91d87 Remove 'default action' comments from the xxxInvalid actions.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-08 12:57:44 -08:00
Tom Eastep
1bd9e8b015 Correct allowInvalid and dropInvalid
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-08 10:49:12 -08:00
Tom Eastep
62a567b550 Treat each -m conntrack subtype as a separate match
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-08 10:08:23 -08:00
Tom Eastep
e4f1c62e71 Improve handling of nested state actions
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-08 09:09:20 -08:00
Tom Eastep
b3caaaf707 Pass the state name to perl_action_helper() from the state actions.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-08 06:39:16 -08:00
Tom Eastep
b9e504683e Prevent a state action from invoking another one.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-07 16:52:06 -08:00
Tom Eastep
aae6e001fe Convert dropInvalid and allowInvalid to inline actions.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-07 11:21:13 -08:00
Tom Eastep
aa528dd075 Revert "Convert allowInvalid and dropInvalid into macros"
This reverts commit 272e1d330c.
2013-02-07 09:09:56 -08:00
Tom Eastep
e4ae242123 Another tweak to check_state()
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-06 12:07:51 -08:00
Tom Eastep
272e1d330c Convert allowInvalid and dropInvalid into macros
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-06 09:54:12 -08:00
Tom Eastep
a66256b25b Additional refinements of check_state()
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-06 08:16:42 -08:00
Tom Eastep
11b976fb36 Correct reference type in check_state()
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-05 19:55:22 -08:00
Tom Eastep
a6ccd53fe0 Unconditionally use '-j' to branch to a state chain or DISPOSITION.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-04 15:17:49 -08:00
Tom Eastep
b22b63b1c3 Don't use '-g' when DISPOSITION is CONTINUE.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-04 15:09:17 -08:00
Tom Eastep
615df6ab8f Handle 'RETURN' in state chain with terminating disposition.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-04 15:08:20 -08:00
Tom Eastep
3757607356 Remove cruft from two actions.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-04 10:11:51 -08:00
Tom Eastep
f6faef7cd0 Correct syntax error in action.Untracked
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-04 09:58:38 -08:00
Tom Eastep
d8214885f2 Assume that the conntrack state value in a rule is not a reference.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-04 08:29:50 -08:00
Tom Eastep
475942deb9 Normalize rules prior to combine_state tests.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-03 18:14:14 -08:00
Tom Eastep
f1707d2ace More state rule check fixes.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-03 18:02:02 -08:00
Tom Eastep
c5dc69b750 Correct state actions.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-03 17:21:51 -08:00
Tom Eastep
30d96afb69 Push/pop $actionresult.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-03 12:43:28 -08:00
Tom Eastep
014b4ddc50 Combine adjacent rules differing only in conntrack state match.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-03 09:03:22 -08:00
Tom Eastep
61c219ed3a Clarify the CHAIN column in the accounting manpage. Also mention ipset support.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-03 08:00:24 -08:00
Tom Eastep
5b9d1a6159 Handle UNTRACKED_DISPOSITION=ACCEPT correctly.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-03 07:59:47 -08:00
Tom Eastep
752463bfab Fix TCPFlags
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-02 22:19:13 -08:00
Tom Eastep
ebef29e161 Handle port numbers being passed to one of the tcp-specific actions
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-02 12:48:54 -08:00
Tom Eastep
ca5a70aa6f Clarify the <variable> forms allowed in a ?SET directive.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-02 11:08:29 -08:00
Tom Eastep
9b30f48ba0 Correct handling of actions when @chain is altered.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-02 10:57:08 -08:00
Tom Eastep
e013e218a2 Don't try to import process_rule1 in three action files.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-02 09:45:12 -08:00
Tom Eastep
0616dd9fcb Add 'New' action for conntrack state NEW
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-02 09:33:24 -08:00
Tom Eastep
8249831e6d Detect some state conflicts
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-02 09:32:57 -08:00
Tom Eastep
cc1054be66 Correct handling of audited dispositions.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-02 09:30:25 -08:00
Tom Eastep
c68d4c6e27 Simplify Perl from actions even further.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-01 15:55:39 -08:00
Tom Eastep
752e960f2f Allow specification of the action type via perl_action_helper().
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-01 12:59:48 -08:00
Tom Eastep
9f82d82a92 Update Shorewall6 actions.std
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-01 12:59:24 -08:00
Tom Eastep
a5d3b1f470 Remove requirement that matches and proto end with a space in perl helper API.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-01 12:29:30 -08:00
Evangelos Foutras
c9247c8074 Remove Arch Linux init file
Arch Linux only supports systemd now.

Signed-off-by: Evangelos Foutras <evangelos@foutrelis.com>
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-01 10:13:54 -08:00
Evangelos Foutras
2d59f7e31a Tweak shorewallrc.archlinux configuration
Changes:

  - Remove reference to SysV init script
  - Define systemd system unit directory
  - Set SBINDIR to /usr/sbin
  - Unset BUILD; should be auto-detected

Signed-off-by: Evangelos Foutras <evangelos@foutrelis.com>
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-01 10:13:48 -08:00
Tom Eastep
abca3a2024 Improve maintainability of @colums vis a vis @rulecolumns.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-30 10:47:40 -08:00
Tom Eastep
8d28c44946 Remove 'audit' parameter handling from new state actions.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-30 10:45:10 -08:00
Tom Eastep
f407068d20 Update shorewall[6]-actions(5) regarding inline for some standard actions
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-30 08:27:30 -08:00
Tom Eastep
755d605578 Make %statetable global
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-30 08:26:47 -08:00
Tom Eastep
78db4abef5 Remove some redundant local variables from finish_chain_section()
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-30 08:02:23 -08:00
Tom Eastep
fc73c3934b Replace BLACKLISTNEWONLY with BLACKLIST
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-30 08:00:47 -08:00
Tom Eastep
75fb164234 Don't issue fatal error if a proto other than tcp is passed to a tcp-only inline
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-29 10:31:20 -08:00
Tom Eastep
27c5e67632 Rename process_rule to process_raw_rule and process_rule1 to process_rule
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-29 10:13:48 -08:00
Tom Eastep
61d8f704f9 Correct rule-generation detection in perl_action_helper
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-29 09:43:12 -08:00
Tom Eastep
221f4909b5 Document perl_action_helper
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-29 09:12:04 -08:00
Tom Eastep
f33e36b61e Raise an error if a protocol other than TCP is passed to a TCP-only inline
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-29 07:46:50 -08:00
Tom Eastep
670931c987 Initialize the columns array to '-'s.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-29 07:46:07 -08:00
Tom Eastep
316b67473e Merge branch 'master' into 4.5.13
Conflicts:
	Shorewall/Perl/Shorewall/Rules.pm
	Shorewall/action.Established
	Shorewall/actions.std
2013-01-29 07:30:52 -08:00
Tom Eastep
42f46ea5e7 Accurately determine if an inline action generates a rule.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-28 20:46:20 -08:00
Tom Eastep
49166efdca Make the TCP standard actions inline
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-28 18:01:08 -08:00
Tom Eastep
5a2c1792cb Inline the conntrack state actions.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-28 16:55:54 -08:00
Tom Eastep
de2cf6edf3 Correct typo in the actions.std files.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-28 12:08:00 -08:00
Tom Eastep
6b889e537f Correct typo in the actions.std files.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-28 12:07:04 -08:00
Tom Eastep
a70c441458 Add CONTINUE as a possible setting for RELATED_DISPOSITION.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-28 11:47:45 -08:00
Tom Eastep
519861d7b2 Add CONTINUE as a possible setting for RELATED_DISPOSITION.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-28 07:58:03 -08:00
Tom Eastep
2e8eeff416 Correct error messages that include the section name.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-28 07:41:52 -08:00
Tom Eastep
2217f89902 Correctly initialize $chainref->{sections} vis-a-vis FASTACCEPT.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-28 07:41:45 -08:00
Tom Eastep
5c63444c14 Correct error messages that include the section name.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-28 07:41:09 -08:00
Tom Eastep
cfa5d86f5c Correctly initialize $chainref->{sections} vis-a-vis FASTACCEPT.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-28 07:40:26 -08:00
Tom Eastep
f7bdb71aad Add an Established action.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-27 15:40:53 -08:00
Tom Eastep
819c8bf492 Add Established action.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-27 15:38:25 -08:00
Tom Eastep
b3b074fb61 More infrastructure
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-27 15:37:23 -08:00
Tom Eastep
cbbcfe355e Infrastructure for more powerful action handling
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-27 12:37:10 -08:00
Tom Eastep
2a2e23cb17 Merge branch '4.5.13' 2013-01-27 11:26:59 -08:00
Tom Eastep
1b94c3651d Always handle ESTABLISHED before the other connection states.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-27 10:56:41 -08:00
Tom Eastep
b1b2aa910e Correct section handling:
- Correct typo (' INVALID' -> 'INVALID' )
- Don't jump to non-existent target in finish_chain_section()

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-27 10:14:27 -08:00
Tom Eastep
aa609b87a9 Allow arbitrary actions for the various states.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-27 10:10:24 -08:00
Tom Eastep
a3a90d8d2e Correct section handling:
- Correct typo (' INVALID' -> 'INVALID' )
- Don't jump to non-existent target in finish_chain_section()

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-27 10:08:02 -08:00
Tom Eastep
6c8761c7dd Add a "matches" argument to process_rule1
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-27 08:21:30 -08:00
Tom Eastep
9194165e89 Handle explicit CONTINUE value for UNTRACKED_DISPOSITION
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-27 08:17:09 -08:00
Tom Eastep
6306103991 Clean up fix for optimize 8 performance issue
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-27 08:13:27 -08:00
Tom Eastep
749773f89a Handle explicit CONTINUE value for UNTRACKED_DISPOSITION
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-27 08:12:49 -08:00
Tom Eastep
5db317b6f7 Clean up fix for optimize 8 performance issue
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-27 07:55:55 -08:00
Tom Eastep
380d427a5d Dramatically reduce the CPU cost of optimize 8.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-26 17:46:31 -08:00
Tom Eastep
6ce392b08e Correct handling of handle_first_entry() to avoid runaway recursion.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-26 12:18:17 -08:00
Tom Eastep
69b660ba56 Add Related and Untracked actions.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-26 09:45:16 -08:00
Tom Eastep
5fa01728ad Pass UNTRACKED packets through the blacklist chain when BLACKLISTNEWONLY=Yes
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-26 09:18:20 -08:00
Tom Eastep
7bc66da663 Call handle_first_entry in the warning/error-message generators.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-26 07:30:50 -08:00
Tom Eastep
b8cc9c5a6a Drop chain-ending rules whose target is 'RETURN'.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-25 14:03:04 -08:00
Tom Eastep
b7273d6999 Favor low-numbered less complex synonym chains in optimization 8.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-25 13:55:04 -08:00
Tom Eastep
c958329d14 More manpage updates for RELATED and UNTRACKED rules sections.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-24 19:24:01 -08:00
Tom Eastep
e12b919dc1 Prefer shorter action chain names in optimize level 8.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-24 17:25:11 -08:00
Tom Eastep
18c0956374 Fix two bugs in the UNTRACKED section implementation.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-24 16:41:18 -08:00
Tom Eastep
575673a8f5 Correct broken links in the .conf manpages.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-24 15:42:20 -08:00
Tom Eastep
6403f4959d Implement UNTRACKED SECTION
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-24 15:42:01 -08:00
Tom Eastep
0ca93c1ac9 Unify handling of the RELATED and INVALID sections within finish_chain_section()
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-24 14:38:02 -08:00
Tom Eastep
a40c74ddec Eliminate forward declaration of finish_chain_section()
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-24 09:04:50 -08:00
Tom Eastep
c2bc74cdfe Add INVALID section to the rules file.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-24 08:33:59 -08:00
Tom Eastep
a03e793907 Added OUT-BANDWIDTH to the tcinterfaces column
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-22 16:33:57 -08:00
Tom Eastep
7fe2027229 Eliminate superfluous ESTABLISHED,RELATED rule
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-22 16:17:19 -08:00
Tom Eastep
8fe36422b5 Delete stale comment
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-22 10:44:12 -08:00
Tom Eastep
17eae4adee Update the description of BLACKLISTNEWONLY to match the implementation.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-22 09:11:15 -08:00
Tom Eastep
f61f5a8183 Don't copy a chain that has a single RETURN rule.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-22 09:07:07 -08:00
Tom Eastep
4ed5c5fdfe Sort the chain list in optimize_level8.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-21 16:00:32 -08:00
Tom Eastep
25d6164f21 Try to avoid ~combN chains when dealing with action chains.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-21 11:51:33 -08:00
Tom Eastep
32c475193f Another fix for RELATED_DISPOSITION
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-21 11:50:46 -08:00
Tom Eastep
982fabc96f Delete $caller argument from process_default_action()
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-21 09:45:54 -08:00
Tom Eastep
5beae475f5 Make optimize 8 a multi-pass operation.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-21 09:12:42 -08:00
Tom Eastep
c820c54f41 Correctly handle audited RELATED_DISPOSITION
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-21 09:03:27 -08:00
Tom Eastep
4a354ba5a2 Avoid internal error during standard chain completion
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-21 08:02:50 -08:00
Tom Eastep
e23876b582 Rename '$inline' to '$action' in policy_rules()
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-21 07:36:50 -08:00
Tom Eastep
64e76599e0 Correct handling of default actions that set Shorewall variables.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-20 16:15:04 -08:00
Tom Eastep
b5cb27e84e Correct .service files.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-20 15:15:46 -08:00
Tom Eastep
c4a2f3d386 Set caller when possible in policy chains.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-20 14:51:16 -08:00
Tom Eastep
bc882af6c5 Allow RESET of Shorewall variables
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-20 07:32:34 -08:00
Tom Eastep
d31221b03c Fix variable assignment.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-20 07:26:10 -08:00
Tom Eastep
56919703ef Merge branch 'master' of ssh://git.code.sf.net/p/shorewall/code 2013-01-19 16:55:15 -08:00
Tom Eastep
23a188f765 Merge branch '4.5.12' 2013-01-12 07:08:54 -08:00
Tom Eastep
20b551a1da Merge branch '4.5.12'
Conflicts:
	Shorewall/Perl/Shorewall/Chains.pm

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-10 17:21:02 -08:00
Tom Eastep
5818e106a5 Don't append rules that can't be matched.
Also, delete chains whose only rule is a -j RETURN

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-08 11:33:06 -08:00
55 changed files with 2021 additions and 829 deletions

View File

@@ -1,21 +1,21 @@
# #
# Archlinux Shorewall 4.5 rc file # Arch Linux Shorewall 4.5 rc file
# #
BUILD=archlinux BUILD= #Default is to detect the build system
HOST=archlinux HOST=archlinux
PREFIX=/usr #Top-level directory for shared files, libraries, etc. PREFIX=/usr #Top-level directory for shared files, libraries, etc.
SHAREDIR=${PREFIX}/share #Directory for arch-neutral files. SHAREDIR=${PREFIX}/share #Directory for arch-neutral files.
LIBEXECDIR=${PREFIX}/share #Directory for executable scripts. LIBEXECDIR=${PREFIX}/share #Directory for executable scripts.
PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory
CONFDIR=/etc #Directory where subsystem configurations are installed CONFDIR=/etc #Directory where subsystem configurations are installed
SBINDIR=/sbin #Directory where system administration programs are installed SBINDIR=/usr/sbin #Directory where system administration programs are installed
MANDIR=${SHAREDIR}/man #Directory where manpages are installed. MANDIR=${SHAREDIR}/man #Directory where manpages are installed.
INITDIR=/etc/rc.d #Directory where SysV init scripts are installed. INITDIR= #Directory where SysV init scripts are installed.
INITFILE=$PRODUCT #Name of the product's installed SysV init script INITFILE= #Name of the product's installed SysV init script
INITSOURCE=init.sh #Name of the distributed file to be installed as the SysV init script INITSOURCE= #Name of the distributed file to be installed as the SysV init script
ANNOTATED= #If non-zero, annotated configuration files are installed ANNOTATED= #If non-zero, annotated configuration files are installed
SYSCONFDIR= #Directory where SysV init parameter files are installed SYSCONFDIR= #Directory where SysV init parameter files are installed
SYSTEMD= #Directory where .service files are installed (systems running systemd only) SYSTEMD=/usr/lib/systemd/system #Directory where .service files are installed (systems running systemd only)
SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
VARLIB=/var/lib #Directory where product variable data is stored. VARLIB=/var/lib #Directory where product variable data is stored.
VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored. VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored.
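Review bot: the rc file now sets SBINDIR=/usr/sbin and SYSTEMD=/usr/lib/systemd/system while blanking INITDIR, INITFILE and INITSOURCE; confirm that the installer tolerates empty INITFILE/INITSOURCE without attempting to install an init script, and that the shorewall-lite unit later in this compare, which hardcodes `/sbin/shorewall-lite`, is rewritten from SBINDIR at install time, otherwise the unit will point at a directory this file no longer installs into.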

View File

@@ -13,8 +13,8 @@ Type=oneshot
RemainAfterExit=yes RemainAfterExit=yes
EnvironmentFile=-/etc/sysconfig/shorewall-init EnvironmentFile=-/etc/sysconfig/shorewall-init
StandardOutput=syslog StandardOutput=syslog
ExecStart=/sbin/shorewall-init $OPTIONS start ExecStart=/shorewall-init $OPTIONS start
ExecStop=/sbin/shorewall-init $OPTIONS stop ExecStop=/shorewall-init $OPTIONS stop
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target
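Review bot: as rendered here the new ExecStart and ExecStop lines reference `/shorewall-init`, a path with no directory component, where the old lines had `/sbin/shorewall-init`; unless the installer substitutes the directory into this template, systemd will fail to start the unit. Either keep `/sbin/shorewall-init`, matching the shorewall-lite unit below, or add a comment in the unit file stating that the path is a placeholder the installer fills in.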

View File

@@ -1,58 +0,0 @@
#!/bin/bash
OPTIONS="-f"
if [ -f /etc/sysconfig/shorewall ] ; then
. /etc/sysconfig/shorewall
elif [ -f /etc/default/shorewall ] ; then
. /etc/default/shorewall
fi
# if you want to override options, do so in /etc/sysconfig/shorewall or
# in /etc/default/shorewall --
# i strongly encourage you use the latter, since /etc/sysconfig/ does not exist.
. /etc/rc.conf
. /etc/rc.d/functions
DAEMON_NAME="shorewall" # of course shorewall is NOT a deamon.
case "$1" in
start)
stat_busy "Starting $DAEMON_NAME"
/sbin/shorewall-lite $OPTIONS start &>/dev/null
if [ $? -gt 0 ]; then
stat_fail
else
add_daemon $DAEMON_NAME
stat_done
fi
;;
stop)
stat_busy "Stopping $DAEMON_NAME"
/sbin/shorewall-lite stop &>/dev/null
if [ $? -gt 0 ]; then
stat_fail
else
rm_daemon $DAEMON_NAME
stat_done
fi
;;
restart|reload)
stat_busy "Restarting $DAEMON_NAME"
/sbin/shorewall-lite restart &>/dev/null
if [ $? -gt 0 ]; then
stat_fail
else
stat_done
fi
;;
*)
echo "usage: $0 {start|stop|restart}"
esac
exit 0
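Review bot: deleting this script is consistent with the Arch rc file in this compare blanking INITDIR, INITFILE and INITSOURCE, but note that the removed script actually drove `/sbin/shorewall-lite` while naming itself `shorewall` and sourcing /etc/sysconfig/shorewall; make sure the systemd unit that replaces it on Arch targets the same product so the lite variant does not lose its start-up path in the transition.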

View File

@@ -13,8 +13,8 @@ Type=oneshot
RemainAfterExit=yes RemainAfterExit=yes
EnvironmentFile=-/etc/sysconfig/shorewall-lite EnvironmentFile=-/etc/sysconfig/shorewall-lite
StandardOutput=syslog StandardOutput=syslog
ExecStart=/usr/sbin/shorewall-lite $OPTIONS start ExecStart=/sbin/shorewall-lite $OPTIONS start
ExecStop=/usr/sbin/shorewall-lite $OPTIONS stop ExecStop=/sbin/shorewall-lite $OPTIONS stop
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target
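Review bot: ExecStart and ExecStop move from `/usr/sbin/shorewall-lite` to `/sbin/shorewall-lite`, the opposite direction to the SBINDIR=/usr/sbin change in shorewallrc.archlinux above. If this unit is installed verbatim on Arch the path is wrong; if the installer rewrites `/sbin/` from SBINDIR, a comment in the unit saying so would stop the next reader from "fixing" it back.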

View File

@@ -72,11 +72,31 @@ our @EXPORT = ( qw(
allow_move allow_move
set_optflags set_optflags
reset_optflags reset_optflags
has_return
dont_optimize dont_optimize
dont_delete dont_delete
dont_move dont_move
add_interface_options add_interface_options
STANDARD
NATRULE
BUILTIN
NONAT
NATONLY
REDIRECT
ACTION
MACRO
LOGRULE
NFLOG
NFQ
CHAIN
SET
AUDIT
HELPER
INLINE
TERMINATING
STATEMATCH
%chain_table %chain_table
%targets %targets
$raw_table $raw_table
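Review bot: `TERMINATING` is added to @EXPORT, but no definition for it appears in the Target Types constant block later in this diff, which only gains STATEMATCH; if it is not defined elsewhere in Chains.pm the module will not compile under strict. Separately, promoting generic barewords such as SET, CHAIN, ACTION and MACRO from the `internal` tag to unconditional @EXPORT pushes them into every importer's namespace, so the other Shorewall modules should be checked for name collisions before the export list is widened.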
@@ -88,23 +108,7 @@ our @EXPORT = ( qw(
); );
our %EXPORT_TAGS = ( our %EXPORT_TAGS = (
internal => [ qw( STANDARD internal => [ qw( NO_RESTRICT
NATRULE
BUILTIN
NONAT
NATONLY
REDIRECT
ACTION
MACRO
LOGRULE
NFLOG
NFQ
CHAIN
SET
AUDIT
HELPER
INLINE
NO_RESTRICT
PREROUTE_RESTRICT PREROUTE_RESTRICT
DESTIFACE_DISALLOW DESTIFACE_DISALLOW
INPUT_RESTRICT INPUT_RESTRICT
@@ -131,6 +135,8 @@ our %EXPORT_TAGS = (
rules_chain rules_chain
blacklist_chain blacklist_chain
related_chain related_chain
invalid_chain
untracked_chain
zone_forward_chain zone_forward_chain
use_forward_chain use_forward_chain
input_chain input_chain
@@ -291,9 +297,9 @@ our $VERSION = 'MODULEVERSION';
# filtered => Number of filter rules at the front of an interface forward chain # filtered => Number of filter rules at the front of an interface forward chain
# digest => string representation of the chain's rules for use in optimization # digest => string representation of the chain's rules for use in optimization
# level 8. # level 8.
# accepted => A 'ESTABLISHED,RELATED' ACCEPT rule has been added to this chain.
# complete => The last rule in the chain is a -g or a simple -j to a terminating target # complete => The last rule in the chain is a -g or a simple -j to a terminating target
# Suppresses adding additional rules to the chain end of the chain # Suppresses adding additional rules to the chain end of the chain
# sections => { <section> = 1, ... } - Records sections that have been completed.
# } , # } ,
# <chain2> => ... # <chain2> => ...
# } # }
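Review bot: the chain-hash comment drops the `accepted` member; grep for any remaining reads or writes of `$chainref->{accepted}` so it does not linger as dead state. The new `sections` line uses `{ <section> = 1, ... }` where the rest of this comment writes hash pairs with `=>`, and the pre-existing wording "Suppresses adding additional rules to the chain end of the chain" could be tidied while the block is being edited.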
@@ -341,22 +347,23 @@ our %nfobjects;
# #
# Target Types # Target Types
# #
use constant { STANDARD => 0x1, #defined by Netfilter use constant { STANDARD => 0x1, #defined by Netfilter
NATRULE => 0x2, #Involves NAT NATRULE => 0x2, #Involves NAT
BUILTIN => 0x4, #A built-in action BUILTIN => 0x4, #A built-in action
NONAT => 0x8, #'NONAT' or 'ACCEPT+' NONAT => 0x8, #'NONAT' or 'ACCEPT+'
NATONLY => 0x10, #'DNAT-' or 'REDIRECT-' NATONLY => 0x10, #'DNAT-' or 'REDIRECT-'
REDIRECT => 0x20, #'REDIRECT' REDIRECT => 0x20, #'REDIRECT'
ACTION => 0x40, #An action (may be built-in) ACTION => 0x40, #An action (may be built-in)
MACRO => 0x80, #A Macro MACRO => 0x80, #A Macro
LOGRULE => 0x100, #'LOG','NFLOG' LOGRULE => 0x100, #'LOG','NFLOG'
NFQ => 0x200, #'NFQUEUE' NFQ => 0x200, #'NFQUEUE'
CHAIN => 0x400, #Manual Chain CHAIN => 0x400, #Manual Chain
SET => 0x800, #SET SET => 0x800, #SET
AUDIT => 0x1000, #A_ACCEPT, etc AUDIT => 0x1000, #A_ACCEPT, etc
HELPER => 0x2000, #CT:helper HELPER => 0x2000, #CT:helper
NFLOG => 0x4000, #NFLOG or ULOG NFLOG => 0x4000, #NFLOG or ULOG
INLINE => 0x8000, #Inline action INLINE => 0x8000, #Inline action
STATEMATCH => 0x10000, #action.Invalid, action.Related, etc.
}; };
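Review bot: STATEMATCH is meant to distinguish the conntrack-state actions (the comment names action.Invalid and action.Related) from ordinary ACTION targets, so the %targets entries for those actions need to carry both ACTION and STATEMATCH; that table is outside this hunk and is worth a check, since a missing bit here would silently leave the state actions on the generic path.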
# #
# Valid Targets -- value is a combination of one or more of the above # Valid Targets -- value is a combination of one or more of the above
@@ -558,7 +565,9 @@ use constant { UNIQUE => 1,
TARGET => 2, TARGET => 2,
EXCLUSIVE => 4, EXCLUSIVE => 4,
MATCH => 8, MATCH => 8,
CONTROL => 16 }; CONTROL => 16,
COMPLEX => 32
};
our %opttype = ( rule => CONTROL, our %opttype = ( rule => CONTROL,
cmd => CONTROL, cmd => CONTROL,
@@ -584,6 +593,8 @@ our %opttype = ( rule => CONTROL,
policy => MATCH, policy => MATCH,
state => EXCLUSIVE, state => EXCLUSIVE,
conntrack => COMPLEX,
jump => TARGET, jump => TARGET,
target => TARGET, target => TARGET,
targetopts => TARGET, targetopts => TARGET,
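Review bot: `conntrack => COMPLEX` makes conntrack the only COMPLEX option while `state => EXCLUSIVE` remains, so a rule can still carry both `-m state --state` and `-m conntrack --ctstate`; the new state-combining logic has to treat those as the same match or refuse the combination. A comment here saying which form generated rules are expected to use would make that contract explicit.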
@@ -723,6 +734,25 @@ sub set_rule_option( $$$ ) {
my $opttype = $opttype{$option} || MATCH; my $opttype = $opttype{$option} || MATCH;
if ( $opttype == COMPLEX ) {
#
# Consider each subtype as a separate type
#
my ( $invert, $subtype, $val, $rest ) = split ' ', $value;
if ( $invert eq '!' ) {
assert( ! supplied $rest );
$option = join( ' ', $option, $invert, $subtype );
$value = $val;
} else {
assert( ! supplied $val );
$option = join( ' ', $option, $invert );
$value = $subtype;
}
$opttype = EXCLUSIVE;
}
if ( exists $ruleref->{$option} ) { if ( exists $ruleref->{$option} ) {
assert( defined( my $value1 = $ruleref->{$option} ) , $ruleref ); assert( defined( my $value1 = $ruleref->{$option} ) , $ruleref );
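Review bot: the COMPLEX branch folds the subtype into the option key (for example `conntrack --ctstate`) and then downgrades the type to EXCLUSIVE, so a second setting of the same subtype is appended with a comma. That is correct for --ctstate, which takes a comma-separated list, but subtypes that accept a single value would end up with an invalid concatenated match; either limit the EXCLUSIVE downgrade to list-valued subtypes or reject a repeat. Two smaller points: `split ' ', $value` followed by `assert( ! supplied $rest )` / `assert( ! supplied $val )` turns a value containing whitespace into an internal assertion failure instead of a fatal_error naming the offending rule, and because the key is now composite, any code elsewhere that reads `$ruleref->{conntrack}` directly will no longer find it.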
@@ -744,6 +774,15 @@ sub set_rule_option( $$$ ) {
} elsif ( $opttype == EXCLUSIVE ) { } elsif ( $opttype == EXCLUSIVE ) {
$ruleref->{$option} .= ",$value"; $ruleref->{$option} .= ",$value";
} elsif ( $opttype == UNIQUE ) { } elsif ( $opttype == UNIQUE ) {
#
# Shorewall::Rules::perl_action_tcp_helper() can produce rules that have two -p specifications.
# The first will have a modifier like '! --syn' while the second will not. We want to retain
# the first while
if ( $option eq 'p' ) {
my ( $proto ) = split( ' ', $ruleref->{p} );
return if $proto eq $value;
}
fatal_error "Multiple $option settings in one rule is prohibited"; fatal_error "Multiple $option settings in one rule is prohibited";
} else { } else {
assert(0, $opttype ); assert(0, $opttype );
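Review bot: the comment stops mid-sentence ("We want to retain the first while"); finish it, as it is the only explanation of why a duplicate -p is tolerated. The check splits the stored value to obtain the bare protocol but compares it against the whole incoming $value, so a second `-p` that also carries a modifier, or differs only in case, still hits the fatal error; split $value the same way before comparing. When the protocols genuinely differ, "Multiple p settings in one rule is prohibited" is misleading, since the real problem is a conflict rather than a repeat.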
@@ -1629,6 +1668,20 @@ sub related_chain($$) {
'+' . &rules_chain(@_); '+' . &rules_chain(@_);
} }
#
# Name of the invalid chain between an ordered pair of zones
#
sub invalid_chain($$) {
'_' . &rules_chain(@_);
}
#
# Name of the untracked chain between an ordered pair of zones
#
sub untracked_chain($$) {
'&' . &rules_chain(@_);
}
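Review bot: the new '_' and '&' prefixes follow the existing '+' convention of related_chain, but each prefix adds a character to a rules-chain name that may already be close to the iptables chain-name length limit; verify that whatever length check exists accounts for the prefixed forms. Any code that recovers the zone pair from a chain name by stripping '+' also needs to learn the two new prefixes.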
# #
# Create the base for a chain involving the passed interface -- we make this a function so it will be # Create the base for a chain involving the passed interface -- we make this a function so it will be
# easy to change the mapping should the need ever arrive. # easy to change the mapping should the need ever arrive.
@@ -2165,7 +2218,7 @@ sub reset_optflags( $$ ) {
my $chainref = reftype $chain ? $chain : $filter_table->{$chain}; my $chainref = reftype $chain ? $chain : $filter_table->{$chain};
$chainref->{optflags} ^= $flags; $chainref->{optflags} ^= ( $flags & $chainref->{optflags} );
trace( $chainref, "O${flags}", undef, '' ) if $debug; trace( $chainref, "O${flags}", undef, '' ) if $debug;
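Review bot: the change is correct, since `^=` with the raw flags toggled bits that were not set and turned a reset into a set, but `$chainref->{optflags} &= ~$flags;` states the intent ("clear these flags") directly and spares the reader from working out why the intersection mask is needed.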
@@ -2184,6 +2237,14 @@ sub set_optflags( $$ ) {
$chainref; $chainref;
} }
#
# Return true if the passed chain has a RETURN rule.
#
sub has_return( $ ) {
$_[0]->{optflags} & RETURNS;
}
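Review bot: has_return dereferences `$_[0]` directly, whereas the neighbouring optflag helpers (reset_optflags above) accept either a chain reference or a chain name and resolve the name through $filter_table; either accept both forms here for consistency or document that only a reference is allowed, since a caller passing a name would get a strict-refs error.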
# #
# Reset the dont_optimize flag for a chain # Reset the dont_optimize flag for a chain
# #
@@ -2674,11 +2735,29 @@ sub delete_references( $ ) {
$count; $count;
} }
#
# Calculate a digest for the passed chain and store it in the {digest} member.
#
sub calculate_digest( $ ) {
my $chainref = shift;
my $digest = '';
for ( @{$chainref->{rules}} ) {
if ( $digest ) {
$digest .= ' |' . format_rule( $chainref, $_, 1 );
} else {
$digest = format_rule( $chainref, $_, 1 );
}
}
$chainref->{digest} = sha1 $digest;
}
# #
# Replace jumps to the passed chain with jumps to the passed target # Replace jumps to the passed chain with jumps to the passed target
# #
sub replace_references( $$$ ) { sub replace_references( $$$;$ ) {
my ( $chainref, $target, $targetopts ) = @_; my ( $chainref, $target, $targetopts, $digest ) = @_;
my $tableref = $chain_table{$chainref->{table}}; my $tableref = $chain_table{$chainref->{table}};
my $count = 0; my $count = 0;
my $name = $chainref->{name}; my $name = $chainref->{name};
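Review bot: `sha1 $digest` relies on Digest::SHA's sha1 being imported into Chains.pm, which this hunk does not show; confirm the import exists. The fourth argument to replace_references is a boolean requesting a digest recalculation rather than a digest, so a name such as $recalculate would read better than $digest. Minor: an empty chain receives the sha1 of the empty string, which is harmless on its own but means all empty chains share a digest, so optimize level 8 must not treat equal digests as proof of equal chains without also comparing the rules.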
@@ -2707,6 +2786,10 @@ sub replace_references( $$$ ) {
} }
} }
# #
# The chain has been modified, so the digest is now stale
#
calculate_digest( $fromref ) if $digest;
#
# The passed chain is no longer referenced by chain $fromref # The passed chain is no longer referenced by chain $fromref
# #
delete $chainref->{references}{$fromref->{name}}; delete $chainref->{references}{$fromref->{name}};
@@ -2925,6 +3008,7 @@ sub optimize_level4( $$ ) {
# A chain with a single 'RETURN' rule -- get rid of it # A chain with a single 'RETURN' rule -- get rid of it
# #
delete_chain_and_references( $chainref ); delete_chain_and_references( $chainref );
$progress = 1;
} else { } else {
# #
# Replace all references to this chain with references to the target # Replace all references to this chain with references to the target
@@ -2933,16 +3017,19 @@ sub optimize_level4( $$ ) {
$progress = 1; $progress = 1;
} }
} elsif ( $firstrule->{target} ) { } elsif ( $firstrule->{target} ) {
# if ( $firstrule->{target} eq 'RETURN' ) {
# Not so easy -- the rule contains matches #
# # A chain with a single 'RETURN' rule -- get rid of it
if ( $chainref->{builtin} || ! $globals{KLUDGEFREE} || $firstrule->{policy} ) { #
delete_chain_and_references( $chainref );
$progress = 1;
} elsif ( $chainref->{builtin} || ! $globals{KLUDGEFREE} || $firstrule->{policy} ) {
# #
# This case requires a new rule merging algorithm. Ignore this chain for # This case requires a new rule merging algorithm. Ignore this chain for
# now on. # now on.
# #
$chainref->{optflags} |= DONT_OPTIMIZE; $chainref->{optflags} |= DONT_OPTIMIZE;
} else { } elsif ( ! ( $chainref->{optflags} & DONT_MOVE ) ) {
# #
# Replace references to this chain with the target and add the matches # Replace references to this chain with the target and add the matches
# #
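Review bot: the new `if ( $firstrule->{target} eq 'RETURN' )` branch is tested before the `$chainref->{builtin}` guard, so a builtin chain whose single rule is a RETURN with matches now reaches delete_chain_and_references; either confirm that function refuses builtin chains or add `! $chainref->{builtin} &&` to the condition. Separately, the `else` became `elsif ( ! ( $chainref->{optflags} & DONT_MOVE ) )`, so a DONT_MOVE chain now takes no branch at all and is rescanned on every pass; a comment that this is deliberate (or setting DONT_OPTIMIZE as the preceding branch does) would make that explicit.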
@@ -2956,6 +3043,15 @@ sub optimize_level4( $$ ) {
# #
my $rulesref = $chainref->{rules}; my $rulesref = $chainref->{rules};
if ( ( $lastref->{target} || '' ) eq 'RETURN' ) {
#
# The last rule is a RETURN -- get rid of it
#
pop @$rulesref;
$lastref = $rulesref->[-1];
$progress = 1;
}
if ( $lastref->{simple} && $lastref->{target} && ! $lastref->{targetopts} ) { if ( $lastref->{simple} && $lastref->{target} && ! $lastref->{targetopts} ) {
my $target = $lastref->{target}; my $target = $lastref->{target};
my $count = 0; my $count = 0;
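Review bot: after `pop @$rulesref;` the chain can be empty when the trailing RETURN was its only rule, in which case `$lastref = $rulesref->[-1];` is undef and the following `$lastref->{simple}` test autovivifies a throw-away hash instead of failing loudly. If the single-rule branch above guarantees at least two rules at this point, say so in the comment; otherwise skip the chain when `@$rulesref` is empty.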
@@ -3083,128 +3179,137 @@ sub optimize_level4( $$ ) {
$passes; $passes;
} }
#
# Compare two chains. Sort in reverse order except within names that have the
# same first character, which are sorted in forward order.
#
sub level8_compare( $$ ) {
my ( $name1, $name2 ) = ( $_[0]->{name}, $_[1]->{name} );
if ( substr( $name1, 0, 1 ) eq substr( $name2, 0, 1 ) ) {
$name1 cmp $name2;
} else {
$name2 cmp $name1;
}
}
# #
# Delete duplicate chains replacing their references # Delete duplicate chains replacing their references
# #
sub optimize_level8( $$$ ) { sub optimize_level8( $$$ ) {
my ( $table, $tableref , $passes ) = @_; my ( $table, $tableref , $passes ) = @_;
my $progress = 1; my $progress = 1;
my @chains = ( grep $_->{referenced} && ! $_->{builtin}, values %{$tableref} );
my @chains1 = @chains;
my $chains = @chains;
my $chainseq = 0; my $chainseq = 0;
my %rename;
my %combined;
$passes++;
progress_message "\n Table $table pass $passes, $chains referenced user chains, level 8...";
%renamed = (); %renamed = ();
for my $chainref ( @chains ) { while ( $progress ) {
my $digest = ''; my @chains = ( sort level8_compare grep $_->{referenced} && ! $_->{builtin}, values %{$tableref} );
my @chains1 = @chains;
my $chains = @chains;
my %rename;
my %combined;
for ( @{$chainref->{rules}} ) { $progress = 0;
if ( $digest ) {
$digest .= ' |' . format_rule( $chainref, $_, 1 );
} else {
$digest = format_rule( $chainref, $_, 1 );
}
}
$chainref->{digest} = sha1 $digest; progress_message "\n Table $table pass $passes, $chains referenced user chains, level 8...";
}
for my $chainref ( @chains ) { $passes++;
my $rules = $chainref->{rules};
#
# Shift the current $chainref off of @chains1
#
shift @chains1;
#
# Skip empty chains
#
for my $chainref1 ( @chains1 ) {
next unless @{$chainref1->{rules}};
next if $chainref1->{optflags} & DONT_DELETE;
if ( $chainref->{digest} eq $chainref1->{digest} ) {
progress_message " Chain $chainref1->{name} combined with $chainref->{name}";
replace_references $chainref1, $chainref->{name}, undef;
unless ( $chainref->{name} =~ /^~/ ) { calculate_digest( $_ ) for ( grep ! $_->{digest}, @chains );
#
# For simple use of the BLACKLIST section, we can end up with many identical
# chains. To distinguish them from other renamed chains, we keep track of
# these chains via the 'blacklistsection' member.
#
$rename{ $chainref->{name} } = $chainref->{blacklistsection} ? '~blacklist' : '~comb';
}
$combined{ $chainref1->{name} } = $chainref->{name}; for my $chainref ( @chains ) {
} my $rules = $chainref->{rules};
} #
} # Shift the current $chainref off of @chains1
#
shift @chains1;
#
# Skip empty chains
#
for my $chainref1 ( @chains1 ) {
next unless @{$chainref1->{rules}};
next if $chainref1->{optflags} & DONT_DELETE;
if ( $chainref->{digest} eq $chainref1->{digest} ) {
progress_message " Chain $chainref1->{name} combined with $chainref->{name}";
$progress = 1;
replace_references $chainref1, $chainref->{name}, undef, 1;
my @rename = keys %rename; unless ( $chainref->{name} =~ /^~/ || $chainref1->{name} =~ /^%/ ) {
#
# For simple use of the BLACKLIST section, we can end up with many identical
# chains. To distinguish them from other renamed chains, we keep track of
# these chains via the 'blacklistsection' member.
#
$rename{ $chainref->{name} } = $chainref->{blacklistsection} ? '~blacklist' : '~comb';
}
if ( @rename ) { $combined{ $chainref1->{name} } = $chainref->{name};
#
# First create aliases for each renamed chain and change the {name} member.
#
for my $oldname ( @rename ) {
my $newname = $renamed{ $oldname } = $rename{ $oldname } . $chainseq++;
trace( $tableref->{$oldname}, 'RN', 0, " Renamed $newname" ) if $debug;
$tableref->{$newname} = $tableref->{$oldname};
$tableref->{$oldname}{name} = $newname;
progress_message " Chain $oldname renamed to $newname";
}
#
# Next, map the combined names
#
while ( my ( $oldname, $combinedname ) = each %combined ) {
$renamed{$oldname} = $renamed{$combinedname} || $combinedname;
}
#
# Now adjust the references to point to the new name
#
while ( my ($chain, $chainref ) = each %$tableref ) {
my %references = %{$chainref->{references}};
if ( my $newname = $renamed{$chainref->{policychain} || ''} ) {
$chainref->{policychain} = $newname;
}
while ( my ( $chain1, $chainref1 ) = each %references ) {
if ( my $newname = $renamed{$chainref->{references}{$chain1}} ) {
$chainref->{references}{$newname} = $chainref->{references}{$chain1};
delete $chainref->{references}{$chain1};
} }
} }
} }
#
# Delete the old names from the table
#
delete $tableref->{$_} for @rename;
#
# And fix up the rules
#
for my $chainref ( values %$tableref ) {
my $rulenum = 0;
for ( @{$chainref->{rules}} ) { if ( $progress ) {
$rulenum++; my @rename = keys %rename;
#
# First create aliases for each renamed chain and change the {name} member.
#
for my $oldname ( @rename ) {
my $newname = $renamed{ $oldname } = $rename{ $oldname } . $chainseq++;
if ( my $newname = $renamed{$_->{target}} ) { trace( $tableref->{$oldname}, 'RN', 0, " Renamed $newname" ) if $debug;
$_->{target} = $newname; $tableref->{$newname} = $tableref->{$oldname};
trace( $chainref, 'R', $rulenum, $_ ) if $debug; $tableref->{$oldname}{name} = $newname;
progress_message " Chain $oldname renamed to $newname";
}
#
# Next, map the combined names
#
while ( my ( $oldname, $combinedname ) = each %combined ) {
$renamed{$oldname} = $renamed{$combinedname} || $combinedname;
}
#
# Now adjust the references to point to the new name
#
while ( my ($chain, $chainref ) = each %$tableref ) {
my %references = %{$chainref->{references}};
if ( my $newname = $renamed{$chainref->{policychain} || ''} ) {
$chainref->{policychain} = $newname;
}
while ( my ( $chain1, $chainref1 ) = each %references ) {
if ( my $newname = $renamed{$chainref->{references}{$chain1}} ) {
$chainref->{references}{$newname} = $chainref->{references}{$chain1};
delete $chainref->{references}{$chain1};
}
}
}
#
# Delete the old names from the table
#
delete $tableref->{$_} for @rename;
#
# And fix up the rules
#
for my $chainref ( values %$tableref ) {
my $rulenum = 0;
for ( @{$chainref->{rules}} ) {
$rulenum++;
if ( my $newname = $renamed{$_->{target}} ) {
$_->{target} = $newname;
delete $chainref->{digest};
trace( $chainref, 'R', $rulenum, $_ ) if $debug;
}
} }
} }
} }
} }
$passes; $passes;
} }
# #
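Review bot: `progress_message "\n Table $table pass $passes, ..."` now runs before `$passes++;`, so the level 8 pass number printed is one lower than before (the first pass reports 0), whereas optimize_level16 still increments with `++$passes;` before doing its work; swap the two statements back. Also, the new exclusion `$chainref1->{name} =~ /^%/` in `unless ( $chainref->{name} =~ /^~/ || $chainref1->{name} =~ /^%/ )` is undocumented; the comment block that follows explains only the blacklist-section case.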
@@ -3390,13 +3495,13 @@ sub combine_dports {
# using any of these matches, because an intervening rule could modify the result of the match # using any of these matches, because an intervening rule could modify the result of the match
# of the second duplicate # of the second duplicate
# #
my %bad_match = ( conntrack => 1, my %bad_match = ( 'conntrack --ctstate' => 1,
dscp => 1, dscp => 1,
ecn => 1, ecn => 1,
mark => 1, mark => 1,
set => 1, set => 1,
tos => 1, tos => 1,
u32 => 1 ); u32 => 1 );
# #
# Delete duplicate rules from the passed chain. # Delete duplicate rules from the passed chain.
# #
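Review bot: the %bad_match key `'conntrack --ctstate'` has to match the key that state_imatch now emits (`'conntrack --ctstate' => $state`); any code path that still produces a plain `conntrack` key would silently stop being treated as a bad match by delete_duplicates, so the same rename is needed wherever conntrack matches are generated.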
@@ -3482,6 +3587,142 @@ sub delete_duplicates {
\@rules; \@rules;
} }
#
# Get the 'conntrack' state(s) for the passed rule reference
#
sub get_conntrack( $ ) {
my $ruleref = $_[0];
if ( my $states = $ruleref->{'conntrack --ctstate'} ) {
#
# Normalize the rule and return the states.
#
delete $ruleref->{targetopts} unless $ruleref->{targetopts};
$ruleref->{simple} = '' unless $ruleref->{simple};
return $states
}
'';
}
#
# Return an array of keys for the passed rule. 'conntrack' and 'comment' are omitted;
#
sub get_keys1( $ ) {
sort grep $_ ne 'conntrack --ctstate' && $_ ne 'comment', keys %{$_[0]};
}
#
# The arguments are a list of rule references; function returns a similar list with adjacent compatible rules combined
#
# Adjacent rules are compatible if:
#
# - They all specify conntrack match
# - All of the rest of their members are identical with the possible exception of 'comment'.
#
# Adjacent distinct comments are combined, separated by ', '. Redundant adjacent comments are dropped.
#
sub combine_states {
my @rules;
my $rulenum = 1;
my $chainref = shift;
my $baseref = shift;
while ( $baseref ) {
{
my $ruleref;
my $conntrack;
my $basenum = $rulenum;
if ( my $conntrack1 = get_conntrack( $baseref ) ) {
my @keys1 = get_keys1( $baseref );
my @states = ( split ',', $conntrack1 );
my %states;
$states{$_} = 1 for @states;
my $origstates = @states;
my $comment = $baseref->{comment} || '';
my $lastcomment = $comment;
RULE:
while ( ( $ruleref = shift ) ) {
my $conntrack2;
$rulenum++;
if ( $conntrack2 = get_conntrack( $ruleref ) ) {
#
# We have a candidate
#
my $comment2 = $ruleref->{comment} || '';
last if $comment2 ne $lastcomment && length( $comment ) + length( $comment2 ) > 253;
my @keys2 = get_keys1( $ruleref );
last unless @keys1 == @keys2 ;
my $keynum = 0;
for my $key ( @keys1 ) {
last RULE unless $key eq $keys2[$keynum++];
last RULE unless compare_values( $baseref->{$key}, $ruleref->{$key} );
}
if ( $comment2 ) {
if ( $comment ) {
$comment .= ", $comment2" unless $comment2 eq $lastcomment;
} else {
$comment = 'Others and ';
last if length( $comment ) + length( $comment2 ) > 255;
$comment .= $comment2;
}
$lastcomment = $comment2;
} else {
if ( $comment ) {
unless ( ( $comment2 = ' and others' ) eq $lastcomment ) {
last if length( $comment ) + length( $comment2 ) > 255;
$comment .= $comment2;
}
}
$lastcomment = $comment2;
}
for ( split ',', $conntrack2 ) {
unless ( $states{$_} ) {
push @states, $_;
$states{$_} = 1;
}
}
trace( $chainref, 'D', $rulenum, $ruleref ) if $debug;
} else {
#
# Rule doesn't have the conntrack match
#
last;
}
}
if ( @states > $origstates ) {
$baseref->{'conntrack --ctstate'} = join( ',', @states );
trace ( $chainref, 'R', $basenum, $baseref ) if $debug;
}
}
push @rules, $baseref;
$baseref = $ruleref ? $ruleref : shift;
}
}
\@rules;
}
sub optimize_level16( $$$ ) { sub optimize_level16( $$$ ) {
my ( $table, $tableref , $passes ) = @_; my ( $table, $tableref , $passes ) = @_;
my @chains = ( grep $_->{referenced}, values %{$tableref} ); my @chains = ( grep $_->{referenced}, values %{$tableref} );
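Review bot: the combined comment is never stored. `$comment` is built up in the RULE loop ('Others and ', ', ...'), but after the loop only `$baseref->{'conntrack --ctstate'} = join( ',', @states );` is written, so `$baseref->{comment}` keeps its original text and the header's promise that "Adjacent distinct comments are combined" does not hold; assign `$baseref->{comment} = $comment` inside the `if ( @states > $origstates )` block. Smaller points: the comment length limits disagree (253 in the first check, 255 in the later two); get_conntrack rewrites the rule (`delete $ruleref->{targetopts}`, `$ruleref->{simple} = ''`) although it reads like a pure accessor, which deserves a name or comment that says so; and the get_keys1 header should name the full key `'conntrack --ctstate'` rather than 'conntrack'.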
@@ -3501,6 +3742,13 @@ sub optimize_level16( $$$ ) {
} }
++$passes; ++$passes;
if ( have_capability 'CONNTRACK_MATCH' ) {
for my $chainref ( @chains ) {
$chainref->{rules} = combine_states( $chainref, @{$chainref->{rules}} );
}
}
} }
# #
@@ -3810,7 +4058,9 @@ sub state_imatch( $ ) {
my $state = shift; my $state = shift;
unless ( $state eq 'ALL' ) { unless ( $state eq 'ALL' ) {
have_capability 'CONNTRACK_MATCH' ? ( conntrack => "--ctstate $state" ) : ( state => "--state $state" ); have_capability 'CONNTRACK_MATCH' ? ( 'conntrack --ctstate' => $state ) : ( state => "--state $state" );
} else {
();
} }
} }
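Review bot: `unless ( $state eq 'ALL' ) { ... } else { (); }` reads as a double negative; `return () if $state eq 'ALL';` followed by the capability test says the same thing more plainly. Since 'ALL' now yields an empty match list, callers that build a rule from the result should be checked for the assumption that at least one match pair comes back.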


@@ -545,13 +545,16 @@ our %deprecated = ( LOGRATE => '' ,
LOGBURST => '' , LOGBURST => '' ,
EXPORTPARAMS => 'no', EXPORTPARAMS => 'no',
WIDE_TC_MARKS => 'no', WIDE_TC_MARKS => 'no',
HIGH_ROUTE_MARKS => 'no' HIGH_ROUTE_MARKS => 'no',
BLACKLISTNEWONLY => 'yes',
); );
# #
# Deprecated options that are eliminated via update # Deprecated options that are eliminated via update
# #
our %converted = ( WIDE_TC_MARKS => 1, our %converted = ( WIDE_TC_MARKS => 1,
HIGH_ROUTE_MARKS => 1 ); HIGH_ROUTE_MARKS => 1,
BLACKLISTNEWONLY => 1,
);
# #
# Variables involved in ?IF, ?ELSE ?ENDIF processing # Variables involved in ?IF, ?ELSE ?ENDIF processing
# #
@@ -642,7 +645,7 @@ sub initialize( $;$$) {
EXPORT => 0, EXPORT => 0,
KLUDGEFREE => '', KLUDGEFREE => '',
STATEMATCH => '-m state --state', STATEMATCH => '-m state --state',
VERSION => "4.5.13-Beta1", VERSION => "4.5.13-Beta3",
CAPVERSION => 40512 , CAPVERSION => 40512 ,
); );
# #
@@ -672,6 +675,8 @@ sub initialize( $;$$) {
STARTUP_LOG => undef, STARTUP_LOG => undef,
SFILTER_LOG_LEVEL => undef, SFILTER_LOG_LEVEL => undef,
RPFILTER_LOG_LEVEL => undef, RPFILTER_LOG_LEVEL => undef,
INVALID_LOG_LEVEL => undef,
UNTRACKED_LOG_LEVEL => undef,
# #
# Location of Files # Location of Files
# #
@@ -720,6 +725,7 @@ sub initialize( $;$$) {
DETECT_DNAT_IPADDRS => undef, DETECT_DNAT_IPADDRS => undef,
MUTEX_TIMEOUT => undef, MUTEX_TIMEOUT => undef,
ADMINISABSENTMINDED => undef, ADMINISABSENTMINDED => undef,
BLACKLIST => undef,
BLACKLISTNEWONLY => undef, BLACKLISTNEWONLY => undef,
DELAYBLACKLISTLOAD => undef, DELAYBLACKLISTLOAD => undef,
MODULE_SUFFIX => undef, MODULE_SUFFIX => undef,
@@ -782,6 +788,8 @@ sub initialize( $;$$) {
SFILTER_DISPOSITION => undef, SFILTER_DISPOSITION => undef,
RPFILTER_DISPOSITION => undef, RPFILTER_DISPOSITION => undef,
RELATED_DISPOSITION => undef, RELATED_DISPOSITION => undef,
INVALID_DISPOSITION => undef,
UNTRACKED_DISPOSITION => undef,
# #
# Mark Geometry # Mark Geometry
# #
@@ -942,7 +950,7 @@ sub initialize( $;$$) {
%compiler_params = (); %compiler_params = ();
%actparms = ( 0 => 0, loglevel => '', logtag => '', chain => '', disposition => '' ); %actparms = ( 0 => 0, loglevel => '', logtag => '', chain => '', disposition => '', caller => '' );
$parmsmodified = 0; $parmsmodified = 0;
%helpers_enabled = ( %helpers_enabled = (
@@ -1084,6 +1092,8 @@ sub currentlineinfo() {
} }
} }
sub handle_first_entry();
# #
# Issue a Warning Message # Issue a Warning Message
# #
@@ -1092,6 +1102,8 @@ sub warning_message
my $currentlineinfo = currentlineinfo; my $currentlineinfo = currentlineinfo;
our @localtime; our @localtime;
handle_first_entry if $first_entry;
$| = 1; #Reset output buffering (flush any partially filled buffers). $| = 1; #Reset output buffering (flush any partially filled buffers).
if ( $log ) { if ( $log ) {
@@ -1176,6 +1188,8 @@ sub cleanup() {
sub fatal_error { sub fatal_error {
my $currentlineinfo = currentlineinfo; my $currentlineinfo = currentlineinfo;
handle_first_entry if $first_entry;
$| = 1; #Reset output buffering (flush any partially filled buffers). $| = 1; #Reset output buffering (flush any partially filled buffers).
if ( $log ) { if ( $log ) {
@@ -1204,6 +1218,8 @@ sub fatal_error {
} }
sub fatal_error1 { sub fatal_error1 {
handle_first_entry if $first_entry;
$| = 1; $| = 1;
if ( $log ) { if ( $log ) {
@@ -1796,8 +1812,12 @@ sub split_list2( $$ ) {
sub split_list3( $$ ) { sub split_list3( $$ ) {
my ($list, $type ) = @_; my ($list, $type ) = @_;
#
fatal_error "Invalid $type ($list)" if $list =~ /^,|,,/; # We allow omitted arguments in action invocations.
#
$list =~ s/^,/-,/;
$list =~ s/,$/,-/;
$list =~ s/,,/,-,/g;
my @list1 = split /,/, $list; my @list1 = split /,/, $list;
my @list2; my @list2;
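Review bot: `$list =~ s/,,/,-,/g;` leaves runs of three or more commas partly unfilled because each match consumes both commas (",,," becomes ",-,,"), so two consecutive omitted arguments still produce an empty element after the split; use `1 while $list =~ s/,,/,-,/;` or `$list =~ s/,(?=,)/,-/g;` instead.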
@@ -2160,8 +2180,9 @@ sub evaluate_expression( $$$ ) {
# $1 $2 $3 - $4 # $1 $2 $3 - $4
while ( $expression =~ m( ^(.*?) \@({)? (\d+|[a-zA-Z]\w*) (?(2)}) (.*)$ )x ) { while ( $expression =~ m( ^(.*?) \@({)? (\d+|[a-zA-Z]\w*) (?(2)}) (.*)$ )x ) {
my ( $first, $var, $rest ) = ( $1, $3, $4); my ( $first, $var, $rest ) = ( $1, $3, $4);
$var = numeric_value( $var ) if $var; $var = numeric_value( $var ) if $var =~ /^\d/;
$val = $var ? $actparms{$var} : $chain; $val = $var ? $actparms{$var} : $chain;
$parmsmodified ||= $var eq 'caller';
$expression = join_parts( $first, $val, $rest ); $expression = join_parts( $first, $val, $rest );
directive_error( "Variable Expansion Loop" , $filename, $linenumber ) if ++$count > 100; directive_error( "Variable Expansion Loop" , $filename, $linenumber ) if ++$count > 100;
} }
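Review bot: `$parmsmodified ||= $var eq 'caller';` has no comment; why merely expanding @caller marks the action parameters as modified, when expanding any other variable does not, is not obvious from this hunk and should be stated next to the line.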
@@ -2191,7 +2212,9 @@ sub evaluate_expression( $$$ ) {
print "EXPR=> $expression\n" if $debug; print "EXPR=> $expression\n" if $debug;
unless ( $expression =~ /^\d+$/ ) { if ( $expression =~ /^\d+$/ ) {
$val = $expression
} else {
# #
# Not a simple one-term expression -- compile it # Not a simple one-term expression -- compile it
# #
@@ -2281,15 +2304,16 @@ sub process_compiler_directive( $$$$ ) {
directive_error( "Missing SET expression" , $filename, $linenumber) unless supplied $expression; directive_error( "Missing SET expression" , $filename, $linenumber) unless supplied $expression;
if ( ( $1 || '' ) eq '@' ) { if ( ( $1 || '' ) eq '@' ) {
$var = $2;
$var = numeric_value( $var ) if $var =~ /^\d/; $var = numeric_value( $var ) if $var =~ /^\d/;
$var = $2 || 'chain'; $var = $2 || 'chain';
directive_error( "Action variables may only be SET in the body of an action", $filename, $linenumber ) unless $actparms{0}; directive_error( "Shorewall variables may only be SET in the body of an action", $filename, $linenumber ) unless $actparms{0};
my $val = $actparms{$var} = evaluate_expression ( $expression, my $val = $actparms{$var} = evaluate_expression ( $expression,
$filename, $filename,
$linenumber ); $linenumber );
$parmsmodified = 1; $parmsmodified = 1;
} else { } else {
$variables{$1} = evaluate_expression( $expression, $variables{$2} = evaluate_expression( $expression,
$filename, $filename,
$linenumber ); $linenumber );
} }
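Review bot: in the SET branch the sequence `$var = $2;` / `$var = numeric_value( $var ) if $var =~ /^\d/;` / `$var = $2 || 'chain';` discards the normalized value, since the third assignment overwrites `$var` with the raw capture again; put the `|| 'chain'` assignment first and apply numeric_value after it.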
@@ -2310,12 +2334,28 @@ sub process_compiler_directive( $$$$ ) {
unless ( $omitting ) { unless ( $omitting ) {
my $var = $expression; my $var = $expression;
directive_error( "Missing RESET variable", $filename, $linenumber) unless supplied $var; directive_error( "Missing RESET variable", $filename, $linenumber) unless supplied $var;
directive_error( "Invalid RESET variable ($var)", $filename, $linenumber) unless $var =~ /^\$?([a-zA-Z]\w*)$/; directive_error( "Invalid RESET variable ($var)", $filename, $linenumber) unless $var =~ /^(\$)?([a-zA-Z]\w*)$/ || $var =~ /^(@)(\d+|[a-zA-Z]\w*)/;
if ( ( $1 || '' ) eq '@' ) {
$var = numeric_value( $var ) if $var =~ /^\d/;
$var = $2 || 'chain';
directive_error( "Shorewall variables may only be RESET in the body of an action", $filename, $linenumber ) unless $actparms{0};
if ( exists $actparms{$var} ) {
if ( $var =~ /^loglevel|logtag|chain|disposition|caller$/ ) {
$actparms{$var} = '';
} else {
delete $actparms{$var}
}
} else {
directive_warning( "Shorewall variable $2 does not exist", $filename, $linenumber );
}
if ( exists $variables{$1} ) {
delete $variables{$1};
} else { } else {
directive_warning( "Variable $1 does not exist", $filename, $linenumber ); if ( exists $variables{$2} ) {
delete $variables{$2};
} else {
directive_warning( "Shell variable $2 does not exist", $filename, $linenumber );
}
} }
} }
} , } ,
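Review bot: `if ( $var =~ /^loglevel|logtag|chain|disposition|caller$/ )` binds `^` only to loglevel and `$` only to caller, so a user variable such as @mychain or @logtag2 matches and is set to '' instead of deleted; use `/^(?:loglevel|logtag|chain|disposition|caller)$/`. Two more points in the same branch: the `@` alternative `/^(@)(\d+|[a-zA-Z]\w*)/` lacks the `$` anchor that the `$` form has, so `@1x` passes validation; and `$var = numeric_value( $var ) if $var =~ /^\d/;` can never fire because `$var` still begins with '@' at that point (the `$var = $2 || 'chain';` assignment comes one line later).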
@@ -2778,10 +2818,10 @@ sub embedded_perl( $ ) {
} }
# #
# Push/pop action params # Push/pop acton params
# #
sub push_action_params( $$$$$ ) { sub push_action_params( $$$$$$ ) {
my ( $chainref, $parms, $loglevel, $logtag, $caller ) = @_; my ( $action, $chainref, $parms, $loglevel, $logtag, $caller ) = @_;
my @parms = ( undef , split_list3( $parms , 'parameter' ) ); my @parms = ( undef , split_list3( $parms , 'parameter' ) );
$actparms{modified} = $parmsmodified; $actparms{modified} = $parmsmodified;
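Review bot: the header comment now reads "Push/pop acton params" where the old text had "action"; restore the spelling.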
@@ -2799,6 +2839,7 @@ sub push_action_params( $$$$$ ) {
} }
$actparms{0} = $chainref; $actparms{0} = $chainref;
$actparms{action} = $action;
$actparms{loglevel} = $loglevel; $actparms{loglevel} = $loglevel;
$actparms{logtag} = $logtag; $actparms{logtag} = $logtag;
$actparms{caller} = $caller; $actparms{caller} = $caller;
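Review bot: `$actparms{action} = $action;` is set here, but the `%actparms` initializer earlier in this diff (`0 => 0, loglevel => '', logtag => '', chain => '', disposition => '', caller => ''`) has no `action` entry, so @action expands to undef outside an action body; add `action => ''` there for the same reason `caller` was added.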
@@ -2893,13 +2934,14 @@ sub expand_variables( \$ ) {
if ( $var =~ /^\d+$/ ) { if ( $var =~ /^\d+$/ ) {
fatal_error "Action parameters (\$$var) may only be referenced within the body of an action" unless $chain; fatal_error "Action parameters (\$$var) may only be referenced within the body of an action" unless $chain;
unless ( $config{IGNOREUNKNOWNVARIABLES} ) { if ( $config{IGNOREUNKNOWNVARIABLES} ) {
fatal_error "Invalid action parameter (\$$var)" if ( length( $var ) > 1 && $var =~ /^0/ );
} else {
fatal_error "Undefined parameter (\$$var)" unless ( defined $actparms{$var} && fatal_error "Undefined parameter (\$$var)" unless ( defined $actparms{$var} &&
( length( $var ) == 1 || ( length( $var ) == 1 ||
$var !~ /^0/ ) ); $var !~ /^0/ ) );
} }
fatal_error "Invalid action parameter (\$$var)" if ( ! defined $actparms{$var} ) || ( length( $var ) > 1 && $var =~ /^0/ );
$val = $var ? $actparms{$var} : $actparms{0}->{name}; $val = $var ? $actparms{$var} : $actparms{0}->{name};
} elsif ( exists $variables{$var} ) { } elsif ( exists $variables{$var} ) {
$val = $variables{$var}; $val = $variables{$var};
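Review bot: with IGNOREUNKNOWNVARIABLES set the only remaining check is the leading-zero test, so `$val = $var ? $actparms{$var} : $actparms{0}->{name};` now yields undef for an unset `$n`; unless the caller already maps undef to '', that produces "uninitialized value" warnings rather than the intended empty expansion, so write the fallback explicitly (`$actparms{$var} || ''` or `//` on perls that have it).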
@@ -2953,8 +2995,11 @@ sub handle_first_entry() {
# $first_entry can contain either a function reference or a message. If it # $first_entry can contain either a function reference or a message. If it
# contains a reference, call the function -- otherwise issue the message # contains a reference, call the function -- otherwise issue the message
# #
reftype( $first_entry ) ? $first_entry->() : progress_message2( $first_entry ); my $entry = $first_entry;
$first_entry = 0; $first_entry = 0;
reftype( $entry ) ? $entry->() : progress_message2( $entry );
} }
# #
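Review bot: copying `$first_entry` into `$entry` and clearing it before the call is what prevents re-entry now that warning_message, fatal_error and fatal_error1 all call handle_first_entry (a first-entry callback that itself warns would otherwise recurse); a comment saying so would keep the temporary from looking redundant to the next reader.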
@@ -5045,7 +5090,6 @@ sub get_configuration( $$$$ ) {
} }
default_yes_no 'ADMINISABSENTMINDED' , ''; default_yes_no 'ADMINISABSENTMINDED' , '';
default_yes_no 'BLACKLISTNEWONLY' , '';
default_yes_no 'DISABLE_IPV6' , ''; default_yes_no 'DISABLE_IPV6' , '';
unsupported_yes_no_warning 'DYNAMIC_ZONES'; unsupported_yes_no_warning 'DYNAMIC_ZONES';
@@ -5064,7 +5108,47 @@ sub get_configuration( $$$$ ) {
default_yes_no 'FASTACCEPT' , ''; default_yes_no 'FASTACCEPT' , '';
fatal_error "BLACKLISTNEWONLY=No may not be specified with FASTACCEPT=Yes" if $config{FASTACCEPT} && ! $config{BLACKLISTNEWONLY}; if ( supplied( $val = $config{BLACKLIST} ) ) {
my %states;
if ( $val eq 'ALL' ) {
$globals{BLACKLIST_STATES} = 'ALL';
} else {
for ( split_list $val, 'BLACKLIST' ) {
fatal_error "Invalid BLACKLIST state ($_)" unless /^(?:NEW|RELATED|ESTABLISHED|INVALID|UNTRACKED)$/;
fatal_error "Duplicate BLACKLIST state($_)" if $states{$_};
$states{$_} = 1;
}
fatal_error "ESTABLISHED state may not be specified when FASTACCEPT=Yes" if $config{FASTACCEPT} && $states{ESTABLISHED};
require_capability 'RAW_TABLE', 'UNTRACKED state', 's' if $states{UNTRACKED};
#
# Place the states in a predictable order
#
my @states;
for ( qw( NEW ESTABLISHED RELATED INVALID UNTRACKED ) ) {
push @states, $_ if $states{$_};
}
$globals{BLACKLIST_STATES} = join ',', @states;
}
} elsif ( supplied $config{BLACKLISTNEWONLY} ) {
default_yes_no 'BLACKLISTNEWONLY' , '';
fatal_error "BLACKLISTNEWONLY=No may not be specified with FASTACCEPT=Yes" if $config{FASTACCEPT} && ! $config{BLACKLISTNEWONLY};
if ( have_capability 'RAW_TABLE' ) {
$globals{BLACKLIST_STATES} = $config{BLACKLISTNEWONLY} ? 'NEW,INVALID,UNTRACKED' : 'NEW,ESTABLISHED,INVALID,UNTRACKED';
} else {
$globals{BLACKLIST_STATES} = $config{BLACKLISTNEWONLY} ? 'NEW,INVALID' : 'NEW,ESTABLISHED,INVALID';
}
} else {
if ( have_capability 'RAW_TABLE' ) {
$globals{BLACKLIST_STATES} = $config{FASTACCEPT} ? 'NEW,INVALID,UNTRACKED' : 'NEW,ESTABLISHED,INVALID,UNTRACKED';
} else {
$globals{BLACKLIST_STATES} = $config{FASTACCEPT} ? 'NEW,INVALID' : 'NEW,INVALID,ESTABLISHED';
}
}
default_yes_no 'IMPLICIT_CONTINUE' , ''; default_yes_no 'IMPLICIT_CONTINUE' , '';
default_yes_no 'HIGH_ROUTE_MARKS' , ''; default_yes_no 'HIGH_ROUTE_MARKS' , '';
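Review bot: `BLACKLIST=ALL` bypasses both the `FASTACCEPT=Yes`/ESTABLISHED conflict check and the RAW_TABLE requirement because those tests live inside the `else` branch; ALL includes ESTABLISHED, so the FASTACCEPT test should cover the ALL case too. Also, the non-RAW_TABLE default `'NEW,INVALID,ESTABLISHED'` orders the states differently from `'NEW,ESTABLISHED,INVALID'` two branches above and from the "predictable order" list, and "Duplicate BLACKLIST state($_)" is missing a space. Finally, when neither BLACKLIST nor BLACKLISTNEWONLY is supplied and FASTACCEPT=No, ESTABLISHED is now blacklisted, which differs from what BLACKLISTNEWONLY=Yes (the value %deprecated lists as its default) produces; confirm that change of default is intended and documented.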
@@ -5206,6 +5290,8 @@ sub get_configuration( $$$$ ) {
default_log_level 'TCP_FLAGS_LOG_LEVEL', ''; default_log_level 'TCP_FLAGS_LOG_LEVEL', '';
default_log_level 'RFC1918_LOG_LEVEL', ''; default_log_level 'RFC1918_LOG_LEVEL', '';
default_log_level 'RELATED_LOG_LEVEL', ''; default_log_level 'RELATED_LOG_LEVEL', '';
default_log_level 'INVALID_LOG_LEVEL', '';
default_log_level 'UNTRACKED_LOG_LEVEL', '';
warning_message "RFC1918_LOG_LEVEL=$config{RFC1918_LOG_LEVEL} ignored. The 'norfc1918' interface/host option is no longer supported" if $config{RFC1918_LOG_LEVEL}; warning_message "RFC1918_LOG_LEVEL=$config{RFC1918_LOG_LEVEL} ignored. The 'norfc1918' interface/host option is no longer supported" if $config{RFC1918_LOG_LEVEL};
@@ -5256,16 +5342,56 @@ sub get_configuration( $$$$ ) {
$globals{RELATED_TARGET} = 'reject'; $globals{RELATED_TARGET} = 'reject';
} elsif ( $val eq 'A_REJECT' ) { } elsif ( $val eq 'A_REJECT' ) {
$globals{RELATED_TARGET} = $val; $globals{RELATED_TARGET} = $val;
} elsif ( $val eq 'CONTINUE' ) {
$globals{RELATED_TARGET} = '';
} else { } else {
fatal_error "Invalid value ($config{RELATED_DISPOSITION}) for RELATED_DISPOSITION" fatal_error "Invalid value ($config{RELATED_DISPOSITION}) for RELATED_DISPOSITION"
} }
require_capability 'AUDIT_TARGET' , "MACLIST_DISPOSITION=$val", 's' if $val =~ /^A_/; require_capability 'AUDIT_TARGET' , "RELATED_DISPOSITION=$val", 's' if $val =~ /^A_/;
} else { } else {
$config{RELATED_DISPOSITION} = $config{RELATED_DISPOSITION} =
$globals{RELATED_TARGET} = 'ACCEPT'; $globals{RELATED_TARGET} = 'ACCEPT';
} }
if ( $val = $config{INVALID_DISPOSITION} ) {
if ( $val =~ /^(?:A_)?DROP$/ ) {
$globals{INVALID_TARGET} = $val;
} elsif ( $val eq 'REJECT' ) {
$globals{INVALID_TARGET} = 'reject';
} elsif ( $val eq 'A_REJECT' ) {
$globals{INVALID_TARGET} = $val;
} elsif ( $val eq 'CONTINUE' ) {
$globals{INVALID_TARGET} = '';
} else {
fatal_error "Invalid value ($config{INVALID_DISPOSITION}) for INVALID_DISPOSITION"
}
require_capability 'AUDIT_TARGET' , "INVALID_DISPOSITION=$val", 's' if $val =~ /^A_/;
} else {
$config{INVALID_DISPOSITION} = 'CONTINUE';
$globals{INVALID_TARGET} = '';
}
if ( $val = $config{UNTRACKED_DISPOSITION} ) {
if ( $val =~ /^(?:A_)?(?:DROP|ACCEPT)$/ ) {
$globals{UNTRACKED_TARGET} = $val;
} elsif ( $val eq 'REJECT' ) {
$globals{UNTRACKED_TARGET} = 'reject';
} elsif ( $val eq 'A_REJECT' ) {
$globals{UNTRACKED_TARGET} = $val;
} elsif ( $val eq 'CONTINUE' ) {
$globals{UNTRACKED_TARGET} = '';
} else {
fatal_error "Invalid value ($config{UNTRACKED_DISPOSITION}) for UNTRACKED_DISPOSITION"
}
require_capability 'AUDIT_TARGET' , "UNTRACKED_DISPOSITION=$val", 's' if $val =~ /^A_/;
} else {
$config{UNTRACKED_DISPOSITION} = 'CONTINUE';
$globals{UNTRACKED_TARGET} = '';
}
if ( $val = $config{MACLIST_TABLE} ) { if ( $val = $config{MACLIST_TABLE} ) {
if ( $val eq 'mangle' ) { if ( $val eq 'mangle' ) {
fatal_error 'MACLIST_DISPOSITION=$1 is not allowed with MACLIST_TABLE=mangle' if $config{MACLIST_DISPOSITION} =~ /^((?:A)?REJECT)$/; fatal_error 'MACLIST_DISPOSITION=$1 is not allowed with MACLIST_TABLE=mangle' if $config{MACLIST_DISPOSITION} =~ /^((?:A)?REJECT)$/;
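Review bot: the RELATED, INVALID and UNTRACKED blocks are three copies of the same validate-and-map logic differing only in the accepted targets; a helper taking the option name and its allowed values would remove the duplication and the kind of copy-paste slip corrected here (the MACLIST_DISPOSITION text in the RELATED require_capability message). Please also document that ACCEPT is deliberately excluded for INVALID_DISPOSITION (`/^(?:A_)?DROP$/`) while it is permitted for UNTRACKED_DISPOSITION, so the asymmetry is not "fixed" later.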
@@ -5283,7 +5409,6 @@ sub get_configuration( $$$$ ) {
$val = $config{TCP_FLAGS_DISPOSITION} = 'DROP'; $val = $config{TCP_FLAGS_DISPOSITION} = 'DROP';
} }
default 'TC_ENABLED' , $family == F_IPV4 ? 'Internal' : 'no'; default 'TC_ENABLED' , $family == F_IPV4 ? 'Internal' : 'no';
$val = "\L$config{TC_ENABLED}"; $val = "\L$config{TC_ENABLED}";


@@ -764,7 +764,7 @@ sub add_common_rules ( $ ) {
my $chain; my $chain;
my $dynamicref; my $dynamicref;
my @state = $config{BLACKLISTNEWONLY} ? have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID' : (); my @state = state_imatch( $globals{BLACKLIST_STATES} );
my $faststate = $config{RELATED_DISPOSITION} eq 'ACCEPT' && $config{RELATED_LOG_LEVEL} eq '' ? 'ESTABLISHED,RELATED' : 'ESTABLISHED'; my $faststate = $config{RELATED_DISPOSITION} eq 'ACCEPT' && $config{RELATED_LOG_LEVEL} eq '' ? 'ESTABLISHED,RELATED' : 'ESTABLISHED';
my $level = $config{BLACKLIST_LOGLEVEL}; my $level = $config{BLACKLIST_LOGLEVEL};
my $rejectref = $filter_table->{reject}; my $rejectref = $filter_table->{reject};
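Review bot: `state_imatch( $globals{BLACKLIST_STATES} )` returns an empty list for 'ALL', so the blacklist rules then match every packet including ESTABLISHED; that is the intended meaning of ALL, but it only holds if these rules precede the `$faststate` accept, otherwise BLACKLIST=ALL silently behaves like the non-ESTABLISHED set. The RAW_TABLE gating that the old line carried now lives in get_configuration, which is fine as long as every branch there sets BLACKLIST_STATES.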

File diff suppressed because it is too large


@@ -12,6 +12,8 @@
#SECTION ALL #SECTION ALL
#SECTION ESTABLISHED #SECTION ESTABLISHED
#SECTION RELATED #SECTION RELATED
#SECTION INVALID
#SECTION UNTRACKED
SECTION NEW SECTION NEW
Invalid(DROP) net $FW tcp Invalid(DROP) net $FW tcp
SSH(ACCEPT) net $FW SSH(ACCEPT) net $FW


@@ -23,6 +23,8 @@ VERBOSITY=1
BLACKLIST_LOGLEVEL= BLACKLIST_LOGLEVEL=
INVALID_LOG_LEVEL=
LOG_MARTIANS=Yes LOG_MARTIANS=Yes
LOG_VERBOSITY=2 LOG_VERBOSITY=2
@@ -51,6 +53,8 @@ STARTUP_LOG=/var/log/shorewall-init.log
TCP_FLAGS_LOG_LEVEL=info TCP_FLAGS_LOG_LEVEL=info
UNTRACKED_LOG_LEVEL=
############################################################################### ###############################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
############################################################################### ###############################################################################
@@ -124,7 +128,7 @@ AUTOHELPERS=Yes
AUTOMAKE=No AUTOMAKE=No
BLACKLISTNEWONLY=Yes BLACKLIST="NEW,INVALID,UNTRACKED"
CLAMPMSS=No CLAMPMSS=No
@@ -224,6 +228,8 @@ ZONE2ZONE=2
BLACKLIST_DISPOSITION=DROP BLACKLIST_DISPOSITION=DROP
INVALID_DISPOSITION=CONTINUE
MACLIST_DISPOSITION=REJECT MACLIST_DISPOSITION=REJECT
RELATED_DISPOSITION=ACCEPT RELATED_DISPOSITION=ACCEPT
@@ -236,6 +242,8 @@ SFILTER_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP TCP_FLAGS_DISPOSITION=DROP
UNTRACKED_DISPOSITION=CONTINUE
################################################################################ ################################################################################
# P A C K E T M A R K L A Y O U T # P A C K E T M A R K L A Y O U T
################################################################################ ################################################################################


@@ -16,6 +16,8 @@
#SECTION ALL #SECTION ALL
#SECTION ESTABLISHED #SECTION ESTABLISHED
#SECTION RELATED #SECTION RELATED
#SECTION INVALID
#SECTION UNTRACKED
SECTION NEW SECTION NEW
# Drop packets in the INVALID state # Drop packets in the INVALID state


@@ -34,6 +34,8 @@ VERBOSITY=1
BLACKLIST_LOGLEVEL= BLACKLIST_LOGLEVEL=
INVALID_LOG_LEVEL=
LOG_MARTIANS=Yes LOG_MARTIANS=Yes
LOG_VERBOSITY=2 LOG_VERBOSITY=2
@@ -62,6 +64,8 @@ STARTUP_LOG=/var/log/shorewall-init.log
TCP_FLAGS_LOG_LEVEL=info TCP_FLAGS_LOG_LEVEL=info
UNTRACKED_LOG_LEVEL=
############################################################################### ###############################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
############################################################################### ###############################################################################
@@ -135,7 +139,7 @@ AUTOHELPERS=Yes
AUTOMAKE=No AUTOMAKE=No
BLACKLISTNEWONLY=Yes BLACKLIST="NEW,INVALID,UNTRACKED"
CLAMPMSS=No CLAMPMSS=No
@@ -235,6 +239,8 @@ ZONE2ZONE=2
BLACKLIST_DISPOSITION=DROP BLACKLIST_DISPOSITION=DROP
INVALID_DISPOSITION=CONTINUE
MACLIST_DISPOSITION=REJECT MACLIST_DISPOSITION=REJECT
RELATED_DISPOSITION=ACCEPT RELATED_DISPOSITION=ACCEPT
@@ -247,6 +253,8 @@ SFILTER_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP TCP_FLAGS_DISPOSITION=DROP
UNTRACKED_DISPOSITION=CONTINUE
################################################################################ ################################################################################
# P A C K E T M A R K L A Y O U T # P A C K E T M A R K L A Y O U T
################################################################################ ################################################################################

View File

@@ -16,6 +16,8 @@
#SECTION ALL #SECTION ALL
#SECTION ESTABLISHED #SECTION ESTABLISHED
#SECTION RELATED #SECTION RELATED
#SECTION INVALID
#SECTION UNTRACKED
SECTION NEW SECTION NEW
# Don't allow connection pickup from the net # Don't allow connection pickup from the net

View File

@@ -32,6 +32,8 @@ VERBOSITY=1
BLACKLIST_LOGLEVEL= BLACKLIST_LOGLEVEL=
INVALID_LOG_LEVEL=
LOG_MARTIANS=Yes LOG_MARTIANS=Yes
LOG_VERBOSITY=2 LOG_VERBOSITY=2
@@ -60,6 +62,8 @@ STARTUP_LOG=/var/log/shorewall-init.log
TCP_FLAGS_LOG_LEVEL=info TCP_FLAGS_LOG_LEVEL=info
UNTRACKED_LOG_LEVEL=
############################################################################### ###############################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
############################################################################### ###############################################################################
@@ -133,7 +137,7 @@ AUTOHELPERS=Yes
AUTOMAKE=No AUTOMAKE=No
BLACKLISTNEWONLY=Yes BLACKLIST="NEW,INVALID,UNTRACKED"
CLAMPMSS=Yes CLAMPMSS=Yes
@@ -233,6 +237,8 @@ ZONE2ZONE=2
BLACKLIST_DISPOSITION=DROP BLACKLIST_DISPOSITION=DROP
INVALID_DISPOSITION=CONTINUE
MACLIST_DISPOSITION=REJECT MACLIST_DISPOSITION=REJECT
RELATED_DISPOSITION=ACCEPT RELATED_DISPOSITION=ACCEPT
@@ -245,6 +251,8 @@ SFILTER_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP TCP_FLAGS_DISPOSITION=DROP
UNTRACKED_DISPOSITION=CONTINUE
################################################################################ ################################################################################
# P A C K E T M A R K L A Y O U T # P A C K E T M A R K L A Y O U T
################################################################################ ################################################################################

View File

@@ -16,6 +16,8 @@
#SECTION ALL #SECTION ALL
#SECTION ESTABLISHED #SECTION ESTABLISHED
#SECTION RELATED #SECTION RELATED
#SECTION INVALID
#SECTION UNTRACKED
SECTION NEW SECTION NEW
# Don't allow connection pickup from the net # Don't allow connection pickup from the net

View File

@@ -35,6 +35,8 @@ VERBOSITY=1
BLACKLIST_LOGLEVEL= BLACKLIST_LOGLEVEL=
INVALID_LOG_LEVEL=
LOG_MARTIANS=Yes LOG_MARTIANS=Yes
LOG_VERBOSITY=2 LOG_VERBOSITY=2
@@ -63,6 +65,8 @@ STARTUP_LOG=/var/log/shorewall-init.log
TCP_FLAGS_LOG_LEVEL=info TCP_FLAGS_LOG_LEVEL=info
UNTRACKED_LOG_LEVEL=
############################################################################### ###############################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
############################################################################### ###############################################################################
@@ -136,7 +140,7 @@ AUTOHELPERS=Yes
AUTOMAKE=No AUTOMAKE=No
BLACKLISTNEWONLY=Yes BLACKLIST="NEW,INVALID,UNTRACKED"
CLAMPMSS=Yes CLAMPMSS=Yes
@@ -236,6 +240,8 @@ ZONE2ZONE=2
BLACKLIST_DISPOSITION=DROP BLACKLIST_DISPOSITION=DROP
INVALID_DISPOSITION=CONTINUE
MACLIST_DISPOSITION=REJECT MACLIST_DISPOSITION=REJECT
RELATED_DISPOSITION=ACCEPT RELATED_DISPOSITION=ACCEPT
@@ -248,6 +254,8 @@ SFILTER_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP TCP_FLAGS_DISPOSITION=DROP
UNTRACKED_DISPOSITION=CONTINUE
################################################################################ ################################################################################
# P A C K E T M A R K L A Y O U T # P A C K E T M A R K L A Y O U T
################################################################################ ################################################################################

View File

@@ -0,0 +1,49 @@
#
# Shorewall 4 - Established Action
#
# /usr/share/shorewall/action.Established
#
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
# (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
#
# Complete documentation is available at http://shorewall.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Established[([<action>])]
#
# Default action is ACCEPT
#
##########################################################################################
?FORMAT 2
DEFAULTS ACCEPT
?BEGIN PERL;
use Shorewall::IPAddrs;
use Shorewall::Config;
use Shorewall::Chains;
use Shorewall::Rules;
my ( $action ) = get_action_params( 1 );
if ( my $check = check_state( 'ESTABLISHED' ) ) {
perl_action_helper( $action, $check == 1 ? "$globals{STATEMATCH} ESTABLISHED" : '', 'ESTABLISHED' );
}
1;
?END PERL;
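Review bot: `$action` from `get_action_params( 1 )` goes straight into `perl_action_helper` with none of the `ACCEPT|DROP|REJECT` validation the pre-change action.Invalid performed; unless `perl_action_helper` validates the target itself, a mistyped parameter is only caught when the generated ruleset is loaded. `check_state` is also used for three outcomes (false, `1`, any other true value) and only the `1` case gets a `$globals{STATEMATCH} ESTABLISHED` match; a one-line comment on what the non-1 true value means would help the next reader. Finally, this file has no `use strict;` while action.Related in the same compare has it.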

View File

@@ -5,7 +5,7 @@
# #
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
# #
# (c) 2011 - Tom Eastep (teastep@shorewall.net) # (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
# #
# Complete documentation is available at http://shorewall.net # Complete documentation is available at http://shorewall.net
# #
@@ -22,7 +22,7 @@
# along with this program; if not, write to the Free Software # along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
# Invalid[([<action>|-[,{audit|-}])] # Invalid[([<action>])]
# #
# Default action is DROP # Default action is DROP
# #
@@ -36,21 +36,18 @@ DEFAULTS DROP,-
use Shorewall::IPAddrs; use Shorewall::IPAddrs;
use Shorewall::Config; use Shorewall::Config;
use Shorewall::Chains; use Shorewall::Chains;
use Shorewall::Rules;
my ( $action, $audit ) = get_action_params( 2 ); my ( $action, $audit ) = get_action_params( 2 );
fatal_error "Invalid parameter ($audit) to action Invalid" if supplied $audit && $audit ne 'audit'; if ( supplied $audit ) {
fatal_error "Invalid parameter ($action) to action Invalid" unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/; fatal_error "Invalid parameter ($audit) to action Invalid" if $audit ne 'audit';
$action = "A_$action";
}
my $chainref = get_action_chain; if ( my $check = check_state( 'INVALID' ) ) {
perl_action_helper( $action, $check == 1 ? "$globals{STATEMATCH} INVALID" : '' , 'INVALID' );
my ( $level, $tag ) = get_action_logging; }
my $target = require_audit ( $action , $audit );
log_rule_limit $level, $chainref, 'Invalid' , $action, '', $tag, 'add', "$globals{STATEMATCH} INVALID " if $level ne '';
add_jump $chainref , $target, 0, "$globals{STATEMATCH} INVALID ";
allow_optimize( $chainref );
1; 1;
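Review bot: The header now documents `Invalid[([<action>])]`, but the code still calls `get_action_params( 2 )` and accepts an `audit` second parameter (and the unchanged `DEFAULTS DROP,-` context line still declares two defaults), so the documented and accepted syntaxes disagree; either keep `[,audit]` in the header or drop the second parameter. The removed `fatal_error ... unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/` has no visible replacement, so `Invalid(FOO)` is no longer rejected here. The same two points apply to the NotSyn and RST hunks below.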

49
Shorewall/action.New Normal file
View File

@@ -0,0 +1,49 @@
#
# Shorewall 4 - New Action
#
# /usr/share/shorewall/action.New
#
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
# (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
#
# Complete documentation is available at http://shorewall.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Untracked[([<action>])]
#
# Default action is ACCEPT
#
##########################################################################################
?FORMAT 2
DEFAULTS ACCEPT
?BEGIN PERL;
use Shorewall::IPAddrs;
use Shorewall::Config;
use Shorewall::Chains;
use Shorewall::Rules;
my ( $action ) = get_action_params( 1 );
if ( my $check = check_state( 'NEW' ) ) {
perl_action_helper( $action, $check == 1 ? "$globals{STATEMATCH} NEW" : '' , 'NEW' );
}
1;
?END PERL;
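Review bot: The syntax comment in action.New reads `Untracked[([<action>])]`, which looks like a copy-and-paste leftover from action.Untracked and should read `New[([<action>])]`. As with action.Established, there is no `use strict;` and `$action` is passed to `perl_action_helper` without validation.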

View File

@@ -22,7 +22,7 @@
# along with this program; if not, write to the Free Software # along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
# NotSyn[([<action>|-[,{audit|-}])] # NotSyn[([<action>])]
# #
# Default action is DROP # Default action is DROP
# #
@@ -33,24 +33,20 @@ DEFAULTS DROP,-
?BEGIN PERL; ?BEGIN PERL;
use strict;
use Shorewall::IPAddrs; use Shorewall::IPAddrs;
use Shorewall::Config; use Shorewall::Config;
use Shorewall::Chains; use Shorewall::Chains;
use Shorewall::Rules;
my ( $action, $audit ) = get_action_params( 2 ); my ( $action, $audit ) = get_action_params( 2 );
fatal_error "Invalid parameter ($audit) to action NotSyn" if supplied $audit && $audit ne 'audit'; if ( supplied $audit ) {
fatal_error "Invalid parameter ($action) to action NotSyn" unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/; fatal_error "Invalid parameter ($audit) to action NotSyn" if $audit ne 'audit';
$action = "A_$action";
}
my $chainref = get_action_chain; perl_action_tcp_helper( $action, '-p 6 ! --syn' );
my ( $level, $tag ) = get_action_logging;
my $target = require_audit ( $action , $audit );
log_rule_limit $level, $chainref, 'NotSyn' , $action, '', $tag, 'add', '-p 6 ! --syn ' if $level ne '';
add_jump $chainref , $target, 0, '-p 6 ! --syn ';
allow_optimize( $chainref );
1; 1;
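Review bot: Same header/code mismatch as action.Invalid: `NotSyn[([<action>])]` documents one parameter while `get_action_params( 2 )` still reads `audit`, and the removed `ACCEPT|DROP|REJECT` check on `$action` has no visible replacement. The rewrite from `log_rule_limit`/`add_jump` to `perl_action_tcp_helper( $action, '-p 6 ! --syn' )` also drops the explicit `get_action_logging` call; please confirm the helper still honours the log level and tag given on the action invocation, since silently losing the log of non-SYN packets would be hard to notice after upgrade.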

View File

@@ -22,7 +22,7 @@
# along with this program; if not, write to the Free Software # along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
# RST[([<action>|-[,{audit|-}])] # RST[([<action>])]
# #
# Default action is DROP # Default action is DROP
# #
@@ -35,21 +35,16 @@ DEFAULTS DROP,-
use Shorewall::Config; use Shorewall::Config;
use Shorewall::Chains; use Shorewall::Chains;
use Shorewall::Rules;
my ( $action, $audit ) = get_action_params( 2 ); my ( $action, $audit ) = get_action_params( 2 );
fatal_error "Invalid parameter ($audit) to action RST" if supplied $audit && $audit ne 'audit'; if ( supplied $audit ) {
fatal_error "Invalid parameter ($action) to action RST" unless $action =~ /^(?:ACCEPT|DROP)$/; fatal_error "Invalid parameter ($audit) to action RST" if $audit ne 'audit';
$action = "A_$action";
}
my $chainref = get_action_chain; perl_action_tcp_helper( $action, '-p 6 --tcp-flags RST RST' );
my ( $level, $tag ) = get_action_logging;
my $target = require_audit ( $action , $audit );
log_rule_limit $level, $chainref, 'RST' , $action, '', $tag, 'add', '-p 6 --tcp-flags RST RST ' if $level ne '';
add_jump $chainref , $target, 0, '-p 6 --tcp-flags RST RST ';
allow_optimize( $chainref );
1; 1;
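Review bot: The removed check allowed only `ACCEPT|DROP` for RST (REJECTing a bare RST serves no purpose); with it gone, `RST(REJECT)` is now accepted. If that restriction was deliberate it should move into the new code path rather than disappear. Header versus `get_action_params( 2 )` mismatch as in Invalid and NotSyn.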

50
Shorewall/action.Related Normal file
View File

@@ -0,0 +1,50 @@
#
# Shorewall 4 - Related Action
#
# /usr/share/shorewall/action.Related
#
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
# (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
#
# Complete documentation is available at http://shorewall.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Related[([<action>])]
#
# Default action is DROP
#
##########################################################################################
?FORMAT 2
DEFAULTS DROP
?BEGIN PERL;
use strict;
use Shorewall::IPAddrs;
use Shorewall::Config;
use Shorewall::Chains;
use Shorewall::Rules;
my ( $action ) = get_action_params( 1 );
if ( my $check = check_state( 'RELATED' ) ) {
perl_action_helper( $action, $check == 1 ? "$globals{STATEMATCH} RELATED" : '', 'RELATED' );
}
1;
?END PERL;
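Review bot: action.Related defaults to DROP (`DEFAULTS DROP`, "Default action is DROP") while action.Established defaults to ACCEPT and every sample shorewall.conf in this compare sets `RELATED_DISPOSITION=ACCEPT`. When the implicit rule passes RELATED_DISPOSITION the default is unused, but a bare `Related` in a user rule drops, the opposite of what the shorewall.conf(5) text calls the traditional behaviour; either state in the header comment that the default is deliberately conservative, or align it with ACCEPT.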

View File

@@ -11,49 +11,28 @@
################################################################################# #################################################################################
?FORMAT 2 ?FORMAT 2
DEFAULTS DROP,- DEFAULTS -
?BEGIN PERL; ?BEGIN PERL;
use strict; use strict;
use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6); use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6);
use Shorewall::Chains; use Shorewall::Chains;
use Shorewall::Rules;
my ( $disposition, $audit ) = get_action_params( 2 ); my $action = 'DROP';
my $chainref = get_action_chain; my ( $audit ) = get_action_params( 1 );
my ( $level, $tag ) = get_action_logging; if ( supplied $audit ) {
fatal_error "Invalid parameter ($audit) to action TCPFlags" if $audit ne 'audit';
fatal_error q(The first argument to 'TCPFlags' must be ACCEPT, REJECT, or DROP) unless $disposition =~ /^(ACCEPT|REJECT|DROP)$/; $action = "A_DROP";
if ( $level ne '-' || $audit ne '-' ) {
my $logchainref = ensure_filter_chain newlogchain( $chainref->{table} ), 0;
log_rule_limit( $level,
$logchainref,
$chainref->{name},
$disposition,
'',
$tag,
'add',
'' ) if $level;
if ( supplied $audit ) {
fatal_error "Invalid argument ($audit) to TCPFlags" if $audit ne 'audit';
require_capability 'AUDIT_TARGET', q(Passing 'audit' to the TCPFlags action), 's';
add_ijump( $logchainref, j => 'AUDIT --type ' . lc $disposition );
}
add_ijump( $logchainref, g => $disposition );
$disposition = $logchainref;
} }
add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags ALL FIN,URG,PSH'; perl_action_tcp_helper( $action, '-p tcp --tcp-flags ALL FIN,URG,PSH' );
add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags ALL NONE'; perl_action_tcp_helper( $action, '-p tcp --tcp-flags ALL NONE' );
add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags SYN,RST SYN,RST'; perl_action_tcp_helper( $action, '-p tcp --tcp-flags SYN,RST SYN,RST' );
add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags SYN,FIN SYN,FIN'; perl_action_tcp_helper( $action, '-p tcp --tcp-flags SYN,FIN SYN,FIN' );
add_ijump $chainref , g => $disposition, p => 'tcp --syn --sport 0'; perl_action_tcp_helper( $action, '-p tcp --syn --sport 0' );
?END PERL; ?END PERL;
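Review bot: The parameter interface changes incompatibly: `DEFAULTS DROP,-` with `( $disposition, $audit )` becomes `DEFAULTS -` with `( $audit )` and a hard-coded `DROP`, so an existing `TCPFlags(REJECT)` or `TCPFlags(DROP,audit)` invocation now fails with "Invalid parameter (...) to action TCPFlags" instead of working. If dropping the disposition parameter is intended, it needs a release-note entry and the man page list of parameters updated. The removed block also carried `require_capability 'AUDIT_TARGET', ...` for the audit case; the new code sets `$action = "A_DROP"` with no visible capability check, so please confirm `perl_action_tcp_helper` (or whatever resolves `A_DROP`) performs it.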

View File

@@ -0,0 +1,49 @@
#
# Shorewall 4 - Untracked Action
#
# /usr/share/shorewall/action.Untracked
#
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
# (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
#
# Complete documentation is available at http://shorewall.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Untracked[([<action>])]
#
# Default action is DROP
#
##########################################################################################
?FORMAT 2
DEFAULTS DROP
?BEGIN PERL;
use Shorewall::IPAddrs;
use Shorewall::Config;
use Shorewall::Chains;
use Shorewall::Rules;
my ( $action ) = get_action_params( 1 );
if ( my $check = check_state( 'UNTRACKED' ) ) {
perl_action_helper( $action, $check == 1 ? "$globals{STATEMATCH} UNTRACKED" : '' , 'UNTRACKED' );
}
1;
?END PERL;
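Review bot: As with action.Established and action.New, no `use strict;` and no validation of `$action` before `perl_action_helper`. The action default is DROP while the new `UNTRACKED_DISPOSITION` default is CONTINUE; that is consistent if the implicit rule always passes the disposition, but a bare `Untracked` in a user rule drops, so a short header note that the default applies only to explicit invocation would avoid surprises.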

View File

@@ -0,0 +1,53 @@
#
# Shorewall 4 - allowInvalid Action
#
# /usr/share/shorewall/action.allowInvalid
#
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
# (c) 2011 - Tom Eastep (teastep@shorewall.net)
#
# Complete documentation is available at http://shorewall.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# allowInvalid[([audit])]
#
##########################################################################################
?FORMAT 2
DEFAULTS -
?BEGIN PERL;
use strict;
use Shorewall::IPAddrs;
use Shorewall::Config;
use Shorewall::Chains;
use Shorewall::Rules;
my $action = 'ACCEPT';
my ( $audit ) = get_action_params( 1 );
if ( supplied $audit ) {
fatal_error "Invalid parameter ($audit) to action allowInvalid" if $audit ne 'audit';
$action = "A_ACCEPT";
}
perl_action_helper( "Invalid($action)", '' );
1;
?END PERL;
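Review bot: allowInvalid and dropInvalid are identical except for the ACCEPT/DROP literal; either a single parameterised wrapper or simply documenting `Invalid(ACCEPT)` and `Invalid(DROP)` would avoid maintaining two copies. `use Shorewall::IPAddrs;` and `use Shorewall::Chains;` are unused by the code shown. The audit branch sets `A_ACCEPT` without the `require_capability 'AUDIT_TARGET'` check the old TCPFlags code carried; confirm that `perl_action_helper` (via action.Invalid) checks the capability, otherwise the failure surfaces only at ruleset load.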

View File

@@ -0,0 +1,53 @@
#
# Shorewall 4 - dropInvalid Action
#
# /usr/share/shorewall/action.dropInvalid
#
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
# (c) 2011 - Tom Eastep (teastep@shorewall.net)
#
# Complete documentation is available at http://shorewall.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# dropInvalid[([audit])]
#
##########################################################################################
?FORMAT 2
DEFAULTS -
?BEGIN PERL;
use strict;
use Shorewall::IPAddrs;
use Shorewall::Config;
use Shorewall::Chains;
use Shorewall::Rules;
my $action = 'DROP';
my ( $audit ) = get_action_params( 1 );
if ( supplied $audit ) {
fatal_error "Invalid parameter ($audit) to action dropInvalid" if $audit ne 'audit';
$action = "A_DROP";
}
perl_action_helper( "Invalid($action)", '' );
1;
?END PERL;

View File

@@ -15,19 +15,11 @@
# dropBcast # Silently Drop Broadcast/multicast # dropBcast # Silently Drop Broadcast/multicast
# dropNotSyn # Silently Drop Non-syn TCP packets # dropNotSyn # Silently Drop Non-syn TCP packets
# rejNotSyn # Silently Reject Non-syn TCP packets # rejNotSyn # Silently Reject Non-syn TCP packets
# dropInvalid # Silently Drop packets that are in the INVALID
# # conntrack state.
# allowInvalid # Accept packets that are in the INVALID
# # conntrack state.
# allowoutUPnP # Allow traffic from local command 'upnpd' (does not # allowoutUPnP # Allow traffic from local command 'upnpd' (does not
# # work with kernel 2.6.14 and later). # # work with kernel 2.6.14 and later).
# allowinUPnP # Allow UPnP inbound (to firewall) traffic # allowinUPnP # Allow UPnP inbound (to firewall) traffic
# forwardUPnP # Allow traffic that upnpd has redirected from # forwardUPnP # Allow traffic that upnpd has redirected from
# # 'upnp' interfaces. # # 'upnp' interfaces.
# drop1918src # Drop packets with an RFC 1918 source address
# drop1918dst # Drop packets with an RFC 1918 original dest address
# rej1918src # Reject packets with an RFC 1918 source address
# rej1918dst # Reject packets with an RFC 1918 original dest address
# Limit # Limit the rate of connections from each individual # Limit # Limit the rate of connections from each individual
# # IP address # # IP address
# #
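Review bot: The header comment drops `dropInvalid` and `allowInvalid` from the list of standard actions, yet the next hunk adds both as real entries (`allowInvalid inline`, `dropInvalid inline`); if the comment is meant to describe the entries that follow, those two lines should stay. The `drop1918src`/`drop1918dst`/`rej1918src`/`rej1918dst` lines are also removed from the comment with no corresponding action change visible in this compare; fine if those actions are already gone, otherwise the comment was pruned while the actions remain.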
@@ -35,11 +27,17 @@
#ACTION #ACTION
A_Drop # Audited Default Action for DROP policy A_Drop # Audited Default Action for DROP policy
A_Reject # Audited Default action for REJECT policy A_Reject # Audited Default action for REJECT policy
Broadcast noinline # Handles Broadcast/Multicast/Anycast allowInvalid inline # Accepts packets in the INVALID conntrack state
Broadcast noinline # Handles Broadcast/Multicast/Anycast
Drop # Default Action for DROP policy Drop # Default Action for DROP policy
DropSmurfs noinline # Drop smurf packets dropInvalid inline # Drops packets in the INVALID conntrack state
Invalid noinline # Handles packets in the INVALID conntrack state DropSmurfs noinline # Drop smurf packets
NotSyn noinline # Handles TCP packets which do not have SYN=1 and ACK=0 Established inline # Handles packets in the ESTABLISHED state
Invalid inline # Handles packets in the INVALID conntrack state
New inline # Handles packets in the NEW conntrack state
NotSyn inline # Handles TCP packets which do not have SYN=1 and ACK=0
Reject # Default Action for REJECT policy Reject # Default Action for REJECT policy
RST noinline # Handle packets with RST set Related inline # Handles packets in the RELATED conntrack state
TCPFlags noinline # Handle bad flag combinations. RST inline # Handle packets with RST set
TCPFlags # Handle bad flag combinations.
Untracked inline # Handles packets in the UNTRACKED conntrack state
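Review bot: Invalid, NotSyn, RST and the new state actions become `inline`, which expands their Perl into the calling chain, while `TCPFlags` is listed with neither `inline` nor `noinline`. Given TCPFlags emits five rules, keeping it as a separate chain is reasonable, but a trailing comment saying so would stop someone "fixing" it to `inline` later.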

View File

@@ -12,4 +12,6 @@
#SECTION ALL #SECTION ALL
#SECTION ESTABLISHED #SECTION ESTABLISHED
#SECTION RELATED #SECTION RELATED
#SECTION INVALID
#SECTION UNTRACKED
SECTION NEW SECTION NEW

View File

@@ -23,6 +23,8 @@ VERBOSITY=1
BLACKLIST_LOGLEVEL= BLACKLIST_LOGLEVEL=
INVALID_LOG_LEVEL=
LOG_MARTIANS=Yes LOG_MARTIANS=Yes
LOG_VERBOSITY=2 LOG_VERBOSITY=2
@@ -51,6 +53,8 @@ STARTUP_LOG=/var/log/shorewall-init.log
TCP_FLAGS_LOG_LEVEL=info TCP_FLAGS_LOG_LEVEL=info
UNTRACKED_LOG_LEVEL=
############################################################################### ###############################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
############################################################################### ###############################################################################
@@ -124,7 +128,7 @@ AUTOHELPERS=Yes
AUTOMAKE=No AUTOMAKE=No
BLACKLISTNEWONLY=Yes BLACKLIST="NEW,INVALID,UNTRACKED"
CLAMPMSS=No CLAMPMSS=No
@@ -224,6 +228,8 @@ ZONE2ZONE=2
BLACKLIST_DISPOSITION=DROP BLACKLIST_DISPOSITION=DROP
INVALID_DISPOSITION=CONTINUE
MACLIST_DISPOSITION=REJECT MACLIST_DISPOSITION=REJECT
RELATED_DISPOSITION=ACCEPT RELATED_DISPOSITION=ACCEPT
@@ -236,6 +242,8 @@ SFILTER_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP TCP_FLAGS_DISPOSITION=DROP
UNTRACKED_DISPOSITION=CONTINUE
################################################################################ ################################################################################
# P A C K E T M A R K L A Y O U T # P A C K E T M A R K L A Y O U T
################################################################################ ################################################################################

View File

@@ -7,4 +7,4 @@
# information. # information.
# #
############################################################################### ###############################################################################
#INTERFACE TYPE IN-BANDWIDTH #INTERFACE TYPE IN-BANDWIDTH OUT-BANDWIDTH

View File

@@ -1,60 +0,0 @@
#!/bin/bash
OPTIONS="-f"
if [ -f /etc/sysconfig/shorewall ] ; then
. /etc/sysconfig/shorewall
elif [ -f /etc/default/shorewall ] ; then
. /etc/default/shorewall
fi
# if you want to override options, do so in /etc/sysconfig/shorewall or
# in /etc/default/shorewall --
# i strongly encourage you use the latter, since /etc/sysconfig/ does not exist.
. /etc/rc.conf
. /etc/rc.d/functions
DAEMON_NAME="shorewall" # of course shorewall is NOT a deamon.
export SHOREWALL_INIT_SCRIPT=1
case "$1" in
start)
stat_busy "Starting $DAEMON_NAME"
/sbin/shorewall $OPTIONS start &>/dev/null
if [ $? -gt 0 ]; then
stat_fail
else
add_daemon $DAEMON_NAME
stat_done
fi
;;
stop)
stat_busy "Stopping $DAEMON_NAME"
/sbin/shorewall stop &>/dev/null
if [ $? -gt 0 ]; then
stat_fail
else
rm_daemon $DAEMON_NAME
stat_done
fi
;;
restart|reload)
stat_busy "Restarting $DAEMON_NAME"
/sbin/shorewall restart &>/dev/null
if [ $? -gt 0 ]; then
stat_fail
else
stat_done
fi
;;
*)
echo "usage: $0 {start|stop|restart}"
esac
exit 0
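Review bot: Deleting the Arch rc.d script removes the only place `SHOREWALL_INIT_SCRIPT=1` was exported for that platform; please confirm the installer and package manifest no longer reference this file and that Arch users have a replacement start path, otherwise upgrades leave the firewall unstarted at boot.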

View File

@@ -349,7 +349,9 @@
<listitem> <listitem>
<para>The name of a <emphasis>chain</emphasis>. If specified as <para>The name of a <emphasis>chain</emphasis>. If specified as
<emphasis role="bold">-</emphasis> the <emphasis <emphasis role="bold">-</emphasis> the <emphasis
role="bold">accounting</emphasis> chain is assumed. This is the role="bold">accounting</emphasis> chain is assumed when the file is
un-sectioned. When the file is sectioned, the default is one of
accountin, accountout, etc. depending on the section. This is the
chain where the accounting rule is added. The chain where the accounting rule is added. The
<emphasis>chain</emphasis> will be created if it doesn't already <emphasis>chain</emphasis> will be created if it doesn't already
exist. The <emphasis>chain</emphasis> may not exceed 29 characters exist. The <emphasis>chain</emphasis> may not exceed 29 characters
@@ -370,7 +372,8 @@
<para>The name of an <replaceable>interface</replaceable>, an <para>The name of an <replaceable>interface</replaceable>, an
<replaceable>address</replaceable> (host or net) or an <replaceable>address</replaceable> (host or net) or an
<replaceable>interface</replaceable> name followed by ":" and a host <replaceable>interface</replaceable> name followed by ":" and a host
or net <replaceable>address</replaceable>.</para> or net <replaceable>address</replaceable>. An ipset name is also
accepted as an <replaceable>address</replaceable>.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>

View File

@@ -71,11 +71,11 @@
<member>DropSmurfs</member> <member>DropSmurfs</member>
<member>Invalid</member> <member>Invalid (Prior to Shorewall 4.5.13)</member>
<member>NotSyn</member> <member>NotSyn (Prior to Shorewall 4.5.13)</member>
<member>RST</member> <member>RST (Prior to Shorewall 4.5.13)</member>
<member>TCPFlags</member> <member>TCPFlags</member>
</simplelist> </simplelist>

View File

@@ -81,8 +81,41 @@
<para>The only ACTIONs allowed in this section are ACCEPT, DROP, <para>The only ACTIONs allowed in this section are ACCEPT, DROP,
REJECT, LOG and QUEUE</para> REJECT, LOG and QUEUE</para>
<para>There is an implicit ACCEPT rule inserted at the end of this <para>There is an implicit rule added at the end of this section
section.</para> that invokes the RELATED_DISPOSITION (<ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">INVALID</emphasis></term>
<listitem>
<para>Added in Shorewall 4.5.13. Packets in the INVALID state are
processed by rules in this section.</para>
<para>The only Actions allowed in this section are ACCEPT, DROP,
REJECT, LOG and QUEUE.</para>
<para>There is an implicit rule added at the end of this section
that invokes the INVALID_DISPOSITION (<ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">UNTRACKED</emphasis></term>
<listitem>
<para>Added in Shorewall 4.5.13. Packets in the UNTRACKED state are
processed by rules in this section.</para>
<para>The only Actions allowed in this section are ACCEPT, DROP,
REJECT, LOG and QUEUE.</para>
<para>There is an implicit rule added at the end of this section
that invokes the UNTRACKED_DISPOSITION (<ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
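Review bot: The new INVALID and UNTRACKED entries say "The only Actions allowed" while the unchanged RELATED text above says "ACTIONs"; pick one spelling. Since SECTION order is significant in this file, the entries should also state where the new sections sit (the sample rules files in this compare place them between RELATED and NEW), and the RELATED paragraph that now invokes RELATED_DISPOSITION should mention that ACCEPT remains the shipped default so the behaviour change reads as none for existing configs.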

View File

@@ -372,6 +372,28 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">BLACKLIST=</emphasis>[{<emphasis
role="bold">ALL</emphasis>|<emphasis
role="bold"><replaceable>state</replaceable>[,...]</emphasis>}]</term>
<listitem>
<para>where state is one of NEW, ESTABLISHED, RELATED, INVALID,or
UNTRACKED.</para>
<para>Added in Shorewall 4.5.13 to replace the BLACKLISTNEWONLY
option below. Specifies the connection tracking states that are to
be subject to blacklist screening. If neither BLACKLIST nor
BLACKLISTNEWONLY are specified then the states subject to
blacklisting are NEW,ESTABLISHED,INVALID,UNTRACKED.</para>
<para>ALL sends all packets through the blacklist chains.</para>
<para>Note: The ESTABLISHED state may not be specified if FASTACCEPT
is specified.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">BLACKLIST_DISPOSITION=</emphasis>[<emphasis role="bold">BLACKLIST_DISPOSITION=</emphasis>[<emphasis
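Review bot: "INVALID,or UNTRACKED" is missing a space. The stated default when neither option is set (NEW,ESTABLISHED,INVALID,UNTRACKED) includes ESTABLISHED, but the Note two paragraphs later says ESTABLISHED may not be specified with FASTACCEPT; say what happens when FASTACCEPT=Yes and BLACKLIST is unset (is ESTABLISHED silently dropped from the default, or is it a compile error?). The default also omits RELATED while the sample configs use NEW,INVALID,UNTRACKED, so three different state sets are in play; a sentence on the rationale would help.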
@@ -422,12 +444,16 @@
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term> role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
<listitem> <listitem>
<para>Deprecated in Shorewall 4.5.13 in favor of BLACKLIST
above.</para>
<para>When set to <emphasis role="bold">Yes</emphasis> or <emphasis <para>When set to <emphasis role="bold">Yes</emphasis> or <emphasis
role="bold">yes</emphasis>, blacklists are only consulted for new role="bold">yes</emphasis>, blacklists are only consulted for new
connections. That includes entries in the <ulink connections and for packets in the INVALID connection state (such as
url="???">shorewall-blrules</ulink> (5) file and in the BLACKLIST TCP SYN,ACK when there has been no corresponding SYN). That includes
section of <ulink url="shorewall-rules.html">shorewall-rules</ulink> entries in the <ulink url="???">shorewall-blrules</ulink> (5) file
(5).</para> and in the BLACKLIST section of <ulink
url="shorewall-rules.html">shorewall-rules</ulink> (5).</para>
<para>When set to <emphasis role="bold">No</emphasis> or <emphasis <para>When set to <emphasis role="bold">No</emphasis> or <emphasis
role="bold">no</emphasis>, blacklists are consulted for every packet role="bold">no</emphasis>, blacklists are consulted for every packet
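Review bot: The `url="???"` placeholder for shorewall-blrules is inside the lines this hunk rewrites and is still unresolved; a link in the same style as the neighbouring `shorewall-rules.html` would be the obvious fix. The deprecation sentence should also give the mapping onto the new option (Yes corresponds to NEW plus INVALID per this paragraph, No to ALL) so that people migrating keep the same screening.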
@@ -941,6 +967,34 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis
role="bold">INVALID_DISPOSITION=[A_DROP|A_REJECT|DROP|REJECT|CONTINUE]</emphasis></term>
<listitem>
<para>Added in Shorewall 4.5.13. Shorewall has traditionally passed
INVALID packets through the NEW section of <ulink
url="shorewall-rules.html">shorewall-rules</ulink> (5). When a
packet in INVALID state fails to match any rule in the INVALID
section, the packet is disposed of based on this setting. The
default value is CONTINUE for compatibility with earlier
versions.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">INVALID_LOG_LEVEL=</emphasis><emphasis>log-level</emphasis></term>
<listitem>
<para>Added in Shorewall 4.5.13. Packets in the INVALID state that
do not match any rule in the INVALID section of <ulink
url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5) are
logged at this level. The default value is empty which means no
logging is performed.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">IP</emphasis>=[<emphasis>pathname</emphasis>]</term> role="bold">IP</emphasis>=[<emphasis>pathname</emphasis>]</term>
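Review bot: the INVALID_DISPOSITION value list omits ACCEPT and A_ACCEPT, while the sibling UNTRACKED_DISPOSITION and RELATED_DISPOSITION accept them and the actions.std change in this set ships an allowInvalid action; if ACCEPT is deliberately disallowed for INVALID, say so in the paragraph. The paragraph also never says what CONTINUE does; given the opening sentence about INVALID packets traditionally going through the NEW section, a sentence of the form "CONTINUE passes the packet to the NEW section, as in earlier versions" (if that is the semantics) would make the default self-explanatory. Finally, INVALID_LOG_LEVEL links to manpages/shorewall-rules.html while INVALID_DISPOSITION links to shorewall-rules.html; the RELATED_* hunks in this change remove the manpages/ form, so use the plain form here too.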
@@ -1970,18 +2024,17 @@ LOG:info:,bar net fw</programlisting>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">RELATED_DISPOSITION=[ACCEPT|A_ACCEPT|A_DROP|A_REJECT|DROP|REJECT]</emphasis></term> role="bold">RELATED_DISPOSITION=[ACCEPT|A_ACCEPT|A_DROP|A_REJECT|DROP|REJECT|CONTINUE]</emphasis></term>
<listitem> <listitem>
<para>Added in Shorewall 4.4.27. Shorewall has traditionally <para>Added in Shorewall 4.4.27. Shorewall has traditionally
ACCEPTed RELATED packets that don't match any rule in the RELATED ACCEPTed RELATED packets that don't match any rule in the RELATED
section of <ulink section of <ulink url="shorewall-rules.html">shorewall-rules</ulink>
url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5). (5). Concern about the safety of this practice resulted in the
Concern about the safety of this practice resulted in the addition addition of this option. When a packet in RELATED state fails to
of this option. When a packet in RELATED state fails to match any match any rule in the RELATED section, the packet is disposed of
rule in the RELATED section, the packet is disposed of based on this based on this setting. The default value is ACCEPT for compatibility
setting. The default value is ACCEPT for compatibility with earlier with earlier versions.</para>
versions.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
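Review bot: CONTINUE is added to the RELATED_DISPOSITION value list but the paragraph body is only reflowed and re-linked; it should say what CONTINUE does for a RELATED packet (presumably fall through to the next section, matching the INVALID and UNTRACKED options added elsewhere in this change) and from which release it is accepted, since the "Added in Shorewall 4.4.27" line now covers a value that did not exist then.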
@@ -1992,9 +2045,9 @@ LOG:info:,bar net fw</programlisting>
<listitem> <listitem>
<para>Added in Shorewall 4.4.27. Packets in the related state that <para>Added in Shorewall 4.4.27. Packets in the related state that
do not match any rule in the RELATED section of <ulink do not match any rule in the RELATED section of <ulink
url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5) are url="shorewall-rules.html">shorewall-rules</ulink> (5) are logged at
logged at this level. The default value is empty which means no this level. The default value is empty which means no logging is
logging is performed.</para> performed.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@@ -2438,6 +2491,34 @@ LOG:info:,bar net fw</programlisting>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis
role="bold">UNTRACKED_DISPOSITION=[ACCEPT|A_ACCEPT|A_DROP|A_REJECT|DROP|REJECT|CONTINUE]</emphasis></term>
<listitem>
<para>Added in Shorewall 4.5.13. Shorewall has traditionally passed
UNTRACKED packets through the NEW section of <ulink
url="shorewall-rules.html">shorewall-rules</ulink> (5). When a
packet in UNTRACKED state fails to match any rule in the UNTRACKED
section, the packet is disposed of based on this setting. The
default value is CONTINUE for compatibility with earlier
versions.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">UNTRACKED_LOG_LEVEL=</emphasis><emphasis>log-level</emphasis></term>
<listitem>
<para>Added in Shorewall 4.5.13. Packets in the UNTRACKED state that
do not match any rule in the UNTRACKED section of <ulink
url="shorewall-rules.html">shorewall-rules</ulink> (5) are logged at
this level. The default value is empty which means no logging is
performed.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">USE_DEFAULT_RT=</emphasis>[<emphasis <term><emphasis role="bold">USE_DEFAULT_RT=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term> role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
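Review bot: the UNTRACKED_DISPOSITION and UNTRACKED_LOG_LEVEL paragraphs are copies of the INVALID ones with the state name swapped, which is fine, but the same gap applies: neither says what CONTINUE does (pass the packet on to the NEW section, if the "traditionally passed UNTRACKED packets through the NEW section" sentence is the intended meaning). UNTRACKED also deserves one extra sentence: as the BLACKLISTNEWONLY text in this change says, packets are UNTRACKED because of entries in the conntrack file, so the administrator has already opted them out of state tracking and a DROP or REJECT here silently overrides that choice; saying so helps readers pick a value.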

View File

@@ -13,8 +13,8 @@ Type=oneshot
RemainAfterExit=yes RemainAfterExit=yes
EnvironmentFile=-/etc/sysconfig/shorewall EnvironmentFile=-/etc/sysconfig/shorewall
StandardOutput=syslog StandardOutput=syslog
ExecStart=/usr/sbin/shorewall $OPTIONS start ExecStart=/sbin/shorewall $OPTIONS start
ExecStop=/usr/sbin/shorewall $OPTIONS stop ExecStop=/sbin/shorewall $OPTIONS stop
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target
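Review bot: replacing the hard-coded /usr/sbin/shorewall with a hard-coded /sbin/shorewall fixes one filesystem layout and breaks the other; if the installer can place the executable in either directory, ExecStart and ExecStop should be filled in from that install setting when the unit is installed rather than carrying a path that matches only one distribution. The same applies to the shorewall6-lite and shorewall6 units changed below.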

View File

@@ -1,58 +0,0 @@
#!/bin/bash
OPTIONS=""
if [ -f /etc/sysconfig/shorewall6 ] ; then
. /etc/sysconfig/shorewall6
elif [ -f /etc/default/shorewall6 ] ; then
. /etc/default/shorewall6
fi
# if you want to override options, do so in /etc/sysconfig/shorewall6 or
# in /etc/default/shorewall6 --
# i strongly encourage you use the latter, since /etc/sysconfig/ does not exist.
. /etc/rc.conf
. /etc/rc.d/functions
DAEMON_NAME="shorewall6" # of course shorewall6 is NOT a deamon.
case "$1" in
start)
stat_busy "Starting $DAEMON_NAME"
/sbin/shorewall6-lite $OPTIONS start &>/dev/null
if [ $? -gt 0 ]; then
stat_fail
else
add_daemon $DAEMON_NAME
stat_done
fi
;;
stop)
stat_busy "Stopping $DAEMON_NAME"
/sbin/shorewall6-lite stop &>/dev/null
if [ $? -gt 0 ]; then
stat_fail
else
rm_daemon $DAEMON_NAME
stat_done
fi
;;
restart|reload)
stat_busy "Restarting $DAEMON_NAME"
/sbin/shorewall6-lite restart &>/dev/null
if [ $? -gt 0 ]; then
stat_fail
else
stat_done
fi
;;
*)
echo "usage: $0 {start|stop|restart}"
esac
exit 0
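Review bot: this deletes the Arch Linux rc.d script for shorewall6-lite outright; if the shorewall6-lite.service unit (edited below) is the intended replacement, the commit message or release notes should say that Arch users must enable the unit, because an upgrade that removes the init script with no migration note leaves the firewall unstarted at boot. Nothing of value is lost in the script itself: it named DAEMON_NAME "shorewall6" while starting shorewall6-lite, and its stop branch did not pass $OPTIONS.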

View File

@@ -13,8 +13,8 @@ Type=oneshot
RemainAfterExit=yes RemainAfterExit=yes
EnvironmentFile=-/etc/sysconfig/shorewall6-lite EnvironmentFile=-/etc/sysconfig/shorewall6-lite
StandardOutput=syslog StandardOutput=syslog
ExecStart=/usr/sbin/shorewall6-lite $OPTIONS start ExecStart=/sbin/shorewall6-lite $OPTIONS start
ExecStop=/usr/sbin/shorewall6-lite $OPTIONS stop ExecStop=/sbin/shorewall6-lite $OPTIONS stop
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target
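Review bot: same path concern as the shorewall.service hunk above: ExecStart and ExecStop now hard-code /sbin/shorewall6-lite; derive the directory from the install setting instead of baking one layout into the unit.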

View File

@@ -24,6 +24,8 @@ VERBOSITY=1
BLACKLIST_LOGLEVEL= BLACKLIST_LOGLEVEL=
INVALID_LOG_LEVEL=
LOG_VERBOSITY=2 LOG_VERBOSITY=2
LOGALLNEW= LOGALLNEW=
@@ -50,6 +52,8 @@ STARTUP_LOG=/var/log/shorewall6-init.log
TCP_FLAGS_LOG_LEVEL=info TCP_FLAGS_LOG_LEVEL=info
UNTRACKED_LOG_LEVEL=
############################################################################### ###############################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
############################################################################### ###############################################################################
@@ -117,7 +121,7 @@ AUTOHELPERS=Yes
AUTOMAKE=No AUTOMAKE=No
BLACKLISTNEWONLY=Yes BLACKLIST="NEW,INVALID,UNTRACKED"
CLAMPMSS=No CLAMPMSS=No
@@ -197,6 +201,8 @@ ZONE2ZONE=2
BLACKLIST_DISPOSITION=DROP BLACKLIST_DISPOSITION=DROP
INVALID_DISPOSITION=CONTINUE
MACLIST_DISPOSITION=REJECT MACLIST_DISPOSITION=REJECT
RELATED_DISPOSITION=ACCEPT RELATED_DISPOSITION=ACCEPT
@@ -209,6 +215,8 @@ SMURF_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP TCP_FLAGS_DISPOSITION=DROP
UNTRACKED_DISPOSITION=CONTINUE
################################################################################ ################################################################################
# P A C K E T M A R K L A Y O U T # P A C K E T M A R K L A Y O U T
################################################################################ ################################################################################
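Review bot: the sample replaces BLACKLISTNEWONLY=Yes with BLACKLIST="NEW,INVALID,UNTRACKED" and sets INVALID_DISPOSITION and UNTRACKED_DISPOSITION to CONTINUE with empty log levels. Two things to check: (1) the documented fallback for an unset BLACKLIST includes ESTABLISHED, so the sample deliberately narrows screening; a comment saying so would stop a user from "fixing" it back; (2) an empty INVALID_LOG_LEVEL/UNTRACKED_LOG_LEVEL combined with CONTINUE means INVALID and UNTRACKED packets reach the NEW section without leaving any trace, which preserves the old behaviour but, for the stricter samples, setting a log level (for example info) would surface state-tracking anomalies without changing disposition. The same hunks appear for each sample below; whichever choice is made should be applied uniformly.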

View File

@@ -24,6 +24,8 @@ VERBOSITY=1
BLACKLIST_LOGLEVEL= BLACKLIST_LOGLEVEL=
INVALID_LOG_LEVEL=
LOG_VERBOSITY=2 LOG_VERBOSITY=2
LOGALLNEW= LOGALLNEW=
@@ -50,6 +52,8 @@ STARTUP_LOG=/var/log/shorewall6-init.log
TCP_FLAGS_LOG_LEVEL=info TCP_FLAGS_LOG_LEVEL=info
UNTRACKED_LOG_LEVEL=
############################################################################### ###############################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
############################################################################### ###############################################################################
@@ -117,7 +121,7 @@ AUTOHELPERS=Yes
AUTOMAKE=No AUTOMAKE=No
BLACKLISTNEWONLY=Yes BLACKLIST="NEW,INVALID,UNTRACKED"
CLAMPMSS=No CLAMPMSS=No
@@ -197,6 +201,8 @@ ZONE2ZONE=2
BLACKLIST_DISPOSITION=DROP BLACKLIST_DISPOSITION=DROP
INVALID_DISPOSITION=CONTINUE
MACLIST_DISPOSITION=REJECT MACLIST_DISPOSITION=REJECT
RELATED_DISPOSITION=ACCEPT RELATED_DISPOSITION=ACCEPT
@@ -209,6 +215,8 @@ SMURF_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP TCP_FLAGS_DISPOSITION=DROP
UNTRACKED_DISPOSITION=CONTINUE
################################################################################ ################################################################################
# P A C K E T M A R K L A Y O U T # P A C K E T M A R K L A Y O U T
################################################################################ ################################################################################

View File

@@ -24,6 +24,8 @@ VERBOSITY=1
BLACKLIST_LOGLEVEL= BLACKLIST_LOGLEVEL=
INVALID_LOG_LEVEL=
LOG_VERBOSITY=2 LOG_VERBOSITY=2
LOGALLNEW= LOGALLNEW=
@@ -50,6 +52,8 @@ STARTUP_LOG=/var/log/shorewall6-init.log
TCP_FLAGS_LOG_LEVEL=info TCP_FLAGS_LOG_LEVEL=info
UNTRACKED_LOG_LEVEL=
############################################################################### ###############################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
############################################################################### ###############################################################################
@@ -117,7 +121,7 @@ AUTOHELPERS=Yes
AUTOMAKE=No AUTOMAKE=No
BLACKLISTNEWONLY=Yes BLACKLIST="NEW,INVALID,UNTRACKED"
CLAMPMSS=No CLAMPMSS=No
@@ -197,6 +201,8 @@ ZONE2ZONE=2
BLACKLIST_DISPOSITION=DROP BLACKLIST_DISPOSITION=DROP
INVALID_DISPOSITION=CONTINUE
MACLIST_DISPOSITION=REJECT MACLIST_DISPOSITION=REJECT
RELATED_DISPOSITION=ACCEPT RELATED_DISPOSITION=ACCEPT
@@ -209,6 +215,8 @@ SMURF_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP TCP_FLAGS_DISPOSITION=DROP
UNTRACKED_DISPOSITION=CONTINUE
################################################################################ ################################################################################
# P A C K E T M A R K L A Y O U T # P A C K E T M A R K L A Y O U T
################################################################################ ################################################################################

View File

@@ -24,6 +24,8 @@ VERBOSITY=1
BLACKLIST_LOGLEVEL= BLACKLIST_LOGLEVEL=
INVALID_LOG_LEVEL=
LOG_VERBOSITY=2 LOG_VERBOSITY=2
LOGALLNEW= LOGALLNEW=
@@ -50,6 +52,8 @@ STARTUP_LOG=/var/log/shorewall6-init.log
TCP_FLAGS_LOG_LEVEL=info TCP_FLAGS_LOG_LEVEL=info
UNTRACKED_LOG_LEVEL=
############################################################################### ###############################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
############################################################################### ###############################################################################
@@ -117,7 +121,7 @@ AUTOHELPERS=Yes
AUTOMAKE=No AUTOMAKE=No
BLACKLISTNEWONLY=Yes BLACKLIST="NEW,INVALID,UNTRACKED"
CLAMPMSS=No CLAMPMSS=No
@@ -197,6 +201,8 @@ ZONE2ZONE=2
BLACKLIST_DISPOSITION=DROP BLACKLIST_DISPOSITION=DROP
INVALID_DISPOSITION=CONTINUE
MACLIST_DISPOSITION=REJECT MACLIST_DISPOSITION=REJECT
RELATED_DISPOSITION=ACCEPT RELATED_DISPOSITION=ACCEPT
@@ -209,6 +215,8 @@ SMURF_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP TCP_FLAGS_DISPOSITION=DROP
UNTRACKED_DISPOSITION=CONTINUE
################################################################################ ################################################################################
# P A C K E T M A R K L A Y O U T # P A C K E T M A R K L A Y O U T
################################################################################ ################################################################################

View File

@@ -12,10 +12,6 @@
# dropBcasts # Silently Drop multicast and anycast packets # dropBcasts # Silently Drop multicast and anycast packets
# dropNotSyn # Silently Drop Non-syn TCP packets # dropNotSyn # Silently Drop Non-syn TCP packets
# rejNotSyn # Silently Reject Non-syn TCP packets # rejNotSyn # Silently Reject Non-syn TCP packets
# dropInvalid # Silently Drop packets that are in the INVALID
# # conntrack state.
# allowInvalid # Accept packets that are in the INVALID
# # conntrack state.
# #
############################################################################### ###############################################################################
#ACTION #ACTION
@@ -23,11 +19,17 @@ A_Drop # Audited Default Action for DROP policy
A_Reject # Audited Default Action for REJECT policy A_Reject # Audited Default Action for REJECT policy
A_AllowICMPs # Audited Accept needed ICMP6 types A_AllowICMPs # Audited Accept needed ICMP6 types
AllowICMPs # Accept needed ICMP6 types AllowICMPs # Accept needed ICMP6 types
Broadcast noinline # Handles Broadcast/Multicast/Anycast allowInvalid inline # Accepts packets in the INVALID conntrack state
Broadcast noinline # Handles Broadcast/Multicast/Anycast
Drop # Default Action for DROP policy Drop # Default Action for DROP policy
DropSmurfs noinline # Handles packets with a broadcast source address dropInvalid inline # Drops packets in the INVALID conntrack state
Invalid noinline # Handles packets in the INVALID conntrack state DropSmurfs noinline # Handles packets with a broadcast source address
NotSyn noinline # Handles TCP packets that do not have SYN=1 and ACK=0 Established inline # Handles packets in the ESTABLISHED state
Invalid inline # Handles packets in the INVALID conntrack state
New inline # Handles packets in the NEW conntrack state
NotSyn inline # Handles TCP packets that do not have SYN=1 and ACK=0
Reject # Default Action for REJECT policy Reject # Default Action for REJECT policy
TCPFlags noinline # Handles bad flags combinations Related inline # Handles packets in the RELATED conntrack state
RST inline # Handle packets with RST set
TCPFlags # Handles bad flags combinations
Untracked inline # Handles packets in the UNTRACKED conntrack state
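Review bot: the header comment drops the descriptions of dropInvalid and allowInvalid at the same time as the action list gains "allowInvalid inline" and "dropInvalid inline"; if they have moved from compiler built-ins to shipped inline action files, make sure the action.allowInvalid and action.dropInvalid files are part of this change, otherwise the names listed here will fail to resolve. Two other changes in this hunk deserve a sentence in the commit message: Invalid and NotSyn switch from noinline to inline, and TCPFlags loses its noinline marker entirely, which changes how rules that invoke them are compiled; whoever bisects a behaviour change later will want to know why.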

View File

@@ -12,4 +12,6 @@
#SECTION ALL #SECTION ALL
#SECTION ESTABLISHED #SECTION ESTABLISHED
#SECTION RELATED #SECTION RELATED
#SECTION INVALID
#SECTION UNTRACKED
SECTION NEW SECTION NEW

View File

@@ -24,6 +24,8 @@ VERBOSITY=1
BLACKLIST_LOGLEVEL= BLACKLIST_LOGLEVEL=
INVALID_LOG_LEVEL=
LOG_VERBOSITY=2 LOG_VERBOSITY=2
LOGALLNEW= LOGALLNEW=
@@ -50,6 +52,8 @@ STARTUP_LOG=/var/log/shorewall6-init.log
TCP_FLAGS_LOG_LEVEL=info TCP_FLAGS_LOG_LEVEL=info
UNTRACKED_LOG_LEVEL=
############################################################################### ###############################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
############################################################################### ###############################################################################
@@ -117,7 +121,7 @@ AUTOHELPERS=Yes
AUTOMAKE=No AUTOMAKE=No
BLACKLISTNEWONLY=Yes BLACKLIST="NEW,INVALID,UNTRACKED"
CLAMPMSS=No CLAMPMSS=No
@@ -197,6 +201,8 @@ ZONE2ZONE=2
BLACKLIST_DISPOSITION=DROP BLACKLIST_DISPOSITION=DROP
INVALID_DISPOSITION=CONTINUE
MACLIST_DISPOSITION=REJECT MACLIST_DISPOSITION=REJECT
RELATED_DISPOSITION=ACCEPT RELATED_DISPOSITION=ACCEPT
@@ -209,6 +215,8 @@ SMURF_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP TCP_FLAGS_DISPOSITION=DROP
UNTRACKED_DISPOSITION=CONTINUE
################################################################################ ################################################################################
# P A C K E T M A R K L A Y O U T # P A C K E T M A R K L A Y O U T
################################################################################ ################################################################################

View File

@@ -7,5 +7,5 @@
# information. # information.
# #
############################################################################### ###############################################################################
#INTERFACE TYPE IN-BANDWIDTH #INTERFACE TYPE IN-BANDWIDTH OUT-INTERFACE
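Review bot: the column header gains OUT-INTERFACE but the comment block above it is untouched; since this header is the only in-file documentation a user sees, add a short comment (or a pointer to the part of the tcinterfaces man page that defines the column) so it is clear what OUT-INTERFACE is for and whether it may be left blank.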

View File

@@ -1,60 +0,0 @@
#!/bin/bash
OPTIONS="-f"
if [ -f /etc/sysconfig/shorewall6 ] ; then
. /etc/sysconfig/shorewall6
elif [ -f /etc/default/shorewall6 ] ; then
. /etc/default/shorewall6
fi
# if you want to override options, do so in /etc/sysconfig/shorewall6 or
# in /etc/default/shorewall6 --
# i strongly encourage you use the latter, since /etc/sysconfig/ does not exist.
. /etc/rc.conf
. /etc/rc.d/functions
DAEMON_NAME="shorewall6" # of course shorewall6 is NOT a deamon.
export SHOREWALL_INIT_SCRIPT=1
case "$1" in
start)
stat_busy "Starting $DAEMON_NAME"
/sbin/shorewall6 $OPTIONS start &>/dev/null
if [ $? -gt 0 ]; then
stat_fail
else
add_daemon $DAEMON_NAME
stat_done
fi
;;
stop)
stat_busy "Stopping $DAEMON_NAME"
/sbin/shorewall6 stop &>/dev/null
if [ $? -gt 0 ]; then
stat_fail
else
rm_daemon $DAEMON_NAME
stat_done
fi
;;
restart|reload)
stat_busy "Restarting $DAEMON_NAME"
/sbin/shorewall6 restart &>/dev/null
if [ $? -gt 0 ]; then
stat_fail
else
stat_done
fi
;;
*)
echo "usage: $0 {start|stop|restart}"
esac
exit 0
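Review bot: as with the shorewall6-lite script above, this removes the Arch rc.d script without a note for users. This one also exported SHOREWALL_INIT_SCRIPT=1 before starting, and the shorewall6.service hunk below shows no equivalent Environment= setting, so confirm that nothing in the start path still depends on that variable when invoked from the unit.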

View File

@@ -291,7 +291,9 @@
<listitem> <listitem>
<para>The name of a <emphasis>chain</emphasis>. If specified as <para>The name of a <emphasis>chain</emphasis>. If specified as
<emphasis role="bold">-</emphasis> the <emphasis <emphasis role="bold">-</emphasis> the <emphasis
role="bold">accounting</emphasis> chain is assumed. This is the role="bold">accounting</emphasis> chain is assumed when the file is
un-sectioned. When the file is sectioned, the default is one of
accountin, accountout, etc. depending on the section. This is the
chain where the accounting rule is added. The chain where the accounting rule is added. The
<emphasis>chain</emphasis> will be created if it doesn't already <emphasis>chain</emphasis> will be created if it doesn't already
exist. The <emphasis>chain</emphasis> may not exceed 29 characters exist. The <emphasis>chain</emphasis> may not exceed 29 characters
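Review bot: "the default is one of accountin, accountout, etc. depending on the section" leaves the reader to guess the mapping; list each section with its default chain explicitly, since the point of the sentence is to tell the user where a rule lands when the CHAIN column is "-". Also pick one spelling of "un-sectioned"/"unsectioned" for the page.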
@@ -312,7 +314,8 @@
<para>The name of an <replaceable>interface</replaceable>, an <para>The name of an <replaceable>interface</replaceable>, an
<replaceable>address</replaceable> (host or net) or an <replaceable>address</replaceable> (host or net) or an
<replaceable>interface</replaceable> name followed by ":" and a host <replaceable>interface</replaceable> name followed by ":" and a host
or net <replaceable>address</replaceable>.</para> or net <replaceable>address</replaceable>. An ipset name is also
accepted as an <replaceable>address</replaceable>.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
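Review bot: "An ipset name is also accepted as an address" should show the notation the column expects for a set name (the form that distinguishes a set from an interface or host name) and say whether the set's address family must match the file's; as written the reader learns that the feature exists but not how to write it.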

View File

@@ -71,11 +71,11 @@
<member>DropSmurfs</member> <member>DropSmurfs</member>
<member>Invalid</member> <member>Invalid (Prior to Shorewall 4.5.13)</member>
<member>NotSyn</member> <member>NotSyn (Prior to Shorewall 4.5.13)</member>
<member>RST</member> <member>RST (Prior to Shorewall 4.5.13)</member>
<member>TCPFlags</member> <member>TCPFlags</member>
</simplelist> </simplelist>
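Review bot: the "(Prior to Shorewall 4.5.13)" annotations on Invalid, NotSyn and RST are ambiguous: the actions.std change in this set still lists all three as inline actions in 4.5.13, so what ended at 4.5.13 is presumably their built-in status, not the actions themselves. Say "built-in prior to 4.5.13; an inline action from 4.5.13 on", or move them to wherever the page lists inline actions.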

View File

@@ -74,8 +74,41 @@
<para>The only ACTIONs allowed in this section are ACCEPT, DROP, <para>The only ACTIONs allowed in this section are ACCEPT, DROP,
REJECT, LOG and QUEUE</para> REJECT, LOG and QUEUE</para>
<para>There is an implicit ACCEPT rule inserted at the end of this <para>There is an implicit rule added at the end of this section
section.</para> that invokes the RELATED_DISPOSITION (<ulink
url="shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">INVALID</emphasis></term>
<listitem>
<para>Added in Shorewall 4.5.13. Packets in the INVALID state are
processed by rules in this section.</para>
<para>The only Actions allowed in this section are ACCEPT, DROP,
REJECT, LOG and QUEUE.</para>
<para>There is an implicit rule added at the end of this section
that invokes the INVALID_DISPOSITION (<ulink
url="shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">UNTRACKED</emphasis></term>
<listitem>
<para>Added in Shorewall 4.5.13. Packets in the UNTRACKED state are
processed by rules in this section.</para>
<para>The only Actions allowed in this section are ACCEPT, DROP,
REJECT, LOG and QUEUE.</para>
<para>There is an implicit rule added at the end of this section
that invokes the UNTRACKED_DISPOSITION (<ulink
url="shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
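Review bot: the INVALID and UNTRACKED sections say the implicit final rule "invokes the INVALID_DISPOSITION" / "UNTRACKED_DISPOSITION", and the shorewall6.conf text in this change defaults both to CONTINUE; this page is where a reader needs to learn that CONTINUE hands the packet on to the NEW section (if that is the semantics), so state it here rather than only in shorewall6.conf(5). Minor: "The only ACTIONs allowed" in the RELATED paragraph versus "The only Actions allowed" in the two new ones; pick one spelling.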

View File

@@ -309,6 +309,26 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">BLACKLIST=</emphasis>[{<emphasis
role="bold">ALL</emphasis>|<emphasis
role="bold"><replaceable>state</replaceable>[,...]</emphasis>}]</term>
<listitem>
<para>where state is one of NEW, ESTABLISHED, RELATED, INVALID,or
UNTRACKED.</para>
<para>Added in Shorewall 4.5.13 to replace the BLACKLISTNEWONLY
option below. Specifies the connection tracking states that are to
be subject to blacklist screening. If neither BLACKLIST nor
BLACKLISTNEWONLY are specified then the states subject to
blacklisting are NEW,ESTABLISHED,INVALID,UNTRACKED.</para>
<para>Note: The ESTABLISHED state may not be specified if FASTACCEPT
is specified.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">BLACKLIST_DISPOSITION=</emphasis>[<emphasis role="bold">BLACKLIST_DISPOSITION=</emphasis>[<emphasis
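Review bot: "INVALID,or UNTRACKED" is missing a space after the comma. This IPv6 copy of the BLACKLIST entry also drops the sentence "ALL sends all packets through the blacklist chains" that the IPv4 entry has, although the term still offers ALL as a value; add it back so the two man pages stay parallel. The caveat raised on the IPv4 entry about the fallback list containing ESTABLISHED while ESTABLISHED is forbidden with FASTACCEPT applies here too.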
@@ -354,11 +374,18 @@
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term> role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
<listitem> <listitem>
<para>Deprecated in Shorewall 4.5.13 in favor of BLACKLIST
above.</para>
<para>When set to <emphasis role="bold">Yes</emphasis> or <emphasis <para>When set to <emphasis role="bold">Yes</emphasis> or <emphasis
role="bold">yes</emphasis>, blacklists are only consulted for new role="bold">yes</emphasis>, blacklists are only consulted for new
connections. This includes entries in the <ulink connections, for packets in the INVALID connection state (such as a
url="???">shorewall-blrules</ulink> (5) file and in the BLACKLIST TCP SYN,ACK when there has been no corresponding SYN), and for
section of <ulink packets that are UNTRACKED due to entries in <ulink
url="shorewall6-conntrack.html">shorewall6-conntrack</ulink>(5).
This includes entries in the <ulink
url="shorewall6-blrules.html">shorewall6-blrules</ulink> (5) file
and in the BLACKLIST section of <ulink
url="shorewall6-rules.html">shorewall6-rules</ulink> (5).</para> url="shorewall6-rules.html">shorewall6-rules</ulink> (5).</para>
<para>When set to <emphasis role="bold">No</emphasis> or <emphasis <para>When set to <emphasis role="bold">No</emphasis> or <emphasis
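Review bot: after the rewrite, "This includes entries in the shorewall6-blrules (5) file and in the BLACKLIST section of shorewall6-rules (5)" follows a sentence about packet states, so "This" no longer has a clear referent; the original meant the blacklists themselves (something like "These blacklists comprise the entries in ..."). Also, this IPv6 text covers UNTRACKED packets from conntrack entries while the IPv4 BLACKLISTNEWONLY text earlier in this change does not; align them or explain the difference.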
@@ -814,6 +841,34 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis
role="bold">INVALID_DISPOSITION=[A_DROP|A_REJECT|DROP|REJECT|CONTINUE]</emphasis></term>
<listitem>
<para>Added in Shorewall 4.5.13. Shorewall has traditionally passed
INVALID packets through the NEW section of <ulink
url="shorewall6-rules.html">shorewall-rules</ulink> (5). When a
packet in INVALID state fails to match any rule in the INVALID
section, the packet is disposed of based on this setting. The
default value is CONTINUE for compatibility with earlier
versions.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">INVALID_LOG_LEVEL=</emphasis><emphasis>log-level</emphasis></term>
<listitem>
<para>Added in Shorewall 4.5.13. Packets in the INVALID state that
do not match any rule in the INVALID section of <ulink
url="manpages/shorewall6-rules.html">shorewall-rules</ulink> (5) are
logged at this level. The default value is empty which means no
logging is performed.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">IP</emphasis>=[<emphasis>pathname</emphasis>]</term> role="bold">IP</emphasis>=[<emphasis>pathname</emphasis>]</term>
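Review bot: link text and target disagree: INVALID_DISPOSITION links to shorewall6-rules.html but the visible text says "shorewall-rules", and INVALID_LOG_LEVEL links to manpages/shorewall6-rules.html (the manpages/ prefix that the RELATED_* hunks in this change remove) with the same "shorewall-rules" text. Use "shorewall6-rules" and the plain shorewall6-rules.html target in both. The CONTINUE-semantics and missing-ACCEPT points raised on the IPv4 INVALID_DISPOSITION entry apply unchanged.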
@@ -1735,16 +1790,16 @@ LOG:info:,bar net fw</programlisting>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">RELATED_DISPOSITION=[ACCEPT|A_ACCEPT|A_DROP|A_REJECT|DROP|REJECT]</emphasis></term> role="bold">RELATED_DISPOSITION=[ACCEPT|A_ACCEPT|A_DROP|A_REJECT|DROP|REJECT|CONTINUE]</emphasis></term>
<listitem> <listitem>
<para>Added in Shorewall 4.4.27. Shorewall has traditionally <para>Added in Shorewall 4.4.27. Shorewall has traditionally
ACCEPTed RELATED packets that don't match any rule in the RELATED ACCEPTed RELATED packets that don't match any rule in the RELATED
section of <ulink section of <ulink
url="manpages6/shorewall6-rules.html">shorewall6-rules</ulink> (5). url="shorewall6-rules.html">shorewall6-rules</ulink> (5). Concern
Concern about the safety of this practice resulted in the addition about the safety of this practice resulted in the addition of this
of this option. When a packet in RELATED state fails to match any option. When a packet in RELATED state fails to match any rule in
rule in the RELATED section, the packet is disposed of based on this the RELATED section, the packet is disposed of based on this
setting. The default value is ACCEPT for compatibility with earlier setting. The default value is ACCEPT for compatibility with earlier
versions.</para> versions.</para>
</listitem> </listitem>
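Review bot: as in the IPv4 entry, CONTINUE is added to the RELATED_DISPOSITION value list without a sentence describing its effect or the release it appeared in; document both.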
@@ -2109,6 +2164,34 @@ LOG:info:,bar net fw</programlisting>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis
role="bold">UNTRACKED_DISPOSITION=[ACCEPT|A_ACCEPT|A_DROP|A_REJECT|DROP|REJECT|CONTINUE]</emphasis></term>
<listitem>
<para>Added in Shorewall 4.5.13. Shorewall has traditionally passed
UNTRACKED packets through the NEW section of <ulink
url="shorewall6-rules.html">shorewall6-rules</ulink> (5). When a
packet in UNTRACKED state fails to match any rule in the UNTRACKED
section, the packet is disposed of based on this setting. The
default value is CONTINUE for compatibility with earlier
versions.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">UNTRACKED_LOG_LEVEL=</emphasis><emphasis>log-level</emphasis></term>
<listitem>
<para>Added in Shorewall 4.5.13. Packets in the UNTRACKED state that
do not match any rule in the UNTRACKED section of <ulink
url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5) are
logged at this level. The default value is empty which means no
logging is performed.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">USE_DEFAULT_RT=</emphasis>[<emphasis <term><emphasis role="bold">USE_DEFAULT_RT=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term> role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
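Review bot: UNTRACKED_LOG_LEVEL in the IPv6 man page links to manpages/shorewall-rules.html with the text "shorewall-rules", i.e. the IPv4 page, whereas UNTRACKED_DISPOSITION just above correctly uses shorewall6-rules.html and "shorewall6-rules"; fix the copy-paste.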

View File

@@ -13,8 +13,8 @@ Type=oneshot
RemainAfterExit=yes RemainAfterExit=yes
EnvironmentFile=-/etc/sysconfig/shorewall6 EnvironmentFile=-/etc/sysconfig/shorewall6
StandardOutput=syslog StandardOutput=syslog
ExecStart=/usr/sbin/shorewall6 $OPTIONS start ExecStart=/sbin/shorewall6 $OPTIONS start
ExecStop=/usr/sbin/shorewall6 $OPTIONS stop ExecStop=/sbin/shorewall6 $OPTIONS stop
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target
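Review bot: same hard-coded /sbin path concern as the other two unit files in this change; fill the directory in from the install setting.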

View File

@@ -30,6 +30,8 @@
<year>2012</year> <year>2012</year>
<year>2013</year>
<holder>Thomas M. Eastep</holder> <holder>Thomas M. Eastep</holder>
</copyright> </copyright>
@@ -392,6 +394,13 @@ REDIRECT net - tcp 80 - 1.2.3.4</programlisting>
<para>In the above example, $2 would expand to nothing.</para> <para>In the above example, $2 would expand to nothing.</para>
<para>Beginning with Shorewall 4.5.13, completely omitting a arameter is
equivalent to passing '-'.</para>
<para>Example: ACTION(REDIRECT,,info)</para>
<para>This example behaves the same as the one shown above.</para>
<para>If you want to make '-' a parameter value, use '--' (e.g., <para>If you want to make '-' a parameter value, use '--' (e.g.,
ACTION(REDIRECT,--.info)).</para> ACTION(REDIRECT,--.info)).</para>
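Review bot: typo in the new paragraph: "omitting a arameter" should read "omitting a parameter". While here, the unchanged line that follows reads "ACTION(REDIRECT,--.info)" with a period where the parameter separator is a comma, contradicting the examples above it; fix it in the same touch-up. The new example ACTION(REDIRECT,,info) would also read better with a clause saying that the empty second parameter is exactly what "-" would have supplied.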
@@ -405,10 +414,6 @@ REDIRECT net - tcp 80 - 1.2.3.4</programlisting>
for the second parameter and so on. You can specify an empty default for the second parameter and so on. You can specify an empty default
using '-' (e.g. DEFAULTS DROP,-,audit).</para> using '-' (e.g. DEFAULTS DROP,-,audit).</para>
<para>The DEFAULTS directive also determines the maximum number of
parameters that an action may have. If more parameters are passed than
have default values, an error message is issued.</para>
<para>For additional information about actions, see the <ulink <para>For additional information about actions, see the <ulink
url="configuration_file_basics.htm#ActionVariables">Action Variables url="configuration_file_basics.htm#ActionVariables">Action Variables
section</ulink> of the Configuration Basics article.</para> section</ulink> of the Configuration Basics article.</para>
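Review bot: the removed paragraph was the only statement of what happens when more parameters are passed than the DEFAULTS directive covers ("an error message is issued"); if that check no longer exists, replace the paragraph with the new rule (whether extra parameters are accepted silently, ignored, or become further $n variables) rather than deleting it, otherwise action authors who relied on the error lose the information without learning the replacement.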
@@ -684,7 +689,7 @@ bar:debug</programlisting>
<para>The Shorewall compiler provides a set of services that are available <para>The Shorewall compiler provides a set of services that are available
to Perl code embedded in an action file. These services are not available to Perl code embedded in an action file. These services are not available
in in-line actions.</para> in in-line actions when running Shorewall 4.5.12 or earlier.</para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
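Review bot: "These services are not available in in-line actions when running Shorewall 4.5.12 or earlier" implies they are all available from 4.5.13, but the warning added below under add_rule() says it must not be called from an inline action; qualify the sentence (for example, that only perl_action_helper() is usable from inline actions, if that is the case) so the two statements do not contradict each other.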
@@ -744,7 +749,9 @@ bar:debug</programlisting>
[, <replaceable>$expandports</replaceable> ] )</term> [, <replaceable>$expandports</replaceable> ] )</term>
<listitem> <listitem>
<para>This function adds a rule to a chain. Arguments are:</para> <para>This function adds a rule to a chain. As of Shoreall 4.5.13,
it is deprecated in favor of Shorewall::Rules::perl_action_helper().
Arguments are:</para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
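Review bot: "Shoreall" should read "Shorewall" in the new sentence.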
@@ -774,6 +781,11 @@ bar:debug</programlisting>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
<warning>
<para>Do not call this function in a inline action. Use
perl_action_helper() instead (see below).</para>
</warning>
</listitem> </listitem>
</varlistentry> </varlistentry>
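Review bot: "in a inline action" should read "in an inline action". The warning says to use perl_action_helper() "instead", but the helper takes no chain argument and adds to the current chain (per its entry below), so a phrase noting that the chain is implicit would save readers a trip to the new entry.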
@@ -788,8 +800,9 @@ bar:debug</programlisting>
<replaceable>$matches</replaceable> )</term> <replaceable>$matches</replaceable> )</term>
<listitem> <listitem>
<para>This function adds a logging rule to a chain. Arguments <para>This function adds a logging rule to a chain. As of Shoreall
are:</para> 4.5.13, it is deprecated in favor of
Shorewall::Rules::perl_action_helper(). Arguments are:</para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
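Review bot: "Shoreall" again in the added sentence; it should read "Shorewall 4.5.13".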
@@ -875,7 +888,7 @@ bar:debug</programlisting>
<varlistentry> <varlistentry>
<term>Shorewall::Chains::allow::optimize( <term>Shorewall::Chains::allow::optimize(
<replaceable>chainref</replaceable> )</term> <replaceable>$chainref</replaceable> )</term>
<listitem> <listitem>
<para>This allows the passed action chain to be optimized away <para>This allows the passed action chain to be optimized away
@@ -884,6 +897,47 @@ bar:debug</programlisting>
from get_action_chain() described above.</para> from get_action_chain() described above.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>Shorewall::Rules::perl_action_helper( $target, $matches )</term>
<listitem>
<para>This function adds a rule to the current chain. For a regular
action, the chain will be an action chain; for an inline action, the
chain is determined by the invoking rule.</para>
<para>To use this function, you must include:</para>
<simplelist>
<member><emphasis role="bold">use
Shorewall::Rules;</emphasis></member>
</simplelist>
<para>Arguments are:</para>
<variablelist>
<varlistentry>
<term>$target</term>
<listitem>
<para>The target of the rule. Legal values are anything that
can appear in the TARGET column of in an action body and may
include log level, tag, and parameters.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>$matches</term>
<listitem>
<para>ip[6]tables matches to be included in the rule. When
called in an inline action, these matches are augmented by
matches generated by the invoking rule.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
</variablelist> </variablelist>
<para>For an example of using these services, look at the standard action <para>For an example of using these services, look at the standard action
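Review bot: stray word in the $target description: "TARGET column of in an action body" should be "TARGET column in an action body". Two consistency points for the new entry: the <term> writes the parameters as bare "$target, $matches" while every other entry in this list wraps them in <replaceable>, and the entry never states when the function became available, although the add_rule() and log_rule() entries above present it as the 4.5.13 replacement, so a "Beginning with Shorewall 4.5.13" sentence would help readers on older releases. The inline-action behaviour ("these matches are augmented by matches generated by the invoking rule") is the detail most likely to be misread; a short example showing the resulting rule would be worth adding.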

@@ -221,6 +221,13 @@
on the firewall system is on the firewall system is
"/etc/shorewall-lite:/usr/share/shorewall-lite".</para> "/etc/shorewall-lite:/usr/share/shorewall-lite".</para>
</listitem> </listitem>
<listitem>
<para>The export directory should contain a
<filename>params</filename> file, even if it is empty.
Otherwise, <filename>/sbin/shorewall</filename> will attempt
to read<filename> /etc/shorewall/params</filename>.</para>
</listitem>
</itemizedlist> </itemizedlist>
</listitem> </listitem>
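Review bot: markup spacing in the new <listitem>: "to read<filename> /etc/shorewall/params</filename>" puts the space inside the element, so the rendered text runs "read" into the path and the path starts with a space; it should be "to read <filename>/etc/shorewall/params</filename>". The sentence could also say what goes wrong when that fallback happens (settings from the wrong params file are used), since that is the reason an empty file is required.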

@@ -1484,7 +1484,8 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting
<listitem> <listitem>
<para>The <replaceable>variable</replaceable> can be specified <para>The <replaceable>variable</replaceable> can be specified
either with or without a leading '$' to allow using both Perl and either with or without a leading '$' to allow using both Perl and
Shell variable representation.</para> Shell variable representation. The ${...} form (e.g. ${foo}) is not
allowed.</para>
<para>The <replaceable>value</replaceable> is a Perl-compatible <para>The <replaceable>value</replaceable> is a Perl-compatible
expression.</para> expression.</para>
@@ -1517,6 +1518,11 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting
<para>Action variables are read-only and cannot be ?SET (although you can <para>Action variables are read-only and cannot be ?SET (although you can
change their values <ulink url="Actions.html#Embedded">using embedded change their values <ulink url="Actions.html#Embedded">using embedded
Perl</ulink>).</para> Perl</ulink>).</para>
<para>Beginning with Shorewall 4.5.13, <link
linkend="ShorewallVariables">Shorewall Variables</link> may be set. When
setting a Shorewall Variable, the <replaceable>variable</replaceable> must
include the leading '@' and the @{...} form is not allowed.</para>
</section> </section>
<section id="AddressVariables"> <section id="AddressVariables">
@@ -1861,7 +1867,7 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting
<para>Beginning with Shorewall 4.5.13, the values of @chain and <para>Beginning with Shorewall 4.5.13, the values of @chain and
@disposition are used to generated the --log-prefix in logging rules. When @disposition are used to generated the --log-prefix in logging rules. When
either is empty, the historical value is used to generate the either is empty, the historical value is used to generate the
--log-prefix. </para> --log-prefix.</para>
</section> </section>
<section id="Conditional"> <section id="Conditional">
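Review bot: since this hunk only strips trailing whitespace after "--log-prefix.", it is a good place to also fix the typo on the unchanged context line two lines above: "are used to generated the --log-prefix" should be "are used to generate the --log-prefix".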