Remove allow_optimize() call from action.New.

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/shorewallrc.archlinux

@@ -1,21 +1,21 @@
 #
-# Archlinux Shorewall 4.5 rc file
+# Arch Linux Shorewall 4.5 rc file
 #
-BUILD=archlinux
+BUILD=                                 #Default is to detect the build system
 HOST=archlinux
 PREFIX=/usr                            #Top-level directory for shared files, libraries, etc.
 SHAREDIR=${PREFIX}/share               #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/share             #Directory for executable scripts.
 PERLLIBDIR=${PREFIX}/share/shorewall   #Directory to install Shorewall Perl module directory
 CONFDIR=/etc                           #Directory where subsystem configurations are installed
-SBINDIR=/sbin                          #Directory where system administration programs are installed
+SBINDIR=/usr/sbin                      #Directory where system administration programs are installed
 MANDIR=${SHAREDIR}/man                 #Directory where manpages are installed.
-INITDIR=/etc/rc.d                      #Directory where SysV init scripts are installed.
-INITFILE=$PRODUCT                      #Name of the product's installed SysV init script
-INITSOURCE=init.sh                     #Name of the distributed file to be installed as the SysV init script
+INITDIR=                               #Directory where SysV init scripts are installed.
+INITFILE=                              #Name of the product's installed SysV init script
+INITSOURCE=                            #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                             #If non-zero, annotated configuration files are installed
 SYSCONFDIR=                            #Directory where SysV init parameter files are installed
-SYSTEMD=                               #Directory where .service files are installed (systems running systemd only)
+SYSTEMD=/usr/lib/systemd/system        #Directory where .service files are installed (systems running systemd only)
 SPARSE=                                #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                        #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT              #Directory where product variable data is stored.

Shorewall-init/shorewall-init.service

@@ -13,8 +13,8 @@ Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall-init
 StandardOutput=syslog
-ExecStart=/sbin/shorewall-init $OPTIONS start
-ExecStop=/sbin/shorewall-init $OPTIONS stop
+ExecStart=/shorewall-init $OPTIONS start
+ExecStop=/shorewall-init $OPTIONS stop
 
 [Install]
 WantedBy=multi-user.target

Shorewall-lite/init.archlinux.sh

@@ -1,58 +0,0 @@
-#!/bin/bash
-
-OPTIONS="-f"
-
-if [ -f /etc/sysconfig/shorewall ] ; then
-	. /etc/sysconfig/shorewall
-elif [ -f /etc/default/shorewall ] ; then
-	. /etc/default/shorewall
-fi
-
-# if you want to override options, do so in /etc/sysconfig/shorewall or
-# in /etc/default/shorewall --
-# i strongly encourage you use the latter, since /etc/sysconfig/ does not exist.
-
-. /etc/rc.conf
-. /etc/rc.d/functions
-
-DAEMON_NAME="shorewall" # of course shorewall is NOT a deamon.
-
-case "$1" in
-	start)
-		stat_busy "Starting $DAEMON_NAME"
-		/sbin/shorewall-lite $OPTIONS start &>/dev/null
-		if [ $? -gt 0 ]; then
-			stat_fail
-		else
-			add_daemon $DAEMON_NAME
-			stat_done
-		fi
-		;;
-
-
-	stop)
-		stat_busy "Stopping $DAEMON_NAME"
-		/sbin/shorewall-lite stop &>/dev/null
-		if [ $? -gt 0 ]; then
-			stat_fail
-		else
-			rm_daemon $DAEMON_NAME
-			stat_done
-		fi
-		;;
-
-	restart|reload)
-		stat_busy "Restarting $DAEMON_NAME"
-		/sbin/shorewall-lite restart &>/dev/null
-		if [ $? -gt 0  ]; then
-			stat_fail
-		else
-			stat_done
-		fi
-		;;
-
-	*)
-		echo "usage: $0 {start|stop|restart}"
-esac
-exit 0
-

Shorewall-lite/shorewall-lite.service

@@ -13,8 +13,8 @@ Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall-lite
 StandardOutput=syslog
-ExecStart=/usr/sbin/shorewall-lite $OPTIONS start
-ExecStop=/usr/sbin/shorewall-lite $OPTIONS stop
+ExecStart=/sbin/shorewall-lite $OPTIONS start
+ExecStop=/sbin/shorewall-lite $OPTIONS stop
 
 [Install]
 WantedBy=multi-user.target

Shorewall/Perl/Shorewall/Chains.pm

@@ -72,23 +72,13 @@ our @EXPORT = ( qw(
 		    allow_move
 		    set_optflags
 		    reset_optflags
+		    has_return
 		    dont_optimize
 		    dont_delete
 		    dont_move
 		    add_interface_options
 
-		    %chain_table
-		    %targets
-		    $raw_table
-		    $rawpost_table
-		    $nat_table
-		    $mangle_table
-		    $filter_table
-		)
-	      );
-
-our %EXPORT_TAGS = (
-		    internal => [  qw( STANDARD
+		    STANDARD
 		    NATRULE
 		    BUILTIN
 		    NONAT
@@ -104,7 +94,21 @@ our %EXPORT_TAGS = (
 		    AUDIT
 		    HELPER
 		    INLINE
-				       NO_RESTRICT
+		    TERMINATING
+		    STATEMATCH
+
+		    %chain_table
+		    %targets
+		    $raw_table
+		    $rawpost_table
+		    $nat_table
+		    $mangle_table
+		    $filter_table
+		)
+	      );
+
+our %EXPORT_TAGS = (
+		    internal => [  qw( NO_RESTRICT
 				       PREROUTE_RESTRICT
 				       DESTIFACE_DISALLOW
 				       INPUT_RESTRICT
@@ -131,6 +135,8 @@ our %EXPORT_TAGS = (
 				       rules_chain
 				       blacklist_chain
 				       related_chain
+				       invalid_chain
+				       untracked_chain
 				       zone_forward_chain
 				       use_forward_chain
 				       input_chain
@@ -291,9 +297,9 @@ our $VERSION = 'MODULEVERSION';
 #                                               filtered     => Number of filter rules at the front of an interface forward chain
 #                                               digest       => string representation of the chain's rules for use in optimization
 #                                                               level 8.
-#                                               accepted     => A 'ESTABLISHED,RELATED' ACCEPT rule has been added to this chain.
 #                                               complete     => The last rule in the chain is a -g or a simple -j to a terminating target
 #                                                               Suppresses adding additional rules to the chain end of the chain
+#                                               sections     => { <section> = 1, ... } - Records sections that have been completed.
 #                                             } ,
 #                                <chain2> => ...
 #                              }
@@ -357,6 +363,7 @@ use constant { STANDARD    =>    0x1,       #defined by Netfilter
 	       HELPER       =>  0x2000,       #CT:helper
 	       NFLOG        =>  0x4000,       #NFLOG or ULOG
 	       INLINE       =>  0x8000,       #Inline action
+	       STATEMATCH   => 0x10000,       #action.Invalid, action.Related, etc.
 	   };
 #
 # Valid Targets -- value is a combination of one or more of the above
@@ -558,7 +565,9 @@ use constant { UNIQUE      => 1,
 	       TARGET      => 2,
 	       EXCLUSIVE   => 4,
 	       MATCH       => 8,
-	       CONTROL     => 16 };
+	       CONTROL     => 16,
+	       COMPLEX     => 32
+	   };
 
 our %opttype = ( rule          => CONTROL,
 		 cmd           => CONTROL,
@@ -584,6 +593,8 @@ our %opttype = ( rule          => CONTROL,
 		 policy        => MATCH,
 		 state         => EXCLUSIVE,
 
+		 conntrack     => COMPLEX,
+
 		 jump          => TARGET,
 		 target        => TARGET,
 		 targetopts    => TARGET,
@@ -723,6 +734,25 @@ sub set_rule_option( $$$ ) {
 
     my $opttype = $opttype{$option} || MATCH;
 
+    if ( $opttype == COMPLEX ) {
+	#
+	# Consider each subtype as a separate type
+	#
+	my ( $invert, $subtype, $val, $rest ) = split ' ', $value;
+
+	if ( $invert eq '!' ) {
+	    assert( ! supplied $rest );
+	    $option = join( ' ', $option, $invert, $subtype );
+	    $value  = $val;
+	} else {
+	    assert( ! supplied $val );
+	    $option  = join( ' ', $option, $invert );
+	    $value   = $subtype;
+	}
+
+	$opttype = EXCLUSIVE;
+    }
+
     if ( exists $ruleref->{$option} ) {
 	assert( defined( my $value1 = $ruleref->{$option} ) , $ruleref );
 
@@ -744,6 +774,15 @@ sub set_rule_option( $$$ ) {
 	} elsif ( $opttype == EXCLUSIVE ) {
 	    $ruleref->{$option} .= ",$value";
 	} elsif ( $opttype == UNIQUE ) {
+	    #
+	    # Shorewall::Rules::perl_action_tcp_helper() can produce rules that have two -p specifications.
+	    # The first will have a modifier like '! --syn' while the second will not.  We want to retain
+	    # the first while 
+	    if ( $option eq 'p' ) {
+		my ( $proto ) = split( ' ', $ruleref->{p} );
+		return if $proto eq $value;
+	    }
+
 	    fatal_error "Multiple $option settings in one rule is prohibited";
 	} else {
 	    assert(0, $opttype );
@@ -1629,6 +1668,20 @@ sub related_chain($$) {
     '+' . &rules_chain(@_);
 }
 
+#
+# Name of the invalid chain between an ordered pair of zones
+#
+sub invalid_chain($$) {
+    '_' . &rules_chain(@_);
+}
+
+#
+# Name of the untracked chain between an ordered pair of zones
+#
+sub untracked_chain($$) {
+    '&' . &rules_chain(@_);
+}
+
 #
 # Create the base for a chain involving the passed interface -- we make this a function so it will be
 # easy to change the mapping should the need ever arrive.
@@ -2165,7 +2218,7 @@ sub reset_optflags( $$ ) {
 
     my $chainref = reftype $chain ? $chain : $filter_table->{$chain};
 
-    $chainref->{optflags} ^= $flags;
+    $chainref->{optflags} ^= ( $flags & $chainref->{optflags} );
 
     trace( $chainref, "O${flags}", undef, '' ) if $debug;
 
@@ -2184,6 +2237,14 @@ sub set_optflags( $$ ) {
     $chainref;
 }
 
+#
+# Return true if the passed chain has a RETURN rule.
+#
+
+sub has_return( $ ) {
+    $_[0]->{optflags} & RETURNS;
+}
+
 #
 # Reset the dont_optimize flag for a chain
 #
@@ -2674,11 +2735,29 @@ sub delete_references( $ ) {
     $count;
 }
 
+#
+# Calculate a digest for the passed chain and store it in the {digest} member.
+#
+sub calculate_digest( $ ) {
+    my $chainref = shift;
+    my $digest = '';
+
+    for ( @{$chainref->{rules}} ) {
+	if ( $digest ) {
+	    $digest .= ' |' . format_rule( $chainref, $_, 1 );
+	} else {
+	    $digest = format_rule( $chainref, $_, 1 );
+	}
+    }
+
+    $chainref->{digest} = sha1 $digest;
+}
+
 #
 # Replace jumps to the passed chain with jumps to the passed target
 #
-sub replace_references( $$$ ) {
-    my ( $chainref, $target, $targetopts ) = @_;
+sub replace_references( $$$;$ ) {
+    my ( $chainref, $target, $targetopts, $digest ) = @_;
     my $tableref  = $chain_table{$chainref->{table}};
     my $count     = 0;
     my $name      = $chainref->{name};
@@ -2707,6 +2786,10 @@ sub replace_references( $$$ ) {
 		}
 	    }
 	    #
+	    # The chain has been modified, so the digest is now stale
+	    #
+	    calculate_digest( $fromref ) if $digest;
+	    #
 	    # The passed chain is no longer referenced by chain $fromref
 	    #
 	    delete $chainref->{references}{$fromref->{name}};
@@ -2925,6 +3008,7 @@ sub optimize_level4( $$ ) {
 				# A chain with a single 'RETURN' rule -- get rid of it
 				#
 				delete_chain_and_references( $chainref );
+				$progress = 1;
 			    } else {
 				#
 				# Replace all references to this chain with references to the target
@@ -2933,16 +3017,19 @@ sub optimize_level4( $$ ) {
 				$progress = 1;
 			    }
 			} elsif ( $firstrule->{target} ) {
+			    if ( $firstrule->{target} eq 'RETURN' ) {
 				#
-			    # Not so easy -- the rule contains matches
+				# A chain with a single 'RETURN' rule -- get rid of it
 				#
-			    if ( $chainref->{builtin} || ! $globals{KLUDGEFREE} || $firstrule->{policy} ) {
+				delete_chain_and_references( $chainref );
+				$progress = 1;
+			    } elsif ( $chainref->{builtin} || ! $globals{KLUDGEFREE} || $firstrule->{policy} ) {
 				#
 				# This case requires a new rule merging algorithm. Ignore this chain for
 				# now on.
 				#
 				$chainref->{optflags} |= DONT_OPTIMIZE;
-			    } else {
+			    } elsif ( ! ( $chainref->{optflags} & DONT_MOVE ) ) {
 				#
 				# Replace references to this chain with the target and add the matches
 				#
@@ -2956,6 +3043,15 @@ sub optimize_level4( $$ ) {
 			#
 			my $rulesref = $chainref->{rules};
 
+			if ( ( $lastref->{target} || '' ) eq 'RETURN' ) {
+			    #
+			    # The last rule is a RETURN -- get rid of it
+			    #
+			    pop @$rulesref;
+			    $lastref = $rulesref->[-1];
+			    $progress = 1;
+			}
+
 			if ( $lastref->{simple} && $lastref->{target} && ! $lastref->{targetopts} ) {
 			    my $target = $lastref->{target};
 			    my $count  = 0;
@@ -3083,38 +3179,44 @@ sub optimize_level4( $$ ) {
     $passes;
 }
 
+#
+# Compare two chains. Sort in reverse order except within names that have the
+# same first character, which are sorted in forward order.
+#
+sub level8_compare( $$ ) {
+    my ( $name1, $name2 ) = ( $_[0]->{name}, $_[1]->{name} );
+
+    if ( substr( $name1, 0, 1 ) eq substr( $name2, 0, 1 ) ) {
+	$name1 cmp $name2;
+    } else {
+	$name2 cmp $name1;
+    }
+}
+
 #
 # Delete duplicate chains replacing their references
 #
 sub optimize_level8( $$$ ) {
     my ( $table, $tableref , $passes ) = @_;
     my $progress = 1;
-    my @chains   = ( grep $_->{referenced} && ! $_->{builtin}, values %{$tableref} );
-    my @chains1  = @chains;
-    my $chains   = @chains;
     my $chainseq = 0;
-    my %rename;
-    my %combined;
-
-    $passes++;
-
-    progress_message "\n Table $table pass $passes, $chains referenced user chains, level 8...";
 
     %renamed = ();
 
-    for my $chainref ( @chains ) {
-	my $digest = '';
+    while ( $progress ) {
+	my @chains   = ( sort level8_compare grep $_->{referenced} && ! $_->{builtin}, values %{$tableref} );
+	my @chains1  = @chains;
+	my $chains   = @chains;
+	my %rename;
+	my %combined;
 
-	for ( @{$chainref->{rules}} ) {
-	    if ( $digest ) {
-		$digest .= ' |' . format_rule( $chainref, $_, 1 );
-	    } else {
-		$digest = format_rule( $chainref, $_, 1 );
-	    }
-	}
+	$progress = 0;
 
-	$chainref->{digest} = sha1 $digest;
-    }
+	progress_message "\n Table $table pass $passes, $chains referenced user chains, level 8...";
+
+	$passes++;
+
+	calculate_digest( $_ ) for ( grep ! $_->{digest}, @chains );
 
 	for my $chainref ( @chains ) {
 	    my $rules    = $chainref->{rules};
@@ -3130,9 +3232,10 @@ sub optimize_level8( $$$ ) {
 		next if $chainref1->{optflags} & DONT_DELETE;
 		if ( $chainref->{digest} eq $chainref1->{digest} ) {
 		    progress_message "  Chain $chainref1->{name} combined with $chainref->{name}";
-		replace_references $chainref1, $chainref->{name}, undef;
+		    $progress = 1;
+		    replace_references $chainref1, $chainref->{name}, undef, 1;
 
-		unless ( $chainref->{name} =~ /^~/ ) {
+		    unless ( $chainref->{name} =~ /^~/ || $chainref1->{name} =~ /^%/ ) {
 			#
 			# For simple use of the BLACKLIST section, we can end up with many identical
 			# chains. To distinguish them from other renamed chains, we keep track of
@@ -3146,9 +3249,8 @@ sub optimize_level8( $$$ ) {
 	    }
 	}
 
+	if ( $progress ) {
 	    my @rename = keys %rename;
-
-    if ( @rename ) {
 	    #
 	    # First create aliases for each renamed chain and change the {name} member.
 	    #
@@ -3198,13 +3300,16 @@ sub optimize_level8( $$$ ) {
 
 		    if ( my $newname = $renamed{$_->{target}} ) {
 			$_->{target} = $newname;
+			delete $chainref->{digest};
 			trace( $chainref, 'R', $rulenum, $_ ) if $debug;
 		    }
 		}
 	    }
 	}
+    }
 
     $passes;
+
 }
 
 #
@@ -3390,7 +3495,7 @@ sub combine_dports {
 # using any of these matches, because an intervening rule could modify the result of the match
 # of the second duplicate
 #
-my %bad_match = ( conntrack => 1, 
+my %bad_match = ( 'conntrack --ctstate' => 1, 
 		  dscp                  => 1,
 		  ecn                   => 1,
 		  mark                  => 1,
@@ -3482,6 +3587,142 @@ sub delete_duplicates {
     \@rules;
 }
 
+#
+# Get the 'conntrack' state(s) for the passed rule reference
+#
+sub get_conntrack( $ ) {
+    my $ruleref = $_[0];
+    if ( my $states = $ruleref->{'conntrack --ctstate'} ) {
+	#
+	# Normalize the rule and return the states.
+	#
+	delete $ruleref->{targetopts} unless $ruleref->{targetopts};
+	$ruleref->{simple} = ''       unless $ruleref->{simple};
+	return $states 
+    }
+
+    '';
+}
+
+#
+# Return an array of keys for the passed rule. 'conntrack' and 'comment' are omitted;
+#
+sub get_keys1( $ ) {
+    sort grep $_ ne 'conntrack --ctstate' && $_ ne 'comment',  keys %{$_[0]};
+}
+
+#
+# The arguments are a list of rule references; function returns a similar list with adjacent compatible rules combined
+#
+# Adjacent rules are compatible if:
+#
+#   - They all specify conntrack match
+#   - All of the rest of their members are identical with the possible exception of 'comment'.
+#
+#  Adjacent distinct comments are combined, separated by ', '. Redundant adjacent comments are dropped.
+#
+sub combine_states {
+    my @rules;
+    my $rulenum  = 1;
+    my $chainref = shift;
+    my $baseref  = shift;
+
+    while ( $baseref ) {
+	{
+	    my $ruleref;
+	    my $conntrack;
+	    my $basenum = $rulenum;
+
+	    if ( my $conntrack1 = get_conntrack( $baseref ) ) {
+		my @keys1         = get_keys1( $baseref );
+		my @states        = ( split ',', $conntrack1 );
+		my %states;
+
+		$states{$_} = 1 for @states;
+
+		my $origstates  = @states;
+		my $comment     = $baseref->{comment} || '';
+		my $lastcomment = $comment;
+
+	      RULE:
+
+		while ( ( $ruleref = shift ) ) {
+		    my $conntrack2;
+
+		    $rulenum++;
+
+		    if ( $conntrack2 = get_conntrack( $ruleref ) ) {
+			#
+			# We have a candidate
+			#
+			my $comment2 = $ruleref->{comment} || '';
+
+			last if $comment2 ne $lastcomment && length( $comment ) + length( $comment2 ) > 253;
+
+			my @keys2 = get_keys1( $ruleref );
+
+			last unless @keys1 == @keys2 ;
+
+			my $keynum = 0;
+
+			for my $key ( @keys1 ) {
+			    last RULE unless $key eq $keys2[$keynum++];
+			    last RULE unless compare_values( $baseref->{$key}, $ruleref->{$key} );
+			}
+			
+			if ( $comment2 ) {
+			    if ( $comment ) {
+				$comment .= ", $comment2" unless $comment2 eq $lastcomment;
+			    } else {
+				$comment = 'Others and ';
+				last if length( $comment ) + length( $comment2 ) > 255;
+				$comment .= $comment2;
+			    }
+
+			    $lastcomment = $comment2;
+			} else {
+			    if ( $comment ) {
+				unless ( ( $comment2 = ' and others' ) eq $lastcomment ) {
+				    last if length( $comment ) + length( $comment2 ) > 255;
+				    $comment .= $comment2;
+				}
+			    }
+
+			    $lastcomment = $comment2;
+			}
+
+			for ( split ',', $conntrack2 ) {
+			    unless ( $states{$_} ) {
+				push @states, $_;
+				$states{$_} = 1;
+			    }
+			}
+
+			trace( $chainref, 'D', $rulenum, $ruleref ) if $debug;
+
+		    } else {
+			#
+			# Rule doesn't have the conntrack match
+			#
+			last;
+		    }
+		}
+
+		if ( @states > $origstates ) {
+		    $baseref->{'conntrack --ctstate'} = join( ',', @states );
+		    trace ( $chainref, 'R', $basenum, $baseref ) if $debug;
+		}
+	    }
+
+	    push @rules, $baseref;
+
+	    $baseref = $ruleref ? $ruleref : shift;
+	}
+    }
+
+    \@rules;
+}
+
 sub optimize_level16( $$$ ) {
     my ( $table, $tableref , $passes ) = @_;
     my @chains   = ( grep $_->{referenced}, values %{$tableref} );
@@ -3501,6 +3742,13 @@ sub optimize_level16( $$$ ) {
     }
 
     ++$passes;
+
+    if ( have_capability 'CONNTRACK_MATCH' ) {
+	for my $chainref ( @chains ) {
+	    $chainref->{rules} = combine_states( $chainref, @{$chainref->{rules}} );
+	}
+    }
+	
 }
 
 #
@@ -3810,7 +4058,9 @@ sub state_imatch( $ ) {
     my $state = shift;
 
     unless ( $state eq 'ALL' ) {
-	have_capability 'CONNTRACK_MATCH' ? ( conntrack => "--ctstate $state" ) : ( state => "--state $state" );
+	have_capability 'CONNTRACK_MATCH' ? ( 'conntrack --ctstate' => $state ) : ( state => "--state $state" );
+    } else {
+	();
     }
 }
 

Shorewall/Perl/Shorewall/Config.pm

@@ -545,13 +545,16 @@ our %deprecated = ( LOGRATE            => '' ,
 		    LOGBURST           => '' ,
 		    EXPORTPARAMS       => 'no',
 		    WIDE_TC_MARKS      => 'no',
-		    HIGH_ROUTE_MARKS   => 'no'
+		    HIGH_ROUTE_MARKS   => 'no',
+		    BLACKLISTNEWONLY   => 'yes',
 		  );
 #
 # Deprecated options that are eliminated via update
 #
 our %converted = ( WIDE_TC_MARKS => 1,
-		   HIGH_ROUTE_MARKS => 1 );
+		   HIGH_ROUTE_MARKS => 1,
+		   BLACKLISTNEWONLY => 1,
+		 );
 #
 # Variables involved in ?IF, ?ELSE ?ENDIF processing
 #
@@ -642,7 +645,7 @@ sub initialize( $;$$) {
 		    EXPORT     => 0,
 		    KLUDGEFREE => '',
 		    STATEMATCH => '-m state --state',
-		    VERSION    => "4.5.13-Beta1",
+		    VERSION    => "4.5.13-Beta3",
 		    CAPVERSION => 40512 ,
 		  );
     #
@@ -672,6 +675,8 @@ sub initialize( $;$$) {
 	  STARTUP_LOG => undef,
 	  SFILTER_LOG_LEVEL => undef,
 	  RPFILTER_LOG_LEVEL => undef,
+	  INVALID_LOG_LEVEL => undef,
+	  UNTRACKED_LOG_LEVEL => undef,
 	  #
 	  # Location of Files
 	  #
@@ -720,6 +725,7 @@ sub initialize( $;$$) {
 	  DETECT_DNAT_IPADDRS => undef,
 	  MUTEX_TIMEOUT => undef,
 	  ADMINISABSENTMINDED => undef,
+	  BLACKLIST => undef,
 	  BLACKLISTNEWONLY => undef,
 	  DELAYBLACKLISTLOAD => undef,
 	  MODULE_SUFFIX => undef,
@@ -782,6 +788,8 @@ sub initialize( $;$$) {
 	  SFILTER_DISPOSITION => undef,
 	  RPFILTER_DISPOSITION => undef,
 	  RELATED_DISPOSITION => undef,
+	  INVALID_DISPOSITION => undef,
+	  UNTRACKED_DISPOSITION => undef,
 	  #
 	  # Mark Geometry
 	  #
@@ -942,7 +950,7 @@ sub initialize( $;$$) {
 
     %compiler_params = ();
 
-    %actparms = ( 0 => 0, loglevel => '', logtag => '', chain => '', disposition => ''  );
+    %actparms = ( 0 => 0, loglevel => '', logtag => '', chain => '', disposition => '', caller => ''  );
     $parmsmodified = 0;
 
     %helpers_enabled = (
@@ -1084,6 +1092,8 @@ sub currentlineinfo() {
     }
 }
 
+sub handle_first_entry();
+
 #
 # Issue a Warning Message
 #
@@ -1092,6 +1102,8 @@ sub warning_message
     my $currentlineinfo = currentlineinfo;
     our @localtime;
 
+    handle_first_entry if $first_entry;
+
     $| = 1; #Reset output buffering (flush any partially filled buffers).
 
     if ( $log ) {
@@ -1176,6 +1188,8 @@ sub cleanup() {
 sub fatal_error	{
     my $currentlineinfo = currentlineinfo;
 
+    handle_first_entry if $first_entry;
+
     $| = 1; #Reset output buffering (flush any partially filled buffers).
 
     if ( $log ) {
@@ -1204,6 +1218,8 @@ sub fatal_error	{
 }
 
 sub fatal_error1 {
+    handle_first_entry if $first_entry;
+
     $| = 1;
 
     if ( $log ) {
@@ -1796,8 +1812,12 @@ sub split_list2( $$ ) {
 
 sub split_list3( $$ ) {
     my ($list, $type ) = @_;
-
-    fatal_error "Invalid $type ($list)" if $list =~ /^,|,,/;
+    #
+    # We allow omitted arguments in action invocations.
+    #
+    $list =~ s/^,/-,/;
+    $list =~ s/,$/,-/;
+    $list =~ s/,,/,-,/g;
 
     my @list1 = split /,/, $list;
     my @list2;
@@ -2160,8 +2180,9 @@ sub evaluate_expression( $$$ ) {
 	#                         $1      $2   $3                     -     $4
 	while ( $expression =~ m( ^(.*?) \@({)? (\d+|[a-zA-Z]\w*) (?(2)}) (.*)$ )x ) {
 	    my ( $first, $var, $rest ) = ( $1, $3, $4);
-	    $var = numeric_value( $var ) if $var;
+	    $var = numeric_value( $var ) if $var =~ /^\d/;
 	    $val = $var ? $actparms{$var} : $chain;
+	    $parmsmodified ||= $var eq 'caller';
 	    $expression = join_parts( $first, $val, $rest );
 	    directive_error( "Variable Expansion Loop" , $filename, $linenumber ) if ++$count > 100;
 	}
@@ -2191,7 +2212,9 @@ sub evaluate_expression( $$$ ) {
 
     print "EXPR=> $expression\n" if $debug;
 
-    unless ( $expression =~ /^\d+$/ ) {
+    if ( $expression =~ /^\d+$/ ) {
+	$val = $expression
+    } else {
 	#
 	# Not a simple one-term expression -- compile it
 	#
@@ -2281,15 +2304,16 @@ sub process_compiler_directive( $$$$ ) {
 			       directive_error( "Missing SET expression"     , $filename, $linenumber) unless supplied $expression;
 
 			       if ( ( $1 || '' ) eq '@' ) {
+				   $var = $2;
 				   $var = numeric_value( $var ) if $var =~ /^\d/;
 				   $var = $2 || 'chain';
-				   directive_error( "Action variables may only be SET in the body of an action", $filename, $linenumber ) unless $actparms{0};
+				   directive_error( "Shorewall variables may only be SET in the body of an action", $filename, $linenumber ) unless $actparms{0};
 				   my $val = $actparms{$var} = evaluate_expression ( $expression,
 										     $filename,
 										     $linenumber );
 				   $parmsmodified = 1;
 			       } else {
-				   $variables{$1} = evaluate_expression( $expression,
+				   $variables{$2} = evaluate_expression( $expression,
 									 $filename,
 									 $linenumber );
 			       }
@@ -2310,12 +2334,28 @@ sub process_compiler_directive( $$$$ ) {
 			   unless ( $omitting ) {
 			       my $var = $expression;
 			       directive_error( "Missing RESET variable", $filename, $linenumber)        unless supplied $var;
-			       directive_error( "Invalid RESET variable ($var)", $filename, $linenumber) unless $var =~ /^\$?([a-zA-Z]\w*)$/;
+			       directive_error( "Invalid RESET variable ($var)", $filename, $linenumber) unless $var =~ /^(\$)?([a-zA-Z]\w*)$/ || $var =~ /^(@)(\d+|[a-zA-Z]\w*)/;
 
-			       if ( exists $variables{$1} ) {
-				   delete $variables{$1};
+			       if ( ( $1 || '' ) eq '@' ) {
+				   $var = numeric_value( $var ) if $var =~ /^\d/;
+				   $var = $2 || 'chain';
+				   directive_error( "Shorewall variables may only be RESET in the body of an action", $filename, $linenumber ) unless $actparms{0};
+				   if ( exists $actparms{$var} ) {
+				       if ( $var =~ /^loglevel|logtag|chain|disposition|caller$/ ) {
+					   $actparms{$var} = '';
 				       } else {
-				   directive_warning( "Variable $1 does not exist", $filename, $linenumber );
+					   delete $actparms{$var}
+				       }
+				   } else {
+				       directive_warning( "Shorewall variable $2 does not exist", $filename, $linenumber );
+				   }
+
+			       } else {
+				   if ( exists $variables{$2} ) {
+				       delete $variables{$2};
+				   } else {
+				       directive_warning( "Shell variable $2 does not exist", $filename, $linenumber );
+				   }
 			       }
 			   }
 		       } ,
@@ -2778,10 +2818,10 @@ sub embedded_perl( $ ) {
 }
 
 #
-# Push/pop action params
+# Push/pop acton params
 #
-sub push_action_params( $$$$$ ) {
-    my ( $chainref, $parms, $loglevel, $logtag, $caller ) = @_;
+sub push_action_params( $$$$$$ ) {
+    my ( $action, $chainref, $parms, $loglevel, $logtag, $caller ) = @_;
     my @parms = ( undef , split_list3( $parms , 'parameter' ) );
 
     $actparms{modified} = $parmsmodified;
@@ -2799,6 +2839,7 @@ sub push_action_params( $$$$$ ) {
     }
 
     $actparms{0}           = $chainref;
+    $actparms{action}      = $action;
     $actparms{loglevel}    = $loglevel;
     $actparms{logtag}      = $logtag;
     $actparms{caller}      = $caller;
@@ -2893,13 +2934,14 @@ sub expand_variables( \$ ) {
 	if ( $var =~ /^\d+$/ ) {
 	    fatal_error "Action parameters (\$$var) may only be referenced within the body of an action" unless $chain;
 
-	    unless ( $config{IGNOREUNKNOWNVARIABLES} ) {
+	    if ( $config{IGNOREUNKNOWNVARIABLES} ) {
+		fatal_error "Invalid action parameter (\$$var)" if ( length( $var ) > 1 && $var =~ /^0/ );
+	    } else {
 		fatal_error "Undefined parameter (\$$var)" unless ( defined $actparms{$var} &&
 								    ( length( $var ) == 1 ||
 								      $var !~ /^0/ ) );
 	    }
 
-	    fatal_error "Invalid action parameter (\$$var)" if ( ! defined $actparms{$var} ) || ( length( $var ) > 1 && $var =~ /^0/ );
 	    $val = $var ? $actparms{$var} : $actparms{0}->{name};
 	} elsif ( exists $variables{$var} ) {
 	    $val = $variables{$var};
@@ -2953,8 +2995,11 @@ sub handle_first_entry() {
     # $first_entry can contain either a function reference or a message. If it
     # contains a reference, call the function -- otherwise issue the message
     #
-    reftype( $first_entry ) ? $first_entry->() : progress_message2( $first_entry );
+    my $entry = $first_entry;
+
     $first_entry = 0;
+
+    reftype( $entry ) ? $entry->() : progress_message2( $entry );
 }
 
 #
@@ -5045,7 +5090,6 @@ sub get_configuration( $$$$ ) {
     }
 
     default_yes_no 'ADMINISABSENTMINDED'        , '';
-    default_yes_no 'BLACKLISTNEWONLY'           , '';
     default_yes_no 'DISABLE_IPV6'               , '';
 
     unsupported_yes_no_warning 'DYNAMIC_ZONES';
@@ -5064,8 +5108,48 @@ sub get_configuration( $$$$ ) {
 
     default_yes_no 'FASTACCEPT'                 , '';
 
+    if ( supplied( $val = $config{BLACKLIST} ) ) {
+	my %states;
+
+	if ( $val eq 'ALL' ) {
+	    $globals{BLACKLIST_STATES} = 'ALL';
+	} else {
+	    for ( split_list $val, 'BLACKLIST' ) {
+		fatal_error "Invalid BLACKLIST state ($_)" unless /^(?:NEW|RELATED|ESTABLISHED|INVALID|UNTRACKED)$/;
+		fatal_error "Duplicate BLACKLIST state($_)" if $states{$_};
+		$states{$_} = 1;
+	    }
+
+	    fatal_error "ESTABLISHED state may not be specified when FASTACCEPT=Yes" if $config{FASTACCEPT} && $states{ESTABLISHED};
+	    require_capability 'RAW_TABLE', 'UNTRACKED state', 's' if $states{UNTRACKED};
+	    #
+	    # Place the states in a predictable order
+	    #
+	    my @states;
+
+	    for ( qw( NEW ESTABLISHED RELATED INVALID UNTRACKED ) ) {
+		push @states, $_ if $states{$_};
+	    }
+
+	    $globals{BLACKLIST_STATES} = join ',', @states;
+	}
+    } elsif ( supplied $config{BLACKLISTNEWONLY} ) {
+	default_yes_no 'BLACKLISTNEWONLY'           , '';
 	fatal_error "BLACKLISTNEWONLY=No may not be specified with FASTACCEPT=Yes" if $config{FASTACCEPT} && ! $config{BLACKLISTNEWONLY};
 
+	if ( have_capability 'RAW_TABLE' ) {
+	    $globals{BLACKLIST_STATES} = $config{BLACKLISTNEWONLY} ? 'NEW,INVALID,UNTRACKED' : 'NEW,ESTABLISHED,INVALID,UNTRACKED';
+	} else {
+	    $globals{BLACKLIST_STATES} = $config{BLACKLISTNEWONLY} ? 'NEW,INVALID' : 'NEW,ESTABLISHED,INVALID';
+	}
+    } else {
+	if ( have_capability 'RAW_TABLE' ) {
+	    $globals{BLACKLIST_STATES} = $config{FASTACCEPT} ? 'NEW,INVALID,UNTRACKED' : 'NEW,ESTABLISHED,INVALID,UNTRACKED';
+	} else {
+	    $globals{BLACKLIST_STATES} = $config{FASTACCEPT} ? 'NEW,INVALID' : 'NEW,INVALID,ESTABLISHED';
+	}
+    }
+
     default_yes_no 'IMPLICIT_CONTINUE'          , '';
     default_yes_no 'HIGH_ROUTE_MARKS'           , '';
     default_yes_no 'TC_EXPERT'                  , '';
@@ -5206,6 +5290,8 @@ sub get_configuration( $$$$ ) {
     default_log_level 'TCP_FLAGS_LOG_LEVEL', '';
     default_log_level 'RFC1918_LOG_LEVEL',   '';
     default_log_level 'RELATED_LOG_LEVEL',   '';
+    default_log_level 'INVALID_LOG_LEVEL',   '';
+    default_log_level 'UNTRACKED_LOG_LEVEL', '';
 
     warning_message "RFC1918_LOG_LEVEL=$config{RFC1918_LOG_LEVEL} ignored. The 'norfc1918' interface/host option is no longer supported" if $config{RFC1918_LOG_LEVEL};
 
@@ -5256,16 +5342,56 @@ sub get_configuration( $$$$ ) {
 	    $globals{RELATED_TARGET} = 'reject';
 	} elsif ( $val eq 'A_REJECT' ) {
 	    $globals{RELATED_TARGET} = $val;
+	} elsif ( $val eq 'CONTINUE' ) {
+	    $globals{RELATED_TARGET} = '';
 	} else {
 	    fatal_error "Invalid value ($config{RELATED_DISPOSITION}) for RELATED_DISPOSITION"
 	}
 
-	require_capability 'AUDIT_TARGET' , "MACLIST_DISPOSITION=$val", 's' if $val =~ /^A_/;
+	require_capability 'AUDIT_TARGET' , "RELATED_DISPOSITION=$val", 's' if $val =~ /^A_/;
     } else {
 	$config{RELATED_DISPOSITION}  =
 	$globals{RELATED_TARGET}      = 'ACCEPT';
     }
 
+    if ( $val = $config{INVALID_DISPOSITION} ) {
+	if ( $val =~ /^(?:A_)?DROP$/ ) {
+	    $globals{INVALID_TARGET} = $val;
+	} elsif ( $val eq 'REJECT' ) {
+	    $globals{INVALID_TARGET} = 'reject';
+	} elsif ( $val eq 'A_REJECT' ) {
+	    $globals{INVALID_TARGET} = $val;
+	} elsif ( $val eq 'CONTINUE' ) {
+	    $globals{INVALID_TARGET} = '';
+	} else {
+	    fatal_error "Invalid value ($config{INVALID_DISPOSITION}) for INVALID_DISPOSITION"
+	}
+
+	require_capability 'AUDIT_TARGET' , "INVALID_DISPOSITION=$val", 's' if $val =~ /^A_/;
+    } else {
+	$config{INVALID_DISPOSITION}  = 'CONTINUE';
+	$globals{INVALID_TARGET}      = '';
+    }
+
+    if ( $val = $config{UNTRACKED_DISPOSITION} ) {
+	if ( $val =~ /^(?:A_)?(?:DROP|ACCEPT)$/ ) {
+	    $globals{UNTRACKED_TARGET} = $val;
+	} elsif ( $val eq 'REJECT' ) {
+	    $globals{UNTRACKED_TARGET} = 'reject';
+	} elsif ( $val eq 'A_REJECT' ) {
+	    $globals{UNTRACKED_TARGET} = $val;
+	} elsif ( $val eq 'CONTINUE' ) {
+	    $globals{UNTRACKED_TARGET} = '';
+	} else {
+	    fatal_error "Invalid value ($config{UNTRACKED_DISPOSITION}) for UNTRACKED_DISPOSITION"
+	}
+
+	require_capability 'AUDIT_TARGET' , "UNTRACKED_DISPOSITION=$val", 's' if $val =~ /^A_/;
+    } else {
+	$config{UNTRACKED_DISPOSITION}  = 'CONTINUE';
+	$globals{UNTRACKED_TARGET}        = '';
+    }
+
     if ( $val = $config{MACLIST_TABLE} ) {
 	if ( $val eq 'mangle' ) {
 	    fatal_error 'MACLIST_DISPOSITION=$1 is not allowed with MACLIST_TABLE=mangle' if $config{MACLIST_DISPOSITION} =~ /^((?:A)?REJECT)$/;
@@ -5283,7 +5409,6 @@ sub get_configuration( $$$$ ) {
 	$val = $config{TCP_FLAGS_DISPOSITION} = 'DROP';
     }
 
-
     default 'TC_ENABLED' , $family == F_IPV4 ? 'Internal' : 'no';
 
     $val = "\L$config{TC_ENABLED}";

Shorewall/Perl/Shorewall/Misc.pm

@@ -764,7 +764,7 @@ sub add_common_rules ( $ ) {
     my $chain;
     my $dynamicref;
 
-    my @state     = $config{BLACKLISTNEWONLY} ? have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID' : ();
+    my @state     = state_imatch( $globals{BLACKLIST_STATES} );
     my $faststate = $config{RELATED_DISPOSITION} eq 'ACCEPT' && $config{RELATED_LOG_LEVEL} eq '' ? 'ESTABLISHED,RELATED' : 'ESTABLISHED';
     my $level     = $config{BLACKLIST_LOGLEVEL};
     my $rejectref = $filter_table->{reject};

Shorewall/Samples/Universal/rules

@@ -12,6 +12,8 @@
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
+#SECTION INVALID
+#SECTION UNTRACKED
 SECTION NEW
 Invalid(DROP)	net		$FW		tcp
 SSH(ACCEPT)	net		$FW

Shorewall/Samples/Universal/shorewall.conf

@@ -23,6 +23,8 @@ VERBOSITY=1
 
 BLACKLIST_LOGLEVEL=
 
+INVALID_LOG_LEVEL=
+
 LOG_MARTIANS=Yes
 
 LOG_VERBOSITY=2
@@ -51,6 +53,8 @@ STARTUP_LOG=/var/log/shorewall-init.log
 
 TCP_FLAGS_LOG_LEVEL=info
 
+UNTRACKED_LOG_LEVEL=
+
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
@@ -124,7 +128,7 @@ AUTOHELPERS=Yes
 
 AUTOMAKE=No
 
-BLACKLISTNEWONLY=Yes
+BLACKLIST="NEW,INVALID,UNTRACKED"
 
 CLAMPMSS=No
 
@@ -224,6 +228,8 @@ ZONE2ZONE=2
 
 BLACKLIST_DISPOSITION=DROP
 
+INVALID_DISPOSITION=CONTINUE
+
 MACLIST_DISPOSITION=REJECT
 
 RELATED_DISPOSITION=ACCEPT
@@ -236,6 +242,8 @@ SFILTER_DISPOSITION=DROP
 
 TCP_FLAGS_DISPOSITION=DROP
 
+UNTRACKED_DISPOSITION=CONTINUE
+
 ################################################################################
 #			P A C K E T  M A R K  L A Y O U T
 ################################################################################

Shorewall/Samples/one-interface/rules

@@ -16,6 +16,8 @@
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
+#SECTION INVALID
+#SECTION UNTRACKED
 SECTION NEW
 
 # Drop packets in the INVALID state

Shorewall/Samples/one-interface/shorewall.conf

@@ -34,6 +34,8 @@ VERBOSITY=1
 
 BLACKLIST_LOGLEVEL=
 
+INVALID_LOG_LEVEL=
+
 LOG_MARTIANS=Yes
 
 LOG_VERBOSITY=2
@@ -62,6 +64,8 @@ STARTUP_LOG=/var/log/shorewall-init.log
 
 TCP_FLAGS_LOG_LEVEL=info
 
+UNTRACKED_LOG_LEVEL=
+
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
@@ -135,7 +139,7 @@ AUTOHELPERS=Yes
 
 AUTOMAKE=No
 
-BLACKLISTNEWONLY=Yes
+BLACKLIST="NEW,INVALID,UNTRACKED"
 
 CLAMPMSS=No
 
@@ -235,6 +239,8 @@ ZONE2ZONE=2
 
 BLACKLIST_DISPOSITION=DROP
 
+INVALID_DISPOSITION=CONTINUE
+
 MACLIST_DISPOSITION=REJECT
 
 RELATED_DISPOSITION=ACCEPT
@@ -247,6 +253,8 @@ SFILTER_DISPOSITION=DROP
 
 TCP_FLAGS_DISPOSITION=DROP
 
+UNTRACKED_DISPOSITION=CONTINUE
+
 ################################################################################
 #			P A C K E T  M A R K  L A Y O U T
 ################################################################################

Shorewall/Samples/three-interfaces/rules

@@ -16,6 +16,8 @@
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
+#SECTION INVALID
+#SECTION UNTRACKED
 SECTION NEW
 
 #       Don't allow connection pickup from the net

Shorewall/Samples/three-interfaces/shorewall.conf

@@ -32,6 +32,8 @@ VERBOSITY=1
 
 BLACKLIST_LOGLEVEL=
 
+INVALID_LOG_LEVEL=
+
 LOG_MARTIANS=Yes
 
 LOG_VERBOSITY=2
@@ -60,6 +62,8 @@ STARTUP_LOG=/var/log/shorewall-init.log
 
 TCP_FLAGS_LOG_LEVEL=info
 
+UNTRACKED_LOG_LEVEL=
+
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
@@ -133,7 +137,7 @@ AUTOHELPERS=Yes
 
 AUTOMAKE=No
 
-BLACKLISTNEWONLY=Yes
+BLACKLIST="NEW,INVALID,UNTRACKED"
 
 CLAMPMSS=Yes
 
@@ -233,6 +237,8 @@ ZONE2ZONE=2
 
 BLACKLIST_DISPOSITION=DROP
 
+INVALID_DISPOSITION=CONTINUE
+
 MACLIST_DISPOSITION=REJECT
 
 RELATED_DISPOSITION=ACCEPT
@@ -245,6 +251,8 @@ SFILTER_DISPOSITION=DROP
 
 TCP_FLAGS_DISPOSITION=DROP
 
+UNTRACKED_DISPOSITION=CONTINUE
+
 ################################################################################
 #			P A C K E T  M A R K  L A Y O U T
 ################################################################################

Shorewall/Samples/two-interfaces/rules

@@ -16,6 +16,8 @@
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
+#SECTION INVALID
+#SECTION UNTRACKED
 SECTION NEW
 
 #       Don't allow connection pickup from the net

Shorewall/Samples/two-interfaces/shorewall.conf

@@ -35,6 +35,8 @@ VERBOSITY=1
 
 BLACKLIST_LOGLEVEL=
 
+INVALID_LOG_LEVEL=
+
 LOG_MARTIANS=Yes
 
 LOG_VERBOSITY=2
@@ -63,6 +65,8 @@ STARTUP_LOG=/var/log/shorewall-init.log
 
 TCP_FLAGS_LOG_LEVEL=info
 
+UNTRACKED_LOG_LEVEL=
+
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
@@ -136,7 +140,7 @@ AUTOHELPERS=Yes
 
 AUTOMAKE=No
 
-BLACKLISTNEWONLY=Yes
+BLACKLIST="NEW,INVALID,UNTRACKED"
 
 CLAMPMSS=Yes
 
@@ -236,6 +240,8 @@ ZONE2ZONE=2
 
 BLACKLIST_DISPOSITION=DROP
 
+INVALID_DISPOSITION=CONTINUE
+
 MACLIST_DISPOSITION=REJECT
 
 RELATED_DISPOSITION=ACCEPT
@@ -248,6 +254,8 @@ SFILTER_DISPOSITION=DROP
 
 TCP_FLAGS_DISPOSITION=DROP
 
+UNTRACKED_DISPOSITION=CONTINUE
+
 ################################################################################
 #			P A C K E T  M A R K  L A Y O U T
 ################################################################################

Shorewall/action.Established

@@ -0,0 +1,49 @@
+#
+# Shorewall 4 - Established Action
+#
+#    /usr/share/shorewall/action.Established
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
+#
+#       Complete documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#   Established[([<action>])]
+#
+#       Default action is ACCEPT
+#
+##########################################################################################
+?FORMAT 2
+
+DEFAULTS ACCEPT
+
+?BEGIN PERL;
+
+use Shorewall::IPAddrs;
+use Shorewall::Config;
+use Shorewall::Chains;
+use Shorewall::Rules;
+
+my ( $action ) = get_action_params( 1 );
+
+if ( my $check = check_state( 'ESTABLISHED' ) ) {
+    perl_action_helper( $action, $check == 1 ? "$globals{STATEMATCH} ESTABLISHED" : '', 'ESTABLISHED' );
+}
+
+1;
+
+?END PERL;

Shorewall/action.Invalid

@@ -5,7 +5,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -22,7 +22,7 @@
 #       along with this program; if not, write to the Free Software
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#   Invalid[([<action>|-[,{audit|-}])]
+#   Invalid[([<action>])]
 #
 #       Default action is DROP
 #
@@ -36,21 +36,18 @@ DEFAULTS DROP,-
 use Shorewall::IPAddrs;
 use Shorewall::Config;
 use Shorewall::Chains;
+use Shorewall::Rules;
 
 my ( $action, $audit ) = get_action_params( 2 );
 
-fatal_error "Invalid parameter ($audit) to action Invalid"   if supplied $audit && $audit ne 'audit';
-fatal_error "Invalid parameter ($action) to action Invalid"  unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
+if ( supplied $audit ) {
+     fatal_error "Invalid parameter ($audit) to action Invalid" if $audit ne 'audit';
+     $action = "A_$action";
+}
 
-my $chainref         = get_action_chain;
-
-my ( $level, $tag )  = get_action_logging;
-my $target           = require_audit ( $action , $audit );
-
-log_rule_limit $level, $chainref, 'Invalid' , $action, '', $tag, 'add', "$globals{STATEMATCH} INVALID " if $level ne '';
-add_jump $chainref , $target, 0, "$globals{STATEMATCH} INVALID ";
-
-allow_optimize( $chainref );
+if ( my $check = check_state( 'INVALID' ) ) {
+    perl_action_helper( $action, $check == 1 ? "$globals{STATEMATCH} INVALID" : '' , 'INVALID' );
+}
 
 1;
 

Shorewall/action.New

@@ -0,0 +1,49 @@
+#
+# Shorewall 4 - New Action
+#
+#    /usr/share/shorewall/action.New
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
+#
+#       Complete documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#   Untracked[([<action>])]
+#
+#       Default action is ACCEPT
+#
+##########################################################################################
+?FORMAT 2
+
+DEFAULTS ACCEPT
+
+?BEGIN PERL;
+
+use Shorewall::IPAddrs;
+use Shorewall::Config;
+use Shorewall::Chains;
+use Shorewall::Rules;
+
+my ( $action ) = get_action_params( 1 );
+
+if ( my $check = check_state( 'NEW' ) ) {
+    perl_action_helper( $action, $check == 1 ? "$globals{STATEMATCH} NEW" : '' , 'NEW' );
+}
+
+1;
+
+?END PERL;

Shorewall/action.NotSyn

@@ -22,7 +22,7 @@
 #       along with this program; if not, write to the Free Software
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#   NotSyn[([<action>|-[,{audit|-}])]
+#   NotSyn[([<action>])]
 #
 #       Default action is DROP
 #
@@ -33,24 +33,20 @@ DEFAULTS DROP,-
 
 ?BEGIN PERL;
 
+use strict;
 use Shorewall::IPAddrs;
 use Shorewall::Config;
 use Shorewall::Chains;
+use Shorewall::Rules;
 
 my ( $action, $audit ) = get_action_params( 2 );
 
-fatal_error "Invalid parameter ($audit) to action NotSyn"   if supplied $audit && $audit ne 'audit';
-fatal_error "Invalid parameter ($action) to action NotSyn"  unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
+if ( supplied $audit ) {
+     fatal_error "Invalid parameter ($audit) to action NotSyn" if $audit ne 'audit';
+     $action = "A_$action";
+}    
 
-my $chainref         = get_action_chain;
-
-my ( $level, $tag )  = get_action_logging;
-my $target           = require_audit ( $action , $audit );
-
-log_rule_limit $level, $chainref, 'NotSyn' , $action, '', $tag, 'add', '-p 6 ! --syn ' if $level ne '';
-add_jump $chainref , $target, 0, '-p 6 ! --syn ';
-
-allow_optimize( $chainref );
+perl_action_tcp_helper( $action, '-p 6 ! --syn' );
 
 1;
 

Shorewall/action.RST

@@ -22,7 +22,7 @@
 #       along with this program; if not, write to the Free Software
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#   RST[([<action>|-[,{audit|-}])]
+#   RST[([<action>])]
 #
 #       Default action is DROP
 #
@@ -35,21 +35,16 @@ DEFAULTS DROP,-
 
 use Shorewall::Config;
 use Shorewall::Chains;
+use Shorewall::Rules;
 
 my ( $action, $audit ) = get_action_params( 2 );
 
-fatal_error "Invalid parameter ($audit) to action RST"   if supplied $audit && $audit ne 'audit';
-fatal_error "Invalid parameter ($action) to action RST"  unless $action =~ /^(?:ACCEPT|DROP)$/;
+if ( supplied $audit ) {
+     fatal_error "Invalid parameter ($audit) to action RST" if $audit ne 'audit';
+     $action = "A_$action";
+}    
 
-my $chainref         = get_action_chain;
-
-my ( $level, $tag )  = get_action_logging;
-my $target           = require_audit ( $action , $audit );
-
-log_rule_limit $level, $chainref, 'RST' , $action, '', $tag, 'add', '-p 6 --tcp-flags RST RST ' if $level ne '';
-add_jump $chainref , $target, 0, '-p 6 --tcp-flags RST RST ';
-
-allow_optimize( $chainref );
+perl_action_tcp_helper( $action, '-p 6 --tcp-flags RST RST' );
 
 1;
 

Shorewall/action.Related

@@ -0,0 +1,50 @@
+#
+# Shorewall 4 - Related Action
+#
+#    /usr/share/shorewall/action.Related
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
+#
+#       Complete documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#   Related[([<action>])]
+#
+#       Default action is DROP
+#
+##########################################################################################
+?FORMAT 2
+
+DEFAULTS DROP
+
+?BEGIN PERL;
+
+use strict;
+use Shorewall::IPAddrs;
+use Shorewall::Config;
+use Shorewall::Chains;
+use Shorewall::Rules;
+
+my ( $action ) = get_action_params( 1 );
+
+if ( my $check = check_state( 'RELATED' ) ) {
+    perl_action_helper( $action, $check == 1 ? "$globals{STATEMATCH} RELATED" : '', 'RELATED' );
+}
+
+1;
+
+?END PERL;

Shorewall/action.TCPFlags

@@ -11,49 +11,28 @@
 #################################################################################
 ?FORMAT 2
 
-DEFAULTS DROP,-
+DEFAULTS -
 
 ?BEGIN PERL;
 use strict;
 use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6);
 use Shorewall::Chains;
+use Shorewall::Rules;
 
-my ( $disposition, $audit ) = get_action_params( 2 );
+my $action = 'DROP';
 
-my $chainref        = get_action_chain;
+my ( $audit ) = get_action_params( 1 );
 
-my ( $level, $tag ) = get_action_logging;
-
-fatal_error q(The first argument to 'TCPFlags' must be ACCEPT, REJECT, or DROP) unless $disposition =~ /^(ACCEPT|REJECT|DROP)$/;
-
-if ( $level ne '-' || $audit ne '-' ) {
-    my $logchainref = ensure_filter_chain newlogchain( $chainref->{table} ), 0;
-
-    log_rule_limit( $level,
-		    $logchainref,
-		    $chainref->{name},
-		    $disposition,
-		    '',
-		    $tag,
-		    'add',
-		    '' ) if $level;
-
-    if ( supplied $audit ) {
-	fatal_error "Invalid argument ($audit) to TCPFlags" if $audit ne 'audit';
-	require_capability 'AUDIT_TARGET', q(Passing 'audit' to the TCPFlags action), 's';
-	add_ijump( $logchainref, j => 'AUDIT --type ' . lc $disposition );
-    }
-
-    add_ijump( $logchainref, g => $disposition );
-
-    $disposition = $logchainref;
+if ( supplied $audit ) {
+     fatal_error "Invalid parameter ($audit) to action TCPFlags" if $audit ne 'audit';
+     $action = "A_DROP";
 }    
 
-add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags ALL FIN,URG,PSH';
-add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags ALL NONE';
-add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags SYN,RST SYN,RST';
-add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags SYN,FIN SYN,FIN';
-add_ijump $chainref , g => $disposition, p => 'tcp --syn --sport 0';
+perl_action_tcp_helper( $action, '-p tcp --tcp-flags ALL FIN,URG,PSH' );
+perl_action_tcp_helper( $action, '-p tcp --tcp-flags ALL NONE' );
+perl_action_tcp_helper( $action, '-p tcp --tcp-flags SYN,RST SYN,RST' );
+perl_action_tcp_helper( $action, '-p tcp --tcp-flags SYN,FIN SYN,FIN' );
+perl_action_tcp_helper( $action, '-p tcp --syn --sport 0' );
 
 ?END PERL;
 

Shorewall/action.Untracked

@@ -0,0 +1,49 @@
+#
+# Shorewall 4 - Untracked Action
+#
+#    /usr/share/shorewall/action.Untracked
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
+#
+#       Complete documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#   Untracked[([<action>])]
+#
+#       Default action is DROP
+#
+##########################################################################################
+?FORMAT 2
+
+DEFAULTS DROP
+
+?BEGIN PERL;
+
+use Shorewall::IPAddrs;
+use Shorewall::Config;
+use Shorewall::Chains;
+use Shorewall::Rules;
+
+my ( $action ) = get_action_params( 1 );
+
+if ( my $check = check_state( 'UNTRACKED' ) ) {
+    perl_action_helper( $action, $check == 1 ? "$globals{STATEMATCH} UNTRACKED" : '' , 'UNTRACKED' );
+}
+
+1;
+
+?END PERL;

Shorewall/action.allowInvalid

@@ -0,0 +1,53 @@
+#
+# Shorewall 4 - allowInvalid Action
+#
+#    /usr/share/shorewall/action.allowInvalid
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2011 - Tom Eastep (teastep@shorewall.net)
+#
+#       Complete documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#   allowInvalid[([audit])]
+#
+##########################################################################################
+?FORMAT 2
+
+DEFAULTS -
+
+?BEGIN PERL;
+
+use strict;
+use Shorewall::IPAddrs;
+use Shorewall::Config;
+use Shorewall::Chains;
+use Shorewall::Rules;
+
+my $action = 'ACCEPT';
+
+my ( $audit ) = get_action_params( 1 );
+
+if ( supplied $audit ) {
+     fatal_error "Invalid parameter ($audit) to action allowInvalid" if $audit ne 'audit';
+     $action = "A_ACCEPT";
+}    
+
+perl_action_helper( "Invalid($action)", '' );
+
+1;
+
+?END PERL;

Shorewall/action.dropInvalid

@@ -0,0 +1,53 @@
+#
+# Shorewall 4 - dropInvalid Action
+#
+#    /usr/share/shorewall/action.dropInvalid
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2011 - Tom Eastep (teastep@shorewall.net)
+#
+#       Complete documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#   dropInvalid[([audit])]
+#
+##########################################################################################
+?FORMAT 2
+
+DEFAULTS -
+
+?BEGIN PERL;
+
+use strict;
+use Shorewall::IPAddrs;
+use Shorewall::Config;
+use Shorewall::Chains;
+use Shorewall::Rules;
+
+my $action = 'DROP';
+
+my ( $audit ) = get_action_params( 1 );
+
+if ( supplied $audit ) {
+     fatal_error "Invalid parameter ($audit) to action dropInvalid" if $audit ne 'audit';
+     $action = "A_DROP";
+}    
+
+perl_action_helper( "Invalid($action)", '' );
+
+1;
+
+?END PERL;

Shorewall/actions.std

@@ -15,19 +15,11 @@
 #    dropBcast		# Silently Drop Broadcast/multicast
 #    dropNotSyn		# Silently Drop Non-syn TCP packets
 #    rejNotSyn		# Silently Reject Non-syn TCP packets
-#    dropInvalid	# Silently Drop packets that are in the INVALID
-#			# conntrack state.
-#    allowInvalid	# Accept packets that are in the INVALID
-#			# conntrack state.
 #    allowoutUPnP	# Allow traffic from local command 'upnpd' (does not
 #                       # work with kernel 2.6.14 and later).
 #    allowinUPnP	# Allow UPnP inbound (to firewall) traffic
 #    forwardUPnP	# Allow traffic that upnpd has redirected from
 #			# 'upnp' interfaces.
-#    drop1918src        # Drop packets with an RFC 1918 source address
-#    drop1918dst        # Drop packets with an RFC 1918 original dest address
-#    rej1918src         # Reject packets with an RFC 1918 source address
-#    rej1918dst         # Reject packets with an RFC 1918 original dest address
 #    Limit              # Limit the rate of connections from each individual
 #                       # IP address
 #
@@ -35,11 +27,17 @@
 #ACTION
 A_Drop 		                # Audited Default Action for DROP policy
 A_Reject	                # Audited Default action for REJECT policy
+allowInvalid inline		# Accepts packets in the INVALID conntrack state
 Broadcast    noinline           # Handles Broadcast/Multicast/Anycast
 Drop		                # Default Action for DROP policy
+dropInvalid  inline		# Drops packets in the INVALID conntrack state
 DropSmurfs   noinline           # Drop smurf packets
-Invalid    noinline             # Handles packets in the INVALID conntrack state
-NotSyn     noinline             # Handles TCP packets which do not have SYN=1 and ACK=0
+Established  inline		# Handles packets in the ESTABLISHED state
+Invalid      inline             # Handles packets in the INVALID conntrack state
+New	     inline             # Handles packets in the NEW conntrack state
+NotSyn       inline             # Handles TCP packets which do not have SYN=1 and ACK=0
 Reject                          # Default Action for REJECT policy
-RST	   noinline             # Handle packets with RST set
-TCPFlags   noinline             # Handle bad flag combinations.
+Related      inline             # Handles packets in the RELATED conntrack state
+RST	     inline             # Handle packets with RST set
+TCPFlags    			# Handle bad flag combinations.
+Untracked    inline             # Handles packets in the UNTRACKED conntrack state

Shorewall/configfiles/rules

@@ -12,4 +12,6 @@
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
+#SECTION INVALID
+#SECTION UNTRACKED
 SECTION NEW

Shorewall/configfiles/shorewall.conf

@@ -23,6 +23,8 @@ VERBOSITY=1
 
 BLACKLIST_LOGLEVEL=
 
+INVALID_LOG_LEVEL=
+
 LOG_MARTIANS=Yes
 
 LOG_VERBOSITY=2
@@ -51,6 +53,8 @@ STARTUP_LOG=/var/log/shorewall-init.log
 
 TCP_FLAGS_LOG_LEVEL=info
 
+UNTRACKED_LOG_LEVEL=
+
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
@@ -124,7 +128,7 @@ AUTOHELPERS=Yes
 
 AUTOMAKE=No
 
-BLACKLISTNEWONLY=Yes
+BLACKLIST="NEW,INVALID,UNTRACKED"
 
 CLAMPMSS=No
 
@@ -224,6 +228,8 @@ ZONE2ZONE=2
 
 BLACKLIST_DISPOSITION=DROP
 
+INVALID_DISPOSITION=CONTINUE
+
 MACLIST_DISPOSITION=REJECT
 
 RELATED_DISPOSITION=ACCEPT
@@ -236,6 +242,8 @@ SFILTER_DISPOSITION=DROP
 
 TCP_FLAGS_DISPOSITION=DROP
 
+UNTRACKED_DISPOSITION=CONTINUE
+
 ################################################################################
 #			P A C K E T  M A R K  L A Y O U T
 ################################################################################

Shorewall/configfiles/tcinterfaces

@@ -7,4 +7,4 @@
 # information.
 #
 ###############################################################################
-#INTERFACE	TYPE		IN-BANDWIDTH
+#INTERFACE	TYPE		IN-BANDWIDTH		OUT-BANDWIDTH

Shorewall/init.archlinux.sh

@@ -1,60 +0,0 @@
-#!/bin/bash
-
-OPTIONS="-f"
-
-if [ -f /etc/sysconfig/shorewall ] ; then
-	. /etc/sysconfig/shorewall
-elif [ -f /etc/default/shorewall ] ; then
-	. /etc/default/shorewall
-fi
-
-# if you want to override options, do so in /etc/sysconfig/shorewall or
-# in /etc/default/shorewall --
-# i strongly encourage you use the latter, since /etc/sysconfig/ does not exist.
-
-. /etc/rc.conf
-. /etc/rc.d/functions
-
-DAEMON_NAME="shorewall" # of course shorewall is NOT a deamon.
-
-export SHOREWALL_INIT_SCRIPT=1
-
-case "$1" in
-	start)
-		stat_busy "Starting $DAEMON_NAME"
-		/sbin/shorewall $OPTIONS start &>/dev/null
-		if [ $? -gt 0 ]; then
-			stat_fail
-		else
-			add_daemon $DAEMON_NAME
-			stat_done
-		fi
-		;;
-
-
-	stop)
-		stat_busy "Stopping $DAEMON_NAME"
-		/sbin/shorewall stop &>/dev/null
-		if [ $? -gt 0 ]; then
-			stat_fail
-		else
-			rm_daemon $DAEMON_NAME
-			stat_done
-		fi
-		;;
-
-	restart|reload)
-		stat_busy "Restarting $DAEMON_NAME"
-		/sbin/shorewall restart &>/dev/null
-		if [ $? -gt 0  ]; then
-			stat_fail
-		else
-			stat_done
-		fi
-		;;
-
-	*)
-		echo "usage: $0 {start|stop|restart}"
-esac
-exit 0
-

Shorewall/manpages/shorewall-accounting.xml

@@ -349,7 +349,9 @@
         <listitem>
           <para>The name of a <emphasis>chain</emphasis>. If specified as
           <emphasis role="bold">-</emphasis> the <emphasis
-          role="bold">accounting</emphasis> chain is assumed. This is the
+          role="bold">accounting</emphasis> chain is assumed when the file is
+          un-sectioned. When the file is sectioned, the default is one of
+          accountin, accountout, etc. depending on the section. This is the
           chain where the accounting rule is added. The
           <emphasis>chain</emphasis> will be created if it doesn't already
           exist. The <emphasis>chain</emphasis> may not exceed 29 characters
@@ -370,7 +372,8 @@
           <para>The name of an <replaceable>interface</replaceable>, an
           <replaceable>address</replaceable> (host or net) or an
           <replaceable>interface</replaceable> name followed by ":" and a host
-          or net <replaceable>address</replaceable>.</para>
+          or net <replaceable>address</replaceable>. An ipset name is also
+          accepted as an <replaceable>address</replaceable>.</para>
         </listitem>
       </varlistentry>
 

Shorewall/manpages/shorewall-actions.xml

@@ -71,11 +71,11 @@
 
                     <member>DropSmurfs</member>
 
-                    <member>Invalid</member>
+                    <member>Invalid (Prior to Shorewall 4.5.13)</member>
 
-                    <member>NotSyn</member>
+                    <member>NotSyn (Prior to Shorewall 4.5.13)</member>
 
-                    <member>RST</member>
+                    <member>RST (Prior to Shorewall 4.5.13)</member>
 
                     <member>TCPFlags</member>
                   </simplelist>

Shorewall/manpages/shorewall-rules.xml

@@ -81,8 +81,41 @@
           <para>The only ACTIONs allowed in this section are ACCEPT, DROP,
           REJECT, LOG and QUEUE</para>
 
-          <para>There is an implicit ACCEPT rule inserted at the end of this
-          section.</para>
+          <para>There is an implicit rule added at the end of this section
+          that invokes the RELATED_DISPOSITION (<ulink
+          url="shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">INVALID</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.13. Packets in the INVALID state are
+          processed by rules in this section.</para>
+
+          <para>The only Actions allowed in this section are ACCEPT, DROP,
+          REJECT, LOG and QUEUE.</para>
+
+          <para>There is an implicit rule added at the end of this section
+          that invokes the INVALID_DISPOSITION (<ulink
+          url="shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">UNTRACKED</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.13. Packets in the UNTRACKED state are
+          processed by rules in this section.</para>
+
+          <para>The only Actions allowed in this section are ACCEPT, DROP,
+          REJECT, LOG and QUEUE.</para>
+
+          <para>There is an implicit rule added at the end of this section
+          that invokes the UNTRACKED_DISPOSITION (<ulink
+          url="shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
         </listitem>
       </varlistentry>
 

Shorewall/manpages/shorewall.conf.xml

@@ -372,6 +372,28 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">BLACKLIST=</emphasis>[{<emphasis
+        role="bold">ALL</emphasis>|<emphasis
+        role="bold"><replaceable>state</replaceable>[,...]</emphasis>}]</term>
+
+        <listitem>
+          <para>where state is one of NEW, ESTABLISHED, RELATED, INVALID,or
+          UNTRACKED.</para>
+
+          <para>Added in Shorewall 4.5.13 to replace the BLACKLISTNEWONLY
+          option below. Specifies the connection tracking states that are to
+          be subject to blacklist screening. If neither BLACKLIST nor
+          BLACKLISTNEWONLY are specified then the states subject to
+          blacklisting are NEW,ESTABLISHED,INVALID,UNTRACKED.</para>
+
+          <para>ALL sends all packets through the blacklist chains.</para>
+
+          <para>Note: The ESTABLISHED state may not be specified if FASTACCEPT
+          is specified.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis
         role="bold">BLACKLIST_DISPOSITION=</emphasis>[<emphasis
@@ -422,12 +444,16 @@
         role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
 
         <listitem>
+          <para>Deprecated in Shorewall 4.5.13 in favor of BLACKLIST
+          above.</para>
+
           <para>When set to <emphasis role="bold">Yes</emphasis> or <emphasis
           role="bold">yes</emphasis>, blacklists are only consulted for new
-          connections. That includes entries in the <ulink
-          url="???">shorewall-blrules</ulink> (5) file and in the BLACKLIST
-          section of <ulink url="shorewall-rules.html">shorewall-rules</ulink>
-          (5).</para>
+          connections and for packets in the INVALID connection state (such as
+          TCP SYN,ACK when there has been no corresponding SYN). That includes
+          entries in the <ulink url="???">shorewall-blrules</ulink> (5) file
+          and in the BLACKLIST section of <ulink
+          url="shorewall-rules.html">shorewall-rules</ulink> (5).</para>
 
           <para>When set to <emphasis role="bold">No</emphasis> or <emphasis
           role="bold">no</emphasis>, blacklists are consulted for every packet
@@ -941,6 +967,34 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis
+        role="bold">INVALID_DISPOSITION=[A_DROP|A_REJECT|DROP|REJECT|CONTINUE]</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.13. Shorewall has traditionally passed
+          INVALID packets through the NEW section of <ulink
+          url="shorewall-rules.html">shorewall-rules</ulink> (5). When a
+          packet in INVALID state fails to match any rule in the INVALID
+          section, the packet is disposed of based on this setting. The
+          default value is CONTINUE for compatibility with earlier
+          versions.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis
+        role="bold">INVALID_LOG_LEVEL=</emphasis><emphasis>log-level</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.13. Packets in the INVALID state that
+          do not match any rule in the INVALID section of <ulink
+          url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5) are
+          logged at this level. The default value is empty which means no
+          logging is performed.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis
         role="bold">IP</emphasis>=[<emphasis>pathname</emphasis>]</term>
@@ -1970,18 +2024,17 @@ LOG:info:,bar                        net                    fw</programlisting>
 
       <varlistentry>
         <term><emphasis
-        role="bold">RELATED_DISPOSITION=[ACCEPT|A_ACCEPT|A_DROP|A_REJECT|DROP|REJECT]</emphasis></term>
+        role="bold">RELATED_DISPOSITION=[ACCEPT|A_ACCEPT|A_DROP|A_REJECT|DROP|REJECT|CONTINUE]</emphasis></term>
 
         <listitem>
           <para>Added in Shorewall 4.4.27. Shorewall has traditionally
           ACCEPTed RELATED packets that don't match any rule in the RELATED
-          section of <ulink
-          url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5).
-          Concern about the safety of this practice resulted in the addition
-          of this option. When a packet in RELATED state fails to match any
-          rule in the RELATED section, the packet is disposed of based on this
-          setting. The default value is ACCEPT for compatibility with earlier
-          versions.</para>
+          section of <ulink url="shorewall-rules.html">shorewall-rules</ulink>
+          (5). Concern about the safety of this practice resulted in the
+          addition of this option. When a packet in RELATED state fails to
+          match any rule in the RELATED section, the packet is disposed of
+          based on this setting. The default value is ACCEPT for compatibility
+          with earlier versions.</para>
         </listitem>
       </varlistentry>
 
@@ -1992,9 +2045,9 @@ LOG:info:,bar                        net                    fw</programlisting>
         <listitem>
           <para>Added in Shorewall 4.4.27. Packets in the related state that
           do not match any rule in the RELATED section of <ulink
-          url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5) are
-          logged at this level. The default value is empty which means no
-          logging is performed.</para>
+          url="shorewall-rules.html">shorewall-rules</ulink> (5) are logged at
+          this level. The default value is empty which means no logging is
+          performed.</para>
         </listitem>
       </varlistentry>
 
@@ -2438,6 +2491,34 @@ LOG:info:,bar                        net                    fw</programlisting>
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis
+        role="bold">UNTRACKED_DISPOSITION=[ACCEPT|A_ACCEPT|A_DROP|A_REJECT|DROP|REJECT|CONTINUE]</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.13. Shorewall has traditionally passed
+          UNTRACKED packets through the NEW section of <ulink
+          url="shorewall-rules.html">shorewall-rules</ulink> (5). When a
+          packet in UNTRACKED state fails to match any rule in the UNTRACKED
+          section, the packet is disposed of based on this setting. The
+          default value is CONTINUE for compatibility with earlier
+          versions.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis
+        role="bold">UNTRACKED_LOG_LEVEL=</emphasis><emphasis>log-level</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.13. Packets in the UNTRACKED state that
+          do not match any rule in the UNTRACKED section of <ulink
+          url="shorewall-rules.html">shorewall-rules</ulink> (5) are logged at
+          this level. The default value is empty which means no logging is
+          performed.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">USE_DEFAULT_RT=</emphasis>[<emphasis
         role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>

Shorewall/shorewall.service

@@ -13,8 +13,8 @@ Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall
 StandardOutput=syslog
-ExecStart=/usr/sbin/shorewall $OPTIONS start
-ExecStop=/usr/sbin/shorewall $OPTIONS stop
+ExecStart=/sbin/shorewall $OPTIONS start
+ExecStop=/sbin/shorewall $OPTIONS stop
 
 [Install]
 WantedBy=multi-user.target

Shorewall6-lite/init.archlinux.sh

@@ -1,58 +0,0 @@
-#!/bin/bash
-
-OPTIONS=""
-
-if [ -f /etc/sysconfig/shorewall6 ] ; then
-	. /etc/sysconfig/shorewall6
-elif [ -f /etc/default/shorewall6 ] ; then
-	. /etc/default/shorewall6
-fi
-
-# if you want to override options, do so in /etc/sysconfig/shorewall6 or
-# in /etc/default/shorewall6 --
-# i strongly encourage you use the latter, since /etc/sysconfig/ does not exist.
-
-. /etc/rc.conf
-. /etc/rc.d/functions
-
-DAEMON_NAME="shorewall6" # of course shorewall6 is NOT a deamon.
-
-case "$1" in
-	start)
-		stat_busy "Starting $DAEMON_NAME"
-		/sbin/shorewall6-lite $OPTIONS start &>/dev/null
-		if [ $? -gt 0 ]; then
-			stat_fail
-		else
-			add_daemon $DAEMON_NAME
-			stat_done
-		fi
-		;;
-
-
-	stop)
-		stat_busy "Stopping $DAEMON_NAME"
-		/sbin/shorewall6-lite stop &>/dev/null
-		if [ $? -gt 0 ]; then
-			stat_fail
-		else
-			rm_daemon $DAEMON_NAME
-			stat_done
-		fi
-		;;
-
-	restart|reload)
-		stat_busy "Restarting $DAEMON_NAME"
-		/sbin/shorewall6-lite restart &>/dev/null
-		if [ $? -gt 0  ]; then
-			stat_fail
-		else
-			stat_done
-		fi
-		;;
-
-	*)
-		echo "usage: $0 {start|stop|restart}"
-esac
-exit 0
-

Shorewall6-lite/shorewall6-lite.service

@@ -13,8 +13,8 @@ Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall6-lite
 StandardOutput=syslog
-ExecStart=/usr/sbin/shorewall6-lite $OPTIONS start
-ExecStop=/usr/sbin/shorewall6-lite $OPTIONS stop
+ExecStart=/sbin/shorewall6-lite $OPTIONS start
+ExecStop=/sbin/shorewall6-lite $OPTIONS stop
 
 [Install]
 WantedBy=multi-user.target

Shorewall6/Samples6/Universal/shorewall6.conf

@@ -24,6 +24,8 @@ VERBOSITY=1
 
 BLACKLIST_LOGLEVEL=
 
+INVALID_LOG_LEVEL=
+
 LOG_VERBOSITY=2
 
 LOGALLNEW=
@@ -50,6 +52,8 @@ STARTUP_LOG=/var/log/shorewall6-init.log
 
 TCP_FLAGS_LOG_LEVEL=info
 
+UNTRACKED_LOG_LEVEL=
+
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
@@ -117,7 +121,7 @@ AUTOHELPERS=Yes
 
 AUTOMAKE=No
 
-BLACKLISTNEWONLY=Yes
+BLACKLIST="NEW,INVALID,UNTRACKED"
 
 CLAMPMSS=No
 
@@ -197,6 +201,8 @@ ZONE2ZONE=2
 
 BLACKLIST_DISPOSITION=DROP
 
+INVALID_DISPOSITION=CONTINUE
+
 MACLIST_DISPOSITION=REJECT
 
 RELATED_DISPOSITION=ACCEPT
@@ -209,6 +215,8 @@ SMURF_DISPOSITION=DROP
 
 TCP_FLAGS_DISPOSITION=DROP
 
+UNTRACKED_DISPOSITION=CONTINUE
+
 ################################################################################
 #			P A C K E T  M A R K  L A Y O U T
 ################################################################################

Shorewall6/Samples6/one-interface/shorewall6.conf

@@ -24,6 +24,8 @@ VERBOSITY=1
 
 BLACKLIST_LOGLEVEL=
 
+INVALID_LOG_LEVEL=
+
 LOG_VERBOSITY=2
 
 LOGALLNEW=
@@ -50,6 +52,8 @@ STARTUP_LOG=/var/log/shorewall6-init.log
 
 TCP_FLAGS_LOG_LEVEL=info
 
+UNTRACKED_LOG_LEVEL=
+
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
@@ -117,7 +121,7 @@ AUTOHELPERS=Yes
 
 AUTOMAKE=No
 
-BLACKLISTNEWONLY=Yes
+BLACKLIST="NEW,INVALID,UNTRACKED"
 
 CLAMPMSS=No
 
@@ -197,6 +201,8 @@ ZONE2ZONE=2
 
 BLACKLIST_DISPOSITION=DROP
 
+INVALID_DISPOSITION=CONTINUE
+
 MACLIST_DISPOSITION=REJECT
 
 RELATED_DISPOSITION=ACCEPT
@@ -209,6 +215,8 @@ SMURF_DISPOSITION=DROP
 
 TCP_FLAGS_DISPOSITION=DROP
 
+UNTRACKED_DISPOSITION=CONTINUE
+
 ################################################################################
 #			P A C K E T  M A R K  L A Y O U T
 ################################################################################

Shorewall6/Samples6/three-interfaces/shorewall6.conf

@@ -24,6 +24,8 @@ VERBOSITY=1
 
 BLACKLIST_LOGLEVEL=
 
+INVALID_LOG_LEVEL=
+
 LOG_VERBOSITY=2
 
 LOGALLNEW=
@@ -50,6 +52,8 @@ STARTUP_LOG=/var/log/shorewall6-init.log
 
 TCP_FLAGS_LOG_LEVEL=info
 
+UNTRACKED_LOG_LEVEL=
+
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
@@ -117,7 +121,7 @@ AUTOHELPERS=Yes
 
 AUTOMAKE=No
 
-BLACKLISTNEWONLY=Yes
+BLACKLIST="NEW,INVALID,UNTRACKED"
 
 CLAMPMSS=No
 
@@ -197,6 +201,8 @@ ZONE2ZONE=2
 
 BLACKLIST_DISPOSITION=DROP
 
+INVALID_DISPOSITION=CONTINUE
+
 MACLIST_DISPOSITION=REJECT
 
 RELATED_DISPOSITION=ACCEPT
@@ -209,6 +215,8 @@ SMURF_DISPOSITION=DROP
 
 TCP_FLAGS_DISPOSITION=DROP
 
+UNTRACKED_DISPOSITION=CONTINUE
+
 ################################################################################
 #			P A C K E T  M A R K  L A Y O U T
 ################################################################################

Shorewall6/Samples6/two-interfaces/shorewall6.conf

@@ -24,6 +24,8 @@ VERBOSITY=1
 
 BLACKLIST_LOGLEVEL=
 
+INVALID_LOG_LEVEL=
+
 LOG_VERBOSITY=2
 
 LOGALLNEW=
@@ -50,6 +52,8 @@ STARTUP_LOG=/var/log/shorewall6-init.log
 
 TCP_FLAGS_LOG_LEVEL=info
 
+UNTRACKED_LOG_LEVEL=
+
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
@@ -117,7 +121,7 @@ AUTOHELPERS=Yes
 
 AUTOMAKE=No
 
-BLACKLISTNEWONLY=Yes
+BLACKLIST="NEW,INVALID,UNTRACKED"
 
 CLAMPMSS=No
 
@@ -197,6 +201,8 @@ ZONE2ZONE=2
 
 BLACKLIST_DISPOSITION=DROP
 
+INVALID_DISPOSITION=CONTINUE
+
 MACLIST_DISPOSITION=REJECT
 
 RELATED_DISPOSITION=ACCEPT
@@ -209,6 +215,8 @@ SMURF_DISPOSITION=DROP
 
 TCP_FLAGS_DISPOSITION=DROP
 
+UNTRACKED_DISPOSITION=CONTINUE
+
 ################################################################################
 #			P A C K E T  M A R K  L A Y O U T
 ################################################################################

Shorewall6/actions.std

@@ -12,10 +12,6 @@
 #    dropBcasts         # Silently Drop multicast and anycast packets
 #    dropNotSyn		# Silently Drop Non-syn TCP packets
 #    rejNotSyn		# Silently Reject Non-syn TCP packets
-#    dropInvalid	# Silently Drop packets that are in the INVALID
-#			# conntrack state.
-#    allowInvalid	# Accept packets that are in the INVALID
-#			# conntrack state.
 #
 ###############################################################################
 #ACTION
@@ -23,11 +19,17 @@ A_Drop	                        # Audited Default Action for DROP policy
 A_Reject	                # Audited Default Action for REJECT policy
 A_AllowICMPs	                # Audited Accept needed ICMP6 types
 AllowICMPs   	                # Accept needed ICMP6 types
+allowInvalid inline		# Accepts packets in the INVALID conntrack state
 Broadcast    noinline      	# Handles Broadcast/Multicast/Anycast
 Drop		        	# Default Action for DROP policy
+dropInvalid  inline		# Drops packets in the INVALID conntrack state
 DropSmurfs   noinline     	# Handles packets with a broadcast source address
-Invalid	   noinline		# Handles packets in the INVALID conntrack state
-NotSyn	   noinline 		# Handles TCP packets that do not have SYN=1 and ACK=0
+Established  inline		# Handles packets in the ESTABLISHED state
+Invalid	     inline		# Handles packets in the INVALID conntrack state
+New	     inline             # Handles packets in the NEW conntrack state
+NotSyn	     inline 		# Handles TCP packets that do not have SYN=1 and ACK=0
 Reject		        	# Default Action for REJECT policy
-TCPFlags   noinline		# Handles bad flags combinations
-
+Related      inline             # Handles packets in the RELATED conntrack state
+RST	     inline             # Handle packets with RST set
+TCPFlags    			# Handles bad flags combinations
+Untracked    inline             # Handles packets in the UNTRACKED conntrack state

Shorewall6/configfiles/rules

@@ -12,4 +12,6 @@
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
+#SECTION INVALID
+#SECTION UNTRACKED
 SECTION NEW

Shorewall6/configfiles/shorewall6.conf

@@ -24,6 +24,8 @@ VERBOSITY=1
 
 BLACKLIST_LOGLEVEL=
 
+INVALID_LOG_LEVEL=
+
 LOG_VERBOSITY=2
 
 LOGALLNEW=
@@ -50,6 +52,8 @@ STARTUP_LOG=/var/log/shorewall6-init.log
 
 TCP_FLAGS_LOG_LEVEL=info
 
+UNTRACKED_LOG_LEVEL=
+
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
@@ -117,7 +121,7 @@ AUTOHELPERS=Yes
 
 AUTOMAKE=No
 
-BLACKLISTNEWONLY=Yes
+BLACKLIST="NEW,INVALID,UNTRACKED"
 
 CLAMPMSS=No
 
@@ -197,6 +201,8 @@ ZONE2ZONE=2
 
 BLACKLIST_DISPOSITION=DROP
 
+INVALID_DISPOSITION=CONTINUE
+
 MACLIST_DISPOSITION=REJECT
 
 RELATED_DISPOSITION=ACCEPT
@@ -209,6 +215,8 @@ SMURF_DISPOSITION=DROP
 
 TCP_FLAGS_DISPOSITION=DROP
 
+UNTRACKED_DISPOSITION=CONTINUE
+
 ################################################################################
 #			P A C K E T  M A R K  L A Y O U T
 ################################################################################

Shorewall6/configfiles/tcinterfaces

@@ -7,5 +7,5 @@
 # information.
 #
 ###############################################################################
-#INTERFACE		TYPE	IN-BANDWIDTH
+#INTERFACE		TYPE	IN-BANDWIDTH		OUT-INTERFACE
 

Shorewall6/init.archlinux.sh

@@ -1,60 +0,0 @@
-#!/bin/bash
-
-OPTIONS="-f"
-
-if [ -f /etc/sysconfig/shorewall6 ] ; then
-	. /etc/sysconfig/shorewall6
-elif [ -f /etc/default/shorewall6 ] ; then
-	. /etc/default/shorewall6
-fi
-
-# if you want to override options, do so in /etc/sysconfig/shorewall6 or
-# in /etc/default/shorewall6 --
-# i strongly encourage you use the latter, since /etc/sysconfig/ does not exist.
-
-. /etc/rc.conf
-. /etc/rc.d/functions
-
-DAEMON_NAME="shorewall6" # of course shorewall6 is NOT a deamon.
-
-export SHOREWALL_INIT_SCRIPT=1
-
-case "$1" in
-	start)
-		stat_busy "Starting $DAEMON_NAME"
-		/sbin/shorewall6 $OPTIONS start &>/dev/null
-		if [ $? -gt 0 ]; then
-			stat_fail
-		else
-			add_daemon $DAEMON_NAME
-			stat_done
-		fi
-		;;
-
-
-	stop)
-		stat_busy "Stopping $DAEMON_NAME"
-		/sbin/shorewall6 stop &>/dev/null
-		if [ $? -gt 0 ]; then
-			stat_fail
-		else
-			rm_daemon $DAEMON_NAME
-			stat_done
-		fi
-		;;
-
-	restart|reload)
-		stat_busy "Restarting $DAEMON_NAME"
-		/sbin/shorewall6 restart &>/dev/null
-		if [ $? -gt 0  ]; then
-			stat_fail
-		else
-			stat_done
-		fi
-		;;
-
-	*)
-		echo "usage: $0 {start|stop|restart}"
-esac
-exit 0
-

Shorewall6/manpages/shorewall6-accounting.xml

@@ -291,7 +291,9 @@
         <listitem>
           <para>The name of a <emphasis>chain</emphasis>. If specified as
           <emphasis role="bold">-</emphasis> the <emphasis
-          role="bold">accounting</emphasis> chain is assumed. This is the
+          role="bold">accounting</emphasis> chain is assumed when the file is
+          un-sectioned. When the file is sectioned, the default is one of
+          accountin, accountout, etc. depending on the section. This is the
           chain where the accounting rule is added. The
           <emphasis>chain</emphasis> will be created if it doesn't already
           exist. The <emphasis>chain</emphasis> may not exceed 29 characters
@@ -312,7 +314,8 @@
           <para>The name of an <replaceable>interface</replaceable>, an
           <replaceable>address</replaceable> (host or net) or an
           <replaceable>interface</replaceable> name followed by ":" and a host
-          or net <replaceable>address</replaceable>.</para>
+          or net <replaceable>address</replaceable>. An ipset name is also
+          accepted as an <replaceable>address</replaceable>.</para>
         </listitem>
       </varlistentry>
 

Shorewall6/manpages/shorewall6-actions.xml

@@ -71,11 +71,11 @@
 
                     <member>DropSmurfs</member>
 
-                    <member>Invalid</member>
+                    <member>Invalid (Prior to Shorewall 4.5.13)</member>
 
-                    <member>NotSyn</member>
+                    <member>NotSyn (Prior to Shorewall 4.5.13)</member>
 
-                    <member>RST</member>
+                    <member>RST (Prior to Shorewall 4.5.13)</member>
 
                     <member>TCPFlags</member>
                   </simplelist>

Shorewall6/manpages/shorewall6-rules.xml

@@ -74,8 +74,41 @@
           <para>The only ACTIONs allowed in this section are ACCEPT, DROP,
           REJECT, LOG and QUEUE</para>
 
-          <para>There is an implicit ACCEPT rule inserted at the end of this
-          section.</para>
+          <para>There is an implicit rule added at the end of this section
+          that invokes the RELATED_DISPOSITION (<ulink
+          url="shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">INVALID</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.13. Packets in the INVALID state are
+          processed by rules in this section.</para>
+
+          <para>The only Actions allowed in this section are ACCEPT, DROP,
+          REJECT, LOG and QUEUE.</para>
+
+          <para>There is an implicit rule added at the end of this section
+          that invokes the INVALID_DISPOSITION (<ulink
+          url="shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">UNTRACKED</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.13. Packets in the UNTRACKED state are
+          processed by rules in this section.</para>
+
+          <para>The only Actions allowed in this section are ACCEPT, DROP,
+          REJECT, LOG and QUEUE.</para>
+
+          <para>There is an implicit rule added at the end of this section
+          that invokes the UNTRACKED_DISPOSITION (<ulink
+          url="shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
         </listitem>
       </varlistentry>
 

Shorewall6/manpages/shorewall6.conf.xml

@@ -309,6 +309,26 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">BLACKLIST=</emphasis>[{<emphasis
+        role="bold">ALL</emphasis>|<emphasis
+        role="bold"><replaceable>state</replaceable>[,...]</emphasis>}]</term>
+
+        <listitem>
+          <para>where state is one of NEW, ESTABLISHED, RELATED, INVALID,or
+          UNTRACKED.</para>
+
+          <para>Added in Shorewall 4.5.13 to replace the BLACKLISTNEWONLY
+          option below. Specifies the connection tracking states that are to
+          be subject to blacklist screening. If neither BLACKLIST nor
+          BLACKLISTNEWONLY are specified then the states subject to
+          blacklisting are NEW,ESTABLISHED,INVALID,UNTRACKED.</para>
+
+          <para>Note: The ESTABLISHED state may not be specified if FASTACCEPT
+          is specified.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis
         role="bold">BLACKLIST_DISPOSITION=</emphasis>[<emphasis
@@ -354,11 +374,18 @@
         role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
 
         <listitem>
+          <para>Deprecated in Shorewall 4.5.13 in favor of BLACKLIST
+          above.</para>
+
           <para>When set to <emphasis role="bold">Yes</emphasis> or <emphasis
           role="bold">yes</emphasis>, blacklists are only consulted for new
-          connections. This includes entries in the <ulink
-          url="???">shorewall-blrules</ulink> (5) file and in the BLACKLIST
-          section of <ulink
+          connections, for packets in the INVALID connection state (such as a
+          TCP SYN,ACK when there has been no corresponding SYN), and for
+          packets that are UNTRACKED due to entries in <ulink
+          url="shorewall6-conntrack.html">shorewall6-conntrack</ulink>(5).
+          This includes entries in the <ulink
+          url="shorewall6-blrules.html">shorewall6-blrules</ulink> (5) file
+          and in the BLACKLIST section of <ulink
           url="shorewall6-rules.html">shorewall6-rules</ulink> (5).</para>
 
           <para>When set to <emphasis role="bold">No</emphasis> or <emphasis
@@ -814,6 +841,34 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis
+        role="bold">INVALID_DISPOSITION=[A_DROP|A_REJECT|DROP|REJECT|CONTINUE]</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.13. Shorewall has traditionally passed
+          INVALID packets through the NEW section of <ulink
+          url="shorewall6-rules.html">shorewall-rules</ulink> (5). When a
+          packet in INVALID state fails to match any rule in the INVALID
+          section, the packet is disposed of based on this setting. The
+          default value is CONTINUE for compatibility with earlier
+          versions.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis
+        role="bold">INVALID_LOG_LEVEL=</emphasis><emphasis>log-level</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.13. Packets in the INVALID state that
+          do not match any rule in the INVALID section of <ulink
+          url="manpages/shorewall6-rules.html">shorewall-rules</ulink> (5) are
+          logged at this level. The default value is empty which means no
+          logging is performed.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis
         role="bold">IP</emphasis>=[<emphasis>pathname</emphasis>]</term>
@@ -1735,16 +1790,16 @@ LOG:info:,bar                        net                    fw</programlisting>
 
       <varlistentry>
         <term><emphasis
-        role="bold">RELATED_DISPOSITION=[ACCEPT|A_ACCEPT|A_DROP|A_REJECT|DROP|REJECT]</emphasis></term>
+        role="bold">RELATED_DISPOSITION=[ACCEPT|A_ACCEPT|A_DROP|A_REJECT|DROP|REJECT|CONTINUE]</emphasis></term>
 
         <listitem>
           <para>Added in Shorewall 4.4.27. Shorewall has traditionally
           ACCEPTed RELATED packets that don't match any rule in the RELATED
           section of <ulink
-          url="manpages6/shorewall6-rules.html">shorewall6-rules</ulink> (5).
-          Concern about the safety of this practice resulted in the addition
-          of this option. When a packet in RELATED state fails to match any
-          rule in the RELATED section, the packet is disposed of based on this
+          url="shorewall6-rules.html">shorewall6-rules</ulink> (5). Concern
+          about the safety of this practice resulted in the addition of this
+          option. When a packet in RELATED state fails to match any rule in
+          the RELATED section, the packet is disposed of based on this
           setting. The default value is ACCEPT for compatibility with earlier
           versions.</para>
         </listitem>
@@ -2109,6 +2164,34 @@ LOG:info:,bar                        net                    fw</programlisting>
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis
+        role="bold">UNTRACKED_DISPOSITION=[ACCEPT|A_ACCEPT|A_DROP|A_REJECT|DROP|REJECT|CONTINUE]</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.13. Shorewall has traditionally passed
+          UNTRACKED packets through the NEW section of <ulink
+          url="shorewall6-rules.html">shorewall6-rules</ulink> (5). When a
+          packet in UNTRACKED state fails to match any rule in the UNTRACKED
+          section, the packet is disposed of based on this setting. The
+          default value is CONTINUE for compatibility with earlier
+          versions.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis
+        role="bold">UNTRACKED_LOG_LEVEL=</emphasis><emphasis>log-level</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.13. Packets in the UNTRACKED state that
+          do not match any rule in the UNTRACKED section of <ulink
+          url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5) are
+          logged at this level. The default value is empty which means no
+          logging is performed.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">USE_DEFAULT_RT=</emphasis>[<emphasis
         role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>

Shorewall6/shorewall6.service

@@ -13,8 +13,8 @@ Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall6
 StandardOutput=syslog
-ExecStart=/usr/sbin/shorewall6 $OPTIONS start
-ExecStop=/usr/sbin/shorewall6 $OPTIONS stop
+ExecStart=/sbin/shorewall6 $OPTIONS start
+ExecStop=/sbin/shorewall6 $OPTIONS stop
 
 [Install]
 WantedBy=multi-user.target

docs/Actions.xml

@@ -30,6 +30,8 @@
 
       <year>2012</year>
 
+      <year>2013</year>
+
       <holder>Thomas M. Eastep</holder>
     </copyright>
 
@@ -392,6 +394,13 @@ REDIRECT       net     -       tcp     80      -       1.2.3.4</programlisting>
 
       <para>In the above example, $2 would expand to nothing.</para>
 
+      <para>Beginning with Shorewall 4.5.13, completely omitting a arameter is
+      equivalent to passing '-'.</para>
+
+      <para>Example: ACTION(REDIRECT,,info)</para>
+
+      <para>This example behaves the same as the one shown above.</para>
+
       <para>If you want to make '-' a parameter value, use '--' (e.g.,
       ACTION(REDIRECT,--.info)).</para>
 
@@ -405,10 +414,6 @@ REDIRECT       net     -       tcp     80      -       1.2.3.4</programlisting>
       for the second parameter and so on. You can specify an empty default
       using '-' (e.g. DEFAULTS DROP,-,audit).</para>
 
-      <para>The DEFAULTS directive also determines the maximum number of
-      parameters that an action may have. If more parameters are passed than
-      have default values, an error message is issued.</para>
-
       <para>For additional information about actions, see the <ulink
       url="configuration_file_basics.htm#ActionVariables">Action Variables
       section</ulink> of the Configuration Basics article.</para>
@@ -684,7 +689,7 @@ bar:debug</programlisting>
 
     <para>The Shorewall compiler provides a set of services that are available
     to Perl code embedded in an action file. These services are not available
-    in in-line actions.</para>
+    in in-line actions when running Shorewall 4.5.12 or earlier.</para>
 
     <variablelist>
       <varlistentry>
@@ -744,7 +749,9 @@ bar:debug</programlisting>
         [, <replaceable>$expandports</replaceable> ] )</term>
 
         <listitem>
-          <para>This function adds a rule to a chain. Arguments are:</para>
+          <para>This function adds a rule to a chain. As of Shoreall 4.5.13,
+          it is deprecated in favor of Shorewall::Rules::perl_action_helper().
+          Arguments are:</para>
 
           <variablelist>
             <varlistentry>
@@ -774,6 +781,11 @@ bar:debug</programlisting>
               </listitem>
             </varlistentry>
           </variablelist>
+
+          <warning>
+            <para>Do not call this function in a inline action. Use
+            perl_action_helper() instead (see below).</para>
+          </warning>
         </listitem>
       </varlistentry>
 
@@ -788,8 +800,9 @@ bar:debug</programlisting>
         <replaceable>$matches</replaceable> )</term>
 
         <listitem>
-          <para>This function adds a logging rule to a chain. Arguments
-          are:</para>
+          <para>This function adds a logging rule to a chain. As of Shoreall
+          4.5.13, it is deprecated in favor of
+          Shorewall::Rules::perl_action_helper(). Arguments are:</para>
 
           <variablelist>
             <varlistentry>
@@ -875,7 +888,7 @@ bar:debug</programlisting>
 
       <varlistentry>
         <term>Shorewall::Chains::allow::optimize(
-        <replaceable>chainref</replaceable> )</term>
+        <replaceable>$chainref</replaceable> )</term>
 
         <listitem>
           <para>This allows the passed action chain to be optimized away
@@ -884,6 +897,47 @@ bar:debug</programlisting>
           from get_action_chain() described above.</para>
         </listitem>
       </varlistentry>
+
+      <varlistentry>
+        <term>Shorewall::Rules::perl_action_helper( $target, $matches )</term>
+
+        <listitem>
+          <para>This function adds a rule to the current chain. For a regular
+          action, the chain will be an action chain; for an inline action, the
+          chain is determined by the invoking rule.</para>
+
+          <para>To use this function, you must include:</para>
+
+          <simplelist>
+            <member><emphasis role="bold">use
+            Shorewall::Rules;</emphasis></member>
+          </simplelist>
+
+          <para>Arguments are:</para>
+
+          <variablelist>
+            <varlistentry>
+              <term>$target</term>
+
+              <listitem>
+                <para>The target of the rule. Legal values are anything that
+                can appear in the TARGET column of in an action body and may
+                include log level, tag, and parameters.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>$matches</term>
+
+              <listitem>
+                <para>ip[6]tables matches to be included in the rule. When
+                called in an inline action, these matches are augmented by
+                matches generated by the invoking rule.</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+        </listitem>
+      </varlistentry>
     </variablelist>
 
     <para>For an example of using these services, look at the standard action

docs/Shorewall-Lite.xml

@@ -221,6 +221,13 @@
                   on the firewall system is
                   "/etc/shorewall-lite:/usr/share/shorewall-lite".</para>
                 </listitem>
+
+                <listitem>
+                  <para>The export directory should contain a
+                  <filename>params</filename> file, even if it is empty.
+                  Otherwise, <filename>/sbin/shorewall</filename> will attempt
+                  to read<filename> /etc/shorewall/params</filename>.</para>
+                </listitem>
               </itemizedlist>
             </listitem>
 

docs/configuration_file_basics.xml

@@ -1484,7 +1484,8 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting
         <listitem>
           <para>The <replaceable>variable</replaceable> can be specified
           either with or without a leading '$' to allow using both Perl and
-          Shell variable representation.</para>
+          Shell variable representation. The ${...} form (e.g. ${foo}) is not
+          allowed.</para>
 
           <para>The <replaceable>value</replaceable> is a Perl-compatible
           expression.</para>
@@ -1517,6 +1518,11 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting
     <para>Action variables are read-only and cannot be ?SET (although you can
     change their values <ulink url="Actions.html#Embedded">using embedded
     Perl</ulink>).</para>
+
+    <para>Beginning with Shorewall 4.5.13, <link
+    linkend="ShorewallVariables">Shorewall Variables</link> may be set. When
+    setting a Shorewall Variable, the <replaceable>variable</replaceable> must
+    include the leading '@' and the @{...} form is not allowed.</para>
   </section>
 
   <section id="AddressVariables">
@@ -1861,7 +1867,7 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting
     <para>Beginning with Shorewall 4.5.13, the values of @chain and
     @disposition are used to generated the --log-prefix in logging rules. When
     either is empty, the historical value is used to generate the
-    --log-prefix. </para>
+    --log-prefix.</para>
   </section>
 
   <section id="Conditional">