Merge branch 'master' of ssh://server.shorewall.net/home/teastep/shorewall/code

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/configure

@@ -1,16 +1,17 @@
 #!/bin/bash
 #
-#     Shorewall Packet Filtering Firewall RPM configuration program - V4.5
+#     Shorewall Packet Filtering Firewall RPM configuration program - V4.6
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2012 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2012,2014 - Tom Eastep (teastep@shorewall.net)
 #
 #	Shorewall documentation is available at http://www.shorewall.net
 #
+#       This program is part of Shorewall.
+#
 #	This program is free software; you can redistribute it and/or modify
-#	it under the terms of Version 2 of the GNU General Public License
-#	as published by the Free Software Foundation.
+#	it under the terms of the GNU General Public License as published by the
+#       Free Software Foundation, either version 2 of the license or, at your
+#       option, any later version.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
@@ -18,8 +19,7 @@
 #	GNU General Public License for more details.
 #
 #	You should have received a copy of the GNU General Public License
-#	along with this program; if not, write to the Free Software
-#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 #       Usage: ./configure [ <option>=<setting> ] ...
 #
@@ -93,15 +93,38 @@ done
 
 vendor=${params[HOST]}
 
+if [ -z "$vendor" ]; then
+    if [ -f /etc/os-release ]; then
+	eval $(cat /etc/os-release | grep ^ID=)
+
+	case $ID in
+	    fedora|rhel)
+		vendor=redhat
+		;;
+	    debian|ubuntu)
+		vendor=debian
+		;;
+	    opensuse)
+		vendor=suse
+		;;
+	    *)
+		vendor="$ID"
+		;;
+	esac
+
+	params[HOST]="$vendor"
+    fi
+fi
+
 if [ -z "$vendor" ]; then
     case `uname` in
 	Darwin)
-	    $params[HOST]=apple
+	    params[HOST]=apple
 	    rcfile=shorewallrc.apple
 	    ;;
 
-	cygwin*)
-	    $params[HOST]=cygwin
+	cygwin*|CYGWIN*)
+	    params[HOST]=cygwin
 	    rcfile=shorewallrc.cygwin
 	    ;;
 	*)
@@ -187,6 +210,7 @@ for on in \
     AUXINITSOURCE \
     AUXINITFILE \
     SYSTEMD \
+    SERVICEFILE \
     SYSCONFFILE \
     SYSCONFDIR \
     SPARSE \

Shorewall-core/configure.pl

@@ -2,15 +2,16 @@
 #
 #     Shorewall Packet Filtering Firewall RPM configuration program - V4.5
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2012 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2012, 2014 - Tom Eastep (teastep@shorewall.net)
 #
 #	Shorewall documentation is available at http://www.shorewall.net
 #
+#       This program is part of Shorewall.
+#
 #	This program is free software; you can redistribute it and/or modify
-#	it under the terms of Version 2 of the GNU General Public License
-#	as published by the Free Software Foundation.
+#	it under the terms of the GNU General Public License as published by the
+#       Free Software Foundation, either version 2 of the license or, at your
+#       option, any later version.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
@@ -18,8 +19,7 @@
 #	GNU General Public License for more details.
 #
 #	You should have received a copy of the GNU General Public License
-#	along with this program; if not, write to the Free Software
-#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 #       Usage: ./configure.pl <option>=<setting> ...
 #
@@ -56,6 +56,28 @@ my $vendor = $params{HOST};
 my $rcfile;
 my $rcfilename;
 
+unless ( defined $vendor ) {
+    if ( -f '/etc/os-release' ) {
+	my $id = `cat /etc/os-release | grep ^ID=`;
+
+	chomp $id;
+
+	$id =~ s/ID=//;
+	
+	if ( $id eq 'fedora' || $id eq 'rhel' ) {
+	    $vendor = 'redhat';
+	} elsif ( $id eq 'opensuse' ) {
+	    $vendor = 'suse';
+	} elsif ( $id eq 'ubuntu' ) {
+	    $vendor = 'debian';
+	} else {
+	    $vendor = $id;
+	}
+    }
+
+    $params{HOST} = $vendor;
+}
+
 if ( defined $vendor ) {
     $rcfilename = $vendor eq 'linux' ? 'shorewallrc.default' : 'shorewallrc.' . $vendor;
     die qq("ERROR: $vendor" is not a recognized host type) unless -f $rcfilename;
@@ -78,7 +100,7 @@ if ( defined $vendor ) {
     } elsif ( `uname` =~ '^Darwin' ) {
 	$vendor = 'apple';
 	$rcfilename = 'shorewallrc.apple';
-    } elsif ( `uname` =~ '^Cygwin' ) {
+    } elsif ( `uname` =~ /^Cygwin/i ) {
 	$vendor = 'cygwin';
 	$rcfilename = 'shorewallrc.cygwin';
     } else {
@@ -146,6 +168,7 @@ for ( qw/ HOST
 	  AUXINITSOURCE
 	  AUXINITFILE
 	  SYSTEMD
+          SERVICEFILE
 	  SYSCONFFILE
 	  SYSCONFDIR
 	  SPARSE

Shorewall-core/install.sh

@@ -2,24 +2,24 @@
 #
 # Script to install Shoreline Firewall Core Modules
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2000-2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2011,2014 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
+#       This program is part of Shorewall.
 #
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of the GNU General Public License as published by the
+#       Free Software Foundation, either version 2 of the license or, at your
+#       option, any later version.
 #
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 
 VERSION=xxx #The Build script inserts the actual version
@@ -187,15 +187,37 @@ INSTALLD='-D'
 
 if [ -z "$BUILD" ]; then
     case $(uname) in
-	cygwin*)
+	cygwin*|CYGWIN*)
 	    BUILD=cygwin
 	    ;;
 	Darwin)
 	    BUILD=apple
 	    ;;
 	*)
-	    if [ -f /etc/debian_version ]; then
+	    if [ -f /etc/os-release ]; then
+		eval $(cat /etc/os-release | grep ^ID)
+
+		case $ID in
+		    fedora|rhel)
+			BUILD=redhat
+			;;
+		    debian)
+			BUILD=debian
+			;;
+		    gentoo)
+			BUILD=gentoo
+			;;
+		    opensuse)
+			BUILD=suse
+			;;
+		    *)
+			BUILD="$ID"
+			;;
+		esac
+	    elif [ -f /etc/debian_version ]; then
 		BUILD=debian
+	    elif [ -f /etc/gentoo-release ]; then
+		BUILD=gentoo
 	    elif [ -f /etc/redhat-release ]; then
 		BUILD=redhat
 	    elif [ -f /etc/slackware-version ] ; then
@@ -254,7 +276,7 @@ case "$HOST" in
     apple)
 	echo "Installing Mac-specific configuration...";
 	;;
-    debian|redhat|slackware|archlinux|linux|suse)
+    debian|gentoo|redhat|slackware|archlinux|linux|suse)
 	;;
     *)
 	echo "ERROR: Unknown HOST \"$HOST\"" >&2
@@ -325,7 +347,7 @@ if [ -n "${INITFILE}" ]; then
     if [ -n "$AUXINITSOURCE" -a -f "$AUXINITSOURCE" ]; then
 	install_file $AUXINITSOURCE ${DESTDIR}${INITDIR}/$AUXINITFILE 0544
 	[ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${INITDIR}/$AUXINITFILE
-	echo  "$Product script installed in ${DESTDIR}${INITDIR}/$AUXINITFILE"
+	echo  "SysV init script $AUXINITSOURCE installed in ${DESTDIR}${INITDIR}/$AUXINITFILE"
     fi
 fi
 #
@@ -371,12 +393,13 @@ if [ -z "${DESTDIR}" ]; then
 
 	echo 'VARDIR=${VARLIB}/${PRODUCT}' >> $file
     fi
-
-    [ ! -f ~/.shorewallrc ] && cp ${SHAREDIR}/shorewall/shorewallrc ~/.shorewallrc
 fi
 
 [ $file != "${DESTDIR}${SHAREDIR}/shorewall/shorewallrc" ] && cp $file ${DESTDIR}${SHAREDIR}/shorewall/shorewallrc
 
+
+[ -z "${DESTDIR}" ] && [ ! -f ~/.shorewallrc ] && cp ${SHAREDIR}/shorewall/shorewallrc ~/.shorewallrc
+
 if [ ${SHAREDIR} != /usr/share ]; then
     for f in lib.*; do
 	if [ $BUILD != apple ]; then

Shorewall-core/lib.base

@@ -1,15 +1,16 @@
 #
 # Shorewall 4.5 -- /usr/share/shorewall/lib.base
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 1999-2012 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2014 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
+#       This program is part of Shorewall.
+#
 #	This program is free software; you can redistribute it and/or modify
-#	it under the terms of Version 2 of the GNU General Public License
-#	as published by the Free Software Foundation.
+#	it under the terms of the GNU General Public License as published by the
+#       Free Software Foundation, either version 2 of the license or, at your
+#       option, any later version.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
@@ -17,8 +18,7 @@
 #	GNU General Public License for more details.
 #
 #	You should have received a copy of the GNU General Public License
-#	along with this program; if not, write to the Free Software
-#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 # This library contains the code common to all Shorewall components except the
 # generated scripts.

Shorewall-core/lib.cli

@@ -1,15 +1,16 @@
 #
 # Shorewall 4.5 -- /usr/share/shorewall/lib.cli.
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 1999-2013 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2014 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
+#       This program is part of Shorewall.
+#
 #	This program is free software; you can redistribute it and/or modify
-#	it under the terms of Version 2 of the GNU General Public License
-#	as published by the Free Software Foundation.
+#	it under the terms of the GNU General Public License as published by the
+#       Free Software Foundation, either version 2 of the license or, at your
+#       option, any later version.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
@@ -17,15 +18,14 @@
 #	GNU General Public License for more details.
 #
 #	You should have received a copy of the GNU General Public License
-#	along with this program; if not, write to the Free Software
-#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 # This library contains the command processing code common to /sbin/shorewall[6] and
 # /sbin/shorewall[6]-lite. In Shorewall and Shorewall6, the lib.cli-std library is 
 # loaded after this one and replaces some of the functions declared here.
 #
 
-SHOREWALL_CAPVERSION=40515
+SHOREWALL_CAPVERSION=40600
 
 [ -n "${g_program:=shorewall}" ]
 
@@ -252,7 +252,15 @@ show_classifiers() {
 
 	if [ -n "$qdisc" ]; then
 	    echo Device $device:
-	    tc -s filter ls dev $device
+	    qt tc -s filter ls root dev $device && tc -s filter ls root dev $device | grep -v '^$'
+	    tc filter show dev $device
+	    tc class show dev $device | fgrep 'leaf ' | fgrep -v ' hfsc' | sed 's/^.*leaf //;s/ .*//' | while read class; do
+		if [ -n "$class" ]; then
+		    echo
+		    echo Node $class
+		    tc filter show dev $device parent $class
+		fi
+	    done
 	    echo
 	fi
     }
@@ -263,6 +271,19 @@ show_classifiers() {
 
 }
 
+#
+# Display blacklist chains
+#
+show_bl() {
+    $g_tool -L $g_ipt_options | \
+	awk 'BEGIN           {prnt=0; };
+            /^$/             {if (prnt == 1) print ""; prnt=0; };
+            /Chain .*~ /     {prnt=1; };
+            /Chain dynamic / {prnt=1; };
+            {if (prnt == 1)  print; };
+            END {if (prnt == 1 ) print "" };'
+}
+
 #
 # Watch the Firewall Log
 #
@@ -559,7 +580,7 @@ show_routing() {
 	ip -$g_family rule list | find_tables | sort -u | while read table; do
 	    heading "Table $table:"
 	    if [ $g_family -eq 6 ]; then
-		ip -$g_family -o route list table $table | fgrep -v cache | sort_routes
+		ip -$g_family -o route list table $table | grep -vF cache | sort_routes
 	    else
 		ip -4 -o route list table $table | sort_routes
 	    fi
@@ -572,7 +593,7 @@ show_routing() {
     else
 	heading "Routing Table"
 	if [ $g_family -eq 6 ]; then
-	    ip -$g_family -o route list | fgrep -v cache | sort_routes
+	    ip -$g_family -o route list | grep -vF cache | sort_routes
 	else
 	    ip -4 -o route list table $table | sort_routes
 	fi
@@ -582,7 +603,7 @@ show_routing() {
 determine_ipset_version() {
     local setname
 
-    if [ -z "$IPSET" -o $IPSET = ipset ]; then
+    if [ -z "$IPSET" -o "$IPSET" = "ipset" ]; then
 	IPSET=$(mywhich ipset)
 	[ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"
     fi
@@ -679,6 +700,11 @@ version_command() {
 		echo "$product: $(cat ${SHAREDIR}/$product/version)"
 	    fi
 	done
+
+	if [ "$(id -u)" -eq 0 -a -f $g_firewall ]; then
+	    echo $g_echo_n "$g_firewall was compiled by Shorewall version "
+	    $g_firewall version
+	fi
     else
 	echo $SHOREWALL_VERSION
     fi
@@ -728,6 +754,104 @@ show_nfacct() {
 	echo
     fi
 }
+
+show_event() {
+    local address
+    local ttl_label
+    local ttl
+    local last_seen
+    local last
+    local oldest_pkt
+    local oldest
+    local intimes
+    local outtimes1
+    local outtimes2
+    local time
+    local count
+
+    while read address ttl_label ttl last_seen last oldest_pkt oldest intimes; do
+	case $address in
+	    *.*)
+		[ $g_family -eq 4 ] || continue
+		;;
+	    *:*)
+		[ $g_family -eq 6 ] || continue
+		;;
+	    *)
+		continue
+		;;
+	esac
+
+	outtimes1=''
+	outtimes2=''
+	count=0
+	last=$((($currenttime - $last)/1000))
+	for time in $intimes; do
+	    time=${time%,}
+	    time=$(($currenttime - $time))
+	    if [ $time -lt 10 ]; then
+		time="000$time"
+	    elif [ $time -lt 100 ]; then
+		time="00$time"
+	    elif [ $time -lt 1000 ]; then
+		time="0$time"
+	    fi
+
+	    if [ $count -lt $oldest ]; then
+		outtimes2="$outtimes2 $time"
+	    else
+		outtimes1="$outtimes1 $time"
+	    fi
+
+	    count=$(($count + 1))
+	done
+
+	outtimes1="${outtimes1}${outtimes2}"
+
+	[ -n "$outtimes1" ] && outtimes1=$(echo "$outtimes1 " | sed -r 's/([[:digit:]]{3}) /\.\1, /g') && outtimes1=${outtimes1%, }
+
+	echo "   $address : ${outtimes1}"
+    done < /proc/net/xt_recent/$1
+}
+
+show_events() {
+    local file
+    local base
+    local currenttime
+
+    if [ -f /proc/net/xt_recent/%CURRENTTIME ]; then
+	echo -127.0.0.1 > /proc/net/xt_recent/%CURRENTTIME
+	echo +127.0.0.1 > /proc/net/xt_recent/%CURRENTTIME
+	currenttime=$(cat /proc/net/xt_recent/%CURRENTTIME | cut -d ' ' -f 5 -)
+	# echo Current time: $currenttime
+	# echo
+    else
+	currenttime=0
+    fi
+
+    if [ $# -gt 0 ]; then
+	for event in $@ ; do
+	    if [ -f /proc/net/xt_recent/$event ]; then
+		echo $event:
+		show_event $event
+		echo
+	    else
+		error_message "WARNING: Event $event not found"
+	    fi
+	done
+    else
+	for file in /proc/net/xt_recent/*; do
+	    base=$(basename $file)
+
+	    if [ $base != %CURRENTTIME ]; then
+		echo $base
+		show_event $base
+		echo
+	    fi
+	done
+    fi
+}
+
 #
 # Show Command Executor
 #
@@ -1066,6 +1190,25 @@ show_command() {
 		error_message "Cannot locate the arptables executable"
 	    fi
 	    ;;
+	event)
+	    [ $# -gt 1 ] || usage 1
+	    echo "$g_product $SHOREWALL_VERSION events at $g_hostname - $(date)"
+	    echo
+	    shift
+	    show_events $@
+	    ;;
+	events)
+	    [ $# -gt 1 ] && usage 1
+	    echo "$g_product $SHOREWALL_VERSION events at $g_hostname - $(date)"
+	    echo
+	    show_events
+	    ;;
+	bl|blacklists)
+	    [ $# -gt 1 ] && usage 1
+	    echo "$g_product $SHOREWALL_VERSION blacklist chains at $g_hostname - $(date)"
+	    echo
+	    show_bl;
+	    ;;
 	*)
 	    case "$g_program" in
 		*-lite)
@@ -1360,6 +1503,9 @@ do_dump_command() {
     heading "NF Accounting"
     show_nfacct
 
+    heading "Events"
+    show_events
+
     if qt mywhich setkey; then
 	heading "PFKEY SPD"
 	setkey -DP
@@ -1389,7 +1535,12 @@ do_dump_command() {
 
     if [ $g_family -eq 4 ]; then
 	heading "ARP"
-	arp -na
+	if qt mywhich arp; then
+	    arp -na
+	else
+	    ip -4 neigh ls
+	    ip -4 neigh ls proxy
+	fi
     else
 	heading "Neighbors"
 	ip -6 neigh ls
@@ -1411,11 +1562,7 @@ do_dump_command() {
 
     echo
 
-    if qt netstat -4; then
-	netstat -${g_family}tunap
-    else
-	netstat -tunap
-    fi
+    ss -${g_family}tunap
 
     if [ -n "$TC_ENABLED" ]; then
 	heading "Traffic Control"
@@ -1426,7 +1573,7 @@ do_dump_command() {
 }
 
 dump_command() {
-    do_dump_command | dump_filter
+    do_dump_command $@ | dump_filter
 }
 
 #
@@ -1776,6 +1923,8 @@ add_command() {
 		ipset=6_${zone}_${interface};
 	    fi
 
+	    ipset=$(echo $ipset | sed 's/./_/g');
+
 	    if ! qt $IPSET -L $ipset; then
 		fatal_error "Zone $zone, interface $interface does not have a dynamic host list"
 	    fi
@@ -1864,6 +2013,8 @@ delete_command() {
 		ipset=6_${zone}_${interface};
 	    fi
 
+	    ipset=$(echo $ipset | sed 's/./_/g');
+
 	    if ! qt $IPSET -L $ipset -n; then
 		fatal_error "Zone $zone, interface $interface does not have a dynamic host list"
 	    fi
@@ -2140,10 +2291,13 @@ determine_capabilities() {
     PHYSDEV_BRIDGE=
     IPRANGE_MATCH=
     RECENT_MATCH=
+    REAP_OPTION=
     OWNER_MATCH=
     OWNER_NAME_MATCH=
     IPSET_MATCH=
     OLD_IPSET_MATCH=
+    IPSET_MATCH_NOMATCH=
+    IPSET_MATCH_COUNTERS=
     IPSET_V5=
     CONNMARK=
     XCONNMARK=
@@ -2188,6 +2342,7 @@ determine_capabilities() {
     CONDITION_MATCH=
     IPTABLES_S=
     BASIC_FILTER=
+    BASIC_EMATCH=
     CT_TARGET=
     STATISTIC_MATCH=
     IMQ_TARGET=
@@ -2309,7 +2464,11 @@ determine_capabilities() {
 	fi
     fi
 
-    qt $g_tool -A $chain -m recent --update -j ACCEPT     && RECENT_MATCH=Yes
+    if qt $g_tool -A $chain -m recent --update -j ACCEPT; then
+	RECENT_MATCH=Yes
+	qt $g_tool -A $chain -m recent --rcheck --seconds 10 --reap && REAP_OPTION=Yes
+    fi
+
     qt $g_tool -A $chain -m owner --uid-owner 0 -j ACCEPT && OWNER_MATCH=Yes
 
     local name
@@ -2427,6 +2586,8 @@ determine_capabilities() {
 
 	    if [ -n "$have_ipset" ]; then
 		if qt $g_tool -A $chain -m set --match-set $chain src -j ACCEPT; then
+		    qt $g_tool -A $chain -m set --match-set $chain src --return-nomatch  -j ACCEPT && IPSET_MATCH_NOMATCH=Yes
+		    qt $g_tool -A $chain -m set --match-set $chain src --packets-lt 100  -j ACCEPT && IPSET_MATCH_COUNTERS=Yes
 		    qt $g_tool -F $chain
 		    IPSET_MATCH=Yes
 		elif qt $g_tool -A $chain -m set --set $chain src -j ACCEPT; then
@@ -2510,8 +2671,15 @@ determine_capabilities() {
     qt $g_tool -F $chain1
     qt $g_tool -X $chain1
 
-    [ -n "$TC" ] && $TC filter add flow help 2>&1 | grep -q ^Usage && FLOW_FILTER=Yes
-    [ -n "$TC" ] && $TC filter add basic help 2>&1 | grep -q ^Usage && BASIC_FILTER=Yes
+    if [ -n "$TC" ]; then
+	$TC filter add flow help 2>&1 | grep -q ^Usage && FLOW_FILTER=Yes
+
+	if $TC filter add basic help 2>&1 | grep -q ^Usage; then
+	    BASIC_FILTER=Yes
+	    $TC filter add basic help 2>&1 | egrep -q match && BASIC_EMATCH=Yes
+	fi
+    fi
+
     [ -n "$IP" ] && $IP rule add help 2>&1 | grep -q /MASK && FWMARK_RT_MASK=Yes
 
     CAPVERSION=$SHOREWALL_CAPVERSION
@@ -2556,11 +2724,14 @@ report_capabilities_unsorted() {
     report_capability "Packet length Match (LENGTH_MATCH)" $LENGTH_MATCH
     report_capability "IP range Match(IPRANGE_MATCH)" $IPRANGE_MATCH
     report_capability "Recent Match (RECENT_MATCH)" $RECENT_MATCH
+    [ -n "$RECENT_MATCH" ] && report_capability 'Recent Match "--reap" option (REAP_OPTION)' $REAP_OPTION
     report_capability "Owner Match (OWNER_MATCH)" $OWNER_MATCH
     report_capability "Owner Name Match (OWNER_NAME_MATCH)" $OWNER_NAME_MATCH
     if [ -n "$IPSET_MATCH" ]; then
 	report_capability "Ipset Match (IPSET_MATCH)" $IPSET_MATCH
-	[ -n "$OLD_IPSET_MATCH" ] && report_capability "OLD_Ipset Match (OLD_IPSET_MATCH)" $OLD_IPSET_MATCH
+	[ -n "$OLD_IPSET_MATCH" ]     && report_capability "OLD_Ipset Match (OLD_IPSET_MATCH)"           $OLD_IPSET_MATCH
+	[ -n "$IPSET_MATCH_NOMATCH" ] && report_capability "Ipset Match Nomatch (IPSET_MATCH_NOMATCH)"   $IPSET_MATCH_NOMATCH
+	[ -n "$IPSET_MATCH_NOMATCH" ] && report_capability "Ipset Match Counters (IPSET_MATCH_COUNTERS)" $IPSET_MATCH_COUNTERS
     fi
     report_capability "CONNMARK Target (CONNMARK)" $CONNMARK
     [ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target (XCONNMARK)" $XCONNMARK
@@ -2597,7 +2768,7 @@ report_capabilities_unsorted() {
     report_capability "TPROXY Target (TPROXY_TARGET)" $TPROXY_TARGET
     report_capability "FLOW Classifier (FLOW_FILTER)" $FLOW_FILTER
     report_capability "fwmark route mask (FWMARK_RT_MASK)" $FWMARK_RT_MASK
-    report_capability "Mark in any table (MARK_ANYWHERE)" $MARK_ANYWHERE
+    report_capability "Mark in the filter table (MARK_ANYWHERE)" $MARK_ANYWHERE
     report_capability "Header Match (HEADER_MATCH)" $HEADER_MATCH
     report_capability "ACCOUNT Target (ACCOUNT_TARGET)" $ACCOUNT_TARGET
     report_capability "AUDIT Target (AUDIT_TARGET)" $AUDIT_TARGET
@@ -2639,6 +2810,7 @@ report_capabilities_unsorted() {
     fi
 
     report_capability "Basic Filter (BASIC_FILTER)" $BASIC_FILTER
+    report_capability "Basic Ematch (BASIC_EMATCH)" $BASIC_EMATCH
     report_capability "CT Target (CT_TARGET)" $CT_TARGET
 
     echo "   Kernel Version (KERNELVERSION): $KERNELVERSION"
@@ -2677,10 +2849,13 @@ report_capabilities_unsorted1() {
     report_capability1 LENGTH_MATCH
     report_capability1 IPRANGE_MATCH
     report_capability1 RECENT_MATCH
+    report_capability1 REAP_OPTION
     report_capability1 OWNER_MATCH
     report_capability1 OWNER_NAME_MATCH
     report_capability1 IPSET_MATCH
     report_capability1 OLD_IPSET_MATCH
+    report_capability1 IPSET_MATCH_NOMATCH
+    report_capability1 IPSET_MATCH_COUNTERS
     report_capability1 CONNMARK
     report_capability1 XCONNMARK
     report_capability1 CONNMARK_MATCH
@@ -2724,6 +2899,7 @@ report_capabilities_unsorted1() {
     report_capability1 CONDITION_MATCH
     report_capability1 IPTABLES_S
     report_capability1 BASIC_FILTER
+    report_capability1 BASIC_EMATCH
     report_capability1 CT_TARGET
     report_capability1 STATISTIC_MATCH
     report_capability1 IMQ_TARGET
@@ -2767,10 +2943,10 @@ report_capabilities1() {
 
 show_status() {
     if product_is_started ; then
-	echo "$g_product is running"
+	[ $VERBOSITY -ge 1 ] && echo "$g_product is running"
 	status=0
     else
-	echo "$g_product is stopped"
+	[ $VERBOSITY -ge 1 ] && echo "$g_product is stopped"
 	status=4
     fi
 
@@ -2784,14 +2960,85 @@ show_status() {
     else
 	state=Unknown
     fi
-    echo "State:$state"
+
+    if [ $VERBOSITY -ge 1 ]; then 
+	if [ -f $g_firewall ]; then
+	    state="$state ($g_firewall compiled by Shorewall version $($g_firewall version))"
+	fi
+	echo "State:$state"
+	echo
+    fi
+
+}
+
+interface_status() {
+    case $(cat $1) in
+	0)
+	    echo Enabled
+	    ;;
+	1)
+	    echo Disabled
+	    ;;
+	*)
+	    echo Unknown
+	    ;;
+    esac
+}
+
+show_interfaces() {
+    local f
+    local interface
+    local printed
+
+    for f in ${VARDIR}/*.status; do
+	interface=$(basename $f)
+	echo "   Interface ${interface%.status} is $(interface_status $f)"
+	printed=Yes
+    done
+
+    [ -n "$printed" ] && echo
 }
 
 status_command() {
-    echo "${g_product}-$SHOREWALL_VERSION Status at $g_hostname - $(date)"
-    echo
+     local finished
+    finished=0
+    local option
+    local interfaces
+
+    while [ $finished -eq 0 -a $# -gt 0 ]; do
+	option=$1
+	case $option in
+	    -*)
+		option=${option#-}
+
+		while [ -n "$option" ]; do
+		    case $option in
+			-)
+			    finished=1
+			    option=
+			    ;;
+			i*)
+			    interfaces=Yes
+			    option=${option#i}
+			    ;;
+			*)
+			    usage 1
+			    ;;
+		    esac
+		done
+		shift
+		;;
+	    *)
+		finished=1
+		;;
+	esac
+    done
+
+    [ $# -eq 0 ] || usage 1
+
+    [ $VERBOSITY -ge 1 ] && echo "${g_product}-$SHOREWALL_VERSION Status at $g_hostname - $(date)" && echo
     show_status
-    echo
+    [ -n "$interfaces" ] && show_interfaces
     exit $status
 }
 
@@ -3281,7 +3528,7 @@ usage() # $1 = exit status
     echo "   delete <interface>[:<host-list>] ... <zone>"
     echo "   disable <interface>"
     echo "   drop <address> ..."
-    echo "   dump [ -x ]"
+    echo "   dump [ -x ] [ -l ] [ -m ]"
     echo "   enable <interface>"
     echo "   forget [ <file name> ]"
     echo "   help"
@@ -3300,30 +3547,33 @@ usage() # $1 = exit status
     echo "   restart [ -n ] [ -p ] [ -f ] [ <directory> ]"
     echo "   restore [ -n ] [ <file name> ]"
     echo "   save [ <file name> ]"
-    echo "   show [ -b ] [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
-    echo "   show [ -f ] capabilities"
-    echo "   show arptables"
-    echo "   show classifiers"
-    echo "   show config"
-    echo "   show connections"
-    echo "   show filters"
-    echo "   show ip"
+    echo "   [ show | list | ls ] [ -b ] [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
+    echo "   [ show | list | ls ] [ -f ] capabilities"
+    echo "   [ show | list | ls ] arptables"
+    echo "   [ show | list | ls ] [ -x ] {bl|blacklists}"
+    echo "   [ show | list | ls ] classifiers"
+    echo "   [ show | list | ls ] config"
+    echo "   [ show | list | ls ] connections"
+    echo "   [ show | list | ls ] event [ <event> ...]"
+    echo "   [ show | list | ls ] events"
+    echo "   [ show | list | ls ] filters"
+    echo "   [ show | list | ls ] ip"
 
     if [ $g_family -eq 4 ]; then
-	echo "   show ipa"
+	echo "   [ show | list | ls ] ipa"
     fi
 
-    echo "   show [ -m ] log [<regex>]"
-    echo "   show [ -x ] mangle|nat|raw|rawpost"
-    echo "   show nfacct"
-    echo "   show policies"
-    echo "   show routing"
-    echo "   show tc [ device ]"
-    echo "   show vardir"
-    echo "   show zones"
+    echo "   [ show | list | ls ] [ -m ] log [<regex>]"
+    echo "   [ show | list | ls ] [ -x ] mangle|nat|raw|rawpost"
+    echo "   [ show | list | ls ] nfacct"
+    echo "   [ show | list | ls ] policies"
+    echo "   [ show | list | ls ] routing"
+    echo "   [ show | list | ls ] tc [ device ]"
+    echo "   [ show | list | ls ] vardir"
+    echo "   [ show | list | ls ] zones"
     echo "   start [ -f ] [ -p ] [ <directory> ]"
     echo "   stop"
-    echo "   status"
+    echo "   status [ -i ]"
     echo "   version [ -a ]"
     echo
     exit $1
@@ -3367,6 +3617,12 @@ shorewall_cli() {
     g_timestamp=
     g_shorewalldir=
     g_haveconfig=
+    g_conditional=
+    g_file=
+    g_doing="Compiling"
+    g_directives=
+    g_inline=
+    g_tcrules=
 
     VERBOSE=
     VERBOSITY=1
@@ -3419,8 +3675,16 @@ shorewall_cli() {
 			    g_fast=Yes
 			    option=${option#f}
 			    ;;
-			v*)
-			    option=${option#v}
+			[vV]*)
+			    case $option in
+				v*)
+				    option=${option#v}
+				    ;;
+				*)
+				    option=${option#V}
+				    ;;
+			    esac
+
 			    case $option in
 				-1*)
 				    g_use_verbosity=-1
@@ -3554,16 +3818,16 @@ shorewall_cli() {
 		fatal_error "$g_product is not running"
 	    fi
 	    ;;
-	show|list)
+	show|list|ls)
 	    get_config Yes No Yes
     	    shift
     	    show_command $@
 	    ;;
 	status)
-	    [ $# -eq 1 ] || usage 1
 	    [ "$(id -u)" != 0 ] && fatal_error "The status command may only be run by root"
 	    get_config
-	    status_command
+	    shift
+	    status_command $@
 	    ;;
 	dump)
 	    get_config Yes No Yes

Shorewall-core/lib.common

@@ -1,15 +1,16 @@
 #
 # Shorewall 4.5 -- /usr/share/shorewall/lib.common.
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2010-2012 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2010-2014 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
+#       This program is part of Shorewall.
+#
 #	This program is free software; you can redistribute it and/or modify
-#	it under the terms of Version 2 of the GNU General Public License
-#	as published by the Free Software Foundation.
+#	it under the terms of the GNU General Public License as published by the
+#       Free Software Foundation, either version 2 of the license or, at your
+#       option, any later version.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
@@ -17,8 +18,7 @@
 #	GNU General Public License for more details.
 #
 #	You should have received a copy of the GNU General Public License
-#	along with this program; if not, write to the Free Software
-#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 # The purpose of this library is to hold those functions used by both the CLI and by the
 # generated firewall scripts. To avoid versioning issues, it is copied into generated
@@ -65,6 +65,7 @@ startup_error() # $* = Error Message
 	esac
     fi
 
+    mutex_off
     kill $$
     exit 2
 }
@@ -272,8 +273,11 @@ shorewall6_is_started() {
 # Echos the fully-qualified name of the calling shell program
 #
 my_pathname() {
+    local pwd
+    pwd=$PWD
     cd $(dirname $0)
     echo $PWD/$(basename $0)
+    cd $pwd
 }
 
 #
@@ -601,7 +605,7 @@ find_first_interface_address() # $1 = interface
 	#
 	# get the line of output containing the first IP address
 	#
-	addr=$(${IP:-ip} -f inet6 addr show dev $1 2> /dev/null | fgrep 'inet6 ' | fgrep -v 'scope link' | head -n1)
+	addr=$(${IP:-ip} -f inet6 addr show dev $1 2> /dev/null | grep -F 'inet6 ' | grep -vF 'scope link' | head -n1)
 	#
 	# If there wasn't one, bail out now
 	#
@@ -630,7 +634,7 @@ find_first_interface_address_if_any() # $1 = interface
 	#
 	# get the line of output containing the first IP address
 	#
-	addr=$(${IP:-ip} -f inet6 addr show dev $1 2> /dev/null | fgrep 'inet6 ' | fgrep -v 'scope link' | head -n1)
+	addr=$(${IP:-ip} -f inet6 addr show dev $1 2> /dev/null | grep -F 'inet6 ' | grep -vF 'scope link' | head -n1)
 	#
 	# Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
 	# along with everything else on the line

Shorewall-core/shorewallrc.apple

@@ -15,6 +15,7 @@ INITFILE=                              #Unused on OS X
 INITSOURCE=                            #Unused on OS X
 ANNOTATED=                             #Unused on OS X
 SYSTEMD=                               #Unused on OS X
+SERVICEFILE=                           #Unused on OS X
 SYSCONFDIR=                            #Unused on OS X
 SPARSE=Yes                             #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
 VARLIB=/var/lib                        #Unused on OS X

Shorewall-core/shorewallrc.archlinux

@@ -16,6 +16,7 @@ INITSOURCE=                            #Name of the distributed file to be insta
 ANNOTATED=                             #If non-zero, annotated configuration files are installed
 SYSCONFDIR=                            #Directory where SysV init parameter files are installed
 SYSTEMD=/usr/lib/systemd/system        #Directory where .service files are installed (systems running systemd only)
+SERVICEFILE=                           #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SPARSE=                                #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                        #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT              #Directory where product variable data is stored.

Shorewall-core/shorewallrc.cygwin

@@ -15,6 +15,7 @@ INITFILE=                             #Unused on Cygwin
 INITSOURCE=                           #Unused on Cygwin
 ANNOTATED=                            #Unused on Cygwin
 SYSTEMD=                              #Unused on Cygwin
+SERVICEFILE=                          #Unused on Cygwin
 SYSCONFDIR=                           #Unused on Cygwin
 SPARSE=Yes                            #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
 VARLIB=/var/lib                       #Unused on Cygwin

Shorewall-core/shorewallrc.debian

@@ -15,6 +15,7 @@ INITFILE=$PRODUCT                       #Name of the product's installed SysV in
 INITSOURCE=init.debian.sh               #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                              #If non-zero, annotated configuration files are installed
 SYSCONFFILE=default.debian              #Name of the distributed file to be installed in $SYSCONFDIR
+SERVICEFILE=                      	#Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFDIR=/etc/default                 #Directory where SysV init parameter files are installed
 SYSTEMD=                                #Directory where .service files are installed (systems running systemd only)
 SPARSE=Yes                              #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR

Shorewall-core/shorewallrc.default

@@ -15,6 +15,7 @@ INITFILE=$PRODUCT                       #Name of the product's installed SysV in
 INITSOURCE=init.sh                      #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                              #If non-zero, annotated configuration files are installed
 SYSTEMD=                                #Directory where .service files are installed (systems running systemd only)
+SERVICEFILE=                            #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFFILE=                            #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=                             #Directory where SysV init parameter files are installed
 SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR

Shorewall-core/shorewallrc.redhat

@@ -16,6 +16,7 @@ INITSOURCE=init.fedora.sh               #Name of the distributed file to be inst
 ANNOTATED=                              #If non-zero, annotated configuration files are installed
 SYSTEMD=/lib/systemd/system             #Directory where .service files are installed (systems running systemd only)
 SYSCONFFILE=sysconfig                   #Name of the distributed file to be installed as $SYSCONFDIR/$PRODUCT
+SERVICEFILE=                      	#Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFDIR=/etc/sysconfig/              #Directory where SysV init parameter files are installed
 SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                         #Directory where product variable data is stored.

Shorewall-core/shorewallrc.slackware

@@ -16,6 +16,7 @@ AUXINITFILE=rc.firewall                    #Name of the product's installed SysV
 INITSOURCE=init.slackware.$PRODUCT.sh      #Name of the distributed file to be installed as a second SysV init script
 INITFILE=rc.$PRODUCT                       #Name of the product's installed second init script
 SYSTEMD=                                   #Name of the directory where .service files are installed (systems running systemd only)
+SERVICEFILE=                               #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFFILE=                               #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=                                #Name of the directory where SysV init parameter files are installed.
 ANNOTATED=                                 #If non-empty, install annotated configuration files

Shorewall-core/shorewallrc.suse

@@ -15,7 +15,8 @@ INITFILE=$PRODUCT                                     #Name of the product's Sys
 INITSOURCE=init.suse.sh                               #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                                            #If non-zero, annotated configuration files are installed
 SYSTEMD=                                              #Directory where .service files are installed (systems running systemd only)
-SYSCONFFILE=                                          #Name of the distributed file to be installed in $SYSCONFDIR
+SERVICEFILE=                      		      #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
+SYSCONFFILE=sysconfig                                 #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=/etc/sysconfig/                            #Directory where SysV init parameter files are installed
 SPARSE=                                               #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                                       #Directory where persistent product data is stored.

Shorewall-core/uninstall.sh

@@ -2,24 +2,24 @@
 #
 # Script to back uninstall Shoreline Firewall
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2000-2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2014 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://www.shorewall.net
 #
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
+#       This program is part of Shorewall.
 #
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of the GNU General Public License as published by the
+#       Free Software Foundation, either version 2 of the license or, at your
+#       option, any later version.
 #
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 #    Usage:
 #

Shorewall-core/wait4ifup

@@ -2,17 +2,18 @@
 #
 #     Shorewall interface helper utility - V4.2
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2007 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2014 - Tom Eastep (teastep@shorewall.net)
 #
 #	This file is installed in /usr/share/shorewall/wait4ifup
 #
 #	Shorewall documentation is available at http://www.shorewall.net
 #
+#       This program is part of Shorewall.
+#
 #	This program is free software; you can redistribute it and/or modify
-#	it under the terms of Version 2 of the GNU General Public License
-#	as published by the Free Software Foundation.
+#	it under the terms of the GNU General Public License as published by the
+#       Free Software Foundation, either version 2 of the license or, at your
+#       option, any later version.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
@@ -20,8 +21,7 @@
 #	GNU General Public License for more details.
 #
 #	You should have received a copy of the GNU General Public License
-#	along with this program; if not, write to the Free Software
-#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 #	If an error occurs while starting or restarting the firewall, the
 #	firewall is automatically stopped.

Shorewall-init/ifupdown.fedora.sh

@@ -22,6 +22,9 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
+# Get startup options (override default)
+OPTIONS=
+
 setstatedir() {
     local statedir
     if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
@@ -30,9 +33,9 @@ setstatedir() {
 
     [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
 
-    if [ ! -x $STATEDIR/firewall ]; then
-	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	    ${SBINDIR}/$PRODUCT compile
+    if [ ! -x "$STATEDIR/firewall" ]; then
+	if [ $PRODUCT == shorewall -o $PRODUCT == shorewall6 ]; then
+	    ${SBINDIR}/$PRODUCT $OPTIONS compile
 	fi
     fi
 }
@@ -99,8 +102,9 @@ esac
 for PRODUCT in $PRODUCTS; do
     setstatedir
 
-    if [ -x $VARLIB/$PRODUCT/firewall ]; then
-	  ( ${VARLIB}/$PRODUCT/firewall -V0 $COMMAND $INTERFACE >> $LOGFILE 2>&1 ) || true
+    if [ -x "$STATEDIR/firewall" ]; then
+	  echo "`date --rfc-3339=seconds` $0: Executing $STATEDIR/firewall $OPTIONS $COMMAND $INTERFACE" >> $LOGFILE 2>&1
+	  ( $STATEDIR/firewall $OPTIONS $COMMAND $INTERFACE >> $LOGFILE 2>&1 ) || true
     fi
 done
 

Shorewall-init/init.debian.sh

@@ -36,6 +36,8 @@
 #                    bringing up the network
 ### END INIT INFO
 
+. /lib/lsb/init-functions
+
 export VERBOSITY=0
 
 if [ "$(id -u)" != "0" ]
@@ -50,16 +52,16 @@ echo_notdone () {
 }
 
 not_configured () {
-	echo "#### WARNING ####"
-	echo "the firewall won't be initialized unless it is configured"
-	if [ "$1" != "stop" ]
-	then
-		echo ""
-		echo "Please read about Debian specific customization in"
-		echo "/usr/share/doc/shorewall-init/README.Debian.gz."
-	fi
-	echo "#################"
-	exit 0
+    echo "#### WARNING ####"
+    echo "the firewall won't be initialized unless it is configured"
+    if [ "$1" != "stop" ]
+    then
+	echo ""
+	echo "Please read about Debian specific customization in"
+	echo "/usr/share/doc/shorewall-init/README.Debian.gz."
+    fi
+    echo "#################"
+    exit 0
 }
 
 # set the STATEDIR variable
@@ -71,10 +73,8 @@ setstatedir() {
 
     [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
 
-    if [ ! -x $STATEDIR/firewall ]; then
-	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	    ${SBINDIR}/$PRODUCT compile
-	fi
+    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c || echo_notdone
     fi
 }
 
@@ -83,18 +83,16 @@ setstatedir() {
 #
 . /usr/share/shorewall/shorewallrc
 
-vardir=$VARDIR
-
 # check if shorewall-init is configured or not
 if [ -f "$SYSCONFDIR/shorewall-init" ]
 then
-	. $SYSCONFDIR/shorewall-init
-	if [ -z "$PRODUCTS" ]
-	then
-		not_configured
-	fi
-else
+    . $SYSCONFDIR/shorewall-init
+    if [ -z "$PRODUCTS" ]
+    then
 	not_configured
+    fi
+else
+    not_configured
 fi
 
 # Initialize the firewall
@@ -103,24 +101,23 @@ shorewall_start () {
   local STATEDIR
 
   echo -n "Initializing \"Shorewall-based firewalls\": "
+
   for PRODUCT in $PRODUCTS; do
       setstatedir
 
-      if [ ! -x ${VARDIR}/$PRODUCT/firewall ]; then
-	  if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	      ${SBINDIR}/$PRODUCT compile
-	  fi
-      fi
-
-      if [ -x ${VARDIR}/$PRODUCT/firewall ]; then
-	  #
+      if [ -x ${STATEDIR}/firewall ]; then
+          #
 	  # Run in a sub-shell to avoid name collisions
 	  #
 	  ( 
-	      if ! ${VARDIR}/$PRODUCT/firewall status > /dev/null 2>&1; then
-		  ${VARDIR}/$PRODUCT/firewall stop || echo_notdone
+	      if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
+		  ${STATEDIR}/firewall ${OPTIONS} stop || echo_notdone
+	      else
+		  echo_notdone
 	      fi
 	  )
+      else
+	  echo_notdone
       fi
   done
 
@@ -132,20 +129,14 @@ shorewall_start () {
 # Clear the firewall
 shorewall_stop () {
   local PRODUCT
-  local VARDIR
+  local STATEDIR
 
   echo -n "Clearing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
       setstatedir
 
-      if [ ! -x ${VARDIR}/$PRODUCT/firewall ]; then
-	  if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	      ${SBINDIR}/$PRODUCT compile
-	  fi
-      fi
-
-      if [ -x ${VARDIR}/$PRODUCT/firewall ]; then
-	  ${VARDIR}/$PRODUCT/firewall clear || echo_notdone
+      if [ -x ${STATEDIR}/firewall ]; then
+	  ${STATEDIR}/firewall ${OPTIONS} clear || echo_notdone
       fi
   done
 
@@ -164,7 +155,7 @@ case "$1" in
   reload|force-reload)
      ;;
   *)
-     echo "Usage: /etc/init.d/shorewall-init {start|stop|reload|force-reload}"
+     echo "Usage: $0 {start|stop|reload|force-reload}"
      exit 1
 esac
 

Shorewall-init/init.fedora.sh

@@ -24,8 +24,6 @@ lockfile="/var/lock/subsys/shorewall-init"
 # Source function library.
 . /etc/rc.d/init.d/functions
 
-vardir=$VARDIR
-
 # Get startup options (override default)
 OPTIONS=
 
@@ -46,17 +44,17 @@ setstatedir() {
 
     [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
 
-    if [ ! -x $STATEDIR/firewall ]; then
-	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	    ${SBINDIR}/$PRODUCT compile
-	fi
+    if [ $PRODUCT == shorewall -o $PRODUCT == shorewall6 ]; then
+	${SBINDIR}/$PRODUCT $OPTIONS compile -c
+    else
+	return 0
     fi
 }
 
 # Initialize the firewall
 start () {
     local PRODUCT
-    local vardir
+    local STATEDIR
 
     if [ -z "$PRODUCTS" ]; then
 	echo "No firewalls configured for shorewall-init"
@@ -65,23 +63,26 @@ start () {
     fi
 
     echo -n "Initializing \"Shorewall-based firewalls\": "
+
     for PRODUCT in $PRODUCTS; do
 	setstatedir
+	retval=$?
 
-	if [ ! -x ${VARDIR}/firewall ]; then
-	    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-		${SBINDIR}/$PRODUCT compile
+	if [ $retval -eq 0 ]; then
+	    if [ -x "${STATEDIR}/firewall" ]; then
+		${STATEDIR}/firewall ${OPTIONS} stop 2>&1 | $logger
+		retval=${PIPESTATUS[0]}
+		[ $retval -ne 0 ] && break
+	    else
+		retval=6 #Product not configured
+		break
 	    fi
-	fi
-
-	if [ -x ${VARDIR}/$PRODUCT/firewall ]; then
-	    ${VARDIR}/$PRODUCT/firewall stop 2>&1 | $logger
-	    retval=${PIPESTATUS[0]}
-	    [ $retval -ne 0 ] && break
+	else
+	    break
 	fi
     done
 
-    if [ retval -eq 0 ]; then
+    if [ $retval -eq 0 ]; then
 	touch $lockfile 
 	success
     else
@@ -94,26 +95,29 @@ start () {
 # Clear the firewall
 stop () {
     local PRODUCT
-    local vardir
+    local STATEDIR
 
     echo -n "Clearing \"Shorewall-based firewalls\": "
+
     for PRODUCT in $PRODUCTS; do
 	setstatedir
+	retval=$?
 
-	if [ ! -x ${VARDIR}/firewall ]; then
-	    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-		${SBINDIR}/$PRODUCT compile
+	if [ $retval -eq 0 ]; then
+	    if [ -x "${STATEDIR}/firewall" ]; then
+		${STATEDIR}/firewall ${OPTIONS} clear 2>&1 | $logger
+		retval=${PIPESTATUS[0]}
+		[ $retval -ne 0 ] && break
+	    else
+		retval=6 #Product not configured
+		break
 	    fi
-	fi
-
-	if [ -x ${VARDIR}/$PRODUCT/firewall ]; then
-	    ${VARDIR}/$PRODUCT/firewall clear 2>&1 | $logger
-	    retval=${PIPESTATUS[0]}
-	    [ $retval -ne 0 ] && break
+	else
+	    break
 	fi
     done
 
-    if [ retval -eq 0 ]; then
+    if [ $retval -eq 0 ]; then
 	rm -f $lockfile
 	success
     else
@@ -144,7 +148,7 @@ case "$1" in
 	status $prog
 	;;
   *)
-	echo "Usage: /etc/init.d/shorewall-init {start|stop|status}"
+	echo "Usage: $0 {start|stop|status}"
 	exit 1
 esac
 

Shorewall-init/init.sh

@@ -1,22 +1,24 @@
 #! /bin/bash
 #     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2010,2012 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2010,2012-2014 - Tom Eastep (teastep@shorewall.net)
 #
 #       On most distributions, this file should be called /etc/init.d/shorewall.
 #
-#       Complete documentation is available at http://shorewall.net
+#       This program is part of Shorewall.
 #
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of the GNU General Public License as published by the
+#       Free Software Foundation, either version 2 of the license or, at your
+#       option, any later version.
 #
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 #       You should have received a copy of the GNU General Public License
 #       along with this program; if not, write to the Free Software
@@ -69,7 +71,7 @@ setstatedir() {
 
     if [ ! -x $STATEDIR/firewall ]; then
 	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	    ${SBINDIR}/$PRODUCT compile $STATEDIR/firewall
+	    ${SBINDIR}/$PRODUCT ${OPTIONS} compile $STATEDIR/firewall
 	fi
     fi
 }
@@ -85,7 +87,7 @@ shorewall_start () {
 
       if [ -x ${STATEDIR}/firewall ]; then
 	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
-	      ${STATEDIR}/firewall stop || echo_notdone
+	      ${STATEDIR}/firewall ${OPTIONS} stop || exit 1
 	  fi
       fi
   done
@@ -100,20 +102,14 @@ shorewall_start () {
 # Clear the firewall
 shorewall_stop () {
   local PRODUCT
-  local VARDIR
+  local STATEDIR
 
   echo -n "Clearing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
       setstatedir
 
-      if [ ! -x ${VARDIR}/firewall ]; then
-	  if [ $PRODUCT = shorewall -o $product = shorewall6 ]; then
-	      ${SBINDIR}/$PRODUCT compile
-	  fi
-      fi
-
-      if [ -x ${VARDIR}/firewall ]; then
-	  ${VARDIR}/firewall clear || exit 1
+      if [ -x ${STATEDIR}/firewall ]; then
+	  ${STATEDIR}/firewall ${OPTIONS} clear || exit 1
       fi
   done
 

Shorewall-init/init.suse.sh

@@ -34,22 +34,35 @@
 #                    prior to bringing up the network.  
 ### END INIT INFO
 
+#Return values acc. to LSB for all commands but status:
+# 0 - success
+# 1 - generic or unspecified error
+# 2 - invalid or excess argument(s)
+# 3 - unimplemented feature (e.g. "reload")
+# 4 - insufficient privilege
+# 5 - program is not installed
+# 6 - program is not configured
+# 7 - program is not running
+
 if [ "$(id -u)" != "0" ]
 then
   echo "You must be root to start, stop or restart \"Shorewall \"."
-  exit 1
+  exit 4
 fi
 
 # check if shorewall-init is configured or not
 if [ -f "/etc/sysconfig/shorewall-init" ]
 then
-	. /etc/sysconfig/shorewall-init
-	if [ -z "$PRODUCTS" ]
-	then
-		exit 0
-	fi
+    . /etc/sysconfig/shorewall-init
+
+    if [ -z "$PRODUCTS" ]
+    then
+	echo "No PRODUCTS configured"
+	exit 6
+    fi
 else
-	exit 0
+    echo "/etc/sysconfig/shorewall-init not found"
+    exit 6
 fi
 
 #
@@ -66,10 +79,8 @@ setstatedir() {
 
     [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
 
-    if [ ! -x $STATEDIR/firewall ]; then
-	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	    ${SBINDIR}/$PRODUCT compile
-	fi
+    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c || exit
     fi
 }
 
@@ -84,16 +95,16 @@ shorewall_start () {
 
       if [ -x $STATEDIR/firewall ]; then
 	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
-	      $STATEDIR/$PRODUCT/firewall stop || echo_notdone
+	      $STATEDIR/$PRODUCT/firewall ${OPTIONS} stop || exit
 	  fi
+      else
+	  exit 6
       fi
   done
 
   if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
       ipset -R < "$SAVE_IPSETS"
   fi
-
-  return 0
 }
 
 # Clear the firewall
@@ -106,7 +117,9 @@ shorewall_stop () {
       setstatedir
 
       if [ -x ${STATEDIR}/firewall ]; then
-	  ${STATEDIR}/firewall clear || exit 1
+	  ${STATEDIR}/firewall ${OPTIONS} clear || exit
+      else
+	  exit 6
       fi
   done
 
@@ -116,20 +129,21 @@ shorewall_stop () {
 	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
       fi
   fi
-
-  return 0
 }
 
 case "$1" in
-  start)
-     shorewall_start
-     ;;
-  stop)
-     shorewall_stop
-     ;;
-  *)
-     echo "Usage: /etc/init.d/shorewall-init {start|stop}"
-     exit 1
+    start)
+	shorewall_start
+	;;
+    stop)
+	shorewall_stop
+	;;
+    reload|forced-reload)
+	;;
+    *)
+	echo "Usage: /etc/init.d/shorewall-init {start|stop}"
+	exit 1
+	;;
 esac
 
 exit 0

Shorewall-init/install.sh

@@ -2,21 +2,25 @@
 #
 # Script to install Shoreline Firewall Init
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2000-2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-20114 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2010 - Roberto C. Sanchez (roberto@connexer.com)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
+#       This program is part of Shorewall.
 #
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of the GNU General Public License as published by the
+#       Free Software Foundation, either version 2 of the license or, at your
+#       option, any later version.
+#
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 #       You should have received a copy of the GNU General Public License
 #       along with this program; if not, write to the Free Software
@@ -59,7 +63,6 @@ mywhich() {
 
     for dir in $(split $PATH); do
 	if [ -x $dir/$1 ]; then
-	    echo $dir/$1
 	    return 0
 	fi
     done
@@ -99,6 +102,8 @@ PRODUCT=shorewall-init
 #
 # Parse the run line
 #
+T='-T'
+
 finished=0
 
 while [ $finished -eq 0 ] ; do
@@ -182,8 +187,29 @@ if [ -z "$BUILD" ]; then
 	    BUILD=apple
 	    ;;
 	*)
-	    if [ -f /etc/debian_version ]; then
+	    if [ -f /etc/os-release ]; then
+		eval $(cat /etc/os-release | grep ^ID=)
+
+		case $ID in
+		    fedora|rhel)
+			BUILD=redhat
+			;;
+		    debian|ubuntu)
+			BUILD=debian
+			;;
+		    opensuse)
+			BUILD=suse
+			;;
+		    *)
+			BUILD="$ID"
+			;;
+		esac
+	    elif [ -f /etc/debian_version ]; then
 		BUILD=debian
+	    elif [ -f /etc/ubuntu_version ]; then
+		BUILD=debian
+	    elif [ -f /etc/gentoo-release ]; then
+		BUILD=gentoo
 	    elif [ -f /etc/redhat-release ]; then
 		BUILD=redhat
 	    elif [ -f /etc/SuSE-release ]; then
@@ -206,7 +232,7 @@ case $BUILD in
     apple)
 	T=
 	;;
-    debian|redhat|suse|slackware|archlinux)
+    debian|gentoo|redhat|suse|slackware|archlinux)
 	;;
     *)
 	[ -n "$BUILD" ] && echo "ERROR: Unknown BUILD environment ($BUILD)" >&2 || echo "ERROR: Unknown BUILD environment"
@@ -222,7 +248,10 @@ case "$HOST" in
     debian)
 	echo "Installing Debian-specific configuration..."
 	;;
-    redhat|redhat)
+    gentoo)
+	echo "Installing Gentoo-specific configuration..."
+	;;
+    redhat)
 	echo "Installing Redhat/Fedora-specific configuration..."
 	;;
     slackware)
@@ -233,11 +262,12 @@ case "$HOST" in
 	echo "Shorewall-init is currently not supported on Arch Linux" >&2
 	exit 1
 	;;
-    suse|suse)
+    suse)
 	echo "Installing SuSE-specific configuration..."
 	;;
     linux)
 	echo "ERROR: Shorewall-init is not supported on this system" >&2
+	exit 1
 	;;
     *)
 	echo "ERROR: Unsupported HOST distribution: \"$HOST\"" >&2
@@ -283,7 +313,7 @@ if [ -n "$INITFILE" ]; then
 	install_file $INITSOURCE ${DESTDIR}${INITDIR}/$AUXINITFILE 0544
     fi
 
-    echo  "Shorewall-init script installed in ${DESTDIR}${INITDIR}/$INITFILE"
+    echo  "SysV init script $INITSOURCE installed in ${DESTDIR}${INITDIR}/$INITFILE"
 fi
 
 #
@@ -291,14 +321,16 @@ fi
 #
 if [ -n "$SYSTEMD" ]; then
     mkdir -p ${DESTDIR}${SYSTEMD}
-    run_install $OWNERSHIP -m 600 shorewall-init.service ${DESTDIR}${SYSTEMD}/shorewall-init.service
-    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/shorewall-init.service
-    echo "Service file installed as ${DESTDIR}${SYSTEMD}/shorewall-init.service"
+    [ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service
+    run_install $OWNERSHIP -m 644 $SERVICEFILE ${DESTDIR}${SYSTEMD}/$PRODUCT.service
+    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/$PRODUCT.service
+    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SYSTEMD}/$PRODUCT.service"
     if [ -n "$DESTDIR" ]; then
 	mkdir -p ${DESTDIR}${SBINDIR}
         chmod 755 ${DESTDIR}${SBINDIR}
     fi
     run_install $OWNERSHIP -m 700 shorewall-init ${DESTDIR}${SBINDIR}/shorewall-init
+    [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/shorewall-init
     echo "CLI installed as ${DESTDIR}${SBINDIR}/shorewall-init"
 fi
 
@@ -353,14 +385,18 @@ else
 	    if [ $HOST = suse ]; then
 		mkdir -p ${DESTDIR}/etc/sysconfig/network/if-up.d
 		mkdir -p ${DESTDIR}${SYSCONFDIR}/network/if-down.d
+	    elif [ $HOST = gentoo ]; then
+		# Gentoo does not support if-{up,down}.d
+		/bin/true
 	    else
 		mkdir -p ${DESTDIR}/etc/NetworkManager/dispatcher.d
 	    fi
 	fi
     fi
 
-    if [ -d ${DESTDIR}${SYSCONFDIR} -a ! -f ${DESTDIR}${SYSCONFDIR}/shorewall-init ]; then
-	install_file sysconfig ${DESTDIR}${SYSCONFDIR}/shorewall-init 0644
+    if [ -n "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PRODUCT} ]; then
+	run_install $OWNERSHIP -m 0644 ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/$PRODUCT
+	echo "$SYSCONFFILE installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
     fi
 
     [ $HOST = suse ] && IFUPDOWN=ifupdown.suse.sh || IFUPDOWN=ifupdown.fedora.sh
@@ -399,7 +435,7 @@ case $HOST in
 	    install_local=
 
 	    if [ -f ${SBINDIR}/ifup-local -o -f ${SBINDIR}/ifdown-local ]; then
-		if ! fgrep -q Shorewall-based ${SBINDIR}/ifup-local || ! fgrep -q Shorewall-based ${SBINDIR}/ifdown-local; then
+		if ! grep -qF Shorewall-based ${SBINDIR}/ifup-local || ! grep -qF Shorewall-based ${SBINDIR}/ifdown-local; then
 		    echo "WARNING: ${SBINDIR}/ifup-local and/or ${SBINDIR}/ifdown-local already exist; up/down events will not be handled"
 		else
 		    install_local=Yes
@@ -419,10 +455,26 @@ esac
 if [ -z "$DESTDIR" ]; then
     if [ -n "$first_install" ]; then
 	if [ $HOST = debian ]; then
-	    
-	    update-rc.d shorewall-init enable
-
-	    echo "Shorewall Init will start automatically at boot"
+	    if mywhich insserv; then
+		if insserv ${INITDIR}/shorewall-init; then
+		    echo "Shorewall Init will start automatically at boot"
+		else
+		    cant_autostart
+		fi
+	    elif mywhich update-rc.d ; then
+		if update-rc.d $PRODUCT enable; then
+		    echo "$PRODUCT will start automatically at boot"
+		    echo "Set startup=1 in ${CONFDIR}/default/$PRODUCT to enable"
+		else
+		    cant_autostart
+		fi
+	    else
+		cant_autostart
+	    fi
+	elif [ $HOST = gentoo ]; then
+	    # On Gentoo, a service must be enabled manually by the user,
+	    # not by the installer
+	    /bin/true
 	else
 	    if [ -n "$SYSTEMD" ]; then
 		if systemctl enable shorewall-init.service; then
@@ -482,7 +534,7 @@ if [ -f ${DESTDIR}/etc/ppp ]; then
 	    for file in ip-up.local ip-down.local; do
 		FILE=${DESTDIR}/etc/ppp/$file
 		if [ -f $FILE ]; then
-		    if fgrep -q Shorewall-based $FILE ; then
+		    if grep -qF Shorewall-based $FILE ; then
 			cp -fp ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown $FILE
 		    else
 			echo "$FILE already exists -- ppp devices will not be handled"

Shorewall-init/shorewall-init

@@ -1,28 +1,42 @@
 #! /bin/bash
 #     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2012 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2012-2014 - Tom Eastep (teastep@shorewall.net)
 #
 #       On most distributions, this file should be called /etc/init.d/shorewall.
 #
 #       Complete documentation is available at http://shorewall.net
 #
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
+#       This program is part of Shorewall.
 #
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of the GNU General Public License as published by the
+#       Free Software Foundation, either version 2 of the license or, at your
+#       option, any later version.
 #
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 #########################################################################################
+# set the STATEDIR variable
+setstatedir() {
+    local statedir
+    if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
+	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
+    fi
+
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+
+    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c || exit 1
+    fi
+}
+
 #
 # This is modified by the installer when ${SHAREDIR} <> /usr/share
 #
@@ -36,21 +50,32 @@ if [ -f "$SYSCONFDIR/shorewall-init" ]; then
 	exit 1
     fi
 else
-    echo "ERROR: /etc/sysconfig/shorewall-init not found" >&2
+    echo "ERROR: ${SYSCONFDIR}/shorewall-init not found" >&2
     exit 1
 fi
 
 # Initialize the firewall
 shorewall_start () {
   local PRODUCT
-  local VARDIR
+  local STATEDIR
 
   echo -n "Initializing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
-      if [ -x ${VARDIR}/firewall ]; then
-	  if ! /sbin/$PRODUCT status > /dev/null 2>&1; then
-	      ${VARDIR}/firewall stop || exit 1
-	  fi
+      setstatedir
+
+      if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then
+          #
+	  # Run in a sub-shell to avoid name collisions
+	  #
+	  (
+	      if ! ${STATEDIR}/$PRODUCT/firewall status > /dev/null 2>&1; then
+		  ${STATEDIR}/$PRODUCT/firewall ${OPTIONS} stop || exit 1
+	      else
+		  exit 1
+	      fi
+	  )
+      else
+	  exit 1
       fi
   done
 
@@ -64,14 +89,14 @@ shorewall_start () {
 # Clear the firewall
 shorewall_stop () {
   local PRODUCT
-  local VARDIR
+  local STATEDIR
 
   echo -n "Clearing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
-      VARDIR=/var/lib/$PRODUCT
-      [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir 
-      if [ -x ${VARDIR}/firewall ]; then
-	  ${VARDIR}/firewall clear || exit 1
+      setstatedir
+
+      if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then
+	  ${STATEDIR}/$PRODUCT/firewall ${OPTIONS} clear || exit 1
       fi
   done
 

Shorewall-init/shorewall-init.service

@@ -13,8 +13,8 @@ Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall-init
 StandardOutput=syslog
-ExecStart=/shorewall-init $OPTIONS start
-ExecStop=/shorewall-init $OPTIONS stop
+ExecStart=/sbin/shorewall-init $OPTIONS start
+ExecStop=/sbin/shorewall-init $OPTIONS stop
 
 [Install]
 WantedBy=multi-user.target

Shorewall-init/sysconfig

@@ -21,3 +21,6 @@ SAVE_IPSETS=""
 #
 LOGFILE=/var/log/shorewall-ifupdown.log
 
+# Startup options - set verbosity to 0 (minimal reporting)
+OPTIONS="-V0"
+

Shorewall-init/uninstall.sh

@@ -2,24 +2,24 @@
 #
 # Script to back uninstall Shoreline Firewall
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2000-2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2014 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.sourceforge.net
 #
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
+#       This program is part of Shorewall.
 #
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of the GNU General Public License as published by the
+#       Free Software Foundation, either version 2 of the license or, at your
+#       option, any later version.
 #
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 #    Usage:
 #
@@ -140,6 +140,7 @@ remove_file ${CONFDIR}/NetworkManager/dispatcher.d/01-shorewall
 
 remove_file ${CONFDIR}/network/if-up.d/shorewall
 remove_file ${CONFDIR}/network/if-down.d/shorewall
+remove_file ${CONFDIR}/network/if-post-down.d/shorewall
 
 remove_file ${CONFDIR}/sysconfig/network/if-up.d/shorewall
 remove_file ${CONFDIR}/sysconfig/network/if-down.d/shorewall
@@ -152,7 +153,7 @@ if [ -d ${CONFDIR}/ppp ]; then
     done
 
     for file in if-up.local if-down.local; do
-	if fgrep -q Shorewall-based ${CONFDIR}/ppp/$FILE; then
+	if grep -qF Shorewall-based ${CONFDIR}/ppp/$FILE; then
 	    remove_file ${CONFDIR}/ppp/$FILE
 	fi
     done

Shorewall-lite/init.debian.sh

@@ -11,7 +11,7 @@
 #                    /etc/shorewall-lite
 ### END INIT INFO
 
-
+. /lib/lsb/init-functions
 
 SRWL=/sbin/shorewall-lite
 SRWL_OPTS="-tvv"

Shorewall-lite/init.sh

@@ -3,17 +3,18 @@ RCDLINKS="2,S41 3,S41 6,K41"
 #
 #     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2012 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2012,2014 - Tom Eastep (teastep@shorewall.net)
 #
 #	On most distributions, this file should be called /etc/init.d/shorewall.
 #
 #	Complete documentation is available at http://shorewall.net
 #
+#       This program is part of Shorewall.
+#
 #	This program is free software; you can redistribute it and/or modify
-#	it under the terms of Version 2 of the GNU General Public License
-#	as published by the Free Software Foundation.
+#	it under the terms of the GNU General Public License as published by the
+#       Free Software Foundation, either version 2 of the license or, at your
+#       option, any later version.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
@@ -21,8 +22,7 @@ RCDLINKS="2,S41 3,S41 6,K41"
 #	GNU General Public License for more details.
 #
 #	You should have received a copy of the GNU General Public License
-#	along with this program; if not, write to the Free Software
-#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 #	If an error occurs while starting or restarting the firewall, the
 #	firewall is automatically stopped.

Shorewall-lite/install.sh

@@ -2,24 +2,24 @@
 #
 # Script to install Shoreline Firewall Lite
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2000-2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2011,2014 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
+#       This program is part of Shorewall.
 #
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of the GNU General Public License as published by the
+#       Free Software Foundation, either version 2 of the license or, at your
+#       option, any later version.
 #
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 
 VERSION=xxx #The Build script inserts the actual version
@@ -182,6 +182,8 @@ for var in SHAREDIR LIBEXECDIRDIRDIR CONFDIR SBINDIR VARLIB VARDIR; do
     require $var
 done
 
+[ -n "${INITFILE}" ] && require INITSOURCE && require INITDIR
+
 PATH=${SBINDIR}:/bin:/usr${SBINDIR}:/usr/bin:/usr/local/bin:/usr/local${SBINDIR}
 
 #
@@ -193,15 +195,37 @@ T='-T'
 
 if [ -z "$BUILD" ]; then
     case $(uname) in
-	cygwin*)
+	cygwin*|CYGWIN*)
 	    BUILD=cygwin
 	    ;;
 	Darwin)
 	    BUILD=apple
 	    ;;
 	*)
-	    if [ -f ${CONFDIR}/debian_version ]; then
+	    if [ -f /etc/os-release ]; then
+		eval $(cat /etc/os-release | grep ^ID)
+
+		case $ID in
+		    fedora|rhel)
+			BUILD=redhat
+			;;
+		    debian)
+			BUILD=debian
+			;;
+		    gentoo)
+			BUILD=gentoo
+			;;
+		    opensuse)
+			BUILD=suse
+			;;
+		    *)
+			BUILD="$ID"
+			;;
+		esac
+	    elif [ -f ${CONFDIR}/debian_version ]; then
 		BUILD=debian
+	    elif [ -f /etc/gentoo-release ]; then
+		BUILD=gentoo
 	    elif [ -f ${CONFDIR}/redhat-release ]; then
 		BUILD=redhat
 	    elif [ -f ${CONFDIR}/SuSE-release ]; then
@@ -218,7 +242,7 @@ if [ -z "$BUILD" ]; then
 fi
 
 case $BUILD in
-    cygwin*)
+    cygwin*|CYGWIN*)
 	OWNER=$(id -un)
 	GROUP=$(id -gn)
 	;;
@@ -250,6 +274,9 @@ case "$HOST" in
     debian)
 	echo "Installing Debian-specific configuration..."
 	;;
+    gentoo)
+	echo "Installing Gentoo-specific configuration..."
+	;;
     redhat)
 	echo "Installing Redhat/Fedora-specific configuration..."
 	;;
@@ -281,7 +308,7 @@ if [ -n "$DESTDIR" ]; then
     install -d $OWNERSHIP -m 755 ${DESTDIR}/${SBINDIR}
     install -d $OWNERSHIP -m 755 ${DESTDIR}${INITDIR}
 else
-    if [ ! -f /usr/share/shorewall/coreversion ]; then
+    if [ ! -f ${SHAREDIR}/shorewall/coreversion ]; then
 	echo "$PRODUCT $VERSION requires Shorewall Core which does not appear to be installed" >&2
 	exit 1
     fi
@@ -293,7 +320,7 @@ echo "Installing $Product Version $VERSION"
 # Check for ${CONFDIR}/$PRODUCT
 #
 if [ -z "$DESTDIR" -a -d ${CONFDIR}/$PRODUCT ]; then
-    if [ ! -f /usr/share/shorewall/coreversion ]; then
+    if [ ! -f ${SHAREDIR}/shorewall/coreversion ]; then
 	echo "$PRODUCT $VERSION requires Shorewall Core which does not appear to be installed" >&2
 	exit 1
     fi
@@ -341,24 +368,25 @@ if [ -n "$DESTDIR" ]; then
 fi
 
 if [ -n "$INITFILE" ]; then
+    if [ -f "${INITSOURCE}" ]; then
+	initfile="${DESTDIR}/${INITDIR}/${INITFILE}"
+	install_file ${INITSOURCE} "$initfile" 0544
 
-    initfile="${DESTDIR}/${INITDIR}/${INITFILE}"
-    install_file ${INITSOURCE} "$initfile" 0544
+	[ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' "$initfile"
 
-    [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' "$initfile"
-
-    echo  "$Product init script installed in $initfile"
+	echo  "SysV init script $INITSOURCE installed in $initfile"
+    fi
 fi
 #
 # Install the .service file
 #
 if [ -n "$SYSTEMD" ]; then
     mkdir -p ${DESTDIR}${SYSTEMD}
-    run_install $OWNERSHIP -m 600 $PRODUCT.service ${DESTDIR}/${SYSTEMD}/$PRODUCT.service
+    [ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service
+    run_install $OWNERSHIP -m 644 $SERVICEFILE ${DESTDIR}${SYSTEMD}/$PRODUCT.service
     [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/$PRODUCT.service
-    echo "Service file installed as ${DESTDIR}/lib/systemd/system/$PRODUCT.service"
+    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SYSTEMD}/$PRODUCT.service"
 fi
-
 #
 # Install the config file
 #
@@ -369,6 +397,9 @@ fi
 
 if [ $HOST = archlinux ] ; then
    sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf
+elif [ $HOST = gentoo ]; then
+    # Adjust SUBSYSLOCK path (see https://bugs.gentoo.org/show_bug.cgi?id=459316)
+    perl -p -w -i -e "s|^SUBSYSLOCK=.*|SUBSYSLOCK=/run/lock/$PRODUCT|;" ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf
 fi
 
 #
@@ -477,13 +508,16 @@ delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/lib.common
 delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/lib.cli
 delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/wait4ifup
 
-if [ -n "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PRODUCT} ]; then
+#
+# Note -- not all packages will have the SYSCONFFILE so we need to check for its existance here
+#
+if [ -n "$SYSCONFFILE" -a -f "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PRODUCT} ]; then
     if [ ${DESTDIR} ]; then
 	mkdir -p ${DESTDIR}${SYSCONFDIR}
 	chmod 755 ${DESTDIR}${SYSCONFDIR}
     fi
 
-    run_install $OWNERSHIP -m 0644 default.debian ${DESTDIR}${SYSCONFDIR}/${PRODUCT}
+    run_install $OWNERSHIP -m 0644 ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/${PRODUCT}
     echo "$SYSCONFFILE installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
 fi
 
@@ -493,20 +527,20 @@ if [ ${SHAREDIR} != /usr/share ]; then
 fi
 
 if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
-    if mywhich update-rc.d ; then
-	echo "$PRODUCT will start automatically at boot"
-	echo "Set startup=1 in ${SYSCONFDIR}/$PRODUCT to enable"
-	touch /var/log/$PRODUCT-init.log
-	perl -p -w -i -e 's/^STARTUP_ENABLED=No/STARTUP_ENABLED=Yes/;s/^IP_FORWARDING=On/IP_FORWARDING=Keep/;s/^SUBSYSLOCK=.*/SUBSYSLOCK=/;' ${CONFDIR}/${PRODUCT}/${PRODUCT}.conf
-	update-rc.d $PRODUCT enable defaults
-    elif [ -n "$SYSTEMD" ]; then
+    if [ -n "$SYSTEMD" ]; then
 	if systemctl enable ${PRODUCT}.service; then
 	    echo "$Product will start automatically at boot"
 	fi
     elif mywhich insserv; then
 	if insserv ${INITDIR}/${INITFILE} ; then
 	    echo "$PRODUCT will start automatically at boot"
-	    echo "Set STARTUP_ENABLED=Yes in ${CONFDIR}/$PRODUCT/${PRODUCT}.conf to enable"
+	    if [ $HOST = debian ]; then
+		echo "Set startup=1 in ${CONFDIR}/default/$PRODUCT to enable"
+		touch /var/log/$PRODUCT-init.log
+		perl -p -w -i -e 's/^STARTUP_ENABLED=No/STARTUP_ENABLED=Yes/;s/^IP_FORWARDING=On/IP_FORWARDING=Keep/;s/^SUBSYSLOCK=.*/SUBSYSLOCK=/;' ${CONFDIR}/$PRODUCT/$PRODUCT.conf
+	    else
+		echo "Set STARTUP_ENABLED=Yes in ${CONFDIR}/$PRODUCT/$PRODUCT.conf to enable"
+	    fi
 	else
 	    cant_autostart
 	fi
@@ -518,10 +552,22 @@ if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
 	else
 	    cant_autostart
 	fi
+    elif mywhich update-rc.d ; then
+	echo "$PRODUCT will start automatically at boot"
+	echo "Set startup=1 in ${CONFDIR}/default/$PRODUCT to enable"
+	touch /var/log/$PRODUCT-init.log
+	perl -p -w -i -e 's/^STARTUP_ENABLED=No/STARTUP_ENABLED=Yes/;s/^IP_FORWARDING=On/IP_FORWARDING=Keep/;s/^SUBSYSLOCK=.*/SUBSYSLOCK=/;' ${CONFDIR}/$PRODUCT/$PRODUCT.conf
+	update-rc.d $PRODUCT enable
     elif mywhich rc-update ; then
 	if rc-update add $PRODUCT default; then
 	    echo "$PRODUCT will start automatically at boot"
-	    echo "Set STARTUP_ENABLED=Yes in ${CONFDIR}/$PRODUCT/$PRODUCT.conf to enable"
+	    if [ $HOST = debian ]; then
+		echo "Set startup=1 in ${CONFDIR}/default/$PRODUCT to enable"
+		touch /var/log/$PRODUCT-init.log
+		perl -p -w -i -e 's/^STARTUP_ENABLED=No/STARTUP_ENABLED=Yes/;s/^IP_FORWARDING=On/IP_FORWARDING=Keep/;s/^SUBSYSLOCK=.*/SUBSYSLOCK=/;' ${CONFDIR}/$PRODUCT/$PRODUCT.conf
+	    else
+		echo "Set STARTUP_ENABLED=Yes in ${CONFDIR}/$PRODUCT/$PRODUCT.conf to enable"
+	    fi
 	else
 	    cant_autostart
 	fi

Shorewall-lite/lib.base

@@ -1,15 +1,16 @@
 #
 # Shorewall 4.4 -- /usr/share/shorewall-lite/lib.base
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2011,2014 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
-#	This program is free software; you can redisribute it and/or modify
-#	it under the terms of Version 2 of the GNU General Public License
-#	as published by the Free Software Foundation.
+#       This program is part of Shorewall.
+#
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of the GNU General Public License as published by the
+#       Free Software Foundation, either version 2 of the license or, at your
+#       option, any later version.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
@@ -17,8 +18,7 @@
 #	GNU General Public License for more details.
 #
 #	You should have received a copy of the GNU General Public License
-#	along with this program; if not, write to the Free Software
-#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 # This library contains the code common to all Shorewall components.
 

Shorewall-lite/manpages/shorewall-lite-vardir.xml

@@ -6,6 +6,8 @@
     <refentrytitle>shorewall-lite-vardir</refentrytitle>
 
     <manvolnum>5</manvolnum>
+
+    <refmiscinfo>Configuration Files</refmiscinfo>
   </refmeta>
 
   <refnamediv>
@@ -54,7 +56,7 @@
         /opt/var/lib/shorewall-lite/.</para>
       </blockquote>
 
-      <para> When VARDIR is set in /etc/shorewall-lite/vardir, Shorewall Lite
+      <para>When VARDIR is set in /etc/shorewall-lite/vardir, Shorewall Lite
       will save its state in the <replaceable>directory</replaceable>
       specified.</para>
     </note>

Shorewall-lite/manpages/shorewall-lite.conf.xml

@@ -6,6 +6,8 @@
     <refentrytitle>shorewall-lite.conf</refentrytitle>
 
     <manvolnum>5</manvolnum>
+
+    <refmiscinfo>Configuration Files</refmiscinfo>
   </refmeta>
 
   <refnamediv>
@@ -141,7 +143,7 @@
           stops. Creating and removing this file allows Shorewall to work with
           your distribution's initscripts. For RedHat, this should be set to
           /var/lock/subsys/shorewall. For Debian, the value is
-          /var/state/shorewall and in LEAF it is /var/run/shorwall.</para>
+          /var/state/shorewall and in LEAF it is /var/run/shorewall.</para>
         </listitem>
       </varlistentry>
 

Shorewall-lite/manpages/shorewall-lite.xml

@@ -6,6 +6,8 @@
     <refentrytitle>shorewall-lite</refentrytitle>
 
     <manvolnum>8</manvolnum>
+
+    <refmiscinfo>Administrative Commands</refmiscinfo>
   </refmeta>
 
   <refnamediv>
@@ -335,7 +337,7 @@
 
       <arg>-<replaceable>options</replaceable></arg>
 
-      <arg choice="plain"><option>show</option></arg>
+      <arg choice="opt"><option>show | list | ls </option></arg>
 
       <arg><option>-b</option></arg>
 
@@ -357,7 +359,7 @@
 
       <arg>-<replaceable>options</replaceable></arg>
 
-      <arg choice="plain"><option>show</option></arg>
+      <arg choice="opt"><option>show | list | ls </option></arg>
 
       <arg><option>-f</option></arg>
 
@@ -371,10 +373,10 @@
 
       <arg>-<replaceable>options</replaceable></arg>
 
-      <arg choice="plain"><option>show</option></arg>
+      <arg choice="opt"><option>show | list | ls </option></arg>
 
       <arg
-      choice="req"><option>classifiers|connections|config|filters|ip|ipa|zones|policies|marks</option></arg>
+      choice="req"><option>classifiers|connections|config|events|filters|ip|ipa|zones|policies|marks</option></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -384,7 +386,20 @@
 
       <arg>-<replaceable>options</replaceable></arg>
 
-      <arg choice="plain"><option>show</option></arg>
+      <arg choice="opt"><option>show | list | ls </option></arg>
+
+      <arg choice="plain"><option>event</option><arg
+      choice="plain"><replaceable>event</replaceable></arg></arg>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="opt"><option>show | list | ls </option></arg>
 
       <arg><option>-x</option></arg>
 
@@ -398,7 +413,7 @@
 
       <arg>-<replaceable>options</replaceable></arg>
 
-      <arg choice="plain"><option>show</option></arg>
+      <arg choice="opt"><option>show | list | ls </option></arg>
 
       <arg choice="plain"><option>tc</option></arg>
     </cmdsynopsis>
@@ -410,7 +425,7 @@
 
       <arg>-<replaceable>options</replaceable></arg>
 
-      <arg choice="plain"><option>show</option></arg>
+      <arg choice="opt"><option>show | list | ls </option></arg>
 
       <arg><option>-m</option></arg>
 
@@ -492,9 +507,9 @@
     url="shorewall.conf.html">shorewall.conf</ulink>(5). Each <emphasis
     role="bold">v</emphasis> adds one to the effective verbosity and each
     <emphasis role="bold">q</emphasis> subtracts one from the effective
-    VERBOSITY. Anternately, <emphasis role="bold">v</emphasis> may be followed
+    VERBOSITY. Alternately, <emphasis role="bold">v</emphasis> may be followed
     immediately with one of -1,0,1,2 to specify a specify VERBOSITY. There may
-    be no white space between <emphasis role="bold">v</emphasis> and the
+    be no white-space between <emphasis role="bold">v</emphasis> and the
     VERBOSITY.</para>
 
     <para>The <emphasis>options</emphasis> may also include the letter
@@ -632,7 +647,7 @@
         <term><emphasis role="bold">forget</emphasis></term>
 
         <listitem>
-          <para>Deletes /var/lib/shorewall-lite/<emphasis>filenam</emphasis>e
+          <para>Deletes /var/lib/shorewall-lite/<emphasis>filename</emphasis>
           and /var/lib/shorewall-lite/save. If no
           <emphasis>filename</emphasis> is given then the file specified by
           RESTOREFILE in <ulink
@@ -690,7 +705,7 @@
           and raw table PREROUTING chains.</para>
 
           <para>The trace records are written to the kernel's log buffer with
-          faciility = kernel and priority = warning, and they are routed from
+          facility = kernel and priority = warning, and they are routed from
           there by your logging daemon (syslogd, rsyslog, syslog-ng, ...) --
           Shorewall-lite has no control over where the messages go; consult
           your logging daemon's documentation.</para>
@@ -747,7 +762,7 @@
 
           <para>The <replaceable>iptables match expression</replaceable> must
           be one given in the <command>iptrace</command> command being
-          cancelled.</para>
+          canceled.</para>
         </listitem>
       </varlistentry>
 
@@ -875,7 +890,7 @@
               <term><emphasis role="bold">config</emphasis></term>
 
               <listitem>
-                <para>Dispays distribution-specific defaults.</para>
+                <para>Displays distribution-specific defaults.</para>
               </listitem>
             </varlistentry>
 
@@ -888,6 +903,24 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><emphasis role="bold">event</emphasis><replaceable>
+              event</replaceable></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.19. Displays the named
+                event.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">events</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.19. Displays all events.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis role="bold">ip</emphasis></term>
 
@@ -1055,6 +1088,23 @@
     </variablelist>
   </refsect1>
 
+  <refsect1>
+    <title>EXIT STATUS</title>
+
+    <para>In general, when a command succeeds, status 0 is returned; when the
+    command fails, a non-zero status is returned.</para>
+
+    <para>The <command>status</command> command returns exit status as
+    follows:</para>
+
+    <para>0 - Firewall is started.</para>
+
+    <para>3 - Firewall is stopped or cleared</para>
+
+    <para>4 - Unknown state; usually means that the firewall has never been
+    started.</para>
+  </refsect1>
+
   <refsect1>
     <title>FILES</title>
 

Shorewall-lite/shorecap

@@ -2,17 +2,18 @@
 #
 #     Shorewall Lite Packet Filtering Firewall Capabilities Detector
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2006,2007,2008,2009,2010,2014 - Tom Eastep (teastep@shorewall.net)
 #
 #	This file should be placed in /sbin/shorewall.
 #
 #	Shorewall documentation is available at http://shorewall.sourceforge.net
 #
+#       This program is part of Shorewall.
+#
 #	This program is free software; you can redistribute it and/or modify
-#	it under the terms of Version 2 of the GNU General Public License
-#	as published by the Free Software Foundation.
+#	it under the terms of the GNU General Public License as published by the
+#       Free Software Foundation, either version 2 of the license or, at your
+#       option, any later version.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
@@ -20,9 +21,7 @@
 #	GNU General Public License for more details.
 #
 #	You should have received a copy of the GNU General Public License
-#	along with this program; if not, write to the Free Software
-#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 #   This program may be used to create a /etc/shorewall/capabilities file for
 #   use in compiling Shorewall firewalls on another system.

Shorewall-lite/shorewall-lite

@@ -2,16 +2,17 @@
 #
 #     Shorewall Lite Packet Filtering Firewall Control Program - V4.5
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011 -
+#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2014 -
 #         Tom Eastep (teastep@shorewall.net)
 #
 #	Shorewall documentation is available at http://www.shorewall.net
 #
+#       This program is part of Shorewall.
+#
 #	This program is free software; you can redistribute it and/or modify
-#	it under the terms of Version 2 of the GNU General Public License
-#	as published by the Free Software Foundation.
+#	it under the terms of the GNU General Public License as published by the
+#       Free Software Foundation, either version 2 of the license or, at your
+#       option, any later version.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
@@ -19,8 +20,7 @@
 #	GNU General Public License for more details.
 #
 #	You should have received a copy of the GNU General Public License
-#	along with this program; if not, write to the Free Software
-#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 #       For a list of supported commands, type 'shorewall help' or 'shorewall6 help'
 #

Shorewall-lite/uninstall.sh

@@ -2,24 +2,24 @@
 #
 # Script to back uninstall Shoreline Firewall
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2000-2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2011,2014 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.sourceforge.net
 #
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
+#       This program is part of Shorewall.
 #
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of the GNU General Public License as published by the
+#       Free Software Foundation, either version 2 of the license or, at your
+#       option, any later version.
 #
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 #    Usage:
 #
@@ -118,14 +118,14 @@ fi
 
 if [ -L ${SHAREDIR}/shorewall-lite/init ]; then
     FIREWALL=$(readlink -m -q ${SHAREDIR}/shorewall-lite/init)
-elIF [ -n "$INITFILE" ]; then
+elif [ -n "$INITFILE" ]; then
     FIREWALL=${INITDIR}/${INITFILE}
 fi
 
 if [ -f "$FIREWALL" ]; then
     if mywhich updaterc.d ; then
 	updaterc.d shorewall-lite remove
-    elif if mywhich insserv ; then
+    elif mywhich insserv ; then
         insserv -r $FIREWALL
     elif [ mywhich chkconfig ; then
 	chkconfig --del $(basename $FIREWALL)

Shorewall/Macros/macro.AMQP

@@ -0,0 +1,14 @@
+#
+# Shorewall version 4 - AMQP Macro
+#
+# /usr/share/shorewall/macro.AMQP
+#
+#	This macro handles AMQP traffic.
+#
+###############################################################################
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+PARAM	-	-	tcp	5672
+PARAM	-	-	udp	5672

Shorewall/Macros/macro.A_AllowICMPs

@@ -1,13 +1,15 @@
 #
 # Shorewall version 4 - Audited AllowICMPs Macro
 #
-# /usr/share/shorewall/macro.AAllowICMPs
+# /usr/share/shorewall/macro.A_AllowICMPs
 #
 #	This macro A_ACCEPTs needed ICMP types
 #
 ###############################################################################
-#ACTION		SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#					PORT(S)	PORT(S)	LIMIT	GROUP
+?FORMAT 2
+###############################################################################
+#ACTION		SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#					PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 
 ?COMMENT Needed ICMP types
 

Shorewall/Macros/macro.A_DropDNSrep

@@ -1,13 +1,15 @@
 #
 # Shorewall version 4 - Audited DropDNSrep Macro
 #
-# /usr/share/shorewall/macro.ADropDNSrep
+# /usr/share/shorewall/macro.A_DropDNSrep
 #
 #	This macro silently audites and drops DNS UDP replies
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 
 ?COMMENT Late DNS Replies
 

Shorewall/Macros/macro.A_DropUPnP

@@ -1,13 +1,15 @@
 #
 # Shorewall version 4 - ADropUPnP Macro
 #
-# /usr/share/shorewall/macro.ADropUPnP
+# /usr/share/shorewall/macro.A_DropUPnP
 #
 #	This macro silently drops UPnP probes on UDP port 1900
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 
 ?COMMENT UPnP
 

Shorewall/Macros/macro.AllowICMPs

@@ -6,8 +6,10 @@
 #	This macro ACCEPTs needed ICMP types
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 
 ?COMMENT Needed ICMP types
 

Shorewall/Macros/macro.Amanda

@@ -9,11 +9,12 @@
 #
 ###############################################################################
 ?FORMAT 2
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __AMANDA_HELPER )
- PARAM	-	-	udp	10080 ; helper=amanda
+ PARAM	-	-	udp	10080 { helper=amanda }
 ?else
  PARAM	-	-	udp	10080
 ?endif

Shorewall/Macros/macro.Auth

@@ -6,6 +6,8 @@
 #	This macro handles Auth (identd) traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	113

Shorewall/Macros/macro.BGP

@@ -6,6 +6,8 @@
 #	This macro handles BGP4 traffic.
 #
 ###############################################################################
-#ACTION SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S) PORT(S) LIMIT	GROUP
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	179	# BGP4

Shorewall/Macros/macro.BLACKLIST

@@ -6,8 +6,10 @@
 #	This macro handles blacklisting using BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 ?if $BLACKLIST_LOGLEVEL
 blacklog
 ?else

Shorewall/Macros/macro.BitTorrent

@@ -7,9 +7,12 @@
 #
 #	If you are running BitTorrent 3.2 or later, you should use the
 #	BitTorrent32 macro.
+#
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	6881:6889
 #
 # It may also be necessary to allow UDP traffic:

Shorewall/Macros/macro.BitTorrent32

@@ -6,8 +6,10 @@
 #	This macro handles BitTorrent traffic for BitTorrent 3.2 and later.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	6881:6999
 #
 # It may also be necessary to allow UDP traffic:

Shorewall/Macros/macro.CVS

@@ -6,6 +6,8 @@
 #	This macro handles connections to the CVS pserver.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	2401

Shorewall/Macros/macro.Citrix

@@ -6,9 +6,11 @@
 #	This macro handles Citrix/ICA traffic (ICA, ICA Browser, CGP a.k.a.
 #	ICA Session Reliability)
 #
-####################################################################################
-#ACTION SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S) PORT(S) LIMIT	GROUP
+###############################################################################
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	1494	# ICA
 PARAM	-	-	udp	1604	# ICA Browser
 PARAM	-	-	tcp	2598	# CGP Session Reliabilty

Shorewall/Macros/macro.DAAP

@@ -7,7 +7,9 @@
 #	The protocol is used by iTunes, Rythmbox and other similar daemons.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	3689
 PARAM	-	-	udp	3689

Shorewall/Macros/macro.DCC

@@ -7,6 +7,8 @@
 #	DCC is a distributed spam filtering mechanism.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	udp	6277

Shorewall/Macros/macro.DHCPfwd

@@ -6,7 +6,9 @@
 #	This macro (bidirectional) handles forwarded DHCP traffic
 #
 ###############################################################################
-#ACTION SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S) PORT(S) LIMIT	GROUP
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	udp	67:68	67:68	# DHCP
 PARAM	DEST	SOURCE	udp	67:68	67:68	# DHCP

Shorewall/Macros/macro.DNS

@@ -6,7 +6,9 @@
 #	This macro handles DNS traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	udp	53
 PARAM	-	-	tcp	53

Shorewall/Macros/macro.Distcc

@@ -6,6 +6,8 @@
 #	This macro handles connections to the Distributed Compiler service.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	3632

Shorewall/Macros/macro.Drop

@@ -11,12 +11,14 @@
 #		Drop	net	all
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 #
-# Don't log 'auth' REJECT
+# Don't log 'auth' DROP
 #
-REJECT	-	-	tcp	113
+DROP	-	-	tcp	113
 #
 # Drop Broadcasts so they don't clutter up the log
 # (broadcasts must *not* be rejected).

Shorewall/Macros/macro.DropDNSrep

@@ -6,8 +6,10 @@
 #	This macro silently drops DNS UDP replies
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 
 ?COMMENT Late DNS Replies
 

Shorewall/Macros/macro.DropUPnP

@@ -6,8 +6,10 @@
 #	This macro silently drops UPnP probes on UDP port 1900
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 
 ?COMMENT UPnP
 

Shorewall/Macros/macro.Edonkey

@@ -28,7 +28,9 @@
 #	applications such as aMule WebServer or aMuleCMD.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	4662
 PARAM	-	-	udp	4665

Shorewall/Macros/macro.FTP

@@ -7,10 +7,11 @@
 #
 ###############################################################################
 ?FORMAT 2
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __FTP_HELPER  )
- PARAM	-	-	tcp	21 ; helper=ftp
+ PARAM	-	-	tcp	21 { helper=ftp }
 ?else
  PARAM	-	-	tcp	21
 ?endif

Shorewall/Macros/macro.Finger

@@ -7,6 +7,8 @@
 #	your finger information to internet.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	79

Shorewall/Macros/macro.GNUnet

@@ -6,8 +6,10 @@
 #	This macro handles GNUnet (secure peer-to-peer networking) traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	2086
 PARAM	-	-	udp	2086
 PARAM	-	-	tcp	1080

Shorewall/Macros/macro.GRE

@@ -7,7 +7,9 @@
 #	traffic (RFC 1701)
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	47	# GRE
 PARAM	DEST	SOURCE	47	# GRE

Shorewall/Macros/macro.Git

@@ -6,6 +6,8 @@
 #	This macro handles Git traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	9418

Shorewall/Macros/macro.Gnutella

@@ -6,7 +6,9 @@
 #	This macro handles Gnutella traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	6346
 PARAM	-	-	udp	6346

Shorewall/Macros/macro.HKP

@@ -6,6 +6,8 @@
 #	This macro handles OpenPGP HTTP keyserver protocol traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	11371

Shorewall/Macros/macro.HTTP

@@ -6,6 +6,8 @@
 #	This macro handles plaintext HTTP (WWW) traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	80

Shorewall/Macros/macro.HTTPS

@@ -6,6 +6,8 @@
 #	This macro handles HTTPS (WWW over SSL) traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	443

Shorewall/Macros/macro.ICPV2

@@ -6,6 +6,8 @@
 #	This macro handles Internet Cache Protocol V2 (Squid) traffic
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	udp	3130

Shorewall/Macros/macro.ICQ

@@ -6,6 +6,8 @@
 #	This macro handles ICQ, now called AOL Instant Messenger (or AIM).
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	5190

Shorewall/Macros/macro.ILO

@@ -0,0 +1,23 @@
+#
+# Shorewall version 4 - ILO Macro
+#
+# /usr/share/shorewall/macro.ILO
+#
+#	This macro handles console redirection with HP ILO 2+,
+#	Use this macro to open access to your ILO interface from management
+#	workstations.
+#
+###############################################################################
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+PARAM	-	-	tcp	3002		# Raw serial data
+PARAM	-	-	tcp	9300		# Shared Remote Console
+PARAM	-	-	tcp	17988		# Virtual Media
+PARAM	-	-	tcp	17990		# Console Replay
+HTTP
+HTTPS
+RDP
+SSH
+Telnet						# Remote Console/Telnet

Shorewall/Macros/macro.IMAP

@@ -7,6 +7,8 @@
 #	see macro.IMAPS.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	143

Shorewall/Macros/macro.IMAPS

@@ -7,6 +7,8 @@
 #	(not recommended), see macro.IMAP.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	993

Shorewall/Macros/macro.IPIP

@@ -6,7 +6,9 @@
 #	This macro (bidirectional) handles IPIP capsulation traffic
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	94	# IPIP
 PARAM	DEST	SOURCE	94	# IPIP

Shorewall/Macros/macro.IPMI

@@ -0,0 +1,26 @@
+#
+# Shorewall version 4 - IPMI Macro
+#
+# /usr/share/shorewall/macro.IPMI
+#
+#	This macro handles IPMI console redirection with Asus (AMI),
+#	Dell DRAC5+ (Avocent), and Supermicro (Aten or AMI).
+#	Use this macro to open access to your IPMI interface from management
+#	workstations.
+#
+###############################################################################
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+PARAM	-	-	tcp	623		# RMCP
+PARAM	-	-	tcp	3668,3669	# Virtual Media, Secure (Dell)
+PARAM	-	-	tcp	5120,5123	# CD, floppy (Asus, Aten)
+PARAM	-	-	tcp	5900,5901	# Remote Console (Aten, Dell)
+PARAM	-	-	tcp	7578		# Remote Console (AMI)
+PARAM	-	-	udp	623		# RMCP
+HTTP
+HTTPS
+SNMP
+SSH						# Serial over Lan
+Telnet

Shorewall/Macros/macro.IPP

@@ -6,6 +6,8 @@
 #	This macro handles Internet Printing Protocol (IPP).
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	631

Shorewall/Macros/macro.IPPbrd

@@ -6,7 +6,10 @@
 #	This macro handles Internet Printing Protocol (IPP) broadcasts.
 #       If you also need to handle TCP 631 connections in the opposite
 #       direction, use the IPPserver Macro
+#
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	udp	631

Shorewall/Macros/macro.IPPserver

@@ -23,7 +23,9 @@
 #		IPPserver/ACCEPT $FW loc
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	SOURCE	DEST	tcp	631
 PARAM	DEST	SOURCE	udp	631

Shorewall/Macros/macro.IPsec

@@ -6,8 +6,10 @@
 #	This macro (bidirectional) handles IPsec traffic
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	udp	500	500	# IKE
 PARAM	-	-	50			# ESP
 PARAM	DEST	SOURCE	udp	500	500	# IKE

Shorewall/Macros/macro.IPsecah

@@ -7,8 +7,10 @@
 #       This is insecure. You should use ESP with encryption for security.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	udp	500	500	# IKE
 PARAM	-	-	51			# AH
 PARAM	DEST	SOURCE	udp	500	500	# IKE

Shorewall/Macros/macro.IPsecnat

@@ -6,8 +6,10 @@
 #	This macro (bidirectional) handles IPsec traffic and Nat-Traversal
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	udp	500	# IKE
 PARAM	-	-	udp	4500	# NAT-T
 PARAM	-	-	50		# ESP

Shorewall/Macros/macro.IRC

@@ -7,11 +7,12 @@
 #
 ###############################################################################
 ?FORMAT 2
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __IRC_HELPER  )
- PARAM	-	-	tcp	6667 ; helper=irc
+ PARAM	-	-	tcp	6667 { helper=irc }
 ?else
  PARAM	-	-	tcp	6667
 ?endif

Shorewall/Macros/macro.JAP

@@ -8,8 +8,10 @@
 #	to browse anonymously!
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	8080 # HTTP port
 PARAM	-	-	tcp	6544 # HTTP port
 PARAM	-	-	tcp	6543 # InfoService port

Shorewall/Macros/macro.JabberPlain

@@ -6,6 +6,8 @@
 #	This macro accepts Jabber traffic (plaintext).
 #
 ###############################################################################
-#TARGET	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	5222

Shorewall/Macros/macro.JabberSecure

@@ -6,6 +6,8 @@
 #	This macro accepts Jabber traffic (ssl).
 #
 ###############################################################################
-#TARGET	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	5223

Shorewall/Macros/macro.Jabberd

@@ -6,6 +6,8 @@
 #	This macro accepts Jabberd intercommunication traffic
 #
 ###############################################################################
-#TARGET	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	5269

Shorewall/Macros/macro.Jetdirect

@@ -6,6 +6,8 @@
 #	This macro handles HP Jetdirect printing.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	9100

Shorewall/Macros/macro.Kerberos

@@ -0,0 +1,14 @@
+#
+# Shorewall version 4 - Kerberos Macro
+#
+# /usr/share/shorewall/macro.Kerberos
+#
+#	This macro handles Kerberos traffic.
+#
+###############################################################################
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+PARAM	-	-	tcp	88
+PARAM	-	-	udp	88

Shorewall/Macros/macro.L2TP

@@ -7,7 +7,9 @@
 #	(RFC 2661)
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	udp	1701	# L2TP
 PARAM	DEST	SOURCE	udp	1701	# L2TP

Shorewall/Macros/macro.LDAP

@@ -11,6 +11,8 @@
 #	Consult your LDAP server documentation for details.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	389

Shorewall/Macros/macro.LDAPS

@@ -11,6 +11,8 @@
 #	Consult your LDAP server documentation for details.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	636

Shorewall/Macros/macro.MSNP

@@ -6,6 +6,8 @@
 #	This macro handles MSNP (MicroSoft Notification Protocol)
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	1863

Shorewall/Macros/macro.MSSQL

@@ -6,6 +6,8 @@
 #	This macro handles MSSQL (Microsoft SQL Server)
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	1433

Shorewall/Macros/macro.Mail

@@ -12,8 +12,10 @@
 #	the POP3 or IMAP macros.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	25
 PARAM	-	-	tcp	465
 PARAM	-	-	tcp	587

Shorewall/Macros/macro.MongoDB

@@ -0,0 +1,13 @@
+#
+# Shorewall version 4 - MongoDB Macro
+#
+# /usr/share/shorewall/macro.MongoDB
+#
+#	This macro handles MongoDB Daemon/Router traffic.
+#
+###############################################################################
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+PARAM	-	-	tcp	27017

Shorewall/Macros/macro.Munin

@@ -6,6 +6,8 @@
 #	This macro handles Munin networked resource monitoring traffic
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	4949

Shorewall/Macros/macro.MySQL

@@ -6,6 +6,8 @@
 #	This macro handles connections to the MySQL server.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	3306

Shorewall/Macros/macro.NNTP

@@ -7,6 +7,8 @@
 #	encrypted NNTP, see macro.NNTPS.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	119

Shorewall/Macros/macro.NNTPS

@@ -7,6 +7,8 @@
 #	plaintext NNTP, see macro.NNTP.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	563

Shorewall/Macros/macro.NTP

@@ -7,6 +7,8 @@
 #	For broadcast NTP traffic, use NTPbrd Macro.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	udp	123

Shorewall/Macros/macro.NTPbi

@@ -6,7 +6,9 @@
 #        This macro handles  bi-directional NTP (for NTP peers)
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	udp	123
 PARAM	DEST	SOURCE	udp	123