Replace spaces with tabs in rules files.

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/configure

@@ -56,7 +56,7 @@ getfileparams() {
 	esac
 
     done
-    
+
     return 0
 }
 
@@ -70,22 +70,19 @@ for p in $@; do
 	pv=${p#*=}
 
 	if [ -n "${pn}" ]; then
-	    
+
 	    case ${pn} in
 		VENDOR)
 		    pn=HOST
 		    ;;
 		SHAREDSTATEDIR)
-		    pn=VARDIR
+		    pn=VARLIB
 		    ;;
 		DATADIR)
 		    pn=SHAREDIR
 		    ;;
-		SYSCONFDIR)
-		    pn=CONFDIR
-		    ;;
 	    esac
-    
+
 	    params[${pn}]="${pv}"
 	else
 	    echo "ERROR: Invalid option ($p)" >&2
@@ -102,7 +99,7 @@ if [ -z "$vendor" ]; then
 	    $params[HOST]=apple
 	    rcfile=shorewallrc.apple
 	    ;;
-	
+
 	cygwin*)
 	    $params[HOST]=cygwin
 	    rcfile=shorewallrc.cygwin
@@ -132,7 +129,7 @@ if [ -z "$vendor" ]; then
 
     vendor=${params[HOST]}
 elif [ $vendor = linux ]; then
-    rcfile=$shorewallrc.default;
+    rcfile=shorewallrc.default;
 else
     rcfile=shorewallrc.$vendor
     if [ ! -f $rcfile ]; then
@@ -164,6 +161,17 @@ if [ $# -gt 0 ]; then
     echo '#'           >> shorewallrc
 fi
 
+if [ -n "${options[VARLIB]}" ]; then
+    if [ -z "${options[VARDIR]}" ]; then
+	options[VARDIR]='${VARLIB}/${PRODUCT}'
+    fi
+elif [ -n "${options[VARDIR]}" ]; then
+    if [ -z "{$options[VARLIB]}" ]; then
+	options[VARLIB]=${options[VARDIR]}
+	options[VARDIR]='${VARLIB}/${PRODUCT}'
+    fi
+fi
+
 for on in \
     HOST \
     PREFIX \
@@ -181,7 +189,9 @@ for on in \
     SYSTEMD \
     SYSCONFFILE \
     SYSCONFDIR \
+    SPARSE \
     ANNOTATED \
+    VARLIB \
     VARDIR
 do
     echo "$on=${options[${on}]}"

Shorewall-core/configure.pl

@@ -30,7 +30,7 @@ use strict;
 #
 # Build updates this
 #
-use constant { 
+use constant {
     VERSION => '4.5.2.1'
 };
 
@@ -38,9 +38,8 @@ my %params;
 my %options;
 
 my %aliases = ( VENDOR         => 'HOST',
-		SHAREDSTATEDIR => 'VARDIR',
+		SHAREDSTATEDIR => 'VARLIB',
-		DATADIR        => 'SHAREDIR',
+		DATADIR        => 'SHAREDIR' );
-		SYSCONFDIR     => 'CONFDIR' );
 
 for ( @ARGV ) {
     die "ERROR: Invalid option specification ( $_ )" unless /^(?:--)?(\w+)=(.*)$/;
@@ -124,6 +123,15 @@ printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s %2d
 
 print  $outfile "# Input: @ARGV\n#\n" if @ARGV;
 
+if ( $options{VARLIB} ) {
+    unless ( $options{VARDIR} ) {
+	$options{VARDIR} = '${VARLIB}/${PRODUCT}';
+    }
+} elsif ( $options{VARDIR} ) {
+    $options{VARLIB} = $options{VARDIR};
+    $options{VARDIR} = '${VARLIB}/${PRODUCT}';
+}
+
 for ( qw/ HOST
 	  PREFIX
 	  SHAREDIR
@@ -131,7 +139,7 @@ for ( qw/ HOST
 	  PERLLIBDIR
 	  CONFDIR
 	  SBINDIR
-	  MANDIR 
+	  MANDIR
 	  INITDIR
 	  INITSOURCE
 	  INITFILE
@@ -140,7 +148,9 @@ for ( qw/ HOST
 	  SYSTEMD
 	  SYSCONFFILE
 	  SYSCONFDIR
+	  SPARSE
 	  ANNOTATED
+	  VARLIB
 	  VARDIR / ) {
 
     my $val = $options{$_} || '';

Shorewall-core/install.sh

@@ -33,7 +33,7 @@ usage() # $1 = exit status
     exit $1
 }
 
-fatal_error() 
+fatal_error()
 {
     echo "   ERROR: $@" >&2
     exit 1
@@ -91,7 +91,7 @@ install_file() # $1 = source $2 = target $3 = mode
     run_install $T $OWNERSHIP -m $3 $1 ${2}
 }
 
-require() 
+require()
 {
     eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
 }
@@ -164,7 +164,18 @@ else
     usage 1
 fi
 
-for var in SHAREDIR LIBEXECDIR PERLLIBDIR CONFDIR SBINDIR VARDIR; do
+update=0
+
+if [ -z "${VARLIB}" ]; then
+    VARLIB=${VARDIR}
+    VARDIR="${VARLIB}/${PRODUCT}"
+    update=1
+elif [ -z "${VARDIR}" ]; then
+    VARDIR="${VARLIB}/${PRODUCT}"
+    update=2
+fi
+
+for var in SHAREDIR LIBEXECDIR PERLLIBDIR CONFDIR SBINDIR VARLIB VARDIR; do
     require $var
 done
 
@@ -307,6 +318,16 @@ chmod 755 ${DESTDIR}${SBINDIR}
 mkdir -p ${DESTDIR}${MANDIR}
 chmod 755 ${DESTDIR}${MANDIR}
 
+if [ -n "${INITFILE}" ]; then
+    mkdir -p ${DESTDIR}${INITDIR}
+    chmod 755 ${DESTDIR}${INITDIR}
+
+    if [ -n "$AUXINITSOURCE" -a -f "$AUXINITSOURCE" ]; then
+	install_file $AUXINITSOURCE ${DESTDIR}${INITDIR}/$AUXINITFILE 0544
+	[ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${INITDIR}/$AUXINITFILE
+	echo  "$Product script installed in ${DESTDIR}${INITDIR}/$AUXINITFILE"
+    fi
+fi
 #
 # Note: ${VARDIR} is created at run-time since it has always been
 #       a relocatable directory on a per-product basis
@@ -336,9 +357,25 @@ ln -sf lib.base ${DESTDIR}${SHAREDIR}/shorewall/functions
 echo "$VERSION" > ${DESTDIR}${SHAREDIR}/shorewall/coreversion
 chmod 644 ${DESTDIR}${SHAREDIR}/shorewall/coreversion
 
-[ $file != "${SHAREDIR}/shorewall/shorewallrc" ] && cp $file ${DESTDIR}${SHAREDIR}/shorewall/shorewallrc
+if [ -z "${DESTDIR}" ]; then
+    if [ $update -ne 0 ]; then
+	echo "Updating $file - original saved in $file.bak"
 
-[ -z "${DESTDIR}" ] && [ ! -f ~/.shorewallrc ] && cp ${SHAREDIR}/shorewall/shorewallrc ~/.shorewallrc
+	cp $file $file.bak
+
+	echo '#'                                             >> $file
+	echo "# Updated by Shorewall-core $VERSION -" `date` >> $file
+	echo '#'                                             >> $file
+
+	[ $update -eq 1 ] && sed -i 's/VARDIR/VARLIB/' $file
+
+	echo 'VARDIR=${VARLIB}/${PRODUCT}' >> $file
+    fi
+
+    [ ! -f ~/.shorewallrc ] && cp ${SHAREDIR}/shorewall/shorewallrc ~/.shorewallrc
+fi
+
+[ $file != "${DESTDIR}${SHAREDIR}/shorewall/shorewallrc" ] && cp $file ${DESTDIR}${SHAREDIR}/shorewall/shorewallrc
 
 if [ ${SHAREDIR} != /usr/share ]; then
     for f in lib.*; do

Shorewall-core/lib.base

@@ -20,15 +20,11 @@
 #	along with this program; if not, write to the Free Software
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-# This library contains the code common to all Shorewall components.
+# This library contains the code common to all Shorewall components except the
-#
+# generated scripts.
-# - It is loaded by /sbin/shorewall.
-# - It is released as part of Shorewall[6] Lite where it is used by /sbin/shorewall[6]-lite
-#   and /usr/share/shorewall[6]-lite/shorecap.
 #
 
-SHOREWALL_LIBVERSION=40502
+SHOREWALL_LIBVERSION=40509
-SHOREWALL_CAPVERSION=40502
 
 [ -n "${g_program:=shorewall}" ]
 
@@ -38,11 +34,7 @@ if [ -z "$g_readrc" ]; then
     #
     . /usr/share/shorewall/shorewallrc
 
-    g_libexec="$LIBEXECDIR"
     g_sharedir="$SHAREDIR"/$g_program
-    g_sbindir="$SBINDIR"
-    g_perllib="$PERLLIBDIR"
-    g_vardir="$VARDIR"
     g_confdir="$CONFDIR"/$g_program
     g_readrc=1
 fi
@@ -53,13 +45,13 @@ case $g_program in
     shorewall)
 	g_product="Shorewall"
 	g_family=4
-	g_tool=
+	g_tool=iptables
 	g_lite=
 	;;
     shorewall6)
 	g_product="Shorewall6"
 	g_family=6
-	g_tool=
+	g_tool=ip6tables
 	g_lite=
 	;;
     shorewall-lite)
@@ -76,7 +68,12 @@ case $g_program in
 	;;
 esac
 
-VARDIR=${VARDIR}/${g_program}
+if [ -z "${VARLIB}" ]; then
+    VARLIB=${VARDIR}
+    VARDIR=${VARLIB}/$g_program
+elif [ -z "${VARDIR}" ]; then
+    VARDIR="${VARLIB}/${PRODUCT}"
+fi
 
 #
 # Conditionally produce message
@@ -130,71 +127,6 @@ combine_list()
     echo $o
 }
 
-#
-# Call this function to assert mutual exclusion with Shorewall. If you invoke the
-# /sbin/shorewall program while holding mutual exclusion, you should pass "nolock" as
-# the first argument. Example "shorewall nolock refresh"
-#
-# This function uses the lockfile utility from procmail if it exists.
-# Otherwise, it uses a somewhat race-prone algorithm to attempt to simulate the
-# behavior of lockfile.
-#
-mutex_on()
-{
-    local try
-    try=0
-    local lockf
-    lockf=${LOCKFILE:=${VARDIR}/lock}
-    local lockpid
-
-    MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60}
-
-    if [ $MUTEX_TIMEOUT -gt 0 ]; then
-
-	[ -d ${VARDIR} ] || mkdir -p ${VARDIR}
-
-	if [ -f $lockf ]; then
-	    lockpid=`cat ${lockf} 2> /dev/null`
-	    if [ -z "$lockpid" -o $lockpid = 0 ]; then
-		rm -f ${lockf}
-		error_message "WARNING: Stale lockfile ${lockf} removed"
-	    elif ! qt ps p ${lockpid}; then
-		rm -f ${lockf}
-		error_message "WARNING: Stale lockfile ${lockf} from pid ${lockpid} removed"
-	    fi
-	fi
-
-	if qt mywhich lockfile; then
-	    lockfile -${MUTEX_TIMEOUT} -r1 ${lockf}
-	    chmod u+w ${lockf}
-	    echo $$ > ${lockf}
-	    chmod u-w ${lockf}
-	else
-	    while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
-		sleep 1
-		try=$((${try} + 1))
-	    done
-
-	    if  [ ${try} -lt ${MUTEX_TIMEOUT} ] ; then
-	        # Create the lockfile
-		echo $$ > ${lockf}
-	    else
-		echo "Giving up on lock file ${lockf}" >&2
-	    fi
-	fi
-    fi
-}
-
-#
-# Call this function to release mutual exclusion
-#
-mutex_off()
-{
-    rm -f ${LOCKFILE:=${VARDIR}/lock}
-}
-
-[ -z "$LEFTSHIFT" ] && . ${g_basedir}/lib.common
-
 #
 # Validate an IP address
 #
@@ -323,6 +255,8 @@ ip_range_explicit() {
     done
 }
 
+[ -z "$LEFTSHIFT" ] && . ${g_basedir}/lib.common
+
 #
 # Netmask to VLSM
 #

Shorewall-core/lib.common

@@ -84,7 +84,7 @@ get_script_version() { # $1 = script
 
     temp=$( $SHOREWALL_SHELL $1 version | tail -n 1 | sed 's/-.*//' )
 
-    if [ $? -ne 0 ]; then
+    if [ -z "$temp" ]; then
 	version=0
     else
 	ifs=$IFS
@@ -593,7 +593,7 @@ find_first_interface_address() # $1 = interface
 	#
 	[ -n "$addr" ] || startup_error "Can't determine the IP address of $1"
 	#
-	# Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)	
+	# Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
 	# along with everything else on the line
 	#
 	echo $addr | sed 's/\s*inet //;s/\/.*//;s/ peer.*//'
@@ -717,3 +717,69 @@ truncate() # $1 = length
 {
     cut -b -${1}
 }
+
+#
+# Call this function to assert mutual exclusion with Shorewall. If you invoke the
+# /sbin/shorewall program while holding mutual exclusion, you should pass "nolock" as
+# the first argument. Example "shorewall nolock refresh"
+#
+# This function uses the lockfile utility from procmail if it exists.
+# Otherwise, it uses a somewhat race-prone algorithm to attempt to simulate the
+# behavior of lockfile.
+#
+mutex_on()
+{
+    local try
+    try=0
+    local lockf
+    lockf=${LOCKFILE:=${VARDIR}/lock}
+    local lockpid
+
+    MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60}
+
+    if [ $MUTEX_TIMEOUT -gt 0 ]; then
+
+	[ -d ${VARDIR} ] || mkdir -p ${VARDIR}
+
+	if [ -f $lockf ]; then
+	    lockpid=`cat ${lockf} 2> /dev/null`
+	    if [ -z "$lockpid" -o $lockpid = 0 ]; then
+		rm -f ${lockf}
+		error_message "WARNING: Stale lockfile ${lockf} removed"
+	    elif [ $lockpid -eq $$ ]; then
+                return 0
+	    elif ! qt ps p ${lockpid}; then
+		rm -f ${lockf}
+		error_message "WARNING: Stale lockfile ${lockf} from pid ${lockpid} removed"
+	    fi
+	fi
+
+	if qt mywhich lockfile; then
+	    lockfile -${MUTEX_TIMEOUT} -r1 ${lockf}
+	    chmod u+w ${lockf}
+	    echo $$ > ${lockf}
+	    chmod u-w ${lockf}
+	else
+	    while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
+		sleep 1
+		try=$((${try} + 1))
+	    done
+
+	    if  [ ${try} -lt ${MUTEX_TIMEOUT} ] ; then
+	        # Create the lockfile
+		echo $$ > ${lockf}
+	    else
+		echo "Giving up on lock file ${lockf}" >&2
+	    fi
+	fi
+    fi
+}
+
+#
+# Call this function to release mutual exclusion
+#
+mutex_off()
+{
+    rm -f ${LOCKFILE:=${VARDIR}/lock}
+}
+

Shorewall-core/shorewallrc.apple

@@ -17,4 +17,4 @@ ANNOTATED=                             #Unused on OS X
 SYSTEMD=                               #Unused on OS X
 SYSCONFDIR=                            #Unused on OS X
 SPARSE=Yes                             #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
-VARDIR=/var/lib                        #Unused on OS X
+VARLIB=/var/lib                        #Unused on OS X

Shorewall-core/shorewallrc.archlinux

@@ -17,4 +17,5 @@ ANNOTATED=                             #If non-zero, annotated configuration fil
 SYSCONFDIR=                            #Directory where SysV init parameter files are installed
 SYSTEMD=                               #Directory where .service files are installed (systems running systemd only)
 SPARSE=                                #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
-VARDIR=/var/lib                        #Directory where product variable data is stored.
+VARLIB=/var/lib                        #Directory where product variable data is stored.
+VARDIR=${VARLIB}/$PRODUCT              #Directory where product variable data is stored.

Shorewall-core/shorewallrc.cygwin

@@ -16,5 +16,5 @@ INITSOURCE=                           #Unused on Cygwin
 ANNOTATED=                            #Unused on Cygwin
 SYSTEMD=                              #Unused on Cygwin
 SYSCONFDIR=                           #Unused on Cygwin
-SPARSE=Yes                            #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.                     
+SPARSE=Yes                            #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
-VARDIR=/var/lib                       #Unused on Cygwin
+VARLIB=/var/lib                       #Unused on Cygwin

Shorewall-core/shorewallrc.debian

@@ -18,4 +18,5 @@ SYSCONFFILE=default.debian              #Name of the distributed file to be inst
 SYSCONFDIR=/etc/default                 #Directory where SysV init parameter files are installed
 SYSTEMD=                                #Directory where .service files are installed (systems running systemd only)
 SPARSE=Yes                              #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
-VARDIR=/var/lib                         #Directory where product variable data is stored.
+VARLIB=/var/lib                         #Directory where product variable data is stored.
+VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.

Shorewall-core/shorewallrc.default

@@ -10,7 +10,7 @@ PERLLIBDIR=${PREFIX}/share/shorewall    #Directory to install Shorewall Perl mod
 CONFDIR=/etc                            #Directory where subsystem configurations are installed
 SBINDIR=/sbin                           #Directory where system administration programs are installed
 MANDIR=${PREFIX}/man                    #Directory where manpages are installed.
-INITDIR=etc/init.d                      #Directory where SysV init scripts are installed.
+INITDIR=/etc/init.d                     #Directory where SysV init scripts are installed.
 INITFILE=$PRODUCT                       #Name of the product's installed SysV init script
 INITSOURCE=init.sh                      #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                              #If non-zero, annotated configuration files are installed
@@ -18,4 +18,5 @@ SYSTEMD=                                #Directory where .service files are inst
 SYSCONFFILE=                            #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=                             #Directory where SysV init parameter files are installed
 SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
-VARDIR=/var/lib                         #Directory where product variable data is stored.
+VARLIB=/var/lib                         #Directory where product variable data is stored.
+VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.

Shorewall-core/shorewallrc.redhat

@@ -18,4 +18,5 @@ SYSTEMD=/lib/systemd/system             #Directory where .service files are inst
 SYSCONFFILE=sysconfig                   #Name of the distributed file to be installed as $SYSCONFDIR/$PRODUCT
 SYSCONFDIR=/etc/sysconfig/              #Directory where SysV init parameter files are installed
 SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
-VARDIR=/var/lib                         #Directory where product variable data is stored.
+VARLIB=/var/lib                         #Directory where product variable data is stored.
+VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.

Shorewall-core/shorewallrc.slackware

@@ -11,12 +11,13 @@ CONFDIR=/etc                               #Directory where subsystem configurat
 SBINDIR=/sbin                              #Directory where system administration programs are installed
 MANDIR=${PREFIX}/man                       #Directory where manpages are installed.
 INITDIR=/etc/rc.d                          #Directory where SysV init scripts are installed.
-INITSOURCE=init.slackware.firewall.sh      #Name of the distributed file to be installed as the SysV init script
+AUXINITSOURCE=init.slackware.firewall.sh   #Name of the distributed file to be installed as the SysV init script
-INITFILE=rc.firewall                       #Name of the product's installed SysV init script
+AUXINITFILE=rc.firewall                    #Name of the product's installed SysV init script
-AUXINITSOURCE=init.slackware.$PRODUCT.sh   #Name of the distributed file to be installed as a second SysV init script
+INITSOURCE=init.slackware.$PRODUCT.sh      #Name of the distributed file to be installed as a second SysV init script
-AUXINITFILE=rc.$PRODUCT                    #Name of the product's installed second init script
+INITFILE=rc.$PRODUCT                       #Name of the product's installed second init script
 SYSTEMD=                                   #Name of the directory where .service files are installed (systems running systemd only)
 SYSCONFFILE=                               #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=                                #Name of the directory where SysV init parameter files are installed.
 ANNOTATED=                                 #If non-empty, install annotated configuration files
-VARDIR=/var/lib                            #Directory where product variable data is stored.
+VARLIB=/var/lib                            #Directory where product variable data is stored.
+VARDIR=${VARLIB}/$PRODUCT                  #Directory where product variable data is stored.

Shorewall-core/shorewallrc.suse

@@ -12,10 +12,11 @@ SBINDIR=/sbin                                         #Directory where system ad
 MANDIR=${SHAREDIR}/man/                               #Directory where manpages are installed.
 INITDIR=/etc/init.d                                   #Directory where SysV init scripts are installed.
 INITFILE=$PRODUCT                                     #Name of the product's SysV init script
-INITSOURCE=init.sh                                    #Name of the distributed file to be installed as the SysV init script
+INITSOURCE=init.suse.sh                               #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                                            #If non-zero, annotated configuration files are installed
 SYSTEMD=                                              #Directory where .service files are installed (systems running systemd only)
 SYSCONFFILE=                                          #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=/etc/sysconfig/                            #Directory where SysV init parameter files are installed
 SPARSE=                                               #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
-VARDIR=/var/lib                                       #Directory where persistent product data is stored.
+VARLIB=/var/lib                                       #Directory where persistent product data is stored.
+VARDIR=${VARLIB}/$PRODUCT                             #Directory where product variable data is stored.

Shorewall-init/ifupdown.sh

@@ -22,6 +22,21 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
+setstatedir() {
+    local statedir
+    if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
+	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
+    fi
+
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+
+    if [ ! -x $STATEDIR/firewall ]; then
+	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	    ${SBINDIR}/$PRODUCT compile
+	fi
+    fi
+}
+
 Debian_SuSE_ppp() {
     NEWPRODUCTS=
     INTERFACE="$1"
@@ -106,15 +121,11 @@ if [ -f /etc/debian_version ]; then
 	    else
 		exit 0
 	    fi
-
-	    case "$PHASE" in
-		pre-*)
-		    exit 0
-		    ;;
-	    esac
 	    ;;
     esac
 elif [ -f /etc/SuSE-release ]; then
+    PHASE=''
+
     case $0 in
 	/etc/ppp*)
 	    #
@@ -146,6 +157,8 @@ else
     #
     # Assume RedHat/Fedora/CentOS/Foobar/...
     #
+    PHASE=''
+
     case $0 in
 	/etc/ppp*)
 	    INTERFACE="$1"
@@ -186,20 +199,14 @@ else
     esac
 fi
 
+[ -n "$LOGFILE" ] || LOGFILE=/dev/null
+
 for PRODUCT in $PRODUCTS; do
-    #
+    setstatedir
-    # For backward compatibility, lib.base appends the product name to VARDIR
+
-    # Save it here and restore it below
+    if [ -x $VARLIB/$PRODUCT/firewall ]; then
-    #
+	  ( ${VARLIB}/$PRODUCT/firewall -V0 $COMMAND $INTERFACE >> $LOGFILE 2>&1 ) || true
-    save_vardir=${VARDIR}
-    if [ -x $VARDIR/$PRODUCT/firewall ]; then
-	  ( . ${SHAREDIR}/shorewall/lib.base
-	    mutex_on
-	    ${VARDIR}/firewall -V0 $COMMAND $INTERFACE || echo_notdone
-	    mutex_off
-	  )
     fi
-    VARDIR=${save_vardir}
 done
 
 exit 0

Shorewall-init/init.debian.sh

@@ -62,11 +62,29 @@ not_configured () {
 	exit 0
 }
 
+# set the STATEDIR variable
+setstatedir() {
+    local statedir
+    if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
+	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
+    fi
+
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+
+    if [ ! -x $STATEDIR/firewall ]; then
+	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	    ${SBINDIR}/$PRODUCT compile
+	fi
+    fi
+}
+
 #
 # The installer may alter this
 #
 . /usr/share/shorewall/shorewallrc
 
+vardir=$VARDIR
+
 # check if shorewall-init is configured or not
 if [ -f "$SYSCONFDIR/shorewall-init" ]
 then
@@ -81,27 +99,27 @@ fi
 
 # Initialize the firewall
 shorewall_start () {
-  local product
+  local PRODUCT
-  local VARDIR
+  local STATEDIR
 
   echo -n "Initializing \"Shorewall-based firewalls\": "
-  for product in $PRODUCTS; do
+  for PRODUCT in $PRODUCTS; do
-      VARDIR=/var/lib/$product
+      setstatedir
-      [ -f /etc/$product/vardir ] && . /etc/$product/vardir
+
-      if [ -x ${VARDIR}/firewall ]; then
+      if [ ! -x ${VARDIR}/$PRODUCT/firewall ]; then
+	  if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	      ${SBINDIR}/$PRODUCT compile
+	  fi
+      fi
+
+      if [ -x ${VARDIR}/$PRODUCT/firewall ]; then
 	  #
 	  # Run in a sub-shell to avoid name collisions
 	  #
 	  ( 
-	      . /usr/share/$product/lib.base
+	      if ! ${VARDIR}/$PRODUCT/firewall status > /dev/null 2>&1; then
-	      #
+		  ${VARDIR}/$PRODUCT/firewall stop || echo_notdone
-	      # Get mutex so the firewall state is stable
-	      #
-	      mutex_on
-	      if ! ${VARDIR}/firewall status > /dev/null 2>&1; then
-		  ${VARDIR}/firewall stop || echo_notdone
 	      fi
-	      mutex_off
 	  )
       fi
   done
@@ -113,19 +131,21 @@ shorewall_start () {
 
 # Clear the firewall
 shorewall_stop () {
-  local product
+  local PRODUCT
   local VARDIR
 
   echo -n "Clearing \"Shorewall-based firewalls\": "
-  for product in $PRODUCTS; do
+  for PRODUCT in $PRODUCTS; do
-      VARDIR=/var/lib/$product
+      setstatedir
-      [ -f /etc/$product/vardir ] && . /etc/$product/vardir
+
-      if [ -x ${VARDIR}/firewall ]; then
+      if [ ! -x ${VARDIR}/$PRODUCT/firewall ]; then
-	  ( . /usr/share/$product/lib.base
+	  if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	    mutex_on
+	      ${SBINDIR}/$PRODUCT compile
-	    ${VARDIR}/firewall clear || echo_notdone
+	  fi
-	    mutex_off
+      fi
-	  )
+
+      if [ -x ${VARDIR}/$PRODUCT/firewall ]; then
+	  ${VARDIR}/$PRODUCT/firewall clear || echo_notdone
       fi
   done
 

Shorewall-init/init.fedora.sh

@@ -14,13 +14,8 @@
 #                    prior to bringing up the network.  
 ### END INIT INFO
 #determine where the files were installed
-if [ -f ~/.shorewallrc ]; then
+
-    . ~/.shorewallrc || exit 1
+. /usr/share/shorewall/shorewallrc
-else
-    SBINDIR=/sbin
-    SYSCONFDIR=/etc/default
-    VARDIR=/var/lib
-fi
 
 prog="shorewall-init"
 logger="logger -i -t $prog"
@@ -29,6 +24,8 @@ lockfile="/var/lock/subsys/shorewall-init"
 # Source function library.
 . /etc/rc.d/init.d/functions
 
+vardir=$VARDIR
+
 # Get startup options (override default)
 OPTIONS=
 
@@ -40,9 +37,25 @@ else
     exit 6
 fi
 
+# set the STATEDIR variable
+setstatedir() {
+    local statedir
+    if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
+	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
+    fi
+
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+
+    if [ ! -x $STATEDIR/firewall ]; then
+	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	    ${SBINDIR}/$PRODUCT compile
+	fi
+    fi
+}
+
 # Initialize the firewall
 start () {
-    local product
+    local PRODUCT
     local vardir
 
     if [ -z "$PRODUCTS" ]; then
@@ -52,11 +65,19 @@ start () {
     fi
 
     echo -n "Initializing \"Shorewall-based firewalls\": "
-    for product in $PRODUCTS; do
+    for PRODUCT in $PRODUCTS; do
-	if [ -x ${VARDIR}/$product/firewall ]; then
+	setstatedir
-	    ${VARDIR}/$product/firewall stop 2>&1 | $logger
+
+	if [ ! -x ${VARDIR}/firewall ]; then
+	    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+		${SBINDIR}/$PRODUCT compile
+	    fi
+	fi
+
+	if [ -x ${VARDIR}/$PRODUCT/firewall ]; then
+	    ${VARDIR}/$PRODUCT/firewall stop 2>&1 | $logger
 	    retval=${PIPESTATUS[0]}
-	    [ retval -ne 0 ] && break
+	    [ $retval -ne 0 ] && break
 	fi
     done
 
@@ -72,15 +93,23 @@ start () {
 
 # Clear the firewall
 stop () {
-    local product
+    local PRODUCT
     local vardir
 
     echo -n "Clearing \"Shorewall-based firewalls\": "
-    for product in $PRODUCTS; do
+    for PRODUCT in $PRODUCTS; do
-	if [ -x ${VARDIR}/$product/firewall ]; then
+	setstatedir
-	    ${VARDIR}/$product/firewall clear 2>&1 | $logger
+
+	if [ ! -x ${VARDIR}/firewall ]; then
+	    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+		${SBINDIR}/$PRODUCT compile
+	    fi
+	fi
+
+	if [ -x ${VARDIR}/$PRODUCT/firewall ]; then
+	    ${VARDIR}/$PRODUCT/firewall clear 2>&1 | $logger
 	    retval=${PIPESTATUS[0]}
-	    [ retval -ne 0 ] && break
+	    [ $retval -ne 0 ] && break
 	fi
     done
 
@@ -107,19 +136,15 @@ case "$1" in
 	status_q || exit 0
 	$1
 	;;
-    restart|reload|force-reload)
+    restart|reload|force-reload|condrestart|try-restart)
 	echo "Not implemented"
 	exit 3
 	;;
-    condrestart|try-restart)
-	echo "Not implemented"
-	exit 3
-        ;;
     status)
 	status $prog
 	;;
   *)
-	echo "Usage: /etc/init.d/shorewall-init {start|stop}"
+	echo "Usage: /etc/init.d/shorewall-init {start|stop|status}"
 	exit 1
 esac
 

Shorewall-init/init.sh

@@ -58,16 +58,34 @@ fi
 #
 . /usr/share/shorewall/shorewallrc
 
+# Locate the current PRODUCT's statedir
+setstatedir() {
+    local statedir
+    if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
+	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
+    fi
+
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+
+    if [ ! -x $STATEDIR/firewall ]; then
+	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	    ${SBINDIR}/$PRODUCT compile $STATEDIR/firewall
+	fi
+    fi
+}
+
 # Initialize the firewall
 shorewall_start () {
   local PRODUCT
-  local VARDIR
+  local STATEDIR
 
   echo -n "Initializing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
-      if [ -x ${VARDIR}/firewall ]; then
+      setstatedir
+
+      if [ -x ${STATEDIR}/firewall ]; then
 	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
-	      ${VARDIR}/firewall stop || echo_notdone
+	      ${STATEDIR}/firewall stop || echo_notdone
 	  fi
       fi
   done
@@ -86,6 +104,14 @@ shorewall_stop () {
 
   echo -n "Clearing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
+      setstatedir
+
+      if [ ! -x ${VARDIR}/firewall ]; then
+	  if [ $PRODUCT = shorewall -o $product = shorewall6 ]; then
+	      ${SBINDIR}/$PRODUCT compile
+	  fi
+      fi
+
       if [ -x ${VARDIR}/firewall ]; then
 	  ${VARDIR}/firewall clear || exit 1
       fi

Shorewall-init/init.suse.sh

@@ -0,0 +1,135 @@
+#! /bin/bash
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2010,2012 - Tom Eastep (teastep@shorewall.net)
+#
+#       On most distributions, this file should be called /etc/init.d/shorewall.
+#
+#       Complete documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#
+### BEGIN INIT INFO
+# Provides: shorewall-init
+# Required-Start: $local_fs
+# Required-Stop:  $local_fs
+# Default-Start:  2 3 5
+# Default-Stop:   0 1 6
+# Short-Description: Initialize the firewall at boot time
+# Description:       Place the firewall in a safe state at boot time
+#                    prior to bringing up the network.  
+### END INIT INFO
+
+if [ "$(id -u)" != "0" ]
+then
+  echo "You must be root to start, stop or restart \"Shorewall \"."
+  exit 1
+fi
+
+# check if shorewall-init is configured or not
+if [ -f "/etc/sysconfig/shorewall-init" ]
+then
+	. /etc/sysconfig/shorewall-init
+	if [ -z "$PRODUCTS" ]
+	then
+		exit 0
+	fi
+else
+	exit 0
+fi
+
+#
+# The installer may alter this
+#
+. /usr/share/shorewall/shorewallrc
+
+# set the STATEDIR variable
+setstatedir() {
+    local statedir
+    if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
+	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
+    fi
+
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+
+    if [ ! -x $STATEDIR/firewall ]; then
+	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	    ${SBINDIR}/$PRODUCT compile
+	fi
+    fi
+}
+
+# Initialize the firewall
+shorewall_start () {
+  local PRODUCT
+  local STATEDIR
+
+  echo -n "Initializing \"Shorewall-based firewalls\": "
+  for PRODUCT in $PRODUCTS; do
+      setstatedir
+
+      if [ -x $STATEDIR/firewall ]; then
+	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
+	      $STATEDIR/$PRODUCT/firewall stop || echo_notdone
+	  fi
+      fi
+  done
+
+  if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
+      ipset -R < "$SAVE_IPSETS"
+  fi
+
+  return 0
+}
+
+# Clear the firewall
+shorewall_stop () {
+  local PRODUCT
+  local STATEDIR
+
+  echo -n "Clearing \"Shorewall-based firewalls\": "
+  for PRODUCT in $PRODUCTS; do
+      setstatedir
+
+      if [ -x ${STATEDIR}/firewall ]; then
+	  ${STATEDIR}/firewall clear || exit 1
+      fi
+  done
+
+  if [ -n "$SAVE_IPSETS" ]; then
+      mkdir -p $(dirname "$SAVE_IPSETS")
+      if ipset -S > "${SAVE_IPSETS}.tmp"; then
+	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+      fi
+  fi
+
+  return 0
+}
+
+case "$1" in
+  start)
+     shorewall_start
+     ;;
+  stop)
+     shorewall_stop
+     ;;
+  *)
+     echo "Usage: /etc/init.d/shorewall-init {start|stop}"
+     exit 1
+esac
+
+exit 0

Shorewall-init/install.sh

@@ -160,7 +160,14 @@ else
     usage 1
 fi
 
-for var in SHAREDIR LIBEXECDIR CONFDIR SBINDIR VARDIR; do
+if [ -z "${VARLIB}" ]; then
+    VARLIB=${VARDIR}
+    VARDIR=${VARLIB}/${PRODUCT}
+elif [ -z "${VARDIR}" ]; then
+    VARDIR=${VARLIB}/${PRODUCT}
+fi
+
+for var in SHAREDIR LIBEXECDIR CONFDIR SBINDIR VARLIB VARDIR; do
     require $var
 done
 
@@ -260,6 +267,11 @@ else
     first_install="Yes"
 fi
 
+if [ -n "$DESTDIR" ]; then
+    mkdir -p ${DESTDIR}${CONFDIR}/logrotate.d
+    chmod 755 ${DESTDIR}${CONFDIR}/logrotate.d
+fi
+
 #
 # Install the Firewall Script
 #
@@ -280,6 +292,7 @@ fi
 if [ -n "$SYSTEMD" ]; then
     mkdir -p ${DESTDIR}${SYSTEMD}
     run_install $OWNERSHIP -m 600 shorewall-init.service ${DESTDIR}${SYSTEMD}/shorewall-init.service
+    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/shorewall-init.service
     echo "Service file installed as ${DESTDIR}${SYSTEMD}/shorewall-init.service"
     if [ -n "$DESTDIR" ]; then
 	mkdir -p ${DESTDIR}${SBINDIR}
@@ -292,27 +305,35 @@ fi
 #
 # Create /usr/share/shorewall-init if needed
 #
-mkdir -p ${DESTDIR}/usr/share/shorewall-init
+mkdir -p ${DESTDIR}${SHAREDIR}/shorewall-init
-chmod 755 ${DESTDIR}/usr/share/shorewall-init
+chmod 755 ${DESTDIR}${SHAREDIR}/shorewall-init
+
+#
+# Install logrotate file
+#
+if [ -d ${DESTDIR}${CONFDIR}/logrotate.d ]; then
+    run_install $OWNERSHIP -m 0644 logrotate ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT
+    echo "Logrotate file installed as ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT"
+fi
 
 #
 # Create the version file
 #
-echo "$VERSION" > ${DESTDIR}/usr/share/shorewall-init/version
+echo "$VERSION" > ${DESTDIR}/${SHAREDIR}/shorewall-init/version
-chmod 644 ${DESTDIR}/usr/share/shorewall-init/version
+chmod 644 ${DESTDIR}${SHAREDIR}/shorewall-init/version
 
 #
 # Remove and create the symbolic link to the init script
 #
 if [ -z "$DESTDIR" ]; then
-    rm -f /usr/share/shorewall-init/init
+    rm -f ${SHAREDIR}/shorewall-init/init
     ln -s ${INITDIR}/${INITFILE} ${SHAREDIR}/shorewall-init/init
 fi
 
 if [ $HOST = debian ]; then
     if [ -n "${DESTDIR}" ]; then
 	mkdir -p ${DESTDIR}/etc/network/if-up.d/
-	mkdir -p ${DESTDIR}/etc/network/if-post-down.d/
+	mkdir -p ${DESTDIR}/etc/network/if-down.d/
     fi
 
     if [ ! -f ${DESTDIR}/etc/default/shorewall-init ]; then
@@ -347,7 +368,7 @@ fi
 
 cp ifupdown.sh ifupdown
 
-d[ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ifupdown
+[ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ifupdown
 
 mkdir -p ${DESTDIR}${LIBEXECDIR}/shorewall-init
 
@@ -360,6 +381,7 @@ fi
 case $HOST in
     debian)
 	install_file ifupdown ${DESTDIR}/etc/network/if-up.d/shorewall 0544
+	install_file ifupdown ${DESTDIR}/etc/network/if-down.d/shorewall 0544
 	install_file ifupdown ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544
 	;;
     suse)
@@ -382,12 +404,12 @@ if [ -z "$DESTDIR" ]; then
     if [ -n "$first_install" ]; then
 	if [ $HOST = debian ]; then
 	    
-	    update-rc.d shorewall-init defaults
+	    update-rc.d shorewall-init enable
 
 	    echo "Shorewall Init will start automatically at boot"
 	else
 	    if [ -n "$SYSTEMD" ]; then
-		if systemctl enable shorewall-init; then
+		if systemctl enable shorewall-init.service; then
 		    echo "Shorewall Init will start automatically at boot"
 		fi
 	    elif [ -x ${SBINDIR}/insserv -o -x /usr${SBINDIR}/insserv ]; then

Shorewall-init/logrotate

@@ -0,0 +1,5 @@
+/var/log/shorewall-ifupdown.log {
+  missingok
+  notifempty
+  create 0600 root root
+}

Shorewall-init/sysconfig

@@ -16,3 +16,8 @@ IFUPDOWN=0
 # during 'start' and will save them there during 'stop'.
 #
 SAVE_IPSETS=""
+#
+# Where Up/Down events get logged
+#
+LOGFILE=/var/log/shorewall-ifupdown.log
+

Shorewall-lite/init.debian.sh

@@ -23,7 +23,7 @@ export SHOREWALL_INIT_SCRIPT
 test -x $SRWL || exit 0
 test -x $WAIT_FOR_IFUP || exit 0
 test -n "$INITLOG" || {
-	echo "INITLOG cannot be empty, please configure $0" ; 
+	echo "INITLOG cannot be empty, please configure $0" ;
 	exit 1;
 }
 
@@ -35,9 +35,9 @@ fi
 
 echo_notdone () {
 
-  if [ "$INITLOG" = "/dev/null" ] ; then 
+  if [ "$INITLOG" = "/dev/null" ] ; then
 	  echo "not done."
-  else 
+  else
 	  echo "not done (check $INITLOG)."
   fi
 

Shorewall-lite/init.fedora.sh

@@ -41,10 +41,10 @@ start() {
     echo -n $"Starting Shorewall: "
     $shorewall $OPTIONS start 2>&1 | $logger
     retval=${PIPESTATUS[0]}
-    if [[ $retval == 0 ]]; then 
+    if [[ $retval == 0 ]]; then
 	touch $lockfile
 	success
-    else 
+    else
 	failure
     fi
     echo
@@ -55,10 +55,10 @@ stop() {
     echo -n $"Stopping Shorewall: "
     $shorewall $OPTIONS stop 2>&1 | $logger
     retval=${PIPESTATUS[0]}
-    if [[ $retval == 0 ]]; then 
+    if [[ $retval == 0 ]]; then
 	rm -f $lockfile
 	success
-    else 
+    else
 	failure
     fi
     echo
@@ -71,7 +71,7 @@ restart() {
     echo -n $"Restarting Shorewall: "
     $shorewall $OPTIONS restart 2>&1 | $logger
     retval=${PIPESTATUS[0]}
-    if [[ $retval == 0 ]]; then 
+    if [[ $retval == 0 ]]; then
 	touch $lockfile
 	success
     else # Failed to start, clean up lock file if present

Shorewall-lite/init.suse.sh

@@ -0,0 +1,92 @@
+#!/bin/sh
+#
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2012 - Tom Eastep (teastep@shorewall.net)
+#
+#	On most distributions, this file should be called /etc/init.d/shorewall.
+#
+#	Complete documentation is available at http://shorewall.net
+#
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of Version 2 of the GNU General Public License
+#	as published by the Free Software Foundation.
+#
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, write to the Free Software
+#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#	If an error occurs while starting or restarting the firewall, the
+#	firewall is automatically stopped.
+#
+#	Commands are:
+#
+#	   shorewall start			  Starts the firewall
+#	   shorewall restart			  Restarts the firewall
+#	   shorewall reload			  Reload the firewall
+#						  (same as restart)
+#	   shorewall stop			  Stops the firewall
+#	   shorewall status			  Displays firewall status
+#
+
+
+### BEGIN INIT INFO
+# Provides:	  shorewall-lite
+# Required-Start: $network $remote_fs
+# Required-Stop:  
+# Default-Start:  2 3 5
+# Default-Stop:	  0 1 6
+# Description:	  starts and stops the shorewall firewall
+# Short-Description: Packet filtering firewall
+### END INIT INFO
+
+################################################################################
+# Give Usage Information						       #
+################################################################################
+usage() {
+    echo "Usage: $0 start|stop|reload|restart|status"
+    exit 1
+}
+
+################################################################################
+# Get startup options (override default)
+################################################################################
+OPTIONS=
+
+#
+# The installer may alter this
+#
+. /usr/share/shorewall/shorewallrc
+
+if [ -f ${SYSCONFDIR}/shorewall-lite ]; then
+    . ${SYSCONFDIR}/shorewall-lite
+fi
+
+SHOREWALL_INIT_SCRIPT=1
+
+################################################################################
+# E X E C U T I O N    B E G I N S   H E R E				       #
+################################################################################
+command="$1"
+
+case "$command" in
+    start)
+	exec ${SBINDIR}/shorewall-lite $OPTIONS start $STARTOPTIONS
+	;;
+    restart|reload)
+	exec ${SBINDIR}/shorewall-lite $OPTIONS restart $RESTARTOPTIONS
+	;;
+    status|stop)
+	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $@
+	;;
+    *)
+	usage
+	;;
+esac

Shorewall-lite/install.sh

@@ -33,7 +33,7 @@ usage() # $1 = exit status
     exit $1
 }
 
-fatal_error() 
+fatal_error()
 {
     echo "   ERROR: $@" >&2
     exit 1
@@ -91,7 +91,7 @@ install_file() # $1 = source $2 = target $3 = mode
     run_install $T $OWNERSHIP -m $3 $1 ${2}
 }
 
-require() 
+require()
 {
     eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
 }
@@ -118,7 +118,7 @@ while [ $finished -eq 0 ] ; do
     case "$1" in
 	-*)
 	    option=${option#-}
-	    
+
 	    while [ -n "$option" ]; do
 		case $option in
 		    h)
@@ -171,7 +171,14 @@ else
     usage 1
 fi
 
-for var in SHAREDIR LIBEXECDIRDIRDIR CONFDIR SBINDIR VARDIR; do
+if [ -z "${VARLIB}" ]; then
+    VARLIB=${VARDIR}
+    VARDIR=${VARLIB}/${PRODUCT}
+elif [ -z "${VARDIR}" ]; then
+    VARDIR=${VARLIB}/${PRODUCT}
+fi
+
+for var in SHAREDIR LIBEXECDIRDIRDIR CONFDIR SBINDIR VARLIB VARDIR; do
     require $var
 done
 
@@ -182,7 +189,6 @@ PATH=${SBINDIR}:/bin:/usr${SBINDIR}:/usr/bin:/usr/local/bin:/usr/local${SBINDIR}
 #
 cygwin=
 INSTALLD='-D'
-INITFILE=$PRODUCT
 T='-T'
 
 if [ -z "$BUILD" ]; then
@@ -253,7 +259,10 @@ case "$HOST" in
     archlinux)
 	echo "Installing ArchLinux-specific configuration..."
 	;;
-    linux|suse)
+    suse)
+	echo "Installing Suse-specific configuration..."
+	;;
+    linux)
 	;;
     *)
 	echo "ERROR: Unknown HOST \"$HOST\"" >&2
@@ -268,24 +277,14 @@ if [ -n "$DESTDIR" ]; then
 	echo "Not setting file owner/group permissions, not running as root."
 	OWNERSHIP=""
     fi
-    
+
     install -d $OWNERSHIP -m 755 ${DESTDIR}/${SBINDIR}
     install -d $OWNERSHIP -m 755 ${DESTDIR}${INITDIR}
-
-    if [ -n "$SYSTEMD" ]; then
-	mkdir -p ${DESTDIR}/lib/systemd/system
-	INITFILE=
-    fi
 else
     if [ ! -f /usr/share/shorewall/coreversion ]; then
 	echo "$PRODUCT $VERSION requires Shorewall Core which does not appear to be installed" >&2
 	exit 1
     fi
-
-    if [ -f /lib/systemd/system ]; then
-	SYSTEMD=Yes
-	INITFILE=
-    fi
 fi
 
 echo "Installing $Product Version $VERSION"
@@ -303,8 +302,8 @@ if [ -z "$DESTDIR" -a -d ${CONFDIR}/$PRODUCT ]; then
 	mv -f ${CONFDIR}/$PRODUCT/shorewall.conf ${CONFDIR}/$PRODUCT/$PRODUCT.conf
 else
     rm -rf ${DESTDIR}${CONFDIR}/$PRODUCT
-    rm -rf ${DESTDIR}/usr/share/$PRODUCT
+    rm -rf ${DESTDIR}${SHAREDIR}/$PRODUCT
-    rm -rf ${DESTDIR}/var/lib/$PRODUCT
+    rm -rf ${DESTDIR}${VARDIR}
     [ "$LIBEXECDIR" = /usr/share ] || rm -rf ${DESTDIR}/usr/share/$PRODUCT/wait4ifup ${DESTDIR}/usr/share/$PRODUCT/shorecap
 fi
 
@@ -327,9 +326,9 @@ echo "$Product control program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"
 # Create ${CONFDIR}/$PRODUCT, /usr/share/$PRODUCT and /var/lib/$PRODUCT if needed
 #
 mkdir -p ${DESTDIR}${CONFDIR}/$PRODUCT
-mkdir -p ${DESTDIR}/usr/share/$PRODUCT
+mkdir -p ${DESTDIR}${SHAREDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT
-mkdir -p ${DESTDIR}/var/lib/$PRODUCT
+mkdir -p ${DESTDIR}${VARDIR}
 
 chmod 755 ${DESTDIR}${CONFDIR}/$PRODUCT
 chmod 755 ${DESTDIR}/usr/share/$PRODUCT
@@ -354,7 +353,9 @@ fi
 # Install the .service file
 #
 if [ -n "$SYSTEMD" ]; then
+    mkdir -p ${DESTDIR}${SYSTEMD}
     run_install $OWNERSHIP -m 600 $PRODUCT.service ${DESTDIR}/${SYSTEMD}/$PRODUCT.service
+    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/$PRODUCT.service
     echo "Service file installed as ${DESTDIR}/lib/systemd/system/$PRODUCT.service"
 fi
 
@@ -403,6 +404,7 @@ echo "Common functions linked through ${DESTDIR}${SHAREDIR}/$PRODUCT/functions"
 #
 
 install_file shorecap ${DESTDIR}${LIBEXECDIR}/$PRODUCT/shorecap 0755
+[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${LIBEXECDIR}/$PRODUCT/shorecap
 
 echo
 echo "Capability file builder installed in ${DESTDIR}${LIBEXECDIR}/$PRODUCT/shorecap"
@@ -498,7 +500,7 @@ if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
 	perl -p -w -i -e 's/^STARTUP_ENABLED=No/STARTUP_ENABLED=Yes/;s/^IP_FORWARDING=On/IP_FORWARDING=Keep/;s/^SUBSYSLOCK=.*/SUBSYSLOCK=/;' ${CONFDIR}/${PRODUCT}/${PRODUCT}.conf
 	update-rc.d $PRODUCT enable defaults
     elif [ -n "$SYSTEMD" ]; then
-	if systemctl enable $PRODUCT; then
+	if systemctl enable ${PRODUCT}.service; then
 	    echo "$Product will start automatically at boot"
 	fi
     elif mywhich insserv; then

Shorewall-lite/manpages/shorewall-lite.xml

@@ -337,6 +337,8 @@
 
       <arg choice="plain"><option>show</option></arg>
 
+      <arg><option>-b</option></arg>
+
       <arg><option>-x</option></arg>
 
       <arg><option>-l</option></arg>
@@ -841,6 +843,12 @@
                 Netfilter table to display. The default is <emphasis
                 role="bold">filter</emphasis>.</para>
 
+                <para>The <emphasis role="bold">-b</emphasis> ('brief') option
+                causes rules which have not been used (i.e. which have zero
+                packet and byte counts) to be omitted from the output. Chains
+                with no rules displayed are also omitted from the
+                output.</para>
+
                 <para>The <emphasis role="bold">-l</emphasis> option causes
                 the rule number for each Netfilter rule to be
                 displayed.</para>

Shorewall-lite/shorecap

@@ -45,17 +45,19 @@
 #    used during firewall compilation, then the generated firewall program will likewise not
 #    require Shorewall to be installed.
 
-SHAREDIR=/usr/share/shorewall-lite
-VARDIR=/var/lib/shorewall-lite
-CONFDIR=/etc/shorewall-lite
-g_program=shorewall-lite
-g_product="Shorewall Lite"
-g_family=4
-g_base=shorewall
-g_basedir=/usr/share/shorewall-lite
 
-. /usr/share/shorewall-lite/lib.base
+g_program=shorewall-lite
-. /usr/share/shorewall/lib.cli
+
+#
+# This is modified by the installer when ${SHAREDIR} != /usr/share
+#
+. /usr/share/shorewall/shorewallrc
+
+g_sharedir="$SHAREDIR"/shorewall-lite
+g_confdir="$CONFDIR"/shorewall-lite
+g_readrc=1
+
+. ${SHAREDIR}/shorewall/lib.cli
 . /usr/share/shorewall-lite/configpath
 
 [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

Shorewall-lite/shorewall-lite

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011 - 
+#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011 -
 #         Tom Eastep (teastep@shorewall.net)
 #
 #	Shorewall documentation is available at http://www.shorewall.net
@@ -25,17 +25,15 @@
 #       For a list of supported commands, type 'shorewall help' or 'shorewall6 help'
 #
 ################################################################################################
-g_program=shorewall-lite
+PRODUCT=shorewall-lite
 
 #
 # This is modified by the installer when ${SHAREDIR} != /usr/share
 #
 . /usr/share/shorewall/shorewallrc
 
-g_libexec="$LIBEXECDIR"
+g_program=$PRODUCT
 g_sharedir="$SHAREDIR"/shorewall-lite
-g_sbindir="$SBINDIR"
-g_vardir="$VARDIR"
 g_confdir="$CONFDIR"/shorewall-lite
 g_readrc=1
 

Shorewall-lite/shorewall-lite.conf

@@ -1,5 +1,5 @@
 ###############################################################################
-#  /etc/shorewall-lite/shorewall-lite.conf Version 4 - Change the following 
+#  /etc/shorewall-lite/shorewall-lite.conf Version 4 - Change the following
 #  variables to override the values in the shorewall.conf file used to
 #  compile /var/lib/shorewall-lite/firewall. Those values may be found in
 #  /var/lib/shorewall-lite/firewall.conf.

Shorewall-lite/shorewall-lite.service

@@ -13,8 +13,8 @@ Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall-lite
 StandardOutput=syslog
-ExecStart=/sbin/shorewall-lite $OPTIONS start
+ExecStart=/usr/sbin/shorewall-lite $OPTIONS start
-ExecStop=/sbin/shorewall-lite $OPTIONS stop
+ExecStop=/usr/sbin/shorewall-lite $OPTIONS stop
 
 [Install]
 WantedBy=multi-user.target

Shorewall/Macros/macro.Amanda

@@ -8,9 +8,16 @@
 #	files from those nodes.
 #
 ###############################################################################
+FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	udp	10080
+
+?if ( __CT_TARGET && ! $AUTOHELPERS && __AMANDA_HELPER )
+ PARAM	-	-	udp	10080 ; helper=amanda
+?else
+ PARAM	-	-	udp	10080
+?endif
+
 PARAM	-	-	tcp	10080
 #
 # You may also need this rule.  With AMANDA 2.4.4 on Linux kernel 2.6,

Shorewall/Macros/macro.BLACKLIST

@@ -8,4 +8,8 @@
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
-$BLACKLIST_DISPOSITION:$BLACKLIST_LOGLEVEL
+?if $BLACKLIST_LOGLEVEL
+blacklog
+?else
+$BLACKLIST_DISPOSITION
+?endif

Shorewall/Macros/macro.FTP

@@ -6,6 +6,11 @@
 #	This macro handles FTP traffic.
 #
 ###############################################################################
+FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	tcp	21
+?if ( __CT_TARGET && ! $AUTOHELPERS && __FTP_HELPER  )
+ PARAM	-	-	tcp	21 ; helper=ftp
+?else
+ PARAM	-	-	tcp	21
+?endif

Shorewall/Macros/macro.IRC

@@ -6,6 +6,12 @@
 #	This macro handles IRC traffic (Internet Relay Chat).
 #
 ###############################################################################
+FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	tcp	6667
+
+?if ( __CT_TARGET && ! $AUTOHELPERS && __IRC_HELPER  )
+ PARAM	-	-	tcp	6667 ; helper=irc
+?else
+ PARAM	-	-	tcp	6667
+?endif

Shorewall/Macros/macro.MSSQL

@@ -0,0 +1,11 @@
+#
+# Shorewall version 4 - MSSQL Macro
+#
+# /usr/share/shorewall/macro.MSSQL
+#
+#	This macro handles MSSQL (Microsoft SQL Server)
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S)	PORT(S)	LIMIT	GROUP
+PARAM	-	-	tcp	1433

Shorewall/Macros/macro.PPtP

@@ -6,8 +6,14 @@
 #	This macro handles PPTP traffic.
 #
 ###############################################################################
+FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 PARAM	-	-	47
 PARAM	DEST	SOURCE	47
-PARAM	-	-	tcp	1723
+
+?if ( __CT_TARGET && ! $AUTOHELPERS && __PPTP_HELPER )
+ PARAM	-	-	tcp	1723 ; helper=pptp
+?else
+ PARAM	-	-	tcp	1723
+?endif

Shorewall/Macros/macro.Puppet

@@ -0,0 +1,12 @@
+#
+# Shorewall version 4 - Puppet Macro
+#
+# /usr/share/shorewall/macro.Puppet
+#
+#	This macro handles client-to-server for the Puppet configuration
+#	management system.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S)	PORT(S)	LIMIT	GROUP
+PARAM	-	-	tcp	8140

Shorewall/Macros/macro.SANE

@@ -6,9 +6,16 @@
 #	This macro handles SANE network scanning.
 #
 ###############################################################################
+FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	tcp	6566
+
+?if ( __CT_TARGET && ! $AUTOHELPERS && __SANE_HELPER )
+ PARAM	-	-	tcp	6566 ; helper=sane
+?else
+ PARAM	-	-	tcp	6566
+?endif
+
 #
 # Kernels 2.6.23+ has nf_conntrack_sane module which will handle
 # sane data connection.

Shorewall/Macros/macro.SIP

@@ -0,0 +1,17 @@
+#
+# Shorewall version 4 - SIP Macro
+#
+# /usr/share/shorewall/macro.SIP
+#
+#	This macro handles SIP traffic.
+#
+###############################################################################
+FORMAT 2
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S)	PORT(S)	LIMIT	GROUP
+
+?if ( __CT_TARGET && ! $AUTOHELPERS && __SIP_HELPER  )
+ PARAM	-	-	udp	5060 ; helper=sip
+?else
+ PARAM	-	-	udp	5060
+?endif

Shorewall/Macros/macro.SMB

@@ -10,9 +10,17 @@
 #	between hosts you fully trust.
 #
 ###############################################################################
+FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 PARAM	-	-	udp	135,445
-PARAM	-	-	udp	137:139
+
+?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
+ PARAM	-	-	udp	137 ; helper=netbios-ns
+ PARAM	-	-	udp	138:139
+?else
+ PARAM	-	-	udp	137:139
+?endif
+
 PARAM	-	-	udp	1024:	137
 PARAM	-	-	tcp	135,139,445

Shorewall/Macros/macro.SMBBI

@@ -10,13 +10,28 @@
 #	allow SMB traffic between hosts you fully trust.
 #
 ###############################################################################
+FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 PARAM	-	-	udp	135,445
-PARAM	-	-	udp	137:139
+
+?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
+ PARAM	-	-	udp	137 ; helper=netbios-ns
+ PARAM	-	-	udp	138:139
+?else
+ PARAM	-	-	udp	137:139
+?endif
+
 PARAM	-	-	udp	1024:	137
 PARAM	-	-	tcp	135,139,445
 PARAM	DEST	SOURCE	udp	135,445
-PARAM	DEST	SOURCE	udp	137:139
+
+?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
+ PARAM	DEST	SOURCE	udp	137 ; helper=netbios-ns
+ PARAM	DEST	SOURCE	udp	138:139
+?else
+ PARAM	DEST	SOURCE	udp	137:139
+?endif
+
 PARAM	DEST	SOURCE	udp	1024:	137
 PARAM	DEST	SOURCE	tcp	135,139,445

Shorewall/Macros/macro.SNMP

@@ -3,10 +3,17 @@
 #
 # /usr/share/shorewall/macro.SNMP
 #
-#	This macro handles SNMP traffic (including traps).
+#	This macro handles SNMP traffic.
+#
+#       Note: To allow SNMP Traps, use the SNMPTrap macro
 #
 ###############################################################################
+FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	udp	161:162
+
-PARAM	-	-	tcp	161
+?if ( __CT_TARGET && ! $AUTOHELPERS && __SNMP_HELPER )
+ PARAM	-	-  	udp     161 ; helper=snmp
+?else
+ PARAM	-	-	udp	161
+?endif

Shorewall/Macros/macro.SNMPTrap

@@ -0,0 +1,12 @@
+#
+# Shorewall version 4 - SNMP Trap Macro
+#
+# /usr/share/shorewall/macro.SNMP
+#
+#	This macro handles SNMP traps.
+#
+###############################################################################
+FORMAT 2
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S)	PORT(S)	LIMIT	GROUP
+PARAM	-	-	udp	162

Shorewall/Macros/macro.TFTP

@@ -8,6 +8,12 @@
 #	Internet.
 #
 ###############################################################################
+FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	udp	69
+
+?if ( __CT_TARGET && ! $AUTOHELPERS && __TFTP_HELPER )
+ PARAM	-	-	udp	69 ; helper=tftp
+?else
+ PARAM	-	-	udp	69
+?endif

Shorewall/Macros/macro.Teredo

@@ -0,0 +1,11 @@
+#
+# Shorewall version 4 - Teredo Macro
+#
+# /usr/share/shorewall/macro.Teredo
+#
+#	This macro handles Teredo IPv6 over UDP tunneling traffic
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S)	PORT(S)	LIMIT	GROUP
+PARAM	-	-	udp	3544

Shorewall/Macros/macro.mDNS

@@ -1,9 +1,11 @@
 #
-# Shorewall version 4 - Multicast DNS Macro
+# Shorewall version 4 - Multicast DNS Macro -- this macro assumes that only
+#                       the DEST zone sends mDNS queries. If both zones send
+#                       queries, use the mDNSbi macro.
 #
 # /usr/share/shorewall/macro.mDNS
 #
-#	This macro handles multicast DNS traffic.
+#	This macro handles multicast DNS traffic
 #
 ###############################################################################
 #ACTION	SOURCE	DEST			PROTO	DEST	SOURCE	RATE	USER/

Shorewall/Macros/macro.mDNSbi

@@ -0,0 +1,16 @@
+#
+# Shorewall version 4 - Bi-directional Multicast DNS Macro.
+#
+# /usr/share/shorewall/macro.mDNSbi
+#
+#	This macro handles multicast DNS traffic
+#
+###############################################################################
+#ACTION	SOURCE	DEST			PROTO	DEST	SOURCE	RATE	USER/
+#						PORT(S)	PORT(S)	LIMIT	GROUP
+PARAM	-	224.0.0.251		udp	5353
+PARAM	-	-			udp	32768:	5353
+PARAM	-	224.0.0.251		2
+PARAM	DEST	SOURCE:224.0.0.251	udp	5353
+PARAM	DEST	SOURCE			udp	32768:	5353
+PARAM	DEST	SOURCE:224.0.0.251	2

Shorewall/Macros/macro.template

@@ -71,9 +71,17 @@
 #	Remaining		Any value in the rules file REPLACES the value
 #	columns			given in the macro file.
 #
+# Multiple parameters may be passed to a macro. Within this file, $1 refers to the first parameter,
+# $2 to the second an so on. $1 is a synonym for PARAM but may be used anywhere in the file whereas
+# PARAM may only be used in the ACTION column.
+#
+# You can specify default values for parameters by using DEFAULT or DEFAULTS entry:
+#
+#      DEFAULTS  <default for $1>,<default for $2>,...
+#
 #######################################################################################################
 #                                         DO NOT REMOVE THE FOLLOWING LINE
 FORMAT 2
-####################################################################################################################################################################
+#################################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH        HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP

Shorewall/Perl/.includepath

@@ -1,3 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<includepath />
-

Shorewall/Perl/Shorewall/Accounting.pm

@@ -46,6 +46,7 @@ my $jumpchainref;
 my %accountingjumps;
 my $asection;
 my $defaultchain;
+my $ipsecdir;
 my $defaultrestriction;
 my $restriction;
 my $accounting_commands = { COMMENT => 0, SECTION => 2 };
@@ -85,13 +86,14 @@ sub initialize() {
     # The section number is initialized to a value less thatn LEGACY. It will be set to LEGACY if a
     # the first non-commentary line in the accounting file isn't a section header
     #
-    # This allows the section header processor to quickly check for correct order 
+    # This allows the section header processor to quickly check for correct order
     #
     $asection           = -1;
     #
     # These are the legacy values
     #
     $defaultchain       = 'accounting';
+    $ipsecdir           = '';
     $defaultrestriction = NO_RESTRICT;
     $sectionname        = '';
 }
@@ -111,20 +113,25 @@ sub process_section ($) {
 
     if ( $sectionname eq 'INPUT' ) {
 	$defaultchain = 'accountin';
+	$ipsecdir     = 'in';
 	$defaultrestriction = INPUT_RESTRICT;
     } elsif ( $sectionname eq 'OUTPUT' ) {
 	$defaultchain = 'accountout';
+	$ipsecdir     = 'out';
 	$defaultrestriction = OUTPUT_RESTRICT;
     } elsif ( $sectionname eq 'FORWARD' ) {
 	$defaultchain = 'accountfwd';
+	$ipsecdir     = '';
 	$defaultrestriction = NO_RESTRICT;
      } else {
 	 fatal_error "The $sectionname SECTION is not allowed when ACCOUNTING_TABLE=filter" unless $acctable eq 'mangle';
 	 if ( $sectionname eq 'PREROUTING' ) {
 	     $defaultchain = 'accountpre';
+	     $ipsecdir     = 'in';
 	     $defaultrestriction = PREROUTE_RESTRICT;
 	 } else {
 	     $defaultchain = 'accountpost';
+	     $ipsecdir     = 'out';
 	     $defaultrestriction = POSTROUTE_RESTRICT;
 	 }
      }
@@ -194,7 +201,7 @@ sub process_accounting_rule( ) {
     $ports  = ''    if $ports  eq 'any' || $ports  eq 'all';
     $sports = ''    if $sports eq 'any' || $sports eq 'all';
 
-    fatal_error "USER/GROUP may only be specified in the OUTPUT section" unless $user eq '-' || $asection == OUTPUT; 
+    fatal_error "USER/GROUP may only be specified in the OUTPUT section" unless $user eq '-' || $asection == OUTPUT;
 
     my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, $globals{TC_MASK} ) . do_headers( $headers );
     my $rule2 = 0;
@@ -229,6 +236,11 @@ sub process_accounting_rule( ) {
 	    }
 	} elsif ( $action =~ /^NFLOG/ ) {
 	    $target = validate_level $action;
+	} elsif ( $action =~ /^NFACCT\((\w+)\)$/ ) {
+	    require_capability 'NFACCT_MATCH', 'The NFACCT action', 's';
+	    $nfobjects{$1} = 1;
+	    $target = '';
+	    $rule .= "-m nfacct --nfacct-name $1 ";
 	} else {
 	    ( $action, my $cmd ) = split /:/, $action;
 
@@ -250,7 +262,7 @@ sub process_accounting_rule( ) {
 
     if ( $source eq 'any' || $source eq 'all' ) {
         $source = ALLIP;
-    } else { 
+    } else {
 	fatal_error "MAC addresses only allowed in the INPUT and FORWARD sections" if $source =~ /~/ && ( $asection == OUTPUT || ! $asection );
     }
 
@@ -285,11 +297,25 @@ sub process_accounting_rule( ) {
     }
 
     my $chainref = $chain_table{$config{ACCOUNTING_TABLE}}{$chain};
-    my $dir;
+    my $dir = $ipsecdir;
+
+    if ( $asection && $ipsec ne '-' ) {
+	if ( $ipsecdir ) {
+	    fatal_error "Invalid IPSEC ($ipsec)" if $ipsec =~ /^(?:in|out)\b/;
+	} else {
+	    if ( $ipsec =~ s/^(?:(in|out)\b)// ) {
+		$dir = $1;
+	    } else {
+		fatal_error q(IPSEC rules in the $asection section require that the value begin with 'in' or 'out');
+	    }
+	}
+
+	$rule .= do_ipsec( $dir, $ipsec );
+    }
 
     if ( ! $chainref ) {
 	if ( reserved_chain_name( $chain ) ) {
-	    fatal_error "May not use chain $chain in the $sectionname section" if $asection && $chain ne $defaultchain; 
+	    fatal_error "May not use chain $chain in the $sectionname section" if $asection && $chain ne $defaultchain;
 	    $chainref = ensure_accounting_chain $chain, 0 , $restriction;
 	} elsif ( $asection ) {
 	    fatal_error "Unknown accounting chain ($chain)";
@@ -297,28 +323,32 @@ sub process_accounting_rule( ) {
 	    $chainref = ensure_accounting_chain $chain, 0 , $restriction;
 	}
 
-	$dir      = ipsec_chain_name( $chain );
+	unless ( $asection ) {
+	    $dir = ipsec_chain_name( $chain );
 
-	if ( $ipsec ne '-' ) {
+	    if ( $ipsec ne '-' ) {
-	    if ( $dir ) {
+		if ( $dir ) {
-		$rule .= do_ipsec( $dir, $ipsec );
+		    $rule .= do_ipsec( $dir, $ipsec );
-		$chainref->{ipsec} = $dir;
+		    $chainref->{ipsec} = $dir;
+		} else {
+		    fatal_error "Adding an IPSEC rule to an unreferenced accounting chain is not allowed";
+		}
 	    } else {
-		fatal_error "Adding an IPSEC rule to an unreferenced accounting chain is not allowed";
+		warning_message "Adding rule to unreferenced accounting chain $chain" unless reserved_chain_name( $chain );
+		$chainref->{ipsec} = $dir;
 	    }
-	} else {
-	    warning_message "Adding rule to unreferenced accounting chain $chain" unless reserved_chain_name( $chain );
-	    $chainref->{ipsec} = $dir;
 	}
     } else {
 	fatal_error "$chain is not an accounting chain" unless $chainref->{accounting};
-    
+
-	if ( $ipsec ne '-' ) {
+	unless ( $asection ) {
-	    $dir = $chainref->{ipsec};
+	    if ( $ipsec ne '-' ) {
-	    fatal_error "Adding an IPSEC rule into a non-IPSEC chain is not allowed" unless $dir;
+		$dir = $chainref->{ipsec};
-	    $rule .= do_ipsec( $dir , $ipsec );
+		fatal_error "Adding an IPSEC rule into a non-IPSEC chain is not allowed" unless $dir;
-	} elsif ( $asection ) {
+		$rule .= do_ipsec( $dir , $ipsec );
-	    $restriction |= $chainref->{restriction};
+	    } elsif ( $asection ) {
+		$restriction |= $chainref->{restriction};
+	    }
 	}
     }
 
@@ -338,7 +368,7 @@ sub process_accounting_rule( ) {
     }
 
     fatal_error "$chain is not an accounting chain" unless $chainref->{accounting};
-    
+
     $restriction = $dir eq 'in' ? INPUT_RESTRICT : OUTPUT_RESTRICT if $dir;
 
     expand_rule
@@ -366,7 +396,6 @@ sub process_accounting_rule( ) {
 	} else {
 	    $jumpchainref->{ipsec} = $chainref->{ipsec};
 	}
-
     }
 
     if ( $rule2 ) {
@@ -394,7 +423,7 @@ sub setup_accounting() {
 
 	my $nonEmpty = 0;
 
-	$nonEmpty |= process_accounting_rule while read_a_line;
+	$nonEmpty |= process_accounting_rule while read_a_line( NORMAL_READ );
 
 	clear_comment;
 

Shorewall/Perl/Shorewall/Compiler.pm

@@ -34,7 +34,6 @@ use Shorewall::Accounting;
 use Shorewall::Rules;
 use Shorewall::Proc;
 use Shorewall::Proxyarp;
-use Shorewall::IPAddrs;
 use Shorewall::Raw;
 use Shorewall::Misc;
 
@@ -54,8 +53,8 @@ my $family;
 #
 # Initilize the package-globals in the other modules
 #
-sub initialize_package_globals( $$ ) {
+sub initialize_package_globals( $$$ ) {
-    Shorewall::Config::initialize($family, $_[1]);
+    Shorewall::Config::initialize($family, $_[1], $_[2]);
     Shorewall::Chains::initialize ($family, 1, $export );
     Shorewall::Zones::initialize ($family, $_[0]);
     Shorewall::Nat::initialize;
@@ -158,7 +157,7 @@ sub generate_script_2() {
 
     push_indent;
 
-    if ( $shorewallrc{TEMPDIR} ) {
+    if ( $shorewallrc1{TEMPDIR} ) {
 	emit( '',
 	      qq(TMPDIR="$shorewallrc{TEMPDIR}") ,
 	      q(export TMPDIR) );
@@ -168,14 +167,14 @@ sub generate_script_2() {
 	emit( 'g_family=4' );
 
 	if ( $export ) {
-	    emit ( qq(g_confdir=$shorewallrc{CONFDIR}/shorewall-lite),
+	    emit ( qq(g_confdir=$shorewallrc1{CONFDIR}/shorewall-lite),
 		   'g_product="Shorewall Lite"',
 		   'g_program=shorewall-lite',
 		   'g_basedir=/usr/share/shorewall-lite',
-		   qq(CONFIG_PATH="$shorewallrc{CONFDIR}/shorewall-lite:$shorewallrc{SHAREDIR}/shorewall-lite") ,
+		   qq(CONFIG_PATH="$shorewallrc1{CONFDIR}/shorewall-lite:$shorewallrc1{SHAREDIR}/shorewall-lite") ,
 		 );
 	} else {
-	    emit ( qq(g_confdir=$shorewallrc{CONFDIR}/shorewall),
+	    emit ( qq(g_confdir=$shorewallrc1{CONFDIR}/shorewall),
 		   'g_product=Shorewall',
 		   'g_program=shorewall',
 		   'g_basedir=/usr/share/shorewall',
@@ -186,14 +185,14 @@ sub generate_script_2() {
 	emit( 'g_family=6' );
 
 	if ( $export ) {
-	    emit ( qq(g_confdir=$shorewallrc{CONFDIR}/shorewall6-lite),
+	    emit ( qq(g_confdir=$shorewallrc1{CONFDIR}/shorewall6-lite),
 		   'g_product="Shorewall6 Lite"',
 		   'g_program=shorewall6-lite',
 		   'g_basedir=/usr/share/shorewall6',
-		   qq(CONFIG_PATH="$shorewallrc{CONFDIR}/shorewall6-lite:$shorewallrc{SHAREDIR}/shorewall6-lite") ,
+		   qq(CONFIG_PATH="$shorewallrc1{CONFDIR}/shorewall6-lite:$shorewallrc{SHAREDIR}/shorewall6-lite") ,
 		 );
 	} else {
-	    emit ( qq(g_confdir=$shorewallrc{CONFDIR}/shorewall6),
+	    emit ( qq(g_confdir=$shorewallrc1{CONFDIR}/shorewall6),
 		   'g_product=Shorewall6',
 		   'g_program=shorewall6',
 		   'g_basedir=/usr/share/shorewall',
@@ -202,21 +201,9 @@ sub generate_script_2() {
 	}
     }
 
-    emit( '[ -f ${g_confdir}/vardir ] && . ${g_confdir}/vardir' );
+    emit (   '[ -f ${g_confdir}/vardir ] && . ${g_confdir}/vardir' );
-
+    emit ( qq([ -n "\${VARDIR:=$shorewallrc1{VARDIR}}" ]) );
-    if ( $family == F_IPV4 ) {
+    emit ( qq([ -n "\${VARLIB:=$shorewallrc1{VARLIB}}" ]) );
-	if ( $export ) {
-	    emit ( '[ -n "${VARDIR:=' . $shorewallrc{VARDIR} . '/shorewall-lite}" ]' );
-	} else {
-	    emit ( '[ -n "${VARDIR:=' . $shorewallrc{VARDIR} . '/shorewall}" ]' );
-	}
-    } else {
-	if ( $export ) {
-	    emit ( '[ -n "${VARDIR:=' . $shorewallrc{VARDIR} . '/shorewall6-lite}" ]' );
-	} else {
-	    emit ( '[ -n "${VARDIR:=' . $shorewallrc{VARDIR} . '/shorewall6}" ]' );
-	}
-    }
 
     emit 'TEMPFILE=';
 
@@ -354,7 +341,7 @@ sub generate_script_3($) {
 	    emit 'cat > ${VARDIR}/.modules << EOF';
 	    open_file $fn;
 
-	    emit_unindented $currentline while read_a_line;
+	    emit_unindented $currentline while read_a_line( NORMAL_READ );
 
 	    emit_unindented 'EOF';
 	    emit '', 'reload_kernel_modules < ${VARDIR}/.modules';
@@ -368,6 +355,7 @@ sub generate_script_3($) {
     emit '';
 
     load_ipsets;
+    create_nfobjects;
 
     if ( $family == F_IPV4 ) {
 	emit ( 'if [ "$COMMAND" = refresh ]; then' ,
@@ -425,7 +413,7 @@ sub generate_script_3($) {
 	emit 'cat > ${VARDIR}/proxyarp << __EOF__';
     } else {
 	emit 'cat > ${VARDIR}/proxyndp << __EOF__';
-    } 
+    }
 
     dump_proxy_arp;
     emit_unindented '__EOF__';
@@ -471,49 +459,56 @@ sub generate_script_3($) {
         fatal_error "$iptables_save_file does not exist"
     fi
 EOF
-    pop_indent;
+    push_indent;
     setup_load_distribution;
     setup_forwarding( $family , 1 );
-    push_indent;
+    pop_indent;
 
     my $config_dir = $globals{CONFIGDIR};
 
     emit<<"EOF";
     set_state Started $config_dir
     run_restored_exit
-else
+elif [ \$COMMAND = refresh ]; then
-    if [ \$COMMAND = refresh ]; then
+    chainlist_reload
-        chainlist_reload
 EOF
+    push_indent;
     setup_load_distribution;
     setup_forwarding( $family , 0 );
-
+    pop_indent;
-    emit( '        run_refreshed_exit' ,
+    #
-	  '        do_iptables -N shorewall' ,
+    # Use a parameter list rather than 'here documents' to avoid an extra blank line
-	  "        set_state Started $config_dir" ,
+    #
-	  '    else' ,
+    emit(
-	  '        setup_netfilter' );
+'    run_refreshed_exit',
-    
+'    do_iptables -N shorewall',
+"    set_state Started $config_dir",
+'    [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall',
+'else',
+'    setup_netfilter'
+	);
+    push_indent;
     setup_load_distribution;
+    pop_indent;
 
-    emit<<"EOF";
+    emit<<'EOF';
-        conditionally_flush_conntrack
+    conditionally_flush_conntrack
 EOF
+    push_indent;
+    initialize_switches;
     setup_forwarding( $family , 0 );
+    pop_indent;
 
     emit<<"EOF";
-        run_start_exit
+    run_start_exit
-        do_iptables -N shorewall
+    do_iptables -N shorewall
-        set_state Started $config_dir
+    set_state Started $config_dir
-        run_started_exit
+    [ \$0 = \${VARDIR}/firewall ] || cp -f \$(my_pathname) \${VARDIR}/firewall
-    fi
+    run_started_exit
-
+fi
 EOF
 
     emit<<'EOF';
-    [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall
-fi
-
 date > ${VARDIR}/restarted
 
 case $COMMAND in
@@ -545,8 +540,8 @@ EOF
 #
 sub compiler {
 
-    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $convert, $config_path, $shorewallrc ) =
+    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $convert, $config_path, $shorewallrc                      , $shorewallrc1 ) =
-       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0,        0,         0,        0,        , 0       , ''          , '');
+       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0,        0,         0,        0,        , 0       , ''          , '/usr/share/shorewall/shorewallrc', '' );
 
     $export = 0;
     $test   = 0;
@@ -578,13 +573,14 @@ sub compiler {
 		  log           => { store => \$log },
 		  log_verbosity => { store => \$log_verbosity, validate => \&validate_verbosity } ,
 		  test          => { store => \$test },
-		  preview       => { store => \$preview,       validate=> \&validate_boolean    } ,    
+		  preview       => { store => \$preview,       validate=> \&validate_boolean    } ,
 		  confess       => { store => \$confess,       validate=> \&validate_boolean    } ,
 		  update        => { store => \$update,        validate=> \&validate_boolean    } ,
 		  convert       => { store => \$convert,       validate=> \&validate_boolean    } ,
 		  annotate      => { store => \$annotate,      validate=> \&validate_boolean    } ,
 		  config_path   => { store => \$config_path } ,
 		  shorewallrc   => { store => \$shorewallrc } ,
+		  shorewallrc1  => { store => \$shorewallrc1 } ,
 		);
     #
     #                               P A R A M E T E R    P R O C E S S I N G
@@ -602,7 +598,7 @@ sub compiler {
     #
     # Now that we know the address family (IPv4/IPv6), we can initialize the other modules' globals
     #
-    initialize_package_globals( $update, $shorewallrc );
+    initialize_package_globals( $update, $shorewallrc, $shorewallrc1 );
 
     set_config_path( $config_path ) if $config_path;
 
@@ -665,11 +661,6 @@ sub compiler {
     #                           (Produces no output to the compiled script)
     #
     process_policies;
-    #
-    #                                       N O T R A C K
-    #                           (Produces no output to the compiled script)
-    #
-    setup_notrack;
 
     enable_script;
 
@@ -709,6 +700,14 @@ sub compiler {
     #
     setup_proxy_arp;
 
+    emit( "#\n# Disable automatic helper association on kernel 3.5.0 and later\n#" ,
+	  'if [ -f /proc/sys/net/netfilter/nf_conntrack_helper ]; then' ,
+	  '    progress_message "Disabling Kernel Automatic Helper Association"',
+	  "    echo 0 > /proc/sys/net/netfilter/nf_conntrack_helper",
+	  'fi',
+	  ''
+	);
+
     if ( $scriptfilename || $debug ) {
 	emit 'return 0';
 	pop_indent;
@@ -788,6 +787,10 @@ sub compiler {
     #
     process_rules( $convert );
     #
+    # Process the conntrack file
+    #
+    setup_conntrack;
+    #
     # Add Tunnel rules.
     #
     setup_tunnels;
@@ -812,16 +815,16 @@ sub compiler {
 
 	optimize_level0;
 
-	if ( $config{OPTIMIZE} & 0x1E ) {
+	if ( ( my $optimize = $config{OPTIMIZE} ) & 0x1E ) {
 	    progress_message2 'Optimizing Ruleset...';
 	    #
 	    # Optimize Policy Chains
 	    #
-	    optimize_policy_chains if $config{OPTIMIZE} & 2;
+	    optimize_policy_chains if ( $optimize & OPTIMIZE_POLICY_MASK2n4 ) == OPTIMIZE_POLICY_MASK; # Level 2 but not 4
 	    #
 	    # More Optimization
 	    #
-	    optimize_ruleset if $config{OPTIMIZE} & 0x1C;
+	    optimize_ruleset if $config{OPTIMIZE} & OPTIMIZE_RULESET_MASK;
 	}
 
 	enable_script;
@@ -877,16 +880,16 @@ sub compiler {
 
 	    optimize_level0;
 
-	    if ( $config{OPTIMIZE} & OPTIMIZE_MASK ) {
+	    if ( ( my $optimize = $config{OPTIMIZE} & OPTIMIZE_MASK ) ) {
 		progress_message2 'Optimizing Ruleset...';
 		#
 		# Optimize Policy Chains
 		#
-		optimize_policy_chains if $config{OPTIMIZE} & OPTIMIZE_POLICY_MASK;
+		optimize_policy_chains if ( $optimize & OPTIMIZE_POLICY_MASK2n4 ) == OPTIMIZE_POLICY_MASK; # Level 2 but not 4
 		#
 		# Ruleset Optimization
 		#
-		optimize_ruleset if $config{OPTIMIZE} & OPTIMIZE_RULESET_MASK;
+		optimize_ruleset if $optimize & OPTIMIZE_RULESET_MASK;
 	    }
 
 	    enable_script if $debug;
@@ -911,6 +914,7 @@ sub compiler {
 	    # call that function during normal 'check', we must validate routestopped here.
 	    #
 	    process_routestopped;
+	    process_stoppedrules;
 	}
 
 	if ( $family == F_IPV4 ) {

Shorewall/Perl/Shorewall/IPAddrs.pm

@@ -26,13 +26,13 @@
 #
 package Shorewall::IPAddrs;
 require Exporter;
-use Shorewall::Config qw( :DEFAULT split_list require_capability in_hex8 numeric_value F_IPV4 F_IPV6 );
+use Shorewall::Config qw( :DEFAULT split_list require_capability in_hex8 numeric_value F_IPV4 F_IPV6 :protocols );
 use Socket;
 
 use strict;
 
 our @ISA = qw(Exporter);
-our @EXPORT = qw( ALLIPv4
+our @EXPORT = ( qw( ALLIPv4
                   ALLIPv6
 		  NILIPv4
 		  NILIPv6
@@ -48,14 +48,6 @@ our @EXPORT = qw( ALLIPv4
 		  ALLIP
 		  NILIP
 		  ALL
-		  TCP
-		  UDP
-		  UDPLITE
-		  ICMP
-		  DCCP
-		  IPv6_ICMP
-		  SCTP
-		  GRE
 
 		  validate_address
 		  validate_net
@@ -80,7 +72,7 @@ our @EXPORT = qw( ALLIPv4
 		  validate_port_list
 		  validate_icmp
 		  validate_icmp6
-		 );
+		 ) );
 our @EXPORT_OK = qw( );
 our $VERSION = 'MODULEVERSION';
 
@@ -115,14 +107,7 @@ use constant { ALLIPv4             => '0.0.0.0/0' ,
 	       IPv6_LINK_ALLRTRS   => 'ff01::2' ,
 	       IPv6_SITE_ALLNODES  => 'ff02::1' ,
 	       IPv6_SITE_ALLRTRS   => 'ff02::2' ,
-	       ICMP                => 1,
+	   };
-	       TCP                 => 6,
-	       UDP                 => 17,
-	       DCCP                => 33,
-	       GRE                 => 47,
-	       IPv6_ICMP           => 58,
-	       SCTP                => 132,
-	       UDPLITE             => 136 };
 
 my @rfc1918_networks = ( "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" );
 
@@ -222,11 +207,13 @@ sub validate_4net( $$ ) {
     }
 
     if ( defined wantarray ) {
-	assert ( ! $allow_name );
 	if ( wantarray ) {
+	    assert( ! $allow_name );
 	    ( decodeaddr( $net ) , $vlsm );
+	} elsif ( valid_4address $net ) {
+	    $vlsm == 32 ? $net : "$net/$vlsm";
 	} else {
-	    "$net/$vlsm";
+	    $net;
 	}
     }
 }
@@ -241,6 +228,8 @@ sub validate_4range( $$ ) {
     my $last  = decodeaddr $high;
 
     fatal_error "Invalid IP Range ($low-$high)" unless $first <= $last;
+
+    "$low-$high";
 }
 
 sub validate_4host( $$ ) {
@@ -293,9 +282,9 @@ sub compare_nets( $$ ) {
 
     @net1 = decompose_net( $_[0] );
     @net2 = decompose_net( $_[1] );
-    
+
     $net1[0] eq $net2[0] && $net1[1] == $net2[1];
-}			    
+}
 
 sub allipv4() {
     @allipv4;
@@ -392,7 +381,7 @@ sub validate_portpair( $$ ) {
 	$what = 'port';
     }
 
-    fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, SCTP or DCCP" unless 
+    fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, SCTP or DCCP" unless
 	defined $protonum && ( $protonum == TCP  ||
 			       $protonum == UDP  ||
 			       $protonum == SCTP ||
@@ -423,7 +412,7 @@ sub validate_portpair1( $$ ) {
 	$what = 'port';
     }
 
-    fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, SCTP or DCCP" unless 
+    fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, SCTP or DCCP" unless
 	defined $protonum && ( $protonum == TCP  ||
 			       $protonum == UDP  ||
 			       $protonum == SCTP ||
@@ -623,7 +612,7 @@ sub validate_6address( $$ ) {
 
 sub validate_6net( $$ ) {
     my ($net, $vlsm, $rest) = split( '/', $_[0], 3 );
-    my $allow_name = $_[1];
+    my $allow_name = $_[0];
 
     if ( $net =~ /\+(\[?)/ ) {
 	if ( $1 ) {
@@ -635,22 +624,28 @@ sub validate_6net( $$ ) {
 	}
     }
 
+    fatal_error "Invalid Network address ($_[0])" unless supplied $net;
+
+    $net = $1 if $net =~ /^\[(.*)\]$/;
+
     if ( defined $vlsm ) {
         fatal_error "Invalid VLSM ($vlsm)"              unless $vlsm =~ /^\d+$/ && $vlsm <= 128;
 	fatal_error "Invalid Network address ($_[0])"   if defined $rest;
 	fatal_error "Invalid IPv6 address ($net)"       unless valid_6address $net;
     } else {
-	fatal_error "Invalid Network address ($_[0])" if $_[0] =~ '/' || ! defined $net;
+	fatal_error "Invalid Network address ($_[0])" if $_[0] =~ '/';
 	validate_6address $net, $allow_name;
 	$vlsm = 128;
     }
 
     if ( defined wantarray ) {
-	assert ( ! $allow_name );
 	if ( wantarray ) {
+	    assert( ! $allow_name );
 	    ( $net , $vlsm );
+	} elsif ( valid_6address ( $net ) ) {
+	    $vlsm == 32 ? $net : "$net/$vlsm";
 	} else {
-	    "$net/$vlsm";
+	    $net;
 	}
     }
 }
@@ -697,11 +692,13 @@ sub validate_6range( $$ ) {
     while ( @low ) {
 	my ( $l, $h) = ( shift @low, shift @high );
 	next     if hex "0x$l" == hex "0x$h";
-	return 1 if hex "0x$l"  < hex "0x$h";
+	return "$low-$high" if hex "0x$l"  < hex "0x$h";
 	last;
     }
 
     fatal_error "Invalid IPv6 Range ($low-$high)";
+
+    
 }
 
 sub validate_6host( $$ ) {

Shorewall/Perl/Shorewall/Nat.pm

@@ -35,7 +35,11 @@ use strict;
 
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses );
+our %EXPORT_TAGS = ( rules => [ qw ( handle_nat_rule handle_nonat_rule ) ] );
 our @EXPORT_OK = ();
+
+Exporter::export_ok_tags('rules');
+
 our $VERSION = 'MODULEVERSION';
 
 my @addresses_to_add;
@@ -54,8 +58,8 @@ sub initialize() {
 #
 sub process_one_masq( )
 {
-    my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition ) = 
+    my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest ) =
-	split_line1 'masq file', { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8 };
+	split_line1 'masq file', { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9 };
 
     if ( $interfacelist eq 'COMMENT' ) {
 	process_comment;
@@ -119,7 +123,7 @@ sub process_one_masq( )
     #
     # Handle Protocol, Ports and Condition
     #
-    $baserule .= do_proto( $proto, $ports, '' ) . do_condition( $condition );
+    $baserule .= do_proto( $proto, $ports, '' );
     #
     # Handle Mark
     #
@@ -154,6 +158,8 @@ sub process_one_masq( )
 
 	my $chainref = ensure_chain('nat', $pre_nat ? snat_chain $interface : masq_chain $interface);
 
+	$baserule .= do_condition( $condition , $chainref->{name} );
+
 	my $detectaddress = 0;
 	my $exceptionrule = '';
 	my $randomize     = '';
@@ -208,7 +214,7 @@ sub process_one_masq( )
 			    $addrlist .= "--to-source $addr ";
 			    $exceptionrule = do_proto( $proto, '', '' ) if $addr =~ /:/;
 			} else {
-			    my $ports = $addr; 
+			    my $ports = $addr;
 			    $ports =~ s/^://;
 			    validate_portpair1( $proto, $ports );
 			    $addrlist .= "--to-ports $ports ";
@@ -233,7 +239,7 @@ sub process_one_masq( )
 		     $baserule . $rule ,
 		     $networks ,
 		     $destnets ,
-		     '' ,
+		     $origdest ,
 		     $target ,
 		     '' ,
 		     '' ,
@@ -276,7 +282,7 @@ sub setup_masq()
 
 	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty masq file' , 's'; } );
 
-	process_one_masq while read_a_line;
+	process_one_masq while read_a_line( NORMAL_READ );
 
 	clear_comment;
     }
@@ -373,7 +379,7 @@ sub setup_nat() {
 
 	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty nat file' , 's'; } );
 
-	while ( read_a_line ) {
+	while ( read_a_line( NORMAL_READ ) ) {
 
 	    my ( $external, $interfacelist, $internal, $allints, $localnat ) = split_line1 'nat file', { external => 0, interface => 1, internal => 2, allints => 3, local => 4 };
 
@@ -409,7 +415,7 @@ sub setup_netmap() {
 
 	first_entry "$doing $fn...";
 
-	while ( read_a_line ) {
+	while ( read_a_line( NORMAL_READ ) ) {
 
 	    my ( $type, $net1, $interfacelist, $net2, $net3, $proto, $dport, $sport ) = split_line 'netmap file', { type => 0, net1 => 1, interface => 2, net2 => 3, net3 => 4, proto => 5, dport => 6, sport => 7 };
 
@@ -426,9 +432,9 @@ sub setup_netmap() {
 		unless ( $type =~ /:/ ) {
 		    my @rulein;
 		    my @ruleout;
-		    
+
-		    validate_net $net1, 0;
+		    $net1 = validate_net $net1, 0;
-		    validate_net $net2, 0;
+		    $net2 = validate_net $net2, 0;
 
 		    unless ( $interfaceref->{root} ) {
 			@rulein  = imatch_source_dev( $interface );
@@ -439,7 +445,7 @@ sub setup_netmap() {
 		    require_capability 'NAT_ENABLED', 'Stateful NAT Entries', '';
 
 		    if ( $type eq 'DNAT' ) {
-			dest_iexclusion(  ensure_chain( 'nat' , input_chain $interface ) , 
+			dest_iexclusion(  ensure_chain( 'nat' , input_chain $interface ) ,
 					  j => 'NETMAP' ,
 					  "--to $net2",
 					  $net1 ,
@@ -462,13 +468,13 @@ sub setup_netmap() {
 
 		    require_capability 'RAWPOST_TABLE', 'Stateless NAT Entries', '';
 
-		    validate_net $net2, 0;
+		    $net2 = validate_net $net2, 0;
 
 		    unless ( $interfaceref->{root} ) {
-			@match = imatch_dest_dev(  $interface ); 
+			@match = imatch_dest_dev(  $interface );
 			$interface = $interfaceref->{name};
 		    }
-			
+
 		    if ( $chain eq 'P' ) {
 			$chain = prerouting_chain $interface;
 			@match = imatch_source_dev( $iface ) unless $iface eq $interface;
@@ -481,7 +487,7 @@ sub setup_netmap() {
 
 		    my $chainref = ensure_chain( $table, $chain );
 
-		    
+
 		    if ( $target eq 'DNAT' ) {
 			dest_iexclusion( $chainref ,
 					 j => 'RAWDNAT' ,
@@ -504,7 +510,7 @@ sub setup_netmap() {
 		    fatal_error 'TYPE must be specified' if $type eq '-';
 		    fatal_error "Invalid TYPE ($type)";
 		}
-		
+
 		progress_message "   Network $net1 on $iface mapped to $net2 ($type)";
 	    }
 	}
@@ -514,6 +520,227 @@ sub setup_netmap() {
 
 }
 
+#
+# Called from process_rule1 to add a rule to the NAT table
+#
+sub handle_nat_rule( $$$$$$$$$$$$ ) {
+    my ( $dest,           # <server>[:port]
+	 $proto,          # Protocol
+	 $ports,          # Destination port list
+	 $origdest,       # Original Destination
+	 $action_target,  # If the target is an action, the name of the log action chain to jump to
+	 $action,         # The Action
+	 $sourceref,      # Reference to the Source Zone's table entry in the Zones module
+	 $action_chain,   # Name of the action chain if the rule is in an action
+	 $rule,           # Matches 
+	 $source,         # Source Address
+	 $loglevel,       # [<level>[:<tag>]]
+	 $log_action,     # Action name to include in the log message
+       ) = @_;
+
+    my ( $server, $serverport , $origdstports ) = ( '', '', '' );
+    my $randomize = $dest =~ s/:random$// ? ' --random' : '';
+
+    #
+    # Isolate server port
+    #
+    if ( $dest =~ /^(.*)(?::(.+))$/ ) {
+	#
+	# Server IP and Port
+	#
+	$server = $1;      # May be empty
+	$serverport = $2;  # Not Empty due to RE
+
+	$origdstports = validate_port( $proto, $ports )	if $ports && $ports ne '-' && port_count( $ports ) == 1;
+
+	if ( $serverport =~ /^(\d+)-(\d+)$/ ) {
+	    #
+	    # Server Port Range
+	    #
+	    fatal_error "Invalid port range ($serverport)" unless $1 < $2;
+	    my @ports = ( $1, $2 );
+	    $_ = validate_port( proto_name( $proto ), $_) for ( @ports );
+	    ( $ports = $serverport ) =~ tr/-/:/;
+	} else {
+	    $serverport = $ports = validate_port( proto_name( $proto ), $serverport );
+	}
+    } elsif ( $dest ne ':' ) {
+	#
+	# Simple server IP address (may be empty or "-")
+	#
+	$server = $dest;
+    }
+    #
+    # Generate the target
+    #
+    my $target = '';
+
+    if ( $action eq 'REDIRECT' ) {
+	fatal_error "A server IP address ($server) may not be specified in a REDIRECT rule" if $server;
+	$target  = 'REDIRECT';
+	$target .= " --to-port $serverport" if $serverport;
+	if ( $origdest eq '' || $origdest eq '-' ) {
+	    $origdest = ALLIP;
+	} elsif ( $origdest eq 'detect' ) {
+	    fatal_error 'ORIGINAL DEST "detect" is invalid in an action' if $action_chain;
+
+	    if ( $config{DETECT_DNAT_IPADDRS} ) {
+		my $interfacesref = $sourceref->{interfaces};
+		my @interfaces = keys %$interfacesref;
+		$origdest = @interfaces ? "detect:@interfaces" : ALLIP;
+	    } else {
+		$origdest = ALLIP;
+	    }
+	}
+    } elsif ( $action_target ) {
+	fatal_error "A server port ($serverport) is not allowed in $action rule" if $serverport;
+	$target = $action_target;
+    } else {
+	if ( $server eq '' ) {
+	    fatal_error "A server and/or port must be specified in the DEST column in $action rules" unless $serverport;
+	} elsif ( $server =~ /^(.+)-(.+)$/ ) {
+	    validate_range( $1, $2 );
+	} else {
+	    unless ( $server eq ALLIP ) {
+		my @servers = validate_address $server, 1;
+		$server = join ',', @servers;
+	    }
+	}
+
+	if ( $action eq 'DNAT' ) {
+	    $target = $action;
+	    if ( $server ) {
+		$serverport = ":$serverport" if $serverport;
+		for my $serv ( split /,/, $server ) {
+		    $target .= " --to-destination ${serv}${serverport}";
+		}
+	    } else {
+		$target .= " --to-destination :$serverport";
+	    }
+	}
+
+	unless ( $origdest && $origdest ne '-' && $origdest ne 'detect' ) {
+	    if ( ! $action_chain && $config{DETECT_DNAT_IPADDRS} ) {
+		my $interfacesref = $sourceref->{interfaces};
+		my @interfaces = keys %$interfacesref;
+		$origdest = @interfaces ? "detect:@interfaces" : ALLIP;
+	    } else {
+		$origdest = ALLIP;
+	    }
+	}
+    }
+
+    $target .= $randomize;
+    #
+    # And generate the nat table rule(s)
+    #
+    my $firewallsource = $sourceref && ( $sourceref->{type} & ( FIREWALL | VSERVER ) );
+
+    expand_rule ( ensure_chain ('nat' ,
+				( $action_chain   ? $action_chain :
+				  $firewallsource ? 'OUTPUT' :
+				  dnat_chain $sourceref->{name} ) ) ,
+		  $firewallsource ? OUTPUT_RESTRICT : PREROUTE_RESTRICT ,
+		  $rule ,
+		  $source ,
+		  $origdest ,
+		  '' ,
+		  $target ,
+		  $loglevel ,
+		  $log_action ,
+		  $serverport ? do_proto( $proto, '', '' ) : '',
+		);
+
+    ( $ports, $origdstports, $server );
+}
+
+#
+# Called from process_rule1() to handle the nat table part of the NONAT and ACCEPT+ actions
+#
+sub handle_nonat_rule( $$$$$$$$$$ ) {
+    my ( $action, $source, $dest, $origdest, $sourceref, $inaction, $chain, $loglevel, $log_action, $rule ) = @_;
+
+    my $sourcezone = $sourceref->{name};
+    #
+    # NONAT or ACCEPT+ may not specify a destination interface
+    #
+    fatal_error "Invalid DEST ($dest) in $action rule" if $dest =~ /:/;
+
+    $origdest = '' unless $origdest and $origdest ne '-';
+
+    if ( $origdest eq 'detect' ) {
+	my $interfacesref = $sourceref->{interfaces};
+	my $interfaces = [ ( keys %$interfacesref ) ];
+	$origdest = $interfaces ? "detect:@$interfaces" : ALLIP;
+    }
+
+    my $tgt = 'RETURN';
+
+    my $nonat_chain;
+
+    my $chn;
+
+    if ( $inaction ) {
+	$nonat_chain = ensure_chain( 'nat', $chain );
+    } elsif ( $sourceref->{type} == FIREWALL ) {
+	$nonat_chain = $nat_table->{OUTPUT};
+    } else {
+	$nonat_chain = ensure_chain( 'nat', dnat_chain( $sourcezone ) );
+
+	my @interfaces = keys %{zone_interfaces $sourcezone};
+
+	for ( @interfaces ) {
+	    my $ichain = input_chain $_;
+
+	    if ( $nat_table->{$ichain} ) {
+		#
+		# Static NAT is defined on this interface
+		#
+		$chn = new_chain( 'nat', newnonatchain ) unless $chn;
+		add_ijump $chn, j => $nat_table->{$ichain}, @interfaces > 1 ? imatch_source_dev( $_ )  : ();
+	    }
+	}
+
+	if ( $chn ) {
+	    #
+	    # Call expand_rule() to correctly handle logging. Because
+	    # the 'logname' argument is passed, expand_rule() will
+	    # not create a separate logging chain but will rather emit
+	    # any logging rule in-line.
+	    #
+	    expand_rule( $chn,
+			 PREROUTE_RESTRICT,
+			 '', # Rule
+			 '', # Source
+			 '', # Dest
+			 '', # Original dest
+			 'ACCEPT',
+			 $loglevel,
+			 $log_action,
+			 '',
+			 dnat_chain( $sourcezone  ) );
+	    $loglevel = '';
+	    $tgt = $chn->{name};
+	} else {
+	    $tgt = 'ACCEPT';
+	}
+    }
+
+    set_optflags( $nonat_chain, DONT_MOVE | DONT_OPTIMIZE ) if $tgt eq 'RETURN';
+
+    expand_rule( $nonat_chain ,
+		 PREROUTE_RESTRICT ,
+		 $rule ,
+		 $source ,
+		 $dest ,
+		 $origdest ,
+		 $tgt,
+		 $loglevel ,
+		 $log_action ,
+		 '',
+	       );
+}
+
 sub add_addresses () {
     if ( @addresses_to_add ) {
 	my @addrs = @addresses_to_add;

Shorewall/Perl/Shorewall/Proc.pm

@@ -219,30 +219,30 @@ sub setup_forwarding( $$ ) {
 
     if ( $family == F_IPV4 ) {
 	if ( $config{IP_FORWARDING} eq 'on' ) {
-	    emit '        echo 1 > /proc/sys/net/ipv4/ip_forward';
+	    emit 'echo 1 > /proc/sys/net/ipv4/ip_forward';
-	    emit '        progress_message2 IPv4 Forwarding Enabled';
+	    emit 'progress_message2 IPv4 Forwarding Enabled';
 	} elsif ( $config{IP_FORWARDING} eq 'off' ) {
-	    emit '        echo 0 > /proc/sys/net/ipv4/ip_forward';
+	    emit 'echo 0 > /proc/sys/net/ipv4/ip_forward';
-	    emit '        progress_message2 IPv4 Forwarding Disabled!';
+	    emit 'progress_message2 IPv4 Forwarding Disabled!';
 	}
 
 	emit '';
 
-	emit ( '        echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables' ,
+	emit ( 'echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables' ,
 	       ''
 	     ) if have_bridges;
     } else {
 	if ( $config{IP_FORWARDING} eq 'on' ) {
-	    emit '        echo 1 > /proc/sys/net/ipv6/conf/all/forwarding';
+	    emit 'echo 1 > /proc/sys/net/ipv6/conf/all/forwarding';
-	    emit '        progress_message2 IPv6 Forwarding Enabled';
+	    emit 'progress_message2 IPv6 Forwarding Enabled';
 	} elsif ( $config{IP_FORWARDING} eq 'off' ) {
-	    emit '        echo 0 > /proc/sys/net/ipv6/conf/all/forwarding';
+	    emit 'echo 0 > /proc/sys/net/ipv6/conf/all/forwarding';
-	    emit '        progress_message2 IPv6 Forwarding Disabled!';
+	    emit 'progress_message2 IPv6 Forwarding Disabled!';
 	}
 
 	emit '';
 
-	emit ( '        echo 1 > /proc/sys/net/bridge/bridge-nf-call-ip6tables' ,
+	emit ( 'echo 1 > /proc/sys/net/bridge/bridge-nf-call-ip6tables' ,
 	       ''
 	     ) if have_bridges;
 
@@ -251,9 +251,6 @@ sub setup_forwarding( $$ ) {
 	if ( @$interfaces ) {
 	    progress_message2 "$doing Interface forwarding..." if $first;
 
-	    push_indent;
-	    push_indent;
-
 	    save_progress_message 'Setting up IPv6 Interface Forwarding...';
 
 	    for my $interface ( @$interfaces ) {
@@ -270,9 +267,6 @@ sub setup_forwarding( $$ ) {
 		       "    error_message \"WARNING: Cannot set IPv6 forwarding on $interface\"" ) unless $optional;
 		emit   "fi\n";
 	    }
-
-	    pop_indent;
-	    pop_indent;
 	}
     }
 }
@@ -286,7 +280,7 @@ sub setup_interface_proc( $ ) {
     if ( interface_has_option( $interface, 'arp_filter' , $value ) ) {
 	push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/arp_filter";
     }
-	 
+
     if ( interface_has_option( $interface, 'arp_ignore' , $value ) ) {
 	push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/arp_ignore";
     }
@@ -315,6 +309,6 @@ sub setup_interface_proc( $ ) {
 	emit "fi\n";
     }
 }
-	 
+
 
 1;

Shorewall/Perl/Shorewall/Proxyarp.pm

@@ -120,7 +120,7 @@ sub setup_proxy_arp() {
 
 	my ( %set, %reset );
 
-	while ( read_a_line ) {
+	while ( read_a_line( NORMAL_READ ) ) {
 
 	    my ( $address, $interface, $external, $haveroute, $persistent ) =
 		split_line $file_opt . 'file ', { address => 0, interface => 1, external => 2, haveroute => 3, persistent => 4 };

Shorewall/Perl/Shorewall/Raw.pm

@@ -20,7 +20,7 @@
 #       along with this program; if not, write to the Free Software
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#   This module contains the code that handles the /etc/shorewall/notrack file.
+#   This module contains the code that handles the /etc/shorewall/conntrack file.
 #
 package Shorewall::Raw;
 require Exporter;
@@ -32,8 +32,8 @@ use Shorewall::Chains qw(:DEFAULT :internal);
 use strict;
 
 our @ISA = qw(Exporter);
-our @EXPORT = qw( setup_notrack );
+our @EXPORT = qw( setup_conntrack );
-our @EXPORT_OK = qw( );
+our @EXPORT_OK = qw( handle_helper_rule );
 our $VERSION = 'MODULEVERSION';
 
 my %valid_ctevent = ( new => 1, related => 1, destroy => 1, reply => 1, assured => 1, protoinfo => 1, helper => 1, mark => 1, natseqinfo => 1, secmark => 1 );
@@ -41,54 +41,91 @@ my %valid_ctevent = ( new => 1, related => 1, destroy => 1, reply => 1, assured
 #
 # Notrack
 #
-sub process_notrack_rule( $$$$$$$ ) {
+sub process_conntrack_rule( $$$$$$$$$$ ) {
 
-    my ($action, $source, $dest, $proto, $ports, $sports, $user ) = @_;
+    my ($chainref, $zoneref, $action, $source, $dest, $proto, $ports, $sports, $user, $switch ) = @_;
+
+    require_capability 'RAW_TABLE', 'conntrack rules', '';
 
     $proto  = ''    if $proto  eq 'any';
     $ports  = ''    if $ports  eq 'any' || $ports  eq 'all';
     $sports = ''    if $sports eq 'any' || $sports eq 'all';
 
-    ( my $zone, $source) = split /:/, $source, 2;
+    my $zone;
-    my $zoneref  = find_zone $zone;
+    my $restriction = PREROUTE_RESTRICT;
-    my $chainref = ensure_raw_chain( notrack_chain $zone );
-    my $restriction = $zoneref->{type} == FIREWALL || $zoneref->{type} == VSERVER ? OUTPUT_RESTRICT : PREROUTE_RESTRICT;
 
-    fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-' && $restriction != OUTPUT_RESTRICT;
+    if ( $chainref ) {
-    require_capability 'RAW_TABLE', 'Notrack rules', '';
+	$restriction = OUTPUT_RESTRICT if $chainref->{name} eq 'OUTPUT';
+    } else {
+	#
+	# Entry in the conntrack file
+	#
+	if ( $zoneref ) {
+	    $zone = $zoneref->{name};
+	} else {
+	    ($zone, $source) = split /:/, $source, 2;
+	    $zoneref = find_zone ( $zone );
+	}
+
+	$chainref = ensure_raw_chain( notrack_chain $zone );
+	$restriction = OUTPUT_RESTRICT if $zoneref->{type}  & (FIREWALL | VSERVER );
+	fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-' && $restriction != OUTPUT_RESTRICT;
+    }
 
     my $target = $action;
     my $exception_rule = '';
-    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user );
+    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_condition( $switch , $chainref->{name} );
 
-    unless ( $action eq 'NOTRACK' ) {
+    if ( $action eq 'NOTRACK' ) {
+	#
+	# A patch that deimplements the NOTRACK target has been posted on the
+	# Netfilter development list
+	#
+	$action = 'CT --notrack' if have_capability 'CT_TARGET';
+    } elsif ( $action ne 'DROP' ) {
 	(  $target, my ( $option, $args, $junk ) ) = split ':', $action, 4;
 
 	fatal_error "Invalid notrack ACTION ( $action )" if $junk || $target ne 'CT';
 
-	require_capability 'CT_TARGET', 'CT entries in the notrack file', '';
+	require_capability 'CT_TARGET', 'CT entries in the conntrack file', '';
 
 	if ( $option eq 'notrack' ) {
-	    fatal_error "Invalid notrack ACTION ( $action )" if supplied $args;
+	    fatal_error "Invalid conntrack ACTION ( $action )" if supplied $args;
 	    $action = 'CT --notrack';
 	} else {
 	    fatal_error "Invalid or missing CT option and arguments" unless supplied $option && supplied $args;
 
 	    if ( $option eq 'helper' ) {
-		fatal_error "Invalid helper' ($args)" if $args =~ /,/;
+		my $modifiers = '';
-		validate_helper( $args, $proto );
+
-		$action = "CT --helper $args";
+		if ( $args =~ /^([-\w.]+)\((.+)\)$/ ) {
-		$exception_rule = do_proto( $proto, '-', '-' );
+		    $args      = $1;
-	    } elsif ( $option eq 'ctevents' ) {
+		    $modifiers = $2;
-		for ( split ',', $args ) {
-		    fatal_error "Invalid 'ctevents' event ($_)" unless $valid_ctevent{$_};
 		}
 
-		$action = "CT --ctevents $args";
+		fatal_error "Invalid helper' ($args)" if $args =~ /,/;
-	    } elsif ( $option eq 'expevent' ) {
+		validate_helper( $args, $proto );
-		fatal_error "Invalid expevent argument ($args)" unless $args eq 'new';
+		$action = "CT --helper $helpers_aliases{$args}";
-	    } elsif ( $option eq 'zone' ) {
+		$exception_rule = do_proto( $proto, '-', '-' );
-		fatal_error "Invalid zone id ($args)" unless $args =~ /^\d+$/;
+
+		for my $mod ( split_list1( $modifiers, 'ctevents' ) ) {
+		    fatal_error "Invalid helper option ($mod)" unless $mod =~ /^(\w+)=(.+)$/;
+		    $mod    = $1;
+		    my $val = $2;
+		    
+		    if ( $mod eq 'ctevents' ) {
+			for ( split_list( $val, 'ctevents' ) ) {
+			    fatal_error "Invalid 'ctevents' event ($_)" unless $valid_ctevent{$_};
+			}
+
+			$action .= " --ctevents $val";
+		    } elsif ( $mod eq 'expevents' ) {
+			fatal_error "Invalid expevent argument ($val)" unless $val eq 'new';
+			$action .= ' --expevents new';
+		    } else {
+			fatal_error "Invalid helper option ($mod)";
+		    }
+		}
 	    } else {
 		fatal_error "Invalid CT option ($option)";
 	    }
@@ -105,65 +142,159 @@ sub process_notrack_rule( $$$$$$$ ) {
 		 '' ,
 		 $target ,
 		 $exception_rule );
-    
-    progress_message "  Notrack rule \"$currentline\" $done";
 
-    $globals{UNTRACKED} = 1;
+    progress_message "  Conntrack rule \"$currentline\" $done";
+}
+
+sub handle_helper_rule( $$$$$$$$$$$ ) {
+    my ( $helper, $source, $dest, $proto, $ports, $sports, $sourceref, $action_target, $actionchain, $user, $rule ) = @_;
+
+    if ( $helper ne '-' ) {
+	fatal_error "A HELPER is not allowed with this ACTION" if $action_target;
+	#
+	# This means that an ACCEPT or NAT rule with a helper is being processed
+	#
+	process_conntrack_rule( $actionchain ? ensure_raw_chain( $actionchain ) : undef ,
+				$sourceref ,
+				"CT:helper:$helper",
+				$source ,
+				$dest ,
+				$proto ,
+				$ports ,
+				$sports ,
+				$user,
+				'-',
+			      );
+    } else {
+	assert( $action_target );
+	#
+	# The target is an action
+	#
+	if ( $actionchain ) {
+	    #
+	    # And the source is another action chain
+	    #
+	    expand_rule( ensure_raw_chain( $actionchain ) ,
+			 PREROUTE_RESTRICT ,
+			 $rule ,
+			 $source ,
+			 $dest ,
+			 '' ,
+			 $action_target ,
+			 '',
+			 'CT' ,
+			 '' );
+	} else {
+	    expand_rule( ensure_raw_chain( notrack_chain( $sourceref->{name} ) ) ,
+			 ( $sourceref->{type} == FIREWALL || $sourceref->{type} == VSERVER ?
+			   OUTPUT_RESTRICT :
+			   PREROUTE_RESTRICT ) ,
+			 $rule ,
+			 $source ,
+			 $dest ,
+			 '' ,
+			 $action_target ,
+			 '' ,
+			 'CT' ,
+			 '' );
+	}
+    }
 }
 
 sub process_format( $ ) {
     my $format = shift;
 
-    fatal_error q(FORMAT must be '1' or '2') unless $format =~ /^[12]$/;
+    fatal_error q(FORMAT must be '1', '2' or '3') unless $format =~ /^[123]$/;
 
     $format;
 }
 
-sub setup_notrack() {
+sub setup_conntrack() {
 
-    my $format = 1;
+    for my $name ( qw/notrack conntrack/ ) {
-    my $action = 'NOTRACK';
 
-    if ( my $fn = open_file 'notrack' ) {
+	my $fn = open_file( $name );
 
-	first_entry "$doing $fn...";
+	if ( $fn ) {
 
-	my $nonEmpty = 0;
+	    my $format = 1;
 
-	while ( read_a_line ) {	    
+	    my $action = 'NOTRACK';
-	    my ( $source, $dest, $proto, $ports, $sports, $user );
 
-	    if ( $format == 1 ) {
+	    my $empty = 1;
-		( $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Notrack File', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5 };
+
-		
+	    first_entry( "$doing $fn..." );
-		if ( $source eq 'FORMAT' ) {
+
-		    $format = process_format( $dest );
+	    while ( read_a_line( NORMAL_READ ) ) {
-		    next;
+		my ( $source, $dest, $proto, $ports, $sports, $user, $switch );
+
+		if ( $format == 1 ) {
+		    ( $source, $dest, $proto, $ports, $sports, $user, $switch ) = split_line1 'Conntrack File', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5, switch => 6 };
+
+		    if ( $source eq 'FORMAT' ) {
+			$format = process_format( $dest );
+			next;
+		    }
+		} else {
+		    ( $action, $source, $dest, $proto, $ports, $sports, $user, $switch ) = split_line1 'Conntrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, switch => 7 }, { COMMENT => 0, FORMAT => 2 };
+
+		    if ( $action eq 'FORMAT' ) {
+			$format = process_format( $source );
+			$action = 'NOTRACK';
+			next;
+		    }
 		}
-		
+
-		if ( $source eq 'COMMENT' ) {
-		    process_comment;
-		    next;
-		}	    
-	    } else {
-		( $action, $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Notrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6 }, { COMMENT => 0, FORMAT => 2 };
-		
-		if ( $action eq 'FORMAT' ) {
-		    $format = process_format( $source );
-		    $action = 'NOTRACK';
-		    next;
-		}
-		
 		if ( $action eq 'COMMENT' ) {
 		    process_comment;
 		    next;
-		}	    
+		}
-	    }
-	    
-	    process_notrack_rule $action, $source, $dest, $proto, $ports, $sports, $user;
-	}
 
-	clear_comment;
+		$empty = 0;
+
+		if ( $format < 3 ) {
+		    if ( $source =~ /^all(-)?(:(.+))?$/ ) {
+			fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-';
+			for my $zone ( $1 ? off_firewall_zones : all_zones ) {
+			    process_conntrack_rule( undef ,
+						    undef,
+						    $action,
+						    $zone . ( $2 || ''),
+						    $dest,
+						    $proto,
+						    $ports,
+						    $sports,
+						    $user ,
+						    $switch );
+			}
+		    } else {
+			process_conntrack_rule( undef, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
+		    }
+		} elsif ( $action =~ s/:O$// ) {
+		    process_conntrack_rule( $raw_table->{OUTPUT}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
+		} elsif ( $action =~ s/:OP// || $action =~ s/:PO// ) {
+		    process_conntrack_rule( $raw_table->{PREROUTING}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
+		    process_conntrack_rule( $raw_table->{OUTPUT},     undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
+		} else {
+		    $action =~ s/:P//;
+		    process_conntrack_rule( $raw_table->{PREROUTING}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
+		}		    
+	    }
+
+	    clear_comment;
+
+	    if ( $name eq 'notrack') {
+		if ( $empty ) {
+		    if ( unlink( $fn ) ) {
+			warning_message "Empty notrack file ($fn) removed";
+		    } else {
+			warning_message "Unable to remove empty notrack file ($fn): $!";
+		    }
+		} else {
+		    warning_message "Non-empty notrack file ($fn); please move its contents to the conntrack file";
+		}
+	    }
+	}
     }
 }
 

Shorewall/Perl/Shorewall/Tunnels.pm

@@ -2,7 +2,6 @@
 # Shorewall 4.4 -- /usr/share/shorewall/Shorewall/Tunnels.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
 #     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
@@ -62,7 +61,7 @@ sub setup_tunnels() {
 	    }
 	}
 
-	my @options = $globals{UNTRACKED} ? state_imatch 'NEW,UNTRACKED' : state_imatch 'NEW';
+	my @options = have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,UNTRACKED' : state_imatch 'NEW';
 
 	add_tunnel_rule $inchainref,  p => 50, @$source;
 	add_tunnel_rule $outchainref, p => 50, @$dest;
@@ -126,9 +125,9 @@ sub setup_tunnels() {
     sub setup_pptp_server {
 	my ($inchainref, $outchainref, $kind, $source, $dest ) = @_;
 
-	add_tunnel_rule $inchainref,  p => 47, @$dest;
+	add_tunnel_rule $inchainref,  p => 47, @$source;
-	add_tunnel_rule $outchainref, p => 47, @$source;
+	add_tunnel_rule $outchainref, p => 47, @$dest;
-	add_tunnel_rule $inchainref,  p => 'tcp --dport 1723', @$dest
+	add_tunnel_rule $inchainref,  p => 'tcp --dport 1723', @$source
 	}
 
     sub setup_one_openvpn {
@@ -234,7 +233,7 @@ sub setup_tunnels() {
     }
 
     sub setup_one_tunnel($$$$) {
-	my ( $kind , $zone, $gateway, $gatewayzones ) = @_;
+	my ( $kind , $zone, $gateways, $gatewayzones ) = @_;
 
 	my $zonetype = zone_type( $zone );
 
@@ -243,35 +242,42 @@ sub setup_tunnels() {
 	my $inchainref  = ensure_rules_chain( rules_chain( ${zone}, ${fw} ) );
 	my $outchainref = ensure_rules_chain( rules_chain( ${fw}, ${zone} ) );
 
-	$gateway = ALLIP if $gateway eq '-';
+	$gateways = ALLIP if $gateways eq '-';
 
-	my @source = imatch_source_net $gateway;
+	my ( $net, $excl ) = handle_network_list( $gateways , 'src' );
-	my @dest   = imatch_dest_net   $gateway;
+	( $net, $excl )    = handle_network_list( $gateways , 'dst' );
 
-	my %tunneltypes = ( 'ipsec'         => { function => \&setup_one_ipsec ,         params   => [ $kind, \@source, \@dest , $gatewayzones ] } ,
+	fatal_error "Exclusion is not allowed in the GATEWAYS column" if $excl;
-			    'ipsecnat'      => { function => \&setup_one_ipsec ,         params   => [ $kind, \@source, \@dest , $gatewayzones ] } ,
-			    'ipip'          => { function => \&setup_one_other,          params   => [ \@source, \@dest , 4 ] } ,
-			    'gre'           => { function => \&setup_one_other,          params   => [ \@source, \@dest , 47 ] } ,
-			    '6to4'          => { function => \&setup_one_other,          params   => [ \@source, \@dest , 41 ] } ,
-			    '6in4'          => { function => \&setup_one_other,          params   => [ \@source, \@dest , 41 ] } ,
-			    'pptpclient'    => { function => \&setup_pptp_client,        params   => [ $kind, \@source, \@dest ] } ,
-			    'pptpserver'    => { function => \&setup_pptp_server,        params   => [ $kind, \@source, \@dest ] } ,
-			    'openvpn'       => { function => \&setup_one_openvpn,        params   => [ $kind, \@source, \@dest ] } ,
-			    'openvpnclient' => { function => \&setup_one_openvpn_client, params   => [ $kind, \@source, \@dest ] } ,
-			    'openvpnserver' => { function => \&setup_one_openvpn_server, params   => [ $kind, \@source, \@dest ] } ,
-			    'l2tp'          => { function => \&setup_one_l2tp ,          params   => [ $kind, \@source, \@dest ] } ,
-			    'generic'       => { function => \&setup_one_generic ,       params   => [ $kind, \@source, \@dest ] } ,
-			  );
 
-	$kind = "\L$kind";
+	for my $gateway ( split_list $gateways, 'GATEWAYS' ) {
+	    my @source = imatch_source_net $gateway;
+	    my @dest   = imatch_dest_net   $gateway;
 
-	(my $type) = split /:/, $kind;
+	    my %tunneltypes = ( 'ipsec'         => { function => \&setup_one_ipsec ,         params   => [ $kind, \@source, \@dest , $gatewayzones ] } ,
+				'ipsecnat'      => { function => \&setup_one_ipsec ,         params   => [ $kind, \@source, \@dest , $gatewayzones ] } ,
+				'ipip'          => { function => \&setup_one_other,          params   => [ \@source, \@dest , 4 ] } ,
+				'gre'           => { function => \&setup_one_other,          params   => [ \@source, \@dest , 47 ] } ,
+				'6to4'          => { function => \&setup_one_other,          params   => [ \@source, \@dest , 41 ] } ,
+				'6in4'          => { function => \&setup_one_other,          params   => [ \@source, \@dest , 41 ] } ,
+				'pptpclient'    => { function => \&setup_pptp_client,        params   => [ $kind, \@source, \@dest ] } ,
+				'pptpserver'    => { function => \&setup_pptp_server,        params   => [ $kind, \@source, \@dest ] } ,
+				'openvpn'       => { function => \&setup_one_openvpn,        params   => [ $kind, \@source, \@dest ] } ,
+				'openvpnclient' => { function => \&setup_one_openvpn_client, params   => [ $kind, \@source, \@dest ] } ,
+				'openvpnserver' => { function => \&setup_one_openvpn_server, params   => [ $kind, \@source, \@dest ] } ,
+				'l2tp'          => { function => \&setup_one_l2tp ,          params   => [ $kind, \@source, \@dest ] } ,
+				'generic'       => { function => \&setup_one_generic ,       params   => [ $kind, \@source, \@dest ] } ,
+			      );
 
-	my $tunnelref = $tunneltypes{ $type };
+	    $kind = "\L$kind";
 
-	fatal_error "Tunnels of type $type are not supported" unless $tunnelref;
+	    (my $type) = split /:/, $kind;
 
-	$tunnelref->{function}->( $inchainref, $outchainref, @{$tunnelref->{params}} );
+	    my $tunnelref = $tunneltypes{ $type };
+
+	    fatal_error "Tunnels of type $type are not supported" unless $tunnelref;
+
+	    $tunnelref->{function}->( $inchainref, $outchainref, @{$tunnelref->{params}} );
+	}
 
 	progress_message "   Tunnel \"$currentline\" $done";
     }
@@ -283,16 +289,16 @@ sub setup_tunnels() {
 
 	first_entry "$doing $fn...";
 
-	while ( read_a_line ) {
+	while ( read_a_line( NORMAL_READ ) ) {
 
-	    my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 'tunnels file', { type => 0, zone => 1, gateway => 2, gateway_zone => 3 };
+	    my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 'tunnels file', { type => 0, zone => 1, gateway => 2, gateways => 2, gateway_zone => 3 , gateway_zones => 3 }, undef, 4;
 
 	    fatal_error 'TYPE must be specified' if $kind eq '-';
-	    fatal_error 'ZONE must be specified' if $zone eq '-';
 
 	    if ( $kind eq 'COMMENT' ) {
 		process_comment;
 	    } else {
+		fatal_error 'ZONE must be specified' if $zone eq '-';
 		setup_one_tunnel $kind, $zone, $gateway, $gatewayzones;
 	    }
 	}

Shorewall/Perl/Shorewall/Zones.pm

@@ -31,63 +31,69 @@ use Shorewall::IPAddrs;
 use strict;
 
 our @ISA = qw(Exporter);
-our @EXPORT = qw( NOTHING
+our @EXPORT = ( qw( NOTHING
-		  NUMERIC
+		    NUMERIC
-		  NETWORK
+		    NETWORK
-		  IPSECPROTO
+		    IPSECPROTO
-		  IPSECMODE
+		    IPSECMODE
-		  FIREWALL
+		    FIREWALL
-		  VSERVER
+		    VSERVER
-		  IP
+		    IP
-		  BPORT
+		    BPORT
-		  IPSEC
+		    IPSEC
+		    GROUP
+		    NO_UPDOWN
+		    NO_SFILTER
 
-		  determine_zones
+		    determine_zones
-		  zone_report
+		    zone_report
-		  dump_zone_contents
+		    dump_zone_contents
-		  find_zone
+		    find_zone
-		  firewall_zone
+		    firewall_zone
-		  defined_zone
+		    defined_zone
-		  zone_type
+		    zone_type
-		  zone_interfaces
+		    zone_interfaces
-		  zone_mark
+		    zone_mark
-		  all_zones
+		    all_zones
-		  all_parent_zones
+		    all_parent_zones
-		  complex_zones
+		    complex_zones
-		  vserver_zones
+		    vserver_zones
-		  off_firewall_zones
+		    on_firewall_zones
-		  non_firewall_zones
+		    off_firewall_zones
-		  single_interface
+		    non_firewall_zones
-		  chain_base
+		    single_interface
-		  validate_interfaces_file
+		    chain_base
-		  all_interfaces
+		    validate_interfaces_file
-		  all_real_interfaces
+		    all_interfaces
-		  all_bridges
+		    all_real_interfaces
-		  interface_number
+		    all_plain_interfaces
-		  find_interface
+		    all_bridges
-		  known_interface
+		    interface_number
-		  get_physical
+		    find_interface
-		  physical_name
+		    known_interface
-		  have_bridges
+		    get_physical
-		  port_to_bridge
+		    physical_name
-		  source_port_to_bridge
+		    have_bridges
-		  interface_is_optional
+		    port_to_bridge
-		  find_interfaces_by_option
+		    source_port_to_bridge
-		  find_interfaces_by_option1
+		    interface_is_optional
-		  get_interface_option
+		    interface_is_required
-		  interface_has_option
+		    find_interfaces_by_option
-		  set_interface_option
+		    find_interfaces_by_option1
-		  set_interface_provider
+		    get_interface_option
-		  interface_zones
+		    interface_has_option
-		  verify_required_interfaces
+		    set_interface_option
-		  compile_updown
+		    set_interface_provider
-		  validate_hosts_file
+		    interface_zones
-		  find_hosts_by_option
+		    verify_required_interfaces
-		  find_zone_hosts_by_option
+		    validate_hosts_file
-		  find_zones_by_option
+		    find_hosts_by_option
-		  all_ipsets
+		    find_zone_hosts_by_option
-		  have_ipsec
+		    find_zones_by_option
-		 );
+		    all_ipsets
+		    have_ipsec
+		 ),
+	      );
 
 our @EXPORT_OK = qw( initialize );
 our $VERSION = 'MODULEVERSION';
@@ -114,7 +120,8 @@ use constant { IN_OUT     => 1,
 #
 #     @zones contains the ordered list of zones with sub-zones appearing before their parents.
 #
-#     %zones{<zone1> => {type =>       <zone type>       FIREWALL, IP, IPSEC, BPORT;
+#     %zones{<zone1> => {name =>       <name>,
+#                        type =>       <zone type>       FIREWALL, IP, IPSEC, BPORT;
 #                        complex =>    0|1
 #                        super   =>    0|1
 #                        options =>    { in_out  => < policy match string >
@@ -173,6 +180,7 @@ my  %reservedName = ( all => 1,
 #                                     number      => <ordinal position in the interfaces file>
 #                                     physical    => <physical interface name>
 #                                     base        => <shell variable base representing this interface>
+#                                     provider    => <Provider Name, if interface is associated with a provider>
 #                                     zones       => { zone1 => 1, ... }
 #                                   }
 #                 }
@@ -187,7 +195,9 @@ my @bport_zones;
 my %ipsets;
 my %physical;
 my %basemap;
+my %basemap1;
 my %mapbase;
+my %mapbase1;
 my $family;
 my $upgrade;
 my $have_ipsec;
@@ -219,32 +229,36 @@ use constant { SIMPLE_IF_OPTION   => 1,
 	       IF_OPTION_WILDOK   => 64
 	   };
 
+use constant { NO_UPDOWN   => 1, 
+	       NO_SFILTER  => 2 };
+
 my %validinterfaceoptions;
 
 my %defaultinterfaceoptions = ( routefilter => 1 , wait => 60 );
 
-my %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 );
+my %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 , ignore => NO_UPDOWN );
 
 my %validhostoptions;
 
-my %validzoneoptions = ( mss          => NUMERIC,
+my %validzoneoptions = ( mss            => NUMERIC,
-			 nomark       => NOTHING,
+			 nomark         => NOTHING,
-			 blacklist    => NOTHING,
+			 blacklist      => NOTHING,
-			 strict       => NOTHING,
+			 dynamic_shared => NOTHING,
-			 next         => NOTHING,
+			 strict         => NOTHING,
-			 reqid        => NUMERIC,
+			 next           => NOTHING,
-			 spi          => NUMERIC,
+			 reqid          => NUMERIC,
-			 proto        => IPSECPROTO,
+			 spi            => NUMERIC,
-			 mode         => IPSECMODE,
+			 proto          => IPSECPROTO,
-			 "tunnel-src" => NETWORK,
+			 mode           => IPSECMODE,
-			 "tunnel-dst" => NETWORK,
+			 "tunnel-src"   => NETWORK,
+			 "tunnel-dst"   => NETWORK,
 		       );
 
 use constant { UNRESTRICTED => 1, NOFW => 2 , COMPLEX => 8, IN_OUT_ONLY => 16 };
 #
 # Hash of options that have their own key in the returned hash.
 #
-my %zonekey = ( mss => UNRESTRICTED | COMPLEX , blacklist => NOFW, nomark => NOFW | IN_OUT_ONLY );
+my %zonekey = ( mss => UNRESTRICTED | COMPLEX , blacklist => NOFW, nomark => NOFW | IN_OUT_ONLY, dynamic_shared => IN_OUT_ONLY );
 
 #
 # Rather than initializing globals in an INIT block or during declaration,
@@ -270,7 +284,9 @@ sub initialize( $$ ) {
     %ipsets = ();
     %physical = ();
     %basemap = ();
+    %basemap1 = ();
     %mapbase = ();
+    %mapbase1 = ();
     $baseseq = 0;
     $minroot = 0;
 
@@ -281,6 +297,7 @@ sub initialize( $$ ) {
 				  bridge      => SIMPLE_IF_OPTION,
 				  detectnets  => OBSOLETE_IF_OPTION,
 				  dhcp        => SIMPLE_IF_OPTION,
+				  ignore      => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 				  maclist     => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  logmartians => BINARY_IF_OPTION,
 				  nets        => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
@@ -291,6 +308,7 @@ sub initialize( $$ ) {
 				  required    => SIMPLE_IF_OPTION,
 				  routeback   => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER,
 				  routefilter => NUMERIC_IF_OPTION ,
+				  rpfilter    => SIMPLE_IF_OPTION,
 				  sfilter     => IPLIST_IF_OPTION,
 				  sourceroute => BINARY_IF_OPTION,
 				  tcpflags    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
@@ -316,6 +334,7 @@ sub initialize( $$ ) {
 	%validinterfaceoptions = (  blacklist   => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    bridge      => SIMPLE_IF_OPTION,
 				    dhcp        => SIMPLE_IF_OPTION,
+				    ignore      => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 				    maclist     => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    nets        => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
 				    nosmurfs    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
@@ -323,6 +342,7 @@ sub initialize( $$ ) {
 				    proxyndp    => BINARY_IF_OPTION,
 				    required    => SIMPLE_IF_OPTION,
 				    routeback   => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER,
+				    rpfilter    => SIMPLE_IF_OPTION,
 				    sfilter     => IPLIST_IF_OPTION,
 				    sourceroute => BINARY_IF_OPTION,
 				    tcpflags    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
@@ -384,7 +404,7 @@ sub parse_zone_option_list($$\$$)
 
 	    if ( $key ) {
 		fatal_error "Option '$e' not permitted with this zone type " if $key & NOFW && ($zonetype & ( FIREWALL | VSERVER) );
-		fatal_error "Opeion '$e' is only permitted in the OPTIONS columns" if $key & IN_OUT_ONLY && $column != IN_OUT;
+		fatal_error "Option '$e' is only permitted in the OPTIONS columns" if $key & IN_OUT_ONLY && $column != IN_OUT;
 		$$complexref = 1 if $key & COMPLEX;
 		$h{$e} = $val || 1;
 	    } else {
@@ -483,7 +503,8 @@ sub process_zone( \$ ) {
 
     my $complex = 0;
 
-    my $zoneref = $zones{$zone} = { type       => $type,
+    my $zoneref = $zones{$zone} = { name       => $zone,
+				    type       => $type,
 				    parents    => \@parents,
 				    bridge     => '',
 				    options    => { in_out  => parse_zone_option_list( $options , $type, $complex , IN_OUT ) ,
@@ -519,6 +540,7 @@ sub process_zone( \$ ) {
     }
 
     if ( $zoneref->{options}{in_out}{blacklist} ) {
+	warning_message q(The 'blacklist' option is deprecated);
 	for ( qw/in out/ ) {
 	    unless ( $zoneref->{options}{$_}{blacklist} ) {
 		$zoneref->{options}{$_}{blacklist} = 1;
@@ -526,6 +548,10 @@ sub process_zone( \$ ) {
 		warning_message( "Redundant 'blacklist' in " . uc( $_ ) . '_OPTIONS' );
 	    }
 	}
+    } else {
+	for ( qw/in out/ ) {
+	    warning_message q(The 'blacklist' option is deprecated), last if  $zoneref->{options}{$_}{blacklist};
+	}
     }
 
     return $zone;
@@ -545,7 +571,7 @@ sub determine_zones()
 
     if ( my $fn = open_file 'zones' ) {
 	first_entry "$doing $fn...";
-	push @z, process_zone( $ip ) while read_a_line;
+	push @z, process_zone( $ip ) while read_a_line( NORMAL_READ );
     } else {
 	fatal_error q(The 'zones' file does not exist or has zero size);
     }
@@ -565,6 +591,7 @@ sub determine_zones()
 		for ( @{$zones{$zone}{children}} ) {
 		    next ZONE unless $ordered{$_};
 		}
+
 		$ordered{$zone} = 1;
 		push @zones, $zone;
 		redo PUSHED;
@@ -572,7 +599,7 @@ sub determine_zones()
 	}
     }
 
-    assert( scalar @zones == scalar @z );
+    assert( @zones == @z );
 
 }
 
@@ -711,7 +738,7 @@ sub add_group_to_zone($$$$$)
     my $interfaceref;
     my $zoneref  = $zones{$zone};
     my $zonetype = $zoneref->{type};
-    
+
 
     $zoneref->{interfaces}{$interface} = 1;
 
@@ -737,6 +764,13 @@ sub add_group_to_zone($$$$$)
 	    $new = \@exclusions;
 	}
 
+	if ( substr( $host, 0, 1 ) eq '+' ) {
+	    fatal_error "Invalid ipset name ($host)" unless $host =~ /^\+(6_)?[a-zA-Z][-\w]*$/;
+	    require_capability( 'IPSET_MATCH', 'Ipset names in host lists', '');
+	} else {
+	    $host = validate_host $host, 0;
+	}
+
 	unless ( $switched ) {
 	    if ( $type == $zonetype ) {
 		fatal_error "Duplicate Host Group ($interface:$host) in zone $zone" if $interfaces{$interface}{zone} eq $zone;
@@ -755,13 +789,6 @@ sub add_group_to_zone($$$$$)
 	    }
 	}
 
-	if ( substr( $host, 0, 1 ) eq '+' ) {
-	    fatal_error "Invalid ipset name ($host)" unless $host =~ /^\+(6_)?[a-zA-Z]\w*$/;
-	    require_capability( 'IPSET_MATCH', 'Ipset names in host lists', '');
-	} else {
-	    validate_host $host, 0;
-	}
-
 	push @$new, $host;
     }
 
@@ -825,6 +852,10 @@ sub all_zones() {
     @zones;
 }
 
+sub on_firewall_zones() {
+   grep ( ( $zones{$_}{type} & ( FIREWALL | VSERVER ) )  ,  @zones );
+}
+
 sub off_firewall_zones() {
    grep ( ! ( $zones{$_}{type} & ( FIREWALL | VSERVER ) )  ,  @zones );
 }
@@ -909,6 +940,55 @@ sub chain_base($) {
     $basemap{$key} = $name;
 }
 
+#
+# This is a slightly relaxed version of the above that allows '-' in the generated name.
+#
+sub chain_base1($) {
+    my $chain = $_[0];
+    my $name  = $basemap1{$chain};
+    #
+    # Return existing mapping, if any
+    #
+    return $name if $name;
+    #
+    # Remember initial value
+    #
+    my $key = $chain;
+    #
+    # Handle VLANs and wildcards
+    #
+    $chain =~ s/\+$//;
+    $chain =~ tr/./_/;
+
+    if ( $chain eq '' || $chain =~ /^[0-9]/ || $chain =~ /[^-\w]/ ) {
+	#
+	# Must map. Remove all illegal characters
+	#
+	$chain =~ s/[^\w]//g;
+	#
+	# Prefix with if_ if it begins with a digit
+	#
+	$chain = join( '' , 'if_', $chain ) if $chain =~ /^[0-9]/;
+	#
+	# Create a new unique name
+	#
+	1 while $mapbase1{$name = join ( '_', $chain, ++$baseseq )};
+    } else {
+	#
+	# We'll store the identity mapping if it is unique
+	#
+	$chain = join( '_', $key , ++$baseseq ) while $mapbase1{$name = $chain};
+    }
+    #
+    # Store the reverse mapping
+    #
+    $mapbase1{$name} = $key;
+    #
+    # Store the mapping
+    #
+    $basemap1{$key} = $name;
+}
+
 #
 # Process a record in the interfaces file
 #
@@ -934,9 +1014,9 @@ sub process_interface( $$ ) {
 	    return;
 	}
 
-	fatal_error "Invalid FORMAT ($1)";
+	fatal_error "Invalid FORMAT ($originalinterface)";
     }
-	
+
     if ( $zone eq '-' ) {
 	$zone = '';
     } else {
@@ -992,7 +1072,7 @@ sub process_interface( $$ ) {
 	$root = substr( $interface, 0, -1 );
 	$roots{$root} = $interface;
 	my $len = length $root;
-	
+
 	if ( $minroot ) {
 	    $minroot = $len if $minroot > $len;
 	} else {
@@ -1029,7 +1109,7 @@ sub process_interface( $$ ) {
 
     if ( $options eq 'ignore' ) {
 	fatal_error "Ignored interfaces may not be associated with a zone" if $zone;
-	$options{ignore} = 1;
+	$options{ignore} = NO_UPDOWN | NO_SFILTER;
 	$options = '-';
     }
 
@@ -1090,7 +1170,7 @@ sub process_interface( $$ ) {
 		    assert( 0 );
 		}
 	    } elsif ( $type == NUMERIC_IF_OPTION ) {
-		fatal_error "The '$option' option may not be specified on a wildcard interface" if $wildcard && ! $type && IF_OPTION_WILDOK; 
+		fatal_error "The '$option' option may not be specified on a wildcard interface" if $wildcard && ! $type && IF_OPTION_WILDOK;
 		$value = $defaultinterfaceoptions{$option} unless defined $value;
 		fatal_error "The '$option' option requires a value" unless defined $value;
 		my $numval = numeric_value $value;
@@ -1127,7 +1207,7 @@ sub process_interface( $$ ) {
 		    $hostoptions{broadcast} = 1;
 		} elsif ( $option eq 'sfilter' ) {
 		    $filterref = [ split_list $value, 'address' ];
-		    validate_net( $_, 1) for @{$filterref}
+		    $_ = validate_net( $_, 1) for @{$filterref}
 		} else {
 		    assert(0);
 		}
@@ -1149,10 +1229,27 @@ sub process_interface( $$ ) {
 	    }
 	}
 
-	fatal_error "Invalid combination of interface options" if $options{required} && $options{optional};
+	fatal_error q(The 'required', 'optional' and 'ignore' options are mutually exclusive)
+	    if ( ( $options{required} && $options{optional} ) ||
+		 ( $options{required} && $options{ignore}   ) ||
+		 ( $options{optional} && $options{ignore}   ) );
+
+	if ( $options{rpfilter} ) {
+	    require_capability( 'RPFILTER_MATCH', q(The 'rpfilter' option), 's' ) ;
+	    fatal_error q(The 'routefilter', 'sfilter' and 'rpfilter' options are mutually exclusive) if $options{routefilter} || @$filterref;
+	} else {
+	    fatal_error q(The 'routefilter', 'sfilter' and 'rpfilter' options are mutually exclusive) if $options{routefilter} && @$filterref;
+	}
+
+	if ( supplied( my $ignore = $options{ignore} ) ) {
+	    fatal_error "Invalid value ignore=0" if ! $ignore;
+	} else {
+	    $options{ignore} = 0;
+	}
 
 	if ( $netsref eq 'dynamic' ) {
-	    my $ipset = $family == F_IPV4 ? "${zone}_" . chain_base $physical : "6_${zone}_" . chain_base $physical;
+	    my $ipset = $family == F_IPV4 ? "${zone}" : "6_${zone}";
+	    $ipset = join( '_', $ipset, chain_base1( $physical ) ) unless $zoneref->{options}{in_out}{dynamic_shared};	    
 	    $netsref = [ "+$ipset" ];
 	    $ipsets{$ipset} = 1;
 	}
@@ -1171,6 +1268,10 @@ sub process_interface( $$ ) {
 	# No options specified -- auto-detect bridge
 	#
 	$hostoptionsref->{routeback} = $options{routeback} = is_a_bridge( $physical ) unless $export;
+	#
+	# And give the 'ignore' option a defined value
+	#
+	$options{ignore} ||= 0;
     }
 
     $physical{$physical} = $interfaces{$interface} = { name       => $interface ,
@@ -1208,13 +1309,13 @@ sub process_interface( $$ ) {
 sub validate_interfaces_file( $ ) {
     my  $export = shift;
     our $format = 1;
-    
+
     my @ifaces;
     my $nextinum = 1;
 
     if ( my $fn = open_file 'interfaces' ) {
 	first_entry "$doing $fn...";
-	push @ifaces, process_interface( $nextinum++, $export ) while read_a_line;
+	push @ifaces, process_interface( $nextinum++, $export ) while read_a_line( NORMAL_READ );
     } else {
 	fatal_error q(The 'interfaces' file does not exist or has zero size);
     }
@@ -1297,7 +1398,7 @@ sub known_interface($)
     if ( $minroot ) {
 	while ( length $iface > $minroot ) {
 	    chop $iface;
-	
+
 	    if ( my $i = $roots{$iface} ) {
 		$interfaceref = $interfaces{$i};
 
@@ -1373,7 +1474,7 @@ sub physical_name( $ ) {
 
     $devref ? $devref->{physical} : $device;
 }
-    
+
 #
 # Returns true if there are bridge port zones defined in the config
 #
@@ -1416,11 +1517,65 @@ sub interface_is_optional($) {
     $optionsref && $optionsref->{optional};
 }
 
+#
+# Return the 'required' setting of the passed interface
+#
+sub interface_is_required($) {
+    my $optionsref = $interfaces{$_[0]}{options};
+    $optionsref && $optionsref->{required};
+}
+
+#
+# Return true if the interface is 'plain'
+#
+sub interface_is_plain($) {
+    my $interfaceref = $interfaces{$_[0]};
+    my $optionsref   = $interfaceref->{options};
+
+    $interfaceref->{bridge} eq $interfaceref->{name} && ! ( $optionsref && ( $optionsref->{required} || $optionsref->{optional} || $optionsref->{ignore} ) )
+}
+
+#
+# Return a minimal list of physical interfaces that are neither ignored, optional, required nor a bridge port.
+#
+sub all_plain_interfaces() {
+    my @plain1 = map get_physical($_), grep $_ ne '%vserver%' && interface_is_plain( $_ ), @interfaces;
+    my @plain2;
+    my @wild1;
+    my @wild2;
+   
+    for ( @plain1 ) {
+	if ( /\+$/ ) {
+	    return ( '+' ) if $_ eq '+';
+	    push @wild1, $_;
+	    chop;
+	    push @wild2, $_;
+	} else {
+	    push @plain2, $_;
+	}
+    }
+
+    return @plain2 unless @wild1;
+
+    @plain1 = ();
+
+NAME:
+    for my $name ( @plain2) {
+	for ( @wild2 ) {
+	    next NAME if substr( $name, 0, length( $_ ) ) eq $_;
+	}
+
+	push @plain1, $name;
+    }
+
+    ( @plain1, @wild1 );
+}
+
 #
 # Returns reference to array of interfaces with the passed option
 #
-sub find_interfaces_by_option( $ ) {
+sub find_interfaces_by_option( $;$ ) {
-    my $option = $_[0];
+    my ( $option , $nonzero ) = @_;
     my @ints = ();
 
     for my $interface ( @interfaces ) {
@@ -1429,7 +1584,11 @@ sub find_interfaces_by_option( $ ) {
 	next unless $interfaceref->{root};
 
 	my $optionsref = $interfaceref->{options};
-	if ( $optionsref && defined $optionsref->{$option} ) {
+	if ( $nonzero ) {
+	    if ( $optionsref && $optionsref->{$option} ) {
+		push @ints , $interface
+	    }
+	} elsif ( $optionsref && defined $optionsref->{$option} ) {
 	    push @ints , $interface
 	}
     }
@@ -1479,7 +1638,7 @@ sub get_interface_option( $$ ) {
     assert( $ref = known_interface( $interface ) );
 
     $ref->{options}{$option};
-    
+
 }
 
 #
@@ -1540,16 +1699,16 @@ sub verify_required_interfaces( $ ) {
 		my $physical = get_physical $interface;
 
 		if ( $physical =~ /\+$/ ) {
-		    my $base = uc chain_base $physical;
-
 		    $physical =~ s/\+$/*/;
 
-		    emit( 'for interface in $(find_all_interfaces); do',
+		    emit( "waittime=$wait",
+			  '',
+			  'for interface in $(find_all_interfaces); do',
 			  '    case $interface in',
 			  "        $physical)",
-			  "            waittime=$wait",
 			  '            while [ $waittime -gt 0 ]; do',
 			  '                interface_is_usable $interface && break',
+			  '                sleep 1',
 			  '                waittime=$(($waittime - 1))',
 			  '            done',
 			  '            ;;',
@@ -1562,8 +1721,8 @@ sub verify_required_interfaces( $ ) {
 		    emit qq(    waittime=$wait);
 		    emit  '';
 		    emit  q(    while [ $waittime -gt 0 ]; do);
-		    emit qq(        interface_is_usable $physical && break);
 		    emit  q(        sleep 1);
+		    emit qq(        interface_is_usable $physical && break);
 		    emit   '        waittime=$(($waittime - 1))';
 		    emit  q(    done);
 		    emit  q(fi);
@@ -1634,181 +1793,12 @@ sub verify_required_interfaces( $ ) {
     $returnvalue;
 }
 
-#
-# Emit the updown() function
-#
-sub compile_updown() {
-    emit( '',
-	  '#',
-	  '# Handle the "up" and "down" commands',
-	  '#',
-	  'updown() # $1 = interface',
-	  '{',
-	);
-
-    push_indent;
-
-    emit( 'local state',
-	  'state=cleared',
-	  '' );
-
-    emit 'progress_message3 "$g_product $COMMAND triggered by $1"';
-    emit '';
-
-    if ( $family == F_IPV4 ) {
-	emit 'if shorewall_is_started; then';
-    } else {
-	emit 'if shorewall6_is_started; then';
-    }
-
-    emit( '    state=started',
-	  'elif [ -f ${VARDIR}/state ]; then',
-	  '    case "$(cat ${VARDIR}/state)" in',
-	  '        Stopped*)',
-	  '            state=stopped',
-	  '            ;;',
-	  '        Cleared*)',
-	  '            ;;',
-	  '        *)',
-	  '            state=unknown',
-	  '            ;;',
-	  '    esac',
-	  'else',
-	  '    state=unknown',
-	  'fi',
-	  ''
-	);
-
-    emit( 'case $1 in' );
-
-    push_indent;
-
-    my $ignore   = find_interfaces_by_option 'ignore';
-    my $required = find_interfaces_by_option 'required';
-    my $optional = find_interfaces_by_option 'optional';
-
-    if ( @$ignore ) {
-	my $interfaces = join '|', map $interfaces{$_}->{physical}, @$ignore;
-
-	$interfaces =~ s/\+/*/g;
-
-	emit( "$interfaces)",
-	      '    progress_message3 "$COMMAND on interface $1 ignored"',
-	      '    exit 0',
-	      '    ;;'
-	    );
-    }
-
-    if ( @$required ) {
-	my $interfaces = join '|', map $interfaces{$_}->{physical}, @$required;
-
-	my $wildcard = ( $interfaces =~ s/\+/*/g );
-
-	emit( "$interfaces)",
-	      '    if [ "$COMMAND" = up ]; then' );
-
-	if ( $wildcard ) {
-	    emit( '        if [ "$state" = started ]; then',
-		  '            COMMAND=restart',
-		  '        else',
-		  '            COMMAND=start',
-		  '        fi' );
-	} else {
-	    emit( '        COMMAND=start' );
-	}
-
-	emit( '        progress_message3 "$g_product attempting $COMMAND"',
-	      '        detect_configuration',
-	      '        define_firewall' );
-
-	if ( $wildcard ) {
-	    emit( '    elif [ "$state" = started ]; then',
-		  '        progress_message3 "$g_product attempting restart"',
-		  '        COMMAND=restart',
-		  '        detect_configuration',
-		  '        define_firewall' );
-	} else {
-	    emit( '    else',
-		  '        COMMAND=stop',
-		  '        progress_message3 "$g_product attempting stop"',
-		  '        detect_configuration',
-		  '        stop_firewall' );
-	}
-
-	emit( '    fi',
-	      '    ;;'
-	    );
-    }
-
-    if ( @$optional ) {
-	my @interfaces = map $interfaces{$_}->{physical}, @$optional;
-	my $interfaces = join '|', @interfaces; 
-
-	if ( $interfaces =~ s/\+/*/g || @interfaces > 1 ) {
-	    emit( "$interfaces)",
-		  '    if [ "$COMMAND" = up ]; then',
-		  '        echo 0 > ${VARDIR}/${1}.state',
-		  '    else',
-		  '        echo 1 > ${VARDIR}/${1}.state',
-		  '    fi' );
-	} else {
-	    emit( "$interfaces)",
-		  '    if [ "$COMMAND" = up ]; then',
-		  "        echo 0 > \${VARDIR}/$interfaces.state",
-		  '    else',
-		  "        echo 1 > \${VARDIR}/$interfaces.state",
-		  '    fi' );
-	}
-
-	emit( '',
-	      '    if [ "$state" = started ]; then',
-	      '        COMMAND=restart',
-	      '        progress_message3 "$g_product attempting restart"',
-	      '        detect_configuration',
-	      '        define_firewall',
-	      '    elif [ "$state" = stopped ]; then',
-	      '        COMMAND=start',
-	      '        progress_message3 "$g_product attempting start"',
-	      '        detect_configuration',
-	      '        define_firewall',
-	      '    else',
-	      '        progress_message3 "$COMMAND on interface $1 ignored"',
-	      '    fi',
-	      '    ;;',
-	    );
-    }
-
-    emit( "*)",
-	  '    case $state in',
-	  '        started)',
-	  '            COMMAND=restart',
-	  '            progress_message3 "$g_product attempting restart"',
-	  '            detect_configuration',
-	  '            define_firewall',
-	  '            ;;',
-	  '        *)',
-	  '            progress_message3 "$COMMAND on interface $1 ignored"',
-	  '            ;;',
-	  '    esac',
-	);
-
-    pop_indent;
-
-    emit( 'esac' );
-
-    pop_indent;
-
-    emit( '}',
-	  '',
-	);
-}
-
 #
 # Process a record in the hosts file
 #
 sub process_host( ) {
     my $ipsec = 0;
-    my ($zone, $hosts, $options ) = split_line 'hosts file', { zone => 0, hosts => 1, options => 2 };
+    my ($zone, $hosts, $options ) = split_line1 'hosts file', { zone => 0, host => 1, hosts => 1, options => 2 }, {}, 3;
 
     fatal_error 'ZONE must be specified'  if $zone eq '-';
     fatal_error 'HOSTS must be specified' if $hosts eq '-';
@@ -1829,22 +1819,23 @@ sub process_host( ) {
 	} else {
 	    fatal_error "Invalid HOST(S) column contents: $hosts";
 	}
-    } elsif ( $hosts =~ /^([\w.@%-]+\+?):<(.*)>$/   ||
+    } elsif ( $hosts =~ /^([\w.@%-]+\+?):<(.*)>$/               ||
-	      $hosts =~ /^([\w.@%-]+\+?):\[(.*)\]$/ ||
+	      $hosts =~ /^([\w.@%-]+\+?)\[(.*)\]$/              ||
-	      $hosts =~ /^([\w.@%-]+\+?):(!?\+.*)$/   ||
+	      $hosts =~ /^([\w.@%-]+\+?):(!?\[.+\](?:\/\d+)?)$/ ||
+	      $hosts =~ /^([\w.@%-]+\+?):(!?\+.*)$/             ||
 	      $hosts =~ /^([\w.@%-]+\+?):(dynamic)$/ ) {
 	$interface = $1;
 	$hosts = $2;
 
 	fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface}) && $interfaceref->{root};
     } else {
-	fatal_error "Invalid HOST(S) column contents: $hosts" 
+	fatal_error "Invalid HOST(S) column contents: $hosts"
     }
 
     if ( $hosts =~ /^!?\+/ ) {
-	$zoneref->{complex} = 1;
+       $zoneref->{complex} = 1;
-	fatal_error "ipset name qualification is disallowed in this file" if $hosts =~ /[\[\]]/;
+       fatal_error "ipset name qualification is disallowed in this file" if $hosts =~ /[\[\]]/;
-	fatal_error "Invalid ipset name ($hosts)" unless $hosts =~ /^!?\+[a-zA-Z][-\w]*$/;
+       fatal_error "Invalid ipset name ($hosts)" unless $hosts =~ /^!?\+[a-zA-Z][-\w]*$/;
     }
 
     if ( $type & BPORT ) {
@@ -1871,6 +1862,7 @@ sub process_host( ) {
 	    } elsif ( $option eq 'norfc1918' ) {
 		warning_message "The 'norfc1918' host option is no longer supported"
 	    } elsif ( $option eq 'blacklist' ) {
+		warning_message "The 'blacklist' option is deprecated";
 		$zoneref->{options}{in}{blacklist} = 1;
 	    } elsif ( $option =~ /^mss=(\d+)$/ ) {
 		fatal_error "Invalid mss ($1)" unless $1 >= 500;
@@ -1907,8 +1899,14 @@ sub process_host( ) {
     if ( $hosts eq 'dynamic' ) {
 	fatal_error "Vserver zones may not be dynamic" if $type & VSERVER;
 	require_capability( 'IPSET_MATCH', 'Dynamic nets', '');
-	my $physical = chain_base( physical_name $interface );
+
-	my $set      = $family == F_IPV4 ? "${zone}_${physical}" : "6_${zone}_${physical}";
+	my $set = $family == F_IPV4 ? "${zone}" : "6_${zone}";
+	
+	unless ( $zoneref->{options}{in_out}{dynamic_shared} ) {
+	    my $physical = chain_base1( physical_name $interface );
+	    $set = join( '_', $set, $physical );
+	}
+
 	$hosts = "+$set";
 	$optionsref->{dynamic} = 1;
 	$ipsets{$set} = 1;
@@ -1935,7 +1933,7 @@ sub validate_hosts_file()
 
     if ( my $fn = open_file 'hosts' ) {
 	first_entry "$doing $fn...";
-	$ipsec |= process_host while read_a_line;
+	$ipsec |= process_host while read_a_line( NORMAL_READ );
     }
 
     $have_ipsec = $ipsec || haveipseczones;

Shorewall/Perl/compiler.pl

@@ -37,6 +37,8 @@
 #         --log_verbosity=<number>    # Log Verbosity range -1 to 2
 #         --family=<number>           # IP family; 4 = IPv4 (default), 6 = IPv6
 #         --preview                   # Preview the ruleset.
+#         --shorewallrc=<path>        # Path to global shorewallrc file.
+#         --shorewallrc1=<path>       # Path to export shorewallrc file.
 #         --config_path=<path-list>   # Search path for config files
 #
 use strict;
@@ -65,7 +67,8 @@ sub usage( $ ) {
     [ --annotate ]
     [ --update ]
     [ --convert ]
-    [ --shorewallrc ]
+    [ --shorewallrc=<pathname> ]
+    [ --shorewallrc1=<pathname> ]
     [ --config_path=<path-list> ]
 ';
 
@@ -93,6 +96,7 @@ my $update        = 0;
 my $convert       = 0;
 my $config_path   = '';
 my $shorewallrc   = '';
+my $shorewallrc1  = '';
 
 Getopt::Long::Configure ('bundling');
 
@@ -125,6 +129,7 @@ my $result = GetOptions('h'               => \$help,
 			'convert'         => \$convert,
 			'config_path=s'   => \$config_path,
 			'shorewallrc=s'   => \$shorewallrc,
+			'shorewallrc1=s'  => \$shorewallrc1,
 		       );
 
 usage(1) unless $result && @ARGV < 2;
@@ -147,5 +152,6 @@ compiler( script          => $ARGV[0] || '',
 	  convert         => $convert,
 	  annotate        => $annotate,
 	  config_path     => $config_path,
-	  shorewallrc     => $shorewallrc
+	  shorewallrc     => $shorewallrc,
+	  shorewallrc1    => $shorewallrc1,
 	);

Shorewall/Perl/getparams

@@ -25,12 +25,12 @@
 #
 #      $1 = Path name of params file
 #      $2 = $CONFIG_PATH
-#      $3 = Address family (4 o4 6)
+#      $3 = Address family (4 or 6)
 #
 if [ "$3" = 6 ]; then
-    g_program=shorewall6
+    PRODUCT=shorewall6
 else
-    g_program=shorewall
+    PRODUCT=shorewall
 fi
 
 #
@@ -38,11 +38,9 @@ fi
 #
 . /usr/share/shorewall/shorewallrc
 
-g_libexec="$LIBEXECDIR"
+g_program=$PRODUCT
-g_sharedir="$SHAREDIR"/shorewall
+g_sharedir="$SHAREDIR/shorewall"
-g_sbindir="$SBINDIR"
+g_confdir="$CONFDIR/$PRODUCT"
-g_perllib="$PERLLIBDIR"
-g_confdir="$CONFDIR"/shorewall
 g_readrc=1
 
 . $g_sharedir/lib.cli

Shorewall/Perl/lib.core

@@ -171,28 +171,6 @@ interface_is_up() {
     [ -n "$($IP -$g_family link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ]
 }
 
-#
-# Determine if interface is usable from a Netfilter perspective
-#
-interface_is_usable() # $1 = interface
-{
-    [ "$1" = lo ] && return 0
-    interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ] && run_isusable_exit $1
-}
-
-#
-# Find interface addresses--returns the set of addresses assigned to the passed
-# device
-#
-find_interface_addresses() # $1 = interface
-{
-    if [ $g_family -eq 4 ]; then
-	$IP -f inet addr show $1 2> /dev/null | grep inet\  | sed 's/\s*inet //;s/\/.*//;s/ peer.*//'
-    else
-	$IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2' | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//'
-    fi
-}
-
 #
 #  echo the list of networks routed out of a given interface
 #
@@ -203,7 +181,6 @@ get_routed_networks() # $1 = interface name, $2-n = Fatal error message
     local mask
 
     [ $g_family -eq 4 ] && mask=32 || mask=128
-    
 
     $IP -$g_family route show dev $1 2> /dev/null |
 	while read address rest; do
@@ -362,6 +339,16 @@ replace_default_route() # $1 = USE_DEFAULT_RT
     fi
 }
 
+#
+# Delete default routes with metric 0 from the passed routing table
+#
+delete_default_routes() # $1 = table number
+{
+    $IP -$g_family route ls table $1 | fgrep default | fgrep -v metric | while read route; do
+	qt $IP -$g_family route del $route
+    done
+} 
+
 restore_default_route() # $1 = USE_DEFAULT_RT
 {
     local result
@@ -385,7 +372,7 @@ restore_default_route() # $1 = USE_DEFAULT_RT
 	done < ${VARDIR}/default_route
 
 	replace_default_route $1
-	
+
 	if [ $result = 1 ]; then
 	    #
 	    # We didn't restore a default route with metric 0
@@ -443,7 +430,7 @@ run_iptables()
     local status
 
     while [ 1 ]; do
-	$g_tool $@
+	eval $g_tool $@
 	status=$?
 	[ $status -ne 4 ] && break
     done
@@ -594,6 +581,7 @@ distribute_load() {
     local interface
     local totalload
     local load
+    local mark
     local maxload
 
     maxload=$1
@@ -605,6 +593,8 @@ distribute_load() {
 	if interface_up $interface; then
 	    load=$(cat ${VARDIR}/${interface}_load)
 	    eval ${interface}_load=$load
+	    mark=$(cat ${VARDIR}/${interface}_mark)
+	    eval ${interface}_mark=$mark
 	    totalload=$( bc <<EOF
 scale=8
 $totalload + $load
@@ -617,7 +607,8 @@ EOF
 	for interface in $@; do
 	    qt $g_tool -t mangle -F ~$interface
 	    eval load=\$${interface}_load
-	
+	    eval mark=\$${interface}_mark
+
 	    if [ -n "$load" ]; then
 		load=$(bc <<EOF
 scale=8
@@ -629,19 +620,47 @@ scale=8
 $totalload - $load
 EOF
 )
-		run_iptables -t mangle -A ~$interface -m statistic --mode random --probability $load
+		run_iptables -t mangle -A ~$interface -m statistic --mode random --probability $load -j MARK --set-mark $mark
 	    fi
 	done
     fi
 }
 
-?IF __IPV4
+?if __IPV4
 #################################################################################
 #                        IPv4-specific Functions
 #################################################################################
+#
+# Determine if interface is usable from a Netfilter perspective
+#
+interface_is_usable() # $1 = interface
+{
+    local status;
+    status=0
+
+    if [ "$1" != lo ]; then
+	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != 0.0.0.0 ]; then
+	    [ "$COMMAND" = enable ] || run_isusable_exit $1
+	    status=$?
+	else
+	    status=1
+	fi
+    fi
+
+    return $status
+}
+
+#
+# Find interface addresses--returns the set of addresses assigned to the passed device
+#
+find_interface_addresses() # $1 = interface
+{
+    $IP -f inet addr show $1 2> /dev/null | grep inet\  | sed 's/\s*inet //;s/\/.*//;s/ peer.*//'
+}
+
+#
 # Find the value 'weight' in the passed arguments then echo the next value
 #
-
 find_weight() {
     while [ $# -gt 1 ]; do
 	[ "x$1" = xweight ] && echo $2 && return
@@ -819,13 +838,13 @@ detect_dynamic_gateway() { # $1 = interface
 	gateway=$( find_peer $($IP addr list $interface ) )
     fi
 
-    if [ -z "$gateway" -a -f /var/lib/dhcpcd/dhcpcd-${1}.info ]; then
+    if [ -z "$gateway" -a -f ${VARLIB}/dhcpcd/dhcpcd-${1}.info ]; then
-	eval $(grep ^GATEWAYS=  /var/lib/dhcpcd/dhcpcd-${1}.info 2> /dev/null)
+	eval $(grep ^GATEWAYS=  ${VARLIB}/dhcpcd/dhcpcd-${1}.info 2> /dev/null)
 	[ -n "$GATEWAYS" ] && GATEWAYS=${GATEWAYS%,*} && gateway=$GATEWAYS
     fi
 
-    if [ -z "$gateway" -a -f /var/lib/dhcp/dhclient-${1}.lease ]; then
+    if [ -z "$gateway" -a -f ${VARLIB}/dhcp/dhclient-${1}.lease ]; then
-	gateway=$(grep 'option routers' /var/lib/dhcp/dhclient-${1}.lease | tail -n 1 | while read j1 j2 gateway; do echo $gateway ; return 0; done)
+	gateway=$(grep 'option routers' ${VARLIB}/dhcp/dhclient-${1}.lease | tail -n 1 | while read j1 j2 gateway; do echo $gateway ; return 0; done)
     fi
 
     [ -n "$gateway" ] && echo $gateway
@@ -888,7 +907,7 @@ add_gateway() # $1 = Delta $2 = Table Number
     local weight
     local delta
     local dev
-    
+
     route=`$IP -4 -o route ls table $2 | grep ^default | sed 's/default //; s/[\]//g'`
 
     if [ -z "$route" ]; then
@@ -897,7 +916,12 @@ add_gateway() # $1 = Delta $2 = Table Number
 	delta=$1
 
 	if ! echo $route | fgrep -q ' nexthop '; then
-	    route=`echo $route | sed 's/via/nexthop via/'`
+	    if echo $route | fgrep -q via; then
+		route=`echo $route | sed 's/via/nexthop via/'`
+	    else
+		route="nexthop $route"
+	    fi
+
 	    dev=$(find_device $route)
 	    if [ -f ${VARDIR}/${dev}_weight ]; then
 		weight=`cat ${VARDIR}/${dev}_weight`
@@ -920,7 +944,7 @@ delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device
 
     route=`$IP -4 -o route ls table $2 | grep ^default | sed 's/[\]//g'`
     gateway=$1
-  
+
     if [ -n "$route" ]; then
 	if echo $route | fgrep -q ' nexthop '; then
 	    gateway="nexthop $gateway"
@@ -1008,10 +1032,38 @@ get_all_bcasts()
     $IP -f inet addr show 2> /dev/null | grep 'inet.*brd' | grep -v '/32 ' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
 }
 
-?ELSE
+?else
 #################################################################################
 #                        IPv6-specific Functions
 #################################################################################
+#
+# Determine if interface is usable from a Netfilter perspective
+#
+interface_is_usable() # $1 = interface
+{
+    local status;
+    status=0
+
+    if [ "$1" != lo ]; then
+	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ]; then
+	    [ "$COMMAND" = enable ] || run_isusable_exit $1
+	    status=$?
+	else
+	    status=1
+	fi
+    fi
+
+    return $status
+}
+
+#
+# Find interface addresses--returns the set of addresses assigned to the passed device
+#
+find_interface_addresses() # $1 = interface
+{
+    $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2' | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//'
+}
+
 #
 # Get all interface addresses with VLSMs
 #
@@ -1214,7 +1266,7 @@ add_gateway() # $1 = Delta $2 = Table Number
     local weight
     local delta
     local dev
-    
+
     run_ip route add default scope global table $2 $1
 }
 
@@ -1229,7 +1281,7 @@ delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device
 
     route=`$IP -6 -o route ls table $2 | grep ^default | sed 's/[\]//g'`
     gateway=$1
-  
+
     dev=$(find_device $route)
     [ "$dev" = "$3" ] && run_ip route delete default table $2
 }
@@ -1272,4 +1324,4 @@ clear_firewall() {
     logger -p kern.info "$g_product Cleared"
 }
 
-?ENDIF
+?endif

Shorewall/Perl/macro.BLACKLIST

@@ -1,11 +0,0 @@
-#
-# Shorewall version 4 - blacklist Macro
-#
-# /usr/share/shorewall/macro.blacklist
-#
-#	This macro handles blacklisting using BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
-$BLACKLIST_DISPOSITION:$BLACKLIST_LOGLEVEL

Shorewall/Perl/prog.footer

@@ -33,25 +33,25 @@ usage() {
 }
 
 checkkernelversion() {
+?if __IPV6
     local kernel
 
-    if [ $g_family -eq 6 ]; then
+    kernel=$(uname -r 2> /dev/null | sed -e 's/-.*//')
-	kernel=$(uname -r 2> /dev/null | sed -e 's/-.*//')
 
-	case "$kernel" in 
+    case "$kernel" in
-	    *.*.*)
+	*.*.*)
-		kernel=$(printf "%d%02d%02d" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
+	    kernel=$(printf "%d%02d%02d" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
-		;;
+	    ;;
-	    *)
+	*)
-		kernel=$(printf "%d%02d00" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2/g'))
+	    kernel=$(printf "%d%02d00" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2/g'))
-		;;
+	    ;;
-	esac
+    esac
 
-	if [ $kernel -lt 20624 ]; then
+    if [ $kernel -lt 20624 ]; then
-	    error_message "ERROR: $g_product requires Linux kernel 2.6.24 or later"
+	error_message "ERROR: $g_product requires Linux kernel 2.6.24 or later"
-	    return 1
+	return 1
-	fi
     fi
+?endif
 
     return 0
 }
@@ -348,7 +348,9 @@ case "$COMMAND" in
 	[ $# -eq 1 ] && exit 0
 	shift
 	[ $# -ne 1 ] && usage 2
-	updown $1
+	mutex_on
+	( updown $1 )
+	mutex_off
 	status=0
 	;;
     enable)

Shorewall/Samples/LICENSE

@@ -55,7 +55,7 @@ modified by someone else and passed on, the recipients should know
 that what they have is not the original version, so that the original
 author's reputation will not be affected by problems that might be
 introduced by others.
-
+
   Finally, software patents pose a constant threat to the existence of
 any free program.  We wish to make sure that a company cannot
 effectively restrict the users of a free program by obtaining a
@@ -111,7 +111,7 @@ modification follow.  Pay close attention to the difference between a
 "work based on the library" and a "work that uses the library".  The
 former contains code derived from the library, whereas the latter must
 be combined with the library in order to run.
-
+
 		  GNU LESSER GENERAL PUBLIC LICENSE
    TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
 
@@ -146,7 +146,7 @@ such a program is covered only if its contents constitute a work based
 on the Library (independent of the use of the Library in a tool for
 writing it).  Whether that is true depends on what the Library does
 and what the program that uses the Library does.
-  
+
   1. You may copy and distribute verbatim copies of the Library's
 complete source code as you receive it, in any medium, provided that
 you conspicuously and appropriately publish on each copy an
@@ -158,7 +158,7 @@ Library.
   You may charge a fee for the physical act of transferring a copy,
 and you may at your option offer warranty protection in exchange for a
 fee.
-
+
   2. You may modify your copy or copies of the Library or any portion
 of it, thus forming a work based on the Library, and copy and
 distribute such modifications or work under the terms of Section 1
@@ -216,7 +216,7 @@ instead of to this License.  (If a newer version than version 2 of the
 ordinary GNU General Public License has appeared, then you can specify
 that version instead if you wish.)  Do not make any other change in
 these notices.
-
+
   Once this change is made in a given copy, it is irreversible for
 that copy, so the ordinary GNU General Public License applies to all
 subsequent copies and derivative works made from that copy.
@@ -267,7 +267,7 @@ Library will still fall under Section 6.)
 distribute the object code for the work under the terms of Section 6.
 Any executables containing that work also fall under Section 6,
 whether or not they are linked directly with the Library itself.
-
+
   6. As an exception to the Sections above, you may also combine or
 link a "work that uses the Library" with the Library to produce a
 work containing portions of the Library, and distribute that work
@@ -329,7 +329,7 @@ restrictions of other proprietary libraries that do not normally
 accompany the operating system.  Such a contradiction means you cannot
 use both them and the Library together in an executable that you
 distribute.
-
+
   7. You may place library facilities that are a work based on the
 Library side-by-side in a single library together with other library
 facilities not covered by this License, and distribute such a combined
@@ -370,7 +370,7 @@ subject to these terms and conditions.  You may not impose any further
 restrictions on the recipients' exercise of the rights granted herein.
 You are not responsible for enforcing compliance by third parties with
 this License.
-
+
   11. If, as a consequence of a court judgment or allegation of patent
 infringement or for any other reason (not limited to patent issues),
 conditions are imposed on you (whether by court order, agreement or
@@ -422,7 +422,7 @@ conditions either of that version or of any later version published by
 the Free Software Foundation.  If the Library does not specify a
 license version number, you may choose any version ever published by
 the Free Software Foundation.
-
+
   14. If you wish to incorporate parts of the Library into other free
 programs whose distribution conditions are incompatible with these,
 write to the author to ask for permission.  For software which is
@@ -456,7 +456,7 @@ SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
 DAMAGES.
 
 		     END OF TERMS AND CONDITIONS
-
+
            How to Apply These Terms to Your New Libraries
 
   If you develop a new library, and you want it to be of the greatest

Shorewall/Samples/Universal/interfaces

@@ -7,6 +7,8 @@
 # http://www.shorewall.net/manpages/shorewall-interfaces.html
 #
 ###############################################################################
-#ZONE	INTERFACE	BROADCAST	OPTIONS
+FORMAT 2
--	lo		-		ignore
+###############################################################################
-net	all		-		dhcp,physical=+,routeback,optional
+#ZONE	INTERFACE	OPTIONS
+-	lo		ignore
+net	all		dhcp,physical=+,routeback,optional

Shorewall/Samples/Universal/rules

@@ -6,13 +6,13 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-rules.html
 #
-###################################################################################################################################################################################
+#################################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS	 SWITCH		 HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
 SECTION NEW
-
+Invalid(DROP)	net		$FW		tcp
 SSH(ACCEPT)	net		$FW
 Ping(ACCEPT)	net		$FW

Shorewall/Samples/Universal/shorewall.conf

@@ -41,6 +41,8 @@ MACLIST_LOG_LEVEL=info
 
 RELATED_LOG_LEVEL=
 
+RPFILTER_LOG_LEVEL=info
+
 SFILTER_LOG_LEVEL=info
 
 SMURF_LOG_LEVEL=info
@@ -55,14 +57,20 @@ TCP_FLAGS_LOG_LEVEL=info
 
 CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall
 
+GEOIPDIR=/usr/share/xt_geoip/LE
+
 IPTABLES=
 
 IP=
 
 IPSET=
 
+LOCKFILE=
+
 MODULESDIR=
 
+NFACCT=
+
 PERL=/usr/bin/perl
 
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
@@ -106,7 +114,9 @@ ADD_SNAT_ALIASES=No
 
 ADMINISABSENTMINDED=Yes
 
-AUTO_COMMENT=Yes
+AUTOCOMMENT=Yes
+
+AUTOHELPERS=Yes
 
 AUTOMAKE=No
 
@@ -136,6 +146,8 @@ FASTACCEPT=Yes
 
 FORWARD_CLEAR_MARK=
 
+HELPERS=
+
 IMPLICIT_CONTINUE=No
 
 IPSET_WARNINGS=Yes
@@ -166,7 +178,7 @@ MUTEX_TIMEOUT=60
 
 NULL_ROUTE_RFC1918=No
 
-OPTIMIZE=15
+OPTIMIZE=31
 
 OPTIMIZE_ACCOUNTING=No
 
@@ -174,6 +186,8 @@ REQUIRE_INTERFACE=Yes
 
 RESTORE_DEFAULT_ROUTE=Yes
 
+RESTORE_ROUTEMARKS=Yes
+
 RETAIN_ALIASES=No
 
 ROUTE_FILTER=No
@@ -204,6 +218,8 @@ MACLIST_DISPOSITION=REJECT
 
 RELATED_DISPOSITION=ACCEPT
 
+RPFILTER_DISPOSITION=DROP
+
 SMURF_DISPOSITION=DROP
 
 SFILTER_DISPOSITION=DROP

Shorewall/Samples/one-interface/interfaces

@@ -11,5 +11,7 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-interfaces"
 ###############################################################################
-#ZONE	INTERFACE	BROADCAST	OPTIONS
+FORMAT 2
-net     eth0            detect          dhcp,tcpflags,logmartians,nosmurfs
+###############################################################################
+#ZONE	INTERFACE	OPTIONS
+net     eth0            dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0

Shorewall/Samples/one-interface/rules

@@ -10,14 +10,18 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall-rules"
-######################################################################################################################################################################################
+#################################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS	 SWITCH		 HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
 SECTION NEW
 
+# Drop packets in the INVALID state
+
+Invalid(DROP)  net    	        $FW		tcp
+
 # Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
 
 Ping(DROP)	net		$FW

Shorewall/Samples/one-interface/shorewall.conf

@@ -13,7 +13,7 @@
 #
 # For information about the settings in this file, type "man shorewall.conf"
 #
-# The manpage is also online at 
+# The manpage is also online at
 # http://shorewall.net/manpages/shorewall.conf.html
 #
 ###############################################################################
@@ -52,6 +52,8 @@ MACLIST_LOG_LEVEL=info
 
 RELATED_LOG_LEVEL=
 
+RPFILTER_LOG_LEVEL=info
+
 SFILTER_LOG_LEVEL=info
 
 SMURF_LOG_LEVEL=info
@@ -66,14 +68,20 @@ TCP_FLAGS_LOG_LEVEL=info
 
 CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall
 
+GEOIPDIR=/usr/share/xt_geoip/LE
+
 IPTABLES=
 
 IP=
 
 IPSET=
 
+LOCKFILE=
+
 MODULESDIR=
 
+NFACCT=
+
 PERL=/usr/bin/perl
 
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
@@ -117,7 +125,9 @@ ADD_SNAT_ALIASES=No
 
 ADMINISABSENTMINDED=Yes
 
-AUTO_COMMENT=Yes
+AUTOCOMMENT=Yes
+
+AUTOHELPERS=Yes
 
 AUTOMAKE=No
 
@@ -147,6 +157,8 @@ FASTACCEPT=No
 
 FORWARD_CLEAR_MARK=
 
+HELPERS=
+
 IMPLICIT_CONTINUE=No
 
 IPSET_WARNINGS=Yes
@@ -177,7 +189,7 @@ MUTEX_TIMEOUT=60
 
 NULL_ROUTE_RFC1918=No
 
-OPTIMIZE=1
+OPTIMIZE=31
 
 OPTIMIZE_ACCOUNTING=No
 
@@ -185,6 +197,8 @@ REQUIRE_INTERFACE=No
 
 RESTORE_DEFAULT_ROUTE=Yes
 
+RESTORE_ROUTEMARKS=Yes
+
 RETAIN_ALIASES=No
 
 ROUTE_FILTER=No
@@ -215,6 +229,8 @@ MACLIST_DISPOSITION=REJECT
 
 RELATED_DISPOSITION=ACCEPT
 
+RPFILTER_DISPOSITION=DROP
+
 SMURF_DISPOSITION=DROP
 
 SFILTER_DISPOSITION=DROP

Shorewall/Samples/three-interfaces/interfaces

@@ -11,7 +11,9 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-interfaces"
 ###############################################################################
-#ZONE	INTERFACE	BROADCAST	OPTIONS
+FORMAT 2
-net     eth0            detect          tcpflags,dhcp,nosmurfs,routefilter,logmartians
+###############################################################################
-loc     eth1            detect          tcpflags,nosmurfs,routefilter,logmartians
+#ZONE	INTERFACE	OPTIONS
-dmz     eth2            detect		tcpflags,nosmurfs,routefilter,logmartians
+net     eth0            tcpflags,dhcp,nosmurfs,routefilter,logmartians,sourceroute=0
+loc     eth1            tcpflags,nosmurfs,routefilter,logmartians
+dmz     eth2            tcpflags,nosmurfs,routefilter,logmartians

Shorewall/Samples/three-interfaces/masq

@@ -10,8 +10,9 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-masq"
-##############################################################################
+################################################################################################################
-#INTERFACE		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK
+#INTERFACE:DEST		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/	SWITCH	ORIGINAL
+#											GROUP		DEST
 eth0			10.0.0.0/8,\
 			169.254.0.0/16,\
 			172.16.0.0/12,\

Shorewall/Samples/three-interfaces/rules

@@ -10,8 +10,8 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-rules"
-######################################################################################################################################################################################
+#################################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS	 SWITCH		 HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
@@ -20,7 +20,7 @@ SECTION NEW
 
 #       Don't allow connection pickup from the net
 #
-Invalid(DROP)	net		all
+Invalid(DROP)	net		all		tcp
 #
 #	Accept DNS connections from the firewall to the Internet
 #

Shorewall/Samples/three-interfaces/shorewall.conf

@@ -14,7 +14,7 @@
 #
 # For information about the settings in this file, type "man shorewall.conf"
 #
-# The manpage is also online at 
+# The manpage is also online at
 # http://shorewall.net/manpages/shorewall.conf.html
 #
 ###############################################################################
@@ -50,6 +50,8 @@ MACLIST_LOG_LEVEL=info
 
 RELATED_LOG_LEVEL=
 
+RPFILTER_LOG_LEVEL=info
+
 SFILTER_LOG_LEVEL=info
 
 SMURF_LOG_LEVEL=info
@@ -64,14 +66,20 @@ TCP_FLAGS_LOG_LEVEL=info
 
 CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall
 
+GEOIPDIR=/usr/share/xt_geoip/LE
+
 IPTABLES=
 
 IP=
 
 IPSET=
 
+LOCKFILE=
+
 MODULESDIR=
 
+NFACCT=
+
 PERL=/usr/bin/perl
 
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
@@ -115,7 +123,9 @@ ADD_SNAT_ALIASES=No
 
 ADMINISABSENTMINDED=Yes
 
-AUTO_COMMENT=Yes
+AUTOCOMMENT=Yes
+
+AUTOHELPERS=Yes
 
 AUTOMAKE=No
 
@@ -145,6 +155,8 @@ FASTACCEPT=No
 
 FORWARD_CLEAR_MARK=
 
+HELPERS=
+
 IMPLICIT_CONTINUE=No
 
 IPSET_WARNINGS=Yes
@@ -175,7 +187,7 @@ MUTEX_TIMEOUT=60
 
 NULL_ROUTE_RFC1918=No
 
-OPTIMIZE=1
+OPTIMIZE=31
 
 OPTIMIZE_ACCOUNTING=No
 
@@ -183,6 +195,8 @@ REQUIRE_INTERFACE=No
 
 RESTORE_DEFAULT_ROUTE=Yes
 
+RESTORE_ROUTEMARKS=Yes
+
 RETAIN_ALIASES=No
 
 ROUTE_FILTER=No
@@ -213,6 +227,8 @@ MACLIST_DISPOSITION=REJECT
 
 RELATED_DISPOSITION=ACCEPT
 
+RPFILTER_DISPOSITION=DROP
+
 SMURF_DISPOSITION=DROP
 
 SFILTER_DISPOSITION=DROP

Shorewall/Samples/three-interfaces/stoppedrules

@@ -1,6 +1,6 @@
 #
-# Shorewall6 version 4.0 - Sample Routestopped File for two-interface configuration.
+# Shorewall version 4.5 - Sample Stoppedrules File for three-interface configuration.
-# Copyright (C) 2006,2008 by the Shorewall Team
+# Copyright (C) 2012 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -9,11 +9,12 @@
 #
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
-# For information about entries in this file, type "man shorewall6-routestopped"
+# For information about entries in this file, type "man shorewall-stoppedrules"
-#
+###############################################################################
-# See http://shorewall.net/starting_and_stopping_shorewall.htm for additional
+#ACTION		SOURCE		DEST		PROTO	DEST		SOURCE
-# information.
+#							PORT(S)		PORT(S)
-#
+ACCEPT		eth1		-
-##############################################################################
+ACCEPT		-		eth1
-#INTERFACE	HOST(S)                  OPTIONS
+ACCEPT		eth2		-
-eth1		-
+ACCEPT		-		eth2
+

Shorewall/Samples/two-interfaces/interfaces

@@ -11,6 +11,8 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-interfaces"
 ###############################################################################
-#ZONE	INTERFACE	BROADCAST	OPTIONS
+FORMAT 2
-net     eth0            detect          dhcp,tcpflags,nosmurfs,routefilter,logmartians
+###############################################################################
-loc     eth1            detect          tcpflags,nosmurfs,routefilter,logmartians
+#ZONE	INTERFACE	OPTIONS
+net     eth0            dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
+loc     eth1            tcpflags,nosmurfs,routefilter,logmartians

Shorewall/Samples/two-interfaces/masq

@@ -10,8 +10,9 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-masq"
-###############################################################################
+################################################################################################################
-#INTERFACE		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK
+#INTERFACE:DEST		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/	SWITCH	ORIGINAL
+#											GROUP		DEST
 eth0			10.0.0.0/8,\
 			169.254.0.0/16,\
 			172.16.0.0/12,\

Shorewall/Samples/two-interfaces/rules

@@ -10,8 +10,8 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-rules"
-######################################################################################################################################################################################
+#################################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS	 SWITCH		 HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
@@ -20,7 +20,7 @@ SECTION NEW
 
 #       Don't allow connection pickup from the net
 #
-Invalid(DROP)	net		all
+Invalid(DROP)	net		all		tcp
 #
 #	Accept DNS connections from the firewall to the network
 #

Shorewall/Samples/two-interfaces/shorewall.conf

@@ -3,7 +3,7 @@
 # Shorewall version 4.0 - Sample shorewall.conf for two-interface
 #                         configuration.
 # Copyright (C) 2006,2007 by the Shorewall Team
-#               2011 by Thomas M. Eastep            
+#               2011 by Thomas M. Eastep
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -14,7 +14,7 @@
 #
 # For information about the settings in this file, type "man shorewall.conf"
 #
-# The manpage is also online at 
+# The manpage is also online at
 # http://shorewall.net/manpages/shorewall.conf.html
 #
 ###############################################################################
@@ -53,6 +53,8 @@ MACLIST_LOG_LEVEL=info
 
 RELATED_LOG_LEVEL=
 
+RPFILTER_LOG_LEVEL=info
+
 SFILTER_LOG_LEVEL=info
 
 SMURF_LOG_LEVEL=info
@@ -67,14 +69,20 @@ TCP_FLAGS_LOG_LEVEL=info
 
 CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall
 
+GEOIPDIR=/usr/share/xt_geoip/LE
+
 IPTABLES=
 
 IP=
 
 IPSET=
 
+LOCKFILE=
+
 MODULESDIR=
 
+NFACCT=
+
 PERL=/usr/bin/perl
 
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
@@ -118,7 +126,9 @@ ADD_SNAT_ALIASES=No
 
 ADMINISABSENTMINDED=Yes
 
-AUTO_COMMENT=Yes
+AUTOCOMMENT=Yes
+
+AUTOHELPERS=Yes
 
 AUTOMAKE=No
 
@@ -148,6 +158,8 @@ FASTACCEPT=No
 
 FORWARD_CLEAR_MARK=
 
+HELPERS=
+
 IMPLICIT_CONTINUE=No
 
 IPSET_WARNINGS=Yes
@@ -178,7 +190,7 @@ MUTEX_TIMEOUT=60
 
 NULL_ROUTE_RFC1918=No
 
-OPTIMIZE=1
+OPTIMIZE=31
 
 OPTIMIZE_ACCOUNTING=No
 
@@ -186,6 +198,8 @@ REQUIRE_INTERFACE=No
 
 RESTORE_DEFAULT_ROUTE=Yes
 
+RESTORE_ROUTEMARKS=Yes
+
 RETAIN_ALIASES=No
 
 ROUTE_FILTER=No
@@ -216,6 +230,8 @@ MACLIST_DISPOSITION=REJECT
 
 RELATED_DISPOSITION=ACCEPT
 
+RPFILTER_DISPOSITION=DROP
+
 SMURF_DISPOSITION=DROP
 
 SFILTER_DISPOSITION=DROP

Shorewall/Samples/two-interfaces/stoppedrules

@@ -1,6 +1,6 @@
 #
-# Shorewall version 4.0 - Sample Routestopped File for two-interface configuration.
+# Shorewall version 4.5 - Sample Stoppedrules File for two-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2012 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -9,7 +9,9 @@
 #
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
-# For information about entries in this file, type "man shorewall-routestopped"
+# For information about entries in this file, type "man shorewall-stoppedrules"
-##############################################################################
+###############################################################################
-#INTERFACE	HOST(S)                  OPTIONS
+#ACTION		SOURCE		DEST		PROTO	DEST		SOURCE
-eth1		-
+#							PORT(S)		PORT(S)
+ACCEPT		eth1		-
+ACCEPT		-		eth1

Shorewall/action.Broadcast

@@ -22,7 +22,7 @@
 #       along with this program; if not, write to the Free Software
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#   Broadcast[([<action>|-[,{audit|-}])] 
+#   Broadcast[([<action>|-[,{audit|-}])]
 #
 #       Default action is DROP
 #
@@ -31,7 +31,7 @@ FORMAT 2
 
 DEFAULTS DROP,-
 
-BEGIN PERL;
+?BEGIN PERL;
 
 use Shorewall::IPAddrs;
 use Shorewall::Config;
@@ -43,6 +43,7 @@ fatal_error "Invalid parameter ($audit) to action Broadcast"   if supplied $audi
 fatal_error "Invalid parameter ($action) to action Broadcast"  unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
 
 my $chainref           = get_action_chain;
+
 my ( $level, $tag )    = get_action_logging;
 my $target             = require_audit ( $action , $audit );
 
@@ -51,7 +52,7 @@ if ( have_capability( 'ADDRTYPE' ) ) {
 	log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
 	log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type MULTICAST ';
 	log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type ANYCAST ';
-    }	
+    }
 
     add_jump $chainref, $target, 0, '-m addrtype --dst-type BROADCAST ';
     add_jump $chainref, $target, 0, '-m addrtype --dst-type MULTICAST ';
@@ -64,10 +65,10 @@ if ( have_capability( 'ADDRTYPE' ) ) {
     decr_cmd_level $chainref;
     add_commands $chainref, 'done';
 }
-    
+
 log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
 add_jump $chainref, $target, 0, '-d 224.0.0.0/4 ';
 
 1;
 
-END PERL;
+?END PERL;

Shorewall/action.Drop

@@ -33,15 +33,15 @@
 ###############################################################################
 FORMAT 2
 #
-# The following magic provides different defaults for $2 thru $5, when $1 is 
+# The following magic provides different defaults for $2 thru $5, when $1 is
 # 'audit'.
 #
-BEGIN PERL;
+?BEGIN PERL;
 use Shorewall::Config;
 
 my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
 
-if ( defined $p1 ) { 
+if ( defined $p1 ) {
     if ( $p1 eq 'audit' ) {
 	set_action_param( 2, 'A_REJECT')   unless supplied $p2;
 	set_action_param( 3, 'A_DROP')     unless supplied $p3;
@@ -54,7 +54,7 @@ if ( defined $p1 ) {
 
 1;
 
-END PERL;
+?END PERL;
 
 DEFAULTS -,REJECT,DROP,ACCEPT,DROP
 

Shorewall/action.DropSmurfs

@@ -13,15 +13,17 @@ FORMAT 2
 
 DEFAULTS -
 
-BEGIN PERL;
+?BEGIN PERL;
 use strict;
 use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6);
+use Shorewall::IPAddrs qw( IPv6_MULTICAST );
 use Shorewall::Chains;
 use Shorewall::Rules;
 
 my ( $audit ) = get_action_params( 1 );
 
 my $chainref        = get_action_chain;
+
 my ( $level, $tag ) = get_action_logging;
 my $target;
 
@@ -41,15 +43,15 @@ if ( $level ne '-' || $audit ne '-' ) {
 	fatal_error "Invalid argument ($audit) to DropSmurfs" if $audit ne 'audit';
 	require_capability 'AUDIT_TARGET', q(Passing 'audit' to the DropSmurfs action), 's';
 	add_ijump( $logchainref, j => 'AUDIT --type DROP' );
-    } 
+    }
-	
+
     add_ijump( $logchainref, j => 'DROP' );
 
     $target = $logchainref;
 } else {
     $target = 'DROP';
 }
-		    
+
 if ( have_capability( 'ADDRTYPE' ) ) {
     if ( $family == F_IPV4 ) {
 	add_ijump $chainref , j => 'RETURN', s => '0.0.0.0';         ;
@@ -64,7 +66,7 @@ if ( have_capability( 'ADDRTYPE' ) ) {
     } else {
 	add_commands $chainref, 'for address in $ALL_ACASTS; do';
     }
-    
+
     incr_cmd_level $chainref;
     add_ijump( $chainref, g => $target, s => '$address' );
     decr_cmd_level $chainref;
@@ -77,9 +79,9 @@ if ( $family == F_IPV4 ) {
     add_ijump( $chainref, g => $target, s => IPv6_MULTICAST );
 }
 
-END PERL;
+?END PERL;
+
 
 
-    
 
 

Shorewall/action.Invalid

@@ -22,7 +22,7 @@
 #       along with this program; if not, write to the Free Software
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#   Invalid[([<action>|-[,{audit|-}])] 
+#   Invalid[([<action>|-[,{audit|-}])]
 #
 #       Default action is DROP
 #
@@ -31,7 +31,7 @@ FORMAT 2
 
 DEFAULTS DROP,-
 
-BEGIN PERL;
+?BEGIN PERL;
 
 use Shorewall::IPAddrs;
 use Shorewall::Config;
@@ -43,6 +43,7 @@ fatal_error "Invalid parameter ($audit) to action Invalid"   if supplied $audit
 fatal_error "Invalid parameter ($action) to action Invalid"  unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
 
 my $chainref         = get_action_chain;
+
 my ( $level, $tag )  = get_action_logging;
 my $target           = require_audit ( $action , $audit );
 
@@ -53,4 +54,4 @@ allow_optimize( $chainref );
 
 1;
 
-END PERL;
+?END PERL;

Shorewall/action.NotSyn

@@ -22,7 +22,7 @@
 #       along with this program; if not, write to the Free Software
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#   NotSyn[([<action>|-[,{audit|-}])] 
+#   NotSyn[([<action>|-[,{audit|-}])]
 #
 #       Default action is DROP
 #
@@ -31,7 +31,7 @@ FORMAT 2
 
 DEFAULTS DROP,-
 
-BEGIN PERL;
+?BEGIN PERL;
 
 use Shorewall::IPAddrs;
 use Shorewall::Config;
@@ -43,6 +43,7 @@ fatal_error "Invalid parameter ($audit) to action NotSyn"   if supplied $audit &
 fatal_error "Invalid parameter ($action) to action NotSyn"  unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
 
 my $chainref         = get_action_chain;
+
 my ( $level, $tag )  = get_action_logging;
 my $target           = require_audit ( $action , $audit );
 
@@ -53,4 +54,4 @@ allow_optimize( $chainref );
 
 1;
 
-END PERL;
+?END PERL;

Shorewall/action.RST

@@ -0,0 +1,56 @@
+#
+# Shorewall 4 - RST Action
+#
+#    /usr/share/shorewall/action.RST
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2012 - Tom Eastep (teastep@shorewall.net)
+#
+#       Complete documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#   RST[([<action>|-[,{audit|-}])]
+#
+#       Default action is DROP
+#
+##########################################################################################
+FORMAT 2
+
+DEFAULTS DROP,-
+
+?BEGIN PERL;
+
+use Shorewall::Config;
+use Shorewall::Chains;
+
+my ( $action, $audit ) = get_action_params( 2 );
+
+fatal_error "Invalid parameter ($audit) to action RST"   if supplied $audit && $audit ne 'audit';
+fatal_error "Invalid parameter ($action) to action RST"  unless $action =~ /^(?:ACCEPT|DROP)$/;
+
+my $chainref         = get_action_chain;
+
+my ( $level, $tag )  = get_action_logging;
+my $target           = require_audit ( $action , $audit );
+
+log_rule_limit $level, $chainref, 'RST' , $action, '', $tag, 'add', '-p 6 --tcp-flags RST RST ' if $level ne '';
+add_jump $chainref , $target, 0, '-p 6 --tcp-flags RST RST ';
+
+allow_optimize( $chainref );
+
+1;
+
+?END PERL;

Shorewall/action.Reject

@@ -29,15 +29,15 @@
 ###############################################################################
 FORMAT 2
 #
-# The following magic provides different defaults for $2 thru $5, when $1 is 
+# The following magic provides different defaults for $2 thru $5, when $1 is
 # 'audit'.
 #
-BEGIN PERL;
+?BEGIN PERL;
 use Shorewall::Config;
 
 my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
 
-if ( defined $p1 ) { 
+if ( defined $p1 ) {
     if ( $p1 eq 'audit' ) {
 	set_action_param( 2, 'A_REJECT')  unless supplied $p2;
 	set_action_param( 3, 'A_REJECT')  unless supplied $p3;
@@ -50,7 +50,7 @@ if ( defined $p1 ) {
 
 1;
 
-END PERL;
+?END PERL;
 
 DEFAULTS -,REJECT,REJECT,ACCEPT,DROP
 

Shorewall/action.TCPFlags

@@ -1,7 +1,7 @@
 #
-# Shorewall version 4 - Drop Smurfs Action
+# Shorewall version 4 - Drop TCPFlags Action
 #
-# /usr/share/shorewall/action.DropSmurfs
+# /usr/share/shorewall/action.TCPFlags
 #
 #   Accepts a single optional parameter:
 #
@@ -13,18 +13,18 @@ FORMAT 2
 
 DEFAULTS DROP,-
 
-BEGIN PERL;
+?BEGIN PERL;
 use strict;
 use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6);
 use Shorewall::Chains;
 
-
 my ( $disposition, $audit ) = get_action_params( 2 );
 
 my $chainref        = get_action_chain;
+
 my ( $level, $tag ) = get_action_logging;
 
-fatal_error q(The first argument to 'TCPFlags' must be ACCEPT, REJECT, or DROP) unless $disposition =~ /^(ACCEPT|REJECT|DROP)$/; 
+fatal_error q(The first argument to 'TCPFlags' must be ACCEPT, REJECT, or DROP) unless $disposition =~ /^(ACCEPT|REJECT|DROP)$/;
 
 if ( $level ne '-' || $audit ne '-' ) {
     my $logchainref = ensure_filter_chain newlogchain( $chainref->{table} ), 0;
@@ -42,22 +42,22 @@ if ( $level ne '-' || $audit ne '-' ) {
 	fatal_error "Invalid argument ($audit) to TCPFlags" if $audit ne 'audit';
 	require_capability 'AUDIT_TARGET', q(Passing 'audit' to the TCPFlags action), 's';
 	add_ijump( $logchainref, j => 'AUDIT --type ' . lc $disposition );
-    } 
+    }
 
     add_ijump( $logchainref, g => $disposition );
 
     $disposition = $logchainref;
 }
-		    
+
 add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags ALL FIN,URG,PSH';
 add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags ALL NONE';
 add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags SYN,RST SYN,RST';
 add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags SYN,FIN SYN,FIN';
 add_ijump $chainref , g => $disposition, p => 'tcp --syn --sport 0';
 
-END PERL;
+?END PERL;
+
 
 
-    
 
 

Shorewall/action.template

@@ -21,6 +21,6 @@
 #######################################################################################################
 #                                         DO NOT REMOVE THE FOLLOWING LINE
 FORMAT 2
-####################################################################################################################################################################
+#################################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH        HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP

Shorewall/actions.std

@@ -33,12 +33,13 @@
 #
 ###############################################################################
 #ACTION
-A_Drop 		    # Audited Default Action for DROP policy
+A_Drop 		                # Audited Default Action for DROP policy
-A_Reject	    # Audited Default action for REJECT policy
+A_Reject	                # Audited Default action for REJECT policy
-Broadcast	    # Handles Broadcast/Multicast/Anycast
+Broadcast  noinline             # Handles Broadcast/Multicast/Anycast
-Drop		    # Default Action for DROP policy
+Drop		                # Default Action for DROP policy
-DropSmurfs          # Drop smurf packets
+DropSmurfs noinline             # Drop smurf packets
-Invalid             # Handles packets in the INVALID conntrack state
+Invalid    noinline             # Handles packets in the INVALID conntrack state
-NotSyn              # Handles TCP packets which do not have SYN=1 and ACK=0
+NotSyn     noinline             # Handles TCP packets which do not have SYN=1 and ACK=0
-Reject		    # Default Action for REJECT policy
+Reject                          # Default Action for REJECT policy
-TCPFlags            # Handle bad flag combinations.
+RST	   noinline             # Handle packets with RST set
+TCPFlags   noinline             # Handle bad flag combinations.

Shorewall/configfiles/actions

@@ -7,6 +7,6 @@
 #
 # Please see http://shorewall.net/Actions.html for additional information.
 #
-###############################################################################
+########################################################################################
-#ACTION             COMMENT (place '# ' below the 'C' in comment followed by
+#ACTION    OPTIONS		COMMENT (place '# ' below the 'C' in comment followed by
-#                           a comment describing the action)
+#                        	v        a comment describing the action)

Shorewall/configfiles/blacklist

@@ -1,11 +0,0 @@
-#
-# Shorewall version 4 - Blacklist File
-#
-# For information about entries in this file, type "man shorewall-blacklist"
-#
-# Please see http://shorewall.net/blacklisting_support.htm for additional
-# information.
-#
-###############################################################################
-#ADDRESS/SUBNET		PROTOCOL	PORT	OPTIONS
-