Correct configure and configure.pl to output SPARSE

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/configure

@@ -159,7 +159,7 @@ echo '#'                                                                 > shore
 echo "# Created by Shorewall Core version $VERSION configure - " `date` >> shorewallrc
 echo '#'                                                                >> shorewallrc
 
-if [ -n "$@" ]; then
+if [ $# -gt 0 ]; then
     echo "# Input: $@" >> shorewallrc
     echo '#'           >> shorewallrc
 fi
@@ -181,6 +181,7 @@ for on in \
     SYSTEMD \
     SYSCONFFILE \
     SYSCONFDIR \
+    SPARSE \
     ANNOTATED \
     VARDIR
 do

Shorewall-core/configure.pl

@@ -140,6 +140,7 @@ for ( qw/ HOST
 	  SYSTEMD
 	  SYSCONFFILE
 	  SYSCONFDIR
+	  SPARSE
 	  ANNOTATED
 	  VARDIR / ) {
 

Shorewall-core/install.sh

@@ -307,6 +307,16 @@ chmod 755 ${DESTDIR}${SBINDIR}
 mkdir -p ${DESTDIR}${MANDIR}
 chmod 755 ${DESTDIR}${MANDIR}
 
+if [ -n "${INITFILE}" ]; then
+    mkdir -p ${DESTDIR}${INITDIR}
+    chmod 755 ${DESTDIR}${INITDIR}
+
+    if [ -n "$AUXINITSOURCE" -a -f "$AUXINITSOURCE" ]; then
+	install_file $AUXINITSOURCE ${DESTDIR}${INITDIR}/$AUXINITFILE 0544
+	[ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${INITDIR}/$AUXINITFILE
+	echo  "$Product script installed in ${DESTDIR}${INITDIR}/$AUXINITFILE"
+    fi
+fi
 #
 # Note: ${VARDIR} is created at run-time since it has always been
 #       a relocatable directory on a per-product basis

Shorewall-core/lib.base

@@ -41,6 +41,7 @@ if [ -z "$g_readrc" ]; then
     g_libexec="$LIBEXECDIR"
     g_sharedir="$SHAREDIR"/$g_program
     g_sbindir="$SBINDIR"
+    g_perllib="$PERLLIBDIR"
     g_vardir="$VARDIR"
     g_confdir="$CONFDIR"/$g_program
     g_readrc=1

Shorewall-core/lib.cli

@@ -31,9 +31,11 @@ if [ -z "$g_readrc" ]; then
     . /usr/share/shorewall/shorewallrc
 
     g_libexec="$LIBEXECDIR"
-    g_sbindir="$SBINDIR"
-    g_confdir="$CONFDIR"/$g_program
     g_sharedir="$SHAREDIR"/$g_program
+    g_sbindir="$SBINDIR"
+    g_perllib="$PERLLIBDIR"
+    g_vardir="$VARDIR"
+    g_confdir="$CONFDIR"/$g_program
     g_readrc=1
 fi
 
@@ -454,16 +456,28 @@ sort_routes() {
     done | sort -r | while read dest rest; do echo $rest; done
 }
 
+#
+# Isolate the table in the routing rules being read from stdin.
+# Piping through sed to remove trailing whitespace works around
+# recent 'features' in dash and ip.
+#
+find_tables() {
+    sed -r 's/[[:space:]]+$//' | while read rule; do
+	echo ${rule##* }
+    done
+}
+
 #
 # Show routing configuration
 #
 show_routing() {
+    local rule
+    local table
+
     if [ -n "$(ip -$g_family rule list)" ]; then
 	heading "Routing Rules"
 	ip -$g_family rule list
-	ip -$g_family rule list | while read rule; do
-	    echo ${rule##* }
-	done | sort -u | while read table; do
+	ip -$g_family rule list | find_tables | sort -u | while read table; do
 	    heading "Table $table:"
 	    if [ $g_family -eq 6 ]; then
 		ip -$g_family -o route list table $table | fgrep -v cache

Shorewall-core/shorewallrc.debian

@@ -9,7 +9,7 @@ LIBEXECDIR=${PREFIX}/share              #Directory for executable scripts.
 PERLLIBDIR=${PREFIX}/share/shorewall    #Directory to install Shorewall Perl module directory
 CONFDIR=/etc                            #Directory where subsystem configurations are installed
 SBINDIR=/sbin                           #Directory where system administration programs are installed
-MANDIR=${PREFIX}/man                    #Directory where manpages are installed.
+MANDIR=${PREFIX}/share/man              #Directory where manpages are installed.
 INITDIR=/etc/init.d                     #Directory where SysV init scripts are installed.
 INITFILE=$PRODUCT                       #Name of the product's installed SysV init script
 INITSOURCE=init.debian.sh               #Name of the distributed file to be installed as the SysV init script

Shorewall-core/shorewallrc.redhat

@@ -6,7 +6,7 @@ HOST=redhat
 PREFIX=/usr                             #Top-level directory for shared files, libraries, etc.
 SHAREDIR=${PREFIX}/share                #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/libexec            #Directory for executable scripts.
-PERLLIBDIR=/usr/share/perl5             #Directory to install Shorewall Perl module directory
+PERLLIBDIR=/usr/share/perl5/vendor_perl #Directory to install Shorewall Perl module directory
 CONFDIR=/etc                            #Directory where subsystem configurations are installed
 SBINDIR=/sbin                           #Directory where system administration programs are installed
 MANDIR=${SHAREDIR}/man                  #Directory where manpages are installed.

Shorewall-core/shorewallrc.slackware

@@ -11,10 +11,10 @@ CONFDIR=/etc                               #Directory where subsystem configurat
 SBINDIR=/sbin                              #Directory where system administration programs are installed
 MANDIR=${PREFIX}/man                       #Directory where manpages are installed.
 INITDIR=/etc/rc.d                          #Directory where SysV init scripts are installed.
-INITSOURCE=init.slackware.firewall         #Name of the distributed file to be installed as the SysV init script
-INITFILE=rc.firewall                       #Name of the product's installed SysV init script
-AUXINITSOURCE=init.slackware.$PRODUCT      #Name of the distributed file to be installed as a second SysV init script
-AUXINITFILE=rc.$PRODUCT                    #Name of the product's installed second init script
+AUXINITSOURCE=init.slackware.firewall.sh   #Name of the distributed file to be installed as the SysV init script
+AUXINITFILE=rc.firewall                    #Name of the product's installed SysV init script
+INITSOURCE=init.slackware.$PRODUCT.sh      #Name of the distributed file to be installed as a second SysV init script
+INITFILE=rc.$PRODUCT                       #Name of the product's installed second init script
 SYSTEMD=                                   #Name of the directory where .service files are installed (systems running systemd only)
 SYSCONFFILE=                               #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=                                #Name of the directory where SysV init parameter files are installed.

Shorewall-lite/Makefile

@@ -3,9 +3,9 @@ VARDIR=$(shell /sbin/shorewall-lite show vardir)
 SHAREDIR=/usr/share/shorewall-lite
 RESTOREFILE?=.restore
 
-all: $(VARDIR)/${RESTOREFILE}
+all: $(VARDIR)/$(RESTOREFILE)
 
-$(VARDIR)/${RESTOREFILE}: $(VARDIR)/firewall
+$(VARDIR)/$(RESTOREFILE): $(VARDIR)/firewall
 	@/sbin/shorewall-lite -q save >/dev/null; \
 	if \
 	    /sbin/shorewall-lite -q restart >/dev/null 2>&1; \

Shorewall-lite/install.sh

@@ -496,6 +496,7 @@ if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
 	echo "Set startup=1 in ${SYSCONFDIR}/$PRODUCT to enable"
 	touch /var/log/$PRODUCT-init.log
 	perl -p -w -i -e 's/^STARTUP_ENABLED=No/STARTUP_ENABLED=Yes/;s/^IP_FORWARDING=On/IP_FORWARDING=Keep/;s/^SUBSYSLOCK=.*/SUBSYSLOCK=/;' ${CONFDIR}/${PRODUCT}/${PRODUCT}.conf
+	update-rc.d $PRODUCT enable defaults
     elif [ -n "$SYSTEMD" ]; then
 	if systemctl enable $PRODUCT; then
 	    echo "$Product will start automatically at boot"

Shorewall-lite/shorewall-lite

@@ -35,6 +35,7 @@ g_program=shorewall-lite
 g_libexec="$LIBEXECDIR"
 g_sharedir="$SHAREDIR"/shorewall-lite
 g_sbindir="$SBINDIR"
+g_vardir="$VARDIR"
 g_confdir="$CONFDIR"/shorewall-lite
 g_readrc=1
 

Shorewall/Macros/macro.Amanda

@@ -11,6 +11,7 @@
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 PARAM	-	-	udp	10080
+PARAM	-	-	tcp	10080
 #
 # You may also need this rule.  With AMANDA 2.4.4 on Linux kernel 2.6,
 # it should not be necessary to use this.  The ip_conntrack_amanda

Shorewall/Macros/macro.BLACKLIST

@@ -8,4 +8,8 @@
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
-$BLACKLIST_DISPOSITION:$BLACKLIST_LOGLEVEL
+?IF $BLACKLIST_LOGLEVEL
+blacklog
+?ELSE
+$BLACKLIST_DISPOSITION
+?ENDIF

Shorewall/Makefile

@@ -3,9 +3,9 @@ VARDIR=$(shell /sbin/shorewall show vardir)
 CONFDIR=/etc/shorewall
 RESTOREFILE?=firewall
 
-all: $(VARDIR)/${RESTOREFILE}
+all: $(VARDIR)/$(RESTOREFILE)
 
-$(VARDIR)/${RESTOREFILE}: $(CONFDIR)/*
+$(VARDIR)/$(RESTOREFILE): $(CONFDIR)/*
 	@/sbin/shorewall -q save >/dev/null; \
 	if \
 	    /sbin/shorewall -q restart >/dev/null 2>&1; \

Shorewall/Perl/.includepath

@@ -1,3 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<includepath />
-

Shorewall/Perl/Shorewall/Accounting.pm

@@ -394,7 +394,7 @@ sub setup_accounting() {
 
 	my $nonEmpty = 0;
 
-	$nonEmpty |= process_accounting_rule while read_a_line;
+	$nonEmpty |= process_accounting_rule while read_a_line( NORMAL_READ );
 
 	clear_comment;
 

Shorewall/Perl/Shorewall/Chains.pm

@@ -219,6 +219,7 @@ our %EXPORT_TAGS = (
 				       do_ipsec_options
 				       do_ipsec
 				       log_rule
+				       handle_network_list
 				       expand_rule
 				       addnatjump
 				       set_chain_variables
@@ -699,7 +700,7 @@ sub incr_cmd_level( $ ) {
 }
 
 sub decr_cmd_level( $ ) {
-    assert( --$_[0]->{cmdlevel} >= 0);
+    assert( --$_[0]->{cmdlevel} >= 0, $_[0] );
 }
 
 #
@@ -714,14 +715,14 @@ sub decr_cmd_level( $ ) {
 sub set_rule_option( $$$ ) {
     my ( $ruleref, $option, $value ) = @_;
 
-    assert( defined $value && reftype $ruleref );
+    assert( defined $value && reftype $ruleref , $value, $ruleref );
 
     $ruleref->{simple} = 0;
 
     my $opttype = $opttype{$option} || MATCH;
 
     if ( exists $ruleref->{$option} ) {
-	assert( defined( my $value1 = $ruleref->{$option} ) );
+	assert( defined( my $value1 = $ruleref->{$option} ) , $ruleref );
 
 	if ( $opttype == MATCH ) {
 	    if ( $globals{KLUDGEFREE} ) {
@@ -735,14 +736,14 @@ sub set_rule_option( $$$ ) {
 
 		push @{$ruleref->{$option}}, ( reftype $value ? @$value : $value );
 	    } else {
-		$ruleref->{$option} = join(' ', $value1, $value );
+		$ruleref->{$option} = join(' ', $value1, $value ) unless $value1 eq $value;
 	    }
 	} elsif ( $opttype == EXCLUSIVE ) {
 	    $ruleref->{$option} .= ",$value";
 	} elsif ( $opttype == UNIQUE ) {
 	    fatal_error "Multiple $option settings in one rule is prohibited";
 	} else {
-	    assert(0);
+	    assert(0, $opttype );
 	}
     } else {
 	$ruleref->{$option} = $value;
@@ -823,7 +824,7 @@ sub rule_target( $ ) {
 sub clear_rule_target( $ ) {
     my $ruleref = shift;
 
-    assert( reftype $ruleref );
+    assert( reftype $ruleref , $ruleref );
 
     delete $ruleref->{jump};
     delete $ruleref->{targetopts};
@@ -835,7 +836,7 @@ sub clear_rule_target( $ ) {
 sub set_rule_target( $$$ ) {
     my ( $ruleref, $target, $opts) = @_;
 
-    assert( reftype $ruleref );
+    assert( reftype $ruleref , $ruleref );
 
     $ruleref->{jump}     = 'j';
     $ruleref->{target}   = $target;
@@ -1033,7 +1034,7 @@ sub push_rule( $$ ) {
 sub add_trule( $$ ) {
     my ( $chainref, $ruleref ) = @_;
 
-    assert( reftype $ruleref );
+    assert( reftype $ruleref , $ruleref );
     push @{$chainref->{rules}}, $ruleref;
     $chainref->{referenced} = 1;
 
@@ -1129,7 +1130,7 @@ sub add_rule($$;$) {
 
     our $splitcount;
 
-    assert( ! reftype $rule );
+    assert( ! reftype $rule , $rule );
 
     $iprangematch = 0;
     #
@@ -1180,7 +1181,7 @@ sub push_matches {
     my $dont_optimize = 0;
 
     while ( @_ ) {
-	my ( $option, $value ) = ( shift , shift );
+	my ( $option, $value ) = ( shift, shift );
 
 	assert( defined $value );
 
@@ -1301,7 +1302,7 @@ sub insert_rule1($$$)
     my $ruleref = transform_rule( $rule );
 
     $ruleref->{comment}  = "$comment" if $comment;
-    assert( ! ( $ruleref->{cmdlevel} = $chainref->{cmdlevel}) );
+    assert( ! ( $ruleref->{cmdlevel} = $chainref->{cmdlevel}) , $chainref->{name} );
     $ruleref->{mode} = CAT_MODE;
 
     splice( @{$chainref->{rules}}, $number, 0, $ruleref );
@@ -1435,7 +1436,7 @@ sub decrement_reference_count( $$ ) {
     my ($toref, $chain) = @_;
 
     if ( $toref && $toref->{referenced} ) {
-	assert($toref->{references}{$chain} > 0 );
+	assert($toref->{references}{$chain} > 0 , $toref, $chain );
 	delete $toref->{references}{$chain} unless --$toref->{references}{$chain};
 	delete_chain( $toref )              unless ( keys %{$toref->{references}} );
     }
@@ -2085,7 +2086,7 @@ sub delete_jumps ( $$ ) {
 	    }
 	}
 
-	assert( ! $refs );
+	assert( ! $refs , $from, $to );
     }
 
     delete $toref->{references}{$from};
@@ -2588,7 +2589,7 @@ sub delete_references( $ ) {
     #
     # Make sure the above loop found all references
     #
-    assert ( ! $toref->{referenced} );
+    assert ( ! $toref->{referenced}, $toref->{name} );
 
     $count;
 }
@@ -3969,7 +3970,7 @@ sub do_ratelimit( $$ ) {
 	if ( $rate =~ /^[sd]:((\w*):)?((\d+)(\/(sec|min|hour|day))?):(\d+)$/ ) {
 	    fatal_error "Invalid Rate ($3)" unless $4;
 	    fatal_error "Invalid Burst ($7)" unless $7;
-	    $limit .= "--hashlimit $3 --hashlimit-burst $7 --hashlimit-name ";
+	    $limit .= "--$match $3 --hashlimit-burst $7 --hashlimit-name ";
 	    $limit .= $2 ? $2 : 'shorewall' . $hashlimitset++;
 	    $limit .= ' --hashlimit-mode ';
 	    $units = $6;
@@ -6622,7 +6623,7 @@ sub create_netfilter_load( $ ) {
 	for my $chain ( @builtins ) {
 	    my $chainref = $chain_table{$table}{$chain};
 	    if ( $chainref ) {
-		assert( $chainref->{cmdlevel} == 0 );
+		assert( $chainref->{cmdlevel} == 0, $chainref->{name} );
 		emit_unindented ":$chain $chainref->{policy} [0:0]";
 		push @chains, $chainref;
 	    }
@@ -6633,7 +6634,7 @@ sub create_netfilter_load( $ ) {
 	for my $chain ( grep $chain_table{$table}{$_}->{referenced} , ( sort keys %{$chain_table{$table}} ) ) {
 	    my $chainref =  $chain_table{$table}{$chain};
 	    unless ( $chainref->{builtin} ) {
-		assert( $chainref->{cmdlevel} == 0 );
+		assert( $chainref->{cmdlevel} == 0 , $chainref->{name} );
 		emit_unindented ":$chainref->{name} - [0:0]";
 		push @chains, $chainref;
 	    }
@@ -6705,7 +6706,7 @@ sub preview_netfilter_load() {
 	for my $chain ( @builtins ) {
 	    my $chainref = $chain_table{$table}{$chain};
 	    if ( $chainref ) {
-		assert( $chainref->{cmdlevel} == 0 );
+		assert( $chainref->{cmdlevel} == 0 , $chainref->{name} );
 		print ":$chain $chainref->{policy} [0:0]\n";
 		push @chains, $chainref;
 	    }
@@ -6716,7 +6717,7 @@ sub preview_netfilter_load() {
 	for my $chain ( grep $chain_table{$table}{$_}->{referenced} , ( sort keys %{$chain_table{$table}} ) ) {
 	    my $chainref =  $chain_table{$table}{$chain};
 	    unless ( $chainref->{builtin} ) {
-		assert( $chainref->{cmdlevel} == 0 );
+		assert( $chainref->{cmdlevel} == 0, $chainref->{name} );
 		print ":$chainref->{name} - [0:0]\n";
 		push @chains, $chainref;
 	    }
@@ -6935,7 +6936,7 @@ sub create_stop_load( $ ) {
 	for my $chain ( @builtins ) {
 	    my $chainref = $chain_table{$table}{$chain};
 	    if ( $chainref ) {
-		assert( $chainref->{cmdlevel} == 0 );
+		assert( $chainref->{cmdlevel} == 0 , $chainref->{name} );
 		emit_unindented ":$chain $chainref->{policy} [0:0]";
 		push @chains, $chainref;
 	    }
@@ -6946,7 +6947,7 @@ sub create_stop_load( $ ) {
 	for my $chain ( grep $chain_table{$table}{$_}->{referenced} , ( sort keys %{$chain_table{$table}} ) ) {
 	    my $chainref =  $chain_table{$table}{$chain};
 	    unless ( $chainref->{builtin} ) {
-		assert( $chainref->{cmdlevel} == 0 );
+		assert( $chainref->{cmdlevel} == 0 , $chainref->{name} );
 		emit_unindented ":$chainref->{name} - [0:0]";
 		push @chains, $chainref;
 	    }

Shorewall/Perl/Shorewall/Compiler.pm

@@ -354,7 +354,7 @@ sub generate_script_3($) {
 	    emit 'cat > ${VARDIR}/.modules << EOF';
 	    open_file $fn;
 
-	    emit_unindented $currentline while read_a_line;
+	    emit_unindented $currentline while read_a_line( NORMAL_READ );
 
 	    emit_unindented 'EOF';
 	    emit '', 'reload_kernel_modules < ${VARDIR}/.modules';

Shorewall/Perl/Shorewall/Config.pm

@@ -150,6 +150,15 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 
 				       MIN_VERBOSITY
 				       MAX_VERBOSITY
+
+				       PLAIN_READ
+				       EMBEDDED_ENABLED
+				       EXPAND_VARIABLES
+				       STRIP_COMMENTS
+				       SUPPRESS_WHITESPACE
+				       CONFIG_CONTINUATION
+				       DO_INCLUDE
+				       NORMAL_READ
 				     ) ] );
 
 Exporter::export_ok_tags('internal');
@@ -438,6 +447,20 @@ my $ifstack;
 # From .shorewallrc
 #
 our %shorewallrc;
+#
+# read_a_line options
+#
+use constant { PLAIN_READ          => 0,     # No read_a_line options
+               EMBEDDED_ENABLED    => 1,     # Look for embedded Shell and Perl
+	       EXPAND_VARIABLES    => 2,     # Expand Shell variables
+	       STRIP_COMMENTS      => 4,     # Remove comments
+	       SUPPRESS_WHITESPACE => 8,     # Ignore blank lines
+	       CHECK_GUNK          => 16,    # Look for unprintable characters
+	       CONFIG_CONTINUATION => 32,    # Suppress leading whitespace if
+                                             # continued line ends in ',' or ':'
+	       DO_INCLUDE          => 64,    # Look for INCLUDE <filename>
+               NORMAL_READ         => -1     # All options
+	   };
 
 sub process_shorewallrc($);
 #
@@ -759,35 +782,73 @@ sub initialize( $;$ ) {
 		    CONFDIR  => '/etc/',
 		    );
 
-    if ( $shorewallrc ) {
-	process_shorewallrc( $shorewallrc );
+    process_shorewallrc( $shorewallrc ) if $shorewallrc;
 
-	$globals{SHAREDIRPL} = "$shorewallrc{SHAREDIR}/shorewall/";
+    $globals{SHAREDIRPL} = "$shorewallrc{SHAREDIR}/shorewall/";
 
-	if ( $family == F_IPV4 ) {
-	    $globals{SHAREDIR}      = "$shorewallrc{SHAREDIR}/shorewall";
-	    $globals{CONFDIR}       = "$shorewallrc{CONFDIR}/shorewall";
-	    $globals{PRODUCT}       = 'shorewall';
-	    $config{IPTABLES}       = undef;
-	    $validlevels{ULOG}      = 'ULOG';
-	} else {
-	    $globals{SHAREDIR}      = "$shorewallrc{SHAREDIR}/shorewall6";
-	    $globals{CONFDIR}       = "$shorewallrc{CONFDIR}/shorewall6";
-	    $globals{PRODUCT}       = 'shorewall6';
-	    $config{IP6TABLES}      = undef;
-	}
+    if ( $family == F_IPV4 ) {
+	$globals{SHAREDIR}      = "$shorewallrc{SHAREDIR}/shorewall";
+	$globals{CONFDIR}       = "$shorewallrc{CONFDIR}/shorewall";
+	$globals{PRODUCT}       = 'shorewall';
+	$config{IPTABLES}       = undef;
+	$validlevels{ULOG}      = 'ULOG';
+    } else {
+	$globals{SHAREDIR}      = "$shorewallrc{SHAREDIR}/shorewall6";
+	$globals{CONFDIR}       = "$shorewallrc{CONFDIR}/shorewall6";
+	$globals{PRODUCT}       = 'shorewall6';
+	$config{IP6TABLES}      = undef;
     }
 }
 
 my @abbr = qw( Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec );
 
+#
+# Create 'currentlineinfo'
+#
+sub currentlineinfo() {
+    my $linenumber = $currentlinenumber || 1;
+
+    if ( $currentfile ) {
+	my $lineinfo = " $currentfilename ";
+	
+	if ( $linenumber eq 'EOF' ) {
+	    $lineinfo .= '(EOF)'
+	} else {
+	    $lineinfo .= "(line $linenumber)";
+	}
+	#
+	# Unwind the current include stack
+	#
+	for ( my $i = @includestack - 1; $i >= 0; $i-- ) {
+	    my $info = $includestack[$i];
+	    $linenumber = $info->[2] || 1;
+	    $lineinfo .= "\n      from $info->[1] (line $linenumber)";
+	}
+	#
+	# Now unwind the open stack; each element is an include stack
+	#
+	for ( my $i = @openstack - 1; $i >= 0; $i-- ) {
+	    my $istack = $openstack[$i];
+	    for ( my $j = ( @$istack - 1 ); $j >= 0; $j-- ) {
+		my $info = $istack->[$j];
+		$linenumber = $info->[2] || 1;
+		$lineinfo .= "\n      from $info->[1] (line $linenumber)";
+	    }
+	}
+
+	$lineinfo;
+
+    } else {
+	'';
+    }
+}
+
 #
 # Issue a Warning Message
 #
 sub warning_message
 {
-    my $linenumber = $currentlinenumber || 1;
-    my $currentlineinfo = $currentfile ?  " : $currentfilename " . ( $linenumber eq 'EOF' ? '(EOF)' : "(line $linenumber)" ) : '';
+    my $currentlineinfo = currentlineinfo;
     our @localtime;
 
     $| = 1; #Reset output buffering (flush any partially filled buffers).
@@ -815,6 +876,30 @@ sub cleanup() {
     close  $script, $script = undef         if $script;
     close  $perlscript, $perlscript = undef if $perlscript;
     close  $log, $log = undef               if $log;
+
+    if ( $currentfile ) {
+	#
+	# We have a current input file; close it
+	#
+	close $currentfile;
+	#
+	# Unwind the current include stack
+	#
+	for ( my $i = @includestack - 1; $i >= 0; $i-- ) {
+	    my $info = $includestack[$i];
+	    close $info->[0];
+	}
+	#
+	# Now unwind the open stack; each element is an include stack
+	#
+	for ( my $i = @openstack - 1; $i >= 0; $i-- ) {
+	    my $istack = $openstack[$i];
+	    for ( my $j = ( @$istack - 1 ); $j >= 0; $j-- ) {
+		my $info = $istack->[$j];
+		close $info->[0];
+	    }
+	}
+    }
     #
     # Unlink temporary files
     #
@@ -842,8 +927,7 @@ sub cleanup() {
 # Issue fatal error message and die
 #
 sub fatal_error	{
-    my $linenumber = $currentlinenumber || 1;
-    my $currentlineinfo = $currentfile ?  " : $currentfilename " . ( $linenumber eq 'EOF' ? '(EOF)' : "(line $linenumber)" ) : '';
+    my $currentlineinfo = currentlineinfo;
 
     $| = 1; #Reset output buffering (flush any partially filled buffers).
 
@@ -889,13 +973,16 @@ sub fatal_error1 {
 }
 
 #
-# C/C++-like assertion checker
+# C/C++-like assertion checker -- the optional arguments are not used but will
+#                                 appear in the stack trace
 #
-sub assert( $;$ ) {
+sub assert( $;@ ) {
     unless ( $_[0] ) {
 	my @caller0 = caller 0; # Where assert() was called
 	my @caller1 = caller 1; # Who called assert()
 
+	$confess = 1;
+
 	fatal_error "Internal error in $caller1[3] at $caller0[1] line $caller0[2]";
     }
 }
@@ -943,7 +1030,9 @@ sub normalize_hex( $ ) {
 # Return the argument expressed in Hex
 #
 sub in_hex( $ ) {
-    sprintf '0x%x', $_[0];
+    my $value = $_[0];
+
+    $value =~ /^0x/ ? $value : sprintf '0x%x', $_[0];
 }
 
 sub in_hex2( $ ) {
@@ -1334,9 +1423,7 @@ sub find_file($)
 
     return $filename if $filename =~ '/';
 
-    my $directory;
-
-    for $directory ( @config_path ) {
+    for my $directory ( @config_path ) {
 	my $file = "$directory$filename";
 	return $file if -f $file;
     }
@@ -1405,11 +1492,13 @@ sub supplied( $ ) {
 #    supply '-' in omitted trailing columns.
 #    Handles all of the supported forms of column/pair specification
 #
-sub split_line1( $$;$ ) {
-    my ( $description, $columnsref, $nopad) = @_;
+sub split_line1( $$;$$ ) {
+    my ( $description, $columnsref, $nopad, $maxcolumns ) = @_;
 
-    my @maxcolumns = ( keys %$columnsref );
-    my $maxcolumns = @maxcolumns;
+    unless ( defined $maxcolumns ) {
+	my @maxcolumns = ( keys %$columnsref );
+	$maxcolumns = @maxcolumns;
+    }
     #
     # First see if there is a semicolon on the line; what follows will be column/value paris
     #
@@ -1574,7 +1663,7 @@ sub process_conditional( $$$ ) {
 
 	fatal_error "Invalid IF variable ($rest)" unless ($rest =~ s/^\$// || $rest =~ /^__/ ) && $rest =~ /^\w+$/;
 
-	push @ifstack, [ 'IF', $lastomit, $omitting, $linenumber ];
+	push @ifstack, [ 'IF', $omitting, $omitting, $linenumber ];
 
 	if ( $rest eq '__IPV6' ) {
 	    $omitting = $family == F_IPV4;
@@ -1877,7 +1966,7 @@ EOF
 #
 sub push_open( $ ) {
 
-    push @includestack, [ $currentfile, $currentfilename, $currentlinenumber, $ifstack ];
+    push @includestack, [ $currentfile, $currentfilename, $currentlinenumber, $ifstack ] if $currentfile;
     my @a = @includestack;
     push @openstack, \@a;
     @includestack = ();
@@ -1930,12 +2019,10 @@ sub shorewall {
 sub first_entry( $ ) {
     $first_entry = $_[0];
     my $reftype = reftype $first_entry;
-    if ( $reftype ) {
-	fatal_error "Invalid argument to first_entry()" unless $reftype eq 'CODE';
-    }
+    assert( $reftype eq 'CODE' ) if $reftype;
 }
 
-sub read_a_line(;$$$$);
+sub read_a_line($);
 
 sub embedded_shell( $ ) {
     my $multiline = shift;
@@ -1952,7 +2039,7 @@ sub embedded_shell( $ ) {
 
 	my $last = 0;
 
-	while ( read_a_line( 0, 0, 0, 0 ) ) {
+	while ( read_a_line( PLAIN_READ ) ) {
 	    last if $last = $currentline =~ s/^\s*END(\s+SHELL)?\s*;?//;
 	    $command .= "$currentline\n";
 	}
@@ -1986,7 +2073,7 @@ sub embedded_perl( $ ) {
 
 	my $last = 0;
 
-	while ( read_a_line( 0, 0, 0, 0 ) ) {
+	while ( read_a_line( PLAIN_READ ) ) {
 	    last if $last = $currentline =~ s/^\s*END(\s+PERL)?\s*;?//;
 	    $command .= "$currentline\n";
 	}
@@ -2100,11 +2187,11 @@ sub set_action_param( $$ ) {
 }
 
 #
-# Expand Shell Variables in the passed buffer using %params and @actparms
+# Expand Shell Variables in the passed buffer using @actparms, %params, %shorewallrc and %config, 
 #
 sub expand_variables( \$ ) {
     my ( $lineref, $count ) = ( $_[0], 0 );
-    #                    $1      $2   $3      -     $4
+    #                         $1      $2   $3      -     $4
     while ( $$lineref =~ m( ^(.*?) \$({)? (\w+) (?(2)}) (.*)$ )x ) {
 
 	my ( $first, $var, $rest ) = ( $1, $3, $4);
@@ -2142,7 +2229,7 @@ sub handle_first_entry() {
 }
 
 #
-# Read a line from the current include stack.
+# Read a line from the current include stack. Based on the passed options, it will conditionally:
 #
 #   - Ignore blank or comment-only lines.
 #   - Remove trailing comments.
@@ -2153,11 +2240,8 @@ sub handle_first_entry() {
 #   - Handle ?IF, ?ELSE, ?ENDIF
 #
 
-sub read_a_line(;$$$$) {
-    my $embedded_enabled    = defined $_[0] ? shift : 1;
-    my $expand_variables    = defined $_[0] ? shift : 1;
-    my $strip_comments      = defined $_[0] ? shift : 1;
-    my $suppress_whitespace = defined $_[0] ? shift : 1;
+sub read_a_line($) {
+    my $options = $_[0];
 
     while ( $currentfile ) {
 
@@ -2172,12 +2256,12 @@ sub read_a_line(;$$$$) {
 	    #
 	    # Suppress leading whitespace in certain continuation lines
 	    #
-	    s/^\s*// if $currentline =~ /[,:]$/ && $suppress_whitespace;
+	    s/^\s*// if $currentline =~ /[,:]$/ && $options & CONFIG_CONTINUATION;
 	    #
 	    # If this is a continued line with a trailing comment, remove comment. Note that
 	    # the result will now end in '\'.
 	    #
-	    s/\s*#.*$// if $strip_comments && /[\\]\s*#.*$/;
+	    s/\s*#.*$// if ($options & STRIP_COMMENTS) && /[\\]\s*#.*$/;
 	    #
 	    # Continuation
 	    #
@@ -2200,7 +2284,7 @@ sub read_a_line(;$$$$) {
 	    #
 	    # Must check for shell/perl before doing variable expansion
 	    #
-	    if ( $embedded_enabled ) {
+	    if ( $options & EMBEDDED_ENABLED ) {
 		if ( $currentline =~ s/^\s*(BEGIN\s+)?SHELL\s*;?// ) {
 		    handle_first_entry if $first_entry;
 		    embedded_shell( $1 );
@@ -2214,13 +2298,20 @@ sub read_a_line(;$$$$) {
 		}
 	    }
 	    #
-	    # Now remove concatinated comments
+	    # Now remove concatinated comments if asked
 	    #
-	    $currentline =~ s/\s*#.*$// if $strip_comments;
-	    #
-	    # Ignore ( concatenated ) Blank Lines after comments are removed.
-	    #
-	    $currentline = '', $currentlinenumber = 0, next if $currentline =~ /^\s*$/ && $suppress_whitespace;
+	    $currentline =~ s/\s*#.*$// if $options & STRIP_COMMENTS;
+
+	    if ( $options & SUPPRESS_WHITESPACE ) {
+		#
+		# Ignore (concatinated) blank lines
+		#
+		$currentline = '', $currentlinenumber = 0, next if $currentline =~ /^\s*$/;
+		#
+		# Eliminate trailing whitespace
+		#
+		$currentline =~ s/\s*$//;
+	    }
 	    #
 	    # Line not blank -- Handle any first-entry message/capabilities check
 	    #
@@ -2228,9 +2319,9 @@ sub read_a_line(;$$$$) {
 	    #
 	    # Expand Shell Variables using %params and @actparms
 	    #
-	    expand_variables( $currentline ) if $expand_variables;
+	    expand_variables( $currentline ) if $options & EXPAND_VARIABLES;
 
-	    if ( $currentline =~ /^\s*\??INCLUDE\s/ ) {
+	    if ( ( $options & DO_INCLUDE ) && $currentline =~ /^\s*\??INCLUDE\s/ ) {
 
 		my @line = split ' ', $currentline;
 
@@ -2252,6 +2343,7 @@ sub read_a_line(;$$$$) {
 
 		$currentline = '';
 	    } else {
+		fatal_error "Non-ASCII gunk in file" if ( $options && CHECK_GUNK ) && $currentline =~ /[^\s[:print:]]/;
 		print "IN===> $currentline\n" if $debug;
 		return 1;
 	    }
@@ -2261,33 +2353,13 @@ sub read_a_line(;$$$$) {
     }
 }
 
-#
-# Simple version of the above. Doesn't do line concatenation, shell variable expansion or INCLUDE processing
-#
-sub read_a_line1() {
-    while ( $currentfile ) {
-	while ( $currentline = <$currentfile> ) {
-	    next if $currentline =~ /^\s*#/;
-	    chomp $currentline;
-	    next if $currentline =~ /^\s*$/;
-	    $currentline =~ s/#.*$//;       # Remove Trailing Comments
-	    fatal_error "Non-ASCII gunk in file" if $currentline =~ /[^\s[:print:]]/;
-	    $currentlinenumber = $.;
-	    print "IN===> $currentline\n" if $debug;
-	    return 1;
-	}
-
-	close_file;
-    }
-}
-
 sub process_shorewallrc( $ ) {
     my $shorewallrc = shift;
 
     $shorewallrc{PRODUCT} = $family == F_IPV4 ? 'shorewall' : 'shorewall6';
 
     if ( open_file $shorewallrc ) {
-	while ( read_a_line1 ) {
+	while ( read_a_line( STRIP_COMMENTS | SUPPRESS_WHITESPACE | CHECK_GUNK ) ) {
 	    if ( $currentline =~ /^([a-zA-Z]\w*)=(.*)$/ ) {
 		my ($var, $val) = ($1, $2);
 		$val = $1 if $val =~ /^\"([^\"]*)\"$/;
@@ -2568,7 +2640,7 @@ sub load_kernel_modules( ) {
 
 	my @suffixes = split /\s+/ , $config{MODULE_SUFFIX};
 
-	while ( read_a_line ) {
+	while ( read_a_line( NORMAL_READ ) ) {
 	    fatal_error "Invalid modules file entry" unless ( $currentline =~ /^loadmodule\s+([a-zA-Z]\w*)\s*(.*)$/ );
 	    my ( $module, $arguments ) = ( $1, $2 );
 	    unless ( $loadedmodules{ $module } ) {
@@ -3245,7 +3317,7 @@ sub ensure_config_path() {
 
 	add_param( CONFDIR => $globals{CONFDIR} );
 
-	while ( read_a_line ) {
+	while ( read_a_line( NORMAL_READ ) ) {
 	    if ( $currentline =~ /^\s*([a-zA-Z]\w*)=(.*?)\s*$/ ) {
 		my ($var, $val) = ($1, $2);
 		$config{$var} = ( $val =~ /\"([^\"]*)\"$/ ? $1 : $val ) if exists $config{$var};
@@ -3324,7 +3396,7 @@ sub update_config_file( $ ) {
 	#
 	# Debian or derivative
 	#
-	$fn = $annotate ? "/usr/share/doc/${product}/default-config/${product}.conf.annotated" : "/usr/share/doc/${product}/default-config/${product}.conf";
+	$fn = $annotate ? "$shorewallrc{SHAREDIR}/doc/${product}/default-config/${product}.conf.annotated" : "$shorewallrc{SHAREDIR}/doc/${product}/default-config/${product}.conf";
     } else {
 	#
 	# The rest of the World
@@ -3443,7 +3515,7 @@ sub process_shorewall_conf( $$ ) {
 	    #
 	    # Don't expand shell variables or allow embedded scripting
 	    #
-	    while ( read_a_line1 ) {
+	    while ( read_a_line( STRIP_COMMENTS | SUPPRESS_WHITESPACE  | CHECK_GUNK ) ) {
 		if ( $currentline =~ /^\s*([a-zA-Z]\w*)=(.*?)\s*$/ ) {
 		    my ($var, $val) = ($1, $2);
 
@@ -3483,7 +3555,7 @@ sub process_shorewall_conf( $$ ) {
 # Process the records in the capabilities file
 #
 sub read_capabilities() {
-    while ( read_a_line1 ) {
+    while ( read_a_line( STRIP_COMMENTS | SUPPRESS_WHITESPACE  | CHECK_GUNK ) ) {
 	if ( $currentline =~ /^([a-zA-Z]\w*)=(.*)$/ ) {
 	    my ($var, $val) = ($1, $2);
 	    unless ( exists $capabilities{$var} ) {
@@ -4268,7 +4340,7 @@ sub append_file( $;$$ ) {
 
     $indent = '' if $unindented;
 
-    unless ( $user_exit =~ m(^/usr/share/shorewall6?/) ) {
+    unless ( $user_exit =~ m(^$shorewallrc{SHAREDIR}/shorewall6?/) ) {
 	if ( -f $user_exit ) {
 	    if ( $nomsg ) {
 		#
@@ -4327,8 +4399,9 @@ sub run_user_exit1( $ ) {
 	#
 	push_open $file;
 
-	if ( read_a_line1 ) {
+	if ( read_a_line( STRIP_COMMENTS | SUPPRESS_WHITESPACE  | CHECK_GUNK ) ) {
 	    close_file;
+	    pop_open;
 
 	    my $command = qq(package Shorewall::User;\n# line 1 "$file"\n) . `cat $file`;
 
@@ -4358,8 +4431,9 @@ sub run_user_exit2( $$ ) {
 	#
 	push_open $file;
 
-	if ( read_a_line1 ) {
+	if ( read_a_line( STRIP_COMMENTS | SUPPRESS_WHITESPACE  | CHECK_GUNK ) ) {
 	    close_file;
+	    pop_open;
 
 	    unless (my $return = eval `cat $file` ) {
 		fatal_error "Couldn't parse $file: $@" if $@;

Shorewall/Perl/Shorewall/Misc.pm

@@ -79,7 +79,7 @@ sub process_tos() {
 		       }
 		   );
 
-	while ( read_a_line ) {
+	while ( read_a_line( NORMAL_READ ) ) {
 
 	    my ($src, $dst, $proto, $ports, $sports , $tos, $mark ) = split_line 'tos file entry', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, tos => 5, mark => 6 } ;
 
@@ -149,7 +149,7 @@ sub setup_ecn()
 			   warning_message 'ECN will not be applied to forwarded packets' unless have_capability 'MANGLE_FORWARD';
 		       } );
 
-	while ( read_a_line ) {
+	while ( read_a_line( NORMAL_READ ) ) {
 
 	    my ($interface, $hosts ) = split_line 'ecn file entry', { interface => 0, hosts => 1 };
 
@@ -227,7 +227,7 @@ sub setup_blacklist() {
 
 	    first_entry "$doing $fn...";
 
-	    while ( read_a_line ) {
+	    while ( read_a_line ( NORMAL_READ ) ) {
 
 		if ( $first_entry ) {
 		    unless  ( @$zones || @$zones1 ) {
@@ -346,7 +346,7 @@ sub remove_blacklist( $ ) {
 
     open $newfile, '>', "$fn.new" or fatal_error "Unable to open $fn.new for output: $!";
 
-    while ( read_a_line(1,1,0) ) {
+    while ( read_a_line( EMBEDDED_ENABLED | EXPAND_VARIABLES ) ) {
 	my ( $rule, $comment ) = split '#', $currentline, 2;
 
 	if ( $rule =~ /blacklist/ ) {
@@ -396,7 +396,7 @@ sub convert_blacklist() {
 
 	first_entry "Converting $fn...";
 
-	while ( read_a_line ) {
+	while ( read_a_line( NORMAL_READ ) ) {
 	    my ( $networks, $protocol, $ports, $options ) = split_line 'blacklist file', { networks => 0, proto => 1, port => 2, options => 3 };
 
 	    if ( $options eq '-' ) {
@@ -468,7 +468,7 @@ sub convert_blacklist() {
 		open $blrules, '>',  $fn1 or fatal_error "Unable to open $fn1: $!";
 		print $blrules <<'EOF';
 #
-# Shorewall version 5 - Blacklist Rules File
+# Shorewall version 4.5 - Blacklist Rules File
 #
 # For information about entries in this file, type "man shorewall-blrules"
 #
@@ -554,7 +554,7 @@ sub process_routestopped() {
 
 	first_entry "$doing $fn...";
 
-	while ( read_a_line ) {
+	while ( read_a_line ( NORMAL_READ ) ) {
 
 	    my ($interface, $hosts, $options , $proto, $ports, $sports ) =
 		split_line 'routestopped file', { interface => 0, hosts => 1, options => 2, proto => 3, dport => 4, sport => 5 };
@@ -1097,7 +1097,7 @@ sub setup_mac_lists( $ ) {
 
 	    first_entry "$doing $fn...";
 
-	    while ( read_a_line ) {
+	    while ( read_a_line( NORMAL_READ ) ) {
 
 		my ( $original_disposition, $interface, $mac, $addresses  ) = split_line1 'maclist file', { disposition => 0, interface => 1, mac => 2, addresses => 3 };
 
@@ -1403,11 +1403,12 @@ sub add_interface_jumps {
 
 	if ( $interfaceref->{options}{port} ) {
 	    my $bridge = $interfaceref->{bridge};
+
 	    add_ijump ( $filter_table->{forward_chain $bridge},
 			j => 'ACCEPT',
 			imatch_source_dev( $interface, 1),
 			imatch_dest_dev( $interface, 1)
-		     ) unless $interfaceref->{nets} || ! $interfaceref->{options}{bridge};
+		     ) unless $interfaceref->{nets};
 
 	    add_ijump( $filter_table->{forward_chain $bridge} ,
 		       j => $forwardref ,
@@ -1476,22 +1477,26 @@ sub generate_matrix() {
     progress_message  '  Handling complex zones...';
 
     #
-    # Special processing for complex configurations
+    # Special processing for configurations with more than 2 off-firewall zones or with other special considerations like IPSEC.
     #
     for my $zone ( @zones ) {
 	my $zoneref = find_zone( $zone );
 
 	next if  @zones <= 2 && ! $zoneref->{complex};
 	#
-	# Complex zone or we have more than one non-firewall zone -- process_rules created a zone forwarding chain
+	# Complex zone or we have more than two off-firewall zones -- Shorewall::Rules::classic_blacklist created a zone forwarding chain
 	#
 	my $frwd_ref = $filter_table->{zone_forward_chain( $zone )};
 
+	assert( $frwd_ref, $zone );
+	#
+	# Add Zone mark if any
+	#
 	add_ijump( $frwd_ref , j => 'MARK --set-mark ' . in_hex( $zoneref->{mark} ) . '/' . in_hex( $globals{ZONE_MASK} ) ) if $zoneref->{mark};
 
 	if ( have_ipsec ) {
 	    #
-	    # Because policy match only matches an 'in' or an 'out' policy (but not both), we have to place the
+	    # Prior to KLUDGEFREE, policy match could only match an 'in' or an 'out' policy (but not both), so we place the
 	    # '--pol ipsec --dir in' rules at the front of the (interface) forwarding chains. Otherwise, decrypted packets
 	    # can match '--pol none --dir out' rules and send the packets down the wrong rules chain.
 	    #
@@ -1509,6 +1514,9 @@ sub generate_matrix() {
 			copy_rules( $sourcechainref, $frwd_ref, 1 ) unless $ipsec_jump_added{$zone}++;
 			$sourcechainref = $filter_table->{FORWARD};
 		    } elsif ( $interfaceref->{options}{port} ) {
+			#
+			# The forwarding chain for a bridge with ports is always used
+			#
 			add_ijump( $filter_table->{ forward_chain $interfaceref->{bridge} } ,
 				   j => $sourcechainref ,
 				   imatch_source_dev( $interface , 1 ) )
@@ -1518,6 +1526,9 @@ sub generate_matrix() {
 		    }
 		} else {
 		    if ( $interfaceref->{options}{port} ) {
+			#
+			# The forwarding chain for a bridge with ports is always used
+			#
 			$sourcechainref = $filter_table->{ forward_chain $interfaceref->{bridge} };
 			@interfacematch = imatch_source_dev $interface, 1;
 		    } else {

Shorewall/Perl/Shorewall/Nat.pm

@@ -276,7 +276,7 @@ sub setup_masq()
 
 	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty masq file' , 's'; } );
 
-	process_one_masq while read_a_line;
+	process_one_masq while read_a_line( NORMAL_READ );
 
 	clear_comment;
     }
@@ -373,7 +373,7 @@ sub setup_nat() {
 
 	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty nat file' , 's'; } );
 
-	while ( read_a_line ) {
+	while ( read_a_line( NORMAL_READ ) ) {
 
 	    my ( $external, $interfacelist, $internal, $allints, $localnat ) = split_line1 'nat file', { external => 0, interface => 1, internal => 2, allints => 3, local => 4 };
 
@@ -409,7 +409,7 @@ sub setup_netmap() {
 
 	first_entry "$doing $fn...";
 
-	while ( read_a_line ) {
+	while ( read_a_line( NORMAL_READ ) ) {
 
 	    my ( $type, $net1, $interfacelist, $net2, $net3, $proto, $dport, $sport ) = split_line 'netmap file', { type => 0, net1 => 1, interface => 2, net2 => 3, net3 => 4, proto => 5, dport => 6, sport => 7 };
 

Shorewall/Perl/Shorewall/Providers.pm

@@ -608,7 +608,8 @@ sub add_a_provider( $$ ) {
 	}
     }
 
-    emit( qq(echo $load > \${VARDIR}/${physical}_load) ) if $load;
+    emit( "echo $load > \${VARDIR}/${physical}_load",
+	  'echo ' . in_hex( $mark ) . '/' . in_hex( $globals{PROVIDER_MASK} ) . " > \${VARDIR}/${physical}_mark" ) if $load;
 
     emit( '',
 	  "cat <<EOF >> \${VARDIR}/undo_${table}_routing" );
@@ -618,6 +619,7 @@ sub add_a_provider( $$ ) {
     emit_unindented '        ;;';
     emit_unindented '    *)';
     emit_unindented "        rm -f \${VARDIR}/${physical}_load" if $load;
+    emit_unindented "        rm -f \${VARDIR}/${physical}_mark" if $load;
     emit_unindented <<"CEOF", 1;
         rm -f \${VARDIR}/${physical}.status
         ;;
@@ -630,12 +632,13 @@ CEOF
     setup_interface_proc( $interface );
 
     if ( $mark ne '-' ) {
+	my $hexmark = in_hex( $mark );
 	my $mask = have_capability 'FWMARK_RT_MASK' ? '/' . in_hex $globals{PROVIDER_MASK} : '';
 
-	emit ( "qt \$IP -$family rule del fwmark ${mark}${mask}" ) if $config{DELETE_THEN_ADD};
+	emit ( "qt \$IP -$family rule del fwmark ${hexmark}${mask}" ) if $config{DELETE_THEN_ADD};
 
-	emit ( "run_ip rule add fwmark ${mark}${mask} pref $pref table $number",
-	       "echo \"qt \$IP -$family rule del fwmark ${mark}${mask}\" >> \${VARDIR}/undo_${table}_routing"
+	emit ( "run_ip rule add fwmark ${hexmark}${mask} pref $pref table $number",
+	       "echo \"qt \$IP -$family rule del fwmark ${hexmark}${mask}\" >> \${VARDIR}/undo_${table}_routing"
 	     );
     }
 
@@ -759,7 +762,7 @@ CEOF
 		if ( $gateway ) {
 		    emit qq(add_gateway "via $gateway dev $physical $realm" ) . $tbl;
 		} else {
-		    emit qq(add_gateway "nexthop dev $physical $realm" ) . $tbl;
+		    emit qq(add_gateway "dev $physical $realm" ) . $tbl;
 		}
 	    }
 	    	} else {
@@ -861,7 +864,8 @@ CEOF
 		  "qt \$TC qdisc del dev $physical ingress\n" ) if $tcdevices->{$interface};
 	}
 
-	emit( "progress_message2 \"   Provider $table ($number) stopped\"" );
+	emit( "echo 1 > \${VARDIR}/${physical}.status",
+	      "progress_message2 \"   Provider $table ($number) stopped\"" );
 
 	pop_indent;
 
@@ -928,7 +932,7 @@ sub add_an_rtrule( ) {
 	    validate_net ( $source, 0 );
 	    $source = "from $source";
 	} else {
-	    $source = "iif $source";
+	    $source = 'iif ' . physical_name $source;
 	}
     } elsif ( $source =~  /^(.+?):<(.+)>\s*$/ ||  $source =~  /^(.+?):\[(.+)\]\s*$/ ) {
 	my ($interface, $source ) = ($1, $2);
@@ -939,7 +943,7 @@ sub add_an_rtrule( ) {
 	validate_net ( $source, 0 );
 	$source = "from $source";
     } else {
-	$source = "iif $source";
+	$source = 'iif ' . physical_name $source;
     }
 
     my $mark = '';
@@ -1114,6 +1118,10 @@ sub finish_providers() {
 	       '# We don\'t have any \'balance\' providers so we restore any default route that we\'ve saved',
 	       '#',
 	       "restore_default_route $config{USE_DEFAULT_RT}" ,
+	       '#',
+	       '# And delete any routes in the \'balance\' table',
+	       '#',
+	       "qt \$IP -$family route del default table " . BALANCE_TABLE,
 	       '' );
     }
 
@@ -1164,7 +1172,7 @@ sub process_providers( $ ) {
 
     if ( my $fn = open_file 'providers' ) {
 	first_entry "$doing $fn...";
-	process_a_provider, $providers++ while read_a_line;
+	process_a_provider, $providers++ while read_a_line( NORMAL_READ );
     }
 
     if ( $providers ) {
@@ -1183,7 +1191,7 @@ sub process_providers( $ ) {
 
 	    emit '';
 
-	    add_an_rtrule while read_a_line;
+	    add_an_rtrule while read_a_line( NORMAL_READ );
 	}
 
 	$fn = open_file 'routes';
@@ -1191,7 +1199,7 @@ sub process_providers( $ ) {
 	if ( $fn ) {
 	    first_entry "$doing $fn...";
 	    emit '';
-	    add_a_route while read_a_line;
+	    add_a_route while read_a_line( NORMAL_READ );
 	}
     }
 

Shorewall/Perl/Shorewall/Proxyarp.pm

@@ -120,7 +120,7 @@ sub setup_proxy_arp() {
 
 	my ( %set, %reset );
 
-	while ( read_a_line ) {
+	while ( read_a_line( NORMAL_READ ) ) {
 
 	    my ( $address, $interface, $external, $haveroute, $persistent ) =
 		split_line $file_opt . 'file ', { address => 0, interface => 1, external => 2, haveroute => 3, persistent => 4 };

Shorewall/Perl/Shorewall/Raw.pm

@@ -130,7 +130,7 @@ sub setup_notrack() {
 
 	my $nonEmpty = 0;
 
-	while ( read_a_line ) {	    
+	while ( read_a_line( NORMAL_READ ) ) {
 	    my ( $source, $dest, $proto, $ports, $sports, $user );
 
 	    if ( $format == 1 ) {

Shorewall/Perl/Shorewall/Rules.pm

@@ -529,7 +529,7 @@ sub process_policies()
 
     if ( my $fn = open_file 'policy' ) {
 	first_entry "$doing $fn...";
-	process_a_policy while read_a_line;
+	process_a_policy while read_a_line( NORMAL_READ );
     } else {
 	fatal_error q(The 'policy' file does not exist or has zero size);
     }
@@ -1394,7 +1394,7 @@ sub process_actions() {
     for my $file ( qw/actions.std actions/ ) {
 	open_file $file;
 
-	while ( read_a_line ) {
+	while ( read_a_line( NORMAL_READ ) ) {
 	    my ( $action ) = split_line 'action file' , { action => 0 };
 
 	    if ( $action =~ /:/ ) {
@@ -1454,7 +1454,7 @@ sub process_action( $) {
 
 	push_comment( '' );
 
-	while ( read_a_line ) {
+	while ( read_a_line( NORMAL_READ ) ) {
 
 	    my ($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition );
 
@@ -1547,7 +1547,7 @@ sub process_macro ( $$$$$$$$$$$$$$$$$$ ) {
 
     push_open $macrofile;
 
-    while ( read_a_line ) {
+    while ( read_a_line( NORMAL_READ ) ) {
 
 	my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition );
 
@@ -1589,7 +1589,7 @@ sub process_macro ( $$$$$$$$$$$$$$$$$$ ) {
 
 	my $actiontype = $targets{$action} || find_macro( $action );
 
-	fatal_error "Invalid Action ($mtarget) in macro" unless $actiontype & ( ACTION +  STANDARD + NATRULE +  MACRO );
+	fatal_error "Invalid Action ($mtarget) in macro" unless $actiontype & ( ACTION +  STANDARD + NATRULE + MACRO + CHAIN );
 
 	if ( $msource ) {
 	    if ( $msource eq '-' ) {
@@ -2567,7 +2567,7 @@ sub process_rules( $ ) {
 		     }
 		   );
 
-	process_rule while read_a_line;
+	process_rule while read_a_line( NORMAL_READ );
     }
 
     $section = '';
@@ -2585,7 +2585,7 @@ sub process_rules( $ ) {
 
 	first_entry "$doing $fn...";
 
-	process_rule while read_a_line;
+	process_rule while read_a_line( NORMAL_READ );
 
 	clear_comment;
     }

Shorewall/Perl/Shorewall/Tc.pm

@@ -197,11 +197,11 @@ sub process_tc_rule( ) {
     my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp );
     if ( $family == F_IPV4 ) {
 	( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp ) =
-	    split_line1 'tcrules file', { mark => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, probability => 12 , dscp => 13 };
+	    split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, probability => 12 , dscp => 13 }, undef , 14;
 	$headers = '-';
     } else {
 	( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp ) =
-	    split_line1 'tcrules file', { mark => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 , dscp => 14 };
+	    split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 , dscp => 14 }, undef, 15;
     }
 
     our @tccmd;
@@ -1455,7 +1455,7 @@ sub process_tcfilters() {
 
 	first_entry( "$doing $fn..." );
 
-	while ( read_a_line ) {
+	while ( read_a_line( NORMAL_READ ) ) {
 	    if ( $currentline =~ /^\s*IPV4\s*$/ ) {
 		Shorewall::IPAddrs::initialize( $family = F_IPV4 ) unless $family == F_IPV4;
 	    } elsif ( $currentline =~ /^\s*IPV6\s*$/ ) {
@@ -1555,7 +1555,7 @@ sub process_tcinterfaces() {
 
     if ( $fn ) {
 	first_entry "$doing $fn...";
-	process_simple_device while read_a_line;
+	process_simple_device while read_a_line( NORMAL_READ );
     }
 }
 
@@ -1573,7 +1573,7 @@ sub process_tcpri() {
 		warning_message "There are entries in $fn1 but $fn was empty" unless @tcdevices || $family == F_IPV6;
 	    };
 
-	process_tc_priority while read_a_line;
+	process_tc_priority while read_a_line( NORMAL_READ );
 
 	clear_comment;
 
@@ -1604,7 +1604,7 @@ sub process_traffic_shaping() {
     if ( $fn ) {
 	first_entry "$doing $fn...";
 
-	validate_tc_device while read_a_line;
+	validate_tc_device while read_a_line( NORMAL_READ );
     }
 
     $devnum = $devnum > 10 ? 10 : 1;
@@ -1614,7 +1614,7 @@ sub process_traffic_shaping() {
     if ( $fn ) {
 	first_entry "$doing $fn...";
 
-	validate_tc_class while read_a_line;
+	validate_tc_class while read_a_line( NORMAL_READ );
     }
 
     process_tcfilters;
@@ -1959,13 +1959,13 @@ sub setup_tc() {
     if ( $config{TC_ENABLED} ) {
 	our  @tccmd = ( { match     => sub ( $ ) { $_[0] eq 'SAVE' } ,
 			  target    => 'CONNMARK --save-mark --mask' ,
-			  mark      => SMALLMARK ,
+			  mark      => $config{TC_EXPERT} ? HIGHMARK : SMALLMARK,
 			  mask      => in_hex( $globals{TC_MASK} ) ,
 			  connmark  => 1
 			} ,
 			{ match     => sub ( $ ) { $_[0] eq 'RESTORE' },
 			  target    => 'CONNMARK --restore-mark --mask' ,
-			  mark      => SMALLMARK ,
+			  mark      => $config{TC_EXPERT} ? HIGHMARK : SMALLMARK ,
 			  mask      => in_hex( $globals{TC_MASK} ) ,
 			  connmark  => 1
 			} ,
@@ -2038,7 +2038,7 @@ sub setup_tc() {
 
 	    first_entry "$doing $fn...";
 
-	    process_tc_rule while read_a_line;
+	    process_tc_rule while read_a_line( NORMAL_READ );
 
 	    clear_comment;
 	}
@@ -2049,7 +2049,7 @@ sub setup_tc() {
 
 	    first_entry "$doing $fn...";
 
-	    process_secmark_rule while read_a_line;
+	    process_secmark_rule while read_a_line( NORMAL_READ );
 
 	    clear_comment;
 	}

Shorewall/Perl/Shorewall/Tunnels.pm

@@ -234,7 +234,7 @@ sub setup_tunnels() {
     }
 
     sub setup_one_tunnel($$$$) {
-	my ( $kind , $zone, $gateway, $gatewayzones ) = @_;
+	my ( $kind , $zone, $gateways, $gatewayzones ) = @_;
 
 	my $zonetype = zone_type( $zone );
 
@@ -243,35 +243,42 @@ sub setup_tunnels() {
 	my $inchainref  = ensure_rules_chain( rules_chain( ${zone}, ${fw} ) );
 	my $outchainref = ensure_rules_chain( rules_chain( ${fw}, ${zone} ) );
 
-	$gateway = ALLIP if $gateway eq '-';
+	$gateways = ALLIP if $gateways eq '-';
 
-	my @source = imatch_source_net $gateway;
-	my @dest   = imatch_dest_net   $gateway;
+	my ( $net, $excl ) = handle_network_list( $gateways , 'src' );
+	( $net, $excl )    = handle_network_list( $gateways , 'dst' );
 
-	my %tunneltypes = ( 'ipsec'         => { function => \&setup_one_ipsec ,         params   => [ $kind, \@source, \@dest , $gatewayzones ] } ,
-			    'ipsecnat'      => { function => \&setup_one_ipsec ,         params   => [ $kind, \@source, \@dest , $gatewayzones ] } ,
-			    'ipip'          => { function => \&setup_one_other,          params   => [ \@source, \@dest , 4 ] } ,
-			    'gre'           => { function => \&setup_one_other,          params   => [ \@source, \@dest , 47 ] } ,
-			    '6to4'          => { function => \&setup_one_other,          params   => [ \@source, \@dest , 41 ] } ,
-			    '6in4'          => { function => \&setup_one_other,          params   => [ \@source, \@dest , 41 ] } ,
-			    'pptpclient'    => { function => \&setup_pptp_client,        params   => [ $kind, \@source, \@dest ] } ,
-			    'pptpserver'    => { function => \&setup_pptp_server,        params   => [ $kind, \@source, \@dest ] } ,
-			    'openvpn'       => { function => \&setup_one_openvpn,        params   => [ $kind, \@source, \@dest ] } ,
-			    'openvpnclient' => { function => \&setup_one_openvpn_client, params   => [ $kind, \@source, \@dest ] } ,
-			    'openvpnserver' => { function => \&setup_one_openvpn_server, params   => [ $kind, \@source, \@dest ] } ,
-			    'l2tp'          => { function => \&setup_one_l2tp ,          params   => [ $kind, \@source, \@dest ] } ,
-			    'generic'       => { function => \&setup_one_generic ,       params   => [ $kind, \@source, \@dest ] } ,
-			  );
+	fatal_error "Exclusion is not allowed in the GATEWAYS column" if $excl;
 
-	$kind = "\L$kind";
+	for my $gateway ( split_list $gateways, 'GATEWAYS' ) {
+	    my @source = imatch_source_net $gateway;
+	    my @dest   = imatch_dest_net   $gateway;
 
-	(my $type) = split /:/, $kind;
+	    my %tunneltypes = ( 'ipsec'         => { function => \&setup_one_ipsec ,         params   => [ $kind, \@source, \@dest , $gatewayzones ] } ,
+				'ipsecnat'      => { function => \&setup_one_ipsec ,         params   => [ $kind, \@source, \@dest , $gatewayzones ] } ,
+				'ipip'          => { function => \&setup_one_other,          params   => [ \@source, \@dest , 4 ] } ,
+				'gre'           => { function => \&setup_one_other,          params   => [ \@source, \@dest , 47 ] } ,
+				'6to4'          => { function => \&setup_one_other,          params   => [ \@source, \@dest , 41 ] } ,
+				'6in4'          => { function => \&setup_one_other,          params   => [ \@source, \@dest , 41 ] } ,
+				'pptpclient'    => { function => \&setup_pptp_client,        params   => [ $kind, \@source, \@dest ] } ,
+				'pptpserver'    => { function => \&setup_pptp_server,        params   => [ $kind, \@source, \@dest ] } ,
+				'openvpn'       => { function => \&setup_one_openvpn,        params   => [ $kind, \@source, \@dest ] } ,
+				'openvpnclient' => { function => \&setup_one_openvpn_client, params   => [ $kind, \@source, \@dest ] } ,
+				'openvpnserver' => { function => \&setup_one_openvpn_server, params   => [ $kind, \@source, \@dest ] } ,
+				'l2tp'          => { function => \&setup_one_l2tp ,          params   => [ $kind, \@source, \@dest ] } ,
+				'generic'       => { function => \&setup_one_generic ,       params   => [ $kind, \@source, \@dest ] } ,
+			      );
 
-	my $tunnelref = $tunneltypes{ $type };
+	    $kind = "\L$kind";
 
-	fatal_error "Tunnels of type $type are not supported" unless $tunnelref;
+	    (my $type) = split /:/, $kind;
 
-	$tunnelref->{function}->( $inchainref, $outchainref, @{$tunnelref->{params}} );
+	    my $tunnelref = $tunneltypes{ $type };
+
+	    fatal_error "Tunnels of type $type are not supported" unless $tunnelref;
+
+	    $tunnelref->{function}->( $inchainref, $outchainref, @{$tunnelref->{params}} );
+	}
 
 	progress_message "   Tunnel \"$currentline\" $done";
     }
@@ -283,16 +290,16 @@ sub setup_tunnels() {
 
 	first_entry "$doing $fn...";
 
-	while ( read_a_line ) {
+	while ( read_a_line( NORMAL_READ ) ) {
 
-	    my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 'tunnels file', { type => 0, zone => 1, gateway => 2, gateway_zone => 3 };
+	    my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 'tunnels file', { type => 0, zone => 1, gateway => 2, gateways => 2, gateway_zone => 3 }, undef, 4;
 
 	    fatal_error 'TYPE must be specified' if $kind eq '-';
-	    fatal_error 'ZONE must be specified' if $zone eq '-';
 
 	    if ( $kind eq 'COMMENT' ) {
 		process_comment;
 	    } else {
+		fatal_error 'ZONE must be specified' if $zone eq '-';
 		setup_one_tunnel $kind, $zone, $gateway, $gatewayzones;
 	    }
 	}

Shorewall/Perl/Shorewall/Zones.pm

@@ -545,7 +545,7 @@ sub determine_zones()
 
     if ( my $fn = open_file 'zones' ) {
 	first_entry "$doing $fn...";
-	push @z, process_zone( $ip ) while read_a_line;
+	push @z, process_zone( $ip ) while read_a_line( NORMAL_READ );
     } else {
 	fatal_error q(The 'zones' file does not exist or has zero size);
     }
@@ -934,7 +934,7 @@ sub process_interface( $$ ) {
 	    return;
 	}
 
-	fatal_error "Invalid FORMAT ($1)";
+	fatal_error "Invalid FORMAT ($originalinterface)";
     }
 
     if ( $zone eq '-' ) {
@@ -1214,7 +1214,7 @@ sub validate_interfaces_file( $ ) {
 
     if ( my $fn = open_file 'interfaces' ) {
 	first_entry "$doing $fn...";
-	push @ifaces, process_interface( $nextinum++, $export ) while read_a_line;
+	push @ifaces, process_interface( $nextinum++, $export ) while read_a_line( NORMAL_READ );
     } else {
 	fatal_error q(The 'interfaces' file does not exist or has zero size);
     }
@@ -1935,7 +1935,7 @@ sub validate_hosts_file()
 
     if ( my $fn = open_file 'hosts' ) {
 	first_entry "$doing $fn...";
-	$ipsec |= process_host while read_a_line;
+	$ipsec |= process_host while read_a_line( NORMAL_READ );
     }
 
     $have_ipsec = $ipsec || haveipseczones;

Shorewall/Perl/compiler.pl

@@ -37,6 +37,7 @@
 #         --log_verbosity=<number>    # Log Verbosity range -1 to 2
 #         --family=<number>           # IP family; 4 = IPv4 (default), 6 = IPv6
 #         --preview                   # Preview the ruleset.
+#         --shorewallrc=<path>        # Path to shorewallrc file.
 #         --config_path=<path-list>   # Search path for config files
 #
 use strict;
@@ -65,7 +66,7 @@ sub usage( $ ) {
     [ --annotate ]
     [ --update ]
     [ --convert ]
-    [ --shorewallrc ]
+    [ --shorewallrc=<pathname> ]
     [ --config_path=<path-list> ]
 ';
 

Shorewall/Perl/macro.BLACKLIST

@@ -1,11 +0,0 @@
-#
-# Shorewall version 4 - blacklist Macro
-#
-# /usr/share/shorewall/macro.blacklist
-#
-#	This macro handles blacklisting using BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
-$BLACKLIST_DISPOSITION:$BLACKLIST_LOGLEVEL

Shorewall/Perl/prog.footer

@@ -235,8 +235,8 @@ case "$COMMAND" in
 	    status=2
 	elif checkkernelversion; then
 	    if [ $# -eq 1 ]; then
-		$IP6TABLES -Z
-		$IP6TABLES -t mangle -Z
+		$g_tool -Z
+		$g_tool -t mangle -Z
 		date > ${VARDIR}/restarted
 		status=0
 		progress_message3 "$g_product Counters Reset"
@@ -245,7 +245,7 @@ case "$COMMAND" in
 		status=0
 		for chain in $@; do
 		    if chain_exists $chain; then
-			if qt $IP6TABLES -Z $chain; then
+			if qt $g_tool-Z $chain; then
 			    progress_message3 "Filter $chain Counters Reset"
 			else
 			    error_message "ERROR: Reset of chain $chain failed"

Shorewall/Samples/LICENSE

@@ -55,7 +55,7 @@ modified by someone else and passed on, the recipients should know
 that what they have is not the original version, so that the original
 author's reputation will not be affected by problems that might be
 introduced by others.
-
+
   Finally, software patents pose a constant threat to the existence of
 any free program.  We wish to make sure that a company cannot
 effectively restrict the users of a free program by obtaining a
@@ -111,7 +111,7 @@ modification follow.  Pay close attention to the difference between a
 "work based on the library" and a "work that uses the library".  The
 former contains code derived from the library, whereas the latter must
 be combined with the library in order to run.
-
+
 		  GNU LESSER GENERAL PUBLIC LICENSE
    TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
 
@@ -158,7 +158,7 @@ Library.
   You may charge a fee for the physical act of transferring a copy,
 and you may at your option offer warranty protection in exchange for a
 fee.
-
+
   2. You may modify your copy or copies of the Library or any portion
 of it, thus forming a work based on the Library, and copy and
 distribute such modifications or work under the terms of Section 1
@@ -216,7 +216,7 @@ instead of to this License.  (If a newer version than version 2 of the
 ordinary GNU General Public License has appeared, then you can specify
 that version instead if you wish.)  Do not make any other change in
 these notices.
-
+
   Once this change is made in a given copy, it is irreversible for
 that copy, so the ordinary GNU General Public License applies to all
 subsequent copies and derivative works made from that copy.
@@ -267,7 +267,7 @@ Library will still fall under Section 6.)
 distribute the object code for the work under the terms of Section 6.
 Any executables containing that work also fall under Section 6,
 whether or not they are linked directly with the Library itself.
-
+
   6. As an exception to the Sections above, you may also combine or
 link a "work that uses the Library" with the Library to produce a
 work containing portions of the Library, and distribute that work
@@ -329,7 +329,7 @@ restrictions of other proprietary libraries that do not normally
 accompany the operating system.  Such a contradiction means you cannot
 use both them and the Library together in an executable that you
 distribute.
-
+
   7. You may place library facilities that are a work based on the
 Library side-by-side in a single library together with other library
 facilities not covered by this License, and distribute such a combined
@@ -370,7 +370,7 @@ subject to these terms and conditions.  You may not impose any further
 restrictions on the recipients' exercise of the rights granted herein.
 You are not responsible for enforcing compliance by third parties with
 this License.
-
+
   11. If, as a consequence of a court judgment or allegation of patent
 infringement or for any other reason (not limited to patent issues),
 conditions are imposed on you (whether by court order, agreement or
@@ -422,7 +422,7 @@ conditions either of that version or of any later version published by
 the Free Software Foundation.  If the Library does not specify a
 license version number, you may choose any version ever published by
 the Free Software Foundation.
-
+
   14. If you wish to incorporate parts of the Library into other free
 programs whose distribution conditions are incompatible with these,
 write to the author to ask for permission.  For software which is
@@ -456,7 +456,7 @@ SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
 DAMAGES.
 
 		     END OF TERMS AND CONDITIONS
-
+
            How to Apply These Terms to Your New Libraries
 
   If you develop a new library, and you want it to be of the greatest

Shorewall/Samples/Universal/interfaces

@@ -7,6 +7,8 @@
 # http://www.shorewall.net/manpages/shorewall-interfaces.html
 #
 ###############################################################################
-#ZONE	INTERFACE	BROADCAST	OPTIONS
--	lo		-		ignore
-net	all		-		dhcp,physical=+,routeback,optional
+FORMAT 2
+###############################################################################
+#ZONE	INTERFACE	OPTIONS
+-	lo		ignore
+net	all		dhcp,physical=+,routeback,optional

Shorewall/Samples/Universal/shorewall.conf

@@ -61,6 +61,8 @@ IP=
 
 IPSET=
 
+LOCKFILE=
+
 MODULESDIR=
 
 PERL=/usr/bin/perl

Shorewall/Samples/one-interface/interfaces

@@ -11,5 +11,7 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-interfaces"
 ###############################################################################
-#ZONE	INTERFACE	BROADCAST	OPTIONS
-net     eth0            detect          dhcp,tcpflags,logmartians,nosmurfs
+FORMAT 2
+###############################################################################
+#ZONE	INTERFACE	OPTIONS
+net     eth0            dhcp,tcpflags,logmartians,nosmurfs

Shorewall/Samples/one-interface/shorewall.conf

@@ -72,6 +72,8 @@ IP=
 
 IPSET=
 
+LOCKFILE=
+
 MODULESDIR=
 
 PERL=/usr/bin/perl

Shorewall/Samples/three-interfaces/interfaces

@@ -11,7 +11,9 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-interfaces"
 ###############################################################################
-#ZONE	INTERFACE	BROADCAST	OPTIONS
-net     eth0            detect          tcpflags,dhcp,nosmurfs,routefilter,logmartians
-loc     eth1            detect          tcpflags,nosmurfs,routefilter,logmartians
-dmz     eth2            detect		tcpflags,nosmurfs,routefilter,logmartians
+FORMAT 2
+###############################################################################
+#ZONE	INTERFACE	OPTIONS
+net     eth0            tcpflags,dhcp,nosmurfs,routefilter,logmartians
+loc     eth1            tcpflags,nosmurfs,routefilter,logmartians
+dmz     eth2            tcpflags,nosmurfs,routefilter,logmartians

Shorewall/Samples/three-interfaces/shorewall.conf

@@ -70,6 +70,8 @@ IP=
 
 IPSET=
 
+LOCKFILE=
+
 MODULESDIR=
 
 PERL=/usr/bin/perl

Shorewall/Samples/two-interfaces/interfaces

@@ -11,6 +11,8 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-interfaces"
 ###############################################################################
-#ZONE	INTERFACE	BROADCAST	OPTIONS
-net     eth0            detect          dhcp,tcpflags,nosmurfs,routefilter,logmartians
-loc     eth1            detect          tcpflags,nosmurfs,routefilter,logmartians
+FORMAT 2
+###############################################################################
+#ZONE	INTERFACE	OPTIONS
+net     eth0            dhcp,tcpflags,nosmurfs,routefilter,logmartians
+loc     eth1            tcpflags,nosmurfs,routefilter,logmartians

Shorewall/Samples/two-interfaces/shorewall.conf

@@ -73,6 +73,8 @@ IP=
 
 IPSET=
 
+LOCKFILE=
+
 MODULESDIR=
 
 PERL=/usr/bin/perl

Shorewall/action.RST

@@ -0,0 +1,56 @@
+#
+# Shorewall 4 - RST Action
+#
+#    /usr/share/shorewall/action.RST
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2011 - Tom Eastep (teastep@shorewall.net)
+#
+#       Complete documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#   RST[([<action>|-[,{audit|-}])]
+#
+#       Default action is DROP
+#
+##########################################################################################
+FORMAT 2
+
+DEFAULTS DROP,-
+
+BEGIN PERL;
+
+use Shorewall::IPAddrs;
+use Shorewall::Config;
+use Shorewall::Chains;
+
+my ( $action, $audit ) = get_action_params( 2 );
+
+fatal_error "Invalid parameter ($audit) to action NotSyn"   if supplied $audit && $audit ne 'audit';
+fatal_error "Invalid parameter ($action) to action NotSyn"  unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
+
+my $chainref         = get_action_chain;
+my ( $level, $tag )  = get_action_logging;
+my $target           = require_audit ( $action , $audit );
+
+log_rule_limit $level, $chainref, 'RST' , $action, '', $tag, 'add', '-p 6 --tcp-flags RST RST ' if $level ne '';
+add_jump $chainref , $target, 0, '-p 6 --tcp-flags RST RST, ';
+
+allow_optimize( $chainref );
+
+1;
+
+END PERL;

Shorewall/actions.std

@@ -41,4 +41,5 @@ DropSmurfs          # Drop smurf packets
 Invalid             # Handles packets in the INVALID conntrack state
 NotSyn              # Handles TCP packets which do not have SYN=1 and ACK=0
 Reject		    # Default Action for REJECT policy
+RST		    # Handle packets with RST set
 TCPFlags            # Handle bad flag combinations.

Shorewall/configfiles/interfaces

@@ -7,8 +7,6 @@
 # http://www.shorewall.net/manpages/shorewall-interfaces.html
 #
 ###############################################################################
-FORMAT 1
-#ZONE	INTERFACE	BROADCAST	OPTIONS
-
 FORMAT 2
+###############################################################################
 #ZONE		INTERFACE		OPTIONS

Shorewall/configfiles/shorewall.conf

@@ -61,6 +61,8 @@ IP=
 
 IPSET=
 
+LOCKFILE=
+
 MODULESDIR=
 
 PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin"

Shorewall/configfiles/tunnels

@@ -7,5 +7,5 @@
 # http://www.shorewall.net/manpages/shorewall-tunnels.html
 #
 ###############################################################################
-#TYPE			ZONE	GATEWAY		GATEWAY
-#						ZONE
+#TYPE			ZONE	GATEWAYS			GATEWAY
+#								ZONES

Shorewall/install.sh

@@ -248,12 +248,18 @@ OWNERSHIP="-o $OWNER -g $GROUP"
 # Determine where to install the firewall script
 #
 
-if [ $PRODUCT = shorewall -a -z "${DESTDIR}" ]; then
+if [ $PRODUCT = shorewall -a "$BUILD" = "$HOST" ]; then
+    #
+    # Fix up 'use Digest::' if SHA is installed
+    #
+    if perl -e 'use Digest::SHA;' 2> /dev/null ; then
+	sed -i 's/Digest::SHA1/Digest::SHA/' Perl/Shorewall/Chains.pm
+    fi
     #
     # Verify that Perl is installed
     #
     if ! perl -c Perl/compiler.pl; then
-	echo "ERROR: $Product $VERSION requires Perl which either is not installed or is not able to compile the $Product Perl code" >&2
+	echo "ERROR: $Product $VERSION requires Perl which either is not installed or is not able to compile the Shorewall Perl code" >&2
 	echo "       Try perl -c $PWD/Perl/compiler.pl" >&2
 	exit 1
     fi
@@ -327,14 +333,11 @@ echo "$PRODUCT control program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"
 # Install the Firewall Script
 #
 if [ -n "$INITFILE" ]; then
-    install_file $INITSOURCE ${DESTDIR}${INITDIR}/$INITFILE 0544
-    [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${INITDIR}/$INITFILE
-  
-    if [ -n "${AUXINITSOURCE}" ]; then
+    if [ -f "${INITSOURCE}" ]; then
 	install_file $INITSOURCE ${DESTDIR}${INITDIR}/$INITFILE 0544
+	[ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${INITDIR}/$INITFILE
+	echo  "$Product script installed in ${DESTDIR}${INITDIR}/$INITFILE"
     fi
-
-    echo  "$Product script installed in ${DESTDIR}${INITDIR}/$INITFILE"
 fi
 
 #
@@ -957,11 +960,9 @@ echo "Standard actions file installed as ${DESTDIR}${SHAREDIR}d/$PRODUCT/actions
 # Install the  Makefiles
 #
 run_install $OWNERSHIP -m 0644 Makefile-lite ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/Makefile
-[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${SHAREDIR}/$PRODUCT/configfiles/Makefile
-[ $SBINDIR = /sbin ]       || eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\'       ${DESTDIR}/${SHAREDIR}/$PRODUCT/configfiles/Makefile
 
 if [ -z "$SPARSE" ]; then
-    run_install $OWNERSHIP -m 0600 ${DESTDIR}/${SHAREDIR}/$PRODUCT/configfiles/Makefile ${DESTDIR}${CONFDIR}/$PRODUCT
+    run_install $OWNERSHIP -m 0600 Makefile ${DESTDIR}${CONFDIR}/$PRODUCT
     echo "Makefile installed as ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile"
 fi
 #
@@ -1068,13 +1069,13 @@ cd manpages
 [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man5/ ${DESTDIR}${MANDIR}/man8/
 
 for f in *.5; do
-    gzip -c $f > $f.gz
+    gzip -9c $f > $f.gz
     run_install $INSTALLD  -m 0644 $f.gz ${DESTDIR}${MANDIR}/man5/$f.gz
     echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man5/$f.gz"
 done
 
 for f in *.8; do
-    gzip -c $f > $f.gz
+    gzip -9c $f > $f.gz
     run_install $INSTALLD  -m 0644 $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz
     echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man8/$f.gz"
 done
@@ -1104,6 +1105,7 @@ if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
 	echo "Set startup=1 in ${CONFDIR}/default/$PRODUCT to enable"
 	touch /var/log/$PRODUCT-init.log
 	perl -p -w -i -e 's/^STARTUP_ENABLED=No/STARTUP_ENABLED=Yes/;s/^IP_FORWARDING=On/IP_FORWARDING=Keep/;s/^SUBSYSLOCK=.*/SUBSYSLOCK=/;' ${CONFDIR}/$PRODUCT/$PRODUCT.conf
+	update-rc.d $PRODUCT enable
     elif [ -n "$SYSTEMD" ]; then
 	if systemctl enable $PRODUCT; then
 	    echo "$Product will start automatically at boot"

Shorewall/lib.cli-std

@@ -508,6 +508,10 @@ start_command() {
 			    AUTOMAKE=
 			    option=${option#c}
 			    ;;
+			T*)
+			    g_confess=Yes
+			    option=${option#T}
+			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -880,6 +884,10 @@ restart_command() {
 			    g_purge=Yes
 			    option=${option%p}
 			    ;;
+			T*)
+			    g_confess=Yes
+			    option=${option#T}
+			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -964,6 +972,27 @@ refresh_command() {
 			    finished=1
 			    option=
 			    ;;
+			d*)
+			    g_debug=Yes
+			    option=${option#d}
+			    ;;
+			n*)
+			    g_noroutes=Yes
+			    option=${option#n}
+			    ;;
+			T*)
+			    g_confess=Yes
+			    option=${option#T}
+			    ;;
+			D)
+			    if [ $# -gt 1 ]; then
+				g_shorewalldir="$2"
+				option=
+				shift
+			    else
+				fatal_error "ERROR: the -D option requires a directory name"
+			    fi
+			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -1341,6 +1370,10 @@ reload_command() # $* = original arguments less the command.
 			    option=
 			    shift
 			    ;;
+			T*)
+			    g_confess=Yes
+			    option=${option#T}
+			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -1556,7 +1589,7 @@ usage() # $1 = exit status
     fi
 
     echo "   iptrace <iptables match expression>"
-    echo "   load [ -s ] [ -c ] [ -r <root user> ] [ <directory> ] <system>"
+    echo "   load [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ <directory> ] <system>"
     echo "   logdrop <address> ..."
     echo "   logreject <address> ..."
     echo "   logwatch [<refresh interval>]"
@@ -1567,11 +1600,11 @@ usage() # $1 = exit status
 	echo "   noiptrace <ip6tables match expression>"
     fi
 
-    echo "   refresh [ <chain>... ]"
+    echo "   refresh [ -d ] [ -n ] [ -T ] [ -D <directory> ] [ <chain>... ]"
     echo "   reject <address> ..."
-    echo "   reload [ -s ] [ -c ] [ -r <root user> ] [ <directory> ] <system>"
+    echo "   reload [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ <directory> ] <system>"
     echo "   reset [ <chain> ... ]"
-    echo "   restart [ -n ] [ -p ] [-d] [ -f ] [ -c ][ <directory> ]"
+    echo "   restart [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ <directory> ]"
     echo "   restore [ -n ] [ <file name> ]"
     echo "   safe-restart [ -t <timeout> ] [ <directory> ]"
     echo "   safe-start [ -t <timeout> ] [ <directory> ]"
@@ -1599,7 +1632,7 @@ usage() # $1 = exit status
     echo "   show tc [ device ]"
     echo "   show vardir"
     echo "   show zones"
-    echo "   start [ -f ] [ -n ] [ -p ] [ -c ] [ <directory> ]"
+    echo "   start [ -f ] [ -n ] [ -p ] [ -c ] [ -T ] [ <directory> ]"
     echo "   status"
     echo "   stop"
     echo "   try <directory> [ <timeout> ]"

Shorewall/lib.core

@@ -176,8 +176,28 @@ interface_is_up() {
 #
 interface_is_usable() # $1 = interface
 {
-    [ "$1" = lo ] && return 0
-    interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ] && run_isusable_exit $1
+    local status;
+    status=0
+
+    if [ "$1" != lo ]; then
+	if [ $g_family -eq 4 ]; then
+	    if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != 0.0.0.0 ]; then
+		[ "$COMMAND" = enable ] || run_isusable_exit $1
+		status=$?
+	    else
+		status=1
+	    fi
+	else
+	    if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" ]; then
+		[ "$COMMAND" = enable ] || run_isusable_exit $1
+		status=$?
+	    else
+		status=1
+	    fi
+	fi
+    fi
+
+    return $status
 }
 
 #
@@ -594,6 +614,7 @@ distribute_load() {
     local interface
     local totalload
     local load
+    local mark
     local maxload
 
     maxload=$1
@@ -605,6 +626,8 @@ distribute_load() {
 	if interface_up $interface; then
 	    load=$(cat ${VARDIR}/${interface}_load)
 	    eval ${interface}_load=$load
+	    mark=$(cat ${VARDIR}/${interface}_mark)
+	    eval ${interface}_mark=$mark
 	    totalload=$( bc <<EOF
 scale=8
 $totalload + $load
@@ -617,6 +640,7 @@ EOF
 	for interface in $@; do
 	    qt $g_tool -t mangle -F ~$interface
 	    eval load=\$${interface}_load
+	    eval mark=\$${interface}_mark
 
 	    if [ -n "$load" ]; then
 		load=$(bc <<EOF
@@ -629,7 +653,7 @@ scale=8
 $totalload - $load
 EOF
 )
-		run_iptables -t mangle -A ~$interface -m statistic --mode random --probability $load
+		run_iptables -t mangle -A ~$interface -m statistic --mode random --probability $load -j MARK --set-mark $mark
 	    fi
 	done
     fi

Shorewall/manpages/shorewall-blrules.xml

@@ -60,7 +60,31 @@
 
           <variablelist>
             <varlistentry>
-              <term>blacklog</term>
+              <term><emphasis role="bold">BLACKLIST</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.3. This is actually a macro that
+                expands as follows:</para>
+
+                <itemizedlist>
+                  <listitem>
+                    <para>If BLACKLIST_LOGLEVEL is specified in <ulink
+                    url="shorewall.conf.html">shorewall.conf</ulink>(5), then
+                    the macro expands to <emphasis
+                    role="bold">blacklog</emphasis>.</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>Otherwise it expands to the action specified for
+                    BLACKLIST_DISPOSITION in <ulink
+                    url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
+                  </listitem>
+                </itemizedlist>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">blacklog</emphasis></term>
 
               <listitem>
                 <para>May only be used if BLACKLIST_LOGLEVEL is specified in

Shorewall/manpages/shorewall-interfaces.xml

@@ -27,6 +27,34 @@
     interfaces to Shorewall. The order of entries in this file is not
     significant in determining zone composition.</para>
 
+    <para>Beginning with Shorewall 4.5.3, the interfaces file supports two
+    different formats:</para>
+
+    <variablelist>
+      <varlistentry>
+        <term>FORMAT 1 (default - deprecated)</term>
+
+        <listitem>
+          <para>There is a BROADCAST column which can be used to specify the
+          broadcast address associated with the interface.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>FORMAT 2</term>
+
+        <listitem>
+          <para>The BROADCAST column is omitted.</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+
+    <para>The format is specified by a line as follows:</para>
+
+    <blockquote>
+      <para><emphasis role="bold">FORMAT {1|2}</emphasis></para>
+    </blockquote>
+
     <para>The columns in the file are as follows.</para>
 
     <variablelist>
@@ -128,6 +156,8 @@ loc     eth2            -</programlisting>
         role="bold">detect</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...}</term>
 
         <listitem>
+          <para>Only available if FORMAT 1.</para>
+
           <para>If you use the special value <emphasis
           role="bold">detect</emphasis>, Shorewall will detect the broadcast
           address(es) for you if your iptables and kernel include Address Type
@@ -172,7 +202,7 @@ loc     eth2            -</programlisting>
                 changed; the value assigned to the setting will be the value
                 specified (if any) or 1 if no value is given.</para>
 
-                <para></para>
+                <para/>
 
                 <note>
                   <para>This option does not work with a wild-card
@@ -206,7 +236,7 @@ loc     eth2            -</programlisting>
 
                 <para>8 - do not reply for all local addresses</para>
 
-                <para></para>
+                <para/>
 
                 <note>
                   <para>This option does not work with a wild-card
@@ -214,7 +244,7 @@ loc     eth2            -</programlisting>
                   the INTERFACE column.</para>
                 </note>
 
-                <para></para>
+                <para/>
 
                 <warning>
                   <para>Do not specify <emphasis
@@ -355,7 +385,7 @@ loc     eth2            -</programlisting>
         1
         teastep@lists:~$ </programlisting>
 
-                <para></para>
+                <para/>
 
                 <note>
                   <para>This option does not work with a wild-card
@@ -629,7 +659,7 @@ loc     eth2            -</programlisting>
                 changed; the value assigned to the setting will be the value
                 specified (if any) or 1 if no value is given.</para>
 
-                <para></para>
+                <para/>
 
                 <note>
                   <para>This option does not work with a wild-card
@@ -705,11 +735,14 @@ loc     eth2            -</programlisting>
           connected to your local network and that your local subnet is
           192.168.1.0/24. The interface gets its IP address via DHCP from
           subnet 206.191.149.192/27. You have a DMZ with subnet 192.168.2.0/24
-          using eth2.</para>
+          using eth2. Your iptables and/or kernel do not support "Address Type
+          Match" and you prefer to specify broadcast addresses explicitly
+          rather than having Shorewall detect them.</para>
 
           <para>Your entries for this setup would look like:</para>
 
-          <programlisting>#ZONE   INTERFACE BROADCAST        OPTIONS
+          <programlisting>FORMAT 1
+#ZONE   INTERFACE BROADCAST        OPTIONS
 net     eth0      206.191.149.223  dhcp
 loc     eth1      192.168.1.255
 dmz     eth2      192.168.2.255</programlisting>
@@ -723,10 +756,11 @@ dmz     eth2      192.168.2.255</programlisting>
           <para>The same configuration without specifying broadcast addresses
           is:</para>
 
-          <programlisting>#ZONE   INTERFACE BROADCAST        OPTIONS
-net     eth0      detect           dhcp
-loc     eth1      detect
-dmz     eth2      detect</programlisting>
+          <programlisting>FORMAT 2
+#ZONE   INTERFACE OPTIONS
+net     eth0      dhcp
+loc     eth1      
+dmz     eth2</programlisting>
         </listitem>
       </varlistentry>
 
@@ -737,7 +771,8 @@ dmz     eth2      detect</programlisting>
           <para>You have a simple dial-in system with no ethernet
           connections.</para>
 
-          <programlisting>#ZONE   INTERFACE BROADCAST        OPTIONS
+          <programlisting>FORMAT 2
+#ZONE   INTERFACE OPTIONS
 net     ppp0      -</programlisting>
         </listitem>
       </varlistentry>
@@ -749,8 +784,9 @@ net     ppp0      -</programlisting>
           <para>You have a bridge with no IP address and you want to allow
           traffic through the bridge.</para>
 
-          <programlisting>#ZONE   INTERFACE BROADCAST        OPTIONS
--       br0       -                routeback</programlisting>
+          <programlisting>FORMAT 2
+#ZONE   INTERFACE OPTIONS
+-       br0       routeback</programlisting>
         </listitem>
       </varlistentry>
     </variablelist>
@@ -772,10 +808,9 @@ net     ppp0      -</programlisting>
     shorewall-blacklist(5), shorewall-hosts(5), shorewall-maclist(5),
     shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
     shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
-    shorewall-proxyarp(5), shorewall-rtrules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
-    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
-    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
-    shorewall-zones(5)</para>
+    shorewall-proxyarp(5), shorewall-rtrules(5), shorewall-routestopped(5),
+    shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
+    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
+    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
   </refsect1>
 </refentry>

Shorewall/manpages/shorewall-providers.xml

@@ -87,8 +87,7 @@
           being zero). Otherwise, the value must be between 1 and 255. Each
           provider must be assigned a unique mark value. This column may be
           omitted if you don't use packet marking to direct connections to a
-          particular provider and you don't specify <option>track</option> in
-          the OPTIONS column.</para>
+          particular provider.</para>
         </listitem>
       </varlistentry>
 

Shorewall/manpages/shorewall-tcrules.xml

@@ -407,39 +407,6 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
               classes will have a value &gt; 256.</para>
             </listitem>
 
-            <listitem>
-              <para><emphasis
-              role="bold">TPROXY</emphasis>(<replaceable>mark</replaceable>[/<replaceable>mask</replaceable>][,[<replaceable>port</replaceable>][,[<replaceable>address</replaceable>]]])</para>
-
-              <para>Transparently redirects a packet without altering the IP
-              header. Requires a local provider to be defined in <ulink
-              url="shorewall-providers.html">shorewall-providers</ulink>(5).</para>
-
-              <para>There are three parameters to TPROXY - only the first
-              (mark) is required:</para>
-
-              <itemizedlist>
-                <listitem>
-                  <para><replaceable>mark</replaceable> - the MARK value
-                  corresponding to the local provider in <ulink
-                  url="shorewall-providers.html">shorewall-providers</ulink>(5).</para>
-                </listitem>
-
-                <listitem>
-                  <para><replaceable>port</replaceable> - the port on which
-                  the proxy server is listening. If omitted, the original
-                  destination port.</para>
-                </listitem>
-
-                <listitem>
-                  <para><replaceable>address</replaceable> - a local (to the
-                  firewall) IP address on which the proxy server is listening.
-                  If omitted, the IP address of the interface on which the
-                  request arrives.</para>
-                </listitem>
-              </itemizedlist>
-            </listitem>
-
             <listitem>
               <para><emphasis role="bold">TTL</emphasis>([<emphasis
               role="bold">-</emphasis>|<emphasis
@@ -569,7 +536,7 @@ Normal-Service       =&gt; 0x00</programlisting>
                   <term>T</term>
 
                   <listitem>
-                    <para>POSTROUTING chain (default).</para>
+                    <para>POSTROUTING chain.</para>
                   </listitem>
                 </varlistentry>
               </variablelist>

Shorewall/manpages/shorewall-tunnels.xml

@@ -125,8 +125,9 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">GATEWAY</emphasis> -
-        <emphasis>address-or-range</emphasis></term>
+        <term><emphasis role="bold">GATEWAY</emphasis>S -
+        <emphasis>address-or-range</emphasis> <emphasis role="bold">[ , ...
+        ]</emphasis></term>
 
         <listitem>
           <para>The IP address of the remote tunnel gateway. If the remote
@@ -134,6 +135,11 @@
           as <emphasis role="bold">0.0.0.0/0</emphasis>. May be specified as a
           network address and if your kernel and iptables include iprange
           match support then IP address ranges are also allowed.</para>
+
+          <para>Beginning with Shorewall 4.5.3, a list of addresses or ranges
+          may be given. Exclusion (<ulink
+          url="shorewall-exclusion.html">shorewall-exclusion</ulink> (5) ) is
+          not supported.</para>
         </listitem>
       </varlistentry>
 
@@ -148,7 +154,7 @@
           comma-separated list of the names of the zones that the host might
           be in. This column only applies to IPSEC tunnels where it enables
           ISAKMP traffic to flow through the tunnel to the remote
-          gateway.</para>
+          gateway(s).</para>
         </listitem>
       </varlistentry>
     </variablelist>

Shorewall/manpages/shorewall.conf.xml

@@ -96,7 +96,7 @@
         role="bold">none</emphasis>}</term>
 
         <listitem>
-          <para></para>
+          <para/>
         </listitem>
       </varlistentry>
 
@@ -106,7 +106,7 @@
         role="bold">none</emphasis>}</term>
 
         <listitem>
-          <para></para>
+          <para/>
         </listitem>
       </varlistentry>
 
@@ -116,7 +116,7 @@
         role="bold">none</emphasis>}</term>
 
         <listitem>
-          <para></para>
+          <para/>
         </listitem>
       </varlistentry>
 
@@ -126,7 +126,7 @@
         role="bold">none</emphasis>}</term>
 
         <listitem>
-          <para></para>
+          <para/>
         </listitem>
       </varlistentry>
 
@@ -482,7 +482,7 @@
           </itemizedlist>
 
           <blockquote>
-            <para></para>
+            <para/>
 
             <para>If CONFIG_PATH is not given or if it is set to the empty
             value then the contents of /usr/share/shorewall/configpath are
@@ -814,7 +814,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
             </varlistentry>
           </variablelist>
 
-          <para></para>
+          <para/>
 
           <blockquote>
             <para>If this variable is not set or is given an empty value
@@ -938,6 +938,19 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis
+        role="bold">LOCKFILE</emphasis>=[<emphasis>pathname</emphasis>]</term>
+
+        <listitem>
+          <para>Specifies the name of the Shorewall lock file, used to prevent
+          simultaneous state-changing commands. If not specified,
+          ${VARDIR}/shorewall/lock is assumed (${VARDIR} is normally /var/lib
+          but can be changed when Shorewall-core is installed -- see the
+          output of <command>shorewall show vardir</command>).</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">LOG_MARTIANS=</emphasis>[<emphasis
         role="bold">Yes</emphasis>|<emphasis
@@ -1011,7 +1024,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
             </listitem>
           </itemizedlist>
 
-          <para></para>
+          <para/>
 
           <blockquote>
             <para>For example, using the default LOGFORMAT, the log prefix for
@@ -1028,7 +1041,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
               control your firewall after you enable this option.</para>
             </important>
 
-            <para></para>
+            <para/>
 
             <caution>
               <para>Do not use this option if the resulting log messages will
@@ -1664,7 +1677,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
         role="bold">"</emphasis></term>
 
         <listitem>
-          <para></para>
+          <para/>
         </listitem>
       </varlistentry>
 

Shorewall/manpages/shorewall.xml

@@ -283,6 +283,8 @@
 
       <arg><option>-r</option> <replaceable>root-user-name</replaceable></arg>
 
+      <arg><option>-T</option></arg>
+
       <arg><replaceable>directory</replaceable></arg>
 
       <arg choice="plain"><replaceable>system</replaceable></arg>
@@ -349,7 +351,9 @@
 
       <arg>-<replaceable>options</replaceable></arg>
 
-      <arg choice="plain"><option>refresh</option><arg
+      <arg
+      choice="plain"><option>refresh</option><arg><option>-n</option></arg><arg><option>-d</option></arg><arg><option>-T</option></arg><arg>-<option>D</option>
+      <replaceable>directory</replaceable> </arg><arg
       rep="repeat"><replaceable>chain</replaceable></arg></arg>
     </cmdsynopsis>
 
@@ -381,6 +385,8 @@
 
       <arg><option>-r</option> <replaceable>root-user-name</replaceable></arg>
 
+      <arg><option>-T</option></arg>
+
       <arg><replaceable>directory</replaceable></arg>
 
       <arg choice="plain"><replaceable>system</replaceable></arg>
@@ -415,6 +421,8 @@
 
       <arg><option>-c</option></arg>
 
+      <arg><option>-T</option></arg>
+
       <arg><replaceable>directory</replaceable></arg>
     </cmdsynopsis>
 
@@ -599,6 +607,8 @@
 
       <arg><option>-c</option></arg>
 
+      <arg><option>-T</option></arg>
+
       <arg><replaceable>directory</replaceable></arg>
     </cmdsynopsis>
 
@@ -1038,6 +1048,10 @@
           <para>If <option>-r</option> is included, it specifies that the root
           user on <replaceable>system</replaceable> is named
           <replaceable>root-user-name</replaceable> rather than "root".</para>
+
+          <para>The <option>-T</option> option was added in Shorewall 4.5.3
+          and causes a Perl stack trace to be included with each
+          compiler-generated error and warning message.</para>
         </listitem>
       </varlistentry>
 
@@ -1113,6 +1127,20 @@
           list or until an entry in the list names another table. Built-in
           chains such as FORWARD may not be refreshed.</para>
 
+          <para>The <option>-n</option> option was added in Shorewall 4.5.3
+          causes Shorewall to avoid updating the routing table(s).</para>
+
+          <para>The <option>-d </option>option was added in Shorewall 4.5.3
+          causes the compiler to run under the Perl debugger.</para>
+
+          <para>The <option>-T</option> option was added in Shorewall 4.5.3
+          and causes a Perl stack trace to be included with each
+          compiler-generated error and warning message.</para>
+
+          <para>The -<option>D</option> option was added in Shorewall 4.5.3
+          and causes Shorewall to look in the given
+          <emphasis>directory</emphasis> first for configuration files.</para>
+
           <para>Example:<programlisting><command>shorewall refresh net2fw nat:net_dnat</command> #Refresh the 'net2loc' chain in the filter table and the 'net_dnat' chain in the nat table</programlisting></para>
 
           <para>The <emphasis role="bold">refresh</emphasis> command has
@@ -1166,6 +1194,10 @@
           <para>If <option>-r</option> is included, it specifies that the root
           user on <replaceable>system</replaceable> is named
           <replaceable>root-user-name</replaceable> rather than "root".</para>
+
+          <para>The <option>-T</option> option was added in Shorewall 4.5.3
+          and causes a Perl stack trace to be included with each
+          compiler-generated error and warning message.</para>
         </listitem>
       </varlistentry>
 
@@ -1210,6 +1242,10 @@
           url="shorewall.conf.html">shorewall.conf</ulink>(5). When both
           <option>-f</option> and <option>-c</option>are present, the result
           is determined by the option that appears last.</para>
+
+          <para>The <option>-T</option> option was added in Shorewall 4.5.3
+          and causes a Perl stack trace to be included with each
+          compiler-generated error and warning message.</para>
         </listitem>
       </varlistentry>
 
@@ -1541,6 +1577,10 @@
           url="shorewall.conf.html">shorewall.conf</ulink>(5). When both
           <option>-f</option> and <option>-c</option>are present, the result
           is determined by the option that appears last.</para>
+
+          <para>The <option>-T</option> option was added in Shorewall 4.5.3
+          and causes a Perl stack trace to be included with each
+          compiler-generated error and warning message.</para>
         </listitem>
       </varlistentry>
 

Shorewall/modules

@@ -16,24 +16,24 @@
 #
 # Essential Modules
 #
-INCLUDE modules.essential
+?INCLUDE modules.essential
 #
 # Other xtables modules
 #
-INCLUDE modules.xtables
+?INCLUDE modules.xtables
 #
 # Helpers
 #
-INCLUDE helpers
+?INCLUDE helpers
 #
 # Ipset
 #
-INCLUDE modules.ipset
+?INCLUDE modules.ipset
 #
 # Traffic Shaping
 #
-INCLUDE modules.tc
+?INCLUDE modules.tc
 #
 # Extensions
 #
-INCLUDE modules.extensions
+?INCLUDE modules.extensions

Shorewall/shorewall

@@ -36,6 +36,7 @@ g_libexec="$LIBEXECDIR"
 g_sharedir="$SHAREDIR"/shorewall
 g_sbindir="$SBINDIR"
 g_perllib="$PERLLIBDIR"
+g_vardir="$VARDIR"
 g_confdir="$CONFDIR"/shorewall
 g_readrc=1
 

Shorewall6-lite/Makefile

@@ -3,9 +3,9 @@ VARDIR=$(shell /sbin/shorewall6-lite show vardir)
 SHAREDIR=/usr/share/shorewall6-lite
 RESTOREFILE?=.restore
 
-all: $(VARDIR)/${RESTOREFILE}
+all: $(VARDIR)/$(RESTOREFILE)
 
-$(VARDIR)/${RESTOREFILE}: $(VARDIR)/firewall
+$(VARDIR)/$(RESTOREFILE): $(VARDIR)/firewall
 	@/sbin/shorewall6-lite -q save >/dev/null; \
 	if \
 	    /sbin/shorewall6-lite -q restart >/dev/null 2>&1; \

Shorewall6-lite/shorewall6-lite

@@ -35,7 +35,7 @@ g_program=shorewall6-lite
 g_libexec="$LIBEXECDIR"
 g_sharedir="$SHAREDIR"/shorewall6-lite
 g_sbindir="$SBINDIR"
-g_perllib="$PERLLIBDIR"
+g_vardir="$VARDIR"
 g_confdir="$CONFDIR"/shorewall6-lite
 g_readrc=1
 

Shorewall6/Makefile

@@ -3,9 +3,9 @@ VARDIR=$(shell /sbin/shorewall6 show vardir)
 CONFDIR=/etc/shorewall6
 RESTOREFILE?=firewall
 
-all: $(VARDIR)/${RESTOREFILE}
+all: $(VARDIR)/$(RESTOREFILE)
 
-$(VARDIR)/${RESTOREFILE}: $(CONFDIR)/*
+$(VARDIR)/$(RESTOREFILE): $(CONFDIR)/*
 	@/sbin/shorewall6 -q save >/dev/null; \
 	if \
 	    /sbin/shorewall6 -q restart >/dev/null 2>&1; \

Shorewall6/Samples6/LICENSE

@@ -55,7 +55,7 @@ modified by someone else and passed on, the recipients should know
 that what they have is not the original version, so that the original
 author's reputation will not be affected by problems that might be
 introduced by others.
-
+
   Finally, software patents pose a constant threat to the existence of
 any free program.  We wish to make sure that a company cannot
 effectively restrict the users of a free program by obtaining a
@@ -111,7 +111,7 @@ modification follow.  Pay close attention to the difference between a
 "work based on the library" and a "work that uses the library".  The
 former contains code derived from the library, whereas the latter must
 be combined with the library in order to run.
-
+
 		  GNU LESSER GENERAL PUBLIC LICENSE
    TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
 
@@ -158,7 +158,7 @@ Library.
   You may charge a fee for the physical act of transferring a copy,
 and you may at your option offer warranty protection in exchange for a
 fee.
-
+
   2. You may modify your copy or copies of the Library or any portion
 of it, thus forming a work based on the Library, and copy and
 distribute such modifications or work under the terms of Section 1
@@ -216,7 +216,7 @@ instead of to this License.  (If a newer version than version 2 of the
 ordinary GNU General Public License has appeared, then you can specify
 that version instead if you wish.)  Do not make any other change in
 these notices.
-
+
   Once this change is made in a given copy, it is irreversible for
 that copy, so the ordinary GNU General Public License applies to all
 subsequent copies and derivative works made from that copy.
@@ -267,7 +267,7 @@ Library will still fall under Section 6.)
 distribute the object code for the work under the terms of Section 6.
 Any executables containing that work also fall under Section 6,
 whether or not they are linked directly with the Library itself.
-
+
   6. As an exception to the Sections above, you may also combine or
 link a "work that uses the Library" with the Library to produce a
 work containing portions of the Library, and distribute that work
@@ -329,7 +329,7 @@ restrictions of other proprietary libraries that do not normally
 accompany the operating system.  Such a contradiction means you cannot
 use both them and the Library together in an executable that you
 distribute.
-
+
   7. You may place library facilities that are a work based on the
 Library side-by-side in a single library together with other library
 facilities not covered by this License, and distribute such a combined
@@ -370,7 +370,7 @@ subject to these terms and conditions.  You may not impose any further
 restrictions on the recipients' exercise of the rights granted herein.
 You are not responsible for enforcing compliance by third parties with
 this License.
-
+
   11. If, as a consequence of a court judgment or allegation of patent
 infringement or for any other reason (not limited to patent issues),
 conditions are imposed on you (whether by court order, agreement or
@@ -422,7 +422,7 @@ conditions either of that version or of any later version published by
 the Free Software Foundation.  If the Library does not specify a
 license version number, you may choose any version ever published by
 the Free Software Foundation.
-
+
   14. If you wish to incorporate parts of the Library into other free
 programs whose distribution conditions are incompatible with these,
 write to the author to ask for permission.  For software which is
@@ -456,7 +456,7 @@ SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
 DAMAGES.
 
 		     END OF TERMS AND CONDITIONS
-
+
            How to Apply These Terms to Your New Libraries
 
   If you develop a new library, and you want it to be of the greatest

Shorewall6/Samples6/Universal/interfaces

@@ -7,7 +7,9 @@
 # http://www.shorewall.net/manpages/shorewall-interfaces.html
 #
 ###############################################################################
-#ZONE	INTERFACE	BROADCAST	OPTIONS
--	lo		-		ignore
-net	all		-		dhcp,physical=+,routeback
+FORMAT 2
+###############################################################################
+#ZONE	INTERFACE	OPTIONS
+-	lo		ignore
+net	all		dhcp,physical=+,routeback
 

Shorewall6/Samples6/Universal/shorewall6.conf

@@ -60,6 +60,8 @@ IP=
 
 IPSET=
 
+LOCKFILE=
+
 MODULESDIR=
 
 PERL=/usr/bin/perl

Shorewall6/Samples6/one-interface/interfaces

@@ -11,5 +11,7 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall6-interfaces"
 ###############################################################################
-#ZONE	INTERFACE	BROADCAST	OPTIONS
-net     eth0            detect          tcpflags
+FORMAT 2
+###############################################################################
+#ZONE	INTERFACE	OPTIONS
+net     eth0            tcpflags

Shorewall6/Samples6/one-interface/shorewall6.conf

@@ -60,6 +60,8 @@ IP=
 
 IPSET=
 
+LOCKFILE=
+
 MODULESDIR=
 
 PERL=/usr/bin/perl

Shorewall6/Samples6/three-interfaces/interfaces

@@ -11,7 +11,9 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall6-interfaces"
 ###############################################################################
-#ZONE	INTERFACE	BROADCAST	OPTIONS
-net     eth0            detect          tcpflags,forward=1
-loc     eth1            detect          tcpflags,forward=1
-dmz     eth2            detect		tcpflags,forward=1
+FORMAT 2
+###############################################################################
+#ZONE	INTERFACE	OPTIONS
+net     eth0            tcpflags,forward=1
+loc     eth1            tcpflags,forward=1
+dmz     eth2            tcpflags,forward=1

Shorewall6/Samples6/three-interfaces/shorewall6.conf

@@ -60,6 +60,8 @@ IP=
 
 IPSET=
 
+LOCKFILE=
+
 MODULESDIR=
 
 PERL=/usr/bin/perl

Shorewall6/Samples6/two-interfaces/interfaces

@@ -11,6 +11,8 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall6-interfaces"
 ###############################################################################
-#ZONE	INTERFACE	BROADCAST	OPTIONS
-net     eth0            detect          tcpflags,forward=1
-loc     eth1            detect          tcpflags,forward=1
+FORMAT 2
+###############################################################################
+#ZONE	INTERFACE	OPTIONS
+net     eth0            tcpflags,forward=1
+loc     eth1            tcpflags,forward=1

Shorewall6/Samples6/two-interfaces/shorewall6.conf

@@ -60,6 +60,8 @@ IP=
 
 IPSET=
 
+LOCKFILE=
+
 MODULESDIR=
 
 PERL=/usr/bin/perl

Shorewall6/configfiles/interfaces

@@ -7,8 +7,6 @@
 # http://www.shorewall.net/manpages6/shorewall6-interfaces.html
 #
 ###############################################################################
-FORMAT 1
-#ZONE	INTERFACE	ANYCAST		OPTIONS
-
 FORMAT 2
+###############################################################################
 #ZONE		INTERFACE		OPTIONS

Shorewall6/configfiles/shorewall6.conf

@@ -60,6 +60,8 @@ IP=
 
 IPSET=
 
+LOCKFILE=
+
 MODULESDIR=
 
 PERL=/usr/bin/perl

Shorewall6/configfiles/tunnels

@@ -7,5 +7,5 @@
 # http://www.shorewall.net/manpages6/shorewall6-tunnels.html
 #
 ###############################################################################
-#TYPE			ZONE	GATEWAY		GATEWAY
-#						ZONE
+#TYPE			ZONE	GATEWAYS			GATEWAY
+#								ZONES

Shorewall6/manpages/shorewall6-blrules.xml

@@ -61,7 +61,31 @@
 
           <variablelist>
             <varlistentry>
-              <term>blacklog</term>
+              <term><emphasis role="bold">BLACKLIST</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.3. This is actually a macro that
+                expands as follows:</para>
+
+                <itemizedlist>
+                  <listitem>
+                    <para>If BLACKLIST_LOGLEVEL is specified in <ulink
+                    url="shorewall6.conf.html">shorewall6.conf</ulink>(5),
+                    then the macro expands to <emphasis
+                    role="bold">blacklog</emphasis>.</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>Otherwise it expands to the action specified for
+                    BLACKLIST_DISPOSITION in <ulink
+                    url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
+                  </listitem>
+                </itemizedlist>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">blacklog</emphasis></term>
 
               <listitem>
                 <para>May only be used if BLACKLIST_LOGLEVEL is specified in

Shorewall6/manpages/shorewall6-interfaces.xml

@@ -27,6 +27,34 @@
     interfaces to shorewall6. The order of entries in this file is not
     significant in determining zone composition.</para>
 
+    <para>Beginning with Shorewall 4.5.3, the interfaces file supports two
+    different formats:</para>
+
+    <variablelist>
+      <varlistentry>
+        <term>FORMAT 1 (default - deprecated)</term>
+
+        <listitem>
+          <para>There is a ANYCAST column which provides compatibility with
+          older versions of Shorewall..</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>FORMAT 2</term>
+
+        <listitem>
+          <para>The BROADCAST column is omitted.</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+
+    <para>The format is specified by a line as follows:</para>
+
+    <blockquote>
+      <para><emphasis role="bold">FORMAT {1|2}</emphasis></para>
+    </blockquote>
+
     <para>The columns in the file are as follows.</para>
 
     <variablelist>
@@ -101,7 +129,8 @@ loc     eth2            -</programlisting>
 
         <listitem>
           <para>Enter '<emphasis role="bold">-'</emphasis> in this column. It
-          is here for compatibility between Shorewall6 and Shorewall.</para>
+          is here for compatibility between Shorewall6 and Shorewall and is
+          omitted if FORMAT is 2.</para>
         </listitem>
       </varlistentry>
 
@@ -438,7 +467,8 @@ loc     eth2            -</programlisting>
 
           <para>Your entries for this setup would look like:</para>
 
-          <programlisting>#ZONE   INTERFACE UNICAST        OPTIONS
+          <programlisting>FORMAT 2
+#ZONE   INTERFACE OPTIONS
 net     eth0      -
 loc     eth1      -
 dmz     eth2      -</programlisting>
@@ -452,8 +482,9 @@ dmz     eth2      -</programlisting>
           <para>You have a bridge with no IP address and you want to allow
           traffic through the bridge.</para>
 
-          <programlisting>#ZONE   INTERFACE BROADCAST        OPTIONS
--       br0       -                routeback</programlisting>
+          <programlisting>FORMAT 2
+#ZONE   INTERFACE        OPTIONS
+-       br0              routeback</programlisting>
         </listitem>
       </varlistentry>
     </variablelist>

Shorewall6/manpages/shorewall6-providers.xml

@@ -87,8 +87,7 @@
           of the value being zero). Otherwise, the value must be between 1 and
           255. Each provider must be assigned a unique mark value. This column
           may be omitted if you don't use packet marking to direct connections
-          to a particular provider and you don't specify
-          <option>track</option> in the OPTIONS column.</para>
+          to a particular provider.</para>
         </listitem>
       </varlistentry>
 
@@ -321,10 +320,9 @@
     <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
     shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
     shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5),
-    shorewall6-policy(5), shorewall6-rtrules(5),
-    shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
-    shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
-    shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5),
-    shorewall6-zones(5)</para>
+    shorewall6-policy(5), shorewall6-rtrules(5), shorewall6-routestopped(5),
+    shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
+    shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
+    shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
   </refsect1>
 </refentry>

Shorewall6/manpages/shorewall6-tcrules.xml

@@ -304,39 +304,6 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
               simply include COMMENT on a line by itself.</para>
             </listitem>
 
-            <listitem>
-              <para><emphasis
-              role="bold">TPROXY</emphasis>(<replaceable>mark</replaceable>[/<replaceable>mask</replaceable>][,[<replaceable>port</replaceable>][,[<replaceable>address</replaceable>]]])</para>
-
-              <para>Transparently redirects a packet without altering the IP
-              header. Requires a local provider to be defined in <ulink
-              url="shorewall6-providers.html">shorewall6-providers</ulink>(5).</para>
-
-              <para>There are three parameters to TPROXY - only the first
-              (mark) is required:</para>
-
-              <itemizedlist>
-                <listitem>
-                  <para><replaceable>mark</replaceable> - the MARK value
-                  corresponding to the local provider in <ulink
-                  url="shorewall6-providers.html">shorewall6-providers</ulink>(5).</para>
-                </listitem>
-
-                <listitem>
-                  <para><replaceable>port</replaceable> - the port on which
-                  the proxy server is listening. If omitted, the original
-                  destination port.</para>
-                </listitem>
-
-                <listitem>
-                  <para><replaceable>address</replaceable> - a local (to the
-                  firewall) IP address on which the proxy server is listening.
-                  If omitted, the IP address of the interface on which the
-                  request arrives.</para>
-                </listitem>
-              </itemizedlist>
-            </listitem>
-
             <listitem>
               <para><emphasis role="bold">HL</emphasis>([<emphasis
               role="bold">-</emphasis>|<emphasis
@@ -416,7 +383,7 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
                   <term>T</term>
 
                   <listitem>
-                    <para>POSTROUTING chain (default).</para>
+                    <para>POSTROUTING chain.</para>
                   </listitem>
                 </varlistentry>
               </variablelist>

Shorewall6/manpages/shorewall6-tunnels.xml

@@ -101,10 +101,10 @@
       </varlistentry>
 
       <varlistentry>
-        <term></term>
+        <term/>
 
         <listitem>
-          <para></para>
+          <para/>
         </listitem>
       </varlistentry>
 
@@ -120,8 +120,9 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">GATEWAY</emphasis> -
-        <emphasis>address-or-range</emphasis></term>
+        <term><emphasis role="bold">GATEWAY</emphasis>S -
+        <emphasis>address-or-range</emphasis> <emphasis role="bold">[ , ...
+        ]</emphasis></term>
 
         <listitem>
           <para>The IP address of the remote tunnel gateway. If the remote
@@ -129,6 +130,11 @@
           as <emphasis role="bold">::/0</emphasis>. May be specified as a
           network address and if your kernel and ip6tables include iprange
           match support then IP address ranges are also allowed.</para>
+
+          <para>Beginning with Shorewall 4.5.3, a list of addresses or ranges
+          may be given. Exclusion (<ulink
+          url="shorewall6-exclusion.html">shorewall6-exclusion</ulink> (5) )
+          is not supported.</para>
         </listitem>
       </varlistentry>
 
@@ -143,7 +149,7 @@
           comma-separated list of the names of the zones that the host might
           be in. This column only applies to IPSEC tunnels where it enables
           ISAKMP traffic to flow through the tunnel to the remote
-          gateway.</para>
+          gateway(s).</para>
         </listitem>
       </varlistentry>
     </variablelist>

Shorewall6/manpages/shorewall6.conf.xml

@@ -82,7 +82,7 @@
         role="bold">none</emphasis>}</term>
 
         <listitem>
-          <para></para>
+          <para/>
         </listitem>
       </varlistentry>
 
@@ -92,7 +92,7 @@
         role="bold">none</emphasis>}</term>
 
         <listitem>
-          <para></para>
+          <para/>
         </listitem>
       </varlistentry>
 
@@ -102,7 +102,7 @@
         role="bold">none</emphasis>}</term>
 
         <listitem>
-          <para></para>
+          <para/>
         </listitem>
       </varlistentry>
 
@@ -112,7 +112,7 @@
         role="bold">none</emphasis>}</term>
 
         <listitem>
-          <para></para>
+          <para/>
         </listitem>
       </varlistentry>
 
@@ -829,6 +829,19 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis
+        role="bold">LOCKFILE</emphasis>=[<emphasis>pathname</emphasis>]</term>
+
+        <listitem>
+          <para>Specifies the name of the Shorewall6 lock file, used to
+          prevent simultaneous state-changing commands. If not specified,
+          ${VARDIR}/shorewall6/lock is assumed (${VARDIR} is normally /var/lib
+          but can be changed when Shorewall-core is installed -- see the
+          output of <command>shorewall6 show vardir</command>).</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis
         role="bold">LOG_VERBOSITY=</emphasis>[<emphasis>number</emphasis>]</term>
@@ -874,7 +887,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
             </listitem>
           </itemizedlist>
 
-          <para></para>
+          <para/>
 
           <blockquote>
             <para>For example, using the default LOGFORMAT, the log prefix for
@@ -891,7 +904,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
               control your firewall after you enable this option.</para>
             </important>
 
-            <para></para>
+            <para/>
 
             <caution>
               <para>Do not use this option if the resulting log messages will
@@ -1462,7 +1475,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
         role="bold">"</emphasis></term>
 
         <listitem>
-          <para></para>
+          <para/>
         </listitem>
       </varlistentry>
 

Shorewall6/manpages/shorewall6.xml

@@ -222,6 +222,8 @@
 
       <arg><option>-r</option> <replaceable>root-user-name</replaceable></arg>
 
+      <arg><option>-T</option></arg>
+
       <arg><replaceable>directory</replaceable></arg>
 
       <arg choice="plain"><replaceable>system</replaceable></arg>
@@ -288,7 +290,9 @@
 
       <arg>-<replaceable>options</replaceable></arg>
 
-      <arg choice="plain"><option>refresh</option><arg
+      <arg
+      choice="plain"><option>refresh</option><arg><option>-n</option></arg><arg><option>-d</option></arg><arg><option>-T</option></arg><arg>-<option>D</option>
+      <replaceable>directory</replaceable> </arg><arg
       rep="repeat"><replaceable>chain</replaceable></arg></arg>
     </cmdsynopsis>
 
@@ -320,6 +324,8 @@
 
       <arg><option>-r</option> <replaceable>root-user-name</replaceable></arg>
 
+      <arg><option>-T</option></arg>
+
       <arg><replaceable>directory</replaceable></arg>
 
       <arg choice="plain"><replaceable>system</replaceable></arg>
@@ -352,6 +358,8 @@
 
       <arg><option>-c</option></arg>
 
+      <arg><option>-T</option></arg>
+
       <arg><replaceable>directory</replaceable></arg>
     </cmdsynopsis>
 
@@ -499,7 +507,11 @@
 
       <arg><option>-n</option></arg>
 
-      <arg><option>-f</option><arg><option>-c</option></arg></arg>
+      <arg><option>-f</option></arg>
+
+      <arg><option>-c</option></arg>
+
+      <arg><option>-T</option></arg>
 
       <arg><replaceable>directory</replaceable></arg>
     </cmdsynopsis>
@@ -906,6 +918,10 @@
           <para>If <option>-r</option> is included, it specifies that the root
           user on <replaceable>system</replaceable> is named
           <replaceable>root-user-name</replaceable> rather than "root".</para>
+
+          <para>The <option>-T</option> option was added in Shorewall 4.5.3
+          and causes a Perl stack trace to be included with each
+          compiler-generated error and warning message.</para>
         </listitem>
       </varlistentry>
 
@@ -983,6 +999,20 @@
           list or until an entry in the list names another table. Built-in
           chains such as FORWARD may not be refreshed.</para>
 
+          <para>The <option>-n</option> option was added in Shorewall 4.5.3
+          causes Shorewall to avoid updating the routing table(s).</para>
+
+          <para>The <option>-d </option>option was added in Shorewall 4.5.3
+          causes the compiler to run under the Perl debugger.</para>
+
+          <para>The <option>-T</option> option was added in Shorewall 4.5.3
+          and causes a Perl stack trace to be included with each
+          compiler-generated error and warning message.</para>
+
+          <para>The -<option>D</option> option was added in Shorewall 4.5.3
+          and causes Shorewall to look in the given
+          <emphasis>directory</emphasis> first for configuration files.</para>
+
           <para>Example:<programlisting><command>shorewall6 refresh net2fw nat:net_dnat</command> #Refresh the 'net2loc' chain in the filter table and the 'net_dnat' chain in the nat table</programlisting></para>
         </listitem>
       </varlistentry>
@@ -1028,12 +1058,16 @@
           <para>If <option>-r</option> is included, it specifies that the root
           user on <replaceable>system</replaceable> is named
           <replaceable>root-user-name</replaceable> rather than "root".</para>
+
+          <para>The <option>-T</option> option was added in Shorewall 4.5.3
+          and causes a Perl stack trace to be included with each
+          compiler-generated error and warning message.</para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
         <term><emphasis role="bold">reset [<replaceable>chain</replaceable>,
-        ...]</emphasis><acronym></acronym></term>
+        ...]</emphasis><acronym/></term>
 
         <listitem>
           <para>Resets the packet and byte counters in the specified
@@ -1075,6 +1109,10 @@
           url="shorewall6.conf.html">shorewall6.conf</ulink>(5). When both
           <option>-f</option> and <option>-c </option>are present, the result
           is determined by the option that appears last.</para>
+
+          <para>The <option>-T</option> option was added in Shorewall 4.5.3
+          and causes a Perl stack trace to be included with each
+          compiler-generated error and warning message.</para>
         </listitem>
       </varlistentry>
 
@@ -1369,6 +1407,10 @@
           url="shorewall6.conf.html">shorewall6.conf</ulink>(5). When both
           <option>-f</option> and <option>-c </option>are present, the result
           is determined by the option that appears last.</para>
+
+          <para>The <option>-T</option> option was added in Shorewall 4.5.3
+          and causes a Perl stack trace to be included with each
+          compiler-generated error and warning message.</para>
         </listitem>
       </varlistentry>
 

Shorewall6/modules

@@ -16,24 +16,24 @@
 #
 # Essential Modules
 #
-INCLUDE modules.essential
+?INCLUDE modules.essential
 #
 # Other xtables modules
 #
-INCLUDE modules.xtables
+?INCLUDE modules.xtables
 #
 # Helpers
 #
-INCLUDE helpers
+?INCLUDE helpers
 #
 # Ipset
 #
-INCLUDE modules.ipset
+?INCLUDE modules.ipset
 #
 # Traffic Shaping
 #
-INCLUDE modules.tc
+?INCLUDE modules.tc
 #
 # Extensions
 #
-INCLUDE modules.extensions
+?INCLUDE modules.extensions

Shorewall6/shorewall6

@@ -36,6 +36,7 @@ g_libexec="$LIBEXECDIR"
 g_sharedir="$SHAREDIR"/shorewall6
 g_sbindir="$SBINDIR"
 g_perllib="$PERLLIBDIR"
+g_vardir="$VARDIR"
 g_confdir="$CONFDIR"/shorewall6
 g_readrc=1
 

docs/FAQ.xml

@@ -1486,8 +1486,11 @@ teastep@ursa:~$ </programlisting>The first number determines the maximum log
 
       <variablelist>
         <varlistentry id="all2all">
-          <term>all2<emphasis>zone</emphasis>, <emphasis>zone</emphasis>2all
-          or all2all</term>
+          <term><emphasis role="bold"><replaceable>zone</replaceable>2all,
+          <replaceable>zone</replaceable>-all,
+          all2<replaceable>zone</replaceable>,
+          all-<replaceable>zone</replaceable>, all2all or
+          all-all</emphasis></term>
 
           <listitem>
             <para>You have a <filename><ulink
@@ -1506,7 +1509,9 @@ teastep@ursa:~$ </programlisting>The first number determines the maximum log
         </varlistentry>
 
         <varlistentry>
-          <term><emphasis>zone</emphasis>12<emphasis>zone2</emphasis></term>
+          <term><emphasis
+          role="bold"><replaceable>zone1</replaceable>2<replaceable>zone2</replaceable>
+          or <replaceable>zone1-zone2</replaceable></emphasis></term>
 
           <listitem>
             <para>Either you have a <ulink
@@ -1520,23 +1525,39 @@ teastep@ursa:~$ </programlisting>The first number determines the maximum log
         </varlistentry>
 
         <varlistentry>
-          <term>@<emphasis>source</emphasis>2<emphasis>dest</emphasis></term>
+          <term><emphasis
+          role="bold">@<replaceable>zone1</replaceable>2<replaceable>zone2</replaceable>
+          or
+          @<replaceable>zone1</replaceable>-<replaceable>zone2</replaceable></emphasis></term>
 
           <listitem>
             <para>You have a policy for traffic from
-            <emphasis>source</emphasis> to <emphasis>dest</emphasis> that
-            specifies TCP connection rate limiting (value in the LIMIT:BURST
-            column). The logged packet exceeds that limit and was dropped.
-            Note that these log messages themselves are severely rate-limited
-            so that a syn-flood won't generate a secondary DOS because of
-            excessive log message. These log messages were added in Shorewall
-            2.2.0 Beta 7.</para>
+            <replaceable>zone1</replaceable> to
+            <replaceable>zone2</replaceable> that specifies TCP connection
+            rate limiting (value in the LIMIT:BURST column). The logged packet
+            exceeds that limit and was dropped. Note that these log messages
+            themselves are severely rate-limited so that a syn-flood won't
+            generate a secondary DOS because of excessive log message. These
+            log messages were added in Shorewall 2.2.0 Beta 7.</para>
           </listitem>
         </varlistentry>
 
         <varlistentry>
-          <term><emphasis>interface</emphasis>_mac or
-          <emphasis>interface</emphasis>_rec</term>
+          <term><emphasis
+          role="bold"><replaceable>zone1</replaceable>2<replaceable>zone2</replaceable>~,
+          <replaceable>zone1</replaceable>-<replaceable>zone2</replaceable>~
+          or ~blacklist<replaceable>nn</replaceable></emphasis></term>
+
+          <listitem>
+            <para>These are the result of entries in the <ulink
+            url="manpages/shorewall-blrules.html">/etc/shorewall/blrules</ulink>
+            file.</para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term><emphasis role="bold"><emphasis>interface</emphasis>_mac or
+          <emphasis>interface</emphasis>_rec</emphasis></term>
 
           <listitem>
             <para>The packet is being logged under the <emphasis
@@ -1547,7 +1568,7 @@ teastep@ursa:~$ </programlisting>The first number determines the maximum log
         </varlistentry>
 
         <varlistentry>
-          <term>blacklist</term>
+          <term><emphasis role="bold">blacklist</emphasis></term>
 
           <listitem>
             <para>The packet is being logged because the source IP is
@@ -1558,7 +1579,7 @@ teastep@ursa:~$ </programlisting>The first number determines the maximum log
         </varlistentry>
 
         <varlistentry>
-          <term>INPUT or FORWARD</term>
+          <term><emphasis role="bold">INPUT or FORWARD</emphasis></term>
 
           <listitem>
             <para>The packet has a source IP address that isn't in any of your
@@ -1585,7 +1606,7 @@ teastep@ursa:~$ </programlisting>The first number determines the maximum log
         </varlistentry>
 
         <varlistentry>
-          <term>OUTPUT</term>
+          <term><emphasis role="bold">OUTPUT</emphasis></term>
 
           <listitem>
             <para>The packet has a destination IP address that isn't in any of
@@ -1600,7 +1621,7 @@ teastep@ursa:~$ </programlisting>The first number determines the maximum log
         </varlistentry>
 
         <varlistentry>
-          <term>logflags</term>
+          <term><emphasis role="bold">logflags</emphasis></term>
 
           <listitem>
             <para>The packet is being logged because it failed the checks
@@ -1611,7 +1632,7 @@ teastep@ursa:~$ </programlisting>The first number determines the maximum log
         </varlistentry>
 
         <varlistentry>
-          <term>sfilter</term>
+          <term><emphasis role="bold">sfilter</emphasis></term>
 
           <listitem>
             <para>On systems running Shorewall 4.4.20 or later, either the

docs/MultiISP.xml

@@ -50,7 +50,7 @@
 
   <warning>
     <para>This document describes the Multi-ISP facility in <emphasis
-    role="bold">Shorewall 4.5.0 and later</emphasis>. If you are running an
+    role="bold">Shorewall 4.4.26 and later</emphasis>. If you are running an
     earlier release, please see the documentation for that release.</para>
   </warning>
 
@@ -251,25 +251,25 @@
 
                 <itemizedlist>
                   <listitem>
-                    <para>These mark values must be a multiple of 256 in the
-                    range 256-65280 (hex equivalent 0x100 - 0xFF00 with the
+                    <para>With HIGH_ROUTE_MARKS=Yes (PROVIDER_OFFSET=8), these
+                    mark values must be a multiple of 256 in the range
+                    256-65280 (hex equivalent 0x100 - 0xFF00 with the
                     low-order 8 bits being zero); or</para>
                   </listitem>
 
                   <listitem>
                     <para>Set WIDE_TC_MARKS=Yes in <ulink
                     url="manpages/shorewall.conf.html">shorewall.conf
-                    </ulink>(5) and use mark values in the range 0x10000 -
-                    0xFF0000 with the low-order 16 bits being zero.</para>
+                    </ulink>(5) (PROVIDER_OFFSET=16), and use mark values in
+                    the range 0x10000 - 0xFF0000 with the low-order 16 bits
+                    being zero.</para>
                   </listitem>
                 </itemizedlist>
               </listitem>
             </itemizedlist>
 
             <para>This column may be omitted if you don´t use packet marking
-            to direct connections to a particular provider and you don´t
-            specify <emphasis role="bold">track</emphasis> in the OPTIONS
-            column.</para>
+            to direct connections to a particular provider.</para>
           </listitem>
         </varlistentry>
 
@@ -417,27 +417,6 @@
                         url="FAQ.htm#faq58">FAQ 58</ulink>.</para>
                       </note></para>
                   </important>
-
-                  <important>
-                    <para>If you specify <emphasis
-                    role="bold">balance</emphasis> and still find that all
-                    traffic is going out through only one provider, you may
-                    need to install a kernel built with
-                    CONFIG_IP_ROUTE_MULTIPATH_CACHED=n. Several users have
-                    reported that this change has corrected similar
-                    problems.</para>
-
-                    <para>The SuSE 10.0 kernel is subject to this problem, and
-                    <ulink
-                    url="https://bugzilla.novell.com/show_bug.cgi?id=190908">
-                    a kernel oops may result in this circumstance.</ulink>
-                    SUSE 10.1 and SLES 10 have
-                    CONFIG_IP_ROUTE_MULTIPATH_CACHED=n set by default. The
-                    source of the problem seems to be <ulink
-                    url="http://news.gmane.org/find-root.php?message_id=%3c00da01c5b35a%24b12b9860%241b00a8c0%40cruncher%3e">an
-                    incompatibility between the LARTC patches and
-                    CONFIG_IP_ROUTE_MULTIPATH_CACHED.</ulink></para>
-                  </important>
                 </listitem>
               </varlistentry>
 
@@ -1343,6 +1322,133 @@ shorewall     2    2    -        eth0    192.168.1.254 track,balance=2,optional<
 999:    from all lookup main 
 10000:  from all fwmark 0x100 lookup ISP1 
 10001:  from all fwmark 0x200 lookup ISP2</programlisting>
+
+      <section>
+        <title>DHCP with USE_DEFAULT_RT</title>
+
+        <para>When USE_DEFAULT_RT=Yes, you don't want your DHCP client
+        inserting a default route into the main routing table.</para>
+
+        <section>
+          <title>Debian</title>
+
+          <para>In this Debian-specific example, eth0 is managed by
+          dhcpcd.</para>
+
+          <para><filename>/etc/default/dhcpcd</filename>:</para>
+
+          <programlisting># Config file for dhcpcd. Note that you have to edit the interface
+# name below, or duplicate the configuration for different interfaces.
+# If you are editing this file just to get DNS servers set by DHCP,
+# then you should consider installing the resolvconf package instead.
+
+case ${INTERFACE} in
+<emphasis role="bold">eth0</emphasis>) 
+
+# Uncomment this to allow dhcpcd to set the DNS servers in /etc/resolv.conf
+# If you are using resolvconf then you can leave this commented out.
+#SET_DNS='yes'
+
+# Uncomment this to allow dhcpcd to set hostname of the host to the
+# hostname option supplied by DHCP server.
+#SET_HOSTNAME='yes'
+
+# Uncomment this to allow dhcpcd to set the NTP servers in /etc/ntp.conf
+#SET_NTP='yes'
+
+# Uncomment this to allow dhcpcd to set the YP servers in /etc/yp.conf
+#SET_YP='yes'
+
+# Add other options here, see man 8 dhcpcd-bin for details.
+OPTIONS=(<emphasis role="bold">--nogateway</emphasis> --nodns --nontp <emphasis
+              role="bold">--script /etc/shorewall/dhcpcd.sh</emphasis>)
+;;
+
+# Add other interfaces here
+*)
+;;
+
+esac
+</programlisting>
+
+          <para><filename>/etc/shorewall/start</filename>:</para>
+
+          <programlisting>cat &lt;&lt;EOF &gt; /var/lib/shorewall/eth0.info
+ETH0_GATEWAY=$SW_ETH0_GATEWAY
+ETH0_ADDRESS=$SW_ETH0_ADDRESS
+EOF</programlisting>
+
+          <para><filename>/etc/shorewall/dhcpd.sh</filename>:</para>
+
+          <programlisting>#!/bin/sh
+
+if [ $2 != down ]; then
+    if [ -f /var/lib/dhcpcd/dhcpcd-eth0.info ]; then
+        . /var/lib/dhcpcd/dhcpcd-eth0.info
+    else
+        logger -p daemon.err "/var/lib/dhcpcd/dhcpcd-eth0.info does not exist!"
+        exit 1
+    fi
+
+    logger -p daemon.info "DHCP-assigned address/gateway for eth0 is $IPADDR/$GATEWAYS"
+
+    [ -f /var/lib/shorewall/eth0.info ] &amp;&amp; . /var/lib/shorewall/eth0.info
+    
+    if [ "$GATEWAYS" != "$ETH0_GATEWAY" -o "$IPADDR" != "$ETH0_ADDRESS" ]; then
+        logger -p daemon.info "eth0 IP configuration changed - restarting lsm and Shorewall"
+        killall lsm
+        /sbin/shorewall restart
+    fi
+fi
+</programlisting>
+
+          <para>A couple of things to notice about
+          <filename>/etc/shorewall/dhcpcd.sh</filename>:</para>
+
+          <itemizedlist>
+            <listitem>
+              <para>It is hard-coded for eth0</para>
+            </listitem>
+
+            <listitem>
+              <para>It assumes the use of <link linkend="lsm">LSM</link>; If
+              you aren't using lSM, you can change the log message and remove
+              the 'killall lsm'</para>
+            </listitem>
+
+            <listitem>
+              <para>It restarts Shorewall if the current IPv4 address of eth0
+              and the gateway through eth0 are not the same as they were when
+              Shorewall was last started.</para>
+            </listitem>
+          </itemizedlist>
+        </section>
+
+        <section>
+          <title>RedHat and Derivatives</title>
+
+          <para>On Redhat-based systems, specify DEFROUTE=No in the device's
+          ifcfg file.</para>
+
+          <para><filename>/etc/sysconfig/networking/network-scripts/ifcfg-eth2</filename>:</para>
+
+          <programlisting>BOOTPROTO=dhcp
+<emphasis role="bold">PERSISTENT_DHCLIENT=yes</emphasis>
+PEERDNS=no
+PEERNTP=no
+<emphasis role="bold">DEFROUTE=no</emphasis>
+DHCLIENTARGS="-nc"
+DEVICE=eth2
+ONBOOT=yes</programlisting>
+        </section>
+
+        <section>
+          <title>SuSE and Derivatives</title>
+
+          <para>On these systems, set DHCLIENT_SET_DEFAULT_ROUTE=No in the
+          device's ifcfg file.</para>
+        </section>
+      </section>
     </section>
 
     <section id="load">

docs/Shorewall-perl.xml

@@ -182,7 +182,7 @@
 
                   <entry>init</entry>
 
-                  <entry></entry>
+                  <entry/>
                 </row>
 
                 <row>
@@ -191,39 +191,39 @@
 
                   <entry>start</entry>
 
-                  <entry></entry>
+                  <entry/>
                 </row>
 
                 <row>
-                  <entry></entry>
+                  <entry/>
 
                   <entry>started</entry>
 
-                  <entry></entry>
+                  <entry/>
                 </row>
 
                 <row>
-                  <entry></entry>
+                  <entry/>
 
                   <entry>stop</entry>
 
-                  <entry></entry>
+                  <entry/>
                 </row>
 
                 <row>
-                  <entry></entry>
+                  <entry/>
 
                   <entry>stopped</entry>
 
-                  <entry></entry>
+                  <entry/>
                 </row>
 
                 <row>
-                  <entry></entry>
+                  <entry/>
 
                   <entry>tcclear</entry>
 
-                  <entry></entry>
+                  <entry/>
                 </row>
               </tbody>
             </tgroup>
@@ -821,6 +821,14 @@ DNAT-              net                192.168.1.3      tcp          21</programl
       <para>Added in Shorewall 4.4.26. Search path for configuration
       files.</para>
 
+      <simplelist>
+        <member><emphasis
+        role="bold">--shorewallrc=<replaceable>path</replaceable></emphasis></member>
+      </simplelist>
+
+      <para>Added in Shorewall 4.5.1. Specifies the location of the
+      <filename>shorewallrc</filename> file.</para>
+
       <para>Example (compiles the configuration in the current directory
       generating a script named 'firewall' and using VERBOSITY
       2).<programlisting><emphasis role="bold">/usr/share/shorewall/compiler.pl -v 2 -d . firewall</emphasis></programlisting><note>
@@ -965,6 +973,15 @@ set +a
             for input files.</para>
           </listitem>
         </varlistentry>
+
+        <varlistentry>
+          <term>shorewallrc</term>
+
+          <listitem>
+            <para>Pathname of the shorewallrc file. Added in Shorewall
+            4.5.1.</para>
+          </listitem>
+        </varlistentry>
       </variablelist>
 
       <para>Those parameters that are supplied must have defined values.
@@ -998,7 +1015,9 @@ set +a
           <member>config_path: Contents of
           <filename>/var/lib/shorewall/configpath</filename> or
           <filename>/var/lib/shorewall6/configpath</filename> depending on the
-          setting of <emphasis role="bold">family</emphasis>. </member>
+          setting of <emphasis role="bold">family</emphasis>.</member>
+
+          <member>shorewallrc: ''.</member>
         </simplelist></para>
 
       <para>Example: <programlisting>use lib '/usr/share/shorewall/';
@@ -1035,7 +1054,7 @@ my $chainref7 = $filter_table{$name};</programlisting>Shorewall::Chains is
       (<filename>/usr/share/shorewall-perl/Shorewall/Chains.pm</filename>).</para>
 
       <para>The module export the chain table along with three hash references
-      into the table:<literal></literal></para>
+      into the table:<literal/></para>
 
       <variablelist>
         <varlistentry>

docs/Shorewall_Squid_Usage.xml

@@ -308,40 +308,4 @@ ACCEPT    loc      $FW    tcp      8080
 ACCEPT    $FW      net    tcp      80,443</programlisting></para>
     </example>
   </section>
-
-  <section id="TPROXY">
-    <title>Transparent with TPROXY</title>
-
-    <para>Shorewall 4.4.7 contains support for TPROXY. TPROXY differs from
-    REDIRECT in that it does not modify the IP header. Because the IP header
-    stays intact, TPROXY requires policy routing to direct the packets to the
-    proxy server running on the firewall. This approach requires TPROXY
-    support in your kernel and iptables and Squid 3. See <ulink
-    url="http://wiki.squid-cache.org/Features/Tproxy4">http://wiki.squid-cache.org/Features/Tproxy4</ulink>.</para>
-
-    <para>The following configuration works with Squid running on the firewall
-    itself (assume that Squid is listening on port 3128).</para>
-
-    <para><filename>/etc/shorewall/interfaces:</filename></para>
-
-    <programlisting>#ZONE        INTERFACE        BROADCAST         OPTIONS
--            lo               -                 -</programlisting>
-
-    <para><filename>/etc/shorewall/providers</filename>:</para>
-
-    <programlisting>#NAME   NUMBER   MARK    DUPLICATE  INTERFACE  GATEWAY         OPTIONS               COPY
-Tproxy    1        1        -           lo        -            local</programlisting>
-
-    <para><filename>/etc/shorewall/tcrules</filename> (assume loc interface is
-    eth1):</para>
-
-    <programlisting>MARK            SOURCE      DEST        PROTO      PORT(S)
-TPROXY(1,3128)  eth1        0.0.0.0/0   tcp        80</programlisting>
-
-    <para>/etc/shorewall/rules:</para>
-
-    <programlisting>#ACTION   SOURCE   DEST   PROTO   DEST PORT(S)
-ACCEPT    loc      $FW    tcp     80
-ACCEPT    $FW      net    tcp     80</programlisting>
-  </section>
 </article>

docs/configuration_file_basics.xml

@@ -18,7 +18,7 @@
     <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
 
     <copyright>
-      <year>2001-2011</year>
+      <year>2001-2012</year>
 
       <holder>Thomas M. Eastep</holder>
     </copyright>
@@ -705,7 +705,9 @@ ACCEPT      net:\
           <row>
             <entry>tcrules</entry>
 
-            <entry>mark,source,dest,proto,dport,sport,user,test,length,tos,connbytes,helper,headers</entry>
+            <entry>mark,source,dest,proto,dport,sport,user,test,length,tos,connbytes,helper,headers.
+            Beginning with Shorewall 4.5.3, 'action' is a synonym for
+            'mark'.</entry>
           </row>
 
           <row>
@@ -717,7 +719,8 @@ ACCEPT      net:\
           <row>
             <entry>tunnels</entry>
 
-            <entry>type,zone,gateway,gateway_zone</entry>
+            <entry>type,zone,gateway,gateway_zone. Beginning with Shorewall
+            4.5.3, 'gateways' is a synonym for 'gateway'.</entry>
           </row>
 
           <row>
@@ -2326,7 +2329,8 @@ Comcast 2        0x20000 main       <emphasis role="bold">COM_IF</emphasis>
     </itemizedlist>
 
     <para>If you don't want the firewall to start unless a given interface is
-    usable, then specify required in the OPTIONS column of <ulink
+    usable, then specify <emphasis role="bold">required</emphasis> in the
+    OPTIONS column of <ulink
     url="manpages/shorewall-interfaces.html">shorewall-interfaces</ulink> (5).
     If you have installed and configured the Shorewall-init package, then when
     the interface becomes available, an automatic attempt will be made to