Correct allowInvalid and dropInvalid

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/configure

@@ -76,14 +76,11 @@ for p in $@; do
 		    pn=HOST
 		    ;;
 		SHAREDSTATEDIR)
-		    pn=VARDIR
+		    pn=VARLIB
 		    ;;
 		DATADIR)
 		    pn=SHAREDIR
 		    ;;
-		SYSCONFDIR)
-		    pn=CONFDIR
-		    ;;
 	    esac
 
 	    params[${pn}]="${pv}"
@@ -132,7 +129,7 @@ if [ -z "$vendor" ]; then
 
     vendor=${params[HOST]}
 elif [ $vendor = linux ]; then
-    rcfile=$shorewallrc.default;
+    rcfile=shorewallrc.default;
 else
     rcfile=shorewallrc.$vendor
     if [ ! -f $rcfile ]; then
@@ -164,6 +161,17 @@ if [ $# -gt 0 ]; then
     echo '#'           >> shorewallrc
 fi
 
+if [ -n "${options[VARLIB]}" ]; then
+    if [ -z "${options[VARDIR]}" ]; then
+	options[VARDIR]='${VARLIB}/${PRODUCT}'
+    fi
+elif [ -n "${options[VARDIR]}" ]; then
+    if [ -z "{$options[VARLIB]}" ]; then
+	options[VARLIB]=${options[VARDIR]}
+	options[VARDIR]='${VARLIB}/${PRODUCT}'
+    fi
+fi
+
 for on in \
     HOST \
     PREFIX \
@@ -183,6 +191,7 @@ for on in \
     SYSCONFDIR \
     SPARSE \
     ANNOTATED \
+    VARLIB \
     VARDIR
 do
     echo "$on=${options[${on}]}"

Shorewall-core/configure.pl

@@ -38,9 +38,8 @@ my %params;
 my %options;
 
 my %aliases = ( VENDOR         => 'HOST',
-		SHAREDSTATEDIR => 'VARDIR',
+		SHAREDSTATEDIR => 'VARLIB',
-		DATADIR        => 'SHAREDIR',
+		DATADIR        => 'SHAREDIR' );
-		SYSCONFDIR     => 'CONFDIR' );
 
 for ( @ARGV ) {
     die "ERROR: Invalid option specification ( $_ )" unless /^(?:--)?(\w+)=(.*)$/;
@@ -124,6 +123,15 @@ printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s %2d
 
 print  $outfile "# Input: @ARGV\n#\n" if @ARGV;
 
+if ( $options{VARLIB} ) {
+    unless ( $options{VARDIR} ) {
+	$options{VARDIR} = '${VARLIB}/${PRODUCT}';
+    }
+} elsif ( $options{VARDIR} ) {
+    $options{VARLIB} = $options{VARDIR};
+    $options{VARDIR} = '${VARLIB}/${PRODUCT}';
+}
+
 for ( qw/ HOST
 	  PREFIX
 	  SHAREDIR
@@ -142,6 +150,7 @@ for ( qw/ HOST
 	  SYSCONFDIR
 	  SPARSE
 	  ANNOTATED
+	  VARLIB
 	  VARDIR / ) {
 
     my $val = $options{$_} || '';

Shorewall-core/install.sh

@@ -164,7 +164,18 @@ else
     usage 1
 fi
 
-for var in SHAREDIR LIBEXECDIR PERLLIBDIR CONFDIR SBINDIR VARDIR; do
+update=0
+
+if [ -z "${VARLIB}" ]; then
+    VARLIB=${VARDIR}
+    VARDIR="${VARLIB}/${PRODUCT}"
+    update=1
+elif [ -z "${VARDIR}" ]; then
+    VARDIR="${VARLIB}/${PRODUCT}"
+    update=2
+fi
+
+for var in SHAREDIR LIBEXECDIR PERLLIBDIR CONFDIR SBINDIR VARLIB VARDIR; do
     require $var
 done
 
@@ -346,9 +357,25 @@ ln -sf lib.base ${DESTDIR}${SHAREDIR}/shorewall/functions
 echo "$VERSION" > ${DESTDIR}${SHAREDIR}/shorewall/coreversion
 chmod 644 ${DESTDIR}${SHAREDIR}/shorewall/coreversion
 
-[ $file != "${SHAREDIR}/shorewall/shorewallrc" ] && cp $file ${DESTDIR}${SHAREDIR}/shorewall/shorewallrc
+if [ -z "${DESTDIR}" ]; then
+    if [ $update -ne 0 ]; then
+	echo "Updating $file - original saved in $file.bak"
 
-[ -z "${DESTDIR}" ] && [ ! -f ~/.shorewallrc ] && cp ${SHAREDIR}/shorewall/shorewallrc ~/.shorewallrc
+	cp $file $file.bak
+
+	echo '#'                                             >> $file
+	echo "# Updated by Shorewall-core $VERSION -" `date` >> $file
+	echo '#'                                             >> $file
+
+	[ $update -eq 1 ] && sed -i 's/VARDIR/VARLIB/' $file
+
+	echo 'VARDIR=${VARLIB}/${PRODUCT}' >> $file
+    fi
+
+    [ ! -f ~/.shorewallrc ] && cp ${SHAREDIR}/shorewall/shorewallrc ~/.shorewallrc
+fi
+
+[ $file != "${DESTDIR}${SHAREDIR}/shorewall/shorewallrc" ] && cp $file ${DESTDIR}${SHAREDIR}/shorewall/shorewallrc
 
 if [ ${SHAREDIR} != /usr/share ]; then
     for f in lib.*; do

Shorewall-core/lib.base

@@ -20,15 +20,11 @@
 #	along with this program; if not, write to the Free Software
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-# This library contains the code common to all Shorewall components.
+# This library contains the code common to all Shorewall components except the
-#
+# generated scripts.
-# - It is loaded by /sbin/shorewall.
-# - It is released as part of Shorewall[6] Lite where it is used by /sbin/shorewall[6]-lite
-#   and /usr/share/shorewall[6]-lite/shorecap.
 #
 
-SHOREWALL_LIBVERSION=40502
+SHOREWALL_LIBVERSION=40509
-SHOREWALL_CAPVERSION=40504
 
 [ -n "${g_program:=shorewall}" ]
 
@@ -38,11 +34,7 @@ if [ -z "$g_readrc" ]; then
     #
     . /usr/share/shorewall/shorewallrc
 
-    g_libexec="$LIBEXECDIR"
     g_sharedir="$SHAREDIR"/$g_program
-    g_sbindir="$SBINDIR"
-    g_perllib="$PERLLIBDIR"
-    g_vardir="$VARDIR"
     g_confdir="$CONFDIR"/$g_program
     g_readrc=1
 fi
@@ -53,13 +45,13 @@ case $g_program in
     shorewall)
 	g_product="Shorewall"
 	g_family=4
-	g_tool=
+	g_tool=iptables
 	g_lite=
 	;;
     shorewall6)
 	g_product="Shorewall6"
 	g_family=6
-	g_tool=
+	g_tool=ip6tables
 	g_lite=
 	;;
     shorewall-lite)
@@ -76,7 +68,12 @@ case $g_program in
 	;;
 esac
 
-VARDIR=${VARDIR}/${g_program}
+if [ -z "${VARLIB}" ]; then
+    VARLIB=${VARDIR}
+    VARDIR=${VARLIB}/$g_program
+elif [ -z "${VARDIR}" ]; then
+    VARDIR="${VARLIB}/${PRODUCT}"
+fi
 
 #
 # Conditionally produce message
@@ -130,71 +127,6 @@ combine_list()
     echo $o
 }
 
-#
-# Call this function to assert mutual exclusion with Shorewall. If you invoke the
-# /sbin/shorewall program while holding mutual exclusion, you should pass "nolock" as
-# the first argument. Example "shorewall nolock refresh"
-#
-# This function uses the lockfile utility from procmail if it exists.
-# Otherwise, it uses a somewhat race-prone algorithm to attempt to simulate the
-# behavior of lockfile.
-#
-mutex_on()
-{
-    local try
-    try=0
-    local lockf
-    lockf=${LOCKFILE:=${VARDIR}/lock}
-    local lockpid
-
-    MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60}
-
-    if [ $MUTEX_TIMEOUT -gt 0 ]; then
-
-	[ -d ${VARDIR} ] || mkdir -p ${VARDIR}
-
-	if [ -f $lockf ]; then
-	    lockpid=`cat ${lockf} 2> /dev/null`
-	    if [ -z "$lockpid" -o $lockpid = 0 ]; then
-		rm -f ${lockf}
-		error_message "WARNING: Stale lockfile ${lockf} removed"
-	    elif ! qt ps p ${lockpid}; then
-		rm -f ${lockf}
-		error_message "WARNING: Stale lockfile ${lockf} from pid ${lockpid} removed"
-	    fi
-	fi
-
-	if qt mywhich lockfile; then
-	    lockfile -${MUTEX_TIMEOUT} -r1 ${lockf}
-	    chmod u+w ${lockf}
-	    echo $$ > ${lockf}
-	    chmod u-w ${lockf}
-	else
-	    while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
-		sleep 1
-		try=$((${try} + 1))
-	    done
-
-	    if  [ ${try} -lt ${MUTEX_TIMEOUT} ] ; then
-	        # Create the lockfile
-		echo $$ > ${lockf}
-	    else
-		echo "Giving up on lock file ${lockf}" >&2
-	    fi
-	fi
-    fi
-}
-
-#
-# Call this function to release mutual exclusion
-#
-mutex_off()
-{
-    rm -f ${LOCKFILE:=${VARDIR}/lock}
-}
-
-[ -z "$LEFTSHIFT" ] && . ${g_basedir}/lib.common
-
 #
 # Validate an IP address
 #
@@ -323,6 +255,8 @@ ip_range_explicit() {
     done
 }
 
+[ -z "$LEFTSHIFT" ] && . ${g_basedir}/lib.common
+
 #
 # Netmask to VLSM
 #

Shorewall-core/lib.common

@@ -84,7 +84,7 @@ get_script_version() { # $1 = script
 
     temp=$( $SHOREWALL_SHELL $1 version | tail -n 1 | sed 's/-.*//' )
 
-    if [ $? -ne 0 ]; then
+    if [ -z "$temp" ]; then
 	version=0
     else
 	ifs=$IFS
@@ -717,3 +717,69 @@ truncate() # $1 = length
 {
     cut -b -${1}
 }
+
+#
+# Call this function to assert mutual exclusion with Shorewall. If you invoke the
+# /sbin/shorewall program while holding mutual exclusion, you should pass "nolock" as
+# the first argument. Example "shorewall nolock refresh"
+#
+# This function uses the lockfile utility from procmail if it exists.
+# Otherwise, it uses a somewhat race-prone algorithm to attempt to simulate the
+# behavior of lockfile.
+#
+mutex_on()
+{
+    local try
+    try=0
+    local lockf
+    lockf=${LOCKFILE:=${VARDIR}/lock}
+    local lockpid
+
+    MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60}
+
+    if [ $MUTEX_TIMEOUT -gt 0 ]; then
+
+	[ -d ${VARDIR} ] || mkdir -p ${VARDIR}
+
+	if [ -f $lockf ]; then
+	    lockpid=`cat ${lockf} 2> /dev/null`
+	    if [ -z "$lockpid" -o $lockpid = 0 ]; then
+		rm -f ${lockf}
+		error_message "WARNING: Stale lockfile ${lockf} removed"
+	    elif [ $lockpid -eq $$ ]; then
+                return 0
+	    elif ! qt ps p ${lockpid}; then
+		rm -f ${lockf}
+		error_message "WARNING: Stale lockfile ${lockf} from pid ${lockpid} removed"
+	    fi
+	fi
+
+	if qt mywhich lockfile; then
+	    lockfile -${MUTEX_TIMEOUT} -r1 ${lockf}
+	    chmod u+w ${lockf}
+	    echo $$ > ${lockf}
+	    chmod u-w ${lockf}
+	else
+	    while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
+		sleep 1
+		try=$((${try} + 1))
+	    done
+
+	    if  [ ${try} -lt ${MUTEX_TIMEOUT} ] ; then
+	        # Create the lockfile
+		echo $$ > ${lockf}
+	    else
+		echo "Giving up on lock file ${lockf}" >&2
+	    fi
+	fi
+    fi
+}
+
+#
+# Call this function to release mutual exclusion
+#
+mutex_off()
+{
+    rm -f ${LOCKFILE:=${VARDIR}/lock}
+}
+

Shorewall-core/shorewallrc.apple

@@ -17,4 +17,4 @@ ANNOTATED=                             #Unused on OS X
 SYSTEMD=                               #Unused on OS X
 SYSCONFDIR=                            #Unused on OS X
 SPARSE=Yes                             #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
-VARDIR=/var/lib                        #Unused on OS X
+VARLIB=/var/lib                        #Unused on OS X

Shorewall-core/shorewallrc.archlinux

@@ -1,20 +1,21 @@
 #
-# Archlinux Shorewall 4.5 rc file
+# Arch Linux Shorewall 4.5 rc file
 #
-BUILD=archlinux
+BUILD=                                 #Default is to detect the build system
 HOST=archlinux
 PREFIX=/usr                            #Top-level directory for shared files, libraries, etc.
 SHAREDIR=${PREFIX}/share               #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/share             #Directory for executable scripts.
 PERLLIBDIR=${PREFIX}/share/shorewall   #Directory to install Shorewall Perl module directory
 CONFDIR=/etc                           #Directory where subsystem configurations are installed
-SBINDIR=/sbin                          #Directory where system administration programs are installed
+SBINDIR=/usr/sbin                      #Directory where system administration programs are installed
 MANDIR=${SHAREDIR}/man                 #Directory where manpages are installed.
-INITDIR=/etc/rc.d                      #Directory where SysV init scripts are installed.
+INITDIR=                               #Directory where SysV init scripts are installed.
-INITFILE=$PRODUCT                      #Name of the product's installed SysV init script
+INITFILE=                              #Name of the product's installed SysV init script
-INITSOURCE=init.sh                     #Name of the distributed file to be installed as the SysV init script
+INITSOURCE=                            #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                             #If non-zero, annotated configuration files are installed
 SYSCONFDIR=                            #Directory where SysV init parameter files are installed
-SYSTEMD=                               #Directory where .service files are installed (systems running systemd only)
+SYSTEMD=/usr/lib/systemd/system        #Directory where .service files are installed (systems running systemd only)
 SPARSE=                                #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
-VARDIR=/var/lib                        #Directory where product variable data is stored.
+VARLIB=/var/lib                        #Directory where product variable data is stored.
+VARDIR=${VARLIB}/$PRODUCT              #Directory where product variable data is stored.

Shorewall-core/shorewallrc.cygwin

@@ -17,4 +17,4 @@ ANNOTATED=                            #Unused on Cygwin
 SYSTEMD=                              #Unused on Cygwin
 SYSCONFDIR=                           #Unused on Cygwin
 SPARSE=Yes                            #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
-VARDIR=/var/lib                       #Unused on Cygwin
+VARLIB=/var/lib                       #Unused on Cygwin

Shorewall-core/shorewallrc.debian

@@ -18,4 +18,5 @@ SYSCONFFILE=default.debian              #Name of the distributed file to be inst
 SYSCONFDIR=/etc/default                 #Directory where SysV init parameter files are installed
 SYSTEMD=                                #Directory where .service files are installed (systems running systemd only)
 SPARSE=Yes                              #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
-VARDIR=/var/lib                         #Directory where product variable data is stored.
+VARLIB=/var/lib                         #Directory where product variable data is stored.
+VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.

Shorewall-core/shorewallrc.default

@@ -10,7 +10,7 @@ PERLLIBDIR=${PREFIX}/share/shorewall    #Directory to install Shorewall Perl mod
 CONFDIR=/etc                            #Directory where subsystem configurations are installed
 SBINDIR=/sbin                           #Directory where system administration programs are installed
 MANDIR=${PREFIX}/man                    #Directory where manpages are installed.
-INITDIR=etc/init.d                      #Directory where SysV init scripts are installed.
+INITDIR=/etc/init.d                     #Directory where SysV init scripts are installed.
 INITFILE=$PRODUCT                       #Name of the product's installed SysV init script
 INITSOURCE=init.sh                      #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                              #If non-zero, annotated configuration files are installed
@@ -18,4 +18,5 @@ SYSTEMD=                                #Directory where .service files are inst
 SYSCONFFILE=                            #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=                             #Directory where SysV init parameter files are installed
 SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
-VARDIR=/var/lib                         #Directory where product variable data is stored.
+VARLIB=/var/lib                         #Directory where product variable data is stored.
+VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.

Shorewall-core/shorewallrc.redhat

@@ -18,4 +18,5 @@ SYSTEMD=/lib/systemd/system             #Directory where .service files are inst
 SYSCONFFILE=sysconfig                   #Name of the distributed file to be installed as $SYSCONFDIR/$PRODUCT
 SYSCONFDIR=/etc/sysconfig/              #Directory where SysV init parameter files are installed
 SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
-VARDIR=/var/lib                         #Directory where product variable data is stored.
+VARLIB=/var/lib                         #Directory where product variable data is stored.
+VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.

Shorewall-core/shorewallrc.slackware

@@ -19,4 +19,5 @@ SYSTEMD=                                   #Name of the directory where .service
 SYSCONFFILE=                               #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=                                #Name of the directory where SysV init parameter files are installed.
 ANNOTATED=                                 #If non-empty, install annotated configuration files
-VARDIR=/var/lib                            #Directory where product variable data is stored.
+VARLIB=/var/lib                            #Directory where product variable data is stored.
+VARDIR=${VARLIB}/$PRODUCT                  #Directory where product variable data is stored.

Shorewall-core/shorewallrc.suse

@@ -12,10 +12,11 @@ SBINDIR=/sbin                                         #Directory where system ad
 MANDIR=${SHAREDIR}/man/                               #Directory where manpages are installed.
 INITDIR=/etc/init.d                                   #Directory where SysV init scripts are installed.
 INITFILE=$PRODUCT                                     #Name of the product's SysV init script
-INITSOURCE=init.sh                                    #Name of the distributed file to be installed as the SysV init script
+INITSOURCE=init.suse.sh                               #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                                            #If non-zero, annotated configuration files are installed
 SYSTEMD=                                              #Directory where .service files are installed (systems running systemd only)
 SYSCONFFILE=                                          #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=/etc/sysconfig/                            #Directory where SysV init parameter files are installed
 SPARSE=                                               #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
-VARDIR=/var/lib                                       #Directory where persistent product data is stored.
+VARLIB=/var/lib                                       #Directory where persistent product data is stored.
+VARDIR=${VARLIB}/$PRODUCT                             #Directory where product variable data is stored.

Shorewall-init/ifupdown.sh

@@ -22,6 +22,21 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
+setstatedir() {
+    local statedir
+    if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
+	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
+    fi
+
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+
+    if [ ! -x $STATEDIR/firewall ]; then
+	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	    ${SBINDIR}/$PRODUCT compile
+	fi
+    fi
+}
+
 Debian_SuSE_ppp() {
     NEWPRODUCTS=
     INTERFACE="$1"
@@ -106,15 +121,11 @@ if [ -f /etc/debian_version ]; then
 	    else
 		exit 0
 	    fi
-
-	    case "$PHASE" in
-		pre-*)
-		    exit 0
-		    ;;
-	    esac
 	    ;;
     esac
 elif [ -f /etc/SuSE-release ]; then
+    PHASE=''
+
     case $0 in
 	/etc/ppp*)
 	    #
@@ -146,6 +157,8 @@ else
     #
     # Assume RedHat/Fedora/CentOS/Foobar/...
     #
+    PHASE=''
+
     case $0 in
 	/etc/ppp*)
 	    INTERFACE="$1"
@@ -186,20 +199,14 @@ else
     esac
 fi
 
+[ -n "$LOGFILE" ] || LOGFILE=/dev/null
+
 for PRODUCT in $PRODUCTS; do
-    #
+    setstatedir
-    # For backward compatibility, lib.base appends the product name to VARDIR
+
-    # Save it here and restore it below
+    if [ -x $VARLIB/$PRODUCT/firewall ]; then
-    #
+	  ( ${VARLIB}/$PRODUCT/firewall -V0 $COMMAND $INTERFACE >> $LOGFILE 2>&1 ) || true
-    save_vardir=${VARDIR}
-    if [ -x $VARDIR/$PRODUCT/firewall ]; then
-	  ( . ${SHAREDIR}/shorewall/lib.base
-	    mutex_on
-	    ${VARDIR}/firewall -V0 $COMMAND $INTERFACE || echo_notdone
-	    mutex_off
-	  )
     fi
-    VARDIR=${save_vardir}
 done
 
 exit 0

Shorewall-init/init.debian.sh

@@ -62,11 +62,29 @@ not_configured () {
 	exit 0
 }
 
+# set the STATEDIR variable
+setstatedir() {
+    local statedir
+    if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
+	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
+    fi
+
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+
+    if [ ! -x $STATEDIR/firewall ]; then
+	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	    ${SBINDIR}/$PRODUCT compile
+	fi
+    fi
+}
+
 #
 # The installer may alter this
 #
 . /usr/share/shorewall/shorewallrc
 
+vardir=$VARDIR
+
 # check if shorewall-init is configured or not
 if [ -f "$SYSCONFDIR/shorewall-init" ]
 then
@@ -81,27 +99,27 @@ fi
 
 # Initialize the firewall
 shorewall_start () {
-  local product
+  local PRODUCT
-  local VARDIR
+  local STATEDIR
 
   echo -n "Initializing \"Shorewall-based firewalls\": "
-  for product in $PRODUCTS; do
+  for PRODUCT in $PRODUCTS; do
-      VARDIR=/var/lib/$product
+      setstatedir
-      [ -f /etc/$product/vardir ] && . /etc/$product/vardir
+
-      if [ -x ${VARDIR}/firewall ]; then
+      if [ ! -x ${VARDIR}/$PRODUCT/firewall ]; then
+	  if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	      ${SBINDIR}/$PRODUCT compile
+	  fi
+      fi
+
+      if [ -x ${VARDIR}/$PRODUCT/firewall ]; then
 	  #
 	  # Run in a sub-shell to avoid name collisions
 	  #
 	  ( 
-	      . /usr/share/$product/lib.base
+	      if ! ${VARDIR}/$PRODUCT/firewall status > /dev/null 2>&1; then
-	      #
+		  ${VARDIR}/$PRODUCT/firewall stop || echo_notdone
-	      # Get mutex so the firewall state is stable
-	      #
-	      mutex_on
-	      if ! ${VARDIR}/firewall status > /dev/null 2>&1; then
-		  ${VARDIR}/firewall stop || echo_notdone
 	      fi
-	      mutex_off
 	  )
       fi
   done
@@ -113,19 +131,21 @@ shorewall_start () {
 
 # Clear the firewall
 shorewall_stop () {
-  local product
+  local PRODUCT
   local VARDIR
 
   echo -n "Clearing \"Shorewall-based firewalls\": "
-  for product in $PRODUCTS; do
+  for PRODUCT in $PRODUCTS; do
-      VARDIR=/var/lib/$product
+      setstatedir
-      [ -f /etc/$product/vardir ] && . /etc/$product/vardir
+
-      if [ -x ${VARDIR}/firewall ]; then
+      if [ ! -x ${VARDIR}/$PRODUCT/firewall ]; then
-	  ( . /usr/share/$product/lib.base
+	  if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	    mutex_on
+	      ${SBINDIR}/$PRODUCT compile
-	    ${VARDIR}/firewall clear || echo_notdone
+	  fi
-	    mutex_off
+      fi
-	  )
+
+      if [ -x ${VARDIR}/$PRODUCT/firewall ]; then
+	  ${VARDIR}/$PRODUCT/firewall clear || echo_notdone
       fi
   done
 

Shorewall-init/init.fedora.sh

@@ -14,13 +14,8 @@
 #                    prior to bringing up the network.  
 ### END INIT INFO
 #determine where the files were installed
-if [ -f ~/.shorewallrc ]; then
+
-    . ~/.shorewallrc || exit 1
+. /usr/share/shorewall/shorewallrc
-else
-    SBINDIR=/sbin
-    SYSCONFDIR=/etc/default
-    VARDIR=/var/lib
-fi
 
 prog="shorewall-init"
 logger="logger -i -t $prog"
@@ -29,6 +24,8 @@ lockfile="/var/lock/subsys/shorewall-init"
 # Source function library.
 . /etc/rc.d/init.d/functions
 
+vardir=$VARDIR
+
 # Get startup options (override default)
 OPTIONS=
 
@@ -40,9 +37,25 @@ else
     exit 6
 fi
 
+# set the STATEDIR variable
+setstatedir() {
+    local statedir
+    if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
+	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
+    fi
+
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+
+    if [ ! -x $STATEDIR/firewall ]; then
+	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	    ${SBINDIR}/$PRODUCT compile
+	fi
+    fi
+}
+
 # Initialize the firewall
 start () {
-    local product
+    local PRODUCT
     local vardir
 
     if [ -z "$PRODUCTS" ]; then
@@ -52,11 +65,19 @@ start () {
     fi
 
     echo -n "Initializing \"Shorewall-based firewalls\": "
-    for product in $PRODUCTS; do
+    for PRODUCT in $PRODUCTS; do
-	if [ -x ${VARDIR}/$product/firewall ]; then
+	setstatedir
-	    ${VARDIR}/$product/firewall stop 2>&1 | $logger
+
+	if [ ! -x ${VARDIR}/firewall ]; then
+	    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+		${SBINDIR}/$PRODUCT compile
+	    fi
+	fi
+
+	if [ -x ${VARDIR}/$PRODUCT/firewall ]; then
+	    ${VARDIR}/$PRODUCT/firewall stop 2>&1 | $logger
 	    retval=${PIPESTATUS[0]}
-	    [ retval -ne 0 ] && break
+	    [ $retval -ne 0 ] && break
 	fi
     done
 
@@ -72,15 +93,23 @@ start () {
 
 # Clear the firewall
 stop () {
-    local product
+    local PRODUCT
     local vardir
 
     echo -n "Clearing \"Shorewall-based firewalls\": "
-    for product in $PRODUCTS; do
+    for PRODUCT in $PRODUCTS; do
-	if [ -x ${VARDIR}/$product/firewall ]; then
+	setstatedir
-	    ${VARDIR}/$product/firewall clear 2>&1 | $logger
+
+	if [ ! -x ${VARDIR}/firewall ]; then
+	    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+		${SBINDIR}/$PRODUCT compile
+	    fi
+	fi
+
+	if [ -x ${VARDIR}/$PRODUCT/firewall ]; then
+	    ${VARDIR}/$PRODUCT/firewall clear 2>&1 | $logger
 	    retval=${PIPESTATUS[0]}
-	    [ retval -ne 0 ] && break
+	    [ $retval -ne 0 ] && break
 	fi
     done
 
@@ -107,19 +136,15 @@ case "$1" in
 	status_q || exit 0
 	$1
 	;;
-    restart|reload|force-reload)
+    restart|reload|force-reload|condrestart|try-restart)
 	echo "Not implemented"
 	exit 3
 	;;
-    condrestart|try-restart)
-	echo "Not implemented"
-	exit 3
-        ;;
     status)
 	status $prog
 	;;
   *)
-	echo "Usage: /etc/init.d/shorewall-init {start|stop}"
+	echo "Usage: /etc/init.d/shorewall-init {start|stop|status}"
 	exit 1
 esac
 

Shorewall-init/init.sh

@@ -58,16 +58,34 @@ fi
 #
 . /usr/share/shorewall/shorewallrc
 
+# Locate the current PRODUCT's statedir
+setstatedir() {
+    local statedir
+    if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
+	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
+    fi
+
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+
+    if [ ! -x $STATEDIR/firewall ]; then
+	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	    ${SBINDIR}/$PRODUCT compile $STATEDIR/firewall
+	fi
+    fi
+}
+
 # Initialize the firewall
 shorewall_start () {
   local PRODUCT
-  local VARDIR
+  local STATEDIR
 
   echo -n "Initializing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
-      if [ -x ${VARDIR}/firewall ]; then
+      setstatedir
+
+      if [ -x ${STATEDIR}/firewall ]; then
 	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
-	      ${VARDIR}/firewall stop || echo_notdone
+	      ${STATEDIR}/firewall stop || echo_notdone
 	  fi
       fi
   done
@@ -86,6 +104,14 @@ shorewall_stop () {
 
   echo -n "Clearing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
+      setstatedir
+
+      if [ ! -x ${VARDIR}/firewall ]; then
+	  if [ $PRODUCT = shorewall -o $product = shorewall6 ]; then
+	      ${SBINDIR}/$PRODUCT compile
+	  fi
+      fi
+
       if [ -x ${VARDIR}/firewall ]; then
 	  ${VARDIR}/firewall clear || exit 1
       fi

Shorewall-init/init.suse.sh

@@ -0,0 +1,135 @@
+#! /bin/bash
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2010,2012 - Tom Eastep (teastep@shorewall.net)
+#
+#       On most distributions, this file should be called /etc/init.d/shorewall.
+#
+#       Complete documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#
+### BEGIN INIT INFO
+# Provides: shorewall-init
+# Required-Start: $local_fs
+# Required-Stop:  $local_fs
+# Default-Start:  2 3 5
+# Default-Stop:   0 1 6
+# Short-Description: Initialize the firewall at boot time
+# Description:       Place the firewall in a safe state at boot time
+#                    prior to bringing up the network.  
+### END INIT INFO
+
+if [ "$(id -u)" != "0" ]
+then
+  echo "You must be root to start, stop or restart \"Shorewall \"."
+  exit 1
+fi
+
+# check if shorewall-init is configured or not
+if [ -f "/etc/sysconfig/shorewall-init" ]
+then
+	. /etc/sysconfig/shorewall-init
+	if [ -z "$PRODUCTS" ]
+	then
+		exit 0
+	fi
+else
+	exit 0
+fi
+
+#
+# The installer may alter this
+#
+. /usr/share/shorewall/shorewallrc
+
+# set the STATEDIR variable
+setstatedir() {
+    local statedir
+    if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
+	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
+    fi
+
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+
+    if [ ! -x $STATEDIR/firewall ]; then
+	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	    ${SBINDIR}/$PRODUCT compile
+	fi
+    fi
+}
+
+# Initialize the firewall
+shorewall_start () {
+  local PRODUCT
+  local STATEDIR
+
+  echo -n "Initializing \"Shorewall-based firewalls\": "
+  for PRODUCT in $PRODUCTS; do
+      setstatedir
+
+      if [ -x $STATEDIR/firewall ]; then
+	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
+	      $STATEDIR/$PRODUCT/firewall stop || echo_notdone
+	  fi
+      fi
+  done
+
+  if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
+      ipset -R < "$SAVE_IPSETS"
+  fi
+
+  return 0
+}
+
+# Clear the firewall
+shorewall_stop () {
+  local PRODUCT
+  local STATEDIR
+
+  echo -n "Clearing \"Shorewall-based firewalls\": "
+  for PRODUCT in $PRODUCTS; do
+      setstatedir
+
+      if [ -x ${STATEDIR}/firewall ]; then
+	  ${STATEDIR}/firewall clear || exit 1
+      fi
+  done
+
+  if [ -n "$SAVE_IPSETS" ]; then
+      mkdir -p $(dirname "$SAVE_IPSETS")
+      if ipset -S > "${SAVE_IPSETS}.tmp"; then
+	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+      fi
+  fi
+
+  return 0
+}
+
+case "$1" in
+  start)
+     shorewall_start
+     ;;
+  stop)
+     shorewall_stop
+     ;;
+  *)
+     echo "Usage: /etc/init.d/shorewall-init {start|stop}"
+     exit 1
+esac
+
+exit 0

Shorewall-init/install.sh

@@ -160,7 +160,14 @@ else
     usage 1
 fi
 
-for var in SHAREDIR LIBEXECDIR CONFDIR SBINDIR VARDIR; do
+if [ -z "${VARLIB}" ]; then
+    VARLIB=${VARDIR}
+    VARDIR=${VARLIB}/${PRODUCT}
+elif [ -z "${VARDIR}" ]; then
+    VARDIR=${VARLIB}/${PRODUCT}
+fi
+
+for var in SHAREDIR LIBEXECDIR CONFDIR SBINDIR VARLIB VARDIR; do
     require $var
 done
 
@@ -260,6 +267,11 @@ else
     first_install="Yes"
 fi
 
+if [ -n "$DESTDIR" ]; then
+    mkdir -p ${DESTDIR}${CONFDIR}/logrotate.d
+    chmod 755 ${DESTDIR}${CONFDIR}/logrotate.d
+fi
+
 #
 # Install the Firewall Script
 #
@@ -280,6 +292,7 @@ fi
 if [ -n "$SYSTEMD" ]; then
     mkdir -p ${DESTDIR}${SYSTEMD}
     run_install $OWNERSHIP -m 600 shorewall-init.service ${DESTDIR}${SYSTEMD}/shorewall-init.service
+    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/shorewall-init.service
     echo "Service file installed as ${DESTDIR}${SYSTEMD}/shorewall-init.service"
     if [ -n "$DESTDIR" ]; then
 	mkdir -p ${DESTDIR}${SBINDIR}
@@ -292,27 +305,35 @@ fi
 #
 # Create /usr/share/shorewall-init if needed
 #
-mkdir -p ${DESTDIR}/usr/share/shorewall-init
+mkdir -p ${DESTDIR}${SHAREDIR}/shorewall-init
-chmod 755 ${DESTDIR}/usr/share/shorewall-init
+chmod 755 ${DESTDIR}${SHAREDIR}/shorewall-init
+
+#
+# Install logrotate file
+#
+if [ -d ${DESTDIR}${CONFDIR}/logrotate.d ]; then
+    run_install $OWNERSHIP -m 0644 logrotate ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT
+    echo "Logrotate file installed as ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT"
+fi
 
 #
 # Create the version file
 #
-echo "$VERSION" > ${DESTDIR}/usr/share/shorewall-init/version
+echo "$VERSION" > ${DESTDIR}/${SHAREDIR}/shorewall-init/version
-chmod 644 ${DESTDIR}/usr/share/shorewall-init/version
+chmod 644 ${DESTDIR}${SHAREDIR}/shorewall-init/version
 
 #
 # Remove and create the symbolic link to the init script
 #
 if [ -z "$DESTDIR" ]; then
-    rm -f /usr/share/shorewall-init/init
+    rm -f ${SHAREDIR}/shorewall-init/init
     ln -s ${INITDIR}/${INITFILE} ${SHAREDIR}/shorewall-init/init
 fi
 
 if [ $HOST = debian ]; then
     if [ -n "${DESTDIR}" ]; then
 	mkdir -p ${DESTDIR}/etc/network/if-up.d/
-	mkdir -p ${DESTDIR}/etc/network/if-post-down.d/
+	mkdir -p ${DESTDIR}/etc/network/if-down.d/
     fi
 
     if [ ! -f ${DESTDIR}/etc/default/shorewall-init ]; then
@@ -347,7 +368,7 @@ fi
 
 cp ifupdown.sh ifupdown
 
-d[ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ifupdown
+[ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ifupdown
 
 mkdir -p ${DESTDIR}${LIBEXECDIR}/shorewall-init
 
@@ -360,6 +381,7 @@ fi
 case $HOST in
     debian)
 	install_file ifupdown ${DESTDIR}/etc/network/if-up.d/shorewall 0544
+	install_file ifupdown ${DESTDIR}/etc/network/if-down.d/shorewall 0544
 	install_file ifupdown ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544
 	;;
     suse)
@@ -382,12 +404,12 @@ if [ -z "$DESTDIR" ]; then
     if [ -n "$first_install" ]; then
 	if [ $HOST = debian ]; then
 	    
-	    update-rc.d shorewall-init defaults
+	    update-rc.d shorewall-init enable
 
 	    echo "Shorewall Init will start automatically at boot"
 	else
 	    if [ -n "$SYSTEMD" ]; then
-		if systemctl enable shorewall-init; then
+		if systemctl enable shorewall-init.service; then
 		    echo "Shorewall Init will start automatically at boot"
 		fi
 	    elif [ -x ${SBINDIR}/insserv -o -x /usr${SBINDIR}/insserv ]; then

Shorewall-init/logrotate

@@ -0,0 +1,5 @@
+/var/log/shorewall-ifupdown.log {
+  missingok
+  notifempty
+  create 0600 root root
+}

Shorewall-init/shorewall-init.service

@@ -13,8 +13,8 @@ Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall-init
 StandardOutput=syslog
-ExecStart=/sbin/shorewall-init $OPTIONS start
+ExecStart=/shorewall-init $OPTIONS start
-ExecStop=/sbin/shorewall-init $OPTIONS stop
+ExecStop=/shorewall-init $OPTIONS stop
 
 [Install]
 WantedBy=multi-user.target

Shorewall-init/sysconfig

@@ -16,3 +16,8 @@ IFUPDOWN=0
 # during 'start' and will save them there during 'stop'.
 #
 SAVE_IPSETS=""
+#
+# Where Up/Down events get logged
+#
+LOGFILE=/var/log/shorewall-ifupdown.log
+

Shorewall-lite/init.archlinux.sh

@@ -1,58 +0,0 @@
-#!/bin/bash
-
-OPTIONS="-f"
-
-if [ -f /etc/sysconfig/shorewall ] ; then
-	. /etc/sysconfig/shorewall
-elif [ -f /etc/default/shorewall ] ; then
-	. /etc/default/shorewall
-fi
-
-# if you want to override options, do so in /etc/sysconfig/shorewall or
-# in /etc/default/shorewall --
-# i strongly encourage you use the latter, since /etc/sysconfig/ does not exist.
-
-. /etc/rc.conf
-. /etc/rc.d/functions
-
-DAEMON_NAME="shorewall" # of course shorewall is NOT a deamon.
-
-case "$1" in
-	start)
-		stat_busy "Starting $DAEMON_NAME"
-		/sbin/shorewall-lite $OPTIONS start &>/dev/null
-		if [ $? -gt 0 ]; then
-			stat_fail
-		else
-			add_daemon $DAEMON_NAME
-			stat_done
-		fi
-		;;
-
-
-	stop)
-		stat_busy "Stopping $DAEMON_NAME"
-		/sbin/shorewall-lite stop &>/dev/null
-		if [ $? -gt 0 ]; then
-			stat_fail
-		else
-			rm_daemon $DAEMON_NAME
-			stat_done
-		fi
-		;;
-
-	restart|reload)
-		stat_busy "Restarting $DAEMON_NAME"
-		/sbin/shorewall-lite restart &>/dev/null
-		if [ $? -gt 0  ]; then
-			stat_fail
-		else
-			stat_done
-		fi
-		;;
-
-	*)
-		echo "usage: $0 {start|stop|restart}"
-esac
-exit 0
-

Shorewall-lite/init.suse.sh

@@ -0,0 +1,92 @@
+#!/bin/sh
+#
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2012 - Tom Eastep (teastep@shorewall.net)
+#
+#	On most distributions, this file should be called /etc/init.d/shorewall.
+#
+#	Complete documentation is available at http://shorewall.net
+#
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of Version 2 of the GNU General Public License
+#	as published by the Free Software Foundation.
+#
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, write to the Free Software
+#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#	If an error occurs while starting or restarting the firewall, the
+#	firewall is automatically stopped.
+#
+#	Commands are:
+#
+#	   shorewall start			  Starts the firewall
+#	   shorewall restart			  Restarts the firewall
+#	   shorewall reload			  Reload the firewall
+#						  (same as restart)
+#	   shorewall stop			  Stops the firewall
+#	   shorewall status			  Displays firewall status
+#
+
+
+### BEGIN INIT INFO
+# Provides:	  shorewall-lite
+# Required-Start: $network $remote_fs
+# Required-Stop:  
+# Default-Start:  2 3 5
+# Default-Stop:	  0 1 6
+# Description:	  starts and stops the shorewall firewall
+# Short-Description: Packet filtering firewall
+### END INIT INFO
+
+################################################################################
+# Give Usage Information						       #
+################################################################################
+usage() {
+    echo "Usage: $0 start|stop|reload|restart|status"
+    exit 1
+}
+
+################################################################################
+# Get startup options (override default)
+################################################################################
+OPTIONS=
+
+#
+# The installer may alter this
+#
+. /usr/share/shorewall/shorewallrc
+
+if [ -f ${SYSCONFDIR}/shorewall-lite ]; then
+    . ${SYSCONFDIR}/shorewall-lite
+fi
+
+SHOREWALL_INIT_SCRIPT=1
+
+################################################################################
+# E X E C U T I O N    B E G I N S   H E R E				       #
+################################################################################
+command="$1"
+
+case "$command" in
+    start)
+	exec ${SBINDIR}/shorewall-lite $OPTIONS start $STARTOPTIONS
+	;;
+    restart|reload)
+	exec ${SBINDIR}/shorewall-lite $OPTIONS restart $RESTARTOPTIONS
+	;;
+    status|stop)
+	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $@
+	;;
+    *)
+	usage
+	;;
+esac

Shorewall-lite/install.sh

@@ -171,7 +171,14 @@ else
     usage 1
 fi
 
-for var in SHAREDIR LIBEXECDIRDIRDIR CONFDIR SBINDIR VARDIR; do
+if [ -z "${VARLIB}" ]; then
+    VARLIB=${VARDIR}
+    VARDIR=${VARLIB}/${PRODUCT}
+elif [ -z "${VARDIR}" ]; then
+    VARDIR=${VARLIB}/${PRODUCT}
+fi
+
+for var in SHAREDIR LIBEXECDIRDIRDIR CONFDIR SBINDIR VARLIB VARDIR; do
     require $var
 done
 
@@ -182,7 +189,6 @@ PATH=${SBINDIR}:/bin:/usr${SBINDIR}:/usr/bin:/usr/local/bin:/usr/local${SBINDIR}
 #
 cygwin=
 INSTALLD='-D'
-INITFILE=$PRODUCT
 T='-T'
 
 if [ -z "$BUILD" ]; then
@@ -253,7 +259,10 @@ case "$HOST" in
     archlinux)
 	echo "Installing ArchLinux-specific configuration..."
 	;;
-    linux|suse)
+    suse)
+	echo "Installing Suse-specific configuration..."
+	;;
+    linux)
 	;;
     *)
 	echo "ERROR: Unknown HOST \"$HOST\"" >&2
@@ -271,21 +280,11 @@ if [ -n "$DESTDIR" ]; then
 
     install -d $OWNERSHIP -m 755 ${DESTDIR}/${SBINDIR}
     install -d $OWNERSHIP -m 755 ${DESTDIR}${INITDIR}
-
-    if [ -n "$SYSTEMD" ]; then
-	mkdir -p ${DESTDIR}/lib/systemd/system
-	INITFILE=
-    fi
 else
     if [ ! -f /usr/share/shorewall/coreversion ]; then
 	echo "$PRODUCT $VERSION requires Shorewall Core which does not appear to be installed" >&2
 	exit 1
     fi
-
-    if [ -f /lib/systemd/system ]; then
-	SYSTEMD=Yes
-	INITFILE=
-    fi
 fi
 
 echo "Installing $Product Version $VERSION"
@@ -303,8 +302,8 @@ if [ -z "$DESTDIR" -a -d ${CONFDIR}/$PRODUCT ]; then
 	mv -f ${CONFDIR}/$PRODUCT/shorewall.conf ${CONFDIR}/$PRODUCT/$PRODUCT.conf
 else
     rm -rf ${DESTDIR}${CONFDIR}/$PRODUCT
-    rm -rf ${DESTDIR}/usr/share/$PRODUCT
+    rm -rf ${DESTDIR}${SHAREDIR}/$PRODUCT
-    rm -rf ${DESTDIR}/var/lib/$PRODUCT
+    rm -rf ${DESTDIR}${VARDIR}
     [ "$LIBEXECDIR" = /usr/share ] || rm -rf ${DESTDIR}/usr/share/$PRODUCT/wait4ifup ${DESTDIR}/usr/share/$PRODUCT/shorecap
 fi
 
@@ -327,9 +326,9 @@ echo "$Product control program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"
 # Create ${CONFDIR}/$PRODUCT, /usr/share/$PRODUCT and /var/lib/$PRODUCT if needed
 #
 mkdir -p ${DESTDIR}${CONFDIR}/$PRODUCT
-mkdir -p ${DESTDIR}/usr/share/$PRODUCT
+mkdir -p ${DESTDIR}${SHAREDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT
-mkdir -p ${DESTDIR}/var/lib/$PRODUCT
+mkdir -p ${DESTDIR}${VARDIR}
 
 chmod 755 ${DESTDIR}${CONFDIR}/$PRODUCT
 chmod 755 ${DESTDIR}/usr/share/$PRODUCT
@@ -354,7 +353,9 @@ fi
 # Install the .service file
 #
 if [ -n "$SYSTEMD" ]; then
+    mkdir -p ${DESTDIR}${SYSTEMD}
     run_install $OWNERSHIP -m 600 $PRODUCT.service ${DESTDIR}/${SYSTEMD}/$PRODUCT.service
+    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/$PRODUCT.service
     echo "Service file installed as ${DESTDIR}/lib/systemd/system/$PRODUCT.service"
 fi
 
@@ -403,6 +404,7 @@ echo "Common functions linked through ${DESTDIR}${SHAREDIR}/$PRODUCT/functions"
 #
 
 install_file shorecap ${DESTDIR}${LIBEXECDIR}/$PRODUCT/shorecap 0755
+[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${LIBEXECDIR}/$PRODUCT/shorecap
 
 echo
 echo "Capability file builder installed in ${DESTDIR}${LIBEXECDIR}/$PRODUCT/shorecap"
@@ -498,7 +500,7 @@ if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
 	perl -p -w -i -e 's/^STARTUP_ENABLED=No/STARTUP_ENABLED=Yes/;s/^IP_FORWARDING=On/IP_FORWARDING=Keep/;s/^SUBSYSLOCK=.*/SUBSYSLOCK=/;' ${CONFDIR}/${PRODUCT}/${PRODUCT}.conf
 	update-rc.d $PRODUCT enable defaults
     elif [ -n "$SYSTEMD" ]; then
-	if systemctl enable $PRODUCT; then
+	if systemctl enable ${PRODUCT}.service; then
 	    echo "$Product will start automatically at boot"
 	fi
     elif mywhich insserv; then

Shorewall-lite/manpages/shorewall-lite.xml

@@ -337,6 +337,8 @@
 
       <arg choice="plain"><option>show</option></arg>
 
+      <arg><option>-b</option></arg>
+
       <arg><option>-x</option></arg>
 
       <arg><option>-l</option></arg>
@@ -841,6 +843,12 @@
                 Netfilter table to display. The default is <emphasis
                 role="bold">filter</emphasis>.</para>
 
+                <para>The <emphasis role="bold">-b</emphasis> ('brief') option
+                causes rules which have not been used (i.e. which have zero
+                packet and byte counts) to be omitted from the output. Chains
+                with no rules displayed are also omitted from the
+                output.</para>
+
                 <para>The <emphasis role="bold">-l</emphasis> option causes
                 the rule number for each Netfilter rule to be
                 displayed.</para>

Shorewall-lite/shorecap

@@ -45,17 +45,19 @@
 #    used during firewall compilation, then the generated firewall program will likewise not
 #    require Shorewall to be installed.
 
-SHAREDIR=/usr/share/shorewall-lite
-VARDIR=/var/lib/shorewall-lite
-CONFDIR=/etc/shorewall-lite
-g_program=shorewall-lite
-g_product="Shorewall Lite"
-g_family=4
-g_base=shorewall
-g_basedir=/usr/share/shorewall-lite
 
-. /usr/share/shorewall-lite/lib.base
+g_program=shorewall-lite
-. /usr/share/shorewall/lib.cli
+
+#
+# This is modified by the installer when ${SHAREDIR} != /usr/share
+#
+. /usr/share/shorewall/shorewallrc
+
+g_sharedir="$SHAREDIR"/shorewall-lite
+g_confdir="$CONFDIR"/shorewall-lite
+g_readrc=1
+
+. ${SHAREDIR}/shorewall/lib.cli
 . /usr/share/shorewall-lite/configpath
 
 [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

Shorewall-lite/shorewall-lite

@@ -25,17 +25,15 @@
 #       For a list of supported commands, type 'shorewall help' or 'shorewall6 help'
 #
 ################################################################################################
-g_program=shorewall-lite
+PRODUCT=shorewall-lite
 
 #
 # This is modified by the installer when ${SHAREDIR} != /usr/share
 #
 . /usr/share/shorewall/shorewallrc
 
-g_libexec="$LIBEXECDIR"
+g_program=$PRODUCT
 g_sharedir="$SHAREDIR"/shorewall-lite
-g_sbindir="$SBINDIR"
-g_vardir="$VARDIR"
 g_confdir="$CONFDIR"/shorewall-lite
 g_readrc=1
 

Shorewall/Macros/macro.A_AllowICMPs

@@ -9,7 +9,7 @@
 #ACTION		SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #					PORT(S)	PORT(S)	LIMIT	GROUP
 
-COMMENT Needed ICMP types
+?COMMENT Needed ICMP types
 
 A_ACCEPT       -	-	icmp	fragmentation-needed
 A_ACCEPT       -	-	icmp	time-exceeded

Shorewall/Macros/macro.A_DropDNSrep

@@ -9,6 +9,6 @@
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 
-COMMENT Late DNS Replies
+?COMMENT Late DNS Replies
 
 A_DROP	-	-	udp	-	53

Shorewall/Macros/macro.A_DropUPnP

@@ -9,6 +9,6 @@
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 
-COMMENT UPnP
+?COMMENT UPnP
 
 A_DROP	-	-	udp	1900

Shorewall/Macros/macro.ActiveDir

@@ -0,0 +1,40 @@
+#
+# Shorewall version 4 - Samba 4 Macro
+#
+# /usr/share/shorewall/macro.ActiveDir
+#
+#       This macro handles ports for Samba 4 Active Directory Service
+#
+# You can comment out the ports you do not want open
+#
+# 
+###############################################################################
+#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  RATE    USER/
+#                               PORT(S) PORT(S) LIMIT   GROUP
+PARAM   -       -       tcp     389 	#LDAP services
+PARAM   -       -       udp	389  
+PARAM   -       -       tcp     636	#LDAP SSL
+PARAM   -       -       tcp     3268	#LDAP GC
+PARAM   -       -       tcp     3269	#LDAP GC SSL
+PARAM   -       -       tcp     88	#Kerberos
+PARAM   -       -       udp	88
+
+# Use macro.DNS for DNS sevice
+
+PARAM   -       -       tcp     445	#Replication, User and Computer Authentication, Group Policy, Trusts
+PARAM   -       -       udp	445
+
+# Use macro.SMTP for Mail service
+
+PARAM   -       -       tcp     135	#RPC, EPM
+PARAM   -       -       tcp     5722	#RPC, DFSR (SYSVOL)
+PARAM   -       -       udp	123	#Windows Time
+PARAM   -       -       tcp     464	#Kerberosb change/set password
+PARAM   -       -       udp	464
+PARAM   -       -       udp	138	#DFS, Group Policy
+PARAM   -       -       tcp     9389	#SOAP
+PARAM   -       -       tcp     2535	#MADCAP
+PARAM   -       -       udp	2535
+PARAM   -       -       udp     137	#NetLogon, NetBIOS Name Resolution
+PARAM   -       -       tcp	139	#DFSN, NetBIOS Session Service, NetLogon    
+  

Shorewall/Macros/macro.AllowICMPs

@@ -9,7 +9,7 @@
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 
-COMMENT Needed ICMP types
+?COMMENT Needed ICMP types
 
 DEFAULT ACCEPT
 PARAM	-	-	icmp	fragmentation-needed

Shorewall/Macros/macro.Amanda

@@ -8,9 +8,16 @@
 #	files from those nodes.
 #
 ###############################################################################
+?FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	udp	10080
+
+?if ( __CT_TARGET && ! $AUTOHELPERS && __AMANDA_HELPER )
+ PARAM	-	-	udp	10080 ; helper=amanda
+?else
+ PARAM	-	-	udp	10080
+?endif
+
 PARAM	-	-	tcp	10080
 #
 # You may also need this rule.  With AMANDA 2.4.4 on Linux kernel 2.6,

Shorewall/Macros/macro.BLACKLIST

@@ -8,8 +8,8 @@
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
-?IF $BLACKLIST_LOGLEVEL
+?if $BLACKLIST_LOGLEVEL
 blacklog
-?ELSE
+?else
 $BLACKLIST_DISPOSITION
-?ENDIF
+?endif

Shorewall/Macros/macro.DropDNSrep

@@ -9,7 +9,7 @@
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 
-COMMENT Late DNS Replies
+?COMMENT Late DNS Replies
 
 DEFAULT DROP
 PARAM	-	-	udp	-	53

Shorewall/Macros/macro.DropUPnP

@@ -9,7 +9,7 @@
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 
-COMMENT UPnP
+?COMMENT UPnP
 
 DEFAULT DROP
 PARAM	-	-	udp	1900

Shorewall/Macros/macro.FTP

@@ -6,6 +6,11 @@
 #	This macro handles FTP traffic.
 #
 ###############################################################################
+?FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	tcp	21
+?if ( __CT_TARGET && ! $AUTOHELPERS && __FTP_HELPER  )
+ PARAM	-	-	tcp	21 ; helper=ftp
+?else
+ PARAM	-	-	tcp	21
+?endif

Shorewall/Macros/macro.IRC

@@ -6,6 +6,12 @@
 #	This macro handles IRC traffic (Internet Relay Chat).
 #
 ###############################################################################
+?FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	tcp	6667
+
+?if ( __CT_TARGET && ! $AUTOHELPERS && __IRC_HELPER  )
+ PARAM	-	-	tcp	6667 ; helper=irc
+?else
+ PARAM	-	-	tcp	6667
+?endif

Shorewall/Macros/macro.PPtP

@@ -6,8 +6,14 @@
 #	This macro handles PPTP traffic.
 #
 ###############################################################################
+?FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 PARAM	-	-	47
 PARAM	DEST	SOURCE	47
-PARAM	-	-	tcp	1723
+
+?if ( __CT_TARGET && ! $AUTOHELPERS && __PPTP_HELPER )
+ PARAM	-	-	tcp	1723 ; helper=pptp
+?else
+ PARAM	-	-	tcp	1723
+?endif

Shorewall/Macros/macro.Puppet

@@ -0,0 +1,12 @@
+#
+# Shorewall version 4 - Puppet Macro
+#
+# /usr/share/shorewall/macro.Puppet
+#
+#	This macro handles client-to-server for the Puppet configuration
+#	management system.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S)	PORT(S)	LIMIT	GROUP
+PARAM	-	-	tcp	8140

Shorewall/Macros/macro.Rfc1918

@@ -7,7 +7,7 @@
 #############################################################################################
 #ACTION		SOURCE		DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
 #						PORT(S)	PORT(S)	DEST		LIMIT	GROUP
-FORMAT 2
+?FORMAT 2
 PARAM		SOURCE:10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 \
 				DEST	-	-	-	-	-	-
 PARAM		SOURCE		DEST	-	-	-	10.0.0.0/8,172.16.0.0/12,192.168.0.0/16

Shorewall/Macros/macro.SANE

@@ -6,9 +6,16 @@
 #	This macro handles SANE network scanning.
 #
 ###############################################################################
+?FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	tcp	6566
+
+?if ( __CT_TARGET && ! $AUTOHELPERS && __SANE_HELPER )
+ PARAM	-	-	tcp	6566 ; helper=sane
+?else
+ PARAM	-	-	tcp	6566
+?endif
+
 #
 # Kernels 2.6.23+ has nf_conntrack_sane module which will handle
 # sane data connection.

Shorewall/Macros/macro.SIP

@@ -0,0 +1,17 @@
+#
+# Shorewall version 4 - SIP Macro
+#
+# /usr/share/shorewall/macro.SIP
+#
+#	This macro handles SIP traffic.
+#
+###############################################################################
+?FORMAT 2
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S)	PORT(S)	LIMIT	GROUP
+
+?if ( __CT_TARGET && ! $AUTOHELPERS && __SIP_HELPER  )
+ PARAM	-	-	udp	5060 ; helper=sip
+?else
+ PARAM	-	-	udp	5060
+?endif

Shorewall/Macros/macro.SMB

@@ -10,9 +10,17 @@
 #	between hosts you fully trust.
 #
 ###############################################################################
+?FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 PARAM	-	-	udp	135,445
-PARAM	-	-	udp	137:139
+
+?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
+ PARAM	-	-	udp	137 ; helper=netbios-ns
+ PARAM	-	-	udp	138:139
+?else
+ PARAM	-	-	udp	137:139
+?endif
+
 PARAM	-	-	udp	1024:	137
 PARAM	-	-	tcp	135,139,445

Shorewall/Macros/macro.SMBBI

@@ -10,13 +10,28 @@
 #	allow SMB traffic between hosts you fully trust.
 #
 ###############################################################################
+?FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 PARAM	-	-	udp	135,445
-PARAM	-	-	udp	137:139
+
+?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
+ PARAM	-	-	udp	137 ; helper=netbios-ns
+ PARAM	-	-	udp	138:139
+?else
+ PARAM	-	-	udp	137:139
+?endif
+
 PARAM	-	-	udp	1024:	137
 PARAM	-	-	tcp	135,139,445
 PARAM	DEST	SOURCE	udp	135,445
-PARAM	DEST	SOURCE	udp	137:139
+
+?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
+ PARAM	DEST	SOURCE	udp	137 ; helper=netbios-ns
+ PARAM	DEST	SOURCE	udp	138:139
+?else
+ PARAM	DEST	SOURCE	udp	137:139
+?endif
+
 PARAM	DEST	SOURCE	udp	1024:	137
 PARAM	DEST	SOURCE	tcp	135,139,445

Shorewall/Macros/macro.SNMP

@@ -3,10 +3,17 @@
 #
 # /usr/share/shorewall/macro.SNMP
 #
-#	This macro handles SNMP traffic (including traps).
+#	This macro handles SNMP traffic.
+#
+#       Note: To allow SNMP Traps, use the SNMPTrap macro
 #
 ###############################################################################
+?FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	udp	161:162
+
-PARAM	-	-	tcp	161
+?if ( __CT_TARGET && ! $AUTOHELPERS && __SNMP_HELPER )
+ PARAM	-	-  	udp     161 ; helper=snmp
+?else
+ PARAM	-	-	udp	161
+?endif

Shorewall/Macros/macro.SNMPTrap

@@ -0,0 +1,12 @@
+#
+# Shorewall version 4 - SNMP Trap Macro
+#
+# /usr/share/shorewall/macro.SNMP
+#
+#	This macro handles SNMP traps.
+#
+###############################################################################
+?FORMAT 2
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S)	PORT(S)	LIMIT	GROUP
+PARAM	-	-	udp	162

Shorewall/Macros/macro.TFTP

@@ -8,6 +8,12 @@
 #	Internet.
 #
 ###############################################################################
+?FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	udp	69
+
+?if ( __CT_TARGET && ! $AUTOHELPERS && __TFTP_HELPER )
+ PARAM	-	-	udp	69 ; helper=tftp
+?else
+ PARAM	-	-	udp	69
+?endif

Shorewall/Macros/macro.Teredo

@@ -0,0 +1,11 @@
+#
+# Shorewall version 4 - Teredo Macro
+#
+# /usr/share/shorewall/macro.Teredo
+#
+#	This macro handles Teredo IPv6 over UDP tunneling traffic
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S)	PORT(S)	LIMIT	GROUP
+PARAM	-	-	udp	3544

Shorewall/Macros/macro.mDNS

@@ -1,9 +1,11 @@
 #
-# Shorewall version 4 - Multicast DNS Macro
+# Shorewall version 4 - Multicast DNS Macro -- this macro assumes that only
+#                       the DEST zone sends mDNS queries. If both zones send
+#                       queries, use the mDNSbi macro.
 #
 # /usr/share/shorewall/macro.mDNS
 #
-#	This macro handles multicast DNS traffic.
+#	This macro handles multicast DNS traffic
 #
 ###############################################################################
 #ACTION	SOURCE	DEST			PROTO	DEST	SOURCE	RATE	USER/

Shorewall/Macros/macro.mDNSbi

@@ -0,0 +1,16 @@
+#
+# Shorewall version 4 - Bi-directional Multicast DNS Macro.
+#
+# /usr/share/shorewall/macro.mDNSbi
+#
+#	This macro handles multicast DNS traffic
+#
+###############################################################################
+#ACTION	SOURCE	DEST			PROTO	DEST	SOURCE	RATE	USER/
+#						PORT(S)	PORT(S)	LIMIT	GROUP
+PARAM	-	224.0.0.251		udp	5353
+PARAM	-	-			udp	32768:	5353
+PARAM	-	224.0.0.251		2
+PARAM	DEST	SOURCE:224.0.0.251	udp	5353
+PARAM	DEST	SOURCE			udp	32768:	5353
+PARAM	DEST	SOURCE:224.0.0.251	2

Shorewall/Macros/macro.template

@@ -71,9 +71,17 @@
 #	Remaining		Any value in the rules file REPLACES the value
 #	columns			given in the macro file.
 #
+# Multiple parameters may be passed to a macro. Within this file, $1 refers to the first parameter,
+# $2 to the second an so on. $1 is a synonym for PARAM but may be used anywhere in the file whereas
+# PARAM may only be used in the ACTION column.
+#
+# You can specify default values for parameters by using DEFAULT or DEFAULTS entry:
+#
+#      DEFAULTS  <default for $1>,<default for $2>,...
+#
 #######################################################################################################
 #                                         DO NOT REMOVE THE FOLLOWING LINE
-FORMAT 2
+?FORMAT 2
-####################################################################################################################################################################
+#################################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH        HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP

Shorewall/Perl/Shorewall/ARP.pm

@@ -0,0 +1,314 @@
+#
+# Shorewall 4.5 -- /usr/share/shorewall/Shorewall/ARP.pm
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2013 - Tom Eastep (teastep@shorewall.net)
+#
+#       Complete documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#  This file is responsible for Shorewall's arptables support
+#
+package Shorewall::ARP;
+require Exporter;
+
+use Shorewall::Config qw(:DEFAULT :internal);
+use Shorewall::Zones;
+use Shorewall::IPAddrs;
+use strict;
+
+our @ISA = qw(Exporter);
+our @EXPORT = ( qw( process_arprules create_arptables_load preview_arptables_load ) );
+
+our %arp_table;
+our $arp_input;
+our $arp_output;
+our $arp_forward;
+our $sourcemac;
+our $destmac;
+our $addrlen;
+our $hw;
+our @builtins;
+our $arptablesjf;
+our @map = ( qw( 0 Request Reply Request_Reverse Reply_Reverse DRARP_Request DRARP_Reply DRARP_Error InARP_Request ARP_NAK ) );
+
+
+#
+# Handles the network and mac parts of the SOURCE ($source == 1 ) and DEST ($source == 0) columns in the arprules file.
+# Returns any match(es) specified.
+#
+sub match_arp_net( $$$ ) {
+    my ( $net, $mac, $source ) = @_;
+
+    my $return = '';
+
+    if ( supplied $net ) {
+	my $invert = ( $net =~ s/^!// ) ? '! ' : '';
+	validate_net $net, 0;
+	$return = $source ? "-s ${invert}$net " : "-d ${invert}$net ";
+    }
+
+    if ( supplied $mac ) {
+	my ( $addr , $mask ) = split( '/', $mac, 2 );
+
+	my $invert = ( $addr =~ s/^!// ) ? '! ' : '';
+
+	fatal_error "Invalid MAC address ($addr)" unless $addr =~ /^(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$/;
+	if ( supplied $mask ) {
+	    fatal_error "Invalid MAC Mask ($mask)" unless $mask =~ /^(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$/;
+	    $return .= $source ? "$sourcemac $invert$addr/$mask " : "$destmac $invert$addr/mask ";
+	} else {
+	    $return .= $source ? "$sourcemac $invert$addr " : "$destmac $invert$addr ";
+	}
+    }
+
+    $return;
+}
+
+#
+# Process a rule in the arprules file
+#
+sub process_arprule() {
+    my ( $originalaction, $source, $dest, $opcode ) = split_line( 'arprules file entry', {action => 0, source => 1, dest => 2, opcode => 3 } );
+
+    my $chainref;
+    my $iifaceref;
+    my $iiface;
+    my $difaceref;
+    my $diface;
+    my $saddr;
+    my $smac;
+    my $daddr;
+    my $dmac;
+    my $rule = '';
+
+    fatal_error "ACTION must be specified" if $originalaction eq '-';
+
+    my ( $action, $newaddr ) = split( ':', $originalaction, 2 );
+
+    my %functions = ( DROP   => sub() { $rule .= "-j DROP" },
+		      ACCEPT => sub() { $rule .= "-j ACCEPT" },
+		      SNAT   => sub() { validate_address $newaddr, 0;
+					$rule .= "-j mangle --mangle-ip-s $newaddr"; },
+		      DNAT   => sub() { validate_address $newaddr, 0;
+					$rule .= "-j mangle --mangle-ip-d $newaddr"; },
+		      SMAT   => sub() { fatal_error "Invalid MAC address ($newaddr)" unless $newaddr =~ /^(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$/;
+					$rule .= "$addrlen 6 -j mangle --mangle-$hw-s $newaddr"; },
+		      DMAT   => sub() { fatal_error "Invalid MAC address ($newaddr)" unless $newaddr =~ /^(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$/;
+					$rule .= "$addrlen 6 -j mangle --mangle-$hw-d $newaddr"; },
+		      SNATC  => sub() { validate_address $newaddr, 0;
+					$rule .= "-j mangle --mangle-ip-s $newaddr --mangle-target CONTINUE"; },
+		      DNATC  => sub() { validate_address $newaddr, 0;
+					$rule .= "-j mangle --mangle-ip-d $newaddr --mangle-target CONTINUE"; },
+		      SMATC  => sub() { fatal_error "Invalid MAC address ($newaddr)" unless $newaddr =~ /^(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$/;
+					$rule .= "$addrlen 6 -j mangle --mangle-$hw-s $newaddr --mangle-target CONTINUE"; },
+		      DMATC  => sub() { fatal_error "Invalid MAC address ($newaddr)" unless $newaddr =~ /^(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$/;
+					$rule .= "$addrlen 6 -j mangle --mangle-$hw-d $newaddr --mangle-target CONTINUE"; },
+		    );
+
+    if ( supplied $newaddr ) {
+	fatal_error "The $action ACTION does not allow a new address" unless $action =~ /^(?:SNAT|DNAT|SMAT|DMAT)C?$/;
+    } else {
+	fatal_error "The $action ACTION requires a new address" if $action =~ /^(?:SNAT|DNAT|SMAT|DMAT)C?$/;
+    }
+
+    my $function = $functions{$action};
+
+    fatal_error "Unknown ACTION ($action)" unless $function;
+
+    if ( $source ne '-' ) {
+	( $iiface, $saddr, $smac ) = split /:/, $source, 3;
+
+	fatal_error "SOURCE interface missing" unless supplied $iiface; 
+
+	$iiface = ( $iifaceref = find_interface( $iiface ) )->{physical};
+
+	fatal_error "Wildcard Interfaces ( $iiface )may not be used in this context" if $iiface =~ /\+$/;
+
+	$rule .= "-i $iiface ";
+	$rule .= match_arp_net( $saddr , $smac, 1 ) if supplied( $saddr );
+	$chainref = $arp_input;
+    }
+
+    if ( $dest ne '-' ) {
+	( $diface, $daddr, $dmac ) = split /:/, $dest, 3;
+
+	fatal_error "DEST interface missing" unless supplied $diface; 
+
+	$diface = ( $difaceref = find_interface( $diface ) )->{physical};
+
+	fatal_error "A wildcard interfaces ( $diface) may not be used in this context" if $diface =~ /\+$/;
+
+	if ( $iiface ) {
+	    fatal_error "When both SOURCE and DEST are given, the interfaces must be ports on the same bridge"
+		if $iifaceref->{bridge} ne $difaceref->{bridge};
+	    $chainref = $arp_forward;
+	} else {
+	    $chainref = $arp_output;
+	}
+
+	$rule .= "-o $diface ";
+	$rule .= match_arp_net( $daddr , $dmac, 0 ) if supplied( $daddr );
+
+    }
+
+    if ( $opcode ne '-' ) {
+	my $invert = ( $opcode =~ s/^!// ) ? '! ' : '';
+	warning_message q(arptables versions through 0.3.4 ignore '!' after '--opcode') if $invert && ! $arptablesjf;
+	fatal_error "Invalid ARP OPCODE ($opcode)" unless $opcode =~ /^\d$/ && $opcode;
+	$rule .= $arptablesjf ? " --arpop ${invert}$map[$opcode] " : "--opcode ${invert}$opcode ";
+    }
+
+    $function ->();
+
+    fatal_error "Either SOURCE or DEST must be specified" unless $chainref;
+
+    push @$chainref, $rule;
+
+}
+
+#
+# Process the arprules file -- returns true if there were any arp rules
+#
+sub process_arprules() {
+    my $result = 0;
+
+    if ( $arptablesjf = have_capability 'ARPTABLESJF' ) {
+	$arp_input  = $arp_table{IN}       = [];
+	$arp_output = $arp_table{OUT}      = [];
+	$arp_forward = $arp_table{FORWARD} = [];
+	@builtins = qw( IN OUT FORWARD );
+	$sourcemac = '-z';
+	$destmac   = '-y';
+	$addrlen   = '--arhln';
+	$hw        = 'hw';
+    } else {
+	$arp_input   = $arp_table{INPUT}   = [];
+	$arp_output  = $arp_table{OUTPUT}  = [];
+	$arp_forward = $arp_table{FORWARD} = [];
+	@builtins = qw( INPUT OUTPUT FORWARD );
+	$sourcemac = '--source-mac';
+	$destmac   = '--destination-mac';
+	$addrlen   = '--h-length';
+	$hw        = 'mac';
+    }
+
+    my $fn = open_file 'arprules';
+
+    if ( $fn ) {
+	first_entry( sub() {
+			 $result = 1;
+			 progress_message2 "$doing $fn..."; }
+		   );
+	process_arprule while read_a_line( NORMAL_READ );
+    }
+
+    $result;
+}
+
+#
+# Generate the arptables_load() function
+#
+sub create_arptables_load( $ ) {
+    my $test = shift;
+
+    emit ( '#',
+	   '# Create the input to arptables-restore and pass that input to the utility',
+	   '#',
+	   'setup_arptables()',
+	   '{'
+	   );
+
+    push_indent;
+
+    save_progress_message "Preparing arptables-restore input...";
+
+    emit '';
+
+    emit "exec 3>\${VARDIR}/.arptables-input";
+
+    my $date = localtime;
+
+    unless ( $test ) {
+	emit_unindented '#';
+	emit_unindented "# Generated by Shorewall $globals{VERSION} - $date";
+	emit_unindented '#';
+    }
+
+    emit '';
+    emit 'cat >&3 << __EOF__';
+
+    emit_unindented "*filter";
+
+    emit_unindented ":$_ ACCEPT" for @builtins;
+
+    for ( @builtins ) {
+	my $rules = $arp_table{$_};
+
+	while ( my $rule = shift @$rules ) {
+	    emit_unindented "-A $_ $rule";
+	}
+    }
+
+    emit_unindented "COMMIT\n" if $arptablesjf;
+
+    emit_unindented "__EOF__";
+
+    #
+    # Now generate the actual ip[6]tables-restore command
+    #
+    emit(  'exec 3>&-',
+	   '',
+	   'progress_message2 "Running $ARPTABLES_RESTORE..."',
+	   '',
+	   'cat ${VARDIR}/.arptables-input | $ARPTABLES_RESTORE # Use this nonsensical form to appease SELinux',
+	   'if [ $? != 0 ]; then',
+	   qq(    fatal_error "arptables-restore Failed. Input is in \${VARDIR}/.arptables-input"),
+	   "fi\n",
+	   "run_ip neigh flush nud stale nud reachable\n",
+	   );    
+
+    pop_indent;
+    emit "}\n";
+}	  
+
+#
+# Preview the generated ARP rules
+#
+sub preview_arptables_load() {
+
+    my $date = localtime;
+
+    print "#\n# Generated by Shorewall $globals{VERSION} - $date\n#\n";
+
+    print "*filter\n";
+
+    print ":$_ ACCEPT\n" for qw( INPUT OUTPUT FORWARD );
+
+    for ( @builtins ) {
+	my $rules = $arp_table{$_};
+
+	while ( my $rule = shift @$rules ) {
+	    print "-A $rule\n";
+	}
+    }
+
+    print "COMMIT\n" if $arptablesjf;
+
+    print "\n";
+}	  
+
+1;

Shorewall/Perl/Shorewall/Accounting.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010,2011,2012,2013 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -40,18 +40,17 @@ our $VERSION = 'MODULEVERSION';
 #
 # Per-IP accounting tables. Each entry contains the associated network.
 #
-my %tables;
+our %tables;
 
-my $jumpchainref;
+our $jumpchainref;
-my %accountingjumps;
+our %accountingjumps;
-my $asection;
+our $asection;
-my $defaultchain;
+our $defaultchain;
-my $ipsecdir;
+our $ipsecdir;
-my $defaultrestriction;
+our $defaultrestriction;
-my $restriction;
+our $restriction;
-my $accounting_commands = { COMMENT => 0, SECTION => 2 };
+our $sectionname;
-my $sectionname;
+our $acctable;
-my $acctable;
 
 #
 # Sections in the Accounting File
@@ -142,27 +141,14 @@ sub process_section ($) {
 #
 # Accounting
 #
-sub process_accounting_rule( ) {
+sub process_accounting_rule1( $$$$$$$$$$$ ) {
+
+    my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers ) = @_;
 
     $acctable = $config{ACCOUNTING_TABLE};
 
     $jumpchainref = 0;
 
-    my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers ) =
-	split_line1 'Accounting File', { action => 0, chain => 1, source => 2, dest => 3, proto => 4, dport => 5, sport => 6, user => 7, mark => 8, ipsec => 9, headers => 10 }, $accounting_commands;
-
-    fatal_error 'ACTION must be specified' if $action eq '-';
-
-    if ( $action eq 'COMMENT' ) {
-	process_comment;
-	return 0;
-    }
-
-    if ( $action eq 'SECTION' ) {
-	process_section( $chain );
-	return 0;
-    }
-
     $asection = LEGACY if $asection < 0;
 
     our $disposition = '';
@@ -236,6 +222,11 @@ sub process_accounting_rule( ) {
 	    }
 	} elsif ( $action =~ /^NFLOG/ ) {
 	    $target = validate_level $action;
+	} elsif ( $action =~ /^NFACCT\((\w+)\)$/ ) {
+	    require_capability 'NFACCT_MATCH', 'The NFACCT action', 's';
+	    $nfobjects{$1} = 1;
+	    $target = '';
+	    $rule .= "-m nfacct --nfacct-name $1 ";
 	} else {
 	    ( $action, my $cmd ) = split /:/, $action;
 
@@ -410,9 +401,31 @@ sub process_accounting_rule( ) {
     return 1;
 }
 
+sub process_accounting_rule( ) {
+
+    my ($action, $chain, $source, $dest, $protos, $ports, $sports, $user, $mark, $ipsec, $headers ) =
+	split_line1 'Accounting File', { action => 0, chain => 1, source => 2, dest => 3, proto => 4, dport => 5, sport => 6, user => 7, mark => 8, ipsec => 9, headers => 10 };
+
+    my $nonempty = 0;
+
+    for my $proto ( split_list $protos, 'Protocol' ) {
+	fatal_error 'ACTION must be specified' if $action eq '-';
+
+	if ( $action eq 'SECTION' ) {
+	    process_section( $chain );
+	} else {
+	    for my $proto ( split_list $protos, 'Protocol' ) {
+		$nonempty |= process_accounting_rule1( $action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers );
+	    }
+	}
+    }
+
+    $nonempty;
+}
+
 sub setup_accounting() {
 
-    if ( my $fn = open_file 'accounting' ) {
+    if ( my $fn = open_file 'accounting', 1, 1 ) {
 
 	first_entry "$doing $fn...";
 
@@ -420,8 +433,6 @@ sub setup_accounting() {
 
 	$nonEmpty |= process_accounting_rule while read_a_line( NORMAL_READ );
 
-	clear_comment;
-
 	if ( $nonEmpty ) {
 	    my $tableref = $chain_table{$acctable};
 

Shorewall/Perl/Shorewall/Compiler.pm

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011,2012 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010,2011,2012,2013 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -34,9 +34,9 @@ use Shorewall::Accounting;
 use Shorewall::Rules;
 use Shorewall::Proc;
 use Shorewall::Proxyarp;
-use Shorewall::IPAddrs;
 use Shorewall::Raw;
 use Shorewall::Misc;
+use Shorewall::ARP;
 
 use strict;
 
@@ -45,17 +45,19 @@ our @EXPORT = qw( compiler );
 our @EXPORT_OK = qw( $export );
 our $VERSION = 'MODULEVERSION';
 
-my $export;
+our $export;
 
-my $test;
+our $test;
 
-my $family;
+our $family;
+
+our $have_arptables;
 
 #
 # Initilize the package-globals in the other modules
 #
-sub initialize_package_globals( $$ ) {
+sub initialize_package_globals( $$$ ) {
-    Shorewall::Config::initialize($family, $_[1]);
+    Shorewall::Config::initialize($family, $_[1], $_[2]);
     Shorewall::Chains::initialize ($family, 1, $export );
     Shorewall::Zones::initialize ($family, $_[0]);
     Shorewall::Nat::initialize;
@@ -158,7 +160,7 @@ sub generate_script_2() {
 
     push_indent;
 
-    if ( $shorewallrc{TEMPDIR} ) {
+    if ( $shorewallrc1{TEMPDIR} ) {
 	emit( '',
 	      qq(TMPDIR="$shorewallrc{TEMPDIR}") ,
 	      q(export TMPDIR) );
@@ -168,14 +170,14 @@ sub generate_script_2() {
 	emit( 'g_family=4' );
 
 	if ( $export ) {
-	    emit ( qq(g_confdir=$shorewallrc{CONFDIR}/shorewall-lite),
+	    emit ( qq(g_confdir=$shorewallrc1{CONFDIR}/shorewall-lite),
 		   'g_product="Shorewall Lite"',
 		   'g_program=shorewall-lite',
 		   'g_basedir=/usr/share/shorewall-lite',
-		   qq(CONFIG_PATH="$shorewallrc{CONFDIR}/shorewall-lite:$shorewallrc{SHAREDIR}/shorewall-lite") ,
+		   qq(CONFIG_PATH="$shorewallrc1{CONFDIR}/shorewall-lite:$shorewallrc1{SHAREDIR}/shorewall-lite") ,
 		 );
 	} else {
-	    emit ( qq(g_confdir=$shorewallrc{CONFDIR}/shorewall),
+	    emit ( qq(g_confdir=$shorewallrc1{CONFDIR}/shorewall),
 		   'g_product=Shorewall',
 		   'g_program=shorewall',
 		   'g_basedir=/usr/share/shorewall',
@@ -186,14 +188,14 @@ sub generate_script_2() {
 	emit( 'g_family=6' );
 
 	if ( $export ) {
-	    emit ( qq(g_confdir=$shorewallrc{CONFDIR}/shorewall6-lite),
+	    emit ( qq(g_confdir=$shorewallrc1{CONFDIR}/shorewall6-lite),
 		   'g_product="Shorewall6 Lite"',
 		   'g_program=shorewall6-lite',
 		   'g_basedir=/usr/share/shorewall6',
-		   qq(CONFIG_PATH="$shorewallrc{CONFDIR}/shorewall6-lite:$shorewallrc{SHAREDIR}/shorewall6-lite") ,
+		   qq(CONFIG_PATH="$shorewallrc1{CONFDIR}/shorewall6-lite:$shorewallrc{SHAREDIR}/shorewall6-lite") ,
 		 );
 	} else {
-	    emit ( qq(g_confdir=$shorewallrc{CONFDIR}/shorewall6),
+	    emit ( qq(g_confdir=$shorewallrc1{CONFDIR}/shorewall6),
 		   'g_product=Shorewall6',
 		   'g_program=shorewall6',
 		   'g_basedir=/usr/share/shorewall',
@@ -202,21 +204,9 @@ sub generate_script_2() {
 	}
     }
 
-    emit( '[ -f ${g_confdir}/vardir ] && . ${g_confdir}/vardir' );
+    emit (   '[ -f ${g_confdir}/vardir ] && . ${g_confdir}/vardir' );
-
+    emit ( qq([ -n "\${VARDIR:=$shorewallrc1{VARDIR}}" ]) );
-    if ( $family == F_IPV4 ) {
+    emit ( qq([ -n "\${VARLIB:=$shorewallrc1{VARLIB}}" ]) );
-	if ( $export ) {
-	    emit ( '[ -n "${VARDIR:=' . $shorewallrc{VARDIR} . '/shorewall-lite}" ]' );
-	} else {
-	    emit ( '[ -n "${VARDIR:=' . $shorewallrc{VARDIR} . '/shorewall}" ]' );
-	}
-    } else {
-	if ( $export ) {
-	    emit ( '[ -n "${VARDIR:=' . $shorewallrc{VARDIR} . '/shorewall6-lite}" ]' );
-	} else {
-	    emit ( '[ -n "${VARDIR:=' . $shorewallrc{VARDIR} . '/shorewall6}" ]' );
-	}
-    }
 
     emit 'TEMPFILE=';
 
@@ -239,6 +229,22 @@ sub generate_script_2() {
 
     set_chain_variables;
 
+    my $need_arptables = $have_arptables || $config{SAVE_ARPTABLES};
+
+    if ( my $arptables = $config{ARPTABLES} ) {
+	emit( qq(ARPTABLES="$arptables"),
+	      '[ -x "$ARPTABLES" ] || startup_error "ARPTABLES=$ARPTABLES does not exist or is not executable"',
+	    );
+    } elsif ( $need_arptables ) {
+	emit( '[ -z "$ARPTABLES" ] && ARPTABLES=$(mywhich arptables)',
+	      '[ -n "$ARPTABLES" -a -x "$ARPTABLES" ] || startup_error "Can\'t find arptables executable"' );
+    }
+
+    if ( $need_arptables ) {
+	emit( 'ARPTABLES_RESTORE=${ARPTABLES}-restore',
+	      '[ -x "$ARPTABLES_RESTORE" ] || startup_error "$ARPTABLES_RESTORE does not exist or is not executable"' );
+    }
+
     if ( $config{EXPORTPARAMS} ) {
 	append_file 'params';
     } else {
@@ -336,6 +342,7 @@ sub generate_script_3($) {
     }
 
     create_netfilter_load( $test );
+    create_arptables_load( $test ) if $have_arptables;
     create_chainlist_reload( $_[0] );
 
     emit "#\n# Start/Restart the Firewall\n#";
@@ -368,6 +375,7 @@ sub generate_script_3($) {
     emit '';
 
     load_ipsets;
+    create_nfobjects;
 
     if ( $family == F_IPV4 ) {
 	emit ( 'if [ "$COMMAND" = refresh ]; then' ,
@@ -377,8 +385,8 @@ sub generate_script_3($) {
 	       'fi',
 	       '' );
 
+	verify_address_variables;
 	save_dynamic_chains;
-
 	mark_firewall_not_started;
 
 	emit ( '',
@@ -406,6 +414,7 @@ sub generate_script_3($) {
 	       'fi',
 	       '' );
 
+	verify_address_variables;
 	save_dynamic_chains;
 	mark_firewall_not_started;
 
@@ -461,59 +470,76 @@ sub generate_script_3($) {
 	  '    if [ -f $iptables_save_file ]; then' );
 
     if ( $family == F_IPV4 ) {
-	emit '        cat $iptables_save_file | $IPTABLES_RESTORE # Use this nonsensical form to appease SELinux'
+	emit( '        cat $iptables_save_file | $IPTABLES_RESTORE # Use this nonsensical form to appease SELinux' );
+
+	emit( '',
+	      '        arptables_save_file=${VARDIR}/$(basename $0)-arptables',
+	      '        if [ -f $arptables_save_file ]; then',
+	      '            cat $arptables_save_file | $ARPTABLES_RESTORE',
+	      '        fi')
+	    if $config{SAVE_ARPTABLES};
+
     } else {
 	emit '        cat $iptables_save_file | $IP6TABLES_RESTORE # Use this nonsensical form to appease SELinux'
     }
 
-    emit<<'EOF';
+    emit( '    else',
-    else
+	  '       fatal_error "$iptables_save_file does not exist"',
-        fatal_error "$iptables_save_file does not exist"
+	  '    fi',
-    fi
+	  ''
-EOF
+	);
-    pop_indent;
+
+    push_indent;
     setup_load_distribution;
     setup_forwarding( $family , 1 );
-    push_indent;
+    pop_indent;
 
     my $config_dir = $globals{CONFIGDIR};
 
     emit<<"EOF";
     set_state Started $config_dir
     run_restored_exit
-else
+elif [ \$COMMAND = refresh ]; then
-    if [ \$COMMAND = refresh ]; then
+    chainlist_reload
-        chainlist_reload
 EOF
+    push_indent;
     setup_load_distribution;
     setup_forwarding( $family , 0 );
-
+    pop_indent;
-    emit( '        run_refreshed_exit' ,
+    #
-	  '        do_iptables -N shorewall' ,
+    # Use a parameter list rather than 'here documents' to avoid an extra blank line
-	  "        set_state Started $config_dir" ,
+    #
-	  '    else' ,
+    emit(
-	  '        setup_netfilter' );
+'    run_refreshed_exit',
-
+'    do_iptables -N shorewall',
+"    set_state Started $config_dir",
+'    [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall',
+'else',
+'    setup_netfilter'
+	);
+    push_indent;
+    emit 'setup_arptables' if $have_arptables;
     setup_load_distribution;
+    pop_indent;
 
-    emit<<"EOF";
+    emit<<'EOF';
-        conditionally_flush_conntrack
+    conditionally_flush_conntrack
 EOF
+    push_indent;
+    initialize_switches;
     setup_forwarding( $family , 0 );
+    pop_indent;
 
     emit<<"EOF";
-        run_start_exit
+    run_start_exit
-        do_iptables -N shorewall
+    do_iptables -N shorewall
-        set_state Started $config_dir
+    set_state Started $config_dir
-        run_started_exit
+    [ \$0 = \${VARDIR}/firewall ] || cp -f \$(my_pathname) \${VARDIR}/firewall
-    fi
+    run_started_exit
-
+fi
 EOF
 
     emit<<'EOF';
-    [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall
-fi
-
 date > ${VARDIR}/restarted
 
 case $COMMAND in
@@ -545,11 +571,12 @@ EOF
 #
 sub compiler {
 
-    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $convert, $config_path, $shorewallrc ) =
+    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $convert, $config_path, $shorewallrc                      , $shorewallrc1 , $directives ) =
-       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0,        0,         0,        0,        , 0       , ''          , '');
+       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0,        0,         0,        0,        , 0       , ''          , '/usr/share/shorewall/shorewallrc', ''            , 0 );
 
-    $export = 0;
+    $export         = 0;
-    $test   = 0;
+    $test           = 0;
+    $have_arptables = 0;
 
     sub validate_boolean( $ ) {
 	 my $val = numeric_value( shift );
@@ -583,8 +610,10 @@ sub compiler {
 		  update        => { store => \$update,        validate=> \&validate_boolean    } ,
 		  convert       => { store => \$convert,       validate=> \&validate_boolean    } ,
 		  annotate      => { store => \$annotate,      validate=> \&validate_boolean    } ,
+		  directives    => { store => \$directives,    validate=> \&validate_boolean    } ,
 		  config_path   => { store => \$config_path } ,
 		  shorewallrc   => { store => \$shorewallrc } ,
+		  shorewallrc1  => { store => \$shorewallrc1 } ,
 		);
     #
     #                               P A R A M E T E R    P R O C E S S I N G
@@ -602,7 +631,7 @@ sub compiler {
     #
     # Now that we know the address family (IPv4/IPv6), we can initialize the other modules' globals
     #
-    initialize_package_globals( $update, $shorewallrc );
+    initialize_package_globals( $update, $shorewallrc, $shorewallrc1 );
 
     set_config_path( $config_path ) if $config_path;
 
@@ -620,7 +649,7 @@ sub compiler {
     #
     #                      S H O R E W A L L . C O N F  A N D  C A P A B I L I T I E S
     #
-    get_configuration( $export , $update , $annotate );
+    get_configuration( $export , $update , $annotate , $directives );
     #
     # Create a temp file to hold the script
     #
@@ -665,11 +694,6 @@ sub compiler {
     #                           (Produces no output to the compiled script)
     #
     process_policies;
-    #
-    #                                       N O T R A C K
-    #                           (Produces no output to the compiled script)
-    #
-    setup_notrack;
 
     enable_script;
 
@@ -709,6 +733,14 @@ sub compiler {
     #
     setup_proxy_arp;
 
+    emit( "#\n# Disable automatic helper association on kernel 3.5.0 and later\n#" ,
+	  'if [ -f /proc/sys/net/netfilter/nf_conntrack_helper ]; then' ,
+	  '    progress_message "Disabling Kernel Automatic Helper Association"',
+	  "    echo 0 > /proc/sys/net/netfilter/nf_conntrack_helper",
+	  'fi',
+	  ''
+	);
+
     if ( $scriptfilename || $debug ) {
 	emit 'return 0';
 	pop_indent;
@@ -753,6 +785,8 @@ sub compiler {
 	emit "}\n"; # End of setup_routing_and_traffic_shaping()
     }
 
+    $have_arptables = process_arprules if $family == F_IPV4;
+
     disable_script;
     #
     #                                       N E T F I L T E R
@@ -788,6 +822,10 @@ sub compiler {
     #
     process_rules( $convert );
     #
+    # Process the conntrack file
+    #
+    setup_conntrack;
+    #
     # Add Tunnel rules.
     #
     setup_tunnels;
@@ -817,11 +855,11 @@ sub compiler {
 	    #
 	    # Optimize Policy Chains
 	    #
-	    optimize_policy_chains if $optimize & 6 == 2; # Level 2 but not 4
+	    optimize_policy_chains if ( $optimize & OPTIMIZE_POLICY_MASK2n4 ) == OPTIMIZE_POLICY_MASK; # Level 2 but not 4
 	    #
 	    # More Optimization
 	    #
-	    optimize_ruleset if $config{OPTIMIZE} & 0x1C;
+	    optimize_ruleset if $config{OPTIMIZE} & OPTIMIZE_RULESET_MASK;
 	}
 
 	enable_script;
@@ -832,7 +870,7 @@ sub compiler {
 	generate_script_2;
 	#
 	#                          N E T F I L T E R   L O A D
-	#    (Produces setup_netfilter(), chainlist_reload() and define_firewall() )
+	#    (Produces setup_netfilter(), setup_arptables(), chainlist_reload() and define_firewall() )
 	#
 	generate_script_3( $chains );
 	#
@@ -845,7 +883,7 @@ sub compiler {
 	#                           S T O P _ F I R E W A L L
 	#         (Writes the stop_firewall() function to the compiled script)
 	#
-	compile_stop_firewall( $test, $export );
+	compile_stop_firewall( $test, $export , $have_arptables );
 	#
 	#                               U P D O W N
 	#               (Writes the updown() function to the compiled script)
@@ -877,23 +915,26 @@ sub compiler {
 
 	    optimize_level0;
 
-	    if ( $config{OPTIMIZE} & OPTIMIZE_MASK ) {
+	    if ( ( my $optimize = $config{OPTIMIZE} ) & 0x1e ) {
 		progress_message2 'Optimizing Ruleset...';
 		#
 		# Optimize Policy Chains
 		#
-		optimize_policy_chains if $config{OPTIMIZE} & OPTIMIZE_POLICY_MASK;
+		optimize_policy_chains if ( $optimize & OPTIMIZE_POLICY_MASK2n4 ) == OPTIMIZE_POLICY_MASK; # Level 2 but not 4
 		#
 		# Ruleset Optimization
 		#
-		optimize_ruleset if $config{OPTIMIZE} & OPTIMIZE_RULESET_MASK;
+		optimize_ruleset if $optimize & OPTIMIZE_RULESET_MASK;
 	    }
 
 	    enable_script if $debug;
 
 	    generate_script_2 if $debug;
 
-	    preview_netfilter_load if $preview;
+	    if ( $preview ) {
+		preview_netfilter_load;
+		preview_arptables_load if $have_arptables;
+	    }
 	}
 	#
 	# Re-initialize the chain table so that process_routestopped() has the same
@@ -903,7 +944,7 @@ sub compiler {
 	initialize_chain_table(0);
 
 	if ( $debug ) {
-	    compile_stop_firewall( $test, $export );
+	    compile_stop_firewall( $test, $export, $have_arptables );
 	    disable_script;
 	} else {
 	    #
@@ -911,6 +952,7 @@ sub compiler {
 	    # call that function during normal 'check', we must validate routestopped here.
 	    #
 	    process_routestopped;
+	    process_stoppedrules;
 	}
 
 	if ( $family == F_IPV4 ) {

Shorewall/Perl/Shorewall/IPAddrs.pm

@@ -26,13 +26,13 @@
 #
 package Shorewall::IPAddrs;
 require Exporter;
-use Shorewall::Config qw( :DEFAULT split_list require_capability in_hex8 numeric_value F_IPV4 F_IPV6 );
+use Shorewall::Config qw( :DEFAULT split_list require_capability in_hex8 numeric_value F_IPV4 F_IPV6 :protocols %config );
 use Socket;
 
 use strict;
 
 our @ISA = qw(Exporter);
-our @EXPORT = qw( ALLIPv4
+our @EXPORT = ( qw( ALLIPv4
                   ALLIPv6
 		  NILIPv4
 		  NILIPv6
@@ -48,15 +48,8 @@ our @EXPORT = qw( ALLIPv4
 		  ALLIP
 		  NILIP
 		  ALL
-		  TCP
-		  UDP
-		  UDPLITE
-		  ICMP
-		  DCCP
-		  IPv6_ICMP
-		  SCTP
-		  GRE
 
+		  valid_address
 		  validate_address
 		  validate_net
 		  decompose_net
@@ -73,6 +66,7 @@ our @EXPORT = qw( ALLIPv4
 		  nilip
 		  rfc1918_networks
 		  resolve_proto
+		  resolve_dnsname
 		  proto_name
 		  validate_port
 		  validate_portpair
@@ -80,27 +74,28 @@ our @EXPORT = qw( ALLIPv4
 		  validate_port_list
 		  validate_icmp
 		  validate_icmp6
-		 );
+		 ) );
 our @EXPORT_OK = qw( );
 our $VERSION = 'MODULEVERSION';
 
 #
 # Some IPv4/6 useful stuff
 #
-my @allipv4 = ( '0.0.0.0/0' );
+our @allipv4 = ( '0.0.0.0/0' );
-my @allipv6 = ( '::/0' );
+our @allipv6 = ( '::/0' );
-my $allip;
+our $allip;
-my @allip;
+our @allip;
-my @nilipv4 = ( '0.0.0.0' );
+our @nilipv4 = ( '0.0.0.0' );
-my @nilipv6 = ( '::' );
+our @nilipv6 = ( '::' );
-my $nilip;
+our $nilip;
-my @nilip;
+our @nilip;
-my $valid_address;
+our $valid_address;
-my $validate_address;
+our $validate_address;
-my $validate_net;
+our $validate_net;
-my $validate_range;
+our $resolve_dnsname;
-my $validate_host;
+our $validate_range;
-my $family;
+our $validate_host;
+our $family;
 
 use constant { ALLIPv4             => '0.0.0.0/0' ,
 	       ALLIPv6             => '::/0' ,
@@ -115,16 +110,9 @@ use constant { ALLIPv4             => '0.0.0.0/0' ,
 	       IPv6_LINK_ALLRTRS   => 'ff01::2' ,
 	       IPv6_SITE_ALLNODES  => 'ff02::1' ,
 	       IPv6_SITE_ALLRTRS   => 'ff02::2' ,
-	       ICMP                => 1,
+	   };
-	       TCP                 => 6,
-	       UDP                 => 17,
-	       DCCP                => 33,
-	       GRE                 => 47,
-	       IPv6_ICMP           => 58,
-	       SCTP                => 132,
-	       UDPLITE             => 136 };
 
-my @rfc1918_networks = ( "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" );
+our @rfc1918_networks = ( "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" );
 
 #
 # Note: initialize() is declared at the bottom of the file
@@ -167,6 +155,21 @@ sub validate_4address( $$ ) {
     defined wantarray ? wantarray ? @addrs : $addrs[0] : undef;
 }
 
+sub resolve_4dnsname( $ ) {
+    my $net = $_[0];
+    my @addrs;
+
+    fatal_error "Unknown Host ($net)" unless  @addrs = gethostbyname( $net );
+
+    shift @addrs for (1..4);
+    for ( @addrs ) {
+	$_ = ( inet_ntoa( $_ ) );
+    }
+
+    @addrs;
+} 
+    
+
 sub decodeaddr( $ ) {
     my $address = $_[0];
 
@@ -217,16 +220,19 @@ sub validate_4net( $$ ) {
 	fatal_error "Invalid IP address ($net)"       unless valid_4address $net;
     } else {
 	fatal_error "Invalid Network address ($_[0])" if $_[0] =~ '/' || ! defined $net;
-	validate_4address $net, $_[1];
+	my $net1 = validate_4address $net, $allow_name;
+	$net  = $net1 unless $config{DEFER_DNS_RESOLUTION};
 	$vlsm = 32;
     }
 
     if ( defined wantarray ) {
-	assert ( ! $allow_name );
 	if ( wantarray ) {
+	    assert( ! $allow_name );
 	    ( decodeaddr( $net ) , $vlsm );
+	} elsif ( valid_4address $net ) {
+	    $vlsm == 32 ? $net : "$net/$vlsm";
 	} else {
-	    "$net/$vlsm";
+	    $net;
 	}
     }
 }
@@ -241,6 +247,8 @@ sub validate_4range( $$ ) {
     my $last  = decodeaddr $high;
 
     fatal_error "Invalid IP Range ($low-$high)" unless $first <= $last;
+
+    "$low-$high";
 }
 
 sub validate_4host( $$ ) {
@@ -335,6 +343,7 @@ sub resolve_proto( $ ) {
 	$number = numeric_value ( $proto );
 	defined $number && $number <= 255 ? $number : undef;
     } else {
+	fatal_error "A protocol list  ($proto) is not allowed in this context" if $proto =~ /,/; 
 	#
 	# Allow 'icmp' as a synonym for 'ipv6-icmp' in IPv6 compilations
 	#
@@ -621,9 +630,24 @@ sub validate_6address( $$ ) {
     defined wantarray ? wantarray ? @addrs : $addrs[0] : undef;
 }
 
+sub resolve_6dnsname( $ ) {
+    my $net = $_[0];
+    my @addrs;
+    
+    require Socket6;
+    fatal_error "Unknown Host ($net)" unless (@addrs = Socket6::gethostbyname2( $net, Socket6::AF_INET6()));
+
+    shift @addrs for (1..4);
+    for ( @addrs ) {
+	$_ = Socket6::inet_ntop( Socket6::AF_INET6(), $_ );
+    }
+
+    @addrs;
+} 
+
 sub validate_6net( $$ ) {
     my ($net, $vlsm, $rest) = split( '/', $_[0], 3 );
-    my $allow_name = $_[1];
+    my $allow_name = $_[0];
 
     if ( $net =~ /\+(\[?)/ ) {
 	if ( $1 ) {
@@ -635,22 +659,29 @@ sub validate_6net( $$ ) {
 	}
     }
 
+    fatal_error "Invalid Network address ($_[0])" unless supplied $net;
+
+    $net = $1 if $net =~ /^\[(.*)\]$/;
+
     if ( defined $vlsm ) {
         fatal_error "Invalid VLSM ($vlsm)"              unless $vlsm =~ /^\d+$/ && $vlsm <= 128;
 	fatal_error "Invalid Network address ($_[0])"   if defined $rest;
 	fatal_error "Invalid IPv6 address ($net)"       unless valid_6address $net;
     } else {
-	fatal_error "Invalid Network address ($_[0])" if $_[0] =~ '/' || ! defined $net;
+	fatal_error "Invalid Network address ($_[0])" if $_[0] =~ '/';
-	validate_6address $net, $allow_name;
+	my $net1 = validate_6address $net, $allow_name;
+	$net  = $net1 unless $config{DEFER_DNS_RESOLUTION};
 	$vlsm = 128;
     }
 
     if ( defined wantarray ) {
-	assert ( ! $allow_name );
 	if ( wantarray ) {
+	    assert( ! $allow_name );
 	    ( $net , $vlsm );
+	} elsif ( valid_6address ( $net ) ) {
+	    $vlsm == 32 ? $net : "$net/$vlsm";
 	} else {
-	    "$net/$vlsm";
+	    $net;
 	}
     }
 }
@@ -697,11 +728,13 @@ sub validate_6range( $$ ) {
     while ( @low ) {
 	my ( $l, $h) = ( shift @low, shift @high );
 	next     if hex "0x$l" == hex "0x$h";
-	return 1 if hex "0x$l"  < hex "0x$h";
+	return "$low-$high" if hex "0x$l"  < hex "0x$h";
 	last;
     }
 
     fatal_error "Invalid IPv6 Range ($low-$high)";
+
+    
 }
 
 sub validate_6host( $$ ) {
@@ -780,6 +813,10 @@ sub validate_net ( $$ ) {
     $validate_net->(@_);
 }
 
+sub resolve_dnsname( $ ) {
+    $resolve_dnsname->(@_);
+}
+
 sub validate_range ($$ ) {
     $validate_range->(@_);
 }
@@ -811,6 +848,7 @@ sub initialize( $ ) {
 	$validate_net     = \&validate_4net;
 	$validate_range   = \&validate_4range;
 	$validate_host    = \&validate_4host;
+	$resolve_dnsname  = \&resolve_4dnsname;
     } else {
 	$allip            = ALLIPv6;
 	@allip            = @allipv6;
@@ -821,6 +859,7 @@ sub initialize( $ ) {
 	$validate_net     = \&validate_6net;
 	$validate_range   = \&validate_6range;
 	$validate_host    = \&validate_6host;
+	$resolve_dnsname  = \&resolve_6dnsname;
     }
 }
 

Shorewall/Perl/Shorewall/Nat.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010,2011,2012,2013 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -35,11 +35,15 @@ use strict;
 
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses );
+our %EXPORT_TAGS = ( rules => [ qw ( handle_nat_rule handle_nonat_rule ) ] );
 our @EXPORT_OK = ();
+
+Exporter::export_ok_tags('rules');
+
 our $VERSION = 'MODULEVERSION';
 
-my @addresses_to_add;
+our @addresses_to_add;
-my %addresses_to_add;
+our %addresses_to_add;
 
 #
 # Called by the compiler
@@ -52,17 +56,9 @@ sub initialize() {
 #
 # Process a single rule from the the masq file
 #
-sub process_one_masq( )
+sub process_one_masq1( $$$$$$$$$$ )
 {
-    my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition ) =
+    my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest ) = @_;
-	split_line1 'masq file', { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8 };
-
-    if ( $interfacelist eq 'COMMENT' ) {
-	process_comment;
-	return 1;
-    }
-
-    fatal_error 'INTERFACE must be specified' if $interfacelist eq '-';
 
     my $pre_nat;
     my $add_snat_aliases = $config{ADD_SNAT_ALIASES};
@@ -119,7 +115,7 @@ sub process_one_masq( )
     #
     # Handle Protocol, Ports and Condition
     #
-    $baserule .= do_proto( $proto, $ports, '' ) . do_condition( $condition );
+    $baserule .= do_proto( $proto, $ports, '' );
     #
     # Handle Mark
     #
@@ -154,6 +150,8 @@ sub process_one_masq( )
 
 	my $chainref = ensure_chain('nat', $pre_nat ? snat_chain $interface : masq_chain $interface);
 
+	$baserule .= do_condition( $condition , $chainref->{name} );
+
 	my $detectaddress = 0;
 	my $exceptionrule = '';
 	my $randomize     = '';
@@ -190,12 +188,16 @@ sub process_one_masq( )
 		} else {
 		    my $addrlist = '';
 		    for my $addr ( split_list $addresses , 'address' ) {
-			if ( $addr =~ /^&(.+)$/ ) {
+			if ( $addr =~ /^([&%])(.+)$/ ) {
+			    my ( $type, $interface ) = ( $1, $2 );
 			    $target = 'SNAT ';
-			    if ( $conditional = conditional_rule( $chainref, $addr ) ) {
+			    if ( $interface =~ /^{([a-zA-Z_]\w*)}$/ ) {
-				$addrlist .= '--to-source ' . get_interface_address $1;
+				$conditional = conditional_rule( $chainref, $addr );
+				$addrlist .= '--to-source ' . "\$$1 ";
+			    } elsif ( $conditional = conditional_rule( $chainref, $addr ) ) {
+				$addrlist .= '--to-source ' . get_interface_address $interface;
 			    } else {
-				$addrlist .= '--to-source ' . record_runtime_address( '&', $1 );
+				$addrlist .= '--to-source ' . record_runtime_address( $type, $interface );
 			    }
 			} elsif ( $addr =~ /^.*\..*\..*\./ ) {
 			    $target = 'SNAT ';
@@ -233,7 +235,7 @@ sub process_one_masq( )
 		     $baserule . $rule ,
 		     $networks ,
 		     $destnets ,
-		     '' ,
+		     $origdest ,
 		     $target ,
 		     '' ,
 		     '' ,
@@ -267,18 +269,28 @@ sub process_one_masq( )
 
 }
 
+sub process_one_masq( )
+{
+    my ($interfacelist, $networks, $addresses, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest ) =
+	split_line1 'masq file', { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9 };
+
+    fatal_error 'INTERFACE must be specified' if $interfacelist eq '-';
+
+    for my $proto ( split_list $protos, 'Protocol' ) {
+	process_one_masq1( $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest );
+    }
+}
+
 #
 # Process the masq file
 #
 sub setup_masq()
 {
-    if ( my $fn = open_file 'masq' ) {
+    if ( my $fn = open_file( 'masq', 1, 1 ) ) {
 
 	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty masq file' , 's'; } );
 
 	process_one_masq while read_a_line( NORMAL_READ );
-
-	clear_comment;
     }
 }
 
@@ -369,7 +381,7 @@ sub do_one_nat( $$$$$ )
 #
 sub setup_nat() {
 
-    if ( my $fn = open_file 'nat' ) {
+    if ( my $fn = open_file( 'nat', 1, 1 ) ) {
 
 	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty nat file' , 's'; } );
 
@@ -377,26 +389,20 @@ sub setup_nat() {
 
 	    my ( $external, $interfacelist, $internal, $allints, $localnat ) = split_line1 'nat file', { external => 0, interface => 1, internal => 2, allints => 3, local => 4 };
 
-	    if ( $external eq 'COMMENT' ) {
+	    ( $interfacelist, my $digit ) = split /:/, $interfacelist;
-		process_comment;
-	    } else {
-		( $interfacelist, my $digit ) = split /:/, $interfacelist;
 
-		$digit = defined $digit ? ":$digit" : '';
+	    $digit = defined $digit ? ":$digit" : '';
 
-		fatal_error 'EXTERNAL must be specified' if $external eq '-';
+	    fatal_error 'EXTERNAL must be specified' if $external eq '-';
-		fatal_error 'INTERNAL must be specified' if $interfacelist eq '-';
+	    fatal_error 'INTERNAL must be specified' if $interfacelist eq '-';
 
-		for my $interface ( split_list $interfacelist , 'interface' ) {
+	    for my $interface ( split_list $interfacelist , 'interface' ) {
-		    fatal_error "Invalid Interface List ($interfacelist)" unless supplied $interface;
+		fatal_error "Invalid Interface List ($interfacelist)" unless supplied $interface;
-		    do_one_nat $external, "${interface}${digit}", $internal, $allints, $localnat;
+		do_one_nat $external, "${interface}${digit}", $internal, $allints, $localnat;
-		}
-
-		progress_message "   NAT entry \"$currentline\" $done";
 	    }
-	}
 
-	clear_comment;
+	    progress_message "   NAT entry \"$currentline\" $done";
+	}
     }
 }
 
@@ -405,7 +411,7 @@ sub setup_nat() {
 #
 sub setup_netmap() {
 
-    if ( my $fn = open_file 'netmap' ) {
+    if ( my $fn = open_file 'netmap', 1, 1 ) {
 
 	first_entry "$doing $fn...";
 
@@ -427,8 +433,8 @@ sub setup_netmap() {
 		    my @rulein;
 		    my @ruleout;
 
-		    validate_net $net1, 0;
+		    $net1 = validate_net $net1, 0;
-		    validate_net $net2, 0;
+		    $net2 = validate_net $net2, 0;
 
 		    unless ( $interfaceref->{root} ) {
 			@rulein  = imatch_source_dev( $interface );
@@ -462,7 +468,7 @@ sub setup_netmap() {
 
 		    require_capability 'RAWPOST_TABLE', 'Stateless NAT Entries', '';
 
-		    validate_net $net2, 0;
+		    $net2 = validate_net $net2, 0;
 
 		    unless ( $interfaceref->{root} ) {
 			@match = imatch_dest_dev(  $interface );
@@ -508,12 +514,229 @@ sub setup_netmap() {
 		progress_message "   Network $net1 on $iface mapped to $net2 ($type)";
 	    }
 	}
-
-	clear_comment;
     }
 
 }
 
+#
+# Called from process_rule1 to add a rule to the NAT table
+#
+sub handle_nat_rule( $$$$$$$$$$$$ ) {
+    my ( $dest,           # <server>[:port]
+	 $proto,          # Protocol
+	 $ports,          # Destination port list
+	 $origdest,       # Original Destination
+	 $action_target,  # If the target is an action, the name of the log action chain to jump to
+	 $action,         # The Action
+	 $sourceref,      # Reference to the Source Zone's table entry in the Zones module
+	 $action_chain,   # Name of the action chain if the rule is in an action
+	 $rule,           # Matches 
+	 $source,         # Source Address
+	 $loglevel,       # [<level>[:<tag>]]
+	 $log_action,     # Action name to include in the log message
+       ) = @_;
+
+    my ( $server, $serverport , $origdstports ) = ( '', '', '' );
+    my $randomize = $dest =~ s/:random$// ? ' --random' : '';
+
+    #
+    # Isolate server port
+    #
+    if ( $dest =~ /^(.*)(?::(.+))$/ ) {
+	#
+	# Server IP and Port
+	#
+	$server = $1;      # May be empty
+	$serverport = $2;  # Not Empty due to RE
+
+	$origdstports = validate_port( $proto, $ports )	if $ports && $ports ne '-' && port_count( $ports ) == 1;
+
+	if ( $serverport =~ /^(\d+)-(\d+)$/ ) {
+	    #
+	    # Server Port Range
+	    #
+	    fatal_error "Invalid port range ($serverport)" unless $1 < $2;
+	    my @ports = ( $1, $2 );
+	    $_ = validate_port( proto_name( $proto ), $_) for ( @ports );
+	    ( $ports = $serverport ) =~ tr/-/:/;
+	} else {
+	    $serverport = $ports = validate_port( proto_name( $proto ), $serverport );
+	}
+    } elsif ( $dest ne ':' ) {
+	#
+	# Simple server IP address (may be empty or "-")
+	#
+	$server = $dest;
+    }
+    #
+    # Generate the target
+    #
+    my $target = '';
+
+    if ( $action eq 'REDIRECT' ) {
+	fatal_error "A server IP address ($server) may not be specified in a REDIRECT rule" if $server;
+	$target  = 'REDIRECT';
+	$target .= " --to-port $serverport" if $serverport;
+	if ( $origdest eq '' || $origdest eq '-' ) {
+	    $origdest = ALLIP;
+	} elsif ( $origdest eq 'detect' ) {
+	    fatal_error 'ORIGINAL DEST "detect" is invalid in an action' if $action_chain;
+
+	    if ( $config{DETECT_DNAT_IPADDRS} ) {
+		my $interfacesref = $sourceref->{interfaces};
+		my @interfaces = keys %$interfacesref;
+		$origdest = @interfaces ? "detect:@interfaces" : ALLIP;
+	    } else {
+		$origdest = ALLIP;
+	    }
+	}
+    } elsif ( $action_target ) {
+	fatal_error "A server port ($serverport) is not allowed in $action rule" if $serverport;
+	$target = $action_target;
+    } else {
+	if ( $server eq '' ) {
+	    fatal_error "A server and/or port must be specified in the DEST column in $action rules" unless $serverport;
+	} elsif ( $server =~ /^(.+)-(.+)$/ ) {
+	    validate_range( $1, $2 );
+	} else {
+	    unless ( $server eq ALLIP ) {
+		my @servers = validate_address $server, 1;
+		$server = join ',', @servers;
+	    }
+	}
+
+	if ( $action eq 'DNAT' ) {
+	    $target = $action;
+	    if ( $server ) {
+		$serverport = ":$serverport" if $serverport;
+		for my $serv ( split /,/, $server ) {
+		    $target .= " --to-destination ${serv}${serverport}";
+		}
+	    } else {
+		$target .= " --to-destination :$serverport";
+	    }
+	}
+
+	unless ( $origdest && $origdest ne '-' && $origdest ne 'detect' ) {
+	    if ( ! $action_chain && $config{DETECT_DNAT_IPADDRS} ) {
+		my $interfacesref = $sourceref->{interfaces};
+		my @interfaces = keys %$interfacesref;
+		$origdest = @interfaces ? "detect:@interfaces" : ALLIP;
+	    } else {
+		$origdest = ALLIP;
+	    }
+	}
+    }
+
+    $target .= $randomize;
+    #
+    # And generate the nat table rule(s)
+    #
+    my $firewallsource = $sourceref && ( $sourceref->{type} & ( FIREWALL | VSERVER ) );
+
+    expand_rule ( ensure_chain ('nat' ,
+				( $action_chain   ? $action_chain :
+				  $firewallsource ? 'OUTPUT' :
+				  dnat_chain $sourceref->{name} ) ) ,
+		  $firewallsource ? OUTPUT_RESTRICT : PREROUTE_RESTRICT ,
+		  $rule ,
+		  $source ,
+		  $origdest ,
+		  '' ,
+		  $target ,
+		  $loglevel ,
+		  $log_action ,
+		  $serverport ? do_proto( $proto, '', '' ) : '',
+		);
+
+    ( $ports, $origdstports, $server );
+}
+
+#
+# Called from process_rule1() to handle the nat table part of the NONAT and ACCEPT+ actions
+#
+sub handle_nonat_rule( $$$$$$$$$$ ) {
+    my ( $action, $source, $dest, $origdest, $sourceref, $inaction, $chain, $loglevel, $log_action, $rule ) = @_;
+
+    my $sourcezone = $sourceref->{name};
+    #
+    # NONAT or ACCEPT+ may not specify a destination interface
+    #
+    fatal_error "Invalid DEST ($dest) in $action rule" if $dest =~ /:/;
+
+    $origdest = '' unless $origdest and $origdest ne '-';
+
+    if ( $origdest eq 'detect' ) {
+	my $interfacesref = $sourceref->{interfaces};
+	my $interfaces = [ ( keys %$interfacesref ) ];
+	$origdest = $interfaces ? "detect:@$interfaces" : ALLIP;
+    }
+
+    my $tgt = 'RETURN';
+
+    my $nonat_chain;
+
+    my $chn;
+
+    if ( $inaction ) {
+	$nonat_chain = ensure_chain( 'nat', $chain );
+    } elsif ( $sourceref->{type} == FIREWALL ) {
+	$nonat_chain = $nat_table->{OUTPUT};
+    } else {
+	$nonat_chain = ensure_chain( 'nat', dnat_chain( $sourcezone ) );
+
+	my @interfaces = keys %{zone_interfaces $sourcezone};
+
+	for ( @interfaces ) {
+	    my $ichain = input_chain $_;
+
+	    if ( $nat_table->{$ichain} ) {
+		#
+		# Static NAT is defined on this interface
+		#
+		$chn = new_chain( 'nat', newnonatchain ) unless $chn;
+		add_ijump $chn, j => $nat_table->{$ichain}, @interfaces > 1 ? imatch_source_dev( $_ )  : ();
+	    }
+	}
+
+	if ( $chn ) {
+	    #
+	    # Call expand_rule() to correctly handle logging. Because
+	    # the 'logname' argument is passed, expand_rule() will
+	    # not create a separate logging chain but will rather emit
+	    # any logging rule in-line.
+	    #
+	    expand_rule( $chn,
+			 PREROUTE_RESTRICT,
+			 '', # Rule
+			 '', # Source
+			 '', # Dest
+			 '', # Original dest
+			 'ACCEPT',
+			 $loglevel,
+			 $log_action,
+			 '',
+			 dnat_chain( $sourcezone  ) );
+	    $loglevel = '';
+	    $tgt = $chn->{name};
+	} else {
+	    $tgt = 'ACCEPT';
+	}
+    }
+
+    expand_rule( $nonat_chain ,
+		 PREROUTE_RESTRICT ,
+		 $rule ,
+		 $source ,
+		 $dest ,
+		 $origdest ,
+		 $tgt,
+		 $loglevel ,
+		 $log_action ,
+		 '',
+	       );
+}
+
 sub add_addresses () {
     if ( @addresses_to_add ) {
 	my @addrs = @addresses_to_add;

Shorewall/Perl/Shorewall/Proc.pm

@@ -219,30 +219,30 @@ sub setup_forwarding( $$ ) {
 
     if ( $family == F_IPV4 ) {
 	if ( $config{IP_FORWARDING} eq 'on' ) {
-	    emit '        echo 1 > /proc/sys/net/ipv4/ip_forward';
+	    emit 'echo 1 > /proc/sys/net/ipv4/ip_forward';
-	    emit '        progress_message2 IPv4 Forwarding Enabled';
+	    emit 'progress_message2 IPv4 Forwarding Enabled';
 	} elsif ( $config{IP_FORWARDING} eq 'off' ) {
-	    emit '        echo 0 > /proc/sys/net/ipv4/ip_forward';
+	    emit 'echo 0 > /proc/sys/net/ipv4/ip_forward';
-	    emit '        progress_message2 IPv4 Forwarding Disabled!';
+	    emit 'progress_message2 IPv4 Forwarding Disabled!';
 	}
 
 	emit '';
 
-	emit ( '        echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables' ,
+	emit ( 'echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables' ,
 	       ''
 	     ) if have_bridges;
     } else {
 	if ( $config{IP_FORWARDING} eq 'on' ) {
-	    emit '        echo 1 > /proc/sys/net/ipv6/conf/all/forwarding';
+	    emit 'echo 1 > /proc/sys/net/ipv6/conf/all/forwarding';
-	    emit '        progress_message2 IPv6 Forwarding Enabled';
+	    emit 'progress_message2 IPv6 Forwarding Enabled';
 	} elsif ( $config{IP_FORWARDING} eq 'off' ) {
-	    emit '        echo 0 > /proc/sys/net/ipv6/conf/all/forwarding';
+	    emit 'echo 0 > /proc/sys/net/ipv6/conf/all/forwarding';
-	    emit '        progress_message2 IPv6 Forwarding Disabled!';
+	    emit 'progress_message2 IPv6 Forwarding Disabled!';
 	}
 
 	emit '';
 
-	emit ( '        echo 1 > /proc/sys/net/bridge/bridge-nf-call-ip6tables' ,
+	emit ( 'echo 1 > /proc/sys/net/bridge/bridge-nf-call-ip6tables' ,
 	       ''
 	     ) if have_bridges;
 
@@ -251,9 +251,6 @@ sub setup_forwarding( $$ ) {
 	if ( @$interfaces ) {
 	    progress_message2 "$doing Interface forwarding..." if $first;
 
-	    push_indent;
-	    push_indent;
-
 	    save_progress_message 'Setting up IPv6 Interface Forwarding...';
 
 	    for my $interface ( @$interfaces ) {
@@ -270,9 +267,6 @@ sub setup_forwarding( $$ ) {
 		       "    error_message \"WARNING: Cannot set IPv6 forwarding on $interface\"" ) unless $optional;
 		emit   "fi\n";
 	    }
-
-	    pop_indent;
-	    pop_indent;
 	}
     }
 }

Shorewall/Perl/Shorewall/Providers.pm

@@ -39,7 +39,9 @@ our @EXPORT = qw( process_providers
 		  @routemarked_interfaces
 		  handle_stickiness
 		  handle_optional_interfaces
+		  compile_updown
 		  setup_load_distribution
+		  have_providers
 	       );
 our @EXPORT_OK = qw( initialize lookup_provider );
 our $VERSION = '4.4_24';
@@ -51,26 +53,28 @@ use constant { LOCAL_TABLE   => 255,
 	       UNSPEC_TABLE  => 0
 	       };
 
-my  @routemarked_providers;
+our @routemarked_providers;
-my  %routemarked_interfaces;
+our %routemarked_interfaces;
 our @routemarked_interfaces;
-my  %provider_interfaces;
+our %provider_interfaces;
-my  @load_providers;
+our @load_providers;
-my  @load_interfaces;
+our @load_interfaces;
 
-my $balancing;
+our $balancing;
-my $fallback;
+our $fallback;
-my $first_default_route;
+our $metrics;
-my $first_fallback_route;
+our $first_default_route;
-my $maxload;
+our $first_fallback_route;
+our $maxload;
+our $tproxies;
 
-my %providers;
+our %providers;
 
-my @providers;
+our @providers;
 
-my $family;
+our $family;
 
-my $lastmark;
+our $lastmark;
 
 use constant { ROUTEMARKED_SHARED => 1, ROUTEMARKED_UNSHARED => 2 };
 
@@ -95,9 +99,11 @@ sub initialize( $ ) {
     @load_interfaces        = ();
     $balancing              = 0;
     $fallback               = 0;
+    $metrics                = 0;
     $first_default_route    = 1;
     $first_fallback_route   = 1;
     $maxload                = 0;
+    $tproxies               = 0;
 
     %providers  = ( local   => { number => LOCAL_TABLE   , mark => 0 , optional => 0 ,routes => [], rules => [] } ,
 		    main    => { number => MAIN_TABLE    , mark => 0 , optional => 0 ,routes => [], rules => [] } ,
@@ -112,10 +118,15 @@ sub initialize( $ ) {
 #
 sub setup_route_marking() {
     my $mask = in_hex( $globals{PROVIDER_MASK} );
+    my $exmask = have_capability( 'EXMARK' ) ? "/$mask" : '';
 
     require_capability( $_ , q(The provider 'track' option) , 's' ) for qw/CONNMARK_MATCH CONNMARK/;
 
-    add_ijump $mangle_table->{$_} , j => 'CONNMARK', targetopts => "--restore-mark --mask $mask", connmark => "! --mark 0/$mask" for qw/PREROUTING OUTPUT/;
+    if ( $config{RESTORE_ROUTEMARKS} ) {
+	add_ijump $mangle_table->{$_} , j => 'CONNMARK', targetopts => "--restore-mark --mask $mask" for qw/PREROUTING OUTPUT/;
+    } else {
+	add_ijump $mangle_table->{$_} , j => 'CONNMARK', targetopts => "--restore-mark --mask $mask", connmark => "! --mark 0/$mask" for qw/PREROUTING OUTPUT/;
+    }
 
     my $chainref  = new_chain 'mangle', 'routemark';
 
@@ -139,10 +150,10 @@ sub setup_route_marking() {
 
 	    if ( $providerref->{shared} ) {
 		add_commands( $chainref, qq(if [ -n "$providerref->{mac}" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional};
-		add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}", imatch_source_dev( $interface ), mac => "--mac-source $providerref->{mac}";
+		add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}${exmask}", imatch_source_dev( $interface ), mac => "--mac-source $providerref->{mac}";
 		decr_cmd_level( $chainref ), add_commands( $chainref, "fi\n" ) if $providerref->{optional};
 	    } else {
-		add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}", imatch_source_dev( $interface );
+		add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}${exmask}", imatch_source_dev( $interface );
 	    }
 	}
 
@@ -327,24 +338,35 @@ sub balance_fallback_route( $$$$ ) {
     }
 }
 
-sub start_provider( $$$ ) {
+sub start_provider( $$$$ ) {
-    my ($table, $number, $test ) = @_;
+    my ($what, $table, $number, $test ) = @_;
 
-    emit "\n#\n# Add Provider $table ($number)\n#";
+    emit "\n#\n# Add $what $table ($number)\n#";
+
+    if ( $number ) {
+	emit "start_provider_$table() {";
+    } else {
+	emit "start_interface_$table() {";
+    }
 
-    emit "start_provider_$table() {";
     push_indent;
     emit $test;
     push_indent;
 
-    emit "qt ip -$family route flush table $number";
+
-    emit "echo \"qt \$IP -$family route flush table $number\" > \${VARDIR}/undo_${table}_routing";
+    if ( $number ) {
+	emit "qt ip -$family route flush table $number";
+	emit "echo \"qt \$IP -$family route flush table $number\" > \${VARDIR}/undo_${table}_routing";
+    } else {
+	emit( "> \${VARDIR}/undo_${table}_routing" );
+    }
 }
 
 #
 # Process a record in the providers file
 #
-sub process_a_provider() {
+sub process_a_provider( $ ) {
+    my $pseudo = $_[0]; # When true, this is an optional interface that we are treating somewhat like a provider.
 
     my ($table, $number, $mark, $duplicate, $interface, $gateway,  $options, $copy ) =
 	split_line 'providers file', { table => 0, number => 1, mark => 2, duplicate => 3, interface => 4, gateway => 5, options => 6, copy => 7 };
@@ -352,17 +374,20 @@ sub process_a_provider() {
     fatal_error "Duplicate provider ($table)" if $providers{$table};
 
     fatal_error 'NAME must be specified' if $table eq '-';
-    fatal_error "Invalid Provider Name ($table)" unless $table =~ /^[\w]+$/;
 
-    my $num = numeric_value $number;
+    unless ( $pseudo ) {
+	fatal_error "Invalid Provider Name ($table)" unless $table =~ /^[\w]+$/;
 
-    fatal_error 'NUMBER must be specified' if $number eq '-';
+	my $num = numeric_value $number;
-    fatal_error "Invalid Provider number ($number)" unless defined $num;
 
-    $number = $num;
+	fatal_error 'NUMBER must be specified' if $number eq '-';
+	fatal_error "Invalid Provider number ($number)" unless defined $num;
 
-    for my $providerref ( values %providers  ) {
+	$number = $num;
-	fatal_error "Duplicate provider number ($number)" if $providerref->{number} == $number;
+
+	for my $providerref ( values %providers  ) {
+	    fatal_error "Duplicate provider number ($number)" if $providerref->{number} == $number;
+	}
     }
 
     fatal_error 'INTERFACE must be specified' if $interface eq '-';
@@ -383,6 +408,11 @@ sub process_a_provider() {
     my $physical    = get_physical $interface;
     my $gatewaycase = '';
 
+    if ( $physical =~ /\+$/ ) {
+	return 0 if $pseudo;
+	fatal_error "Wildcard interfaces ($physical) may not be used as provider interfaces";
+    }
+
     if ( $gateway eq 'detect' ) {
 	fatal_error "Configuring multiple providers through one interface requires an explicit gateway" if $shared;
 	$gateway = get_interface_gateway $interface;
@@ -396,8 +426,15 @@ sub process_a_provider() {
 	$gateway = '';
     }
 
-    my ( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $tproxy , $local, $load ) =
+    my ( $loose, $track, $balance, $default, $default_balance, $optional, $mtu, $tproxy, $local, $load, $what );
-	(0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), ''  , 0       , 0,      0 );
+
+    if ( $pseudo ) {	
+	( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $tproxy , $local, $load, $what ) =
+	( 0,      0                       , 0 ,        0,        0,                               1                                  , ''  , 0       , 0,      0,     'interface');
+    } else {
+	( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $tproxy , $local, $load, $what )=
+	( 0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), ''  , 0       , 0,      0,     'provider');
+    }
 
     unless ( $options eq '-' ) {
 	for my $option ( split_list $options, 'option' ) {
@@ -461,10 +498,11 @@ sub process_a_provider() {
     }
 
     if ( $local ) {
-	fatal_error "GATEWAY not valid with 'local' provider" unless $gatewaycase eq 'none';
+	fatal_error "GATEWAY not valid with 'local' provider"  unless $gatewaycase eq 'none';
-	fatal_error "'track' not valid with 'local'"          if $track;
+	fatal_error "'track' not valid with 'local'"           if $track;
-	fatal_error "DUPLICATE not valid with 'local'"        if $duplicate ne '-';
+	fatal_error "DUPLICATE not valid with 'local'"         if $duplicate ne '-';
     } elsif ( $tproxy ) {
+	fatal_error "Only one 'tproxy' provider is allowed"    if $tproxies++;
 	fatal_error "GATEWAY not valid with 'tproxy' provider" unless $gatewaycase eq 'none';
 	fatal_error "'track' not valid with 'tproxy'"          if $track;
 	fatal_error "DUPLICATE not valid with 'tproxy'"        if $duplicate ne '-';
@@ -506,7 +544,7 @@ sub process_a_provider() {
 
     }
 
-    unless ( $loose ) {
+    unless ( $loose || $pseudo ) {
 	warning_message q(The 'proxyarp' option is dangerous when specified on a Provider interface) if get_interface_option( $interface, 'proxyarp' );
 	warning_message q(The 'proxyndp' option is dangerous when specified on a Provider interface) if get_interface_option( $interface, 'proxyndp' );
     }
@@ -544,10 +582,14 @@ sub process_a_provider() {
 			   local       => $local ,
 			   tproxy      => $tproxy ,
 			   load        => $load ,
+			   pseudo      => $pseudo ,
+			   what        => $what ,
 			   rules       => [] ,
 			   routes      => [] ,
 			 };
 
+    $provider_interfaces{$interface} = $table unless $shared;
+
     if ( $track ) {
 	fatal_error "The 'track' option requires a numeric value in the MARK column" if $mark eq '-';
 
@@ -566,7 +608,22 @@ sub process_a_provider() {
 
     push @providers, $table;
 
-    progress_message "   Provider \"$currentline\" $done";
+    progress_message "   Provider \"$currentline\" $done" unless $pseudo;
+
+    return 1;
+}
+
+#
+# Emit a 'started' message
+#
+sub emit_started_message( $$$$$ ) {
+    my ( $spaces, $level, $pseudo, $name, $number ) = @_;
+
+    if ( $pseudo ) {
+	emit qq(${spaces}progress_message${level} "   Optional interface $name Started");
+    } else {
+	emit qq(${spaces}progress_message${level} "   Provider $name ($number) Started");
+    }
 }
 
 #
@@ -597,22 +654,27 @@ sub add_a_provider( $$ ) {
     my $local       = $providerref->{local};
     my $tproxy      = $providerref->{tproxy};
     my $load        = $providerref->{load};
+    my $pseudo      = $providerref->{pseudo};
+    my $what        = $providerref->{what};
+    my $label       = $pseudo ? 'Optional Interface' : 'Provider';
 
-    my $dev         = chain_base $physical;
+    my $dev         = var_base $physical;
     my $base        = uc $dev;
     my $realm = '';
 
     if ( $shared ) {
 	my $variable = $providers{$table}{mac} = get_interface_mac( $gateway, $interface , $table );
 	$realm = "realm $number";
-	start_provider( $table, $number, qq(if interface_is_usable $physical && [ -n "$variable" ]; then) );
+	start_provider( $label , $table, $number, qq(if interface_is_usable $physical && [ -n "$variable" ]; then) );
+    } elsif ( $pseudo ) {
+	start_provider( $label , $table, $number, qq(if [ -n "\$SW_${base}_IS_USABLE" ]; then) );
     } else {
 	if ( $optional ) {
-	    start_provider( $table, $number, qq(if [ -n "\$SW_${base}_IS_USABLE" ]; then) );
+	    start_provider( $label, $table , $number, qq(if [ -n "\$SW_${base}_IS_USABLE" ]; then) );
 	} elsif ( $gatewaycase eq 'detect' ) {
-	    start_provider( $table, $number, qq(if interface_is_usable $physical && [ -n "$gateway" ]; then) );
+	    start_provider( $label, $table, $number, qq(if interface_is_usable $physical && [ -n "$gateway" ]; then) );
 	} else {
-	    start_provider( $table, $number, "if interface_is_usable $physical; then" );
+	    start_provider( $label, $table, $number, "if interface_is_usable $physical; then" );
 	}
 	$provider_interfaces{$interface} = $table;
 
@@ -695,19 +757,20 @@ CEOF
 	emit '';
 	if ( $gateway ) {
 	    if ( $family == F_IPV4 ) {
-		emit qq(run_ip route replace $gateway dev $physical table ) . DEFAULT_TABLE;
+		emit qq(run_ip route replace $gateway/32 dev $physical table ) . DEFAULT_TABLE;
 		emit qq(run_ip route replace default via $gateway src $address dev $physical table ) . DEFAULT_TABLE . qq( metric $number);
 	    } else {
 		emit qq(qt \$IP -6 route del default via $gateway src $address dev $physical table ) . DEFAULT_TABLE . qq( metric $number);
 		emit qq(run_ip route add default via $gateway src $address dev $physical table ) . DEFAULT_TABLE . qq( metric $number);
 	    }
 	    emit qq(echo "qt \$IP -$family route del default via $gateway table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_${table}_routing);
+	    emit qq(echo "qt \$IP -4  route del $gateway/32 dev $physical table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_${table}_routing) if $family == F_IPV4;
 	} else {
 	    emit qq(run_ip route add default table ) . DEFAULT_TABLE . qq( dev $physical metric $number);
 	    emit qq(echo "qt \$IP -$family route del default dev $physical table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_${table}_routing);
 	}
 
-	$fallback = 1;
+	$metrics = 1;
     }
 
     emit( qq(\n) ,
@@ -729,7 +792,7 @@ CEOF
 	    emit  "qt \$IP -$family rule del from $address" if $config{DELETE_THEN_ADD};
 	    emit( "run_ip rule add from $address pref 20000 table $number" ,
 		  "echo \"qt \$IP -$family rule del from $address\" >> \${VARDIR}/undo_${table}_routing" );
-	} else {
+	} elsif ( ! $pseudo ) {
 	    emit  ( "find_interface_addresses $physical | while read address; do" );
 	    emit  ( "    qt \$IP -$family rule del from \$address" ) if $config{DELETE_THEN_ADD};
 	    emit  ( "    run_ip rule add from \$address pref 20000 table $number",
@@ -792,15 +855,17 @@ CEOF
 	    emit( "setup_${dev}_tc" ) if $tcdevices->{$interface};
 	}
 
-	emit ( qq(progress_message2 "   Provider $table ($number) Started") );
+	emit_started_message( '', 2, $pseudo, $table, $number );
 
 	pop_indent;
 
-	emit( 'else' );
+	unless ( $pseudo ) {
-	emit( qq(    echo $weight > \${VARDIR}/${physical}_weight) ,
+	    emit( 'else' );
-	      qq(    progress_message "   Provider $table ($number) Started"),
+	    emit( qq(    echo $weight > \${VARDIR}/${physical}_weight) );
-	      qq(fi\n)
+	    emit_started_message( '    ', '', $pseudo, $table, $number );
-	    );
+	}
+
+	emit "fi\n";
     } else {
 	emit( qq(echo 0 > \${VARDIR}/${physical}.status) );
 	emit( qq(progress_message "Provider $table ($number) Started") );
@@ -817,6 +882,8 @@ CEOF
     if ( $optional ) {
 	if ( $shared ) {
 	    emit ( "error_message \"WARNING: Gateway $gateway is not reachable -- Provider $table ($number) not Started\"" );
+	} elsif ( $pseudo ) {
+	    emit ( "error_message \"WARNING: Optional Interface $physical is not usable -- $table not Started\"" );
 	} else {
 	    emit ( "error_message \"WARNING: Interface $physical is not usable -- Provider $table ($number) not Started\"" );
 	}
@@ -834,14 +901,14 @@ CEOF
 
     pop_indent;
 
-    emit '}'; # End of start_provider_$table();
+    emit "} # End of start_${what}_${table}();";
 
     if ( $optional ) {
 	emit( '',
 	      '#',
-	      "# Stop provider $table",
+	      "# Stop $what $table",
 	      '#',
-	      "stop_provider_$table() {" );
+	      "stop_${what}_${table}() {" );
 
 	push_indent;
 
@@ -869,8 +936,13 @@ CEOF
 	    emit( qq(delete_gateway "$via" $tbl $physical) );
 	}
 
-	emit (". $undo",
+	emit (". $undo" );
-	      "> $undo" );
+
+	if ( $pseudo ) {
+	    emit( "rm -f $undo" );
+	} else {
+	    emit( "> $undo" );
+	}
 
 	emit ( '',
 	       "distribute_load $maxload @load_interfaces" ) if $load;
@@ -881,8 +953,13 @@ CEOF
 		  "qt \$TC qdisc del dev $physical ingress\n" ) if $tcdevices->{$interface};
 	}
 
-	emit( "echo 1 > \${VARDIR}/${physical}.status",
+	emit( "echo 1 > \${VARDIR}/${physical}.status" );
-	      "progress_message2 \"   Provider $table ($number) stopped\"" );
+
+	if ( $pseudo ) {
+	    emit( "progress_message2 \"   Optional Interface $table stopped\"" );
+	} else {
+	    emit( "progress_message2 \"   Provider $table ($number) stopped\"" );
+	}
 
 	pop_indent;
 
@@ -930,7 +1007,7 @@ sub add_an_rtrule( ) {
     if ( $dest eq '-' ) {
 	$dest = 'to ' . ALLIP;
     } else {
-	validate_net( $dest, 0 );
+	$dest = validate_net( $dest, 0 );
 	$dest = "to $dest";
     }
 
@@ -942,22 +1019,22 @@ sub add_an_rtrule( ) {
 	if ( $source =~ /:/ ) {
 	    ( my $interface, $source , my $remainder ) = split( /:/, $source, 3 );
 	    fatal_error "Invalid SOURCE" if defined $remainder;
-	    validate_net ( $source, 0 );
+	    $source = validate_net ( $source, 0 );
 	    $interface = physical_name $interface;
 	    $source = "iif $interface from $source";
 	} elsif ( $source =~ /\..*\..*/ ) {
-	    validate_net ( $source, 0 );
+	    $source = validate_net ( $source, 0 );
 	    $source = "from $source";
 	} else {
 	    $source = 'iif ' . physical_name $source;
 	}
-    } elsif ( $source =~  /^(.+?):<(.+)>\s*$/ ||  $source =~  /^(.+?):\[(.+)\]\s*$/ ) {
+    } elsif ( $source =~  /^(.+?):<(.+)>\s*$/ ||  $source =~  /^(.+?):\[(.+)\]\s*$/ || $source =~ /^(.+?):(\[.+?\](?:\/\d+))$/ ) {
 	my ($interface, $source ) = ($1, $2);
-	validate_net ($source, 0);
+	$source = validate_net ($source, 0);
 	$interface = physical_name $interface;
 	$source = "iif $interface from $source";
     } elsif (  $source =~ /:.*:/ || $source =~ /\..*\..*/ ) {
-	validate_net ( $source, 0 );
+	$source = validate_net ( $source, 0 );
 	$source = "from $source";
     } else {
 	$source = 'iif ' . physical_name $source;
@@ -1012,7 +1089,7 @@ sub add_a_route( ) {
     }
 
     fatal_error 'DEST must be specified' if $dest eq '-';
-    validate_net ( $dest, 1 );
+    $dest = validate_net ( $dest, 0 );
 
     validate_address ( $gateway, 1 ) if $gateway ne '-';
 
@@ -1153,14 +1230,16 @@ sub finish_providers() {
 
 	emit( "    progress_message \"Fallback route '\$(echo \$FALLBACK_ROUTE | sed 's/\$\\s*//')' Added\"",
 	      'else',
-	      '#',
+	      '    #',
-	      '# We don\'t have any \'fallback\' providers so we delete any default routes in the default table',
+	      '    # We don\'t have any \'fallback\' providers so we delete any default routes in the default table',
-	      '#',
+	      '    #',
-	      "    while qt \$IP -$family route del default table " . DEFAULT_TABLE . '; do true; done',
+	      '    delete_default_routes ' . DEFAULT_TABLE,
 	      'fi',
 	      '' );
     } elsif ( $config{USE_DEFAULT_RT} ) {
-	emit "while qt \$IP -$family route del default table " . DEFAULT_TABLE . '; do true; done';
+	emit( 'delete_default_routes ' . DEFAULT_TABLE,
+	      ''
+	    );
     }
 
     unless ( $config{KEEP_RT_TABLES} ) {
@@ -1189,20 +1268,33 @@ sub process_providers( $ ) {
     my $tcdevices = shift;
 
     our $providers = 0;
+    our $pseudoproviders = 0;
 
     $lastmark = 0;
 
     if ( my $fn = open_file 'providers' ) {
 	first_entry "$doing $fn...";
-	process_a_provider, $providers++ while read_a_line( NORMAL_READ );
+	$providers += process_a_provider(0) while read_a_line( NORMAL_READ );
+    }
+    #
+    # Treat optional interfaces as pseudo-providers
+    #
+    for ( grep interface_is_optional( $_ ) && ! $provider_interfaces{ $_ }, all_real_interfaces ) {
+	#
+	#               TABLE             NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
+	$currentline =  var_base($_) ." 0      -    -         $_        -       -       -";
+	#
+	$pseudoproviders += process_a_provider(1);
     }
 
     if ( $providers ) {
+	fatal_error q(Either all 'fallback' providers must specify a weight or non of them can specify a weight) if $fallback && $metrics;
+
 	my $fn = open_file( 'route_rules' );
 
 	if ( $fn ){
 	    if ( -f ( my $fn1 = find_file 'rtrules' ) ) {
-		warning_message "Both $fn and $fn1 exists: $fn1 will be ignored";
+		warning_message "Both $fn and $fn1 exist: $fn1 will be ignored";
 	    }
 	} else {
 	    $fn = open_file( 'rtrules' );
@@ -1215,17 +1307,19 @@ sub process_providers( $ ) {
 
 	    add_an_rtrule while read_a_line( NORMAL_READ );
 	}
+    }
 
-	$fn = open_file 'routes';
+    if ( $providers || $pseudoproviders ) {
+	my $fn = open_file 'routes';
 
 	if ( $fn ) {
 	    first_entry "$doing $fn...";
 	    emit '';
 	    add_a_route while read_a_line( NORMAL_READ );
 	}
-    }
 
-    add_a_provider( $providers{$_}, $tcdevices ) for @providers;
+	add_a_provider( $providers{$_}, $tcdevices ) for @providers;
+    }
 
     emit << 'EOF';;
 
@@ -1246,14 +1340,20 @@ EOF
 
 	if ( $providerref->{optional} ) {
 	    if ( $providerref->{shared} || $providerref->{physical} eq $provider) {
-		emit "$provider})";
+		emit "$provider)";
 	    } else {
 		emit( "$providerref->{physical}|$provider)" );
 	    }
 
-	    emit ( "    if [ -z \"`\$IP -$family route ls table $providerref->{number}`\" ]; then",
+	    if ( $providerref->{pseudo} ) {
-		   "        start_provider_$provider",
+		emit ( "    if [ ! -f \${VARDIR}/$product/undo_${provider}_routing ]; then",
-		   '    else',
+		       "        start_interface_$provider" );
+	    } else {
+		emit ( "    if [ -z \"`\$IP -$family route ls table $providerref->{number}`\" ]; then",
+		       "        start_provider_$provider" );
+	    }
+
+	    emit ( '    else',
 		   "        startup_error \"Interface $providerref->{physical} is already enabled\"",
 		   '    fi',
 		   '    ;;'
@@ -1266,9 +1366,10 @@ EOF
 
     emit << 'EOF';;
         *)
-            startup_error "$g_interface is not an optional provider or provider interface"
+            startup_error "$g_interface is not an optional provider or interface"
             ;;
     esac
+
 }
 
 #
@@ -1286,14 +1387,26 @@ EOF
     for my $provider (@providers ) {
 	my $providerref = $providers{$provider};
 
-	emit( "$providerref->{physical}|$provider)",
+	if ( $providerref->{optional} ) {
-	      "    if [ -n \"`\$IP -$family route ls table $providerref->{number}`\" ]; then",
+	    if ( $provider eq $providerref->{physical} ) {
-	      "        stop_provider_$provider",
+		emit( "$provider)" );
-	      '    else',
+	    } else {
-	      "        startup_error \"Interface $providerref->{physical} is already disabled\"",
+		emit( "$providerref->{physical}|$provider)" );
-	      '    fi',
+	    }
-	      '    ;;'
+
-	    ) if $providerref->{optional};
+	    if ( $providerref->{pseudo} ) {
+		emit( "    if [ -f \${VARDIR}/$product/undo_${provider}_routing ]; then" );
+	    } else {
+		emit( "    if [ -n \"`\$IP -$family route ls table $providerref->{number}`\" ]; then" );
+	    }
+
+	    emit( "        stop_$providerref->{what}_$provider",
+		  '    else',
+		  "        startup_error \"Interface $providerref->{physical} is already disabled\"",
+		  '    fi',
+		  '    ;;'
+		);
+	}
     }
 
     pop_indent;
@@ -1309,6 +1422,10 @@ EOF
 
 }
 
+sub have_providers() {
+    return our $providers;
+}
+
 sub setup_providers() {
     our $providers;
 
@@ -1321,7 +1438,7 @@ sub setup_providers() {
 
 	emit '';
 
-	emit "start_provider_$_" for @providers;
+	emit "start_$providers{$_}->{what}_$_" for @providers;
 
 	emit '';
 
@@ -1354,6 +1471,228 @@ sub setup_providers() {
 
 }
 
+#
+# Emit the updown() function
+#
+sub compile_updown() {
+    emit( '',
+	  '#',
+	  '# Handle the "up" and "down" commands',
+	  '#',
+	  'updown() # $1 = interface',
+	  '{',
+	);
+
+    push_indent;
+
+    emit( 'local state',
+	  'state=cleared',
+	  ''
+	);
+
+    emit 'progress_message3 "$g_product $COMMAND triggered by $1"';
+    emit '';
+
+    if ( $family == F_IPV4 ) {
+	emit 'if shorewall_is_started; then';
+    } else {
+	emit 'if shorewall6_is_started; then';
+    }
+
+    emit( '    state=started',
+	  'elif [ -f ${VARDIR}/state ]; then',
+	  '    case "$(cat ${VARDIR}/state)" in',
+	  '        Stopped*)',
+	  '            state=stopped',
+	  '            ;;',
+	  '        Cleared*)',
+	  '            ;;',
+	  '        *)',
+	  '            state=unknown',
+	  '            ;;',
+	  '    esac',
+	  'else',
+	  '    state=unknown',
+	  'fi',
+	  ''
+	);
+
+    emit( 'case $1 in' );
+
+    push_indent;
+
+    my $ignore   = find_interfaces_by_option 'ignore', 1;
+    my $required = find_interfaces_by_option 'required';
+    my $optional = find_interfaces_by_option 'optional';
+
+    if ( @$ignore ) {
+	my $interfaces = join '|', map get_physical( $_ ), @$ignore;
+
+	$interfaces =~ s/\+/*/g;
+
+	emit( "$interfaces)",
+	      '    progress_message3 "$COMMAND on interface $1 ignored"',
+	      '    exit 0',
+	      '    ;;'
+	    );
+    }
+
+    my @nonshared = ( grep $providers{$_}->{optional},
+		      sort( { $providers{$a}->{number} <=> $providers{$b}->{number} } values %provider_interfaces ) );
+
+    if ( @nonshared ) {
+	my $interfaces = join( '|', map $providers{$_}->{physical}, @nonshared );
+
+	emit "$interfaces)";
+
+	push_indent;
+
+	emit( q(if [ "$state" = started ]; then) ,
+	      q(    if [ "$COMMAND" = up ]; then) , 
+	      q(        progress_message3 "Attempting enable on interface $1") ,
+	      q(        COMMAND=enable) ,
+	      q(        detect_configuration),        
+	      q(        enable_provider $1),
+	      q(    elif [ "$PHASE" != post-down ]; then # pre-down or not Debian) ,
+	      q(        progress_message3 "Attempting disable on interface $1") ,
+	      q(        COMMAND=disable) ,
+	      q(        detect_configuration),        
+	      q(        disable_provider $1) ,
+	      q(    fi) ,
+	      q(elif [ "$COMMAND" = up ]; then) ,
+	      q(    echo 0 > ${VARDIR}/${1}.status) ,
+	      q(    COMMAND=start),
+	      q(    progress_message3 "$g_product attempting start") ,
+	      q(    detect_configuration),
+	      q(    define_firewall),
+	      q(else),
+	      q(    progress_message3 "$COMMAND on interface $1 ignored") ,
+	      q(fi) ,
+	      q(;;) );
+
+	pop_indent;
+    }
+
+    if ( @$required ) {
+	my $interfaces = join '|', map get_physical( $_ ), @$required;
+
+	my $wildcard = ( $interfaces =~ s/\+/*/g );
+
+	emit( "$interfaces)",
+	      '    if [ "$COMMAND" = up ]; then' );
+
+	if ( $wildcard ) {
+	    emit( '        if [ "$state" = started ]; then',
+		  '            COMMAND=restart',
+		  '        else',
+		  '            COMMAND=start',
+		  '        fi' );
+	} else {
+	    emit( '        COMMAND=start' );
+	}
+
+	emit( '        progress_message3 "$g_product attempting $COMMAND"',
+	      '        detect_configuration',
+	      '        define_firewall',
+	      '    elif [ "$PHASE" != pre-down ]; then # Not Debian pre-down phase'
+	    );
+
+	push_indent;
+
+	if ( $wildcard ) {
+
+	    emit( '    if [ "$state" = started ]; then',
+		  '        progress_message3 "$g_product attempting restart"',
+		  '        COMMAND=restart',
+		  '        detect_configuration',
+		  '        define_firewall',
+		  '    fi' );
+
+	} else {
+	    emit( '    COMMAND=stop',
+		  '    progress_message3 "$g_product attempting stop"',
+		  '    detect_configuration',
+		  '    stop_firewall' );
+	}
+
+	pop_indent;
+
+	emit( '    fi',
+	      '    ;;'
+	    );
+    }
+
+    if ( @$optional ) {
+	my @interfaces = map( get_physical( $_ ), grep( ! $provider_interfaces{$_} , @$optional ) );
+	my $interfaces = join '|', @interfaces;
+
+	if ( $interfaces ) {
+	    if ( $interfaces =~ s/\+/*/g || @interfaces > 1 ) {
+		emit( "$interfaces)",
+		      '    if [ "$COMMAND" = up ]; then',
+		      '        echo 0 > ${VARDIR}/${1}.state',
+		      '    else',
+		      '        echo 1 > ${VARDIR}/${1}.state',
+		      '    fi' );
+	    } else {
+		emit( "$interfaces)",
+		      '    if [ "$COMMAND" = up ]; then',
+		      "        echo 0 > \${VARDIR}/$interfaces.state",
+		      '    else',
+		      "        echo 1 > \${VARDIR}/$interfaces.state",
+		      '    fi' );
+	    }
+
+	    emit( '',
+		  '    if [ "$state" = started ]; then',
+		  '        COMMAND=restart',
+		  '        progress_message3 "$g_product attempting restart"',
+		  '        detect_configuration',
+		  '        define_firewall',
+		  '    elif [ "$state" = stopped ]; then',
+		  '        COMMAND=start',
+		  '        progress_message3 "$g_product attempting start"',
+		  '        detect_configuration',
+		  '        define_firewall',
+		  '    else',
+		  '        progress_message3 "$COMMAND on interface $1 ignored"',
+		  '    fi',
+		  '    ;;',
+		);
+	}
+    }
+
+    if ( my @plain_interfaces = all_plain_interfaces ) {			
+	my $interfaces = join ( '|', @plain_interfaces );
+
+	$interfaces =~ s/\+/*/g;
+	
+	emit( "$interfaces)",
+	      '    case $state in',
+	      '        started)',
+	      '            COMMAND=restart',
+	      '            progress_message3 "$g_product attempting restart"',
+	      '            detect_configuration',
+	      '            define_firewall',
+	      '            ;;',
+	      '        *)',
+	      '            progress_message3 "$COMMAND on interface $1 ignored"',
+	      '            ;;',
+	      '    esac',
+	    );
+    }
+
+    pop_indent;
+
+    emit( 'esac' );
+
+    pop_indent;
+
+    emit( '}',
+	  '',
+	);
+}
+
 sub lookup_provider( $ ) {
     my $provider    = $_[0];
     my $providerref = $providers{ $provider };
@@ -1393,7 +1732,7 @@ sub handle_optional_interfaces( $ ) {
 	#
 	# Clear the '_IS_USABLE' variables
 	#
-	emit( join( '_', 'SW', uc chain_base( get_physical( $_ ) ) , 'IS_USABLE=' ) ) for @$interfaces;
+	emit( join( '_', 'SW', uc var_base( get_physical( $_ ) ) , 'IS_USABLE=' ) ) for @$interfaces;
 
 	if ( $wildcards ) {
 	    #
@@ -1413,7 +1752,7 @@ sub handle_optional_interfaces( $ ) {
 	for my $interface ( grep $provider_interfaces{$_}, @$interfaces ) {
 	    my $provider    = $provider_interfaces{$interface};
 	    my $physical    = get_physical $interface;
-	    my $base        = uc chain_base( $physical );
+	    my $base        = uc var_base( $physical );
 	    my $providerref = $providers{$provider};
 
 	    emit( "$physical)" ), push_indent if $wildcards;
@@ -1434,7 +1773,7 @@ sub handle_optional_interfaces( $ ) {
 
 	for my $interface ( grep ! $provider_interfaces{$_}, @$interfaces ) {
 	    my $physical    = get_physical $interface;
-	    my $base        = uc chain_base( $physical );
+	    my $base        = uc var_base( $physical );
 	    my $case        = $physical;
 	    my $wild        = $case =~ s/\+$/*/;
 
@@ -1522,7 +1861,7 @@ sub handle_stickiness( $ ) {
 
 	for my $providerref ( @routemarked_providers ) {
 	    my $interface = $providerref->{physical};
-	    my $base      = uc chain_base $interface;
+	    my $base      = uc var_base $interface;
 	    my $mark      = $providerref->{mark};
 
 	    for ( grep rule_target($_) eq 'sticky', @{$tcpreref->{rules}} ) {
@@ -1613,7 +1952,7 @@ sub handle_stickiness( $ ) {
 
 sub setup_load_distribution() {
     emit ( '',
-	   "        distribute_load $maxload @load_interfaces" ,
+	   "distribute_load $maxload @load_interfaces" ,
 	   ''
 	 ) if @load_interfaces;
 }

Shorewall/Perl/Shorewall/Raw.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2009,2010,2011,2012,2013 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -20,7 +20,7 @@
 #       along with this program; if not, write to the Free Software
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#   This module contains the code that handles the /etc/shorewall/notrack file.
+#   This module contains the code that handles the /etc/shorewall/conntrack file.
 #
 package Shorewall::Raw;
 require Exporter;
@@ -32,63 +32,109 @@ use Shorewall::Chains qw(:DEFAULT :internal);
 use strict;
 
 our @ISA = qw(Exporter);
-our @EXPORT = qw( setup_notrack );
+our @EXPORT = qw( setup_conntrack );
-our @EXPORT_OK = qw( );
+our @EXPORT_OK = qw( handle_helper_rule );
 our $VERSION = 'MODULEVERSION';
 
-my %valid_ctevent = ( new => 1, related => 1, destroy => 1, reply => 1, assured => 1, protoinfo => 1, helper => 1, mark => 1, natseqinfo => 1, secmark => 1 );
+our %valid_ctevent = ( new        => 1,
+		       related    => 1,
+		       destroy    => 1,
+		       reply      => 1,
+		       assured    => 1,
+		       protoinfo  => 1,
+		       helper     => 1,
+		       mark       => 1,
+		       natseqinfo => 1,
+		       secmark    => 1 );
 
 #
 # Notrack
 #
-sub process_notrack_rule( $$$$$$$ ) {
+sub process_conntrack_rule( $$$$$$$$$$ ) {
 
-    my ($action, $source, $dest, $proto, $ports, $sports, $user ) = @_;
+    my ($chainref, $zoneref, $action, $source, $dest, $proto, $ports, $sports, $user, $switch ) = @_;
+
+    require_capability 'RAW_TABLE', 'conntrack rules', '';
 
     $proto  = ''    if $proto  eq 'any';
     $ports  = ''    if $ports  eq 'any' || $ports  eq 'all';
     $sports = ''    if $sports eq 'any' || $sports eq 'all';
 
-    ( my $zone, $source) = split /:/, $source, 2;
+    my $zone;
-    my $zoneref  = find_zone $zone;
+    my $restriction = PREROUTE_RESTRICT;
-    my $chainref = ensure_raw_chain( notrack_chain $zone );
-    my $restriction = $zoneref->{type} == FIREWALL || $zoneref->{type} == VSERVER ? OUTPUT_RESTRICT : PREROUTE_RESTRICT;
 
-    fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-' && $restriction != OUTPUT_RESTRICT;
+    if ( $chainref ) {
-    require_capability 'RAW_TABLE', 'Notrack rules', '';
+	$restriction = OUTPUT_RESTRICT if $chainref->{name} eq 'OUTPUT';
+    } else {
+	#
+	# Entry in the conntrack file
+	#
+	if ( $zoneref ) {
+	    $zone = $zoneref->{name};
+	} else {
+	    ($zone, $source) = split /:/, $source, 2;
+	    $zoneref = find_zone ( $zone );
+	}
+
+	$chainref = ensure_raw_chain( notrack_chain $zone );
+	$restriction = OUTPUT_RESTRICT if $zoneref->{type}  & (FIREWALL | VSERVER );
+	fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-' && $restriction != OUTPUT_RESTRICT;
+    }
 
     my $target = $action;
     my $exception_rule = '';
-    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user );
+    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_condition( $switch , $chainref->{name} );
 
-    unless ( $action eq 'NOTRACK' ) {
+    if ( $action eq 'NOTRACK' ) {
+	#
+	# A patch that deimplements the NOTRACK target has been posted on the
+	# Netfilter development list
+	#
+	$action = 'CT --notrack' if have_capability 'CT_TARGET';
+    } elsif ( $action ne 'DROP' ) {
 	(  $target, my ( $option, $args, $junk ) ) = split ':', $action, 4;
 
 	fatal_error "Invalid notrack ACTION ( $action )" if $junk || $target ne 'CT';
 
-	require_capability 'CT_TARGET', 'CT entries in the notrack file', '';
+	require_capability 'CT_TARGET', 'CT entries in the conntrack file', '';
 
 	if ( $option eq 'notrack' ) {
-	    fatal_error "Invalid notrack ACTION ( $action )" if supplied $args;
+	    fatal_error "Invalid conntrack ACTION ( $action )" if supplied $args;
 	    $action = 'CT --notrack';
 	} else {
 	    fatal_error "Invalid or missing CT option and arguments" unless supplied $option && supplied $args;
 
 	    if ( $option eq 'helper' ) {
-		fatal_error "Invalid helper' ($args)" if $args =~ /,/;
+		my $modifiers = '';
-		validate_helper( $args, $proto );
+
-		$action = "CT --helper $args";
+		if ( $args =~ /^([-\w.]+)\((.+)\)$/ ) {
-		$exception_rule = do_proto( $proto, '-', '-' );
+		    $args      = $1;
-	    } elsif ( $option eq 'ctevents' ) {
+		    $modifiers = $2;
-		for ( split ',', $args ) {
-		    fatal_error "Invalid 'ctevents' event ($_)" unless $valid_ctevent{$_};
 		}
 
-		$action = "CT --ctevents $args";
+		fatal_error "Invalid helper' ($args)" if $args =~ /,/;
-	    } elsif ( $option eq 'expevent' ) {
+		validate_helper( $args, $proto );
-		fatal_error "Invalid expevent argument ($args)" unless $args eq 'new';
+		$action = "CT --helper $helpers_aliases{$args}";
-	    } elsif ( $option eq 'zone' ) {
+		$exception_rule = do_proto( $proto, '-', '-' );
-		fatal_error "Invalid zone id ($args)" unless $args =~ /^\d+$/;
+
+		for my $mod ( split_list1( $modifiers, 'ctevents' ) ) {
+		    fatal_error "Invalid helper option ($mod)" unless $mod =~ /^(\w+)=(.+)$/;
+		    $mod    = $1;
+		    my $val = $2;
+		    
+		    if ( $mod eq 'ctevents' ) {
+			for ( split_list( $val, 'ctevents' ) ) {
+			    fatal_error "Invalid 'ctevents' event ($_)" unless $valid_ctevent{$_};
+			}
+
+			$action .= " --ctevents $val";
+		    } elsif ( $mod eq 'expevents' ) {
+			fatal_error "Invalid expevent argument ($val)" unless $val eq 'new';
+			$action .= ' --expevents new';
+		    } else {
+			fatal_error "Invalid helper option ($mod)";
+		    }
+		}
 	    } else {
 		fatal_error "Invalid CT option ($option)";
 	    }
@@ -106,64 +152,142 @@ sub process_notrack_rule( $$$$$$$ ) {
 		 $target ,
 		 $exception_rule );
 
-    progress_message "  Notrack rule \"$currentline\" $done";
+    progress_message "  Conntrack rule \"$currentline\" $done";
+}
 
-    $globals{UNTRACKED} = 1;
+sub handle_helper_rule( $$$$$$$$$$$ ) {
+    my ( $helper, $source, $dest, $proto, $ports, $sports, $sourceref, $action_target, $actionchain, $user, $rule ) = @_;
+
+    if ( $helper ne '-' ) {
+	fatal_error "A HELPER is not allowed with this ACTION" if $action_target;
+	#
+	# This means that an ACCEPT or NAT rule with a helper is being processed
+	#
+	process_conntrack_rule( $actionchain ? ensure_raw_chain( $actionchain ) : undef ,
+				$sourceref ,
+				"CT:helper:$helper",
+				$source ,
+				$dest ,
+				$proto ,
+				$ports ,
+				$sports ,
+				$user,
+				'-',
+			      );
+    } else {
+	assert( $action_target );
+	#
+	# The target is an action
+	#
+	if ( $actionchain ) {
+	    #
+	    # And the source is another action chain
+	    #
+	    expand_rule( ensure_raw_chain( $actionchain ) ,
+			 PREROUTE_RESTRICT ,
+			 $rule ,
+			 $source ,
+			 $dest ,
+			 '' ,
+			 $action_target ,
+			 '',
+			 'CT' ,
+			 '' );
+	} else {
+	    expand_rule( ensure_raw_chain( notrack_chain( $sourceref->{name} ) ) ,
+			 ( $sourceref->{type} == FIREWALL || $sourceref->{type} == VSERVER ?
+			   OUTPUT_RESTRICT :
+			   PREROUTE_RESTRICT ) ,
+			 $rule ,
+			 $source ,
+			 $dest ,
+			 '' ,
+			 $action_target ,
+			 '' ,
+			 'CT' ,
+			 '' );
+	}
+    }
 }
 
 sub process_format( $ ) {
     my $format = shift;
 
-    fatal_error q(FORMAT must be '1' or '2') unless $format =~ /^[12]$/;
+    fatal_error q(FORMAT must be '1', '2' or '3') unless $format =~ /^[123]$/;
+    format_warning;
 
-    $format;
+    $file_format = $format;
 }
 
-sub setup_notrack() {
+sub setup_conntrack() {
 
-    my $format = 1;
+    for my $name ( qw/notrack conntrack/ ) {
-    my $action = 'NOTRACK';
 
-    if ( my $fn = open_file 'notrack' ) {
+	my $fn = open_file( $name, 3 , 1 );
 
-	first_entry "$doing $fn...";
+	if ( $fn ) {
 
-	my $nonEmpty = 0;
+	    my $action;
 
-	while ( read_a_line( NORMAL_READ ) ) {
+	    my $empty = 1;
-	    my ( $source, $dest, $proto, $ports, $sports, $user );
 
-	    if ( $format == 1 ) {
+	    first_entry( "$doing $fn..." );
-		( $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Notrack File', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5 };
 
-		if ( $source eq 'FORMAT' ) {
+	    while ( read_a_line( NORMAL_READ ) ) {
-		    $format = process_format( $dest );
+		my ( $source, $dest, $protos, $ports, $sports, $user, $switch );
-		    next;
-		}
 
-		if ( $source eq 'COMMENT' ) {
+		if ( $file_format == 1 ) {
-		    process_comment;
+		    ( $source, $dest, $protos, $ports, $sports, $user, $switch ) = split_line1 'Conntrack File', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5, switch => 6 };
-		    next;
-		}
-	    } else {
-		( $action, $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Notrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6 }, { COMMENT => 0, FORMAT => 2 };
-
-		if ( $action eq 'FORMAT' ) {
-		    $format = process_format( $source );
 		    $action = 'NOTRACK';
-		    next;
+		} else {
+		    ( $action, $source, $dest, $protos, $ports, $sports, $user, $switch ) = split_line1 'Conntrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, switch => 7 };
 		}
 
-		if ( $action eq 'COMMENT' ) {
+		$empty = 0;
-		    process_comment;
+
-		    next;
+		for my $proto ( split_list $protos, 'Protocol' ) {
+		    if ( $file_format < 3 ) {
+			if ( $source =~ /^all(-)?(:(.+))?$/ ) {
+			    fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-';
+			    for my $zone ( $1 ? off_firewall_zones : all_zones ) {
+				process_conntrack_rule( undef ,
+							undef,
+							$action,
+							$zone . ( $2 || ''),
+							$dest,
+							$proto,
+							$ports,
+							$sports,
+							$user ,
+							$switch );
+			    }
+			} else {
+			    process_conntrack_rule( undef, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
+			}
+		    } elsif ( $action =~ s/:O$// ) {
+			process_conntrack_rule( $raw_table->{OUTPUT}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
+		    } elsif ( $action =~ s/:OP// || $action =~ s/:PO// ) {
+			process_conntrack_rule( $raw_table->{PREROUTING}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
+			process_conntrack_rule( $raw_table->{OUTPUT},     undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
+		    } else {
+			$action =~ s/:P//;
+			process_conntrack_rule( $raw_table->{PREROUTING}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
+		    }
 		}
 	    }
 
-	    process_notrack_rule $action, $source, $dest, $proto, $ports, $sports, $user;
+	    if ( $name eq 'notrack') {
+		if ( $empty ) {
+		    if ( unlink( $fn ) ) {
+			warning_message "Empty notrack file ($fn) removed";
+		    } else {
+			warning_message "Unable to remove empty notrack file ($fn): $!";
+		    }
+		} else {
+		    warning_message "Non-empty notrack file ($fn); please move its contents to the conntrack file";
+		}
+	    }
 	}
-
-	clear_comment;
     }
 }
 

Shorewall/Perl/Shorewall/Tunnels.pm

@@ -61,7 +61,7 @@ sub setup_tunnels() {
 	    }
 	}
 
-	my @options = $globals{UNTRACKED} ? state_imatch 'NEW,UNTRACKED' : state_imatch 'NEW';
+	my @options = have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,UNTRACKED' : state_imatch 'NEW';
 
 	add_tunnel_rule $inchainref,  p => 50, @$source;
 	add_tunnel_rule $outchainref, p => 50, @$dest;
@@ -285,25 +285,19 @@ sub setup_tunnels() {
     #
     # Setup_Tunnels() Starts Here
     #
-    if ( my $fn = open_file 'tunnels' ) {
+    if ( my $fn = open_file( 'tunnels', 1, 1 ) ) {
 
 	first_entry "$doing $fn...";
 
 	while ( read_a_line( NORMAL_READ ) ) {
 
-	    my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 'tunnels file', { type => 0, zone => 1, gateway => 2, gateways => 2, gateway_zone => 3 , gateway_zones => 3 }, undef, 4;
+	    my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 'tunnels file', { type => 0, zone => 1, gateway => 2, gateways => 2, gateway_zone => 3 , gateway_zones => 3 }, {}, 4;
 
 	    fatal_error 'TYPE must be specified' if $kind eq '-';
 
-	    if ( $kind eq 'COMMENT' ) {
+	    fatal_error 'ZONE must be specified' if $zone eq '-';
-		process_comment;
+	    setup_one_tunnel $kind, $zone, $gateway, $gatewayzones;
-	    } else {
-		fatal_error 'ZONE must be specified' if $zone eq '-';
-		setup_one_tunnel $kind, $zone, $gateway, $gatewayzones;
-	    }
 	}
-
-	clear_comment;
     }
 }
 

Shorewall/Perl/Shorewall/Zones.pm

@@ -31,63 +31,69 @@ use Shorewall::IPAddrs;
 use strict;
 
 our @ISA = qw(Exporter);
-our @EXPORT = qw( NOTHING
+our @EXPORT = ( qw( NOTHING
-		  NUMERIC
+		    NUMERIC
-		  NETWORK
+		    NETWORK
-		  IPSECPROTO
+		    IPSECPROTO
-		  IPSECMODE
+		    IPSECMODE
-		  FIREWALL
+		    FIREWALL
-		  VSERVER
+		    VSERVER
-		  IP
+		    IP
-		  BPORT
+		    BPORT
-		  IPSEC
+		    IPSEC
+		    GROUP
+		    NO_UPDOWN
+		    NO_SFILTER
 
-		  determine_zones
+		    determine_zones
-		  zone_report
+		    zone_report
-		  dump_zone_contents
+		    dump_zone_contents
-		  find_zone
+		    find_zone
-		  firewall_zone
+		    firewall_zone
-		  defined_zone
+		    defined_zone
-		  zone_type
+		    zone_type
-		  zone_interfaces
+		    zone_interfaces
-		  zone_mark
+		    zone_mark
-		  all_zones
+		    all_zones
-		  all_parent_zones
+		    all_parent_zones
-		  complex_zones
+		    complex_zones
-		  vserver_zones
+		    vserver_zones
-		  off_firewall_zones
+		    on_firewall_zones
-		  non_firewall_zones
+		    off_firewall_zones
-		  single_interface
+		    non_firewall_zones
-		  chain_base
+		    single_interface
-		  validate_interfaces_file
+		    var_base
-		  all_interfaces
+		    validate_interfaces_file
-		  all_real_interfaces
+		    all_interfaces
-		  all_bridges
+		    all_real_interfaces
-		  interface_number
+		    all_plain_interfaces
-		  find_interface
+		    all_bridges
-		  known_interface
+		    interface_number
-		  get_physical
+		    find_interface
-		  physical_name
+		    known_interface
-		  have_bridges
+		    get_physical
-		  port_to_bridge
+		    physical_name
-		  source_port_to_bridge
+		    have_bridges
-		  interface_is_optional
+		    port_to_bridge
-		  find_interfaces_by_option
+		    source_port_to_bridge
-		  find_interfaces_by_option1
+		    interface_is_optional
-		  get_interface_option
+		    interface_is_required
-		  interface_has_option
+		    find_interfaces_by_option
-		  set_interface_option
+		    find_interfaces_by_option1
-		  set_interface_provider
+		    get_interface_option
-		  interface_zones
+		    interface_has_option
-		  verify_required_interfaces
+		    set_interface_option
-		  compile_updown
+		    set_interface_provider
-		  validate_hosts_file
+		    interface_zones
-		  find_hosts_by_option
+		    verify_required_interfaces
-		  find_zone_hosts_by_option
+		    validate_hosts_file
-		  find_zones_by_option
+		    find_hosts_by_option
-		  all_ipsets
+		    find_zone_hosts_by_option
-		  have_ipsec
+		    find_zones_by_option
-		 );
+		    all_ipsets
+		    have_ipsec
+		 ),
+	      );
 
 our @EXPORT_OK = qw( initialize );
 our $VERSION = 'MODULEVERSION';
@@ -114,7 +120,8 @@ use constant { IN_OUT     => 1,
 #
 #     @zones contains the ordered list of zones with sub-zones appearing before their parents.
 #
-#     %zones{<zone1> => {type =>       <zone type>       FIREWALL, IP, IPSEC, BPORT;
+#     %zones{<zone1> => {name =>       <name>,
+#                        type =>       <zone type>       FIREWALL, IP, IPSEC, BPORT;
 #                        complex =>    0|1
 #                        super   =>    0|1
 #                        options =>    { in_out  => < policy match string >
@@ -141,12 +148,12 @@ use constant { IN_OUT     => 1,
 #
 #     $firewall_zone names the firewall zone.
 #
-my @zones;
+our @zones;
-my %zones;
+our %zones;
-my %zonetypes;
+our %zonetypes;
-my $firewall_zone;
+our $firewall_zone;
 
-my  %reservedName = ( all => 1,
+our %reservedName = ( all => 1,
 		      any => 1,
 		      none => 1,
 		      SOURCE => 1,
@@ -166,13 +173,14 @@ my  %reservedName = ( all => 1,
 #                                     zone        => <zone name>
 #                                     multizone   => undef|1   #More than one zone interfaces through this interface
 #                                     nets        => <number of nets in interface/hosts records referring to this interface>
-#                                     bridge      => <bridge name>
+#                                     bridge      => <bridge name> # Same as ->{name} if not a bridge port.
 #                                     ports       => <number of port on this bridge>
 #                                     ipsec       => undef|1 # Has an ipsec host group
 #                                     broadcasts  => 'none', 'detect' or [ <addr1>, <addr2>, ... ]
 #                                     number      => <ordinal position in the interfaces file>
 #                                     physical    => <physical interface name>
 #                                     base        => <shell variable base representing this interface>
+#                                     provider    => <Provider Name, if interface is associated with a provider>
 #                                     zones       => { zone1 => 1, ... }
 #                                   }
 #                 }
@@ -180,22 +188,24 @@ my  %reservedName = ( all => 1,
 #    The purpose of the 'base' member is to ensure that the base names associated with the physical interfaces are assigned in
 #    the same order as the interfaces are encountered in the configuration files.
 #
-my @interfaces;
+our @interfaces;
-my %interfaces;
+our %interfaces;
-my %roots;
+our %roots;
-my @bport_zones;
+our @bport_zones;
-my %ipsets;
+our %ipsets;
-my %physical;
+our %physical;
-my %basemap;
+our %basemap;
-my %mapbase;
+our %basemap1;
-my $family;
+our %mapbase;
-my $upgrade;
+our %mapbase1;
-my $have_ipsec;
+our $family;
-my $baseseq;
+our $upgrade;
-my $minroot;
+our $have_ipsec;
-my $zonemark;
+our $baseseq;
-my $zonemarkincr;
+our $minroot;
-my $zonemarklimit;
+our $zonemark;
+our $zonemarkincr;
+our $zonemarklimit;
 
 use constant { FIREWALL => 1,
 	       IP       => 2,
@@ -219,32 +229,39 @@ use constant { SIMPLE_IF_OPTION   => 1,
 	       IF_OPTION_WILDOK   => 64
 	   };
 
-my %validinterfaceoptions;
+use constant { NO_UPDOWN   => 1, 
+	       NO_SFILTER  => 2 };
 
-my %defaultinterfaceoptions = ( routefilter => 1 , wait => 60 );
+our %validinterfaceoptions;
 
-my %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 );
+our %defaultinterfaceoptions = ( routefilter => 1 , wait => 60 );
 
-my %validhostoptions;
+our %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 , ignore => NO_UPDOWN );
 
-my %validzoneoptions = ( mss          => NUMERIC,
+our %validhostoptions;
-			 nomark       => NOTHING,
+
-			 blacklist    => NOTHING,
+our %validzoneoptions = ( mss            => NUMERIC,
-			 strict       => NOTHING,
+			  nomark         => NOTHING,
-			 next         => NOTHING,
+			  blacklist      => NOTHING,
-			 reqid        => NUMERIC,
+			  dynamic_shared => NOTHING,
-			 spi          => NUMERIC,
+			  strict         => NOTHING,
-			 proto        => IPSECPROTO,
+			  next           => NOTHING,
-			 mode         => IPSECMODE,
+			  reqid          => NUMERIC,
-			 "tunnel-src" => NETWORK,
+			  spi            => NUMERIC,
-			 "tunnel-dst" => NETWORK,
+			  proto          => IPSECPROTO,
+			  mode           => IPSECMODE,
+			 "tunnel-src"   => NETWORK,
+			 "tunnel-dst"   => NETWORK,
 		       );
 
 use constant { UNRESTRICTED => 1, NOFW => 2 , COMPLEX => 8, IN_OUT_ONLY => 16 };
 #
 # Hash of options that have their own key in the returned hash.
 #
-my %zonekey = ( mss => UNRESTRICTED | COMPLEX , blacklist => NOFW, nomark => NOFW | IN_OUT_ONLY );
+our %zonekey = ( mss            => UNRESTRICTED | COMPLEX ,
+		 blacklist      => NOFW, 
+		 nomark         => NOFW | IN_OUT_ONLY,
+		 dynamic_shared => IN_OUT_ONLY );
 
 #
 # Rather than initializing globals in an INIT block or during declaration,
@@ -270,7 +287,9 @@ sub initialize( $$ ) {
     %ipsets = ();
     %physical = ();
     %basemap = ();
+    %basemap1 = ();
     %mapbase = ();
+    %mapbase1 = ();
     $baseseq = 0;
     $minroot = 0;
 
@@ -281,6 +300,7 @@ sub initialize( $$ ) {
 				  bridge      => SIMPLE_IF_OPTION,
 				  detectnets  => OBSOLETE_IF_OPTION,
 				  dhcp        => SIMPLE_IF_OPTION,
+				  ignore      => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 				  maclist     => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  logmartians => BINARY_IF_OPTION,
 				  nets        => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
@@ -291,6 +311,7 @@ sub initialize( $$ ) {
 				  required    => SIMPLE_IF_OPTION,
 				  routeback   => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER,
 				  routefilter => NUMERIC_IF_OPTION ,
+				  rpfilter    => SIMPLE_IF_OPTION,
 				  sfilter     => IPLIST_IF_OPTION,
 				  sourceroute => BINARY_IF_OPTION,
 				  tcpflags    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
@@ -316,6 +337,7 @@ sub initialize( $$ ) {
 	%validinterfaceoptions = (  blacklist   => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    bridge      => SIMPLE_IF_OPTION,
 				    dhcp        => SIMPLE_IF_OPTION,
+				    ignore      => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 				    maclist     => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    nets        => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
 				    nosmurfs    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
@@ -323,6 +345,7 @@ sub initialize( $$ ) {
 				    proxyndp    => BINARY_IF_OPTION,
 				    required    => SIMPLE_IF_OPTION,
 				    routeback   => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER,
+				    rpfilter    => SIMPLE_IF_OPTION,
 				    sfilter     => IPLIST_IF_OPTION,
 				    sourceroute => BINARY_IF_OPTION,
 				    tcpflags    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
@@ -384,7 +407,7 @@ sub parse_zone_option_list($$\$$)
 
 	    if ( $key ) {
 		fatal_error "Option '$e' not permitted with this zone type " if $key & NOFW && ($zonetype & ( FIREWALL | VSERVER) );
-		fatal_error "Opeion '$e' is only permitted in the OPTIONS columns" if $key & IN_OUT_ONLY && $column != IN_OUT;
+		fatal_error "Option '$e' is only permitted in the OPTIONS columns" if $key & IN_OUT_ONLY && $column != IN_OUT;
 		$$complexref = 1 if $key & COMPLEX;
 		$h{$e} = $val || 1;
 	    } else {
@@ -483,7 +506,8 @@ sub process_zone( \$ ) {
 
     my $complex = 0;
 
-    my $zoneref = $zones{$zone} = { type       => $type,
+    my $zoneref = $zones{$zone} = { name       => $zone,
+				    type       => $type,
 				    parents    => \@parents,
 				    bridge     => '',
 				    options    => { in_out  => parse_zone_option_list( $options , $type, $complex , IN_OUT ) ,
@@ -519,6 +543,7 @@ sub process_zone( \$ ) {
     }
 
     if ( $zoneref->{options}{in_out}{blacklist} ) {
+	warning_message q(The 'blacklist' option is deprecated);
 	for ( qw/in out/ ) {
 	    unless ( $zoneref->{options}{$_}{blacklist} ) {
 		$zoneref->{options}{$_}{blacklist} = 1;
@@ -526,6 +551,10 @@ sub process_zone( \$ ) {
 		warning_message( "Redundant 'blacklist' in " . uc( $_ ) . '_OPTIONS' );
 	    }
 	}
+    } else {
+	for ( qw/in out/ ) {
+	    warning_message q(The 'blacklist' option is deprecated), last if  $zoneref->{options}{$_}{blacklist};
+	}
     }
 
     return $zone;
@@ -565,6 +594,7 @@ sub determine_zones()
 		for ( @{$zones{$zone}{children}} ) {
 		    next ZONE unless $ordered{$_};
 		}
+
 		$ordered{$zone} = 1;
 		push @zones, $zone;
 		redo PUSHED;
@@ -572,7 +602,7 @@ sub determine_zones()
 	}
     }
 
-    assert( scalar @zones == scalar @z );
+    assert( @zones == @z );
 
 }
 
@@ -737,6 +767,13 @@ sub add_group_to_zone($$$$$)
 	    $new = \@exclusions;
 	}
 
+	if ( substr( $host, 0, 1 ) eq '+' ) {
+	    fatal_error "Invalid ipset name ($host)" unless $host =~ /^\+(6_)?[a-zA-Z][-\w]*$/;
+	    require_capability( 'IPSET_MATCH', 'Ipset names in host lists', '');
+	} else {
+	    $host = validate_host $host, 0;
+	}
+
 	unless ( $switched ) {
 	    if ( $type == $zonetype ) {
 		fatal_error "Duplicate Host Group ($interface:$host) in zone $zone" if $interfaces{$interface}{zone} eq $zone;
@@ -755,13 +792,6 @@ sub add_group_to_zone($$$$$)
 	    }
 	}
 
-	if ( substr( $host, 0, 1 ) eq '+' ) {
-	    fatal_error "Invalid ipset name ($host)" unless $host =~ /^\+(6_)?[a-zA-Z]\w*$/;
-	    require_capability( 'IPSET_MATCH', 'Ipset names in host lists', '');
-	} else {
-	    validate_host $host, 0;
-	}
-
 	push @$new, $host;
     }
 
@@ -825,6 +855,10 @@ sub all_zones() {
     @zones;
 }
 
+sub on_firewall_zones() {
+   grep ( ( $zones{$_}{type} & ( FIREWALL | VSERVER ) )  ,  @zones );
+}
+
 sub off_firewall_zones() {
    grep ( ! ( $zones{$_}{type} & ( FIREWALL | VSERVER ) )  ,  @zones );
 }
@@ -863,9 +897,9 @@ sub is_a_bridge( $ ) {
 #
 # Transform the passed interface name into a legal shell variable name.
 #
-sub chain_base($) {
+sub var_base($) {
-    my $chain = $_[0];
+    my $var = $_[0];
-    my $name  = $basemap{$chain};
+    my $name  = $basemap{$var};
     #
     # Return existing mapping, if any
     #
@@ -873,31 +907,31 @@ sub chain_base($) {
     #
     # Remember initial value
     #
-    my $key = $chain;
+    my $key = $var;
     #
     # Handle VLANs and wildcards
     #
-    $chain =~ s/\+$//;
+    $var =~ s/\+$/_plus/;
-    $chain =~ tr/./_/;
+    $var =~ tr/./_/;
 
-    if ( $chain eq '' || $chain =~ /^[0-9]/ || $chain =~ /[^\w]/ ) {
+    if ( $var eq '' || $var =~ /^[0-9]/ || $var =~ /[^\w]/ ) {
 	#
 	# Must map. Remove all illegal characters
 	#
-	$chain =~ s/[^\w]//g;
+	$var =~ s/[^\w]//g;
 	#
 	# Prefix with if_ if it begins with a digit
 	#
-	$chain = join( '' , 'if_', $chain ) if $chain =~ /^[0-9]/;
+	$var = join( '' , 'if_', $var ) if $var =~ /^[0-9]/;
 	#
 	# Create a new unique name
 	#
-	1 while $mapbase{$name = join ( '_', $chain, ++$baseseq )};
+	1 while $mapbase{$name = join ( '_', $var, ++$baseseq )};
     } else {
 	#
 	# We'll store the identity mapping if it is unique
 	#
-	$chain = join( '_', $key , ++$baseseq ) while $mapbase{$name = $chain};
+	$var = join( '_', $key , ++$baseseq ) while $mapbase{$name = $var};
     }
     #
     # Store the reverse mapping
@@ -909,6 +943,55 @@ sub chain_base($) {
     $basemap{$key} = $name;
 }
 
+#
+# This is a slightly relaxed version of the above that allows '-' in the generated name.
+#
+sub var_base1($) {
+    my $var = $_[0];
+    my $name  = $basemap1{$var};
+    #
+    # Return existing mapping, if any
+    #
+    return $name if $name;
+    #
+    # Remember initial value
+    #
+    my $key = $var;
+    #
+    # Handle VLANs and wildcards
+    #
+    $var =~ s/\+$//;
+    $var =~ tr/./_/;
+
+    if ( $var eq '' || $var =~ /^[0-9]/ || $var =~ /[^-\w]/ ) {
+	#
+	# Must map. Remove all illegal characters
+	#
+	$var =~ s/[^\w]//g;
+	#
+	# Prefix with if_ if it begins with a digit
+	#
+	$var = join( '' , 'if_', $var ) if $var =~ /^[0-9]/;
+	#
+	# Create a new unique name
+	#
+	1 while $mapbase1{$name = join ( '_', $var, ++$baseseq )};
+    } else {
+	#
+	# We'll store the identity mapping if it is unique
+	#
+	$var = join( '_', $key , ++$baseseq ) while $mapbase1{$name = $var};
+    }
+    #
+    # Store the reverse mapping
+    #
+    $mapbase1{$name} = $key;
+    #
+    # Store the mapping
+    #
+    $basemap1{$key} = $name;
+}
+
 #
 # Process a record in the interfaces file
 #
@@ -919,24 +1002,14 @@ sub process_interface( $$ ) {
     my ($zone, $originalinterface, $bcasts, $options );
     my $zoneref;
     my $bridge = '';
-    our $format;
 
-    if ( $format == 1 ) {
+    if ( $file_format == 1 ) {
-	($zone, $originalinterface, $bcasts, $options ) = split_line1 'interfaces file', { zone => 0, interface => 1, broadcast => 2, options => 3 }, { COMMENT => 0, FORMAT => 2 };
+	($zone, $originalinterface, $bcasts, $options ) = split_line1 'interfaces file', { zone => 0, interface => 1, broadcast => 2, options => 3 };
     } else {
-	($zone, $originalinterface, $options ) = split_line1 'interfaces file', { zone => 0, interface => 1, options => 2 }, { COMMENT => 0, FORMAT => 2 };
+	($zone, $originalinterface, $options ) = split_line1 'interfaces file', { zone => 0, interface => 1, options => 2 };
 	$bcasts = '-';
     }
 
-    if ( $zone eq 'FORMAT' ) {
-	if ( $originalinterface =~ /^([12])$/ ) {
-	    $format = $1;
-	    return;
-	}
-
-	fatal_error "Invalid FORMAT ($originalinterface)";
-    }
-
     if ( $zone eq '-' ) {
 	$zone = '';
     } else {
@@ -1029,7 +1102,7 @@ sub process_interface( $$ ) {
 
     if ( $options eq 'ignore' ) {
 	fatal_error "Ignored interfaces may not be associated with a zone" if $zone;
-	$options{ignore} = 1;
+	$options{ignore} = NO_UPDOWN | NO_SFILTER;
 	$options = '-';
     }
 
@@ -1127,7 +1200,7 @@ sub process_interface( $$ ) {
 		    $hostoptions{broadcast} = 1;
 		} elsif ( $option eq 'sfilter' ) {
 		    $filterref = [ split_list $value, 'address' ];
-		    validate_net( $_, 1) for @{$filterref}
+		    validate_net( $_, 0) for @{$filterref}
 		} else {
 		    assert(0);
 		}
@@ -1149,10 +1222,27 @@ sub process_interface( $$ ) {
 	    }
 	}
 
-	fatal_error "Invalid combination of interface options" if $options{required} && $options{optional};
+	fatal_error q(The 'required', 'optional' and 'ignore' options are mutually exclusive)
+	    if ( ( $options{required} && $options{optional} ) ||
+		 ( $options{required} && $options{ignore}   ) ||
+		 ( $options{optional} && $options{ignore}   ) );
+
+	if ( $options{rpfilter} ) {
+	    require_capability( 'RPFILTER_MATCH', q(The 'rpfilter' option), 's' ) ;
+	    fatal_error q(The 'routefilter', 'sfilter' and 'rpfilter' options are mutually exclusive) if $options{routefilter} || @$filterref;
+	} else {
+	    fatal_error q(The 'routefilter', 'sfilter' and 'rpfilter' options are mutually exclusive) if $options{routefilter} && @$filterref;
+	}
+
+	if ( supplied( my $ignore = $options{ignore} ) ) {
+	    fatal_error "Invalid value ignore=0" if ! $ignore;
+	} else {
+	    $options{ignore} = 0;
+	}
 
 	if ( $netsref eq 'dynamic' ) {
-	    my $ipset = $family == F_IPV4 ? "${zone}_" . chain_base $physical : "6_${zone}_" . chain_base $physical;
+	    my $ipset = $family == F_IPV4 ? "${zone}" : "6_${zone}";
+	    $ipset = join( '_', $ipset, var_base1( $physical ) ) unless $zoneref->{options}{in_out}{dynamic_shared};	    
 	    $netsref = [ "+$ipset" ];
 	    $ipsets{$ipset} = 1;
 	}
@@ -1171,6 +1261,10 @@ sub process_interface( $$ ) {
 	# No options specified -- auto-detect bridge
 	#
 	$hostoptionsref->{routeback} = $options{routeback} = is_a_bridge( $physical ) unless $export;
+	#
+	# And give the 'ignore' option a defined value
+	#
+	$options{ignore} ||= 0;
     }
 
     $physical{$physical} = $interfaces{$interface} = { name       => $interface ,
@@ -1183,7 +1277,7 @@ sub process_interface( $$ ) {
 						       options    => \%options ,
 						       zone       => '',
 						       physical   => $physical ,
-						       base       => chain_base( $physical ),
+						       base       => var_base( $physical ),
 						       zones      => {},
 						     };
 
@@ -1207,12 +1301,11 @@ sub process_interface( $$ ) {
 #
 sub validate_interfaces_file( $ ) {
     my  $export = shift;
-    our $format = 1;
 
     my @ifaces;
     my $nextinum = 1;
 
-    if ( my $fn = open_file 'interfaces' ) {
+    if ( my $fn = open_file 'interfaces', 2 ) {
 	first_entry "$doing $fn...";
 	push @ifaces, process_interface( $nextinum++, $export ) while read_a_line( NORMAL_READ );
     } else {
@@ -1308,7 +1401,7 @@ sub known_interface($)
 						   name     => $i ,
 						   number   => $interfaceref->{number} ,
 						   physical => $physical ,
-						   base     => chain_base( $physical ) ,
+						   base     => var_base( $physical ) ,
 						 };
 	    }
 	}
@@ -1416,11 +1509,65 @@ sub interface_is_optional($) {
     $optionsref && $optionsref->{optional};
 }
 
+#
+# Return the 'required' setting of the passed interface
+#
+sub interface_is_required($) {
+    my $optionsref = $interfaces{$_[0]}{options};
+    $optionsref && $optionsref->{required};
+}
+
+#
+# Return true if the interface is 'plain'
+#
+sub interface_is_plain($) {
+    my $interfaceref = $interfaces{$_[0]};
+    my $optionsref   = $interfaceref->{options};
+
+    $interfaceref->{bridge} eq $interfaceref->{name} && ! ( $optionsref && ( $optionsref->{required} || $optionsref->{optional} || $optionsref->{ignore} ) )
+}
+
+#
+# Return a minimal list of physical interfaces that are neither ignored, optional, required nor a bridge port.
+#
+sub all_plain_interfaces() {
+    my @plain1 = map get_physical($_), grep $_ ne '%vserver%' && interface_is_plain( $_ ), @interfaces;
+    my @plain2;
+    my @wild1;
+    my @wild2;
+   
+    for ( @plain1 ) {
+	if ( /\+$/ ) {
+	    return ( '+' ) if $_ eq '+';
+	    push @wild1, $_;
+	    chop;
+	    push @wild2, $_;
+	} else {
+	    push @plain2, $_;
+	}
+    }
+
+    return @plain2 unless @wild1;
+
+    @plain1 = ();
+
+NAME:
+    for my $name ( @plain2) {
+	for ( @wild2 ) {
+	    next NAME if substr( $name, 0, length( $_ ) ) eq $_;
+	}
+
+	push @plain1, $name;
+    }
+
+    ( @plain1, @wild1 );
+}
+
 #
 # Returns reference to array of interfaces with the passed option
 #
-sub find_interfaces_by_option( $ ) {
+sub find_interfaces_by_option( $;$ ) {
-    my $option = $_[0];
+    my ( $option , $nonzero ) = @_;
     my @ints = ();
 
     for my $interface ( @interfaces ) {
@@ -1429,7 +1576,11 @@ sub find_interfaces_by_option( $ ) {
 	next unless $interfaceref->{root};
 
 	my $optionsref = $interfaceref->{options};
-	if ( $optionsref && defined $optionsref->{$option} ) {
+	if ( $nonzero ) {
+	    if ( $optionsref && $optionsref->{$option} ) {
+		push @ints , $interface
+	    }
+	} elsif ( $optionsref && defined $optionsref->{$option} ) {
 	    push @ints , $interface
 	}
     }
@@ -1540,16 +1691,16 @@ sub verify_required_interfaces( $ ) {
 		my $physical = get_physical $interface;
 
 		if ( $physical =~ /\+$/ ) {
-		    my $base = uc chain_base $physical;
-
 		    $physical =~ s/\+$/*/;
 
-		    emit( 'for interface in $(find_all_interfaces); do',
+		    emit( "waittime=$wait",
+			  '',
+			  'for interface in $(find_all_interfaces); do',
 			  '    case $interface in',
 			  "        $physical)",
-			  "            waittime=$wait",
 			  '            while [ $waittime -gt 0 ]; do',
 			  '                interface_is_usable $interface && break',
+			  '                sleep 1',
 			  '                waittime=$(($waittime - 1))',
 			  '            done',
 			  '            ;;',
@@ -1562,8 +1713,8 @@ sub verify_required_interfaces( $ ) {
 		    emit qq(    waittime=$wait);
 		    emit  '';
 		    emit  q(    while [ $waittime -gt 0 ]; do);
-		    emit qq(        interface_is_usable $physical && break);
 		    emit  q(        sleep 1);
+		    emit qq(        interface_is_usable $physical && break);
 		    emit   '        waittime=$(($waittime - 1))';
 		    emit  q(    done);
 		    emit  q(fi);
@@ -1597,7 +1748,7 @@ sub verify_required_interfaces( $ ) {
 	    my $physical = get_physical $interface;
 
 	    if ( $physical =~ /\+$/ ) {
-		my $base = uc chain_base $physical;
+		my $base = uc var_base $physical;
 
 		$physical =~ s/\+$/*/;
 
@@ -1634,175 +1785,6 @@ sub verify_required_interfaces( $ ) {
     $returnvalue;
 }
 
-#
-# Emit the updown() function
-#
-sub compile_updown() {
-    emit( '',
-	  '#',
-	  '# Handle the "up" and "down" commands',
-	  '#',
-	  'updown() # $1 = interface',
-	  '{',
-	);
-
-    push_indent;
-
-    emit( 'local state',
-	  'state=cleared',
-	  '' );
-
-    emit 'progress_message3 "$g_product $COMMAND triggered by $1"';
-    emit '';
-
-    if ( $family == F_IPV4 ) {
-	emit 'if shorewall_is_started; then';
-    } else {
-	emit 'if shorewall6_is_started; then';
-    }
-
-    emit( '    state=started',
-	  'elif [ -f ${VARDIR}/state ]; then',
-	  '    case "$(cat ${VARDIR}/state)" in',
-	  '        Stopped*)',
-	  '            state=stopped',
-	  '            ;;',
-	  '        Cleared*)',
-	  '            ;;',
-	  '        *)',
-	  '            state=unknown',
-	  '            ;;',
-	  '    esac',
-	  'else',
-	  '    state=unknown',
-	  'fi',
-	  ''
-	);
-
-    emit( 'case $1 in' );
-
-    push_indent;
-
-    my $ignore   = find_interfaces_by_option 'ignore';
-    my $required = find_interfaces_by_option 'required';
-    my $optional = find_interfaces_by_option 'optional';
-
-    if ( @$ignore ) {
-	my $interfaces = join '|', map $interfaces{$_}->{physical}, @$ignore;
-
-	$interfaces =~ s/\+/*/g;
-
-	emit( "$interfaces)",
-	      '    progress_message3 "$COMMAND on interface $1 ignored"',
-	      '    exit 0',
-	      '    ;;'
-	    );
-    }
-
-    if ( @$required ) {
-	my $interfaces = join '|', map $interfaces{$_}->{physical}, @$required;
-
-	my $wildcard = ( $interfaces =~ s/\+/*/g );
-
-	emit( "$interfaces)",
-	      '    if [ "$COMMAND" = up ]; then' );
-
-	if ( $wildcard ) {
-	    emit( '        if [ "$state" = started ]; then',
-		  '            COMMAND=restart',
-		  '        else',
-		  '            COMMAND=start',
-		  '        fi' );
-	} else {
-	    emit( '        COMMAND=start' );
-	}
-
-	emit( '        progress_message3 "$g_product attempting $COMMAND"',
-	      '        detect_configuration',
-	      '        define_firewall' );
-
-	if ( $wildcard ) {
-	    emit( '    elif [ "$state" = started ]; then',
-		  '        progress_message3 "$g_product attempting restart"',
-		  '        COMMAND=restart',
-		  '        detect_configuration',
-		  '        define_firewall' );
-	} else {
-	    emit( '    else',
-		  '        COMMAND=stop',
-		  '        progress_message3 "$g_product attempting stop"',
-		  '        detect_configuration',
-		  '        stop_firewall' );
-	}
-
-	emit( '    fi',
-	      '    ;;'
-	    );
-    }
-
-    if ( @$optional ) {
-	my @interfaces = map $interfaces{$_}->{physical}, @$optional;
-	my $interfaces = join '|', @interfaces;
-
-	if ( $interfaces =~ s/\+/*/g || @interfaces > 1 ) {
-	    emit( "$interfaces)",
-		  '    if [ "$COMMAND" = up ]; then',
-		  '        echo 0 > ${VARDIR}/${1}.state',
-		  '    else',
-		  '        echo 1 > ${VARDIR}/${1}.state',
-		  '    fi' );
-	} else {
-	    emit( "$interfaces)",
-		  '    if [ "$COMMAND" = up ]; then',
-		  "        echo 0 > \${VARDIR}/$interfaces.state",
-		  '    else',
-		  "        echo 1 > \${VARDIR}/$interfaces.state",
-		  '    fi' );
-	}
-
-	emit( '',
-	      '    if [ "$state" = started ]; then',
-	      '        COMMAND=restart',
-	      '        progress_message3 "$g_product attempting restart"',
-	      '        detect_configuration',
-	      '        define_firewall',
-	      '    elif [ "$state" = stopped ]; then',
-	      '        COMMAND=start',
-	      '        progress_message3 "$g_product attempting start"',
-	      '        detect_configuration',
-	      '        define_firewall',
-	      '    else',
-	      '        progress_message3 "$COMMAND on interface $1 ignored"',
-	      '    fi',
-	      '    ;;',
-	    );
-    }
-
-    emit( "*)",
-	  '    case $state in',
-	  '        started)',
-	  '            COMMAND=restart',
-	  '            progress_message3 "$g_product attempting restart"',
-	  '            detect_configuration',
-	  '            define_firewall',
-	  '            ;;',
-	  '        *)',
-	  '            progress_message3 "$COMMAND on interface $1 ignored"',
-	  '            ;;',
-	  '    esac',
-	);
-
-    pop_indent;
-
-    emit( 'esac' );
-
-    pop_indent;
-
-    emit( '}',
-	  '',
-	);
-}
-
 #
 # Process a record in the hosts file
 #
@@ -1829,9 +1811,10 @@ sub process_host( ) {
 	} else {
 	    fatal_error "Invalid HOST(S) column contents: $hosts";
 	}
-    } elsif ( $hosts =~ /^([\w.@%-]+\+?):<(.*)>$/   ||
+    } elsif ( $hosts =~ /^([\w.@%-]+\+?):<(.*)>$/               ||
-	      $hosts =~ /^([\w.@%-]+\+?):\[(.*)\]$/ ||
+	      $hosts =~ /^([\w.@%-]+\+?)\[(.*)\]$/              ||
-	      $hosts =~ /^([\w.@%-]+\+?):(!?\+.*)$/   ||
+	      $hosts =~ /^([\w.@%-]+\+?):(!?\[.+\](?:\/\d+)?)$/ ||
+	      $hosts =~ /^([\w.@%-]+\+?):(!?\+.*)$/             ||
 	      $hosts =~ /^([\w.@%-]+\+?):(dynamic)$/ ) {
 	$interface = $1;
 	$hosts = $2;
@@ -1842,9 +1825,9 @@ sub process_host( ) {
     }
 
     if ( $hosts =~ /^!?\+/ ) {
-	$zoneref->{complex} = 1;
+       $zoneref->{complex} = 1;
-	fatal_error "ipset name qualification is disallowed in this file" if $hosts =~ /[\[\]]/;
+       fatal_error "ipset name qualification is disallowed in this file" if $hosts =~ /[\[\]]/;
-	fatal_error "Invalid ipset name ($hosts)" unless $hosts =~ /^!?\+[a-zA-Z][-\w]*$/;
+       fatal_error "Invalid ipset name ($hosts)" unless $hosts =~ /^!?\+[a-zA-Z][-\w]*$/;
     }
 
     if ( $type & BPORT ) {
@@ -1871,6 +1854,7 @@ sub process_host( ) {
 	    } elsif ( $option eq 'norfc1918' ) {
 		warning_message "The 'norfc1918' host option is no longer supported"
 	    } elsif ( $option eq 'blacklist' ) {
+		warning_message "The 'blacklist' option is deprecated";
 		$zoneref->{options}{in}{blacklist} = 1;
 	    } elsif ( $option =~ /^mss=(\d+)$/ ) {
 		fatal_error "Invalid mss ($1)" unless $1 >= 500;
@@ -1907,8 +1891,14 @@ sub process_host( ) {
     if ( $hosts eq 'dynamic' ) {
 	fatal_error "Vserver zones may not be dynamic" if $type & VSERVER;
 	require_capability( 'IPSET_MATCH', 'Dynamic nets', '');
-	my $physical = chain_base( physical_name $interface );
+
-	my $set      = $family == F_IPV4 ? "${zone}_${physical}" : "6_${zone}_${physical}";
+	my $set = $family == F_IPV4 ? "${zone}" : "6_${zone}";
+	
+	unless ( $zoneref->{options}{in_out}{dynamic_shared} ) {
+	    my $physical = var_base1( physical_name $interface );
+	    $set = join( '_', $set, $physical );
+	}
+
 	$hosts = "+$set";
 	$optionsref->{dynamic} = 1;
 	$ipsets{$set} = 1;

Shorewall/Perl/compiler.pl

@@ -37,7 +37,8 @@
 #         --log_verbosity=<number>    # Log Verbosity range -1 to 2
 #         --family=<number>           # IP family; 4 = IPv4 (default), 6 = IPv6
 #         --preview                   # Preview the ruleset.
-#         --shorewallrc=<path>        # Path to shorewallrc file.
+#         --shorewallrc=<path>        # Path to global shorewallrc file.
+#         --shorewallrc1=<path>       # Path to export shorewallrc file.
 #         --config_path=<path-list>   # Search path for config files
 #
 use strict;
@@ -66,7 +67,9 @@ sub usage( $ ) {
     [ --annotate ]
     [ --update ]
     [ --convert ]
+    [ --directives ]
     [ --shorewallrc=<pathname> ]
+    [ --shorewallrc1=<pathname> ]
     [ --config_path=<path-list> ]
 ';
 
@@ -92,8 +95,10 @@ my $preview       = 0;
 my $annotate      = 0;
 my $update        = 0;
 my $convert       = 0;
+my $directives    = 0;
 my $config_path   = '';
 my $shorewallrc   = '';
+my $shorewallrc1  = '';
 
 Getopt::Long::Configure ('bundling');
 
@@ -121,11 +126,14 @@ my $result = GetOptions('h'               => \$help,
 			'confess'         => \$confess,
 			'a'               => \$annotate,
 			'annotate'        => \$annotate,
+			'directives'      => \$directives,
+			'D'               => \$directives,
 			'u'               => \$update,
 			'update'          => \$update,
 			'convert'         => \$convert,
 			'config_path=s'   => \$config_path,
 			'shorewallrc=s'   => \$shorewallrc,
+			'shorewallrc1=s'  => \$shorewallrc1,
 		       );
 
 usage(1) unless $result && @ARGV < 2;
@@ -147,6 +155,8 @@ compiler( script          => $ARGV[0] || '',
 	  update          => $update,
 	  convert         => $convert,
 	  annotate        => $annotate,
+	  directives      => $directives,
 	  config_path     => $config_path,
-	  shorewallrc     => $shorewallrc
+	  shorewallrc     => $shorewallrc,
+	  shorewallrc1    => $shorewallrc1,
 	);

Shorewall/Perl/getparams

@@ -25,12 +25,12 @@
 #
 #      $1 = Path name of params file
 #      $2 = $CONFIG_PATH
-#      $3 = Address family (4 o4 6)
+#      $3 = Address family (4 or 6)
 #
 if [ "$3" = 6 ]; then
-    g_program=shorewall6
+    PRODUCT=shorewall6
 else
-    g_program=shorewall
+    PRODUCT=shorewall
 fi
 
 #
@@ -38,11 +38,9 @@ fi
 #
 . /usr/share/shorewall/shorewallrc
 
-g_libexec="$LIBEXECDIR"
+g_program=$PRODUCT
-g_sharedir="$SHAREDIR"/shorewall
+g_sharedir="$SHAREDIR/shorewall"
-g_sbindir="$SBINDIR"
+g_confdir="$CONFDIR/$PRODUCT"
-g_perllib="$PERLLIBDIR"
-g_confdir="$CONFDIR"/shorewall
 g_readrc=1
 
 . $g_sharedir/lib.cli

Shorewall/Perl/lib.core

@@ -182,7 +182,6 @@ get_routed_networks() # $1 = interface name, $2-n = Fatal error message
 
     [ $g_family -eq 4 ] && mask=32 || mask=128
 
-
     $IP -$g_family route show dev $1 2> /dev/null |
 	while read address rest; do
 	    case "$address" in
@@ -217,8 +216,8 @@ get_routed_networks() # $1 = interface name, $2-n = Fatal error message
 delete_tc1()
 {
     clear_one_tc() {
-        $TC qdisc del dev $1 root 2> /dev/null
+        $TC qdisc del dev ${1%@*} root 2> /dev/null
-        $TC qdisc del dev $1 ingress 2> /dev/null
+        $TC qdisc del dev ${1%@*} ingress 2> /dev/null
 
     }
 
@@ -340,6 +339,16 @@ replace_default_route() # $1 = USE_DEFAULT_RT
     fi
 }
 
+#
+# Delete default routes with metric 0 from the passed routing table
+#
+delete_default_routes() # $1 = table number
+{
+    $IP -$g_family route ls table $1 | fgrep default | fgrep -v metric | while read route; do
+	qt $IP -$g_family route del $route
+    done
+} 
+
 restore_default_route() # $1 = USE_DEFAULT_RT
 {
     local result
@@ -421,7 +430,7 @@ run_iptables()
     local status
 
     while [ 1 ]; do
-	$g_tool $@
+	eval $g_tool $@
 	status=$?
 	[ $status -ne 4 ] && break
     done
@@ -617,7 +626,7 @@ EOF
     fi
 }
 
-?IF __IPV4
+?if __IPV4
 #################################################################################
 #                        IPv4-specific Functions
 #################################################################################
@@ -829,13 +838,13 @@ detect_dynamic_gateway() { # $1 = interface
 	gateway=$( find_peer $($IP addr list $interface ) )
     fi
 
-    if [ -z "$gateway" -a -f /var/lib/dhcpcd/dhcpcd-${1}.info ]; then
+    if [ -z "$gateway" -a -f ${VARLIB}/dhcpcd/dhcpcd-${1}.info ]; then
-	eval $(grep ^GATEWAYS=  /var/lib/dhcpcd/dhcpcd-${1}.info 2> /dev/null)
+	eval $(grep ^GATEWAYS=  ${VARLIB}/dhcpcd/dhcpcd-${1}.info 2> /dev/null)
 	[ -n "$GATEWAYS" ] && GATEWAYS=${GATEWAYS%,*} && gateway=$GATEWAYS
     fi
 
-    if [ -z "$gateway" -a -f /var/lib/dhcp/dhclient-${1}.lease ]; then
+    if [ -z "$gateway" -a -f ${VARLIB}/dhcp/dhclient-${1}.lease ]; then
-	gateway=$(grep 'option routers' /var/lib/dhcp/dhclient-${1}.lease | tail -n 1 | while read j1 j2 gateway; do echo $gateway ; return 0; done)
+	gateway=$(grep 'option routers' ${VARLIB}/dhcp/dhclient-${1}.lease | tail -n 1 | while read j1 j2 gateway; do echo $gateway ; return 0; done)
     fi
 
     [ -n "$gateway" ] && echo $gateway
@@ -907,7 +916,12 @@ add_gateway() # $1 = Delta $2 = Table Number
 	delta=$1
 
 	if ! echo $route | fgrep -q ' nexthop '; then
-	    route=`echo $route | sed 's/via/nexthop via/'`
+	    if echo $route | fgrep -q via; then
+		route=`echo $route | sed 's/via/nexthop via/'`
+	    else
+		route="nexthop $route"
+	    fi
+
 	    dev=$(find_device $route)
 	    if [ -f ${VARDIR}/${dev}_weight ]; then
 		weight=`cat ${VARDIR}/${dev}_weight`
@@ -1018,7 +1032,7 @@ get_all_bcasts()
     $IP -f inet addr show 2> /dev/null | grep 'inet.*brd' | grep -v '/32 ' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
 }
 
-?ELSE
+?else
 #################################################################################
 #                        IPv6-specific Functions
 #################################################################################
@@ -1310,4 +1324,4 @@ clear_firewall() {
     logger -p kern.info "$g_product Cleared"
 }
 
-?ENDIF
+?endif # IPv6-specific functions.

Shorewall/Perl/prog.footer

@@ -33,25 +33,25 @@ usage() {
 }
 
 checkkernelversion() {
+?if __IPV6
     local kernel
 
-    if [ $g_family -eq 6 ]; then
+    kernel=$(uname -r 2> /dev/null | sed -e 's/-.*//')
-	kernel=$(uname -r 2> /dev/null | sed -e 's/-.*//')
 
-	case "$kernel" in
+    case "$kernel" in
-	    *.*.*)
+	*.*.*)
-		kernel=$(printf "%d%02d%02d" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
+	    kernel=$(printf "%d%02d%02d" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
-		;;
+	    ;;
-	    *)
+	*)
-		kernel=$(printf "%d%02d00" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2/g'))
+	    kernel=$(printf "%d%02d00" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2/g'))
-		;;
+	    ;;
-	esac
+    esac
 
-	if [ $kernel -lt 20624 ]; then
+    if [ $kernel -lt 20624 ]; then
-	    error_message "ERROR: $g_product requires Linux kernel 2.6.24 or later"
+	error_message "ERROR: $g_product requires Linux kernel 2.6.24 or later"
-	    return 1
+	return 1
-	fi
     fi
+?endif
 
     return 0
 }
@@ -348,7 +348,9 @@ case "$COMMAND" in
 	[ $# -eq 1 ] && exit 0
 	shift
 	[ $# -ne 1 ] && usage 2
-	updown $1
+	mutex_on
+	( updown $1 )
+	mutex_off
 	status=0
 	;;
     enable)

Shorewall/Samples/Universal/interfaces

@@ -7,7 +7,7 @@
 # http://www.shorewall.net/manpages/shorewall-interfaces.html
 #
 ###############################################################################
-FORMAT 2
+?FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
 -	lo		ignore

Shorewall/Samples/Universal/rules

@@ -6,13 +6,15 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-rules.html
 #
-###################################################################################################################################################################################
+######################################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS		SWITCH		HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
+#SECTION INVALID
+#SECTION UNTRACKED
 SECTION NEW
-
+Invalid(DROP)	net		$FW		tcp
 SSH(ACCEPT)	net		$FW
 Ping(ACCEPT)	net		$FW

Shorewall/Samples/Universal/shorewall.conf

@@ -23,6 +23,8 @@ VERBOSITY=1
 
 BLACKLIST_LOGLEVEL=
 
+INVALID_LOG_LEVEL=
+
 LOG_MARTIANS=Yes
 
 LOG_VERBOSITY=2
@@ -41,6 +43,8 @@ MACLIST_LOG_LEVEL=info
 
 RELATED_LOG_LEVEL=
 
+RPFILTER_LOG_LEVEL=info
+
 SFILTER_LOG_LEVEL=info
 
 SMURF_LOG_LEVEL=info
@@ -49,10 +53,14 @@ STARTUP_LOG=/var/log/shorewall-init.log
 
 TCP_FLAGS_LOG_LEVEL=info
 
+UNTRACKED_LOG_LEVEL=
+
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
 
+ARPTABLES=
+
 CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall
 
 GEOIPDIR=/usr/share/xt_geoip/LE
@@ -67,6 +75,8 @@ LOCKFILE=
 
 MODULESDIR=
 
+NFACCT=
+
 PERL=/usr/bin/perl
 
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
@@ -110,11 +120,15 @@ ADD_SNAT_ALIASES=No
 
 ADMINISABSENTMINDED=Yes
 
-AUTO_COMMENT=Yes
+IGNOREUNKNOWNVARIABLES=No
+
+AUTOCOMMENT=Yes
+
+AUTOHELPERS=Yes
 
 AUTOMAKE=No
 
-BLACKLISTNEWONLY=Yes
+BLACKLIST="NEW,INVALID,UNTRACKED"
 
 CLAMPMSS=No
 
@@ -122,6 +136,8 @@ CLEAR_TC=Yes
 
 COMPLETE=Yes
 
+DEFER_DNS_RESOLUTION=Yes
+
 DISABLE_IPV6=No
 
 DELETE_THEN_ADD=Yes
@@ -140,6 +156,8 @@ FASTACCEPT=Yes
 
 FORWARD_CLEAR_MARK=
 
+HELPERS=
+
 IMPLICIT_CONTINUE=No
 
 IPSET_WARNINGS=Yes
@@ -170,7 +188,7 @@ MUTEX_TIMEOUT=60
 
 NULL_ROUTE_RFC1918=No
 
-OPTIMIZE=15
+OPTIMIZE=31
 
 OPTIMIZE_ACCOUNTING=No
 
@@ -178,10 +196,14 @@ REQUIRE_INTERFACE=Yes
 
 RESTORE_DEFAULT_ROUTE=Yes
 
+RESTORE_ROUTEMARKS=Yes
+
 RETAIN_ALIASES=No
 
 ROUTE_FILTER=No
 
+SAVE_ARPTABLES=No
+
 SAVE_IPSETS=No
 
 TC_ENABLED=Internal
@@ -196,6 +218,8 @@ USE_DEFAULT_RT=No
 
 USE_PHYSICAL_NAMES=No
 
+WARNOLDCAPVERSION=Yes
+
 ZONE2ZONE=2
 
 ###############################################################################
@@ -204,16 +228,22 @@ ZONE2ZONE=2
 
 BLACKLIST_DISPOSITION=DROP
 
+INVALID_DISPOSITION=CONTINUE
+
 MACLIST_DISPOSITION=REJECT
 
 RELATED_DISPOSITION=ACCEPT
 
+RPFILTER_DISPOSITION=DROP
+
 SMURF_DISPOSITION=DROP
 
 SFILTER_DISPOSITION=DROP
 
 TCP_FLAGS_DISPOSITION=DROP
 
+UNTRACKED_DISPOSITION=CONTINUE
+
 ################################################################################
 #			P A C K E T  M A R K  L A Y O U T
 ################################################################################

Shorewall/Samples/one-interface/interfaces

@@ -11,7 +11,7 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-interfaces"
 ###############################################################################
-FORMAT 2
+?FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
-net     eth0            dhcp,tcpflags,logmartians,nosmurfs
+net     eth0            dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0

Shorewall/Samples/one-interface/rules

@@ -10,14 +10,20 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall-rules"
-######################################################################################################################################################################################
+######################################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS		SWITCH		HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
+#SECTION INVALID
+#SECTION UNTRACKED
 SECTION NEW
 
+# Drop packets in the INVALID state
+
+Invalid(DROP)  net    	        $FW		tcp
+
 # Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
 
 Ping(DROP)	net		$FW

Shorewall/Samples/one-interface/shorewall.conf

@@ -34,6 +34,8 @@ VERBOSITY=1
 
 BLACKLIST_LOGLEVEL=
 
+INVALID_LOG_LEVEL=
+
 LOG_MARTIANS=Yes
 
 LOG_VERBOSITY=2
@@ -52,6 +54,8 @@ MACLIST_LOG_LEVEL=info
 
 RELATED_LOG_LEVEL=
 
+RPFILTER_LOG_LEVEL=info
+
 SFILTER_LOG_LEVEL=info
 
 SMURF_LOG_LEVEL=info
@@ -60,10 +64,14 @@ STARTUP_LOG=/var/log/shorewall-init.log
 
 TCP_FLAGS_LOG_LEVEL=info
 
+UNTRACKED_LOG_LEVEL=
+
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
 
+ARPTABLES=
+
 CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall
 
 GEOIPDIR=/usr/share/xt_geoip/LE
@@ -78,6 +86,8 @@ LOCKFILE=
 
 MODULESDIR=
 
+NFACCT=
+
 PERL=/usr/bin/perl
 
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
@@ -121,11 +131,15 @@ ADD_SNAT_ALIASES=No
 
 ADMINISABSENTMINDED=Yes
 
-AUTO_COMMENT=Yes
+IGNOREUNKNOWNVARIABLES=No
+
+AUTOCOMMENT=Yes
+
+AUTOHELPERS=Yes
 
 AUTOMAKE=No
 
-BLACKLISTNEWONLY=Yes
+BLACKLIST="NEW,INVALID,UNTRACKED"
 
 CLAMPMSS=No
 
@@ -133,6 +147,8 @@ CLEAR_TC=Yes
 
 COMPLETE=No
 
+DEFER_DNS_RESOLUTION=Yes
+
 DISABLE_IPV6=No
 
 DELETE_THEN_ADD=Yes
@@ -151,6 +167,8 @@ FASTACCEPT=No
 
 FORWARD_CLEAR_MARK=
 
+HELPERS=
+
 IMPLICIT_CONTINUE=No
 
 IPSET_WARNINGS=Yes
@@ -181,7 +199,7 @@ MUTEX_TIMEOUT=60
 
 NULL_ROUTE_RFC1918=No
 
-OPTIMIZE=1
+OPTIMIZE=31
 
 OPTIMIZE_ACCOUNTING=No
 
@@ -189,10 +207,14 @@ REQUIRE_INTERFACE=No
 
 RESTORE_DEFAULT_ROUTE=Yes
 
+RESTORE_ROUTEMARKS=Yes
+
 RETAIN_ALIASES=No
 
 ROUTE_FILTER=No
 
+SAVE_ARPTABLES=No
+
 SAVE_IPSETS=No
 
 TC_ENABLED=Internal
@@ -207,6 +229,8 @@ USE_DEFAULT_RT=No
 
 USE_PHYSICAL_NAMES=No
 
+WARNOLDCAPVERSION=Yes
+
 ZONE2ZONE=2
 
 ###############################################################################
@@ -215,16 +239,22 @@ ZONE2ZONE=2
 
 BLACKLIST_DISPOSITION=DROP
 
+INVALID_DISPOSITION=CONTINUE
+
 MACLIST_DISPOSITION=REJECT
 
 RELATED_DISPOSITION=ACCEPT
 
+RPFILTER_DISPOSITION=DROP
+
 SMURF_DISPOSITION=DROP
 
 SFILTER_DISPOSITION=DROP
 
 TCP_FLAGS_DISPOSITION=DROP
 
+UNTRACKED_DISPOSITION=CONTINUE
+
 ################################################################################
 #			P A C K E T  M A R K  L A Y O U T
 ################################################################################

Shorewall/Samples/three-interfaces/interfaces

@@ -11,9 +11,9 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-interfaces"
 ###############################################################################
-FORMAT 2
+?FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
-net     eth0            tcpflags,dhcp,nosmurfs,routefilter,logmartians
+net     eth0            tcpflags,dhcp,nosmurfs,routefilter,logmartians,sourceroute=0
 loc     eth1            tcpflags,nosmurfs,routefilter,logmartians
 dmz     eth2            tcpflags,nosmurfs,routefilter,logmartians

Shorewall/Samples/three-interfaces/masq

@@ -10,8 +10,9 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-masq"
-##############################################################################
+################################################################################################################
-#INTERFACE		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK
+#INTERFACE:DEST		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/	SWITCH	ORIGINAL
+#											GROUP		DEST
 eth0			10.0.0.0/8,\
 			169.254.0.0/16,\
 			172.16.0.0/12,\

Shorewall/Samples/three-interfaces/rules

@@ -10,17 +10,19 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-rules"
-######################################################################################################################################################################################
+######################################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS		SWITCH		HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
+#SECTION INVALID
+#SECTION UNTRACKED
 SECTION NEW
 
 #       Don't allow connection pickup from the net
 #
-Invalid(DROP)	net		all
+Invalid(DROP)	net		all		tcp
 #
 #	Accept DNS connections from the firewall to the Internet
 #

Shorewall/Samples/three-interfaces/shorewall.conf

@@ -32,6 +32,8 @@ VERBOSITY=1
 
 BLACKLIST_LOGLEVEL=
 
+INVALID_LOG_LEVEL=
+
 LOG_MARTIANS=Yes
 
 LOG_VERBOSITY=2
@@ -50,6 +52,8 @@ MACLIST_LOG_LEVEL=info
 
 RELATED_LOG_LEVEL=
 
+RPFILTER_LOG_LEVEL=info
+
 SFILTER_LOG_LEVEL=info
 
 SMURF_LOG_LEVEL=info
@@ -58,10 +62,14 @@ STARTUP_LOG=/var/log/shorewall-init.log
 
 TCP_FLAGS_LOG_LEVEL=info
 
+UNTRACKED_LOG_LEVEL=
+
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
 
+ARPTABLES=
+
 CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall
 
 GEOIPDIR=/usr/share/xt_geoip/LE
@@ -76,6 +84,8 @@ LOCKFILE=
 
 MODULESDIR=
 
+NFACCT=
+
 PERL=/usr/bin/perl
 
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
@@ -119,11 +129,15 @@ ADD_SNAT_ALIASES=No
 
 ADMINISABSENTMINDED=Yes
 
-AUTO_COMMENT=Yes
+IGNOREUNKNOWNVARIABLES=No
+
+AUTOCOMMENT=Yes
+
+AUTOHELPERS=Yes
 
 AUTOMAKE=No
 
-BLACKLISTNEWONLY=Yes
+BLACKLIST="NEW,INVALID,UNTRACKED"
 
 CLAMPMSS=Yes
 
@@ -131,6 +145,8 @@ CLEAR_TC=Yes
 
 COMPLETE=No
 
+DEFER_DNS_RESOLUTION=Yes
+
 DISABLE_IPV6=No
 
 DELETE_THEN_ADD=Yes
@@ -149,6 +165,8 @@ FASTACCEPT=No
 
 FORWARD_CLEAR_MARK=
 
+HELPERS=
+
 IMPLICIT_CONTINUE=No
 
 IPSET_WARNINGS=Yes
@@ -179,7 +197,7 @@ MUTEX_TIMEOUT=60
 
 NULL_ROUTE_RFC1918=No
 
-OPTIMIZE=1
+OPTIMIZE=31
 
 OPTIMIZE_ACCOUNTING=No
 
@@ -187,10 +205,14 @@ REQUIRE_INTERFACE=No
 
 RESTORE_DEFAULT_ROUTE=Yes
 
+RESTORE_ROUTEMARKS=Yes
+
 RETAIN_ALIASES=No
 
 ROUTE_FILTER=No
 
+SAVE_ARPTABLES=No
+
 SAVE_IPSETS=No
 
 TC_ENABLED=Internal
@@ -205,6 +227,8 @@ USE_DEFAULT_RT=No
 
 USE_PHYSICAL_NAMES=No
 
+WARNOLDCAPVERSION=Yes
+
 ZONE2ZONE=2
 
 ###############################################################################
@@ -213,16 +237,22 @@ ZONE2ZONE=2
 
 BLACKLIST_DISPOSITION=DROP
 
+INVALID_DISPOSITION=CONTINUE
+
 MACLIST_DISPOSITION=REJECT
 
 RELATED_DISPOSITION=ACCEPT
 
+RPFILTER_DISPOSITION=DROP
+
 SMURF_DISPOSITION=DROP
 
 SFILTER_DISPOSITION=DROP
 
 TCP_FLAGS_DISPOSITION=DROP
 
+UNTRACKED_DISPOSITION=CONTINUE
+
 ################################################################################
 #			P A C K E T  M A R K  L A Y O U T
 ################################################################################

Shorewall/Samples/three-interfaces/stoppedrules

@@ -1,6 +1,6 @@
 #
-# Shorewall6 version 4.0 - Sample Routestopped File for two-interface configuration.
+# Shorewall version 4.5 - Sample Stoppedrules File for three-interface configuration.
-# Copyright (C) 2006,2008 by the Shorewall Team
+# Copyright (C) 2012 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -9,11 +9,12 @@
 #
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
-# For information about entries in this file, type "man shorewall6-routestopped"
+# For information about entries in this file, type "man shorewall-stoppedrules"
-#
+###############################################################################
-# See http://shorewall.net/starting_and_stopping_shorewall.htm for additional
+#ACTION		SOURCE		DEST		PROTO	DEST		SOURCE
-# information.
+#							PORT(S)		PORT(S)
-#
+ACCEPT		eth1		-
-##############################################################################
+ACCEPT		-		eth1
-#INTERFACE	HOST(S)                  OPTIONS
+ACCEPT		eth2		-
-eth1		-
+ACCEPT		-		eth2
+

Shorewall/Samples/two-interfaces/interfaces

@@ -11,8 +11,8 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-interfaces"
 ###############################################################################
-FORMAT 2
+?FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
-net     eth0            dhcp,tcpflags,nosmurfs,routefilter,logmartians
+net     eth0            dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
 loc     eth1            tcpflags,nosmurfs,routefilter,logmartians

Shorewall/Samples/two-interfaces/masq

@@ -10,8 +10,9 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-masq"
-###############################################################################
+################################################################################################################
-#INTERFACE		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK
+#INTERFACE:DEST		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/	SWITCH	ORIGINAL
+#											GROUP		DEST
 eth0			10.0.0.0/8,\
 			169.254.0.0/16,\
 			172.16.0.0/12,\

Shorewall/Samples/two-interfaces/rules

@@ -10,17 +10,19 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-rules"
-######################################################################################################################################################################################
+######################################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS		SWITCH		HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
+#SECTION INVALID
+#SECTION UNTRACKED
 SECTION NEW
 
 #       Don't allow connection pickup from the net
 #
-Invalid(DROP)	net		all
+Invalid(DROP)	net		all		tcp
 #
 #	Accept DNS connections from the firewall to the network
 #

Shorewall/Samples/two-interfaces/shorewall.conf

@@ -35,6 +35,8 @@ VERBOSITY=1
 
 BLACKLIST_LOGLEVEL=
 
+INVALID_LOG_LEVEL=
+
 LOG_MARTIANS=Yes
 
 LOG_VERBOSITY=2
@@ -53,6 +55,8 @@ MACLIST_LOG_LEVEL=info
 
 RELATED_LOG_LEVEL=
 
+RPFILTER_LOG_LEVEL=info
+
 SFILTER_LOG_LEVEL=info
 
 SMURF_LOG_LEVEL=info
@@ -61,10 +65,14 @@ STARTUP_LOG=/var/log/shorewall-init.log
 
 TCP_FLAGS_LOG_LEVEL=info
 
+UNTRACKED_LOG_LEVEL=
+
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
 
+ARPTABLES=
+
 CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall
 
 GEOIPDIR=/usr/share/xt_geoip/LE
@@ -79,6 +87,8 @@ LOCKFILE=
 
 MODULESDIR=
 
+NFACCT=
+
 PERL=/usr/bin/perl
 
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
@@ -122,11 +132,15 @@ ADD_SNAT_ALIASES=No
 
 ADMINISABSENTMINDED=Yes
 
-AUTO_COMMENT=Yes
+IGNOREUNKNOWNVARIABLES=No
+
+AUTOCOMMENT=Yes
+
+AUTOHELPERS=Yes
 
 AUTOMAKE=No
 
-BLACKLISTNEWONLY=Yes
+BLACKLIST="NEW,INVALID,UNTRACKED"
 
 CLAMPMSS=Yes
 
@@ -134,6 +148,8 @@ CLEAR_TC=Yes
 
 COMPLETE=No
 
+DEFER_DNS_RESOLUTION=Yes
+
 DISABLE_IPV6=No
 
 DELETE_THEN_ADD=Yes
@@ -152,6 +168,8 @@ FASTACCEPT=No
 
 FORWARD_CLEAR_MARK=
 
+HELPERS=
+
 IMPLICIT_CONTINUE=No
 
 IPSET_WARNINGS=Yes
@@ -182,7 +200,7 @@ MUTEX_TIMEOUT=60
 
 NULL_ROUTE_RFC1918=No
 
-OPTIMIZE=1
+OPTIMIZE=31
 
 OPTIMIZE_ACCOUNTING=No
 
@@ -190,10 +208,14 @@ REQUIRE_INTERFACE=No
 
 RESTORE_DEFAULT_ROUTE=Yes
 
+RESTORE_ROUTEMARKS=Yes
+
 RETAIN_ALIASES=No
 
 ROUTE_FILTER=No
 
+SAVE_ARPTABLES=No
+
 SAVE_IPSETS=No
 
 TC_ENABLED=Internal
@@ -208,6 +230,8 @@ USE_DEFAULT_RT=No
 
 USE_PHYSICAL_NAMES=No
 
+WARNOLDCAPVERSION=Yes
+
 ZONE2ZONE=2
 
 ###############################################################################
@@ -216,16 +240,22 @@ ZONE2ZONE=2
 
 BLACKLIST_DISPOSITION=DROP
 
+INVALID_DISPOSITION=CONTINUE
+
 MACLIST_DISPOSITION=REJECT
 
 RELATED_DISPOSITION=ACCEPT
 
+RPFILTER_DISPOSITION=DROP
+
 SMURF_DISPOSITION=DROP
 
 SFILTER_DISPOSITION=DROP
 
 TCP_FLAGS_DISPOSITION=DROP
 
+UNTRACKED_DISPOSITION=CONTINUE
+
 ################################################################################
 #			P A C K E T  M A R K  L A Y O U T
 ################################################################################

Shorewall/Samples/two-interfaces/stoppedrules

@@ -1,6 +1,6 @@
 #
-# Shorewall version 4.0 - Sample Routestopped File for two-interface configuration.
+# Shorewall version 4.5 - Sample Stoppedrules File for two-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2012 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -9,7 +9,9 @@
 #
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
-# For information about entries in this file, type "man shorewall-routestopped"
+# For information about entries in this file, type "man shorewall-stoppedrules"
-##############################################################################
+###############################################################################
-#INTERFACE	HOST(S)                  OPTIONS
+#ACTION		SOURCE		DEST		PROTO	DEST		SOURCE
-eth1		-
+#							PORT(S)		PORT(S)
+ACCEPT		eth1		-
+ACCEPT		-		eth1

Shorewall/action.Broadcast

@@ -27,11 +27,11 @@
 #       Default action is DROP
 #
 ##########################################################################################
-FORMAT 2
+?FORMAT 2
 
 DEFAULTS DROP,-
 
-BEGIN PERL;
+?BEGIN PERL;
 
 use Shorewall::IPAddrs;
 use Shorewall::Config;
@@ -43,6 +43,7 @@ fatal_error "Invalid parameter ($audit) to action Broadcast"   if supplied $audi
 fatal_error "Invalid parameter ($action) to action Broadcast"  unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
 
 my $chainref           = get_action_chain;
+
 my ( $level, $tag )    = get_action_logging;
 my $target             = require_audit ( $action , $audit );
 
@@ -70,4 +71,4 @@ add_jump $chainref, $target, 0, '-d 224.0.0.0/4 ';
 
 1;
 
-END PERL;
+?END PERL;

Shorewall/action.Drop

@@ -31,12 +31,12 @@
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 #
 ###############################################################################
-FORMAT 2
+?FORMAT 2
 #
-# The following magic provides different defaults for $2 thru $5, when $1 is
+# The following magic provides different defaults for @2 thru @5, when @1 is
 # 'audit'.
 #
-BEGIN PERL;
+?BEGIN PERL;
 use Shorewall::Config;
 
 my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
@@ -54,7 +54,7 @@ if ( defined $p1 ) {
 
 1;
 
-END PERL;
+?END PERL;
 
 DEFAULTS -,REJECT,DROP,ACCEPT,DROP
 
@@ -66,31 +66,31 @@ COUNT
 #
 # Reject 'auth'
 #
-Auth($2)
+Auth(@2)
 #
 # Don't log broadcasts
 #
-Broadcast(DROP,$1)
+Broadcast(DROP,@1)
 #
 # ACCEPT critical ICMP types
 #
-AllowICMPs($4)	-	-	icmp
+AllowICMPs(@4)	-	-	icmp
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log.
 #
-Invalid(DROP,$1)
+Invalid(DROP,@1)
 #
 # Drop Microsoft noise so that it doesn't clutter up the log.
 #
-SMB($3)
+SMB(@3)
-DropUPnP($5)
+DropUPnP(@5)
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #
-NotSyn(DROP,$1)	-	-	tcp
+NotSyn(DROP,@1)	-	-	tcp
 #
 # Drop late-arriving DNS replies. These are just a nuisance and clutter up
 # the log.
 #
-DropDNSrep($5)
+DropDNSrep(@5)

Shorewall/action.DropSmurfs

@@ -9,19 +9,21 @@
 #          audit = Audit dropped packets.
 #
 #################################################################################
-FORMAT 2
+?FORMAT 2
 
 DEFAULTS -
 
-BEGIN PERL;
+?BEGIN PERL;
 use strict;
 use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6);
+use Shorewall::IPAddrs qw( IPv6_MULTICAST );
 use Shorewall::Chains;
 use Shorewall::Rules;
 
 my ( $audit ) = get_action_params( 1 );
 
 my $chainref        = get_action_chain;
+
 my ( $level, $tag ) = get_action_logging;
 my $target;
 
@@ -77,7 +79,7 @@ if ( $family == F_IPV4 ) {
     add_ijump( $chainref, g => $target, s => IPv6_MULTICAST );
 }
 
-END PERL;
+?END PERL;
 
 
 

Shorewall/action.Established

@@ -0,0 +1,49 @@
+#
+# Shorewall 4 - Established Action
+#
+#    /usr/share/shorewall/action.Established
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
+#
+#       Complete documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#   Established[([<action>])]
+#
+#       Default action is ACCEPT
+#
+##########################################################################################
+?FORMAT 2
+
+DEFAULTS ACCEPT
+
+?BEGIN PERL;
+
+use Shorewall::IPAddrs;
+use Shorewall::Config;
+use Shorewall::Chains;
+use Shorewall::Rules;
+
+my ( $action ) = get_action_params( 1 );
+
+if ( my $check = check_state( 'ESTABLISHED' ) ) {
+    perl_action_helper( $action, $check == 1 ? "$globals{STATEMATCH} ESTABLISHED" : '', 'ESTABLISHED' );
+}
+
+1;
+
+?END PERL;

Shorewall/action.Invalid

@@ -5,7 +5,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -22,35 +22,33 @@
 #       along with this program; if not, write to the Free Software
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#   Invalid[([<action>|-[,{audit|-}])]
+#   Invalid[([<action>])]
 #
 #       Default action is DROP
 #
 ##########################################################################################
-FORMAT 2
+?FORMAT 2
 
 DEFAULTS DROP,-
 
-BEGIN PERL;
+?BEGIN PERL;
 
 use Shorewall::IPAddrs;
 use Shorewall::Config;
 use Shorewall::Chains;
+use Shorewall::Rules;
 
 my ( $action, $audit ) = get_action_params( 2 );
 
-fatal_error "Invalid parameter ($audit) to action Invalid"   if supplied $audit && $audit ne 'audit';
+if ( supplied $audit ) {
-fatal_error "Invalid parameter ($action) to action Invalid"  unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
+     fatal_error "Invalid parameter ($audit) to action Invalid" if $audit ne 'audit';
+     $action = "A_$action";
+}
 
-my $chainref         = get_action_chain;
+if ( my $check = check_state( 'INVALID' ) ) {
-my ( $level, $tag )  = get_action_logging;
+    perl_action_helper( $action, $check == 1 ? "$globals{STATEMATCH} INVALID" : '' , 'INVALID' );
-my $target           = require_audit ( $action , $audit );
+}
-
-log_rule_limit $level, $chainref, 'Invalid' , $action, '', $tag, 'add', "$globals{STATEMATCH} INVALID " if $level ne '';
-add_jump $chainref , $target, 0, "$globals{STATEMATCH} INVALID ";
-
-allow_optimize( $chainref );
 
 1;
 
-END PERL;
+?END PERL;

Shorewall/action.New

@@ -0,0 +1,51 @@
+#
+# Shorewall 4 - New Action
+#
+#    /usr/share/shorewall/action.New
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
+#
+#       Complete documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#   Untracked[([<action>])]
+#
+#       Default action is DROP
+#
+##########################################################################################
+?FORMAT 2
+
+DEFAULTS ACCEPT
+
+?BEGIN PERL;
+
+use Shorewall::IPAddrs;
+use Shorewall::Config;
+use Shorewall::Chains;
+use Shorewall::Rules;
+
+my ( $action ) = get_action_params( 1 );
+
+if ( my $check = check_state( 'NEW' ) ) {
+    perl_action_helper( $action, $check == 1 ? "$globals{STATEMATCH} NEW" : '' , 'NEW' );
+}
+
+allow_optimize( get_action_chain );
+
+1;
+
+?END PERL;

Shorewall/action.NotSyn

@@ -22,35 +22,32 @@
 #       along with this program; if not, write to the Free Software
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#   NotSyn[([<action>|-[,{audit|-}])]
+#   NotSyn[([<action>])]
 #
 #       Default action is DROP
 #
 ##########################################################################################
-FORMAT 2
+?FORMAT 2
 
 DEFAULTS DROP,-
 
-BEGIN PERL;
+?BEGIN PERL;
 
+use strict;
 use Shorewall::IPAddrs;
 use Shorewall::Config;
 use Shorewall::Chains;
+use Shorewall::Rules;
 
 my ( $action, $audit ) = get_action_params( 2 );
 
-fatal_error "Invalid parameter ($audit) to action NotSyn"   if supplied $audit && $audit ne 'audit';
+if ( supplied $audit ) {
-fatal_error "Invalid parameter ($action) to action NotSyn"  unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
+     fatal_error "Invalid parameter ($audit) to action NotSyn" if $audit ne 'audit';
+     $action = "A_$action";
+}    
 
-my $chainref         = get_action_chain;
+perl_action_tcp_helper( $action, '-p 6 ! --syn' );
-my ( $level, $tag )  = get_action_logging;
-my $target           = require_audit ( $action , $audit );
-
-log_rule_limit $level, $chainref, 'NotSyn' , $action, '', $tag, 'add', '-p 6 ! --syn ' if $level ne '';
-add_jump $chainref , $target, 0, '-p 6 ! --syn ';
-
-allow_optimize( $chainref );
 
 1;
 
-END PERL;
+?END PERL;

Shorewall/action.RST

@@ -22,34 +22,30 @@
 #       along with this program; if not, write to the Free Software
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#   RST[([<action>|-[,{audit|-}])]
+#   RST[([<action>])]
 #
 #       Default action is DROP
 #
 ##########################################################################################
-FORMAT 2
+?FORMAT 2
 
 DEFAULTS DROP,-
 
-BEGIN PERL;
+?BEGIN PERL;
 
 use Shorewall::Config;
 use Shorewall::Chains;
+use Shorewall::Rules;
 
 my ( $action, $audit ) = get_action_params( 2 );
 
-fatal_error "Invalid parameter ($audit) to action NotSyn"   if supplied $audit && $audit ne 'audit';
+if ( supplied $audit ) {
-fatal_error "Invalid parameter ($action) to action NotSyn"  unless $action =~ /^(?:ACCEPT|DROP)$/;
+     fatal_error "Invalid parameter ($audit) to action RST" if $audit ne 'audit';
+     $action = "A_$action";
+}    
 
-my $chainref         = get_action_chain;
+perl_action_tcp_helper( $action, '-p 6 --tcp-flags RST RST' );
-my ( $level, $tag )  = get_action_logging;
-my $target           = require_audit ( $action , $audit );
-
-log_rule_limit $level, $chainref, 'RST' , $action, '', $tag, 'add', '-p 6 --tcp-flags RST RST ' if $level ne '';
-add_jump $chainref , $target, 0, '-p 6 --tcp-flags RST RST, ';
-
-allow_optimize( $chainref );
 
 1;
 
-END PERL;
+?END PERL;

Shorewall/action.Reject

@@ -27,12 +27,12 @@
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 ###############################################################################
-FORMAT 2
+?FORMAT 2
 #
-# The following magic provides different defaults for $2 thru $5, when $1 is
+# The following magic provides different defaults for @2 thru @5, when @1 is
 # 'audit'.
 #
-BEGIN PERL;
+?BEGIN PERL;
 use Shorewall::Config;
 
 my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
@@ -50,7 +50,7 @@ if ( defined $p1 ) {
 
 1;
 
-END PERL;
+?END PERL;
 
 DEFAULTS -,REJECT,REJECT,ACCEPT,DROP
 
@@ -62,33 +62,33 @@ COUNT
 #
 # Don't log 'auth' -- REJECT
 #
-Auth($2)
+Auth(@2)
 #
 # Drop Broadcasts so they don't clutter up the log
 # (broadcasts must *not* be rejected).
 #
-Broadcast(DROP,$1)
+Broadcast(DROP,@1)
 #
 # ACCEPT critical ICMP types
 #
-AllowICMPs($4)	-	-	icmp
+AllowICMPs(@4)	-	-	icmp
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log (these ICMPs cannot be
 # rejected).
 #
-Invalid(DROP,$1)
+Invalid(DROP,@1)
 #
 # Reject Microsoft noise so that it doesn't clutter up the log.
 #
-SMB($3)
+SMB(@3)
-DropUPnP($5)
+DropUPnP(@5)
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #
-NotSyn(DROP,$1)	-	-	tcp
+NotSyn(DROP,@1)	-	-	tcp
 #
 # Drop late-arriving DNS replies. These are just a nuisance and clutter up
 # the log.
 #
-DropDNSrep($5)
+DropDNSrep(@5)

Shorewall/action.Related

@@ -0,0 +1,50 @@
+#
+# Shorewall 4 - Related Action
+#
+#    /usr/share/shorewall/action.Related
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
+#
+#       Complete documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#   Related[([<action>])]
+#
+#       Default action is DROP
+#
+##########################################################################################
+?FORMAT 2
+
+DEFAULTS DROP
+
+?BEGIN PERL;
+
+use strict;
+use Shorewall::IPAddrs;
+use Shorewall::Config;
+use Shorewall::Chains;
+use Shorewall::Rules;
+
+my ( $action ) = get_action_params( 1 );
+
+if ( my $check = check_state( 'RELATED' ) ) {
+    perl_action_helper( $action, $check == 1 ? "$globals{STATEMATCH} RELATED" : '', 'RELATED' );
+}
+
+1;
+
+?END PERL;