Replace spaces with tabs in rules files.

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/configure

@@ -76,7 +76,7 @@ for p in $@; do
 		    pn=HOST
 		    ;;
 		SHAREDSTATEDIR)
-		    pn=VARDIR
+		    pn=VARLIB
 		    ;;
 		DATADIR)
 		    pn=SHAREDIR
@@ -161,6 +161,17 @@ if [ $# -gt 0 ]; then
     echo '#'           >> shorewallrc
 fi
 
+if [ -n "${options[VARLIB]}" ]; then
+    if [ -z "${options[VARDIR]}" ]; then
+	options[VARDIR]='${VARLIB}/${PRODUCT}'
+    fi
+elif [ -n "${options[VARDIR]}" ]; then
+    if [ -z "{$options[VARLIB]}" ]; then
+	options[VARLIB]=${options[VARDIR]}
+	options[VARDIR]='${VARLIB}/${PRODUCT}'
+    fi
+fi
+
 for on in \
     HOST \
     PREFIX \
@@ -180,6 +191,7 @@ for on in \
     SYSCONFDIR \
     SPARSE \
     ANNOTATED \
+    VARLIB \
     VARDIR
 do
     echo "$on=${options[${on}]}"

Shorewall-core/configure.pl

@@ -38,7 +38,7 @@ my %params;
 my %options;
 
 my %aliases = ( VENDOR         => 'HOST',
-		SHAREDSTATEDIR => 'VARDIR',
+		SHAREDSTATEDIR => 'VARLIB',
 		DATADIR        => 'SHAREDIR' );
 
 for ( @ARGV ) {
@@ -123,6 +123,15 @@ printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s %2d
 
 print  $outfile "# Input: @ARGV\n#\n" if @ARGV;
 
+if ( $options{VARLIB} ) {
+    unless ( $options{VARDIR} ) {
+	$options{VARDIR} = '${VARLIB}/${PRODUCT}';
+    }
+} elsif ( $options{VARDIR} ) {
+    $options{VARLIB} = $options{VARDIR};
+    $options{VARDIR} = '${VARLIB}/${PRODUCT}';
+}
+
 for ( qw/ HOST
 	  PREFIX
 	  SHAREDIR
@@ -141,6 +150,7 @@ for ( qw/ HOST
 	  SYSCONFDIR
 	  SPARSE
 	  ANNOTATED
+	  VARLIB
 	  VARDIR / ) {
 
     my $val = $options{$_} || '';

Shorewall-core/install.sh

@@ -164,7 +164,18 @@ else
     usage 1
 fi
 
-for var in SHAREDIR LIBEXECDIR PERLLIBDIR CONFDIR SBINDIR VARDIR; do
+update=0
+
+if [ -z "${VARLIB}" ]; then
+    VARLIB=${VARDIR}
+    VARDIR="${VARLIB}/${PRODUCT}"
+    update=1
+elif [ -z "${VARDIR}" ]; then
+    VARDIR="${VARLIB}/${PRODUCT}"
+    update=2
+fi
+
+for var in SHAREDIR LIBEXECDIR PERLLIBDIR CONFDIR SBINDIR VARLIB VARDIR; do
     require $var
 done
 
@@ -346,9 +357,25 @@ ln -sf lib.base ${DESTDIR}${SHAREDIR}/shorewall/functions
 echo "$VERSION" > ${DESTDIR}${SHAREDIR}/shorewall/coreversion
 chmod 644 ${DESTDIR}${SHAREDIR}/shorewall/coreversion
 
-[ $file != "${SHAREDIR}/shorewall/shorewallrc" ] && cp $file ${DESTDIR}${SHAREDIR}/shorewall/shorewallrc
+if [ -z "${DESTDIR}" ]; then
+    if [ $update -ne 0 ]; then
+	echo "Updating $file - original saved in $file.bak"
 
-[ -z "${DESTDIR}" ] && [ ! -f ~/.shorewallrc ] && cp ${SHAREDIR}/shorewall/shorewallrc ~/.shorewallrc
+	cp $file $file.bak
+
+	echo '#'                                             >> $file
+	echo "# Updated by Shorewall-core $VERSION -" `date` >> $file
+	echo '#'                                             >> $file
+
+	[ $update -eq 1 ] && sed -i 's/VARDIR/VARLIB/' $file
+
+	echo 'VARDIR=${VARLIB}/${PRODUCT}' >> $file
+    fi
+
+    [ ! -f ~/.shorewallrc ] && cp ${SHAREDIR}/shorewall/shorewallrc ~/.shorewallrc
+fi
+
+[ $file != "${DESTDIR}${SHAREDIR}/shorewall/shorewallrc" ] && cp $file ${DESTDIR}${SHAREDIR}/shorewall/shorewallrc
 
 if [ ${SHAREDIR} != /usr/share ]; then
     for f in lib.*; do

Shorewall-core/lib.base

@@ -20,15 +20,11 @@
 #	along with this program; if not, write to the Free Software
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-# This library contains the code common to all Shorewall components.
-#
-# - It is loaded by /sbin/shorewall.
-# - It is released as part of Shorewall[6] Lite where it is used by /sbin/shorewall[6]-lite
-#   and /usr/share/shorewall[6]-lite/shorecap.
+# This library contains the code common to all Shorewall components except the
+# generated scripts.
 #
 
-SHOREWALL_LIBVERSION=40502
-SHOREWALL_CAPVERSION=40504
+SHOREWALL_LIBVERSION=40509
 
 [ -n "${g_program:=shorewall}" ]
 
@@ -38,11 +34,7 @@ if [ -z "$g_readrc" ]; then
     #
     . /usr/share/shorewall/shorewallrc
 
-    g_libexec="$LIBEXECDIR"
     g_sharedir="$SHAREDIR"/$g_program
-    g_sbindir="$SBINDIR"
-    g_perllib="$PERLLIBDIR"
-    g_vardir="$VARDIR"
     g_confdir="$CONFDIR"/$g_program
     g_readrc=1
 fi
@@ -53,13 +45,13 @@ case $g_program in
     shorewall)
 	g_product="Shorewall"
 	g_family=4
-	g_tool=
+	g_tool=iptables
 	g_lite=
 	;;
     shorewall6)
 	g_product="Shorewall6"
 	g_family=6
-	g_tool=
+	g_tool=ip6tables
 	g_lite=
 	;;
     shorewall-lite)
@@ -76,7 +68,12 @@ case $g_program in
 	;;
 esac
 
-VARDIR=${VARDIR}/${g_program}
+if [ -z "${VARLIB}" ]; then
+    VARLIB=${VARDIR}
+    VARDIR=${VARLIB}/$g_program
+elif [ -z "${VARDIR}" ]; then
+    VARDIR="${VARLIB}/${PRODUCT}"
+fi
 
 #
 # Conditionally produce message

Shorewall-core/lib.cli

@@ -21,20 +21,21 @@
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # This library contains the command processing code common to /sbin/shorewall[6] and
-# /sbin/shorewall[6]-lite.
+# /sbin/shorewall[6]-lite. In Shorewall and Shorewall6, the lib.cli-std library is 
+# loaded after this one and replaces some of the functions declared here.
 #
 
+SHOREWALL_CAPVERSION=40509
+
+[ -n "${g_program:=shorewall}" ]
+
 if [ -z "$g_readrc" ]; then
     #
     # This is modified by the installer when ${SHAREDIR} <> /usr/share
     #
     . /usr/share/shorewall/shorewallrc
 
-    g_libexec="$LIBEXECDIR"
     g_sharedir="$SHAREDIR"/$g_program
-    g_sbindir="$SBINDIR"
-    g_perllib="$PERLLIBDIR"
-    g_vardir="$VARDIR"
     g_confdir="$CONFDIR"/$g_program
     g_readrc=1
 fi
@@ -435,21 +436,42 @@ save_config() {
 #
 sort_routes() {
     local dest
+    local second
     local rest
-    local crvsn
+    local vlsm
+    local maxvlsm
+    local rule
 
-    while read dest rest; do
+    if [ $g_family -eq 4 ]; then
+	maxvlsm=032
+    else
+	maxvlsm=128
+    fi
+
+    while read dest second rest; do
 	if [ -n "$dest" ]; then
+	    rule="$dest $second $rest"
 	    case "$dest" in
 		default)
-		    echo "00 $dest $rest"
+		    echo "000 $rule"
 		    ;;
+		blackhole|local)
+		    case "$second" in
 			*/*)
-		    crvsn=${dest#*/}
-		    printf "%02d %s\n" $crvsn "$dest $rest"
+			    vlsm=${second#*/}
+			    printf "%03d %s\n" $vlsm "$rule"
 			    ;;
 			*)
-		    echo "32 $dest $rest"
+			    echo "$maxvlsm $rule"
+			    ;;
+		    esac
+		    ;;
+		*/*)
+		    vlsm=${dest#*/}
+		    printf "%03d %s\n" $vlsm "$rule"
+		    ;;
+		*)
+		    echo "$maxvlsm $rule"
 		    ;;
 	    esac
 	fi
@@ -480,7 +502,7 @@ show_routing() {
 	ip -$g_family rule list | find_tables | sort -u | while read table; do
 	    heading "Table $table:"
 	    if [ $g_family -eq 6 ]; then
-		ip -$g_family -o route list table $table | fgrep -v cache
+		ip -$g_family -o route list table $table | fgrep -v cache | sort_routes
 	    else
 		ip -4 -o route list table $table | sort_routes
 	    fi
@@ -493,13 +515,33 @@ show_routing() {
     else
 	heading "Routing Table"
 	if [ $g_family -eq 6 ]; then
-	    ip -$g_family -o route list | fgrep -v cache
+	    ip -$g_family -o route list | fgrep -v cache | sort_routes
 	else
 	    ip -4 -o route list table $table | sort_routes
 	fi
     fi
 }
 
+determine_ipset_version() {
+    local setname
+
+    if [ -z "$IPSET" -o $IPSET = ipset ]; then
+	IPSET=$(mywhich ipset)
+	[ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"
+    fi
+
+    setname=fooX$$
+
+    qt ipset -X $setname # Just in case something went wrong the last time
+
+    if qt ipset -N $setname hash:ip family inet; then
+	qt ipset -X $setname
+	IPSETN="$IPSET"
+    else
+	IPSETN="$IPSET -n"
+    fi
+}
+
 #
 # 'list dynamic' command executor
 #
@@ -507,7 +549,7 @@ find_sets() {
     local junk
     local setname
 
-    ipset -L -n | grep "^Name: ${1}_" | while read junk setname; do echo $setname; done
+    $IPSETN -L | egrep "^Name: ${1}(_.+)?$" | while read junk setname; do echo $setname; done
 }
 
 list_zone() {
@@ -515,19 +557,19 @@ list_zone() {
     local sets
     local setname
 
-    [ -n "$(mywhich ipset)" ] || fatal_error "The ipset utility cannot be located"
+    determine_ipset_version
 
     if [ $g_family -eq 4 ]; then
-	sets=$(ipset -L -n | grep '^$1_');
+	sets=$($IPSETN -L | egrep "^$1(_.+)?");
      else
-	sets=$(ipset -L -n | grep "^6_$1_")
+	sets=$($IPSETN -L | egrep "^6_$1(_.+)?")
     fi
 
     [ -n "$sets" ] || sets=$(find_sets $1)
 
     for setname in $sets; do
 	echo "${setname#${1}_}:"
-	ipset -L $setname -n | awk 'BEGIN        {prnt=0;}; \
+	$IPSETN -L $setname | awk 'BEGIN        {prnt=0;}; \
                                    /^Members:/  {prnt=1; next; }; \
                                    /^Bindings:/ {prnt=0; }; \
                                                 { if (prnt == 1) print "   ", $1; };'
@@ -615,6 +657,20 @@ show_connections_filter() {
     fi
 }
 
+show_nfacct() {
+    if [ -n "$NFACCT" -a ! -x "$NFACCT" ]; then
+	error_message "WARNING: NFACCT=$NFACCT does not exist or is not executable"
+	NFACCT=
+    else
+	NFACCT=$(mywhich nfacct)
+	[ -n "$NFACCT" ] || echo "No NF Accounting defined (nfacct not found)"
+    fi
+
+    if [ -n "$NFACCT" ]; then
+	$NFACCT list
+	echo
+    fi
+}
 #
 # Show Command Executor
 #
@@ -625,6 +681,8 @@ show_command() {
     table=filter
     local table_given
     table_given=
+    local output_filter
+    output_filter=cat
 
     show_macro() {
 	foo=`grep 'This macro' $macro | sed 's/This macro //'`
@@ -639,6 +697,16 @@ show_command() {
 	fi
     }
 
+    # eliminates rules which have not been used from ip*tables' output
+    brief_output() {
+	awk \
+	'/^Chain /  { heading1 = $0; getline heading2; printed = 0; next; };
+         /^ +0 +0 / { next; };
+         /^$/       { if ( printed == 1 ) { print $0; }; next; };
+                    { if ( printed == 0 ) { print heading1; print heading2; printed = 1 }; };
+	            { print; }';
+    }
+
     while [ $finished -eq 0 -a $# -gt 0 ]; do
 	option=$1
 	case $option in
@@ -691,6 +759,10 @@ show_command() {
 			    g_routecache=Yes
 			    option=${option#c}
 			    ;;
+			b*)
+			    output_filter=brief_output
+			    option=${option#b}
+			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -708,6 +780,7 @@ show_command() {
 
 
     [ -n "$g_debugging" ] && set -x
+
     case "$1" in
 	connections)
 	    [ $# -gt 1 ] && usage 1
@@ -751,28 +824,28 @@ show_command() {
 	    echo "$g_product $SHOREWALL_VERSION NAT Table at $g_hostname - $(date)"
 	    echo
 	    show_reset
-	    $g_tool -t nat -L $g_ipt_options
+	    $g_tool -t nat -L $g_ipt_options | $output_filter
 	    ;;
 	raw)
 	    [ $# -gt 1 ] && usage 1
 	    echo "$g_product $SHOREWALL_VERSION RAW Table at $g_hostname - $(date)"
 	    echo
 	    show_reset
-	    $g_tool -t raw -L $g_ipt_options
+	    $g_tool -t raw -L $g_ipt_options | $output_filter
 	    ;;
 	rawpost)
 	    [ $# -gt 1 ] && usage 1
 	    echo "$g_product $SHOREWALL_VERSION RAWPOST Table at $g_hostname - $(date)"
 	    echo
 	    show_reset
-	    $g_tool -t rawpost -L $g_ipt_options
+	    $g_tool -t rawpost -L $g_ipt_options | $output_filter
 	    ;;
 	tos|mangle)
 	    [ $# -gt 1 ] && usage 1
 	    echo "$g_product $SHOREWALL_VERSION Mangle Table at $g_hostname - $(date)"
 	    echo
 	    show_reset
-	    $g_tool -t mangle -L $g_ipt_options
+	    $g_tool -t mangle -L $g_ipt_options | $output_filter
 	    ;;
 	log)
 	    [ $# -gt 2 ] && usage 1
@@ -808,7 +881,7 @@ show_command() {
 	    shift
 
 	    if [ -z "$1" ]; then
-		$g_tool -t mangle -L -n -v
+		$g_tool -t mangle -L -n -v | $output_filter
 		echo
 	    fi
 
@@ -871,15 +944,15 @@ show_command() {
 	    if [ -n "$g_filemode" ]; then
 		echo "CONFIG_PATH=$CONFIG_PATH"
 		echo "VARDIR=$VARDIR"
-		echo "LIBEXEC=$g_libexec"
-		echo "SBINDIR=$g_sbindir"
+		echo "LIBEXEC=${LIBEXECDIR}"
+		echo "SBINDIR=${SBINDIR}"
 		echo "CONFDIR=${CONFDIR}"
 		[ -n "$g_lite" ] && [ ${VARDIR} != /var/lib/$g_program ] && echo "LITEDIR=${VARDIR}"
 	    else
 		echo "Default CONFIG_PATH is $CONFIG_PATH"
 		echo "Default VARDIR is /var/lib/$g_program"
-		echo "LIBEXEC is $g_libexec"
-		echo "SBINDIR is $g_sbindir"
+		echo "LIBEXEC is ${LIBEXECDIR}"
+		echo "SBINDIR is ${SBINDIR}"
 		echo "CONFDIR is ${CONFDIR}"
 		[ -n "$g_lite" ] && [ ${VARDIR} != /var/lib/$g_program ] && echo "LITEDIR is ${VARDIR}"
 	    fi
@@ -891,11 +964,11 @@ show_command() {
 	    show_reset
 	    if [ $# -gt 0 ]; then
 		for chain in $*; do
-		    $g_tool -t $table -L $chain $g_ipt_options
+		    $g_tool -t $table -L $chain $g_ipt_options | $output_filter
 		    echo
 		done
 	    else
-		$g_tool -t $table -L $g_ipt_options
+		$g_tool -t $table -L $g_ipt_options | $output_filter
 	    fi
 	    ;;
 	vardir)
@@ -920,6 +993,12 @@ show_command() {
 	    echo
 	    [ -f ${VARDIR}/marks ] && cat ${VARDIR}/marks;
 	    ;;
+	nfacct)
+	    [ $# -gt 1 ] && usage 1
+	    echo "$g_product $SHOREWALL_VERSION NF Accounting at $g_hostname - $(date)"
+	    echo
+	    show_nfacct
+	    ;;
 	*)
 	    case "$g_program" in
 		*-lite)
@@ -1007,14 +1086,14 @@ show_command() {
 		echo
 		show_reset
 		for chain in $*; do
-		    $g_tool -t $table -L $chain $g_ipt_options
+		    $g_tool -t $table -L $chain $g_ipt_options | $output_filter
 		    echo
 		done
 	    else
 		echo "$g_product $SHOREWALL_VERSION $table Table at $g_hostname - $(date)"
 		echo
 		show_reset
-		$g_tool -t $table -L $g_ipt_options
+		$g_tool -t $table -L $g_ipt_options | $output_filter
 	    fi
 	    ;;
     esac
@@ -1127,7 +1206,7 @@ do_dump_command() {
 	elif [ -r $LOGFILE ]; then
 	    g_logread="tac $LOGFILE"
 	else
-	    echo "LOGFILE ($LOGFILE) does not exist!" >&2
+	    echo "LOGFILE ($LOGFILE) does not exist! - See http://www.shorewall.net/shorewall_logging.html" >&2
 	    exit 2
 	fi
     fi
@@ -1196,12 +1275,17 @@ do_dump_command() {
 	brctl show
     fi
 
+    show_routing
+
     if [ $g_family -eq 4 ]; then
 	heading "Per-IP Counters"
 
 	perip_accounting
     fi
 
+    heading "NF Accounting"
+    show_nfacct
+
     if qt mywhich setkey; then
 	heading "PFKEY SPD"
 	setkey -DP
@@ -1229,8 +1313,6 @@ do_dump_command() {
 	done
     fi
 
-    show_routing
-
     if [ $g_family -eq 4 ]; then
 	heading "ARP"
 	arp -na
@@ -1567,19 +1649,19 @@ add_command() {
 	exit 2
     fi
 
-    case "$IPSET" in
-	*/*)
-	    ;;
-	*)
-	    [ -n "$(mywhich $IPSET)" ] || fatal_error "The $IPSET utility cannot be located"
-	    ;;
-    esac
-    #
-    # Normalize host list
-    #
+    determine_ipset_version
+
+    case $1 in
+	*:*)
 	    while [ $# -gt 1 ]; do
+		if [ $g_family -eq 4 ]; then
 		    interface=${1%%:*}
 		    host=${1#*:}
+		else
+		    interface=${1%%|*}
+		    host=${1#*|}
+		fi
+
 		[ "$host" = "$1" ] && host=
 
 		if [ -z "$host" ]; then
@@ -1596,9 +1678,22 @@ add_command() {
 
 		shift
 	    done
+	    ;;
+	*)
+	    ipset=$1
+	    shift
+	    while [ $# -gt 0 ]; do
+		for h in $(separate_list $1); do
+		    hostlist="$hostlist $h"
+		done
+		shift
+	    done
+	    ;;
+    esac
 
     zone=$1
 
+    if [ -n "$zone" ]; then
 	for host in $hostlist; do
 	    if [ $g_family -eq 4 ]; then
 		interface=${host%:*}
@@ -1608,8 +1703,8 @@ add_command() {
 		ipset=6_${zone}_${interface};
 	    fi
 
-	if ! qt $IPSET -L $ipset -n; then
-	    fatal_error "Zone $zone, interface $interface is does not have a dynamic host list"
+	    if ! qt $IPSET -L $ipset; then
+		fatal_error "Zone $zone, interface $interface does not have a dynamic host list"
 	    fi
 
 	    host=${host#*:}
@@ -1620,7 +1715,17 @@ add_command() {
 		fatal_error "Unable to add $interface:$host to zone $zone"
 	    fi
 	done
+    else
+	qt $IPSET -L $ipset || fatal_error "Zone $ipset is not dynamic"
 
+	for host in $hostlist; do
+	    if $IPSET -A $ipset $host; then
+		echo "Host $host added to zone $ipset"
+	    else
+		fatal_error "Unable to add $host to zone $ipset"
+	    fi
+	done
+    fi
 }
 
 #
@@ -1633,20 +1738,19 @@ delete_command() {
 	exit 2;
     fi
 
-    case "$IPSET" in
-	*/*)
-	    ;;
-	*)
-	    [ -n "$(mywhich $IPSET)" ] || fatal_error "The $IPSET utility cannot be located"
-	    ;;
-    esac
+    determine_ipset_version
 
-    #
-    # Normalize host list
-    #
+    case $1 in
+	*:*)
 	    while [ $# -gt 1 ]; do
+		if [ $g_family -eq 4 ]; then
 		    interface=${1%%:*}
 		    host=${1#*:}
+		else
+		    interface=${1%%|*}
+		    host=${1#*|}
+		fi
+
 		[ "$host" = "$1" ] && host=
 
 		if [ -z "$host" ]; then
@@ -1663,31 +1767,54 @@ delete_command() {
 
 		shift
 	    done
+	    ;;
+	*)
+	    ipset=$1
+	    shift
+	    while [ $# -gt 0 ]; do
+		for h in $(separate_list $1); do
+		    hostlist="$hostlist $h"
+		done
+		shift
+	    done
+	    ;;
+    esac
 
     zone=$1
 
-    for hostent in $hostlist; do
+    if [ -n "$zone" ]; then
+	for host in $hostlist; do
 	    if [ $g_family -eq 4 ]; then
-	    interface=${hostent%:*}
+		interface=${host%:*}
 		ipset=${zone}_${interface};
 	    else
-	    interface=${hostent%%:*}
+		interface=${host%%:*}
 		ipset=6_${zone}_${interface};
 	    fi
 
 	    if ! qt $IPSET -L $ipset -n; then
-	    fatal_error "Zone $zone, interface $interface is does not have a dynamic host list"
+		fatal_error "Zone $zone, interface $interface does not have a dynamic host list"
 	    fi
 
-	host=${hostent#*:}
+	    host=${host#*:}
 
 	    if $IPSET -D $ipset $host; then
-	    echo "Host $hostent deleted from zone $zone"
+		echo "Host $host deleted from zone $zone"
 	    else
 		echo "   WARNING: Unable to delete host $hostent to zone $zone" >&2
 	    fi
 	done
+    else
+	qt $IPSET -L $ipset -n || fatal_error "Zone $ipset is not dynamic"
 
+	for host in $hostlist; do
+	    if $IPSET -D $ipset $host; then
+		echo "Host $host deleted from to zone $ipset"
+	    else
+		echo "   WARNING: Unable to delete host $host from zone $zone" >&2
+	    fi
+	done
+    fi
 }
 
 #
@@ -1995,6 +2122,24 @@ determine_capabilities() {
     DSCP_MATCH=
     DSCP_TARGET=
     GEOIP_MATCH=
+    RPFILTER_MATCH=
+    NFACCT_MATCH=
+    CHECKSUM_TARGET=
+    AMANDA_HELPER=
+    FTP_HELPER=
+    FTP0_HELPER=
+    IRC_HELPER=
+    IRC0_HELPER=
+    NETBIOS_NS_HELPER=
+    H323_HELPER=
+    PPTP_HELPER=
+    SANE_HELPER=
+    SANE0_HELPER=
+    SIP_HELPER=
+    SIP0_HELPER=
+    SNMP_HELPER=
+    TFTP_HELPER=
+    TFTP0_HELPER=
 
     chain=fooX$$
 
@@ -2107,6 +2252,19 @@ determine_capabilities() {
 
     qt $g_tool -A $chain -j ACCEPT -m comment --comment "This is a comment" && COMMENTS=Yes
 
+    if [ -n "$NFACCT" -a ! -x "$NFACCT" ]; then
+	error_message "WARNING: NFACCT=$NFACCT does not exist or is not executable"
+	NFACCT=
+    else
+	NFACCT=$(mywhich nfacct)
+    fi
+
+    if [ -n "$NFACCT" ] && qt $NFACCT add $chain; then
+	qt $g_tool -A $chain -m nfacct --nfacct-name $chain && NFACCT_MATCH=Yes
+	qt $g_tool -D $chain -m nfacct --nfacct-name $chain
+	qt $NFACCT del $chain
+    fi
+
     if [ -n "$MANGLE_ENABLED" ]; then
 	qt $g_tool -t mangle -N $chain
 
@@ -2127,6 +2285,8 @@ determine_capabilities() {
 	qt $g_tool -t mangle -A $chain -j IMQ --todev 0 && IMQ_TARGET=Yes
 	qt $g_tool -t mangle -A $chain -m dscp --dscp 0 && DSCP_MATCH=Yes
 	qt $g_tool -t mangle -A $chain -j DSCP --set-dscp 0 && DSCP_TARGET=Yes
+	qt $g_tool -t mangle -A $chain -m rpfilter && RPFILTER_MATCH=Yes
+	qt $g_tool -t mangle -A $chain -j CHECKSUM --checksum-fill && CHECKSUM_TARGET=Yes
 
 	qt $g_tool -t mangle -F $chain
 	qt $g_tool -t mangle -X $chain
@@ -2138,9 +2298,30 @@ determine_capabilities() {
     qt $g_tool -t rawpost -L -n && RAWPOST_TABLE=Yes
 
     if [ -n "$RAW_TABLE" ]; then
+	qt $g_tool -t raw -F $chain
+	qt $g_tool -t raw -X $chain
 	qt $g_tool -t raw -N $chain
-	qt $g_tool -t raw -A $chain -j CT --notrack && CT_TARGET=Yes
-	qt $g_tool -t raw -N $chain
+	
+	if qt $g_tool -t raw -A $chain -j CT --notrack; then
+	    CT_TARGET=Yes;
+
+	    qt $g_tool -t raw -A $chain -p udp --dport 10080 -j CT --helper amanda     && AMANDA_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p tcp --dport 21    -j CT --helper ftp        && FTP_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p tcp --dport 21    -j CT --helper ftp-0      && FTP0_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p udp --dport 1719  -j CT --helper RAS        && H323_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p tcp --dport 6667  -j CT --helper irc        && IRC_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p tcp --dport 6667  -j CT --helper irc-0      && IRC0_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p udp --dport 137   -j CT --helper netbios-ns && NETBIOS_NS_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p tcp --dport 1729  -j CT --helper pptp       && PPTP_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p tcp --dport 6566  -j CT --helper sane       && SANE_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p tcp --dport 6566  -j CT --helper sane-0     && SANE0_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p udp --dport 5060  -j CT --helper sip        && SIP_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p udp --dport 5060  -j CT --helper sip-0      && SIP0_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p udp --dport 161   -j CT --helper snmp       && SNMP_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p udp --dport 69    -j CT --helper tftp       && TFTP_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p udp --dport 69    -j CT --helper tftp-0     && TFTP0_HELPER=Yes
+	fi
+
 	qt $g_tool -t raw -F $chain
 	qt $g_tool -t raw -X $chain	   
     fi
@@ -2160,10 +2341,10 @@ determine_capabilities() {
 
 	    if [ -n "$have_ipset" ]; then
 		if qt $g_tool -A $chain -m set --match-set $chain src -j ACCEPT; then
-		    qt $g_tool -D $chain -m set --match-set $chain src -j ACCEPT
+		    qt $g_tool -F $chain
 		    IPSET_MATCH=Yes
 		elif qt $g_tool -A $chain -m set --set $chain src -j ACCEPT; then
-		    qt $g_tool -D $chain -m set --set $chain src -j ACCEPT
+		    qt $g_tool -F $chain
 		    IPSET_MATCH=Yes
 		    OLD_IPSET_MATCH=Yes
 		fi
@@ -2172,10 +2353,10 @@ determine_capabilities() {
 	elif qt ipset -N $chain hash:ip family inet6; then
 	    IPSET_V5=Yes
 	    if qt $g_tool -A $chain -m set --match-set $chain src -j ACCEPT; then
-		qt $g_tool -D $chain -m set --match-set $chain src -j ACCEPT
+		qt $g_tool -F $chain
 		IPSET_MATCH=Yes
 	    elif qt $g_tool -A $chain -m set --set $chain src -j ACCEPT; then
-		qt $g_tool -D $chain -m set --set $chain src -j ACCEPT
+		qt $g_tool -F $chain
 		IPSET_MATCH=Yes
 		OLD_IPSET_MATCH=Yes
 	    fi
@@ -2193,7 +2374,28 @@ determine_capabilities() {
     fi
     qt $g_tool -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
     qt $g_tool -A $chain -m realm --realm 4 && REALM_MATCH=Yes
-    qt $g_tool -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes
+
+    #
+    # -m helper doesn't verify the existence of the specified helper :-(
+    #
+    if qt $g_tool -A $chain -p tcp --dport 21 -m helper --helper ftp; then
+	HELPER_MATCH=Yes
+
+	if [ -z "$CT_TARGET" ]; then
+	    AMANDA_HELPER=Yes
+	    FTP_HELPER=Yes
+	    FTP_HELPER=Yes
+	    H323_HELPER=Yes
+	    IRC_HELPER=Yes
+	    NS_HELPER=Yes
+	    PPTP_HELPER=Yes
+	    SANE_HELPER=Yes
+	    SIP_HELPER=Yes
+	    SNMP_HELPER=Yes
+	    TFTP_HELPER=Yes
+	fi
+    fi
+
     qt $g_tool -A $chain -m connlimit --connlimit-above 8 -j DROP && CONNLIMIT_MATCH=Yes
     qt $g_tool -A $chain -m time --timestart 23:00 -j DROP && TIME_MATCH=Yes
     qt $g_tool -A $chain -g $chain1 && GOTO_TARGET=Yes
@@ -2213,7 +2415,9 @@ determine_capabilities() {
     fi
 
     qt $g_tool -A $chain -j AUDIT --type drop && AUDIT_TARGET=Yes
+
     qt $g_tool -A $chain -m condition --condition foo && CONDITION_MATCH=Yes
+
     qt $g_tool -S INPUT && IPTABLES_S=Yes
     qt $g_tool -F $chain
     qt $g_tool -X $chain
@@ -2319,6 +2523,25 @@ report_capabilities() {
 	report_capability "DSCP Match (DSCP_MATCH)" $DSCP_MATCH
 	report_capability "DSCP Target (DSCP_TARGET)" $DSCP_TARGET
 	report_capability "Geo IP match" $GEOIP_MATCH
+	report_capability "RPFilter match" $RPFILTER_MATCH
+	report_capability "NFAcct match" $NFACCT_MATCH
+	report_capability "Checksum Target" $CHECKSUM_TARGET
+
+	report_capability "Amanda Helper" $AMANDA_HELPER
+	report_capability "FTP Helper" $FTP_HELPER
+	report_capability "FTP-0 Helper" $FTP0_HELPER
+	report_capability "IRC Helper" $IRC_HELPER
+	report_capability "IRC-0 Helper" $IRC0_HELPER
+	report_capability "Netbios_ns Helper" $NETBIOS_NS_HELPER
+	report_capability "H323 Helper" $H323_HELPER
+	report_capability "PPTP Helper" $PPTP_HELPER
+	report_capability "SANE Helper" $SANE_HELPER
+	report_capability "SANE-0 Helper" $SANE0_HELPER
+	report_capability "SIP Helper" $SIP_HELPER
+	report_capability "SIP-0 Helper" $SIP0_HELPER
+	report_capability "SNMP Helper" $SNMP_HELPER
+	report_capability "TFTP Helper" $TFTP_HELPER
+	report_capability "TFTP-0 Helper" $TFTP0_HELPER
 
 	if [ $g_family -eq 4 ]; then
 	    report_capability "iptables -S (IPTABLES_S)" $IPTABLES_S
@@ -2328,6 +2551,9 @@ report_capabilities() {
 
 	report_capability "Basic Filter (BASIC_FILTER)" $BASIC_FILTER
 	report_capability "CT Target (CT_TARGET)" $CT_TARGET
+
+	echo "   Kernel Version (KERNELVERSION): $KERNELVERSION"
+	echo "   Capabilities Version (CAPVERSION): $CAPVERSION"
     fi
 
     [ -n "$PKTTYPE" ] || USEPKTTYPE=
@@ -2410,6 +2636,25 @@ report_capabilities1() {
     report_capability1 DSCP_MATCH
     report_capability1 DSCP_TARGET
     report_capability1 GEOIP_MATCH
+    report_capability1 RPFILTER_MATCH
+    report_capability1 NFACCT_MATCH
+    report_capability1 CHECKSUM_TARGET
+
+    report_capability1 AMANDA_HELPER
+    report_capability1 FTP_HELPER
+    report_capability1 FTP0_HELPER
+    report_capability1 IRC_HELPER
+    report_capability1 IRC0_HELPER
+    report_capability1 NETBIOS_NS_HELPER
+    report_capability1 H323_HELPER
+    report_capability1 PPTP_HELPER
+    report_capability1 SANE_HELPER
+    report_capability1 SANE0_HELPER
+    report_capability1 SIP_HELPER
+    report_capability1 SIP0_HELPER
+    report_capability1 SNMP_HELPER
+    report_capability1 TFTP_HELPER
+    report_capability1 TFTP0_HELPER
 
     echo CAPVERSION=$SHOREWALL_CAPVERSION
     echo KERNELVERSION=$KERNELVERSION
@@ -2735,7 +2980,27 @@ get_config() {
 	exit 2
     fi
 
-    IPSET=ipset
+    if [ -n "$IPSET" ]; then
+	case "$IPSET" in
+	    */*)
+		if [ ! -x "$IPSET" ] ; then
+		    echo "   ERROR: The program specified in IPSET ($IPSET) does not exist or is not executable" >&2
+		    exit 2
+		fi
+		;;
+	    *)
+		prog="$(mywhich $IPSET 2> /dev/null)"
+		if [ -z "$prog" ] ; then
+		    echo "   ERROR: Can't find $IPSET executable" >&2
+		    exit 2
+		fi
+		IPSET=$prog
+		;;
+	esac
+    else
+	IPSET=''
+    fi
+
     TC=tc
 
 }
@@ -2939,16 +3204,23 @@ usage() # $1 = exit status
     echo "   restart [ -n ] [ -p ] [ -f ] [ <directory> ]"
     echo "   restore [ -n ] [ <file name> ]"
     echo "   save [ <file name> ]"
-    echo "   show [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
+    echo "   show [ -b ] [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
     echo "   show [ -f ] capabilities"
     echo "   show classifiers"
     echo "   show config"
     echo "   show connections"
     echo "   show filters"
     echo "   show ip"
+
+    if [ $g_family -eq 4 ]; then
+	echo "   show ipa"
+    fi
+
     echo "   show [ -m ] log [<regex>]"
-    echo "   show [ -x ] mangle|nat|raw|rawpost|routing"
+    echo "   show [ -x ] mangle|nat|raw|rawpost"
+    echo "   show nfacct"
     echo "   show policies"
+    echo "   show routing"
     echo "   show tc [ device ]"
     echo "   show vardir"
     echo "   show zones"
@@ -2999,7 +3271,7 @@ shorewall_cli() {
     g_shorewalldir=
 
     VERBOSE=
-    VERBOSITY=
+    VERBOSITY=1
 
     [ -n "$g_lite" ] || . ${g_basedir}/lib.cli-std
 

Shorewall-core/lib.common

@@ -84,7 +84,7 @@ get_script_version() { # $1 = script
 
     temp=$( $SHOREWALL_SHELL $1 version | tail -n 1 | sed 's/-.*//' )
 
-    if [ $? -ne 0 ]; then
+    if [ -z "$temp" ]; then
 	version=0
     else
 	ifs=$IFS

Shorewall-core/shorewallrc.apple

@@ -17,4 +17,4 @@ ANNOTATED=                             #Unused on OS X
 SYSTEMD=                               #Unused on OS X
 SYSCONFDIR=                            #Unused on OS X
 SPARSE=Yes                             #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
-VARDIR=/var/lib                        #Unused on OS X
+VARLIB=/var/lib                        #Unused on OS X

Shorewall-core/shorewallrc.archlinux

@@ -17,4 +17,5 @@ ANNOTATED=                             #If non-zero, annotated configuration fil
 SYSCONFDIR=                            #Directory where SysV init parameter files are installed
 SYSTEMD=                               #Directory where .service files are installed (systems running systemd only)
 SPARSE=                                #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
-VARDIR=/var/lib                        #Directory where product variable data is stored.
+VARLIB=/var/lib                        #Directory where product variable data is stored.
+VARDIR=${VARLIB}/$PRODUCT              #Directory where product variable data is stored.

Shorewall-core/shorewallrc.cygwin

@@ -17,4 +17,4 @@ ANNOTATED=                            #Unused on Cygwin
 SYSTEMD=                              #Unused on Cygwin
 SYSCONFDIR=                           #Unused on Cygwin
 SPARSE=Yes                            #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
-VARDIR=/var/lib                       #Unused on Cygwin
+VARLIB=/var/lib                       #Unused on Cygwin

Shorewall-core/shorewallrc.debian

@@ -18,4 +18,5 @@ SYSCONFFILE=default.debian              #Name of the distributed file to be inst
 SYSCONFDIR=/etc/default                 #Directory where SysV init parameter files are installed
 SYSTEMD=                                #Directory where .service files are installed (systems running systemd only)
 SPARSE=Yes                              #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
-VARDIR=/var/lib                         #Directory where product variable data is stored.
+VARLIB=/var/lib                         #Directory where product variable data is stored.
+VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.

Shorewall-core/shorewallrc.default

@@ -10,7 +10,7 @@ PERLLIBDIR=${PREFIX}/share/shorewall    #Directory to install Shorewall Perl mod
 CONFDIR=/etc                            #Directory where subsystem configurations are installed
 SBINDIR=/sbin                           #Directory where system administration programs are installed
 MANDIR=${PREFIX}/man                    #Directory where manpages are installed.
-INITDIR=etc/init.d                      #Directory where SysV init scripts are installed.
+INITDIR=/etc/init.d                     #Directory where SysV init scripts are installed.
 INITFILE=$PRODUCT                       #Name of the product's installed SysV init script
 INITSOURCE=init.sh                      #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                              #If non-zero, annotated configuration files are installed
@@ -18,4 +18,5 @@ SYSTEMD=                                #Directory where .service files are inst
 SYSCONFFILE=                            #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=                             #Directory where SysV init parameter files are installed
 SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
-VARDIR=/var/lib                         #Directory where product variable data is stored.
+VARLIB=/var/lib                         #Directory where product variable data is stored.
+VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.

Shorewall-core/shorewallrc.redhat

@@ -18,4 +18,5 @@ SYSTEMD=/lib/systemd/system             #Directory where .service files are inst
 SYSCONFFILE=sysconfig                   #Name of the distributed file to be installed as $SYSCONFDIR/$PRODUCT
 SYSCONFDIR=/etc/sysconfig/              #Directory where SysV init parameter files are installed
 SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
-VARDIR=/var/lib                         #Directory where product variable data is stored.
+VARLIB=/var/lib                         #Directory where product variable data is stored.
+VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.

Shorewall-core/shorewallrc.slackware

@@ -19,4 +19,5 @@ SYSTEMD=                                   #Name of the directory where .service
 SYSCONFFILE=                               #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=                                #Name of the directory where SysV init parameter files are installed.
 ANNOTATED=                                 #If non-empty, install annotated configuration files
-VARDIR=/var/lib                            #Directory where product variable data is stored.
+VARLIB=/var/lib                            #Directory where product variable data is stored.
+VARDIR=${VARLIB}/$PRODUCT                  #Directory where product variable data is stored.

Shorewall-core/shorewallrc.suse

@@ -12,10 +12,11 @@ SBINDIR=/sbin                                         #Directory where system ad
 MANDIR=${SHAREDIR}/man/                               #Directory where manpages are installed.
 INITDIR=/etc/init.d                                   #Directory where SysV init scripts are installed.
 INITFILE=$PRODUCT                                     #Name of the product's SysV init script
-INITSOURCE=init.sh                                    #Name of the distributed file to be installed as the SysV init script
+INITSOURCE=init.suse.sh                               #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                                            #If non-zero, annotated configuration files are installed
 SYSTEMD=                                              #Directory where .service files are installed (systems running systemd only)
 SYSCONFFILE=                                          #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=/etc/sysconfig/                            #Directory where SysV init parameter files are installed
 SPARSE=                                               #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
-VARDIR=/var/lib                                       #Directory where persistent product data is stored.
+VARLIB=/var/lib                                       #Directory where persistent product data is stored.
+VARDIR=${VARLIB}/$PRODUCT                             #Directory where product variable data is stored.

Shorewall-init/ifupdown.sh

@@ -22,6 +22,21 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
+setstatedir() {
+    local statedir
+    if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
+	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
+    fi
+
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+
+    if [ ! -x $STATEDIR/firewall ]; then
+	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	    ${SBINDIR}/$PRODUCT compile
+	fi
+    fi
+}
+
 Debian_SuSE_ppp() {
     NEWPRODUCTS=
     INTERFACE="$1"
@@ -187,8 +202,10 @@ fi
 [ -n "$LOGFILE" ] || LOGFILE=/dev/null
 
 for PRODUCT in $PRODUCTS; do
-    if [ -x $VARDIR/$PRODUCT/firewall ]; then
-	  ( ${VARDIR}/$PRODUCT/firewall -V0 $COMMAND $INTERFACE >> $LOGFILE 2>&1 ) || true
+    setstatedir
+
+    if [ -x $VARLIB/$PRODUCT/firewall ]; then
+	  ( ${VARLIB}/$PRODUCT/firewall -V0 $COMMAND $INTERFACE >> $LOGFILE 2>&1 ) || true
     fi
 done
 

Shorewall-init/init.debian.sh

@@ -62,11 +62,29 @@ not_configured () {
 	exit 0
 }
 
+# set the STATEDIR variable
+setstatedir() {
+    local statedir
+    if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
+	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
+    fi
+
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+
+    if [ ! -x $STATEDIR/firewall ]; then
+	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	    ${SBINDIR}/$PRODUCT compile
+	fi
+    fi
+}
+
 #
 # The installer may alter this
 #
 . /usr/share/shorewall/shorewallrc
 
+vardir=$VARDIR
+
 # check if shorewall-init is configured or not
 if [ -f "$SYSCONFDIR/shorewall-init" ]
 then
@@ -81,27 +99,27 @@ fi
 
 # Initialize the firewall
 shorewall_start () {
-  local product
-  local VARDIR
+  local PRODUCT
+  local STATEDIR
 
   echo -n "Initializing \"Shorewall-based firewalls\": "
-  for product in $PRODUCTS; do
-      VARDIR=/var/lib/$product
-      [ -f /etc/$product/vardir ] && . /etc/$product/vardir
-      if [ -x ${VARDIR}/firewall ]; then
+  for PRODUCT in $PRODUCTS; do
+      setstatedir
+
+      if [ ! -x ${VARDIR}/$PRODUCT/firewall ]; then
+	  if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	      ${SBINDIR}/$PRODUCT compile
+	  fi
+      fi
+
+      if [ -x ${VARDIR}/$PRODUCT/firewall ]; then
 	  #
 	  # Run in a sub-shell to avoid name collisions
 	  #
 	  ( 
-	      . /usr/share/$product/lib.base
-	      #
-	      # Get mutex so the firewall state is stable
-	      #
-	      mutex_on
-	      if ! ${VARDIR}/firewall status > /dev/null 2>&1; then
-		  ${VARDIR}/firewall stop || echo_notdone
+	      if ! ${VARDIR}/$PRODUCT/firewall status > /dev/null 2>&1; then
+		  ${VARDIR}/$PRODUCT/firewall stop || echo_notdone
 	      fi
-	      mutex_off
 	  )
       fi
   done
@@ -113,19 +131,21 @@ shorewall_start () {
 
 # Clear the firewall
 shorewall_stop () {
-  local product
+  local PRODUCT
   local VARDIR
 
   echo -n "Clearing \"Shorewall-based firewalls\": "
-  for product in $PRODUCTS; do
-      VARDIR=/var/lib/$product
-      [ -f /etc/$product/vardir ] && . /etc/$product/vardir
-      if [ -x ${VARDIR}/firewall ]; then
-	  ( . /usr/share/$product/lib.base
-	    mutex_on
-	    ${VARDIR}/firewall clear || echo_notdone
-	    mutex_off
-	  )
+  for PRODUCT in $PRODUCTS; do
+      setstatedir
+
+      if [ ! -x ${VARDIR}/$PRODUCT/firewall ]; then
+	  if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	      ${SBINDIR}/$PRODUCT compile
+	  fi
+      fi
+
+      if [ -x ${VARDIR}/$PRODUCT/firewall ]; then
+	  ${VARDIR}/$PRODUCT/firewall clear || echo_notdone
       fi
   done
 

Shorewall-init/init.fedora.sh

@@ -14,13 +14,8 @@
 #                    prior to bringing up the network.  
 ### END INIT INFO
 #determine where the files were installed
-if [ -f ~/.shorewallrc ]; then
-    . ~/.shorewallrc || exit 1
-else
-    SBINDIR=/sbin
-    SYSCONFDIR=/etc/default
-    VARDIR=/var/lib
-fi
+
+. /usr/share/shorewall/shorewallrc
 
 prog="shorewall-init"
 logger="logger -i -t $prog"
@@ -29,6 +24,8 @@ lockfile="/var/lock/subsys/shorewall-init"
 # Source function library.
 . /etc/rc.d/init.d/functions
 
+vardir=$VARDIR
+
 # Get startup options (override default)
 OPTIONS=
 
@@ -40,9 +37,25 @@ else
     exit 6
 fi
 
+# set the STATEDIR variable
+setstatedir() {
+    local statedir
+    if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
+	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
+    fi
+
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+
+    if [ ! -x $STATEDIR/firewall ]; then
+	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	    ${SBINDIR}/$PRODUCT compile
+	fi
+    fi
+}
+
 # Initialize the firewall
 start () {
-    local product
+    local PRODUCT
     local vardir
 
     if [ -z "$PRODUCTS" ]; then
@@ -52,11 +65,19 @@ start () {
     fi
 
     echo -n "Initializing \"Shorewall-based firewalls\": "
-    for product in $PRODUCTS; do
-	if [ -x ${VARDIR}/$product/firewall ]; then
-	    ${VARDIR}/$product/firewall stop 2>&1 | $logger
+    for PRODUCT in $PRODUCTS; do
+	setstatedir
+
+	if [ ! -x ${VARDIR}/firewall ]; then
+	    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+		${SBINDIR}/$PRODUCT compile
+	    fi
+	fi
+
+	if [ -x ${VARDIR}/$PRODUCT/firewall ]; then
+	    ${VARDIR}/$PRODUCT/firewall stop 2>&1 | $logger
 	    retval=${PIPESTATUS[0]}
-	    [ retval -ne 0 ] && break
+	    [ $retval -ne 0 ] && break
 	fi
     done
 
@@ -72,15 +93,23 @@ start () {
 
 # Clear the firewall
 stop () {
-    local product
+    local PRODUCT
     local vardir
 
     echo -n "Clearing \"Shorewall-based firewalls\": "
-    for product in $PRODUCTS; do
-	if [ -x ${VARDIR}/$product/firewall ]; then
-	    ${VARDIR}/$product/firewall clear 2>&1 | $logger
+    for PRODUCT in $PRODUCTS; do
+	setstatedir
+
+	if [ ! -x ${VARDIR}/firewall ]; then
+	    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+		${SBINDIR}/$PRODUCT compile
+	    fi
+	fi
+
+	if [ -x ${VARDIR}/$PRODUCT/firewall ]; then
+	    ${VARDIR}/$PRODUCT/firewall clear 2>&1 | $logger
 	    retval=${PIPESTATUS[0]}
-	    [ retval -ne 0 ] && break
+	    [ $retval -ne 0 ] && break
 	fi
     done
 
@@ -107,11 +136,7 @@ case "$1" in
 	status_q || exit 0
 	$1
 	;;
-    restart|reload|force-reload)
-	echo "Not implemented"
-	exit 3
-	;;
-    condrestart|try-restart)
+    restart|reload|force-reload|condrestart|try-restart)
 	echo "Not implemented"
 	exit 3
 	;;
@@ -119,7 +144,7 @@ case "$1" in
 	status $prog
 	;;
   *)
-	echo "Usage: /etc/init.d/shorewall-init {start|stop}"
+	echo "Usage: /etc/init.d/shorewall-init {start|stop|status}"
 	exit 1
 esac
 

Shorewall-init/init.sh

@@ -58,16 +58,34 @@ fi
 #
 . /usr/share/shorewall/shorewallrc
 
+# Locate the current PRODUCT's statedir
+setstatedir() {
+    local statedir
+    if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
+	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
+    fi
+
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+
+    if [ ! -x $STATEDIR/firewall ]; then
+	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	    ${SBINDIR}/$PRODUCT compile $STATEDIR/firewall
+	fi
+    fi
+}
+
 # Initialize the firewall
 shorewall_start () {
   local PRODUCT
-  local VARDIR
+  local STATEDIR
 
   echo -n "Initializing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
-      if [ -x ${VARDIR}/firewall ]; then
+      setstatedir
+
+      if [ -x ${STATEDIR}/firewall ]; then
 	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
-	      ${VARDIR}/firewall stop || echo_notdone
+	      ${STATEDIR}/firewall stop || echo_notdone
 	  fi
       fi
   done
@@ -86,6 +104,14 @@ shorewall_stop () {
 
   echo -n "Clearing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
+      setstatedir
+
+      if [ ! -x ${VARDIR}/firewall ]; then
+	  if [ $PRODUCT = shorewall -o $product = shorewall6 ]; then
+	      ${SBINDIR}/$PRODUCT compile
+	  fi
+      fi
+
       if [ -x ${VARDIR}/firewall ]; then
 	  ${VARDIR}/firewall clear || exit 1
       fi

Shorewall-init/init.suse.sh

@@ -0,0 +1,135 @@
+#! /bin/bash
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2010,2012 - Tom Eastep (teastep@shorewall.net)
+#
+#       On most distributions, this file should be called /etc/init.d/shorewall.
+#
+#       Complete documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#
+### BEGIN INIT INFO
+# Provides: shorewall-init
+# Required-Start: $local_fs
+# Required-Stop:  $local_fs
+# Default-Start:  2 3 5
+# Default-Stop:   0 1 6
+# Short-Description: Initialize the firewall at boot time
+# Description:       Place the firewall in a safe state at boot time
+#                    prior to bringing up the network.  
+### END INIT INFO
+
+if [ "$(id -u)" != "0" ]
+then
+  echo "You must be root to start, stop or restart \"Shorewall \"."
+  exit 1
+fi
+
+# check if shorewall-init is configured or not
+if [ -f "/etc/sysconfig/shorewall-init" ]
+then
+	. /etc/sysconfig/shorewall-init
+	if [ -z "$PRODUCTS" ]
+	then
+		exit 0
+	fi
+else
+	exit 0
+fi
+
+#
+# The installer may alter this
+#
+. /usr/share/shorewall/shorewallrc
+
+# set the STATEDIR variable
+setstatedir() {
+    local statedir
+    if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
+	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
+    fi
+
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+
+    if [ ! -x $STATEDIR/firewall ]; then
+	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	    ${SBINDIR}/$PRODUCT compile
+	fi
+    fi
+}
+
+# Initialize the firewall
+shorewall_start () {
+  local PRODUCT
+  local STATEDIR
+
+  echo -n "Initializing \"Shorewall-based firewalls\": "
+  for PRODUCT in $PRODUCTS; do
+      setstatedir
+
+      if [ -x $STATEDIR/firewall ]; then
+	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
+	      $STATEDIR/$PRODUCT/firewall stop || echo_notdone
+	  fi
+      fi
+  done
+
+  if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
+      ipset -R < "$SAVE_IPSETS"
+  fi
+
+  return 0
+}
+
+# Clear the firewall
+shorewall_stop () {
+  local PRODUCT
+  local STATEDIR
+
+  echo -n "Clearing \"Shorewall-based firewalls\": "
+  for PRODUCT in $PRODUCTS; do
+      setstatedir
+
+      if [ -x ${STATEDIR}/firewall ]; then
+	  ${STATEDIR}/firewall clear || exit 1
+      fi
+  done
+
+  if [ -n "$SAVE_IPSETS" ]; then
+      mkdir -p $(dirname "$SAVE_IPSETS")
+      if ipset -S > "${SAVE_IPSETS}.tmp"; then
+	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+      fi
+  fi
+
+  return 0
+}
+
+case "$1" in
+  start)
+     shorewall_start
+     ;;
+  stop)
+     shorewall_stop
+     ;;
+  *)
+     echo "Usage: /etc/init.d/shorewall-init {start|stop}"
+     exit 1
+esac
+
+exit 0

Shorewall-init/install.sh

@@ -160,7 +160,14 @@ else
     usage 1
 fi
 
-for var in SHAREDIR LIBEXECDIR CONFDIR SBINDIR VARDIR; do
+if [ -z "${VARLIB}" ]; then
+    VARLIB=${VARDIR}
+    VARDIR=${VARLIB}/${PRODUCT}
+elif [ -z "${VARDIR}" ]; then
+    VARDIR=${VARLIB}/${PRODUCT}
+fi
+
+for var in SHAREDIR LIBEXECDIR CONFDIR SBINDIR VARLIB VARDIR; do
     require $var
 done
 
@@ -285,6 +292,7 @@ fi
 if [ -n "$SYSTEMD" ]; then
     mkdir -p ${DESTDIR}${SYSTEMD}
     run_install $OWNERSHIP -m 600 shorewall-init.service ${DESTDIR}${SYSTEMD}/shorewall-init.service
+    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/shorewall-init.service
     echo "Service file installed as ${DESTDIR}${SYSTEMD}/shorewall-init.service"
     if [ -n "$DESTDIR" ]; then
 	mkdir -p ${DESTDIR}${SBINDIR}
@@ -297,8 +305,8 @@ fi
 #
 # Create /usr/share/shorewall-init if needed
 #
-mkdir -p ${DESTDIR}/usr/share/shorewall-init
-chmod 755 ${DESTDIR}/usr/share/shorewall-init
+mkdir -p ${DESTDIR}${SHAREDIR}/shorewall-init
+chmod 755 ${DESTDIR}${SHAREDIR}/shorewall-init
 
 #
 # Install logrotate file
@@ -311,14 +319,14 @@ fi
 #
 # Create the version file
 #
-echo "$VERSION" > ${DESTDIR}/usr/share/shorewall-init/version
-chmod 644 ${DESTDIR}/usr/share/shorewall-init/version
+echo "$VERSION" > ${DESTDIR}/${SHAREDIR}/shorewall-init/version
+chmod 644 ${DESTDIR}${SHAREDIR}/shorewall-init/version
 
 #
 # Remove and create the symbolic link to the init script
 #
 if [ -z "$DESTDIR" ]; then
-    rm -f /usr/share/shorewall-init/init
+    rm -f ${SHAREDIR}/shorewall-init/init
     ln -s ${INITDIR}/${INITFILE} ${SHAREDIR}/shorewall-init/init
 fi
 

Shorewall-lite/init.suse.sh

@@ -0,0 +1,92 @@
+#!/bin/sh
+#
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2012 - Tom Eastep (teastep@shorewall.net)
+#
+#	On most distributions, this file should be called /etc/init.d/shorewall.
+#
+#	Complete documentation is available at http://shorewall.net
+#
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of Version 2 of the GNU General Public License
+#	as published by the Free Software Foundation.
+#
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, write to the Free Software
+#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#	If an error occurs while starting or restarting the firewall, the
+#	firewall is automatically stopped.
+#
+#	Commands are:
+#
+#	   shorewall start			  Starts the firewall
+#	   shorewall restart			  Restarts the firewall
+#	   shorewall reload			  Reload the firewall
+#						  (same as restart)
+#	   shorewall stop			  Stops the firewall
+#	   shorewall status			  Displays firewall status
+#
+
+
+### BEGIN INIT INFO
+# Provides:	  shorewall-lite
+# Required-Start: $network $remote_fs
+# Required-Stop:  
+# Default-Start:  2 3 5
+# Default-Stop:	  0 1 6
+# Description:	  starts and stops the shorewall firewall
+# Short-Description: Packet filtering firewall
+### END INIT INFO
+
+################################################################################
+# Give Usage Information						       #
+################################################################################
+usage() {
+    echo "Usage: $0 start|stop|reload|restart|status"
+    exit 1
+}
+
+################################################################################
+# Get startup options (override default)
+################################################################################
+OPTIONS=
+
+#
+# The installer may alter this
+#
+. /usr/share/shorewall/shorewallrc
+
+if [ -f ${SYSCONFDIR}/shorewall-lite ]; then
+    . ${SYSCONFDIR}/shorewall-lite
+fi
+
+SHOREWALL_INIT_SCRIPT=1
+
+################################################################################
+# E X E C U T I O N    B E G I N S   H E R E				       #
+################################################################################
+command="$1"
+
+case "$command" in
+    start)
+	exec ${SBINDIR}/shorewall-lite $OPTIONS start $STARTOPTIONS
+	;;
+    restart|reload)
+	exec ${SBINDIR}/shorewall-lite $OPTIONS restart $RESTARTOPTIONS
+	;;
+    status|stop)
+	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $@
+	;;
+    *)
+	usage
+	;;
+esac

Shorewall-lite/install.sh

@@ -171,7 +171,14 @@ else
     usage 1
 fi
 
-for var in SHAREDIR LIBEXECDIRDIRDIR CONFDIR SBINDIR VARDIR; do
+if [ -z "${VARLIB}" ]; then
+    VARLIB=${VARDIR}
+    VARDIR=${VARLIB}/${PRODUCT}
+elif [ -z "${VARDIR}" ]; then
+    VARDIR=${VARLIB}/${PRODUCT}
+fi
+
+for var in SHAREDIR LIBEXECDIRDIRDIR CONFDIR SBINDIR VARLIB VARDIR; do
     require $var
 done
 
@@ -182,7 +189,6 @@ PATH=${SBINDIR}:/bin:/usr${SBINDIR}:/usr/bin:/usr/local/bin:/usr/local${SBINDIR}
 #
 cygwin=
 INSTALLD='-D'
-INITFILE=$PRODUCT
 T='-T'
 
 if [ -z "$BUILD" ]; then
@@ -253,7 +259,10 @@ case "$HOST" in
     archlinux)
 	echo "Installing ArchLinux-specific configuration..."
 	;;
-    linux|suse)
+    suse)
+	echo "Installing Suse-specific configuration..."
+	;;
+    linux)
 	;;
     *)
 	echo "ERROR: Unknown HOST \"$HOST\"" >&2
@@ -271,21 +280,11 @@ if [ -n "$DESTDIR" ]; then
 
     install -d $OWNERSHIP -m 755 ${DESTDIR}/${SBINDIR}
     install -d $OWNERSHIP -m 755 ${DESTDIR}${INITDIR}
-
-    if [ -n "$SYSTEMD" ]; then
-	mkdir -p ${DESTDIR}/lib/systemd/system
-	INITFILE=
-    fi
 else
     if [ ! -f /usr/share/shorewall/coreversion ]; then
 	echo "$PRODUCT $VERSION requires Shorewall Core which does not appear to be installed" >&2
 	exit 1
     fi
-
-    if [ -f /lib/systemd/system ]; then
-	SYSTEMD=Yes
-	INITFILE=
-    fi
 fi
 
 echo "Installing $Product Version $VERSION"
@@ -303,8 +302,8 @@ if [ -z "$DESTDIR" -a -d ${CONFDIR}/$PRODUCT ]; then
 	mv -f ${CONFDIR}/$PRODUCT/shorewall.conf ${CONFDIR}/$PRODUCT/$PRODUCT.conf
 else
     rm -rf ${DESTDIR}${CONFDIR}/$PRODUCT
-    rm -rf ${DESTDIR}/usr/share/$PRODUCT
-    rm -rf ${DESTDIR}/var/lib/$PRODUCT
+    rm -rf ${DESTDIR}${SHAREDIR}/$PRODUCT
+    rm -rf ${DESTDIR}${VARDIR}
     [ "$LIBEXECDIR" = /usr/share ] || rm -rf ${DESTDIR}/usr/share/$PRODUCT/wait4ifup ${DESTDIR}/usr/share/$PRODUCT/shorecap
 fi
 
@@ -327,9 +326,9 @@ echo "$Product control program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"
 # Create ${CONFDIR}/$PRODUCT, /usr/share/$PRODUCT and /var/lib/$PRODUCT if needed
 #
 mkdir -p ${DESTDIR}${CONFDIR}/$PRODUCT
-mkdir -p ${DESTDIR}/usr/share/$PRODUCT
+mkdir -p ${DESTDIR}${SHAREDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT
-mkdir -p ${DESTDIR}/var/lib/$PRODUCT
+mkdir -p ${DESTDIR}${VARDIR}
 
 chmod 755 ${DESTDIR}${CONFDIR}/$PRODUCT
 chmod 755 ${DESTDIR}/usr/share/$PRODUCT
@@ -354,7 +353,9 @@ fi
 # Install the .service file
 #
 if [ -n "$SYSTEMD" ]; then
+    mkdir -p ${DESTDIR}${SYSTEMD}
     run_install $OWNERSHIP -m 600 $PRODUCT.service ${DESTDIR}/${SYSTEMD}/$PRODUCT.service
+    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/$PRODUCT.service
     echo "Service file installed as ${DESTDIR}/lib/systemd/system/$PRODUCT.service"
 fi
 

Shorewall-lite/manpages/shorewall-lite.xml

@@ -337,6 +337,8 @@
 
       <arg choice="plain"><option>show</option></arg>
 
+      <arg><option>-b</option></arg>
+
       <arg><option>-x</option></arg>
 
       <arg><option>-l</option></arg>
@@ -841,6 +843,12 @@
                 Netfilter table to display. The default is <emphasis
                 role="bold">filter</emphasis>.</para>
 
+                <para>The <emphasis role="bold">-b</emphasis> ('brief') option
+                causes rules which have not been used (i.e. which have zero
+                packet and byte counts) to be omitted from the output. Chains
+                with no rules displayed are also omitted from the
+                output.</para>
+
                 <para>The <emphasis role="bold">-l</emphasis> option causes
                 the rule number for each Netfilter rule to be
                 displayed.</para>

Shorewall-lite/shorecap

@@ -53,10 +53,7 @@ g_program=shorewall-lite
 #
 . /usr/share/shorewall/shorewallrc
 
-g_libexec="$LIBEXECDIR"
 g_sharedir="$SHAREDIR"/shorewall-lite
-g_sbindir="$SBINDIR"
-g_vardir="$VARDIR"
 g_confdir="$CONFDIR"/shorewall-lite
 g_readrc=1
 

Shorewall-lite/shorewall-lite

@@ -25,17 +25,15 @@
 #       For a list of supported commands, type 'shorewall help' or 'shorewall6 help'
 #
 ################################################################################################
-g_program=shorewall-lite
+PRODUCT=shorewall-lite
 
 #
 # This is modified by the installer when ${SHAREDIR} != /usr/share
 #
 . /usr/share/shorewall/shorewallrc
 
-g_libexec="$LIBEXECDIR"
+g_program=$PRODUCT
 g_sharedir="$SHAREDIR"/shorewall-lite
-g_sbindir="$SBINDIR"
-g_vardir="$VARDIR"
 g_confdir="$CONFDIR"/shorewall-lite
 g_readrc=1
 

Shorewall-lite/shorewall-lite.service

@@ -13,8 +13,8 @@ Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall-lite
 StandardOutput=syslog
-ExecStart=/sbin/shorewall-lite $OPTIONS start
-ExecStop=/sbin/shorewall-lite $OPTIONS stop
+ExecStart=/usr/sbin/shorewall-lite $OPTIONS start
+ExecStop=/usr/sbin/shorewall-lite $OPTIONS stop
 
 [Install]
 WantedBy=multi-user.target

Shorewall/Macros/macro.Amanda

@@ -8,9 +8,16 @@
 #	files from those nodes.
 #
 ###############################################################################
+FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
+
+?if ( __CT_TARGET && ! $AUTOHELPERS && __AMANDA_HELPER )
+ PARAM	-	-	udp	10080 ; helper=amanda
+?else
  PARAM	-	-	udp	10080
+?endif
+
 PARAM	-	-	tcp	10080
 #
 # You may also need this rule.  With AMANDA 2.4.4 on Linux kernel 2.6,

Shorewall/Macros/macro.BLACKLIST

@@ -8,8 +8,8 @@
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
-?IF $BLACKLIST_LOGLEVEL
+?if $BLACKLIST_LOGLEVEL
 blacklog
-?ELSE
+?else
 $BLACKLIST_DISPOSITION
-?ENDIF
+?endif

Shorewall/Macros/macro.FTP

@@ -6,6 +6,11 @@
 #	This macro handles FTP traffic.
 #
 ###############################################################################
+FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
+?if ( __CT_TARGET && ! $AUTOHELPERS && __FTP_HELPER  )
+ PARAM	-	-	tcp	21 ; helper=ftp
+?else
  PARAM	-	-	tcp	21
+?endif

Shorewall/Macros/macro.IRC

@@ -6,6 +6,12 @@
 #	This macro handles IRC traffic (Internet Relay Chat).
 #
 ###############################################################################
+FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
+
+?if ( __CT_TARGET && ! $AUTOHELPERS && __IRC_HELPER  )
+ PARAM	-	-	tcp	6667 ; helper=irc
+?else
  PARAM	-	-	tcp	6667
+?endif

Shorewall/Macros/macro.PPtP

@@ -6,8 +6,14 @@
 #	This macro handles PPTP traffic.
 #
 ###############################################################################
+FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 PARAM	-	-	47
 PARAM	DEST	SOURCE	47
+
+?if ( __CT_TARGET && ! $AUTOHELPERS && __PPTP_HELPER )
+ PARAM	-	-	tcp	1723 ; helper=pptp
+?else
  PARAM	-	-	tcp	1723
+?endif

Shorewall/Macros/macro.Puppet

@@ -0,0 +1,12 @@
+#
+# Shorewall version 4 - Puppet Macro
+#
+# /usr/share/shorewall/macro.Puppet
+#
+#	This macro handles client-to-server for the Puppet configuration
+#	management system.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S)	PORT(S)	LIMIT	GROUP
+PARAM	-	-	tcp	8140

Shorewall/Macros/macro.SANE

@@ -6,9 +6,16 @@
 #	This macro handles SANE network scanning.
 #
 ###############################################################################
+FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
+
+?if ( __CT_TARGET && ! $AUTOHELPERS && __SANE_HELPER )
+ PARAM	-	-	tcp	6566 ; helper=sane
+?else
  PARAM	-	-	tcp	6566
+?endif
+
 #
 # Kernels 2.6.23+ has nf_conntrack_sane module which will handle
 # sane data connection.

Shorewall/Macros/macro.SIP

@@ -0,0 +1,17 @@
+#
+# Shorewall version 4 - SIP Macro
+#
+# /usr/share/shorewall/macro.SIP
+#
+#	This macro handles SIP traffic.
+#
+###############################################################################
+FORMAT 2
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S)	PORT(S)	LIMIT	GROUP
+
+?if ( __CT_TARGET && ! $AUTOHELPERS && __SIP_HELPER  )
+ PARAM	-	-	udp	5060 ; helper=sip
+?else
+ PARAM	-	-	udp	5060
+?endif

Shorewall/Macros/macro.SMB

@@ -10,9 +10,17 @@
 #	between hosts you fully trust.
 #
 ###############################################################################
+FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 PARAM	-	-	udp	135,445
+
+?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
+ PARAM	-	-	udp	137 ; helper=netbios-ns
+ PARAM	-	-	udp	138:139
+?else
  PARAM	-	-	udp	137:139
+?endif
+
 PARAM	-	-	udp	1024:	137
 PARAM	-	-	tcp	135,139,445

Shorewall/Macros/macro.SMBBI

@@ -10,13 +10,28 @@
 #	allow SMB traffic between hosts you fully trust.
 #
 ###############################################################################
+FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 PARAM	-	-	udp	135,445
+
+?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
+ PARAM	-	-	udp	137 ; helper=netbios-ns
+ PARAM	-	-	udp	138:139
+?else
  PARAM	-	-	udp	137:139
+?endif
+
 PARAM	-	-	udp	1024:	137
 PARAM	-	-	tcp	135,139,445
 PARAM	DEST	SOURCE	udp	135,445
+
+?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
+ PARAM	DEST	SOURCE	udp	137 ; helper=netbios-ns
+ PARAM	DEST	SOURCE	udp	138:139
+?else
  PARAM	DEST	SOURCE	udp	137:139
+?endif
+
 PARAM	DEST	SOURCE	udp	1024:	137
 PARAM	DEST	SOURCE	tcp	135,139,445

Shorewall/Macros/macro.SNMP

@@ -3,10 +3,17 @@
 #
 # /usr/share/shorewall/macro.SNMP
 #
-#	This macro handles SNMP traffic (including traps).
+#	This macro handles SNMP traffic.
+#
+#       Note: To allow SNMP Traps, use the SNMPTrap macro
 #
 ###############################################################################
+FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	udp	161:162
-PARAM	-	-	tcp	161
+
+?if ( __CT_TARGET && ! $AUTOHELPERS && __SNMP_HELPER )
+ PARAM	-	-  	udp     161 ; helper=snmp
+?else
+ PARAM	-	-	udp	161
+?endif

Shorewall/Macros/macro.SNMPTrap

@@ -0,0 +1,12 @@
+#
+# Shorewall version 4 - SNMP Trap Macro
+#
+# /usr/share/shorewall/macro.SNMP
+#
+#	This macro handles SNMP traps.
+#
+###############################################################################
+FORMAT 2
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S)	PORT(S)	LIMIT	GROUP
+PARAM	-	-	udp	162

Shorewall/Macros/macro.TFTP

@@ -8,6 +8,12 @@
 #	Internet.
 #
 ###############################################################################
+FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
+
+?if ( __CT_TARGET && ! $AUTOHELPERS && __TFTP_HELPER )
+ PARAM	-	-	udp	69 ; helper=tftp
+?else
  PARAM	-	-	udp	69
+?endif

Shorewall/Macros/macro.Teredo

@@ -0,0 +1,11 @@
+#
+# Shorewall version 4 - Teredo Macro
+#
+# /usr/share/shorewall/macro.Teredo
+#
+#	This macro handles Teredo IPv6 over UDP tunneling traffic
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S)	PORT(S)	LIMIT	GROUP
+PARAM	-	-	udp	3544

Shorewall/Macros/macro.template

@@ -71,9 +71,17 @@
 #	Remaining		Any value in the rules file REPLACES the value
 #	columns			given in the macro file.
 #
+# Multiple parameters may be passed to a macro. Within this file, $1 refers to the first parameter,
+# $2 to the second an so on. $1 is a synonym for PARAM but may be used anywhere in the file whereas
+# PARAM may only be used in the ACTION column.
+#
+# You can specify default values for parameters by using DEFAULT or DEFAULTS entry:
+#
+#      DEFAULTS  <default for $1>,<default for $2>,...
+#
 #######################################################################################################
 #                                         DO NOT REMOVE THE FOLLOWING LINE
 FORMAT 2
-####################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS
+#################################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH        HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP

Shorewall/Perl/Shorewall/Accounting.pm

@@ -236,6 +236,11 @@ sub process_accounting_rule( ) {
 	    }
 	} elsif ( $action =~ /^NFLOG/ ) {
 	    $target = validate_level $action;
+	} elsif ( $action =~ /^NFACCT\((\w+)\)$/ ) {
+	    require_capability 'NFACCT_MATCH', 'The NFACCT action', 's';
+	    $nfobjects{$1} = 1;
+	    $target = '';
+	    $rule .= "-m nfacct --nfacct-name $1 ";
 	} else {
 	    ( $action, my $cmd ) = split /:/, $action;
 

Shorewall/Perl/Shorewall/Chains.pm

@@ -36,7 +36,7 @@ use Shorewall::IPAddrs;
 use strict;
 
 our @ISA = qw(Exporter);
-our @EXPORT = qw(
+our @EXPORT = ( qw(
 		    DONT_OPTIMIZE
 		    DONT_DELETE
 		    DONT_MOVE
@@ -79,13 +79,13 @@ our @EXPORT = qw(
 		    add_interface_options
 
 		    %chain_table
-		    %helpers
 		    %targets
 		    $raw_table
 		    $rawpost_table
 		    $nat_table
 		    $mangle_table
 		    $filter_table
+		)
 	      );
 
 our %EXPORT_TAGS = (
@@ -98,10 +98,13 @@ our %EXPORT_TAGS = (
 				       ACTION
 				       MACRO
 				       LOGRULE
+				       NFLOG
 				       NFQ
 				       CHAIN
 				       SET
 				       AUDIT
+				       HELPER
+				       INLINE
 				       NO_RESTRICT
 				       PREROUTE_RESTRICT
 				       DESTIFACE_DISALLOW
@@ -116,6 +119,7 @@ our %EXPORT_TAGS = (
 				       OPTIMIZE_RULESET_MASK
 				       OPTIMIZE_MASK
 
+				       state_match
 				       state_imatch
 				       initialize_chain_table
 				       copy_rules
@@ -225,6 +229,7 @@ our %EXPORT_TAGS = (
 				       handle_network_list
 				       expand_rule
 				       addnatjump
+				       split_host_list
 				       set_chain_variables
 				       mark_firewall_not_started
 				       mark_firewall6_not_started
@@ -238,12 +243,15 @@ our %EXPORT_TAGS = (
 				       set_global_variables
 				       save_dynamic_chains
 				       load_ipsets
+				       create_nfobjects
 				       create_netfilter_load
 				       preview_netfilter_load
 				       create_chainlist_reload
 				       create_stop_load
+				       initialize_switches
 				       %targets
 				       %dscpmap
+				       %nfobjects
 				     ) ],
 		   );
 
@@ -329,11 +337,11 @@ our $rawpost_table;
 our $nat_table;
 our $mangle_table;
 our $filter_table;
-our %helpers;
 my  $comment;
 my  @comments;
 my  $export;
 my  %renamed;
+our %nfobjects;
 
 #
 # Target Types
@@ -351,6 +359,9 @@ use constant { STANDARD => 1,              #defined by Netfilter
 	       CHAIN    => 1024,           #Manual Chain
 	       SET      => 2048,           #SET
 	       AUDIT    => 4096,           #A_ACCEPT, etc
+	       HELPER   => 8192,           #CT:helper
+	       NFLOG    => 16384,          #NFLOG or ULOG
+	       INLINE   => 32768,          #Inline action
 	   };
 #
 # Valid Targets -- value is a combination of one or more of the above
@@ -593,6 +604,8 @@ my %isocodes;
 
 use constant { ISODIR => '/usr/share/xt_geoip/LE' };
 
+my %switches;
+
 #
 # Rather than initializing globals in an INIT block or during declaration,
 # we initialize them in a function. This is done for two reasons:
@@ -651,18 +664,9 @@ sub initialize( $$$ ) {
 
     %ipset_exists       = ();
 
-    %helpers = ( amanda          => TCP,
-		 ftp             => TCP,
-		 h323            => UDP,
-		 irc             => TCP,
-		 netbios_ns      => UDP,
-		 pptp            => TCP,
-		 sane            => TCP,
-		 sip             => UDP,
-		 snmp            => UDP,
-		 tftp            => UDP);
-
     %isocodes  = ();
+    %nfobjects = ();
+    %switches  = ();
 
     #
     # The chain table is initialized via a call to initialize_chain_table() after the configuration and capabilities have been determined.
@@ -721,7 +725,7 @@ sub set_comment( $ ) {
 sub macro_comment( $ ) {
     my $macro = $_[0];
 
-    $comment = $macro unless $comment || ! ( have_capability( 'COMMENTS' ) && $config{AUTO_COMMENT} );
+    $comment = $macro unless $comment || ! ( have_capability( 'COMMENTS' ) && $config{AUTOCOMMENT} );
 }
 
 #
@@ -957,8 +961,10 @@ sub compatible( $$ ) {
 	    }
 	}
     }
-
-    return 1;
+    #
+    # Don't combine chains where each specifies '-m policy'
+    #
+    return ! ( $ref1->{policy} && $ref2->{policy} );
 }
 
 #
@@ -1880,7 +1886,7 @@ sub dnat_chain( $ )
 #
 sub notrack_chain( $ )
 {
-    $_[0] . '_notrk';
+    $_[0] . '_ctrk';
 }
 
 #
@@ -2443,11 +2449,16 @@ sub require_audit($$;$) {
 sub get_action_logging() {
     my $chainref = get_action_chain;
     my $wholeaction = $chainref->{action};
+
+    if ( $wholeaction ) {
 	my ( undef, $level, $tag, undef ) = split ':', $wholeaction;
 
 	$level = '' if $level =~ /^none/;
 
 	( $level, $tag );
+    } else {
+	( '' , '' );
+    }
 }
 
 #
@@ -2467,6 +2478,7 @@ sub initialize_chain_table($) {
 		    'A_ACCEPT'        => STANDARD  + AUDIT,
 		    'A_ACCEPT+'       => STANDARD  + NONAT + AUDIT,
 		    'NONAT'           => STANDARD  + NONAT + NATONLY,
+		    'AUDIT'           => STANDARD  + AUDIT,
 		    'DROP'            => STANDARD,
 		    'DROP!'           => STANDARD,
 		    'A_DROP'          => STANDARD + AUDIT,
@@ -2485,15 +2497,18 @@ sub initialize_chain_table($) {
 		    'COUNT'           => STANDARD,
 		    'QUEUE'           => STANDARD,
 		    'QUEUE!'          => STANDARD,
+		    'NFLOG'           => STANDARD + LOGRULE + NFLOG,
 		    'NFQUEUE'         => STANDARD + NFQ,
 		    'NFQUEUE!'        => STANDARD + NFQ,
+		    'ULOG'            => STANDARD + LOGRULE + NFLOG,
 		    'ADD'             => STANDARD + SET,
 		    'DEL'             => STANDARD + SET,
-		    'WHITELIST'       => STANDARD
+		    'WHITELIST'       => STANDARD,
+		    'HELPER'          => STANDARD + HELPER + NATONLY, #Actually RAWONLY
 		   );
 
 	for my $chain ( qw(OUTPUT PREROUTING) ) {
-	    new_builtin_chain 'raw', $chain, 'ACCEPT';
+	    new_builtin_chain( 'raw', $chain, 'ACCEPT' )->{insert} = 0;
 	}
 
 	new_builtin_chain 'rawpost', 'POSTROUTING', 'ACCEPT';
@@ -2521,24 +2536,35 @@ sub initialize_chain_table($) {
 	#
 	%targets = ('ACCEPT'          => STANDARD,
 		    'ACCEPT!'         => STANDARD,
+		    'AUDIT'           => STANDARD  + AUDIT,
+		    'A_ACCEPT'        => STANDARD  + AUDIT,
 		    'DROP'            => STANDARD,
 		    'DROP!'           => STANDARD,
+		    'A_DROP'          => STANDARD + AUDIT,
+		    'A_DROP!'         => STANDARD + AUDIT,
 		    'REJECT'          => STANDARD,
 		    'REJECT!'         => STANDARD,
+		    'A_REJECT'        => STANDARD + AUDIT,
+		    'A_REJECT!'       => STANDARD + AUDIT,
 		    'LOG'             => STANDARD + LOGRULE,
 		    'CONTINUE'        => STANDARD,
 		    'CONTINUE!'       => STANDARD,
 		    'COUNT'           => STANDARD,
 		    'QUEUE'           => STANDARD,
 		    'QUEUE!'          => STANDARD,
+		    'NFLOG'           => STANDARD + LOGRULE + NFLOG,
 		    'NFQUEUE'         => STANDARD + NFQ,
 		    'NFQUEUE!'        => STANDARD + NFQ,
+		    'ULOG'            => STANDARD + LOGRULE + NFLOG,
 		    'ADD'             => STANDARD + SET,
 		    'DEL'             => STANDARD + SET,
+		    'WHITELIST'       => STANDARD,
+		    'HELPER'          => STANDARD + HELPER + NATONLY, #Actually RAWONLY
 		   );
 
 	for my $chain ( qw(OUTPUT PREROUTING) ) {
-	    new_builtin_chain 'raw', $chain, 'ACCEPT';
+	    new_builtin_chain( 'raw', $chain, 'ACCEPT' )->{insert} = 0;
+	    
 	}
 
 	new_builtin_chain 'rawpost', 'POSTROUTING', 'ACCEPT';
@@ -2895,7 +2921,7 @@ sub optimize_level4( $$ ) {
 			#
 			# Not so easy -- the rule contains matches
 			#
-			if ( $chainref->{builtin} || ! $globals{KLUDGEFREE} ) {
+			if ( $chainref->{builtin} || ! $globals{KLUDGEFREE} || $firstrule->{policy} ) {
 			    #
 			    # This case requires a new rule merging algorithm. Ignore this chain for
 			    # now on.
@@ -2988,6 +3014,57 @@ sub optimize_level4( $$ ) {
 	}
     }
 
+    #
+    # Identify short chains with a single reference and replace the reference with the chain rules
+    #
+    my @chains  = grep ( $_->{referenced}   &&
+			 ! $_->{optflags}   &&
+			 @{$_->{rules}} < 4 &&
+			 keys %{$_->{references}} == 1 , values %$tableref );
+
+    if ( my $chains  = @chains ) {
+	$passes++;
+
+	progress_message "\n Table $table pass $passes, $chains short chains, level 4b...";
+
+	for my $chainref ( @chains ) {
+	    my $name = $chainref->{name};
+	    for my $sourceref ( map $tableref->{$_}, keys %{$chainref->{references}} ) {
+		my $name1 = $sourceref->{name};
+
+		if ( $chainref->{references}{$name1} == 1 ) {
+		    my $rulenum  = 0;
+		    my $rulesref = $sourceref->{rules};
+		    my $rules    = @{$chainref->{rules}};
+
+		    for ( @$rulesref ) {
+			if ( $_->{simple} && ( $_->{target} || '' ) eq $name ) {
+			    trace( $sourceref, 'D', $rulenum  + 1, $_ ) if $debug;
+			    splice @$rulesref, $rulenum, 1, @{$chainref->{rules}};
+			    while ( my $ruleref = shift @{$chainref->{rules}} ) {
+				trace ( $sourceref, 'I', $rulenum++, $ruleref ) if $debug;
+				my $target = $ruleref->{target};
+
+				if ( $target && ( my $targetref = $tableref->{$target} ) ) {
+				    #
+				    # The rule target is a chain
+				    #
+				    add_reference( $sourceref, $targetref );
+				    delete_reference( $chainref, $targetref );
+				}
+			    }
+
+			    delete $chainref->{references}{$name1};
+			    delete_chain $chainref;
+			    last;
+			}
+			$rulenum++;
+		    }
+		}
+	    }
+	}
+    }
+
     $passes;
 }
 
@@ -3008,6 +3085,8 @@ sub optimize_level8( $$$ ) {
 
     progress_message "\n Table $table pass $passes, $chains referenced user chains, level 8...";
 
+    %renamed = ();
+
     for my $chainref ( @chains ) {
 	my $digest = '';
 
@@ -3291,6 +3370,103 @@ sub combine_dports {
     \@rules;
 }
 
+#
+# When suppressing duplicate rules, care must be taken to avoid suppressing non-adjacent duplicates 
+# using any of these matches, because an intervening rule could modify the result of the match
+# of the second duplicate
+#
+my %bad_match = ( conntrack => 1, 
+		  dscp      => 1,
+		  ecn       => 1,
+		  mark      => 1,
+		  set       => 1,
+		  tos       => 1,
+		  u32       => 1 );
+#
+# Delete duplicate rules from the passed chain.
+#
+#   The arguments are a reference to the chain followed by references to each 
+#   of its rules.
+#
+sub delete_duplicates {
+    my @rules;
+    my $chainref  = shift;
+    my $lastrule  = @_;
+    my $baseref   = pop;
+    my $ruleref;
+
+    while ( @_ ) {
+	my $docheck;
+	my $duplicate = 0;
+
+	if ( $baseref->{mode} == CAT_MODE ) {
+	    my $ports1;
+	    my @keys1    = sort( keys( %$baseref ) );
+	    my $rulenum  = @_;
+	    my $adjacent = 1;
+		
+	    {
+	      RULE:
+
+		while ( --$rulenum >= 0 ) {
+		    $ruleref = $_[$rulenum];
+
+		    last unless $ruleref->{mode} == CAT_MODE;
+
+		    my @keys2 = sort(keys( %$ruleref ) );
+
+		    next unless @keys1 == @keys2 ;
+
+		    my $keynum = 0;
+
+		    if ( $adjacent > 0 ) {
+			#
+			# There are no non-duplicate rules between this rule and the base rule
+			#
+			for my $key ( @keys1 ) {
+			    next RULE unless $key eq $keys2[$keynum++];
+			    next RULE unless compare_values( $baseref->{$key}, $ruleref->{$key} );
+			}
+		    } else {
+			#
+			# There are non-duplicate rules between this rule and the base rule
+			#
+			for my $key ( @keys1 ) {
+			    next RULE unless $key eq $keys2[$keynum++];
+			    next RULE unless compare_values( $baseref->{$key}, $ruleref->{$key} );
+			    last RULE if $bad_match{$key};
+			}
+		    }
+		    #
+		    # This rule is a duplicate
+		    #
+		    $duplicate = 1;
+		    #
+		    # Increment $adjacent so that the continue block won't set it to zero
+		    #
+		    $adjacent++;
+
+		} continue {
+		    $adjacent--;
+		}
+	    }
+	}
+
+	if ( $duplicate ) {
+	    trace( $chainref, 'D', $lastrule, $baseref ) if $debug;
+	} else {
+	    unshift @rules, $baseref;
+	}
+
+	$baseref = pop @_;
+	$lastrule--;
+    }
+
+    unshift @rules, $baseref if $baseref;
+
+    \@rules;
+}
+
 sub optimize_level16( $$$ ) {
     my ( $table, $tableref , $passes ) = @_;
     my @chains   = ( grep $_->{referenced}, values %{$tableref} );
@@ -3300,10 +3476,16 @@ sub optimize_level16( $$$ ) {
     progress_message "\n Table $table pass $passes, $chains referenced user chains, level 16...";
 
     for my $chainref ( @chains ) {
-	$chainref->{rules} = combine_dports( $chainref, @{$chainref->{rules}} );
+	$chainref->{rules} = delete_duplicates( $chainref, @{$chainref->{rules}} );
     }
 
     $passes++;
+    
+    for my $chainref ( @chains ) {
+	$chainref->{rules} = combine_dports( $chainref, @{$chainref->{rules}} );
+    }
+
+    ++$passes;
 }
 
 #
@@ -3316,7 +3498,7 @@ sub valid_tables() {
     push @table_list, 'rawpost' if have_capability( 'RAWPOST_TABLE' );
     push @table_list, 'nat'     if have_capability( 'NAT_ENABLED' );
     push @table_list, 'mangle'  if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
-    push @table_list, 'filter';
+    push @table_list, 'filter'; #MUST BE LAST!!!
 
     @table_list;
 }
@@ -3492,7 +3674,7 @@ sub source_exclusion( $$ ) {
 
     my $table = reftype $target ? $target->{table} : 'filter';
 
-    my $chainref = new_chain( $table , newexclusionchain( $table ) );
+    my $chainref = dont_move new_chain( $table , newexclusionchain( $table ) );
 
     add_ijump( $chainref, j => 'RETURN', imatch_source_net( $_ ) ) for @$exclusions;
     add_ijump( $chainref, g => $target );
@@ -3512,9 +3694,9 @@ sub source_iexclusion( $$$$$;@ ) {
 
     if ( $source =~ /^([^!]+)!([^!]+)$/ ) {
 	$source = $1;
-	@exclusion = mysplit( $2 );
+	@exclusion = split_host_list( $2 );
 
-	my $chainref1 = new_chain( $table , newexclusionchain( $table ) );
+	my $chainref1 = dont_move new_chain( $table , newexclusionchain( $table ) );
 
 	add_ijump( $chainref1 , j => 'RETURN', imatch_source_net( $_ ) ) for @exclusion;
 
@@ -3543,7 +3725,7 @@ sub dest_exclusion( $$ ) {
 
     my $table = reftype $target ? $target->{table} : 'filter';
 
-    my $chainref = new_chain( $table , newexclusionchain( $table ) );
+    my $chainref = dont_move new_chain( $table , newexclusionchain( $table ) );
 
     add_ijump( $chainref, j => 'RETURN', imatch_dest_net( $_ ) ) for @$exclusions;
     add_ijump( $chainref, g => $target );
@@ -3563,9 +3745,9 @@ sub dest_iexclusion( $$$$$;@ ) {
 
     if ( $dest =~ /^([^!]+)!([^!]+)$/ ) {
 	$dest = $1;
-	@exclusion = mysplit( $2 );
+	@exclusion = split_host_list( $2 );
 
-	my $chainref1 = new_chain( $table , newexclusionchain( $table ) );
+	my $chainref1 = dont_move new_chain( $table , newexclusionchain( $table ) );
 
 	add_ijump( $chainref1 , j => 'RETURN', imatch_dest_net( $_ ) ) for @exclusion;
 
@@ -3597,6 +3779,16 @@ sub port_count( $ ) {
 #
 # Generate a state match
 #
+sub state_match( $ ) {
+    my $state = shift;
+
+    if ( $state eq 'ALL' ) {
+	''
+    } else {
+	have_capability 'CONNTRACK_MATCH' ? ( "-m conntrack --ctstate $state " ) : ( "-m state --state $state " );
+    }
+}
+
 sub state_imatch( $ ) {
     my $state = shift;
 
@@ -4208,7 +4400,7 @@ sub do_user( $ ) {
 
     require_capability 'OWNER_MATCH', 'A non-empty USER column', 's';
 
-    assert ( $user =~ /^(!)?(.*?)(:(.*))?$/ );
+    assert( $user =~ /^(!)?(.*?)(:(.+))?$/ );
     my $invert = $1 ? '! ' : '';
     my $group  = supplied $4 ? $4 : '';
 
@@ -4334,10 +4526,20 @@ sub validate_helper( $;$ ) {
 	#
 	#  Recognized helper
 	#
+	my $capability      = $helpers_map{$helper};
+	my $external_helper = lc $capability;
+	
+	$external_helper =~ s/_helper//;
+	$external_helper =~ s/_/-/;
+
+	fatal_error "The $external_helper helper is not enabled" unless $helpers_enabled{$external_helper};
+	
 	if ( supplied $proto ) {
+	    require_capability $helpers_map{$helper}, "Helper $helper", 's';
+
 	    my $protonum = -1;
 
-	    fatal_error "Unknown PROTO ($protonum)" unless defined ( $protonum = resolve_proto( $proto ) );
+	    fatal_error "Unknown PROTO ($proto)" unless defined ( $protonum = resolve_proto( $proto ) );
 
 	    unless ( $protonum == $helper_proto ) {
 		fatal_error "The $helper_base helper requires PROTO=" . (proto_name $helper_proto );
@@ -4358,7 +4560,7 @@ sub do_helper( $ ) {
 
     validate_helper( $helper );
 
-    qq(-m helper --helper "$helper" ) if defined wantarray;
+    qq(-m helper --helper "$helpers_aliases{$helper}" ) if defined wantarray;
 }
 
 
@@ -4468,17 +4670,37 @@ sub do_probability( $ ) {
 #
 # Generate a -m condition match
 #
-sub do_condition( $ ) {
-    my $condition = shift;
+sub do_condition( $$ ) {
+    my ( $condition, $chain ) = @_;
 
     return '' if $condition eq '-';
 
     my $invert = $condition =~ s/^!// ? '! ' : '';
 
+    my $initialize;
+
+    $initialize = $1 if $condition =~ s/(?:=([01]))?$//;
+
     require_capability 'CONDITION_MATCH', 'A non-empty SWITCH column', 's';
+
+    $chain =~ s/[^\w-]//g;
+    #                          $1    $2      -     $3
+    while ( $condition =~ m( ^(.*?) @({)?0(?(2)}) (.*)$ )x ) {
+	$condition = join( '', $1, $chain, $3 );
+    }
+
     fatal_error "Invalid switch name ($condition)" unless $condition =~ /^[a-zA-Z][-\w]*$/ && length $condition <= 30;
 
+    if ( defined $initialize ) {
+	if ( my $switchref = $switches{$condition} ) {
+	    fatal_error "Switch $condition was previously initialized to $switchref->{setting} at $switchref->{where}" unless $switchref->{setting} == $initialize;
+	} else {
+	    $switches{$condition} = { setting => $initialize, where => currentlineinfo };
+	}
+    }
+
     "-m condition ${invert}--condition $condition "
+	
 }
 
 #
@@ -4651,7 +4873,7 @@ sub get_set_flags( $$ ) {
 	}
     }
 
-    fatal_error "Invalid ipset name ($setname)" unless $setname =~ /^(6_)?[a-zA-Z]\w*/;
+    fatal_error "Invalid ipset name ($setname)" unless $setname =~ /^(6_)?[a-zA-Z][-\w]*/;
 
     have_capability 'OLD_IPSET_MATCH' ? "--set $setname $options " : "--match-set $setname $options ";
 
@@ -4737,7 +4959,7 @@ sub load_isocodes() {
     $isocodes{substr(basename($_),0,2)} = 1 for @codes;
 }
 
-sub mysplit( $;$ );
+sub split_host_list( $;$ );
 
 #
 # Match a Source.
@@ -4767,12 +4989,12 @@ sub match_source_net( $;$\$ ) {
 
     if ( $net =~ /^\+\[(.+)\]$/ ) {
 	my $result = '';
-	my @sets = mysplit $1, 1;
+	my @sets = split_host_list $1, 1;
 
 	fatal_error "Multiple ipset matches require the Repeat Match capability in your kernel and iptables" unless $globals{KLUDGEFREE};
 
 	for $net ( @sets ) {
-	    fatal_error "Expected ipset name ($net)" unless $net =~ /^(!?)(\+?)[a-zA-Z][-\w]*(\[.*\])?/;
+	    fatal_error "Expected ipset name ($net)" unless $net =~ /^(!?)(\+?)(6_)?[a-zA-Z][-\w]*(\[.*\])?/;
 	    $result .= join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'src' ) );
 	}
 
@@ -4802,7 +5024,7 @@ sub match_source_net( $;$\$ ) {
 	    return '! -s ' . record_runtime_address $1, $2;
 	}
 
-	validate_net $net, 1;
+	$net = validate_net $net, 1;
 	return "! -s $net ";
     }
 
@@ -4810,7 +5032,7 @@ sub match_source_net( $;$\$ ) {
 	return '-s ' . record_runtime_address $1, $2;
     }
 
-    validate_net $net, 1;
+    $net = validate_net $net, 1;
     $net eq ALLIP ? '' : "-s $net ";
 }
 
@@ -4840,12 +5062,12 @@ sub imatch_source_net( $;$\$ ) {
 
     if ( $net =~ /^\+\[(.+)\]$/ ) {
 	my @result = ();
-	my @sets = mysplit $1, 1;
+	my @sets = split_host_list $1, 1;
 
 	fatal_error "Multiple ipset matches requires the Repeat Match capability in your kernel and iptables" unless $globals{KLUDGEFREE};
 
 	for $net ( @sets ) {
-	    fatal_error "Expected ipset name ($net)" unless $net =~ /^(!?)(\+?)[a-zA-Z][-\w]*(\[.*\])?/;
+	    fatal_error "Expected ipset name ($net)" unless $net =~ /^(!?)(\+?)(6_)?[a-zA-Z][-\w]*(\[.*\])?/;
 	    push @result , ( set => join( '', $1 ? '! ' : '', get_set_flags( $net, 'src' ) ) );
 	}
 
@@ -4875,7 +5097,7 @@ sub imatch_source_net( $;$\$ ) {
 	    return  ( s => '! ' . record_runtime_address( $1, $2, 1 ) );
 	}
 
-	validate_net $net, 1;
+	$net = validate_net $net, 1;
 	return ( s => "! $net " );
     }
 
@@ -4883,7 +5105,7 @@ sub imatch_source_net( $;$\$ ) {
 	return ( s =>  record_runtime_address( $1, $2, 1 ) );
     }
 
-    validate_net $net, 1;
+    $net = validate_net $net, 1;
     $net eq ALLIP ? () : ( s => $net );
 }
 
@@ -4909,12 +5131,12 @@ sub match_dest_net( $;$ ) {
 
     if ( $net =~ /^\+\[(.+)\]$/ ) {
 	my $result = '';
-	my @sets = mysplit $1, 1;
+	my @sets = split_host_list $1, 1;
 
 	fatal_error "Multiple ipset matches requires the Repeat Match capability in your kernel and iptables" unless $globals{KLUDGEFREE};
 
 	for $net ( @sets ) {
-	    fatal_error "Expected ipset name ($net)" unless $net =~ /^(!?)(\+?)[a-zA-Z][-\w]*(\[.*\])?/;
+	    fatal_error "Expected ipset name ($net)" unless $net =~ /^(!?)(\+?)(6_)?[a-zA-Z][-\w]*(\[.*\])?/;
 	    $result .= join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'dst' ) );
 	}
 
@@ -4944,7 +5166,7 @@ sub match_dest_net( $;$ ) {
 	    return '! -d ' . record_runtime_address $1, $2;
 	}
 
-	validate_net $net, 1;
+	$net = validate_net $net, 1;
 	return "! -d $net ";
     }
 
@@ -4952,7 +5174,7 @@ sub match_dest_net( $;$ ) {
 	return '-d ' . record_runtime_address $1, $2;
     }
 
-    validate_net $net, 1;
+    $net = validate_net $net, 1;
     $net eq ALLIP ? '' : "-d $net ";
 }
 
@@ -4976,12 +5198,12 @@ sub imatch_dest_net( $;$ ) {
 
     if ( $net =~ /^\+\[(.+)\]$/ ) {
 	my @result;
-	my @sets = mysplit $1, 1;
+	my @sets = split_host_list $1, 1;
 
 	fatal_error "Multiple ipset matches requires the Repeat Match capability in your kernel and iptables" unless $globals{KLUDGEFREE};
 
 	for $net ( @sets ) {
-	    fatal_error "Expected ipset name ($net)" unless $net =~ /^(!?)(\+?)[a-zA-Z][-\w]*(\[.*\])?/;
+	    fatal_error "Expected ipset name ($net)" unless $net =~ /^(!?)(\+?)(6_)?[a-zA-Z][-\w]*(\[.*\])?/;
 	    push @result , ( set => join( '', $1 ? '! ' : '', get_set_flags( $net, 'dst' ) ) );
 	}
 
@@ -5011,7 +5233,7 @@ sub imatch_dest_net( $;$ ) {
 	    return ( d => '! ' . record_runtime_address( $1, $2, 1 ) );
 	}
 
-	validate_net $net, 1;
+	$net = validate_net $net, 1;
 	return ( d => "! $net " );
     }
 
@@ -5019,7 +5241,7 @@ sub imatch_dest_net( $;$ ) {
 	return ( d => record_runtime_address( $1, $2, 1 ) );
     }
 
-    validate_net $net, 1;
+    $net = validate_net $net, 1;
     $net eq ALLIP ? () : ( d =>  $net );
 }
 
@@ -5036,7 +5258,7 @@ sub match_orig_dest ( $ ) {
 	if ( $net =~ /^&(.+)/ ) {
 	    $net = record_runtime_address '&', $1;
 	} else {
-	    validate_net $net, 1;
+	    $net = validate_net $net, 1;
 	}
 
 	have_capability( 'OLD_CONNTRACK_MATCH' ) ? "-m conntrack --ctorigdst ! $net " : "-m conntrack ! --ctorigdst $net ";
@@ -5044,7 +5266,7 @@ sub match_orig_dest ( $ ) {
 	if ( $net =~ /^&(.+)/ ) {
 	    $net = record_runtime_address '&', $1;
 	} else {
-	    validate_net $net, 1;
+	    $net = validate_net $net, 1;
 	}
 
 	$net eq ALLIP ? '' : "-m conntrack --ctorigdst $net ";
@@ -5289,7 +5511,7 @@ sub addnatjump( $$;@ ) {
 # Split a comma-separated source or destination host list but keep [...] together. Used for spliting address lists
 # where an element of the list might be +ipset[flag,...] or +[ipset[flag,...],...]
 #
-sub mysplit( $;$ ) {
+sub split_host_list( $;$ ) {
     my ( $input, $loose ) = @_;
 
     my @input = split_list $input, 'host';
@@ -5406,6 +5628,7 @@ sub set_chain_variables() {
     } else {
 	emit 'IPSET=ipset';
     }
+
 }
 
 #
@@ -5729,7 +5952,7 @@ sub handle_network_list( $$ ) {
     my $nets = '';
     my $excl = '';
 
-    my @nets = mysplit $list;
+    my @nets = split_host_list $list;
 
     for ( @nets ) {
 	if ( /!/ ) {
@@ -5764,17 +5987,19 @@ sub isolate_source_interface( $ ) {
     my ( $iiface, $inets );
 
     if ( $family == F_IPV4 ) {
-	if ( $source =~ /^~/ ) {
-	    $inets = $source;
-	} elsif ( $source =~ /^(.+?):(.+)$/ ) {
+	if ( $source =~ /^(.+?):(.+)$/ ) {
 	    $iiface = $1;
 	    $inets  = $2;
-	} elsif ( $source =~ /\+|&|~|\..*\./ || $source =~ /^!?\^/ ) {
+	} elsif ( $source =~ /^!?(?:\+|&|~|\^|\d+\.)/ ) {
 	    $inets = $source;
 	} else {
 	    $iiface = $source;
 	}
-    } elsif  ( $source =~ /^(.+?):<(.+)>\s*$/ || $source =~ /^(.+?):\[(.+)\]\s*$/ || $source =~ /^(.+?):(!?\+.+)$/ ) {
+    } elsif  ( $source =~ /^(.+?):<(.+)>\s*$/   ||
+	       $source =~ /^(.+?):\[(.+)\]\s*$/ ||
+	       $source =~ /^(.+?):(!?\+.+)$/    ||
+	       $source =~ /^(.+?):(\[.+\]\/(?:\d+))\s*$/
+	     ) {
 	$iiface = $1;
 	$inets  = $2;
     } elsif ( $source =~ /:/ ) {
@@ -5874,12 +6099,16 @@ sub isolate_dest_interface( $$$$ ) {
 	if ( $dest =~ /^(.+?):(.+)$/ ) {
 	    $diface = $1;
 	    $dnets  = $2;
-	} elsif ( $dest =~ /\+|&|%|~|\..*\./ || $dest =~ /^!?\^/ ) {
+	} elsif ( $dest =~ /^!?(?:\+|&|%|~|\^|\d+\.)/ ) {
 	    $dnets = $dest;
 	} else {
 	    $diface = $dest;
 	}
-    } elsif ( $dest =~ /^(.+?):<(.+)>\s*$/ || $dest =~ /^(.+?):\[(.+)\]\s*$/ || $dest =~ /^(.+?):(!?\+.+)$/ ) {
+    } elsif ( $dest =~ /^(.+?):<(.+)>\s*$/   || 
+	      $dest =~ /^(.+?):\[(.+)\]\s*$/ ||
+	      $dest =~ /^(.+?):(!?\+.+)$/    ||
+	      $dest =~ /^(.+?):(\[.+\]\/(?:\d+))\s*$/
+	    ) {
 	$diface = $1;
 	$dnets  = $2;
     } elsif ( $dest =~ /:/ ) {
@@ -5923,7 +6152,7 @@ sub verify_dest_interface( $$$$ ) {
 	    if ( $chainref->{accounting} ) {
 		fatal_error "Destination Interface ($diface) not allowed in the $chainref->{name} chain";
 	    } else {
-		fatal_error "Destination Interface ($diface) not allowed in the mangle OUTPUT chain";
+		fatal_error "Destination Interface ($diface) not allowed in the $chainref->{table} OUTPUT chain";
 	    }
 	}
 
@@ -5993,7 +6222,7 @@ sub handle_original_dest( $$$ ) {
 	}
 
 	unless ( $onets ) {
-	    my @oexcl = mysplit $oexcl;
+	    my @oexcl = split_host_list $oexcl;
 	    if ( @oexcl == 1 ) {
 		$rule .= match_orig_dest( "!$oexcl" );
 		$oexcl = '';
@@ -6044,19 +6273,19 @@ sub handle_exclusion( $$$$$$$$$$$$$$$$$$ ) {
 	#
 	my $exclude = '-j MARK --or-mark ' . in_hex( $globals{EXCLUSION_MASK} );
 
-	for ( mysplit $iexcl ) {
+	for ( split_host_list $iexcl ) {
 	    my $cond = conditional_rule( $chainref, $_ );
 	    add_rule $chainref, ( match_source_net $_ , $restriction, $mac ) . $exclude;
 	    conditional_rule_end( $chainref ) if $cond;
 	}
 
-	for ( mysplit $dexcl ) {
+	for ( split_host_list $dexcl ) {
 	    my $cond = conditional_rule( $chainref, $_ );
 	    add_rule $chainref, ( match_dest_net $_, $restriction ) . $exclude;
 	    conditional_rule_end( $chainref ) if $cond;
 	}
 
-	for ( mysplit $oexcl ) {
+	for ( split_host_list $oexcl ) {
 	    my $cond = conditional_rule( $chainref, $_ );
 	    add_rule $chainref, ( match_orig_dest $_ ) . $exclude;
 	    conditional_rule_end( $chainref ) if $cond;
@@ -6077,19 +6306,19 @@ sub handle_exclusion( $$$$$$$$$$$$$$$$$$ ) {
 	#
 	# Use the current rule and send all possible matches to the exclusion chain
 	#
-	for my $onet ( mysplit $onets ) {
+	for my $onet ( split_host_list $onets ) {
 
 	    my $cond = conditional_rule( $chainref, $onet );
 
 	    $onet = match_orig_dest $onet;
 
-	    for my $inet ( mysplit $inets ) {
+	    for my $inet ( split_host_list $inets ) {
 
 		my $cond = conditional_rule( $chainref, $inet );
 
 		my $source_match = match_source_net( $inet, $restriction, $mac ) if $globals{KLUDGEFREE};
 
-		for my $dnet ( mysplit $dnets ) {
+		for my $dnet ( split_host_list $dnets ) {
 		    $source_match = match_source_net( $inet, $restriction, $mac ) unless $globals{KLUDGEFREE};
 		    add_expanded_jump( $chainref, $echainref, 0, join( '', $rule, $source_match, match_dest_net( $dnet, $restriction ), $onet ) );
 		}
@@ -6102,19 +6331,19 @@ sub handle_exclusion( $$$$$$$$$$$$$$$$$$ ) {
 	#
 	# Generate RETURNs for each exclusion
 	#
-	for ( mysplit $iexcl ) {
+	for ( split_host_list $iexcl ) {
 	    my $cond = conditional_rule( $echainref, $_ );
 	    add_rule $echainref, ( match_source_net $_ , $restriction, $mac ) . '-j RETURN';
 	    conditional_rule_end( $echainref ) if $cond;
 	}
 
-	for ( mysplit $dexcl ) {
+	for ( split_host_list $dexcl ) {
 	    my $cond = conditional_rule( $echainref, $_ );
 	    add_rule $echainref, ( match_dest_net $_, $restriction ) . '-j RETURN';
 	    conditional_rule_end( $echainref ) if $cond;
 	}
 
-	for ( mysplit $oexcl ) {
+	for ( split_host_list $oexcl ) {
 	    my $cond = conditional_rule( $echainref, $_ );
 	    add_rule $echainref, ( match_orig_dest $_ ) . '-j RETURN';
 	    conditional_rule_end( $echainref ) if $cond;
@@ -6239,7 +6468,7 @@ sub expand_rule( $$$$$$$$$$;$ )
 	( $inets, $iexcl ) = handle_network_list( $inets, 'SOURCE' );
 
 	unless ( $inets || $iexcl =~ /^\+\[/ || ( $iiface && $restriction & POSTROUTE_RESTRICT ) ) {
-	    my @iexcl = mysplit $iexcl, 1;
+	    my @iexcl = split_host_list $iexcl, 1;
 	    if ( @iexcl == 1 ) {
 		$rule .= match_source_net "!$iexcl" , $restriction;
 		$iexcl = '';
@@ -6254,7 +6483,7 @@ sub expand_rule( $$$$$$$$$$;$ )
 	( $dnets, $dexcl ) = handle_network_list( $dnets, 'DEST' );
 
 	unless ( $dnets || $dexcl =~ /^\+\[/ ) {
-	    my @dexcl = mysplit $dexcl, 1;
+	    my @dexcl = split_host_list $dexcl, 1;
 	    if ( @dexcl == 1 ) {
 		$rule .= match_dest_net "!$dexcl", $restriction;
 		$dexcl = '';
@@ -6300,19 +6529,19 @@ sub expand_rule( $$$$$$$$$$;$ )
 	#
 	# No non-trivial exclusions or we're using marks to handle them
 	#
-	for my $onet ( mysplit $onets ) {
+	for my $onet ( split_host_list $onets ) {
 	    my $cond1 = conditional_rule( $chainref, $onet );
 
 	    $onet = match_orig_dest $onet;
 
-	    for my $inet ( mysplit $inets ) {
+	    for my $inet ( split_host_list $inets ) {
 		my $source_match;
 
 		my $cond2 = conditional_rule( $chainref, $inet );
 
 		$source_match = match_source_net( $inet, $restriction, $mac ) if $globals{KLUDGEFREE};
 
-		for my $dnet ( mysplit $dnets ) {
+		for my $dnet ( split_host_list $dnets ) {
 		    $source_match  = match_source_net( $inet, $restriction, $mac ) unless $globals{KLUDGEFREE};
 		    my $dest_match = match_dest_net( $dnet, $restriction );
 		    my $matches = join( '', $rule, $source_match, $dest_match, $onet );
@@ -6872,6 +7101,32 @@ sub load_ipsets() {
     }
 }
 
+#
+# Create nfacct objects if needed
+#
+sub create_nfobjects() {
+    
+    my @objects = ( keys %nfobjects );
+
+    if ( @objects ) {
+	if ( $config{NFACCT} ) {
+	    emit( qq(NFACCT="$config{NFACCT}") ,
+		  '[ -x "$NFACCT" ] || startup_error "NFACCT=$NFACCT does not exist or is not executable"'
+		);
+	} else {
+	    emit( 'NFACCT=$(mywhich nfacct)' ,
+		  '[ -n "$NFACCT" ] || startup_error "No nfacct utility found"',
+		  ''
+		);
+	}
+    }
+
+    for ( keys %nfobjects ) {
+	emit( qq(if ! qt \$NFACCT get $_; then),
+	      qq(    \$NFACCT add $_),
+	      qq(fi\n) );
+    }
+}
 #
 #
 # Generate the netfilter input
@@ -7191,7 +7446,7 @@ sub create_stop_load( $ ) {
 
     emit '';
 
-    emit(  '[ -n "$DEBUG" ] && command=debug_restore_input || command=$' . $UTILITY,
+    emit(  '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY,
 	   '',
 	   'progress_message2 "Running $command..."',
 	   '',
@@ -7256,4 +7511,17 @@ sub create_stop_load( $ ) {
 
 }
 
+sub initialize_switches() {
+    if ( keys %switches ) {
+	emit( 'if [ $COMMAND = start ]; then' );
+	push_indent;
+	while ( my ( $switch, $setting ) = each %switches ) {
+	    my $file = "/proc/net/nf_condition/$switch";
+	    emit "[ -f $file ] && echo $setting->{setting} > $file";
+	}
+	pop_indent;
+	emit "fi\n";
+    }
+}
+
 1;

Shorewall/Perl/Shorewall/Compiler.pm

@@ -34,7 +34,6 @@ use Shorewall::Accounting;
 use Shorewall::Rules;
 use Shorewall::Proc;
 use Shorewall::Proxyarp;
-use Shorewall::IPAddrs;
 use Shorewall::Raw;
 use Shorewall::Misc;
 
@@ -54,8 +53,8 @@ my $family;
 #
 # Initilize the package-globals in the other modules
 #
-sub initialize_package_globals( $$ ) {
-    Shorewall::Config::initialize($family, $_[1]);
+sub initialize_package_globals( $$$ ) {
+    Shorewall::Config::initialize($family, $_[1], $_[2]);
     Shorewall::Chains::initialize ($family, 1, $export );
     Shorewall::Zones::initialize ($family, $_[0]);
     Shorewall::Nat::initialize;
@@ -158,7 +157,7 @@ sub generate_script_2() {
 
     push_indent;
 
-    if ( $shorewallrc{TEMPDIR} ) {
+    if ( $shorewallrc1{TEMPDIR} ) {
 	emit( '',
 	      qq(TMPDIR="$shorewallrc{TEMPDIR}") ,
 	      q(export TMPDIR) );
@@ -168,14 +167,14 @@ sub generate_script_2() {
 	emit( 'g_family=4' );
 
 	if ( $export ) {
-	    emit ( qq(g_confdir=$shorewallrc{CONFDIR}/shorewall-lite),
+	    emit ( qq(g_confdir=$shorewallrc1{CONFDIR}/shorewall-lite),
 		   'g_product="Shorewall Lite"',
 		   'g_program=shorewall-lite',
 		   'g_basedir=/usr/share/shorewall-lite',
-		   qq(CONFIG_PATH="$shorewallrc{CONFDIR}/shorewall-lite:$shorewallrc{SHAREDIR}/shorewall-lite") ,
+		   qq(CONFIG_PATH="$shorewallrc1{CONFDIR}/shorewall-lite:$shorewallrc1{SHAREDIR}/shorewall-lite") ,
 		 );
 	} else {
-	    emit ( qq(g_confdir=$shorewallrc{CONFDIR}/shorewall),
+	    emit ( qq(g_confdir=$shorewallrc1{CONFDIR}/shorewall),
 		   'g_product=Shorewall',
 		   'g_program=shorewall',
 		   'g_basedir=/usr/share/shorewall',
@@ -186,14 +185,14 @@ sub generate_script_2() {
 	emit( 'g_family=6' );
 
 	if ( $export ) {
-	    emit ( qq(g_confdir=$shorewallrc{CONFDIR}/shorewall6-lite),
+	    emit ( qq(g_confdir=$shorewallrc1{CONFDIR}/shorewall6-lite),
 		   'g_product="Shorewall6 Lite"',
 		   'g_program=shorewall6-lite',
 		   'g_basedir=/usr/share/shorewall6',
-		   qq(CONFIG_PATH="$shorewallrc{CONFDIR}/shorewall6-lite:$shorewallrc{SHAREDIR}/shorewall6-lite") ,
+		   qq(CONFIG_PATH="$shorewallrc1{CONFDIR}/shorewall6-lite:$shorewallrc{SHAREDIR}/shorewall6-lite") ,
 		 );
 	} else {
-	    emit ( qq(g_confdir=$shorewallrc{CONFDIR}/shorewall6),
+	    emit ( qq(g_confdir=$shorewallrc1{CONFDIR}/shorewall6),
 		   'g_product=Shorewall6',
 		   'g_program=shorewall6',
 		   'g_basedir=/usr/share/shorewall',
@@ -203,20 +202,8 @@ sub generate_script_2() {
     }
 
     emit (   '[ -f ${g_confdir}/vardir ] && . ${g_confdir}/vardir' );
-
-    if ( $family == F_IPV4 ) {
-	if ( $export ) {
-	    emit ( '[ -n "${VARDIR:=' . $shorewallrc{VARDIR} . '/shorewall-lite}" ]' );
-	} else {
-	    emit ( '[ -n "${VARDIR:=' . $shorewallrc{VARDIR} . '/shorewall}" ]' );
-	}
-    } else {
-	if ( $export ) {
-	    emit ( '[ -n "${VARDIR:=' . $shorewallrc{VARDIR} . '/shorewall6-lite}" ]' );
-	} else {
-	    emit ( '[ -n "${VARDIR:=' . $shorewallrc{VARDIR} . '/shorewall6}" ]' );
-	}
-    }
+    emit ( qq([ -n "\${VARDIR:=$shorewallrc1{VARDIR}}" ]) );
+    emit ( qq([ -n "\${VARLIB:=$shorewallrc1{VARLIB}}" ]) );
 
     emit 'TEMPFILE=';
 
@@ -368,6 +355,7 @@ sub generate_script_3($) {
     emit '';
 
     load_ipsets;
+    create_nfobjects;
 
     if ( $family == F_IPV4 ) {
 	emit ( 'if [ "$COMMAND" = refresh ]; then' ,
@@ -471,49 +459,56 @@ sub generate_script_3($) {
         fatal_error "$iptables_save_file does not exist"
     fi
 EOF
-    pop_indent;
+    push_indent;
     setup_load_distribution;
     setup_forwarding( $family , 1 );
-    push_indent;
+    pop_indent;
 
     my $config_dir = $globals{CONFIGDIR};
 
     emit<<"EOF";
     set_state Started $config_dir
     run_restored_exit
-else
-    if [ \$COMMAND = refresh ]; then
+elif [ \$COMMAND = refresh ]; then
     chainlist_reload
 EOF
+    push_indent;
     setup_load_distribution;
     setup_forwarding( $family , 0 );
-
-    emit( '        run_refreshed_exit' ,
+    pop_indent;
+    #
+    # Use a parameter list rather than 'here documents' to avoid an extra blank line
+    #
+    emit(
+'    run_refreshed_exit',
 '    do_iptables -N shorewall',
 "    set_state Started $config_dir",
+'    [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall',
 'else',
-	  '        setup_netfilter' );
-
+'    setup_netfilter'
+	);
+    push_indent;
     setup_load_distribution;
+    pop_indent;
 
-    emit<<"EOF";
+    emit<<'EOF';
     conditionally_flush_conntrack
 EOF
+    push_indent;
+    initialize_switches;
     setup_forwarding( $family , 0 );
+    pop_indent;
 
     emit<<"EOF";
     run_start_exit
     do_iptables -N shorewall
     set_state Started $config_dir
+    [ \$0 = \${VARDIR}/firewall ] || cp -f \$(my_pathname) \${VARDIR}/firewall
     run_started_exit
 fi
-
 EOF
 
     emit<<'EOF';
-    [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall
-fi
-
 date > ${VARDIR}/restarted
 
 case $COMMAND in
@@ -545,8 +540,8 @@ EOF
 #
 sub compiler {
 
-    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $convert, $config_path, $shorewallrc ) =
-       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0,        0,         0,        0,        , 0       , ''          , '');
+    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $convert, $config_path, $shorewallrc                      , $shorewallrc1 ) =
+       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0,        0,         0,        0,        , 0       , ''          , '/usr/share/shorewall/shorewallrc', '' );
 
     $export = 0;
     $test   = 0;
@@ -585,6 +580,7 @@ sub compiler {
 		  annotate      => { store => \$annotate,      validate=> \&validate_boolean    } ,
 		  config_path   => { store => \$config_path } ,
 		  shorewallrc   => { store => \$shorewallrc } ,
+		  shorewallrc1  => { store => \$shorewallrc1 } ,
 		);
     #
     #                               P A R A M E T E R    P R O C E S S I N G
@@ -602,7 +598,7 @@ sub compiler {
     #
     # Now that we know the address family (IPv4/IPv6), we can initialize the other modules' globals
     #
-    initialize_package_globals( $update, $shorewallrc );
+    initialize_package_globals( $update, $shorewallrc, $shorewallrc1 );
 
     set_config_path( $config_path ) if $config_path;
 
@@ -665,11 +661,6 @@ sub compiler {
     #                           (Produces no output to the compiled script)
     #
     process_policies;
-    #
-    #                                       N O T R A C K
-    #                           (Produces no output to the compiled script)
-    #
-    setup_notrack;
 
     enable_script;
 
@@ -709,6 +700,14 @@ sub compiler {
     #
     setup_proxy_arp;
 
+    emit( "#\n# Disable automatic helper association on kernel 3.5.0 and later\n#" ,
+	  'if [ -f /proc/sys/net/netfilter/nf_conntrack_helper ]; then' ,
+	  '    progress_message "Disabling Kernel Automatic Helper Association"',
+	  "    echo 0 > /proc/sys/net/netfilter/nf_conntrack_helper",
+	  'fi',
+	  ''
+	);
+
     if ( $scriptfilename || $debug ) {
 	emit 'return 0';
 	pop_indent;
@@ -788,6 +787,10 @@ sub compiler {
     #
     process_rules( $convert );
     #
+    # Process the conntrack file
+    #
+    setup_conntrack;
+    #
     # Add Tunnel rules.
     #
     setup_tunnels;
@@ -911,6 +914,7 @@ sub compiler {
 	    # call that function during normal 'check', we must validate routestopped here.
 	    #
 	    process_routestopped;
+	    process_stoppedrules;
 	}
 
 	if ( $family == F_IPV4 ) {

Shorewall/Perl/Shorewall/Config.pm

@@ -47,6 +47,7 @@ our @EXPORT = qw(
 		 warning_message
 		 fatal_error
 		 assert
+		 currentlineinfo
 
 		 progress_message
 		 progress_message_nocompress
@@ -62,6 +63,7 @@ our @EXPORT = qw(
 
 		 have_capability
 		 require_capability
+		 kernel_version
                 );
 
 our @EXPORT_OK = qw( $shorewall_dir initialize shorewall);
@@ -103,6 +105,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       find_file
 				       split_list
 				       split_list1
+				       split_list2
 				       split_line
 				       split_line1
 				       first_entry
@@ -143,12 +146,25 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       %globals
 				       %config_files
 				       %shorewallrc
+				       %shorewallrc1
 
-				       @auditoptions
+				       %helpers
+				       %helpers_map
+				       %helpers_enabled
+				       %helpers_aliases
 				       
 		                       F_IPV4
 		                       F_IPV6
 
+				       TCP
+				       UDP
+				       UDPLITE
+				       ICMP
+				       DCCP
+				       IPv6_ICMP
+				       SCTP
+				       GRE
+
 				       MIN_VERBOSITY
 				       MAX_VERBOSITY
 
@@ -160,7 +176,18 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       CONFIG_CONTINUATION
 				       DO_INCLUDE
 				       NORMAL_READ
-				     ) ] );
+				     ) , ] ,
+		   protocols => [ qw (
+				       TCP
+				       UDP
+				       UDPLITE
+				       ICMP
+				       DCCP
+				       IPv6_ICMP
+				       SCTP
+				       GRE
+				    ) , ],
+		   );
 
 Exporter::export_ok_tags('internal');
 
@@ -227,6 +254,10 @@ our %globals;
 #
 our %config;
 #
+# Entries in shorewall.conf that have been renamed
+#
+my %renamed = ( AUTO_COMMENT => 'AUTOCOMMENT' );
+#
 # Config options and global settings that are to be copied to output script
 #
 my @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR MODULE_SUFFIX LOAD_HELPERS_ONLY SUBSYSLOCK LOG_VERBOSITY/;
@@ -308,6 +339,25 @@ my  %capdesc = ( NAT_ENABLED     => 'NAT',
 		 DSCP_MATCH      => 'DSCP Match',
 		 DSCP_TARGET     => 'DSCP Target',
 		 GEOIP_MATCH     => 'GeoIP Match' ,
+		 RPFILTER_MATCH  => 'RPFilter Match',
+		 NFACCT_MATCH    => 'NFAcct Match',
+		 CHECKSUM_TARGET => 'Checksum Target',
+		 AMANDA_HELPER   => 'Amanda Helper',
+		 FTP_HELPER      => 'FTP Helper',
+		 FTP0_HELPER     => 'FTP-0 Helper',
+		 H323_HELPER     => 'H323 Helpers',
+		 IRC_HELPER      => 'IRC Helper',
+		 IRC0_HELPER     => 'IRC-0 Helper',
+		 NETBIOS_NS_HELPER =>
+                                    'Netbios-ns Helper',
+		 PPTP_HELPER     => 'PPTP Helper',
+		 SANE_HELPER     => 'SANE Helper',
+		 SANE0_HELPER    => 'SANE-0 Helper',
+		 SIP_HELPER      => 'SIP Helper',
+		 SIP0_HELPER     => 'SIP-0 Helper',
+		 SNMP_HELPER     => 'SNMP Helper',
+		 TFTP_HELPER     => 'TFTP Helper',
+		 TFTP0_HELPER     => 'TFTP-0 Helper',
 		 #
 		 # Constants
 		 #
@@ -316,10 +366,43 @@ my  %capdesc = ( NAT_ENABLED     => 'NAT',
 		 KERNELVERSION   => 'Kernel Version',
 	       );
 
+use constant {
+	       ICMP                => 1,
+	       TCP                 => 6,
+	       UDP                 => 17,
+	       DCCP                => 33,
+	       GRE                 => 47,
+	       IPv6_ICMP           => 58,
+	       SCTP                => 132,
+	       UDPLITE             => 136,
+	     };
+
+our %helpers = ( amanda          => UDP,
+		 ftp             => TCP,
+		 irc             => TCP,
+		 'netbios-ns'    => UDP,
+		 pptp            => TCP,
+		 'Q.931'         => TCP,
+		 RAS             => UDP,
+		 sane            => TCP,
+		 sip             => UDP,
+		 snmp            => UDP,
+		 tftp            => UDP,
+	       );
+
+our %helpers_map;
+
+our %helpers_names;
+
+our %helpers_aliases;
+
+our %helpers_enabled;
+
 our %config_files = ( #accounting      => 1,
 		      actions          => 1,
 		      blacklist        => 1,
 		      clear            => 1,
+		      conntrack        => 1,
 		      ecn              => 1,
 		      findgw           => 1,
 		      hosts            => 1,
@@ -343,6 +426,7 @@ our %config_files = ( #accounting      => 1,
 		      route_rules      => 1,
 		      routes           => 1,
 		      routestopped     => 1,
+		      rtrules          => 1,
 		      rules            => 1,
 		      scfilter         => 1,
 		      secmarks         => 1,
@@ -350,6 +434,7 @@ our %config_files = ( #accounting      => 1,
 		      started          => 1,
 		      stop             => 1,
 		      stopped          => 1,
+		      stoppedrules     => 1,
 		      tcclasses        => 1,
 		      tcclear          => 1,
 		      tcdevices        => 1,
@@ -459,7 +544,7 @@ my $ifstack;
 #
 # From .shorewallrc
 #
-our %shorewallrc;
+our ( %shorewallrc, %shorewallrc1 );
 #
 # read_a_line options
 #
@@ -475,7 +560,7 @@ use constant { PLAIN_READ          => 0,     # No read_a_line options
                NORMAL_READ         => -1     # All options
 	   };
 
-sub process_shorewallrc($);
+sub process_shorewallrc($$);
 #
 # Rather than initializing globals in an INIT block or during declaration,
 # we initialize them in a function. This is done for two reasons:
@@ -486,8 +571,8 @@ sub process_shorewallrc($);
 #   2. The compiler can run multiple times in the same process so it has to be
 #      able to re-initialize its dependent modules' state.
 #
-sub initialize( $;$ ) {
-    ( $family, my $shorewallrc ) = @_;
+sub initialize( $;$$) {
+    ( $family, my ( $shorewallrc, $shorewallrc1 ) ) = @_;
 
     if ( $family == F_IPV4 ) {
 	( $product, $Product, $toolname, $toolNAME ) = qw( shorewall  Shorewall iptables  IPTABLES );
@@ -524,9 +609,8 @@ sub initialize( $;$ ) {
 		    EXPORT     => 0,
 		    KLUDGEFREE => '',
 		    STATEMATCH => '-m state --state',
-		    UNTRACKED  => 0,
-		    VERSION    => "4.5.6",
-		    CAPVERSION => 40504 ,
+		    VERSION    => "4.5.8-Beta2",
+		    CAPVERSION => 40509 ,
 		  );
     #
     # From shorewall.conf file
@@ -554,6 +638,7 @@ sub initialize( $;$ ) {
 	  LOG_VERBOSITY => undef,
 	  STARTUP_LOG => undef,
 	  SFILTER_LOG_LEVEL => undef,
+	  RPFILTER_LOG_LEVEL => undef,
 	  #
 	  # Location of Files
 	  #
@@ -570,6 +655,7 @@ sub initialize( $;$ ) {
 	  IPSECFILE => undef,
 	  LOCKFILE => undef,
 	  GEOIPDIR => undef,
+	  NFACCT => undef,
 	  #
 	  # Default Actions/Macros
 	  #
@@ -624,7 +710,7 @@ sub initialize( $;$ ) {
 	  DELETE_THEN_ADD => undef,
 	  MULTICAST => undef,
 	  DONT_LOAD => '',
-	  AUTO_COMMENT => undef ,
+	  AUTOCOMMENT => undef ,
 	  MANGLE_ENABLED => undef ,
 	  RFC1918_STRICT => undef ,
 	  NULL_ROUTE_RFC1918 => undef ,
@@ -646,6 +732,9 @@ sub initialize( $;$ ) {
 	  EXPORTMODULES => undef,
 	  LEGACY_FASTSTART => undef,
 	  USE_PHYSICAL_NAMES => undef,
+	  HELPERS => undef,
+	  AUTOHELPERS => undef,
+	  RESTORE_ROUTEMARKS => undef,
 	  #
 	  # Packet Disposition
 	  #
@@ -654,6 +743,7 @@ sub initialize( $;$ ) {
 	  BLACKLIST_DISPOSITION => undef,
 	  SMURF_DISPOSITION => undef,
 	  SFILTER_DISPOSITION => undef,
+	  RPFILTER_DISPOSITION => undef,
 	  RELATED_DISPOSITION => undef,
 	  #
 	  # Mark Geometry
@@ -759,6 +849,26 @@ sub initialize( $;$ ) {
 	       DSCP_MATCH => undef,
 	       DSCP_TARGET => undef,
 	       GEOIP_MATCH => undef,
+	       RPFILTER_MATCH => undef,
+	       NFACCT_MATCH => undef,
+	       CHECKSUM_TARGET => undef,
+
+	       AMANDA_HELPER => undef,
+	       FTP_HELPER => undef,
+	       FTP0_HELPER => undef,
+	       H323_HELPER => undef,
+	       IRC_HELPER => undef,
+	       IRC0_HELPER => undef,
+	       NETBIOS_NS_HELPER => undef,
+	       PPTP_HELPER => undef,
+	       SANE_HELPER => undef,
+	       SANE0_HELPER => undef,
+	       SIP_HELPER => undef,
+	       SIP0_HELPER => undef,
+	       SNMP_HELPER => undef,
+	       TFTP_HELPER => undef,
+	       TFTP0_HELPER => undef,
+
 	       CAPVERSION => undef,
 	       LOG_OPTIONS => 1,
 	       KERNELVERSION => undef,
@@ -793,12 +903,77 @@ sub initialize( $;$ ) {
 
     @actparms = ();
 
+    %helpers_enabled = (
+			amanda       => 1,
+			ftp          => 1,
+			'ftp-0'      => 1,
+			h323         => 1,
+			irc          => 1,
+			'irc-0'      => 1,
+			'netbios-ns' => 1,
+			pptp         => 1,
+			sane         => 1,
+			'sane-0'     => 1,
+			sip          => 1,
+			'sip-0'      => 1,
+			snmp         => 1,
+			tftp         => 1,
+			'tftp-0'     => 1,
+		       );
+
+    %helpers_map = ( amanda          => 'AMANDA_HELPER',
+		     ftp             => 'FTP_HELPER',
+		     irc             => 'IRC_HELPER',
+		     'netbios-ns'    => 'NETBIOS_NS_HELPER',
+		     pptp            => 'PPTP_HELPER',
+		     'Q.931'         => 'H323_HELPER',
+		     RAS             => 'H323_HELPER',
+		     sane            => 'SANE_HELPER',
+		     sip             => 'SIP_HELPER',
+		     snmp            => 'SNMP_HELPER',
+		     tftp            => 'TFTP_HELPER',
+		   );
+
+    %helpers_aliases = ( amanda       => 'amanda',
+			 ftp          => 'ftp',
+			 irc          => 'irc',
+			 'netbios-ns' => 'netbios-ns',
+			 pptp         => 'pptp',
+			 'Q.931'      => 'Q.931',
+			 RAS          => 'RAS',
+			 sane         => 'sane',
+			 sip          => 'sip',
+			 snmp         => 'snmp',
+			 tftp         => 'tftp',
+		       );
+
     %shorewallrc = (
 		    SHAREDIR => '/usr/share/',
 		    CONFDIR  => '/etc/',
 		    );
+    #
+    # If we are compiling for export, process the shorewallrc from the remote system
+    #
+    if ( $shorewallrc1 ) {
+	process_shorewallrc( $shorewallrc1,
+			     $family == F_IPV4 ? 'shorewall-lite' : 'shorewall6-lite'
+			   );
 
-    process_shorewallrc( $shorewallrc ) if $shorewallrc;
+	%shorewallrc1 = %shorewallrc;
+
+	%shorewallrc = (
+			SHAREDIR => '/usr/share/',
+			CONFDIR  => '/etc/',
+		       );
+    }
+    #
+    # Process the global shorewallrc file
+    #
+    #   Note: The build file executes this function passing only the protocol family
+    #
+    process_shorewallrc( $shorewallrc,
+			 $family == F_IPV4 ? 'shorewall' : 'shorewall6'
+		       ) if defined $shorewallrc;
 
     $globals{SHAREDIRPL} = "$shorewallrc{SHAREDIR}/shorewall/";
 
@@ -814,6 +989,8 @@ sub initialize( $;$ ) {
 	$globals{PRODUCT}       = 'shorewall6';
 	$config{IP6TABLES}      = undef;
     }
+
+    %shorewallrc1 = %shorewallrc unless $shorewallrc1;
 }
 
 my @abbr = qw( Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec );
@@ -935,6 +1112,12 @@ sub cleanup() {
 	qt1( "$iptables -X $sillyname1" );
 	qt1( "$iptables -t mangle -F $sillyname" );
 	qt1( "$iptables -t mangle -X $sillyname" );
+	qt1( "$iptables -t nat -F $sillyname" );
+	qt1( "$iptables -t nat -X $sillyname" );
+	qt1( "$iptables -t raw -F $sillyname" );
+	qt1( "$iptables -t raw -X $sillyname" );
+	qt1( "$iptables -t rawpost -F $sillyname" );
+	qt1( "$iptables -t rawpost -X $sillyname" );
 	$sillyname = '';
     }
 }
@@ -1062,7 +1245,7 @@ sub in_hex2( $ ) {
 }
 
 sub in_hex3( $ ) {
-    sprintf '0x%03x', $_[0];
+    sprintf '%03x', $_[0];
 }
 
 sub in_hex4( $ ) {
@@ -1306,7 +1489,10 @@ sub progress_message3 {
 #
 # Push/Pop Indent
 #
-sub push_indent() {
+sub push_indent(;$) {
+    my $times = shift || 1;
+
+    while ( $times-- ) {
 	if ( $indent2 ) {
 	    $indent2 = '';
 	    $indent = $indent1 = $indent1 . "\t";
@@ -1315,8 +1501,12 @@ sub push_indent() {
 	    $indent = $indent1 . $indent2;
 	}
     }
+}
 
-sub pop_indent() {
+sub pop_indent(;$) {
+    my $times = shift || 1;
+
+    while ( $times-- ) {
 	if ( $indent2 ) {
 	    $indent2 = '';
 	    $indent = $indent1;
@@ -1326,6 +1516,7 @@ sub pop_indent() {
 	    $indent = $indent1 . $indent2;
 	}
     }
+}
 
 #
 # Create the temporary script file -- the passed file name is the name of the final file.
@@ -1461,8 +1652,8 @@ sub split_list( $$;$ ) {
     split /,/, $list;
 }
 
-sub split_list1( $$ ) {
-    my ($list, $type ) = @_;
+sub split_list1( $$;$ ) {
+    my ($list, $type, $keepparens ) = @_;
 
     fatal_error "Invalid $type list ($list)" if $list =~ /^,|,$|,,|!,|,!$/;
 
@@ -1475,17 +1666,17 @@ sub split_list1( $$ ) {
 
 	if ( ( $count = tr/(/(/ ) > 0 ) {
 	    fatal_error "Invalid $type list ($list)" if $element || $count > 1;
-	    s/\(//;
+	    s/\(// unless $keepparens;
 	    if ( ( $count = tr/)/)/ ) > 0 ) {
 		fatal_error "Invalid $type list ($list)" if $count > 1;
-		s/\)//;
+		s/\)// unless $keepparens;
 		push @list2 , $_;
 	    } else {
 		$element = $_;
 	    }
 	} elsif ( ( $count =  tr/)/)/ ) > 0 ) {
 	    fatal_error "Invalid $type list ($list)" unless $element && $count == 1;
-	    s/\)//;
+	    s/\)// unless $keepparens;
 	    push @list2, join ',', $element, $_;
 	    $element = '';
 	} elsif ( $element ) {
@@ -1498,6 +1689,59 @@ sub split_list1( $$ ) {
     @list2;
 }
 
+sub split_list2( $$ ) {
+    my ($list, $type ) = @_;
+
+    fatal_error "Invalid $type ($list)" if $list =~ /^:|::/;
+
+    my @list1 = split /:/, $list;
+    my @list2;
+    my $element   = '';
+    my $opencount = 0;
+
+
+    for ( @list1 ) {
+	my $count;
+
+	if ( ( $count = tr/(/(/ ) > 0 ) {
+	    $opencount += $count;
+	    if ( $element eq '' ) {
+		$element = $_;
+	    } else {
+		$element = join( ':', $element, $_ );
+	    }
+
+	    if ( ( $count = tr/)/)/ ) > 0 ) {
+		if ( ! ( $opencount -= $count ) ) {
+		     push @list2 , $element;
+		     $element = '';
+		} else {
+		    fatal_error "Invalid $type ($list)" if $opencount < 0;
+		}
+	    }
+	} elsif ( ( $count =  tr/)/)/ ) > 0 ) {
+	    fatal_error "Invalid $type ($list)" unless $element ne '';
+	    $element = join (':', $element, $_ );
+	    if ( ! ( $opencount -= $count ) ) {
+		 push @list2 , $element;
+		 $element = '';
+	    } else {
+		fatal_error "Invalid $type ($list)" if $opencount < 0;
+	    }
+	} elsif ( $element eq '' ) {
+	    push @list2 , $_;
+	} else {
+	    $element = join ':', $element , $_;
+	}
+    }
+    
+    unless ( $opencount == 0 ) {
+	fatal_error "Invalid $type ($list)";
+    }
+
+    @list2;
+}
+
 #
 # Determine if a value has been supplied
 #
@@ -1685,6 +1929,7 @@ sub evaluate_expression( $$$ ) {
 	$val = ( exists $ENV{$var}     ? $ENV{$var}    :
 		 exists $params{$var}  ? $params{$var} :
 		 exists $config{$var}  ? $config{$var} :
+		 exists $renamed{$var} ? $config{$renamed{$var}} :
 		 exists $capdesc{$var} ? have_capability( $var ) : 0 );
 	$val = 0 unless defined $val;
 	$val = "'$val'" unless $val =~ /^-?\d+$/;
@@ -1697,7 +1942,12 @@ sub evaluate_expression( $$$ ) {
 	my ( $first, $cap, $rest ) = ( $1, $3, $4);
 
 	if ( exists $capdesc{$cap} ) {
-	    $val = have_capability( $cap )
+	    $val = have_capability( $cap );
+	    if ( defined $val ) {
+		$val = "'$val'" unless $val =~ /^-?\d+$/;
+	    } else {
+		$val = 0;
+	    }
 	} elsif ( $cap =~ /^IPV([46])$/ ) {
 	    $val = ( $family == $1 );
 	} else {
@@ -1737,9 +1987,9 @@ sub process_conditional( $$$$ ) {
 
     print "CD===> $line\n" if $debug;
 
-    cond_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF)(.*)$/;
+    cond_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF)(.*)$/i;
 
-    my ($keyword, $expression) = ( $1, $2 );
+    my ($keyword, $expression) = ( uc $1, $2 );
 
     if ( supplied $expression ) {
 	$expression =~ s/#.*//;
@@ -1751,7 +2001,7 @@ sub process_conditional( $$$$ ) {
     my ( $lastkeyword, $prioromit, $included, $lastlinenumber ) = @ifstack ? @{$ifstack[-1]} : ('', 0, 0, 0 );
 
     if ( $keyword =~ /^IF/ ) {
-	cond_error( "Missing IF expression" , $filename, $linenumber ) unless $expression;
+	cond_error( "Missing IF expression" , $filename, $linenumber ) unless supplied $expression;
 	my $nextomitting = $omitting || ! evaluate_expression( $expression , $filename, $linenumber );
 	push @ifstack, [ 'IF', $omitting, ! $nextomitting, $linenumber ];
 	$omitting = $nextomitting;
@@ -2220,7 +2470,7 @@ sub embedded_perl( $ ) {
 # Push/pop action params
 #
 sub push_action_params( $$ ) {
-    my @params = split /,/, $_[1];
+    my @params = split_list1 $_[1], 'parameter', 1;
     my @oldparams = @actparms;
 
     @actparms = ();
@@ -2286,15 +2536,15 @@ sub set_action_param( $$ ) {
 sub expand_variables( \$ ) {
     my ( $lineref, $count ) = ( $_[0], 0 );
     #                         $1      $2   $3                  -     $4
-    while ( $$lineref =~ m( ^(.*?) \$({)? (\w+) (?(2)}) (.*)$ )x ) {
+    while ( $$lineref =~ m( ^(.*?) \$({)? (\d+|[a-zA-Z]\w*) (?(2)}) (.*)$ )x ) {
 
 	my ( $first, $var, $rest ) = ( $1, $3, $4);
 
 	my $val;
 
 	if ( $var =~ /^\d+$/ ) {
-	    fatal_error "Undefined parameter (\$$var)" unless $var > 0 && defined $actparms[$var];
-	    $val = $actparms[$var];
+	    fatal_error "Undefined parameter (\$$var)" if ( ! defined $actparms[$var] ) || ( length( $var ) > 1 && $var =~ /^0/ );
+	    $val = $var ? $actparms[$var] : $actparms[0]->{name};
 	} elsif ( exists $params{$var} ) {
 	    $val = $params{$var};
 	} elsif ( exists $shorewallrc{$var} ) {
@@ -2347,7 +2597,7 @@ sub read_a_line($) {
 	    #
 	    # Handle conditionals
 	    #
-	    if ( /^\s*\?(?:IF|ELSE|ELSIF|ENDIF)/ ) {
+	    if ( /^\s*\?(?:IF|ELSE|ELSIF|ENDIF)/i ) {
 		$omitting = process_conditional( $omitting, $_, $currentfilename, $. );
 		next;
 	    }
@@ -2443,10 +2693,10 @@ sub read_a_line($) {
     }
 }
 
-sub process_shorewallrc( $ ) {
-    my $shorewallrc = shift;
+sub process_shorewallrc( $$ ) {
+    my ( $shorewallrc , $product ) = @_;
 
-    $shorewallrc{PRODUCT} = $family == F_IPV4 ? 'shorewall' : 'shorewall6';
+    $shorewallrc{PRODUCT} = $product;
 
     if ( open_file $shorewallrc ) {
 	while ( read_a_line( STRIP_COMMENTS | SUPPRESS_WHITESPACE | CHECK_GUNK ) ) {
@@ -2462,6 +2712,15 @@ sub process_shorewallrc( $ ) {
     } else {
 	fatal_error "Failed to open $shorewallrc: $!";
     }
+
+    if ( supplied $shorewallrc{VARDIR} ) {
+	if ( ! supplied $shorewallrc{VARLIB} ) {
+	    $shorewallrc{VARLIB} =  $shorewallrc{VARDIR};
+	    $shorewallrc{VARDIR} = "$shorewallrc{VARLIB}/$product";
+	}
+    } elsif ( supplied $shorewallrc{VARLIB} ) {
+	$shorewallrc{VARDIR} = "$shorewallrc{VARLIB}/$product" unless supplied $shorewallrc{VARDIR};
+    }
 }
 
 #
@@ -3033,7 +3292,7 @@ sub Old_IPSet_Match() {
 
 	if ( qt( "$ipset -N $sillyname iphash" ) ) {
 	    if ( qt1( "$iptables -A $sillyname -m set --set $sillyname src -j ACCEPT" ) ) {
-		qt1( "$iptables -D $sillyname -m set --set $sillyname src -j ACCEPT" );
+		qt1( "$iptables -F $sillyname" );
 		$result = $capabilities{IPSET_MATCH} = 1;
 	    }
 
@@ -3056,7 +3315,7 @@ sub IPSet_Match() {
 
 	if ( qt( "$ipset -N $sillyname iphash" ) || qt( "$ipset -N $sillyname hash:ip family $fam") ) {
 	    if ( qt1( "$iptables -A $sillyname -m set --match-set $sillyname src -j ACCEPT" ) ) {
-		qt1( "$iptables -D $sillyname -m set --match-set $sillyname src -j ACCEPT" );
+		qt1( "$iptables -F $sillyname" );
 		$result = ! ( $capabilities{OLD_IPSET_MATCH} = 0 );
 	    } else {
 		$result = have_capability 'OLD_IPSET_MATCH';
@@ -3108,7 +3367,79 @@ sub Realm_Match() {
 }
 
 sub Helper_Match() {
-    qt1( "$iptables -A $sillyname -m helper --helper \"ftp\"" );
+    qt1( "$iptables -A $sillyname -p tcp --dport 21 -m helper --helper ftp" );
+}
+
+sub have_helper( $$$ ) {
+    my ( $helper, $proto, $port ) = @_;
+
+    if ( $helpers_enabled{$helper} ) {
+	if ( have_capability 'CT_TARGET' ) {
+	    qt1( "$iptables -t raw -A $sillyname -p $proto --dport $port -j CT --helper $helper" );
+	} else {
+	    have_capability 'HELPER_MATCH';
+	}
+    }
+}
+
+sub Amanda_Helper() {
+    have_helper( 'amanda', 'udp', 10080 );
+}
+
+sub FTP0_Helper() {
+    have_helper( 'ftp-0', 'tcp', 21 ) and $helpers_aliases{ftp} = 'ftp-0';
+}
+
+sub FTP_Helper() {
+    have_helper( 'ftp', 'tcp', 21 ) || FTP0_Helper;
+}
+
+sub H323_Helpers() {
+    have_helper( 'RAS', 'udp', 1719 );
+}
+
+sub IRC0_Helper() {
+    have_helper( 'irc-0', 'tcp', 6667 ) and $helpers_aliases{irc} = 'irc-0';
+}
+
+sub IRC_Helper() {
+    have_helper( 'irc', 'tcp', 6667 ) || IRC0_Helper;
+}
+
+sub Netbios_ns_Helper() {
+    have_helper( 'netbios-ns', 'udp', 137 );
+}
+
+sub PPTP_Helper() {
+    have_helper( 'pptp', 'tcp', 1729 );
+}
+
+sub SANE0_Helper() {
+    have_helper( 'sane-0', 'tcp', 6566 ) and $helpers_aliases{sane} = 'sane-0';
+}
+
+sub SANE_Helper() {
+    have_helper( 'sane', 'tcp', 6566 ) || SANE0_Helper;
+}
+
+sub SIP0_Helper() {
+    have_helper( 'sip-0', 'udp', 5060 ) and $helpers_aliases{sip} = 'sip-0';
+}
+
+sub SIP_Helper() {
+    have_helper( 'sip', 'udp', 5060 ) || SIP0_Helper;
+}
+
+sub SNMP_Helper() {
+    have_helper( 'snmp', 'udp', 161 );
+}
+
+sub TFTP0_Helper() {
+    have_helper( 'tftp-0', 'udp', 69 ) and $helpers_aliases{tftp} = 'tftp-0';
+}
+
+sub TFTP_Helper() {
+    have_helper( 'tftp', 'udp', 69 ) || TFTP0_Helper;
 }
 
 sub Connlimit_Match() {
@@ -3185,8 +3516,6 @@ sub Ct_Target() {
     if ( have_capability 'RAW_TABLE' ) {
 	qt1( "$iptables -t raw -N $sillyname" );
 	$ct_target = qt1( "$iptables -t raw -A $sillyname -j CT --notrack" );
-	qt1( "$iptables -t raw -F $sillyname" );
-	qt1( "$iptables -t raw -X $sillyname" );
     }
 
     $ct_target;
@@ -3196,6 +3525,7 @@ sub Statistic_Match() {
     qt1( "$iptables -A $sillyname -m statistic --mode nth --every 2 --packet 1" );
 }
 
+
 sub Imq_Target() {
     have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -j IMQ --todev 0" );
 }
@@ -3208,15 +3538,37 @@ sub Dscp_Target() {
     have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -j DSCP --set-dscp 0" );
 }
 
+sub RPFilter_Match() {
+    have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -m rpfilter" );
+}
+
+sub NFAcct_Match() {
+    my $result;
+
+    if ( qt1( "nfacct add $sillyname" ) ) {
+	$result = qt1( "$iptables -A $sillyname -m nfacct --nfacct-name $sillyname" );
+	qt( "$iptables -D $sillyname -m nfacct --nfacct-name $sillyname" );
+	qt( "nfacct del $sillyname" );
+    }
+
+    $result;
+}
+
 sub GeoIP_Match() {
     qt1( "$iptables -A $sillyname -m geoip --src-cc US" );
 }
 
+sub Checksum_Target() {
+    have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -j CHECKSUM --checksum-fill" );
+}
+
 our %detect_capability =
     ( ACCOUNT_TARGET =>\&Account_Target,
+      AMANDA_HELPER => \&Amanda_Helper,
       AUDIT_TARGET => \&Audit_Target,
       ADDRTYPE => \&Addrtype,
       BASIC_FILTER => \&Basic_Filter,
+      CHECKSUM_TARGET => \&Checksum_Target,
       CLASSIFY_TARGET => \&Classify_Target,
       CONDITION_MATCH => \&Condition_Match,
       COMMENTS => \&Comments,
@@ -3230,9 +3582,12 @@ our %detect_capability =
       ENHANCED_REJECT => \&Enhanced_Reject,
       EXMARK => \&Exmark,
       FLOW_FILTER => \&Flow_Filter,
+      FTP_HELPER => \&FTP_Helper,
+      FTP0_HELPER => \&FTP0_Helper,
       FWMARK_RT_MASK => \&Fwmark_Rt_Mask,
       GEOIP_MATCH => \&GeoIP_Match,
       GOTO_TARGET => \&Goto_Target,
+      H323_HELPER => \&H323_Helpers,
       HASHLIMIT_MATCH => \&Hashlimit_Match,
       HEADER_MATCH => \&Header_Match,
       HELPER_MATCH => \&Helper_Match,
@@ -3241,6 +3596,8 @@ our %detect_capability =
       IPP2P_MATCH => \&Ipp2p_Match,
       IPRANGE_MATCH => \&IPRange_Match,
       IPSET_MATCH => \&IPSet_Match,
+      IRC_HELPER => \&IRC_Helper,
+      IRC0_HELPER => \&IRC0_Helper,
       OLD_IPSET_MATCH => \&Old_IPSet_Match,
       IPSET_V5 => \&IPSET_V5,
       IPTABLES_S => \&Iptables_S,
@@ -3256,7 +3613,9 @@ our %detect_capability =
       MARK_ANYWHERE => \&Mark_Anywhere,
       MULTIPORT => \&Multiport,
       NAT_ENABLED => \&Nat_Enabled,
+      NETBIOS_NS_HELPER => \&Netbios_ns_Helper,
       NEW_CONNTRACK_MATCH => \&New_Conntrack_Match,
+      NFACCT_MATCH => \&NFAcct_Match,
       NFQUEUE_TARGET => \&Nfqueue_Target,
       OLD_CONNTRACK_MATCH => \&Old_Conntrack_Match,
       OLD_HL_MATCH => \&Old_Hashlimit_Match,
@@ -3267,12 +3626,21 @@ our %detect_capability =
       PHYSDEV_BRIDGE => \&Physdev_Bridge,
       PHYSDEV_MATCH => \&Physdev_Match,
       POLICY_MATCH => \&Policy_Match,
+      PPTP_HELPER => \&PPTP_Helper,
       RAW_TABLE => \&Raw_Table,
       RAWPOST_TABLE => \&Rawpost_Table,
       REALM_MATCH => \&Realm_Match,
       RECENT_MATCH => \&Recent_Match,
+      RPFILTER_MATCH => \&RPFilter_Match,
+      SANE_HELPER => \&SANE_Helper,
+      SANE0_HELPER => \&SANE0_Helper,
+      SIP_HELPER => \&SIP_Helper,
+      SIP0_HELPER => \&SIP0_Helper,
+      SNMP_HELPER => \&SNMP_Helper,
       STATISTIC_MATCH => \&Statistic_Match,
       TCPMSS_MATCH => \&Tcpmss_Match,
+      TFTP_HELPER => \&TFTP_Helper,
+      TFTP0_HELPER => \&TFTP0_Helper,
       TIME_MATCH => \&Time_Match,
       TPROXY_TARGET => \&Tproxy_Target,
       USEPKTTYPE => \&Usepkttype,
@@ -3377,7 +3745,6 @@ sub determine_capabilities() {
 	$capabilities{CLASSIFY_TARGET} = detect_capability( 'CLASSIFY_TARGET' );
 	$capabilities{IPMARK_TARGET}   = detect_capability( 'IPMARK_TARGET' );
 	$capabilities{TPROXY_TARGET}   = detect_capability( 'TPROXY_TARGET' );
-
 	$capabilities{MANGLE_FORWARD}  = detect_capability( 'MANGLE_FORWARD' );
 	$capabilities{RAW_TABLE}       = detect_capability( 'RAW_TABLE' );
 	$capabilities{RAWPOST_TABLE}   = detect_capability( 'RAWPOST_TABLE' );
@@ -3387,7 +3754,6 @@ sub determine_capabilities() {
 	$capabilities{TCPMSS_MATCH}    = detect_capability( 'TCPMSS_MATCH' );
 	$capabilities{NFQUEUE_TARGET}  = detect_capability( 'NFQUEUE_TARGET' );
 	$capabilities{REALM_MATCH}     = detect_capability( 'REALM_MATCH' );
-	$capabilities{HELPER_MATCH}    = detect_capability( 'HELPER_MATCH' );
 	$capabilities{CONNLIMIT_MATCH} = detect_capability( 'CONNLIMIT_MATCH' );
 	$capabilities{TIME_MATCH}      = detect_capability( 'TIME_MATCH' );
 	$capabilities{GOTO_TARGET}     = detect_capability( 'GOTO_TARGET' );
@@ -3410,6 +3776,15 @@ sub determine_capabilities() {
 	$capabilities{DSCP_MATCH}      = detect_capability( 'DSCP_MATCH' );
 	$capabilities{DSCP_TARGET}     = detect_capability( 'DSCP_TARGET' );
 	$capabilities{GEOIP_MATCH}     = detect_capability( 'GEOIP_MATCH' );
+	$capabilities{RPFILTER_MATCH}  = detect_capability( 'RPFILTER_MATCH' );
+	$capabilities{NFACCT_MATCH}    = detect_capability( 'NFACCT_MATCH' );
+	$capabilities{CHECKSUM_TARGET} = detect_capability( 'CHECKSUM_TARGET' );
+	
+	if ( have_capability 'CT_TARGET' ) {
+	    $capabilities{$_} = detect_capability $_ for ( values( %helpers_map ) );
+	} else {
+	    $capabilities{HELPER_MATCH} = detect_capability 'HELPER_MATCH';
+	}
 
 	qt1( "$iptables -F $sillyname" );
 	qt1( "$iptables -X $sillyname" );
@@ -3426,6 +3801,11 @@ sub determine_capabilities() {
 	    qt1( "$iptables -t nat -X $sillyname" );
 	}
 
+	if ( $capabilities{RAW_TABLE} ) {
+	    qt1( "$iptables -t raw -F $sillyname" );
+	    qt1( "$iptables -t raw -X $sillyname" );
+	}
+
 	$sillyname = $sillyname1 = undef;
     }
 }
@@ -3439,6 +3819,13 @@ sub require_capability( $$$ ) {
     fatal_error "$description require${singular} $capdesc{$capability} in your kernel and iptables" unless have_capability $capability;
 }
 
+#
+# Return Kernel Version
+#
+sub kernel_version() {
+    $capabilities{KERNELVERSION}
+}
+
 #
 # Set default config path
 #
@@ -3657,7 +4044,14 @@ sub process_shorewall_conf( $$ ) {
 		if ( $currentline =~ /^\s*([a-zA-Z]\w*)=(.*?)\s*$/ ) {
 		    my ($var, $val) = ($1, $2);
 
-		    warning_message "Unknown configuration option ($var) ignored", next unless exists $config{$var};
+		    unless ( exists $config{$var} ) {
+			if ( exists $renamed{$var} ) {
+			    $var = $renamed{$var};
+			} else {
+			    warning_message "Unknown configuration option ($var) ignored";
+			    next ;
+			}
+		    }
 
 		    $config{$var} = ( $val =~ /\"([^\"]*)\"$/ ? $1 : $val );
 
@@ -3701,7 +4095,9 @@ sub read_capabilities() {
 		next;
 	    }
 
-	    $capabilities{$var} = $val =~ /^\"([^\"]*)\"$/ ? $1 : $val;
+	    $val = $val =~ /^\"([^\"]*)\"$/ ? $1 : $val;
+	    
+	    $capabilities{$var} = $var =~ /VERSION$/ ? $val :  $val ne '';
 	} else {
 	    fatal_error "Unrecognized capabilities entry";
 	}
@@ -3724,6 +4120,7 @@ sub read_capabilities() {
     }
 
     $globals{KLUDGEFREE} = $capabilities{KLUDGEFREE};
+
 }
 
 #
@@ -3853,7 +4250,7 @@ sub get_params() {
 	    #
 	    # - Variable names preceded by 'export '
 	    # - Variable values are delimited by double quotes
-	    # - Embedded single quotes are escaped with '\'
+	    # - Embedded double quotes are escaped with '\'
 	    # - Valueless variables ( e.g., 'export foo') are supported
 	    #
 	    $shell = OLDBASH;
@@ -4012,6 +4409,14 @@ sub get_configuration( $$$ ) {
 
     get_capabilities( $export );
 
+    report_capabilities unless $config{LOAD_HELPERS_ONLY};
+
+    $helpers_aliases{ftp}  = 'ftp-0',  $capabilities{FTP_HELPER}  = 1 if $capabilities{FTP0_HELPER};
+    $helpers_aliases{irc}  = 'irc-0',  $capabilities{IRC_HELPER}  = 1 if $capabilities{IRC0_HELPER};
+    $helpers_aliases{sane} = 'sane-0', $capabilities{SANE_HELPER} = 1 if $capabilities{SANE0_HELPER};
+    $helpers_aliases{sip}  = 'sip-0',  $capabilities{SIP_HELPER}  = 1 if $capabilities{SIP0_HELPER};
+    $helpers_aliases{tftp} = 'tftp-0', $capabilities{TFTP_HELPER} = 1 if $capabilities{TFTP0_HELPER};
+
     $globals{STATEMATCH} = '-m conntrack --ctstate' if have_capability 'CONNTRACK_MATCH';
 
     #
@@ -4190,7 +4595,7 @@ sub get_configuration( $$$ ) {
     default_yes_no 'EXPAND_POLICIES'            , '';
     default_yes_no 'KEEP_RT_TABLES'             , '';
     default_yes_no 'DELETE_THEN_ADD'            , 'Yes';
-    default_yes_no 'AUTO_COMMENT'               , 'Yes';
+    default_yes_no 'AUTOCOMMENT'                , 'Yes';
     default_yes_no 'MULTICAST'                  , '';
     default_yes_no 'MARK_IN_FORWARD_CHAIN'      , '';
     default_yes_no 'MANGLE_ENABLED'             , have_capability 'MANGLE_ENABLED' ? 'Yes' : '';
@@ -4219,6 +4624,33 @@ sub get_configuration( $$$ ) {
     default_yes_no 'LEGACY_FASTSTART'           , 'Yes';
     default_yes_no 'USE_PHYSICAL_NAMES'         , '';
     default_yes_no 'IPSET_WARNINGS'             , 'Yes';
+    default_yes_no 'AUTOHELPERS'                , 'Yes';
+    default_yes_no 'RESTORE_ROUTEMARKS'         , 'Yes';
+
+    $config{IPSET} = '' if supplied $config{IPSET} && $config{IPSET} eq 'ipset'; 
+
+    if ( supplied $config{HELPERS} ) {
+	my %helpers_temp = %helpers_enabled;
+
+	$helpers_temp{$_} = 0 for keys %helpers_temp;
+
+	for ( split_list $config{HELPERS} , 'helper' ) {
+	    my $name = $_;
+	    if ( exists $helpers_enabled{$name} ) {
+		s/-/_/;
+		require_capability( uc( $_ ) . '_HELPER' , "The $name helper", 's' );
+		$helpers_temp{$name} = 1;
+	    } else {
+		fatal_error "Unknown Helper ($_)";
+	    }
+	}
+	
+	%helpers_enabled = %helpers_temp;
+
+	while ( my ( $helper, $enabled ) = each %helpers_enabled ) {
+	    $capabilities{uc($helper) . '_HELPER'} = 0 unless $enabled; 
+	}
+    }
 
     require_capability 'MARK' , 'FORWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK};
 
@@ -4304,6 +4736,15 @@ sub get_configuration( $$$ ) {
 	$config{SFILTER_DISPOSITION} = 'DROP';
     }
 
+    default_log_level 'RPFILTER_LOG_LEVEL', 'info';
+
+    if ( $val = $config{RPFILTER_DISPOSITION} ) {
+	fatal_error "Invalid RPFILTER_DISPOSITION setting ($val)" unless $val =~ /^(A_)?(DROP|REJECT)$/;
+	require_capability 'AUDIT_TARGET' , "RPFILTER_DISPOSITION=$val", 's' if $1;
+    } else {
+	$config{RPFILTER_DISPOSITION} = 'DROP';
+    }
+
     if ( $val = $config{MACLIST_DISPOSITION} ) {
 	if ( $val =~ /^(?:A_)?DROP$/ ) {
 	    $globals{MACLIST_TARGET} = $val;
@@ -4455,8 +4896,6 @@ sub get_configuration( $$$ ) {
 	$config{LOCKFILE} = '';
     }
 
-    report_capabilities unless $config{LOAD_HELPERS_ONLY};
-
     require_capability( 'MULTIPORT'       , "Shorewall $globals{VERSION}" , 's' );
     require_capability( 'RECENT_MATCH'    , 'MACLIST_TTL' , 's' )           if $config{MACLIST_TTL};
     require_capability( 'XCONNMARK'       , 'HIGH_ROUTE_MARKS=Yes' , 's' )  if $config{PROVIDER_OFFSET} > 0;

Shorewall/Perl/Shorewall/IPAddrs.pm

@@ -26,13 +26,13 @@
 #
 package Shorewall::IPAddrs;
 require Exporter;
-use Shorewall::Config qw( :DEFAULT split_list require_capability in_hex8 numeric_value F_IPV4 F_IPV6 );
+use Shorewall::Config qw( :DEFAULT split_list require_capability in_hex8 numeric_value F_IPV4 F_IPV6 :protocols );
 use Socket;
 
 use strict;
 
 our @ISA = qw(Exporter);
-our @EXPORT = qw( ALLIPv4
+our @EXPORT = ( qw( ALLIPv4
                   ALLIPv6
 		  NILIPv4
 		  NILIPv6
@@ -48,14 +48,6 @@ our @EXPORT = qw( ALLIPv4
 		  ALLIP
 		  NILIP
 		  ALL
-		  TCP
-		  UDP
-		  UDPLITE
-		  ICMP
-		  DCCP
-		  IPv6_ICMP
-		  SCTP
-		  GRE
 
 		  validate_address
 		  validate_net
@@ -80,7 +72,7 @@ our @EXPORT = qw( ALLIPv4
 		  validate_port_list
 		  validate_icmp
 		  validate_icmp6
-		 );
+		 ) );
 our @EXPORT_OK = qw( );
 our $VERSION = 'MODULEVERSION';
 
@@ -115,14 +107,7 @@ use constant { ALLIPv4             => '0.0.0.0/0' ,
 	       IPv6_LINK_ALLRTRS   => 'ff01::2' ,
 	       IPv6_SITE_ALLNODES  => 'ff02::1' ,
 	       IPv6_SITE_ALLRTRS   => 'ff02::2' ,
-	       ICMP                => 1,
-	       TCP                 => 6,
-	       UDP                 => 17,
-	       DCCP                => 33,
-	       GRE                 => 47,
-	       IPv6_ICMP           => 58,
-	       SCTP                => 132,
-	       UDPLITE             => 136 };
+	   };
 
 my @rfc1918_networks = ( "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" );
 
@@ -222,11 +207,13 @@ sub validate_4net( $$ ) {
     }
 
     if ( defined wantarray ) {
-	assert ( ! $allow_name );
 	if ( wantarray ) {
+	    assert( ! $allow_name );
 	    ( decodeaddr( $net ) , $vlsm );
+	} elsif ( valid_4address $net ) {
+	    $vlsm == 32 ? $net : "$net/$vlsm";
 	} else {
-	    "$net/$vlsm";
+	    $net;
 	}
     }
 }
@@ -241,6 +228,8 @@ sub validate_4range( $$ ) {
     my $last  = decodeaddr $high;
 
     fatal_error "Invalid IP Range ($low-$high)" unless $first <= $last;
+
+    "$low-$high";
 }
 
 sub validate_4host( $$ ) {
@@ -623,7 +612,7 @@ sub validate_6address( $$ ) {
 
 sub validate_6net( $$ ) {
     my ($net, $vlsm, $rest) = split( '/', $_[0], 3 );
-    my $allow_name = $_[1];
+    my $allow_name = $_[0];
 
     if ( $net =~ /\+(\[?)/ ) {
 	if ( $1 ) {
@@ -635,22 +624,28 @@ sub validate_6net( $$ ) {
 	}
     }
 
+    fatal_error "Invalid Network address ($_[0])" unless supplied $net;
+
+    $net = $1 if $net =~ /^\[(.*)\]$/;
+
     if ( defined $vlsm ) {
         fatal_error "Invalid VLSM ($vlsm)"              unless $vlsm =~ /^\d+$/ && $vlsm <= 128;
 	fatal_error "Invalid Network address ($_[0])"   if defined $rest;
 	fatal_error "Invalid IPv6 address ($net)"       unless valid_6address $net;
     } else {
-	fatal_error "Invalid Network address ($_[0])" if $_[0] =~ '/' || ! defined $net;
+	fatal_error "Invalid Network address ($_[0])" if $_[0] =~ '/';
 	validate_6address $net, $allow_name;
 	$vlsm = 128;
     }
 
     if ( defined wantarray ) {
-	assert ( ! $allow_name );
 	if ( wantarray ) {
+	    assert( ! $allow_name );
 	    ( $net , $vlsm );
+	} elsif ( valid_6address ( $net ) ) {
+	    $vlsm == 32 ? $net : "$net/$vlsm";
 	} else {
-	    "$net/$vlsm";
+	    $net;
 	}
     }
 }
@@ -697,11 +692,13 @@ sub validate_6range( $$ ) {
     while ( @low ) {
 	my ( $l, $h) = ( shift @low, shift @high );
 	next     if hex "0x$l" == hex "0x$h";
-	return 1 if hex "0x$l"  < hex "0x$h";
+	return "$low-$high" if hex "0x$l"  < hex "0x$h";
 	last;
     }
 
     fatal_error "Invalid IPv6 Range ($low-$high)";
+
+    
 }
 
 sub validate_6host( $$ ) {

Shorewall/Perl/Shorewall/Misc.pm

@@ -41,6 +41,7 @@ our @EXPORT = qw( process_tos
 		  add_common_rules
 		  setup_mac_lists
 		  process_routestopped
+		  process_stoppedrules
 		  compile_stop_firewall
 		  generate_matrix
 		  );
@@ -203,6 +204,9 @@ sub setup_blacklist() {
     my $target      = $disposition eq 'REJECT' ? 'reject' : $disposition;
     my $orig_target = $target;
 
+  BLACKLIST:
+    {
+	if ( my $fn = open_file 'blacklist' ) {
 	    #
 	    # We go ahead and generate the blacklist chains and jump to them, even if they turn out to be empty. That is necessary
 	    # for 'refresh' to work properly.
@@ -219,10 +223,6 @@ sub setup_blacklist() {
 		}
 	    }
 
-  BLACKLIST:
-    {
-	if ( my $fn = open_file 'blacklist' ) {
-
 	    my $first_entry = 1;
 
 	    first_entry "$doing $fn...";
@@ -668,6 +668,89 @@ sub process_routestopped() {
     }
 }
 
+#
+# Process the stoppedrules file. Returns true if the file was non-empty.
+#
+sub process_stoppedrules() {
+    my $fw = firewall_zone;
+    my $result;
+
+    if ( my $fn = open_file 'stoppedrules' ) {
+	first_entry "$doing $fn...";
+
+	while ( read_a_line( NORMAL_READ ) ) {
+
+	    $result = 1;
+
+	    my ( $target, $source, $dest, $proto, $ports, $sports ) = 
+		split_line1 'stoppedrules file', { target => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5 }, { COMMENT => 0, FORMAT => 2 };
+
+	    fatal_error( "Invalid TARGET ($target)" ) unless $target =~ /^(?:ACCEPT|NOTRACK)$/;
+
+	    my $tableref;
+
+	    my $chainref;
+	    my $restriction = NO_RESTRICT;
+
+	    if ( $target eq 'NOTRACK' ) {
+		$tableref = $raw_table;
+		require_capability 'RAW_TABLE', 'NOTRACK', 's';
+		$chainref = $raw_table->{PREROUTING};
+		$restriction = PREROUTE_RESTRICT | DESTIFACE_DISALLOW;
+	    } else {
+		$tableref = $filter_table;
+	    }
+
+	    if ( $source eq $fw ) {
+		$chainref = ( $target eq 'NOTRACK' ? $raw_table : $filter_table)->{OUTPUT};
+		$source = '';
+		$restriction = OUTPUT_RESTRICT;
+	    } elsif ( $source =~ s/^($fw):// ) {
+		$chainref = ( $target eq 'NOTRACK' ? $raw_table : $filter_table)->{OUTPUT};
+		$restriction = OUTPUT_RESTRICT;
+	    }
+
+	    if ( $dest eq $fw ) {
+		fatal_error "\$FW may not be specified as the destination of a NOTRACK rule" if $target eq 'NOTRACK';
+		$chainref = $filter_table->{INPUT};
+		$dest = '';
+		$restriction = INPUT_RESTRICT;
+	    } elsif ( $dest =~ s/^($fw):// ) {
+		fatal_error "\$FW may not be specified as the destination of a NOTRACK rule" if $target eq 'NOTRACK';
+		$chainref = $filter_table->{INPUT};
+		$restriction = INPUT_RESTRICT;
+	    }
+
+	    $chainref = $tableref->{FORWARD} unless $chainref;
+
+	    my $disposition = $target;
+
+	    $target = 'CT --notrack' if $target eq 'NOTRACK' and have_capability( 'CT_TARGET' );
+
+	    unless ( $restriction == OUTPUT_RESTRICT
+		     && $target eq 'ACCEPT'
+		     && $config{ADMINISABSENTMINDED} ) {
+		expand_rule( $chainref ,
+			     $restriction ,
+			     do_proto( $proto, $ports, $sports ) ,
+			     $source ,
+			     $dest ,
+			     '' ,
+			     $target,
+			     '',
+			     $disposition,
+			     do_proto( $proto, '-', '-' ) );
+	    } else {
+		warning_message "Redundant OUTPUT rule ignored because ADMINISABSENTMINDED=Yes";
+	    }
+	}
+    }
+
+    clear_comment;
+
+    $result;
+}
+
 sub setup_mss();
 
 sub add_common_rules ( $ ) {
@@ -681,7 +764,7 @@ sub add_common_rules ( $ ) {
     my $chain;
     my $dynamicref;
 
-    my @state     = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID' : ();
+    my @state     = $config{BLACKLISTNEWONLY} ? have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID' : ();
     my $faststate = $config{RELATED_DISPOSITION} eq 'ACCEPT' && $config{RELATED_LOG_LEVEL} eq '' ? 'ESTABLISHED,RELATED' : 'ESTABLISHED';
     my $level     = $config{BLACKLIST_LOGLEVEL};
     my $rejectref = $filter_table->{reject};
@@ -749,7 +832,7 @@ sub add_common_rules ( $ ) {
 
 	my $interfaceref = find_interface $interface;
 
-	unless ( $interfaceref->{options}{ignore} & NO_SFILTER ) {
+	unless ( $interfaceref->{options}{ignore} & NO_SFILTER || $interfaceref->{options}{rpfilter} ) {
 
 	    my @filters = @{$interfaceref->{filter}};
 
@@ -787,6 +870,38 @@ sub add_common_rules ( $ ) {
 	}
     }
 
+    $list = find_interfaces_by_option('rpfilter');
+
+    if ( @$list ) {
+	$policy   = $config{RPFILTER_DISPOSITION};
+	$level    = $config{RPFILTER_LOG_LEVEL};
+	$audit    = $policy =~ s/^A_//;
+	
+	if ( $level || $audit ) {
+	    #
+	    # Create a chain to log and/or audit and apply the policy
+	    #
+	    $chainref = ensure_mangle_chain 'rplog';
+
+	    log_rule $level , $chainref , $policy , '' if $level ne '';
+
+	    add_ijump( $chainref, j => 'AUDIT', targetopts => '--type ' . lc $policy ) if $audit;
+
+	    add_ijump $chainref, g => $policy eq 'REJECT' ? 'reject' : $policy;
+
+	    $target = 'rplog';
+	} else {
+	    $target = $policy eq 'REJECT' ? 'reject' : $policy;
+	}
+
+	add_ijump( ensure_mangle_chain( 'rpfilter' ),
+		   j        => $target,
+		   rpfilter => '--validmark --invert',
+		   state_imatch 'NEW,RELATED,INVALID',
+		   @ipsec
+		 );
+    }
+	    
     run_user_exit1 'initdone';
 
     if ( $upgrade ) {
@@ -850,7 +965,7 @@ sub add_common_rules ( $ ) {
 	    add_ijump( $chainref, g => $smurfdest, s => IPv6_MULTICAST );
 	}
 
-	my @state = $globals{UNTRACKED} ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID';
+	my @state = have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID';
 
 	for my $hostref  ( @$list ) {
 	    $interface     = $hostref->[0];
@@ -1155,7 +1270,7 @@ sub setup_mac_lists( $ ) {
 	    my @policy     = have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
 	    my @source     = imatch_source_net $hostref->[2];
 
-	    my @state = $globals{UNTRACKED} ? state_imatch 'NEW,UNTRACKED' : state_imatch 'NEW';
+	    my @state = have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,UNTRACKED' : state_imatch 'NEW';
 
 	    if ( $table eq 'filter' ) {
 		my $chainref = source_exclusion( $hostref->[3], $filter_table->{mac_chain $interface} );
@@ -1310,6 +1425,7 @@ sub generate_source_rules( $$$;@ ) {
 sub handle_loopback_traffic() {
     my @zones   = ( vserver_zones, firewall_zone );
     my $natout  = $nat_table->{OUTPUT};
+    my $rawout  = $raw_table->{OUTPUT};
     my $rulenum = 0;
 
     my $outchainref;
@@ -1333,6 +1449,7 @@ sub handle_loopback_traffic() {
 	my $z1ref            = find_zone( $z1 );
 	my $type1            = $z1ref->{type};
 	my $natref           = $nat_table->{dnat_chain $z1};
+	my $notrackref       = $raw_table->{notrack_chain( $z1 )};
 	#
 	# Add jumps in the 'output' chain to the rules chains
 	#
@@ -1342,10 +1459,33 @@ sub handle_loopback_traffic() {
 
 		generate_dest_rules( $outchainref, $chain, $z2, @rule ) if $chain;
 	    }
+	    #
+	    # Handle conntrack 
+	    #
+	    if ( $notrackref ) {
+		add_ijump $rawout, j => $notrackref if $notrackref->{referenced};
+	    }
 	} else {
 	    for my $z2 ( @zones ) {
 		generate_source_rules( $outchainref, $z1, $z2, @rule );
 	    }
+	    #
+	    # Handle conntrack rules
+	    #
+	    if ( $notrackref->{referenced} ) {
+		for my $hostref ( @{defined_zone( $z1 )->{hosts}{ip}{'%vserver%'}} ) {
+		    my $exclusion   = source_exclusion( $hostref->{exclusions}, $notrackref);
+		    my @ipsec_match = match_ipsec_in $z1 , $hostref;
+
+		    for my $net ( @{$hostref->{hosts}} ) {
+			insert_ijump( $rawout,
+				      j => $exclusion ,
+				      $rawout->{insert}++,
+				      imatch_source_net $net,
+				      @ipsec_match );
+		    }
+		}
+	    }
 	}
 
 	if ( $natref && $natref->{referenced} ) {
@@ -1379,6 +1519,7 @@ sub add_interface_jumps {
     our %forward_jump_added;
     my  $lo_jump_added = 0;
     my @interfaces = grep $_ ne '%vserver%', @_;
+    my $dummy;
     #
     # Add Nat jumps
     #
@@ -1386,10 +1527,6 @@ sub add_interface_jumps {
 	addnatjump 'POSTROUTING' , snat_chain( $interface ), imatch_dest_dev( $interface );
     }
 
-    addnatjump 'PREROUTING'  , 'nat_in';
-    addnatjump 'POSTROUTING' , 'nat_out';
-    addnatjump 'PREROUTING', 'dnat';
-
     for my $interface ( @interfaces  ) {
 	addnatjump 'PREROUTING'  , input_chain( $interface )  , imatch_source_dev( $interface );
 	addnatjump 'POSTROUTING' , output_chain( $interface ) , imatch_dest_dev( $interface );
@@ -1400,6 +1537,8 @@ sub add_interface_jumps {
 	    insert_ijump ( $raw_table->{PREROUTING},      j => prerouting_chain( $interface ),  0, imatch_source_dev( $interface) ) if $raw_table->{prerouting_chain $interface};
 	    insert_ijump ( $raw_table->{OUTPUT},          j => output_chain( $interface ),      0, imatch_dest_dev( $interface) )   if $raw_table->{output_chain $interface};
 	}
+
+	add_ijump( $mangle_table->{PREROUTING}, j => 'rpfilter' , imatch_source_dev( $interface ) ) if interface_has_option( $interface, 'rpfilter', $dummy );
     }
     #
     # Add the jumps to the interface chains from filter FORWARD, INPUT, OUTPUT
@@ -1477,7 +1616,7 @@ sub handle_complex_zone( $$ ) {
 
     if ( have_ipsec ) {
 	#
-	# Prior to KLUDGEFREE, policy match could only match an 'in' or an 'out' policy (but not both), so we place the
+	# In general, policy match can only match an 'in' or an 'out' policy (but not both), so we place the
 	# '--pol ipsec --dir in' rules at the front of the (interface) forwarding chains. Otherwise, decrypted packets
 	# can match '--pol none --dir out' rules and send the packets down the wrong rules chain.
 	#
@@ -1692,6 +1831,7 @@ sub add_prerouting_jumps( $$$$$$$$ ) {
 
     my $dnatref         = $nat_table->{dnat_chain( $zone )};
     my $preroutingref   = $nat_table->{PREROUTING};
+    my $rawref          = $raw_table->{PREROUTING};
     my $notrackref      = ensure_chain 'raw' , notrack_chain( $zone );
     my @ipsec_in_match  = match_ipsec_in  $zone , $hostref;
 
@@ -1716,15 +1856,20 @@ sub add_prerouting_jumps( $$$$$$$$ ) {
 	# There are notrack rules with this zone as the source.
 	# Add a jump from this source network to this zone's notrack chain
 	#
-	add_ijump $raw_table->{PREROUTING}, j => source_exclusion( $exclusions, $notrackref), imatch_source_dev( $interface), @source, @ipsec_in_match;
+	insert_ijump $rawref, j => source_exclusion( $exclusions, $notrackref), $rawref->{insert}++, imatch_source_dev( $interface), @source, @ipsec_in_match;
     }
     #
     # If this zone has parents with DNAT/REDIRECT or notrack rules and there are no CONTINUE polcies with this zone as the source
     # then add a RETURN jump for this source network.
     #
     if ( $nested ) {
-	add_ijump $preroutingref,           j => 'RETURN', imatch_source_dev( $interface), @source, @ipsec_in_match if $parenthasnat;
-	add_ijump $raw_table->{PREROUTING}, j => 'RETURN', imatch_source_dev( $interface), @source, @ipsec_in_match if $parenthasnotrack;
+	if ( $parenthasnat ) {
+	    add_ijump $preroutingref, j => 'RETURN',                      imatch_source_dev( $interface), @source, @ipsec_in_match;
+	}
+	if ( $parenthasnotrack ) {
+	    my $rawref = $raw_table->{PREROUTING};
+	    insert_ijump $rawref,     j => 'RETURN', $rawref->{insert}++, imatch_source_dev( $interface), @source, @ipsec_in_match;
+	}
     }
 }
 
@@ -1927,7 +2072,7 @@ sub optimize1_zones( $$@ ) {
 # The biggest disadvantage of the zone-policy-rule model used by Shorewall is that it doesn't scale well as the number of zones increases (Order N**2 where N = number of zones).
 # A major goal of the rewrite of the compiler in Perl was to restrict those scaling effects to this function and the rules that it generates.
 #
-# The function traverses the full "source-zone by destination-zone" matrix and generates the rules necessary to direct traffic through the right set of filter-table and
+# The function traverses the full "source-zone by destination-zone" matrix and generates the rules necessary to direct traffic through the right set of filter-table, raw-table and
 # nat-table rules.
 #
 sub generate_matrix() {
@@ -1960,12 +2105,6 @@ sub generate_matrix() {
 	}
     }
     #
-    # NOTRACK from firewall
-    #
-    if ( ( my $notrackref = $raw_table->{notrack_chain(firewall_zone)}) ) {
-	add_ijump $raw_table->{OUTPUT}, j => $notrackref if $notrackref->{referenced};
-    }
-    #
     # Main source-zone matrix-generation loop
     #
     progress_message '  Entering main matrix-generation loop...';
@@ -2096,6 +2235,11 @@ sub generate_matrix() {
     } # Source Zone Loop
 
     progress_message '  Finishing matrix...';
+    #
+    # Make sure that the 1:1 NAT jumps are last in PREROUTING
+    #
+    addnatjump 'PREROUTING'  , 'nat_in';
+    addnatjump 'POSTROUTING' , 'nat_out';
 
     add_interface_jumps @interfaces unless $interface_jumps_added;
 
@@ -2287,6 +2431,14 @@ EOF
     deletechain shorewall
 
     run_stop_exit
+
+    #
+    # Enable automatic helper association on kernel 3.5.0 and later
+    #
+    if [ -f /proc/sys/net/netfilter/nf_conntrack_helper ]; then
+        echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper
+    fi
+
 EOF
 
     if ( have_capability( 'NAT_ENABLED' ) ) {
@@ -2354,7 +2506,7 @@ EOF
 	}
     }
 
-    process_routestopped;
+    process_routestopped unless process_stoppedrules;
 
     add_ijump $input,  j => 'ACCEPT', i => 'lo';
     add_ijump $output, j => 'ACCEPT', o => 'lo' unless $config{ADMINISABSENTMINDED};

Shorewall/Perl/Shorewall/Nat.pm

@@ -123,7 +123,7 @@ sub process_one_masq( )
     #
     # Handle Protocol, Ports and Condition
     #
-    $baserule .= do_proto( $proto, $ports, '' ) . do_condition( $condition );
+    $baserule .= do_proto( $proto, $ports, '' );
     #
     # Handle Mark
     #
@@ -158,6 +158,8 @@ sub process_one_masq( )
 
 	my $chainref = ensure_chain('nat', $pre_nat ? snat_chain $interface : masq_chain $interface);
 
+	$baserule .= do_condition( $condition , $chainref->{name} );
+
 	my $detectaddress = 0;
 	my $exceptionrule = '';
 	my $randomize     = '';
@@ -431,8 +433,8 @@ sub setup_netmap() {
 		    my @rulein;
 		    my @ruleout;
 
-		    validate_net $net1, 0;
-		    validate_net $net2, 0;
+		    $net1 = validate_net $net1, 0;
+		    $net2 = validate_net $net2, 0;
 
 		    unless ( $interfaceref->{root} ) {
 			@rulein  = imatch_source_dev( $interface );
@@ -466,7 +468,7 @@ sub setup_netmap() {
 
 		    require_capability 'RAWPOST_TABLE', 'Stateless NAT Entries', '';
 
-		    validate_net $net2, 0;
+		    $net2 = validate_net $net2, 0;
 
 		    unless ( $interfaceref->{root} ) {
 			@match = imatch_dest_dev(  $interface );
@@ -632,12 +634,13 @@ sub handle_nat_rule( $$$$$$$$$$$$ ) {
     #
     # And generate the nat table rule(s)
     #
+    my $firewallsource = $sourceref && ( $sourceref->{type} & ( FIREWALL | VSERVER ) );
+
     expand_rule ( ensure_chain ('nat' ,
-				( $action_chain ?
-				  $action_chain :
-				  ( $sourceref->{type} == FIREWALL ? 'OUTPUT' : 
-				    dnat_chain $sourceref->{name} ) ) ),
-		  PREROUTE_RESTRICT ,
+				( $action_chain   ? $action_chain :
+				  $firewallsource ? 'OUTPUT' :
+				  dnat_chain $sourceref->{name} ) ) ,
+		  $firewallsource ? OUTPUT_RESTRICT : PREROUTE_RESTRICT ,
 		  $rule ,
 		  $source ,
 		  $origdest ,

Shorewall/Perl/Shorewall/Proc.pm

@@ -251,9 +251,6 @@ sub setup_forwarding( $$ ) {
 	if ( @$interfaces ) {
 	    progress_message2 "$doing Interface forwarding..." if $first;
 
-	    push_indent;
-	    push_indent;
-
 	    save_progress_message 'Setting up IPv6 Interface Forwarding...';
 
 	    for my $interface ( @$interfaces ) {
@@ -270,9 +267,6 @@ sub setup_forwarding( $$ ) {
 		       "    error_message \"WARNING: Cannot set IPv6 forwarding on $interface\"" ) unless $optional;
 		emit   "fi\n";
 	    }
-
-	    pop_indent;
-	    pop_indent;
 	}
     }
 }

Shorewall/Perl/Shorewall/Providers.pm

@@ -118,10 +118,15 @@ sub initialize( $ ) {
 #
 sub setup_route_marking() {
     my $mask = in_hex( $globals{PROVIDER_MASK} );
+    my $exmask = have_capability( 'EXMARK' ) ? "/$mask" : '';
 
     require_capability( $_ , q(The provider 'track' option) , 's' ) for qw/CONNMARK_MATCH CONNMARK/;
 
+    if ( $config{RESTORE_ROUTEMARKS} ) {
+	add_ijump $mangle_table->{$_} , j => 'CONNMARK', targetopts => "--restore-mark --mask $mask" for qw/PREROUTING OUTPUT/;
+    } else {
 	add_ijump $mangle_table->{$_} , j => 'CONNMARK', targetopts => "--restore-mark --mask $mask", connmark => "! --mark 0/$mask" for qw/PREROUTING OUTPUT/;
+    }
 
     my $chainref  = new_chain 'mangle', 'routemark';
 
@@ -145,10 +150,10 @@ sub setup_route_marking() {
 
 	    if ( $providerref->{shared} ) {
 		add_commands( $chainref, qq(if [ -n "$providerref->{mac}" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional};
-		add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}", imatch_source_dev( $interface ), mac => "--mac-source $providerref->{mac}";
+		add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}${exmask}", imatch_source_dev( $interface ), mac => "--mac-source $providerref->{mac}";
 		decr_cmd_level( $chainref ), add_commands( $chainref, "fi\n" ) if $providerref->{optional};
 	    } else {
-		add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}", imatch_source_dev( $interface );
+		add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}${exmask}", imatch_source_dev( $interface );
 	    }
 	}
 
@@ -333,24 +338,35 @@ sub balance_fallback_route( $$$$ ) {
     }
 }
 
-sub start_provider( $$$ ) {
-    my ($table, $number, $test ) = @_;
+sub start_provider( $$$$ ) {
+    my ($what, $table, $number, $test ) = @_;
 
-    emit "\n#\n# Add Provider $table ($number)\n#";
+    emit "\n#\n# Add $what $table ($number)\n#";
 
+    if ( $number ) {
 	emit "start_provider_$table() {";
+    } else {
+	emit "start_interface_$table() {";
+    }
+
     push_indent;
     emit $test;
     push_indent;
 
+
+    if ( $number ) {
 	emit "qt ip -$family route flush table $number";
 	emit "echo \"qt \$IP -$family route flush table $number\" > \${VARDIR}/undo_${table}_routing";
+    } else {
+	emit( "> \${VARDIR}/undo_${table}_routing" );
+    }
 }
 
 #
 # Process a record in the providers file
 #
-sub process_a_provider() {
+sub process_a_provider( $ ) {
+    my $pseudo = $_[0]; # When true, this is an optional interface that we are treating somewhat like a provider.
 
     my ($table, $number, $mark, $duplicate, $interface, $gateway,  $options, $copy ) =
 	split_line 'providers file', { table => 0, number => 1, mark => 2, duplicate => 3, interface => 4, gateway => 5, options => 6, copy => 7 };
@@ -358,6 +374,8 @@ sub process_a_provider() {
     fatal_error "Duplicate provider ($table)" if $providers{$table};
 
     fatal_error 'NAME must be specified' if $table eq '-';
+
+    unless ( $pseudo ) {
 	fatal_error "Invalid Provider Name ($table)" unless $table =~ /^[\w]+$/;
 
 	my $num = numeric_value $number;
@@ -370,6 +388,7 @@ sub process_a_provider() {
 	for my $providerref ( values %providers  ) {
 	    fatal_error "Duplicate provider number ($number)" if $providerref->{number} == $number;
 	}
+    }
 
     fatal_error 'INTERFACE must be specified' if $interface eq '-';
 
@@ -389,6 +408,11 @@ sub process_a_provider() {
     my $physical    = get_physical $interface;
     my $gatewaycase = '';
 
+    if ( $physical =~ /\+$/ ) {
+	return 0 if $pseudo;
+	fatal_error "Wildcard interfaces ($physical) may not be used as provider interfaces";
+    }
+
     if ( $gateway eq 'detect' ) {
 	fatal_error "Configuring multiple providers through one interface requires an explicit gateway" if $shared;
 	$gateway = get_interface_gateway $interface;
@@ -402,8 +426,15 @@ sub process_a_provider() {
 	$gateway = '';
     }
 
-    my ( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $tproxy , $local, $load ) =
-	(0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), ''  , 0       , 0,      0 );
+    my ( $loose, $track, $balance, $default, $default_balance, $optional, $mtu, $tproxy, $local, $load, $what );
+
+    if ( $pseudo ) {	
+	( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $tproxy , $local, $load, $what ) =
+	( 0,      0                       , 0 ,        0,        0,                               1                                  , ''  , 0       , 0,      0,     'interface');
+    } else {
+	( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $tproxy , $local, $load, $what )=
+	( 0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), ''  , 0       , 0,      0,     'provider');
+    }
 
     unless ( $options eq '-' ) {
 	for my $option ( split_list $options, 'option' ) {
@@ -513,7 +544,7 @@ sub process_a_provider() {
 
     }
 
-    unless ( $loose ) {
+    unless ( $loose || $pseudo ) {
 	warning_message q(The 'proxyarp' option is dangerous when specified on a Provider interface) if get_interface_option( $interface, 'proxyarp' );
 	warning_message q(The 'proxyndp' option is dangerous when specified on a Provider interface) if get_interface_option( $interface, 'proxyndp' );
     }
@@ -551,10 +582,14 @@ sub process_a_provider() {
 			   local       => $local ,
 			   tproxy      => $tproxy ,
 			   load        => $load ,
+			   pseudo      => $pseudo ,
+			   what        => $what ,
 			   rules       => [] ,
 			   routes      => [] ,
 			 };
 
+    $provider_interfaces{$interface} = $table unless $shared;
+
     if ( $track ) {
 	fatal_error "The 'track' option requires a numeric value in the MARK column" if $mark eq '-';
 
@@ -573,7 +608,22 @@ sub process_a_provider() {
 
     push @providers, $table;
 
-    progress_message "   Provider \"$currentline\" $done";
+    progress_message "   Provider \"$currentline\" $done" unless $pseudo;
+
+    return 1;
+}
+
+#
+# Emit a 'started' message
+#
+sub emit_started_message( $$$$$ ) {
+    my ( $spaces, $level, $pseudo, $name, $number ) = @_;
+
+    if ( $pseudo ) {
+	emit qq(${spaces}progress_message${level} "   Optional interface $name Started");
+    } else {
+	emit qq(${spaces}progress_message${level} "   Provider $name ($number) Started");
+    }
 }
 
 #
@@ -604,6 +654,9 @@ sub add_a_provider( $$ ) {
     my $local       = $providerref->{local};
     my $tproxy      = $providerref->{tproxy};
     my $load        = $providerref->{load};
+    my $pseudo      = $providerref->{pseudo};
+    my $what        = $providerref->{what};
+    my $label       = $pseudo ? 'Optional Interface' : 'Provider';
 
     my $dev         = chain_base $physical;
     my $base        = uc $dev;
@@ -612,14 +665,16 @@ sub add_a_provider( $$ ) {
     if ( $shared ) {
 	my $variable = $providers{$table}{mac} = get_interface_mac( $gateway, $interface , $table );
 	$realm = "realm $number";
-	start_provider( $table, $number, qq(if interface_is_usable $physical && [ -n "$variable" ]; then) );
+	start_provider( $label , $table, $number, qq(if interface_is_usable $physical && [ -n "$variable" ]; then) );
+    } elsif ( $pseudo ) {
+	start_provider( $label , $table, $number, qq(if [ -n "\$SW_${base}_IS_USABLE" ]; then) );
     } else {
 	if ( $optional ) {
-	    start_provider( $table, $number, qq(if [ -n "\$SW_${base}_IS_USABLE" ]; then) );
+	    start_provider( $label, $table , $number, qq(if [ -n "\$SW_${base}_IS_USABLE" ]; then) );
 	} elsif ( $gatewaycase eq 'detect' ) {
-	    start_provider( $table, $number, qq(if interface_is_usable $physical && [ -n "$gateway" ]; then) );
+	    start_provider( $label, $table, $number, qq(if interface_is_usable $physical && [ -n "$gateway" ]; then) );
 	} else {
-	    start_provider( $table, $number, "if interface_is_usable $physical; then" );
+	    start_provider( $label, $table, $number, "if interface_is_usable $physical; then" );
 	}
 	$provider_interfaces{$interface} = $table;
 
@@ -737,7 +792,7 @@ CEOF
 	    emit  "qt \$IP -$family rule del from $address" if $config{DELETE_THEN_ADD};
 	    emit( "run_ip rule add from $address pref 20000 table $number" ,
 		  "echo \"qt \$IP -$family rule del from $address\" >> \${VARDIR}/undo_${table}_routing" );
-	} else {
+	} elsif ( ! $pseudo ) {
 	    emit  ( "find_interface_addresses $physical | while read address; do" );
 	    emit  ( "    qt \$IP -$family rule del from \$address" ) if $config{DELETE_THEN_ADD};
 	    emit  ( "    run_ip rule add from \$address pref 20000 table $number",
@@ -800,15 +855,17 @@ CEOF
 	    emit( "setup_${dev}_tc" ) if $tcdevices->{$interface};
 	}
 
-	emit ( qq(progress_message2 "   Provider $table ($number) Started") );
+	emit_started_message( '', 2, $pseudo, $table, $number );
 
 	pop_indent;
 
+	unless ( $pseudo ) {
 	    emit( 'else' );
-	emit( qq(    echo $weight > \${VARDIR}/${physical}_weight) ,
-	      qq(    progress_message "   Provider $table ($number) Started"),
-	      qq(fi\n)
-	    );
+	    emit( qq(    echo $weight > \${VARDIR}/${physical}_weight) );
+	    emit_started_message( '    ', '', $pseudo, $table, $number );
+	}
+
+	emit "fi\n";
     } else {
 	emit( qq(echo 0 > \${VARDIR}/${physical}.status) );
 	emit( qq(progress_message "Provider $table ($number) Started") );
@@ -825,6 +882,8 @@ CEOF
     if ( $optional ) {
 	if ( $shared ) {
 	    emit ( "error_message \"WARNING: Gateway $gateway is not reachable -- Provider $table ($number) not Started\"" );
+	} elsif ( $pseudo ) {
+	    emit ( "error_message \"WARNING: Optional Interface $physical is not usable -- $table not Started\"" );
 	} else {
 	    emit ( "error_message \"WARNING: Interface $physical is not usable -- Provider $table ($number) not Started\"" );
 	}
@@ -842,14 +901,14 @@ CEOF
 
     pop_indent;
 
-    emit '}'; # End of start_provider_$table();
+    emit "} # End of start_${what}_${table}();";
 
     if ( $optional ) {
 	emit( '',
 	      '#',
-	      "# Stop provider $table",
+	      "# Stop $what $table",
 	      '#',
-	      "stop_provider_$table() {" );
+	      "stop_${what}_${table}() {" );
 
 	push_indent;
 
@@ -877,8 +936,13 @@ CEOF
 	    emit( qq(delete_gateway "$via" $tbl $physical) );
 	}
 
-	emit (". $undo",
-	      "> $undo" );
+	emit (". $undo" );
+
+	if ( $pseudo ) {
+	    emit( "rm -f $undo" );
+	} else {
+	    emit( "> $undo" );
+	}
 
 	emit ( '',
 	       "distribute_load $maxload @load_interfaces" ) if $load;
@@ -889,8 +953,13 @@ CEOF
 		  "qt \$TC qdisc del dev $physical ingress\n" ) if $tcdevices->{$interface};
 	}
 
-	emit( "echo 1 > \${VARDIR}/${physical}.status",
-	      "progress_message2 \"   Provider $table ($number) stopped\"" );
+	emit( "echo 1 > \${VARDIR}/${physical}.status" );
+
+	if ( $pseudo ) {
+	    emit( "progress_message2 \"   Optional Interface $table stopped\"" );
+	} else {
+	    emit( "progress_message2 \"   Provider $table ($number) stopped\"" );
+	}
 
 	pop_indent;
 
@@ -938,7 +1007,7 @@ sub add_an_rtrule( ) {
     if ( $dest eq '-' ) {
 	$dest = 'to ' . ALLIP;
     } else {
-	validate_net( $dest, 0 );
+	$dest = validate_net( $dest, 0 );
 	$dest = "to $dest";
     }
 
@@ -950,22 +1019,22 @@ sub add_an_rtrule( ) {
 	if ( $source =~ /:/ ) {
 	    ( my $interface, $source , my $remainder ) = split( /:/, $source, 3 );
 	    fatal_error "Invalid SOURCE" if defined $remainder;
-	    validate_net ( $source, 0 );
+	    $source = validate_net ( $source, 0 );
 	    $interface = physical_name $interface;
 	    $source = "iif $interface from $source";
 	} elsif ( $source =~ /\..*\..*/ ) {
-	    validate_net ( $source, 0 );
+	    $source = validate_net ( $source, 0 );
 	    $source = "from $source";
 	} else {
 	    $source = 'iif ' . physical_name $source;
 	}
-    } elsif ( $source =~  /^(.+?):<(.+)>\s*$/ ||  $source =~  /^(.+?):\[(.+)\]\s*$/ ) {
+    } elsif ( $source =~  /^(.+?):<(.+)>\s*$/ ||  $source =~  /^(.+?):\[(.+)\]\s*$/ || $source =~ /^(.+?):(\[.+?\](?:\/\d+))$/ ) {
 	my ($interface, $source ) = ($1, $2);
-	validate_net ($source, 0);
+	$source = validate_net ($source, 0);
 	$interface = physical_name $interface;
 	$source = "iif $interface from $source";
     } elsif (  $source =~ /:.*:/ || $source =~ /\..*\..*/ ) {
-	validate_net ( $source, 0 );
+	$source = validate_net ( $source, 0 );
 	$source = "from $source";
     } else {
 	$source = 'iif ' . physical_name $source;
@@ -1020,7 +1089,7 @@ sub add_a_route( ) {
     }
 
     fatal_error 'DEST must be specified' if $dest eq '-';
-    validate_net ( $dest, 1 );
+    $dest = validate_net ( $dest, 1 );
 
     validate_address ( $gateway, 1 ) if $gateway ne '-';
 
@@ -1199,12 +1268,23 @@ sub process_providers( $ ) {
     my $tcdevices = shift;
 
     our $providers = 0;
+    our $pseudoproviders = 0;
 
     $lastmark = 0;
 
     if ( my $fn = open_file 'providers' ) {
 	first_entry "$doing $fn...";
-	process_a_provider, $providers++ while read_a_line( NORMAL_READ );
+	$providers += process_a_provider(0) while read_a_line( NORMAL_READ );
+    }
+    #
+    # Treat optional interfaces as pseudo-providers
+    #
+    for ( grep interface_is_optional( $_ ) && ! $provider_interfaces{ $_ }, all_real_interfaces ) {
+	#
+	#               TABLE NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
+	$currentline = "$_    0      -    -         $_        -       -       -";
+	#
+	$pseudoproviders += process_a_provider(1);
     }
 
     if ( $providers ) {
@@ -1214,7 +1294,7 @@ sub process_providers( $ ) {
 
 	if ( $fn ){
 	    if ( -f ( my $fn1 = find_file 'rtrules' ) ) {
-		warning_message "Both $fn and $fn1 exists: $fn1 will be ignored";
+		warning_message "Both $fn and $fn1 exist: $fn1 will be ignored";
 	    }
 	} else {
 	    $fn = open_file( 'rtrules' );
@@ -1227,17 +1307,19 @@ sub process_providers( $ ) {
 
 	    add_an_rtrule while read_a_line( NORMAL_READ );
 	}
+    }
 
-	$fn = open_file 'routes';
+    if ( $providers || $pseudoproviders ) {
+	my $fn = open_file 'routes';
 
 	if ( $fn ) {
 	    first_entry "$doing $fn...";
 	    emit '';
 	    add_a_route while read_a_line( NORMAL_READ );
 	}
-    }
 
 	add_a_provider( $providers{$_}, $tcdevices ) for @providers;
+    }
 
     emit << 'EOF';;
 
@@ -1258,14 +1340,20 @@ EOF
 
 	if ( $providerref->{optional} ) {
 	    if ( $providerref->{shared} || $providerref->{physical} eq $provider) {
-		emit "$provider})";
+		emit "$provider)";
 	    } else {
 		emit( "$providerref->{physical}|$provider)" );
 	    }
 
+	    if ( $providerref->{pseudo} ) {
+		emit ( "    if [ ! -f \${VARDIR}/$product/undo_${provider}_routing ]; then",
+		       "        start_interface_$provider" );
+	    } else {
 		emit ( "    if [ -z \"`\$IP -$family route ls table $providerref->{number}`\" ]; then",
-		   "        start_provider_$provider",
-		   '    else',
+		       "        start_provider_$provider" );
+	    }
+
+	    emit ( '    else',
 		   "        startup_error \"Interface $providerref->{physical} is already enabled\"",
 		   '    fi',
 		   '    ;;'
@@ -1278,7 +1366,7 @@ EOF
 
     emit << 'EOF';;
         *)
-            startup_error "$g_interface is not an optional provider or provider interface"
+            startup_error "$g_interface is not an optional provider or interface"
             ;;
     esac
 
@@ -1299,14 +1387,26 @@ EOF
     for my $provider (@providers ) {
 	my $providerref = $providers{$provider};
 
-	emit( "$providerref->{physical}|$provider)",
-	      "    if [ -n \"`\$IP -$family route ls table $providerref->{number}`\" ]; then",
-	      "        stop_provider_$provider",
+	if ( $providerref->{optional} ) {
+	    if ( $provider eq $providerref->{physical} ) {
+		emit( "$provider)" );
+	    } else {
+		emit( "$providerref->{physical}|$provider)" );
+	    }
+
+	    if ( $providerref->{pseudo} ) {
+		emit( "    if [ -f \${VARDIR}/$product/undo_${provider}_routing ]; then" );
+	    } else {
+		emit( "    if [ -n \"`\$IP -$family route ls table $providerref->{number}`\" ]; then" );
+	    }
+
+	    emit( "        stop_$providerref->{what}_$provider",
 		  '    else',
 		  "        startup_error \"Interface $providerref->{physical} is already disabled\"",
 		  '    fi',
 		  '    ;;'
-	    ) if $providerref->{optional};
+		);
+	}
     }
 
     pop_indent;
@@ -1338,7 +1438,7 @@ sub setup_providers() {
 
 	emit '';
 
-	emit "start_provider_$_" for @providers;
+	emit "start_$providers{$_}->{what}_$_" for @providers;
 
 	emit '';
 

Shorewall/Perl/Shorewall/Raw.pm

@@ -20,7 +20,7 @@
 #       along with this program; if not, write to the Free Software
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#   This module contains the code that handles the /etc/shorewall/notrack file.
+#   This module contains the code that handles the /etc/shorewall/conntrack file.
 #
 package Shorewall::Raw;
 require Exporter;
@@ -32,8 +32,8 @@ use Shorewall::Chains qw(:DEFAULT :internal);
 use strict;
 
 our @ISA = qw(Exporter);
-our @EXPORT = qw( setup_notrack );
-our @EXPORT_OK = qw( );
+our @EXPORT = qw( setup_conntrack );
+our @EXPORT_OK = qw( handle_helper_rule );
 our $VERSION = 'MODULEVERSION';
 
 my %valid_ctevent = ( new => 1, related => 1, destroy => 1, reply => 1, assured => 1, protoinfo => 1, helper => 1, mark => 1, natseqinfo => 1, secmark => 1 );
@@ -41,54 +41,91 @@ my %valid_ctevent = ( new => 1, related => 1, destroy => 1, reply => 1, assured
 #
 # Notrack
 #
-sub process_notrack_rule( $$$$$$$ ) {
+sub process_conntrack_rule( $$$$$$$$$$ ) {
 
-    my ($action, $source, $dest, $proto, $ports, $sports, $user ) = @_;
+    my ($chainref, $zoneref, $action, $source, $dest, $proto, $ports, $sports, $user, $switch ) = @_;
+
+    require_capability 'RAW_TABLE', 'conntrack rules', '';
 
     $proto  = ''    if $proto  eq 'any';
     $ports  = ''    if $ports  eq 'any' || $ports  eq 'all';
     $sports = ''    if $sports eq 'any' || $sports eq 'all';
 
-    ( my $zone, $source) = split /:/, $source, 2;
-    my $zoneref  = find_zone $zone;
-    my $chainref = ensure_raw_chain( notrack_chain $zone );
-    my $restriction = $zoneref->{type} == FIREWALL || $zoneref->{type} == VSERVER ? OUTPUT_RESTRICT : PREROUTE_RESTRICT;
+    my $zone;
+    my $restriction = PREROUTE_RESTRICT;
 
+    if ( $chainref ) {
+	$restriction = OUTPUT_RESTRICT if $chainref->{name} eq 'OUTPUT';
+    } else {
+	#
+	# Entry in the conntrack file
+	#
+	if ( $zoneref ) {
+	    $zone = $zoneref->{name};
+	} else {
+	    ($zone, $source) = split /:/, $source, 2;
+	    $zoneref = find_zone ( $zone );
+	}
+
+	$chainref = ensure_raw_chain( notrack_chain $zone );
+	$restriction = OUTPUT_RESTRICT if $zoneref->{type}  & (FIREWALL | VSERVER );
 	fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-' && $restriction != OUTPUT_RESTRICT;
-    require_capability 'RAW_TABLE', 'Notrack rules', '';
+    }
 
     my $target = $action;
     my $exception_rule = '';
-    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user );
+    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_condition( $switch , $chainref->{name} );
 
-    unless ( $action eq 'NOTRACK' ) {
+    if ( $action eq 'NOTRACK' ) {
+	#
+	# A patch that deimplements the NOTRACK target has been posted on the
+	# Netfilter development list
+	#
+	$action = 'CT --notrack' if have_capability 'CT_TARGET';
+    } elsif ( $action ne 'DROP' ) {
 	(  $target, my ( $option, $args, $junk ) ) = split ':', $action, 4;
 
 	fatal_error "Invalid notrack ACTION ( $action )" if $junk || $target ne 'CT';
 
-	require_capability 'CT_TARGET', 'CT entries in the notrack file', '';
+	require_capability 'CT_TARGET', 'CT entries in the conntrack file', '';
 
 	if ( $option eq 'notrack' ) {
-	    fatal_error "Invalid notrack ACTION ( $action )" if supplied $args;
+	    fatal_error "Invalid conntrack ACTION ( $action )" if supplied $args;
 	    $action = 'CT --notrack';
 	} else {
 	    fatal_error "Invalid or missing CT option and arguments" unless supplied $option && supplied $args;
 
 	    if ( $option eq 'helper' ) {
+		my $modifiers = '';
+
+		if ( $args =~ /^([-\w.]+)\((.+)\)$/ ) {
+		    $args      = $1;
+		    $modifiers = $2;
+		}
+
 		fatal_error "Invalid helper' ($args)" if $args =~ /,/;
 		validate_helper( $args, $proto );
-		$action = "CT --helper $args";
+		$action = "CT --helper $helpers_aliases{$args}";
 		$exception_rule = do_proto( $proto, '-', '-' );
-	    } elsif ( $option eq 'ctevents' ) {
-		for ( split ',', $args ) {
+
+		for my $mod ( split_list1( $modifiers, 'ctevents' ) ) {
+		    fatal_error "Invalid helper option ($mod)" unless $mod =~ /^(\w+)=(.+)$/;
+		    $mod    = $1;
+		    my $val = $2;
+		    
+		    if ( $mod eq 'ctevents' ) {
+			for ( split_list( $val, 'ctevents' ) ) {
 			    fatal_error "Invalid 'ctevents' event ($_)" unless $valid_ctevent{$_};
 			}
 
-		$action = "CT --ctevents $args";
-	    } elsif ( $option eq 'expevent' ) {
-		fatal_error "Invalid expevent argument ($args)" unless $args eq 'new';
-	    } elsif ( $option eq 'zone' ) {
-		fatal_error "Invalid zone id ($args)" unless $args =~ /^\d+$/;
+			$action .= " --ctevents $val";
+		    } elsif ( $mod eq 'expevents' ) {
+			fatal_error "Invalid expevent argument ($val)" unless $val eq 'new';
+			$action .= ' --expevents new';
+		    } else {
+			fatal_error "Invalid helper option ($mod)";
+		    }
+		}
 	    } else {
 		fatal_error "Invalid CT option ($option)";
 	    }
@@ -106,64 +143,158 @@ sub process_notrack_rule( $$$$$$$ ) {
 		 $target ,
 		 $exception_rule );
 
-    progress_message "  Notrack rule \"$currentline\" $done";
+    progress_message "  Conntrack rule \"$currentline\" $done";
+}
 
-    $globals{UNTRACKED} = 1;
+sub handle_helper_rule( $$$$$$$$$$$ ) {
+    my ( $helper, $source, $dest, $proto, $ports, $sports, $sourceref, $action_target, $actionchain, $user, $rule ) = @_;
+
+    if ( $helper ne '-' ) {
+	fatal_error "A HELPER is not allowed with this ACTION" if $action_target;
+	#
+	# This means that an ACCEPT or NAT rule with a helper is being processed
+	#
+	process_conntrack_rule( $actionchain ? ensure_raw_chain( $actionchain ) : undef ,
+				$sourceref ,
+				"CT:helper:$helper",
+				$source ,
+				$dest ,
+				$proto ,
+				$ports ,
+				$sports ,
+				$user,
+				'-',
+			      );
+    } else {
+	assert( $action_target );
+	#
+	# The target is an action
+	#
+	if ( $actionchain ) {
+	    #
+	    # And the source is another action chain
+	    #
+	    expand_rule( ensure_raw_chain( $actionchain ) ,
+			 PREROUTE_RESTRICT ,
+			 $rule ,
+			 $source ,
+			 $dest ,
+			 '' ,
+			 $action_target ,
+			 '',
+			 'CT' ,
+			 '' );
+	} else {
+	    expand_rule( ensure_raw_chain( notrack_chain( $sourceref->{name} ) ) ,
+			 ( $sourceref->{type} == FIREWALL || $sourceref->{type} == VSERVER ?
+			   OUTPUT_RESTRICT :
+			   PREROUTE_RESTRICT ) ,
+			 $rule ,
+			 $source ,
+			 $dest ,
+			 '' ,
+			 $action_target ,
+			 '' ,
+			 'CT' ,
+			 '' );
+	}
+    }
 }
 
 sub process_format( $ ) {
     my $format = shift;
 
-    fatal_error q(FORMAT must be '1' or '2') unless $format =~ /^[12]$/;
+    fatal_error q(FORMAT must be '1', '2' or '3') unless $format =~ /^[123]$/;
 
     $format;
 }
 
-sub setup_notrack() {
+sub setup_conntrack() {
+
+    for my $name ( qw/notrack conntrack/ ) {
+
+	my $fn = open_file( $name );
+
+	if ( $fn ) {
 
 	    my $format = 1;
+
 	    my $action = 'NOTRACK';
 
-    if ( my $fn = open_file 'notrack' ) {
+	    my $empty = 1;
 
-	first_entry "$doing $fn...";
-
-	my $nonEmpty = 0;
+	    first_entry( "$doing $fn..." );
 
 	    while ( read_a_line( NORMAL_READ ) ) {
-	    my ( $source, $dest, $proto, $ports, $sports, $user );
+		my ( $source, $dest, $proto, $ports, $sports, $user, $switch );
 
 		if ( $format == 1 ) {
-		( $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Notrack File', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5 };
+		    ( $source, $dest, $proto, $ports, $sports, $user, $switch ) = split_line1 'Conntrack File', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5, switch => 6 };
 
 		    if ( $source eq 'FORMAT' ) {
 			$format = process_format( $dest );
 			next;
 		    }
-
-		if ( $source eq 'COMMENT' ) {
-		    process_comment;
-		    next;
-		}
 		} else {
-		( $action, $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Notrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6 }, { COMMENT => 0, FORMAT => 2 };
+		    ( $action, $source, $dest, $proto, $ports, $sports, $user, $switch ) = split_line1 'Conntrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, switch => 7 }, { COMMENT => 0, FORMAT => 2 };
 
 		    if ( $action eq 'FORMAT' ) {
 			$format = process_format( $source );
 			$action = 'NOTRACK';
 			next;
 		    }
+		}
 
 		if ( $action eq 'COMMENT' ) {
 		    process_comment;
 		    next;
 		}
-	    }
 
-	    process_notrack_rule $action, $source, $dest, $proto, $ports, $sports, $user;
+		$empty = 0;
+
+		if ( $format < 3 ) {
+		    if ( $source =~ /^all(-)?(:(.+))?$/ ) {
+			fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-';
+			for my $zone ( $1 ? off_firewall_zones : all_zones ) {
+			    process_conntrack_rule( undef ,
+						    undef,
+						    $action,
+						    $zone . ( $2 || ''),
+						    $dest,
+						    $proto,
+						    $ports,
+						    $sports,
+						    $user ,
+						    $switch );
+			}
+		    } else {
+			process_conntrack_rule( undef, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
+		    }
+		} elsif ( $action =~ s/:O$// ) {
+		    process_conntrack_rule( $raw_table->{OUTPUT}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
+		} elsif ( $action =~ s/:OP// || $action =~ s/:PO// ) {
+		    process_conntrack_rule( $raw_table->{PREROUTING}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
+		    process_conntrack_rule( $raw_table->{OUTPUT},     undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
+		} else {
+		    $action =~ s/:P//;
+		    process_conntrack_rule( $raw_table->{PREROUTING}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
+		}		    
 	    }
 
 	    clear_comment;
+
+	    if ( $name eq 'notrack') {
+		if ( $empty ) {
+		    if ( unlink( $fn ) ) {
+			warning_message "Empty notrack file ($fn) removed";
+		    } else {
+			warning_message "Unable to remove empty notrack file ($fn): $!";
+		    }
+		} else {
+		    warning_message "Non-empty notrack file ($fn); please move its contents to the conntrack file";
+		}
+	    }
+	}
     }
 }
 

Shorewall/Perl/Shorewall/Tc.pm

@@ -174,6 +174,12 @@ my $family;
 
 my $divertref; # DIVERT chain
 
+my %validstates = ( NEW                => 0,
+		    RELATED            => 0,
+		    ESTABLISHED        => 0,
+		    UNTRACKED          => 0,
+		    INVALID            => 0,
+		  );
 #
 # Rather than initializing globals in an INIT block or during declaration,
 # we initialize them in a function. This is done for two reasons:
@@ -199,17 +205,17 @@ sub initialize( $ ) {
 }
 
 sub process_tc_rule( ) {
-    my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp );
+    my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state );
     if ( $family == F_IPV4 ) {
-	( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp ) =
-	    split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, probability => 12 , dscp => 13 }, { COMMENT => 0, FORMAT => 2 } , 14;
+	( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state ) =
+	    split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, probability => 12 , dscp => 13, state => 14 }, { COMMENT => 0, FORMAT => 2 } , 15;
 	$headers = '-';
     } else {
-	( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp ) =
-	    split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 , dscp => 14 },  { COMMENT => 0, FORMAT => 2 }, 15;
+	( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state ) =
+	    split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 , dscp => 14 , state => 15 },  { COMMENT => 0, FORMAT => 2 }, 16;
     }
 
-    our @tccmd;
+    our %tccmd;
 
     our $format;
 
@@ -259,6 +265,8 @@ sub process_tc_rule( ) {
     my $cmd;
     my $rest;
     my $matches = '';
+    my $mark1;
+    my $exceptionrule = '';
 
     my %processtcc = ( sticky => sub() {
 			                  if ( $chain eq 'tcout' ) {
@@ -372,7 +380,11 @@ sub process_tc_rule( ) {
 
 					  if ( supplied $ip ) {
 					      if ( $family == F_IPV6 ) {
-						  $ip = $1 if $ip =~ /^\[(.+)\]$/ || $ip =~ /^<(.+)>$/;
+						  if ( $ip =~ /^\[(.+)\]$/ || $ip =~ /^<(.+)>$/ ) {
+						      $ip = $1;
+						  } elsif ( $ip =~ /^\[(.+)\]\/(\d+)$/ ) {
+						      $ip = join( $1, $2 );
+						  }
 					      }
 
 					      validate_address $ip, 1;
@@ -380,19 +392,27 @@ sub process_tc_rule( ) {
 					  }
 
 					  $target .= ' --tproxy-mark';
+
+					  $exceptionrule = '-p tcp ';
 				      },
 		       TTL => sub() {
 			                  fatal_error "TTL is not supported in IPv6 - use HL instead" if $family == F_IPV6;
 					  fatal_error "Invalid TTL specification( $cmd/$rest )" if $rest;
-					  fatal_error "Chain designator $designator not allowed with TTL" if $designator && ! ( $designator eq 'F' );
-
 					  $chain = 'tcfor';
 
-					  $cmd =~ /^TTL\(([-+]?\d+)\)$/;
+					  if ( $designator ) {
+					      if ( $designator eq 'P' ) {
+						  $chain = 'tcpre';
+					      } else {
+						  fatal_error "Chain designator $designator not allowed with TTL" if $designator ne 'F';
+					      }
+					  }
+
+					  $cmd =~ /^TTL\(([-+]?(\d+))\)$/;
 
 					  my $param =  $1;
 
-					  fatal_error "Invalid TTL specification( $cmd )" unless $param && ( $param = abs $param ) < 256;
+					  fatal_error "Invalid TTL specification( $cmd )" unless supplied( $1 ) && ( $1 eq $2 || $2 != 0 ) && ( $param = abs $param ) < 256;
 
 					  if ( $1 =~ /^\+/ ) {
 					      $target .= " --ttl-inc $param";
@@ -405,15 +425,22 @@ sub process_tc_rule( ) {
 		       HL => sub() {
 			                  fatal_error "HL is not supported in IPv4 - use TTL instead" if $family == F_IPV4;
 					  fatal_error "Invalid HL specification( $cmd/$rest )" if $rest;
-					  fatal_error "Chain designator $designator not allowed with HL" if $designator && ! ( $designator eq 'F' );
-
 					  $chain = 'tcfor';
 
-					  $cmd =~ /^HL\(([-+]?\d+)\)$/;
+
+					  if ( $designator ) {
+					      if ( $designator eq 'P' ) {
+						  $chain = 'tcpre';
+					      } else {
+						  fatal_error "Chain designator $designator not allowed with HL" if $designator ne 'F';
+					      }
+					  }
+
+					  $cmd =~ /^HL\(([-+]?(\d+))\)$/;
 
 					  my $param =  $1;
 
-					  fatal_error "Invalid HL specification( $cmd )" unless $param && ( $param = abs $param ) < 256;
+					  fatal_error "Invalid HL specification( $cmd )" unless supplied( $1 ) && ( $1 eq $2 || $2 != 0 ) && ( $param = abs $param ) < 256;
 
 					  if ( $1 =~ /^\+/ ) {
 					      $target .= " --hl-inc $param";
@@ -440,6 +467,10 @@ sub process_tc_rule( ) {
 			                  assert( $cmd =~ /^TOS\((.+)\)$/ );
 					  $target .= decode_tos( $1 , 2 );
 				      },
+		       CHECKSUM => sub()
+		                        {  require_capability 'CHECKSUM_TARGET', 'The CHECKSUM action', 's';
+					   $target .= ' --checksum-fill';
+				       },
 		     );
 
     if ( $source ) {
@@ -480,13 +511,13 @@ sub process_tc_rule( ) {
 
 	    $chain    = $tcsref->{chain}                       if $tcsref->{chain};
 	    $target   = $tcsref->{target}                      if $tcsref->{target};
-	    $mark     = "$mark/" . in_hex( $globals{TC_MASK} ) if $connmark = $tcsref->{connmark};
+	    $mark     = "$mark/" . in_hex( $globals{TC_MASK} ) if $connmark = $tcsref->{connmark} && $mark !~ m'/';
 
 	    require_capability ('CONNMARK' , "CONNMARK Rules", '' ) if $connmark;
 
 	} else {
 	    unless ( $classid ) {
-		fatal_error "Invalid MARK ($originalmark)" unless $mark =~ /^([0-9a-fA-F]+)$/ and $designator =~ /^([0-9a-fA-F]+)$/;
+		fatal_error "Invalid ACTION ($originalmark)" unless $mark =~ /^([0-9a-fA-F]+)$/ and $designator =~ /^([0-9a-fA-F]+)$/;
 		fatal_error 'A CLASSIFY rule may not have $FW as the DEST' if $chain eq 'tcin';
 		$chain = 'tcpost';
 		$mark  = $originalmark;
@@ -524,10 +555,10 @@ sub process_tc_rule( ) {
     $list = '';
 
     unless ( $classid ) {
-      MARK:
 	{
-	    for my $tccmd ( @tccmd ) {
-		if ( $tccmd->{match}($cmd) ) {
+	    if ( $cmd =~ /^([[A-Z!&]+)/ ) {
+		if ( my $tccmd = $tccmd{$1} ) {
+		    fatal_error "Invalid $1 ACTION ($originalmark)" unless $tccmd->{match}($cmd); 
 		    fatal_error "$mark not valid with :C[FPT]" if $connmark;
 
 		    require_capability ('CONNMARK' , "SAVE/RESTORE Rules", '' ) if $tccmd->{connmark};
@@ -546,7 +577,7 @@ sub process_tc_rule( ) {
 		    }
 
 		    if ( $rest ) {
-			fatal_error "Invalid MARK ($originalmark)" if $marktype == NOMARK;
+			fatal_error "Invalid COMMAND ($originalmark)" if $marktype == NOMARK;
 
 			$mark = $rest if $tccmd->{mask};
 
@@ -558,11 +589,16 @@ sub process_tc_rule( ) {
 		    } elsif ( $tccmd->{mask} ) {
 			$mark = $tccmd->{mask};
 		    }
-
-		    last MARK;
+		} else {
+		    fatal_error "Invalid ACTION ($originalmark)";
 		}
-	    }
-
+	    } elsif ( $mark =~ /-/ ) {
+		( $mark, $mark1 ) = split /-/, $mark, 2;
+		validate_mark $mark;
+		fatal_error "Invalid mark range ($mark-$mark1)" if $mark =~ m'/';
+		validate_mark $mark1;
+		require_capability 'STATISTIC_MATCH', 'A mark range', 's';
+	    }  else {
 		validate_mark $mark;
 
 		if ( $config{PROVIDER_OFFSET} ) {
@@ -576,10 +612,73 @@ sub process_tc_rule( ) {
 		}
 	    }
 	}
+    }
 
     fatal_error "USER/GROUP only allowed in the OUTPUT chain" unless ( $user eq '-' || ( $chain eq 'tcout' || $chain eq 'tcpost' ) );
 
-    if ( ( my $result = expand_rule( ensure_chain( 'mangle' , $chain ) ,
+    if ( $state ne '-' ) {
+	my @state = split_list( $state, 'state' );
+	my %state = %validstates;
+
+	for ( @state ) {
+	    fatal_error "Invalid STATE ($_)"   unless exists $state{$_};
+	    fatal_error "Duplicate STATE ($_)" if $state{$_};
+	}
+    } else {
+	$state = 'ALL';
+    }
+
+    if ( $mark1 ) {
+	#
+	# A Mark Range
+	#
+	my $chainref = ensure_chain( 'mangle', $chain );
+
+	( $mark1, my $mask ) = split( '/', $mark1 );
+
+	my ( $markval, $mark1val ) = ( numeric_value $mark, numeric_value $mark1 );
+
+	fatal_error "Invalid mark range ($mark-$mark1)" unless $markval < $mark1val;
+
+	$mask = $globals{TC_MASK} unless supplied $mask;
+
+	$mask = numeric_value $mask;
+
+	my $increment = 1;
+	my $shift     = 0;
+
+	$increment <<= 1, $shift++ until $increment & $mask;
+
+	$mask = in_hex $mask;
+
+	my $marks = ( ( $mark1val - $markval ) >> $shift ) + 1;
+
+	for ( my $packet = 0; $packet < $marks; $packet++, $markval += $increment ) {
+	    my $match = "-m statistic --mode nth --every $marks --packet $packet ";
+
+	    expand_rule( $chainref,
+			 $restrictions{$chain} | $restriction,
+			 $match .
+			 do_user( $user ) .
+			 do_test( $testval, $globals{TC_MASK} ) .
+			 do_test( $testval, $globals{TC_MASK} ) .
+			 do_length( $length ) .
+			 do_tos( $tos ) .
+			 do_connbytes( $connbytes ) .
+			 do_helper( $helper ) .
+			 do_headers( $headers ) .
+			 do_probability( $probability ) .
+			 do_dscp( $dscp ) .
+			 state_match( $state ) ,
+			 $source ,
+			 $dest ,
+			 '' ,
+			 "$target " . join( '/', in_hex( $markval ) , $mask ) ,
+			 '',
+			 $target ,
+			 $exceptionrule );
+	}
+    } elsif ( ( my $result = expand_rule( ensure_chain( 'mangle' , $chain ) ,
 					  $restrictions{$chain} | $restriction,
 					  do_proto( $proto, $ports, $sports) . $matches .
 					  do_user( $user ) .
@@ -590,14 +689,15 @@ sub process_tc_rule( ) {
 					  do_helper( $helper ) .
 					  do_headers( $headers ) .
 					  do_probability( $probability ) .
-				     do_dscp( $dscp ) ,
+					  do_dscp( $dscp ) .
+					  state_match( $state ) ,
 					  $source ,
 					  $dest ,
 					  '' ,
 					  $mark ? "$target $mark" : $target,
 					  '' ,
 					  $target ,
-				     '' ) )
+					  $exceptionrule ) )
 	      && $device ) {
 	#
 	# expand_rule() returns destination device if any
@@ -820,8 +920,9 @@ sub process_simple_device() {
     }
 
     for ( my $i = 1; $i <= 3; $i++ ) {
+	my $prio = 16 | $i;
 	emit "run_tc qdisc add dev $physical parent $number:$i handle ${number}${i}: sfq quantum 1875 limit 127 perturb 10";
-	emit "run_tc filter add dev $physical protocol all prio 2 parent $number: handle $i fw classid $number:$i";
+	emit "run_tc filter add dev $physical protocol all prio $prio parent $number: handle $i fw classid $number:$i";
 	emit "run_tc filter add dev $physical protocol all prio 1 parent ${number}$i: handle ${number}${i} flow hash keys $type divisor 1024" if $type ne '-' && have_capability 'FLOW_FILTER';
 	emit '';
     }
@@ -969,6 +1070,7 @@ sub validate_tc_device( ) {
 			    mtu           => $mtu,
 			    mpu           => $mpu,
 			    tsize         => $tsize,
+			    filterpri     => 0,
 			  } ,
 
     push @tcdevices, $device;
@@ -1043,6 +1145,16 @@ my %validredoptions = ( min         => RED_INTEGER,
 			ecn         => RED_NONE,
 		      );
 
+sub validate_filter_priority( $$ ) {
+    my ( $priority, $kind ) = @_;
+
+    my $pri = numeric_value( $priority );
+
+    fatal_error "Invalid $kind priority ($priority)" unless defined $pri && $pri > 0 && $pri <= 65535;
+
+    $pri;
+}
+
 sub validate_tc_class( ) {
     my ( $devclass, $mark, $rate, $ceil, $prio, $options ) =
 	split_line 'tcclasses file', { interface => 0, mark => 1, rate => 2, ceil => 3, prio => 4, options => 5 };
@@ -1096,11 +1208,26 @@ sub validate_tc_class( ) {
 
     my $tcref = $tcclasses{$device};
 
+    if ( $devref->{qdisc} eq 'htb' ) {
+	fatal_error "Invalid PRIO ($prio)" unless defined numeric_value $prio;
+    }
+
     my $markval  = 0;
+    my $markprio;
 
     if ( $mark ne '-' ) {
 	fatal_error "MARK may not be specified when TC_BITS=0" unless $config{TC_BITS};
 
+	( $mark, my $priority ) = split/:/, $mark, 2;
+
+	if ( supplied $priority ) {
+	    $markprio = validate_filter_priority( $priority, 'mark' );
+	} else {
+	    fatal_error "Missing mark priority" if $prio eq '-';
+	    $markprio =  ( $prio << 8 ) | 20;
+	    progress_message2 "   Priority of the $device packet mark $mark filter is $markprio";
+	}
+
 	$markval = numeric_value( $mark );
 	fatal_error "Invalid MARK ($markval)" unless defined $markval;
 
@@ -1169,16 +1296,15 @@ sub validate_tc_class( ) {
 	warning_message "Total RATE of classes ($devref->{guarantee}kbits) exceeds OUT-BANDWIDTH (${full}kbits)" if ( $devref->{guarantee} += $rate ) > $full;
     }
 
-    fatal_error "Invalid PRIO ($prio)" unless defined numeric_value $prio;
-
     $tcref->{$classnumber} = { tos       => [] ,
 			       rate      => $rate ,
 			       umax      => $umax ,
 			       dmax      => $dmax ,
 			       ceiling   => $ceil   = ( supplied $ceil   ? convert_rate( $ceilmax, $ceil,   'CEIL'  , $ceilname ) : 0 ),
 			       lsceil    => $lsceil = ( $lsceil          ? convert_rate( $ceilmax, $lsceil, 'LSCEIL', $ceilname ) : 0 ),
-			       priority  => $prio eq '-' ? 1 : $prio ,
+			       priority  => $prio ,
 			       mark      => $markval ,
+			       markprio  => $markprio ,
 			       flow      => '' ,
 			       pfifo     => 0,
 			       occurs    => 1,
@@ -1196,25 +1322,47 @@ sub validate_tc_class( ) {
 
     unless ( $options eq '-' ) {
 	for my $option ( split_list1 "\L$options", 'option' ) {
-	    my $optval = $tosoptions{$option};
+	    my $priority;
+	    my $optval;
+
+	    ( $option, my $pri ) =  split /:/, $option, 2;
+
+	    if ( $option =~ /^tos=(.+)/ || ( $optval = $tosoptions{$option} ) ) {
+
+		if ( supplied $pri ) {
+		    $priority = validate_filter_priority( $pri, 'mark' );
+		} else {
+		    fatal_error "Missing TOS priority" if $prio eq '-';
+		    $priority = ( $prio << 8 ) | 15;
+		    progress_message2 "   Priority of the $device $option filter is $priority";
+		}
 
 		$option = "tos=$optval" if $optval;
+	    } elsif ( supplied $pri ) {
+		$option = join ':', $option, $pri;
+	    }
 
 	    if ( $option eq 'default' ) {
 		fatal_error "Only one default class may be specified for device $device" if $devref->{default};
 		fatal_error "The $option option is not valid with 'occurs" if $tcref->{occurs} > 1;
 		$devref->{default} = $classnumber;
-	    } elsif ( $option eq 'tcp-ack' ) {
+	    } elsif ( $option =~ /tcp-ack(:(\d+|0x[0-0a-fA-F]))?$/ ) {
 		fatal_error "The $option option is not valid with 'occurs" if $tcref->{occurs} > 1;
-		$tcref->{tcp_ack} = 1;
+		if ( $1 ) {
+		    $tcref->{tcp_ack} = validate_filter_priority( $2, 'tcp-ack' );
+		} else {
+		    fatal_error "Missing tcp-ack priority" if $prio eq '-';
+		    my $ackpri = $tcref->{tcp_ack} =  ( $prio << 8 ) | 10;
+		    progress_message2 "   Priority of the $device tcp-ack filter is $ackpri";
+		}
 	    } elsif ( $option =~ /^tos=0x[0-9a-f]{2}$/ ) {
 		fatal_error "The $option option is not valid with 'occurs" if $tcref->{occurs} > 1;
 		( undef, $option ) = split /=/, $option;
-		push @{$tcref->{tos}}, "$option/0xff";
+		push @{$tcref->{tos}}, "$option/0xff:$priority";
 	    } elsif ( $option =~ /^tos=0x[0-9a-f]{2}\/0x[0-9a-f]{2}$/ ) {
 		fatal_error "The $option option is not valid with 'occurs" if $tcref->{occurs} > 1;
 		( undef, $option ) = split /=/, $option;
-		push @{$tcref->{tos}}, $option;
+		push @{$tcref->{tos}}, "$option:$priority";
 	    } elsif ( $option =~ /^flow=(.*)$/ ) {
 		fatal_error "The 'flow' option is not allowed with 'pfifo'" if $tcref->{pfifo};
 		fatal_error "The 'flow' option is not allowed with 'red'"   if $tcref->{red};
@@ -1300,10 +1448,7 @@ sub validate_tc_class( ) {
     }
 
     unless ( $devref->{classify} || $occurs > 1 ) {
-	if ( $mark ne '-' ) {
 	fatal_error "Missing MARK" if $mark eq '-';
-	    warning_message "Class NUMBER ignored -- INTERFACE $device does not have the 'classify' option"	if $devclass =~ /:/;
-	}
     }
 
     $tcref->{flow}  = $devref->{flow}  unless $tcref->{flow};
@@ -1319,6 +1464,7 @@ sub validate_tc_class( ) {
 					       ceiling  => $tcref->{ceiling} ,
 					       priority => $tcref->{priority} ,
 					       mark     => 0 ,
+					       markprio => $markprio ,
 					       flow     => $tcref->{flow} ,
 					       pfifo    => $tcref->{pfifo},
 					       occurs   => 0,
@@ -1340,7 +1486,7 @@ my %validlengths = ( 32 => '0xffe0', 64 => '0xffc0', 128 => '0xff80', 256 => '0x
 #
 sub process_tc_filter() {
 
-    my ( $devclass, $source, $dest , $proto, $portlist , $sportlist, $tos, $length ) = split_line 'tcfilters file', { class => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, tos => 6, length => 7 };
+    my ( $devclass, $source, $dest , $proto, $portlist , $sportlist, $tos, $length, $priority ) = split_line 'tcfilters file', { class => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, tos => 6, length => 7 , priority => 8 };
 
     fatal_error 'CLASS must be specified' if $devclass eq '-';
 
@@ -1350,7 +1496,7 @@ sub process_tc_filter() {
 
     fatal_error "Invalid INTERFACE:CLASS ($devclass)" if defined $rest || ! ($device && $class );
 
-    my ( $ip, $ip32, $prio , $lo ) = $family == F_IPV4 ? ('ip', 'ip', 10, 2 ) : ('ipv6', 'ip6', 11 , 4 );
+    my ( $ip, $ip32, $lo ) = $family == F_IPV4 ? ('ip', 'ip', 2 ) : ('ipv6', 'ip6', 4 );
 
     my $devref;
 
@@ -1360,6 +1506,18 @@ sub process_tc_filter() {
 	( $device , $devref ) = dev_by_number( $device );
     }
 
+    my ( $prio, $filterpri ) = ( undef, $devref->{filterpri} );
+
+    if ( $priority eq '-' ) {
+	$prio = ++$filterpri;
+	fatal_error "Filter priority overflow" if $prio > 65535;
+    } else {
+	$prio = validate_filter_priority( $priority, 'filter' );
+	$filterpri = $prio if $prio > $filterpri;
+    }
+
+    $devref->{filterpri} = $filterpri;
+
     my $devnum = in_hexp $devref->{number};
 
     my $tcref = $tcclasses{$device};
@@ -1856,7 +2014,7 @@ sub process_traffic_shaping() {
 	    handle_in_bandwidth( $device, $devref->{in_bandwidth} );
 
 	    for my $rdev ( @{$devref->{redirected}} ) {
-		my $phyrdev = get_physical( $rdev );
+		my $phyrdev = physical_name( $rdev );
 		emit ( "run_tc qdisc add dev $phyrdev handle ffff: ingress" );
 		emit( "run_tc filter add dev $phyrdev parent ffff: protocol all u32 match u32 0 0 action mirred egress redirect dev $device > /dev/null" );
 	    }
@@ -1886,7 +2044,6 @@ sub process_traffic_shaping() {
 
 		$classids{$classid}=$devname;
 
-		my $priority = $tcref->{priority} << 8;
 		my $parent   = in_hexp $tcref->{parent};
 
 		emit ( "[ \$${dev}_mtu -gt $quantum ] && quantum=\$${dev}_mtu || quantum=$quantum" );
@@ -1945,22 +2102,23 @@ sub process_traffic_shaping() {
 		# add filters
 		#
 		unless ( $mark eq '-' ) {
-		    emit "run_tc filter add dev $device protocol all parent $devicenumber:0 prio " . ( $priority | 20 ) . " handle $mark fw classid $classid" if $tcref->{occurs} == 1;
+		    emit "run_tc filter add dev $device protocol all parent $devicenumber:0 prio $tcref->{markprio} handle $mark fw classid $classid" if $tcref->{occurs} == 1;
 		}
 
 		emit "run_tc filter add dev $device protocol all prio 1 parent $sfqinhex: handle $classnum flow hash keys $tcref->{flow} divisor 1024" if $tcref->{flow};
 		#
 		# options
 		#
-		emit( "run_tc filter add dev $device parent $devicenumber:0 protocol ip prio " . ( $priority | 10 ) . ' u32' .
+		emit( "run_tc filter add dev $device parent $devicenumber:0 protocol ip prio $tcref->{tcp_ack} u32" .
 		      "\\\n    match ip protocol 6 0xff" .
 		      "\\\n    match u8 0x05 0x0f at 0" .
 		      "\\\n    match u16 0x0000 0xffc0 at 2" .
 		      "\\\n    match u8 0x10 0xff at 33 flowid $classid" ) if $tcref->{tcp_ack};
 
 		for my $tospair ( @{$tcref->{tos}} ) {
+		    ( $tospair, my $priority ) = split /:/, $tospair;
 		    my ( $tos, $mask ) = split q(/), $tospair;
-		    emit "run_tc filter add dev $device parent $devicenumber:0 protocol ip prio " . ( $priority | 10 ) . " u32 match ip tos $tos $mask flowid $classid";
+		    emit "run_tc filter add dev $device parent $devicenumber:0 protocol ip prio $priority u32 match ip tos $tos $mask flowid $classid";
 		}
 
 		save_progress_message_short qq("   TC Class $classid defined.");
@@ -2063,7 +2221,11 @@ sub process_secmark_rule() {
 
     my %state = ( N   => 'NEW' ,
 		  I   => 'INVALID',
+		  U   => 'UNTRACKED',
+		  IU  => 'INVALID,UNTRACKED',
 		  NI  => 'NEW,INVALID',
+		  NU  => 'NEW,UNTRACKED',
+		  NIU => 'NEW,INVALID,UNTRACKED',
 		  E   => 'ESTABLISHED' ,
 		  ER  => 'ESTABLISHED,RELATED',
 		);
@@ -2161,86 +2323,95 @@ sub setup_tc() {
     }
 
     if ( $config{MANGLE_ENABLED} ) {
-	our  @tccmd = ( { match     => sub ( $ ) { $_[0] eq 'SAVE' } ,
+	our  %tccmd = ( SAVE =>     { match     => sub ( $ ) { $_[0] eq 'SAVE' } ,
 				      target    => 'CONNMARK --save-mark --mask' ,
 				      mark      => $config{TC_EXPERT} ? HIGHMARK : SMALLMARK,
 				      mask      => in_hex( $globals{TC_MASK} ) ,
 				      connmark  => 1
 				    } ,
-			{ match     => sub ( $ ) { $_[0] eq 'RESTORE' },
+			RESTORE =>  { match     => sub ( $ ) { $_[0] eq 'RESTORE' },
 				      target    => 'CONNMARK --restore-mark --mask' ,
 				      mark      => $config{TC_EXPERT} ? HIGHMARK : SMALLMARK ,
 				      mask      => in_hex( $globals{TC_MASK} ) ,
 				      connmark  => 1
 				    } ,
-			{ match     => sub ( $ ) { $_[0] eq 'CONTINUE' },
+			CONTINUE => { match     => sub ( $ ) { $_[0] eq 'CONTINUE' },
 				      target    => 'RETURN' ,
 				      mark      => NOMARK ,
 				      mask      => '' ,
 				      connmark  => 0
 				    } ,
-			{ match     => sub ( $ ) { $_[0] eq 'SAME' },
+			SAME =>     { match     => sub ( $ ) { $_[0] eq 'SAME' },
 				      target    => 'sticky' ,
 				      mark      => NOMARK ,
 				      mask      => '' ,
 				      connmark  => 0
 				    } ,
-			{ match     => sub ( $ ) { $_[0] =~ /^IPMARK/ },
+			IPMARK =>   { match     => sub ( $ ) { $_[0] =~ /^IPMARK/ },
 				      target    => 'IPMARK' ,
 				      mark      => NOMARK,
 				      mask      => '',
 				      connmark  => 0
 				    } ,
-			{ match     => sub ( $ ) { $_[0] =~ '\|.*'} ,
+			'|' =>      { match     => sub ( $ ) { $_[0] =~ '\|.*'} ,
 				      target    => 'MARK --or-mark' ,
 				      mark      => HIGHMARK ,
-			  mask      => '' } ,
-			{ match     => sub ( $ ) { $_[0] =~ '&.*' },
+				      mask      => ''
+				    } ,
+			'&' =>      { match     => sub ( $ ) { $_[0] =~ '&.*' },
 				      target    => 'MARK --and-mark' ,
 				      mark      => HIGHMARK ,
 				      mask      => '' ,
 				      connmark  => 0
 				    } ,
-			{ match     => sub ( $ ) { $_[0] =~ /^TPROXY/ },
+			TPROXY =>   { match     => sub ( $ ) { $_[0] =~ /^TPROXY/ },
 				      target    => 'TPROXY',
 				      mark      => HIGHMARK,
 				      mask      => '',
-			  connmark  => '' },
-			{ match     => sub( $ ) { $_[0] =~ /^DIVERT/ },
+				      connmark  => ''
+				    },
+			DIVERT =>   { match     => sub( $ ) { $_[0] =~ /^DIVERT/ },
 				      target    => 'DIVERT',
 				      mark      => HIGHMARK,
 				      mask      => '',
-			  connmark  => '' },
-			{ match     => sub( $ ) { $_[0] =~ /^TTL/ },
+				      connmark  => ''
+				    },
+			TTL =>      { match     => sub( $ ) { $_[0] =~ /^TTL/ },
 				      target    => 'TTL',
 				      mark      => NOMARK,
 				      mask      => '',
 				      connmark  => 0
 			            },
-			{ match     => sub( $ ) { $_[0] =~ /^HL/ },
+			HL =>       { match     => sub( $ ) { $_[0] =~ /^HL/ },
 				      target    => 'HL',
 				      mark      => NOMARK,
 				      mask      => '',
 				      connmark  => 0
 			            },
-			{ match     => sub( $ ) { $_[0] =~ /^IMQ\(\d+\)$/ },
+			IMQ =>      { match     => sub( $ ) { $_[0] =~ /^IMQ\(\d+\)$/ },
 				      target    => 'IMQ',
 				      mark      => NOMARK,
 				      mask      => '',
 				      connmark  => 0
 			            },
-			{ match     => sub( $ ) { $_[0] =~ /^DSCP\(\w+\)$/ },
+			DSCP =>     { match     => sub( $ ) { $_[0] =~ /^DSCP\(\w+\)$/ },
 				      target    => 'DSCP',
 				      mark      => NOMARK,
 				      mask      => '',
 				      connmark  => 0
 				    },
-			{ match     => sub( $ ) { $_[0] =~ /^TOS\(.+\)$/ },
+			TOS =>      { match     => sub( $ ) { $_[0] =~ /^TOS\(.+\)$/ },
 				      target    => 'TOS',
 				      mark      => NOMARK,
 				      mask      => '',
 				      connmark  => 0
 				    },
+			CHECKSUM => { match     => sub( $ ) { $_[0] eq 'CHECKSUM' },
+				      target    => 'CHECKSUM' ,
+				      mark      => NOMARK,
+				      mask      => '',
+				      connmark  => 0,
+				    }
 		      );
 
 	if ( my $fn = open_file 'tcrules' ) {

Shorewall/Perl/Shorewall/Tunnels.pm

@@ -61,7 +61,7 @@ sub setup_tunnels() {
 	    }
 	}
 
-	my @options = $globals{UNTRACKED} ? state_imatch 'NEW,UNTRACKED' : state_imatch 'NEW';
+	my @options = have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,UNTRACKED' : state_imatch 'NEW';
 
 	add_tunnel_rule $inchainref,  p => 50, @$source;
 	add_tunnel_rule $outchainref, p => 50, @$dest;

Shorewall/Perl/Shorewall/Zones.pm

@@ -31,7 +31,7 @@ use Shorewall::IPAddrs;
 use strict;
 
 our @ISA = qw(Exporter);
-our @EXPORT = qw( NOTHING
+our @EXPORT = ( qw( NOTHING
 		    NUMERIC
 		    NETWORK
 		    IPSECPROTO
@@ -41,6 +41,7 @@ our @EXPORT = qw( NOTHING
 		    IP
 		    BPORT
 		    IPSEC
+		    GROUP
 		    NO_UPDOWN
 		    NO_SFILTER
 
@@ -57,6 +58,7 @@ our @EXPORT = qw( NOTHING
 		    all_parent_zones
 		    complex_zones
 		    vserver_zones
+		    on_firewall_zones
 		    off_firewall_zones
 		    non_firewall_zones
 		    single_interface
@@ -90,6 +92,7 @@ our @EXPORT = qw( NOTHING
 		    find_zones_by_option
 		    all_ipsets
 		    have_ipsec
+		 ),
 	      );
 
 our @EXPORT_OK = qw( initialize );
@@ -117,7 +120,8 @@ use constant { IN_OUT     => 1,
 #
 #     @zones contains the ordered list of zones with sub-zones appearing before their parents.
 #
-#     %zones{<zone1> => {type =>       <zone type>       FIREWALL, IP, IPSEC, BPORT;
+#     %zones{<zone1> => {name =>       <name>,
+#                        type =>       <zone type>       FIREWALL, IP, IPSEC, BPORT;
 #                        complex =>    0|1
 #                        super   =>    0|1
 #                        options =>    { in_out  => < policy match string >
@@ -191,7 +195,9 @@ my @bport_zones;
 my %ipsets;
 my %physical;
 my %basemap;
+my %basemap1;
 my %mapbase;
+my %mapbase1;
 my $family;
 my $upgrade;
 my $have_ipsec;
@@ -237,6 +243,7 @@ my %validhostoptions;
 my %validzoneoptions = ( mss            => NUMERIC,
 			 nomark         => NOTHING,
 			 blacklist      => NOTHING,
+			 dynamic_shared => NOTHING,
 			 strict         => NOTHING,
 			 next           => NOTHING,
 			 reqid          => NUMERIC,
@@ -251,7 +258,7 @@ use constant { UNRESTRICTED => 1, NOFW => 2 , COMPLEX => 8, IN_OUT_ONLY => 16 };
 #
 # Hash of options that have their own key in the returned hash.
 #
-my %zonekey = ( mss => UNRESTRICTED | COMPLEX , blacklist => NOFW, nomark => NOFW | IN_OUT_ONLY );
+my %zonekey = ( mss => UNRESTRICTED | COMPLEX , blacklist => NOFW, nomark => NOFW | IN_OUT_ONLY, dynamic_shared => IN_OUT_ONLY );
 
 #
 # Rather than initializing globals in an INIT block or during declaration,
@@ -277,7 +284,9 @@ sub initialize( $$ ) {
     %ipsets = ();
     %physical = ();
     %basemap = ();
+    %basemap1 = ();
     %mapbase = ();
+    %mapbase1 = ();
     $baseseq = 0;
     $minroot = 0;
 
@@ -299,6 +308,7 @@ sub initialize( $$ ) {
 				  required    => SIMPLE_IF_OPTION,
 				  routeback   => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER,
 				  routefilter => NUMERIC_IF_OPTION ,
+				  rpfilter    => SIMPLE_IF_OPTION,
 				  sfilter     => IPLIST_IF_OPTION,
 				  sourceroute => BINARY_IF_OPTION,
 				  tcpflags    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
@@ -332,6 +342,7 @@ sub initialize( $$ ) {
 				    proxyndp    => BINARY_IF_OPTION,
 				    required    => SIMPLE_IF_OPTION,
 				    routeback   => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER,
+				    rpfilter    => SIMPLE_IF_OPTION,
 				    sfilter     => IPLIST_IF_OPTION,
 				    sourceroute => BINARY_IF_OPTION,
 				    tcpflags    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
@@ -393,7 +404,7 @@ sub parse_zone_option_list($$\$$)
 
 	    if ( $key ) {
 		fatal_error "Option '$e' not permitted with this zone type " if $key & NOFW && ($zonetype & ( FIREWALL | VSERVER) );
-		fatal_error "Opeion '$e' is only permitted in the OPTIONS columns" if $key & IN_OUT_ONLY && $column != IN_OUT;
+		fatal_error "Option '$e' is only permitted in the OPTIONS columns" if $key & IN_OUT_ONLY && $column != IN_OUT;
 		$$complexref = 1 if $key & COMPLEX;
 		$h{$e} = $val || 1;
 	    } else {
@@ -529,6 +540,7 @@ sub process_zone( \$ ) {
     }
 
     if ( $zoneref->{options}{in_out}{blacklist} ) {
+	warning_message q(The 'blacklist' option is deprecated);
 	for ( qw/in out/ ) {
 	    unless ( $zoneref->{options}{$_}{blacklist} ) {
 		$zoneref->{options}{$_}{blacklist} = 1;
@@ -536,6 +548,10 @@ sub process_zone( \$ ) {
 		warning_message( "Redundant 'blacklist' in " . uc( $_ ) . '_OPTIONS' );
 	    }
 	}
+    } else {
+	for ( qw/in out/ ) {
+	    warning_message q(The 'blacklist' option is deprecated), last if  $zoneref->{options}{$_}{blacklist};
+	}
     }
 
     return $zone;
@@ -748,6 +764,13 @@ sub add_group_to_zone($$$$$)
 	    $new = \@exclusions;
 	}
 
+	if ( substr( $host, 0, 1 ) eq '+' ) {
+	    fatal_error "Invalid ipset name ($host)" unless $host =~ /^\+(6_)?[a-zA-Z][-\w]*$/;
+	    require_capability( 'IPSET_MATCH', 'Ipset names in host lists', '');
+	} else {
+	    $host = validate_host $host, 0;
+	}
+
 	unless ( $switched ) {
 	    if ( $type == $zonetype ) {
 		fatal_error "Duplicate Host Group ($interface:$host) in zone $zone" if $interfaces{$interface}{zone} eq $zone;
@@ -766,13 +789,6 @@ sub add_group_to_zone($$$$$)
 	    }
 	}
 
-	if ( substr( $host, 0, 1 ) eq '+' ) {
-	    fatal_error "Invalid ipset name ($host)" unless $host =~ /^\+(6_)?[a-zA-Z]\w*$/;
-	    require_capability( 'IPSET_MATCH', 'Ipset names in host lists', '');
-	} else {
-	    validate_host $host, 0;
-	}
-
 	push @$new, $host;
     }
 
@@ -836,6 +852,10 @@ sub all_zones() {
     @zones;
 }
 
+sub on_firewall_zones() {
+   grep ( ( $zones{$_}{type} & ( FIREWALL | VSERVER ) )  ,  @zones );
+}
+
 sub off_firewall_zones() {
    grep ( ! ( $zones{$_}{type} & ( FIREWALL | VSERVER ) )  ,  @zones );
 }
@@ -920,6 +940,55 @@ sub chain_base($) {
     $basemap{$key} = $name;
 }
 
+#
+# This is a slightly relaxed version of the above that allows '-' in the generated name.
+#
+sub chain_base1($) {
+    my $chain = $_[0];
+    my $name  = $basemap1{$chain};
+    #
+    # Return existing mapping, if any
+    #
+    return $name if $name;
+    #
+    # Remember initial value
+    #
+    my $key = $chain;
+    #
+    # Handle VLANs and wildcards
+    #
+    $chain =~ s/\+$//;
+    $chain =~ tr/./_/;
+
+    if ( $chain eq '' || $chain =~ /^[0-9]/ || $chain =~ /[^-\w]/ ) {
+	#
+	# Must map. Remove all illegal characters
+	#
+	$chain =~ s/[^\w]//g;
+	#
+	# Prefix with if_ if it begins with a digit
+	#
+	$chain = join( '' , 'if_', $chain ) if $chain =~ /^[0-9]/;
+	#
+	# Create a new unique name
+	#
+	1 while $mapbase1{$name = join ( '_', $chain, ++$baseseq )};
+    } else {
+	#
+	# We'll store the identity mapping if it is unique
+	#
+	$chain = join( '_', $key , ++$baseseq ) while $mapbase1{$name = $chain};
+    }
+    #
+    # Store the reverse mapping
+    #
+    $mapbase1{$name} = $key;
+    #
+    # Store the mapping
+    #
+    $basemap1{$key} = $name;
+}
+
 #
 # Process a record in the interfaces file
 #
@@ -1138,7 +1207,7 @@ sub process_interface( $$ ) {
 		    $hostoptions{broadcast} = 1;
 		} elsif ( $option eq 'sfilter' ) {
 		    $filterref = [ split_list $value, 'address' ];
-		    validate_net( $_, 1) for @{$filterref}
+		    $_ = validate_net( $_, 1) for @{$filterref}
 		} else {
 		    assert(0);
 		}
@@ -1160,11 +1229,18 @@ sub process_interface( $$ ) {
 	    }
 	}
 
-	fatal_error "Invalid combination of interface options"
+	fatal_error q(The 'required', 'optional' and 'ignore' options are mutually exclusive)
 	    if ( ( $options{required} && $options{optional} ) ||
 		 ( $options{required} && $options{ignore}   ) ||
 		 ( $options{optional} && $options{ignore}   ) );
 
+	if ( $options{rpfilter} ) {
+	    require_capability( 'RPFILTER_MATCH', q(The 'rpfilter' option), 's' ) ;
+	    fatal_error q(The 'routefilter', 'sfilter' and 'rpfilter' options are mutually exclusive) if $options{routefilter} || @$filterref;
+	} else {
+	    fatal_error q(The 'routefilter', 'sfilter' and 'rpfilter' options are mutually exclusive) if $options{routefilter} && @$filterref;
+	}
+
 	if ( supplied( my $ignore = $options{ignore} ) ) {
 	    fatal_error "Invalid value ignore=0" if ! $ignore;
 	} else {
@@ -1172,7 +1248,8 @@ sub process_interface( $$ ) {
 	}
 
 	if ( $netsref eq 'dynamic' ) {
-	    my $ipset = $family == F_IPV4 ? "${zone}_" . chain_base $physical : "6_${zone}_" . chain_base $physical;
+	    my $ipset = $family == F_IPV4 ? "${zone}" : "6_${zone}";
+	    $ipset = join( '_', $ipset, chain_base1( $physical ) ) unless $zoneref->{options}{in_out}{dynamic_shared};	    
 	    $netsref = [ "+$ipset" ];
 	    $ipsets{$ipset} = 1;
 	}
@@ -1743,7 +1820,8 @@ sub process_host( ) {
 	    fatal_error "Invalid HOST(S) column contents: $hosts";
 	}
     } elsif ( $hosts =~ /^([\w.@%-]+\+?):<(.*)>$/               ||
-	      $hosts =~ /^([\w.@%-]+\+?):\[(.*)\]$/ ||
+	      $hosts =~ /^([\w.@%-]+\+?)\[(.*)\]$/              ||
+	      $hosts =~ /^([\w.@%-]+\+?):(!?\[.+\](?:\/\d+)?)$/ ||
 	      $hosts =~ /^([\w.@%-]+\+?):(!?\+.*)$/             ||
 	      $hosts =~ /^([\w.@%-]+\+?):(dynamic)$/ ) {
 	$interface = $1;
@@ -1784,6 +1862,7 @@ sub process_host( ) {
 	    } elsif ( $option eq 'norfc1918' ) {
 		warning_message "The 'norfc1918' host option is no longer supported"
 	    } elsif ( $option eq 'blacklist' ) {
+		warning_message "The 'blacklist' option is deprecated";
 		$zoneref->{options}{in}{blacklist} = 1;
 	    } elsif ( $option =~ /^mss=(\d+)$/ ) {
 		fatal_error "Invalid mss ($1)" unless $1 >= 500;
@@ -1820,8 +1899,14 @@ sub process_host( ) {
     if ( $hosts eq 'dynamic' ) {
 	fatal_error "Vserver zones may not be dynamic" if $type & VSERVER;
 	require_capability( 'IPSET_MATCH', 'Dynamic nets', '');
-	my $physical = chain_base( physical_name $interface );
-	my $set      = $family == F_IPV4 ? "${zone}_${physical}" : "6_${zone}_${physical}";
+
+	my $set = $family == F_IPV4 ? "${zone}" : "6_${zone}";
+	
+	unless ( $zoneref->{options}{in_out}{dynamic_shared} ) {
+	    my $physical = chain_base1( physical_name $interface );
+	    $set = join( '_', $set, $physical );
+	}
+
 	$hosts = "+$set";
 	$optionsref->{dynamic} = 1;
 	$ipsets{$set} = 1;

Shorewall/Perl/compiler.pl

@@ -37,7 +37,8 @@
 #         --log_verbosity=<number>    # Log Verbosity range -1 to 2
 #         --family=<number>           # IP family; 4 = IPv4 (default), 6 = IPv6
 #         --preview                   # Preview the ruleset.
-#         --shorewallrc=<path>        # Path to shorewallrc file.
+#         --shorewallrc=<path>        # Path to global shorewallrc file.
+#         --shorewallrc1=<path>       # Path to export shorewallrc file.
 #         --config_path=<path-list>   # Search path for config files
 #
 use strict;
@@ -67,6 +68,7 @@ sub usage( $ ) {
     [ --update ]
     [ --convert ]
     [ --shorewallrc=<pathname> ]
+    [ --shorewallrc1=<pathname> ]
     [ --config_path=<path-list> ]
 ';
 
@@ -94,6 +96,7 @@ my $update        = 0;
 my $convert       = 0;
 my $config_path   = '';
 my $shorewallrc   = '';
+my $shorewallrc1  = '';
 
 Getopt::Long::Configure ('bundling');
 
@@ -126,6 +129,7 @@ my $result = GetOptions('h'               => \$help,
 			'convert'         => \$convert,
 			'config_path=s'   => \$config_path,
 			'shorewallrc=s'   => \$shorewallrc,
+			'shorewallrc1=s'  => \$shorewallrc1,
 		       );
 
 usage(1) unless $result && @ARGV < 2;
@@ -148,5 +152,6 @@ compiler( script          => $ARGV[0] || '',
 	  convert         => $convert,
 	  annotate        => $annotate,
 	  config_path     => $config_path,
-	  shorewallrc     => $shorewallrc
+	  shorewallrc     => $shorewallrc,
+	  shorewallrc1    => $shorewallrc1,
 	);

Shorewall/Perl/getparams

@@ -25,12 +25,12 @@
 #
 #      $1 = Path name of params file
 #      $2 = $CONFIG_PATH
-#      $3 = Address family (4 o4 6)
+#      $3 = Address family (4 or 6)
 #
 if [ "$3" = 6 ]; then
-    g_program=shorewall6
+    PRODUCT=shorewall6
 else
-    g_program=shorewall
+    PRODUCT=shorewall
 fi
 
 #
@@ -38,11 +38,9 @@ fi
 #
 . /usr/share/shorewall/shorewallrc
 
-g_libexec="$LIBEXECDIR"
-g_sharedir="$SHAREDIR"/shorewall
-g_sbindir="$SBINDIR"
-g_perllib="$PERLLIBDIR"
-g_confdir="$CONFDIR"/shorewall
+g_program=$PRODUCT
+g_sharedir="$SHAREDIR/shorewall"
+g_confdir="$CONFDIR/$PRODUCT"
 g_readrc=1
 
 . $g_sharedir/lib.cli

Shorewall/Perl/lib.core

@@ -430,7 +430,7 @@ run_iptables()
     local status
 
     while [ 1 ]; do
-	$g_tool $@
+	eval $g_tool $@
 	status=$?
 	[ $status -ne 4 ] && break
     done
@@ -626,7 +626,7 @@ EOF
     fi
 }
 
-?IF __IPV4
+?if __IPV4
 #################################################################################
 #                        IPv4-specific Functions
 #################################################################################
@@ -838,13 +838,13 @@ detect_dynamic_gateway() { # $1 = interface
 	gateway=$( find_peer $($IP addr list $interface ) )
     fi
 
-    if [ -z "$gateway" -a -f /var/lib/dhcpcd/dhcpcd-${1}.info ]; then
-	eval $(grep ^GATEWAYS=  /var/lib/dhcpcd/dhcpcd-${1}.info 2> /dev/null)
+    if [ -z "$gateway" -a -f ${VARLIB}/dhcpcd/dhcpcd-${1}.info ]; then
+	eval $(grep ^GATEWAYS=  ${VARLIB}/dhcpcd/dhcpcd-${1}.info 2> /dev/null)
 	[ -n "$GATEWAYS" ] && GATEWAYS=${GATEWAYS%,*} && gateway=$GATEWAYS
     fi
 
-    if [ -z "$gateway" -a -f /var/lib/dhcp/dhclient-${1}.lease ]; then
-	gateway=$(grep 'option routers' /var/lib/dhcp/dhclient-${1}.lease | tail -n 1 | while read j1 j2 gateway; do echo $gateway ; return 0; done)
+    if [ -z "$gateway" -a -f ${VARLIB}/dhcp/dhclient-${1}.lease ]; then
+	gateway=$(grep 'option routers' ${VARLIB}/dhcp/dhclient-${1}.lease | tail -n 1 | while read j1 j2 gateway; do echo $gateway ; return 0; done)
     fi
 
     [ -n "$gateway" ] && echo $gateway
@@ -916,7 +916,12 @@ add_gateway() # $1 = Delta $2 = Table Number
 	delta=$1
 
 	if ! echo $route | fgrep -q ' nexthop '; then
+	    if echo $route | fgrep -q via; then
 		route=`echo $route | sed 's/via/nexthop via/'`
+	    else
+		route="nexthop $route"
+	    fi
+
 	    dev=$(find_device $route)
 	    if [ -f ${VARDIR}/${dev}_weight ]; then
 		weight=`cat ${VARDIR}/${dev}_weight`
@@ -1027,7 +1032,7 @@ get_all_bcasts()
     $IP -f inet addr show 2> /dev/null | grep 'inet.*brd' | grep -v '/32 ' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
 }
 
-?ELSE
+?else
 #################################################################################
 #                        IPv6-specific Functions
 #################################################################################
@@ -1319,4 +1324,4 @@ clear_firewall() {
     logger -p kern.info "$g_product Cleared"
 }
 
-?ENDIF
+?endif

Shorewall/Perl/prog.footer

@@ -33,9 +33,9 @@ usage() {
 }
 
 checkkernelversion() {
+?if __IPV6
     local kernel
 
-    if [ $g_family -eq 6 ]; then
     kernel=$(uname -r 2> /dev/null | sed -e 's/-.*//')
 
     case "$kernel" in
@@ -51,7 +51,7 @@ checkkernelversion() {
 	error_message "ERROR: $g_product requires Linux kernel 2.6.24 or later"
 	return 1
     fi
-    fi
+?endif
 
     return 0
 }

Shorewall/Samples/Universal/rules

@@ -6,8 +6,8 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-rules.html
 #
-###################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
+#################################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS	 SWITCH		 HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED

Shorewall/Samples/Universal/shorewall.conf

@@ -41,6 +41,8 @@ MACLIST_LOG_LEVEL=info
 
 RELATED_LOG_LEVEL=
 
+RPFILTER_LOG_LEVEL=info
+
 SFILTER_LOG_LEVEL=info
 
 SMURF_LOG_LEVEL=info
@@ -67,6 +69,8 @@ LOCKFILE=
 
 MODULESDIR=
 
+NFACCT=
+
 PERL=/usr/bin/perl
 
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
@@ -110,7 +114,9 @@ ADD_SNAT_ALIASES=No
 
 ADMINISABSENTMINDED=Yes
 
-AUTO_COMMENT=Yes
+AUTOCOMMENT=Yes
+
+AUTOHELPERS=Yes
 
 AUTOMAKE=No
 
@@ -140,6 +146,8 @@ FASTACCEPT=Yes
 
 FORWARD_CLEAR_MARK=
 
+HELPERS=
+
 IMPLICIT_CONTINUE=No
 
 IPSET_WARNINGS=Yes
@@ -178,6 +186,8 @@ REQUIRE_INTERFACE=Yes
 
 RESTORE_DEFAULT_ROUTE=Yes
 
+RESTORE_ROUTEMARKS=Yes
+
 RETAIN_ALIASES=No
 
 ROUTE_FILTER=No
@@ -208,6 +218,8 @@ MACLIST_DISPOSITION=REJECT
 
 RELATED_DISPOSITION=ACCEPT
 
+RPFILTER_DISPOSITION=DROP
+
 SMURF_DISPOSITION=DROP
 
 SFILTER_DISPOSITION=DROP

Shorewall/Samples/one-interface/rules

@@ -10,8 +10,8 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall-rules"
-######################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
+#################################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS	 SWITCH		 HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED

Shorewall/Samples/one-interface/shorewall.conf

@@ -52,6 +52,8 @@ MACLIST_LOG_LEVEL=info
 
 RELATED_LOG_LEVEL=
 
+RPFILTER_LOG_LEVEL=info
+
 SFILTER_LOG_LEVEL=info
 
 SMURF_LOG_LEVEL=info
@@ -78,6 +80,8 @@ LOCKFILE=
 
 MODULESDIR=
 
+NFACCT=
+
 PERL=/usr/bin/perl
 
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
@@ -121,7 +125,9 @@ ADD_SNAT_ALIASES=No
 
 ADMINISABSENTMINDED=Yes
 
-AUTO_COMMENT=Yes
+AUTOCOMMENT=Yes
+
+AUTOHELPERS=Yes
 
 AUTOMAKE=No
 
@@ -151,6 +157,8 @@ FASTACCEPT=No
 
 FORWARD_CLEAR_MARK=
 
+HELPERS=
+
 IMPLICIT_CONTINUE=No
 
 IPSET_WARNINGS=Yes
@@ -189,6 +197,8 @@ REQUIRE_INTERFACE=No
 
 RESTORE_DEFAULT_ROUTE=Yes
 
+RESTORE_ROUTEMARKS=Yes
+
 RETAIN_ALIASES=No
 
 ROUTE_FILTER=No
@@ -219,6 +229,8 @@ MACLIST_DISPOSITION=REJECT
 
 RELATED_DISPOSITION=ACCEPT
 
+RPFILTER_DISPOSITION=DROP
+
 SMURF_DISPOSITION=DROP
 
 SFILTER_DISPOSITION=DROP

Shorewall/Samples/three-interfaces/rules

@@ -10,8 +10,8 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-rules"
-######################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
+#################################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS	 SWITCH		 HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED

Shorewall/Samples/three-interfaces/shorewall.conf

@@ -50,6 +50,8 @@ MACLIST_LOG_LEVEL=info
 
 RELATED_LOG_LEVEL=
 
+RPFILTER_LOG_LEVEL=info
+
 SFILTER_LOG_LEVEL=info
 
 SMURF_LOG_LEVEL=info
@@ -76,6 +78,8 @@ LOCKFILE=
 
 MODULESDIR=
 
+NFACCT=
+
 PERL=/usr/bin/perl
 
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
@@ -119,7 +123,9 @@ ADD_SNAT_ALIASES=No
 
 ADMINISABSENTMINDED=Yes
 
-AUTO_COMMENT=Yes
+AUTOCOMMENT=Yes
+
+AUTOHELPERS=Yes
 
 AUTOMAKE=No
 
@@ -149,6 +155,8 @@ FASTACCEPT=No
 
 FORWARD_CLEAR_MARK=
 
+HELPERS=
+
 IMPLICIT_CONTINUE=No
 
 IPSET_WARNINGS=Yes
@@ -187,6 +195,8 @@ REQUIRE_INTERFACE=No
 
 RESTORE_DEFAULT_ROUTE=Yes
 
+RESTORE_ROUTEMARKS=Yes
+
 RETAIN_ALIASES=No
 
 ROUTE_FILTER=No
@@ -217,6 +227,8 @@ MACLIST_DISPOSITION=REJECT
 
 RELATED_DISPOSITION=ACCEPT
 
+RPFILTER_DISPOSITION=DROP
+
 SMURF_DISPOSITION=DROP
 
 SFILTER_DISPOSITION=DROP

Shorewall/Samples/three-interfaces/stoppedrules

@@ -1,6 +1,6 @@
 #
-# Shorewall6 version 4.0 - Sample Routestopped File for two-interface configuration.
-# Copyright (C) 2006,2008 by the Shorewall Team
+# Shorewall version 4.5 - Sample Stoppedrules File for three-interface configuration.
+# Copyright (C) 2012 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -9,11 +9,12 @@
 #
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
-# For information about entries in this file, type "man shorewall6-routestopped"
-#
-# See http://shorewall.net/starting_and_stopping_shorewall.htm for additional
-# information.
-#
-##############################################################################
-#INTERFACE	HOST(S)                  OPTIONS
-eth1		-
+# For information about entries in this file, type "man shorewall-stoppedrules"
+###############################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST		SOURCE
+#							PORT(S)		PORT(S)
+ACCEPT		eth1		-
+ACCEPT		-		eth1
+ACCEPT		eth2		-
+ACCEPT		-		eth2
+

Shorewall/Samples/two-interfaces/rules

@@ -10,8 +10,8 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-rules"
-######################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
+#################################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS	 SWITCH		 HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED

Shorewall/Samples/two-interfaces/shorewall.conf

@@ -53,6 +53,8 @@ MACLIST_LOG_LEVEL=info
 
 RELATED_LOG_LEVEL=
 
+RPFILTER_LOG_LEVEL=info
+
 SFILTER_LOG_LEVEL=info
 
 SMURF_LOG_LEVEL=info
@@ -79,6 +81,8 @@ LOCKFILE=
 
 MODULESDIR=
 
+NFACCT=
+
 PERL=/usr/bin/perl
 
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
@@ -122,7 +126,9 @@ ADD_SNAT_ALIASES=No
 
 ADMINISABSENTMINDED=Yes
 
-AUTO_COMMENT=Yes
+AUTOCOMMENT=Yes
+
+AUTOHELPERS=Yes
 
 AUTOMAKE=No
 
@@ -152,6 +158,8 @@ FASTACCEPT=No
 
 FORWARD_CLEAR_MARK=
 
+HELPERS=
+
 IMPLICIT_CONTINUE=No
 
 IPSET_WARNINGS=Yes
@@ -190,6 +198,8 @@ REQUIRE_INTERFACE=No
 
 RESTORE_DEFAULT_ROUTE=Yes
 
+RESTORE_ROUTEMARKS=Yes
+
 RETAIN_ALIASES=No
 
 ROUTE_FILTER=No
@@ -220,6 +230,8 @@ MACLIST_DISPOSITION=REJECT
 
 RELATED_DISPOSITION=ACCEPT
 
+RPFILTER_DISPOSITION=DROP
+
 SMURF_DISPOSITION=DROP
 
 SFILTER_DISPOSITION=DROP

Shorewall/Samples/two-interfaces/stoppedrules

@@ -1,6 +1,6 @@
 #
-# Shorewall version 4.0 - Sample Routestopped File for two-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Shorewall version 4.5 - Sample Stoppedrules File for two-interface configuration.
+# Copyright (C) 2012 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -9,7 +9,9 @@
 #
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
-# For information about entries in this file, type "man shorewall-routestopped"
-##############################################################################
-#INTERFACE	HOST(S)                  OPTIONS
-eth1		-
+# For information about entries in this file, type "man shorewall-stoppedrules"
+###############################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST		SOURCE
+#							PORT(S)		PORT(S)
+ACCEPT		eth1		-
+ACCEPT		-		eth1

Shorewall/action.Broadcast

@@ -43,6 +43,7 @@ fatal_error "Invalid parameter ($audit) to action Broadcast"   if supplied $audi
 fatal_error "Invalid parameter ($action) to action Broadcast"  unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
 
 my $chainref           = get_action_chain;
+
 my ( $level, $tag )    = get_action_logging;
 my $target             = require_audit ( $action , $audit );
 

Shorewall/action.DropSmurfs

@@ -16,12 +16,14 @@ DEFAULTS -
 ?BEGIN PERL;
 use strict;
 use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6);
+use Shorewall::IPAddrs qw( IPv6_MULTICAST );
 use Shorewall::Chains;
 use Shorewall::Rules;
 
 my ( $audit ) = get_action_params( 1 );
 
 my $chainref        = get_action_chain;
+
 my ( $level, $tag ) = get_action_logging;
 my $target;
 

Shorewall/action.Invalid

@@ -43,6 +43,7 @@ fatal_error "Invalid parameter ($audit) to action Invalid"   if supplied $audit
 fatal_error "Invalid parameter ($action) to action Invalid"  unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
 
 my $chainref         = get_action_chain;
+
 my ( $level, $tag )  = get_action_logging;
 my $target           = require_audit ( $action , $audit );
 

Shorewall/action.NotSyn

@@ -43,6 +43,7 @@ fatal_error "Invalid parameter ($audit) to action NotSyn"   if supplied $audit &
 fatal_error "Invalid parameter ($action) to action NotSyn"  unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
 
 my $chainref         = get_action_chain;
+
 my ( $level, $tag )  = get_action_logging;
 my $target           = require_audit ( $action , $audit );
 

Shorewall/action.RST

@@ -38,15 +38,16 @@ use Shorewall::Chains;
 
 my ( $action, $audit ) = get_action_params( 2 );
 
-fatal_error "Invalid parameter ($audit) to action NotSyn"   if supplied $audit && $audit ne 'audit';
-fatal_error "Invalid parameter ($action) to action NotSyn"  unless $action =~ /^(?:ACCEPT|DROP)$/;
+fatal_error "Invalid parameter ($audit) to action RST"   if supplied $audit && $audit ne 'audit';
+fatal_error "Invalid parameter ($action) to action RST"  unless $action =~ /^(?:ACCEPT|DROP)$/;
 
 my $chainref         = get_action_chain;
+
 my ( $level, $tag )  = get_action_logging;
 my $target           = require_audit ( $action , $audit );
 
 log_rule_limit $level, $chainref, 'RST' , $action, '', $tag, 'add', '-p 6 --tcp-flags RST RST ' if $level ne '';
-add_jump $chainref , $target, 0, '-p 6 --tcp-flags RST RST, ';
+add_jump $chainref , $target, 0, '-p 6 --tcp-flags RST RST ';
 
 allow_optimize( $chainref );
 

Shorewall/action.TCPFlags

@@ -1,7 +1,7 @@
 #
-# Shorewall version 4 - Drop Smurfs Action
+# Shorewall version 4 - Drop TCPFlags Action
 #
-# /usr/share/shorewall/action.DropSmurfs
+# /usr/share/shorewall/action.TCPFlags
 #
 #   Accepts a single optional parameter:
 #
@@ -21,6 +21,7 @@ use Shorewall::Chains;
 my ( $disposition, $audit ) = get_action_params( 2 );
 
 my $chainref        = get_action_chain;
+
 my ( $level, $tag ) = get_action_logging;
 
 fatal_error q(The first argument to 'TCPFlags' must be ACCEPT, REJECT, or DROP) unless $disposition =~ /^(ACCEPT|REJECT|DROP)$/;

Shorewall/action.template

@@ -21,6 +21,6 @@
 #######################################################################################################
 #                                         DO NOT REMOVE THE FOLLOWING LINE
 FORMAT 2
-####################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS
+#################################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH        HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP

Shorewall/actions.std

@@ -35,11 +35,11 @@
 #ACTION
 A_Drop 		                # Audited Default Action for DROP policy
 A_Reject	                # Audited Default action for REJECT policy
-Broadcast	    # Handles Broadcast/Multicast/Anycast
+Broadcast  noinline             # Handles Broadcast/Multicast/Anycast
 Drop		                # Default Action for DROP policy
-DropSmurfs          # Drop smurf packets
-Invalid             # Handles packets in the INVALID conntrack state
-NotSyn              # Handles TCP packets which do not have SYN=1 and ACK=0
+DropSmurfs noinline             # Drop smurf packets
+Invalid    noinline             # Handles packets in the INVALID conntrack state
+NotSyn     noinline             # Handles TCP packets which do not have SYN=1 and ACK=0
 Reject                          # Default Action for REJECT policy
-RST		    # Handle packets with RST set
-TCPFlags            # Handle bad flag combinations.
+RST	   noinline             # Handle packets with RST set
+TCPFlags   noinline             # Handle bad flag combinations.

Shorewall/configfiles/actions

@@ -7,6 +7,6 @@
 #
 # Please see http://shorewall.net/Actions.html for additional information.
 #
-###############################################################################
-#ACTION             COMMENT (place '# ' below the 'C' in comment followed by
-#                           a comment describing the action)
+########################################################################################
+#ACTION    OPTIONS		COMMENT (place '# ' below the 'C' in comment followed by
+#                        	v        a comment describing the action)

Shorewall/configfiles/blacklist

@@ -1,11 +0,0 @@
-#
-# Shorewall version 4 - Blacklist File
-#
-# For information about entries in this file, type "man shorewall-blacklist"
-#
-# Please see http://shorewall.net/blacklisting_support.htm for additional
-# information.
-#
-###############################################################################
-#ADDRESS/SUBNET		PROTOCOL	PORT	OPTIONS
-

Shorewall/configfiles/conntrack

@@ -0,0 +1,53 @@
+#
+# Shorewall version 4 - conntrack File
+#
+# For information about entries in this file, type "man shorewall-conntrack"
+#
+##############################################################################################################
+FORMAT 3
+#ACTION			SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/		SWITCH
+#								PORT(S)		PORT(S)	GROUP
+?if $AUTOHELPERS && __CT_TARGET
+
+?if __AMANDA_HELPER
+CT:helper:amanda:PO	-		-		udp	10080
+?endif
+
+?if __FTP_HELPER
+CT:helper:ftp:PO	-		-		tcp	21
+?endif
+
+?if __H323_HELPER
+CT:helper:RAS;PO	-		-		udp	1719
+CT:helper:Q.931:PO	-		-		tcp	1720
+?endif
+
+?if __IRC_HELPER
+CT:helper:irc:PO	-		-		tcp	6667
+?endif
+
+?if __NETBIOS_NS_HELPER
+CT:helper:netbios-ns:PO	-		-		udp	137
+?endif
+
+?if __PPTP_HELPER
+CT:helper:pptp:PO	-		-		tcp	1723
+?endif
+
+?if __SANE_HELPER
+CT:helper:sane:PO	-		-		tcp	6566
+?endif
+
+?if __SIP_HELPER
+CT:helper:sip:PO	-		-		udp	5060
+?endif
+
+?if __SNMP_HELPER
+CT:helper:snmp:PO	-		-		udp	161
+?endif
+
+?if __TFTP_HELPER
+CT:helper:tftp:PO	-		-		udp	69
+?endif
+
+?endif

Shorewall/configfiles/notrack

@@ -1,9 +0,0 @@
-#
-# Shorewall version 4 - Notrack File
-#
-# For information about entries in this file, type "man shorewall-notrack"
-#
-#####################################################################################
-FORMAT 2
-#ACTION		SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/
-#							PORT(S)		PORT(S)	GROUP

Shorewall/configfiles/routestopped

@@ -1,6 +1,8 @@
 #
 # Shorewall version 4 - Routestopped File
 #
+# This file is deprecated in favor of the stoppedrules file
+#
 # For information about entries in this file, type "man shorewall-routestopped"
 #
 # The manpage is also online at

Shorewall/configfiles/rules

@@ -6,8 +6,8 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-rules.html
 #
-######################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
+#################################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS	 SWITCH		 HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED

Shorewall/configfiles/shorewall.conf

@@ -41,6 +41,8 @@ MACLIST_LOG_LEVEL=info
 
 RELATED_LOG_LEVEL=
 
+RPFILTER_LOG_LEVEL=info
+
 SFILTER_LOG_LEVEL=info
 
 SMURF_LOG_LEVEL=info
@@ -67,6 +69,8 @@ LOCKFILE=
 
 MODULESDIR=
 
+NFACCT=
+
 PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin"
 
 PERL=/usr/bin/perl
@@ -110,7 +114,9 @@ ADD_SNAT_ALIASES=No
 
 ADMINISABSENTMINDED=Yes
 
-AUTO_COMMENT=Yes
+AUTOCOMMENT=Yes
+
+AUTOHELPERS=Yes
 
 AUTOMAKE=No
 
@@ -140,6 +146,8 @@ FASTACCEPT=No
 
 FORWARD_CLEAR_MARK=
 
+HELPERS=
+
 IMPLICIT_CONTINUE=No
 
 IPSET_WARNINGS=Yes
@@ -178,6 +186,8 @@ REQUIRE_INTERFACE=No
 
 RESTORE_DEFAULT_ROUTE=Yes
 
+RESTORE_ROUTEMARKS=Yes
+
 RETAIN_ALIASES=No
 
 ROUTE_FILTER=No
@@ -208,6 +218,8 @@ MACLIST_DISPOSITION=REJECT
 
 RELATED_DISPOSITION=ACCEPT
 
+RPFILTER_DISPOSITION=DROP
+
 SMURF_DISPOSITION=DROP
 
 SFILTER_DISPOSITION=DROP

Shorewall/configfiles/stoppedrules

@@ -0,0 +1,14 @@
+#
+# Shorewall version 4 - Stopped Rules File
+#
+# For information about entries in this file, type "man shorewall-stoppedrules"
+#
+# The manpage is also online at
+# http://www.shorewall.net/manpages/shorewall-stoppedrules.html
+#
+# See http://shorewall.net/starting_and_stopping_shorewall.htm for additional
+# information.
+#
+###############################################################################
+#ACTION		SOURCE			DEST		PROTO	DEST	SOURCE
+#								PORT(S)	PORT(S)

Shorewall/configfiles/tcfilters

@@ -5,6 +5,6 @@
 #
 # See http://shorewall.net/traffic_shaping.htm for additional information.
 #
-##############################################################################################
-#INTERFACE:	SOURCE		DEST		PROTO	DEST	SOURCE   TOS		LENGTH
+########################################################################################################
+#INTERFACE:	SOURCE		DEST		PROTO	DEST	SOURCE   TOS		LENGTH	PRIORITY
 #CLASS							PORT(S)	PORT(S)

Shorewall/init.suse.sh

@@ -0,0 +1,93 @@
+#!/bin/sh
+#
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.2
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 1999,2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
+#
+#	On most distributions, this file should be called /etc/init.d/shorewall.
+#
+#	Complete documentation is available at http://shorewall.net
+#
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of Version 2 of the GNU General Public License
+#	as published by the Free Software Foundation.
+#
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, write to the Free Software
+#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#	If an error occurs while starting or restarting the firewall, the
+#	firewall is automatically stopped.
+#
+#	Commands are:
+#
+#	   shorewall start			  Starts the firewall
+#	   shorewall restart			  Restarts the firewall
+#	   shorewall reload			  Reload the firewall
+#						  (same as restart)
+#	   shorewall stop			  Stops the firewall
+#	   shorewall status			  Displays firewall status
+#
+
+### BEGIN INIT INFO
+# Provides:          shorewall
+# Required-Start:    $network $remote_fs
+# Required-Stop:     $network $remote_fs
+# Default-Start:     2 3 5
+# Default-Stop:      0 6
+# Short-Description: Configure the firewall at boot time
+# Description:       Configure the firewall according to the rules specified in
+#                    /etc/shorewall
+### END INIT INFO
+
+################################################################################
+# Give Usage Information						       #
+################################################################################
+usage() {
+    echo "Usage: $0 start|stop|reload|restart|status" >&2
+    exit 1
+}
+
+################################################################################
+# Get startup options (override default)
+################################################################################
+OPTIONS="-v0"
+
+#
+# The installer may alter this
+#
+. /usr/share/shorewall/shorewallrc
+
+if [ -f ${SYSCONFDIR}/shorewall ]; then
+    . ${SYSCONFDIR}/shorewall
+fi
+
+export SHOREWALL_INIT_SCRIPT=1
+
+################################################################################
+# E X E C U T I O N    B E G I N S   H E R E				       #
+################################################################################
+command="$1"
+shift
+
+case "$command" in
+    start)
+	exec $SBINDIR/shorewall $OPTIONS start $STARTOPTIONS
+	;;
+    restart|reload)
+	exec $SBINDIR/shorewall $OPTIONS restart $RESTARTOPTIONS
+	;;
+    status|stop)
+	exec $SBINDIR/shorewall $OPTIONS $command
+	;;
+    *)
+	usage
+	;;
+esac

Shorewall/install.sh

@@ -193,7 +193,14 @@ else
     usage 1
 fi
 
-for var in SHAREDIR LIBEXECDIR PERLLIBDIR CONFDIR SBINDIR VARDIR; do
+if [ -z "${VARLIB}" ]; then
+    VARLIB=${VARDIR}
+    VARDIR=${VARLIB}/${PRODUCT}
+elif [ -z "${VARDIR}" ]; then
+    VARDIR=${VARLIB}/${PRODUCT}
+fi
+
+for var in SHAREDIR LIBEXECDIR PERLLIBDIR CONFDIR SBINDIR VARLIB VARDIR; do
     require $var
 done
 
@@ -371,7 +378,7 @@ mkdir -p ${DESTDIR}/${CONFDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${PERLLIBDIR}/Shorewall
 mkdir -p ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
-mkdir -p ${DESTDIR}/var/lib/$PRODUCT
+mkdir -p ${DESTDIR}${VARDIR}
 
 chmod 755 ${DESTDIR}${CONFDIR}/$PRODUCT
 chmod 755 ${DESTDIR}${SHAREDIR}/$PRODUCT
@@ -388,6 +395,7 @@ fi
 if [ -n "$SYSTEMD" ]; then
     mkdir -p ${DESTDIR}${SYSTEMD}
     run_install $OWNERSHIP -m 600 $PRODUCT.service ${DESTDIR}${SYSTEMD}/$PRODUCT.service
+    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/$PRODUCT.service
     echo "Service file installed as ${DESTDIR}${SYSTEMD}/$PRODUCT.service"
 fi
 
@@ -601,14 +609,14 @@ else
     fi
 fi
 #
-# Install the Stopped Routing file
+# Install the Stopped Rules file
 #
-run_install $OWNERSHIP -m 0644 routestopped           ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/
-run_install $OWNERSHIP -m 0644 routestopped.annotated ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/
+run_install $OWNERSHIP -m 0644 stoppedrules           ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/
+run_install $OWNERSHIP -m 0644 stoppedrules.annotated ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/routestopped ]; then
-    run_install $OWNERSHIP -m 0600 routestopped${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/routestopped
-    echo "Stopped Routing file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/routestopped"
+if [ -z "$SPARSE" -a ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/stoppedrules ]; then
+    run_install $OWNERSHIP -m 0600 stoppedrules${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/stoppedrules
+    echo "Stopped Rules file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/stoppedrules"
 fi
 #
 # Install the Mac List file
@@ -634,14 +642,14 @@ if [ -f masq ]; then
     fi
 fi
 #
-# Install the Notrack file
+# Install the Conntrack file
 #
-run_install $OWNERSHIP -m 0644 notrack           ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
-run_install $OWNERSHIP -m 0644 notrack.annotated ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
+run_install $OWNERSHIP -m 0644 conntrack           ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
+run_install $OWNERSHIP -m 0644 conntrack.annotated ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/notrack ]; then
-    run_install $OWNERSHIP -m 0600 notrack${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/notrack
-    echo "Notrack file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/notrack"
+if [ ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/conntrack ]; then
+    run_install $OWNERSHIP -m 0600 conntrack${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/conntrack
+    echo "Conntrack file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/conntrack"
 fi
 
 #
@@ -698,10 +706,6 @@ if [ -z "$SPARSE" -a ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/tunnels ]; then
     echo "Tunnels file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/tunnels"
 fi
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/blacklist ]; then
-    run_install $OWNERSHIP -m 0600 blacklist${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/blacklist
-    echo "Blacklist file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/blacklist"
-fi
 #
 # Install the blacklist rules file
 #
@@ -974,12 +978,6 @@ fi
 
 cd ..
 
-#
-# Install the Standard Actions file
-#
-install_file actions.std ${DESTDIR}${SHAREDIR}/$PRODUCT/actions.std 0644
-echo "Standard actions file installed as ${DESTDIR}${SHAREDIR}d/$PRODUCT/actions.std"
-
 #
 # Install the  Makefiles
 #

Shorewall/lib.cli-std

@@ -34,8 +34,6 @@ get_config() {
 
     ensure_config_path
 
-
-
     if [ "$1" = Yes ]; then
 	params=$(find_file params)
 
@@ -138,6 +136,12 @@ get_config() {
 			exit 2
 		    fi
 		    ;;
+		ipset)
+		    #
+		    # Old config files had this as default
+		    #
+		    IPSET=''
+		    ;;
 		*)
 		    prog="$(mywhich $IPSET 2> /dev/null)"
 		    if [ -z "$prog" ] ; then
@@ -148,7 +152,7 @@ get_config() {
 		    ;;
 	    esac
 	else
-	    IPSET='ipset'
+	    IPSET=''
 	fi
 
 	if [ -n "$TC" ]; then
@@ -363,8 +367,9 @@ uptodate() {
 compiler() {
     local pc
     local shorewallrc
+    local shorewallrc1
 
-    pc=$g_libexec/shorewall/compiler.pl
+    pc=${LIBEXECDIR}/shorewall/compiler.pl
 
     if [ $(id -u) -ne 0 ]; then
 	if [ -z "$g_shorewalldir" -o "$g_shorewalldir" = /etc/$g_program ]; then
@@ -378,7 +383,7 @@ compiler() {
     #
     # Get the config from $g_shorewalldir
     #
-    [ -n "$g_shorewalldir" -a "$g_shorewalldir" != ${g_confdir} ] && get_config
+    get_config Yes
 
     case $COMMAND in
 	*start|try|refresh)
@@ -399,14 +404,15 @@ compiler() {
     [ "$1" = nolock ] && shift;
     shift
 
+    shorewallrc=${g_basedir}/shorewallrc
+    
     if [ -n "$g_export" ]; then
-	shorewallrc=$(find_file shorewallrc)
-	[ -f "$shorewallrc" ] || fatal_error "Compiling for export requires a shorewallrc file"
-    else
-	shorewallrc="${g_basedir}/shorewallrc"
+	shorewallrc1=$(find_file shorewallrc)
+	[ -f "$shorewallrc1" ] || fatal_error "Compiling for export requires a shorewallrc file"
     fi
 
     options="--verbose=$VERBOSITY --family=$g_family --config_path=$CONFIG_PATH --shorewallrc=${shorewallrc}"
+    [ -n "$shorewallrc1" ] && options="$options --shorewallrc1=${shorewallrc1}"
     [ -n "$STARTUP_LOG" ] && options="$options --log=$STARTUP_LOG"
     [ -n "$LOG_VERBOSITY" ] && options="$options --log_verbosity=$LOG_VERBOSITY";
     [ -n "$g_export" ] && options="$options --export"
@@ -430,15 +436,30 @@ compiler() {
 	PERL=/usr/bin/perl
     fi
 
-    if [ $g_perllib = ${g_libexec}/shorewall ]; then
+    if [ ${PERLLIBDIR} = ${LIBEXECDIR}/shorewall ]; then
 	$PERL $debugflags $pc $options $@
     else
-	PERL5LIB=$g_perllib
+	PERL5LIB=${PERLLIBDIR}
 	export PERL5LIB
 	$PERL $debugflags $pc $options $@
     fi
 }
 
+#
+# Run the postcompile user exit
+#
+run_postcompile() { # $1 is the compiled script
+    local script
+
+    script=$(find_file postcompile)
+
+    if [ -f $script ]; then
+	. $script $1
+    else
+	return 0
+    fi
+}
+
 #
 # Start Command Executor
 #
@@ -459,6 +480,7 @@ start_command() {
 	    progress_message3 "Compiling..."
 
 	    if compiler $g_debugging $nolock compile ${VARDIR}/.start; then
+		run_postcompile ${VARDIR}/.start
 		[ -n "$nolock" ] || mutex_on
 		run_it ${VARDIR}/.start $g_debugging start
 		rc=$?
@@ -603,6 +625,7 @@ compile_command() {
 		    case $option in
 			e*)
 			    g_export=Yes
+			    g_shorewalldir='.'
 			    option=${option#e}
 			    ;;
 			p*)
@@ -641,14 +664,14 @@ compile_command() {
 
     case $# in
 	0)
-	    file=${VARDIR}/firewall
+	    [ -n "$g_export" ] && file=firewall || file=${VARDIR}/firewall
 	    ;;
 	1)
 	    file=$1
 	    [ -d $file ] && echo "   ERROR: $file is a directory" >&2 && exit 2;
 	    ;;
 	2)
-	    [ -n "$g_shorewalldir" ] && usage 2
+	    [ -n "$g_shorewalldir" -a -z "$g_export" ] && usage 2
 
 	    if [ ! -d $1 ]; then
 		if [ -e $1 ]; then
@@ -668,7 +691,7 @@ compile_command() {
 
     [ "x$file" = x- ] || progress_message3 "Compiling..."
 
-    compiler $g_debugging compile $file
+    compiler $g_debugging compile $file && run_postcompile $file
 }
 
 #
@@ -692,6 +715,7 @@ check_command() {
 			    ;;
 			e*)
 			    g_export=Yes
+			    g_shorewalldir='.'
 			    option=${option#e}
 			    ;;
 			p*)
@@ -731,7 +755,7 @@ check_command() {
 	0)
 	    ;;
 	1)
-	    [ -n "$g_shorewalldir" ] && usage 2
+	    [ -n "$g_shorewalldir" -a -z "$g_export" ] && usage 2
 
 	    if [ ! -d $1 ]; then
 		if [ -e $1 ]; then
@@ -934,6 +958,7 @@ restart_command() {
 	progress_message3 "Compiling..."
 
 	if compiler $g_debugging $nolock compile ${VARDIR}/.restart; then
+	    run_postcompile ${VARDIR}/.restart
 	    [ -n "$nolock" ] || mutex_on
 	    run_it ${VARDIR}/.restart $g_debugging restart
 	    rc=$?
@@ -1025,6 +1050,7 @@ refresh_command() {
     progress_message3 "Compiling..."
 
     if compiler $g_debugging $nolock compile ${VARDIR}/.refresh; then
+	run_postcompile ${VARDIR}/.refresh
 	[ -n "$nolock" ] || mutex_on
 	run_it ${VARDIR}/.refresh $g_debugging refresh
 	rc=$?
@@ -1139,6 +1165,8 @@ safe_commands() {
 	exit $status
     fi
 
+    run_postcompile ${VARDIR}/.$command
+
     case $command in
 	start)
 	    RESTOREFILE=NONE
@@ -1270,6 +1298,8 @@ try_command() {
 	exit $status
     fi
 
+    run_postcompile ${VARDIR}/.restart
+
     case $command in
 	start)
 	    RESTOREFILE=NONE
@@ -1285,7 +1315,7 @@ try_command() {
 
     [ -n "$nolock" ] || mutex_on
 
-    if run_it ${VARDIR}/.$command $command && [ -n "$timeout" ]; then
+    if run_it ${VARDIR}/.$command $g_debugging $command && [ -n "$timeout" ]; then
 	sleep $timeout
 
 	if [ "$command" = "restart" ]; then
@@ -1628,7 +1658,9 @@ usage() # $1 = exit status
     echo "   show macros"
     echo "   show marks"
     echo "   show [ -x ] mangle|nat|raw|rawpost|routing"
+    echo "   show nfacct"
     echo "   show policies"
+    echo "   show routing"
     echo "   show tc [ device ]"
     echo "   show vardir"
     echo "   show zones"
@@ -1646,7 +1678,6 @@ compiler_command() {
 
     case $COMMAND in
 	compile)
-	    get_config Yes
 	    shift
 	    compile_command $@
 	    ;;
@@ -1656,7 +1687,6 @@ compiler_command() {
 	    refresh_command $@
 	    ;;
 	check)
-	    get_config Yes
 	    shift
 	    check_command $@
 	    ;;

Shorewall/manpages/shorewall-accounting.xml

@@ -294,8 +294,25 @@
             </varlistentry>
 
             <varlistentry>
-              <term>NFLOG[(nflog-parameters)] - Added in
-              Shorewall-4.4.20.</term>
+              <term><emphasis
+              role="bold">NFACCT</emphasis>(<replaceable>object</replaceable>)</term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.7. Provides a form of accounting
+                that survives <command>shorewall stop/shorewall</command>
+                start and <command>shorewall restart</command>. Requires the
+                NFaccnt Match capability in your kernel and iptables.
+                <replaceable>object</replaceable> names an nfacct object (see
+                man nfaccnt(8)). Multiple rules can specify the same
+                <replaceable>object</replaceable>; all packets that match any
+                of the rules increment the packet and bytes count of the
+                object.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">NFLOG</emphasis>[(nflog-parameters)]
+              - Added in Shorewall-4.4.20.</term>
 
               <listitem>
                 <para>Causes each matching packet to be sent via the currently
@@ -306,7 +323,7 @@
             </varlistentry>
 
             <varlistentry>
-              <term>COMMENT</term>
+              <term><emphasis role="bold">COMMENT</emphasis></term>
 
               <listitem>
                 <para>The remainder of the line is treated as a comment which

Shorewall/manpages/shorewall-actions.xml

@@ -28,11 +28,73 @@
     the iptables rules to be performed in an ACTION in
     /etc/shorewall/action.<emphasis>action-name</emphasis>.</para>
 
-    <para>ACTION names should begin with an upper-case letter to distinguish
-    them from Shorewall-generated chain names and be composed of letters,
-    digits or numbers. If you intend to log from the action then the name must
-    be no longer than 11 characters in length if you use the standard
-    LOGFORMAT.</para>
+    <para>Columns are:</para>
+
+    <variablelist>
+      <varlistentry>
+        <term>NAME</term>
+
+        <listitem>
+          <para>The name of the action. ACTION names should begin with an
+          upper-case letter to distinguish them from Shorewall-generated chain
+          names and be composed of letters, digits or numbers. If you intend
+          to log from the action then the name must be no longer than 11
+          characters in length if you use the standard LOGFORMAT.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>OPTIONS</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.10. Available options are:</para>
+
+          <variablelist>
+            <varlistentry>
+              <term>inline</term>
+
+              <listitem>
+                <para>Causes the action body (defined in
+                action.<replaceable>action-name</replaceable>) to be expanded
+                in-line like a macro rather than in its own chain. You can
+                list Shorewall Standard Actions in this file to specify the
+                <option>inline</option> option.</para>
+
+                <caution>
+                  <para>Some of the Shorewall standard actions cannot be used
+                  in-line and will generate a warning and the compiler will
+                  ignore <option>inline</option> if you try to use them that
+                  way:</para>
+
+                  <simplelist>
+                    <member>Broadcast</member>
+
+                    <member>DropSmurfs</member>
+
+                    <member>Invalid</member>
+
+                    <member>NotSyn</member>
+
+                    <member>RST</member>
+
+                    <member>TCPFlags</member>
+                  </simplelist>
+                </caution>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>noinline</term>
+
+              <listitem>
+                <para>Causes any later <option>inline</option> option for the
+                same action to be ignored with a warning.</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+        </listitem>
+      </varlistentry>
+    </variablelist>
   </refsect1>
 
   <refsect1>

Shorewall/manpages/shorewall-blacklist.xml

@@ -23,8 +23,10 @@
   <refsect1>
     <title>Description</title>
 
-    <para>The blacklist file is used to perform static blacklisting. You can
-    blacklist by source address (IP or MAC), or by application.</para>
+    <para>The blacklist file is used to perform static blacklisting by source
+    address (IP or MAC), or by application. The use of this file is deprecated
+    and beginning with Shorewall 4.5.7, the file is no longer
+    installed.</para>
 
     <para>The columns in the file are as follows (where the column name is
     followed by a different name in parentheses, the different name is used in

Shorewall/manpages/shorewall-conntrack.xml

@@ -0,0 +1,486 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<refentry>
+  <refmeta>
+    <refentrytitle>shorewall6-conntrack</refentrytitle>
+
+    <manvolnum>5</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>conntrack</refname>
+
+    <refpurpose>shorewall conntrack file</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>/etc/shorewall/conntrack</command>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>Description</title>
+
+    <para>The original intent of the <emphasis role="bold">notrack</emphasis>
+    file was to exempt certain traffic from Netfilter connection tracking.
+    Traffic matching entries in the file were not to be tracked.</para>
+
+    <para>The role of the file was expanded in Shorewall 4.4.27 to include all
+    rules that can be added in the Netfilter <emphasis
+    role="bold">raw</emphasis> table. In 4.5.7, the file's name was changed to
+    <emphasis role="bold">conntrack</emphasis>.</para>
+
+    <para>The file supports two different column layouts: FORMAT 1, FORMAT 2,
+    and FORMAT 3, FORMAT 1 being the default. The three differ as
+    follows:</para>
+
+    <itemizedlist>
+      <listitem>
+        <para>in FORMAT 2 and 3, there is an additional leading ACTION
+        column.</para>
+      </listitem>
+
+      <listitem>
+        <para>in FORMAT 3, the SOURCE column accepts no zone name; rather the
+        ACTION column allows a SUFFIX that determines the chain(s) that the
+        generated rule will be added to.</para>
+      </listitem>
+    </itemizedlist>
+
+    <para>When an entry in the following form is encountered, the format of
+    the following entries are assumed to be of the specified
+    <replaceable>format</replaceable>.</para>
+
+    <simplelist>
+      <member><emphasis role="bold">FORMAT</emphasis>
+      <replaceable>format</replaceable></member>
+    </simplelist>
+
+    <para>where <replaceable>format</replaceable> is either <emphasis
+    role="bold">1</emphasis>,<emphasis role="bold">2</emphasis> or <emphasis
+    role="bold">3</emphasis>.</para>
+
+    <para>Format 3 was introduced in Shorewall 4.5.10.</para>
+
+    <para>Comments may be attached to Netfilter rules generated from entries
+    in this file through the use of COMMENT lines. These lines begin with the
+    word COMMENT; the remainder of the line is treated as a comment which is
+    attached to subsequent rules until another COMMENT line is found or until
+    the end of the file is reached. To stop adding comments to rules, use a
+    line with only the word COMMENT.</para>
+
+    <para>The columns in the file are as follows (where the column name is
+    followed by a different name in parentheses, the different name is used in
+    the alternate specification syntax).</para>
+
+    <variablelist>
+      <varlistentry>
+        <term><emphasis role="bold">ACTION</emphasis> - {<emphasis
+        role="bold">NOTRACK</emphasis>|<emphasis
+        role="bold">CT</emphasis>:<emphasis
+        role="bold">helper</emphasis>:<replaceable>name</replaceable>[(<replaceable>arg</replaceable>=<replaceable>val</replaceable>[,...])|<emphasis
+        role="bold">CT:notrack</emphasis>|DROP}[:<replaceable>chain-designator</replaceable>]</term>
+
+        <listitem>
+          <para>This column is only present when FORMAT &gt;= 2. Values other
+          than NOTRACK or DROP require <firstterm>CT Target
+          </firstterm>support in your iptables and kernel.</para>
+
+          <itemizedlist>
+            <listitem>
+              <para><option>NOTRACK</option> or
+              <option>CT:notrack</option></para>
+
+              <para>Disables connection tracking for this packet.</para>
+            </listitem>
+
+            <listitem>
+              <para><option>DROP</option></para>
+
+              <para>Added in Shorewall 4.5.10. Silently discard the
+              packet.</para>
+            </listitem>
+
+            <listitem>
+              <para><option>helper</option>:<replaceable>name</replaceable></para>
+
+              <para>Attach the helper identified by the
+              <replaceable>name</replaceable> to this connection. This is more
+              flexible than loading the conntrack helper with preset
+              ports.</para>
+
+              <para>At this writing, the available helpers are:</para>
+
+              <variablelist>
+                <varlistentry>
+                  <term>amanda</term>
+
+                  <listitem>
+                    <para>Requires that the amanda netfilter helper is
+                    present.</para>
+                  </listitem>
+                </varlistentry>
+
+                <varlistentry>
+                  <term>ftp</term>
+
+                  <listitem>
+                    <para>Requires that the FTP netfilter helper is
+                    present.</para>
+                  </listitem>
+                </varlistentry>
+
+                <varlistentry>
+                  <term>irc</term>
+
+                  <listitem>
+                    <para>Requires that the IRC netfilter helper is
+                    present.</para>
+                  </listitem>
+                </varlistentry>
+
+                <varlistentry>
+                  <term>netbios-ns</term>
+
+                  <listitem>
+                    <para>Requires that the netbios_ns (sic) helper is
+                    present.</para>
+                  </listitem>
+                </varlistentry>
+
+                <varlistentry>
+                  <term>RAS and Q.931</term>
+
+                  <listitem>
+                    <para>These require that the H323 netfilter helper is
+                    present.</para>
+                  </listitem>
+                </varlistentry>
+
+                <varlistentry>
+                  <term>pptp</term>
+
+                  <listitem>
+                    <para>Requires that the pptp netfilter helper is
+                    present.</para>
+                  </listitem>
+                </varlistentry>
+
+                <varlistentry>
+                  <term></term>
+
+                  <listitem>
+                    <para></para>
+                  </listitem>
+                </varlistentry>
+
+                <varlistentry>
+                  <term>sane</term>
+
+                  <listitem>
+                    <para>Requires that the SANE netfilter helper is
+                    present.</para>
+                  </listitem>
+                </varlistentry>
+
+                <varlistentry>
+                  <term>sip</term>
+
+                  <listitem>
+                    <para>Requires that the SIP netfilter helper is
+                    present.</para>
+                  </listitem>
+                </varlistentry>
+
+                <varlistentry>
+                  <term>snmp</term>
+
+                  <listitem>
+                    <para>Requires that the SNMP netfilter helper is
+                    present.</para>
+                  </listitem>
+                </varlistentry>
+
+                <varlistentry>
+                  <term>tftp</term>
+
+                  <listitem>
+                    <para>Requires that the TFTP netfilter helper is
+                    present.</para>
+                  </listitem>
+                </varlistentry>
+              </variablelist>
+
+              <para>May be followed by an option list of
+              <replaceable>arg</replaceable>=<replaceable>val</replaceable>
+              pairs in parentheses:</para>
+
+              <itemizedlist>
+                <listitem>
+                  <para><option>ctevents</option>=<replaceable>event</replaceable>[,...]</para>
+
+                  <para>Only generate the specified conntrack events for this
+                  connection. Possible event types are: <emphasis
+                  role="bold">new</emphasis>, <emphasis
+                  role="bold">related</emphasis>, <emphasis
+                  role="bold">destroy</emphasis>, <emphasis
+                  role="bold">reply</emphasis>, <emphasis
+                  role="bold">assured</emphasis>, <emphasis
+                  role="bold">protoinfo</emphasis>, <emphasis
+                  role="bold">helper</emphasis>, <emphasis
+                  role="bold">mark</emphasis> (this is connection mark, not
+                  packet mark), <emphasis role="bold">natseqinfo</emphasis>,
+                  and <emphasis role="bold">secmark</emphasis>. If more than
+                  one <emphasis>event</emphasis> is listed, the
+                  <replaceable>event</replaceable> list must be enclosed in
+                  parentheses (e.g., ctevents=(new,related)).</para>
+                </listitem>
+
+                <listitem>
+                  <para><option>expevents</option><option>=new</option></para>
+
+                  <para>Only generate a <emphasis role="bold">new</emphasis>
+                  expectation events for this connection.</para>
+                </listitem>
+              </itemizedlist>
+            </listitem>
+          </itemizedlist>
+
+          <para>When FORMAT = 1, this column is not present and the rule is
+          processed as if NOTRACK had been entered in this column.</para>
+
+          <para>Beginning with Shorewall 4.5.10, when FORMAT = 3, this column
+          can end with a colon followed by a
+          <replaceable>chain-designator</replaceable>. The
+          <replaceable>chain-designator</replaceable> can be one of the
+          following:</para>
+
+          <variablelist>
+            <varlistentry>
+              <term>P</term>
+
+              <listitem>
+                <para>The rule is added to the raw table PREROUTING chain.
+                This is the default if no
+                <replaceable>chain-designator</replaceable> is present.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>O</term>
+
+              <listitem>
+                <para>The rule is added to the raw table OUTPUT chain.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>PO or OP</term>
+
+              <listitem>
+                <para>The rule is added to the raw table PREROUTING and OUTPUT
+                chains.</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>SOURCE (formats 1 and 2) ‒
+        {<emphasis>zone</emphasis>[:<emphasis>interface</emphasis>][:<emphasis>address-list</emphasis>]|COMMENT}</term>
+
+        <listitem>
+          <para>where <replaceable>zone</replaceable> is the name of a zone,
+          <replaceable>interface</replaceable> is an interface to that zone,
+          and <replaceable>address-list</replaceable> is a comma-separated
+          list of addresses (may contain exclusion - see <ulink
+          url="shorewall-exclusion.html">shorewall-exclusion</ulink>
+          (5)).</para>
+
+          <para>Beginning with Shorewall 4.5.7, <option>all</option> can be
+          used as the <replaceable>zone</replaceable> name to mean
+          <firstterm>all zones</firstterm>.</para>
+
+          <para>Beginning with Shorewall 4.5.10, <option>all-</option> can be
+          used as the <replaceable>zone</replaceable> name to mean all
+          <firstterm>off-firewall zone</firstterm>s.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>SOURCE (format 3) ‒
+        {-|<emphasis>interface</emphasis>[:<emphasis>address-list</emphasis>]|<replaceable>address-list</replaceable>}</term>
+
+        <listitem>
+          <para>Where <replaceable>interface</replaceable> is an interface to
+          that zone, and <replaceable>address-list</replaceable> is a
+          comma-separated list of addresses (may contain exclusion - see
+          <ulink url="shorewall-exclusion.html">shorewall-exclusion</ulink>
+          (5)).</para>
+
+          <para>COMMENT is only allowed in format 1; the remainder of the line
+          is treated as a comment that will be associated with the generated
+          rule(s).</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>DEST ‒
+        {-|<emphasis>interface</emphasis>[:<emphasis>address-list</emphasis>]|<replaceable>address-list</replaceable>}</term>
+
+        <listitem>
+          <para>where <replaceable>address-list</replaceable> is a
+          comma-separated list of addresses (may contain exclusion - see
+          <ulink url="shorewall-exclusion.html">shorewall6-exclusion</ulink>
+          (5)).</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>PROTO ‒
+        <replaceable>protocol-name-or-number</replaceable></term>
+
+        <listitem>
+          <para>A protocol name from <filename>/etc/protocols</filename> or a
+          protocol number.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>DEST PORT(S) (dport) - port-number/service-name-list</term>
+
+        <listitem>
+          <para>A comma-separated list of port numbers and/or service names
+          from <filename>/etc/services</filename>. May also include port
+          ranges of the form
+          <replaceable>low-port</replaceable>:<replaceable>high-port</replaceable>
+          if your kernel and iptables include port range support.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>SOURCE PORT(S) (sport) - port-number/service-name-list</term>
+
+        <listitem>
+          <para>A comma-separated list of port numbers and/or service names
+          from <filename>/etc/services</filename>. May also include port
+          ranges of the form
+          <replaceable>low-port</replaceable>:<replaceable>high-port</replaceable>
+          if your kernel and iptables include port range support.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>USER/GROUP (user) ‒
+        [<replaceable>user</replaceable>][:<replaceable>group</replaceable>]</term>
+
+        <listitem>
+          <para>May only be specified if the SOURCE
+          <replaceable>zone</replaceable> is $FW. Specifies the effective user
+          id and or group id of the process sending the traffic.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">SWITCH -
+        [!]<replaceable>switch-name</replaceable>[={0|1}]</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.10 and allows enabling and disabling
+          the rule without requiring <command>shorewall
+          restart</command>.</para>
+
+          <para>The rule is enabled if the value stored in
+          <filename>/proc/net/nf_condition/<replaceable>switch-name</replaceable></filename>
+          is 1. The rule is disabled if that file contains 0 (the default). If
+          '!' is supplied, the test is inverted such that the rule is enabled
+          if the file contains 0.</para>
+
+          <para>Within the <replaceable>switch-name</replaceable>, '@0' and
+          '@{0}' are replaced by the name of the chain to which the rule is a
+          added. The <replaceable>switch-name</replaceable> (after '...'
+          expansion) must begin with a letter and be composed of letters,
+          decimal digits, underscores or hyphens. Switch names must be 30
+          characters or less in length.</para>
+
+          <para>Switches are normally <emphasis role="bold">off</emphasis>. To
+          turn a switch <emphasis role="bold">on</emphasis>:</para>
+
+          <simplelist>
+            <member><command>echo 1 &gt;
+            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
+          </simplelist>
+
+          <para>To turn it <emphasis role="bold">off</emphasis> again:</para>
+
+          <simplelist>
+            <member><command>echo 0 &gt;
+            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
+          </simplelist>
+
+          <para>Switch settings are retained over <command>shorewall
+          restart</command>.</para>
+
+          <para>When the <replaceable>switch-name</replaceable> is followed by
+          <option>=0</option> or <option>=1</option>, then the switch is
+          initialized to off or on respectively by the
+          <command>start</command> command. Other commands do not affect the
+          switch setting.</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1>
+    <title>EXAMPLE</title>
+
+    <para>Example 1:</para>
+
+    <programlisting>#ACTION                       SOURCE            DEST               PROTO            DEST              SOURCE              USER/GROUP
+#                                                                                   PORT(S)           PORT(S)
+CT:helper:ftp(expevents=new)  fw                -                  tcp              21              </programlisting>
+
+    <para>Example 2 (Shorewall 4.5.10 or later):</para>
+
+    <para>Drop traffic to/from all zones to IP address 1.2.3.4</para>
+
+    <programlisting>FORMAT 2
+#ACTION                       SOURCE             DEST               PROTO            DEST              SOURCE              USER/GROUP
+#                                                                                   PORT(S)           PORT(S)
+DROP                          all-:1.2.3.4       -
+DROP                          all                1.2.3.4</programlisting>
+
+    <para>or<programlisting>FORMAT 3
+#ACTION                       SOURCE             DEST               PROTO            DEST              SOURCE              USER/GROUP
+#                                                                                   PORT(S)           PORT(S)
+DROP:P                        1.2.3.4            -
+DROP:PO                       -                  1.2.3.4
+</programlisting></para>
+  </refsect1>
+
+  <refsect1>
+    <title>FILES</title>
+
+    <para>/etc/shorewall/notrack</para>
+  </refsect1>
+
+  <refsect1>
+    <title>See ALSO</title>
+
+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-masq(5), shorewall-nat(5),
+    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-zones(5)</para>
+  </refsect1>
+</refentry>

Shorewall/manpages/shorewall-interfaces.xml

@@ -202,7 +202,7 @@ loc     eth2            -</programlisting>
                 changed; the value assigned to the setting will be the value
                 specified (if any) or 1 if no value is given.</para>
 
-                <para/>
+                <para></para>
 
                 <note>
                   <para>This option does not work with a wild-card
@@ -236,7 +236,7 @@ loc     eth2            -</programlisting>
 
                 <para>8 - do not reply for all local addresses</para>
 
-                <para/>
+                <para></para>
 
                 <note>
                   <para>This option does not work with a wild-card
@@ -244,7 +244,7 @@ loc     eth2            -</programlisting>
                   the INTERFACE column.</para>
                 </note>
 
-                <para/>
+                <para></para>
 
                 <warning>
                   <para>Do not specify <emphasis
@@ -394,7 +394,7 @@ loc     eth2            -</programlisting>
         1
         teastep@lists:~$ </programlisting>
 
-                <para/>
+                <para></para>
 
                 <note>
                   <para>This option does not work with a wild-card
@@ -461,7 +461,7 @@ loc     eth2            -</programlisting>
             </varlistentry>
 
             <varlistentry>
-              <term>nosmurfs</term>
+              <term><emphasis role="bold">nosmurfs</emphasis></term>
 
               <listitem>
                 <para>Filter packets for smurfs (packets with a broadcast
@@ -637,7 +637,22 @@ loc     eth2            -</programlisting>
             </varlistentry>
 
             <varlistentry>
-              <term>sfilter=(<emphasis>net</emphasis>[,...])</term>
+              <term><emphasis role="bold">rpfilter</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.7. This is an anti-spoofing
+                measure that requires the 'RPFilter Match' capability in your
+                iptables and kernel. It provides a more efficient alternative
+                to the <option>sfilter</option> option below. It performs a
+                function similar to <option>routefilter</option> (see above)
+                but works with Multi-ISP configurations that do now use
+                balanced routes.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+	      role="bold">sfilter=(<emphasis>net</emphasis>[,...])</emphasis></term>
 
               <listitem>
                 <para>Added in Shorewall 4.4.20. This option provides an
@@ -668,7 +683,7 @@ loc     eth2            -</programlisting>
                 changed; the value assigned to the setting will be the value
                 specified (if any) or 1 if no value is given.</para>
 
-                <para/>
+                <para></para>
 
                 <note>
                   <para>This option does not work with a wild-card

Shorewall/manpages/shorewall-masq.xml

@@ -124,7 +124,7 @@
       <varlistentry>
         <term><emphasis role="bold">SOURCE</emphasis> (Formerly called SUBNET)
         -
-        {<emphasis>interface</emphasis>[:<emphasis>exclusion</emphasis>]|<emphasis>address</emphasis>[<emphasis
+        {<emphasis>interface</emphasis>|<emphasis>address</emphasis>[<emphasis
         role="bold">,</emphasis><emphasis>address</emphasis>][<emphasis>exclusion</emphasis>]}</term>
 
         <listitem>
@@ -137,20 +137,6 @@
           fact. (Shorewall will use your main routing table to determine the
           appropriate addresses to masquerade).</para>
 
-          <para>In order to exclude a address of the specified SOURCE, you may
-          append an <emphasis>exclusion</emphasis> ("!" and a comma-separated
-          list of IP addresses (host or net) that you wish to exclude (see
-          <ulink
-          url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5))).
-          Note that a colon (":") must appear between an
-          <replaceable>interface</replaceable> name and the
-          <replaceable>exclusion</replaceable>;</para>
-
-          <para>Example: eth1:!192.168.1.4,192.168.32.0/27</para>
-
-          <para>In that example traffic from eth1 would be masqueraded unless
-          it came from 192.168.1.4 or 196.168.32.0/27</para>
-
           <para>The preferred way to specify the SOURCE is to supply one or
           more host or network addresses separated by comma. You may use ipset
           names preceded by a plus sign (+) to specify a set of hosts.</para>
@@ -475,7 +461,7 @@
 
       <varlistentry>
         <term><emphasis role="bold">SWITCH -
-        [!]<replaceable>switch-name</replaceable></emphasis></term>
+        [!]<replaceable>switch-name</replaceable>[={0|1}]</emphasis></term>
 
         <listitem>
           <para>Added in Shorewall 4.5.1 and allows enabling and disabling the
@@ -485,10 +471,14 @@
           <filename>/proc/net/nf_condition/<replaceable>switch-name</replaceable></filename>
           is 1. The rule is disabled if that file contains 0 (the default). If
           '!' is supplied, the test is inverted such that the rule is enabled
-          if the file contains 0. <replaceable>switch-name</replaceable> must
-          begin with a letter and be composed of letters, decimal digits,
-          underscores or hyphens. Switch names must be 30 characters or less
-          in length.</para>
+          if the file contains 0.</para>
+
+          <para>Within the <replaceable>switch-name</replaceable>, '@0' and
+          '@{0}' are replaced by the name of the chain to which the rule is a
+          added. The <replaceable>switch-name</replaceable> (after '@...'
+          expansion) must begin with a letter and be composed of letters,
+          decimal digits, underscores or hyphens. Switch names must be 30
+          characters or less in length.</para>
 
           <para>Switches are normally <emphasis role="bold">off</emphasis>. To
           turn a switch <emphasis role="bold">on</emphasis>:</para>
@@ -507,6 +497,13 @@
 
           <para>Switch settings are retained over <command>shorewall
           restart</command>.</para>
+
+          <para>Beginning with Shoreawll 4.5.10, when the
+          <replaceable>switch-name</replaceable> is followed by
+          <option>=0</option> or <option>=1</option>, then the switch is
+          initialized to off or on respectively by the
+          <command>start</command> command. Other commands do not affect the
+          switch setting.</para>
         </listitem>
       </varlistentry>
 
@@ -619,6 +616,29 @@
         eth0:+myset[dst]        -               206.124.146.177</programlisting>
         </listitem>
       </varlistentry>
+
+      <varlistentry>
+        <term>Example 7:</term>
+
+        <listitem>
+          <para>SNAT outgoing connections on eth0 from 192.168.1.0/24 in
+          round-robin fashion between addresses 1.1.1.1, 1.1.1.3, and 1.1.1.9
+          (Shorewall 4.5.9 and later).</para>
+
+          <programlisting>/etc/shorewall/tcrules:
+
+       #ACTION   SOURCE         DEST         PROTO   PORT(S)       SOURCE  USER    TEST
+       #                                                           PORT(S)
+       1-3:CF    192.168.1.0/24 eth0 ; state=NEW
+
+/etc/shorewall/masq:
+
+       #INTERFACE SOURCE         ADDRESS     ...
+       eth0       192.168.1.0/24 1.1.1.1 ; mark=1:C
+       eth0       192.168.1.0/24 1.1.1.3 ; mark=2:C
+       eth0       192.168.1.0/24 1.1.1.4 ; mark=3:C</programlisting>
+        </listitem>
+      </varlistentry>
     </variablelist>
   </refsect1>
 

Shorewall/manpages/shorewall-notrack.xml

@@ -1,250 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
-"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
-<refentry>
-  <refmeta>
-    <refentrytitle>shorewall6-notrack</refentrytitle>
-
-    <manvolnum>5</manvolnum>
-  </refmeta>
-
-  <refnamediv>
-    <refname>notrack</refname>
-
-    <refpurpose>shorewall notrack file</refpurpose>
-  </refnamediv>
-
-  <refsynopsisdiv>
-    <cmdsynopsis>
-      <command>/etc/shorewall/notrack</command>
-    </cmdsynopsis>
-  </refsynopsisdiv>
-
-  <refsect1>
-    <title>Description</title>
-
-    <para>The original intent of the notrack file was to exempt certain
-    traffic from Netfilter connection tracking. Traffic matching entries in
-    this file were not to be tracked.</para>
-
-    <para>The role of the file was expanded in Shorewall 4.4.27 to include all
-    rules tht can be added in the Netfilter <emphasis
-    role="bold">raw</emphasis> table.</para>
-
-    <para>The file supports two different column layouts: FORMAT 1 and FORMAT
-    2, FORMAT 1 being the default. The two differ in that FORMAT 2 has an
-    additional leading ACTION column. When an entry in the file of this form
-    is encountered, the format of the following entries are assumed to be of
-    the specified <replaceable>format</replaceable>.</para>
-
-    <simplelist>
-      <member><emphasis role="bold">FORMAT</emphasis>
-      <replaceable>format</replaceable></member>
-    </simplelist>
-
-    <para>where <replaceable>format</replaceable> is either <emphasis
-    role="bold">1</emphasis> or <emphasis role="bold">2</emphasis>.</para>
-
-    <para>The columns in the file are as follows (where the column name is
-    followed by a different name in parentheses, the different name is used in
-    the alternate specification syntax).</para>
-
-    <variablelist>
-      <varlistentry>
-        <term><emphasis role="bold">ACTION</emphasis> - {<emphasis
-        role="bold">NOTRACK</emphasis>|<emphasis
-        role="bold">CT</emphasis>:<replaceable>option</replaceable>[:<replaceable>arg,...</replaceable>]}</term>
-
-        <listitem>
-          <para>This column is only present when FORMAT = 2. Values other than
-          NOTRACK require <firstterm>CT Target </firstterm>support in your
-          iptables and kernel.</para>
-
-          <para>Possible values for <replaceable>option</replaceable> and
-          <replaceable>arg</replaceable>s are:</para>
-
-          <itemizedlist>
-            <listitem>
-              <para><option>notrack</option> (no
-              <replaceable>arg</replaceable>)</para>
-
-              <para>Disables connection tracking for this packet, the same as
-              if NOTRACK has been specified in this column.</para>
-            </listitem>
-
-            <listitem>
-              <para><option>helper</option>:<replaceable>name</replaceable></para>
-
-              <para>Use the helper identified by the name to this connection.
-              This is more flexible than loading the conntrack helper with
-              preset ports.</para>
-            </listitem>
-
-            <listitem>
-              <para><option>ctevents</option>:<replaceable>event</replaceable>,...</para>
-
-              <para>Only generate the specified conntrack events for this
-              connection. Possible event types are: <emphasis
-              role="bold">new</emphasis>, <emphasis
-              role="bold">related</emphasis>, <emphasis
-              role="bold">destroy</emphasis>, <emphasis
-              role="bold">reply</emphasis>, <emphasis
-              role="bold">assured</emphasis>, <emphasis
-              role="bold">protoinfo</emphasis>, <emphasis
-              role="bold">helper</emphasis>, <emphasis
-              role="bold">mark</emphasis> (this is connection mark, not packet
-              mark), <emphasis role="bold">natseqinfo</emphasis>, and
-              <emphasis role="bold">secmark</emphasis>.</para>
-            </listitem>
-
-            <listitem>
-              <para><option>expevents</option><option>:new</option></para>
-
-              <para>Only generate a new expectation events for this
-              connection.</para>
-            </listitem>
-
-            <listitem>
-              <para><option>zone</option>:<replaceable>id</replaceable></para>
-
-              <para>Assign this packet to zone <replaceable>id</replaceable>
-              and only have lookups done in that zone. By default, packets
-              have zone 0.</para>
-            </listitem>
-          </itemizedlist>
-
-          <para>When FORMAT = 1, this column is not present and the rule is
-          processed as if NOTRACK had been entered in this column.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>SOURCE ‒
-        {<emphasis>zone</emphasis>[:<emphasis>interface</emphasis>][:<emphasis>address-list</emphasis>]|COMMENT}</term>
-
-        <listitem>
-          <para>where <replaceable>zone</replaceable> is the name of a zone,
-          <replaceable>interface</replaceable> is an interface to that zone,
-          and <replaceable>address-list</replaceable> is a comma-separated
-          list of addresses (may contain exclusion - see <ulink
-          url="shorewall-exclusion.html">shorewall-exclusion</ulink>
-          (5)).</para>
-
-          <para>Comments may be attached to Netfilter rules generated from
-          entries in this file through the use of COMMENT lines. These lines
-          begin with the word COMMENT; the remainder of the line is treated as
-          a comment which is attached to subsequent rules until another
-          COMMENT line is found or until the end of the file is reached. To
-          stop adding comments to rules, use a line with only the word
-          COMMENT.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>DEST ‒
-        [<replaceable>interface</replaceable>|<replaceable>address-list</replaceable>]</term>
-
-        <listitem>
-          <para>where <replaceable>interface</replaceable> is the name of a
-          network interface and <replaceable>address-list</replaceable> is a
-          comma-separated list of addresses (may contain exclusion - see
-          <ulink url="shorewall-exclusion.html">shorewall-exclusion</ulink>
-          (5)). If an interface is given:</para>
-
-          <itemizedlist>
-            <listitem>
-              <para>It must be up and configured with an IPv4 address when
-              Shorewall is started or restarted.</para>
-            </listitem>
-
-            <listitem>
-              <para>All routes out of the interface must be configured when
-              Shorewall is started or restarted.</para>
-            </listitem>
-
-            <listitem>
-              <para>Default routes out of the interface will result in a
-              warning message and will be ignored.</para>
-            </listitem>
-          </itemizedlist>
-
-          <para>These restrictions are because Netfilter doesn't support
-          NOTRACK rules that specify a destination interface (these rules are
-          applied before packets are routed and hence the destination
-          interface is unknown). Shorewall uses the routes out of the
-          interface to replace the interface with an address list
-          corresponding to the networks routed out of the named
-          interface.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>PROTO ‒
-        <replaceable>protocol-name-or-number</replaceable></term>
-
-        <listitem>
-          <para>A protocol name from <filename>/etc/protocols</filename> or a
-          protocol number.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>DEST PORT(S) (dport) - port-number/service-name-list</term>
-
-        <listitem>
-          <para>A comma-separated list of port numbers and/or service names
-          from <filename>/etc/services</filename>. May also include port
-          ranges of the form
-          <replaceable>low-port</replaceable>:<replaceable>high-port</replaceable>
-          if your kernel and iptables include port range support.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>SOURCE PORT(S) (sport) - port-number/service-name-list</term>
-
-        <listitem>
-          <para>A comma-separated list of port numbers and/or service names
-          from <filename>/etc/services</filename>. May also include port
-          ranges of the form
-          <replaceable>low-port</replaceable>:<replaceable>high-port</replaceable>
-          if your kernel and iptables include port range support.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>USER/GROUP (user) ‒
-        [<replaceable>user</replaceable>][:<replaceable>group</replaceable>]</term>
-
-        <listitem>
-          <para>May only be specified if the SOURCE
-          <replaceable>zone</replaceable> is $FW. Specifies the effective user
-          id and or group id of the process sending the traffic.</para>
-        </listitem>
-      </varlistentry>
-    </variablelist>
-  </refsect1>
-
-  <refsect1>
-    <title>FILES</title>
-
-    <para>/etc/shorewall/notrack</para>
-  </refsect1>
-
-  <refsect1>
-    <title>See ALSO</title>
-
-    <para><ulink
-    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
-
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
-    shorewall-ipsets(5), shorewall-masq(5), shorewall-nat(5),
-    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
-    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
-    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
-    shorewall-zones(5)</para>
-  </refsect1>
-</refentry>

Shorewall/manpages/shorewall-policy.xml

@@ -91,7 +91,7 @@
         role="bold">QUEUE</emphasis>|<emphasis
         role="bold">NFQUEUE</emphasis>[(<emphasis>queuenumber</emphasis>)]|<emphasis
         role="bold">NONE</emphasis>}[<emphasis
-        role="bold">:</emphasis>{<emphasis>default-action-or-macro</emphasis>|<emphasis
+        role="bold">:</emphasis>{<emphasis>default-action-or-macro</emphasis>[:level]|<emphasis
         role="bold">None</emphasis>}]</term>
 
         <listitem>
@@ -109,24 +109,19 @@
             </listitem>
 
             <listitem>
-              <para>The name of an action (requires that USE_ACTIONS=Yes in
-              <ulink url="shorewall.conf.html">shorewall.conf</ulink>(5)).
-              That action will be invoked before the policy is
-              enforced.</para>
-            </listitem>
-
-            <listitem>
-              <para>The name of a macro. The rules in that macro will be
-              applied before the policy is enforced. This does not require
-              USE_ACTIONS=Yes.</para>
+              <para>The name of an action. The action will be invoked before
+              the policy is enforced.</para>
             </listitem>
           </orderedlist>
 
-          <blockquote>
-            <programlisting></programlisting>
+          <para>Actions can have parameters specified.</para>
 
-            <para>Possible policies are:</para>
-          </blockquote>
+          <para>Beginning with Shorewall 4.5.10, the action name can be
+          followed optionally by a colon and a log level. The level will be
+          applied to each rule in the action or body that does not already
+          have a log level.</para>
+
+          <para>Possible actions are:</para>
 
           <variablelist>
             <varlistentry>

Shorewall/manpages/shorewall-routestopped.xml

@@ -24,6 +24,10 @@
   <refsect1>
     <title>Description</title>
 
+    <para>This file is deprecated in favor of the <ulink
+    url="shorewall-stoppedrules.html">shorewall-stoppedrules</ulink>(5)
+    file.</para>
+
     <para>This file is used to define the hosts that are accessible when the
     firewall is stopped or is being stopped.</para>