Yet more improvements to Shorewall-init

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/configure

@@ -76,7 +76,7 @@ for p in $@; do
 		    pn=HOST
 		    ;;
 		SHAREDSTATEDIR)
-		    pn=VARDIR
+		    pn=VARLIB
 		    ;;
 		DATADIR)
 		    pn=SHAREDIR
@@ -93,15 +93,38 @@ done
 
 vendor=${params[HOST]}
 
+if [ -z "$vendor" ]; then
+    if [ -f /etc/os-release ]; then
+	eval $(cat /etc/os-release | grep ^ID)
+
+	case $ID in
+	    fedora)
+		vendor=redhat
+		;;
+	    debian)
+		vendor=debian
+		;;
+	    opensuse)
+		vendor=suse
+		;;
+	    *)
+		vendor="$ID"
+		;;
+	esac
+
+	params[HOST]="$vendor"
+    fi
+fi
+
 if [ -z "$vendor" ]; then
     case `uname` in
 	Darwin)
-	    $params[HOST]=apple
+	    params[HOST]=apple
 	    rcfile=shorewallrc.apple
 	    ;;
 
-	cygwin*)
-	    $params[HOST]=cygwin
+	cygwin*|CYGWIN*)
+	    params[HOST]=cygwin
 	    rcfile=shorewallrc.cygwin
 	    ;;
 	*)
@@ -161,6 +184,17 @@ if [ $# -gt 0 ]; then
     echo '#'           >> shorewallrc
 fi
 
+if [ -n "${options[VARLIB]}" ]; then
+    if [ -z "${options[VARDIR]}" ]; then
+	options[VARDIR]='${VARLIB}/${PRODUCT}'
+    fi
+elif [ -n "${options[VARDIR]}" ]; then
+    if [ -z "{$options[VARLIB]}" ]; then
+	options[VARLIB]=${options[VARDIR]}
+	options[VARDIR]='${VARLIB}/${PRODUCT}'
+    fi
+fi
+
 for on in \
     HOST \
     PREFIX \
@@ -176,10 +210,12 @@ for on in \
     AUXINITSOURCE \
     AUXINITFILE \
     SYSTEMD \
+    SERVICEFILE \
     SYSCONFFILE \
     SYSCONFDIR \
     SPARSE \
     ANNOTATED \
+    VARLIB \
     VARDIR
 do
     echo "$on=${options[${on}]}"

Shorewall-core/configure.pl

@@ -38,7 +38,7 @@ my %params;
 my %options;
 
 my %aliases = ( VENDOR         => 'HOST',
-		SHAREDSTATEDIR => 'VARDIR',
+		SHAREDSTATEDIR => 'VARLIB',
 		DATADIR        => 'SHAREDIR' );
 
 for ( @ARGV ) {
@@ -56,6 +56,26 @@ my $vendor = $params{HOST};
 my $rcfile;
 my $rcfilename;
 
+unless ( defined $vendor ) {
+    if ( -f '/etc/os-release' ) {
+	my $id = `cat /etc/os-release | grep ^ID`;
+
+	chomp $id;
+
+	$id =~ s/ID=//;
+	
+	if ( $id eq 'fedora' ) {
+	    $vendor = 'redhat';
+	} elsif ( $id eq 'opensuse' ) {
+	    $vendor = 'suse';
+	} else {
+	    $vendor = $id;
+	}
+    }
+
+    $params{HOST} = $vendor;
+}
+
 if ( defined $vendor ) {
     $rcfilename = $vendor eq 'linux' ? 'shorewallrc.default' : 'shorewallrc.' . $vendor;
     die qq("ERROR: $vendor" is not a recognized host type) unless -f $rcfilename;
@@ -123,6 +143,15 @@ printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s %2d
 
 print  $outfile "# Input: @ARGV\n#\n" if @ARGV;
 
+if ( $options{VARLIB} ) {
+    unless ( $options{VARDIR} ) {
+	$options{VARDIR} = '${VARLIB}/${PRODUCT}';
+    }
+} elsif ( $options{VARDIR} ) {
+    $options{VARLIB} = $options{VARDIR};
+    $options{VARDIR} = '${VARLIB}/${PRODUCT}';
+}
+
 for ( qw/ HOST
 	  PREFIX
 	  SHAREDIR
@@ -137,10 +166,12 @@ for ( qw/ HOST
 	  AUXINITSOURCE
 	  AUXINITFILE
 	  SYSTEMD
+          SERVICEFILE
 	  SYSCONFFILE
 	  SYSCONFDIR
 	  SPARSE
 	  ANNOTATED
+	  VARLIB
 	  VARDIR / ) {
 
     my $val = $options{$_} || '';

Shorewall-core/install.sh

@@ -164,7 +164,18 @@ else
     usage 1
 fi
 
-for var in SHAREDIR LIBEXECDIR PERLLIBDIR CONFDIR SBINDIR VARDIR; do
+update=0
+
+if [ -z "${VARLIB}" ]; then
+    VARLIB=${VARDIR}
+    VARDIR="${VARLIB}/${PRODUCT}"
+    update=1
+elif [ -z "${VARDIR}" ]; then
+    VARDIR="${VARLIB}/${PRODUCT}"
+    update=2
+fi
+
+for var in SHAREDIR LIBEXECDIR PERLLIBDIR CONFDIR SBINDIR VARLIB VARDIR; do
     require $var
 done
 
@@ -183,7 +194,24 @@ if [ -z "$BUILD" ]; then
 	    BUILD=apple
 	    ;;
 	*)
-	    if [ -f /etc/debian_version ]; then
+	    if [ -f /etc/os-release ]; then
+		eval $(cat /etc/os-release | grep ^ID)
+
+		case $ID in
+		    fedora)
+			BUILD=redhat
+			;;
+		    debian)
+			BUILD=debian
+			;;
+		    opensuse)
+			BUILD=suse
+			;;
+		    *)
+			BUILD="$ID"
+			;;
+		esac
+	    elif [ -f /etc/debian_version ]; then
 		BUILD=debian
 	    elif [ -f /etc/redhat-release ]; then
 		BUILD=redhat
@@ -346,9 +374,25 @@ ln -sf lib.base ${DESTDIR}${SHAREDIR}/shorewall/functions
 echo "$VERSION" > ${DESTDIR}${SHAREDIR}/shorewall/coreversion
 chmod 644 ${DESTDIR}${SHAREDIR}/shorewall/coreversion
 
-[ $file != "${SHAREDIR}/shorewall/shorewallrc" ] && cp $file ${DESTDIR}${SHAREDIR}/shorewall/shorewallrc
+if [ -z "${DESTDIR}" ]; then
+    if [ $update -ne 0 ]; then
+	echo "Updating $file - original saved in $file.bak"
 
-[ -z "${DESTDIR}" ] && [ ! -f ~/.shorewallrc ] && cp ${SHAREDIR}/shorewall/shorewallrc ~/.shorewallrc
+	cp $file $file.bak
+
+	echo '#'                                             >> $file
+	echo "# Updated by Shorewall-core $VERSION -" `date` >> $file
+	echo '#'                                             >> $file
+
+	[ $update -eq 1 ] && sed -i 's/VARDIR/VARLIB/' $file
+
+	echo 'VARDIR=${VARLIB}/${PRODUCT}' >> $file
+    fi
+
+    [ ! -f ~/.shorewallrc ] && cp ${SHAREDIR}/shorewall/shorewallrc ~/.shorewallrc
+fi
+
+[ $file != "${DESTDIR}${SHAREDIR}/shorewall/shorewallrc" ] && cp $file ${DESTDIR}${SHAREDIR}/shorewall/shorewallrc
 
 if [ ${SHAREDIR} != /usr/share ]; then
     for f in lib.*; do

Shorewall-core/lib.base

@@ -20,15 +20,11 @@
 #	along with this program; if not, write to the Free Software
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-# This library contains the code common to all Shorewall components.
-#
-# - It is loaded by /sbin/shorewall.
-# - It is released as part of Shorewall[6] Lite where it is used by /sbin/shorewall[6]-lite
-#   and /usr/share/shorewall[6]-lite/shorecap.
+# This library contains the code common to all Shorewall components except the
+# generated scripts.
 #
 
-SHOREWALL_LIBVERSION=40502
-SHOREWALL_CAPVERSION=40504
+SHOREWALL_LIBVERSION=40509
 
 [ -n "${g_program:=shorewall}" ]
 
@@ -38,11 +34,7 @@ if [ -z "$g_readrc" ]; then
     #
     . /usr/share/shorewall/shorewallrc
 
-    g_libexec="$LIBEXECDIR"
     g_sharedir="$SHAREDIR"/$g_program
-    g_sbindir="$SBINDIR"
-    g_perllib="$PERLLIBDIR"
-    g_vardir="$VARDIR"
     g_confdir="$CONFDIR"/$g_program
     g_readrc=1
 fi
@@ -53,13 +45,13 @@ case $g_program in
     shorewall)
 	g_product="Shorewall"
 	g_family=4
-	g_tool=
+	g_tool=iptables
 	g_lite=
 	;;
     shorewall6)
 	g_product="Shorewall6"
 	g_family=6
-	g_tool=
+	g_tool=ip6tables
 	g_lite=
 	;;
     shorewall-lite)
@@ -76,7 +68,12 @@ case $g_program in
 	;;
 esac
 
-VARDIR=${VARDIR}/${g_program}
+if [ -z "${VARLIB}" ]; then
+    VARLIB=${VARDIR}
+    VARDIR=${VARLIB}/$g_program
+elif [ -z "${VARDIR}" ]; then
+    VARDIR="${VARLIB}/${PRODUCT}"
+fi
 
 #
 # Conditionally produce message

Shorewall-core/lib.common

@@ -65,6 +65,7 @@ startup_error() # $* = Error Message
 	esac
     fi
 
+    mutex_off
     kill $$
     exit 2
 }
@@ -84,7 +85,7 @@ get_script_version() { # $1 = script
 
     temp=$( $SHOREWALL_SHELL $1 version | tail -n 1 | sed 's/-.*//' )
 
-    if [ $? -ne 0 ]; then
+    if [ -z "$temp" ]; then
 	version=0
     else
 	ifs=$IFS
@@ -272,8 +273,11 @@ shorewall6_is_started() {
 # Echos the fully-qualified name of the calling shell program
 #
 my_pathname() {
+    local pwd
+    pwd=$PWD
     cd $(dirname $0)
     echo $PWD/$(basename $0)
+    cd $pwd
 }
 
 #
@@ -676,7 +680,11 @@ find_file()
 		fi
 	    done
 
-	    echo ${g_confdir}/$1
+	    if [ -n "$g_shorewalldir" ]; then
+		echo ${g_shorewalldir}/$1
+	    else
+		echo ${g_confdir}/$1
+	    fi
 	    ;;
     esac
 }

Shorewall-core/shorewallrc.apple

@@ -15,6 +15,7 @@ INITFILE=                              #Unused on OS X
 INITSOURCE=                            #Unused on OS X
 ANNOTATED=                             #Unused on OS X
 SYSTEMD=                               #Unused on OS X
+SERVICEFILE=                           #Unused on OS X
 SYSCONFDIR=                            #Unused on OS X
 SPARSE=Yes                             #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
-VARDIR=/var/lib                        #Unused on OS X
+VARLIB=/var/lib                        #Unused on OS X

Shorewall-core/shorewallrc.archlinux

@@ -1,20 +1,22 @@
 #
-# Archlinux Shorewall 4.5 rc file
+# Arch Linux Shorewall 4.5 rc file
 #
-BUILD=archlinux
+BUILD=                                 #Default is to detect the build system
 HOST=archlinux
 PREFIX=/usr                            #Top-level directory for shared files, libraries, etc.
 SHAREDIR=${PREFIX}/share               #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/share             #Directory for executable scripts.
 PERLLIBDIR=${PREFIX}/share/shorewall   #Directory to install Shorewall Perl module directory
 CONFDIR=/etc                           #Directory where subsystem configurations are installed
-SBINDIR=/sbin                          #Directory where system administration programs are installed
+SBINDIR=/usr/sbin                      #Directory where system administration programs are installed
 MANDIR=${SHAREDIR}/man                 #Directory where manpages are installed.
-INITDIR=/etc/rc.d                      #Directory where SysV init scripts are installed.
-INITFILE=$PRODUCT                      #Name of the product's installed SysV init script
-INITSOURCE=init.sh                     #Name of the distributed file to be installed as the SysV init script
+INITDIR=                               #Directory where SysV init scripts are installed.
+INITFILE=                              #Name of the product's installed SysV init script
+INITSOURCE=                            #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                             #If non-zero, annotated configuration files are installed
 SYSCONFDIR=                            #Directory where SysV init parameter files are installed
-SYSTEMD=                               #Directory where .service files are installed (systems running systemd only)
+SYSTEMD=/usr/lib/systemd/system        #Directory where .service files are installed (systems running systemd only)
+SERVICEFILE=                           #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SPARSE=                                #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
-VARDIR=/var/lib                        #Directory where product variable data is stored.
+VARLIB=/var/lib                        #Directory where product variable data is stored.
+VARDIR=${VARLIB}/$PRODUCT              #Directory where product variable data is stored.

Shorewall-core/shorewallrc.cygwin

@@ -15,6 +15,7 @@ INITFILE=                             #Unused on Cygwin
 INITSOURCE=                           #Unused on Cygwin
 ANNOTATED=                            #Unused on Cygwin
 SYSTEMD=                              #Unused on Cygwin
+SERVICEFILE=                          #Unused on Cygwin
 SYSCONFDIR=                           #Unused on Cygwin
 SPARSE=Yes                            #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
-VARDIR=/var/lib                       #Unused on Cygwin
+VARLIB=/var/lib                       #Unused on Cygwin

Shorewall-core/shorewallrc.debian

@@ -15,7 +15,9 @@ INITFILE=$PRODUCT                       #Name of the product's installed SysV in
 INITSOURCE=init.debian.sh               #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                              #If non-zero, annotated configuration files are installed
 SYSCONFFILE=default.debian              #Name of the distributed file to be installed in $SYSCONFDIR
+SERVICEFILE=                      	#Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFDIR=/etc/default                 #Directory where SysV init parameter files are installed
 SYSTEMD=                                #Directory where .service files are installed (systems running systemd only)
 SPARSE=Yes                              #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
-VARDIR=/var/lib                         #Directory where product variable data is stored.
+VARLIB=/var/lib                         #Directory where product variable data is stored.
+VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.

Shorewall-core/shorewallrc.default

@@ -10,12 +10,14 @@ PERLLIBDIR=${PREFIX}/share/shorewall    #Directory to install Shorewall Perl mod
 CONFDIR=/etc                            #Directory where subsystem configurations are installed
 SBINDIR=/sbin                           #Directory where system administration programs are installed
 MANDIR=${PREFIX}/man                    #Directory where manpages are installed.
-INITDIR=etc/init.d                      #Directory where SysV init scripts are installed.
+INITDIR=/etc/init.d                     #Directory where SysV init scripts are installed.
 INITFILE=$PRODUCT                       #Name of the product's installed SysV init script
 INITSOURCE=init.sh                      #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                              #If non-zero, annotated configuration files are installed
 SYSTEMD=                                #Directory where .service files are installed (systems running systemd only)
+SERVICEFILE=                            #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFFILE=                            #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=                             #Directory where SysV init parameter files are installed
 SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
-VARDIR=/var/lib                         #Directory where product variable data is stored.
+VARLIB=/var/lib                         #Directory where product variable data is stored.
+VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.

Shorewall-core/shorewallrc.redhat

@@ -16,6 +16,8 @@ INITSOURCE=init.fedora.sh               #Name of the distributed file to be inst
 ANNOTATED=                              #If non-zero, annotated configuration files are installed
 SYSTEMD=/lib/systemd/system             #Directory where .service files are installed (systems running systemd only)
 SYSCONFFILE=sysconfig                   #Name of the distributed file to be installed as $SYSCONFDIR/$PRODUCT
+SERVICEFILE=                      	#Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFDIR=/etc/sysconfig/              #Directory where SysV init parameter files are installed
 SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
-VARDIR=/var/lib                         #Directory where product variable data is stored.
+VARLIB=/var/lib                         #Directory where product variable data is stored.
+VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.

Shorewall-core/shorewallrc.slackware

@@ -16,7 +16,9 @@ AUXINITFILE=rc.firewall                    #Name of the product's installed SysV
 INITSOURCE=init.slackware.$PRODUCT.sh      #Name of the distributed file to be installed as a second SysV init script
 INITFILE=rc.$PRODUCT                       #Name of the product's installed second init script
 SYSTEMD=                                   #Name of the directory where .service files are installed (systems running systemd only)
+SERVICEFILE=                               #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFFILE=                               #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=                                #Name of the directory where SysV init parameter files are installed.
 ANNOTATED=                                 #If non-empty, install annotated configuration files
-VARDIR=/var/lib                            #Directory where product variable data is stored.
+VARLIB=/var/lib                            #Directory where product variable data is stored.
+VARDIR=${VARLIB}/$PRODUCT                  #Directory where product variable data is stored.

Shorewall-core/shorewallrc.suse

@@ -12,10 +12,12 @@ SBINDIR=/sbin                                         #Directory where system ad
 MANDIR=${SHAREDIR}/man/                               #Directory where manpages are installed.
 INITDIR=/etc/init.d                                   #Directory where SysV init scripts are installed.
 INITFILE=$PRODUCT                                     #Name of the product's SysV init script
-INITSOURCE=init.sh                                    #Name of the distributed file to be installed as the SysV init script
+INITSOURCE=init.suse.sh                               #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                                            #If non-zero, annotated configuration files are installed
 SYSTEMD=                                              #Directory where .service files are installed (systems running systemd only)
+SERVICEFILE=                      		      #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFFILE=                                          #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=/etc/sysconfig/                            #Directory where SysV init parameter files are installed
 SPARSE=                                               #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
-VARDIR=/var/lib                                       #Directory where persistent product data is stored.
+VARLIB=/var/lib                                       #Directory where persistent product data is stored.
+VARDIR=${VARLIB}/$PRODUCT                             #Directory where product variable data is stored.

Shorewall-init/ifupdown.debian.sh

@@ -0,0 +1,135 @@
+#!/bin/sh
+#
+# Debian ifupdown script for Shorewall-based products
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2010,2013 - Tom Eastep (teastep@shorewall.net)
+#
+#       Shorewall documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+
+setstatedir() {
+    local statedir
+    if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
+	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
+    fi
+
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+
+    if [ ! -x $STATEDIR/firewall ]; then
+	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	    ${SBINDIR}/$PRODUCT compile
+	fi
+    fi
+}
+
+Debian_ppp() {
+    NEWPRODUCTS=
+    INTERFACE="$1"
+
+    case $0 in
+	/etc/ppp/ip-*)
+	    #
+	    # IPv4
+	    #
+	    for product in $PRODUCTS; do
+		case $product in
+		    shorewall|shorewall-lite)
+			NEWPRODUCTS="$NEWPRODUCTS $product";
+			;;
+		esac
+	    done
+	    ;;
+	/etc/ppp/ipv6-*)
+	    #
+	    # IPv6
+	    #
+	    for product in $PRODUCTS; do
+		case $product in
+		    shorewall6|shorewall6-lite)
+			NEWPRODUCTS="$NEWPRODUCTS $product";
+			;;
+		esac
+	    done
+	    ;;
+	*)
+	    exit 0
+	    ;;
+    esac
+
+    PRODUCTS="$NEWPRODUCTS"
+
+    case $0 in
+	*up/*)
+	    COMMAND=up
+	    ;;
+	*)
+	    COMMAND=down
+	    ;;
+    esac
+}
+
+IFUPDOWN=0
+PRODUCTS=
+
+#
+# The installer may alter this
+#
+. /usr/share/shorewall/shorewallrc
+
+if [ -f /etc/default/shorewall-init ]; then
+    . /etc/default/shorewall-init
+elif [ -f /etc/sysconfig/shorewall-init ]; then
+    . /etc/sysconfig/shorewall-init
+fi
+
+[ "$IFUPDOWN" = 1 -a -n "$PRODUCTS" ] || exit 0
+
+case $0 in
+    /etc/ppp*)
+	#
+	# Debian ppp
+	#
+	Debian_ppp
+	;;
+    *)
+        #
+        # Debian ifupdown system
+        #
+	INTERFACE="$IFACE"
+
+	if [ "$MODE" = start ]; then
+	    COMMAND=up
+	elif [ "$MODE" = stop ]; then
+	    COMMAND=down
+	else
+	    exit 0
+	fi
+	;;
+esac
+
+[ -n "$LOGFILE" ] || LOGFILE=/dev/null
+
+for PRODUCT in $PRODUCTS; do
+    setstatedir
+
+    if [ -x $VARLIB/$PRODUCT/firewall ]; then
+	  ( ${VARLIB}/$PRODUCT/firewall -V0 $COMMAND $INTERFACE >> $LOGFILE 2>&1 ) || true
+    fi
+done
+
+exit 0

Shorewall-init/ifupdown.fedora.sh

@@ -0,0 +1,111 @@
+#!/bin/sh
+#
+# Redhat/Fedora/Centos/Foobar ifupdown script for Shorewall-based products
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2010,2013 - Tom Eastep (teastep@shorewall.net)
+#
+#       Shorewall documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+
+# Get startup options (override default)
+OPTIONS=
+
+setstatedir() {
+    local statedir
+    if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
+	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
+    fi
+
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+
+    if [ ! -x "$STATEDIR/firewall" ]; then
+	if [ $PRODUCT == shorewall -o $PRODUCT == shorewall6 ]; then
+	    ${SBINDIR}/$PRODUCT $OPTIONS compile
+	fi
+    fi
+}
+
+IFUPDOWN=0
+PRODUCTS=
+
+#
+# The installer may alter this
+#
+. /usr/share/shorewall/shorewallrc
+
+if [ -f /etc/default/shorewall-init ]; then
+    . /etc/default/shorewall-init
+elif [ -f /etc/sysconfig/shorewall-init ]; then
+    . /etc/sysconfig/shorewall-init
+fi
+
+[ "$IFUPDOWN" = 1 -a -n "$PRODUCTS" ] || exit 0
+
+PHASE=''
+
+case $0 in
+    /etc/ppp*)
+	INTERFACE="$1"
+
+	case $0 in
+	    *ip-up.local)
+		COMMAND=up
+		;;
+	    *ip-down.local)
+		COMMAND=down
+		;;
+	    *)
+		exit 0
+		;;
+	esac
+	;;
+    *)
+	#
+	# RedHat ifup/down system
+	#
+	INTERFACE="$1"
+    
+	case $0 in 
+	    *ifup*)
+		COMMAND=up
+		;;
+	    *ifdown*)
+		COMMAND=down
+		;;
+	    *dispatcher.d*)
+		COMMAND="$2"
+		;;
+	    *)
+		exit 0
+		;;
+	esac
+	;;
+esac
+
+[ -n "$LOGFILE" ] || LOGFILE=/dev/null
+
+for PRODUCT in $PRODUCTS; do
+    setstatedir
+
+    if [ -x "$STATEDIR/firewall" ]; then
+	  echo "`date --rfc-3339=seconds` $0: Executing $STATEDIR/firewall $OPTIONS $COMMAND $INTERFACE" >> $LOGFILE 2>&1
+	  ( $STATEDIR/firewall $OPTIONS $COMMAND $INTERFACE >> $LOGFILE 2>&1 ) || true
+    fi
+done
+
+exit 0

Shorewall-init/ifupdown.suse.sh

@@ -1,10 +1,10 @@
 #!/bin/sh
 #
-# ifupdown script for Shorewall-based products
+# SuSE ifupdown script for Shorewall-based products
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2010,2013 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #
@@ -22,7 +22,22 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-Debian_SuSE_ppp() {
+setstatedir() {
+    local statedir
+    if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
+	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
+    fi
+
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+
+    if [ ! -x $STATEDIR/firewall ]; then
+	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	    ${SBINDIR}/$PRODUCT compile
+	fi
+    fi
+}
+
+SuSE_ppp() {
     NEWPRODUCTS=
     INTERFACE="$1"
 
@@ -84,111 +99,47 @@ fi
 
 [ "$IFUPDOWN" = 1 -a -n "$PRODUCTS" ] || exit 0
 
-if [ -f /etc/debian_version ]; then
-    case $0 in
-	/etc/ppp*)
-	    #
-	    # Debian ppp
-	    #
-	    Debian_SuSE_ppp
-	    ;;
-	
-	*)
-            #
-            # Debian ifupdown system
-            #
-	    INTERFACE="$IFACE"
+PHASE=''
 
-	    if [ "$MODE" = start ]; then
+case $0 in
+    /etc/ppp*)
+        #
+	# SUSE ppp
+	#
+	SuSE_ppp
+	;;
+	
+    *)
+        #
+        # SuSE ifupdown system
+        #
+	INTERFACE="$2"
+
+	case $0 in
+	    *dispatcher.d*)
+		INTERFACE="$1"
+		COMMAND="$2"
+		;;
+	    *if-up.d*)
 		COMMAND=up
-	    elif [ "$MODE" = stop ]; then
+		;;
+	    *if-down.d*)
 		COMMAND=down
-	    else
+		;;
+	    *)
 		exit 0
-	    fi
-	    ;;
-    esac
-elif [ -f /etc/SuSE-release ]; then
-    PHASE=''
-
-    case $0 in
-	/etc/ppp*)
-	    #
-	    # SUSE ppp
-	    #
-	    Debian_SuSE_ppp
-	    ;;
-	
-	*)
-            #
-            # SuSE ifupdown system
-            #
-	    INTERFACE="$2"
-
-	    case $0 in
-		*if-up.d*)
-		    COMMAND=up
-		    ;;
-		*if-down.d*)
-		    COMMAND=down
-		    ;;
-		*)
-		    exit 0
-		    ;;
-	    esac
-	    ;;
-    esac
-else
-    #
-    # Assume RedHat/Fedora/CentOS/Foobar/...
-    #
-    PHASE=''
-
-    case $0 in
-	/etc/ppp*)
-	    INTERFACE="$1"
-
-	    case $0 in
-		*ip-up.local)
-		    COMMAND=up
-		    ;;
-		*ip-down.local)
-		    COMMAND=down
-		    ;;
-		*)
-		    exit 0
-		    ;;
-	    esac
-	    ;;
-	*)
-	    #
-	    # RedHat ifup/down system
-	    #
-	    INTERFACE="$1"
-    
-	    case $0 in 
-		*ifup*)
-		    COMMAND=up
-		    ;;
-		*ifdown*)
-		    COMMAND=down
-		    ;;
-		*dispatcher.d*)
-		    COMMAND="$2"
-		    ;;
-		*)
-		    exit 0
-		    ;;
-	    esac
-	    ;;
-    esac
-fi
+		;;
+	esac
+	;;
+esac
 
 [ -n "$LOGFILE" ] || LOGFILE=/dev/null
 
 for PRODUCT in $PRODUCTS; do
-    if [ -x $VARDIR/$PRODUCT/firewall ]; then
-	  ( ${VARDIR}/$PRODUCT/firewall -V0 $COMMAND $INTERFACE >> $LOGFILE 2>&1 ) || true
+    setstatedir
+
+    if [ -x $VARLIB/$PRODUCT/firewall ]; then
+	  ( ${VARLIB}/$PRODUCT/firewall -V0 $COMMAND $INTERFACE >> $LOGFILE 2>&1 ) || true
     fi
 done
 

Shorewall-init/init.debian.sh

@@ -50,16 +50,30 @@ echo_notdone () {
 }
 
 not_configured () {
-	echo "#### WARNING ####"
-	echo "the firewall won't be initialized unless it is configured"
-	if [ "$1" != "stop" ]
-	then
-		echo ""
-		echo "Please read about Debian specific customization in"
-		echo "/usr/share/doc/shorewall-init/README.Debian.gz."
-	fi
-	echo "#################"
-	exit 0
+    echo "#### WARNING ####"
+    echo "the firewall won't be initialized unless it is configured"
+    if [ "$1" != "stop" ]
+    then
+	echo ""
+	echo "Please read about Debian specific customization in"
+	echo "/usr/share/doc/shorewall-init/README.Debian.gz."
+    fi
+    echo "#################"
+    exit 0
+}
+
+# set the STATEDIR variable
+setstatedir() {
+    local statedir
+    if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
+	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
+    fi
+
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+
+    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	${SBINDIR}/$PRODUCT compile -c || echo_notdone
+    fi
 }
 
 #
@@ -70,39 +84,38 @@ not_configured () {
 # check if shorewall-init is configured or not
 if [ -f "$SYSCONFDIR/shorewall-init" ]
 then
-	. $SYSCONFDIR/shorewall-init
-	if [ -z "$PRODUCTS" ]
-	then
-		not_configured
-	fi
-else
+    . $SYSCONFDIR/shorewall-init
+    if [ -z "$PRODUCTS" ]
+    then
 	not_configured
+    fi
+else
+    not_configured
 fi
 
 # Initialize the firewall
 shorewall_start () {
-  local product
-  local VARDIR
+  local PRODUCT
+  local STATEDIR
 
   echo -n "Initializing \"Shorewall-based firewalls\": "
-  for product in $PRODUCTS; do
-      VARDIR=/var/lib/$product
-      [ -f /etc/$product/vardir ] && . /etc/$product/vardir
-      if [ -x ${VARDIR}/firewall ]; then
-	  #
+
+  for PRODUCT in $PRODUCTS; do
+      setstatedir
+
+      if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then
+          #
 	  # Run in a sub-shell to avoid name collisions
 	  #
 	  ( 
-	      . /usr/share/$product/lib.base
-	      #
-	      # Get mutex so the firewall state is stable
-	      #
-	      mutex_on
-	      if ! ${VARDIR}/firewall status > /dev/null 2>&1; then
-		  ${VARDIR}/firewall stop || echo_notdone
+	      if ! ${STATEDIR}/$PRODUCT/firewall status > /dev/null 2>&1; then
+		  ${STATEDIR}/$PRODUCT/firewall stop || echo_notdone
+	      else
+		  echo_notdone
 	      fi
-	      mutex_off
 	  )
+      else
+	  echo echo_notdone
       fi
   done
 
@@ -113,19 +126,15 @@ shorewall_start () {
 
 # Clear the firewall
 shorewall_stop () {
-  local product
-  local VARDIR
+  local PRODUCT
+  local STATEDIR
 
   echo -n "Clearing \"Shorewall-based firewalls\": "
-  for product in $PRODUCTS; do
-      VARDIR=/var/lib/$product
-      [ -f /etc/$product/vardir ] && . /etc/$product/vardir
-      if [ -x ${VARDIR}/firewall ]; then
-	  ( . /usr/share/$product/lib.base
-	    mutex_on
-	    ${VARDIR}/firewall clear || echo_notdone
-	    mutex_off
-	  )
+  for PRODUCT in $PRODUCTS; do
+      setstatedir
+
+      if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then
+	  ${STATEDIR}/$PRODUCT/firewall clear || echo_notdone
       fi
   done
 
@@ -144,7 +153,7 @@ case "$1" in
   reload|force-reload)
      ;;
   *)
-     echo "Usage: /etc/init.d/shorewall-init {start|stop|reload|force-reload}"
+     echo "Usage: $0 {start|stop|reload|force-reload}"
      exit 1
 esac
 

Shorewall-init/init.fedora.sh

@@ -14,13 +14,8 @@
 #                    prior to bringing up the network.  
 ### END INIT INFO
 #determine where the files were installed
-if [ -f ~/.shorewallrc ]; then
-    . ~/.shorewallrc || exit 1
-else
-    SBINDIR=/sbin
-    SYSCONFDIR=/etc/default
-    VARDIR=/var/lib
-fi
+
+. /usr/share/shorewall/shorewallrc
 
 prog="shorewall-init"
 logger="logger -i -t $prog"
@@ -40,10 +35,26 @@ else
     exit 6
 fi
 
+# set the STATEDIR variable
+setstatedir() {
+    local statedir
+    if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
+	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
+    fi
+
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+
+    if [ $PRODUCT == shorewall -o $PRODUCT == shorewall6 ]; then
+	${SBINDIR}/$PRODUCT $OPTIONS compile -c
+    else
+	return 0
+    fi
+}
+
 # Initialize the firewall
 start () {
-    local product
-    local vardir
+    local PRODUCT
+    local STATEDIR
 
     if [ -z "$PRODUCTS" ]; then
 	echo "No firewalls configured for shorewall-init"
@@ -52,15 +63,26 @@ start () {
     fi
 
     echo -n "Initializing \"Shorewall-based firewalls\": "
-    for product in $PRODUCTS; do
-	if [ -x ${VARDIR}/$product/firewall ]; then
-	    ${VARDIR}/$product/firewall stop 2>&1 | $logger
-	    retval=${PIPESTATUS[0]}
-	    [ retval -ne 0 ] && break
+
+    for PRODUCT in $PRODUCTS; do
+	setstatedir
+	retval=$?
+
+	if [ $retval -eq 0 ]; then
+	    if [ -x "${STATEDIR}/firewall" ]; then
+		${STATEDIR}/firewall stop 2>&1 | $logger
+		retval=${PIPESTATUS[0]}
+		[ $retval -ne 0 ] && break
+	    else
+		retval=6 #Product not configured
+		break
+	    fi
+	else
+	    break
 	fi
     done
 
-    if [ retval -eq 0 ]; then
+    if [ $retval -eq 0 ]; then
 	touch $lockfile 
 	success
     else
@@ -72,19 +94,30 @@ start () {
 
 # Clear the firewall
 stop () {
-    local product
-    local vardir
+    local PRODUCT
+    local STATEDIR
 
     echo -n "Clearing \"Shorewall-based firewalls\": "
-    for product in $PRODUCTS; do
-	if [ -x ${VARDIR}/$product/firewall ]; then
-	    ${VARDIR}/$product/firewall clear 2>&1 | $logger
-	    retval=${PIPESTATUS[0]}
-	    [ retval -ne 0 ] && break
+
+    for PRODUCT in $PRODUCTS; do
+	setstatedir
+	retval=$?
+
+	if [ $retval -eq 0 ]; then
+	    if [ -x "${STATEDIR}/firewall" ]; then
+		${STATEDIR}/firewall clear 2>&1 | $logger
+		retval=${PIPESTATUS[0]}
+		[ $retval -ne 0 ] && break
+	    else
+		retval=6 #Product not configured
+		break
+	    fi
+	else
+	    break
 	fi
     done
 
-    if [ retval -eq 0 ]; then
+    if [ $retval -eq 0 ]; then
 	rm -f $lockfile
 	success
     else
@@ -107,19 +140,15 @@ case "$1" in
 	status_q || exit 0
 	$1
 	;;
-    restart|reload|force-reload)
+    restart|reload|force-reload|condrestart|try-restart)
 	echo "Not implemented"
 	exit 3
 	;;
-    condrestart|try-restart)
-	echo "Not implemented"
-	exit 3
-        ;;
     status)
 	status $prog
 	;;
   *)
-	echo "Usage: /etc/init.d/shorewall-init {start|stop}"
+	echo "Usage: $0 {start|stop|status}"
 	exit 1
 esac
 

Shorewall-init/init.sh

@@ -58,16 +58,34 @@ fi
 #
 . /usr/share/shorewall/shorewallrc
 
+# Locate the current PRODUCT's statedir
+setstatedir() {
+    local statedir
+    if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
+	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
+    fi
+
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+
+    if [ ! -x $STATEDIR/firewall ]; then
+	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	    ${SBINDIR}/$PRODUCT compile $STATEDIR/firewall
+	fi
+    fi
+}
+
 # Initialize the firewall
 shorewall_start () {
   local PRODUCT
-  local VARDIR
+  local STATEDIR
 
   echo -n "Initializing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
-      if [ -x ${VARDIR}/firewall ]; then
+      setstatedir
+
+      if [ -x ${STATEDIR}/firewall ]; then
 	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
-	      ${VARDIR}/firewall stop || echo_notdone
+	      ${STATEDIR}/firewall stop || exit 1
 	  fi
       fi
   done
@@ -82,12 +100,20 @@ shorewall_start () {
 # Clear the firewall
 shorewall_stop () {
   local PRODUCT
-  local VARDIR
+  local STATEDIR
 
   echo -n "Clearing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
-      if [ -x ${VARDIR}/firewall ]; then
-	  ${VARDIR}/firewall clear || exit 1
+      setstatedir
+
+      if [ ! -x ${STATEDIR}/firewall ]; then
+	  if [ $PRODUCT = shorewall -o $product = shorewall6 ]; then
+	      ${SBINDIR}/$PRODUCT compile
+	  fi
+      fi
+
+      if [ -x ${STATEDIR}/firewall ]; then
+	  ${STATEDIR}/firewall clear || exit 1
       fi
   done
 

Shorewall-init/init.suse.sh

@@ -0,0 +1,149 @@
+#! /bin/bash
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2010,2012 - Tom Eastep (teastep@shorewall.net)
+#
+#       On most distributions, this file should be called /etc/init.d/shorewall.
+#
+#       Complete documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#
+### BEGIN INIT INFO
+# Provides: shorewall-init
+# Required-Start: $local_fs
+# Required-Stop:  $local_fs
+# Default-Start:  2 3 5
+# Default-Stop:   0 1 6
+# Short-Description: Initialize the firewall at boot time
+# Description:       Place the firewall in a safe state at boot time
+#                    prior to bringing up the network.  
+### END INIT INFO
+
+#Return values acc. to LSB for all commands but status:
+# 0 - success
+# 1 - generic or unspecified error
+# 2 - invalid or excess argument(s)
+# 3 - unimplemented feature (e.g. "reload")
+# 4 - insufficient privilege
+# 5 - program is not installed
+# 6 - program is not configured
+# 7 - program is not running
+
+if [ "$(id -u)" != "0" ]
+then
+  echo "You must be root to start, stop or restart \"Shorewall \"."
+  exit 4
+fi
+
+# check if shorewall-init is configured or not
+if [ -f "/etc/sysconfig/shorewall-init" ]
+then
+    . /etc/sysconfig/shorewall-init
+
+    if [ -z "$PRODUCTS" ]
+    then
+	echo "No PRODUCTS configured"
+	exit 6
+    fi
+else
+    echo "/etc/sysconfig/shorewall-init not found"
+    exit 6
+fi
+
+#
+# The installer may alter this
+#
+. /usr/share/shorewall/shorewallrc
+
+# set the STATEDIR variable
+setstatedir() {
+    local statedir
+    if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
+	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
+    fi
+
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+
+    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	${SBINDIR}/$PRODUCT compile -c || exit
+    fi
+}
+
+# Initialize the firewall
+shorewall_start () {
+  local PRODUCT
+  local STATEDIR
+
+  echo -n "Initializing \"Shorewall-based firewalls\": "
+  for PRODUCT in $PRODUCTS; do
+      setstatedir
+
+      if [ -x $STATEDIR/firewall ]; then
+	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
+	      $STATEDIR/$PRODUCT/firewall stop || exit
+	  fi
+      else
+	  exit 6
+      fi
+  done
+
+  if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
+      ipset -R < "$SAVE_IPSETS"
+  fi
+}
+
+# Clear the firewall
+shorewall_stop () {
+  local PRODUCT
+  local STATEDIR
+
+  echo -n "Clearing \"Shorewall-based firewalls\": "
+  for PRODUCT in $PRODUCTS; do
+      setstatedir
+
+      if [ -x ${STATEDIR}/firewall ]; then
+	  ${STATEDIR}/firewall clear || exit
+      else
+	  exit 6
+      fi
+  done
+
+  if [ -n "$SAVE_IPSETS" ]; then
+      mkdir -p $(dirname "$SAVE_IPSETS")
+      if ipset -S > "${SAVE_IPSETS}.tmp"; then
+	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+      fi
+  fi
+}
+
+case "$1" in
+    start)
+	shorewall_start
+	;;
+    stop)
+	shorewall_stop
+	;;
+    reload|forced-reload)
+	;;
+    *)
+	echo "Usage: /etc/init.d/shorewall-init {start|stop}"
+	exit 1
+	;;
+esac
+
+exit 0

Shorewall-init/install.sh

@@ -160,7 +160,14 @@ else
     usage 1
 fi
 
-for var in SHAREDIR LIBEXECDIR CONFDIR SBINDIR VARDIR; do
+if [ -z "${VARLIB}" ]; then
+    VARLIB=${VARDIR}
+    VARDIR=${VARLIB}/${PRODUCT}
+elif [ -z "${VARDIR}" ]; then
+    VARDIR=${VARLIB}/${PRODUCT}
+fi
+
+for var in SHAREDIR LIBEXECDIR CONFDIR SBINDIR VARLIB VARDIR; do
     require $var
 done
 
@@ -175,7 +182,24 @@ if [ -z "$BUILD" ]; then
 	    BUILD=apple
 	    ;;
 	*)
-	    if [ -f /etc/debian_version ]; then
+	    if [ -f /etc/os-release ]; then
+		eval $(cat /etc/os-release | grep ^ID)
+
+		case $ID in
+		    fedora)
+			BUILD=redhat
+			;;
+		    debian)
+			BUILD=debian
+			;;
+		    opensuse)
+			BUILD=suse
+			;;
+		    *)
+			BUILD="$ID"
+			;;
+		esac
+	    elif [ -f /etc/debian_version ]; then
 		BUILD=debian
 	    elif [ -f /etc/redhat-release ]; then
 		BUILD=redhat
@@ -215,7 +239,7 @@ case "$HOST" in
     debian)
 	echo "Installing Debian-specific configuration..."
 	;;
-    redhat|redhat)
+    redhat)
 	echo "Installing Redhat/Fedora-specific configuration..."
 	;;
     slackware)
@@ -226,7 +250,7 @@ case "$HOST" in
 	echo "Shorewall-init is currently not supported on Arch Linux" >&2
 	exit 1
 	;;
-    suse|suse)
+    suse)
 	echo "Installing SuSE-specific configuration..."
 	;;
     linux)
@@ -284,8 +308,10 @@ fi
 #
 if [ -n "$SYSTEMD" ]; then
     mkdir -p ${DESTDIR}${SYSTEMD}
-    run_install $OWNERSHIP -m 600 shorewall-init.service ${DESTDIR}${SYSTEMD}/shorewall-init.service
-    echo "Service file installed as ${DESTDIR}${SYSTEMD}/shorewall-init.service"
+    [ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service
+    run_install $OWNERSHIP -m 600 $SERVICEFILE ${DESTDIR}${SYSTEMD}/$PRODUCT.service
+    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/$PRODUCT.service
+    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SYSTEMD}/$PRODUCT.service"
     if [ -n "$DESTDIR" ]; then
 	mkdir -p ${DESTDIR}${SBINDIR}
         chmod 755 ${DESTDIR}${SBINDIR}
@@ -297,8 +323,8 @@ fi
 #
 # Create /usr/share/shorewall-init if needed
 #
-mkdir -p ${DESTDIR}/usr/share/shorewall-init
-chmod 755 ${DESTDIR}/usr/share/shorewall-init
+mkdir -p ${DESTDIR}${SHAREDIR}/shorewall-init
+chmod 755 ${DESTDIR}${SHAREDIR}/shorewall-init
 
 #
 # Install logrotate file
@@ -311,14 +337,14 @@ fi
 #
 # Create the version file
 #
-echo "$VERSION" > ${DESTDIR}/usr/share/shorewall-init/version
-chmod 644 ${DESTDIR}/usr/share/shorewall-init/version
+echo "$VERSION" > ${DESTDIR}/${SHAREDIR}/shorewall-init/version
+chmod 644 ${DESTDIR}${SHAREDIR}/shorewall-init/version
 
 #
 # Remove and create the symbolic link to the init script
 #
 if [ -z "$DESTDIR" ]; then
-    rm -f /usr/share/shorewall-init/init
+    rm -f ${SHAREDIR}/shorewall-init/init
     ln -s ${INITDIR}/${INITFILE} ${SHAREDIR}/shorewall-init/init
 fi
 
@@ -335,6 +361,8 @@ if [ $HOST = debian ]; then
 
 	install_file sysconfig ${DESTDIR}/etc/default/shorewall-init 0644
     fi
+
+    IFUPDOWN=ifupdown.debian.sh
 else
     if [ -n "$DESTDIR" ]; then
 	mkdir -p ${DESTDIR}${SYSCONFDIR}
@@ -351,14 +379,16 @@ else
 
     if [ -d ${DESTDIR}${SYSCONFDIR} -a ! -f ${DESTDIR}${SYSCONFDIR}/shorewall-init ]; then
 	install_file sysconfig ${DESTDIR}${SYSCONFDIR}/shorewall-init 0644
-    fi 
+    fi
+
+    [ $HOST = suse ] && IFUPDOWN=ifupdown.suse.sh || IFUPDOWN=ifupdown.fedora.sh
 fi
 
 #
 # Install the ifupdown script
 #
 
-cp ifupdown.sh ifupdown
+cp $IFUPDOWN ifupdown
 
 [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ifupdown
 
@@ -383,11 +413,23 @@ case $HOST in
 	fi
 	;;
     redhat)
-	if [ -f ${DESTDIR}${SBINDIR}/ifup-local -o -f ${DESTDIR}${SBINDIR}/ifdown-local ]; then
-	    echo "WARNING: ${SBINDIR}/ifup-local and/or ${SBINDIR}/ifdown-local already exist; up/down events will not be handled"
-	elif [ -z "$DESTDIR" ]; then
-	    install_file ifupdown ${DESTDIR}${SBINDIR}/ifup-local 0544
-	    install_file ifupdown ${DESTDIR}${SBINDIR}/ifdown-local 0544
+	if [ -z "$DESTDIR" ]; then
+	    install_local=
+
+	    if [ -f ${SBINDIR}/ifup-local -o -f ${SBINDIR}/ifdown-local ]; then
+		if ! fgrep -q Shorewall-based ${SBINDIR}/ifup-local || ! fgrep -q Shorewall-based ${SBINDIR}/ifdown-local; then
+		    echo "WARNING: ${SBINDIR}/ifup-local and/or ${SBINDIR}/ifdown-local already exist; up/down events will not be handled"
+		else
+		    install_local=Yes
+		fi
+	    else
+		install_local=Yes
+	    fi
+
+	    if [ -n "$install_local" ]; then
+		install_file ifupdown ${DESTDIR}${SBINDIR}/ifup-local 0544
+		install_file ifupdown ${DESTDIR}${SBINDIR}/ifdown-local 0544
+	    fi
 	fi
 	;;
 esac

Shorewall-init/shorewall-init

@@ -23,6 +23,20 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 #########################################################################################
+# set the STATEDIR variable
+setstatedir() {
+    local statedir
+    if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
+	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
+    fi
+
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+
+    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	${SBINDIR}/$PRODUCT compile -c || exit 1
+    fi
+}
+
 #
 # This is modified by the installer when ${SHAREDIR} <> /usr/share
 #
@@ -43,14 +57,25 @@ fi
 # Initialize the firewall
 shorewall_start () {
   local PRODUCT
-  local VARDIR
+  local STATEDIR
 
   echo -n "Initializing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
-      if [ -x ${VARDIR}/firewall ]; then
-	  if ! /sbin/$PRODUCT status > /dev/null 2>&1; then
-	      ${VARDIR}/firewall stop || exit 1
-	  fi
+      setstatedir
+
+      if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then
+          #
+	  # Run in a sub-shell to avoid name collisions
+	  #
+	  (
+	      if ! ${STATEDIR}/$PRODUCT/firewall status > /dev/null 2>&1; then
+		  ${STATEDIR}/$PRODUCT/firewall stop || exit 1
+	      else
+		  exit 1
+	      fi
+	  )
+      else
+	  exit 1
       fi
   done
 
@@ -64,14 +89,14 @@ shorewall_start () {
 # Clear the firewall
 shorewall_stop () {
   local PRODUCT
-  local VARDIR
+  local STATEDIR
 
   echo -n "Clearing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
-      VARDIR=/var/lib/$PRODUCT
-      [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir 
-      if [ -x ${VARDIR}/firewall ]; then
-	  ${VARDIR}/firewall clear || exit 1
+      setstatedir
+
+      if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then
+	  ${STATEDIR}/$PRODUCT/firewall clear || exit 1
       fi
   done
 

Shorewall-init/sysconfig

@@ -21,3 +21,6 @@ SAVE_IPSETS=""
 #
 LOGFILE=/var/log/shorewall-ifupdown.log
 
+# Startup options - set verbosity to 0 (minimal reporting)
+OPTIONS="-V0"
+

Shorewall-lite/configpath

@@ -4,4 +4,4 @@
 # /usr/share/shorewall-lite/configpath
 #
 
-CONFIG_PATH=/etc/shorewall-lite:/usr/share/shorewall-lite
+CONFIG_PATH=${CONFDIR}/shorewall-lite:${SHAREDIR}/shorewall-lite:${SHAREDIR}/shorewall

Shorewall-lite/init.archlinux.sh

@@ -1,58 +0,0 @@
-#!/bin/bash
-
-OPTIONS="-f"
-
-if [ -f /etc/sysconfig/shorewall ] ; then
-	. /etc/sysconfig/shorewall
-elif [ -f /etc/default/shorewall ] ; then
-	. /etc/default/shorewall
-fi
-
-# if you want to override options, do so in /etc/sysconfig/shorewall or
-# in /etc/default/shorewall --
-# i strongly encourage you use the latter, since /etc/sysconfig/ does not exist.
-
-. /etc/rc.conf
-. /etc/rc.d/functions
-
-DAEMON_NAME="shorewall" # of course shorewall is NOT a deamon.
-
-case "$1" in
-	start)
-		stat_busy "Starting $DAEMON_NAME"
-		/sbin/shorewall-lite $OPTIONS start &>/dev/null
-		if [ $? -gt 0 ]; then
-			stat_fail
-		else
-			add_daemon $DAEMON_NAME
-			stat_done
-		fi
-		;;
-
-
-	stop)
-		stat_busy "Stopping $DAEMON_NAME"
-		/sbin/shorewall-lite stop &>/dev/null
-		if [ $? -gt 0 ]; then
-			stat_fail
-		else
-			rm_daemon $DAEMON_NAME
-			stat_done
-		fi
-		;;
-
-	restart|reload)
-		stat_busy "Restarting $DAEMON_NAME"
-		/sbin/shorewall-lite restart &>/dev/null
-		if [ $? -gt 0  ]; then
-			stat_fail
-		else
-			stat_done
-		fi
-		;;
-
-	*)
-		echo "usage: $0 {start|stop|restart}"
-esac
-exit 0
-

Shorewall-lite/init.suse.sh

@@ -0,0 +1,92 @@
+#!/bin/sh
+#
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2012 - Tom Eastep (teastep@shorewall.net)
+#
+#	On most distributions, this file should be called /etc/init.d/shorewall.
+#
+#	Complete documentation is available at http://shorewall.net
+#
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of Version 2 of the GNU General Public License
+#	as published by the Free Software Foundation.
+#
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, write to the Free Software
+#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#	If an error occurs while starting or restarting the firewall, the
+#	firewall is automatically stopped.
+#
+#	Commands are:
+#
+#	   shorewall start			  Starts the firewall
+#	   shorewall restart			  Restarts the firewall
+#	   shorewall reload			  Reload the firewall
+#						  (same as restart)
+#	   shorewall stop			  Stops the firewall
+#	   shorewall status			  Displays firewall status
+#
+
+
+### BEGIN INIT INFO
+# Provides:	  shorewall-lite
+# Required-Start: $network $remote_fs
+# Required-Stop:  
+# Default-Start:  2 3 5
+# Default-Stop:	  0 1 6
+# Description:	  starts and stops the shorewall firewall
+# Short-Description: Packet filtering firewall
+### END INIT INFO
+
+################################################################################
+# Give Usage Information						       #
+################################################################################
+usage() {
+    echo "Usage: $0 start|stop|reload|restart|status"
+    exit 1
+}
+
+################################################################################
+# Get startup options (override default)
+################################################################################
+OPTIONS=
+
+#
+# The installer may alter this
+#
+. /usr/share/shorewall/shorewallrc
+
+if [ -f ${SYSCONFDIR}/shorewall-lite ]; then
+    . ${SYSCONFDIR}/shorewall-lite
+fi
+
+SHOREWALL_INIT_SCRIPT=1
+
+################################################################################
+# E X E C U T I O N    B E G I N S   H E R E				       #
+################################################################################
+command="$1"
+
+case "$command" in
+    start)
+	exec ${SBINDIR}/shorewall-lite $OPTIONS start $STARTOPTIONS
+	;;
+    restart|reload)
+	exec ${SBINDIR}/shorewall-lite $OPTIONS restart $RESTARTOPTIONS
+	;;
+    status|stop)
+	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $@
+	;;
+    *)
+	usage
+	;;
+esac

Shorewall-lite/install.sh

@@ -171,10 +171,19 @@ else
     usage 1
 fi
 
-for var in SHAREDIR LIBEXECDIRDIRDIR CONFDIR SBINDIR VARDIR; do
+if [ -z "${VARLIB}" ]; then
+    VARLIB=${VARDIR}
+    VARDIR=${VARLIB}/${PRODUCT}
+elif [ -z "${VARDIR}" ]; then
+    VARDIR=${VARLIB}/${PRODUCT}
+fi
+
+for var in SHAREDIR LIBEXECDIRDIRDIR CONFDIR SBINDIR VARLIB VARDIR; do
     require $var
 done
 
+[ -n "${INITFILE}" ] && require INITSOURCE && require INITDIR
+
 PATH=${SBINDIR}:/bin:/usr${SBINDIR}:/usr/bin:/usr/local/bin:/usr/local${SBINDIR}
 
 #
@@ -182,7 +191,6 @@ PATH=${SBINDIR}:/bin:/usr${SBINDIR}:/usr/bin:/usr/local/bin:/usr/local${SBINDIR}
 #
 cygwin=
 INSTALLD='-D'
-INITFILE=$PRODUCT
 T='-T'
 
 if [ -z "$BUILD" ]; then
@@ -194,7 +202,24 @@ if [ -z "$BUILD" ]; then
 	    BUILD=apple
 	    ;;
 	*)
-	    if [ -f ${CONFDIR}/debian_version ]; then
+	    if [ -f /etc/os-release ]; then
+		eval $(cat /etc/os-release | grep ^ID)
+
+		case $ID in
+		    fedora)
+			BUILD=redhat
+			;;
+		    debian)
+			BUILD=debian
+			;;
+		    opensuse)
+			BUILD=suse
+			;;
+		    *)
+			BUILD="$ID"
+			;;
+		esac
+	    elif [ -f ${CONFDIR}/debian_version ]; then
 		BUILD=debian
 	    elif [ -f ${CONFDIR}/redhat-release ]; then
 		BUILD=redhat
@@ -253,7 +278,10 @@ case "$HOST" in
     archlinux)
 	echo "Installing ArchLinux-specific configuration..."
 	;;
-    linux|suse)
+    suse)
+	echo "Installing Suse-specific configuration..."
+	;;
+    linux)
 	;;
     *)
 	echo "ERROR: Unknown HOST \"$HOST\"" >&2
@@ -271,21 +299,11 @@ if [ -n "$DESTDIR" ]; then
 
     install -d $OWNERSHIP -m 755 ${DESTDIR}/${SBINDIR}
     install -d $OWNERSHIP -m 755 ${DESTDIR}${INITDIR}
-
-    if [ -n "$SYSTEMD" ]; then
-	mkdir -p ${DESTDIR}/lib/systemd/system
-	INITFILE=
-    fi
 else
     if [ ! -f /usr/share/shorewall/coreversion ]; then
 	echo "$PRODUCT $VERSION requires Shorewall Core which does not appear to be installed" >&2
 	exit 1
     fi
-
-    if [ -f /lib/systemd/system ]; then
-	SYSTEMD=Yes
-	INITFILE=
-    fi
 fi
 
 echo "Installing $Product Version $VERSION"
@@ -303,8 +321,8 @@ if [ -z "$DESTDIR" -a -d ${CONFDIR}/$PRODUCT ]; then
 	mv -f ${CONFDIR}/$PRODUCT/shorewall.conf ${CONFDIR}/$PRODUCT/$PRODUCT.conf
 else
     rm -rf ${DESTDIR}${CONFDIR}/$PRODUCT
-    rm -rf ${DESTDIR}/usr/share/$PRODUCT
-    rm -rf ${DESTDIR}/var/lib/$PRODUCT
+    rm -rf ${DESTDIR}${SHAREDIR}/$PRODUCT
+    rm -rf ${DESTDIR}${VARDIR}
     [ "$LIBEXECDIR" = /usr/share ] || rm -rf ${DESTDIR}/usr/share/$PRODUCT/wait4ifup ${DESTDIR}/usr/share/$PRODUCT/shorecap
 fi
 
@@ -327,9 +345,9 @@ echo "$Product control program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"
 # Create ${CONFDIR}/$PRODUCT, /usr/share/$PRODUCT and /var/lib/$PRODUCT if needed
 #
 mkdir -p ${DESTDIR}${CONFDIR}/$PRODUCT
-mkdir -p ${DESTDIR}/usr/share/$PRODUCT
+mkdir -p ${DESTDIR}${SHAREDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT
-mkdir -p ${DESTDIR}/var/lib/$PRODUCT
+mkdir -p ${DESTDIR}${VARDIR}
 
 chmod 755 ${DESTDIR}${CONFDIR}/$PRODUCT
 chmod 755 ${DESTDIR}/usr/share/$PRODUCT
@@ -342,22 +360,25 @@ if [ -n "$DESTDIR" ]; then
 fi
 
 if [ -n "$INITFILE" ]; then
+    if [ -f "${INITSOURCE}" ]; then
+	initfile="${DESTDIR}/${INITDIR}/${INITFILE}"
+	install_file ${INITSOURCE} "$initfile" 0544
 
-    initfile="${DESTDIR}/${INITDIR}/${INITFILE}"
-    install_file ${INITSOURCE} "$initfile" 0544
+	[ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' "$initfile"
 
-    [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' "$initfile"
-
-    echo  "$Product init script installed in $initfile"
+	echo  "$Product init script installed in $initfile"
+    fi
 fi
 #
 # Install the .service file
 #
 if [ -n "$SYSTEMD" ]; then
-    run_install $OWNERSHIP -m 600 $PRODUCT.service ${DESTDIR}/${SYSTEMD}/$PRODUCT.service
-    echo "Service file installed as ${DESTDIR}/lib/systemd/system/$PRODUCT.service"
+    mkdir -p ${DESTDIR}${SYSTEMD}
+    [ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service
+    run_install $OWNERSHIP -m 600 $SERVICEFILE ${DESTDIR}${SYSTEMD}/$PRODUCT.service
+    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/$PRODUCT.service
+    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SYSTEMD}/$PRODUCT.service"
 fi
-
 #
 # Install the config file
 #
@@ -482,7 +503,7 @@ if [ -n "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PRODUCT} ]; then
 	chmod 755 ${DESTDIR}${SYSCONFDIR}
     fi
 
-    run_install $OWNERSHIP -m 0644 default.debian ${DESTDIR}${SYSCONFDIR}/${PRODUCT}
+    run_install $OWNERSHIP -m 0644 ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/${PRODUCT}
     echo "$SYSCONFFILE installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
 fi
 

Shorewall-lite/manpages/shorewall-lite.conf.xml

@@ -141,7 +141,7 @@
           stops. Creating and removing this file allows Shorewall to work with
           your distribution's initscripts. For RedHat, this should be set to
           /var/lock/subsys/shorewall. For Debian, the value is
-          /var/state/shorewall and in LEAF it is /var/run/shorwall.</para>
+          /var/state/shorewall and in LEAF it is /var/run/shorewall.</para>
         </listitem>
       </varlistentry>
 

Shorewall-lite/manpages/shorewall-lite.xml

@@ -335,7 +335,9 @@
 
       <arg>-<replaceable>options</replaceable></arg>
 
-      <arg choice="plain"><option>show</option></arg>
+      <arg choice="opt"><option>show | list | ls </option></arg>
+
+      <arg><option>-b</option></arg>
 
       <arg><option>-x</option></arg>
 
@@ -355,7 +357,7 @@
 
       <arg>-<replaceable>options</replaceable></arg>
 
-      <arg choice="plain"><option>show</option></arg>
+      <arg choice="opt"><option>show | list | ls </option></arg>
 
       <arg><option>-f</option></arg>
 
@@ -369,10 +371,10 @@
 
       <arg>-<replaceable>options</replaceable></arg>
 
-      <arg choice="plain"><option>show</option></arg>
+      <arg choice="opt"><option>show | list | ls </option></arg>
 
       <arg
-      choice="req"><option>classifiers|connections|config|filters|ip|ipa|zones|policies|marks</option></arg>
+      choice="req"><option>classifiers|connections|config|events|filters|ip|ipa|zones|policies|marks</option></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -382,7 +384,20 @@
 
       <arg>-<replaceable>options</replaceable></arg>
 
-      <arg choice="plain"><option>show</option></arg>
+      <arg choice="opt"><option>show | list | ls </option></arg>
+
+      <arg choice="plain"><option>event</option><arg
+      choice="plain"><replaceable>event</replaceable></arg></arg>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="opt"><option>show | list | ls </option></arg>
 
       <arg><option>-x</option></arg>
 
@@ -396,7 +411,7 @@
 
       <arg>-<replaceable>options</replaceable></arg>
 
-      <arg choice="plain"><option>show</option></arg>
+      <arg choice="opt"><option>show | list | ls </option></arg>
 
       <arg choice="plain"><option>tc</option></arg>
     </cmdsynopsis>
@@ -408,7 +423,7 @@
 
       <arg>-<replaceable>options</replaceable></arg>
 
-      <arg choice="plain"><option>show</option></arg>
+      <arg choice="opt"><option>show | list | ls </option></arg>
 
       <arg><option>-m</option></arg>
 
@@ -490,9 +505,9 @@
     url="shorewall.conf.html">shorewall.conf</ulink>(5). Each <emphasis
     role="bold">v</emphasis> adds one to the effective verbosity and each
     <emphasis role="bold">q</emphasis> subtracts one from the effective
-    VERBOSITY. Anternately, <emphasis role="bold">v</emphasis> may be followed
+    VERBOSITY. Alternately, <emphasis role="bold">v</emphasis> may be followed
     immediately with one of -1,0,1,2 to specify a specify VERBOSITY. There may
-    be no white space between <emphasis role="bold">v</emphasis> and the
+    be no white-space between <emphasis role="bold">v</emphasis> and the
     VERBOSITY.</para>
 
     <para>The <emphasis>options</emphasis> may also include the letter
@@ -630,7 +645,7 @@
         <term><emphasis role="bold">forget</emphasis></term>
 
         <listitem>
-          <para>Deletes /var/lib/shorewall-lite/<emphasis>filenam</emphasis>e
+          <para>Deletes /var/lib/shorewall-lite/<emphasis>filename</emphasis>
           and /var/lib/shorewall-lite/save. If no
           <emphasis>filename</emphasis> is given then the file specified by
           RESTOREFILE in <ulink
@@ -688,7 +703,7 @@
           and raw table PREROUTING chains.</para>
 
           <para>The trace records are written to the kernel's log buffer with
-          faciility = kernel and priority = warning, and they are routed from
+          facility = kernel and priority = warning, and they are routed from
           there by your logging daemon (syslogd, rsyslog, syslog-ng, ...) --
           Shorewall-lite has no control over where the messages go; consult
           your logging daemon's documentation.</para>
@@ -745,7 +760,7 @@
 
           <para>The <replaceable>iptables match expression</replaceable> must
           be one given in the <command>iptrace</command> command being
-          cancelled.</para>
+          canceled.</para>
         </listitem>
       </varlistentry>
 
@@ -841,6 +856,12 @@
                 Netfilter table to display. The default is <emphasis
                 role="bold">filter</emphasis>.</para>
 
+                <para>The <emphasis role="bold">-b</emphasis> ('brief') option
+                causes rules which have not been used (i.e. which have zero
+                packet and byte counts) to be omitted from the output. Chains
+                with no rules displayed are also omitted from the
+                output.</para>
+
                 <para>The <emphasis role="bold">-l</emphasis> option causes
                 the rule number for each Netfilter rule to be
                 displayed.</para>
@@ -867,7 +888,7 @@
               <term><emphasis role="bold">config</emphasis></term>
 
               <listitem>
-                <para>Dispays distribution-specific defaults.</para>
+                <para>Displays distribution-specific defaults.</para>
               </listitem>
             </varlistentry>
 
@@ -880,6 +901,24 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><emphasis role="bold">event</emphasis><replaceable>
+              event</replaceable></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.19. Displays the named
+                event.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">events</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.19. Displays all events.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis role="bold">ip</emphasis></term>
 
@@ -1047,6 +1086,23 @@
     </variablelist>
   </refsect1>
 
+  <refsect1>
+    <title>EXIT STATUS</title>
+
+    <para>In general, when a command succeeds, status 0 is returned; when the
+    command fails, a non-zero status is returned.</para>
+
+    <para>The <command>status</command> command returns exit status as
+    follows:</para>
+
+    <para>0 - Firewall is started.</para>
+
+    <para>3 - Firewall is stopped or cleared</para>
+
+    <para>4 - Unknown state; usually means that the firewall has never been
+    started.</para>
+  </refsect1>
+
   <refsect1>
     <title>FILES</title>
 

Shorewall-lite/shorecap

@@ -53,10 +53,7 @@ g_program=shorewall-lite
 #
 . /usr/share/shorewall/shorewallrc
 
-g_libexec="$LIBEXECDIR"
 g_sharedir="$SHAREDIR"/shorewall-lite
-g_sbindir="$SBINDIR"
-g_vardir="$VARDIR"
 g_confdir="$CONFDIR"/shorewall-lite
 g_readrc=1
 

Shorewall-lite/shorewall-lite

@@ -25,17 +25,15 @@
 #       For a list of supported commands, type 'shorewall help' or 'shorewall6 help'
 #
 ################################################################################################
-g_program=shorewall-lite
+PRODUCT=shorewall-lite
 
 #
 # This is modified by the installer when ${SHAREDIR} != /usr/share
 #
 . /usr/share/shorewall/shorewallrc
 
-g_libexec="$LIBEXECDIR"
+g_program=$PRODUCT
 g_sharedir="$SHAREDIR"/shorewall-lite
-g_sbindir="$SBINDIR"
-g_vardir="$VARDIR"
 g_confdir="$CONFDIR"/shorewall-lite
 g_readrc=1
 

Shorewall-lite/uninstall.sh

@@ -118,14 +118,14 @@ fi
 
 if [ -L ${SHAREDIR}/shorewall-lite/init ]; then
     FIREWALL=$(readlink -m -q ${SHAREDIR}/shorewall-lite/init)
-elIF [ -n "$INITFILE" ]; then
+elif [ -n "$INITFILE" ]; then
     FIREWALL=${INITDIR}/${INITFILE}
 fi
 
 if [ -f "$FIREWALL" ]; then
     if mywhich updaterc.d ; then
 	updaterc.d shorewall-lite remove
-    elif if mywhich insserv ; then
+    elif mywhich insserv ; then
         insserv -r $FIREWALL
     elif [ mywhich chkconfig ; then
 	chkconfig --del $(basename $FIREWALL)

Shorewall/Macros/macro.A_AllowICMPs

@@ -9,7 +9,7 @@
 #ACTION		SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #					PORT(S)	PORT(S)	LIMIT	GROUP
 
-COMMENT Needed ICMP types
+?COMMENT Needed ICMP types
 
 A_ACCEPT       -	-	icmp	fragmentation-needed
 A_ACCEPT       -	-	icmp	time-exceeded

Shorewall/Macros/macro.A_DropDNSrep

@@ -9,6 +9,6 @@
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 
-COMMENT Late DNS Replies
+?COMMENT Late DNS Replies
 
 A_DROP	-	-	udp	-	53

Shorewall/Macros/macro.A_DropUPnP

@@ -9,6 +9,6 @@
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 
-COMMENT UPnP
+?COMMENT UPnP
 
 A_DROP	-	-	udp	1900

Shorewall/Macros/macro.ActiveDir

@@ -0,0 +1,40 @@
+#
+# Shorewall version 4 - Samba 4 Macro
+#
+# /usr/share/shorewall/macro.ActiveDir
+#
+#       This macro handles ports for Samba 4 Active Directory Service
+#
+# You can comment out the ports you do not want open
+#
+# 
+###############################################################################
+#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  RATE    USER/
+#                               PORT(S) PORT(S) LIMIT   GROUP
+PARAM   -       -       tcp     389 	#LDAP services
+PARAM   -       -       udp	389  
+PARAM   -       -       tcp     636	#LDAP SSL
+PARAM   -       -       tcp     3268	#LDAP GC
+PARAM   -       -       tcp     3269	#LDAP GC SSL
+PARAM   -       -       tcp     88	#Kerberos
+PARAM   -       -       udp	88
+
+# Use macro.DNS for DNS sevice
+
+PARAM   -       -       tcp     445	#Replication, User and Computer Authentication, Group Policy, Trusts
+PARAM   -       -       udp	445
+
+# Use macro.SMTP for Mail service
+
+PARAM   -       -       tcp     135	#RPC, EPM
+PARAM   -       -       tcp     5722	#RPC, DFSR (SYSVOL)
+PARAM   -       -       udp	123	#Windows Time
+PARAM   -       -       tcp     464	#Kerberosb change/set password
+PARAM   -       -       udp	464
+PARAM   -       -       udp	138	#DFS, Group Policy
+PARAM   -       -       tcp     9389	#SOAP
+PARAM   -       -       tcp     2535	#MADCAP
+PARAM   -       -       udp	2535
+PARAM   -       -       udp     137	#NetLogon, NetBIOS Name Resolution
+PARAM   -       -       tcp	139	#DFSN, NetBIOS Session Service, NetLogon    
+  

Shorewall/Macros/macro.AllowICMPs

@@ -9,7 +9,7 @@
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 
-COMMENT Needed ICMP types
+?COMMENT Needed ICMP types
 
 DEFAULT ACCEPT
 PARAM	-	-	icmp	fragmentation-needed

Shorewall/Macros/macro.Amanda

@@ -8,9 +8,16 @@
 #	files from those nodes.
 #
 ###############################################################################
+?FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	udp	10080
+
+?if ( __CT_TARGET && ! $AUTOHELPERS && __AMANDA_HELPER )
+ PARAM	-	-	udp	10080 ; helper=amanda
+?else
+ PARAM	-	-	udp	10080
+?endif
+
 PARAM	-	-	tcp	10080
 #
 # You may also need this rule.  With AMANDA 2.4.4 on Linux kernel 2.6,

Shorewall/Macros/macro.BLACKLIST

@@ -8,8 +8,8 @@
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
-?IF $BLACKLIST_LOGLEVEL
+?if $BLACKLIST_LOGLEVEL
 blacklog
-?ELSE
+?else
 $BLACKLIST_DISPOSITION
-?ENDIF
+?endif

Shorewall/Macros/macro.DCC

@@ -9,4 +9,4 @@
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	tcp	6277
+PARAM	-	-	udp	6277

Shorewall/Macros/macro.DropDNSrep

@@ -9,7 +9,7 @@
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 
-COMMENT Late DNS Replies
+?COMMENT Late DNS Replies
 
 DEFAULT DROP
 PARAM	-	-	udp	-	53

Shorewall/Macros/macro.DropUPnP

@@ -9,7 +9,7 @@
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 
-COMMENT UPnP
+?COMMENT UPnP
 
 DEFAULT DROP
 PARAM	-	-	udp	1900

Shorewall/Macros/macro.FTP

@@ -6,6 +6,11 @@
 #	This macro handles FTP traffic.
 #
 ###############################################################################
+?FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	tcp	21
+?if ( __CT_TARGET && ! $AUTOHELPERS && __FTP_HELPER  )
+ PARAM	-	-	tcp	21 ; helper=ftp
+?else
+ PARAM	-	-	tcp	21
+?endif

Shorewall/Macros/macro.IRC

@@ -6,6 +6,12 @@
 #	This macro handles IRC traffic (Internet Relay Chat).
 #
 ###############################################################################
+?FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	tcp	6667
+
+?if ( __CT_TARGET && ! $AUTOHELPERS && __IRC_HELPER  )
+ PARAM	-	-	tcp	6667 ; helper=irc
+?else
+ PARAM	-	-	tcp	6667
+?endif

Shorewall/Macros/macro.Kerberos

@@ -0,0 +1,12 @@
+#
+# Shorewall version 4 - Kerberos Macro
+#
+# /usr/share/shorewall/macro.Kerberos
+#
+#	This macro handles Kerberos traffic.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S)	PORT(S)	LIMIT	GROUP
+PARAM	-	-	tcp	88
+PARAM	-	-	udp	88

Shorewall/Macros/macro.PPtP

@@ -6,8 +6,14 @@
 #	This macro handles PPTP traffic.
 #
 ###############################################################################
+?FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 PARAM	-	-	47
 PARAM	DEST	SOURCE	47
-PARAM	-	-	tcp	1723
+
+?if ( __CT_TARGET && ! $AUTOHELPERS && __PPTP_HELPER )
+ PARAM	-	-	tcp	1723 ; helper=pptp
+?else
+ PARAM	-	-	tcp	1723
+?endif

Shorewall/Macros/macro.Puppet

@@ -0,0 +1,12 @@
+#
+# Shorewall version 4 - Puppet Macro
+#
+# /usr/share/shorewall/macro.Puppet
+#
+#	This macro handles client-to-server for the Puppet configuration
+#	management system.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S)	PORT(S)	LIMIT	GROUP
+PARAM	-	-	tcp	8140

Shorewall/Macros/macro.Rfc1918

@@ -7,7 +7,7 @@
 #############################################################################################
 #ACTION		SOURCE		DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
 #						PORT(S)	PORT(S)	DEST		LIMIT	GROUP
-FORMAT 2
+?FORMAT 2
 PARAM		SOURCE:10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 \
 				DEST	-	-	-	-	-	-
 PARAM		SOURCE		DEST	-	-	-	10.0.0.0/8,172.16.0.0/12,192.168.0.0/16

Shorewall/Macros/macro.SANE

@@ -6,9 +6,16 @@
 #	This macro handles SANE network scanning.
 #
 ###############################################################################
+?FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	tcp	6566
+
+?if ( __CT_TARGET && ! $AUTOHELPERS && __SANE_HELPER )
+ PARAM	-	-	tcp	6566 ; helper=sane
+?else
+ PARAM	-	-	tcp	6566
+?endif
+
 #
 # Kernels 2.6.23+ has nf_conntrack_sane module which will handle
 # sane data connection.

Shorewall/Macros/macro.SIP

@@ -0,0 +1,17 @@
+#
+# Shorewall version 4 - SIP Macro
+#
+# /usr/share/shorewall/macro.SIP
+#
+#	This macro handles SIP traffic.
+#
+###############################################################################
+?FORMAT 2
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S)	PORT(S)	LIMIT	GROUP
+
+?if ( __CT_TARGET && ! $AUTOHELPERS && __SIP_HELPER  )
+ PARAM	-	-	udp	5060 ; helper=sip
+?else
+ PARAM	-	-	udp	5060
+?endif

Shorewall/Macros/macro.SMB

@@ -10,9 +10,17 @@
 #	between hosts you fully trust.
 #
 ###############################################################################
+?FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 PARAM	-	-	udp	135,445
-PARAM	-	-	udp	137:139
+
+?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
+ PARAM	-	-	udp	137 ; helper=netbios-ns
+ PARAM	-	-	udp	138:139
+?else
+ PARAM	-	-	udp	137:139
+?endif
+
 PARAM	-	-	udp	1024:	137
 PARAM	-	-	tcp	135,139,445

Shorewall/Macros/macro.SMBBI

@@ -10,13 +10,28 @@
 #	allow SMB traffic between hosts you fully trust.
 #
 ###############################################################################
+?FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 PARAM	-	-	udp	135,445
-PARAM	-	-	udp	137:139
+
+?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
+ PARAM	-	-	udp	137 ; helper=netbios-ns
+ PARAM	-	-	udp	138:139
+?else
+ PARAM	-	-	udp	137:139
+?endif
+
 PARAM	-	-	udp	1024:	137
 PARAM	-	-	tcp	135,139,445
 PARAM	DEST	SOURCE	udp	135,445
-PARAM	DEST	SOURCE	udp	137:139
+
+?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
+ PARAM	DEST	SOURCE	udp	137 ; helper=netbios-ns
+ PARAM	DEST	SOURCE	udp	138:139
+?else
+ PARAM	DEST	SOURCE	udp	137:139
+?endif
+
 PARAM	DEST	SOURCE	udp	1024:	137
 PARAM	DEST	SOURCE	tcp	135,139,445

Shorewall/Macros/macro.SNMP

@@ -3,10 +3,17 @@
 #
 # /usr/share/shorewall/macro.SNMP
 #
-#	This macro handles SNMP traffic (including traps).
+#	This macro handles SNMP traffic.
+#
+#       Note: To allow SNMP Traps, use the SNMPTrap macro
 #
 ###############################################################################
+?FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	udp	161:162
-PARAM	-	-	tcp	161
+
+?if ( __CT_TARGET && ! $AUTOHELPERS && __SNMP_HELPER )
+ PARAM	-	-  	udp     161 ; helper=snmp
+?else
+ PARAM	-	-	udp	161
+?endif

Shorewall/Macros/macro.SNMPTrap

@@ -0,0 +1,12 @@
+#
+# Shorewall version 4 - SNMP Trap Macro
+#
+# /usr/share/shorewall/macro.SNMP
+#
+#	This macro handles SNMP traps.
+#
+###############################################################################
+?FORMAT 2
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S)	PORT(S)	LIMIT	GROUP
+PARAM	-	-	udp	162

Shorewall/Macros/macro.TFTP

@@ -8,6 +8,12 @@
 #	Internet.
 #
 ###############################################################################
+?FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	udp	69
+
+?if ( __CT_TARGET && ! $AUTOHELPERS && __TFTP_HELPER )
+ PARAM	-	-	udp	69 ; helper=tftp
+?else
+ PARAM	-	-	udp	69
+?endif

Shorewall/Macros/macro.Teredo

@@ -0,0 +1,11 @@
+#
+# Shorewall version 4 - Teredo Macro
+#
+# /usr/share/shorewall/macro.Teredo
+#
+#	This macro handles Teredo IPv6 over UDP tunneling traffic
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S)	PORT(S)	LIMIT	GROUP
+PARAM	-	-	udp	3544

Shorewall/Macros/macro.VRRP

@@ -0,0 +1,11 @@
+#
+# Shorewall version 4 - VRRP Macro
+#
+# /usr/share/shorewall/macro.VRRP
+#
+#	This macro handles VRRP traffic.
+#
+###############################################################################
+#ACTION		SOURCE		DEST		PROTO
+PARAM		SOURCE		DEST:224.0.0.18	vrrp
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/Macros/macro.Xymon

@@ -0,0 +1,11 @@
+#
+# Shorewall version 4 - Xymon Macro
+#
+# /usr/share/shorewall/macro.Xymon
+#
+#	This macro handles Xymon traffic.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S)	PORT(S)	LIMIT	GROUP
+PARAM	-	-	tcp	1984

Shorewall/Macros/macro.template

@@ -71,9 +71,17 @@
 #	Remaining		Any value in the rules file REPLACES the value
 #	columns			given in the macro file.
 #
+# Multiple parameters may be passed to a macro. Within this file, $1 refers to the first parameter,
+# $2 to the second an so on. $1 is a synonym for PARAM but may be used anywhere in the file whereas
+# PARAM may only be used in the ACTION column.
+#
+# You can specify default values for parameters by using DEFAULT or DEFAULTS entry:
+#
+#      DEFAULTS  <default for $1>,<default for $2>,...
+#
 #######################################################################################################
 #                                         DO NOT REMOVE THE FOLLOWING LINE
-FORMAT 2
-####################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS
+?FORMAT 2
+#################################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH        HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP

Shorewall/Perl/Shorewall/ARP.pm

@@ -0,0 +1,314 @@
+#
+# Shorewall 4.5 -- /usr/share/shorewall/Shorewall/ARP.pm
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2013 - Tom Eastep (teastep@shorewall.net)
+#
+#       Complete documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#  This file is responsible for Shorewall's arptables support
+#
+package Shorewall::ARP;
+require Exporter;
+
+use Shorewall::Config qw(:DEFAULT :internal);
+use Shorewall::Zones;
+use Shorewall::IPAddrs;
+use strict;
+
+our @ISA = qw(Exporter);
+our @EXPORT = ( qw( process_arprules create_arptables_load preview_arptables_load ) );
+
+our %arp_table;
+our $arp_input;
+our $arp_output;
+our $arp_forward;
+our $sourcemac;
+our $destmac;
+our $addrlen;
+our $hw;
+our @builtins;
+our $arptablesjf;
+our @map = ( qw( 0 Request Reply Request_Reverse Reply_Reverse DRARP_Request DRARP_Reply DRARP_Error InARP_Request ARP_NAK ) );
+
+
+#
+# Handles the network and mac parts of the SOURCE ($source == 1 ) and DEST ($source == 0) columns in the arprules file.
+# Returns any match(es) specified.
+#
+sub match_arp_net( $$$ ) {
+    my ( $net, $mac, $source ) = @_;
+
+    my $return = '';
+
+    if ( supplied $net ) {
+	my $invert = ( $net =~ s/^!// ) ? '! ' : '';
+	validate_net $net, 0;
+	$return = $source ? "-s ${invert}$net " : "-d ${invert}$net ";
+    }
+
+    if ( supplied $mac ) {
+	my ( $addr , $mask ) = split( '/', $mac, 2 );
+
+	my $invert = ( $addr =~ s/^!// ) ? '! ' : '';
+
+	fatal_error "Invalid MAC address ($addr)" unless $addr =~ /^(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$/;
+	if ( supplied $mask ) {
+	    fatal_error "Invalid MAC Mask ($mask)" unless $mask =~ /^(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$/;
+	    $return .= $source ? "$sourcemac $invert$addr/$mask " : "$destmac $invert$addr/mask ";
+	} else {
+	    $return .= $source ? "$sourcemac $invert$addr " : "$destmac $invert$addr ";
+	}
+    }
+
+    $return;
+}
+
+#
+# Process a rule in the arprules file
+#
+sub process_arprule() {
+    my ( $originalaction, $source, $dest, $opcode ) = split_line( 'arprules file entry', {action => 0, source => 1, dest => 2, opcode => 3 } );
+
+    my $chainref;
+    my $iifaceref;
+    my $iiface;
+    my $difaceref;
+    my $diface;
+    my $saddr;
+    my $smac;
+    my $daddr;
+    my $dmac;
+    my $rule = '';
+
+    fatal_error "ACTION must be specified" if $originalaction eq '-';
+
+    my ( $action, $newaddr ) = split( ':', $originalaction, 2 );
+
+    my %functions = ( DROP   => sub() { $rule .= "-j DROP" },
+		      ACCEPT => sub() { $rule .= "-j ACCEPT" },
+		      SNAT   => sub() { validate_address $newaddr, 0;
+					$rule .= "-j mangle --mangle-ip-s $newaddr"; },
+		      DNAT   => sub() { validate_address $newaddr, 0;
+					$rule .= "-j mangle --mangle-ip-d $newaddr"; },
+		      SMAT   => sub() { fatal_error "Invalid MAC address ($newaddr)" unless $newaddr =~ /^(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$/;
+					$rule .= "$addrlen 6 -j mangle --mangle-$hw-s $newaddr"; },
+		      DMAT   => sub() { fatal_error "Invalid MAC address ($newaddr)" unless $newaddr =~ /^(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$/;
+					$rule .= "$addrlen 6 -j mangle --mangle-$hw-d $newaddr"; },
+		      SNATC  => sub() { validate_address $newaddr, 0;
+					$rule .= "-j mangle --mangle-ip-s $newaddr --mangle-target CONTINUE"; },
+		      DNATC  => sub() { validate_address $newaddr, 0;
+					$rule .= "-j mangle --mangle-ip-d $newaddr --mangle-target CONTINUE"; },
+		      SMATC  => sub() { fatal_error "Invalid MAC address ($newaddr)" unless $newaddr =~ /^(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$/;
+					$rule .= "$addrlen 6 -j mangle --mangle-$hw-s $newaddr --mangle-target CONTINUE"; },
+		      DMATC  => sub() { fatal_error "Invalid MAC address ($newaddr)" unless $newaddr =~ /^(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$/;
+					$rule .= "$addrlen 6 -j mangle --mangle-$hw-d $newaddr --mangle-target CONTINUE"; },
+		    );
+
+    if ( supplied $newaddr ) {
+	fatal_error "The $action ACTION does not allow a new address" unless $action =~ /^(?:SNAT|DNAT|SMAT|DMAT)C?$/;
+    } else {
+	fatal_error "The $action ACTION requires a new address" if $action =~ /^(?:SNAT|DNAT|SMAT|DMAT)C?$/;
+    }
+
+    my $function = $functions{$action};
+
+    fatal_error "Unknown ACTION ($action)" unless $function;
+
+    if ( $source ne '-' ) {
+	( $iiface, $saddr, $smac ) = split /:/, $source, 3;
+
+	fatal_error "SOURCE interface missing" unless supplied $iiface; 
+
+	$iiface = ( $iifaceref = find_interface( $iiface ) )->{physical};
+
+	fatal_error "Wildcard Interfaces ( $iiface )may not be used in this context" if $iiface =~ /\+$/;
+
+	$rule .= "-i $iiface ";
+	$rule .= match_arp_net( $saddr , $smac, 1 ) if supplied( $saddr );
+	$chainref = $arp_input;
+    }
+
+    if ( $dest ne '-' ) {
+	( $diface, $daddr, $dmac ) = split /:/, $dest, 3;
+
+	fatal_error "DEST interface missing" unless supplied $diface; 
+
+	$diface = ( $difaceref = find_interface( $diface ) )->{physical};
+
+	fatal_error "A wildcard interfaces ( $diface) may not be used in this context" if $diface =~ /\+$/;
+
+	if ( $iiface ) {
+	    fatal_error "When both SOURCE and DEST are given, the interfaces must be ports on the same bridge"
+		if $iifaceref->{bridge} ne $difaceref->{bridge};
+	    $chainref = $arp_forward;
+	} else {
+	    $chainref = $arp_output;
+	}
+
+	$rule .= "-o $diface ";
+	$rule .= match_arp_net( $daddr , $dmac, 0 ) if supplied( $daddr );
+
+    }
+
+    if ( $opcode ne '-' ) {
+	my $invert = ( $opcode =~ s/^!// ) ? '! ' : '';
+	warning_message q(arptables versions through 0.3.4 ignore '!' after '--opcode') if $invert && ! $arptablesjf;
+	fatal_error "Invalid ARP OPCODE ($opcode)" unless $opcode =~ /^\d$/ && $opcode;
+	$rule .= $arptablesjf ? " --arpop ${invert}$map[$opcode] " : "--opcode ${invert}$opcode ";
+    }
+
+    $function ->();
+
+    fatal_error "Either SOURCE or DEST must be specified" unless $chainref;
+
+    push @$chainref, $rule;
+
+}
+
+#
+# Process the arprules file -- returns true if there were any arp rules
+#
+sub process_arprules() {
+    my $result = 0;
+
+    if ( $arptablesjf = have_capability 'ARPTABLESJF' ) {
+	$arp_input  = $arp_table{IN}       = [];
+	$arp_output = $arp_table{OUT}      = [];
+	$arp_forward = $arp_table{FORWARD} = [];
+	@builtins = qw( IN OUT FORWARD );
+	$sourcemac = '-z';
+	$destmac   = '-y';
+	$addrlen   = '--arhln';
+	$hw        = 'hw';
+    } else {
+	$arp_input   = $arp_table{INPUT}   = [];
+	$arp_output  = $arp_table{OUTPUT}  = [];
+	$arp_forward = $arp_table{FORWARD} = [];
+	@builtins = qw( INPUT OUTPUT FORWARD );
+	$sourcemac = '--source-mac';
+	$destmac   = '--destination-mac';
+	$addrlen   = '--h-length';
+	$hw        = 'mac';
+    }
+
+    my $fn = open_file 'arprules';
+
+    if ( $fn ) {
+	first_entry( sub() {
+			 $result = 1;
+			 progress_message2 "$doing $fn..."; }
+		   );
+	process_arprule while read_a_line( NORMAL_READ );
+    }
+
+    $result;
+}
+
+#
+# Generate the arptables_load() function
+#
+sub create_arptables_load( $ ) {
+    my $test = shift;
+
+    emit ( '#',
+	   '# Create the input to arptables-restore and pass that input to the utility',
+	   '#',
+	   'setup_arptables()',
+	   '{'
+	   );
+
+    push_indent;
+
+    save_progress_message "Preparing arptables-restore input...";
+
+    emit '';
+
+    emit "exec 3>\${VARDIR}/.arptables-input";
+
+    my $date = localtime;
+
+    unless ( $test ) {
+	emit_unindented '#';
+	emit_unindented "# Generated by Shorewall $globals{VERSION} - $date";
+	emit_unindented '#';
+    }
+
+    emit '';
+    emit 'cat >&3 << __EOF__';
+
+    emit_unindented "*filter";
+
+    emit_unindented ":$_ ACCEPT" for @builtins;
+
+    for ( @builtins ) {
+	my $rules = $arp_table{$_};
+
+	while ( my $rule = shift @$rules ) {
+	    emit_unindented "-A $_ $rule";
+	}
+    }
+
+    emit_unindented "COMMIT\n" if $arptablesjf;
+
+    emit_unindented "__EOF__";
+
+    #
+    # Now generate the actual ip[6]tables-restore command
+    #
+    emit(  'exec 3>&-',
+	   '',
+	   'progress_message2 "Running $ARPTABLES_RESTORE..."',
+	   '',
+	   'cat ${VARDIR}/.arptables-input | $ARPTABLES_RESTORE # Use this nonsensical form to appease SELinux',
+	   'if [ $? != 0 ]; then',
+	   qq(    fatal_error "arptables-restore Failed. Input is in \${VARDIR}/.arptables-input"),
+	   "fi\n",
+	   "run_ip neigh flush nud stale nud reachable\n",
+	   );    
+
+    pop_indent;
+    emit "}\n";
+}	  
+
+#
+# Preview the generated ARP rules
+#
+sub preview_arptables_load() {
+
+    my $date = localtime;
+
+    print "#\n# Generated by Shorewall $globals{VERSION} - $date\n#\n";
+
+    print "*filter\n";
+
+    print ":$_ ACCEPT\n" for qw( INPUT OUTPUT FORWARD );
+
+    for ( @builtins ) {
+	my $rules = $arp_table{$_};
+
+	while ( my $rule = shift @$rules ) {
+	    print "-A $rule\n";
+	}
+    }
+
+    print "COMMIT\n" if $arptablesjf;
+
+    print "\n";
+}	  
+
+1;

Shorewall/Perl/Shorewall/Accounting.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010,2011,2012,2013 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -40,18 +40,17 @@ our $VERSION = 'MODULEVERSION';
 #
 # Per-IP accounting tables. Each entry contains the associated network.
 #
-my %tables;
+our %tables;
 
-my $jumpchainref;
-my %accountingjumps;
-my $asection;
-my $defaultchain;
-my $ipsecdir;
-my $defaultrestriction;
-my $restriction;
-my $accounting_commands = { COMMENT => 0, SECTION => 2 };
-my $sectionname;
-my $acctable;
+our $jumpchainref;
+our %accountingjumps;
+our $asection;
+our $defaultchain;
+our $ipsecdir;
+our $defaultrestriction;
+our $restriction;
+our $sectionname;
+our $acctable;
 
 #
 # Sections in the Accounting File
@@ -139,30 +138,25 @@ sub process_section ($) {
     $asection = $newsect;
 }
 
+sub split_nfacct_list( $;$ ) {
+    my ($list, $origlist ) = @_;
+
+    fatal_error( "Invalid nfacct list (" . ( $origlist ? $origlist : $list ) . ')' ) if $list =~ /^,|,$|,,$/;
+
+    split /,/, $list;
+}
+
 #
 # Accounting
 #
-sub process_accounting_rule( ) {
+sub process_accounting_rule1( $$$$$$$$$$$ ) {
+
+    my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers ) = @_;
 
     $acctable = $config{ACCOUNTING_TABLE};
 
     $jumpchainref = 0;
 
-    my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers ) =
-	split_line1 'Accounting File', { action => 0, chain => 1, source => 2, dest => 3, proto => 4, dport => 5, sport => 6, user => 7, mark => 8, ipsec => 9, headers => 10 }, $accounting_commands;
-
-    fatal_error 'ACTION must be specified' if $action eq '-';
-
-    if ( $action eq 'COMMENT' ) {
-	process_comment;
-	return 0;
-    }
-
-    if ( $action eq 'SECTION' ) {
-	process_section( $chain );
-	return 0;
-    }
-
     $asection = LEGACY if $asection < 0;
 
     our $disposition = '';
@@ -204,6 +198,7 @@ sub process_accounting_rule( ) {
     fatal_error "USER/GROUP may only be specified in the OUTPUT section" unless $user eq '-' || $asection == OUTPUT;
 
     my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, $globals{TC_MASK} ) . do_headers( $headers );
+    my $prerule = '';
     my $rule2 = 0;
     my $jump  = 0;
 
@@ -236,6 +231,19 @@ sub process_accounting_rule( ) {
 	    }
 	} elsif ( $action =~ /^NFLOG/ ) {
 	    $target = validate_level $action;
+	} elsif ( $action =~ /^NFACCT\((.+)\)$/ ) {
+	    require_capability 'NFACCT_MATCH', 'The NFACCT action', 's';
+	    $target = '';
+	    for ( my @objects = split_nfacct_list $1 ) {
+		validate_nfobject( $_, 1 );
+		if ( s/!$// ) {
+		    $prerule .= do_nfacct( $_ );
+		} else {
+		    $rule .= do_nfacct( $_ );
+		}
+	    }
+	} elsif ( $action eq 'INLINE' ) {
+	    $rule .= get_inline_matches;
 	} else {
 	    ( $action, my $cmd ) = split /:/, $action;
 
@@ -276,6 +284,7 @@ sub process_accounting_rule( ) {
 		expand_rule(
 			    ensure_rules_chain ( 'accountout' ) ,
 			    OUTPUT_RESTRICT ,
+			    $prerule ,
 			    $rule ,
 			    $source ,
 			    $dest = ALLIP ,
@@ -369,6 +378,7 @@ sub process_accounting_rule( ) {
     expand_rule
 	$chainref ,
 	$restriction ,
+	$prerule ,
 	$rule ,
 	$source ,
 	$dest ,
@@ -394,25 +404,48 @@ sub process_accounting_rule( ) {
     }
 
     if ( $rule2 ) {
-	expand_rule
-	    $jumpchainref ,
-	    $restriction ,
-	    $rule ,
-	    $source ,
-	    $dest ,
-	    '' ,
-	    '' ,
-	    '' ,
-	    '' ,
-	    '' ;
+	expand_rule(
+		    $jumpchainref ,
+		    $restriction ,
+		    $prerule ,
+		    $rule ,
+		    $source ,
+		    $dest ,
+		    '' ,
+		    '' ,
+		    '' ,
+		    '' ,
+		    '' );
     }
 
     return 1;
 }
 
+sub process_accounting_rule( ) {
+
+    my ($action, $chain, $source, $dest, $protos, $ports, $sports, $user, $mark, $ipsec, $headers ) =
+	split_line1 'Accounting File', { action => 0, chain => 1, source => 2, dest => 3, proto => 4, dport => 5, sport => 6, user => 7, mark => 8, ipsec => 9, headers => 10 };
+
+    my $nonempty = 0;
+
+    for my $proto ( split_list $protos, 'Protocol' ) {
+	fatal_error 'ACTION must be specified' if $action eq '-';
+
+	if ( $action eq 'SECTION' ) {
+	    process_section( $chain );
+	} else {
+	    for my $proto ( split_list $protos, 'Protocol' ) {
+		$nonempty |= process_accounting_rule1( $action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers );
+	    }
+	}
+    }
+
+    $nonempty;
+}
+
 sub setup_accounting() {
 
-    if ( my $fn = open_file 'accounting' ) {
+    if ( my $fn = open_file 'accounting', 1, 1 ) {
 
 	first_entry "$doing $fn...";
 
@@ -420,8 +453,6 @@ sub setup_accounting() {
 
 	$nonEmpty |= process_accounting_rule while read_a_line( NORMAL_READ );
 
-	clear_comment;
-
 	if ( $nonEmpty ) {
 	    my $tableref = $chain_table{$acctable};
 

Shorewall/Perl/Shorewall/Compiler.pm

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011,2012 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010,2011,2012,2013 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -34,9 +34,9 @@ use Shorewall::Accounting;
 use Shorewall::Rules;
 use Shorewall::Proc;
 use Shorewall::Proxyarp;
-use Shorewall::IPAddrs;
 use Shorewall::Raw;
 use Shorewall::Misc;
+use Shorewall::ARP;
 
 use strict;
 
@@ -45,20 +45,22 @@ our @EXPORT = qw( compiler );
 our @EXPORT_OK = qw( $export );
 our $VERSION = 'MODULEVERSION';
 
-my $export;
+our $export;
 
-my $test;
+our $test;
 
-my $family;
+our $family;
+
+our $have_arptables;
 
 #
 # Initilize the package-globals in the other modules
 #
-sub initialize_package_globals( $$ ) {
-    Shorewall::Config::initialize($family, $_[1]);
+sub initialize_package_globals( $$$ ) {
+    Shorewall::Config::initialize($family, $_[1], $_[2]);
     Shorewall::Chains::initialize ($family, 1, $export );
     Shorewall::Zones::initialize ($family, $_[0]);
-    Shorewall::Nat::initialize;
+    Shorewall::Nat::initialize($family);
     Shorewall::Providers::initialize($family);
     Shorewall::Tc::initialize($family);
     Shorewall::Accounting::initialize;
@@ -158,7 +160,7 @@ sub generate_script_2() {
 
     push_indent;
 
-    if ( $shorewallrc{TEMPDIR} ) {
+    if ( $shorewallrc1{TEMPDIR} ) {
 	emit( '',
 	      qq(TMPDIR="$shorewallrc{TEMPDIR}") ,
 	      q(export TMPDIR) );
@@ -168,14 +170,14 @@ sub generate_script_2() {
 	emit( 'g_family=4' );
 
 	if ( $export ) {
-	    emit ( qq(g_confdir=$shorewallrc{CONFDIR}/shorewall-lite),
+	    emit ( qq(g_confdir=$shorewallrc1{CONFDIR}/shorewall-lite),
 		   'g_product="Shorewall Lite"',
 		   'g_program=shorewall-lite',
 		   'g_basedir=/usr/share/shorewall-lite',
-		   qq(CONFIG_PATH="$shorewallrc{CONFDIR}/shorewall-lite:$shorewallrc{SHAREDIR}/shorewall-lite") ,
+		   qq(CONFIG_PATH="$shorewallrc1{CONFDIR}/shorewall-lite:$shorewallrc1{SHAREDIR}/shorewall-lite") ,
 		 );
 	} else {
-	    emit ( qq(g_confdir=$shorewallrc{CONFDIR}/shorewall),
+	    emit ( qq(g_confdir=$shorewallrc1{CONFDIR}/shorewall),
 		   'g_product=Shorewall',
 		   'g_program=shorewall',
 		   'g_basedir=/usr/share/shorewall',
@@ -186,14 +188,14 @@ sub generate_script_2() {
 	emit( 'g_family=6' );
 
 	if ( $export ) {
-	    emit ( qq(g_confdir=$shorewallrc{CONFDIR}/shorewall6-lite),
+	    emit ( qq(g_confdir=$shorewallrc1{CONFDIR}/shorewall6-lite),
 		   'g_product="Shorewall6 Lite"',
 		   'g_program=shorewall6-lite',
 		   'g_basedir=/usr/share/shorewall6',
-		   qq(CONFIG_PATH="$shorewallrc{CONFDIR}/shorewall6-lite:$shorewallrc{SHAREDIR}/shorewall6-lite") ,
+		   qq(CONFIG_PATH="$shorewallrc1{CONFDIR}/shorewall6-lite:$shorewallrc{SHAREDIR}/shorewall6-lite") ,
 		 );
 	} else {
-	    emit ( qq(g_confdir=$shorewallrc{CONFDIR}/shorewall6),
+	    emit ( qq(g_confdir=$shorewallrc1{CONFDIR}/shorewall6),
 		   'g_product=Shorewall6',
 		   'g_program=shorewall6',
 		   'g_basedir=/usr/share/shorewall',
@@ -202,21 +204,9 @@ sub generate_script_2() {
 	}
     }
 
-    emit( '[ -f ${g_confdir}/vardir ] && . ${g_confdir}/vardir' );
-
-    if ( $family == F_IPV4 ) {
-	if ( $export ) {
-	    emit ( '[ -n "${VARDIR:=' . $shorewallrc{VARDIR} . '/shorewall-lite}" ]' );
-	} else {
-	    emit ( '[ -n "${VARDIR:=' . $shorewallrc{VARDIR} . '/shorewall}" ]' );
-	}
-    } else {
-	if ( $export ) {
-	    emit ( '[ -n "${VARDIR:=' . $shorewallrc{VARDIR} . '/shorewall6-lite}" ]' );
-	} else {
-	    emit ( '[ -n "${VARDIR:=' . $shorewallrc{VARDIR} . '/shorewall6}" ]' );
-	}
-    }
+    emit (   '[ -f ${g_confdir}/vardir ] && . ${g_confdir}/vardir' );
+    emit ( qq([ -n "\${VARDIR:=$shorewallrc1{VARDIR}}" ]) );
+    emit ( qq([ -n "\${VARLIB:=$shorewallrc1{VARLIB}}" ]) );
 
     emit 'TEMPFILE=';
 
@@ -239,6 +229,22 @@ sub generate_script_2() {
 
     set_chain_variables;
 
+    my $need_arptables = $have_arptables || $config{SAVE_ARPTABLES};
+
+    if ( my $arptables = $config{ARPTABLES} ) {
+	emit( qq(ARPTABLES="$arptables"),
+	      '[ -x "$ARPTABLES" ] || startup_error "ARPTABLES=$ARPTABLES does not exist or is not executable"',
+	    );
+    } elsif ( $need_arptables ) {
+	emit( '[ -z "$ARPTABLES" ] && ARPTABLES=$(mywhich arptables)',
+	      '[ -n "$ARPTABLES" -a -x "$ARPTABLES" ] || startup_error "Can\'t find arptables executable"' );
+    }
+
+    if ( $need_arptables ) {
+	emit( 'ARPTABLES_RESTORE=${ARPTABLES}-restore',
+	      '[ -x "$ARPTABLES_RESTORE" ] || startup_error "$ARPTABLES_RESTORE does not exist or is not executable"' );
+    }
+
     if ( $config{EXPORTPARAMS} ) {
 	append_file 'params';
     } else {
@@ -336,6 +342,7 @@ sub generate_script_3($) {
     }
 
     create_netfilter_load( $test );
+    create_arptables_load( $test ) if $have_arptables;
     create_chainlist_reload( $_[0] );
 
     emit "#\n# Start/Restart the Firewall\n#";
@@ -368,6 +375,7 @@ sub generate_script_3($) {
     emit '';
 
     load_ipsets;
+    create_nfobjects;
 
     if ( $family == F_IPV4 ) {
 	emit ( 'if [ "$COMMAND" = refresh ]; then' ,
@@ -377,8 +385,8 @@ sub generate_script_3($) {
 	       'fi',
 	       '' );
 
+	verify_address_variables;
 	save_dynamic_chains;
-
 	mark_firewall_not_started;
 
 	emit ( '',
@@ -406,6 +414,7 @@ sub generate_script_3($) {
 	       'fi',
 	       '' );
 
+	verify_address_variables;
 	save_dynamic_chains;
 	mark_firewall_not_started;
 
@@ -461,59 +470,86 @@ sub generate_script_3($) {
 	  '    if [ -f $iptables_save_file ]; then' );
 
     if ( $family == F_IPV4 ) {
-	emit '        cat $iptables_save_file | $IPTABLES_RESTORE # Use this nonsensical form to appease SELinux'
+	emit( '        cat $iptables_save_file | $IPTABLES_RESTORE # Use this nonsensical form to appease SELinux' );
+
+	emit( '',
+	      '        arptables_save_file=${VARDIR}/$(basename $0)-arptables',
+	      '        if [ -f $arptables_save_file ]; then',
+	      '            cat $arptables_save_file | $ARPTABLES_RESTORE',
+	      '        fi')
+	    if $config{SAVE_ARPTABLES};
+
     } else {
 	emit '        cat $iptables_save_file | $IP6TABLES_RESTORE # Use this nonsensical form to appease SELinux'
     }
 
-    emit<<'EOF';
-    else
-        fatal_error "$iptables_save_file does not exist"
-    fi
-EOF
-    pop_indent;
+    emit( '    else',
+	  '       fatal_error "$iptables_save_file does not exist"',
+	  '    fi',
+	  ''
+	);
+
+    push_indent;
     setup_load_distribution;
     setup_forwarding( $family , 1 );
-    push_indent;
+    pop_indent;
 
     my $config_dir = $globals{CONFIGDIR};
 
     emit<<"EOF";
     set_state Started $config_dir
     run_restored_exit
-else
-    if [ \$COMMAND = refresh ]; then
-        chainlist_reload
+elif [ \$COMMAND = refresh ]; then
+    chainlist_reload
 EOF
+    push_indent;
     setup_load_distribution;
     setup_forwarding( $family , 0 );
+    pop_indent;
+    #
+    # Use a parameter list rather than 'here documents' to avoid an extra blank line
+    #
+    emit(
+'    run_refreshed_exit',
+'    do_iptables -N shorewall' );
 
-    emit( '        run_refreshed_exit' ,
-	  '        do_iptables -N shorewall' ,
-	  "        set_state Started $config_dir" ,
-	  '    else' ,
-	  '        setup_netfilter' );
+    emit ( '    do_iptables -A shorewall -m recent --set --name %CURRENTTIME' ) if have_capability 'RECENT_MATCH';
 
+    emit(
+"    set_state Started $config_dir",
+'    [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall',
+'else',
+'    setup_netfilter'
+	);
+    push_indent;
+    emit 'setup_arptables' if $have_arptables;
     setup_load_distribution;
+    pop_indent;
 
-    emit<<"EOF";
-        conditionally_flush_conntrack
+    emit<<'EOF';
+    conditionally_flush_conntrack
 EOF
+    push_indent;
+    initialize_switches;
     setup_forwarding( $family , 0 );
+    pop_indent;
 
     emit<<"EOF";
-        run_start_exit
-        do_iptables -N shorewall
-        set_state Started $config_dir
-        run_started_exit
-    fi
+    run_start_exit
+    do_iptables -N shorewall
+EOF
 
+    emit ( '    do_iptables -A shorewall -m recent --set --name %CURRENTTIME' ) if have_capability 'RECENT_MATCH';
+
+    emit<<"EOF";
+    set_state Started $config_dir
+    my_pathname=\$(my_pathname)
+    [ \$my_pathname = \${VARDIR}/firewall ] || cp -f \$my_pathname \${VARDIR}/firewall
+    run_started_exit
+fi
 EOF
 
     emit<<'EOF';
-    [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall
-fi
-
 date > ${VARDIR}/restarted
 
 case $COMMAND in
@@ -545,11 +581,12 @@ EOF
 #
 sub compiler {
 
-    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $convert, $config_path, $shorewallrc ) =
-       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0,        0,         0,        0,        , 0       , ''          , '');
+    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $convert, $config_path, $shorewallrc                      , $shorewallrc1 , $directives ) =
+       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0,        0,         0,        0,        , 0       , ''          , '/usr/share/shorewall/shorewallrc', ''            , 0 );
 
-    $export = 0;
-    $test   = 0;
+    $export         = 0;
+    $test           = 0;
+    $have_arptables = 0;
 
     sub validate_boolean( $ ) {
 	 my $val = numeric_value( shift );
@@ -583,8 +620,10 @@ sub compiler {
 		  update        => { store => \$update,        validate=> \&validate_boolean    } ,
 		  convert       => { store => \$convert,       validate=> \&validate_boolean    } ,
 		  annotate      => { store => \$annotate,      validate=> \&validate_boolean    } ,
+		  directives    => { store => \$directives,    validate=> \&validate_boolean    } ,
 		  config_path   => { store => \$config_path } ,
 		  shorewallrc   => { store => \$shorewallrc } ,
+		  shorewallrc1  => { store => \$shorewallrc1 } ,
 		);
     #
     #                               P A R A M E T E R    P R O C E S S I N G
@@ -602,7 +641,7 @@ sub compiler {
     #
     # Now that we know the address family (IPv4/IPv6), we can initialize the other modules' globals
     #
-    initialize_package_globals( $update, $shorewallrc );
+    initialize_package_globals( $update, $shorewallrc, $shorewallrc1 );
 
     set_config_path( $config_path ) if $config_path;
 
@@ -620,7 +659,7 @@ sub compiler {
     #
     #                      S H O R E W A L L . C O N F  A N D  C A P A B I L I T I E S
     #
-    get_configuration( $export , $update , $annotate );
+    get_configuration( $export , $update , $annotate , $directives );
     #
     # Create a temp file to hold the script
     #
@@ -665,11 +704,6 @@ sub compiler {
     #                           (Produces no output to the compiled script)
     #
     process_policies;
-    #
-    #                                       N O T R A C K
-    #                           (Produces no output to the compiled script)
-    #
-    setup_notrack;
 
     enable_script;
 
@@ -709,6 +743,16 @@ sub compiler {
     #
     setup_proxy_arp;
 
+    emit( "#\n# Disable automatic helper association on kernel 3.5.0 and later\n#" ,
+	  'if [ -f /proc/sys/net/netfilter/nf_conntrack_helper ]; then' ,
+	  '    progress_message "Disabling Kernel Automatic Helper Association"',
+	  "    echo 0 > /proc/sys/net/netfilter/nf_conntrack_helper",
+	  'fi',
+	  ''
+	);
+
+    setup_accept_ra if $family == F_IPV6;
+
     if ( $scriptfilename || $debug ) {
 	emit 'return 0';
 	pop_indent;
@@ -753,28 +797,26 @@ sub compiler {
 	emit "}\n"; # End of setup_routing_and_traffic_shaping()
     }
 
+    $have_arptables = process_arprules if $family == F_IPV4;
+
     disable_script;
     #
     #                                       N E T F I L T E R
     #       (Produces no output to the compiled script -- rules are stored in the chain table)
     #
     process_tos;
-
-    if ( $family == F_IPV4 ) {
-	#
-	# ECN
-	#
-	setup_ecn if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
-	#
-	# Setup Masquerading/SNAT
-	#
-	setup_masq;
-	#
-	# Setup Nat
-	#
-	setup_nat;
-    }
-
+    #
+    # ECN
+    #
+    setup_ecn if $family == F_IPV4 && have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
+    #
+    # Setup Masquerading/SNAT
+    #
+    setup_masq;
+    #
+    # Setup Nat
+    #
+    setup_nat if $family == F_IPV4;
     #
     # Setup NETMAP
     #
@@ -788,10 +830,18 @@ sub compiler {
     #
     process_rules( $convert );
     #
+    # Process the conntrack file
+    #
+    setup_conntrack;
+    #
     # Add Tunnel rules.
     #
     setup_tunnels;
     #
+    # Clear the current filename
+    #
+    clear_currentfilename;
+    #
     # MACLIST Filtration again
     #
     setup_mac_lists 2;
@@ -832,7 +882,7 @@ sub compiler {
 	generate_script_2;
 	#
 	#                          N E T F I L T E R   L O A D
-	#    (Produces setup_netfilter(), chainlist_reload() and define_firewall() )
+	#    (Produces setup_netfilter(), setup_arptables(), chainlist_reload() and define_firewall() )
 	#
 	generate_script_3( $chains );
 	#
@@ -845,7 +895,7 @@ sub compiler {
 	#                           S T O P _ F I R E W A L L
 	#         (Writes the stop_firewall() function to the compiled script)
 	#
-	compile_stop_firewall( $test, $export );
+	compile_stop_firewall( $test, $export , $have_arptables );
 	#
 	#                               U P D O W N
 	#               (Writes the updown() function to the compiled script)
@@ -865,6 +915,10 @@ sub compiler {
 	# And generate the auxilary config file
 	#
 	enable_script, generate_aux_config if $export;
+	#
+	# Report used/required capabilities
+	#
+	report_used_capabilities;
     } else {
 	#
 	# Just checking the configuration
@@ -877,7 +931,7 @@ sub compiler {
 
 	    optimize_level0;
 
-	    if ( ( my $optimize = $config{OPTIMIZE} & OPTIMIZE_MASK ) ) {
+	    if ( ( my $optimize = $config{OPTIMIZE} ) & 0x1e ) {
 		progress_message2 'Optimizing Ruleset...';
 		#
 		# Optimize Policy Chains
@@ -893,7 +947,10 @@ sub compiler {
 
 	    generate_script_2 if $debug;
 
-	    preview_netfilter_load if $preview;
+	    if ( $preview ) {
+		preview_netfilter_load;
+		preview_arptables_load if $have_arptables;
+	    }
 	}
 	#
 	# Re-initialize the chain table so that process_routestopped() has the same
@@ -903,7 +960,7 @@ sub compiler {
 	initialize_chain_table(0);
 
 	if ( $debug ) {
-	    compile_stop_firewall( $test, $export );
+	    compile_stop_firewall( $test, $export, $have_arptables );
 	    disable_script;
 	} else {
 	    #
@@ -911,7 +968,12 @@ sub compiler {
 	    # call that function during normal 'check', we must validate routestopped here.
 	    #
 	    process_routestopped;
+	    process_stoppedrules;
 	}
+	#
+	# Report used/required capabilities
+	#
+	report_used_capabilities;
 
 	if ( $family == F_IPV4 ) {
 	    progress_message3 "Shorewall configuration verified";

Shorewall/Perl/Shorewall/IPAddrs.pm

@@ -26,13 +26,13 @@
 #
 package Shorewall::IPAddrs;
 require Exporter;
-use Shorewall::Config qw( :DEFAULT split_list require_capability in_hex8 numeric_value F_IPV4 F_IPV6 );
+use Shorewall::Config qw( :DEFAULT split_list require_capability in_hex8 numeric_value F_IPV4 F_IPV6 :protocols %config );
 use Socket;
 
 use strict;
 
 our @ISA = qw(Exporter);
-our @EXPORT = qw( ALLIPv4
+our @EXPORT = ( qw( ALLIPv4
                   ALLIPv6
 		  NILIPv4
 		  NILIPv6
@@ -48,15 +48,11 @@ our @EXPORT = qw( ALLIPv4
 		  ALLIP
 		  NILIP
 		  ALL
-		  TCP
-		  UDP
-		  UDPLITE
-		  ICMP
-		  DCCP
-		  IPv6_ICMP
-		  SCTP
-		  GRE
+		  VLSMv4
+		  VLSMv6
+		  VLSM
 
+		  valid_address
 		  validate_address
 		  validate_net
 		  decompose_net
@@ -73,6 +69,7 @@ our @EXPORT = qw( ALLIPv4
 		  nilip
 		  rfc1918_networks
 		  resolve_proto
+		  resolve_dnsname
 		  proto_name
 		  validate_port
 		  validate_portpair
@@ -80,27 +77,29 @@ our @EXPORT = qw( ALLIPv4
 		  validate_port_list
 		  validate_icmp
 		  validate_icmp6
-		 );
+		 ) );
 our @EXPORT_OK = qw( );
 our $VERSION = 'MODULEVERSION';
 
 #
 # Some IPv4/6 useful stuff
 #
-my @allipv4 = ( '0.0.0.0/0' );
-my @allipv6 = ( '::/0' );
-my $allip;
-my @allip;
-my @nilipv4 = ( '0.0.0.0' );
-my @nilipv6 = ( '::' );
-my $nilip;
-my @nilip;
-my $valid_address;
-my $validate_address;
-my $validate_net;
-my $validate_range;
-my $validate_host;
-my $family;
+our @allipv4 = ( '0.0.0.0/0' );
+our @allipv6 = ( '::/0' );
+our $allip;
+our @allip;
+our @nilipv4 = ( '0.0.0.0' );
+our @nilipv6 = ( '::' );
+our $nilip;
+our @nilip;
+our $vlsm_width;
+our $valid_address;
+our $validate_address;
+our $validate_net;
+our $resolve_dnsname;
+our $validate_range;
+our $validate_host;
+our $family;
 
 use constant { ALLIPv4             => '0.0.0.0/0' ,
 	       ALLIPv6             => '::/0' ,
@@ -115,16 +114,11 @@ use constant { ALLIPv4             => '0.0.0.0/0' ,
 	       IPv6_LINK_ALLRTRS   => 'ff01::2' ,
 	       IPv6_SITE_ALLNODES  => 'ff02::1' ,
 	       IPv6_SITE_ALLRTRS   => 'ff02::2' ,
-	       ICMP                => 1,
-	       TCP                 => 6,
-	       UDP                 => 17,
-	       DCCP                => 33,
-	       GRE                 => 47,
-	       IPv6_ICMP           => 58,
-	       SCTP                => 132,
-	       UDPLITE             => 136 };
+	       VLSMv4              => 32,
+	       VLSMv6              => 128,
+	   };
 
-my @rfc1918_networks = ( "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" );
+our @rfc1918_networks = ( "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" );
 
 #
 # Note: initialize() is declared at the bottom of the file
@@ -132,7 +126,7 @@ my @rfc1918_networks = ( "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" );
 sub vlsm_to_mask( $ ) {
     my $vlsm = $_[0];
 
-    in_hex8 ( ( 0xFFFFFFFF << ( 32 - $vlsm ) ) & 0xFFFFFFFF );
+    in_hex8 ( ( 0xFFFFFFFF << ( VLSMv4 - $vlsm ) ) & 0xFFFFFFFF );
 }
 
 sub valid_4address( $ ) {
@@ -167,6 +161,20 @@ sub validate_4address( $$ ) {
     defined wantarray ? wantarray ? @addrs : $addrs[0] : undef;
 }
 
+sub resolve_4dnsname( $ ) {
+    my $net = $_[0];
+    my @addrs;
+
+    fatal_error "Unknown Host ($net)" unless  @addrs = gethostbyname( $net );
+
+    shift @addrs for (1..4);
+    for ( @addrs ) {
+	$_ = ( inet_ntoa( $_ ) );
+    }
+
+    @addrs;
+} 
+
 sub decodeaddr( $ ) {
     my $address = $_[0];
 
@@ -212,21 +220,24 @@ sub validate_4net( $$ ) {
     }
 
     if ( defined $vlsm ) {
-        fatal_error "Invalid VLSM ($vlsm)"            unless $vlsm =~ /^\d+$/ && $vlsm <= 32;
+        fatal_error "Invalid VLSM ($vlsm)"            unless $vlsm =~ /^\d+$/ && $vlsm <= VLSMv4;
 	fatal_error "Invalid Network address ($_[0])" if defined $rest;
 	fatal_error "Invalid IP address ($net)"       unless valid_4address $net;
     } else {
 	fatal_error "Invalid Network address ($_[0])" if $_[0] =~ '/' || ! defined $net;
-	validate_4address $net, $_[1];
-	$vlsm = 32;
+	my $net1 = validate_4address $net, $allow_name;
+	$net  = $net1 unless $config{DEFER_DNS_RESOLUTION};
+	$vlsm = VLSMv4;
     }
 
     if ( defined wantarray ) {
-	assert ( ! $allow_name );
 	if ( wantarray ) {
+	    assert( ! $allow_name );
 	    ( decodeaddr( $net ) , $vlsm );
+	} elsif ( valid_4address $net ) {
+	    $vlsm == VLSMv4 ? $net : "$net/$vlsm";
 	} else {
-	    "$net/$vlsm";
+	    $net;
 	}
     }
 }
@@ -241,6 +252,8 @@ sub validate_4range( $$ ) {
     my $last  = decodeaddr $high;
 
     fatal_error "Invalid IP Range ($low-$high)" unless $first <= $last;
+
+    "$low-$high";
 }
 
 sub validate_4host( $$ ) {
@@ -335,6 +348,7 @@ sub resolve_proto( $ ) {
 	$number = numeric_value ( $proto );
 	defined $number && $number <= 255 ? $number : undef;
     } else {
+	fatal_error "A protocol list  ($proto) is not allowed in this context" if $proto =~ /,/; 
 	#
 	# Allow 'icmp' as a synonym for 'ipv6-icmp' in IPv6 compilations
 	#
@@ -392,10 +406,11 @@ sub validate_portpair( $$ ) {
 	$what = 'port';
     }
 
-    fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, SCTP or DCCP" unless
-	defined $protonum && ( $protonum == TCP  ||
-			       $protonum == UDP  ||
-			       $protonum == SCTP ||
+    fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, UDPLITE, SCTP or DCCP" unless
+	defined $protonum && ( $protonum == TCP     ||
+			       $protonum == UDP     ||
+			       $protonum == UDPLITE ||
+			       $protonum == SCTP    ||
 			       $protonum == DCCP );
     join ':', @ports;
 
@@ -621,9 +636,35 @@ sub validate_6address( $$ ) {
     defined wantarray ? wantarray ? @addrs : $addrs[0] : undef;
 }
 
+sub resolve_6dnsname( $ ) {
+    my $net = $_[0];
+    my @addrs;
+    
+    require Socket6;
+    fatal_error "Unknown Host ($net)" unless (@addrs = Socket6::gethostbyname2( $net, Socket6::AF_INET6()));
+
+    shift @addrs for (1..4);
+    for ( @addrs ) {
+	$_ = Socket6::inet_ntop( Socket6::AF_INET6(), $_ );
+    }
+
+    @addrs;
+} 
+
 sub validate_6net( $$ ) {
-    my ($net, $vlsm, $rest) = split( '/', $_[0], 3 );
-    my $allow_name = $_[1];
+    my ( $net, $allow_name ) = @_;
+
+    if ( $net =~ /^\[(.+)]$/ ) {
+	$net = $1;
+    } elsif ( $net =~ /^\[(.+)\]\/(\d+)$/ ) {
+	$net = join( '/', $1, $2 );
+    }
+
+    fatal_error "Invalid Network Address($net)" if $net =~ /\[/;
+
+    ($net, my $vlsm, my $rest) = split( '/', $net, 3 );
+
+    fatal_error 'Invalid Network Address(' . join( '/', $net, $vlsm, $rest ) if defined $rest;
 
     if ( $net =~ /\+(\[?)/ ) {
 	if ( $1 ) {
@@ -635,22 +676,28 @@ sub validate_6net( $$ ) {
 	}
     }
 
+    fatal_error "Invalid Network address ($_[0])" unless supplied $net;
+
+
     if ( defined $vlsm ) {
-        fatal_error "Invalid VLSM ($vlsm)"              unless $vlsm =~ /^\d+$/ && $vlsm <= 128;
+        fatal_error "Invalid VLSM ($vlsm)"              unless $vlsm =~ /^\d+$/ && $vlsm <= VLSMv6;
 	fatal_error "Invalid Network address ($_[0])"   if defined $rest;
 	fatal_error "Invalid IPv6 address ($net)"       unless valid_6address $net;
     } else {
-	fatal_error "Invalid Network address ($_[0])" if $_[0] =~ '/' || ! defined $net;
-	validate_6address $net, $allow_name;
-	$vlsm = 128;
+	fatal_error "Invalid Network address ($_[0])" if $_[0] =~ '/';
+	my $net1 = validate_6address $net, $allow_name;
+	$net  = $net1 unless $config{DEFER_DNS_RESOLUTION};
+	$vlsm = VLSMv6;
     }
 
     if ( defined wantarray ) {
-	assert ( ! $allow_name );
 	if ( wantarray ) {
+	    assert( ! $allow_name );
 	    ( $net , $vlsm );
+	} elsif ( valid_6address ( $net ) ) {
+	    $vlsm == VLSMv6 ? $net : "$net/$vlsm";
 	} else {
-	    "$net/$vlsm";
+	    $net;
 	}
     }
 }
@@ -697,11 +744,13 @@ sub validate_6range( $$ ) {
     while ( @low ) {
 	my ( $l, $h) = ( shift @low, shift @high );
 	next     if hex "0x$l" == hex "0x$h";
-	return 1 if hex "0x$l"  < hex "0x$h";
+	return "$low-$high" if hex "0x$l"  < hex "0x$h";
 	last;
     }
 
     fatal_error "Invalid IPv6 Range ($low-$high)";
+
+    
 }
 
 sub validate_6host( $$ ) {
@@ -718,8 +767,8 @@ my %ipv6_icmp_types = ( any                          => 'any',
 			'destination-unreachable'    => 1,
 			'no-route'                   => '1/0',
 			'communication-prohibited'   => '1/1',
-			'address-unreachable'        => '1/2',
-			'port-unreachable'           => '1/3',
+			'address-unreachable'        => '1/3',
+			'port-unreachable'           => '1/4',
 			'packet-too-big'             =>  2,
 			'time-exceeded'              =>  3,
 			'ttl-exceeded'               =>  3,
@@ -768,6 +817,10 @@ sub nilip() {
     @nilip;
 }
 
+sub VLSM() {
+    $vlsm_width;
+}
+
 sub valid_address ( $ ) {
     $valid_address->(@_);
 }
@@ -780,6 +833,10 @@ sub validate_net ( $$ ) {
     $validate_net->(@_);
 }
 
+sub resolve_dnsname( $ ) {
+    $resolve_dnsname->(@_);
+}
+
 sub validate_range ($$ ) {
     $validate_range->(@_);
 }
@@ -806,21 +863,25 @@ sub initialize( $ ) {
 	@allip            = @allipv4;
 	$nilip            = NILIPv4;
 	@nilip            = @nilipv4;
+	$vlsm_width       = VLSMv4;
 	$valid_address    = \&valid_4address;
 	$validate_address = \&validate_4address;
 	$validate_net     = \&validate_4net;
 	$validate_range   = \&validate_4range;
 	$validate_host    = \&validate_4host;
+	$resolve_dnsname  = \&resolve_4dnsname;
     } else {
 	$allip            = ALLIPv6;
 	@allip            = @allipv6;
 	$nilip            = NILIPv6;
 	@nilip            = @nilipv6;
+	$vlsm_width       = VLSMv6;
 	$valid_address    = \&valid_6address;
 	$validate_address = \&validate_6address;
 	$validate_net     = \&validate_6net;
 	$validate_range   = \&validate_6range;
 	$validate_host    = \&validate_6host;
+	$resolve_dnsname  = \&resolve_6dnsname;
     }
 }
 

Shorewall/Perl/Shorewall/Misc.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011,2012 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010,2011,2012,2013 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -41,13 +41,14 @@ our @EXPORT = qw( process_tos
 		  add_common_rules
 		  setup_mac_lists
 		  process_routestopped
+		  process_stoppedrules
 		  compile_stop_firewall
 		  generate_matrix
 		  );
 our @EXPORT_OK = qw( initialize );
 our $VERSION = 'MODULEVERSION';
 
-my $family;
+our $family;
 
 #
 # Rather than initializing globals in an INIT block or during declaration,
@@ -117,6 +118,7 @@ sub process_tos() {
 	    expand_rule
 		$chainref ,
 		$restriction ,
+		'',
 		do_proto( $proto, $ports, $sports ) . do_test( $mark , $globals{TC_MASK} ) ,
 		$src ,
 		$dst ,
@@ -198,30 +200,29 @@ sub setup_blacklist() {
     my $zones1 = find_zones_by_option 'blacklist', 'out';
     my $chainref;
     my $chainref1;
-    my ( $level, $disposition ) = @config{'BLACKLIST_LOGLEVEL', 'BLACKLIST_DISPOSITION' };
+    my ( $level, $disposition ) = @config{'BLACKLIST_LOG_LEVEL', 'BLACKLIST_DISPOSITION' };
     my $audit       = $disposition =~ /^A_/;
     my $target      = $disposition eq 'REJECT' ? 'reject' : $disposition;
     my $orig_target = $target;
 
-    #
-    # We go ahead and generate the blacklist chains and jump to them, even if they turn out to be empty. That is necessary
-    # for 'refresh' to work properly.
-    #
-    if ( @$zones || @$zones1 ) {
-	$chainref  = set_optflags( new_standard_chain( 'blacklst' ), DONT_OPTIMIZE | DONT_DELETE ) if @$zones;
-	$chainref1 = set_optflags( new_standard_chain( 'blackout' ), DONT_OPTIMIZE | DONT_DELETE ) if @$zones1;
-
-	if ( supplied $level ) {
-	    $target = ensure_blacklog_chain ( $target, $disposition, $level, $audit );
-	} elsif ( $audit ) {
-	    require_capability 'AUDIT_TARGET', "BLACKLIST_DISPOSITION=$disposition", 's';
-	    $target = verify_audit( $disposition );
-	}
-    }
-
   BLACKLIST:
     {
 	if ( my $fn = open_file 'blacklist' ) {
+	    #
+	    # We go ahead and generate the blacklist chains and jump to them, even if they turn out to be empty. That is necessary
+	    # for 'refresh' to work properly.
+	    #
+	    if ( @$zones || @$zones1 ) {
+		$chainref  = set_optflags( new_standard_chain( 'blacklst' ), DONT_OPTIMIZE | DONT_DELETE ) if @$zones;
+		$chainref1 = set_optflags( new_standard_chain( 'blackout' ), DONT_OPTIMIZE | DONT_DELETE ) if @$zones1;
+
+		if ( supplied $level ) {
+		    $target = ensure_blacklog_chain ( $target, $disposition, $level, $audit );
+		} elsif ( $audit ) {
+		    require_capability 'AUDIT_TARGET', "BLACKLIST_DISPOSITION=$disposition", 's';
+		    $target = verify_audit( $disposition );
+		}
+	    }
 
 	    my $first_entry = 1;
 
@@ -283,6 +284,7 @@ sub setup_blacklist() {
 				expand_rule(
 					    $chainref ,
 					    NO_RESTRICT ,
+					    '' ,
 					    do_proto( $protocol , $ports, '' ) ,
 					    $networks,
 					    '',
@@ -303,6 +305,7 @@ sub setup_blacklist() {
 				expand_rule(
 					    $chainref1 ,
 					    NO_RESTRICT ,
+					    '' ,
 					    do_proto( $protocol , $ports, '' ) ,
 					    '',
 					    $networks,
@@ -379,7 +382,7 @@ sub remove_blacklist( $ ) {
 sub convert_blacklist() {
     my $zones  = find_zones_by_option 'blacklist', 'in';
     my $zones1 = find_zones_by_option 'blacklist', 'out';
-    my ( $level, $disposition ) = @config{'BLACKLIST_LOGLEVEL', 'BLACKLIST_DISPOSITION' };
+    my ( $level, $disposition ) = @config{'BLACKLIST_LOG_LEVEL', 'BLACKLIST_DISPOSITION' };
     my $audit       = $disposition =~ /^A_/;
     my $target      = $disposition eq 'REJECT' ? 'reject' : $disposition;
     my $orig_target = $target;
@@ -668,6 +671,90 @@ sub process_routestopped() {
     }
 }
 
+#
+# Process the stoppedrules file. Returns true if the file was non-empty.
+#
+sub process_stoppedrules() {
+    my $fw = firewall_zone;
+    my $result;
+
+    if ( my $fn = open_file 'stoppedrules' , 1, 1 ) {
+	first_entry "$doing $fn...";
+
+	while ( read_a_line( NORMAL_READ ) ) {
+
+	    $result = 1;
+
+	    my ( $target, $source, $dest, $protos, $ports, $sports ) = 
+		split_line1 'stoppedrules file', { target => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5 };
+
+	    fatal_error( "Invalid TARGET ($target)" ) unless $target =~ /^(?:ACCEPT|NOTRACK)$/;
+
+	    my $tableref;
+
+	    my $chainref;
+	    my $restriction = NO_RESTRICT;
+
+	    if ( $target eq 'NOTRACK' ) {
+		$tableref = $raw_table;
+		require_capability 'RAW_TABLE', 'NOTRACK', 's';
+		$chainref = $raw_table->{PREROUTING};
+		$restriction = PREROUTE_RESTRICT | DESTIFACE_DISALLOW;
+	    } else {
+		$tableref = $filter_table;
+	    }
+
+	    if ( $source eq $fw ) {
+		$chainref = ( $target eq 'NOTRACK' ? $raw_table : $filter_table)->{OUTPUT};
+		$source = '';
+		$restriction = OUTPUT_RESTRICT;
+	    } elsif ( $source =~ s/^($fw):// ) {
+		$chainref = ( $target eq 'NOTRACK' ? $raw_table : $filter_table)->{OUTPUT};
+		$restriction = OUTPUT_RESTRICT;
+	    }
+
+	    if ( $dest eq $fw ) {
+		fatal_error "\$FW may not be specified as the destination of a NOTRACK rule" if $target eq 'NOTRACK';
+		$chainref = $filter_table->{INPUT};
+		$dest = '';
+		$restriction = INPUT_RESTRICT;
+	    } elsif ( $dest =~ s/^($fw):// ) {
+		fatal_error "\$FW may not be specified as the destination of a NOTRACK rule" if $target eq 'NOTRACK';
+		$chainref = $filter_table->{INPUT};
+		$restriction = INPUT_RESTRICT;
+	    }
+
+	    $chainref = $tableref->{FORWARD} unless $chainref;
+
+	    my $disposition = $target;
+
+	    $target = 'CT --notrack' if $target eq 'NOTRACK' and have_capability( 'CT_TARGET' );
+
+	    unless ( $restriction == OUTPUT_RESTRICT
+		     && $target eq 'ACCEPT'
+		     && $config{ADMINISABSENTMINDED} ) {
+		for my $proto ( split_list $protos, 'Protocol' ) {
+		    expand_rule( $chainref ,
+				 $restriction ,
+				 '' ,
+				 do_proto( $proto, $ports, $sports ) ,
+				 $source ,
+				 $dest ,
+				 '' ,
+				 $target,
+				 '',
+				 $disposition,
+				 do_proto( $proto, '-', '-' ) );
+		}
+	    } else {
+		warning_message "Redundant OUTPUT rule ignored because ADMINISABSENTMINDED=Yes";
+	    }
+	}
+    }
+
+    $result;
+}
+
 sub setup_mss();
 
 sub add_common_rules ( $ ) {
@@ -681,9 +768,9 @@ sub add_common_rules ( $ ) {
     my $chain;
     my $dynamicref;
 
-    my @state     = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID' : ();
+    my @state     = state_imatch( $globals{BLACKLIST_STATES} );
     my $faststate = $config{RELATED_DISPOSITION} eq 'ACCEPT' && $config{RELATED_LOG_LEVEL} eq '' ? 'ESTABLISHED,RELATED' : 'ESTABLISHED';
-    my $level     = $config{BLACKLIST_LOGLEVEL};
+    my $level     = $config{BLACKLIST_LOG_LEVEL};
     my $rejectref = $filter_table->{reject};
 
     if ( $config{DYNAMIC_BLACKLIST} ) {
@@ -745,11 +832,12 @@ sub add_common_rules ( $ ) {
     }
 
     for $interface ( all_real_interfaces ) {
-	ensure_chain( 'filter', $_ ) for first_chains( $interface ), output_chain( $interface ), option_chains( $interface ), output_option_chain( $interface );
+	ensure_chain( 'filter', $_ )->{origin} = interface_origin( $interface )
+	    for first_chains( $interface ), output_chain( $interface ), option_chains( $interface ), output_option_chain( $interface );
 
 	my $interfaceref = find_interface $interface;
 
-	unless ( $interfaceref->{options}{ignore} & NO_SFILTER ) {
+	unless ( $interfaceref->{options}{ignore} & NO_SFILTER || $interfaceref->{options}{rpfilter} || $interfaceref->{physical} eq 'lo' ) {
 
 	    my @filters = @{$interfaceref->{filter}};
 
@@ -773,7 +861,7 @@ sub add_common_rules ( $ ) {
 
 	    for ( option_chains( $interface ) ) {
 		add_ijump( $filter_table->{$_}, j => $dynamicref, @state ) if $dynamicref;
-		add_ijump( $filter_table->{$_}, j => 'ACCEPT', state_imatch $faststate ) if $config{FASTACCEPT};
+		add_ijump( $filter_table->{$_}, j => 'ACCEPT', state_imatch $faststate )->{comment} = '' if $config{FASTACCEPT};
 	    }
 	}
     }
@@ -787,6 +875,38 @@ sub add_common_rules ( $ ) {
 	}
     }
 
+    $list = find_interfaces_by_option('rpfilter');
+
+    if ( @$list ) {
+	$policy   = $config{RPFILTER_DISPOSITION};
+	$level    = $config{RPFILTER_LOG_LEVEL};
+	$audit    = $policy =~ s/^A_//;
+	
+	if ( $level || $audit ) {
+	    #
+	    # Create a chain to log and/or audit and apply the policy
+	    #
+	    $chainref = ensure_mangle_chain 'rplog';
+
+	    log_rule $level , $chainref , $policy , '' if $level ne '';
+
+	    add_ijump( $chainref, j => 'AUDIT', targetopts => '--type ' . lc $policy ) if $audit;
+
+	    add_ijump $chainref, g => $policy eq 'REJECT' ? 'reject' : $policy;
+
+	    $target = 'rplog';
+	} else {
+	    $target = $policy eq 'REJECT' ? 'reject' : $policy;
+	}
+
+	add_ijump( ensure_mangle_chain( 'rpfilter' ),
+		   j        => $target,
+		   rpfilter => '--validmark --invert',
+		   state_imatch 'NEW,RELATED,INVALID',
+		   @ipsec
+		 );
+    }
+	    
     run_user_exit1 'initdone';
 
     if ( $upgrade ) {
@@ -807,14 +927,13 @@ sub add_common_rules ( $ ) {
 	if ( supplied $config{SMURF_LOG_LEVEL} ) {
 	    my $smurfref = new_chain( 'filter', 'smurflog' );
 
-	    log_rule_limit( $config{SMURF_LOG_LEVEL},
-			    $smurfref,
-			    'smurfs' ,
-			    'DROP',
-			    $globals{LOGLIMIT},
-			    '',
-			    'add',
-			    '' );
+	    log_irule_limit( $config{SMURF_LOG_LEVEL},
+			     $smurfref,
+			     'smurfs' ,
+			     'DROP',
+			     $globals{LOGILIMIT},
+			     '',
+			     'add' );
 	    add_ijump( $smurfref, j => 'AUDIT', targetopts => '--type drop' ) if $smurfdest eq 'A_DROP';
 	    add_ijump( $smurfref, j => 'DROP' );
 
@@ -850,7 +969,7 @@ sub add_common_rules ( $ ) {
 	    add_ijump( $chainref, g => $smurfdest, s => IPv6_MULTICAST );
 	}
 
-	my @state = $globals{UNTRACKED} ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID';
+	my @state = have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID';
 
 	for my $hostref  ( @$list ) {
 	    $interface     = $hostref->[0];
@@ -924,7 +1043,7 @@ sub add_common_rules ( $ ) {
 		add_ijump( $filter_table->{input_chain( $interface ) } ,
 			   j => 'ACCEPT' ,
 			   p => "udp --dport $ports" ,
-			   s => NILIPv4 . '/32' );
+			   s => NILIPv4 . '/' . VLSMv4 );
 	    }
 	}
     }
@@ -1011,7 +1130,7 @@ sub add_common_rules ( $ ) {
 
 	    for $interface ( @$list ) {
 		my $chainref = $filter_table->{input_option_chain $interface};
-		my $base     = uc chain_base get_physical $interface;
+		my $base     = uc var_base get_physical $interface;
 		my $optional = interface_is_optional( $interface );
 		my $variable = get_interface_gateway( $interface, ! $optional );
 
@@ -1050,7 +1169,7 @@ sub setup_mac_lists( $ ) {
     my $target      = $globals{MACLIST_TARGET};
     my $level       = $config{MACLIST_LOG_LEVEL};
     my $disposition = $config{MACLIST_DISPOSITION};
-    my $audit       = $disposition =~ /^A_/;
+    my $audit       = ( $disposition =~ s/^A_// );
     my $ttl         = $config{MACLIST_TTL};
 
     progress_message2 "$doing MAC Filtration -- Phase $phase...";
@@ -1093,7 +1212,7 @@ sub setup_mac_lists( $ ) {
 	    }
 	}
 
-	if ( my $fn = open_file 'maclist' ) {
+	if ( my $fn = open_file 'maclist', 1, 1 ) {
 
 	    first_entry "$doing $fn...";
 
@@ -1101,50 +1220,44 @@ sub setup_mac_lists( $ ) {
 
 		my ( $original_disposition, $interface, $mac, $addresses  ) = split_line1 'maclist file', { disposition => 0, interface => 1, mac => 2, addresses => 3 };
 
-		if ( $original_disposition eq 'COMMENT' ) {
-		    process_comment;
-		} else {
-		    my ( $disposition, $level, $remainder) = split( /:/, $original_disposition, 3 );
+		my ( $disposition, $level, $remainder) = split( /:/, $original_disposition, 3 );
 
-		    fatal_error "Invalid DISPOSITION ($original_disposition)" if defined $remainder || ! $disposition;
+		fatal_error "Invalid DISPOSITION ($original_disposition)" if defined $remainder || ! $disposition;
 
-		    my $targetref = $maclist_targets{$disposition};
+		my $targetref = $maclist_targets{$disposition};
 
-		    fatal_error "Invalid DISPOSITION ($original_disposition)"              if ! $targetref || ( ( $table eq 'mangle' ) && ! $targetref->{mangle} );
-		    fatal_error "Unknown Interface ($interface)"                           unless known_interface( $interface );
-		    fatal_error "No hosts on $interface have the maclist option specified" unless $maclist_interfaces{$interface};
+		fatal_error "Invalid DISPOSITION ($original_disposition)"              if ! $targetref || ( ( $table eq 'mangle' ) && ! $targetref->{mangle} );
+		fatal_error "Unknown Interface ($interface)"                           unless known_interface( $interface );
+		fatal_error "No hosts on $interface have the maclist option specified" unless $maclist_interfaces{$interface};
 
-		    my $chainref = $chain_table{$table}{( $ttl ? macrecent_target $interface : mac_chain $interface )};
+		my $chainref = $chain_table{$table}{( $ttl ? macrecent_target $interface : mac_chain $interface )};
 
-		    $mac       = '' unless $mac && ( $mac ne '-' );
-		    $addresses = '' unless defined $addresses && ( $addresses ne '-' );
+		$mac       = '' unless $mac && ( $mac ne '-' );
+		$addresses = '' unless defined $addresses && ( $addresses ne '-' );
 
-		    fatal_error "You must specify a MAC address or an IP address" unless $mac || $addresses;
+		fatal_error "You must specify a MAC address or an IP address" unless $mac || $addresses;
 
-		    $mac = do_mac $mac if $mac;
+		$mac = do_mac $mac if $mac;
 
-		    if ( $addresses ) {
-			for my $address ( split ',', $addresses ) {
-			    my $source = match_source_net $address;
-			    log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , "${mac}${source}"
-				if supplied $level;
-
-			    add_ijump( $chainref , j => 'AUDIT', targetopts => '--type ' . lc $disposition ) if $audit && $disposition ne 'ACCEPT';
-			    add_jump( $chainref , $targetref->{target}, 0, "${mac}${source}" );
-			}
-		    } else {
-			log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , $mac
+		if ( $addresses ) {
+		    for my $address ( split ',', $addresses ) {
+			my $source = match_source_net $address;
+			log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , "${mac}${source}"
 			    if supplied $level;
 
 			add_ijump( $chainref , j => 'AUDIT', targetopts => '--type ' . lc $disposition ) if $audit && $disposition ne 'ACCEPT';
-			add_jump ( $chainref , $targetref->{target}, 0, "$mac" );
+			add_jump( $chainref , $targetref->{target}, 0, "${mac}${source}" );
 		    }
+		} else {
+		    log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , $mac
+			if supplied $level;
 
-		    progress_message "      Maclist entry \"$currentline\" $done";
+		    add_ijump( $chainref , j => 'AUDIT', targetopts => '--type ' . lc $disposition ) if $audit && $disposition ne 'ACCEPT';
+		    add_jump ( $chainref , $targetref->{target}, 0, "$mac" );
 		}
-	    }
 
-	    clear_comment;
+		progress_message "      Maclist entry \"$currentline\" $done";
+	    }
 	}
 	#
 	# Generate jumps from the input and forward chains
@@ -1155,7 +1268,7 @@ sub setup_mac_lists( $ ) {
 	    my @policy     = have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
 	    my @source     = imatch_source_net $hostref->[2];
 
-	    my @state = $globals{UNTRACKED} ? state_imatch 'NEW,UNTRACKED' : state_imatch 'NEW';
+	    my @state = have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,UNTRACKED' : state_imatch 'NEW';
 
 	    if ( $table eq 'filter' ) {
 		my $chainref = source_exclusion( $hostref->[3], $filter_table->{mac_chain $interface} );
@@ -1172,6 +1285,8 @@ sub setup_mac_lists( $ ) {
 	#
 	# Phase II
 	#
+	ensure_audit_chain( $target, $disposition, undef, $table ) if $audit;
+
 	for my $interface ( @maclist_interfaces ) {
 	    my $chainref = $chain_table{$table}{( $ttl ? macrecent_target $interface : mac_chain $interface )};
 	    my $chain    = $chainref->{name};
@@ -1219,7 +1334,7 @@ sub setup_mac_lists( $ ) {
 
 	    run_user_exit2( 'maclog', $chainref );
 
-	    log_rule_limit $level, $chainref , $chain , $disposition, '', '', 'add', '' if $level ne '';
+	    log_irule_limit $level, $chainref , $chain , $disposition, [], '', 'add' if $level ne '';
 	    add_ijump $chainref, j => $target;
 	}
     }
@@ -1283,7 +1398,7 @@ sub generate_source_rules( $$$;@ ) {
     my ( $outchainref, $z1, $z2, @matches ) = @_;
     my $chain = rules_target ( $z1, $z2 );
 
-    if ( $chain ) {
+    if ( $chain && $chain ne 'NONE' ) {
 	#
 	# Not a CONTINUE policy with no rules
 	#
@@ -1308,10 +1423,14 @@ sub generate_source_rules( $$$;@ ) {
 # Loopback traffic -- this is where we assemble the intra-firewall chains
 #
 sub handle_loopback_traffic() {
-    my @zones   = ( vserver_zones, firewall_zone );
-    my $natout  = $nat_table->{OUTPUT};
-    my $rulenum = 0;
+    my @zones    = ( vserver_zones, firewall_zone );
+    my $natout   = $nat_table->{OUTPUT};
+    my $rawout   = $raw_table->{OUTPUT};
+    my $rulenum  = 0;
+    my $loopback = loopback_zones;
+    my $loref    = known_interface('lo');
 
+    my $unmanaged;
     my $outchainref;
     my @rule;
 
@@ -1325,27 +1444,57 @@ sub handle_loopback_traffic() {
 	#
 	# Only the firewall -- just use the OUTPUT chain
 	#
-	$outchainref = $filter_table->{OUTPUT};
-	@rule = ( o => 'lo');
+	if ( $unmanaged = $loref && $loref->{options}{unmanaged} ) {
+	    add_ijump( $filter_table->{INPUT},  j => 'ACCEPT', i => 'lo' );
+	    add_ijump( $filter_table->{OUTPUT}, j => 'ACCEPT', o => 'lo' );
+	} else {
+	    $outchainref = $filter_table->{OUTPUT};
+	    @rule = ( o => 'lo');
+	}
     }
 
     for my $z1 ( @zones ) {
 	my $z1ref            = find_zone( $z1 );
 	my $type1            = $z1ref->{type};
 	my $natref           = $nat_table->{dnat_chain $z1};
+	my $notrackref       = $raw_table->{notrack_chain( $z1 )};
 	#
 	# Add jumps in the 'output' chain to the rules chains
 	#
 	if ( $type1 == FIREWALL ) {
 	    for my $z2 ( @zones ) {
-		my $chain = rules_target( $z1, $z2 );
+		next if $z1 eq $z2 && ( $loopback || $unmanaged );
 
+		my $chain = rules_target( $z1, $z2 );
 		generate_dest_rules( $outchainref, $chain, $z2, @rule ) if $chain;
 	    }
+	    #
+	    # Handle conntrack 
+	    #
+	    if ( $notrackref ) {
+		add_ijump $rawout, j => $notrackref if $notrackref->{referenced};
+	    }
 	} else {
 	    for my $z2 ( @zones ) {
 		generate_source_rules( $outchainref, $z1, $z2, @rule );
 	    }
+	    #
+	    # Handle conntrack rules
+	    #
+	    if ( $notrackref->{referenced} ) {
+		for my $hostref ( @{defined_zone( $z1 )->{hosts}{ip}{'%vserver%'}} ) {
+		    my $exclusion   = source_exclusion( $hostref->{exclusions}, $notrackref);
+		    my @ipsec_match = match_ipsec_in $z1 , $hostref;
+
+		    for my $net ( @{$hostref->{hosts}} ) {
+			insert_ijump( $rawout,
+				      j => $exclusion ,
+				      $rawout->{insert}++,
+				      imatch_source_net $net,
+				      @ipsec_match );
+		    }
+		}
+	    }
 	}
 
 	if ( $natref && $natref->{referenced} ) {
@@ -1377,8 +1526,9 @@ sub add_interface_jumps {
     our %input_jump_added;
     our %output_jump_added;
     our %forward_jump_added;
-    my  $lo_jump_added = 0;
     my @interfaces = grep $_ ne '%vserver%', @_;
+    my $dummy;
+    my $lo_jump_added = interface_zone( 'lo' ) && ! get_interface_option( 'lo', 'destonly' );
     #
     # Add Nat jumps
     #
@@ -1386,10 +1536,6 @@ sub add_interface_jumps {
 	addnatjump 'POSTROUTING' , snat_chain( $interface ), imatch_dest_dev( $interface );
     }
 
-    addnatjump 'PREROUTING'  , 'nat_in';
-    addnatjump 'POSTROUTING' , 'nat_out';
-    addnatjump 'PREROUTING', 'dnat';
-
     for my $interface ( @interfaces  ) {
 	addnatjump 'PREROUTING'  , input_chain( $interface )  , imatch_source_dev( $interface );
 	addnatjump 'POSTROUTING' , output_chain( $interface ) , imatch_dest_dev( $interface );
@@ -1400,6 +1546,8 @@ sub add_interface_jumps {
 	    insert_ijump ( $raw_table->{PREROUTING},      j => prerouting_chain( $interface ),  0, imatch_source_dev( $interface) ) if $raw_table->{prerouting_chain $interface};
 	    insert_ijump ( $raw_table->{OUTPUT},          j => output_chain( $interface ),      0, imatch_dest_dev( $interface) )   if $raw_table->{output_chain $interface};
 	}
+
+	add_ijump( $mangle_table->{PREROUTING}, j => 'rpfilter' , imatch_source_dev( $interface ) ) if interface_has_option( $interface, 'rpfilter', $dummy );
     }
     #
     # Add the jumps to the interface chains from filter FORWARD, INPUT, OUTPUT
@@ -1477,7 +1625,7 @@ sub handle_complex_zone( $$ ) {
 
     if ( have_ipsec ) {
 	#
-	# Prior to KLUDGEFREE, policy match could only match an 'in' or an 'out' policy (but not both), so we place the
+	# In general, policy match can only match an 'in' or an 'out' policy (but not both), so we place the
 	# '--pol ipsec --dir in' rules at the front of the (interface) forwarding chains. Otherwise, decrypted packets
 	# can match '--pol none --dir out' rules and send the packets down the wrong rules chain.
 	#
@@ -1489,6 +1637,8 @@ sub handle_complex_zone( $$ ) {
 	    my @interfacematch;
 	    my $interfaceref = find_interface $interface;
 
+	    next if $interfaceref->{options}{destonly};
+
 	    if ( use_forward_chain( $interface, $sourcechainref ) ) {
 		#
 		# Use the interface forward chain
@@ -1692,6 +1842,7 @@ sub add_prerouting_jumps( $$$$$$$$ ) {
 
     my $dnatref         = $nat_table->{dnat_chain( $zone )};
     my $preroutingref   = $nat_table->{PREROUTING};
+    my $rawref          = $raw_table->{PREROUTING};
     my $notrackref      = ensure_chain 'raw' , notrack_chain( $zone );
     my @ipsec_in_match  = match_ipsec_in  $zone , $hostref;
 
@@ -1716,15 +1867,20 @@ sub add_prerouting_jumps( $$$$$$$$ ) {
 	# There are notrack rules with this zone as the source.
 	# Add a jump from this source network to this zone's notrack chain
 	#
-	add_ijump $raw_table->{PREROUTING}, j => source_exclusion( $exclusions, $notrackref), imatch_source_dev( $interface), @source, @ipsec_in_match;
+	insert_ijump $rawref, j => source_exclusion( $exclusions, $notrackref), $rawref->{insert}++, imatch_source_dev( $interface), @source, @ipsec_in_match;
     }
     #
     # If this zone has parents with DNAT/REDIRECT or notrack rules and there are no CONTINUE polcies with this zone as the source
     # then add a RETURN jump for this source network.
     #
     if ( $nested ) {
-	add_ijump $preroutingref,           j => 'RETURN', imatch_source_dev( $interface), @source, @ipsec_in_match if $parenthasnat;
-	add_ijump $raw_table->{PREROUTING}, j => 'RETURN', imatch_source_dev( $interface), @source, @ipsec_in_match if $parenthasnotrack;
+	if ( $parenthasnat ) {
+	    add_ijump $preroutingref, j => 'RETURN',                      imatch_source_dev( $interface), @source, @ipsec_in_match;
+	}
+	if ( $parenthasnotrack ) {
+	    my $rawref = $raw_table->{PREROUTING};
+	    insert_ijump $rawref,     j => 'RETURN', $rawref->{insert}++, imatch_source_dev( $interface), @source, @ipsec_in_match;
+	}
     }
 }
 
@@ -1927,11 +2083,11 @@ sub optimize1_zones( $$@ ) {
 # The biggest disadvantage of the zone-policy-rule model used by Shorewall is that it doesn't scale well as the number of zones increases (Order N**2 where N = number of zones).
 # A major goal of the rewrite of the compiler in Perl was to restrict those scaling effects to this function and the rules that it generates.
 #
-# The function traverses the full "source-zone by destination-zone" matrix and generates the rules necessary to direct traffic through the right set of filter-table and
+# The function traverses the full "source-zone by destination-zone" matrix and generates the rules necessary to direct traffic through the right set of filter-table, raw-table and
 # nat-table rules.
 #
 sub generate_matrix() {
-    my @interfaces = ( all_interfaces );
+    my @interfaces = ( managed_interfaces );
     #
     # Should this be the real PREROUTING chain?
     #
@@ -1960,12 +2116,6 @@ sub generate_matrix() {
 	}
     }
     #
-    # NOTRACK from firewall
-    #
-    if ( ( my $notrackref = $raw_table->{notrack_chain(firewall_zone)}) ) {
-	add_ijump $raw_table->{OUTPUT}, j => $notrackref if $notrackref->{referenced};
-    }
-    #
     # Main source-zone matrix-generation loop
     #
     progress_message '  Entering main matrix-generation loop...';
@@ -1977,6 +2127,7 @@ sub generate_matrix() {
 	my $nested           = @{$zoneref->{parents}};
 	my $parenthasnat     = 0;
 	my $parenthasnotrack = 0;
+	my $type             = $zoneref->{type};
 	#
 	# Create the zone's dnat chain
 	#
@@ -2052,6 +2203,7 @@ sub generate_matrix() {
 	    #
 	    for my $zone1 ( @dest_zones ) {
 		my $zone1ref = find_zone( $zone1 );
+		my $type1    = $zone1ref->{type};
 
 		next if $filter_table->{rules_chain( ${zone}, ${zone1} )}->{policy}  eq 'NONE';
 
@@ -2065,7 +2217,7 @@ sub generate_matrix() {
 		    next if ( $num_ifaces = scalar( keys ( %{$zoneref->{interfaces}} ) ) ) < 2 && ! $zoneref->{options}{in_out}{routeback};
 		}
 
-		if ( $zone1ref->{type} & BPORT ) {
+		if ( $type1 & BPORT ) {
 		    next unless $zoneref->{bridge} eq $zone1ref->{bridge};
 		}
 
@@ -2096,20 +2248,31 @@ sub generate_matrix() {
     } # Source Zone Loop
 
     progress_message '  Finishing matrix...';
+    #
+    # Make sure that the 1:1 NAT jumps are last in PREROUTING
+    #
+    addnatjump 'PREROUTING'  , 'nat_in';
+    addnatjump 'POSTROUTING' , 'nat_out';
 
     add_interface_jumps @interfaces unless $interface_jumps_added;
 
-    my %builtins = ( mangle => [ qw/PREROUTING INPUT FORWARD POSTROUTING/ ] ,
-		     nat=>     [ qw/PREROUTING OUTPUT POSTROUTING/ ] ,
-		     filter=>  [ qw/INPUT FORWARD OUTPUT/ ] );
-
     unless ( $config{COMPLETE} ) {
+	for ( unmanaged_interfaces ) {
+	    my $physical = get_physical $_;
+	    add_ijump( $filter_table->{INPUT},  j => 'ACCEPT', i => $physical );
+	    add_ijump( $filter_table->{OUTPUT}, j => 'ACCEPT', o => $physical );
+	}
+
 	complete_standard_chain $filter_table->{INPUT}   , 'all' , firewall_zone , 'DROP';
 	complete_standard_chain $filter_table->{OUTPUT}  , firewall_zone , 'all', 'REJECT';
 	complete_standard_chain $filter_table->{FORWARD} , 'all' , 'all', 'REJECT';
     }
 
     if ( $config{LOGALLNEW} ) {
+	my %builtins = ( mangle => [ qw/PREROUTING INPUT FORWARD POSTROUTING/ ] ,
+			 nat=>     [ qw/PREROUTING OUTPUT POSTROUTING/ ] ,
+			 filter=>  [ qw/INPUT FORWARD OUTPUT/ ] );
+
 	for my $table ( qw/mangle nat filter/ ) {
 	    for my $chain ( @{$builtins{$table}} ) {
 		log_rule_limit
@@ -2120,7 +2283,7 @@ sub generate_matrix() {
 		    '' ,
 		    '' ,
 		    'insert' ,
-		    "$globals{STATEMATCH} NEW ";
+		    state_match('NEW');
 	    }
 	}
     }
@@ -2181,8 +2344,8 @@ sub setup_mss( ) {
 #
 # Compile the stop_firewall() function
 #
-sub compile_stop_firewall( $$ ) {
-    my ( $test, $export ) = @_;
+sub compile_stop_firewall( $$$ ) {
+    my ( $test, $export, $have_arptables ) = @_;
 
     my $input   = $filter_table->{INPUT};
     my $output  = $filter_table->{OUTPUT};
@@ -2287,6 +2450,14 @@ EOF
     deletechain shorewall
 
     run_stop_exit
+
+    #
+    # Enable automatic helper association on kernel 3.5.0 and later
+    #
+    if [ $COMMAND = clear -a -f /proc/sys/net/netfilter/nf_conntrack_helper ]; then
+        echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper
+    fi
+
 EOF
 
     if ( have_capability( 'NAT_ENABLED' ) ) {
@@ -2354,7 +2525,7 @@ EOF
 	}
     }
 
-    process_routestopped;
+    process_routestopped unless process_stoppedrules;
 
     add_ijump $input,  j => 'ACCEPT', i => 'lo';
     add_ijump $output, j => 'ACCEPT', o => 'lo' unless $config{ADMINISABSENTMINDED};
@@ -2379,6 +2550,8 @@ EOF
     create_stop_load $test;
 
     if ( $family == F_IPV4 ) {
+	emit( '$ARPTABLES -F',
+	      '' ) if $have_arptables; 
 	if ( $config{IP_FORWARDING} eq 'on' ) {
 	    emit( 'echo 1 > /proc/sys/net/ipv4/ip_forward',
 		  'progress_message2 IPv4 Forwarding Enabled' );

Shorewall/Perl/Shorewall/Nat.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010,2011,2012,2013 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -29,7 +29,7 @@ use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::IPAddrs;
 use Shorewall::Zones;
 use Shorewall::Chains qw(:DEFAULT :internal);
-use Shorewall::Providers qw( lookup_provider );
+use Shorewall::Providers qw( provider_realm );
 
 use strict;
 
@@ -42,13 +42,15 @@ Exporter::export_ok_tags('rules');
 
 our $VERSION = 'MODULEVERSION';
 
-my @addresses_to_add;
-my %addresses_to_add;
+our @addresses_to_add;
+our %addresses_to_add;
+our $family;
 
 #
 # Called by the compiler
 #
-sub initialize() {
+sub initialize($) {
+    $family = shift;
     @addresses_to_add = ();
     %addresses_to_add = ();
 }
@@ -56,20 +58,12 @@ sub initialize() {
 #
 # Process a single rule from the the masq file
 #
-sub process_one_masq( )
+sub process_one_masq1( $$$$$$$$$$ )
 {
-    my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest ) =
-	split_line1 'masq file', { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9 };
-
-    if ( $interfacelist eq 'COMMENT' ) {
-	process_comment;
-	return 1;
-    }
-
-    fatal_error 'INTERFACE must be specified' if $interfacelist eq '-';
+    my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest ) = @_;
 
     my $pre_nat;
-    my $add_snat_aliases = $config{ADD_SNAT_ALIASES};
+    my $add_snat_aliases = $family == F_IPV4 && $config{ADD_SNAT_ALIASES};
     my $destnets = '';
     my $baserule = '';
 
@@ -80,28 +74,33 @@ sub process_one_masq( )
     #
     # Parse the remaining part of the INTERFACE column
     #
-    if ( $interfacelist =~ /^([^:]+)::([^:]*)$/ ) {
-	$add_snat_aliases = 0;
-	$destnets = $2;
-	$interfacelist = $1;
-    } elsif ( $interfacelist =~ /^([^:]+:[^:]+):([^:]+)$/ ) {
-	$destnets = $2;
-	$interfacelist = $1;
-    } elsif ( $interfacelist =~ /^([^:]+):$/ ) {
-	$add_snat_aliases = 0;
-	$interfacelist = $1;
-    } elsif ( $interfacelist =~ /^([^:]+):([^:]*)$/ ) {
-	my ( $one, $two ) = ( $1, $2 );
-	if ( $2 =~ /\./ || $2 =~ /^%/ ) {
-	    $interfacelist = $one;
-	    $destnets = $two;
+    if ( $family == F_IPV4 ) {
+	if ( $interfacelist =~ /^([^:]+)::([^:]*)$/ ) {
+	    $add_snat_aliases = 0;
+	    $destnets = $2;
+	    $interfacelist = $1;
+	} elsif ( $interfacelist =~ /^([^:]+:[^:]+):([^:]+)$/ ) {
+	    $destnets = $2;
+	    $interfacelist = $1;
+	} elsif ( $interfacelist =~ /^([^:]+):$/ ) {
+	    $add_snat_aliases = 0;
+	    $interfacelist = $1;
+	} elsif ( $interfacelist =~ /^([^:]+):([^:]*)$/ ) {
+	    my ( $one, $two ) = ( $1, $2 );
+	    if ( $2 =~ /\./ || $2 =~ /^%/ ) {
+		$interfacelist = $one;
+		$destnets = $two;
+	    }
 	}
+    } elsif ( $interfacelist =~ /^(.+?):(.+)$/ ) {
+	$interfacelist = $1;
+	$destnets      = $2;
     }
     #
     # If there is no source or destination then allow all addresses
     #
-    $networks = ALLIPv4 if $networks eq '-';
-    $destnets = ALLIPv4 if $destnets eq '-';
+    $networks = ALLIP if $networks eq '-';
+    $destnets = ALLIP if $destnets eq '-';
 
     #
     # Handle IPSEC options, if any
@@ -123,7 +122,7 @@ sub process_one_masq( )
     #
     # Handle Protocol, Ports and Condition
     #
-    $baserule .= do_proto( $proto, $ports, '' ) . do_condition( $condition );
+    $baserule .= do_proto( $proto, $ports, '' );
     #
     # Handle Mark
     #
@@ -141,8 +140,11 @@ sub process_one_masq( )
 	if ( $interface =~ /(.*)[(](\w*)[)]$/ ) {
 	    $interface = $1;
 	    my $provider  = $2;
+
+	    fatal_error "Missing Provider ($fullinterface)" unless supplied $provider;
+
 	    $fullinterface =~ s/[(]\w*[)]//;
-	    my $realm = lookup_provider( $provider );
+	    my $realm = provider_realm( $provider );
 
 	    fatal_error "$provider is not a shared-interface provider" unless $realm;
 
@@ -158,6 +160,8 @@ sub process_one_masq( )
 
 	my $chainref = ensure_chain('nat', $pre_nat ? snat_chain $interface : masq_chain $interface);
 
+	$baserule .= do_condition( $condition , $chainref->{name} );
+
 	my $detectaddress = 0;
 	my $exceptionrule = '';
 	my $randomize     = '';
@@ -168,6 +172,7 @@ sub process_one_masq( )
 	#
 	if ( $addresses ne '-' ) {
 	    if ( $addresses eq 'random' ) {
+		require_capability( 'MASQUERADE_TGT', 'Masquerade rules', '') if $family == F_IPV6;
 		$randomize = '--random ';
 	    } else {
 		$addresses =~ s/:persistent$// and $persistent = ' --persistent ';
@@ -189,44 +194,129 @@ sub process_one_masq( )
 			$detectaddress = 1;
 		    }
 		} elsif ( $addresses eq 'NONAT' ) {
+		    fatal_error "'persistent' may not be specified with 'NONAT'" if $persistent;
+		    fatal_error "'random' may not be specified with 'NONAT'"     if $randomize;
 		    $target = 'RETURN';
 		    $add_snat_aliases = 0;
-		} else {
+		} elsif ( $addresses ) {
 		    my $addrlist = '';
-		    for my $addr ( split_list $addresses , 'address' ) {
-			if ( $addr =~ /^&(.+)$/ ) {
-			    $target = 'SNAT ';
-			    if ( $conditional = conditional_rule( $chainref, $addr ) ) {
-				$addrlist .= '--to-source ' . get_interface_address $1;
-			    } else {
-				$addrlist .= '--to-source ' . record_runtime_address( '&', $1 );
+		    my @addrs = split_list $addresses, 'address';
+
+		    fatal_error "Only one IPv6 ADDRESS may be specified" if $family == F_IPV6 && @addrs > 1;
+
+		    for my $addr ( @addrs ) {
+			if ( $addr =~ /^([&%])(.+)$/ ) {
+			    my ( $type, $interface ) = ( $1, $2 );
+
+			    my $ports = '';
+
+			    if ( $interface =~ s/:(.+)$// ) {
+				validate_portpair1( $proto, $1 );
+				$ports = ":$1";
 			    }
-			} elsif ( $addr =~ /^.*\..*\..*\./ ) {
+			    #
+			    # Address Variable
+			    #
 			    $target = 'SNAT ';
-			    my ($ipaddr, $rest) = split ':', $addr;
-			    if ( $ipaddr =~ /^(.+)-(.+)$/ ) {
-				validate_range( $1, $2 );
+			    if ( $interface =~ /^{([a-zA-Z_]\w*)}$/ ) {
+				#
+				# User-defined address variable
+				#
+				$conditional = conditional_rule( $chainref, $addr );
+				$addrlist .= '--to-source ' . "\$${1}${ports} ";
 			    } else {
-				validate_address $ipaddr, 0;
+				if ( $conditional = conditional_rule( $chainref, $addr ) ) {
+				    #
+				    # Optional Interface -- rule is conditional
+				    #
+				    $addr = get_interface_address $interface;
+				} else {
+				    #
+				    # Interface is not optional
+				    #
+				    $addr = record_runtime_address( $type, $interface );
+				}
+
+				if ( $ports ) {
+				    $addr =~ s/ $//;
+				    $addr = $family == F_IPV4 ? "${addr}${ports} " : "[$addr]$ports ";
+				}
+
+				$addrlist .= '--to-source ' . $addr;
+			    }
+			} elsif ( $family == F_IPV4 ) {
+			    if ( $addr =~ /^.*\..*\..*\./ ) {
+				$target = 'SNAT ';
+				my ($ipaddr, $rest) = split ':', $addr;
+				if ( $ipaddr =~ /^(.+)-(.+)$/ ) {
+				    validate_range( $1, $2 );
+				} else {
+				    validate_address $ipaddr, 0;
+				}
+				validate_portpair1( $proto, $rest ) if supplied $rest;
+				$addrlist .= "--to-source $addr ";
+				$exceptionrule = do_proto( $proto, '', '' ) if $addr =~ /:/;
+			    } else {
+				my $ports = $addr;
+				$ports =~ s/^://;
+				validate_portpair1( $proto, $ports );
+				$addrlist .= "--to-ports $ports ";
+				$exceptionrule = do_proto( $proto, '', '' );
 			    }
-			    $addrlist .= "--to-source $addr ";
-			    $exceptionrule = do_proto( $proto, '', '' ) if $addr =~ /:/;
 			} else {
-			    my $ports = $addr;
-			    $ports =~ s/^://;
-			    validate_portpair1( $proto, $ports );
-			    $addrlist .= "--to-ports $ports ";
-			    $exceptionrule = do_proto( $proto, '', '' );
+			    $target = 'SNAT ';
+
+			    if ( $addr =~ /^\[/ ) {
+				#
+				# Can have ports specified
+				#
+				my $ports;
+
+				if ( $addr =~ s/:([^]:]+)$// ) {
+				    $ports = $1;
+				}
+
+				fatal_error "Invalid IPv6 Address ($addr)" unless $addr =~ /^\[(.+)\]$/;
+
+				$addr = $1;
+
+				if ( $addr =~ /^(.+)-(.+)$/ ) {
+				    fatal_error "Correct address range syntax is '[<addr1>-<addr2>]'" if $addr =~ /]-\[/;
+				    validate_range( $1, $2 );
+				} else {
+				    validate_address $addr, 0;
+				}
+
+				if ( supplied $ports ) {
+				    validate_portpair1( $proto, $ports );
+				    $exceptionrule = do_proto( $proto, '', '' );
+				    $addr = "[$addr]:$ports";
+				}
+
+				$addrlist .= "--to-source $addr ";
+			    } else {
+				if ( $addr =~ /^(.+)-(.+)$/ ) {
+				    validate_range( $1, $2 );
+				} else {
+				    validate_address $addr, 0;
+				}
+
+				$addrlist .= "--to-source $addr ";
+			    }
 			}
 		    }
 
 		    $target .= $addrlist;
+		} else {
+		    fatal_error( "':persistent' is not allowed in a MASQUERADE rule" ) if $persistent;
+		    require_capability( 'MASQUERADE_TGT', 'Masquerade rules', '' )     if $family == F_IPV6;
 		}
 	    }
 
 	    $target .= $randomize;
 	    $target .= $persistent;
 	} else {
+	    require_capability( 'MASQUERADE_TGT', 'Masquerade rules', '' )  if $family == F_IPV6;
 	    $add_snat_aliases = 0;
 	}
 	#
@@ -234,6 +324,7 @@ sub process_one_masq( )
 	#
 	expand_rule( $chainref ,
 		     POSTROUTE_RESTRICT ,
+		     '' ,
 		     $baserule . $rule ,
 		     $networks ,
 		     $destnets ,
@@ -241,7 +332,8 @@ sub process_one_masq( )
 		     $target ,
 		     '' ,
 		     '' ,
-		     $exceptionrule );
+		     $exceptionrule )
+	    unless unreachable_warning( 0, $chainref );
 
 	conditional_rule_end( $chainref ) if $detectaddress || $conditional;
 
@@ -271,18 +363,28 @@ sub process_one_masq( )
 
 }
 
+sub process_one_masq( )
+{
+    my ($interfacelist, $networks, $addresses, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest ) =
+	split_line1 'masq file', { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9 };
+
+    fatal_error 'INTERFACE must be specified' if $interfacelist eq '-';
+
+    for my $proto ( split_list $protos, 'Protocol' ) {
+	process_one_masq1( $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest );
+    }
+}
+
 #
 # Process the masq file
 #
 sub setup_masq()
 {
-    if ( my $fn = open_file 'masq' ) {
+    if ( my $fn = open_file( 'masq', 1, 1 ) ) {
 
-	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty masq file' , 's'; } );
+	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , "a non-empty masq file" , 's'; } );
 
 	process_one_masq while read_a_line( NORMAL_READ );
-
-	clear_comment;
     }
 }
 
@@ -373,7 +475,7 @@ sub do_one_nat( $$$$$ )
 #
 sub setup_nat() {
 
-    if ( my $fn = open_file 'nat' ) {
+    if ( my $fn = open_file( 'nat', 1, 1 ) ) {
 
 	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty nat file' , 's'; } );
 
@@ -381,26 +483,20 @@ sub setup_nat() {
 
 	    my ( $external, $interfacelist, $internal, $allints, $localnat ) = split_line1 'nat file', { external => 0, interface => 1, internal => 2, allints => 3, local => 4 };
 
-	    if ( $external eq 'COMMENT' ) {
-		process_comment;
-	    } else {
-		( $interfacelist, my $digit ) = split /:/, $interfacelist;
+	    ( $interfacelist, my $digit ) = split /:/, $interfacelist;
 
-		$digit = defined $digit ? ":$digit" : '';
+	    $digit = defined $digit ? ":$digit" : '';
 
-		fatal_error 'EXTERNAL must be specified' if $external eq '-';
-		fatal_error 'INTERNAL must be specified' if $interfacelist eq '-';
+	    fatal_error 'EXTERNAL must be specified' if $external eq '-';
+	    fatal_error 'INTERNAL must be specified' if $interfacelist eq '-';
 
-		for my $interface ( split_list $interfacelist , 'interface' ) {
-		    fatal_error "Invalid Interface List ($interfacelist)" unless supplied $interface;
-		    do_one_nat $external, "${interface}${digit}", $internal, $allints, $localnat;
-		}
-
-		progress_message "   NAT entry \"$currentline\" $done";
+	    for my $interface ( split_list $interfacelist , 'interface' ) {
+		fatal_error "Invalid Interface List ($interfacelist)" unless supplied $interface;
+		do_one_nat $external, "${interface}${digit}", $internal, $allints, $localnat;
 	    }
-	}
 
-	clear_comment;
+	    progress_message "   NAT entry \"$currentline\" $done";
+	}
     }
 }
 
@@ -409,7 +505,7 @@ sub setup_nat() {
 #
 sub setup_netmap() {
 
-    if ( my $fn = open_file 'netmap' ) {
+    if ( my $fn = open_file 'netmap', 1, 1 ) {
 
 	first_entry "$doing $fn...";
 
@@ -431,8 +527,8 @@ sub setup_netmap() {
 		    my @rulein;
 		    my @ruleout;
 
-		    validate_net $net1, 0;
-		    validate_net $net2, 0;
+		    $net1 = validate_net $net1, 0;
+		    $net2 = validate_net $net2, 0;
 
 		    unless ( $interfaceref->{root} ) {
 			@rulein  = imatch_source_dev( $interface );
@@ -466,7 +562,7 @@ sub setup_netmap() {
 
 		    require_capability 'RAWPOST_TABLE', 'Stateless NAT Entries', '';
 
-		    validate_net $net2, 0;
+		    $net2 = validate_net $net2, 0;
 
 		    unless ( $interfaceref->{root} ) {
 			@match = imatch_dest_dev(  $interface );
@@ -512,8 +608,6 @@ sub setup_netmap() {
 		progress_message "   Network $net1 on $iface mapped to $net2 ($type)";
 	    }
 	}
-
-	clear_comment;
     }
 
 }
@@ -521,7 +615,7 @@ sub setup_netmap() {
 #
 # Called from process_rule1 to add a rule to the NAT table
 #
-sub handle_nat_rule( $$$$$$$$$$$$ ) {
+sub handle_nat_rule( $$$$$$$$$$$$$ ) {
     my ( $dest,           # <server>[:port]
 	 $proto,          # Protocol
 	 $ports,          # Destination port list
@@ -534,6 +628,7 @@ sub handle_nat_rule( $$$$$$$$$$$$ ) {
 	 $source,         # Source Address
 	 $loglevel,       # [<level>[:<tag>]]
 	 $log_action,     # Action name to include in the log message
+	 $wildcard        # Part of a wildcard rule
        ) = @_;
 
     my ( $server, $serverport , $origdstports ) = ( '', '', '' );
@@ -542,13 +637,17 @@ sub handle_nat_rule( $$$$$$$$$$$$ ) {
     #
     # Isolate server port
     #
-    if ( $dest =~ /^(.*)(?::(.+))$/ ) {
+    if ( ( $family == F_IPV4 && $dest =~ /^(.*)(?::(.+))$/ ) || ( $family == F_IPV6 && $dest =~ /^\[(.*)]:(.+)$/ ) ) {
 	#
 	# Server IP and Port
 	#
 	$server = $1;      # May be empty
 	$serverport = $2;  # Not Empty due to RE
 
+	my ( $p ) = split( ':', $proto ); # Might be "tcp:syn"
+
+	require_capability( 'UDPLITEREDIRECT', 'UDPLITE Port Redirection', 's' ) if resolve_proto( $p ) == UDPLITE; 
+
 	$origdstports = validate_port( $proto, $ports )	if $ports && $ports ne '-' && port_count( $ports ) == 1;
 
 	if ( $serverport =~ /^(\d+)-(\d+)$/ ) {
@@ -597,20 +696,42 @@ sub handle_nat_rule( $$$$$$$$$$$$ ) {
 	if ( $server eq '' ) {
 	    fatal_error "A server and/or port must be specified in the DEST column in $action rules" unless $serverport;
 	} elsif ( $server =~ /^(.+)-(.+)$/ ) {
-	    validate_range( $1, $2 );
-	} else {
-	    unless ( $server eq ALLIP ) {
-		my @servers = validate_address $server, 1;
-		$server = join ',', @servers;
+	    if ( $family == F_IPV4 ) {
+		validate_range( $1, $2 );
+	    } else {
+		my ( $addr1, $addr2 ) = ( $1, $2 );
+
+		if ( $server =~ /^\[(.+)\]$/ ) {
+		    $server = $1;
+		    fatal_error "Correct address range syntax is '[<addr1>-<addr2>]'" if $server =~ /]-\[/;
+		    assert( $server =~ /^(.+)-(.+)$/ );
+		    ( $addr1, $addr2 ) = ( $1, $2 );
+		}
+
+		validate_range( $addr1, $addr2 );
+		$server = join( '-', $addr1, $addr2 );
 	    }
+	} elsif ( $server eq ALLIP || $server eq NILIP ) {
+	    fatal_error "Invalid or missing server IP address";
+	} else {
+	    $server = $1 if $family == F_IPV6 && $server =~ /^\[(.+)\]$/;
+	    fatal_error "Invalid server IP address ($server)" if $server eq ALLIP || $server eq NILIP;
+	    my @servers = validate_address $server, 1;
+	    $server = join ',', @servers;
 	}
 
 	if ( $action eq 'DNAT' ) {
 	    $target = $action;
 	    if ( $server ) {
 		$serverport = ":$serverport" if $serverport;
-		for my $serv ( split /,/, $server ) {
-		    $target .= " --to-destination ${serv}${serverport}";
+		if ( $family == F_IPV4 ) {
+		    for my $serv ( split /,/, $server ) {
+			$target .= " --to-destination ${serv}${serverport}";
+		    }
+		} else {
+		    for my $serv ( split /,/, $server ) {
+			$target .= " --to-destination [${serv}]${serverport}";
+		    }
 		}
 	    } else {
 		$target .= " --to-destination :$serverport";
@@ -632,12 +753,15 @@ sub handle_nat_rule( $$$$$$$$$$$$ ) {
     #
     # And generate the nat table rule(s)
     #
-    expand_rule ( ensure_chain ('nat' ,
-				( $action_chain ?
-				  $action_chain :
-				  ( $sourceref->{type} == FIREWALL ? 'OUTPUT' : 
-				    dnat_chain $sourceref->{name} ) ) ),
-		  PREROUTE_RESTRICT ,
+    my $firewallsource = $sourceref && ( $sourceref->{type} & ( FIREWALL | VSERVER ) );
+
+    my $chainref = ensure_chain ('nat' ,
+				( $action_chain   ? $action_chain :
+				  $firewallsource ? 'OUTPUT' :
+				  dnat_chain $sourceref->{name} ) );
+    expand_rule ( $chainref,
+		  $firewallsource ? OUTPUT_RESTRICT : PREROUTE_RESTRICT ,
+		  '' ,
 		  $rule ,
 		  $source ,
 		  $origdest ,
@@ -646,7 +770,8 @@ sub handle_nat_rule( $$$$$$$$$$$$ ) {
 		  $loglevel ,
 		  $log_action ,
 		  $serverport ? do_proto( $proto, '', '' ) : '',
-		);
+		)
+	unless unreachable_warning( $wildcard, $chainref );
 
     ( $ports, $origdstports, $server );
 }
@@ -654,8 +779,8 @@ sub handle_nat_rule( $$$$$$$$$$$$ ) {
 #
 # Called from process_rule1() to handle the nat table part of the NONAT and ACCEPT+ actions
 #
-sub handle_nonat_rule( $$$$$$$$$$ ) {
-    my ( $action, $source, $dest, $origdest, $sourceref, $inaction, $chain, $loglevel, $log_action, $rule ) = @_;
+sub handle_nonat_rule( $$$$$$$$$$$ ) {
+    my ( $action, $source, $dest, $origdest, $sourceref, $inaction, $chain, $loglevel, $log_action, $rule, $wildcard ) = @_;
 
     my $sourcezone = $sourceref->{name};
     #
@@ -707,6 +832,7 @@ sub handle_nonat_rule( $$$$$$$$$$ ) {
 	    #
 	    expand_rule( $chn,
 			 PREROUTE_RESTRICT,
+			 '', # Prerule
 			 '', # Rule
 			 '', # Source
 			 '', # Dest
@@ -715,7 +841,9 @@ sub handle_nonat_rule( $$$$$$$$$$ ) {
 			 $loglevel,
 			 $log_action,
 			 '',
-			 dnat_chain( $sourcezone  ) );
+			 dnat_chain( $sourcezone  ) )
+		unless unreachable_warning( $wildcard, $chn );
+
 	    $loglevel = '';
 	    $tgt = $chn->{name};
 	} else {
@@ -723,10 +851,9 @@ sub handle_nonat_rule( $$$$$$$$$$ ) {
 	}
     }
 
-    set_optflags( $nonat_chain, DONT_MOVE | DONT_OPTIMIZE ) if $tgt eq 'RETURN';
-
     expand_rule( $nonat_chain ,
 		 PREROUTE_RESTRICT ,
+		 '' ,
 		 $rule ,
 		 $source ,
 		 $dest ,
@@ -735,7 +862,8 @@ sub handle_nonat_rule( $$$$$$$$$$ ) {
 		 $loglevel ,
 		 $log_action ,
 		 '',
-	       );
+	       )
+	unless unreachable_warning( $wildcard, $nonat_chain );
 }
 
 sub add_addresses () {

Shorewall/Perl/Shorewall/Proc.pm

@@ -38,6 +38,7 @@ our @EXPORT = qw(
 		 setup_route_filtering
 		 setup_martian_logging
 		 setup_source_routing
+		 setup_accept_ra
 		 setup_forwarding
 		 );
 our @EXPORT_OK = qw( setup_interface_proc );
@@ -214,35 +215,64 @@ sub setup_source_routing( $ ) {
     }
 }
 
+#
+# Source Routing
+#
+sub setup_accept_ra() {
+
+    my $interfaces = find_interfaces_by_option 'accept_ra';
+
+    if ( @$interfaces ) {
+	progress_message2 "$doing Accept Routing Advertisements...";
+
+	save_progress_message 'Setting up Accept Routing Advertisements...';
+
+	for my $interface ( @$interfaces ) {
+	    my $value = get_interface_option $interface, 'accept_ra';
+	    my $optional = interface_is_optional $interface;
+
+	    $interface = get_physical $interface;
+
+	    my $file = "/proc/sys/net/ipv6/conf/$interface/accept_ra";
+
+	    emit ( "if [ -f $file ]; then" ,
+		   "    echo $value > $file" );
+	    emit ( 'else' ,
+		   "    error_message \"WARNING: Cannot set Accept Source Routing on $interface\"" ) unless $optional;
+	    emit   "fi\n";
+	}
+    }
+}
+
 sub setup_forwarding( $$ ) {
     my ( $family, $first ) = @_;
 
     if ( $family == F_IPV4 ) {
 	if ( $config{IP_FORWARDING} eq 'on' ) {
-	    emit '        echo 1 > /proc/sys/net/ipv4/ip_forward';
-	    emit '        progress_message2 IPv4 Forwarding Enabled';
+	    emit 'echo 1 > /proc/sys/net/ipv4/ip_forward';
+	    emit 'progress_message2 IPv4 Forwarding Enabled';
 	} elsif ( $config{IP_FORWARDING} eq 'off' ) {
-	    emit '        echo 0 > /proc/sys/net/ipv4/ip_forward';
-	    emit '        progress_message2 IPv4 Forwarding Disabled!';
+	    emit 'echo 0 > /proc/sys/net/ipv4/ip_forward';
+	    emit 'progress_message2 IPv4 Forwarding Disabled!';
 	}
 
 	emit '';
 
-	emit ( '        echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables' ,
+	emit ( 'echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables' ,
 	       ''
 	     ) if have_bridges;
     } else {
 	if ( $config{IP_FORWARDING} eq 'on' ) {
-	    emit '        echo 1 > /proc/sys/net/ipv6/conf/all/forwarding';
-	    emit '        progress_message2 IPv6 Forwarding Enabled';
+	    emit 'echo 1 > /proc/sys/net/ipv6/conf/all/forwarding';
+	    emit 'progress_message2 IPv6 Forwarding Enabled';
 	} elsif ( $config{IP_FORWARDING} eq 'off' ) {
-	    emit '        echo 0 > /proc/sys/net/ipv6/conf/all/forwarding';
-	    emit '        progress_message2 IPv6 Forwarding Disabled!';
+	    emit 'echo 0 > /proc/sys/net/ipv6/conf/all/forwarding';
+	    emit 'progress_message2 IPv6 Forwarding Disabled!';
 	}
 
 	emit '';
 
-	emit ( '        echo 1 > /proc/sys/net/bridge/bridge-nf-call-ip6tables' ,
+	emit ( 'echo 1 > /proc/sys/net/bridge/bridge-nf-call-ip6tables' ,
 	       ''
 	     ) if have_bridges;
 
@@ -251,9 +281,6 @@ sub setup_forwarding( $$ ) {
 	if ( @$interfaces ) {
 	    progress_message2 "$doing Interface forwarding..." if $first;
 
-	    push_indent;
-	    push_indent;
-
 	    save_progress_message 'Setting up IPv6 Interface Forwarding...';
 
 	    for my $interface ( @$interfaces ) {
@@ -270,9 +297,6 @@ sub setup_forwarding( $$ ) {
 		       "    error_message \"WARNING: Cannot set IPv6 forwarding on $interface\"" ) unless $optional;
 		emit   "fi\n";
 	    }
-
-	    pop_indent;
-	    pop_indent;
 	}
     }
 }
@@ -303,10 +327,16 @@ sub setup_interface_proc( $ ) {
 	push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/accept_source_route";
     }
 
-    if ( interface_has_option( $interface, 'sourceroute' , $value ) ) {
-	push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/accept_source_route";
+    if ( interface_has_option( $interface, 'forward' , $value ) ) {
+	push @emitted, "echo $value > /proc/sys/net/ipv6/conf/$physical/forwarding";
     }
 
+    if ( interface_has_option( $interface, 'accept_ra' , $value ) ) {
+	push @emitted, "if [ -f /proc/sys/net/ipv6/conf/$physical/accept_ra ]; then";
+	push @emitted, "    echo $value > /proc/sys/net/ipv6/conf/$physical/accept_ra";
+	push @emitted, 'fi';
+    }
+	
     if ( @emitted ) {
 	emit( 'if [ $COMMAND = enable ]; then' );
 	push_indent;

Shorewall/Perl/Shorewall/Raw.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2009,2010,2011,2012,2013 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -20,7 +20,7 @@
 #       along with this program; if not, write to the Free Software
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#   This module contains the code that handles the /etc/shorewall/notrack file.
+#   This module contains the code that handles the /etc/shorewall/conntrack file.
 #
 package Shorewall::Raw;
 require Exporter;
@@ -32,63 +32,109 @@ use Shorewall::Chains qw(:DEFAULT :internal);
 use strict;
 
 our @ISA = qw(Exporter);
-our @EXPORT = qw( setup_notrack );
-our @EXPORT_OK = qw( );
+our @EXPORT = qw( setup_conntrack );
+our @EXPORT_OK = qw( handle_helper_rule );
 our $VERSION = 'MODULEVERSION';
 
-my %valid_ctevent = ( new => 1, related => 1, destroy => 1, reply => 1, assured => 1, protoinfo => 1, helper => 1, mark => 1, natseqinfo => 1, secmark => 1 );
+our %valid_ctevent = ( new        => 1,
+		       related    => 1,
+		       destroy    => 1,
+		       reply      => 1,
+		       assured    => 1,
+		       protoinfo  => 1,
+		       helper     => 1,
+		       mark       => 1,
+		       natseqinfo => 1,
+		       secmark    => 1 );
 
 #
 # Notrack
 #
-sub process_notrack_rule( $$$$$$$ ) {
+sub process_conntrack_rule( $$$$$$$$$$ ) {
 
-    my ($action, $source, $dest, $proto, $ports, $sports, $user ) = @_;
+    my ($chainref, $zoneref, $action, $source, $dest, $proto, $ports, $sports, $user, $switch ) = @_;
+
+    require_capability 'RAW_TABLE', 'conntrack rules', '';
 
     $proto  = ''    if $proto  eq 'any';
     $ports  = ''    if $ports  eq 'any' || $ports  eq 'all';
     $sports = ''    if $sports eq 'any' || $sports eq 'all';
 
-    ( my $zone, $source) = split /:/, $source, 2;
-    my $zoneref  = find_zone $zone;
-    my $chainref = ensure_raw_chain( notrack_chain $zone );
-    my $restriction = $zoneref->{type} == FIREWALL || $zoneref->{type} == VSERVER ? OUTPUT_RESTRICT : PREROUTE_RESTRICT;
+    my $zone;
+    my $restriction = PREROUTE_RESTRICT;
 
-    fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-' && $restriction != OUTPUT_RESTRICT;
-    require_capability 'RAW_TABLE', 'Notrack rules', '';
+    if ( $chainref ) {
+	$restriction = OUTPUT_RESTRICT if $chainref->{name} eq 'OUTPUT';
+    } else {
+	#
+	# Entry in the conntrack file
+	#
+	if ( $zoneref ) {
+	    $zone = $zoneref->{name};
+	} else {
+	    ($zone, $source) = split /:/, $source, 2;
+	    $zoneref = find_zone ( $zone );
+	}
+
+	$chainref = ensure_raw_chain( notrack_chain $zone );
+	$restriction = OUTPUT_RESTRICT if $zoneref->{type}  & (FIREWALL | VSERVER );
+	fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-' && $restriction != OUTPUT_RESTRICT;
+    }
 
     my $target = $action;
     my $exception_rule = '';
-    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user );
+    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_condition( $switch , $chainref->{name} );
 
-    unless ( $action eq 'NOTRACK' ) {
+    if ( $action eq 'NOTRACK' ) {
+	#
+	# A patch that deimplements the NOTRACK target has been posted on the
+	# Netfilter development list
+	#
+	$action = 'CT --notrack' if have_capability 'CT_TARGET';
+    } elsif ( $action ne 'DROP' ) {
 	(  $target, my ( $option, $args, $junk ) ) = split ':', $action, 4;
 
 	fatal_error "Invalid notrack ACTION ( $action )" if $junk || $target ne 'CT';
 
-	require_capability 'CT_TARGET', 'CT entries in the notrack file', '';
+	require_capability 'CT_TARGET', 'CT entries in the conntrack file', '';
 
 	if ( $option eq 'notrack' ) {
-	    fatal_error "Invalid notrack ACTION ( $action )" if supplied $args;
+	    fatal_error "Invalid conntrack ACTION ( $action )" if supplied $args;
 	    $action = 'CT --notrack';
 	} else {
 	    fatal_error "Invalid or missing CT option and arguments" unless supplied $option && supplied $args;
 
 	    if ( $option eq 'helper' ) {
-		fatal_error "Invalid helper' ($args)" if $args =~ /,/;
-		validate_helper( $args, $proto );
-		$action = "CT --helper $args";
-		$exception_rule = do_proto( $proto, '-', '-' );
-	    } elsif ( $option eq 'ctevents' ) {
-		for ( split ',', $args ) {
-		    fatal_error "Invalid 'ctevents' event ($_)" unless $valid_ctevent{$_};
+		my $modifiers = '';
+
+		if ( $args =~ /^([-\w.]+)\((.+)\)$/ ) {
+		    $args      = $1;
+		    $modifiers = $2;
 		}
 
-		$action = "CT --ctevents $args";
-	    } elsif ( $option eq 'expevent' ) {
-		fatal_error "Invalid expevent argument ($args)" unless $args eq 'new';
-	    } elsif ( $option eq 'zone' ) {
-		fatal_error "Invalid zone id ($args)" unless $args =~ /^\d+$/;
+		fatal_error "Invalid helper' ($args)" if $args =~ /,/;
+		validate_helper( $args, $proto );
+		$action = "CT --helper $helpers_aliases{$args}";
+		$exception_rule = do_proto( $proto, '-', '-' );
+
+		for my $mod ( split_list1( $modifiers, 'ctevents' ) ) {
+		    fatal_error "Invalid helper option ($mod)" unless $mod =~ /^(\w+)=(.+)$/;
+		    $mod    = $1;
+		    my $val = $2;
+		    
+		    if ( $mod eq 'ctevents' ) {
+			for ( split_list( $val, 'ctevents' ) ) {
+			    fatal_error "Invalid 'ctevents' event ($_)" unless $valid_ctevent{$_};
+			}
+
+			$action .= " --ctevents $val";
+		    } elsif ( $mod eq 'expevents' ) {
+			fatal_error "Invalid expevent argument ($val)" unless $val eq 'new';
+			$action .= ' --expevents new';
+		    } else {
+			fatal_error "Invalid helper option ($mod)";
+		    }
+		}
 	    } else {
 		fatal_error "Invalid CT option ($option)";
 	    }
@@ -97,6 +143,7 @@ sub process_notrack_rule( $$$$$$$ ) {
 
     expand_rule( $chainref ,
 		 $restriction ,
+		 '',
 		 $rule,
 		 $source ,
 		 $dest ,
@@ -106,64 +153,144 @@ sub process_notrack_rule( $$$$$$$ ) {
 		 $target ,
 		 $exception_rule );
 
-    progress_message "  Notrack rule \"$currentline\" $done";
+    progress_message "  Conntrack rule \"$currentline\" $done";
+}
 
-    $globals{UNTRACKED} = 1;
+sub handle_helper_rule( $$$$$$$$$$$ ) {
+    my ( $helper, $source, $dest, $proto, $ports, $sports, $sourceref, $action_target, $actionchain, $user, $rule ) = @_;
+
+    if ( $helper ne '-' ) {
+	fatal_error "A HELPER is not allowed with this ACTION" if $action_target;
+	#
+	# This means that an ACCEPT or NAT rule with a helper is being processed
+	#
+	process_conntrack_rule( $actionchain ? ensure_raw_chain( $actionchain ) : undef ,
+				$sourceref ,
+				"CT:helper:$helper",
+				$source ,
+				$dest ,
+				$proto ,
+				$ports ,
+				$sports ,
+				$user,
+				'-',
+			      );
+    } else {
+	assert( $action_target );
+	#
+	# The target is an action
+	#
+	if ( $actionchain ) {
+	    #
+	    # And the source is another action chain
+	    #
+	    expand_rule( ensure_raw_chain( $actionchain ) ,
+			 PREROUTE_RESTRICT ,
+			 '',
+			 $rule ,
+			 $source ,
+			 $dest ,
+			 '' ,
+			 $action_target ,
+			 '',
+			 'CT' ,
+			 '' );
+	} else {
+	    expand_rule( ensure_raw_chain( notrack_chain( $sourceref->{name} ) ) ,
+			 ( $sourceref->{type} == FIREWALL || $sourceref->{type} == VSERVER ?
+			   OUTPUT_RESTRICT :
+			   PREROUTE_RESTRICT ) ,
+			 '' ,
+			 $rule ,
+			 $source ,
+			 $dest ,
+			 '' ,
+			 $action_target ,
+			 '' ,
+			 'CT' ,
+			 '' );
+	}
+    }
 }
 
 sub process_format( $ ) {
     my $format = shift;
 
-    fatal_error q(FORMAT must be '1' or '2') unless $format =~ /^[12]$/;
+    fatal_error q(FORMAT must be '1', '2' or '3') unless $format =~ /^[123]$/;
+    format_warning;
 
-    $format;
+    $file_format = $format;
 }
 
-sub setup_notrack() {
+sub setup_conntrack() {
 
-    my $format = 1;
-    my $action = 'NOTRACK';
+    for my $name ( qw/notrack conntrack/ ) {
 
-    if ( my $fn = open_file 'notrack' ) {
+	my $fn = open_file( $name, 3 , 1 );
 
-	first_entry "$doing $fn...";
+	if ( $fn ) {
 
-	my $nonEmpty = 0;
+	    my $action;
 
-	while ( read_a_line( NORMAL_READ ) ) {
-	    my ( $source, $dest, $proto, $ports, $sports, $user );
+	    my $empty = 1;
 
-	    if ( $format == 1 ) {
-		( $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Notrack File', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5 };
+	    first_entry( "$doing $fn..." );
 
-		if ( $source eq 'FORMAT' ) {
-		    $format = process_format( $dest );
-		    next;
-		}
+	    while ( read_a_line( NORMAL_READ ) ) {
+		my ( $source, $dest, $protos, $ports, $sports, $user, $switch );
 
-		if ( $source eq 'COMMENT' ) {
-		    process_comment;
-		    next;
-		}
-	    } else {
-		( $action, $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Notrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6 }, { COMMENT => 0, FORMAT => 2 };
-
-		if ( $action eq 'FORMAT' ) {
-		    $format = process_format( $source );
+		if ( $file_format == 1 ) {
+		    ( $source, $dest, $protos, $ports, $sports, $user, $switch ) = split_line1 'Conntrack File', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5, switch => 6 };
 		    $action = 'NOTRACK';
-		    next;
+		} else {
+		    ( $action, $source, $dest, $protos, $ports, $sports, $user, $switch ) = split_line1 'Conntrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, switch => 7 };
 		}
 
-		if ( $action eq 'COMMENT' ) {
-		    process_comment;
-		    next;
+		$empty = 0;
+
+		for my $proto ( split_list $protos, 'Protocol' ) {
+		    if ( $file_format < 3 ) {
+			if ( $source =~ /^all(-)?(:(.+))?$/ ) {
+			    fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-';
+			    for my $zone ( $1 ? off_firewall_zones : all_zones ) {
+				process_conntrack_rule( undef ,
+							undef,
+							$action,
+							$zone . ( $2 || ''),
+							$dest,
+							$proto,
+							$ports,
+							$sports,
+							$user ,
+							$switch );
+			    }
+			} else {
+			    process_conntrack_rule( undef, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
+			}
+		    } elsif ( $action =~ s/:O$// ) {
+			process_conntrack_rule( $raw_table->{OUTPUT}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
+		    } elsif ( $action =~ s/:OP// || $action =~ s/:PO// ) {
+			process_conntrack_rule( $raw_table->{PREROUTING}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
+			process_conntrack_rule( $raw_table->{OUTPUT},     undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
+		    } else {
+			$action =~ s/:P//;
+			process_conntrack_rule( $raw_table->{PREROUTING}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
+		    }
 		}
 	    }
 
-	    process_notrack_rule $action, $source, $dest, $proto, $ports, $sports, $user;
+	    if ( $name eq 'notrack') {
+		if ( $empty ) {
+		    if ( unlink( $fn ) ) {
+			warning_message "Empty notrack file ($fn) removed";
+		    } else {
+			warning_message "Unable to remove empty notrack file ($fn): $!";
+		    }
+		} else {
+		    warning_message "Non-empty notrack file ($fn); please move its contents to the conntrack file";
+		}
+	    }
 	}
-
-	clear_comment;
     }
 }
 

Shorewall/Perl/Shorewall/Tunnels.pm

@@ -61,7 +61,7 @@ sub setup_tunnels() {
 	    }
 	}
 
-	my @options = $globals{UNTRACKED} ? state_imatch 'NEW,UNTRACKED' : state_imatch 'NEW';
+	my @options = have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,UNTRACKED' : state_imatch 'NEW';
 
 	add_tunnel_rule $inchainref,  p => 50, @$source;
 	add_tunnel_rule $outchainref, p => 50, @$dest;
@@ -285,25 +285,19 @@ sub setup_tunnels() {
     #
     # Setup_Tunnels() Starts Here
     #
-    if ( my $fn = open_file 'tunnels' ) {
+    if ( my $fn = open_file( 'tunnels', 1, 1 ) ) {
 
 	first_entry "$doing $fn...";
 
 	while ( read_a_line( NORMAL_READ ) ) {
 
-	    my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 'tunnels file', { type => 0, zone => 1, gateway => 2, gateways => 2, gateway_zone => 3 , gateway_zones => 3 }, undef, 4;
+	    my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 'tunnels file', { type => 0, zone => 1, gateway => 2, gateways => 2, gateway_zone => 3 , gateway_zones => 3 }, {}, 4;
 
 	    fatal_error 'TYPE must be specified' if $kind eq '-';
 
-	    if ( $kind eq 'COMMENT' ) {
-		process_comment;
-	    } else {
-		fatal_error 'ZONE must be specified' if $zone eq '-';
-		setup_one_tunnel $kind, $zone, $gateway, $gatewayzones;
-	    }
+	    fatal_error 'ZONE must be specified' if $zone eq '-';
+	    setup_one_tunnel $kind, $zone, $gateway, $gatewayzones;
 	}
-
-	clear_comment;
     }
 }
 

Shorewall/Perl/Shorewall/Zones.pm

@@ -31,66 +31,77 @@ use Shorewall::IPAddrs;
 use strict;
 
 our @ISA = qw(Exporter);
-our @EXPORT = qw( NOTHING
-		  NUMERIC
-		  NETWORK
-		  IPSECPROTO
-		  IPSECMODE
-		  FIREWALL
-		  VSERVER
-		  IP
-		  BPORT
-		  IPSEC
-		  NO_UPDOWN
-		  NO_SFILTER
+our @EXPORT = ( qw( NOTHING
+		    NUMERIC
+		    NETWORK
+		    IPSECPROTO
+		    IPSECMODE
+		    FIREWALL
+		    VSERVER
+		    LOOPBACK
+		    LOCAL
+		    IP
+		    BPORT
+		    IPSEC
+		    GROUP
+		    NO_UPDOWN
+		    NO_SFILTER
 
-		  determine_zones
-		  zone_report
-		  dump_zone_contents
-		  find_zone
-		  firewall_zone
-		  defined_zone
-		  zone_type
-		  zone_interfaces
-		  zone_mark
-		  all_zones
-		  all_parent_zones
-		  complex_zones
-		  vserver_zones
-		  off_firewall_zones
-		  non_firewall_zones
-		  single_interface
-		  chain_base
-		  validate_interfaces_file
-		  all_interfaces
-		  all_real_interfaces
-		  all_plain_interfaces
-		  all_bridges
-		  interface_number
-		  find_interface
-		  known_interface
-		  get_physical
-		  physical_name
-		  have_bridges
-		  port_to_bridge
-		  source_port_to_bridge
-		  interface_is_optional
-		  interface_is_required
-		  find_interfaces_by_option
-		  find_interfaces_by_option1
-		  get_interface_option
-		  interface_has_option
-		  set_interface_option
-		  set_interface_provider
-		  interface_zones
-		  verify_required_interfaces
-		  validate_hosts_file
-		  find_hosts_by_option
-		  find_zone_hosts_by_option
-		  find_zones_by_option
-		  all_ipsets
-		  have_ipsec
-		 );
+		    determine_zones
+		    zone_report
+		    dump_zone_contents
+		    find_zone
+		    firewall_zone
+		    loopback_zones
+		    local_zones
+		    defined_zone
+		    zone_type
+		    zone_interfaces
+		    zone_mark
+		    all_zones
+		    all_parent_zones
+		    complex_zones
+		    vserver_zones
+		    on_firewall_zones
+		    off_firewall_zones
+		    non_firewall_zones
+		    single_interface
+		    var_base
+		    validate_interfaces_file
+		    all_interfaces
+		    all_real_interfaces
+		    all_plain_interfaces
+		    all_bridges
+		    managed_interfaces
+		    unmanaged_interfaces
+		    interface_number
+		    interface_origin
+		    find_interface
+		    known_interface
+		    get_physical
+		    physical_name
+		    have_bridges
+		    port_to_bridge
+		    source_port_to_bridge
+		    interface_is_optional
+		    interface_is_required
+		    find_interfaces_by_option
+		    find_interfaces_by_option1
+		    get_interface_option
+		    interface_has_option
+		    set_interface_option
+		    set_interface_provider
+		    interface_zone
+		    interface_zones
+		    verify_required_interfaces
+		    validate_hosts_file
+		    find_hosts_by_option
+		    find_zone_hosts_by_option
+		    find_zones_by_option
+		    all_ipsets
+		    have_ipsec
+		 ),
+	      );
 
 our @EXPORT_OK = qw( initialize );
 our $VERSION = 'MODULEVERSION';
@@ -117,7 +128,8 @@ use constant { IN_OUT     => 1,
 #
 #     @zones contains the ordered list of zones with sub-zones appearing before their parents.
 #
-#     %zones{<zone1> => {type =>       <zone type>       FIREWALL, IP, IPSEC, BPORT;
+#     %zones{<zone1> => {name =>       <name>,
+#                        type =>       <zone type>       FIREWALL, IP, IPSEC, BPORT;
 #                        complex =>    0|1
 #                        super   =>    0|1
 #                        options =>    { in_out  => < policy match string >
@@ -144,12 +156,14 @@ use constant { IN_OUT     => 1,
 #
 #     $firewall_zone names the firewall zone.
 #
-my @zones;
-my %zones;
-my %zonetypes;
-my $firewall_zone;
+our @zones;
+our %zones;
+our %zonetypes;
+our $firewall_zone;
+our @loopback_zones;
+our @local_zones;
 
-my  %reservedName = ( all => 1,
+our %reservedName = ( all => 1,
 		      any => 1,
 		      none => 1,
 		      SOURCE => 1,
@@ -169,7 +183,7 @@ my  %reservedName = ( all => 1,
 #                                     zone        => <zone name>
 #                                     multizone   => undef|1   #More than one zone interfaces through this interface
 #                                     nets        => <number of nets in interface/hosts records referring to this interface>
-#                                     bridge      => <bridge name>
+#                                     bridge      => <bridge name> # Same as ->{name} if not a bridge port.
 #                                     ports       => <number of port on this bridge>
 #                                     ipsec       => undef|1 # Has an ipsec host group
 #                                     broadcasts  => 'none', 'detect' or [ <addr1>, <addr2>, ... ]
@@ -184,28 +198,33 @@ my  %reservedName = ( all => 1,
 #    The purpose of the 'base' member is to ensure that the base names associated with the physical interfaces are assigned in
 #    the same order as the interfaces are encountered in the configuration files.
 #
-my @interfaces;
-my %interfaces;
-my %roots;
-my @bport_zones;
-my %ipsets;
-my %physical;
-my %basemap;
-my %mapbase;
-my $family;
-my $upgrade;
-my $have_ipsec;
-my $baseseq;
-my $minroot;
-my $zonemark;
-my $zonemarkincr;
-my $zonemarklimit;
+our @interfaces;
+our %interfaces;
+our %roots;
+our @bport_zones;
+our %ipsets;
+our %physical;
+our %basemap;
+our %basemap1;
+our %mapbase;
+our %mapbase1;
+our $family;
+our $upgrade;
+our $have_ipsec;
+our $baseseq;
+our $minroot;
+our $zonemark;
+our $zonemarkincr;
+our $zonemarklimit;
 
 use constant { FIREWALL => 1,
 	       IP       => 2,
 	       BPORT    => 4,
 	       IPSEC    => 8,
-	       VSERVER  => 16 };
+	       VSERVER  => 16,
+	       LOOPBACK => 32,
+	       LOCAL    => 64,
+	   };
 
 use constant { SIMPLE_IF_OPTION   => 1,
 	       BINARY_IF_OPTION   => 2,
@@ -226,32 +245,55 @@ use constant { SIMPLE_IF_OPTION   => 1,
 use constant { NO_UPDOWN   => 1, 
 	       NO_SFILTER  => 2 };
 
-my %validinterfaceoptions;
+our %validinterfaceoptions;
 
-my %defaultinterfaceoptions = ( routefilter => 1 , wait => 60 );
+our %prohibitunmanaged = (
+			  blacklist      => 1,
+			  bridge         => 1,
+			  destonly       => 1,
+			  detectnets     => 1,
+			  dhcp           => 1,
+			  maclist        => 1,
+			  nets           => 1,
+			  norfc1918      => 1,
+			  nosmurfs       => 1,
+			  optional       => 1,
+			  routeback      => 1,
+			  rpfilter       => 1,
+			  sfilter        => 1,
+			  tcpflags       => 1,
+			  upnp           => 1,
+			  upnpclient     => 1,
+			 );
 
-my %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 , ignore => NO_UPDOWN );
+our %defaultinterfaceoptions = ( routefilter => 1 , wait => 60, accept_ra => 1 , ignore => 3, routeback => 1 );
 
-my %validhostoptions;
+our %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 , ignore => NO_UPDOWN | NO_SFILTER, accept_ra => 2 );
 
-my %validzoneoptions = ( mss          => NUMERIC,
-			 nomark       => NOTHING,
-			 blacklist    => NOTHING,
-			 strict       => NOTHING,
-			 next         => NOTHING,
-			 reqid        => NUMERIC,
-			 spi          => NUMERIC,
-			 proto        => IPSECPROTO,
-			 mode         => IPSECMODE,
-			 "tunnel-src" => NETWORK,
-			 "tunnel-dst" => NETWORK,
+our %validhostoptions;
+
+our %validzoneoptions = ( mss            => NUMERIC,
+			  nomark         => NOTHING,
+			  blacklist      => NOTHING,
+			  dynamic_shared => NOTHING,
+			  strict         => NOTHING,
+			  next           => NOTHING,
+			  reqid          => NUMERIC,
+			  spi            => NUMERIC,
+			  proto          => IPSECPROTO,
+			  mode           => IPSECMODE,
+			 "tunnel-src"   => NETWORK,
+			 "tunnel-dst"   => NETWORK,
 		       );
 
 use constant { UNRESTRICTED => 1, NOFW => 2 , COMPLEX => 8, IN_OUT_ONLY => 16 };
 #
 # Hash of options that have their own key in the returned hash.
 #
-my %zonekey = ( mss => UNRESTRICTED | COMPLEX , blacklist => NOFW, nomark => NOFW | IN_OUT_ONLY );
+our %zonekey = ( mss            => UNRESTRICTED | COMPLEX ,
+		 blacklist      => NOFW, 
+		 nomark         => NOFW | IN_OUT_ONLY,
+		 dynamic_shared => IN_OUT_ONLY );
 
 #
 # Rather than initializing globals in an INIT block or during declaration,
@@ -267,6 +309,8 @@ sub initialize( $$ ) {
     ( $family , $upgrade ) = @_;
     @zones = ();
     %zones = ();
+    @loopback_zones = ();
+    @local_zones = ();
     $firewall_zone = '';
     $have_ipsec = undef;
 
@@ -277,7 +321,9 @@ sub initialize( $$ ) {
     %ipsets = ();
     %physical = ();
     %basemap = ();
+    %basemap1 = ();
     %mapbase = ();
+    %mapbase1 = ();
     $baseseq = 0;
     $minroot = 0;
 
@@ -286,6 +332,7 @@ sub initialize( $$ ) {
 				  arp_ignore  => ENUM_IF_OPTION,
 				  blacklist   => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  bridge      => SIMPLE_IF_OPTION,
+				  destonly    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  detectnets  => OBSOLETE_IF_OPTION,
 				  dhcp        => SIMPLE_IF_OPTION,
 				  ignore      => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
@@ -297,8 +344,9 @@ sub initialize( $$ ) {
 				  optional    => SIMPLE_IF_OPTION,
 				  proxyarp    => BINARY_IF_OPTION,
 				  required    => SIMPLE_IF_OPTION,
-				  routeback   => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER,
+				  routeback   => BINARY_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER,
 				  routefilter => NUMERIC_IF_OPTION ,
+				  rpfilter    => SIMPLE_IF_OPTION,
 				  sfilter     => IPLIST_IF_OPTION,
 				  sourceroute => BINARY_IF_OPTION,
 				  tcpflags    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
@@ -306,6 +354,7 @@ sub initialize( $$ ) {
 				  upnpclient  => SIMPLE_IF_OPTION,
 				  mss         => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 				  physical    => STRING_IF_OPTION  + IF_OPTION_HOST,
+				  unmanaged   => SIMPLE_IF_OPTION,
 				  wait        => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 				 );
 	%validhostoptions = (
@@ -319,10 +368,19 @@ sub initialize( $$ ) {
 			     sourceonly => 1,
 			     mss => 1,
 			    );
-	%zonetypes = ( 1 => 'firewall', 2 => 'ipv4', 4 => 'bport4', 8 => 'ipsec4', 16 => 'vserver' );
+
+	%zonetypes = ( 1   => 'firewall',
+		       2   => 'ipv4',
+		       4   => 'bport4',
+		       8   => 'ipsec4',
+		       16  => 'vserver',
+		       32  => 'loopback',
+		       64  => 'local' );
     } else {
-	%validinterfaceoptions = (  blacklist   => SIMPLE_IF_OPTION + IF_OPTION_HOST,
+	%validinterfaceoptions = (  accept_ra   => NUMERIC_IF_OPTION,
+				    blacklist   => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    bridge      => SIMPLE_IF_OPTION,
+				    destonly    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    dhcp        => SIMPLE_IF_OPTION,
 				    ignore      => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 				    maclist     => SIMPLE_IF_OPTION + IF_OPTION_HOST,
@@ -331,13 +389,15 @@ sub initialize( $$ ) {
 				    optional    => SIMPLE_IF_OPTION,
 				    proxyndp    => BINARY_IF_OPTION,
 				    required    => SIMPLE_IF_OPTION,
-				    routeback   => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER,
+				    routeback   => BINARY_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER,
+				    rpfilter    => SIMPLE_IF_OPTION,
 				    sfilter     => IPLIST_IF_OPTION,
 				    sourceroute => BINARY_IF_OPTION,
 				    tcpflags    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    mss         => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 				    forward     => BINARY_IF_OPTION,
 				    physical    => STRING_IF_OPTION + IF_OPTION_HOST,
+				    unmanaged   => SIMPLE_IF_OPTION,
 				    wait        => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 				 );
 	%validhostoptions = (
@@ -347,7 +407,14 @@ sub initialize( $$ ) {
 			     tcpflags => 1,
 			     mss => 1,
 			    );
-	%zonetypes = ( 1 => 'firewall', 2 => 'ipv6', 4 => 'bport6', 8 => 'ipsec4', 16 => 'vserver' );
+
+	%zonetypes = ( 1   => 'firewall',
+		       2   => 'ipv6',
+		       4   => 'bport6',
+		       8   => 'ipsec4',
+		       16  => 'vserver',
+		       32  => 'loopback',
+		       64  => 'local' );
     }
 }
 
@@ -365,6 +432,8 @@ sub parse_zone_option_list($$\$$)
     my $fmt;
 
     if ( $list ne '-' ) {
+	fatal_error "The 'loopback' zone may not have $column OPTIONS" if $zonetype == LOOPBACK;
+
 	for my $e ( split_list $list, 'option' ) {
 	    my $val    = undef;
 	    my $invert = '';
@@ -393,7 +462,7 @@ sub parse_zone_option_list($$\$$)
 
 	    if ( $key ) {
 		fatal_error "Option '$e' not permitted with this zone type " if $key & NOFW && ($zonetype & ( FIREWALL | VSERVER) );
-		fatal_error "Opeion '$e' is only permitted in the OPTIONS columns" if $key & IN_OUT_ONLY && $column != IN_OUT;
+		fatal_error "Option '$e' is only permitted in the OPTIONS columns" if $key & IN_OUT_ONLY && $column != IN_OUT;
 		$$complexref = 1 if $key & COMPLEX;
 		$h{$e} = $val || 1;
 	    } else {
@@ -472,6 +541,13 @@ sub process_zone( \$ ) {
     } elsif ( $type eq '-' ) {
 	$type = IP;
 	$$ip = 1;
+    } elsif ( $type eq 'local' ) {
+	push @local_zones, $zone;
+	$type = LOCAL;
+	$$ip  = 1;
+    } elsif ( $type eq 'loopback' ) {
+	push @loopback_zones, $zone;
+	$type = LOOPBACK;
     } else {
 	fatal_error "Invalid zone type ($type)";
     }
@@ -484,6 +560,8 @@ sub process_zone( \$ ) {
 
 	fatal_error 'Subzones of a Vserver zone not allowed' if $ptype & VSERVER;
 	fatal_error 'Subzones of firewall zone not allowed'  if $ptype & FIREWALL;
+	fatal_error 'Loopback zones may only be subzones of other loopback zones' if ( $type | $ptype ) & LOOPBACK && $type != $ptype;
+	fatal_error 'Local zones may only be subzones of other local zones'       if ( $type | $ptype ) & LOCAL    && $type != $ptype;
 
 	set_super( $zones{$p} ) if $type & IPSEC && ! ( $ptype & IPSEC );
 
@@ -529,6 +607,7 @@ sub process_zone( \$ ) {
     }
 
     if ( $zoneref->{options}{in_out}{blacklist} ) {
+	warning_message q(The 'blacklist' option is deprecated);
 	for ( qw/in out/ ) {
 	    unless ( $zoneref->{options}{$_}{blacklist} ) {
 		$zoneref->{options}{$_}{blacklist} = 1;
@@ -536,6 +615,10 @@ sub process_zone( \$ ) {
 		warning_message( "Redundant 'blacklist' in " . uc( $_ ) . '_OPTIONS' );
 	    }
 	}
+    } else {
+	for ( qw/in out/ ) {
+	    warning_message q(The 'blacklist' option is deprecated), last if  $zoneref->{options}{$_}{blacklist};
+	}
     }
 
     return $zone;
@@ -544,6 +627,8 @@ sub process_zone( \$ ) {
 #
 # Parse the zones file.
 #
+sub vserver_zones();
+
 sub determine_zones()
 {
     my @z;
@@ -562,6 +647,7 @@ sub determine_zones()
 
     fatal_error "No firewall zone defined" unless $firewall_zone;
     fatal_error "No IP zones defined" unless $ip;
+    fatal_error "Loopback zones and vserver zones are mutually exclusive" if @loopback_zones && vserver_zones;
     #
     # Topological sort to place sub-zones before all of their parents
     #
@@ -723,8 +809,12 @@ sub add_group_to_zone($$$$$)
     my $zoneref  = $zones{$zone};
     my $zonetype = $zoneref->{type};
 
-
+    $interfaceref = $interfaces{$interface};
     $zoneref->{interfaces}{$interface} = 1;
+    $zoneref->{destonly} ||= $interfaceref->{options}{destonly};
+    $options->{destonly} ||= $interfaceref->{options}{destonly};
+
+    $interfaceref->{zones}{$zone} = 1;
 
     my @newnetworks;
     my @exclusions = ();
@@ -733,10 +823,6 @@ sub add_group_to_zone($$$$$)
     my $allip    = 0;
 
     for my $host ( @$networks ) {
-	$interfaceref = $interfaces{$interface};
-
-	$interfaceref->{zones}{$zone} = 1;
-
 	$interfaceref->{nets}++;
 
 	fatal_error "Invalid Host List" unless supplied $host;
@@ -748,6 +834,13 @@ sub add_group_to_zone($$$$$)
 	    $new = \@exclusions;
 	}
 
+	if ( substr( $host, 0, 1 ) eq '+' ) {
+	    fatal_error "Invalid ipset name ($host)" unless $host =~ /^\+(6_)?[a-zA-Z][-\w]*$/;
+	    require_capability( 'IPSET_MATCH', 'Ipset names in host lists', '');
+	} else {
+	    $host = validate_host $host, 0;
+	}
+
 	unless ( $switched ) {
 	    if ( $type == $zonetype ) {
 		fatal_error "Duplicate Host Group ($interface:$host) in zone $zone" if $interfaces{$interface}{zone} eq $zone;
@@ -766,13 +859,6 @@ sub add_group_to_zone($$$$$)
 	    }
 	}
 
-	if ( substr( $host, 0, 1 ) eq '+' ) {
-	    fatal_error "Invalid ipset name ($host)" unless $host =~ /^\+(6_)?[a-zA-Z]\w*$/;
-	    require_capability( 'IPSET_MATCH', 'Ipset names in host lists', '');
-	} else {
-	    validate_host $host, 0;
-	}
-
 	push @$new, $host;
     }
 
@@ -836,6 +922,10 @@ sub all_zones() {
     @zones;
 }
 
+sub on_firewall_zones() {
+   grep ( ( $zones{$_}{type} & ( FIREWALL | VSERVER ) )  ,  @zones );
+}
+
 sub off_firewall_zones() {
    grep ( ! ( $zones{$_}{type} & ( FIREWALL | VSERVER ) )  ,  @zones );
 }
@@ -864,19 +954,27 @@ sub firewall_zone() {
     $firewall_zone;
 }
 
+sub loopback_zones() {
+    @loopback_zones;
+}
+
+sub local_zones() {
+    @local_zones;
+}
+
 #
 # Determine if the passed physical device is a bridge
 #
 sub is_a_bridge( $ ) {
-    which 'brctl' && qt( "brctl show | tail -n+2 | grep -q '^$_[0]\[\[:space:\]\]'" );
+    which 'brctl' && system( "brctl show < /dev/null | tail -n+2 | grep -q '^$_[0]\[\[:space:\]\]' > /dev/null" ) == 0;
 }
 
 #
 # Transform the passed interface name into a legal shell variable name.
 #
-sub chain_base($) {
-    my $chain = $_[0];
-    my $name  = $basemap{$chain};
+sub var_base($) {
+    my $var = $_[0];
+    my $name  = $basemap{$var};
     #
     # Return existing mapping, if any
     #
@@ -884,31 +982,31 @@ sub chain_base($) {
     #
     # Remember initial value
     #
-    my $key = $chain;
+    my $key = $var;
     #
     # Handle VLANs and wildcards
     #
-    $chain =~ s/\+$//;
-    $chain =~ tr/./_/;
+    $var =~ s/\+$/_plus/;
+    $var =~ tr/./_/;
 
-    if ( $chain eq '' || $chain =~ /^[0-9]/ || $chain =~ /[^\w]/ ) {
+    if ( $var eq '' || $var =~ /^[0-9]/ || $var =~ /[^\w]/ ) {
 	#
 	# Must map. Remove all illegal characters
 	#
-	$chain =~ s/[^\w]//g;
+	$var =~ s/[^\w]//g;
 	#
 	# Prefix with if_ if it begins with a digit
 	#
-	$chain = join( '' , 'if_', $chain ) if $chain =~ /^[0-9]/;
+	$var = join( '' , 'if_', $var ) if $var =~ /^[0-9]/;
 	#
 	# Create a new unique name
 	#
-	1 while $mapbase{$name = join ( '_', $chain, ++$baseseq )};
+	1 while $mapbase{$name = join ( '_', $var, ++$baseseq )};
     } else {
 	#
 	# We'll store the identity mapping if it is unique
 	#
-	$chain = join( '_', $key , ++$baseseq ) while $mapbase{$name = $chain};
+	$var = join( '_', $key , ++$baseseq ) while $mapbase{$name = $var};
     }
     #
     # Store the reverse mapping
@@ -920,6 +1018,55 @@ sub chain_base($) {
     $basemap{$key} = $name;
 }
 
+#
+# This is a slightly relaxed version of the above that allows '-' in the generated name.
+#
+sub var_base1($) {
+    my $var = $_[0];
+    my $name  = $basemap1{$var};
+    #
+    # Return existing mapping, if any
+    #
+    return $name if $name;
+    #
+    # Remember initial value
+    #
+    my $key = $var;
+    #
+    # Handle VLANs and wildcards
+    #
+    $var =~ s/\+$//;
+    $var =~ tr/./_/;
+
+    if ( $var eq '' || $var =~ /^[0-9]/ || $var =~ /[^-\w]/ ) {
+	#
+	# Must map. Remove all illegal characters
+	#
+	$var =~ s/[^\w]//g;
+	#
+	# Prefix with if_ if it begins with a digit
+	#
+	$var = join( '' , 'if_', $var ) if $var =~ /^[0-9]/;
+	#
+	# Create a new unique name
+	#
+	1 while $mapbase1{$name = join ( '_', $var, ++$baseseq )};
+    } else {
+	#
+	# We'll store the identity mapping if it is unique
+	#
+	$var = join( '_', $key , ++$baseseq ) while $mapbase1{$name = $var};
+    }
+    #
+    # Store the reverse mapping
+    #
+    $mapbase1{$name} = $key;
+    #
+    # Store the mapping
+    #
+    $basemap1{$key} = $name;
+}
+
 #
 # Process a record in the interfaces file
 #
@@ -930,24 +1077,14 @@ sub process_interface( $$ ) {
     my ($zone, $originalinterface, $bcasts, $options );
     my $zoneref;
     my $bridge = '';
-    our $format;
 
-    if ( $format == 1 ) {
-	($zone, $originalinterface, $bcasts, $options ) = split_line1 'interfaces file', { zone => 0, interface => 1, broadcast => 2, options => 3 }, { COMMENT => 0, FORMAT => 2 };
+    if ( $file_format == 1 ) {
+	($zone, $originalinterface, $bcasts, $options ) = split_line1 'interfaces file', { zone => 0, interface => 1, broadcast => 2, options => 3 };
     } else {
-	($zone, $originalinterface, $options ) = split_line1 'interfaces file', { zone => 0, interface => 1, options => 2 }, { COMMENT => 0, FORMAT => 2 };
+	($zone, $originalinterface, $options ) = split_line1 'interfaces file', { zone => 0, interface => 1, options => 2 };
 	$bcasts = '-';
     }
 
-    if ( $zone eq 'FORMAT' ) {
-	if ( $originalinterface =~ /^([12])$/ ) {
-	    $format = $1;
-	    return;
-	}
-
-	fatal_error "Invalid FORMAT ($originalinterface)";
-    }
-
     if ( $zone eq '-' ) {
 	$zone = '';
     } else {
@@ -1082,7 +1219,7 @@ sub process_interface( $$ ) {
 	    } elsif ( $type == BINARY_IF_OPTION ) {
 		$value = 1 unless defined $value;
 		fatal_error "Option value for '$option' must be 0 or 1" unless ( $value eq '0' || $value eq '1' );
-		fatal_error "The '$option' option may not be used with a wild-card interface name" if $wildcard;
+		fatal_error "The '$option' option may not be used with a wild-card interface name" if $wildcard && ! $type && IF_OPTION_WILDOK;
 		$options{$option} = $value;
 		$hostoptions{$option} = $value if $hostopt;
 	    } elsif ( $type == ENUM_IF_OPTION ) {
@@ -1138,7 +1275,7 @@ sub process_interface( $$ ) {
 		    $hostoptions{broadcast} = 1;
 		} elsif ( $option eq 'sfilter' ) {
 		    $filterref = [ split_list $value, 'address' ];
-		    validate_net( $_, 1) for @{$filterref}
+		    validate_net( $_, 0) for @{$filterref}
 		} else {
 		    assert(0);
 		}
@@ -1147,6 +1284,7 @@ sub process_interface( $$ ) {
 
 		if ( $option eq 'physical' ) {
 		    fatal_error "Invalid Physical interface name ($value)" unless $value && $value !~ /%/;
+		    fatal_error "Virtual interfaces ($value) are not supported" if $value =~ /:\d+$/;
 
 		    fatal_error "Duplicate physical interface name ($value)" if ( $physical{$value} && ! $port );
 
@@ -1160,11 +1298,18 @@ sub process_interface( $$ ) {
 	    }
 	}
 
-	fatal_error "Invalid combination of interface options"
+	fatal_error q(The 'required', 'optional' and 'ignore' options are mutually exclusive)
 	    if ( ( $options{required} && $options{optional} ) ||
 		 ( $options{required} && $options{ignore}   ) ||
 		 ( $options{optional} && $options{ignore}   ) );
 
+	if ( $options{rpfilter} ) {
+	    require_capability( 'RPFILTER_MATCH', q(The 'rpfilter' option), 's' ) ;
+	    fatal_error q(The 'routefilter', 'sfilter' and 'rpfilter' options are mutually exclusive) if $options{routefilter} || @$filterref;
+	} else {
+	    fatal_error q(The 'routefilter', 'sfilter' and 'rpfilter' options are mutually exclusive) if $options{routefilter} && @$filterref;
+	}
+
 	if ( supplied( my $ignore = $options{ignore} ) ) {
 	    fatal_error "Invalid value ignore=0" if ! $ignore;
 	} else {
@@ -1172,7 +1317,8 @@ sub process_interface( $$ ) {
 	}
 
 	if ( $netsref eq 'dynamic' ) {
-	    my $ipset = $family == F_IPV4 ? "${zone}_" . chain_base $physical : "6_${zone}_" . chain_base $physical;
+	    my $ipset = $family == F_IPV4 ? "${zone}" : "6_${zone}";
+	    $ipset = join( '_', $ipset, var_base1( $physical ) ) unless $zoneref->{options}{in_out}{dynamic_shared};	    
 	    $netsref = [ "+$ipset" ];
 	    $ipsets{$ipset} = 1;
 	}
@@ -1180,10 +1326,10 @@ sub process_interface( $$ ) {
 	if ( $options{bridge} ) {
 	    require_capability( 'PHYSDEV_MATCH', 'The "bridge" option', 's');
 	    fatal_error "Bridges may not have wildcard names" if $wildcard;
-	    $hostoptions{routeback} = $options{routeback} = 1;
+	    $hostoptions{routeback} = $options{routeback} = 1 unless supplied $options{routeback};
 	}
 
-	$hostoptions{routeback} = $options{routeback} = is_a_bridge( $physical ) unless $export || $options{routeback};
+	$hostoptions{routeback} = $options{routeback} = is_a_bridge( $physical ) unless $export || supplied $options{routeback} || $options{unmanaged};
 
 	$hostoptionsref = \%hostoptions;
     } else {
@@ -1197,6 +1343,14 @@ sub process_interface( $$ ) {
 	$options{ignore} ||= 0;
     }
 
+    if ( $options{unmanaged} ) {
+	fatal_error "The 'lo' interface may not be unmanaged when there are vserver zones" if $physical eq 'lo' && vserver_zones;
+
+	while ( my ( $option, $value ) = each( %options ) ) {
+	    fatal_error "The $option option may not be specified with 'unmanaged'" if $prohibitunmanaged{$option};
+	}
+    }
+
     $physical{$physical} = $interfaces{$interface} = { name       => $interface ,
 						       bridge     => $bridge ,
 						       filter     => $filterref ,
@@ -1207,11 +1361,44 @@ sub process_interface( $$ ) {
 						       options    => \%options ,
 						       zone       => '',
 						       physical   => $physical ,
-						       base       => chain_base( $physical ),
+						       base       => var_base( $physical ),
 						       zones      => {},
+						       origin     => shortlineinfo(''),
 						     };
 
     if ( $zone ) {
+	fatal_error "Unmanaged interfaces may not be associated with a zone" if $options{unmanaged};
+
+	if ( $physical eq 'lo' ) {
+	    fatal_error "Only a loopback zone may be assigned to 'lo'" unless $zoneref->{type} == LOOPBACK;
+	    fatal_error "Invalid definition of 'lo'"                   if $bridge ne $interface;
+	    
+	    for ( qw/arp_filter
+		     arp_ignore
+		     blacklist
+		     bridge
+		     detectnets
+		     dhcp
+		     maclist
+		     logmartians
+		     norfc1918
+		     nosmurts
+		     proxyarp
+		     routeback
+		     routefilter
+		     rpfilter
+		     sfilter
+		     sourceroute
+		     upnp
+		     upnpclient
+		     mss
+		    / ) {
+		fatal_error "The 'lo' interface may not specify the '$_' option" if supplied $options{$_};
+	    }
+	} else {
+	    fatal_error "A loopback zone may only be assigned to 'lo'" if $zoneref->{type} == LOOPBACK;
+	}
+
 	$netsref ||= [ allip ];
 	add_group_to_zone( $zone, $zoneref->{type}, $interface, $netsref, $hostoptionsref );
 	add_group_to_zone( $zone,
@@ -1231,12 +1418,11 @@ sub process_interface( $$ ) {
 #
 sub validate_interfaces_file( $ ) {
     my  $export = shift;
-    our $format = 1;
 
     my @ifaces;
     my $nextinum = 1;
 
-    if ( my $fn = open_file 'interfaces' ) {
+    if ( my $fn = open_file 'interfaces', 2 ) {
 	first_entry "$doing $fn...";
 	push @ifaces, process_interface( $nextinum++, $export ) while read_a_line( NORMAL_READ );
     } else {
@@ -1332,13 +1518,14 @@ sub known_interface($)
 						   name     => $i ,
 						   number   => $interfaceref->{number} ,
 						   physical => $physical ,
-						   base     => chain_base( $physical ) ,
+						   base     => var_base( $physical ) ,
+						   zones    => $interfaceref->{zones} ,
 						 };
 	    }
 	}
     }
 
-    0;
+    $physical{$interface} || 0;
 }
 
 #
@@ -1348,6 +1535,13 @@ sub interface_number( $ ) {
     $interfaces{$_[0]}{number} || 256;
 }
 
+#
+# Return interface origin
+#
+sub interface_origin( $ ) {
+    $interfaces{$_[0]}->{origin};
+}
+
 #
 # Return the interfaces list
 #
@@ -1356,10 +1550,10 @@ sub all_interfaces() {
 }
 
 #
-# Return all non-vserver interfaces
+# Return all managed non-vserver interfaces
 #
 sub all_real_interfaces() {
-    grep $_ ne '%vserver%', @interfaces;
+    grep $_ ne '%vserver%' && ! $interfaces{$_}{options}{unmanaged}, @interfaces;
 }
 
 #
@@ -1369,6 +1563,20 @@ sub all_bridges() {
     grep ( $interfaces{$_}{options}{bridge} , @interfaces );
 }
 
+#
+# Return a list of managed interfaces
+#
+sub managed_interfaces() {
+    grep (! $interfaces{$_}{options}{unmanaged} , @interfaces );
+}
+
+#
+# Return a list of unmanaged interfaces (skip 'lo' since it is implicitly unmanaged when there are no loopback zones).
+#
+sub unmanaged_interfaces() {
+    grep ( $interfaces{$_}{options}{unmanaged} && $_ ne 'lo', @interfaces );
+}
+
 #
 # Return a reference to the interfaces table entry for an interface
 #
@@ -1427,9 +1635,19 @@ sub source_port_to_bridge( $ ) {
 # Returns a hash reference for the zones interface through the interface
 #
 sub interface_zones( $ ) {
-    my $interfaceref = $interfaces{(shift)};
+    my $interfaceref = known_interface( $_[0] );
 
-    $interfaceref->{zones};
+    fatal_error "Unknown interface(@_)" unless $interfaceref;
+    $interfaceref->{zones} || {};
+}
+
+#
+# Returns the 'zone' member of the passed interface, if any
+#
+sub interface_zone( $ ) {
+    my $interfaceref = known_interface( $_[0] );
+
+    $interfaceref ? $interfaceref->{zone} : '';
 }
 
 #
@@ -1679,7 +1897,7 @@ sub verify_required_interfaces( $ ) {
 	    my $physical = get_physical $interface;
 
 	    if ( $physical =~ /\+$/ ) {
-		my $base = uc chain_base $physical;
+		my $base = uc var_base $physical;
 
 		$physical =~ s/\+$/*/;
 
@@ -1742,22 +1960,30 @@ sub process_host( ) {
 	} else {
 	    fatal_error "Invalid HOST(S) column contents: $hosts";
 	}
-    } elsif ( $hosts =~ /^([\w.@%-]+\+?):<(.*)>$/   ||
-	      $hosts =~ /^([\w.@%-]+\+?):\[(.*)\]$/ ||
-	      $hosts =~ /^([\w.@%-]+\+?):(!?\+.*)$/   ||
+    } elsif ( $hosts =~ /^([\w.@%-]+\+?):<(.*)>$/               ||
+	      $hosts =~ /^([\w.@%-]+\+?)\[(.*)\]$/              ||
+	      $hosts =~ /^([\w.@%-]+\+?):(!?\[.+\](?:\/\d+)?)$/ ||
+	      $hosts =~ /^([\w.@%-]+\+?):(!?\+.*)$/             ||
 	      $hosts =~ /^([\w.@%-]+\+?):(dynamic)$/ ) {
 	$interface = $1;
 	$hosts = $2;
 
 	fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface}) && $interfaceref->{root};
+	fatal_error "Unmanaged interfaces may not be associated with a zone" if $interfaceref->{unmanaged};
+
+	if ( $interfaceref->{name} eq 'lo' ) {
+	    fatal_error "Only a loopback zone may be associated with the loopback interface (lo)" if $type != LOOPBACK;
+	} else {
+	    fatal_error "Loopback zones may only be associated with the loopback interface (lo)" if $type == LOOPBACK;
+	}
     } else {
 	fatal_error "Invalid HOST(S) column contents: $hosts"
     }
 
     if ( $hosts =~ /^!?\+/ ) {
-	$zoneref->{complex} = 1;
-	fatal_error "ipset name qualification is disallowed in this file" if $hosts =~ /[\[\]]/;
-	fatal_error "Invalid ipset name ($hosts)" unless $hosts =~ /^!?\+[a-zA-Z][-\w]*$/;
+       $zoneref->{complex} = 1;
+       fatal_error "ipset name qualification is disallowed in this file" if $hosts =~ /[\[\]]/;
+       fatal_error "Invalid ipset name ($hosts)" unless $hosts =~ /^!?\+[a-zA-Z][-\w]*$/;
     }
 
     if ( $type & BPORT ) {
@@ -1784,6 +2010,7 @@ sub process_host( ) {
 	    } elsif ( $option eq 'norfc1918' ) {
 		warning_message "The 'norfc1918' host option is no longer supported"
 	    } elsif ( $option eq 'blacklist' ) {
+		warning_message "The 'blacklist' option is deprecated";
 		$zoneref->{options}{in}{blacklist} = 1;
 	    } elsif ( $option =~ /^mss=(\d+)$/ ) {
 		fatal_error "Invalid mss ($1)" unless $1 >= 500;
@@ -1820,8 +2047,14 @@ sub process_host( ) {
     if ( $hosts eq 'dynamic' ) {
 	fatal_error "Vserver zones may not be dynamic" if $type & VSERVER;
 	require_capability( 'IPSET_MATCH', 'Dynamic nets', '');
-	my $physical = chain_base( physical_name $interface );
-	my $set      = $family == F_IPV4 ? "${zone}_${physical}" : "6_${zone}_${physical}";
+
+	my $set = $family == F_IPV4 ? "${zone}" : "6_${zone}";
+	
+	unless ( $zoneref->{options}{in_out}{dynamic_shared} ) {
+	    my $physical = var_base1( physical_name $interface );
+	    $set = join( '_', $set, $physical );
+	}
+
 	$hosts = "+$set";
 	$optionsref->{dynamic} = 1;
 	$ipsets{$set} = 1;

Shorewall/Perl/compiler.pl

@@ -37,7 +37,8 @@
 #         --log_verbosity=<number>    # Log Verbosity range -1 to 2
 #         --family=<number>           # IP family; 4 = IPv4 (default), 6 = IPv6
 #         --preview                   # Preview the ruleset.
-#         --shorewallrc=<path>        # Path to shorewallrc file.
+#         --shorewallrc=<path>        # Path to global shorewallrc file.
+#         --shorewallrc1=<path>       # Path to export shorewallrc file.
 #         --config_path=<path-list>   # Search path for config files
 #
 use strict;
@@ -48,7 +49,9 @@ use Getopt::Long;
 
 sub usage( $ ) {
 
-    print STDERR 'usage: compiler.pl [ <option> ... ] [ <filename> ]
+    print STDERR << '_EOF_';
+
+usage: compiler.pl [ <option> ... ] [ <filename> ]
 
   options are:
     [ --export ]
@@ -66,9 +69,12 @@ sub usage( $ ) {
     [ --annotate ]
     [ --update ]
     [ --convert ]
+    [ --directives ]
     [ --shorewallrc=<pathname> ]
+    [ --shorewallrc1=<pathname> ]
     [ --config_path=<path-list> ]
-';
+
+_EOF_
 
     exit shift @_;
 }
@@ -92,8 +98,10 @@ my $preview       = 0;
 my $annotate      = 0;
 my $update        = 0;
 my $convert       = 0;
+my $directives    = 0;
 my $config_path   = '';
 my $shorewallrc   = '';
+my $shorewallrc1  = '';
 
 Getopt::Long::Configure ('bundling');
 
@@ -121,11 +129,14 @@ my $result = GetOptions('h'               => \$help,
 			'confess'         => \$confess,
 			'a'               => \$annotate,
 			'annotate'        => \$annotate,
+			'directives'      => \$directives,
+			'D'               => \$directives,
 			'u'               => \$update,
 			'update'          => \$update,
 			'convert'         => \$convert,
 			'config_path=s'   => \$config_path,
 			'shorewallrc=s'   => \$shorewallrc,
+			'shorewallrc1=s'  => \$shorewallrc1,
 		       );
 
 usage(1) unless $result && @ARGV < 2;
@@ -147,6 +158,8 @@ compiler( script          => $ARGV[0] || '',
 	  update          => $update,
 	  convert         => $convert,
 	  annotate        => $annotate,
+	  directives      => $directives,
 	  config_path     => $config_path,
-	  shorewallrc     => $shorewallrc
+	  shorewallrc     => $shorewallrc,
+	  shorewallrc1    => $shorewallrc1,
 	);

Shorewall/Perl/getparams

@@ -25,12 +25,12 @@
 #
 #      $1 = Path name of params file
 #      $2 = $CONFIG_PATH
-#      $3 = Address family (4 o4 6)
+#      $3 = Address family (4 or 6)
 #
 if [ "$3" = 6 ]; then
-    g_program=shorewall6
+    PRODUCT=shorewall6
 else
-    g_program=shorewall
+    PRODUCT=shorewall
 fi
 
 #
@@ -38,11 +38,9 @@ fi
 #
 . /usr/share/shorewall/shorewallrc
 
-g_libexec="$LIBEXECDIR"
-g_sharedir="$SHAREDIR"/shorewall
-g_sbindir="$SBINDIR"
-g_perllib="$PERLLIBDIR"
-g_confdir="$CONFDIR"/shorewall
+g_program=$PRODUCT
+g_sharedir="$SHAREDIR/shorewall"
+g_confdir="$CONFDIR/$PRODUCT"
 g_readrc=1
 
 . $g_sharedir/lib.cli

Shorewall/Perl/lib.core

@@ -216,8 +216,8 @@ get_routed_networks() # $1 = interface name, $2-n = Fatal error message
 delete_tc1()
 {
     clear_one_tc() {
-        $TC qdisc del dev $1 root 2> /dev/null
-        $TC qdisc del dev $1 ingress 2> /dev/null
+        $TC qdisc del dev ${1%@*} root 2> /dev/null
+        $TC qdisc del dev ${1%@*} ingress 2> /dev/null
 
     }
 
@@ -419,6 +419,7 @@ fatal_error()
 
     stop_firewall
     [ -n "$TEMPFILE" ] && rm -f $TEMPFILE
+    mutex_off
     exit 2
 }
 
@@ -430,7 +431,7 @@ run_iptables()
     local status
 
     while [ 1 ]; do
-	$g_tool $@
+	eval $g_tool $@
 	status=$?
 	[ $status -ne 4 ] && break
     done
@@ -626,7 +627,7 @@ EOF
     fi
 }
 
-?IF __IPV4
+?if __IPV4
 #################################################################################
 #                        IPv4-specific Functions
 #################################################################################
@@ -838,13 +839,13 @@ detect_dynamic_gateway() { # $1 = interface
 	gateway=$( find_peer $($IP addr list $interface ) )
     fi
 
-    if [ -z "$gateway" -a -f /var/lib/dhcpcd/dhcpcd-${1}.info ]; then
-	eval $(grep ^GATEWAYS=  /var/lib/dhcpcd/dhcpcd-${1}.info 2> /dev/null)
+    if [ -z "$gateway" -a -f ${VARLIB}/dhcpcd/dhcpcd-${1}.info ]; then
+	eval $(grep ^GATEWAYS=  ${VARLIB}/dhcpcd/dhcpcd-${1}.info 2> /dev/null)
 	[ -n "$GATEWAYS" ] && GATEWAYS=${GATEWAYS%,*} && gateway=$GATEWAYS
     fi
 
-    if [ -z "$gateway" -a -f /var/lib/dhcp/dhclient-${1}.lease ]; then
-	gateway=$(grep 'option routers' /var/lib/dhcp/dhclient-${1}.lease | tail -n 1 | while read j1 j2 gateway; do echo $gateway ; return 0; done)
+    if [ -z "$gateway" -a -f ${VARLIB}/dhcp/dhclient-${1}.lease ]; then
+	gateway=$(grep 'option routers' ${VARLIB}/dhcp/dhclient-${1}.lease | tail -n 1 | while read j1 j2 gateway; do echo $gateway ; return 0; done)
     fi
 
     [ -n "$gateway" ] && echo $gateway
@@ -916,7 +917,12 @@ add_gateway() # $1 = Delta $2 = Table Number
 	delta=$1
 
 	if ! echo $route | fgrep -q ' nexthop '; then
-	    route=`echo $route | sed 's/via/nexthop via/'`
+	    if echo $route | fgrep -q via; then
+		route=`echo $route | sed 's/via/nexthop via/'`
+	    else
+		route="nexthop $route"
+	    fi
+
 	    dev=$(find_device $route)
 	    if [ -f ${VARDIR}/${dev}_weight ]; then
 		weight=`cat ${VARDIR}/${dev}_weight`
@@ -1027,7 +1033,7 @@ get_all_bcasts()
     $IP -f inet addr show 2> /dev/null | grep 'inet.*brd' | grep -v '/32 ' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
 }
 
-?ELSE
+?else
 #################################################################################
 #                        IPv6-specific Functions
 #################################################################################
@@ -1319,4 +1325,4 @@ clear_firewall() {
     logger -p kern.info "$g_product Cleared"
 }
 
-?ENDIF
+?endif # IPv6-specific functions.

Shorewall/Perl/prog.footer

@@ -24,7 +24,7 @@ usage() {
     echo "Options are:"
     echo
     echo "   -v and -q        Standard Shorewall verbosity controls"
-    echo "   -n               Don't unpdate routing configuration"
+    echo "   -n               Don't update routing configuration"
     echo "   -p               Purge Conntrack Table"
     echo "   -t               Timestamp progress Messages"
     echo "   -V <verbosity>   Set verbosity explicitly"
@@ -33,25 +33,25 @@ usage() {
 }
 
 checkkernelversion() {
+?if __IPV6
     local kernel
 
-    if [ $g_family -eq 6 ]; then
-	kernel=$(uname -r 2> /dev/null | sed -e 's/-.*//')
+    kernel=$(uname -r 2> /dev/null | sed -e 's/-.*//')
 
-	case "$kernel" in
-	    *.*.*)
-		kernel=$(printf "%d%02d%02d" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
-		;;
-	    *)
-		kernel=$(printf "%d%02d00" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2/g'))
-		;;
-	esac
+    case "$kernel" in
+	*.*.*)
+	    kernel=$(printf "%d%02d%02d" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
+	    ;;
+	*)
+	    kernel=$(printf "%d%02d00" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2/g'))
+	    ;;
+    esac
 
-	if [ $kernel -lt 20624 ]; then
-	    error_message "ERROR: $g_product requires Linux kernel 2.6.24 or later"
-	    return 1
-	fi
+    if [ $kernel -lt 20624 ]; then
+	error_message "ERROR: $g_product requires Linux kernel 2.6.24 or later"
+	return 1
     fi
+?endif
 
     return 0
 }
@@ -321,13 +321,12 @@ case "$COMMAND" in
 	;;
     status)
 	[ $# -ne 1 ] && usage 2
-	echo "$g_product-$SHOREWALL_VERSION Status at $(hostname) - $(date)"
-	echo
+	[ $VERBOSITY -ge 1 ] && echo "$g_product-$SHOREWALL_VERSION Status at $(hostname) - $(date)" &&	echo
 	if product_is_started; then
-	    echo "$g_product is running"
+	    [ $VERBOSITY -ge 1 ] && echo "$g_product is running"
 	    status=0
 	else
-	    echo "$g_product is stopped"
+	    [ $VERBOSITY -ge 1 ] && echo "$g_product is stopped"
 	    status=4
 	fi
 
@@ -341,8 +340,7 @@ case "$COMMAND" in
 	else
 	    state=Unknown
 	fi
-	echo "State:$state"
-	echo
+	[ $VERBOSITY -ge 1 ] && echo "State:$state" && echo
 	;;
     up|down)
 	[ $# -eq 1 ] && exit 0

Shorewall/Samples/Universal/interfaces

@@ -7,7 +7,7 @@
 # http://www.shorewall.net/manpages/shorewall-interfaces.html
 #
 ###############################################################################
-FORMAT 2
+?FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
 -	lo		ignore

Shorewall/Samples/Universal/rules

@@ -6,12 +6,14 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-rules.html
 #
-###################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
+######################################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS		SWITCH		HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
+#SECTION INVALID
+#SECTION UNTRACKED
 SECTION NEW
 Invalid(DROP)	net		$FW		tcp
 SSH(ACCEPT)	net		$FW

Shorewall/Samples/Universal/shorewall.conf

@@ -21,7 +21,9 @@ VERBOSITY=1
 #		                L O G G I N G
 ###############################################################################
 
-BLACKLIST_LOGLEVEL=
+BLACKLIST_LOG_LEVEL=
+
+INVALID_LOG_LEVEL=
 
 LOG_MARTIANS=Yes
 
@@ -41,6 +43,8 @@ MACLIST_LOG_LEVEL=info
 
 RELATED_LOG_LEVEL=
 
+RPFILTER_LOG_LEVEL=info
+
 SFILTER_LOG_LEVEL=info
 
 SMURF_LOG_LEVEL=info
@@ -49,10 +53,14 @@ STARTUP_LOG=/var/log/shorewall-init.log
 
 TCP_FLAGS_LOG_LEVEL=info
 
+UNTRACKED_LOG_LEVEL=
+
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
 
+ARPTABLES=
+
 CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall
 
 GEOIPDIR=/usr/share/xt_geoip/LE
@@ -67,6 +75,8 @@ LOCKFILE=
 
 MODULESDIR=
 
+NFACCT=
+
 PERL=/usr/bin/perl
 
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
@@ -110,11 +120,17 @@ ADD_SNAT_ALIASES=No
 
 ADMINISABSENTMINDED=Yes
 
-AUTO_COMMENT=Yes
+IGNOREUNKNOWNVARIABLES=No
+
+AUTOCOMMENT=Yes
+
+AUTOHELPERS=Yes
 
 AUTOMAKE=No
 
-BLACKLISTNEWONLY=Yes
+BLACKLIST="NEW,INVALID,UNTRACKED"
+
+CHAIN_SCRIPTS=No
 
 CLAMPMSS=No
 
@@ -122,6 +138,8 @@ CLEAR_TC=Yes
 
 COMPLETE=Yes
 
+DEFER_DNS_RESOLUTION=Yes
+
 DISABLE_IPV6=No
 
 DELETE_THEN_ADD=Yes
@@ -140,6 +158,8 @@ FASTACCEPT=Yes
 
 FORWARD_CLEAR_MARK=
 
+HELPERS=
+
 IMPLICIT_CONTINUE=No
 
 IPSET_WARNINGS=Yes
@@ -170,7 +190,7 @@ MUTEX_TIMEOUT=60
 
 NULL_ROUTE_RFC1918=No
 
-OPTIMIZE=31
+OPTIMIZE=All
 
 OPTIMIZE_ACCOUNTING=No
 
@@ -178,10 +198,14 @@ REQUIRE_INTERFACE=Yes
 
 RESTORE_DEFAULT_ROUTE=Yes
 
+RESTORE_ROUTEMARKS=Yes
+
 RETAIN_ALIASES=No
 
 ROUTE_FILTER=No
 
+SAVE_ARPTABLES=No
+
 SAVE_IPSETS=No
 
 TC_ENABLED=Internal
@@ -192,10 +216,16 @@ TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
 
 TRACK_PROVIDERS=Yes
 
+TRACK_RULES=No
+
 USE_DEFAULT_RT=No
 
 USE_PHYSICAL_NAMES=No
 
+USE_RT_NAMES=No
+
+WARNOLDCAPVERSION=Yes
+
 ZONE2ZONE=2
 
 ###############################################################################
@@ -204,16 +234,22 @@ ZONE2ZONE=2
 
 BLACKLIST_DISPOSITION=DROP
 
+INVALID_DISPOSITION=CONTINUE
+
 MACLIST_DISPOSITION=REJECT
 
 RELATED_DISPOSITION=ACCEPT
 
+RPFILTER_DISPOSITION=DROP
+
 SMURF_DISPOSITION=DROP
 
 SFILTER_DISPOSITION=DROP
 
 TCP_FLAGS_DISPOSITION=DROP
 
+UNTRACKED_DISPOSITION=CONTINUE
+
 ################################################################################
 #			P A C K E T  M A R K  L A Y O U T
 ################################################################################

Shorewall/Samples/one-interface/interfaces

@@ -11,7 +11,7 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-interfaces"
 ###############################################################################
-FORMAT 2
+?FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
 net     eth0            dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0

Shorewall/Samples/one-interface/rules

@@ -10,12 +10,14 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall-rules"
-######################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
+######################################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS		SWITCH		HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
+#SECTION INVALID
+#SECTION UNTRACKED
 SECTION NEW
 
 # Drop packets in the INVALID state

Shorewall/Samples/one-interface/shorewall.conf

@@ -32,7 +32,9 @@ VERBOSITY=1
 #		                L O G G I N G
 ###############################################################################
 
-BLACKLIST_LOGLEVEL=
+BLACKLIST_LOG_LEVEL=
+
+INVALID_LOG_LEVEL=
 
 LOG_MARTIANS=Yes
 
@@ -52,6 +54,8 @@ MACLIST_LOG_LEVEL=info
 
 RELATED_LOG_LEVEL=
 
+RPFILTER_LOG_LEVEL=info
+
 SFILTER_LOG_LEVEL=info
 
 SMURF_LOG_LEVEL=info
@@ -60,10 +64,14 @@ STARTUP_LOG=/var/log/shorewall-init.log
 
 TCP_FLAGS_LOG_LEVEL=info
 
+UNTRACKED_LOG_LEVEL=
+
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
 
+ARPTABLES=
+
 CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall
 
 GEOIPDIR=/usr/share/xt_geoip/LE
@@ -78,6 +86,8 @@ LOCKFILE=
 
 MODULESDIR=
 
+NFACCT=
+
 PERL=/usr/bin/perl
 
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
@@ -121,11 +131,17 @@ ADD_SNAT_ALIASES=No
 
 ADMINISABSENTMINDED=Yes
 
-AUTO_COMMENT=Yes
+IGNOREUNKNOWNVARIABLES=No
+
+AUTOCOMMENT=Yes
+
+AUTOHELPERS=Yes
 
 AUTOMAKE=No
 
-BLACKLISTNEWONLY=Yes
+BLACKLIST="NEW,INVALID,UNTRACKED"
+
+CHAIN_SCRIPTS=No
 
 CLAMPMSS=No
 
@@ -133,6 +149,8 @@ CLEAR_TC=Yes
 
 COMPLETE=No
 
+DEFER_DNS_RESOLUTION=Yes
+
 DISABLE_IPV6=No
 
 DELETE_THEN_ADD=Yes
@@ -151,6 +169,8 @@ FASTACCEPT=No
 
 FORWARD_CLEAR_MARK=
 
+HELPERS=
+
 IMPLICIT_CONTINUE=No
 
 IPSET_WARNINGS=Yes
@@ -181,7 +201,7 @@ MUTEX_TIMEOUT=60
 
 NULL_ROUTE_RFC1918=No
 
-OPTIMIZE=31
+OPTIMIZE=All
 
 OPTIMIZE_ACCOUNTING=No
 
@@ -189,10 +209,14 @@ REQUIRE_INTERFACE=No
 
 RESTORE_DEFAULT_ROUTE=Yes
 
+RESTORE_ROUTEMARKS=Yes
+
 RETAIN_ALIASES=No
 
 ROUTE_FILTER=No
 
+SAVE_ARPTABLES=No
+
 SAVE_IPSETS=No
 
 TC_ENABLED=Internal
@@ -203,10 +227,16 @@ TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
 
 TRACK_PROVIDERS=Yes
 
+TRACK_RULES=No
+
 USE_DEFAULT_RT=No
 
 USE_PHYSICAL_NAMES=No
 
+USE_RT_NAMES=No
+
+WARNOLDCAPVERSION=Yes
+
 ZONE2ZONE=2
 
 ###############################################################################
@@ -215,16 +245,22 @@ ZONE2ZONE=2
 
 BLACKLIST_DISPOSITION=DROP
 
+INVALID_DISPOSITION=CONTINUE
+
 MACLIST_DISPOSITION=REJECT
 
 RELATED_DISPOSITION=ACCEPT
 
+RPFILTER_DISPOSITION=DROP
+
 SMURF_DISPOSITION=DROP
 
 SFILTER_DISPOSITION=DROP
 
 TCP_FLAGS_DISPOSITION=DROP
 
+UNTRACKED_DISPOSITION=CONTINUE
+
 ################################################################################
 #			P A C K E T  M A R K  L A Y O U T
 ################################################################################

Shorewall/Samples/three-interfaces/interfaces

@@ -11,7 +11,7 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-interfaces"
 ###############################################################################
-FORMAT 2
+?FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
 net     eth0            tcpflags,dhcp,nosmurfs,routefilter,logmartians,sourceroute=0

Shorewall/Samples/three-interfaces/rules

@@ -10,12 +10,14 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-rules"
-######################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
+######################################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS		SWITCH		HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
+#SECTION INVALID
+#SECTION UNTRACKED
 SECTION NEW
 
 #       Don't allow connection pickup from the net

Shorewall/Samples/three-interfaces/shorewall.conf

@@ -30,7 +30,9 @@ VERBOSITY=1
 #		                L O G G I N G
 ###############################################################################
 
-BLACKLIST_LOGLEVEL=
+BLACKLIST_LOG_LEVEL=
+
+INVALID_LOG_LEVEL=
 
 LOG_MARTIANS=Yes
 
@@ -50,6 +52,8 @@ MACLIST_LOG_LEVEL=info
 
 RELATED_LOG_LEVEL=
 
+RPFILTER_LOG_LEVEL=info
+
 SFILTER_LOG_LEVEL=info
 
 SMURF_LOG_LEVEL=info
@@ -58,10 +62,14 @@ STARTUP_LOG=/var/log/shorewall-init.log
 
 TCP_FLAGS_LOG_LEVEL=info
 
+UNTRACKED_LOG_LEVEL=
+
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
 
+ARPTABLES=
+
 CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall
 
 GEOIPDIR=/usr/share/xt_geoip/LE
@@ -76,6 +84,8 @@ LOCKFILE=
 
 MODULESDIR=
 
+NFACCT=
+
 PERL=/usr/bin/perl
 
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
@@ -119,11 +129,17 @@ ADD_SNAT_ALIASES=No
 
 ADMINISABSENTMINDED=Yes
 
-AUTO_COMMENT=Yes
+IGNOREUNKNOWNVARIABLES=No
+
+AUTOCOMMENT=Yes
+
+AUTOHELPERS=Yes
 
 AUTOMAKE=No
 
-BLACKLISTNEWONLY=Yes
+BLACKLIST="NEW,INVALID,UNTRACKED"
+
+CHAIN_SCRIPTS=No
 
 CLAMPMSS=Yes
 
@@ -131,6 +147,8 @@ CLEAR_TC=Yes
 
 COMPLETE=No
 
+DEFER_DNS_RESOLUTION=Yes
+
 DISABLE_IPV6=No
 
 DELETE_THEN_ADD=Yes
@@ -149,6 +167,8 @@ FASTACCEPT=No
 
 FORWARD_CLEAR_MARK=
 
+HELPERS=
+
 IMPLICIT_CONTINUE=No
 
 IPSET_WARNINGS=Yes
@@ -179,7 +199,7 @@ MUTEX_TIMEOUT=60
 
 NULL_ROUTE_RFC1918=No
 
-OPTIMIZE=31
+OPTIMIZE=All
 
 OPTIMIZE_ACCOUNTING=No
 
@@ -187,10 +207,14 @@ REQUIRE_INTERFACE=No
 
 RESTORE_DEFAULT_ROUTE=Yes
 
+RESTORE_ROUTEMARKS=Yes
+
 RETAIN_ALIASES=No
 
 ROUTE_FILTER=No
 
+SAVE_ARPTABLES=No
+
 SAVE_IPSETS=No
 
 TC_ENABLED=Internal
@@ -201,10 +225,16 @@ TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
 
 TRACK_PROVIDERS=Yes
 
+TRACK_RULES=No
+
 USE_DEFAULT_RT=No
 
 USE_PHYSICAL_NAMES=No
 
+USE_RT_NAMES=No
+
+WARNOLDCAPVERSION=Yes
+
 ZONE2ZONE=2
 
 ###############################################################################
@@ -213,16 +243,22 @@ ZONE2ZONE=2
 
 BLACKLIST_DISPOSITION=DROP
 
+INVALID_DISPOSITION=CONTINUE
+
 MACLIST_DISPOSITION=REJECT
 
 RELATED_DISPOSITION=ACCEPT
 
+RPFILTER_DISPOSITION=DROP
+
 SMURF_DISPOSITION=DROP
 
 SFILTER_DISPOSITION=DROP
 
 TCP_FLAGS_DISPOSITION=DROP
 
+UNTRACKED_DISPOSITION=CONTINUE
+
 ################################################################################
 #			P A C K E T  M A R K  L A Y O U T
 ################################################################################

Shorewall/Samples/three-interfaces/stoppedrules

@@ -1,6 +1,6 @@
 #
-# Shorewall6 version 4.0 - Sample Routestopped File for two-interface configuration.
-# Copyright (C) 2006,2008 by the Shorewall Team
+# Shorewall version 4.5 - Sample Stoppedrules File for three-interface configuration.
+# Copyright (C) 2012 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -9,11 +9,12 @@
 #
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
-# For information about entries in this file, type "man shorewall6-routestopped"
-#
-# See http://shorewall.net/starting_and_stopping_shorewall.htm for additional
-# information.
-#
-##############################################################################
-#INTERFACE	HOST(S)                  OPTIONS
-eth1		-
+# For information about entries in this file, type "man shorewall-stoppedrules"
+###############################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST		SOURCE
+#							PORT(S)		PORT(S)
+ACCEPT		eth1		-
+ACCEPT		-		eth1
+ACCEPT		eth2		-
+ACCEPT		-		eth2
+

Shorewall/Samples/two-interfaces/interfaces

@@ -11,7 +11,7 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-interfaces"
 ###############################################################################
-FORMAT 2
+?FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
 net     eth0            dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0

Shorewall/Samples/two-interfaces/rules

@@ -10,12 +10,14 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-rules"
-######################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
+######################################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS		SWITCH		HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
+#SECTION INVALID
+#SECTION UNTRACKED
 SECTION NEW
 
 #       Don't allow connection pickup from the net

Shorewall/Samples/two-interfaces/shorewall.conf

@@ -33,7 +33,9 @@ VERBOSITY=1
 #		                L O G G I N G
 ###############################################################################
 
-BLACKLIST_LOGLEVEL=
+BLACKLIST_LOG_LEVEL=
+
+INVALID_LOG_LEVEL=
 
 LOG_MARTIANS=Yes
 
@@ -53,6 +55,8 @@ MACLIST_LOG_LEVEL=info
 
 RELATED_LOG_LEVEL=
 
+RPFILTER_LOG_LEVEL=info
+
 SFILTER_LOG_LEVEL=info
 
 SMURF_LOG_LEVEL=info
@@ -61,10 +65,14 @@ STARTUP_LOG=/var/log/shorewall-init.log
 
 TCP_FLAGS_LOG_LEVEL=info
 
+UNTRACKED_LOG_LEVEL=
+
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
 
+ARPTABLES=
+
 CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall
 
 GEOIPDIR=/usr/share/xt_geoip/LE
@@ -79,6 +87,8 @@ LOCKFILE=
 
 MODULESDIR=
 
+NFACCT=
+
 PERL=/usr/bin/perl
 
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
@@ -122,11 +132,17 @@ ADD_SNAT_ALIASES=No
 
 ADMINISABSENTMINDED=Yes
 
-AUTO_COMMENT=Yes
+IGNOREUNKNOWNVARIABLES=No
+
+AUTOCOMMENT=Yes
+
+AUTOHELPERS=Yes
 
 AUTOMAKE=No
 
-BLACKLISTNEWONLY=Yes
+BLACKLIST="NEW,INVALID,UNTRACKED"
+
+CHAIN_SCRIPTS=No
 
 CLAMPMSS=Yes
 
@@ -134,6 +150,8 @@ CLEAR_TC=Yes
 
 COMPLETE=No
 
+DEFER_DNS_RESOLUTION=Yes
+
 DISABLE_IPV6=No
 
 DELETE_THEN_ADD=Yes
@@ -152,6 +170,8 @@ FASTACCEPT=No
 
 FORWARD_CLEAR_MARK=
 
+HELPERS=
+
 IMPLICIT_CONTINUE=No
 
 IPSET_WARNINGS=Yes
@@ -182,7 +202,7 @@ MUTEX_TIMEOUT=60
 
 NULL_ROUTE_RFC1918=No
 
-OPTIMIZE=31
+OPTIMIZE=All
 
 OPTIMIZE_ACCOUNTING=No
 
@@ -190,10 +210,14 @@ REQUIRE_INTERFACE=No
 
 RESTORE_DEFAULT_ROUTE=Yes
 
+RESTORE_ROUTEMARKS=Yes
+
 RETAIN_ALIASES=No
 
 ROUTE_FILTER=No
 
+SAVE_ARPTABLES=No
+
 SAVE_IPSETS=No
 
 TC_ENABLED=Internal
@@ -204,10 +228,16 @@ TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
 
 TRACK_PROVIDERS=Yes
 
+TRACK_RULES=No
+
 USE_DEFAULT_RT=No
 
 USE_PHYSICAL_NAMES=No
 
+USE_RT_NAMES=No
+
+WARNOLDCAPVERSION=Yes
+
 ZONE2ZONE=2
 
 ###############################################################################
@@ -216,16 +246,22 @@ ZONE2ZONE=2
 
 BLACKLIST_DISPOSITION=DROP
 
+INVALID_DISPOSITION=CONTINUE
+
 MACLIST_DISPOSITION=REJECT
 
 RELATED_DISPOSITION=ACCEPT
 
+RPFILTER_DISPOSITION=DROP
+
 SMURF_DISPOSITION=DROP
 
 SFILTER_DISPOSITION=DROP
 
 TCP_FLAGS_DISPOSITION=DROP
 
+UNTRACKED_DISPOSITION=CONTINUE
+
 ################################################################################
 #			P A C K E T  M A R K  L A Y O U T
 ################################################################################

Shorewall/Samples/two-interfaces/stoppedrules

@@ -1,6 +1,6 @@
 #
-# Shorewall version 4.0 - Sample Routestopped File for two-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Shorewall version 4.5 - Sample Stoppedrules File for two-interface configuration.
+# Copyright (C) 2012 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -9,7 +9,9 @@
 #
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
-# For information about entries in this file, type "man shorewall-routestopped"
-##############################################################################
-#INTERFACE	HOST(S)                  OPTIONS
-eth1		-
+# For information about entries in this file, type "man shorewall-stoppedrules"
+###############################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST		SOURCE
+#							PORT(S)		PORT(S)
+ACCEPT		eth1		-
+ACCEPT		-		eth1

Shorewall/action.A_Drop

@@ -24,9 +24,9 @@
 #
 COUNT
 #
-# Reject 'auth'
+# Silently DROP 'auth'
 #
-Auth(A_REJECT)
+Auth(A_DROP)
 #
 # Don't log broadcasts
 #

Shorewall/action.A_Reject

@@ -20,10 +20,6 @@
 #
 COUNT
 #
-# Don't log 'auth' -- REJECT
-#
-Auth(A_REJECT)
-#
 # Drop Broadcasts so they don't clutter up the log
 # (broadcasts must *not* be rejected).
 #

Shorewall/action.AutoBL

@@ -0,0 +1,59 @@
+#
+# Shorewall version 4 - Auto Blacklist Action
+#
+# Parameters are:
+#
+#    Event          - Name of the event to associate with this blacklist
+#    Interval
+#    Count          - Interval and number of Packets to trigger blacklisting
+#                     Default is 60 seconds and 5 packets.
+#    Successive     - If a matching packet arrives within this many
+#                     seconds of the preceding one, it should be logged
+#                     and dealt with according to the Disposition and
+#                     Log Level parameters below. Default is 2 seconds.
+#    Blacklist time - Number of seconds to blacklist
+#                     Default is 300 (5 minutes)
+#    Disposition    - Disposition of blacklisted packets
+#                     Default is DROP
+#    Log Level      - Level to Log Rejects
+#                     Default is info (6)
+#
+?format 2
+DEFAULTS -,60,5,2,300,DROP,info
+
+?begin perl
+my ( $event, $interval, $count, $successive, $bltime, $disposition, $level ) = get_action_params(7);
+
+fatal_error "The event name parameter to AutoBL is required"            unless supplied $event;
+fatal_error "Invalid interval ($interval) passed to AutoBL"             unless $interval =~ /^\d+$/ && $interval;
+fatal_error "Invalid successive interval ($succesive) passed to AutoBL" unless $successive =~ /^\d+$/;
+fatal_error "Invalid packet count ($count) passed to AutoBL"            unless $count =~ /^\d+$/ && $count;
+fatal_error "Invalid blacklist time ($bltime) passed to AutoBL"         unless $bltime =~ /^\d+$/ && $bltime;
+validate_level( $level );
+
+?end perl
+###############################################################################
+#TARGET		SOURCE	DEST	PROTO	DPORT	SPORT
+#
+# Silently reject the client if blacklisted
+#
+IfEvent(${1}_BL,$6,$5,1,src,check:reap)
+#
+# Blacklist if M attempts in the last N seconds
+#
+IfEvent($1,AutoBLL($1,$6,$7),$2,$3,src,check:reap)
+#
+# Log and reject if the client has tried to connect
+# in the last N seconds
+#
+?if $4
+IfEvent($1,$6:$7,$4,1,-,update,Added)
+?endif
+#
+# Un-blacklist the client
+#
+ResetEvent(${1}_BL,LOG:$7,-,Removed)
+#
+# Set the event and accept the connection
+#
+SetEvent($1,ACCEPT,src)

Shorewall/action.AutoBLL

@@ -0,0 +1,20 @@
+#
+# Shorewall version 4 - Auto Blacklisting Logger Action
+#
+# Arguments are
+#
+#    Event:       Name of the blacklisted event
+#    Disposition: What to do with packets
+#    Level:       Log level and optional tag for logging.
+###############################################################################
+#TARGET		SOURCE	DEST	PROTO	DPORT	SPORT
+#
+# Log the Reject
+#
+?if "$3" ne 'none'
+LOG:$3
+?endif
+#
+# And set the AutoBL Event for the SOURCE IP address
+#
+SetEvent(${1}_BL,$2,src)

Shorewall/action.Broadcast

@@ -27,11 +27,11 @@
 #       Default action is DROP
 #
 ##########################################################################################
-FORMAT 2
+?format 2
 
 DEFAULTS DROP,-
 
-?BEGIN PERL;
+?begin perl;
 
 use Shorewall::IPAddrs;
 use Shorewall::Config;
@@ -43,6 +43,7 @@ fatal_error "Invalid parameter ($audit) to action Broadcast"   if supplied $audi
 fatal_error "Invalid parameter ($action) to action Broadcast"  unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
 
 my $chainref           = get_action_chain;
+
 my ( $level, $tag )    = get_action_logging;
 my $target             = require_audit ( $action , $audit );
 
@@ -70,4 +71,4 @@ add_jump $chainref, $target, 0, '-d 224.0.0.0/4 ';
 
 1;
 
-?END PERL;
+?end perl;

Shorewall/action.Drop

@@ -9,18 +9,15 @@
 #	of the action is:
 #
 #	a) Avoid logging lots of useless cruft.
-#	b) Ensure that 'auth' requests are rejected, even if the policy is
-#	   DROP. Otherwise, you may experience problems establishing
-#	   connections with servers that use auth.
-#	c) Ensure that certain ICMP packets that are necessary for successful
+#	b) Ensure that certain ICMP packets that are necessary for successful
 #	   internet operation are always ACCEPTed.
 #
 #  The action accepts five optional parameters:
 #
 #	1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
 #           actions.
-#       2 - Action to take with Auth requests. Default is REJECT or A_REJECT,
-#           depending on the setting of the first parameter.
+#       2 - Action to take with Auth requests. Default is to do nothing special
+#	    with them.
 #	3 - Action to take with SMB requests. Default is DROP or A_DROP,
 #           depending on the setting of the first parameter.
 #       4 - Action to take with required ICMP packets. Default is ACCEPT or
@@ -31,19 +28,18 @@
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 #
 ###############################################################################
-FORMAT 2
+?format 2
 #
-# The following magic provides different defaults for $2 thru $5, when $1 is
+# The following magic provides different defaults for @2 thru @5, when @1 is
 # 'audit'.
 #
-?BEGIN PERL;
+?begin perl;
 use Shorewall::Config;
 
 my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
 
 if ( defined $p1 ) {
     if ( $p1 eq 'audit' ) {
-	set_action_param( 2, 'A_REJECT')   unless supplied $p2;
 	set_action_param( 3, 'A_DROP')     unless supplied $p3;
 	set_action_param( 4, 'A_ACCEPT' )  unless supplied $p4;
 	set_action_param( 5, 'A_DROP' )    unless supplied $p5;
@@ -54,9 +50,9 @@ if ( defined $p1 ) {
 
 1;
 
-?END PERL;
+?end perl;
 
-DEFAULTS -,REJECT,DROP,ACCEPT,DROP
+DEFAULTS -,-,DROP,ACCEPT,DROP
 
 #TARGET		SOURCE	DEST	PROTO	DPORT	SPORT
 #
@@ -64,33 +60,35 @@ DEFAULTS -,REJECT,DROP,ACCEPT,DROP
 #
 COUNT
 #
-# Reject 'auth'
+# Special Handling for Auth
 #
-Auth($2)
+?if @2 ne '-'
+Auth(@2)
+?endif
 #
 # Don't log broadcasts
 #
-Broadcast(DROP,$1)
+Broadcast(DROP,@1)
 #
 # ACCEPT critical ICMP types
 #
-AllowICMPs($4)	-	-	icmp
+AllowICMPs(@4)	-	-	icmp
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log.
 #
-Invalid(DROP,$1)
+Invalid(DROP,@1)
 #
 # Drop Microsoft noise so that it doesn't clutter up the log.
 #
-SMB($3)
-DropUPnP($5)
+SMB(@3)
+DropUPnP(@5)
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #
-NotSyn(DROP,$1)	-	-	tcp
+NotSyn(DROP,@1)	-	-	tcp
 #
 # Drop late-arriving DNS replies. These are just a nuisance and clutter up
 # the log.
 #
-DropDNSrep($5)
+DropDNSrep(@5)