Correct typo in shorewall-masq(5)

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/configure

@@ -76,7 +76,7 @@ for p in $@; do
 		    pn=HOST
 		    ;;
 		SHAREDSTATEDIR)
-		    pn=VARDIR
+		    pn=VARLIB
 		    ;;
 		DATADIR)
 		    pn=SHAREDIR
@@ -161,6 +161,17 @@ if [ $# -gt 0 ]; then
     echo '#'           >> shorewallrc
 fi
 
+if [ -n "${options[VARLIB]}" ]; then
+    if [ -z "${options[VARDIR]}" ]; then
+	options[VARDIR]='${VARLIB}/${PRODUCT}'
+    fi
+elif [ -n "${options[VARDIR]}" ]; then
+    if [ -z "{$options[VARLIB]}" ]; then
+	options[VARLIB]=${options[VARDIR]}
+	options[VARDIR]='${VARLIB}/${PRODUCT}'
+    fi
+fi
+
 for on in \
     HOST \
     PREFIX \
@@ -180,6 +191,7 @@ for on in \
     SYSCONFDIR \
     SPARSE \
     ANNOTATED \
+    VARLIB \
     VARDIR
 do
     echo "$on=${options[${on}]}"

Shorewall-core/configure.pl

@@ -38,7 +38,7 @@ my %params;
 my %options;
 
 my %aliases = ( VENDOR         => 'HOST',
-		SHAREDSTATEDIR => 'VARDIR',
+		SHAREDSTATEDIR => 'VARLIB',
 		DATADIR        => 'SHAREDIR' );
 
 for ( @ARGV ) {
@@ -123,6 +123,15 @@ printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s %2d
 
 print  $outfile "# Input: @ARGV\n#\n" if @ARGV;
 
+if ( $options{VARLIB} ) {
+    unless ( $options{VARDIR} ) {
+	$options{VARDIR} = '${VARLIB}/${PRODUCT}';
+    }
+} elsif ( $options{VARDIR} ) {
+    $options{VARLIB} = $options{VARDIR};
+    $options{VARDIR} = '${VARLIB}/${PRODUCT}';
+}
+
 for ( qw/ HOST
 	  PREFIX
 	  SHAREDIR
@@ -141,6 +150,7 @@ for ( qw/ HOST
 	  SYSCONFDIR
 	  SPARSE
 	  ANNOTATED
+	  VARLIB
 	  VARDIR / ) {
 
     my $val = $options{$_} || '';

Shorewall-core/install.sh

@@ -164,7 +164,18 @@ else
     usage 1
 fi
 
-for var in SHAREDIR LIBEXECDIR PERLLIBDIR CONFDIR SBINDIR VARDIR; do
+update=0
+
+if [ -z "${VARLIB}" ]; then
+    VARLIB=${VARDIR}
+    VARDIR="${VARLIB}/${PRODUCT}"
+    update=1
+elif [ -z "${VARDIR}" ]; then
+    VARDIR="${VARLIB}/${PRODUCT}"
+    update=2
+fi
+
+for var in SHAREDIR LIBEXECDIR PERLLIBDIR CONFDIR SBINDIR VARLIB VARDIR; do
     require $var
 done
 
@@ -346,9 +357,25 @@ ln -sf lib.base ${DESTDIR}${SHAREDIR}/shorewall/functions
 echo "$VERSION" > ${DESTDIR}${SHAREDIR}/shorewall/coreversion
 chmod 644 ${DESTDIR}${SHAREDIR}/shorewall/coreversion
 
-[ $file != "${SHAREDIR}/shorewall/shorewallrc" ] && cp $file ${DESTDIR}${SHAREDIR}/shorewall/shorewallrc
+if [ -z "${DESTDIR}" ]; then
+    if [ $update -ne 0 ]; then
+	echo "Updating $file - original saved in $file.bak"
 
-[ -z "${DESTDIR}" ] && [ ! -f ~/.shorewallrc ] && cp ${SHAREDIR}/shorewall/shorewallrc ~/.shorewallrc
+	cp $file $file.bak
+
+	echo '#'                                             >> $file
+	echo "# Updated by Shorewall-core $VERSION -" `date` >> $file
+	echo '#'                                             >> $file
+
+	[ $update -eq 1 ] && sed -i 's/VARDIR/VARLIB/' $file
+
+	echo 'VARDIR=${VARLIB}/${PRODUCT}' >> $file
+    fi
+
+    [ ! -f ~/.shorewallrc ] && cp ${SHAREDIR}/shorewall/shorewallrc ~/.shorewallrc
+fi
+
+[ $file != "${DESTDIR}${SHAREDIR}/shorewall/shorewallrc" ] && cp $file ${DESTDIR}${SHAREDIR}/shorewall/shorewallrc
 
 if [ ${SHAREDIR} != /usr/share ]; then
     for f in lib.*; do

Shorewall-core/lib.base

@@ -20,15 +20,11 @@
 #	along with this program; if not, write to the Free Software
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-# This library contains the code common to all Shorewall components.
-#
-# - It is loaded by /sbin/shorewall.
-# - It is released as part of Shorewall[6] Lite where it is used by /sbin/shorewall[6]-lite
-#   and /usr/share/shorewall[6]-lite/shorecap.
+# This library contains the code common to all Shorewall components except the
+# generated scripts.
 #
 
-SHOREWALL_LIBVERSION=40502
-SHOREWALL_CAPVERSION=40507
+SHOREWALL_LIBVERSION=40509
 
 [ -n "${g_program:=shorewall}" ]
 
@@ -38,11 +34,7 @@ if [ -z "$g_readrc" ]; then
     #
     . /usr/share/shorewall/shorewallrc
 
-    g_libexec="$LIBEXECDIR"
     g_sharedir="$SHAREDIR"/$g_program
-    g_sbindir="$SBINDIR"
-    g_perllib="$PERLLIBDIR"
-    g_vardir="$VARDIR"
     g_confdir="$CONFDIR"/$g_program
     g_readrc=1
 fi
@@ -53,13 +45,13 @@ case $g_program in
     shorewall)
 	g_product="Shorewall"
 	g_family=4
-	g_tool=
+	g_tool=iptables
 	g_lite=
 	;;
     shorewall6)
 	g_product="Shorewall6"
 	g_family=6
-	g_tool=
+	g_tool=ip6tables
 	g_lite=
 	;;
     shorewall-lite)
@@ -76,7 +68,12 @@ case $g_program in
 	;;
 esac
 
-VARDIR=${VARDIR}/${g_program}
+if [ -z "${VARLIB}" ]; then
+    VARLIB=${VARDIR}
+    VARDIR=${VARLIB}/$g_program
+elif [ -z "${VARDIR}" ]; then
+    VARDIR="${VARLIB}/${PRODUCT}"
+fi
 
 #
 # Conditionally produce message

Shorewall-core/lib.cli

@@ -21,20 +21,21 @@
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # This library contains the command processing code common to /sbin/shorewall[6] and
-# /sbin/shorewall[6]-lite.
+# /sbin/shorewall[6]-lite. In Shorewall and Shorewall6, the lib.cli-std library is 
+# loaded after this one and replaces some of the functions declared here.
 #
 
+SHOREWALL_CAPVERSION=40509
+
+[ -n "${g_program:=shorewall}" ]
+
 if [ -z "$g_readrc" ]; then
     #
     # This is modified by the installer when ${SHAREDIR} <> /usr/share
     #
     . /usr/share/shorewall/shorewallrc
 
-    g_libexec="$LIBEXECDIR"
     g_sharedir="$SHAREDIR"/$g_program
-    g_sbindir="$SBINDIR"
-    g_perllib="$PERLLIBDIR"
-    g_vardir="$VARDIR"
     g_confdir="$CONFDIR"/$g_program
     g_readrc=1
 fi
@@ -435,21 +436,42 @@ save_config() {
 #
 sort_routes() {
     local dest
+    local second
     local rest
-    local crvsn
+    local vlsm
+    local maxvlsm
+    local rule
 
-    while read dest rest; do
+    if [ $g_family -eq 4 ]; then
+	maxvlsm=032
+    else
+	maxvlsm=128
+    fi
+
+    while read dest second rest; do
 	if [ -n "$dest" ]; then
+	    rule="$dest $second $rest"
 	    case "$dest" in
 		default)
-		    echo "00 $dest $rest"
+		    echo "000 $rule"
+		    ;;
+		blackhole|local)
+		    case "$second" in
+			*/*)
+			    vlsm=${second#*/}
+			    printf "%03d %s\n" $vlsm "$rule"
+			    ;;
+			*)
+			    echo "$maxvlsm $rule"
+			    ;;
+		    esac
 		    ;;
 		*/*)
-		    crvsn=${dest#*/}
-		    printf "%02d %s\n" $crvsn "$dest $rest"
+		    vlsm=${dest#*/}
+		    printf "%03d %s\n" $vlsm "$rule"
 		    ;;
 		*)
-		    echo "32 $dest $rest"
+		    echo "$maxvlsm $rule"
 		    ;;
 	    esac
 	fi
@@ -480,7 +502,7 @@ show_routing() {
 	ip -$g_family rule list | find_tables | sort -u | while read table; do
 	    heading "Table $table:"
 	    if [ $g_family -eq 6 ]; then
-		ip -$g_family -o route list table $table | fgrep -v cache
+		ip -$g_family -o route list table $table | fgrep -v cache | sort_routes
 	    else
 		ip -4 -o route list table $table | sort_routes
 	    fi
@@ -493,13 +515,33 @@ show_routing() {
     else
 	heading "Routing Table"
 	if [ $g_family -eq 6 ]; then
-	    ip -$g_family -o route list | fgrep -v cache
+	    ip -$g_family -o route list | fgrep -v cache | sort_routes
 	else
 	    ip -4 -o route list table $table | sort_routes
 	fi
     fi
 }
 
+determine_ipset_version() {
+    local setname
+
+    if [ -z "$IPSET" -o $IPSET = ipset ]; then
+	IPSET=$(mywhich ipset)
+	[ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"
+    fi
+
+    setname=fooX$$
+
+    qt ipset -X $setname # Just in case something went wrong the last time
+
+    if qt ipset -N $setname hash:ip family inet; then
+	qt ipset -X $setname
+	IPSETN="$IPSET"
+    else
+	IPSETN="$IPSET -n"
+    fi
+}
+
 #
 # 'list dynamic' command executor
 #
@@ -507,7 +549,7 @@ find_sets() {
     local junk
     local setname
 
-    ipset -L -n | grep "^Name: ${1}_" | while read junk setname; do echo $setname; done
+    $IPSETN -L | egrep "^Name: ${1}(_.+)?$" | while read junk setname; do echo $setname; done
 }
 
 list_zone() {
@@ -515,22 +557,22 @@ list_zone() {
     local sets
     local setname
 
-    [ -n "$(mywhich ipset)" ] || fatal_error "The ipset utility cannot be located"
+    determine_ipset_version
 
     if [ $g_family -eq 4 ]; then
-	sets=$(ipset -L -n | grep '^$1_');
+	sets=$($IPSETN -L | egrep "^$1(_.+)?");
      else
-	sets=$(ipset -L -n | grep "^6_$1_")
+	sets=$($IPSETN -L | egrep "^6_$1(_.+)?")
     fi
 
     [ -n "$sets" ] || sets=$(find_sets $1)
 
     for setname in $sets; do
 	echo "${setname#${1}_}:"
-	ipset -L $setname -n | awk 'BEGIN        {prnt=0;}; \
-                                    /^Members:/  {prnt=1; next; }; \
-                                    /^Bindings:/ {prnt=0; }; \
-                                                 { if (prnt == 1) print "   ", $1; };'
+	$IPSETN -L $setname | awk 'BEGIN        {prnt=0;}; \
+                                   /^Members:/  {prnt=1; next; }; \
+                                   /^Bindings:/ {prnt=0; }; \
+                                                { if (prnt == 1) print "   ", $1; };'
     done
 }
 
@@ -639,6 +681,8 @@ show_command() {
     table=filter
     local table_given
     table_given=
+    local output_filter
+    output_filter=cat
 
     show_macro() {
 	foo=`grep 'This macro' $macro | sed 's/This macro //'`
@@ -653,6 +697,16 @@ show_command() {
 	fi
     }
 
+    # eliminates rules which have not been used from ip*tables' output
+    brief_output() {
+	awk \
+	'/^Chain /  { heading1 = $0; getline heading2; printed = 0; next; };
+         /^ +0 +0 / { next; };
+         /^$/       { if ( printed == 1 ) { print $0; }; next; };
+                    { if ( printed == 0 ) { print heading1; print heading2; printed = 1 }; };
+	            { print; }';
+    }
+
     while [ $finished -eq 0 -a $# -gt 0 ]; do
 	option=$1
 	case $option in
@@ -705,6 +759,10 @@ show_command() {
 			    g_routecache=Yes
 			    option=${option#c}
 			    ;;
+			b*)
+			    output_filter=brief_output
+			    option=${option#b}
+			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -722,6 +780,7 @@ show_command() {
 
 
     [ -n "$g_debugging" ] && set -x
+
     case "$1" in
 	connections)
 	    [ $# -gt 1 ] && usage 1
@@ -765,28 +824,28 @@ show_command() {
 	    echo "$g_product $SHOREWALL_VERSION NAT Table at $g_hostname - $(date)"
 	    echo
 	    show_reset
-	    $g_tool -t nat -L $g_ipt_options
+	    $g_tool -t nat -L $g_ipt_options | $output_filter
 	    ;;
 	raw)
 	    [ $# -gt 1 ] && usage 1
 	    echo "$g_product $SHOREWALL_VERSION RAW Table at $g_hostname - $(date)"
 	    echo
 	    show_reset
-	    $g_tool -t raw -L $g_ipt_options
+	    $g_tool -t raw -L $g_ipt_options | $output_filter
 	    ;;
 	rawpost)
 	    [ $# -gt 1 ] && usage 1
 	    echo "$g_product $SHOREWALL_VERSION RAWPOST Table at $g_hostname - $(date)"
 	    echo
 	    show_reset
-	    $g_tool -t rawpost -L $g_ipt_options
+	    $g_tool -t rawpost -L $g_ipt_options | $output_filter
 	    ;;
 	tos|mangle)
 	    [ $# -gt 1 ] && usage 1
 	    echo "$g_product $SHOREWALL_VERSION Mangle Table at $g_hostname - $(date)"
 	    echo
 	    show_reset
-	    $g_tool -t mangle -L $g_ipt_options
+	    $g_tool -t mangle -L $g_ipt_options | $output_filter
 	    ;;
 	log)
 	    [ $# -gt 2 ] && usage 1
@@ -822,7 +881,7 @@ show_command() {
 	    shift
 
 	    if [ -z "$1" ]; then
-		$g_tool -t mangle -L -n -v
+		$g_tool -t mangle -L -n -v | $output_filter
 		echo
 	    fi
 
@@ -885,15 +944,15 @@ show_command() {
 	    if [ -n "$g_filemode" ]; then
 		echo "CONFIG_PATH=$CONFIG_PATH"
 		echo "VARDIR=$VARDIR"
-		echo "LIBEXEC=$g_libexec"
-		echo "SBINDIR=$g_sbindir"
+		echo "LIBEXEC=${LIBEXECDIR}"
+		echo "SBINDIR=${SBINDIR}"
 		echo "CONFDIR=${CONFDIR}"
 		[ -n "$g_lite" ] && [ ${VARDIR} != /var/lib/$g_program ] && echo "LITEDIR=${VARDIR}"
 	    else
 		echo "Default CONFIG_PATH is $CONFIG_PATH"
 		echo "Default VARDIR is /var/lib/$g_program"
-		echo "LIBEXEC is $g_libexec"
-		echo "SBINDIR is $g_sbindir"
+		echo "LIBEXEC is ${LIBEXECDIR}"
+		echo "SBINDIR is ${SBINDIR}"
 		echo "CONFDIR is ${CONFDIR}"
 		[ -n "$g_lite" ] && [ ${VARDIR} != /var/lib/$g_program ] && echo "LITEDIR is ${VARDIR}"
 	    fi
@@ -905,11 +964,11 @@ show_command() {
 	    show_reset
 	    if [ $# -gt 0 ]; then
 		for chain in $*; do
-		    $g_tool -t $table -L $chain $g_ipt_options
+		    $g_tool -t $table -L $chain $g_ipt_options | $output_filter
 		    echo
 		done
 	    else
-		$g_tool -t $table -L $g_ipt_options
+		$g_tool -t $table -L $g_ipt_options | $output_filter
 	    fi
 	    ;;
 	vardir)
@@ -948,18 +1007,18 @@ show_command() {
 		    case $1 in
 			actions)
 			    [ $# -gt 1 ] && usage 1
-			    echo "A_ACCEPT            # Audit and accept the connection"
-			    echo "A_DROP              # Audit and drop the connection"
-			    echo "A_REJECT            # Audit and reject the connection "
-			    echo "allowBcast          # Silently Allow Broadcast/multicast"
-			    echo "allowInvalid        # Accept packets that are in the INVALID conntrack state."
-			    echo "allowinUPnP         # Allow UPnP inbound (to firewall) traffic"
-			    echo "allowoutUPnP        # Allow traffic from local command 'upnpd' (does not work with kernels after 2.6.13)"
-			    echo "dropBcast           # Silently Drop Broadcast/multicast"
-			    echo "dropInvalid         # Silently Drop packets that are in the INVALID conntrack state"
-			    echo "dropNotSyn          # Silently Drop Non-syn TCP packets"
-			    echo "forwardUPnP         # Allow traffic that upnpd has redirected from"
-			    echo "rejNotSyn           # Silently Reject Non-syn TCP packets"
+			    echo "A_ACCEPT                        # Audit and accept the connection"
+			    echo "A_DROP                          # Audit and drop the connection"
+			    echo "A_REJECT                        # Audit and reject the connection "
+			    echo "allowBcast                      # Silently Allow Broadcast/multicast"
+			    echo "allowInvalid                    # Accept packets that are in the INVALID conntrack state."
+			    echo "allowinUPnP                     # Allow UPnP inbound (to firewall) traffic"
+			    echo "allowoutUPnP                    # Allow traffic from local command 'upnpd' (does not work with kernels after 2.6.13)"
+			    echo "dropBcast                       # Silently Drop Broadcast/multicast"
+			    echo "dropInvalid                     # Silently Drop packets that are in the INVALID conntrack state"
+			    echo "dropNotSyn                      # Silently Drop Non-syn TCP packets"
+			    echo "forwardUPnP                     # Allow traffic that upnpd has redirected from"
+			    echo "rejNotSyn                       # Silently Reject Non-syn TCP packets"
 
 			    if [ -f ${g_confdir}/actions ]; then
 				cat ${g_sharedir}/actions.std ${g_confdir}/actions | grep -Ev '^\#|^$'
@@ -1027,14 +1086,14 @@ show_command() {
 		echo
 		show_reset
 		for chain in $*; do
-		    $g_tool -t $table -L $chain $g_ipt_options
+		    $g_tool -t $table -L $chain $g_ipt_options | $output_filter
 		    echo
 		done
 	    else
 		echo "$g_product $SHOREWALL_VERSION $table Table at $g_hostname - $(date)"
 		echo
 		show_reset
-		$g_tool -t $table -L $g_ipt_options
+		$g_tool -t $table -L $g_ipt_options | $output_filter
 	    fi
 	    ;;
     esac
@@ -1147,7 +1206,7 @@ do_dump_command() {
 	elif [ -r $LOGFILE ]; then
 	    g_logread="tac $LOGFILE"
 	else
-	    echo "LOGFILE ($LOGFILE) does not exist!" >&2
+	    echo "LOGFILE ($LOGFILE) does not exist! - See http://www.shorewall.net/shorewall_logging.html" >&2
 	    exit 2
 	fi
     fi
@@ -1590,60 +1649,83 @@ add_command() {
 	exit 2
     fi
 
-    case "$IPSET" in
-	*/*)
+    determine_ipset_version
+
+    case $1 in
+	*:*)
+	    while [ $# -gt 1 ]; do
+		if [ $g_family -eq 4 ]; then
+		    interface=${1%%:*}
+		    host=${1#*:}
+		else
+		    interface=${1%%|*}
+		    host=${1#*|}
+		fi
+
+		[ "$host" = "$1" ] && host=
+
+		if [ -z "$host" ]; then
+		    if [ $g_family -eq 4 ]; then
+			hostlist="$hostlist $interface:0.0.0.0/0"
+		    else
+			hostlist="$hostlist $interface:::/0"
+		    fi
+		else
+		    for h in $(separate_list $host); do
+			hostlist="$hostlist $interface:$h"
+		    done
+		fi
+
+		shift
+	    done
 	    ;;
 	*)
-	    [ -n "$(mywhich $IPSET)" ] || fatal_error "The $IPSET utility cannot be located"
+	    ipset=$1
+	    shift
+	    while [ $# -gt 0 ]; do
+		for h in $(separate_list $1); do
+		    hostlist="$hostlist $h"
+		done
+		shift
+	    done
 	    ;;
     esac
-    #
-    # Normalize host list
-    #
-    while [ $# -gt 1 ]; do
-	interface=${1%%:*}
-	host=${1#*:}
-	[ "$host" = "$1" ] && host=
-
-	if [ -z "$host" ]; then
-	    if [ $g_family -eq 4 ]; then
-	        hostlist="$hostlist $interface:0.0.0.0/0"
-	    else
-		hostlist="$hostlist $interface:::/0"
-	    fi
-	else
-	    for h in $(separate_list $host); do
-		hostlist="$hostlist $interface:$h"
-	    done
-	fi
-
-	shift
-    done
 
     zone=$1
 
-    for host in $hostlist; do
-	if [ $g_family -eq 4 ]; then
-	    interface=${host%:*}
-	    ipset=${zone}_${interface};
-	else
-	    interface=${host%%:*}
-	    ipset=6_${zone}_${interface};
-	fi
+    if [ -n "$zone" ]; then
+	for host in $hostlist; do
+	    if [ $g_family -eq 4 ]; then
+		interface=${host%:*}
+		ipset=${zone}_${interface};
+	    else
+		interface=${host%%:*}
+		ipset=6_${zone}_${interface};
+	    fi
 
-	if ! qt $IPSET -L $ipset -n; then
-	    fatal_error "Zone $zone, interface $interface is does not have a dynamic host list"
-	fi
+	    if ! qt $IPSET -L $ipset; then
+		fatal_error "Zone $zone, interface $interface does not have a dynamic host list"
+	    fi
 
-	host=${host#*:}
+	    host=${host#*:}
 
-	if $IPSET -A $ipset $host; then
-	    echo "Host $interface:$host added to zone $zone"
-	else
-	    fatal_error "Unable to add $interface:$host to zone $zone"
-	fi
-    done
+	    if $IPSET -A $ipset $host; then
+		echo "Host $interface:$host added to zone $zone"
+	    else
+		fatal_error "Unable to add $interface:$host to zone $zone"
+	    fi
+	done
+    else
+	qt $IPSET -L $ipset || fatal_error "Zone $ipset is not dynamic"
 
+	for host in $hostlist; do
+	    if $IPSET -A $ipset $host; then
+		echo "Host $host added to zone $ipset"
+	    else
+		fatal_error "Unable to add $host to zone $ipset"
+	    fi
+	done
+    fi
 }
 
 #
@@ -1656,61 +1738,83 @@ delete_command() {
 	exit 2;
     fi
 
-    case "$IPSET" in
-	*/*)
+    determine_ipset_version
+
+    case $1 in
+	*:*)
+	    while [ $# -gt 1 ]; do
+		if [ $g_family -eq 4 ]; then
+		    interface=${1%%:*}
+		    host=${1#*:}
+		else
+		    interface=${1%%|*}
+		    host=${1#*|}
+		fi
+
+		[ "$host" = "$1" ] && host=
+
+		if [ -z "$host" ]; then
+		    if [ $g_family -eq 4 ]; then
+			hostlist="$hostlist $interface:0.0.0.0/0"
+		    else
+			hostlist="$hostlist $interface:::/0"
+		    fi
+		else
+		    for h in $(separate_list $host); do
+			hostlist="$hostlist $interface:$h"
+		    done
+		fi
+
+		shift
+	    done
 	    ;;
 	*)
-	    [ -n "$(mywhich $IPSET)" ] || fatal_error "The $IPSET utility cannot be located"
+	    ipset=$1
+	    shift
+	    while [ $# -gt 0 ]; do
+		for h in $(separate_list $1); do
+		    hostlist="$hostlist $h"
+		done
+		shift
+	    done
 	    ;;
     esac
 
-    #
-    # Normalize host list
-    #
-    while [ $# -gt 1 ]; do
-	interface=${1%%:*}
-	host=${1#*:}
-	[ "$host" = "$1" ] && host=
-
-	if [ -z "$host" ]; then
-	    if [ $g_family -eq 4 ]; then
-		hostlist="$hostlist $interface:0.0.0.0/0"
-	    else
-		hostlist="$hostlist $interface:::/0"
-	    fi
-	else
-	    for h in $(separate_list $host); do
-		hostlist="$hostlist $interface:$h"
-	    done
-	fi
-
-	shift
-    done
-
     zone=$1
 
-    for hostent in $hostlist; do
-	if [ $g_family -eq 4 ]; then
-	    interface=${hostent%:*}
-	    ipset=${zone}_${interface};
-	else
-	    interface=${hostent%%:*}
-	    ipset=6_${zone}_${interface};
-	fi
+    if [ -n "$zone" ]; then
+	for host in $hostlist; do
+	    if [ $g_family -eq 4 ]; then
+		interface=${host%:*}
+		ipset=${zone}_${interface};
+	    else
+		interface=${host%%:*}
+		ipset=6_${zone}_${interface};
+	    fi
 
-	if ! qt $IPSET -L $ipset -n; then
-	    fatal_error "Zone $zone, interface $interface is does not have a dynamic host list"
-	fi
+	    if ! qt $IPSET -L $ipset -n; then
+		fatal_error "Zone $zone, interface $interface does not have a dynamic host list"
+	    fi
 
-	host=${hostent#*:}
+	    host=${host#*:}
 
-	if $IPSET -D $ipset $host; then
-	    echo "Host $hostent deleted from zone $zone"
-	else
-	    echo "   WARNING: Unable to delete host $hostent to zone $zone" >&2
-	fi
-    done
+	    if $IPSET -D $ipset $host; then
+		echo "Host $host deleted from zone $zone"
+	    else
+		echo "   WARNING: Unable to delete host $hostent to zone $zone" >&2
+	    fi
+	done
+    else
+	qt $IPSET -L $ipset -n || fatal_error "Zone $ipset is not dynamic"
 
+	for host in $hostlist; do
+	    if $IPSET -D $ipset $host; then
+		echo "Host $host deleted from to zone $ipset"
+	    else
+		echo "   WARNING: Unable to delete host $host from zone $zone" >&2
+	    fi
+	done
+    fi
 }
 
 #
@@ -2020,6 +2124,7 @@ determine_capabilities() {
     GEOIP_MATCH=
     RPFILTER_MATCH=
     NFACCT_MATCH=
+    CHECKSUM_TARGET=
     AMANDA_HELPER=
     FTP_HELPER=
     FTP0_HELPER=
@@ -2181,6 +2286,7 @@ determine_capabilities() {
 	qt $g_tool -t mangle -A $chain -m dscp --dscp 0 && DSCP_MATCH=Yes
 	qt $g_tool -t mangle -A $chain -j DSCP --set-dscp 0 && DSCP_TARGET=Yes
 	qt $g_tool -t mangle -A $chain -m rpfilter && RPFILTER_MATCH=Yes
+	qt $g_tool -t mangle -A $chain -j CHECKSUM --checksum-fill && CHECKSUM_TARGET=Yes
 
 	qt $g_tool -t mangle -F $chain
 	qt $g_tool -t mangle -X $chain
@@ -2309,7 +2415,9 @@ determine_capabilities() {
     fi
 
     qt $g_tool -A $chain -j AUDIT --type drop && AUDIT_TARGET=Yes
+
     qt $g_tool -A $chain -m condition --condition foo && CONDITION_MATCH=Yes
+
     qt $g_tool -S INPUT && IPTABLES_S=Yes
     qt $g_tool -F $chain
     qt $g_tool -X $chain
@@ -2334,7 +2442,7 @@ determine_capabilities() {
     esac
 }
 
-report_capabilities() {
+report_capabilities_unsorted() {
     report_capability() # $1 = Capability Description , $2 Capability Setting (if any)
     {
 	local setting
@@ -2345,120 +2453,124 @@ report_capabilities() {
 	echo "  " $1: $setting
     }
 
+    report_capability "NAT (NAT_ENABLED)" $NAT_ENABLED
+    report_capability "Packet Mangling (MANGLE_ENABLED)" $MANGLE_ENABLED
+    report_capability "Multi-port Match (MULTIPORT)" $MULTIPORT
+    [ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match (XMULIPORT)" $XMULTIPORT
+    report_capability "Connection Tracking Match (CONNTRACK_MATCH)" $CONNTRACK_MATCH
+    if [ -n "$CONNTRACK_MATCH" ]; then
+	report_capability "Extended Connection Tracking Match Support (NEW_CONNTRACK_MATCH)" $NEW_CONNTRACK_MATCH
+	[ -n "$OLD_CONNTRACK_MATCH" ] && report_capability "Old Connection Tracking Match Syntax (OLD_CONNTRACK_MATCH)" $OLD_CONNTRACK_MATCH
+    fi
+    report_capability "Packet Type Match (USEPKTTYPE)" $USEPKTTYPE
+    report_capability "Policy Match (POLICY_MATCH)" $POLICY_MATCH
+    report_capability "Physdev Match (PHYSDEV_MATCH)" $PHYSDEV_MATCH
+    report_capability "Physdev-is-bridged Support (PHYSDEV_BRIDGE)" $PHYSDEV_BRIDGE
+    report_capability "Packet length Match (LENGTH_MATCH)" $LENGTH_MATCH
+    report_capability "IP range Match(IPRANGE_MATCH)" $IPRANGE_MATCH
+    report_capability "Recent Match (RECENT_MATCH)" $RECENT_MATCH
+    report_capability "Owner Match (OWNER_MATCH)" $OWNER_MATCH
+    report_capability "Owner Name Match (OWNER_NAME_MATCH)" $OWNER_NAME_MATCH
+    if [ -n "$IPSET_MATCH" ]; then
+	report_capability "Ipset Match (IPSET_MATCH)" $IPSET_MATCH
+	[ -n "$OLD_IPSET_MATCH" ] && report_capability "OLD_Ipset Match (OLD_IPSET_MATCH)" $OLD_IPSET_MATCH
+    fi
+    report_capability "CONNMARK Target (CONNMARK)" $CONNMARK
+    [ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target (XCONNMARK)" $XCONNMARK
+    report_capability "Connmark Match (CONNMARK_MATCH)" $CONNMARK_MATCH
+    [ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match (XCONNMARK_MATCH)" $XCONNMARK_MATCH
+    report_capability "Raw Table (RAW_TABLE)" $RAW_TABLE
+    report_capability "Rawpost Table (RAWPOST_TABLE)" $RAWPOST_TABLE
+    report_capability "IPP2P Match (IPP2P_MATCH)" $IPP2P_MATCH
+    [ -n "$OLD_IPP2P_MATCH" ] && report_capability "Old IPP2P Match Syntax (OLD_IPP2P_MATCH)" $OLD_IPP2P_MATCH
+    report_capability "CLASSIFY Target (CLASSIFY_TARGET)" $CLASSIFY_TARGET
+    report_capability "Extended REJECT (ENHANCED_REJECT)" $ENHANCED_REJECT
+    report_capability "Repeat match (KLUDGEFREE)" $KLUDGEFREE
+    report_capability "MARK Target (MARK)" $MARK
+    [ -n "$MARK" ] && report_capability "Extended MARK Target (XMARK)" $XMARK
+    [ -n "$XMARK" ] && report_capability "Extended MARK Target 2 (EXMARK)" $EXMARK
+    report_capability "Mangle FORWARD Chain (MANGLE_FORWARD)" $MANGLE_FORWARD
+    report_capability "Comments (COMMENTS)" $COMMENTS
+    report_capability "Address Type Match (ADDRTYPE)" $ADDRTYPE
+    report_capability "TCPMSS Match (TCPMSS_MATCH)" $TCPMSS_MATCH
+    report_capability "Hashlimit Match (HASHLIMIT_MATCH)" $HASHLIMIT_MATCH
+    [ -n "$OLD_HL_MATCH" ] && report_capability "Old Hashlimit Match (OLD_HL_MATCH)" $OLD_HL_MATCH
+    report_capability "NFQUEUE Target (NFQUEUE_TARGET)" $NFQUEUE_TARGET
+    report_capability "Realm Match (REALM_MATCH)" $REALM_MATCH
+    report_capability "Helper Match (HELPER_MATCH)" $HELPER_MATCH
+    report_capability "Connlimit Match (CONNLIMIT_MATCH)" $CONNLIMIT_MATCH
+    report_capability "Time Match (TIME_MATCH)" $TIME_MATCH
+    report_capability "Goto Support (GOTO_TARGET)" $GOTO_TARGET
+    report_capability "LOGMARK Target (LOGMARK_TARGET)" $LOGMARK_TARGET
+    report_capability "IPMARK Target (IPMARK_TARGET)" $IPMARK_TARGET
+    report_capability "LOG Target (LOG_TARGET)" $LOG_TARGET
+    report_capability "ULOG Target (ULOG_TARGET)" $ULOG_TARGET
+    report_capability "NFLOG Target (NFLOG_TARGET)" $NFLOG_TARGET
+    report_capability "Persistent SNAT (PERSISTENT_SNAT)" $PERSISTENT_SNAT
+    report_capability "TPROXY Target (TPROXY_TARGET)" $TPROXY_TARGET
+    report_capability "FLOW Classifier (FLOW_FILTER)" $FLOW_FILTER
+    report_capability "fwmark route mask (FWMARK_RT_MASK)" $FWMARK_RT_MASK
+    report_capability "Mark in any table (MARK_ANYWHERE)" $MARK_ANYWHERE
+    report_capability "Header Match (HEADER_MATCH)" $HEADER_MATCH
+    report_capability "ACCOUNT Target (ACCOUNT_TARGET)" $ACCOUNT_TARGET
+    report_capability "AUDIT Target (AUDIT_TARGET)" $AUDIT_TARGET
+    report_capability "ipset V5 (IPSET_V5)" $IPSET_V5
+    report_capability "Condition Match (CONDITION_MATCH)" $CONDITION_MATCH
+    report_capability "Statistic Match (STATISTIC_MATCH)" $STATISTIC_MATCH
+    report_capability "IMQ Target (IMQ_TARGET)" $IMQ_TARGET
+    report_capability "DSCP Match (DSCP_MATCH)" $DSCP_MATCH
+    report_capability "DSCP Target (DSCP_TARGET)" $DSCP_TARGET
+    report_capability "Geo IP match" $GEOIP_MATCH
+    report_capability "RPFilter match" $RPFILTER_MATCH
+    report_capability "NFAcct match" $NFACCT_MATCH
+    report_capability "Checksum Target" $CHECKSUM_TARGET
+
+    report_capability "Amanda Helper" $AMANDA_HELPER
+    report_capability "FTP Helper" $FTP_HELPER
+    report_capability "FTP-0 Helper" $FTP0_HELPER
+    report_capability "IRC Helper" $IRC_HELPER
+    report_capability "IRC-0 Helper" $IRC0_HELPER
+    report_capability "Netbios_ns Helper" $NETBIOS_NS_HELPER
+    report_capability "H323 Helper" $H323_HELPER
+    report_capability "PPTP Helper" $PPTP_HELPER
+    report_capability "SANE Helper" $SANE_HELPER
+    report_capability "SANE-0 Helper" $SANE0_HELPER
+    report_capability "SIP Helper" $SIP_HELPER
+    report_capability "SIP-0 Helper" $SIP0_HELPER
+    report_capability "SNMP Helper" $SNMP_HELPER
+    report_capability "TFTP Helper" $TFTP_HELPER
+    report_capability "TFTP-0 Helper" $TFTP0_HELPER
+
+    if [ $g_family -eq 4 ]; then
+	report_capability "iptables -S (IPTABLES_S)" $IPTABLES_S
+    else
+	report_capability "ip6tables -S (IPTABLES_S)" $IPTABLES_S
+    fi
+
+    report_capability "Basic Filter (BASIC_FILTER)" $BASIC_FILTER
+    report_capability "CT Target (CT_TARGET)" $CT_TARGET
+
+    echo "   Kernel Version (KERNELVERSION): $KERNELVERSION"
+    echo "   Capabilities Version (CAPVERSION): $CAPVERSION"
+}
+
+report_capabilities() {
+
     if [ $VERBOSITY -gt 1 ]; then
 	echo "$g_product has detected the following iptables/netfilter capabilities:"
-	report_capability "NAT (NAT_ENABLED)" $NAT_ENABLED
-	report_capability "Packet Mangling (MANGLE_ENABLED)" $MANGLE_ENABLED
-	report_capability "Multi-port Match (MULTIPORT)" $MULTIPORT
-	[ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match (XMULIPORT)" $XMULTIPORT
-	report_capability "Connection Tracking Match (CONNTRACK_MATCH)" $CONNTRACK_MATCH
-	if [ -n "$CONNTRACK_MATCH" ]; then
-	    report_capability "Extended Connection Tracking Match Support (NEW_CONNTRACK_MATCH)" $NEW_CONNTRACK_MATCH
-	    [ -n "$OLD_CONNTRACK_MATCH" ] && report_capability "Old Connection Tracking Match Syntax (OLD_CONNTRACK_MATCH)" $OLD_CONNTRACK_MATCH
-	fi
-	report_capability "Packet Type Match (USEPKTTYPE)" $USEPKTTYPE
-	report_capability "Policy Match (POLICY_MATCH)" $POLICY_MATCH
-	report_capability "Physdev Match (PHYSDEV_MATCH)" $PHYSDEV_MATCH
-	report_capability "Physdev-is-bridged Support (PHYSDEV_BRIDGE)" $PHYSDEV_BRIDGE
-	report_capability "Packet length Match (LENGTH_MATCH)" $LENGTH_MATCH
-	report_capability "IP range Match(IPRANGE_MATCH)" $IPRANGE_MATCH
-	report_capability "Recent Match (RECENT_MATCH)" $RECENT_MATCH
-	report_capability "Owner Match (OWNER_MATCH)" $OWNER_MATCH
-	report_capability "Owner Name Match (OWNER_NAME_MATCH)" $OWNER_NAME_MATCH
-	if [ -n "$IPSET_MATCH" ]; then
-	    report_capability "Ipset Match (IPSET_MATCH)" $IPSET_MATCH
-	    [ -n "$OLD_IPSET_MATCH" ] && report_capability "OLD_Ipset Match (OLD_IPSET_MATCH)" $OLD_IPSET_MATCH
-	fi
-	report_capability "CONNMARK Target (CONNMARK)" $CONNMARK
-	[ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target (XCONNMARK)" $XCONNMARK
-	report_capability "Connmark Match (CONNMARK_MATCH)" $CONNMARK_MATCH
-	[ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match (XCONNMARK_MATCH)" $XCONNMARK_MATCH
-	report_capability "Raw Table (RAW_TABLE)" $RAW_TABLE
-	report_capability "Rawpost Table (RAWPOST_TABLE)" $RAWPOST_TABLE
-	report_capability "IPP2P Match (IPP2P_MATCH)" $IPP2P_MATCH
-	[ -n "$OLD_IPP2P_MATCH" ] && report_capability "Old IPP2P Match Syntax (OLD_IPP2P_MATCH)" $OLD_IPP2P_MATCH
-	report_capability "CLASSIFY Target (CLASSIFY_TARGET)" $CLASSIFY_TARGET
-	report_capability "Extended REJECT (ENHANCED_REJECT)" $ENHANCED_REJECT
-	report_capability "Repeat match (KLUDGEFREE)" $KLUDGEFREE
-	report_capability "MARK Target (MARK)" $MARK
-	[ -n "$MARK" ] && report_capability "Extended MARK Target (XMARK)" $XMARK
-	[ -n "$XMARK" ] && report_capability "Extended MARK Target 2 (EXMARK)" $EXMARK
-	report_capability "Mangle FORWARD Chain (MANGLE_FORWARD)" $MANGLE_FORWARD
-	report_capability "Comments (COMMENTS)" $COMMENTS
-	report_capability "Address Type Match (ADDRTYPE)" $ADDRTYPE
-	report_capability "TCPMSS Match (TCPMSS_MATCH)" $TCPMSS_MATCH
-	report_capability "Hashlimit Match (HASHLIMIT_MATCH)" $HASHLIMIT_MATCH
-	[ -n "$OLD_HL_MATCH" ] && report_capability "Old Hashlimit Match (OLD_HL_MATCH)" $OLD_HL_MATCH
-	report_capability "NFQUEUE Target (NFQUEUE_TARGET)" $NFQUEUE_TARGET
-	report_capability "Realm Match (REALM_MATCH)" $REALM_MATCH
-	report_capability "Helper Match (HELPER_MATCH)" $HELPER_MATCH
-	report_capability "Connlimit Match (CONNLIMIT_MATCH)" $CONNLIMIT_MATCH
-	report_capability "Time Match (TIME_MATCH)" $TIME_MATCH
-	report_capability "Goto Support (GOTO_TARGET)" $GOTO_TARGET
-	report_capability "LOGMARK Target (LOGMARK_TARGET)" $LOGMARK_TARGET
-	report_capability "IPMARK Target (IPMARK_TARGET)" $IPMARK_TARGET
-	report_capability "LOG Target (LOG_TARGET)" $LOG_TARGET
-	report_capability "ULOG Target (ULOG_TARGET)" $ULOG_TARGET
-	report_capability "NFLOG Target (NFLOG_TARGET)" $NFLOG_TARGET
-	report_capability "Persistent SNAT (PERSISTENT_SNAT)" $PERSISTENT_SNAT
-	report_capability "TPROXY Target (TPROXY_TARGET)" $TPROXY_TARGET
-	report_capability "FLOW Classifier (FLOW_FILTER)" $FLOW_FILTER
-	report_capability "fwmark route mask (FWMARK_RT_MASK)" $FWMARK_RT_MASK
-	report_capability "Mark in any table (MARK_ANYWHERE)" $MARK_ANYWHERE
-	report_capability "Header Match (HEADER_MATCH)" $HEADER_MATCH
-        report_capability "ACCOUNT Target (ACCOUNT_TARGET)" $ACCOUNT_TARGET
-	report_capability "AUDIT Target (AUDIT_TARGET)" $AUDIT_TARGET
-	report_capability "ipset V5 (IPSET_V5)" $IPSET_V5
-	report_capability "Condition Match (CONDITION_MATCH)" $CONDITION_MATCH
-	report_capability "Statistic Match (STATISTIC_MATCH)" $STATISTIC_MATCH
-	report_capability "IMQ Target (IMQ_TARGET)" $IMQ_TARGET
-	report_capability "DSCP Match (DSCP_MATCH)" $DSCP_MATCH
-	report_capability "DSCP Target (DSCP_TARGET)" $DSCP_TARGET
-	report_capability "Geo IP match" $GEOIP_MATCH
-	report_capability "RPFilter match" $RPFILTER_MATCH
-	report_capability "NFAcct match" $NFACCT_MATCH
-	report_capability "Amanda Helper" $AMANDA_HELPER
-	report_capability "FTP Helper" $FTP_HELPER
-	report_capability "FTP-0 Helper" $FTP0_HELPER
-	report_capability "IRC Helper" $IRC_HELPER
-	report_capability "IRC-0 Helper" $IRC0_HELPER
-	report_capability "Netbios_ns Helper" $NETBIOS_NS_HELPER
-	report_capability "H323 Helper" $H323_HELPER
-	report_capability "PPTP Helper" $PPTP_HELPER
-	report_capability "SANE Helper" $SANE_HELPER
-	report_capability "SANE-0 Helper" $SANE0_HELPER
-	report_capability "SIP Helper" $SIP_HELPER
-	report_capability "SIP-0 Helper" $SIP0_HELPER
-	report_capability "SNMP Helper" $SNMP_HELPER
-	report_capability "TFTP Helper" $TFTP_HELPER
-	report_capability "TFTP-0 Helper" $TFTP0_HELPER
-
-	if [ $g_family -eq 4 ]; then
-	    report_capability "iptables -S (IPTABLES_S)" $IPTABLES_S
-	else
-	    report_capability "ip6tables -S (IPTABLES_S)" $IPTABLES_S
-	fi
-
-	report_capability "Basic Filter (BASIC_FILTER)" $BASIC_FILTER
-	report_capability "CT Target (CT_TARGET)" $CT_TARGET
-
-	echo "   Kernel Version (KERNELVERSION): $KERNELVERSION"
-	echo "   Capabilities Version (CAPVERSION): $CAPVERSION"
+	report_capabilities_unsorted | sort
     fi
 
     [ -n "$PKTTYPE" ] || USEPKTTYPE=
 
 }
 
-report_capabilities1() {
+report_capabilities_unsorted1() {
     report_capability1() # $1 = Capability
     {
 	eval echo $1=\$$1
     }
 
-    echo "#"
-    echo "# $g_product $SHOREWALL_VERSION detected the following iptables/netfilter capabilities - $(date)"
-    echo "#"
     report_capability1 NAT_ENABLED
     report_capability1 MANGLE_ENABLED
     report_capability1 MULTIPORT
@@ -2528,6 +2640,8 @@ report_capabilities1() {
     report_capability1 GEOIP_MATCH
     report_capability1 RPFILTER_MATCH
     report_capability1 NFACCT_MATCH
+    report_capability1 CHECKSUM_TARGET
+
     report_capability1 AMANDA_HELPER
     report_capability1 FTP_HELPER
     report_capability1 FTP0_HELPER
@@ -2548,6 +2662,13 @@ report_capabilities1() {
     echo KERNELVERSION=$KERNELVERSION
 }
 
+report_capabilities1() {
+    echo "#"
+    echo "# $g_product $SHOREWALL_VERSION detected the following iptables/netfilter capabilities - $(date)"
+    echo "#"
+    report_capabilities_unsorted1 | sort
+}
+
 show_status() {
     if product_is_started ; then
 	echo "$g_product is running"
@@ -2868,7 +2989,27 @@ get_config() {
 	exit 2
     fi
 
-    IPSET=ipset
+    if [ -n "$IPSET" ]; then
+	case "$IPSET" in
+	    */*)
+		if [ ! -x "$IPSET" ] ; then
+		    echo "   ERROR: The program specified in IPSET ($IPSET) does not exist or is not executable" >&2
+		    exit 2
+		fi
+		;;
+	    *)
+		prog="$(mywhich $IPSET 2> /dev/null)"
+		if [ -z "$prog" ] ; then
+		    echo "   ERROR: Can't find $IPSET executable" >&2
+		    exit 2
+		fi
+		IPSET=$prog
+		;;
+	esac
+    else
+	IPSET=''
+    fi
+
     TC=tc
 
 }
@@ -3072,7 +3213,7 @@ usage() # $1 = exit status
     echo "   restart [ -n ] [ -p ] [ -f ] [ <directory> ]"
     echo "   restore [ -n ] [ <file name> ]"
     echo "   save [ <file name> ]"
-    echo "   show [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
+    echo "   show [ -b ] [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
     echo "   show [ -f ] capabilities"
     echo "   show classifiers"
     echo "   show config"
@@ -3139,7 +3280,7 @@ shorewall_cli() {
     g_shorewalldir=
 
     VERBOSE=
-    VERBOSITY=
+    VERBOSITY=1
 
     [ -n "$g_lite" ] || . ${g_basedir}/lib.cli-std
 

Shorewall-core/lib.common

@@ -84,7 +84,7 @@ get_script_version() { # $1 = script
 
     temp=$( $SHOREWALL_SHELL $1 version | tail -n 1 | sed 's/-.*//' )
 
-    if [ $? -ne 0 ]; then
+    if [ -z "$temp" ]; then
 	version=0
     else
 	ifs=$IFS

Shorewall-core/shorewallrc.apple

@@ -17,4 +17,4 @@ ANNOTATED=                             #Unused on OS X
 SYSTEMD=                               #Unused on OS X
 SYSCONFDIR=                            #Unused on OS X
 SPARSE=Yes                             #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
-VARDIR=/var/lib                        #Unused on OS X
+VARLIB=/var/lib                        #Unused on OS X

Shorewall-core/shorewallrc.archlinux

@@ -17,4 +17,5 @@ ANNOTATED=                             #If non-zero, annotated configuration fil
 SYSCONFDIR=                            #Directory where SysV init parameter files are installed
 SYSTEMD=                               #Directory where .service files are installed (systems running systemd only)
 SPARSE=                                #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
-VARDIR=/var/lib                        #Directory where product variable data is stored.
+VARLIB=/var/lib                        #Directory where product variable data is stored.
+VARDIR=${VARLIB}/$PRODUCT              #Directory where product variable data is stored.

Shorewall-core/shorewallrc.cygwin

@@ -17,4 +17,4 @@ ANNOTATED=                            #Unused on Cygwin
 SYSTEMD=                              #Unused on Cygwin
 SYSCONFDIR=                           #Unused on Cygwin
 SPARSE=Yes                            #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
-VARDIR=/var/lib                       #Unused on Cygwin
+VARLIB=/var/lib                       #Unused on Cygwin

Shorewall-core/shorewallrc.debian

@@ -18,4 +18,5 @@ SYSCONFFILE=default.debian              #Name of the distributed file to be inst
 SYSCONFDIR=/etc/default                 #Directory where SysV init parameter files are installed
 SYSTEMD=                                #Directory where .service files are installed (systems running systemd only)
 SPARSE=Yes                              #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
-VARDIR=/var/lib                         #Directory where product variable data is stored.
+VARLIB=/var/lib                         #Directory where product variable data is stored.
+VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.

Shorewall-core/shorewallrc.default

@@ -10,7 +10,7 @@ PERLLIBDIR=${PREFIX}/share/shorewall    #Directory to install Shorewall Perl mod
 CONFDIR=/etc                            #Directory where subsystem configurations are installed
 SBINDIR=/sbin                           #Directory where system administration programs are installed
 MANDIR=${PREFIX}/man                    #Directory where manpages are installed.
-INITDIR=etc/init.d                      #Directory where SysV init scripts are installed.
+INITDIR=/etc/init.d                     #Directory where SysV init scripts are installed.
 INITFILE=$PRODUCT                       #Name of the product's installed SysV init script
 INITSOURCE=init.sh                      #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                              #If non-zero, annotated configuration files are installed
@@ -18,4 +18,5 @@ SYSTEMD=                                #Directory where .service files are inst
 SYSCONFFILE=                            #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=                             #Directory where SysV init parameter files are installed
 SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
-VARDIR=/var/lib                         #Directory where product variable data is stored.
+VARLIB=/var/lib                         #Directory where product variable data is stored.
+VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.

Shorewall-core/shorewallrc.redhat

@@ -18,4 +18,5 @@ SYSTEMD=/lib/systemd/system             #Directory where .service files are inst
 SYSCONFFILE=sysconfig                   #Name of the distributed file to be installed as $SYSCONFDIR/$PRODUCT
 SYSCONFDIR=/etc/sysconfig/              #Directory where SysV init parameter files are installed
 SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
-VARDIR=/var/lib                         #Directory where product variable data is stored.
+VARLIB=/var/lib                         #Directory where product variable data is stored.
+VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.

Shorewall-core/shorewallrc.slackware

@@ -19,4 +19,5 @@ SYSTEMD=                                   #Name of the directory where .service
 SYSCONFFILE=                               #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=                                #Name of the directory where SysV init parameter files are installed.
 ANNOTATED=                                 #If non-empty, install annotated configuration files
-VARDIR=/var/lib                            #Directory where product variable data is stored.
+VARLIB=/var/lib                            #Directory where product variable data is stored.
+VARDIR=${VARLIB}/$PRODUCT                  #Directory where product variable data is stored.

Shorewall-core/shorewallrc.suse

@@ -18,4 +18,5 @@ SYSTEMD=                                              #Directory where .service
 SYSCONFFILE=                                          #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=/etc/sysconfig/                            #Directory where SysV init parameter files are installed
 SPARSE=                                               #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
-VARDIR=/var/lib                                       #Directory where persistent product data is stored.
+VARLIB=/var/lib                                       #Directory where persistent product data is stored.
+VARDIR=${VARLIB}/$PRODUCT                             #Directory where product variable data is stored.

Shorewall-init/ifupdown.sh

@@ -22,6 +22,21 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
+setstatedir() {
+    local statedir
+    if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
+	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
+    fi
+
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+
+    if [ ! -x $STATEDIR/firewall ]; then
+	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	    ${SBINDIR}/$PRODUCT compile
+	fi
+    fi
+}
+
 Debian_SuSE_ppp() {
     NEWPRODUCTS=
     INTERFACE="$1"
@@ -187,8 +202,10 @@ fi
 [ -n "$LOGFILE" ] || LOGFILE=/dev/null
 
 for PRODUCT in $PRODUCTS; do
-    if [ -x $VARDIR/$PRODUCT/firewall ]; then
-	  ( ${VARDIR}/$PRODUCT/firewall -V0 $COMMAND $INTERFACE >> $LOGFILE 2>&1 ) || true
+    setstatedir
+
+    if [ -x $VARLIB/$PRODUCT/firewall ]; then
+	  ( ${VARLIB}/$PRODUCT/firewall -V0 $COMMAND $INTERFACE >> $LOGFILE 2>&1 ) || true
     fi
 done
 

Shorewall-init/init.debian.sh

@@ -62,11 +62,29 @@ not_configured () {
 	exit 0
 }
 
+# set the STATEDIR variable
+setstatedir() {
+    local statedir
+    if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
+	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
+    fi
+
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+
+    if [ ! -x $STATEDIR/firewall ]; then
+	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	    ${SBINDIR}/$PRODUCT compile
+	fi
+    fi
+}
+
 #
 # The installer may alter this
 #
 . /usr/share/shorewall/shorewallrc
 
+vardir=$VARDIR
+
 # check if shorewall-init is configured or not
 if [ -f "$SYSCONFDIR/shorewall-init" ]
 then
@@ -81,27 +99,27 @@ fi
 
 # Initialize the firewall
 shorewall_start () {
-  local product
-  local VARDIR
+  local PRODUCT
+  local STATEDIR
 
   echo -n "Initializing \"Shorewall-based firewalls\": "
-  for product in $PRODUCTS; do
-      VARDIR=/var/lib/$product
-      [ -f /etc/$product/vardir ] && . /etc/$product/vardir
-      if [ -x ${VARDIR}/firewall ]; then
+  for PRODUCT in $PRODUCTS; do
+      setstatedir
+
+      if [ ! -x ${VARDIR}/$PRODUCT/firewall ]; then
+	  if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	      ${SBINDIR}/$PRODUCT compile
+	  fi
+      fi
+
+      if [ -x ${VARDIR}/$PRODUCT/firewall ]; then
 	  #
 	  # Run in a sub-shell to avoid name collisions
 	  #
 	  ( 
-	      . /usr/share/$product/lib.base
-	      #
-	      # Get mutex so the firewall state is stable
-	      #
-	      mutex_on
-	      if ! ${VARDIR}/firewall status > /dev/null 2>&1; then
-		  ${VARDIR}/firewall stop || echo_notdone
+	      if ! ${VARDIR}/$PRODUCT/firewall status > /dev/null 2>&1; then
+		  ${VARDIR}/$PRODUCT/firewall stop || echo_notdone
 	      fi
-	      mutex_off
 	  )
       fi
   done
@@ -113,19 +131,21 @@ shorewall_start () {
 
 # Clear the firewall
 shorewall_stop () {
-  local product
+  local PRODUCT
   local VARDIR
 
   echo -n "Clearing \"Shorewall-based firewalls\": "
-  for product in $PRODUCTS; do
-      VARDIR=/var/lib/$product
-      [ -f /etc/$product/vardir ] && . /etc/$product/vardir
-      if [ -x ${VARDIR}/firewall ]; then
-	  ( . /usr/share/$product/lib.base
-	    mutex_on
-	    ${VARDIR}/firewall clear || echo_notdone
-	    mutex_off
-	  )
+  for PRODUCT in $PRODUCTS; do
+      setstatedir
+
+      if [ ! -x ${VARDIR}/$PRODUCT/firewall ]; then
+	  if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	      ${SBINDIR}/$PRODUCT compile
+	  fi
+      fi
+
+      if [ -x ${VARDIR}/$PRODUCT/firewall ]; then
+	  ${VARDIR}/$PRODUCT/firewall clear || echo_notdone
       fi
   done
 

Shorewall-init/init.fedora.sh

@@ -14,13 +14,8 @@
 #                    prior to bringing up the network.  
 ### END INIT INFO
 #determine where the files were installed
-if [ -f ~/.shorewallrc ]; then
-    . ~/.shorewallrc || exit 1
-else
-    SBINDIR=/sbin
-    SYSCONFDIR=/etc/default
-    VARDIR=/var/lib
-fi
+
+. /usr/share/shorewall/shorewallrc
 
 prog="shorewall-init"
 logger="logger -i -t $prog"
@@ -29,6 +24,8 @@ lockfile="/var/lock/subsys/shorewall-init"
 # Source function library.
 . /etc/rc.d/init.d/functions
 
+vardir=$VARDIR
+
 # Get startup options (override default)
 OPTIONS=
 
@@ -40,9 +37,25 @@ else
     exit 6
 fi
 
+# set the STATEDIR variable
+setstatedir() {
+    local statedir
+    if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
+	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
+    fi
+
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+
+    if [ ! -x $STATEDIR/firewall ]; then
+	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	    ${SBINDIR}/$PRODUCT compile
+	fi
+    fi
+}
+
 # Initialize the firewall
 start () {
-    local product
+    local PRODUCT
     local vardir
 
     if [ -z "$PRODUCTS" ]; then
@@ -52,11 +65,19 @@ start () {
     fi
 
     echo -n "Initializing \"Shorewall-based firewalls\": "
-    for product in $PRODUCTS; do
-	if [ -x ${VARDIR}/$product/firewall ]; then
-	    ${VARDIR}/$product/firewall stop 2>&1 | $logger
+    for PRODUCT in $PRODUCTS; do
+	setstatedir
+
+	if [ ! -x ${VARDIR}/firewall ]; then
+	    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+		${SBINDIR}/$PRODUCT compile
+	    fi
+	fi
+
+	if [ -x ${VARDIR}/$PRODUCT/firewall ]; then
+	    ${VARDIR}/$PRODUCT/firewall stop 2>&1 | $logger
 	    retval=${PIPESTATUS[0]}
-	    [ retval -ne 0 ] && break
+	    [ $retval -ne 0 ] && break
 	fi
     done
 
@@ -72,15 +93,23 @@ start () {
 
 # Clear the firewall
 stop () {
-    local product
+    local PRODUCT
     local vardir
 
     echo -n "Clearing \"Shorewall-based firewalls\": "
-    for product in $PRODUCTS; do
-	if [ -x ${VARDIR}/$product/firewall ]; then
-	    ${VARDIR}/$product/firewall clear 2>&1 | $logger
+    for PRODUCT in $PRODUCTS; do
+	setstatedir
+
+	if [ ! -x ${VARDIR}/firewall ]; then
+	    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+		${SBINDIR}/$PRODUCT compile
+	    fi
+	fi
+
+	if [ -x ${VARDIR}/$PRODUCT/firewall ]; then
+	    ${VARDIR}/$PRODUCT/firewall clear 2>&1 | $logger
 	    retval=${PIPESTATUS[0]}
-	    [ retval -ne 0 ] && break
+	    [ $retval -ne 0 ] && break
 	fi
     done
 
@@ -107,19 +136,15 @@ case "$1" in
 	status_q || exit 0
 	$1
 	;;
-    restart|reload|force-reload)
+    restart|reload|force-reload|condrestart|try-restart)
 	echo "Not implemented"
 	exit 3
 	;;
-    condrestart|try-restart)
-	echo "Not implemented"
-	exit 3
-        ;;
     status)
 	status $prog
 	;;
   *)
-	echo "Usage: /etc/init.d/shorewall-init {start|stop}"
+	echo "Usage: /etc/init.d/shorewall-init {start|stop|status}"
 	exit 1
 esac
 

Shorewall-init/init.sh

@@ -58,16 +58,34 @@ fi
 #
 . /usr/share/shorewall/shorewallrc
 
+# Locate the current PRODUCT's statedir
+setstatedir() {
+    local statedir
+    if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
+	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
+    fi
+
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+
+    if [ ! -x $STATEDIR/firewall ]; then
+	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	    ${SBINDIR}/$PRODUCT compile $STATEDIR/firewall
+	fi
+    fi
+}
+
 # Initialize the firewall
 shorewall_start () {
   local PRODUCT
-  local VARDIR
+  local STATEDIR
 
   echo -n "Initializing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
-      if [ -x ${VARDIR}/firewall ]; then
+      setstatedir
+
+      if [ -x ${STATEDIR}/firewall ]; then
 	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
-	      ${VARDIR}/firewall stop || echo_notdone
+	      ${STATEDIR}/firewall stop || echo_notdone
 	  fi
       fi
   done
@@ -86,6 +104,14 @@ shorewall_stop () {
 
   echo -n "Clearing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
+      setstatedir
+
+      if [ ! -x ${VARDIR}/firewall ]; then
+	  if [ $PRODUCT = shorewall -o $product = shorewall6 ]; then
+	      ${SBINDIR}/$PRODUCT compile
+	  fi
+      fi
+
       if [ -x ${VARDIR}/firewall ]; then
 	  ${VARDIR}/firewall clear || exit 1
       fi

Shorewall-init/init.suse.sh

@@ -57,16 +57,34 @@ fi
 #
 . /usr/share/shorewall/shorewallrc
 
+# set the STATEDIR variable
+setstatedir() {
+    local statedir
+    if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
+	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
+    fi
+
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+
+    if [ ! -x $STATEDIR/firewall ]; then
+	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	    ${SBINDIR}/$PRODUCT compile
+	fi
+    fi
+}
+
 # Initialize the firewall
 shorewall_start () {
   local PRODUCT
-  local VARDIR
+  local STATEDIR
 
   echo -n "Initializing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
-      if [ -x ${VARDIR}/firewall ]; then
+      setstatedir
+
+      if [ -x $STATEDIR/firewall ]; then
 	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
-	      ${VARDIR}/firewall stop || echo_notdone
+	      $STATEDIR/$PRODUCT/firewall stop || echo_notdone
 	  fi
       fi
   done
@@ -81,12 +99,14 @@ shorewall_start () {
 # Clear the firewall
 shorewall_stop () {
   local PRODUCT
-  local VARDIR
+  local STATEDIR
 
   echo -n "Clearing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
-      if [ -x ${VARDIR}/firewall ]; then
-	  ${VARDIR}/firewall clear || exit 1
+      setstatedir
+
+      if [ -x ${STATEDIR}/firewall ]; then
+	  ${STATEDIR}/firewall clear || exit 1
       fi
   done
 

Shorewall-init/install.sh

@@ -160,7 +160,14 @@ else
     usage 1
 fi
 
-for var in SHAREDIR LIBEXECDIR CONFDIR SBINDIR VARDIR; do
+if [ -z "${VARLIB}" ]; then
+    VARLIB=${VARDIR}
+    VARDIR=${VARLIB}/${PRODUCT}
+elif [ -z "${VARDIR}" ]; then
+    VARDIR=${VARLIB}/${PRODUCT}
+fi
+
+for var in SHAREDIR LIBEXECDIR CONFDIR SBINDIR VARLIB VARDIR; do
     require $var
 done
 
@@ -285,6 +292,7 @@ fi
 if [ -n "$SYSTEMD" ]; then
     mkdir -p ${DESTDIR}${SYSTEMD}
     run_install $OWNERSHIP -m 600 shorewall-init.service ${DESTDIR}${SYSTEMD}/shorewall-init.service
+    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/shorewall-init.service
     echo "Service file installed as ${DESTDIR}${SYSTEMD}/shorewall-init.service"
     if [ -n "$DESTDIR" ]; then
 	mkdir -p ${DESTDIR}${SBINDIR}

Shorewall-lite/install.sh

@@ -171,7 +171,14 @@ else
     usage 1
 fi
 
-for var in SHAREDIR LIBEXECDIRDIRDIR CONFDIR SBINDIR VARDIR; do
+if [ -z "${VARLIB}" ]; then
+    VARLIB=${VARDIR}
+    VARDIR=${VARLIB}/${PRODUCT}
+elif [ -z "${VARDIR}" ]; then
+    VARDIR=${VARLIB}/${PRODUCT}
+fi
+
+for var in SHAREDIR LIBEXECDIRDIRDIR CONFDIR SBINDIR VARLIB VARDIR; do
     require $var
 done
 
@@ -182,7 +189,6 @@ PATH=${SBINDIR}:/bin:/usr${SBINDIR}:/usr/bin:/usr/local/bin:/usr/local${SBINDIR}
 #
 cygwin=
 INSTALLD='-D'
-INITFILE=$PRODUCT
 T='-T'
 
 if [ -z "$BUILD" ]; then
@@ -274,21 +280,11 @@ if [ -n "$DESTDIR" ]; then
 
     install -d $OWNERSHIP -m 755 ${DESTDIR}/${SBINDIR}
     install -d $OWNERSHIP -m 755 ${DESTDIR}${INITDIR}
-
-    if [ -n "$SYSTEMD" ]; then
-	mkdir -p ${DESTDIR}/lib/systemd/system
-	INITFILE=
-    fi
 else
     if [ ! -f /usr/share/shorewall/coreversion ]; then
 	echo "$PRODUCT $VERSION requires Shorewall Core which does not appear to be installed" >&2
 	exit 1
     fi
-
-    if [ -f /lib/systemd/system ]; then
-	SYSTEMD=Yes
-	INITFILE=
-    fi
 fi
 
 echo "Installing $Product Version $VERSION"
@@ -307,7 +303,7 @@ if [ -z "$DESTDIR" -a -d ${CONFDIR}/$PRODUCT ]; then
 else
     rm -rf ${DESTDIR}${CONFDIR}/$PRODUCT
     rm -rf ${DESTDIR}${SHAREDIR}/$PRODUCT
-    rm -rf ${DESTDIR}${VARDIR}/$PRODUCT
+    rm -rf ${DESTDIR}${VARDIR}
     [ "$LIBEXECDIR" = /usr/share ] || rm -rf ${DESTDIR}/usr/share/$PRODUCT/wait4ifup ${DESTDIR}/usr/share/$PRODUCT/shorecap
 fi
 
@@ -332,7 +328,7 @@ echo "$Product control program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"
 mkdir -p ${DESTDIR}${CONFDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${SHAREDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT
-mkdir -p ${DESTDIR}${VARDIR}/$PRODUCT
+mkdir -p ${DESTDIR}${VARDIR}
 
 chmod 755 ${DESTDIR}${CONFDIR}/$PRODUCT
 chmod 755 ${DESTDIR}/usr/share/$PRODUCT
@@ -357,7 +353,9 @@ fi
 # Install the .service file
 #
 if [ -n "$SYSTEMD" ]; then
+    mkdir -p ${DESTDIR}${SYSTEMD}
     run_install $OWNERSHIP -m 600 $PRODUCT.service ${DESTDIR}/${SYSTEMD}/$PRODUCT.service
+    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/$PRODUCT.service
     echo "Service file installed as ${DESTDIR}/lib/systemd/system/$PRODUCT.service"
 fi
 

Shorewall-lite/manpages/shorewall-lite.xml

@@ -337,6 +337,8 @@
 
       <arg choice="plain"><option>show</option></arg>
 
+      <arg><option>-b</option></arg>
+
       <arg><option>-x</option></arg>
 
       <arg><option>-l</option></arg>
@@ -841,6 +843,12 @@
                 Netfilter table to display. The default is <emphasis
                 role="bold">filter</emphasis>.</para>
 
+                <para>The <emphasis role="bold">-b</emphasis> ('brief') option
+                causes rules which have not been used (i.e. which have zero
+                packet and byte counts) to be omitted from the output. Chains
+                with no rules displayed are also omitted from the
+                output.</para>
+
                 <para>The <emphasis role="bold">-l</emphasis> option causes
                 the rule number for each Netfilter rule to be
                 displayed.</para>

Shorewall-lite/shorecap

@@ -53,10 +53,7 @@ g_program=shorewall-lite
 #
 . /usr/share/shorewall/shorewallrc
 
-g_libexec="$LIBEXECDIR"
 g_sharedir="$SHAREDIR"/shorewall-lite
-g_sbindir="$SBINDIR"
-g_vardir="$VARDIR"
 g_confdir="$CONFDIR"/shorewall-lite
 g_readrc=1
 

Shorewall-lite/shorewall-lite

@@ -25,17 +25,15 @@
 #       For a list of supported commands, type 'shorewall help' or 'shorewall6 help'
 #
 ################################################################################################
-g_program=shorewall-lite
+PRODUCT=shorewall-lite
 
 #
 # This is modified by the installer when ${SHAREDIR} != /usr/share
 #
 . /usr/share/shorewall/shorewallrc
 
-g_libexec="$LIBEXECDIR"
+g_program=$PRODUCT
 g_sharedir="$SHAREDIR"/shorewall-lite
-g_sbindir="$SBINDIR"
-g_vardir="$VARDIR"
 g_confdir="$CONFDIR"/shorewall-lite
 g_readrc=1
 

Shorewall-lite/shorewall-lite.service

@@ -13,8 +13,8 @@ Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall-lite
 StandardOutput=syslog
-ExecStart=/sbin/shorewall-lite $OPTIONS start
-ExecStop=/sbin/shorewall-lite $OPTIONS stop
+ExecStart=/usr/sbin/shorewall-lite $OPTIONS start
+ExecStop=/usr/sbin/shorewall-lite $OPTIONS stop
 
 [Install]
 WantedBy=multi-user.target

Shorewall/Macros/macro.A_AllowICMPs

@@ -9,7 +9,7 @@
 #ACTION		SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #					PORT(S)	PORT(S)	LIMIT	GROUP
 
-COMMENT Needed ICMP types
+?COMMENT Needed ICMP types
 
 A_ACCEPT       -	-	icmp	fragmentation-needed
 A_ACCEPT       -	-	icmp	time-exceeded

Shorewall/Macros/macro.A_DropDNSrep

@@ -9,6 +9,6 @@
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 
-COMMENT Late DNS Replies
+?COMMENT Late DNS Replies
 
 A_DROP	-	-	udp	-	53

Shorewall/Macros/macro.A_DropUPnP

@@ -9,6 +9,6 @@
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 
-COMMENT UPnP
+?COMMENT UPnP
 
 A_DROP	-	-	udp	1900

Shorewall/Macros/macro.AllowICMPs

@@ -9,7 +9,7 @@
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 
-COMMENT Needed ICMP types
+?COMMENT Needed ICMP types
 
 DEFAULT ACCEPT
 PARAM	-	-	icmp	fragmentation-needed

Shorewall/Macros/macro.Amanda

@@ -8,7 +8,7 @@
 #	files from those nodes.
 #
 ###############################################################################
-FORMAT 2
+?FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 

Shorewall/Macros/macro.DropDNSrep

@@ -9,7 +9,7 @@
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 
-COMMENT Late DNS Replies
+?COMMENT Late DNS Replies
 
 DEFAULT DROP
 PARAM	-	-	udp	-	53

Shorewall/Macros/macro.DropUPnP

@@ -9,7 +9,7 @@
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 
-COMMENT UPnP
+?COMMENT UPnP
 
 DEFAULT DROP
 PARAM	-	-	udp	1900

Shorewall/Macros/macro.FTP

@@ -6,7 +6,7 @@
 #	This macro handles FTP traffic.
 #
 ###############################################################################
-FORMAT 2
+?FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __FTP_HELPER  )

Shorewall/Macros/macro.IRC

@@ -6,7 +6,7 @@
 #	This macro handles IRC traffic (Internet Relay Chat).
 #
 ###############################################################################
-FORMAT 2
+?FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 

Shorewall/Macros/macro.Puppet

@@ -0,0 +1,12 @@
+#
+# Shorewall version 4 - Puppet Macro
+#
+# /usr/share/shorewall/macro.Puppet
+#
+#	This macro handles client-to-server for the Puppet configuration
+#	management system.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S)	PORT(S)	LIMIT	GROUP
+PARAM	-	-	tcp	8140

Shorewall/Macros/macro.Rfc1918

@@ -7,7 +7,7 @@
 #############################################################################################
 #ACTION		SOURCE		DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
 #						PORT(S)	PORT(S)	DEST		LIMIT	GROUP
-FORMAT 2
+?FORMAT 2
 PARAM		SOURCE:10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 \
 				DEST	-	-	-	-	-	-
 PARAM		SOURCE		DEST	-	-	-	10.0.0.0/8,172.16.0.0/12,192.168.0.0/16

Shorewall/Macros/macro.SANE

@@ -6,7 +6,7 @@
 #	This macro handles SANE network scanning.
 #
 ###############################################################################
-FORMAT 2
+?FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 

Shorewall/Macros/macro.SIP

@@ -6,7 +6,7 @@
 #	This macro handles SIP traffic.
 #
 ###############################################################################
-FORMAT 2
+?FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 

Shorewall/Macros/macro.SMB

@@ -10,7 +10,7 @@
 #	between hosts you fully trust.
 #
 ###############################################################################
-FORMAT 2
+?FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 PARAM	-	-	udp	135,445

Shorewall/Macros/macro.SMBBI

@@ -10,7 +10,7 @@
 #	allow SMB traffic between hosts you fully trust.
 #
 ###############################################################################
-FORMAT 2
+?FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 PARAM	-	-	udp	135,445

Shorewall/Macros/macro.SNMP

@@ -3,18 +3,17 @@
 #
 # /usr/share/shorewall/macro.SNMP
 #
-#	This macro handles SNMP traffic (including traps).
+#	This macro handles SNMP traffic.
+#
+#       Note: To allow SNMP Traps, use the SNMPTrap macro
 #
 ###############################################################################
-FORMAT 2
+?FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __SNMP_HELPER )
  PARAM	-	-  	udp     161 ; helper=snmp
- PARAM	-	-	udp	162
 ?else
- PARAM	-	-	udp	161:162
+ PARAM	-	-	udp	161
 ?endif
-
-PARAM	-	-	tcp	161

Shorewall/Macros/macro.SNMPTrap

@@ -0,0 +1,12 @@
+#
+# Shorewall version 4 - SNMP Trap Macro
+#
+# /usr/share/shorewall/macro.SNMP
+#
+#	This macro handles SNMP traps.
+#
+###############################################################################
+?FORMAT 2
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S)	PORT(S)	LIMIT	GROUP
+PARAM	-	-	udp	162

Shorewall/Macros/macro.TFTP

@@ -8,7 +8,7 @@
 #	Internet.
 #
 ###############################################################################
-FORMAT 2
+?FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 

Shorewall/Macros/macro.Teredo

@@ -0,0 +1,11 @@
+#
+# Shorewall version 4 - Teredo Macro
+#
+# /usr/share/shorewall/macro.Teredo
+#
+#	This macro handles Teredo IPv6 over UDP tunneling traffic
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S)	PORT(S)	LIMIT	GROUP
+PARAM	-	-	udp	3544

Shorewall/Macros/macro.template

@@ -71,9 +71,17 @@
 #	Remaining		Any value in the rules file REPLACES the value
 #	columns			given in the macro file.
 #
+# Multiple parameters may be passed to a macro. Within this file, $1 refers to the first parameter,
+# $2 to the second an so on. $1 is a synonym for PARAM but may be used anywhere in the file whereas
+# PARAM may only be used in the ACTION column.
+#
+# You can specify default values for parameters by using DEFAULT or DEFAULTS entry:
+#
+#      DEFAULTS  <default for $1>,<default for $2>,...
+#
 #######################################################################################################
 #                                         DO NOT REMOVE THE FOLLOWING LINE
-FORMAT 2
-####################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS
+?FORMAT 2
+#################################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH        HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP

Shorewall/Perl/Shorewall/Accounting.pm

@@ -40,18 +40,18 @@ our $VERSION = 'MODULEVERSION';
 #
 # Per-IP accounting tables. Each entry contains the associated network.
 #
-my %tables;
+our %tables;
 
-my $jumpchainref;
-my %accountingjumps;
-my $asection;
-my $defaultchain;
-my $ipsecdir;
-my $defaultrestriction;
-my $restriction;
-my $accounting_commands = { COMMENT => 0, SECTION => 2 };
-my $sectionname;
-my $acctable;
+our $jumpchainref;
+our %accountingjumps;
+our $asection;
+our $defaultchain;
+our $ipsecdir;
+our $defaultrestriction;
+our $restriction;
+our $accounting_commands = { COMMENT => 0, SECTION => 2 };
+our $sectionname;
+our $acctable;
 
 #
 # Sections in the Accounting File
@@ -417,7 +417,7 @@ sub process_accounting_rule( ) {
 
 sub setup_accounting() {
 
-    if ( my $fn = open_file 'accounting' ) {
+    if ( my $fn = open_file 'accounting', 1, 1 ) {
 
 	first_entry "$doing $fn...";
 

Shorewall/Perl/Shorewall/Compiler.pm

@@ -34,7 +34,6 @@ use Shorewall::Accounting;
 use Shorewall::Rules;
 use Shorewall::Proc;
 use Shorewall::Proxyarp;
-use Shorewall::IPAddrs;
 use Shorewall::Raw;
 use Shorewall::Misc;
 
@@ -45,17 +44,17 @@ our @EXPORT = qw( compiler );
 our @EXPORT_OK = qw( $export );
 our $VERSION = 'MODULEVERSION';
 
-my $export;
+our $export;
 
-my $test;
+our $test;
 
-my $family;
+our $family;
 
 #
 # Initilize the package-globals in the other modules
 #
-sub initialize_package_globals( $$ ) {
-    Shorewall::Config::initialize($family, $_[1]);
+sub initialize_package_globals( $$$ ) {
+    Shorewall::Config::initialize($family, $_[1], $_[2]);
     Shorewall::Chains::initialize ($family, 1, $export );
     Shorewall::Zones::initialize ($family, $_[0]);
     Shorewall::Nat::initialize;
@@ -158,7 +157,7 @@ sub generate_script_2() {
 
     push_indent;
 
-    if ( $shorewallrc{TEMPDIR} ) {
+    if ( $shorewallrc1{TEMPDIR} ) {
 	emit( '',
 	      qq(TMPDIR="$shorewallrc{TEMPDIR}") ,
 	      q(export TMPDIR) );
@@ -168,14 +167,14 @@ sub generate_script_2() {
 	emit( 'g_family=4' );
 
 	if ( $export ) {
-	    emit ( qq(g_confdir=$shorewallrc{CONFDIR}/shorewall-lite),
+	    emit ( qq(g_confdir=$shorewallrc1{CONFDIR}/shorewall-lite),
 		   'g_product="Shorewall Lite"',
 		   'g_program=shorewall-lite',
 		   'g_basedir=/usr/share/shorewall-lite',
-		   qq(CONFIG_PATH="$shorewallrc{CONFDIR}/shorewall-lite:$shorewallrc{SHAREDIR}/shorewall-lite") ,
+		   qq(CONFIG_PATH="$shorewallrc1{CONFDIR}/shorewall-lite:$shorewallrc1{SHAREDIR}/shorewall-lite") ,
 		 );
 	} else {
-	    emit ( qq(g_confdir=$shorewallrc{CONFDIR}/shorewall),
+	    emit ( qq(g_confdir=$shorewallrc1{CONFDIR}/shorewall),
 		   'g_product=Shorewall',
 		   'g_program=shorewall',
 		   'g_basedir=/usr/share/shorewall',
@@ -186,14 +185,14 @@ sub generate_script_2() {
 	emit( 'g_family=6' );
 
 	if ( $export ) {
-	    emit ( qq(g_confdir=$shorewallrc{CONFDIR}/shorewall6-lite),
+	    emit ( qq(g_confdir=$shorewallrc1{CONFDIR}/shorewall6-lite),
 		   'g_product="Shorewall6 Lite"',
 		   'g_program=shorewall6-lite',
 		   'g_basedir=/usr/share/shorewall6',
-		   qq(CONFIG_PATH="$shorewallrc{CONFDIR}/shorewall6-lite:$shorewallrc{SHAREDIR}/shorewall6-lite") ,
+		   qq(CONFIG_PATH="$shorewallrc1{CONFDIR}/shorewall6-lite:$shorewallrc{SHAREDIR}/shorewall6-lite") ,
 		 );
 	} else {
-	    emit ( qq(g_confdir=$shorewallrc{CONFDIR}/shorewall6),
+	    emit ( qq(g_confdir=$shorewallrc1{CONFDIR}/shorewall6),
 		   'g_product=Shorewall6',
 		   'g_program=shorewall6',
 		   'g_basedir=/usr/share/shorewall',
@@ -202,21 +201,9 @@ sub generate_script_2() {
 	}
     }
 
-    emit( '[ -f ${g_confdir}/vardir ] && . ${g_confdir}/vardir' );
-
-    if ( $family == F_IPV4 ) {
-	if ( $export ) {
-	    emit ( '[ -n "${VARDIR:=' . $shorewallrc{VARDIR} . '/shorewall-lite}" ]' );
-	} else {
-	    emit ( '[ -n "${VARDIR:=' . $shorewallrc{VARDIR} . '/shorewall}" ]' );
-	}
-    } else {
-	if ( $export ) {
-	    emit ( '[ -n "${VARDIR:=' . $shorewallrc{VARDIR} . '/shorewall6-lite}" ]' );
-	} else {
-	    emit ( '[ -n "${VARDIR:=' . $shorewallrc{VARDIR} . '/shorewall6}" ]' );
-	}
-    }
+    emit (   '[ -f ${g_confdir}/vardir ] && . ${g_confdir}/vardir' );
+    emit ( qq([ -n "\${VARDIR:=$shorewallrc1{VARDIR}}" ]) );
+    emit ( qq([ -n "\${VARLIB:=$shorewallrc1{VARLIB}}" ]) );
 
     emit 'TEMPFILE=';
 
@@ -378,8 +365,8 @@ sub generate_script_3($) {
 	       'fi',
 	       '' );
 
+	verify_address_variables;
 	save_dynamic_chains;
-
 	mark_firewall_not_started;
 
 	emit ( '',
@@ -407,6 +394,7 @@ sub generate_script_3($) {
 	       'fi',
 	       '' );
 
+	verify_address_variables;
 	save_dynamic_chains;
 	mark_firewall_not_started;
 
@@ -472,49 +460,56 @@ sub generate_script_3($) {
         fatal_error "$iptables_save_file does not exist"
     fi
 EOF
-    pop_indent;
+    push_indent;
     setup_load_distribution;
     setup_forwarding( $family , 1 );
-    push_indent;
+    pop_indent;
 
     my $config_dir = $globals{CONFIGDIR};
 
     emit<<"EOF";
     set_state Started $config_dir
     run_restored_exit
-else
-    if [ \$COMMAND = refresh ]; then
-        chainlist_reload
+elif [ \$COMMAND = refresh ]; then
+    chainlist_reload
 EOF
+    push_indent;
     setup_load_distribution;
     setup_forwarding( $family , 0 );
-
-    emit( '        run_refreshed_exit' ,
-	  '        do_iptables -N shorewall' ,
-	  "        set_state Started $config_dir" ,
-	  '    else' ,
-	  '        setup_netfilter' );
-
+    pop_indent;
+    #
+    # Use a parameter list rather than 'here documents' to avoid an extra blank line
+    #
+    emit(
+'    run_refreshed_exit',
+'    do_iptables -N shorewall',
+"    set_state Started $config_dir",
+'    [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall',
+'else',
+'    setup_netfilter'
+	);
+    push_indent;
     setup_load_distribution;
+    pop_indent;
 
-    emit<<"EOF";
-        conditionally_flush_conntrack
+    emit<<'EOF';
+    conditionally_flush_conntrack
 EOF
+    push_indent;
+    initialize_switches;
     setup_forwarding( $family , 0 );
+    pop_indent;
 
     emit<<"EOF";
-        run_start_exit
-        do_iptables -N shorewall
-        set_state Started $config_dir
-        run_started_exit
-    fi
-
+    run_start_exit
+    do_iptables -N shorewall
+    set_state Started $config_dir
+    [ \$0 = \${VARDIR}/firewall ] || cp -f \$(my_pathname) \${VARDIR}/firewall
+    run_started_exit
+fi
 EOF
 
     emit<<'EOF';
-    [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall
-fi
-
 date > ${VARDIR}/restarted
 
 case $COMMAND in
@@ -546,8 +541,8 @@ EOF
 #
 sub compiler {
 
-    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $convert, $config_path, $shorewallrc ) =
-       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0,        0,         0,        0,        , 0       , ''          , '');
+    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $convert, $config_path, $shorewallrc                      , $shorewallrc1 , $directives ) =
+       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0,        0,         0,        0,        , 0       , ''          , '/usr/share/shorewall/shorewallrc', ''            , 0 );
 
     $export = 0;
     $test   = 0;
@@ -584,8 +579,10 @@ sub compiler {
 		  update        => { store => \$update,        validate=> \&validate_boolean    } ,
 		  convert       => { store => \$convert,       validate=> \&validate_boolean    } ,
 		  annotate      => { store => \$annotate,      validate=> \&validate_boolean    } ,
+		  directives    => { store => \$directives,    validate=> \&validate_boolean    } ,
 		  config_path   => { store => \$config_path } ,
 		  shorewallrc   => { store => \$shorewallrc } ,
+		  shorewallrc1  => { store => \$shorewallrc1 } ,
 		);
     #
     #                               P A R A M E T E R    P R O C E S S I N G
@@ -603,7 +600,7 @@ sub compiler {
     #
     # Now that we know the address family (IPv4/IPv6), we can initialize the other modules' globals
     #
-    initialize_package_globals( $update, $shorewallrc );
+    initialize_package_globals( $update, $shorewallrc, $shorewallrc1 );
 
     set_config_path( $config_path ) if $config_path;
 
@@ -621,7 +618,7 @@ sub compiler {
     #
     #                      S H O R E W A L L . C O N F  A N D  C A P A B I L I T I E S
     #
-    get_configuration( $export , $update , $annotate );
+    get_configuration( $export , $update , $annotate , $directives );
     #
     # Create a temp file to hold the script
     #
@@ -919,6 +916,7 @@ sub compiler {
 	    # call that function during normal 'check', we must validate routestopped here.
 	    #
 	    process_routestopped;
+	    process_stoppedrules;
 	}
 
 	if ( $family == F_IPV4 ) {

Shorewall/Perl/Shorewall/IPAddrs.pm

@@ -32,7 +32,7 @@ use Socket;
 use strict;
 
 our @ISA = qw(Exporter);
-our @EXPORT = qw( ALLIPv4
+our @EXPORT = ( qw( ALLIPv4
                   ALLIPv6
 		  NILIPv4
 		  NILIPv6
@@ -72,27 +72,27 @@ our @EXPORT = qw( ALLIPv4
 		  validate_port_list
 		  validate_icmp
 		  validate_icmp6
-		 );
+		 ) );
 our @EXPORT_OK = qw( );
 our $VERSION = 'MODULEVERSION';
 
 #
 # Some IPv4/6 useful stuff
 #
-my @allipv4 = ( '0.0.0.0/0' );
-my @allipv6 = ( '::/0' );
-my $allip;
-my @allip;
-my @nilipv4 = ( '0.0.0.0' );
-my @nilipv6 = ( '::' );
-my $nilip;
-my @nilip;
-my $valid_address;
-my $validate_address;
-my $validate_net;
-my $validate_range;
-my $validate_host;
-my $family;
+our @allipv4 = ( '0.0.0.0/0' );
+our @allipv6 = ( '::/0' );
+our $allip;
+our @allip;
+our @nilipv4 = ( '0.0.0.0' );
+our @nilipv6 = ( '::' );
+our $nilip;
+our @nilip;
+our $valid_address;
+our $validate_address;
+our $validate_net;
+our $validate_range;
+our $validate_host;
+our $family;
 
 use constant { ALLIPv4             => '0.0.0.0/0' ,
 	       ALLIPv6             => '::/0' ,
@@ -109,7 +109,7 @@ use constant { ALLIPv4             => '0.0.0.0/0' ,
 	       IPv6_SITE_ALLRTRS   => 'ff02::2' ,
 	   };
 
-my @rfc1918_networks = ( "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" );
+our @rfc1918_networks = ( "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" );
 
 #
 # Note: initialize() is declared at the bottom of the file
@@ -207,11 +207,13 @@ sub validate_4net( $$ ) {
     }
 
     if ( defined wantarray ) {
-	assert ( ! $allow_name );
 	if ( wantarray ) {
+	    assert( ! $allow_name );
 	    ( decodeaddr( $net ) , $vlsm );
+	} elsif ( valid_4address $net ) {
+	    $vlsm == 32 ? $net : "$net/$vlsm";
 	} else {
-	    "$net/$vlsm";
+	    $net;
 	}
     }
 }
@@ -226,6 +228,8 @@ sub validate_4range( $$ ) {
     my $last  = decodeaddr $high;
 
     fatal_error "Invalid IP Range ($low-$high)" unless $first <= $last;
+
+    "$low-$high";
 }
 
 sub validate_4host( $$ ) {
@@ -608,7 +612,7 @@ sub validate_6address( $$ ) {
 
 sub validate_6net( $$ ) {
     my ($net, $vlsm, $rest) = split( '/', $_[0], 3 );
-    my $allow_name = $_[1];
+    my $allow_name = $_[0];
 
     if ( $net =~ /\+(\[?)/ ) {
 	if ( $1 ) {
@@ -620,22 +624,28 @@ sub validate_6net( $$ ) {
 	}
     }
 
+    fatal_error "Invalid Network address ($_[0])" unless supplied $net;
+
+    $net = $1 if $net =~ /^\[(.*)\]$/;
+
     if ( defined $vlsm ) {
         fatal_error "Invalid VLSM ($vlsm)"              unless $vlsm =~ /^\d+$/ && $vlsm <= 128;
 	fatal_error "Invalid Network address ($_[0])"   if defined $rest;
 	fatal_error "Invalid IPv6 address ($net)"       unless valid_6address $net;
     } else {
-	fatal_error "Invalid Network address ($_[0])" if $_[0] =~ '/' || ! defined $net;
+	fatal_error "Invalid Network address ($_[0])" if $_[0] =~ '/';
 	validate_6address $net, $allow_name;
 	$vlsm = 128;
     }
 
     if ( defined wantarray ) {
-	assert ( ! $allow_name );
 	if ( wantarray ) {
+	    assert( ! $allow_name );
 	    ( $net , $vlsm );
+	} elsif ( valid_6address ( $net ) ) {
+	    $vlsm == 32 ? $net : "$net/$vlsm";
 	} else {
-	    "$net/$vlsm";
+	    $net;
 	}
     }
 }
@@ -682,11 +692,13 @@ sub validate_6range( $$ ) {
     while ( @low ) {
 	my ( $l, $h) = ( shift @low, shift @high );
 	next     if hex "0x$l" == hex "0x$h";
-	return 1 if hex "0x$l"  < hex "0x$h";
+	return "$low-$high" if hex "0x$l"  < hex "0x$h";
 	last;
     }
 
     fatal_error "Invalid IPv6 Range ($low-$high)";
+
+    
 }
 
 sub validate_6host( $$ ) {

Shorewall/Perl/Shorewall/Misc.pm

@@ -41,13 +41,14 @@ our @EXPORT = qw( process_tos
 		  add_common_rules
 		  setup_mac_lists
 		  process_routestopped
+		  process_stoppedrules
 		  compile_stop_firewall
 		  generate_matrix
 		  );
 our @EXPORT_OK = qw( initialize );
 our $VERSION = 'MODULEVERSION';
 
-my $family;
+our $family;
 
 #
 # Rather than initializing globals in an INIT block or during declaration,
@@ -203,25 +204,24 @@ sub setup_blacklist() {
     my $target      = $disposition eq 'REJECT' ? 'reject' : $disposition;
     my $orig_target = $target;
 
-    #
-    # We go ahead and generate the blacklist chains and jump to them, even if they turn out to be empty. That is necessary
-    # for 'refresh' to work properly.
-    #
-    if ( @$zones || @$zones1 ) {
-	$chainref  = set_optflags( new_standard_chain( 'blacklst' ), DONT_OPTIMIZE | DONT_DELETE ) if @$zones;
-	$chainref1 = set_optflags( new_standard_chain( 'blackout' ), DONT_OPTIMIZE | DONT_DELETE ) if @$zones1;
-
-	if ( supplied $level ) {
-	    $target = ensure_blacklog_chain ( $target, $disposition, $level, $audit );
-	} elsif ( $audit ) {
-	    require_capability 'AUDIT_TARGET', "BLACKLIST_DISPOSITION=$disposition", 's';
-	    $target = verify_audit( $disposition );
-	}
-    }
-
   BLACKLIST:
     {
 	if ( my $fn = open_file 'blacklist' ) {
+	    #
+	    # We go ahead and generate the blacklist chains and jump to them, even if they turn out to be empty. That is necessary
+	    # for 'refresh' to work properly.
+	    #
+	    if ( @$zones || @$zones1 ) {
+		$chainref  = set_optflags( new_standard_chain( 'blacklst' ), DONT_OPTIMIZE | DONT_DELETE ) if @$zones;
+		$chainref1 = set_optflags( new_standard_chain( 'blackout' ), DONT_OPTIMIZE | DONT_DELETE ) if @$zones1;
+
+		if ( supplied $level ) {
+		    $target = ensure_blacklog_chain ( $target, $disposition, $level, $audit );
+		} elsif ( $audit ) {
+		    require_capability 'AUDIT_TARGET', "BLACKLIST_DISPOSITION=$disposition", 's';
+		    $target = verify_audit( $disposition );
+		}
+	    }
 
 	    my $first_entry = 1;
 
@@ -668,6 +668,89 @@ sub process_routestopped() {
     }
 }
 
+#
+# Process the stoppedrules file. Returns true if the file was non-empty.
+#
+sub process_stoppedrules() {
+    my $fw = firewall_zone;
+    my $result;
+
+    if ( my $fn = open_file 'stoppedrules' , 1, 1 ) {
+	first_entry "$doing $fn...";
+
+	while ( read_a_line( NORMAL_READ ) ) {
+
+	    $result = 1;
+
+	    my ( $target, $source, $dest, $proto, $ports, $sports ) = 
+		split_line1 'stoppedrules file', { target => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5 }, { COMMENT => 0 };
+
+	    fatal_error( "Invalid TARGET ($target)" ) unless $target =~ /^(?:ACCEPT|NOTRACK)$/;
+
+	    my $tableref;
+
+	    my $chainref;
+	    my $restriction = NO_RESTRICT;
+
+	    if ( $target eq 'NOTRACK' ) {
+		$tableref = $raw_table;
+		require_capability 'RAW_TABLE', 'NOTRACK', 's';
+		$chainref = $raw_table->{PREROUTING};
+		$restriction = PREROUTE_RESTRICT | DESTIFACE_DISALLOW;
+	    } else {
+		$tableref = $filter_table;
+	    }
+
+	    if ( $source eq $fw ) {
+		$chainref = ( $target eq 'NOTRACK' ? $raw_table : $filter_table)->{OUTPUT};
+		$source = '';
+		$restriction = OUTPUT_RESTRICT;
+	    } elsif ( $source =~ s/^($fw):// ) {
+		$chainref = ( $target eq 'NOTRACK' ? $raw_table : $filter_table)->{OUTPUT};
+		$restriction = OUTPUT_RESTRICT;
+	    }
+
+	    if ( $dest eq $fw ) {
+		fatal_error "\$FW may not be specified as the destination of a NOTRACK rule" if $target eq 'NOTRACK';
+		$chainref = $filter_table->{INPUT};
+		$dest = '';
+		$restriction = INPUT_RESTRICT;
+	    } elsif ( $dest =~ s/^($fw):// ) {
+		fatal_error "\$FW may not be specified as the destination of a NOTRACK rule" if $target eq 'NOTRACK';
+		$chainref = $filter_table->{INPUT};
+		$restriction = INPUT_RESTRICT;
+	    }
+
+	    $chainref = $tableref->{FORWARD} unless $chainref;
+
+	    my $disposition = $target;
+
+	    $target = 'CT --notrack' if $target eq 'NOTRACK' and have_capability( 'CT_TARGET' );
+
+	    unless ( $restriction == OUTPUT_RESTRICT
+		     && $target eq 'ACCEPT'
+		     && $config{ADMINISABSENTMINDED} ) {
+		expand_rule( $chainref ,
+			     $restriction ,
+			     do_proto( $proto, $ports, $sports ) ,
+			     $source ,
+			     $dest ,
+			     '' ,
+			     $target,
+			     '',
+			     $disposition,
+			     do_proto( $proto, '-', '-' ) );
+	    } else {
+		warning_message "Redundant OUTPUT rule ignored because ADMINISABSENTMINDED=Yes";
+	    }
+	}
+    }
+
+    clear_comment;
+
+    $result;
+}
+
 sub setup_mss();
 
 sub add_common_rules ( $ ) {
@@ -1125,7 +1208,7 @@ sub setup_mac_lists( $ ) {
 	    }
 	}
 
-	if ( my $fn = open_file 'maclist' ) {
+	if ( my $fn = open_file 'maclist', 1, 1 ) {
 
 	    first_entry "$doing $fn...";
 
@@ -1395,10 +1478,11 @@ sub handle_loopback_traffic() {
 		    my @ipsec_match = match_ipsec_in $z1 , $hostref;
 
 		    for my $net ( @{$hostref->{hosts}} ) {
-			add_ijump( $rawout,
-				   j => $exclusion ,
-				   imatch_source_net $net,
-				   @ipsec_match );
+			insert_ijump( $rawout,
+				      j => $exclusion ,
+				      $rawout->{insert}++,
+				      imatch_source_net $net,
+				      @ipsec_match );
 		    }
 		}
 	    }
@@ -1443,10 +1527,6 @@ sub add_interface_jumps {
 	addnatjump 'POSTROUTING' , snat_chain( $interface ), imatch_dest_dev( $interface );
     }
 
-    addnatjump 'PREROUTING'  , 'nat_in';
-    addnatjump 'POSTROUTING' , 'nat_out';
-    addnatjump 'PREROUTING', 'dnat';
-
     for my $interface ( @interfaces  ) {
 	addnatjump 'PREROUTING'  , input_chain( $interface )  , imatch_source_dev( $interface );
 	addnatjump 'POSTROUTING' , output_chain( $interface ) , imatch_dest_dev( $interface );
@@ -1751,6 +1831,7 @@ sub add_prerouting_jumps( $$$$$$$$ ) {
 
     my $dnatref         = $nat_table->{dnat_chain( $zone )};
     my $preroutingref   = $nat_table->{PREROUTING};
+    my $rawref          = $raw_table->{PREROUTING};
     my $notrackref      = ensure_chain 'raw' , notrack_chain( $zone );
     my @ipsec_in_match  = match_ipsec_in  $zone , $hostref;
 
@@ -1775,15 +1856,20 @@ sub add_prerouting_jumps( $$$$$$$$ ) {
 	# There are notrack rules with this zone as the source.
 	# Add a jump from this source network to this zone's notrack chain
 	#
-	add_ijump $raw_table->{PREROUTING}, j => source_exclusion( $exclusions, $notrackref), imatch_source_dev( $interface), @source, @ipsec_in_match;
+	insert_ijump $rawref, j => source_exclusion( $exclusions, $notrackref), $rawref->{insert}++, imatch_source_dev( $interface), @source, @ipsec_in_match;
     }
     #
     # If this zone has parents with DNAT/REDIRECT or notrack rules and there are no CONTINUE polcies with this zone as the source
     # then add a RETURN jump for this source network.
     #
     if ( $nested ) {
-	add_ijump $preroutingref,           j => 'RETURN', imatch_source_dev( $interface), @source, @ipsec_in_match if $parenthasnat;
-	add_ijump $raw_table->{PREROUTING}, j => 'RETURN', imatch_source_dev( $interface), @source, @ipsec_in_match if $parenthasnotrack;
+	if ( $parenthasnat ) {
+	    add_ijump $preroutingref, j => 'RETURN',                      imatch_source_dev( $interface), @source, @ipsec_in_match;
+	}
+	if ( $parenthasnotrack ) {
+	    my $rawref = $raw_table->{PREROUTING};
+	    insert_ijump $rawref,     j => 'RETURN', $rawref->{insert}++, imatch_source_dev( $interface), @source, @ipsec_in_match;
+	}
     }
 }
 
@@ -1986,7 +2072,7 @@ sub optimize1_zones( $$@ ) {
 # The biggest disadvantage of the zone-policy-rule model used by Shorewall is that it doesn't scale well as the number of zones increases (Order N**2 where N = number of zones).
 # A major goal of the rewrite of the compiler in Perl was to restrict those scaling effects to this function and the rules that it generates.
 #
-# The function traverses the full "source-zone by destination-zone" matrix and generates the rules necessary to direct traffic through the right set of filter-table and
+# The function traverses the full "source-zone by destination-zone" matrix and generates the rules necessary to direct traffic through the right set of filter-table, raw-table and
 # nat-table rules.
 #
 sub generate_matrix() {
@@ -2149,6 +2235,11 @@ sub generate_matrix() {
     } # Source Zone Loop
 
     progress_message '  Finishing matrix...';
+    #
+    # Make sure that the 1:1 NAT jumps are last in PREROUTING
+    #
+    addnatjump 'PREROUTING'  , 'nat_in';
+    addnatjump 'POSTROUTING' , 'nat_out';
 
     add_interface_jumps @interfaces unless $interface_jumps_added;
 
@@ -2415,7 +2506,7 @@ EOF
 	}
     }
 
-    process_routestopped;
+    process_routestopped unless process_stoppedrules;
 
     add_ijump $input,  j => 'ACCEPT', i => 'lo';
     add_ijump $output, j => 'ACCEPT', o => 'lo' unless $config{ADMINISABSENTMINDED};

Shorewall/Perl/Shorewall/Nat.pm

@@ -42,8 +42,8 @@ Exporter::export_ok_tags('rules');
 
 our $VERSION = 'MODULEVERSION';
 
-my @addresses_to_add;
-my %addresses_to_add;
+our @addresses_to_add;
+our %addresses_to_add;
 
 #
 # Called by the compiler
@@ -123,7 +123,7 @@ sub process_one_masq( )
     #
     # Handle Protocol, Ports and Condition
     #
-    $baserule .= do_proto( $proto, $ports, '' ) . do_condition( $condition );
+    $baserule .= do_proto( $proto, $ports, '' );
     #
     # Handle Mark
     #
@@ -158,6 +158,8 @@ sub process_one_masq( )
 
 	my $chainref = ensure_chain('nat', $pre_nat ? snat_chain $interface : masq_chain $interface);
 
+	$baserule .= do_condition( $condition , $chainref->{name} );
+
 	my $detectaddress = 0;
 	my $exceptionrule = '';
 	my $randomize     = '';
@@ -194,12 +196,16 @@ sub process_one_masq( )
 		} else {
 		    my $addrlist = '';
 		    for my $addr ( split_list $addresses , 'address' ) {
-			if ( $addr =~ /^&(.+)$/ ) {
+			if ( $addr =~ /^([&%])(.+)$/ ) {
+			    my ( $type, $interface ) = ( $1, $2 );
 			    $target = 'SNAT ';
-			    if ( $conditional = conditional_rule( $chainref, $addr ) ) {
-				$addrlist .= '--to-source ' . get_interface_address $1;
+			    if ( $interface =~ /^{([a-zA-Z_]\w*)}$/ ) {
+				$conditional = conditional_rule( $chainref, $addr );
+				$addrlist .= '--to-source ' . "\$$1 ";
+			    } elsif ( $conditional = conditional_rule( $chainref, $addr ) ) {
+				$addrlist .= '--to-source ' . get_interface_address $interface;
 			    } else {
-				$addrlist .= '--to-source ' . record_runtime_address( '&', $1 );
+				$addrlist .= '--to-source ' . record_runtime_address( $type, $interface );
 			    }
 			} elsif ( $addr =~ /^.*\..*\..*\./ ) {
 			    $target = 'SNAT ';
@@ -276,7 +282,7 @@ sub process_one_masq( )
 #
 sub setup_masq()
 {
-    if ( my $fn = open_file 'masq' ) {
+    if ( my $fn = open_file( 'masq', 1, 1 ) ) {
 
 	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty masq file' , 's'; } );
 
@@ -373,7 +379,7 @@ sub do_one_nat( $$$$$ )
 #
 sub setup_nat() {
 
-    if ( my $fn = open_file 'nat' ) {
+    if ( my $fn = open_file( 'nat', 1, 1 ) ) {
 
 	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty nat file' , 's'; } );
 
@@ -409,7 +415,7 @@ sub setup_nat() {
 #
 sub setup_netmap() {
 
-    if ( my $fn = open_file 'netmap' ) {
+    if ( my $fn = open_file 'netmap', 1, 1 ) {
 
 	first_entry "$doing $fn...";
 
@@ -431,8 +437,8 @@ sub setup_netmap() {
 		    my @rulein;
 		    my @ruleout;
 
-		    validate_net $net1, 0;
-		    validate_net $net2, 0;
+		    $net1 = validate_net $net1, 0;
+		    $net2 = validate_net $net2, 0;
 
 		    unless ( $interfaceref->{root} ) {
 			@rulein  = imatch_source_dev( $interface );
@@ -466,7 +472,7 @@ sub setup_netmap() {
 
 		    require_capability 'RAWPOST_TABLE', 'Stateless NAT Entries', '';
 
-		    validate_net $net2, 0;
+		    $net2 = validate_net $net2, 0;
 
 		    unless ( $interfaceref->{root} ) {
 			@match = imatch_dest_dev(  $interface );

Shorewall/Perl/Shorewall/Proc.pm

@@ -219,30 +219,30 @@ sub setup_forwarding( $$ ) {
 
     if ( $family == F_IPV4 ) {
 	if ( $config{IP_FORWARDING} eq 'on' ) {
-	    emit '        echo 1 > /proc/sys/net/ipv4/ip_forward';
-	    emit '        progress_message2 IPv4 Forwarding Enabled';
+	    emit 'echo 1 > /proc/sys/net/ipv4/ip_forward';
+	    emit 'progress_message2 IPv4 Forwarding Enabled';
 	} elsif ( $config{IP_FORWARDING} eq 'off' ) {
-	    emit '        echo 0 > /proc/sys/net/ipv4/ip_forward';
-	    emit '        progress_message2 IPv4 Forwarding Disabled!';
+	    emit 'echo 0 > /proc/sys/net/ipv4/ip_forward';
+	    emit 'progress_message2 IPv4 Forwarding Disabled!';
 	}
 
 	emit '';
 
-	emit ( '        echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables' ,
+	emit ( 'echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables' ,
 	       ''
 	     ) if have_bridges;
     } else {
 	if ( $config{IP_FORWARDING} eq 'on' ) {
-	    emit '        echo 1 > /proc/sys/net/ipv6/conf/all/forwarding';
-	    emit '        progress_message2 IPv6 Forwarding Enabled';
+	    emit 'echo 1 > /proc/sys/net/ipv6/conf/all/forwarding';
+	    emit 'progress_message2 IPv6 Forwarding Enabled';
 	} elsif ( $config{IP_FORWARDING} eq 'off' ) {
-	    emit '        echo 0 > /proc/sys/net/ipv6/conf/all/forwarding';
-	    emit '        progress_message2 IPv6 Forwarding Disabled!';
+	    emit 'echo 0 > /proc/sys/net/ipv6/conf/all/forwarding';
+	    emit 'progress_message2 IPv6 Forwarding Disabled!';
 	}
 
 	emit '';
 
-	emit ( '        echo 1 > /proc/sys/net/bridge/bridge-nf-call-ip6tables' ,
+	emit ( 'echo 1 > /proc/sys/net/bridge/bridge-nf-call-ip6tables' ,
 	       ''
 	     ) if have_bridges;
 
@@ -251,9 +251,6 @@ sub setup_forwarding( $$ ) {
 	if ( @$interfaces ) {
 	    progress_message2 "$doing Interface forwarding..." if $first;
 
-	    push_indent;
-	    push_indent;
-
 	    save_progress_message 'Setting up IPv6 Interface Forwarding...';
 
 	    for my $interface ( @$interfaces ) {
@@ -270,9 +267,6 @@ sub setup_forwarding( $$ ) {
 		       "    error_message \"WARNING: Cannot set IPv6 forwarding on $interface\"" ) unless $optional;
 		emit   "fi\n";
 	    }
-
-	    pop_indent;
-	    pop_indent;
 	}
     }
 }

Shorewall/Perl/Shorewall/Providers.pm

@@ -53,28 +53,28 @@ use constant { LOCAL_TABLE   => 255,
 	       UNSPEC_TABLE  => 0
 	       };
 
-my  @routemarked_providers;
-my  %routemarked_interfaces;
+our @routemarked_providers;
+our %routemarked_interfaces;
 our @routemarked_interfaces;
-my  %provider_interfaces;
-my  @load_providers;
-my  @load_interfaces;
+our %provider_interfaces;
+our @load_providers;
+our @load_interfaces;
 
-my $balancing;
-my $fallback;
-my $metrics;
-my $first_default_route;
-my $first_fallback_route;
-my $maxload;
-my $tproxies;
+our $balancing;
+our $fallback;
+our $metrics;
+our $first_default_route;
+our $first_fallback_route;
+our $maxload;
+our $tproxies;
 
-my %providers;
+our %providers;
 
-my @providers;
+our @providers;
 
-my $family;
+our $family;
 
-my $lastmark;
+our $lastmark;
 
 use constant { ROUTEMARKED_SHARED => 1, ROUTEMARKED_UNSHARED => 2 };
 
@@ -118,10 +118,15 @@ sub initialize( $ ) {
 #
 sub setup_route_marking() {
     my $mask = in_hex( $globals{PROVIDER_MASK} );
+    my $exmask = have_capability( 'EXMARK' ) ? "/$mask" : '';
 
     require_capability( $_ , q(The provider 'track' option) , 's' ) for qw/CONNMARK_MATCH CONNMARK/;
 
-    add_ijump $mangle_table->{$_} , j => 'CONNMARK', targetopts => "--restore-mark --mask $mask" for qw/PREROUTING OUTPUT/;
+    if ( $config{RESTORE_ROUTEMARKS} ) {
+	add_ijump $mangle_table->{$_} , j => 'CONNMARK', targetopts => "--restore-mark --mask $mask" for qw/PREROUTING OUTPUT/;
+    } else {
+	add_ijump $mangle_table->{$_} , j => 'CONNMARK', targetopts => "--restore-mark --mask $mask", connmark => "! --mark 0/$mask" for qw/PREROUTING OUTPUT/;
+    }
 
     my $chainref  = new_chain 'mangle', 'routemark';
 
@@ -145,10 +150,10 @@ sub setup_route_marking() {
 
 	    if ( $providerref->{shared} ) {
 		add_commands( $chainref, qq(if [ -n "$providerref->{mac}" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional};
-		add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}", imatch_source_dev( $interface ), mac => "--mac-source $providerref->{mac}";
+		add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}${exmask}", imatch_source_dev( $interface ), mac => "--mac-source $providerref->{mac}";
 		decr_cmd_level( $chainref ), add_commands( $chainref, "fi\n" ) if $providerref->{optional};
 	    } else {
-		add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}", imatch_source_dev( $interface );
+		add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}${exmask}", imatch_source_dev( $interface );
 	    }
 	}
 
@@ -333,24 +338,35 @@ sub balance_fallback_route( $$$$ ) {
     }
 }
 
-sub start_provider( $$$ ) {
-    my ($table, $number, $test ) = @_;
+sub start_provider( $$$$ ) {
+    my ($what, $table, $number, $test ) = @_;
 
-    emit "\n#\n# Add Provider $table ($number)\n#";
+    emit "\n#\n# Add $what $table ($number)\n#";
+
+    if ( $number ) {
+	emit "start_provider_$table() {";
+    } else {
+	emit "start_interface_$table() {";
+    }
 
-    emit "start_provider_$table() {";
     push_indent;
     emit $test;
     push_indent;
 
-    emit "qt ip -$family route flush table $number";
-    emit "echo \"qt \$IP -$family route flush table $number\" > \${VARDIR}/undo_${table}_routing";
+
+    if ( $number ) {
+	emit "qt ip -$family route flush table $number";
+	emit "echo \"qt \$IP -$family route flush table $number\" > \${VARDIR}/undo_${table}_routing";
+    } else {
+	emit( "> \${VARDIR}/undo_${table}_routing" );
+    }
 }
 
 #
 # Process a record in the providers file
 #
-sub process_a_provider() {
+sub process_a_provider( $ ) {
+    my $pseudo = $_[0]; # When true, this is an optional interface that we are treating somewhat like a provider.
 
     my ($table, $number, $mark, $duplicate, $interface, $gateway,  $options, $copy ) =
 	split_line 'providers file', { table => 0, number => 1, mark => 2, duplicate => 3, interface => 4, gateway => 5, options => 6, copy => 7 };
@@ -358,17 +374,20 @@ sub process_a_provider() {
     fatal_error "Duplicate provider ($table)" if $providers{$table};
 
     fatal_error 'NAME must be specified' if $table eq '-';
-    fatal_error "Invalid Provider Name ($table)" unless $table =~ /^[\w]+$/;
 
-    my $num = numeric_value $number;
+    unless ( $pseudo ) {
+	fatal_error "Invalid Provider Name ($table)" unless $table =~ /^[\w]+$/;
 
-    fatal_error 'NUMBER must be specified' if $number eq '-';
-    fatal_error "Invalid Provider number ($number)" unless defined $num;
+	my $num = numeric_value $number;
 
-    $number = $num;
+	fatal_error 'NUMBER must be specified' if $number eq '-';
+	fatal_error "Invalid Provider number ($number)" unless defined $num;
 
-    for my $providerref ( values %providers  ) {
-	fatal_error "Duplicate provider number ($number)" if $providerref->{number} == $number;
+	$number = $num;
+
+	for my $providerref ( values %providers  ) {
+	    fatal_error "Duplicate provider number ($number)" if $providerref->{number} == $number;
+	}
     }
 
     fatal_error 'INTERFACE must be specified' if $interface eq '-';
@@ -389,6 +408,11 @@ sub process_a_provider() {
     my $physical    = get_physical $interface;
     my $gatewaycase = '';
 
+    if ( $physical =~ /\+$/ ) {
+	return 0 if $pseudo;
+	fatal_error "Wildcard interfaces ($physical) may not be used as provider interfaces";
+    }
+
     if ( $gateway eq 'detect' ) {
 	fatal_error "Configuring multiple providers through one interface requires an explicit gateway" if $shared;
 	$gateway = get_interface_gateway $interface;
@@ -402,8 +426,15 @@ sub process_a_provider() {
 	$gateway = '';
     }
 
-    my ( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $tproxy , $local, $load ) =
-	(0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), ''  , 0       , 0,      0 );
+    my ( $loose, $track, $balance, $default, $default_balance, $optional, $mtu, $tproxy, $local, $load, $what );
+
+    if ( $pseudo ) {	
+	( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $tproxy , $local, $load, $what ) =
+	( 0,      0                       , 0 ,        0,        0,                               1                                  , ''  , 0       , 0,      0,     'interface');
+    } else {
+	( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $tproxy , $local, $load, $what )=
+	( 0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), ''  , 0       , 0,      0,     'provider');
+    }
 
     unless ( $options eq '-' ) {
 	for my $option ( split_list $options, 'option' ) {
@@ -513,7 +544,7 @@ sub process_a_provider() {
 
     }
 
-    unless ( $loose ) {
+    unless ( $loose || $pseudo ) {
 	warning_message q(The 'proxyarp' option is dangerous when specified on a Provider interface) if get_interface_option( $interface, 'proxyarp' );
 	warning_message q(The 'proxyndp' option is dangerous when specified on a Provider interface) if get_interface_option( $interface, 'proxyndp' );
     }
@@ -551,10 +582,14 @@ sub process_a_provider() {
 			   local       => $local ,
 			   tproxy      => $tproxy ,
 			   load        => $load ,
+			   pseudo      => $pseudo ,
+			   what        => $what ,
 			   rules       => [] ,
 			   routes      => [] ,
 			 };
 
+    $provider_interfaces{$interface} = $table unless $shared;
+
     if ( $track ) {
 	fatal_error "The 'track' option requires a numeric value in the MARK column" if $mark eq '-';
 
@@ -573,7 +608,22 @@ sub process_a_provider() {
 
     push @providers, $table;
 
-    progress_message "   Provider \"$currentline\" $done";
+    progress_message "   Provider \"$currentline\" $done" unless $pseudo;
+
+    return 1;
+}
+
+#
+# Emit a 'started' message
+#
+sub emit_started_message( $$$$$ ) {
+    my ( $spaces, $level, $pseudo, $name, $number ) = @_;
+
+    if ( $pseudo ) {
+	emit qq(${spaces}progress_message${level} "   Optional interface $name Started");
+    } else {
+	emit qq(${spaces}progress_message${level} "   Provider $name ($number) Started");
+    }
 }
 
 #
@@ -604,6 +654,9 @@ sub add_a_provider( $$ ) {
     my $local       = $providerref->{local};
     my $tproxy      = $providerref->{tproxy};
     my $load        = $providerref->{load};
+    my $pseudo      = $providerref->{pseudo};
+    my $what        = $providerref->{what};
+    my $label       = $pseudo ? 'Optional Interface' : 'Provider';
 
     my $dev         = chain_base $physical;
     my $base        = uc $dev;
@@ -612,14 +665,16 @@ sub add_a_provider( $$ ) {
     if ( $shared ) {
 	my $variable = $providers{$table}{mac} = get_interface_mac( $gateway, $interface , $table );
 	$realm = "realm $number";
-	start_provider( $table, $number, qq(if interface_is_usable $physical && [ -n "$variable" ]; then) );
+	start_provider( $label , $table, $number, qq(if interface_is_usable $physical && [ -n "$variable" ]; then) );
+    } elsif ( $pseudo ) {
+	start_provider( $label , $table, $number, qq(if [ -n "\$SW_${base}_IS_USABLE" ]; then) );
     } else {
 	if ( $optional ) {
-	    start_provider( $table, $number, qq(if [ -n "\$SW_${base}_IS_USABLE" ]; then) );
+	    start_provider( $label, $table , $number, qq(if [ -n "\$SW_${base}_IS_USABLE" ]; then) );
 	} elsif ( $gatewaycase eq 'detect' ) {
-	    start_provider( $table, $number, qq(if interface_is_usable $physical && [ -n "$gateway" ]; then) );
+	    start_provider( $label, $table, $number, qq(if interface_is_usable $physical && [ -n "$gateway" ]; then) );
 	} else {
-	    start_provider( $table, $number, "if interface_is_usable $physical; then" );
+	    start_provider( $label, $table, $number, "if interface_is_usable $physical; then" );
 	}
 	$provider_interfaces{$interface} = $table;
 
@@ -737,7 +792,7 @@ CEOF
 	    emit  "qt \$IP -$family rule del from $address" if $config{DELETE_THEN_ADD};
 	    emit( "run_ip rule add from $address pref 20000 table $number" ,
 		  "echo \"qt \$IP -$family rule del from $address\" >> \${VARDIR}/undo_${table}_routing" );
-	} else {
+	} elsif ( ! $pseudo ) {
 	    emit  ( "find_interface_addresses $physical | while read address; do" );
 	    emit  ( "    qt \$IP -$family rule del from \$address" ) if $config{DELETE_THEN_ADD};
 	    emit  ( "    run_ip rule add from \$address pref 20000 table $number",
@@ -800,15 +855,17 @@ CEOF
 	    emit( "setup_${dev}_tc" ) if $tcdevices->{$interface};
 	}
 
-	emit ( qq(progress_message2 "   Provider $table ($number) Started") );
+	emit_started_message( '', 2, $pseudo, $table, $number );
 
 	pop_indent;
 
-	emit( 'else' );
-	emit( qq(    echo $weight > \${VARDIR}/${physical}_weight) ,
-	      qq(    progress_message "   Provider $table ($number) Started"),
-	      qq(fi\n)
-	    );
+	unless ( $pseudo ) {
+	    emit( 'else' );
+	    emit( qq(    echo $weight > \${VARDIR}/${physical}_weight) );
+	    emit_started_message( '    ', '', $pseudo, $table, $number );
+	}
+
+	emit "fi\n";
     } else {
 	emit( qq(echo 0 > \${VARDIR}/${physical}.status) );
 	emit( qq(progress_message "Provider $table ($number) Started") );
@@ -825,6 +882,8 @@ CEOF
     if ( $optional ) {
 	if ( $shared ) {
 	    emit ( "error_message \"WARNING: Gateway $gateway is not reachable -- Provider $table ($number) not Started\"" );
+	} elsif ( $pseudo ) {
+	    emit ( "error_message \"WARNING: Optional Interface $physical is not usable -- $table not Started\"" );
 	} else {
 	    emit ( "error_message \"WARNING: Interface $physical is not usable -- Provider $table ($number) not Started\"" );
 	}
@@ -842,14 +901,14 @@ CEOF
 
     pop_indent;
 
-    emit '}'; # End of start_provider_$table();
+    emit "} # End of start_${what}_${table}();";
 
     if ( $optional ) {
 	emit( '',
 	      '#',
-	      "# Stop provider $table",
+	      "# Stop $what $table",
 	      '#',
-	      "stop_provider_$table() {" );
+	      "stop_${what}_${table}() {" );
 
 	push_indent;
 
@@ -877,8 +936,13 @@ CEOF
 	    emit( qq(delete_gateway "$via" $tbl $physical) );
 	}
 
-	emit (". $undo",
-	      "> $undo" );
+	emit (". $undo" );
+
+	if ( $pseudo ) {
+	    emit( "rm -f $undo" );
+	} else {
+	    emit( "> $undo" );
+	}
 
 	emit ( '',
 	       "distribute_load $maxload @load_interfaces" ) if $load;
@@ -889,8 +953,13 @@ CEOF
 		  "qt \$TC qdisc del dev $physical ingress\n" ) if $tcdevices->{$interface};
 	}
 
-	emit( "echo 1 > \${VARDIR}/${physical}.status",
-	      "progress_message2 \"   Provider $table ($number) stopped\"" );
+	emit( "echo 1 > \${VARDIR}/${physical}.status" );
+
+	if ( $pseudo ) {
+	    emit( "progress_message2 \"   Optional Interface $table stopped\"" );
+	} else {
+	    emit( "progress_message2 \"   Provider $table ($number) stopped\"" );
+	}
 
 	pop_indent;
 
@@ -938,7 +1007,7 @@ sub add_an_rtrule( ) {
     if ( $dest eq '-' ) {
 	$dest = 'to ' . ALLIP;
     } else {
-	validate_net( $dest, 0 );
+	$dest = validate_net( $dest, 0 );
 	$dest = "to $dest";
     }
 
@@ -950,22 +1019,22 @@ sub add_an_rtrule( ) {
 	if ( $source =~ /:/ ) {
 	    ( my $interface, $source , my $remainder ) = split( /:/, $source, 3 );
 	    fatal_error "Invalid SOURCE" if defined $remainder;
-	    validate_net ( $source, 0 );
+	    $source = validate_net ( $source, 0 );
 	    $interface = physical_name $interface;
 	    $source = "iif $interface from $source";
 	} elsif ( $source =~ /\..*\..*/ ) {
-	    validate_net ( $source, 0 );
+	    $source = validate_net ( $source, 0 );
 	    $source = "from $source";
 	} else {
 	    $source = 'iif ' . physical_name $source;
 	}
-    } elsif ( $source =~  /^(.+?):<(.+)>\s*$/ ||  $source =~  /^(.+?):\[(.+)\]\s*$/ ) {
+    } elsif ( $source =~  /^(.+?):<(.+)>\s*$/ ||  $source =~  /^(.+?):\[(.+)\]\s*$/ || $source =~ /^(.+?):(\[.+?\](?:\/\d+))$/ ) {
 	my ($interface, $source ) = ($1, $2);
-	validate_net ($source, 0);
+	$source = validate_net ($source, 0);
 	$interface = physical_name $interface;
 	$source = "iif $interface from $source";
     } elsif (  $source =~ /:.*:/ || $source =~ /\..*\..*/ ) {
-	validate_net ( $source, 0 );
+	$source = validate_net ( $source, 0 );
 	$source = "from $source";
     } else {
 	$source = 'iif ' . physical_name $source;
@@ -1020,7 +1089,7 @@ sub add_a_route( ) {
     }
 
     fatal_error 'DEST must be specified' if $dest eq '-';
-    validate_net ( $dest, 1 );
+    $dest = validate_net ( $dest, 1 );
 
     validate_address ( $gateway, 1 ) if $gateway ne '-';
 
@@ -1199,12 +1268,23 @@ sub process_providers( $ ) {
     my $tcdevices = shift;
 
     our $providers = 0;
+    our $pseudoproviders = 0;
 
     $lastmark = 0;
 
     if ( my $fn = open_file 'providers' ) {
 	first_entry "$doing $fn...";
-	process_a_provider, $providers++ while read_a_line( NORMAL_READ );
+	$providers += process_a_provider(0) while read_a_line( NORMAL_READ );
+    }
+    #
+    # Treat optional interfaces as pseudo-providers
+    #
+    for ( grep interface_is_optional( $_ ) && ! $provider_interfaces{ $_ }, all_real_interfaces ) {
+	#
+	#               TABLE NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
+	$currentline = "$_    0      -    -         $_        -       -       -";
+	#
+	$pseudoproviders += process_a_provider(1);
     }
 
     if ( $providers ) {
@@ -1227,17 +1307,19 @@ sub process_providers( $ ) {
 
 	    add_an_rtrule while read_a_line( NORMAL_READ );
 	}
+    }
 
-	$fn = open_file 'routes';
+    if ( $providers || $pseudoproviders ) {
+	my $fn = open_file 'routes';
 
 	if ( $fn ) {
 	    first_entry "$doing $fn...";
 	    emit '';
 	    add_a_route while read_a_line( NORMAL_READ );
 	}
-    }
 
-    add_a_provider( $providers{$_}, $tcdevices ) for @providers;
+	add_a_provider( $providers{$_}, $tcdevices ) for @providers;
+    }
 
     emit << 'EOF';;
 
@@ -1258,14 +1340,20 @@ EOF
 
 	if ( $providerref->{optional} ) {
 	    if ( $providerref->{shared} || $providerref->{physical} eq $provider) {
-		emit "$provider})";
+		emit "$provider)";
 	    } else {
 		emit( "$providerref->{physical}|$provider)" );
 	    }
 
-	    emit ( "    if [ -z \"`\$IP -$family route ls table $providerref->{number}`\" ]; then",
-		   "        start_provider_$provider",
-		   '    else',
+	    if ( $providerref->{pseudo} ) {
+		emit ( "    if [ ! -f \${VARDIR}/$product/undo_${provider}_routing ]; then",
+		       "        start_interface_$provider" );
+	    } else {
+		emit ( "    if [ -z \"`\$IP -$family route ls table $providerref->{number}`\" ]; then",
+		       "        start_provider_$provider" );
+	    }
+
+	    emit ( '    else',
 		   "        startup_error \"Interface $providerref->{physical} is already enabled\"",
 		   '    fi',
 		   '    ;;'
@@ -1278,7 +1366,7 @@ EOF
 
     emit << 'EOF';;
         *)
-            startup_error "$g_interface is not an optional provider or provider interface"
+            startup_error "$g_interface is not an optional provider or interface"
             ;;
     esac
 
@@ -1299,14 +1387,26 @@ EOF
     for my $provider (@providers ) {
 	my $providerref = $providers{$provider};
 
-	emit( "$providerref->{physical}|$provider)",
-	      "    if [ -n \"`\$IP -$family route ls table $providerref->{number}`\" ]; then",
-	      "        stop_provider_$provider",
-	      '    else',
-	      "        startup_error \"Interface $providerref->{physical} is already disabled\"",
-	      '    fi',
-	      '    ;;'
-	    ) if $providerref->{optional};
+	if ( $providerref->{optional} ) {
+	    if ( $provider eq $providerref->{physical} ) {
+		emit( "$provider)" );
+	    } else {
+		emit( "$providerref->{physical}|$provider)" );
+	    }
+
+	    if ( $providerref->{pseudo} ) {
+		emit( "    if [ -f \${VARDIR}/$product/undo_${provider}_routing ]; then" );
+	    } else {
+		emit( "    if [ -n \"`\$IP -$family route ls table $providerref->{number}`\" ]; then" );
+	    }
+
+	    emit( "        stop_$providerref->{what}_$provider",
+		  '    else',
+		  "        startup_error \"Interface $providerref->{physical} is already disabled\"",
+		  '    fi',
+		  '    ;;'
+		);
+	}
     }
 
     pop_indent;
@@ -1338,7 +1438,7 @@ sub setup_providers() {
 
 	emit '';
 
-	emit "start_provider_$_" for @providers;
+	emit "start_$providers{$_}->{what}_$_" for @providers;
 
 	emit '';
 
@@ -1852,7 +1952,7 @@ sub handle_stickiness( $ ) {
 
 sub setup_load_distribution() {
     emit ( '',
-	   "        distribute_load $maxload @load_interfaces" ,
+	   "distribute_load $maxload @load_interfaces" ,
 	   ''
 	 ) if @load_interfaces;
 }

Shorewall/Perl/Shorewall/Raw.pm

@@ -36,14 +36,23 @@ our @EXPORT = qw( setup_conntrack );
 our @EXPORT_OK = qw( handle_helper_rule );
 our $VERSION = 'MODULEVERSION';
 
-my %valid_ctevent = ( new => 1, related => 1, destroy => 1, reply => 1, assured => 1, protoinfo => 1, helper => 1, mark => 1, natseqinfo => 1, secmark => 1 );
+our %valid_ctevent = ( new        => 1,
+		       related    => 1,
+		       destroy    => 1,
+		       reply      => 1,
+		       assured    => 1,
+		       protoinfo  => 1,
+		       helper     => 1,
+		       mark       => 1,
+		       natseqinfo => 1,
+		       secmark    => 1 );
 
 #
 # Notrack
 #
-sub process_conntrack_rule( $$$$$$$$$ ) {
+sub process_conntrack_rule( $$$$$$$$$$ ) {
 
-    my ($chainref, $zoneref, $action, $source, $dest, $proto, $ports, $sports, $user ) = @_;
+    my ($chainref, $zoneref, $action, $source, $dest, $proto, $ports, $sports, $user, $switch ) = @_;
 
     require_capability 'RAW_TABLE', 'conntrack rules', '';
 
@@ -54,7 +63,9 @@ sub process_conntrack_rule( $$$$$$$$$ ) {
     my $zone;
     my $restriction = PREROUTE_RESTRICT;
 
-    unless ( $chainref ) {
+    if ( $chainref ) {
+	$restriction = OUTPUT_RESTRICT if $chainref->{name} eq 'OUTPUT';
+    } else {
 	#
 	# Entry in the conntrack file
 	#
@@ -66,13 +77,13 @@ sub process_conntrack_rule( $$$$$$$$$ ) {
 	}
 
 	$chainref = ensure_raw_chain( notrack_chain $zone );
-	$restriction = OUTPUT_RESTRICT if $zoneref->{type} == FIREWALL || $zoneref->{type} == VSERVER;
+	$restriction = OUTPUT_RESTRICT if $zoneref->{type}  & (FIREWALL | VSERVER );
 	fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-' && $restriction != OUTPUT_RESTRICT;
     }
 
     my $target = $action;
     my $exception_rule = '';
-    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user );
+    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_condition( $switch , $chainref->{name} );
 
     if ( $action eq 'NOTRACK' ) {
 	#
@@ -80,7 +91,7 @@ sub process_conntrack_rule( $$$$$$$$$ ) {
 	# Netfilter development list
 	#
 	$action = 'CT --notrack' if have_capability 'CT_TARGET';
-    } else {
+    } elsif ( $action ne 'DROP' ) {
 	(  $target, my ( $option, $args, $junk ) ) = split ':', $action, 4;
 
 	fatal_error "Invalid notrack ACTION ( $action )" if $junk || $target ne 'CT';
@@ -160,7 +171,9 @@ sub handle_helper_rule( $$$$$$$$$$$ ) {
 				$proto ,
 				$ports ,
 				$sports ,
-				$user );
+				$user,
+				'-',
+			      );
     } else {
 	assert( $action_target );
 	#
@@ -200,21 +213,20 @@ sub handle_helper_rule( $$$$$$$$$$$ ) {
 sub process_format( $ ) {
     my $format = shift;
 
-    fatal_error q(FORMAT must be '1' or '2') unless $format =~ /^[12]$/;
+    fatal_error q(FORMAT must be '1', '2' or '3') unless $format =~ /^[123]$/;
+    format_warning;
 
-    $format;
+    $file_format = $format;
 }
 
 sub setup_conntrack() {
 
     for my $name ( qw/notrack conntrack/ ) {
 
-	my $fn = open_file( $name );
+	my $fn = open_file( $name, 3 , 1 );
 
 	if ( $fn ) {
 
-	    my $format = 1;
-
 	    my $action = 'NOTRACK';
 
 	    my $empty = 1;
@@ -222,20 +234,20 @@ sub setup_conntrack() {
 	    first_entry( "$doing $fn..." );
 
 	    while ( read_a_line( NORMAL_READ ) ) {
-		my ( $source, $dest, $proto, $ports, $sports, $user );
+		my ( $source, $dest, $proto, $ports, $sports, $user, $switch );
 
-		if ( $format == 1 ) {
-		    ( $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Conntrack File', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5 };
+		if ( $file_format == 1 ) {
+		    ( $source, $dest, $proto, $ports, $sports, $user, $switch ) = split_line1 'Conntrack File', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5, switch => 6 };
 
 		    if ( $source eq 'FORMAT' ) {
-			$format = process_format( $dest );
+			process_format( $dest );
 			next;
 		    }
 		} else {
-		    ( $action, $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Conntrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6 }, { COMMENT => 0, FORMAT => 2 };
+		    ( $action, $source, $dest, $proto, $ports, $sports, $user, $switch ) = split_line1 'Conntrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, switch => 7 }, { COMMENT => 0, FORMAT => 2 };
 
 		    if ( $action eq 'FORMAT' ) {
-			$format = process_format( $source );
+			process_format( $source );
 			$action = 'NOTRACK';
 			next;
 		    }
@@ -248,13 +260,33 @@ sub setup_conntrack() {
 
 		$empty = 0;
 
-		if ( $source eq 'all' ) {
-		    for my $zone (all_zones) {
-			process_conntrack_rule( undef, undef, $action, $zone, $dest, $proto, $ports, $sports, $user );
+		if ( $file_format < 3 ) {
+		    if ( $source =~ /^all(-)?(:(.+))?$/ ) {
+			fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-';
+			for my $zone ( $1 ? off_firewall_zones : all_zones ) {
+			    process_conntrack_rule( undef ,
+						    undef,
+						    $action,
+						    $zone . ( $2 || ''),
+						    $dest,
+						    $proto,
+						    $ports,
+						    $sports,
+						    $user ,
+						    $switch );
+			}
+		    } else {
+			process_conntrack_rule( undef, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
 		    }
+		} elsif ( $action =~ s/:O$// ) {
+		    process_conntrack_rule( $raw_table->{OUTPUT}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
+		} elsif ( $action =~ s/:OP// || $action =~ s/:PO// ) {
+		    process_conntrack_rule( $raw_table->{PREROUTING}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
+		    process_conntrack_rule( $raw_table->{OUTPUT},     undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
 		} else {
-		    process_conntrack_rule( undef, undef, $action, $source, $dest, $proto, $ports, $sports, $user );
-		}
+		    $action =~ s/:P//;
+		    process_conntrack_rule( $raw_table->{PREROUTING}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
+		}		    
 	    }
 
 	    clear_comment;

Shorewall/Perl/Shorewall/Tc.pm

@@ -86,7 +86,7 @@ use constant { NOMARK    => 0 ,
 	       HIGHMARK  => 2
 	       };
 
-my  %flow_keys = ( 'src'            => 1,
+our %flow_keys = ( 'src'            => 1,
 		   'dst'            => 1,
 		   'proto'          => 1,
 		   'proto-src'      => 1,
@@ -104,15 +104,15 @@ my  %flow_keys = ( 'src'            => 1,
 		   'sk-gid'         => 1,
 		   'vlan-tag'       => 1 );
 
-my %designator = ( F => 'tcfor' ,
-		   T => 'tcpost' );
+our %designator = ( F => 'tcfor' ,
+		    T => 'tcpost' );
 
-my  %tosoptions = ( 'tos-minimize-delay'       => '0x10/0x10' ,
+our %tosoptions = ( 'tos-minimize-delay'       => '0x10/0x10' ,
 		    'tos-maximize-throughput'  => '0x08/0x08' ,
 		    'tos-maximize-reliability' => '0x04/0x04' ,
 		    'tos-minimize-cost'        => '0x02/0x02' ,
 		    'tos-normal-service'       => '0x00/0x1e' );
-my  %classids;
+our %classids;
 
 #
 # Perl version of Arn Bernin's 'tc4shorewall'.
@@ -133,12 +133,12 @@ my  %classids;
 #                              name          => <interface>
 #                                               }
 #
-my  @tcdevices;
-my  %tcdevices;
-my  @devnums;
-my  $devnum;
-my  $sticky;
-my  $ipp2p;
+our @tcdevices;
+our %tcdevices;
+our @devnums;
+our $devnum;
+our $sticky;
+our $ipp2p;
 
 #
 # TCClasses Table
@@ -159,10 +159,10 @@ my  $ipp2p;
 #                                                }
 #                                     }
 #             }
-my  @tcclasses;
-my  %tcclasses;
+our @tcclasses;
+our %tcclasses;
 
-my  %restrictions = ( tcpre      => PREROUTE_RESTRICT ,
+our %restrictions = ( tcpre      => PREROUTE_RESTRICT ,
 		      PREROUTING => PREROUTE_RESTRICT ,
 		      tcpost     => POSTROUTE_RESTRICT ,
 		      tcfor      => NO_RESTRICT ,
@@ -170,10 +170,16 @@ my  %restrictions = ( tcpre      => PREROUTE_RESTRICT ,
 		      tcout      => OUTPUT_RESTRICT ,
 		    );
 
-my $family;
+our $family;
 
-my $divertref; # DIVERT chain
+our $divertref; # DIVERT chain
 
+our %validstates = ( NEW                => 0,
+		     RELATED            => 0,
+		     ESTABLISHED        => 0,
+		     UNTRACKED          => 0,
+		     INVALID            => 0,
+		   );
 #
 # Rather than initializing globals in an INIT block or during declaration,
 # we initialize them in a function. This is done for two reasons:
@@ -199,19 +205,17 @@ sub initialize( $ ) {
 }
 
 sub process_tc_rule( ) {
-    my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp );
+    my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state );
     if ( $family == F_IPV4 ) {
-	( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp ) =
-	    split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, probability => 12 , dscp => 13 }, { COMMENT => 0, FORMAT => 2 } , 14;
+	( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state ) =
+	    split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, probability => 12 , dscp => 13, state => 14 }, { COMMENT => 0, FORMAT => 2 } , 15;
 	$headers = '-';
     } else {
-	( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp ) =
-	    split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 , dscp => 14 },  { COMMENT => 0, FORMAT => 2 }, 15;
+	( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state ) =
+	    split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 , dscp => 14 , state => 15 },  { COMMENT => 0, FORMAT => 2 }, 16;
     }
 
-    our @tccmd;
-
-    our $format;
+    our %tccmd;
 
     fatal_error 'MARK must be specified' if $originalmark eq '-';
 
@@ -221,8 +225,9 @@ sub process_tc_rule( ) {
     }
 
     if ( $originalmark eq 'FORMAT' ) {
+	format_warning;
 	if ( $source =~ /^([12])$/ ) {
-	    $format = $1;
+	    $file_format = $1;
 	    return;
 	}
 
@@ -259,6 +264,8 @@ sub process_tc_rule( ) {
     my $cmd;
     my $rest;
     my $matches = '';
+    my $mark1;
+    my $exceptionrule = '';
 
     my %processtcc = ( sticky => sub() {
 			                  if ( $chain eq 'tcout' ) {
@@ -312,7 +319,7 @@ sub process_tc_rule( ) {
 					  $target = "IPMARK --addr $srcdst --and-mask $mask1 --or-mask $mask2 --shift $shift";
 				      },
 		       DIVERT => sub() {
-			                  fatal_error "Invalid MARK ($originalmark)"               unless $format == 2;
+			                  fatal_error "Invalid MARK ($originalmark)"               unless $file_format == 2;
 			                  fatal_error "Invalid DIVERT specification( $cmd/$rest )" if $rest;
 
 					  $chain = 'PREROUTING';
@@ -341,7 +348,7 @@ sub process_tc_rule( ) {
 					  my $params = $1;
 					  my ( $port, $ip, $bad );
 
-					  if ( $format == 1 ) {
+					  if ( $file_format == 1 ) {
 					      fatal_error "Invalid TPROXY specification( $cmd )" unless defined $params;
 
 					      ( $mark, $port, $ip, $bad ) = split_list $params, 'Parameter';
@@ -372,7 +379,11 @@ sub process_tc_rule( ) {
 
 					  if ( supplied $ip ) {
 					      if ( $family == F_IPV6 ) {
-						  $ip = $1 if $ip =~ /^\[(.+)\]$/ || $ip =~ /^<(.+)>$/;
+						  if ( $ip =~ /^\[(.+)\]$/ || $ip =~ /^<(.+)>$/ ) {
+						      $ip = $1;
+						  } elsif ( $ip =~ /^\[(.+)\]\/(\d+)$/ ) {
+						      $ip = join( $1, $2 );
+						  }
 					      }
 
 					      validate_address $ip, 1;
@@ -380,19 +391,27 @@ sub process_tc_rule( ) {
 					  }
 
 					  $target .= ' --tproxy-mark';
+
+					  $exceptionrule = '-p tcp ';
 				      },
 		       TTL => sub() {
 			                  fatal_error "TTL is not supported in IPv6 - use HL instead" if $family == F_IPV6;
 					  fatal_error "Invalid TTL specification( $cmd/$rest )" if $rest;
-					  fatal_error "Chain designator $designator not allowed with TTL" if $designator && ! ( $designator eq 'F' );
-
 					  $chain = 'tcfor';
 
-					  $cmd =~ /^TTL\(([-+]?\d+)\)$/;
+					  if ( $designator ) {
+					      if ( $designator eq 'P' ) {
+						  $chain = 'tcpre';
+					      } else {
+						  fatal_error "Chain designator $designator not allowed with TTL" if $designator ne 'F';
+					      }
+					  }
+
+					  $cmd =~ /^TTL\(([-+]?(\d+))\)$/;
 
 					  my $param =  $1;
 
-					  fatal_error "Invalid TTL specification( $cmd )" unless $param && ( $param = abs $param ) < 256;
+					  fatal_error "Invalid TTL specification( $cmd )" unless supplied( $1 ) && ( $1 eq $2 || $2 != 0 ) && ( $param = abs $param ) < 256;
 
 					  if ( $1 =~ /^\+/ ) {
 					      $target .= " --ttl-inc $param";
@@ -405,15 +424,22 @@ sub process_tc_rule( ) {
 		       HL => sub() {
 			                  fatal_error "HL is not supported in IPv4 - use TTL instead" if $family == F_IPV4;
 					  fatal_error "Invalid HL specification( $cmd/$rest )" if $rest;
-					  fatal_error "Chain designator $designator not allowed with HL" if $designator && ! ( $designator eq 'F' );
-
 					  $chain = 'tcfor';
 
-					  $cmd =~ /^HL\(([-+]?\d+)\)$/;
+
+					  if ( $designator ) {
+					      if ( $designator eq 'P' ) {
+						  $chain = 'tcpre';
+					      } else {
+						  fatal_error "Chain designator $designator not allowed with HL" if $designator ne 'F';
+					      }
+					  }
+
+					  $cmd =~ /^HL\(([-+]?(\d+))\)$/;
 
 					  my $param =  $1;
 
-					  fatal_error "Invalid HL specification( $cmd )" unless $param && ( $param = abs $param ) < 256;
+					  fatal_error "Invalid HL specification( $cmd )" unless supplied( $1 ) && ( $1 eq $2 || $2 != 0 ) && ( $param = abs $param ) < 256;
 
 					  if ( $1 =~ /^\+/ ) {
 					      $target .= " --hl-inc $param";
@@ -440,6 +466,10 @@ sub process_tc_rule( ) {
 			                  assert( $cmd =~ /^TOS\((.+)\)$/ );
 					  $target .= decode_tos( $1 , 2 );
 				      },
+		       CHECKSUM => sub()
+		                        {  require_capability 'CHECKSUM_TARGET', 'The CHECKSUM action', 's';
+					   $target .= ' --checksum-fill';
+				       },
 		     );
 
     if ( $source ) {
@@ -480,13 +510,13 @@ sub process_tc_rule( ) {
 
 	    $chain    = $tcsref->{chain}                       if $tcsref->{chain};
 	    $target   = $tcsref->{target}                      if $tcsref->{target};
-	    $mark     = "$mark/" . in_hex( $globals{TC_MASK} ) if $connmark = $tcsref->{connmark};
+	    $mark     = "$mark/" . in_hex( $globals{TC_MASK} ) if $connmark = $tcsref->{connmark} && $mark !~ m'/';
 
 	    require_capability ('CONNMARK' , "CONNMARK Rules", '' ) if $connmark;
 
 	} else {
 	    unless ( $classid ) {
-		fatal_error "Invalid MARK ($originalmark)" unless $mark =~ /^([0-9a-fA-F]+)$/ and $designator =~ /^([0-9a-fA-F]+)$/;
+		fatal_error "Invalid ACTION ($originalmark)" unless $mark =~ /^([0-9a-fA-F]+)$/ and $designator =~ /^([0-9a-fA-F]+)$/;
 		fatal_error 'A CLASSIFY rule may not have $FW as the DEST' if $chain eq 'tcin';
 		$chain = 'tcpost';
 		$mark  = $originalmark;
@@ -524,10 +554,10 @@ sub process_tc_rule( ) {
     $list = '';
 
     unless ( $classid ) {
-      MARK:
 	{
-	    for my $tccmd ( @tccmd ) {
-		if ( $tccmd->{match}($cmd) ) {
+	    if ( $cmd =~ /^([[A-Z!&]+)/ ) {
+		if ( my $tccmd = $tccmd{$1} ) {
+		    fatal_error "Invalid $1 ACTION ($originalmark)" unless $tccmd->{match}($cmd); 
 		    fatal_error "$mark not valid with :C[FPT]" if $connmark;
 
 		    require_capability ('CONNMARK' , "SAVE/RESTORE Rules", '' ) if $tccmd->{connmark};
@@ -546,7 +576,7 @@ sub process_tc_rule( ) {
 		    }
 
 		    if ( $rest ) {
-			fatal_error "Invalid MARK ($originalmark)" if $marktype == NOMARK;
+			fatal_error "Invalid COMMAND ($originalmark)" if $marktype == NOMARK;
 
 			$mark = $rest if $tccmd->{mask};
 
@@ -558,20 +588,26 @@ sub process_tc_rule( ) {
 		    } elsif ( $tccmd->{mask} ) {
 			$mark = $tccmd->{mask};
 		    }
-
-		    last MARK;
+		} else {
+		    fatal_error "Invalid ACTION ($originalmark)";
 		}
-	    }
+	    } elsif ( $mark =~ /-/ ) {
+		( $mark, $mark1 ) = split /-/, $mark, 2;
+		validate_mark $mark;
+		fatal_error "Invalid mark range ($mark-$mark1)" if $mark =~ m'/';
+		validate_mark $mark1;
+		require_capability 'STATISTIC_MATCH', 'A mark range', 's';
+	    }  else {
+		validate_mark $mark;
 
-	    validate_mark $mark;
-
-	    if ( $config{PROVIDER_OFFSET} ) {
-		my $val = numeric_value( $cmd );
-		fatal_error "Invalid MARK/CLASSIFY ($cmd)" unless defined $val;
-		my $limit = $globals{TC_MASK};
-		unless ( have_capability 'FWMARK_RT_MASK' ) {
-		    fatal_error "Marks <= $limit may not be set in the PREROUTING or OUTPUT chains when HIGH_ROUTE_MARKS=Yes"
-			if $cmd && ( $chain eq 'tcpre' || $chain eq 'tcout' ) && $val <= $limit;
+		if ( $config{PROVIDER_OFFSET} ) {
+		    my $val = numeric_value( $cmd );
+		    fatal_error "Invalid MARK/CLASSIFY ($cmd)" unless defined $val;
+		    my $limit = $globals{TC_MASK};
+		    unless ( have_capability 'FWMARK_RT_MASK' ) {
+			fatal_error "Marks <= $limit may not be set in the PREROUTING or OUTPUT chains when HIGH_ROUTE_MARKS=Yes"
+			    if $cmd && ( $chain eq 'tcpre' || $chain eq 'tcout' ) && $val <= $limit;
+		    }
 		}
 	    }
 	}
@@ -579,26 +615,89 @@ sub process_tc_rule( ) {
 
     fatal_error "USER/GROUP only allowed in the OUTPUT chain" unless ( $user eq '-' || ( $chain eq 'tcout' || $chain eq 'tcpost' ) );
 
-    if ( ( my $result = expand_rule( ensure_chain( 'mangle' , $chain ) ,
-				     $restrictions{$chain} | $restriction,
-				     do_proto( $proto, $ports, $sports) . $matches .
-				     do_user( $user ) .
-				     do_test( $testval, $globals{TC_MASK} ) .
-				     do_length( $length ) .
-				     do_tos( $tos ) .
-				     do_connbytes( $connbytes ) .
-				     do_helper( $helper ) .
-				     do_headers( $headers ) .
-				     do_probability( $probability ) .
-				     do_dscp( $dscp ) ,
-				     $source ,
-				     $dest ,
-				     '' ,
-				     $mark ? "$target $mark" : $target,
-				     '' ,
-				     $target ,
-				     '' ) )
-	  && $device ) {
+    if ( $state ne '-' ) {
+	my @state = split_list( $state, 'state' );
+	my %state = %validstates;
+
+	for ( @state ) {
+	    fatal_error "Invalid STATE ($_)"   unless exists $state{$_};
+	    fatal_error "Duplicate STATE ($_)" if $state{$_};
+	}
+    } else {
+	$state = 'ALL';
+    }
+
+    if ( $mark1 ) {
+	#
+	# A Mark Range
+	#
+	my $chainref = ensure_chain( 'mangle', $chain );
+
+	( $mark1, my $mask ) = split( '/', $mark1 );
+
+	my ( $markval, $mark1val ) = ( numeric_value $mark, numeric_value $mark1 );
+
+	fatal_error "Invalid mark range ($mark-$mark1)" unless $markval < $mark1val;
+
+	$mask = $globals{TC_MASK} unless supplied $mask;
+
+	$mask = numeric_value $mask;
+
+	my $increment = 1;
+	my $shift     = 0;
+
+	$increment <<= 1, $shift++ until $increment & $mask;
+
+	$mask = in_hex $mask;
+
+	my $marks = ( ( $mark1val - $markval ) >> $shift ) + 1;
+
+	for ( my $packet = 0; $packet < $marks; $packet++, $markval += $increment ) {
+	    my $match = "-m statistic --mode nth --every $marks --packet $packet ";
+
+	    expand_rule( $chainref,
+			 $restrictions{$chain} | $restriction,
+			 $match .
+			 do_user( $user ) .
+			 do_test( $testval, $globals{TC_MASK} ) .
+			 do_test( $testval, $globals{TC_MASK} ) .
+			 do_length( $length ) .
+			 do_tos( $tos ) .
+			 do_connbytes( $connbytes ) .
+			 do_helper( $helper ) .
+			 do_headers( $headers ) .
+			 do_probability( $probability ) .
+			 do_dscp( $dscp ) .
+			 state_match( $state ) ,
+			 $source ,
+			 $dest ,
+			 '' ,
+			 "$target " . join( '/', in_hex( $markval ) , $mask ) ,
+			 '',
+			 $target ,
+			 $exceptionrule );
+	}
+    } elsif ( ( my $result = expand_rule( ensure_chain( 'mangle' , $chain ) ,
+					  $restrictions{$chain} | $restriction,
+					  do_proto( $proto, $ports, $sports) . $matches .
+					  do_user( $user ) .
+					  do_test( $testval, $globals{TC_MASK} ) .
+					  do_length( $length ) .
+					  do_tos( $tos ) .
+					  do_connbytes( $connbytes ) .
+					  do_helper( $helper ) .
+					  do_headers( $headers ) .
+					  do_probability( $probability ) .
+					  do_dscp( $dscp ) .
+					  state_match( $state ) ,
+					  $source ,
+					  $dest ,
+					  '' ,
+					  $mark ? "$target $mark" : $target,
+					  '' ,
+					  $target ,
+					  $exceptionrule ) )
+	      && $device ) {
 	#
 	# expand_rule() returns destination device if any
 	#
@@ -820,8 +919,9 @@ sub process_simple_device() {
     }
 
     for ( my $i = 1; $i <= 3; $i++ ) {
+	my $prio = 16 | $i;
 	emit "run_tc qdisc add dev $physical parent $number:$i handle ${number}${i}: sfq quantum 1875 limit 127 perturb 10";
-	emit "run_tc filter add dev $physical protocol all prio 2 parent $number: handle $i fw classid $number:$i";
+	emit "run_tc filter add dev $physical protocol all prio $prio parent $number: handle $i fw classid $number:$i";
 	emit "run_tc filter add dev $physical protocol all prio 1 parent ${number}$i: handle ${number}${i} flow hash keys $type divisor 1024" if $type ne '-' && have_capability 'FLOW_FILTER';
 	emit '';
     }
@@ -969,6 +1069,7 @@ sub validate_tc_device( ) {
 			    mtu           => $mtu,
 			    mpu           => $mpu,
 			    tsize         => $tsize,
+			    filterpri     => 0,
 			  } ,
 
     push @tcdevices, $device;
@@ -1043,6 +1144,16 @@ my %validredoptions = ( min         => RED_INTEGER,
 			ecn         => RED_NONE,
 		      );
 
+sub validate_filter_priority( $$ ) {
+    my ( $priority, $kind ) = @_;
+
+    my $pri = numeric_value( $priority );
+
+    fatal_error "Invalid $kind priority ($priority)" unless defined $pri && $pri > 0 && $pri <= 65535;
+
+    $pri;
+}
+
 sub validate_tc_class( ) {
     my ( $devclass, $mark, $rate, $ceil, $prio, $options ) =
 	split_line 'tcclasses file', { interface => 0, mark => 1, rate => 2, ceil => 3, prio => 4, options => 5 };
@@ -1096,11 +1207,26 @@ sub validate_tc_class( ) {
 
     my $tcref = $tcclasses{$device};
 
-    my $markval = 0;
+    if ( $devref->{qdisc} eq 'htb' ) {
+	fatal_error "Invalid PRIO ($prio)" unless defined numeric_value $prio;
+    }
+
+    my $markval  = 0;
+    my $markprio;
 
     if ( $mark ne '-' ) {
 	fatal_error "MARK may not be specified when TC_BITS=0" unless $config{TC_BITS};
 
+	( $mark, my $priority ) = split/:/, $mark, 2;
+
+	if ( supplied $priority ) {
+	    $markprio = validate_filter_priority( $priority, 'mark' );
+	} else {
+	    fatal_error "Missing mark priority" if $prio eq '-';
+	    $markprio =  ( $prio << 8 ) | 20;
+	    progress_message2 "   Priority of the $device packet mark $mark filter is $markprio";
+	}
+
 	$markval = numeric_value( $mark );
 	fatal_error "Invalid MARK ($markval)" unless defined $markval;
 
@@ -1169,16 +1295,15 @@ sub validate_tc_class( ) {
 	warning_message "Total RATE of classes ($devref->{guarantee}kbits) exceeds OUT-BANDWIDTH (${full}kbits)" if ( $devref->{guarantee} += $rate ) > $full;
     }
 
-    fatal_error "Invalid PRIO ($prio)" unless defined numeric_value $prio;
-
     $tcref->{$classnumber} = { tos       => [] ,
 			       rate      => $rate ,
 			       umax      => $umax ,
 			       dmax      => $dmax ,
 			       ceiling   => $ceil   = ( supplied $ceil   ? convert_rate( $ceilmax, $ceil,   'CEIL'  , $ceilname ) : 0 ),
 			       lsceil    => $lsceil = ( $lsceil          ? convert_rate( $ceilmax, $lsceil, 'LSCEIL', $ceilname ) : 0 ),
-			       priority  => $prio eq '-' ? 1 : $prio ,
+			       priority  => $prio ,
 			       mark      => $markval ,
+			       markprio  => $markprio ,
 			       flow      => '' ,
 			       pfifo     => 0,
 			       occurs    => 1,
@@ -1196,25 +1321,47 @@ sub validate_tc_class( ) {
 
     unless ( $options eq '-' ) {
 	for my $option ( split_list1 "\L$options", 'option' ) {
-	    my $optval = $tosoptions{$option};
+	    my $priority;
+	    my $optval;
 
-	    $option = "tos=$optval" if $optval;
+	    ( $option, my $pri ) =  split /:/, $option, 2;
+
+	    if ( $option =~ /^tos=(.+)/ || ( $optval = $tosoptions{$option} ) ) {
+
+		if ( supplied $pri ) {
+		    $priority = validate_filter_priority( $pri, 'mark' );
+		} else {
+		    fatal_error "Missing TOS priority" if $prio eq '-';
+		    $priority = ( $prio << 8 ) | 15;
+		    progress_message2 "   Priority of the $device $option filter is $priority";
+		}
+
+		$option = "tos=$optval" if $optval;
+	    } elsif ( supplied $pri ) {
+		$option = join ':', $option, $pri;
+	    }
 
 	    if ( $option eq 'default' ) {
 		fatal_error "Only one default class may be specified for device $device" if $devref->{default};
 		fatal_error "The $option option is not valid with 'occurs" if $tcref->{occurs} > 1;
 		$devref->{default} = $classnumber;
-	    } elsif ( $option eq 'tcp-ack' ) {
+	    } elsif ( $option =~ /tcp-ack(:(\d+|0x[0-0a-fA-F]))?$/ ) {
 		fatal_error "The $option option is not valid with 'occurs" if $tcref->{occurs} > 1;
-		$tcref->{tcp_ack} = 1;
+		if ( $1 ) {
+		    $tcref->{tcp_ack} = validate_filter_priority( $2, 'tcp-ack' );
+		} else {
+		    fatal_error "Missing tcp-ack priority" if $prio eq '-';
+		    my $ackpri = $tcref->{tcp_ack} =  ( $prio << 8 ) | 10;
+		    progress_message2 "   Priority of the $device tcp-ack filter is $ackpri";
+		}
 	    } elsif ( $option =~ /^tos=0x[0-9a-f]{2}$/ ) {
 		fatal_error "The $option option is not valid with 'occurs" if $tcref->{occurs} > 1;
 		( undef, $option ) = split /=/, $option;
-		push @{$tcref->{tos}}, "$option/0xff";
+		push @{$tcref->{tos}}, "$option/0xff:$priority";
 	    } elsif ( $option =~ /^tos=0x[0-9a-f]{2}\/0x[0-9a-f]{2}$/ ) {
 		fatal_error "The $option option is not valid with 'occurs" if $tcref->{occurs} > 1;
 		( undef, $option ) = split /=/, $option;
-		push @{$tcref->{tos}}, $option;
+		push @{$tcref->{tos}}, "$option:$priority";
 	    } elsif ( $option =~ /^flow=(.*)$/ ) {
 		fatal_error "The 'flow' option is not allowed with 'pfifo'" if $tcref->{pfifo};
 		fatal_error "The 'flow' option is not allowed with 'red'"   if $tcref->{red};
@@ -1300,10 +1447,7 @@ sub validate_tc_class( ) {
     }
 
     unless ( $devref->{classify} || $occurs > 1 ) {
-	if ( $mark ne '-' ) {
-	    fatal_error "Missing MARK" if $mark eq '-';
-	    warning_message "Class NUMBER ignored -- INTERFACE $device does not have the 'classify' option"	if $devclass =~ /:/;
-	}
+	fatal_error "Missing MARK" if $mark eq '-';
     }
 
     $tcref->{flow}  = $devref->{flow}  unless $tcref->{flow};
@@ -1319,6 +1463,7 @@ sub validate_tc_class( ) {
 					       ceiling  => $tcref->{ceiling} ,
 					       priority => $tcref->{priority} ,
 					       mark     => 0 ,
+					       markprio => $markprio ,
 					       flow     => $tcref->{flow} ,
 					       pfifo    => $tcref->{pfifo},
 					       occurs   => 0,
@@ -1340,7 +1485,7 @@ my %validlengths = ( 32 => '0xffe0', 64 => '0xffc0', 128 => '0xff80', 256 => '0x
 #
 sub process_tc_filter() {
 
-    my ( $devclass, $source, $dest , $proto, $portlist , $sportlist, $tos, $length ) = split_line 'tcfilters file', { class => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, tos => 6, length => 7 };
+    my ( $devclass, $source, $dest , $proto, $portlist , $sportlist, $tos, $length, $priority ) = split_line 'tcfilters file', { class => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, tos => 6, length => 7 , priority => 8 };
 
     fatal_error 'CLASS must be specified' if $devclass eq '-';
 
@@ -1350,7 +1495,7 @@ sub process_tc_filter() {
 
     fatal_error "Invalid INTERFACE:CLASS ($devclass)" if defined $rest || ! ($device && $class );
 
-    my ( $ip, $ip32, $prio , $lo ) = $family == F_IPV4 ? ('ip', 'ip', 10, 2 ) : ('ipv6', 'ip6', 11 , 4 );
+    my ( $ip, $ip32, $lo ) = $family == F_IPV4 ? ('ip', 'ip', 2 ) : ('ipv6', 'ip6', 4 );
 
     my $devref;
 
@@ -1360,6 +1505,18 @@ sub process_tc_filter() {
 	( $device , $devref ) = dev_by_number( $device );
     }
 
+    my ( $prio, $filterpri ) = ( undef, $devref->{filterpri} );
+
+    if ( $priority eq '-' ) {
+	$prio = ++$filterpri;
+	fatal_error "Filter priority overflow" if $prio > 65535;
+    } else {
+	$prio = validate_filter_priority( $priority, 'filter' );
+	$filterpri = $prio if $prio > $filterpri;
+    }
+
+    $devref->{filterpri} = $filterpri;
+
     my $devnum = in_hexp $devref->{number};
 
     my $tcref = $tcclasses{$device};
@@ -1721,7 +1878,7 @@ sub process_tcinterfaces() {
 #
 sub process_tcpri() {
     my $fn  = find_file 'tcinterfaces';
-    my $fn1 = open_file 'tcpri';
+    my $fn1 = open_file 'tcpri', 1,1;
 
     if ( $fn1 ) {
 	first_entry
@@ -1856,7 +2013,7 @@ sub process_traffic_shaping() {
 	    handle_in_bandwidth( $device, $devref->{in_bandwidth} );
 
 	    for my $rdev ( @{$devref->{redirected}} ) {
-		my $phyrdev = get_physical( $rdev );
+		my $phyrdev = physical_name( $rdev );
 		emit ( "run_tc qdisc add dev $phyrdev handle ffff: ingress" );
 		emit( "run_tc filter add dev $phyrdev parent ffff: protocol all u32 match u32 0 0 action mirred egress redirect dev $device > /dev/null" );
 	    }
@@ -1886,7 +2043,6 @@ sub process_traffic_shaping() {
 
 		$classids{$classid}=$devname;
 
-		my $priority = $tcref->{priority} << 8;
 		my $parent   = in_hexp $tcref->{parent};
 
 		emit ( "[ \$${dev}_mtu -gt $quantum ] && quantum=\$${dev}_mtu || quantum=$quantum" );
@@ -1945,22 +2101,23 @@ sub process_traffic_shaping() {
 		# add filters
 		#
 		unless ( $mark eq '-' ) {
-		    emit "run_tc filter add dev $device protocol all parent $devicenumber:0 prio " . ( $priority | 20 ) . " handle $mark fw classid $classid" if $tcref->{occurs} == 1;
+		    emit "run_tc filter add dev $device protocol all parent $devicenumber:0 prio $tcref->{markprio} handle $mark fw classid $classid" if $tcref->{occurs} == 1;
 		}
 
 		emit "run_tc filter add dev $device protocol all prio 1 parent $sfqinhex: handle $classnum flow hash keys $tcref->{flow} divisor 1024" if $tcref->{flow};
 		#
 		# options
 		#
-		emit( "run_tc filter add dev $device parent $devicenumber:0 protocol ip prio " . ( $priority | 10 ) . ' u32' .
+		emit( "run_tc filter add dev $device parent $devicenumber:0 protocol ip prio $tcref->{tcp_ack} u32" .
 		      "\\\n    match ip protocol 6 0xff" .
 		      "\\\n    match u8 0x05 0x0f at 0" .
 		      "\\\n    match u16 0x0000 0xffc0 at 2" .
 		      "\\\n    match u8 0x10 0xff at 33 flowid $classid" ) if $tcref->{tcp_ack};
 
 		for my $tospair ( @{$tcref->{tos}} ) {
+		    ( $tospair, my $priority ) = split /:/, $tospair;
 		    my ( $tos, $mask ) = split q(/), $tospair;
-		    emit "run_tc filter add dev $device parent $devicenumber:0 protocol ip prio " . ( $priority | 10 ) . " u32 match ip tos $tos $mask flowid $classid";
+		    emit "run_tc filter add dev $device parent $devicenumber:0 protocol ip prio $priority u32 match ip tos $tos $mask flowid $classid";
 		}
 
 		save_progress_message_short qq("   TC Class $classid defined.");
@@ -2061,11 +2218,15 @@ sub process_secmark_rule() {
 		 I => 'tcin'    ,
 		 O => 'tcout'   , );
 
-    my %state = ( N =>  'NEW' ,
-		  I => 'INVALID',
-		  NI => 'NEW,INVALID',
-		  E =>  'ESTABLISHED' ,
-		  ER => 'ESTABLISHED,RELATED',
+    my %state = ( N   => 'NEW' ,
+		  I   => 'INVALID',
+		  U   => 'UNTRACKED',
+		  IU  => 'INVALID,UNTRACKED',
+		  NI  => 'NEW,INVALID',
+		  NU  => 'NEW,UNTRACKED',
+		  NIU => 'NEW,INVALID,UNTRACKED',
+		  E   => 'ESTABLISHED' ,
+		  ER  => 'ESTABLISHED,RELATED',
 		);
 
     my ( $chain , $state, $rest) = split ':', $chainin , 3;
@@ -2161,91 +2322,98 @@ sub setup_tc() {
     }
 
     if ( $config{MANGLE_ENABLED} ) {
-	our  @tccmd = ( { match     => sub ( $ ) { $_[0] eq 'SAVE' } ,
-			  target    => 'CONNMARK --save-mark --mask' ,
-			  mark      => $config{TC_EXPERT} ? HIGHMARK : SMALLMARK,
-			  mask      => in_hex( $globals{TC_MASK} ) ,
-			  connmark  => 1
-			} ,
-			{ match     => sub ( $ ) { $_[0] eq 'RESTORE' },
-			  target    => 'CONNMARK --restore-mark --mask' ,
-			  mark      => $config{TC_EXPERT} ? HIGHMARK : SMALLMARK ,
-			  mask      => in_hex( $globals{TC_MASK} ) ,
-			  connmark  => 1
-			} ,
-			{ match     => sub ( $ ) { $_[0] eq 'CONTINUE' },
-			  target    => 'RETURN' ,
-			  mark      => NOMARK ,
-			  mask      => '' ,
-			  connmark  => 0
-			} ,
-			{ match     => sub ( $ ) { $_[0] eq 'SAME' },
-			  target    => 'sticky' ,
-			  mark      => NOMARK ,
-			  mask      => '' ,
-			  connmark  => 0
-			} ,
-			{ match     => sub ( $ ) { $_[0] =~ /^IPMARK/ },
-			  target    => 'IPMARK' ,
-			  mark      => NOMARK,
-			  mask      => '',
-			  connmark  => 0
-			} ,
-			{ match     => sub ( $ ) { $_[0] =~ '\|.*'} ,
-			  target    => 'MARK --or-mark' ,
-			  mark      => HIGHMARK ,
-			  mask      => '' } ,
-			{ match     => sub ( $ ) { $_[0] =~ '&.*' },
-			  target    => 'MARK --and-mark' ,
-			  mark      => HIGHMARK ,
-			  mask      => '' ,
-			  connmark  => 0
-			} ,
-			{ match     => sub ( $ ) { $_[0] =~ /^TPROXY/ },
-			  target    => 'TPROXY',
-			  mark      => HIGHMARK,
-			  mask      => '',
-			  connmark  => '' },
-			{ match     => sub( $ ) { $_[0] =~ /^DIVERT/ },
-			  target    => 'DIVERT',
-			  mark      => HIGHMARK,
-			  mask      => '',
-			  connmark  => '' },
-			{ match     => sub( $ ) { $_[0] =~ /^TTL/ },
-			  target    => 'TTL',
-			  mark      => NOMARK,
-			  mask      => '',
-			  connmark  => 0
-			},
-			{ match     => sub( $ ) { $_[0] =~ /^HL/ },
-			  target    => 'HL',
-			  mark      => NOMARK,
-			  mask      => '',
-			  connmark  => 0
-			},
-			{ match     => sub( $ ) { $_[0] =~ /^IMQ\(\d+\)$/ },
-			  target    => 'IMQ',
-			  mark      => NOMARK,
-			  mask      => '',
-			  connmark  => 0
-			},
-			{ match     => sub( $ ) { $_[0] =~ /^DSCP\(\w+\)$/ },
-			  target    => 'DSCP',
-			  mark      => NOMARK,
-			  mask      => '',
-			  connmark  => 0
-			},
-			{ match     => sub( $ ) { $_[0] =~ /^TOS\(.+\)$/ },
-			  target    => 'TOS',
-			  mark      => NOMARK,
-			  mask      => '',
-			  connmark  => 0
-			},
+	our  %tccmd = ( SAVE =>     { match     => sub ( $ ) { $_[0] eq 'SAVE' } ,
+				      target    => 'CONNMARK --save-mark --mask' ,
+				      mark      => $config{TC_EXPERT} ? HIGHMARK : SMALLMARK,
+				      mask      => in_hex( $globals{TC_MASK} ) ,
+				      connmark  => 1
+				    } ,
+			RESTORE =>  { match     => sub ( $ ) { $_[0] eq 'RESTORE' },
+				      target    => 'CONNMARK --restore-mark --mask' ,
+				      mark      => $config{TC_EXPERT} ? HIGHMARK : SMALLMARK ,
+				      mask      => in_hex( $globals{TC_MASK} ) ,
+				      connmark  => 1
+				    } ,
+			CONTINUE => { match     => sub ( $ ) { $_[0] eq 'CONTINUE' },
+				      target    => 'RETURN' ,
+				      mark      => NOMARK ,
+				      mask      => '' ,
+				      connmark  => 0
+				    } ,
+			SAME =>     { match     => sub ( $ ) { $_[0] eq 'SAME' },
+				      target    => 'sticky' ,
+				      mark      => NOMARK ,
+				      mask      => '' ,
+				      connmark  => 0
+				    } ,
+			IPMARK =>   { match     => sub ( $ ) { $_[0] =~ /^IPMARK/ },
+				      target    => 'IPMARK' ,
+				      mark      => NOMARK,
+				      mask      => '',
+				      connmark  => 0
+				    } ,
+			'|' =>      { match     => sub ( $ ) { $_[0] =~ '\|.*'} ,
+				      target    => 'MARK --or-mark' ,
+				      mark      => HIGHMARK ,
+				      mask      => ''
+				    } ,
+			'&' =>      { match     => sub ( $ ) { $_[0] =~ '&.*' },
+				      target    => 'MARK --and-mark' ,
+				      mark      => HIGHMARK ,
+				      mask      => '' ,
+				      connmark  => 0
+				    } ,
+			TPROXY =>   { match     => sub ( $ ) { $_[0] =~ /^TPROXY/ },
+				      target    => 'TPROXY',
+				      mark      => HIGHMARK,
+				      mask      => '',
+				      connmark  => ''
+				    },
+			DIVERT =>   { match     => sub( $ ) { $_[0] =~ /^DIVERT/ },
+				      target    => 'DIVERT',
+				      mark      => HIGHMARK,
+				      mask      => '',
+				      connmark  => ''
+				    },
+			TTL =>      { match     => sub( $ ) { $_[0] =~ /^TTL/ },
+				      target    => 'TTL',
+				      mark      => NOMARK,
+				      mask      => '',
+				      connmark  => 0
+			            },
+			HL =>       { match     => sub( $ ) { $_[0] =~ /^HL/ },
+				      target    => 'HL',
+				      mark      => NOMARK,
+				      mask      => '',
+				      connmark  => 0
+			            },
+			IMQ =>      { match     => sub( $ ) { $_[0] =~ /^IMQ\(\d+\)$/ },
+				      target    => 'IMQ',
+				      mark      => NOMARK,
+				      mask      => '',
+				      connmark  => 0
+			            },
+			DSCP =>     { match     => sub( $ ) { $_[0] =~ /^DSCP\(\w+\)$/ },
+				      target    => 'DSCP',
+				      mark      => NOMARK,
+				      mask      => '',
+				      connmark  => 0
+				    },
+			TOS =>      { match     => sub( $ ) { $_[0] =~ /^TOS\(.+\)$/ },
+				      target    => 'TOS',
+				      mark      => NOMARK,
+				      mask      => '',
+				      connmark  => 0
+				    },
+			CHECKSUM => { match     => sub( $ ) { $_[0] eq 'CHECKSUM' },
+				      target    => 'CHECKSUM' ,
+				      mark      => NOMARK,
+				      mask      => '',
+				      connmark  => 0,
+				    }
 		      );
 
-	if ( my $fn = open_file 'tcrules' ) {
-
-	    our $format = 1;
+	if ( my $fn = open_file( 'tcrules' , 2, 1 ) ) {
 
 	    first_entry "$doing $fn...";
 
@@ -2255,7 +2423,7 @@ sub setup_tc() {
 
 	}
 
-	if ( my $fn = open_file 'secmarks' ) {
+	if ( my $fn = open_file( 'secmarks', 1, 1 ) ) {
 
 	    first_entry "$doing $fn...";
 

Shorewall/Perl/Shorewall/Tunnels.pm

@@ -285,7 +285,7 @@ sub setup_tunnels() {
     #
     # Setup_Tunnels() Starts Here
     #
-    if ( my $fn = open_file 'tunnels' ) {
+    if ( my $fn = open_file( 'tunnels', 1, 1 ) ) {
 
 	first_entry "$doing $fn...";
 

Shorewall/Perl/Shorewall/Zones.pm

@@ -31,67 +31,69 @@ use Shorewall::IPAddrs;
 use strict;
 
 our @ISA = qw(Exporter);
-our @EXPORT = qw( NOTHING
-		  NUMERIC
-		  NETWORK
-		  IPSECPROTO
-		  IPSECMODE
-		  FIREWALL
-		  VSERVER
-		  IP
-		  BPORT
-		  IPSEC
-		  NO_UPDOWN
-		  NO_SFILTER
+our @EXPORT = ( qw( NOTHING
+		    NUMERIC
+		    NETWORK
+		    IPSECPROTO
+		    IPSECMODE
+		    FIREWALL
+		    VSERVER
+		    IP
+		    BPORT
+		    IPSEC
+		    GROUP
+		    NO_UPDOWN
+		    NO_SFILTER
 
-		  determine_zones
-		  zone_report
-		  dump_zone_contents
-		  find_zone
-		  firewall_zone
-		  defined_zone
-		  zone_type
-		  zone_interfaces
-		  zone_mark
-		  all_zones
-		  all_parent_zones
-		  complex_zones
-		  vserver_zones
-		  on_firewall_zones
-		  off_firewall_zones
-		  non_firewall_zones
-		  single_interface
-		  chain_base
-		  validate_interfaces_file
-		  all_interfaces
-		  all_real_interfaces
-		  all_plain_interfaces
-		  all_bridges
-		  interface_number
-		  find_interface
-		  known_interface
-		  get_physical
-		  physical_name
-		  have_bridges
-		  port_to_bridge
-		  source_port_to_bridge
-		  interface_is_optional
-		  interface_is_required
-		  find_interfaces_by_option
-		  find_interfaces_by_option1
-		  get_interface_option
-		  interface_has_option
-		  set_interface_option
-		  set_interface_provider
-		  interface_zones
-		  verify_required_interfaces
-		  validate_hosts_file
-		  find_hosts_by_option
-		  find_zone_hosts_by_option
-		  find_zones_by_option
-		  all_ipsets
-		  have_ipsec
-		 );
+		    determine_zones
+		    zone_report
+		    dump_zone_contents
+		    find_zone
+		    firewall_zone
+		    defined_zone
+		    zone_type
+		    zone_interfaces
+		    zone_mark
+		    all_zones
+		    all_parent_zones
+		    complex_zones
+		    vserver_zones
+		    on_firewall_zones
+		    off_firewall_zones
+		    non_firewall_zones
+		    single_interface
+		    chain_base
+		    validate_interfaces_file
+		    all_interfaces
+		    all_real_interfaces
+		    all_plain_interfaces
+		    all_bridges
+		    interface_number
+		    find_interface
+		    known_interface
+		    get_physical
+		    physical_name
+		    have_bridges
+		    port_to_bridge
+		    source_port_to_bridge
+		    interface_is_optional
+		    interface_is_required
+		    find_interfaces_by_option
+		    find_interfaces_by_option1
+		    get_interface_option
+		    interface_has_option
+		    set_interface_option
+		    set_interface_provider
+		    interface_zones
+		    verify_required_interfaces
+		    validate_hosts_file
+		    find_hosts_by_option
+		    find_zone_hosts_by_option
+		    find_zones_by_option
+		    all_ipsets
+		    have_ipsec
+		 ),
+	      );
 
 our @EXPORT_OK = qw( initialize );
 our $VERSION = 'MODULEVERSION';
@@ -146,12 +148,12 @@ use constant { IN_OUT     => 1,
 #
 #     $firewall_zone names the firewall zone.
 #
-my @zones;
-my %zones;
-my %zonetypes;
-my $firewall_zone;
+our @zones;
+our %zones;
+our %zonetypes;
+our $firewall_zone;
 
-my  %reservedName = ( all => 1,
+our %reservedName = ( all => 1,
 		      any => 1,
 		      none => 1,
 		      SOURCE => 1,
@@ -186,22 +188,24 @@ my  %reservedName = ( all => 1,
 #    The purpose of the 'base' member is to ensure that the base names associated with the physical interfaces are assigned in
 #    the same order as the interfaces are encountered in the configuration files.
 #
-my @interfaces;
-my %interfaces;
-my %roots;
-my @bport_zones;
-my %ipsets;
-my %physical;
-my %basemap;
-my %mapbase;
-my $family;
-my $upgrade;
-my $have_ipsec;
-my $baseseq;
-my $minroot;
-my $zonemark;
-my $zonemarkincr;
-my $zonemarklimit;
+our @interfaces;
+our %interfaces;
+our %roots;
+our @bport_zones;
+our %ipsets;
+our %physical;
+our %basemap;
+our %basemap1;
+our %mapbase;
+our %mapbase1;
+our $family;
+our $upgrade;
+our $have_ipsec;
+our $baseseq;
+our $minroot;
+our $zonemark;
+our $zonemarkincr;
+our $zonemarklimit;
 
 use constant { FIREWALL => 1,
 	       IP       => 2,
@@ -228,32 +232,36 @@ use constant { SIMPLE_IF_OPTION   => 1,
 use constant { NO_UPDOWN   => 1, 
 	       NO_SFILTER  => 2 };
 
-my %validinterfaceoptions;
+our %validinterfaceoptions;
 
-my %defaultinterfaceoptions = ( routefilter => 1 , wait => 60 );
+our %defaultinterfaceoptions = ( routefilter => 1 , wait => 60 );
 
-my %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 , ignore => NO_UPDOWN );
+our %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 , ignore => NO_UPDOWN );
 
-my %validhostoptions;
+our %validhostoptions;
 
-my %validzoneoptions = ( mss          => NUMERIC,
-			 nomark       => NOTHING,
-			 blacklist    => NOTHING,
-			 strict       => NOTHING,
-			 next         => NOTHING,
-			 reqid        => NUMERIC,
-			 spi          => NUMERIC,
-			 proto        => IPSECPROTO,
-			 mode         => IPSECMODE,
-			 "tunnel-src" => NETWORK,
-			 "tunnel-dst" => NETWORK,
+our %validzoneoptions = ( mss            => NUMERIC,
+			  nomark         => NOTHING,
+			  blacklist      => NOTHING,
+			  dynamic_shared => NOTHING,
+			  strict         => NOTHING,
+			  next           => NOTHING,
+			  reqid          => NUMERIC,
+			  spi            => NUMERIC,
+			  proto          => IPSECPROTO,
+			  mode           => IPSECMODE,
+			 "tunnel-src"   => NETWORK,
+			 "tunnel-dst"   => NETWORK,
 		       );
 
 use constant { UNRESTRICTED => 1, NOFW => 2 , COMPLEX => 8, IN_OUT_ONLY => 16 };
 #
 # Hash of options that have their own key in the returned hash.
 #
-my %zonekey = ( mss => UNRESTRICTED | COMPLEX , blacklist => NOFW, nomark => NOFW | IN_OUT_ONLY );
+our %zonekey = ( mss            => UNRESTRICTED | COMPLEX ,
+		 blacklist      => NOFW, 
+		 nomark         => NOFW | IN_OUT_ONLY,
+		 dynamic_shared => IN_OUT_ONLY );
 
 #
 # Rather than initializing globals in an INIT block or during declaration,
@@ -279,7 +287,9 @@ sub initialize( $$ ) {
     %ipsets = ();
     %physical = ();
     %basemap = ();
+    %basemap1 = ();
     %mapbase = ();
+    %mapbase1 = ();
     $baseseq = 0;
     $minroot = 0;
 
@@ -397,7 +407,7 @@ sub parse_zone_option_list($$\$$)
 
 	    if ( $key ) {
 		fatal_error "Option '$e' not permitted with this zone type " if $key & NOFW && ($zonetype & ( FIREWALL | VSERVER) );
-		fatal_error "Opeion '$e' is only permitted in the OPTIONS columns" if $key & IN_OUT_ONLY && $column != IN_OUT;
+		fatal_error "Option '$e' is only permitted in the OPTIONS columns" if $key & IN_OUT_ONLY && $column != IN_OUT;
 		$$complexref = 1 if $key & COMPLEX;
 		$h{$e} = $val || 1;
 	    } else {
@@ -533,6 +543,7 @@ sub process_zone( \$ ) {
     }
 
     if ( $zoneref->{options}{in_out}{blacklist} ) {
+	warning_message q(The 'blacklist' option is deprecated);
 	for ( qw/in out/ ) {
 	    unless ( $zoneref->{options}{$_}{blacklist} ) {
 		$zoneref->{options}{$_}{blacklist} = 1;
@@ -540,6 +551,10 @@ sub process_zone( \$ ) {
 		warning_message( "Redundant 'blacklist' in " . uc( $_ ) . '_OPTIONS' );
 	    }
 	}
+    } else {
+	for ( qw/in out/ ) {
+	    warning_message q(The 'blacklist' option is deprecated), last if  $zoneref->{options}{$_}{blacklist};
+	}
     }
 
     return $zone;
@@ -752,6 +767,13 @@ sub add_group_to_zone($$$$$)
 	    $new = \@exclusions;
 	}
 
+	if ( substr( $host, 0, 1 ) eq '+' ) {
+	    fatal_error "Invalid ipset name ($host)" unless $host =~ /^\+(6_)?[a-zA-Z][-\w]*$/;
+	    require_capability( 'IPSET_MATCH', 'Ipset names in host lists', '');
+	} else {
+	    $host = validate_host $host, 0;
+	}
+
 	unless ( $switched ) {
 	    if ( $type == $zonetype ) {
 		fatal_error "Duplicate Host Group ($interface:$host) in zone $zone" if $interfaces{$interface}{zone} eq $zone;
@@ -770,13 +792,6 @@ sub add_group_to_zone($$$$$)
 	    }
 	}
 
-	if ( substr( $host, 0, 1 ) eq '+' ) {
-	    fatal_error "Invalid ipset name ($host)" unless $host =~ /^\+(6_)?[a-zA-Z]\w*$/;
-	    require_capability( 'IPSET_MATCH', 'Ipset names in host lists', '');
-	} else {
-	    validate_host $host, 0;
-	}
-
 	push @$new, $host;
     }
 
@@ -928,6 +943,55 @@ sub chain_base($) {
     $basemap{$key} = $name;
 }
 
+#
+# This is a slightly relaxed version of the above that allows '-' in the generated name.
+#
+sub chain_base1($) {
+    my $chain = $_[0];
+    my $name  = $basemap1{$chain};
+    #
+    # Return existing mapping, if any
+    #
+    return $name if $name;
+    #
+    # Remember initial value
+    #
+    my $key = $chain;
+    #
+    # Handle VLANs and wildcards
+    #
+    $chain =~ s/\+$//;
+    $chain =~ tr/./_/;
+
+    if ( $chain eq '' || $chain =~ /^[0-9]/ || $chain =~ /[^-\w]/ ) {
+	#
+	# Must map. Remove all illegal characters
+	#
+	$chain =~ s/[^\w]//g;
+	#
+	# Prefix with if_ if it begins with a digit
+	#
+	$chain = join( '' , 'if_', $chain ) if $chain =~ /^[0-9]/;
+	#
+	# Create a new unique name
+	#
+	1 while $mapbase1{$name = join ( '_', $chain, ++$baseseq )};
+    } else {
+	#
+	# We'll store the identity mapping if it is unique
+	#
+	$chain = join( '_', $key , ++$baseseq ) while $mapbase1{$name = $chain};
+    }
+    #
+    # Store the reverse mapping
+    #
+    $mapbase1{$name} = $key;
+    #
+    # Store the mapping
+    #
+    $basemap1{$key} = $name;
+}
+
 #
 # Process a record in the interfaces file
 #
@@ -938,9 +1002,8 @@ sub process_interface( $$ ) {
     my ($zone, $originalinterface, $bcasts, $options );
     my $zoneref;
     my $bridge = '';
-    our $format;
 
-    if ( $format == 1 ) {
+    if ( $file_format == 1 ) {
 	($zone, $originalinterface, $bcasts, $options ) = split_line1 'interfaces file', { zone => 0, interface => 1, broadcast => 2, options => 3 }, { COMMENT => 0, FORMAT => 2 };
     } else {
 	($zone, $originalinterface, $options ) = split_line1 'interfaces file', { zone => 0, interface => 1, options => 2 }, { COMMENT => 0, FORMAT => 2 };
@@ -948,8 +1011,9 @@ sub process_interface( $$ ) {
     }
 
     if ( $zone eq 'FORMAT' ) {
+	format_warning;
 	if ( $originalinterface =~ /^([12])$/ ) {
-	    $format = $1;
+	    $file_format = $1;
 	    return;
 	}
 
@@ -1146,7 +1210,7 @@ sub process_interface( $$ ) {
 		    $hostoptions{broadcast} = 1;
 		} elsif ( $option eq 'sfilter' ) {
 		    $filterref = [ split_list $value, 'address' ];
-		    validate_net( $_, 1) for @{$filterref}
+		    $_ = validate_net( $_, 1) for @{$filterref}
 		} else {
 		    assert(0);
 		}
@@ -1187,7 +1251,8 @@ sub process_interface( $$ ) {
 	}
 
 	if ( $netsref eq 'dynamic' ) {
-	    my $ipset = $family == F_IPV4 ? "${zone}_" . chain_base $physical : "6_${zone}_" . chain_base $physical;
+	    my $ipset = $family == F_IPV4 ? "${zone}" : "6_${zone}";
+	    $ipset = join( '_', $ipset, chain_base1( $physical ) ) unless $zoneref->{options}{in_out}{dynamic_shared};	    
 	    $netsref = [ "+$ipset" ];
 	    $ipsets{$ipset} = 1;
 	}
@@ -1246,12 +1311,11 @@ sub process_interface( $$ ) {
 #
 sub validate_interfaces_file( $ ) {
     my  $export = shift;
-    our $format = 1;
 
     my @ifaces;
     my $nextinum = 1;
 
-    if ( my $fn = open_file 'interfaces' ) {
+    if ( my $fn = open_file 'interfaces', 2 ) {
 	first_entry "$doing $fn...";
 	push @ifaces, process_interface( $nextinum++, $export ) while read_a_line( NORMAL_READ );
     } else {
@@ -1757,9 +1821,10 @@ sub process_host( ) {
 	} else {
 	    fatal_error "Invalid HOST(S) column contents: $hosts";
 	}
-    } elsif ( $hosts =~ /^([\w.@%-]+\+?):<(.*)>$/   ||
-	      $hosts =~ /^([\w.@%-]+\+?):\[(.*)\]$/ ||
-	      $hosts =~ /^([\w.@%-]+\+?):(!?\+.*)$/   ||
+    } elsif ( $hosts =~ /^([\w.@%-]+\+?):<(.*)>$/               ||
+	      $hosts =~ /^([\w.@%-]+\+?)\[(.*)\]$/              ||
+	      $hosts =~ /^([\w.@%-]+\+?):(!?\[.+\](?:\/\d+)?)$/ ||
+	      $hosts =~ /^([\w.@%-]+\+?):(!?\+.*)$/             ||
 	      $hosts =~ /^([\w.@%-]+\+?):(dynamic)$/ ) {
 	$interface = $1;
 	$hosts = $2;
@@ -1770,9 +1835,9 @@ sub process_host( ) {
     }
 
     if ( $hosts =~ /^!?\+/ ) {
-	$zoneref->{complex} = 1;
-	fatal_error "ipset name qualification is disallowed in this file" if $hosts =~ /[\[\]]/;
-	fatal_error "Invalid ipset name ($hosts)" unless $hosts =~ /^!?\+[a-zA-Z][-\w]*$/;
+       $zoneref->{complex} = 1;
+       fatal_error "ipset name qualification is disallowed in this file" if $hosts =~ /[\[\]]/;
+       fatal_error "Invalid ipset name ($hosts)" unless $hosts =~ /^!?\+[a-zA-Z][-\w]*$/;
     }
 
     if ( $type & BPORT ) {
@@ -1799,6 +1864,7 @@ sub process_host( ) {
 	    } elsif ( $option eq 'norfc1918' ) {
 		warning_message "The 'norfc1918' host option is no longer supported"
 	    } elsif ( $option eq 'blacklist' ) {
+		warning_message "The 'blacklist' option is deprecated";
 		$zoneref->{options}{in}{blacklist} = 1;
 	    } elsif ( $option =~ /^mss=(\d+)$/ ) {
 		fatal_error "Invalid mss ($1)" unless $1 >= 500;
@@ -1835,8 +1901,14 @@ sub process_host( ) {
     if ( $hosts eq 'dynamic' ) {
 	fatal_error "Vserver zones may not be dynamic" if $type & VSERVER;
 	require_capability( 'IPSET_MATCH', 'Dynamic nets', '');
-	my $physical = chain_base( physical_name $interface );
-	my $set      = $family == F_IPV4 ? "${zone}_${physical}" : "6_${zone}_${physical}";
+
+	my $set = $family == F_IPV4 ? "${zone}" : "6_${zone}";
+	
+	unless ( $zoneref->{options}{in_out}{dynamic_shared} ) {
+	    my $physical = chain_base1( physical_name $interface );
+	    $set = join( '_', $set, $physical );
+	}
+
 	$hosts = "+$set";
 	$optionsref->{dynamic} = 1;
 	$ipsets{$set} = 1;

Shorewall/Perl/compiler.pl

@@ -37,7 +37,8 @@
 #         --log_verbosity=<number>    # Log Verbosity range -1 to 2
 #         --family=<number>           # IP family; 4 = IPv4 (default), 6 = IPv6
 #         --preview                   # Preview the ruleset.
-#         --shorewallrc=<path>        # Path to shorewallrc file.
+#         --shorewallrc=<path>        # Path to global shorewallrc file.
+#         --shorewallrc1=<path>       # Path to export shorewallrc file.
 #         --config_path=<path-list>   # Search path for config files
 #
 use strict;
@@ -66,7 +67,9 @@ sub usage( $ ) {
     [ --annotate ]
     [ --update ]
     [ --convert ]
+    [ --directives ]
     [ --shorewallrc=<pathname> ]
+    [ --shorewallrc1=<pathname> ]
     [ --config_path=<path-list> ]
 ';
 
@@ -92,8 +95,10 @@ my $preview       = 0;
 my $annotate      = 0;
 my $update        = 0;
 my $convert       = 0;
+my $directives    = 0;
 my $config_path   = '';
 my $shorewallrc   = '';
+my $shorewallrc1  = '';
 
 Getopt::Long::Configure ('bundling');
 
@@ -121,11 +126,14 @@ my $result = GetOptions('h'               => \$help,
 			'confess'         => \$confess,
 			'a'               => \$annotate,
 			'annotate'        => \$annotate,
+			'directives'      => \$directives,
+			'D'               => \$directives,
 			'u'               => \$update,
 			'update'          => \$update,
 			'convert'         => \$convert,
 			'config_path=s'   => \$config_path,
 			'shorewallrc=s'   => \$shorewallrc,
+			'shorewallrc1=s'  => \$shorewallrc1,
 		       );
 
 usage(1) unless $result && @ARGV < 2;
@@ -147,6 +155,8 @@ compiler( script          => $ARGV[0] || '',
 	  update          => $update,
 	  convert         => $convert,
 	  annotate        => $annotate,
+	  directives      => $directives,
 	  config_path     => $config_path,
-	  shorewallrc     => $shorewallrc
+	  shorewallrc     => $shorewallrc,
+	  shorewallrc1    => $shorewallrc1,
 	);

Shorewall/Perl/getparams

@@ -25,12 +25,12 @@
 #
 #      $1 = Path name of params file
 #      $2 = $CONFIG_PATH
-#      $3 = Address family (4 o4 6)
+#      $3 = Address family (4 or 6)
 #
 if [ "$3" = 6 ]; then
-    g_program=shorewall6
+    PRODUCT=shorewall6
 else
-    g_program=shorewall
+    PRODUCT=shorewall
 fi
 
 #
@@ -38,11 +38,9 @@ fi
 #
 . /usr/share/shorewall/shorewallrc
 
-g_libexec="$LIBEXECDIR"
-g_sharedir="$SHAREDIR"/shorewall
-g_sbindir="$SBINDIR"
-g_perllib="$PERLLIBDIR"
-g_confdir="$CONFDIR"/shorewall
+g_program=$PRODUCT
+g_sharedir="$SHAREDIR/shorewall"
+g_confdir="$CONFDIR/$PRODUCT"
 g_readrc=1
 
 . $g_sharedir/lib.cli

Shorewall/Perl/lib.core

@@ -430,7 +430,7 @@ run_iptables()
     local status
 
     while [ 1 ]; do
-	$g_tool $@
+	eval $g_tool $@
 	status=$?
 	[ $status -ne 4 ] && break
     done
@@ -626,7 +626,7 @@ EOF
     fi
 }
 
-?IF __IPV4
+?if __IPV4
 #################################################################################
 #                        IPv4-specific Functions
 #################################################################################
@@ -838,13 +838,13 @@ detect_dynamic_gateway() { # $1 = interface
 	gateway=$( find_peer $($IP addr list $interface ) )
     fi
 
-    if [ -z "$gateway" -a -f /var/lib/dhcpcd/dhcpcd-${1}.info ]; then
-	eval $(grep ^GATEWAYS=  /var/lib/dhcpcd/dhcpcd-${1}.info 2> /dev/null)
+    if [ -z "$gateway" -a -f ${VARLIB}/dhcpcd/dhcpcd-${1}.info ]; then
+	eval $(grep ^GATEWAYS=  ${VARLIB}/dhcpcd/dhcpcd-${1}.info 2> /dev/null)
 	[ -n "$GATEWAYS" ] && GATEWAYS=${GATEWAYS%,*} && gateway=$GATEWAYS
     fi
 
-    if [ -z "$gateway" -a -f /var/lib/dhcp/dhclient-${1}.lease ]; then
-	gateway=$(grep 'option routers' /var/lib/dhcp/dhclient-${1}.lease | tail -n 1 | while read j1 j2 gateway; do echo $gateway ; return 0; done)
+    if [ -z "$gateway" -a -f ${VARLIB}/dhcp/dhclient-${1}.lease ]; then
+	gateway=$(grep 'option routers' ${VARLIB}/dhcp/dhclient-${1}.lease | tail -n 1 | while read j1 j2 gateway; do echo $gateway ; return 0; done)
     fi
 
     [ -n "$gateway" ] && echo $gateway
@@ -1032,7 +1032,7 @@ get_all_bcasts()
     $IP -f inet addr show 2> /dev/null | grep 'inet.*brd' | grep -v '/32 ' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
 }
 
-?ELSE
+?else
 #################################################################################
 #                        IPv6-specific Functions
 #################################################################################
@@ -1324,4 +1324,4 @@ clear_firewall() {
     logger -p kern.info "$g_product Cleared"
 }
 
-?ENDIF
+?endif

Shorewall/Perl/prog.footer

@@ -33,25 +33,25 @@ usage() {
 }
 
 checkkernelversion() {
+?if __IPV6
     local kernel
 
-    if [ $g_family -eq 6 ]; then
-	kernel=$(uname -r 2> /dev/null | sed -e 's/-.*//')
+    kernel=$(uname -r 2> /dev/null | sed -e 's/-.*//')
 
-	case "$kernel" in
-	    *.*.*)
-		kernel=$(printf "%d%02d%02d" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
-		;;
-	    *)
-		kernel=$(printf "%d%02d00" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2/g'))
-		;;
-	esac
+    case "$kernel" in
+	*.*.*)
+	    kernel=$(printf "%d%02d%02d" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
+	    ;;
+	*)
+	    kernel=$(printf "%d%02d00" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2/g'))
+	    ;;
+    esac
 
-	if [ $kernel -lt 20624 ]; then
-	    error_message "ERROR: $g_product requires Linux kernel 2.6.24 or later"
-	    return 1
-	fi
+    if [ $kernel -lt 20624 ]; then
+	error_message "ERROR: $g_product requires Linux kernel 2.6.24 or later"
+	return 1
     fi
+?endif
 
     return 0
 }

Shorewall/Samples/Universal/interfaces

@@ -7,7 +7,7 @@
 # http://www.shorewall.net/manpages/shorewall-interfaces.html
 #
 ###############################################################################
-FORMAT 2
+?FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
 -	lo		ignore

Shorewall/Samples/Universal/rules

@@ -6,8 +6,8 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-rules.html
 #
-##############################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH     HELPER
+######################################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS		SWITCH		HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED

Shorewall/Samples/Universal/shorewall.conf

@@ -114,6 +114,8 @@ ADD_SNAT_ALIASES=No
 
 ADMINISABSENTMINDED=Yes
 
+IGNOREUNKNOWNVARIABLES=No
+
 AUTOCOMMENT=Yes
 
 AUTOHELPERS=Yes
@@ -186,6 +188,8 @@ REQUIRE_INTERFACE=Yes
 
 RESTORE_DEFAULT_ROUTE=Yes
 
+RESTORE_ROUTEMARKS=Yes
+
 RETAIN_ALIASES=No
 
 ROUTE_FILTER=No

Shorewall/Samples/one-interface/interfaces

@@ -11,7 +11,7 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-interfaces"
 ###############################################################################
-FORMAT 2
+?FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
 net     eth0            dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0

Shorewall/Samples/one-interface/rules

@@ -10,8 +10,8 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall-rules"
-##############################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH     HELPER
+######################################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS		SWITCH		HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED

Shorewall/Samples/one-interface/shorewall.conf

@@ -125,6 +125,8 @@ ADD_SNAT_ALIASES=No
 
 ADMINISABSENTMINDED=Yes
 
+IGNOREUNKNOWNVARIABLES=No
+
 AUTOCOMMENT=Yes
 
 AUTOHELPERS=Yes
@@ -197,6 +199,8 @@ REQUIRE_INTERFACE=No
 
 RESTORE_DEFAULT_ROUTE=Yes
 
+RESTORE_ROUTEMARKS=Yes
+
 RETAIN_ALIASES=No
 
 ROUTE_FILTER=No

Shorewall/Samples/three-interfaces/interfaces

@@ -11,7 +11,7 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-interfaces"
 ###############################################################################
-FORMAT 2
+?FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
 net     eth0            tcpflags,dhcp,nosmurfs,routefilter,logmartians,sourceroute=0

Shorewall/Samples/three-interfaces/rules

@@ -10,8 +10,8 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-rules"
-##############################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH     HELPER
+######################################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS		SWITCH		HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED

Shorewall/Samples/three-interfaces/shorewall.conf

@@ -123,6 +123,8 @@ ADD_SNAT_ALIASES=No
 
 ADMINISABSENTMINDED=Yes
 
+IGNOREUNKNOWNVARIABLES=No
+
 AUTOCOMMENT=Yes
 
 AUTOHELPERS=Yes
@@ -195,6 +197,8 @@ REQUIRE_INTERFACE=No
 
 RESTORE_DEFAULT_ROUTE=Yes
 
+RESTORE_ROUTEMARKS=Yes
+
 RETAIN_ALIASES=No
 
 ROUTE_FILTER=No

Shorewall/Samples/three-interfaces/stoppedrules

@@ -1,6 +1,6 @@
 #
-# Shorewall6 version 4.0 - Sample Routestopped File for two-interface configuration.
-# Copyright (C) 2006,2008 by the Shorewall Team
+# Shorewall version 4.5 - Sample Stoppedrules File for three-interface configuration.
+# Copyright (C) 2012 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -9,11 +9,12 @@
 #
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
-# For information about entries in this file, type "man shorewall6-routestopped"
-#
-# See http://shorewall.net/starting_and_stopping_shorewall.htm for additional
-# information.
-#
-##############################################################################
-#INTERFACE	HOST(S)                  OPTIONS
-eth1		-
+# For information about entries in this file, type "man shorewall-stoppedrules"
+###############################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST		SOURCE
+#							PORT(S)		PORT(S)
+ACCEPT		eth1		-
+ACCEPT		-		eth1
+ACCEPT		eth2		-
+ACCEPT		-		eth2
+

Shorewall/Samples/two-interfaces/interfaces

@@ -11,7 +11,7 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-interfaces"
 ###############################################################################
-FORMAT 2
+?FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
 net     eth0            dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0

Shorewall/Samples/two-interfaces/rules

@@ -10,8 +10,8 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-rules"
-##############################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH     HELPER
+######################################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS		SWITCH		HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED

Shorewall/Samples/two-interfaces/shorewall.conf

@@ -126,6 +126,8 @@ ADD_SNAT_ALIASES=No
 
 ADMINISABSENTMINDED=Yes
 
+IGNOREUNKNOWNVARIABLES=No
+
 AUTOCOMMENT=Yes
 
 AUTOHELPERS=Yes
@@ -198,6 +200,8 @@ REQUIRE_INTERFACE=No
 
 RESTORE_DEFAULT_ROUTE=Yes
 
+RESTORE_ROUTEMARKS=Yes
+
 RETAIN_ALIASES=No
 
 ROUTE_FILTER=No

Shorewall/Samples/two-interfaces/stoppedrules

@@ -1,6 +1,6 @@
 #
-# Shorewall version 4.0 - Sample Routestopped File for two-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Shorewall version 4.5 - Sample Stoppedrules File for two-interface configuration.
+# Copyright (C) 2012 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -9,7 +9,9 @@
 #
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
-# For information about entries in this file, type "man shorewall-routestopped"
-##############################################################################
-#INTERFACE	HOST(S)                  OPTIONS
-eth1		-
+# For information about entries in this file, type "man shorewall-stoppedrules"
+###############################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST		SOURCE
+#							PORT(S)		PORT(S)
+ACCEPT		eth1		-
+ACCEPT		-		eth1

Shorewall/action.Broadcast

@@ -27,7 +27,7 @@
 #       Default action is DROP
 #
 ##########################################################################################
-FORMAT 2
+?FORMAT 2
 
 DEFAULTS DROP,-
 
@@ -43,6 +43,7 @@ fatal_error "Invalid parameter ($audit) to action Broadcast"   if supplied $audi
 fatal_error "Invalid parameter ($action) to action Broadcast"  unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
 
 my $chainref           = get_action_chain;
+
 my ( $level, $tag )    = get_action_logging;
 my $target             = require_audit ( $action , $audit );
 

Shorewall/action.Drop

@@ -31,9 +31,9 @@
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 #
 ###############################################################################
-FORMAT 2
+?FORMAT 2
 #
-# The following magic provides different defaults for $2 thru $5, when $1 is
+# The following magic provides different defaults for @2 thru @5, when @1 is
 # 'audit'.
 #
 ?BEGIN PERL;
@@ -66,31 +66,31 @@ COUNT
 #
 # Reject 'auth'
 #
-Auth($2)
+Auth(@2)
 #
 # Don't log broadcasts
 #
-Broadcast(DROP,$1)
+Broadcast(DROP,@1)
 #
 # ACCEPT critical ICMP types
 #
-AllowICMPs($4)	-	-	icmp
+AllowICMPs(@4)	-	-	icmp
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log.
 #
-Invalid(DROP,$1)
+Invalid(DROP,@1)
 #
 # Drop Microsoft noise so that it doesn't clutter up the log.
 #
-SMB($3)
-DropUPnP($5)
+SMB(@3)
+DropUPnP(@5)
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #
-NotSyn(DROP,$1)	-	-	tcp
+NotSyn(DROP,@1)	-	-	tcp
 #
 # Drop late-arriving DNS replies. These are just a nuisance and clutter up
 # the log.
 #
-DropDNSrep($5)
+DropDNSrep(@5)

Shorewall/action.DropSmurfs

@@ -9,19 +9,21 @@
 #          audit = Audit dropped packets.
 #
 #################################################################################
-FORMAT 2
+?FORMAT 2
 
 DEFAULTS -
 
 ?BEGIN PERL;
 use strict;
 use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6);
+use Shorewall::IPAddrs qw( IPv6_MULTICAST );
 use Shorewall::Chains;
 use Shorewall::Rules;
 
 my ( $audit ) = get_action_params( 1 );
 
 my $chainref        = get_action_chain;
+
 my ( $level, $tag ) = get_action_logging;
 my $target;
 

Shorewall/action.Invalid

@@ -27,7 +27,7 @@
 #       Default action is DROP
 #
 ##########################################################################################
-FORMAT 2
+?FORMAT 2
 
 DEFAULTS DROP,-
 
@@ -43,6 +43,7 @@ fatal_error "Invalid parameter ($audit) to action Invalid"   if supplied $audit
 fatal_error "Invalid parameter ($action) to action Invalid"  unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
 
 my $chainref         = get_action_chain;
+
 my ( $level, $tag )  = get_action_logging;
 my $target           = require_audit ( $action , $audit );
 

Shorewall/action.NotSyn

@@ -27,7 +27,7 @@
 #       Default action is DROP
 #
 ##########################################################################################
-FORMAT 2
+?FORMAT 2
 
 DEFAULTS DROP,-
 
@@ -43,6 +43,7 @@ fatal_error "Invalid parameter ($audit) to action NotSyn"   if supplied $audit &
 fatal_error "Invalid parameter ($action) to action NotSyn"  unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
 
 my $chainref         = get_action_chain;
+
 my ( $level, $tag )  = get_action_logging;
 my $target           = require_audit ( $action , $audit );
 

Shorewall/action.RST

@@ -27,7 +27,7 @@
 #       Default action is DROP
 #
 ##########################################################################################
-FORMAT 2
+?FORMAT 2
 
 DEFAULTS DROP,-
 
@@ -38,15 +38,16 @@ use Shorewall::Chains;
 
 my ( $action, $audit ) = get_action_params( 2 );
 
-fatal_error "Invalid parameter ($audit) to action NotSyn"   if supplied $audit && $audit ne 'audit';
-fatal_error "Invalid parameter ($action) to action NotSyn"  unless $action =~ /^(?:ACCEPT|DROP)$/;
+fatal_error "Invalid parameter ($audit) to action RST"   if supplied $audit && $audit ne 'audit';
+fatal_error "Invalid parameter ($action) to action RST"  unless $action =~ /^(?:ACCEPT|DROP)$/;
 
 my $chainref         = get_action_chain;
+
 my ( $level, $tag )  = get_action_logging;
 my $target           = require_audit ( $action , $audit );
 
 log_rule_limit $level, $chainref, 'RST' , $action, '', $tag, 'add', '-p 6 --tcp-flags RST RST ' if $level ne '';
-add_jump $chainref , $target, 0, '-p 6 --tcp-flags RST RST, ';
+add_jump $chainref , $target, 0, '-p 6 --tcp-flags RST RST ';
 
 allow_optimize( $chainref );
 

Shorewall/action.Reject

@@ -27,9 +27,9 @@
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 ###############################################################################
-FORMAT 2
+?FORMAT 2
 #
-# The following magic provides different defaults for $2 thru $5, when $1 is
+# The following magic provides different defaults for @2 thru @5, when @1 is
 # 'audit'.
 #
 ?BEGIN PERL;
@@ -62,33 +62,33 @@ COUNT
 #
 # Don't log 'auth' -- REJECT
 #
-Auth($2)
+Auth(@2)
 #
 # Drop Broadcasts so they don't clutter up the log
 # (broadcasts must *not* be rejected).
 #
-Broadcast(DROP,$1)
+Broadcast(DROP,@1)
 #
 # ACCEPT critical ICMP types
 #
-AllowICMPs($4)	-	-	icmp
+AllowICMPs(@4)	-	-	icmp
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log (these ICMPs cannot be
 # rejected).
 #
-Invalid(DROP,$1)
+Invalid(DROP,@1)
 #
 # Reject Microsoft noise so that it doesn't clutter up the log.
 #
-SMB($3)
-DropUPnP($5)
+SMB(@3)
+DropUPnP(@5)
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #
-NotSyn(DROP,$1)	-	-	tcp
+NotSyn(DROP,@1)	-	-	tcp
 #
 # Drop late-arriving DNS replies. These are just a nuisance and clutter up
 # the log.
 #
-DropDNSrep($5)
+DropDNSrep(@5)

Shorewall/action.TCPFlags

@@ -1,7 +1,7 @@
 #
-# Shorewall version 4 - Drop Smurfs Action
+# Shorewall version 4 - Drop TCPFlags Action
 #
-# /usr/share/shorewall/action.DropSmurfs
+# /usr/share/shorewall/action.TCPFlags
 #
 #   Accepts a single optional parameter:
 #
@@ -9,7 +9,7 @@
 #          audit = Audit dropped packets.
 #
 #################################################################################
-FORMAT 2
+?FORMAT 2
 
 DEFAULTS DROP,-
 
@@ -21,6 +21,7 @@ use Shorewall::Chains;
 my ( $disposition, $audit ) = get_action_params( 2 );
 
 my $chainref        = get_action_chain;
+
 my ( $level, $tag ) = get_action_logging;
 
 fatal_error q(The first argument to 'TCPFlags' must be ACCEPT, REJECT, or DROP) unless $disposition =~ /^(ACCEPT|REJECT|DROP)$/;

Shorewall/action.template

@@ -20,7 +20,7 @@
 #
 #######################################################################################################
 #                                         DO NOT REMOVE THE FOLLOWING LINE
-FORMAT 2
-####################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS
+?FORMAT 2
+#################################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH        HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP

Shorewall/actions.std

@@ -33,13 +33,13 @@
 #
 ###############################################################################
 #ACTION
-A_Drop 		    # Audited Default Action for DROP policy
-A_Reject	    # Audited Default action for REJECT policy
-Broadcast	    # Handles Broadcast/Multicast/Anycast
-Drop		    # Default Action for DROP policy
-DropSmurfs          # Drop smurf packets
-Invalid             # Handles packets in the INVALID conntrack state
-NotSyn              # Handles TCP packets which do not have SYN=1 and ACK=0
-Reject		    # Default Action for REJECT policy
-RST		    # Handle packets with RST set
-TCPFlags            # Handle bad flag combinations.
+A_Drop 		                # Audited Default Action for DROP policy
+A_Reject	                # Audited Default action for REJECT policy
+Broadcast  noinline             # Handles Broadcast/Multicast/Anycast
+Drop		                # Default Action for DROP policy
+DropSmurfs noinline             # Drop smurf packets
+Invalid    noinline             # Handles packets in the INVALID conntrack state
+NotSyn     noinline             # Handles TCP packets which do not have SYN=1 and ACK=0
+Reject                          # Default Action for REJECT policy
+RST	   noinline             # Handle packets with RST set
+TCPFlags   noinline             # Handle bad flag combinations.

Shorewall/configfiles/actions

@@ -7,6 +7,6 @@
 #
 # Please see http://shorewall.net/Actions.html for additional information.
 #
-###############################################################################
-#ACTION             COMMENT (place '# ' below the 'C' in comment followed by
-#                           a comment describing the action)
+########################################################################################
+#ACTION    OPTIONS		COMMENT (place '# ' below the 'C' in comment followed by
+#                        	v        a comment describing the action)

Shorewall/configfiles/conntrack

@@ -3,51 +3,51 @@
 #
 # For information about entries in this file, type "man shorewall-conntrack"
 #
-#############################################################################################
-FORMAT 2
-#ACTION			SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/
+##############################################################################################################
+?FORMAT 3
+#ACTION			SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/		SWITCH
 #								PORT(S)		PORT(S)	GROUP
 ?if $AUTOHELPERS && __CT_TARGET
 
 ?if __AMANDA_HELPER
-CT:helper:amanda	all		-		udp	10080
+CT:helper:amanda:PO	-		-		udp	10080
 ?endif
 
 ?if __FTP_HELPER
-CT:helper:ftp		all		-		tcp	21
+CT:helper:ftp:PO	-		-		tcp	21
 ?endif
 
 ?if __H323_HELPER
-CT:helper:RAS		all		-		udp	1719
-CT:helper:Q.931		all		-		tcp	1720
+CT:helper:RAS:PO	-		-		udp	1719
+CT:helper:Q.931:PO	-		-		tcp	1720
 ?endif
 
 ?if __IRC_HELPER
-CT:helper:irc		all		-		tcp	6667
+CT:helper:irc:PO	-		-		tcp	6667
 ?endif
 
 ?if __NETBIOS_NS_HELPER
-CT:helper:netbios-ns	all		-		udp	137
+CT:helper:netbios-ns:PO	-		-		udp	137
 ?endif
 
 ?if __PPTP_HELPER
-CT:helper:pptp		all		-		tcp	1729
+CT:helper:pptp:PO	-		-		tcp	1723
 ?endif
 
 ?if __SANE_HELPER
-CT:helper:sane		all		-		tcp	6566
+CT:helper:sane:PO	-		-		tcp	6566
 ?endif
 
 ?if __SIP_HELPER
-CT:helper:sip		all		-		udp	5060
+CT:helper:sip:PO	-		-		udp	5060
 ?endif
 
 ?if __SNMP_HELPER
-CT:helper:snmp		all		-		udp	161
+CT:helper:snmp:PO	-		-		udp	161
 ?endif
 
 ?if __TFTP_HELPER
-CT:helper:tftp		all		-		udp	69
+CT:helper:tftp:PO	-		-		udp	69
 ?endif
 
 ?endif

Shorewall/configfiles/interfaces

@@ -7,6 +7,6 @@
 # http://www.shorewall.net/manpages/shorewall-interfaces.html
 #
 ###############################################################################
-FORMAT 2
+?FORMAT 2
 ###############################################################################
 #ZONE		INTERFACE		OPTIONS

Shorewall/configfiles/routestopped

@@ -1,6 +1,8 @@
 #
 # Shorewall version 4 - Routestopped File
 #
+# This file is deprecated in favor of the stoppedrules file
+#
 # For information about entries in this file, type "man shorewall-routestopped"
 #
 # The manpage is also online at

Shorewall/configfiles/rules

@@ -6,8 +6,8 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-rules.html
 #
-#################################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH        HELPER
+######################################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS		SWITCH		HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED

Shorewall/configfiles/shorewall.conf

@@ -114,6 +114,8 @@ ADD_SNAT_ALIASES=No
 
 ADMINISABSENTMINDED=Yes
 
+IGNOREUNKNOWNVARIABLES=No
+
 AUTOCOMMENT=Yes
 
 AUTOHELPERS=Yes
@@ -186,6 +188,8 @@ REQUIRE_INTERFACE=No
 
 RESTORE_DEFAULT_ROUTE=Yes
 
+RESTORE_ROUTEMARKS=Yes
+
 RETAIN_ALIASES=No
 
 ROUTE_FILTER=No

Shorewall/configfiles/stoppedrules

@@ -0,0 +1,14 @@
+#
+# Shorewall version 4 - Stopped Rules File
+#
+# For information about entries in this file, type "man shorewall-stoppedrules"
+#
+# The manpage is also online at
+# http://www.shorewall.net/manpages/shorewall-stoppedrules.html
+#
+# See http://shorewall.net/starting_and_stopping_shorewall.htm for additional
+# information.
+#
+###############################################################################
+#ACTION		SOURCE			DEST		PROTO	DEST	SOURCE
+#								PORT(S)	PORT(S)

Shorewall/configfiles/tcfilters

@@ -5,6 +5,6 @@
 #
 # See http://shorewall.net/traffic_shaping.htm for additional information.
 #
-##############################################################################################
-#INTERFACE:	SOURCE		DEST		PROTO	DEST	SOURCE   TOS		LENGTH
+########################################################################################################
+#INTERFACE:	SOURCE		DEST		PROTO	DEST	SOURCE   TOS		LENGTH	PRIORITY
 #CLASS							PORT(S)	PORT(S)

Shorewall/configfiles/tcrules

@@ -10,7 +10,7 @@
 # See http://shorewall.net/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
 ##########################################################################################################################################
-FORMAT 2
+?FORMAT 2
 ##########################################################################################################################################
 #ACTION	SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS   CONNBYTES		HELPER    PROBABILITY DSCP
 #						PORT(S)	PORT(S)

Shorewall/install.sh

@@ -193,7 +193,14 @@ else
     usage 1
 fi
 
-for var in SHAREDIR LIBEXECDIR PERLLIBDIR CONFDIR SBINDIR VARDIR; do
+if [ -z "${VARLIB}" ]; then
+    VARLIB=${VARDIR}
+    VARDIR=${VARLIB}/${PRODUCT}
+elif [ -z "${VARDIR}" ]; then
+    VARDIR=${VARLIB}/${PRODUCT}
+fi
+
+for var in SHAREDIR LIBEXECDIR PERLLIBDIR CONFDIR SBINDIR VARLIB VARDIR; do
     require $var
 done
 
@@ -371,7 +378,7 @@ mkdir -p ${DESTDIR}/${CONFDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${PERLLIBDIR}/Shorewall
 mkdir -p ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
-mkdir -p ${DESTDIR}${VARDIR}/$PRODUCT
+mkdir -p ${DESTDIR}${VARDIR}
 
 chmod 755 ${DESTDIR}${CONFDIR}/$PRODUCT
 chmod 755 ${DESTDIR}${SHAREDIR}/$PRODUCT
@@ -388,6 +395,7 @@ fi
 if [ -n "$SYSTEMD" ]; then
     mkdir -p ${DESTDIR}${SYSTEMD}
     run_install $OWNERSHIP -m 600 $PRODUCT.service ${DESTDIR}${SYSTEMD}/$PRODUCT.service
+    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/$PRODUCT.service
     echo "Service file installed as ${DESTDIR}${SYSTEMD}/$PRODUCT.service"
 fi
 
@@ -601,14 +609,14 @@ else
     fi
 fi
 #
-# Install the Stopped Routing file
+# Install the Stopped Rules file
 #
-run_install $OWNERSHIP -m 0644 routestopped           ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/
-run_install $OWNERSHIP -m 0644 routestopped.annotated ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/
+run_install $OWNERSHIP -m 0644 stoppedrules           ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/
+run_install $OWNERSHIP -m 0644 stoppedrules.annotated ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/routestopped ]; then
-    run_install $OWNERSHIP -m 0600 routestopped${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/routestopped
-    echo "Stopped Routing file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/routestopped"
+if [ -z "$SPARSE" -a ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/stoppedrules ]; then
+    run_install $OWNERSHIP -m 0600 stoppedrules${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/stoppedrules
+    echo "Stopped Rules file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/stoppedrules"
 fi
 #
 # Install the Mac List file

Shorewall/lib.cli-std

@@ -34,8 +34,6 @@ get_config() {
 
     ensure_config_path
 
-
-
     if [ "$1" = Yes ]; then
 	params=$(find_file params)
 
@@ -138,6 +136,12 @@ get_config() {
 			exit 2
 		    fi
 		    ;;
+		ipset)
+		    #
+		    # Old config files had this as default
+		    #
+		    IPSET=''
+		    ;;
 		*)
 		    prog="$(mywhich $IPSET 2> /dev/null)"
 		    if [ -z "$prog" ] ; then
@@ -148,7 +152,7 @@ get_config() {
 		    ;;
 	    esac
 	else
-	    IPSET='ipset'
+	    IPSET=''
 	fi
 
 	if [ -n "$TC" ]; then
@@ -363,8 +367,9 @@ uptodate() {
 compiler() {
     local pc
     local shorewallrc
+    local shorewallrc1
 
-    pc=$g_libexec/shorewall/compiler.pl
+    pc=${LIBEXECDIR}/shorewall/compiler.pl
 
     if [ $(id -u) -ne 0 ]; then
 	if [ -z "$g_shorewalldir" -o "$g_shorewalldir" = /etc/$g_program ]; then
@@ -378,7 +383,7 @@ compiler() {
     #
     # Get the config from $g_shorewalldir
     #
-    [ -n "$g_shorewalldir" -a "$g_shorewalldir" != ${g_confdir} ] && get_config
+    get_config Yes
 
     case $COMMAND in
 	*start|try|refresh)
@@ -399,14 +404,15 @@ compiler() {
     [ "$1" = nolock ] && shift;
     shift
 
+    shorewallrc=${g_basedir}/shorewallrc
+    
     if [ -n "$g_export" ]; then
-	shorewallrc=$(find_file shorewallrc)
-	[ -f "$shorewallrc" ] || fatal_error "Compiling for export requires a shorewallrc file"
-    else
-	shorewallrc="${g_basedir}/shorewallrc"
+	shorewallrc1=$(find_file shorewallrc)
+	[ -f "$shorewallrc1" ] || fatal_error "Compiling for export requires a shorewallrc file"
     fi
 
     options="--verbose=$VERBOSITY --family=$g_family --config_path=$CONFIG_PATH --shorewallrc=${shorewallrc}"
+    [ -n "$shorewallrc1" ] && options="$options --shorewallrc1=${shorewallrc1}"
     [ -n "$STARTUP_LOG" ] && options="$options --log=$STARTUP_LOG"
     [ -n "$LOG_VERBOSITY" ] && options="$options --log_verbosity=$LOG_VERBOSITY";
     [ -n "$g_export" ] && options="$options --export"
@@ -420,6 +426,7 @@ compiler() {
     [ -n "$g_update" ] && options="$options --update"
     [ -n "$g_convert" ] && options="$options --convert"
     [ -n "$g_annotate" ] && options="$options --annotate"
+    [ -n "$g_directives" ] && options="$options --directives"
 
     if [ -n "$PERL" ]; then
 	if [ ! -x "$PERL" ]; then
@@ -430,15 +437,30 @@ compiler() {
 	PERL=/usr/bin/perl
     fi
 
-    if [ $g_perllib = ${g_libexec}/shorewall ]; then
+    if [ ${PERLLIBDIR} = ${LIBEXECDIR}/shorewall ]; then
 	$PERL $debugflags $pc $options $@
     else
-	PERL5LIB=$g_perllib
+	PERL5LIB=${PERLLIBDIR}
 	export PERL5LIB
 	$PERL $debugflags $pc $options $@
     fi
 }
 
+#
+# Run the postcompile user exit
+#
+run_postcompile() { # $1 is the compiled script
+    local script
+
+    script=$(find_file postcompile)
+
+    if [ -f $script ]; then
+	. $script $1
+    else
+	return 0
+    fi
+}
+
 #
 # Start Command Executor
 #
@@ -459,6 +481,7 @@ start_command() {
 	    progress_message3 "Compiling..."
 
 	    if compiler $g_debugging $nolock compile ${VARDIR}/.start; then
+		run_postcompile ${VARDIR}/.start
 		[ -n "$nolock" ] || mutex_on
 		run_it ${VARDIR}/.start $g_debugging start
 		rc=$?
@@ -603,6 +626,7 @@ compile_command() {
 		    case $option in
 			e*)
 			    g_export=Yes
+			    g_shorewalldir='.'
 			    option=${option#e}
 			    ;;
 			p*)
@@ -641,14 +665,14 @@ compile_command() {
 
     case $# in
 	0)
-	    file=${VARDIR}/firewall
+	    [ -n "$g_export" ] && file=firewall || file=${VARDIR}/firewall
 	    ;;
 	1)
 	    file=$1
 	    [ -d $file ] && echo "   ERROR: $file is a directory" >&2 && exit 2;
 	    ;;
 	2)
-	    [ -n "$g_shorewalldir" ] && usage 2
+	    [ -n "$g_shorewalldir" -a -z "$g_export" ] && usage 2
 
 	    if [ ! -d $1 ]; then
 		if [ -e $1 ]; then
@@ -668,7 +692,7 @@ compile_command() {
 
     [ "x$file" = x- ] || progress_message3 "Compiling..."
 
-    compiler $g_debugging compile $file
+    compiler $g_debugging compile $file && run_postcompile $file
 }
 
 #
@@ -692,6 +716,7 @@ check_command() {
 			    ;;
 			e*)
 			    g_export=Yes
+			    g_shorewalldir='.'
 			    option=${option#e}
 			    ;;
 			p*)
@@ -710,10 +735,6 @@ check_command() {
 			    g_confess=Yes
 			    option=${option#T}
 			    ;;
-			a*)
-			    g_annotate=Yes
-			    option=${option#a}
-			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -731,7 +752,7 @@ check_command() {
 	0)
 	    ;;
 	1)
-	    [ -n "$g_shorewalldir" ] && usage 2
+	    [ -n "$g_shorewalldir" -a -z "$g_export" ] && usage 2
 
 	    if [ ! -d $1 ]; then
 		if [ -e $1 ]; then
@@ -802,6 +823,10 @@ update_command() {
 			    g_convert=Yes
 			    option=${option#b}
 			    ;;
+			D*)
+			    g_directives=Yes
+			    option=${option#D}
+			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -934,6 +959,7 @@ restart_command() {
 	progress_message3 "Compiling..."
 
 	if compiler $g_debugging $nolock compile ${VARDIR}/.restart; then
+	    run_postcompile ${VARDIR}/.restart
 	    [ -n "$nolock" ] || mutex_on
 	    run_it ${VARDIR}/.restart $g_debugging restart
 	    rc=$?
@@ -1025,6 +1051,7 @@ refresh_command() {
     progress_message3 "Compiling..."
 
     if compiler $g_debugging $nolock compile ${VARDIR}/.refresh; then
+	run_postcompile ${VARDIR}/.refresh
 	[ -n "$nolock" ] || mutex_on
 	run_it ${VARDIR}/.refresh $g_debugging refresh
 	rc=$?
@@ -1139,6 +1166,8 @@ safe_commands() {
 	exit $status
     fi
 
+    run_postcompile ${VARDIR}/.$command
+
     case $command in
 	start)
 	    RESTOREFILE=NONE
@@ -1270,6 +1299,8 @@ try_command() {
 	exit $status
     fi
 
+    run_postcompile ${VARDIR}/.restart
+
     case $command in
 	start)
 	    RESTOREFILE=NONE
@@ -1285,7 +1316,7 @@ try_command() {
 
     [ -n "$nolock" ] || mutex_on
 
-    if run_it ${VARDIR}/.$command $command && [ -n "$timeout" ]; then
+    if run_it ${VARDIR}/.$command $g_debugging $command && [ -n "$timeout" ]; then
 	sleep $timeout
 
 	if [ "$command" = "restart" ]; then
@@ -1638,7 +1669,7 @@ usage() # $1 = exit status
     echo "   status"
     echo "   stop"
     echo "   try <directory> [ <timeout> ]"
-    echo "   update [ -a ] [ -b ] [ -r ] [ -T ] [ <directory> ]"
+    echo "   update [ -a ] [ -b ] [ -r ] [ -T ] [ -D ] [ <directory> ]"
     echo "   version [ -a ]"
     echo
     exit $1
@@ -1648,7 +1679,6 @@ compiler_command() {
 
     case $COMMAND in
 	compile)
-	    get_config Yes
 	    shift
 	    compile_command $@
 	    ;;
@@ -1658,7 +1688,6 @@ compiler_command() {
 	    refresh_command $@
 	    ;;
 	check)
-	    get_config Yes
 	    shift
 	    check_command $@
 	    ;;