Correct typo in shorewall-masq(5)

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/configure

@@ -76,7 +76,7 @@ for p in $@; do
 		    pn=HOST
 		    ;;
 		SHAREDSTATEDIR)
-		    pn=VARDIR
+		    pn=VARLIB
 		    ;;
 		DATADIR)
 		    pn=SHAREDIR
@@ -161,6 +161,17 @@ if [ $# -gt 0 ]; then
     echo '#'           >> shorewallrc
 fi
 
+if [ -n "${options[VARLIB]}" ]; then
+    if [ -z "${options[VARDIR]}" ]; then
+	options[VARDIR]='${VARLIB}/${PRODUCT}'
+    fi
+elif [ -n "${options[VARDIR]}" ]; then
+    if [ -z "{$options[VARLIB]}" ]; then
+	options[VARLIB]=${options[VARDIR]}
+	options[VARDIR]='${VARLIB}/${PRODUCT}'
+    fi
+fi
+
 for on in \
     HOST \
     PREFIX \
@@ -180,6 +191,7 @@ for on in \
     SYSCONFDIR \
     SPARSE \
     ANNOTATED \
+    VARLIB \
     VARDIR
 do
     echo "$on=${options[${on}]}"

Shorewall-core/configure.pl

@@ -38,7 +38,7 @@ my %params;
 my %options;
 
 my %aliases = ( VENDOR         => 'HOST',
-		SHAREDSTATEDIR => 'VARDIR',
+		SHAREDSTATEDIR => 'VARLIB',
 		DATADIR        => 'SHAREDIR' );
 
 for ( @ARGV ) {
@@ -123,6 +123,15 @@ printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s %2d
 
 print  $outfile "# Input: @ARGV\n#\n" if @ARGV;
 
+if ( $options{VARLIB} ) {
+    unless ( $options{VARDIR} ) {
+	$options{VARDIR} = '${VARLIB}/${PRODUCT}';
+    }
+} elsif ( $options{VARDIR} ) {
+    $options{VARLIB} = $options{VARDIR};
+    $options{VARDIR} = '${VARLIB}/${PRODUCT}';
+}
+
 for ( qw/ HOST
 	  PREFIX
 	  SHAREDIR
@@ -141,6 +150,7 @@ for ( qw/ HOST
 	  SYSCONFDIR
 	  SPARSE
 	  ANNOTATED
+	  VARLIB
 	  VARDIR / ) {
 
     my $val = $options{$_} || '';

Shorewall-core/install.sh

@@ -164,7 +164,18 @@ else
     usage 1
 fi
 
-for var in SHAREDIR LIBEXECDIR PERLLIBDIR CONFDIR SBINDIR VARDIR; do
+update=0
+
+if [ -z "${VARLIB}" ]; then
+    VARLIB=${VARDIR}
+    VARDIR="${VARLIB}/${PRODUCT}"
+    update=1
+elif [ -z "${VARDIR}" ]; then
+    VARDIR="${VARLIB}/${PRODUCT}"
+    update=2
+fi
+
+for var in SHAREDIR LIBEXECDIR PERLLIBDIR CONFDIR SBINDIR VARLIB VARDIR; do
     require $var
 done
 
@@ -346,9 +357,25 @@ ln -sf lib.base ${DESTDIR}${SHAREDIR}/shorewall/functions
 echo "$VERSION" > ${DESTDIR}${SHAREDIR}/shorewall/coreversion
 chmod 644 ${DESTDIR}${SHAREDIR}/shorewall/coreversion
 
-[ $file != "${SHAREDIR}/shorewall/shorewallrc" ] && cp $file ${DESTDIR}${SHAREDIR}/shorewall/shorewallrc
+if [ -z "${DESTDIR}" ]; then
+    if [ $update -ne 0 ]; then
+	echo "Updating $file - original saved in $file.bak"
 
-[ -z "${DESTDIR}" ] && [ ! -f ~/.shorewallrc ] && cp ${SHAREDIR}/shorewall/shorewallrc ~/.shorewallrc
+	cp $file $file.bak
+
+	echo '#'                                             >> $file
+	echo "# Updated by Shorewall-core $VERSION -" `date` >> $file
+	echo '#'                                             >> $file
+
+	[ $update -eq 1 ] && sed -i 's/VARDIR/VARLIB/' $file
+
+	echo 'VARDIR=${VARLIB}/${PRODUCT}' >> $file
+    fi
+
+    [ ! -f ~/.shorewallrc ] && cp ${SHAREDIR}/shorewall/shorewallrc ~/.shorewallrc
+fi
+
+[ $file != "${DESTDIR}${SHAREDIR}/shorewall/shorewallrc" ] && cp $file ${DESTDIR}${SHAREDIR}/shorewall/shorewallrc
 
 if [ ${SHAREDIR} != /usr/share ]; then
     for f in lib.*; do

Shorewall-core/lib.base

@@ -20,15 +20,11 @@
 #	along with this program; if not, write to the Free Software
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-# This library contains the code common to all Shorewall components.
-#
-# - It is loaded by /sbin/shorewall.
-# - It is released as part of Shorewall[6] Lite where it is used by /sbin/shorewall[6]-lite
-#   and /usr/share/shorewall[6]-lite/shorecap.
+# This library contains the code common to all Shorewall components except the
+# generated scripts.
 #
 
-SHOREWALL_LIBVERSION=40502
-SHOREWALL_CAPVERSION=40507
+SHOREWALL_LIBVERSION=40509
 
 [ -n "${g_program:=shorewall}" ]
 
@@ -38,11 +34,7 @@ if [ -z "$g_readrc" ]; then
     #
     . /usr/share/shorewall/shorewallrc
 
-    g_libexec="$LIBEXECDIR"
     g_sharedir="$SHAREDIR"/$g_program
-    g_sbindir="$SBINDIR"
-    g_perllib="$PERLLIBDIR"
-    g_vardir="$VARDIR"
     g_confdir="$CONFDIR"/$g_program
     g_readrc=1
 fi
@@ -53,13 +45,13 @@ case $g_program in
     shorewall)
 	g_product="Shorewall"
 	g_family=4
-	g_tool=
+	g_tool=iptables
 	g_lite=
 	;;
     shorewall6)
 	g_product="Shorewall6"
 	g_family=6
-	g_tool=
+	g_tool=ip6tables
 	g_lite=
 	;;
     shorewall-lite)
@@ -76,7 +68,12 @@ case $g_program in
 	;;
 esac
 
-VARDIR=${VARDIR}/${g_program}
+if [ -z "${VARLIB}" ]; then
+    VARLIB=${VARDIR}
+    VARDIR=${VARLIB}/$g_program
+elif [ -z "${VARDIR}" ]; then
+    VARDIR="${VARLIB}/${PRODUCT}"
+fi
 
 #
 # Conditionally produce message

Shorewall-core/lib.cli

@@ -21,20 +21,21 @@
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # This library contains the command processing code common to /sbin/shorewall[6] and
-# /sbin/shorewall[6]-lite.
+# /sbin/shorewall[6]-lite. In Shorewall and Shorewall6, the lib.cli-std library is 
+# loaded after this one and replaces some of the functions declared here.
 #
 
+SHOREWALL_CAPVERSION=40509
+
+[ -n "${g_program:=shorewall}" ]
+
 if [ -z "$g_readrc" ]; then
     #
     # This is modified by the installer when ${SHAREDIR} <> /usr/share
     #
     . /usr/share/shorewall/shorewallrc
 
-    g_libexec="$LIBEXECDIR"
     g_sharedir="$SHAREDIR"/$g_program
-    g_sbindir="$SBINDIR"
-    g_perllib="$PERLLIBDIR"
-    g_vardir="$VARDIR"
     g_confdir="$CONFDIR"/$g_program
     g_readrc=1
 fi
@@ -435,21 +436,42 @@ save_config() {
 #
 sort_routes() {
     local dest
+    local second
     local rest
-    local crvsn
+    local vlsm
+    local maxvlsm
+    local rule
 
-    while read dest rest; do
+    if [ $g_family -eq 4 ]; then
+	maxvlsm=032
+    else
+	maxvlsm=128
+    fi
+
+    while read dest second rest; do
 	if [ -n "$dest" ]; then
+	    rule="$dest $second $rest"
 	    case "$dest" in
 		default)
-		    echo "00 $dest $rest"
+		    echo "000 $rule"
 		    ;;
+		blackhole|local)
+		    case "$second" in
 			*/*)
-		    crvsn=${dest#*/}
-		    printf "%02d %s\n" $crvsn "$dest $rest"
+			    vlsm=${second#*/}
+			    printf "%03d %s\n" $vlsm "$rule"
 			    ;;
 			*)
-		    echo "32 $dest $rest"
+			    echo "$maxvlsm $rule"
+			    ;;
+		    esac
+		    ;;
+		*/*)
+		    vlsm=${dest#*/}
+		    printf "%03d %s\n" $vlsm "$rule"
+		    ;;
+		*)
+		    echo "$maxvlsm $rule"
 		    ;;
 	    esac
 	fi
@@ -480,7 +502,7 @@ show_routing() {
 	ip -$g_family rule list | find_tables | sort -u | while read table; do
 	    heading "Table $table:"
 	    if [ $g_family -eq 6 ]; then
-		ip -$g_family -o route list table $table | fgrep -v cache
+		ip -$g_family -o route list table $table | fgrep -v cache | sort_routes
 	    else
 		ip -4 -o route list table $table | sort_routes
 	    fi
@@ -493,13 +515,33 @@ show_routing() {
     else
 	heading "Routing Table"
 	if [ $g_family -eq 6 ]; then
-	    ip -$g_family -o route list | fgrep -v cache
+	    ip -$g_family -o route list | fgrep -v cache | sort_routes
 	else
 	    ip -4 -o route list table $table | sort_routes
 	fi
     fi
 }
 
+determine_ipset_version() {
+    local setname
+
+    if [ -z "$IPSET" -o $IPSET = ipset ]; then
+	IPSET=$(mywhich ipset)
+	[ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"
+    fi
+
+    setname=fooX$$
+
+    qt ipset -X $setname # Just in case something went wrong the last time
+
+    if qt ipset -N $setname hash:ip family inet; then
+	qt ipset -X $setname
+	IPSETN="$IPSET"
+    else
+	IPSETN="$IPSET -n"
+    fi
+}
+
 #
 # 'list dynamic' command executor
 #
@@ -507,7 +549,7 @@ find_sets() {
     local junk
     local setname
 
-    ipset -L -n | grep "^Name: ${1}_" | while read junk setname; do echo $setname; done
+    $IPSETN -L | egrep "^Name: ${1}(_.+)?$" | while read junk setname; do echo $setname; done
 }
 
 list_zone() {
@@ -515,19 +557,19 @@ list_zone() {
     local sets
     local setname
 
-    [ -n "$(mywhich ipset)" ] || fatal_error "The ipset utility cannot be located"
+    determine_ipset_version
 
     if [ $g_family -eq 4 ]; then
-	sets=$(ipset -L -n | grep '^$1_');
+	sets=$($IPSETN -L | egrep "^$1(_.+)?");
      else
-	sets=$(ipset -L -n | grep "^6_$1_")
+	sets=$($IPSETN -L | egrep "^6_$1(_.+)?")
     fi
 
     [ -n "$sets" ] || sets=$(find_sets $1)
 
     for setname in $sets; do
 	echo "${setname#${1}_}:"
-	ipset -L $setname -n | awk 'BEGIN        {prnt=0;}; \
+	$IPSETN -L $setname | awk 'BEGIN        {prnt=0;}; \
                                    /^Members:/  {prnt=1; next; }; \
                                    /^Bindings:/ {prnt=0; }; \
                                                 { if (prnt == 1) print "   ", $1; };'
@@ -639,6 +681,8 @@ show_command() {
     table=filter
     local table_given
     table_given=
+    local output_filter
+    output_filter=cat
 
     show_macro() {
 	foo=`grep 'This macro' $macro | sed 's/This macro //'`
@@ -653,6 +697,16 @@ show_command() {
 	fi
     }
 
+    # eliminates rules which have not been used from ip*tables' output
+    brief_output() {
+	awk \
+	'/^Chain /  { heading1 = $0; getline heading2; printed = 0; next; };
+         /^ +0 +0 / { next; };
+         /^$/       { if ( printed == 1 ) { print $0; }; next; };
+                    { if ( printed == 0 ) { print heading1; print heading2; printed = 1 }; };
+	            { print; }';
+    }
+
     while [ $finished -eq 0 -a $# -gt 0 ]; do
 	option=$1
 	case $option in
@@ -705,6 +759,10 @@ show_command() {
 			    g_routecache=Yes
 			    option=${option#c}
 			    ;;
+			b*)
+			    output_filter=brief_output
+			    option=${option#b}
+			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -722,6 +780,7 @@ show_command() {
 
 
     [ -n "$g_debugging" ] && set -x
+
     case "$1" in
 	connections)
 	    [ $# -gt 1 ] && usage 1
@@ -765,28 +824,28 @@ show_command() {
 	    echo "$g_product $SHOREWALL_VERSION NAT Table at $g_hostname - $(date)"
 	    echo
 	    show_reset
-	    $g_tool -t nat -L $g_ipt_options
+	    $g_tool -t nat -L $g_ipt_options | $output_filter
 	    ;;
 	raw)
 	    [ $# -gt 1 ] && usage 1
 	    echo "$g_product $SHOREWALL_VERSION RAW Table at $g_hostname - $(date)"
 	    echo
 	    show_reset
-	    $g_tool -t raw -L $g_ipt_options
+	    $g_tool -t raw -L $g_ipt_options | $output_filter
 	    ;;
 	rawpost)
 	    [ $# -gt 1 ] && usage 1
 	    echo "$g_product $SHOREWALL_VERSION RAWPOST Table at $g_hostname - $(date)"
 	    echo
 	    show_reset
-	    $g_tool -t rawpost -L $g_ipt_options
+	    $g_tool -t rawpost -L $g_ipt_options | $output_filter
 	    ;;
 	tos|mangle)
 	    [ $# -gt 1 ] && usage 1
 	    echo "$g_product $SHOREWALL_VERSION Mangle Table at $g_hostname - $(date)"
 	    echo
 	    show_reset
-	    $g_tool -t mangle -L $g_ipt_options
+	    $g_tool -t mangle -L $g_ipt_options | $output_filter
 	    ;;
 	log)
 	    [ $# -gt 2 ] && usage 1
@@ -822,7 +881,7 @@ show_command() {
 	    shift
 
 	    if [ -z "$1" ]; then
-		$g_tool -t mangle -L -n -v
+		$g_tool -t mangle -L -n -v | $output_filter
 		echo
 	    fi
 
@@ -885,15 +944,15 @@ show_command() {
 	    if [ -n "$g_filemode" ]; then
 		echo "CONFIG_PATH=$CONFIG_PATH"
 		echo "VARDIR=$VARDIR"
-		echo "LIBEXEC=$g_libexec"
-		echo "SBINDIR=$g_sbindir"
+		echo "LIBEXEC=${LIBEXECDIR}"
+		echo "SBINDIR=${SBINDIR}"
 		echo "CONFDIR=${CONFDIR}"
 		[ -n "$g_lite" ] && [ ${VARDIR} != /var/lib/$g_program ] && echo "LITEDIR=${VARDIR}"
 	    else
 		echo "Default CONFIG_PATH is $CONFIG_PATH"
 		echo "Default VARDIR is /var/lib/$g_program"
-		echo "LIBEXEC is $g_libexec"
-		echo "SBINDIR is $g_sbindir"
+		echo "LIBEXEC is ${LIBEXECDIR}"
+		echo "SBINDIR is ${SBINDIR}"
 		echo "CONFDIR is ${CONFDIR}"
 		[ -n "$g_lite" ] && [ ${VARDIR} != /var/lib/$g_program ] && echo "LITEDIR is ${VARDIR}"
 	    fi
@@ -905,11 +964,11 @@ show_command() {
 	    show_reset
 	    if [ $# -gt 0 ]; then
 		for chain in $*; do
-		    $g_tool -t $table -L $chain $g_ipt_options
+		    $g_tool -t $table -L $chain $g_ipt_options | $output_filter
 		    echo
 		done
 	    else
-		$g_tool -t $table -L $g_ipt_options
+		$g_tool -t $table -L $g_ipt_options | $output_filter
 	    fi
 	    ;;
 	vardir)
@@ -1027,14 +1086,14 @@ show_command() {
 		echo
 		show_reset
 		for chain in $*; do
-		    $g_tool -t $table -L $chain $g_ipt_options
+		    $g_tool -t $table -L $chain $g_ipt_options | $output_filter
 		    echo
 		done
 	    else
 		echo "$g_product $SHOREWALL_VERSION $table Table at $g_hostname - $(date)"
 		echo
 		show_reset
-		$g_tool -t $table -L $g_ipt_options
+		$g_tool -t $table -L $g_ipt_options | $output_filter
 	    fi
 	    ;;
     esac
@@ -1147,7 +1206,7 @@ do_dump_command() {
 	elif [ -r $LOGFILE ]; then
 	    g_logread="tac $LOGFILE"
 	else
-	    echo "LOGFILE ($LOGFILE) does not exist!" >&2
+	    echo "LOGFILE ($LOGFILE) does not exist! - See http://www.shorewall.net/shorewall_logging.html" >&2
 	    exit 2
 	fi
     fi
@@ -1590,19 +1649,19 @@ add_command() {
 	exit 2
     fi
 
-    case "$IPSET" in
-	*/*)
-	    ;;
-	*)
-	    [ -n "$(mywhich $IPSET)" ] || fatal_error "The $IPSET utility cannot be located"
-	    ;;
-    esac
-    #
-    # Normalize host list
-    #
+    determine_ipset_version
+
+    case $1 in
+	*:*)
 	    while [ $# -gt 1 ]; do
+		if [ $g_family -eq 4 ]; then
 		    interface=${1%%:*}
 		    host=${1#*:}
+		else
+		    interface=${1%%|*}
+		    host=${1#*|}
+		fi
+
 		[ "$host" = "$1" ] && host=
 
 		if [ -z "$host" ]; then
@@ -1619,9 +1678,22 @@ add_command() {
 
 		shift
 	    done
+	    ;;
+	*)
+	    ipset=$1
+	    shift
+	    while [ $# -gt 0 ]; do
+		for h in $(separate_list $1); do
+		    hostlist="$hostlist $h"
+		done
+		shift
+	    done
+	    ;;
+    esac
 
     zone=$1
 
+    if [ -n "$zone" ]; then
 	for host in $hostlist; do
 	    if [ $g_family -eq 4 ]; then
 		interface=${host%:*}
@@ -1631,8 +1703,8 @@ add_command() {
 		ipset=6_${zone}_${interface};
 	    fi
 
-	if ! qt $IPSET -L $ipset -n; then
-	    fatal_error "Zone $zone, interface $interface is does not have a dynamic host list"
+	    if ! qt $IPSET -L $ipset; then
+		fatal_error "Zone $zone, interface $interface does not have a dynamic host list"
 	    fi
 
 	    host=${host#*:}
@@ -1643,7 +1715,17 @@ add_command() {
 		fatal_error "Unable to add $interface:$host to zone $zone"
 	    fi
 	done
+    else
+	qt $IPSET -L $ipset || fatal_error "Zone $ipset is not dynamic"
 
+	for host in $hostlist; do
+	    if $IPSET -A $ipset $host; then
+		echo "Host $host added to zone $ipset"
+	    else
+		fatal_error "Unable to add $host to zone $ipset"
+	    fi
+	done
+    fi
 }
 
 #
@@ -1656,20 +1738,19 @@ delete_command() {
 	exit 2;
     fi
 
-    case "$IPSET" in
-	*/*)
-	    ;;
-	*)
-	    [ -n "$(mywhich $IPSET)" ] || fatal_error "The $IPSET utility cannot be located"
-	    ;;
-    esac
+    determine_ipset_version
 
-    #
-    # Normalize host list
-    #
+    case $1 in
+	*:*)
 	    while [ $# -gt 1 ]; do
+		if [ $g_family -eq 4 ]; then
 		    interface=${1%%:*}
 		    host=${1#*:}
+		else
+		    interface=${1%%|*}
+		    host=${1#*|}
+		fi
+
 		[ "$host" = "$1" ] && host=
 
 		if [ -z "$host" ]; then
@@ -1686,31 +1767,54 @@ delete_command() {
 
 		shift
 	    done
+	    ;;
+	*)
+	    ipset=$1
+	    shift
+	    while [ $# -gt 0 ]; do
+		for h in $(separate_list $1); do
+		    hostlist="$hostlist $h"
+		done
+		shift
+	    done
+	    ;;
+    esac
 
     zone=$1
 
-    for hostent in $hostlist; do
+    if [ -n "$zone" ]; then
+	for host in $hostlist; do
 	    if [ $g_family -eq 4 ]; then
-	    interface=${hostent%:*}
+		interface=${host%:*}
 		ipset=${zone}_${interface};
 	    else
-	    interface=${hostent%%:*}
+		interface=${host%%:*}
 		ipset=6_${zone}_${interface};
 	    fi
 
 	    if ! qt $IPSET -L $ipset -n; then
-	    fatal_error "Zone $zone, interface $interface is does not have a dynamic host list"
+		fatal_error "Zone $zone, interface $interface does not have a dynamic host list"
 	    fi
 
-	host=${hostent#*:}
+	    host=${host#*:}
 
 	    if $IPSET -D $ipset $host; then
-	    echo "Host $hostent deleted from zone $zone"
+		echo "Host $host deleted from zone $zone"
 	    else
 		echo "   WARNING: Unable to delete host $hostent to zone $zone" >&2
 	    fi
 	done
+    else
+	qt $IPSET -L $ipset -n || fatal_error "Zone $ipset is not dynamic"
 
+	for host in $hostlist; do
+	    if $IPSET -D $ipset $host; then
+		echo "Host $host deleted from to zone $ipset"
+	    else
+		echo "   WARNING: Unable to delete host $host from zone $zone" >&2
+	    fi
+	done
+    fi
 }
 
 #
@@ -2020,6 +2124,7 @@ determine_capabilities() {
     GEOIP_MATCH=
     RPFILTER_MATCH=
     NFACCT_MATCH=
+    CHECKSUM_TARGET=
     AMANDA_HELPER=
     FTP_HELPER=
     FTP0_HELPER=
@@ -2181,6 +2286,7 @@ determine_capabilities() {
 	qt $g_tool -t mangle -A $chain -m dscp --dscp 0 && DSCP_MATCH=Yes
 	qt $g_tool -t mangle -A $chain -j DSCP --set-dscp 0 && DSCP_TARGET=Yes
 	qt $g_tool -t mangle -A $chain -m rpfilter && RPFILTER_MATCH=Yes
+	qt $g_tool -t mangle -A $chain -j CHECKSUM --checksum-fill && CHECKSUM_TARGET=Yes
 
 	qt $g_tool -t mangle -F $chain
 	qt $g_tool -t mangle -X $chain
@@ -2309,7 +2415,9 @@ determine_capabilities() {
     fi
 
     qt $g_tool -A $chain -j AUDIT --type drop && AUDIT_TARGET=Yes
+
     qt $g_tool -A $chain -m condition --condition foo && CONDITION_MATCH=Yes
+
     qt $g_tool -S INPUT && IPTABLES_S=Yes
     qt $g_tool -F $chain
     qt $g_tool -X $chain
@@ -2334,7 +2442,7 @@ determine_capabilities() {
     esac
 }
 
-report_capabilities() {
+report_capabilities_unsorted() {
     report_capability() # $1 = Capability Description , $2 Capability Setting (if any)
     {
 	local setting
@@ -2345,8 +2453,6 @@ report_capabilities() {
 	echo "  " $1: $setting
     }
 
-    if [ $VERBOSITY -gt 1 ]; then
-	echo "$g_product has detected the following iptables/netfilter capabilities:"
     report_capability "NAT (NAT_ENABLED)" $NAT_ENABLED
     report_capability "Packet Mangling (MANGLE_ENABLED)" $MANGLE_ENABLED
     report_capability "Multi-port Match (MULTIPORT)" $MULTIPORT
@@ -2417,6 +2523,8 @@ report_capabilities() {
     report_capability "Geo IP match" $GEOIP_MATCH
     report_capability "RPFilter match" $RPFILTER_MATCH
     report_capability "NFAcct match" $NFACCT_MATCH
+    report_capability "Checksum Target" $CHECKSUM_TARGET
+
     report_capability "Amanda Helper" $AMANDA_HELPER
     report_capability "FTP Helper" $FTP_HELPER
     report_capability "FTP-0 Helper" $FTP0_HELPER
@@ -2444,21 +2552,25 @@ report_capabilities() {
 
     echo "   Kernel Version (KERNELVERSION): $KERNELVERSION"
     echo "   Capabilities Version (CAPVERSION): $CAPVERSION"
+}
+
+report_capabilities() {
+
+    if [ $VERBOSITY -gt 1 ]; then
+	echo "$g_product has detected the following iptables/netfilter capabilities:"
+	report_capabilities_unsorted | sort
     fi
 
     [ -n "$PKTTYPE" ] || USEPKTTYPE=
 
 }
 
-report_capabilities1() {
+report_capabilities_unsorted1() {
     report_capability1() # $1 = Capability
     {
 	eval echo $1=\$$1
     }
 
-    echo "#"
-    echo "# $g_product $SHOREWALL_VERSION detected the following iptables/netfilter capabilities - $(date)"
-    echo "#"
     report_capability1 NAT_ENABLED
     report_capability1 MANGLE_ENABLED
     report_capability1 MULTIPORT
@@ -2528,6 +2640,8 @@ report_capabilities1() {
     report_capability1 GEOIP_MATCH
     report_capability1 RPFILTER_MATCH
     report_capability1 NFACCT_MATCH
+    report_capability1 CHECKSUM_TARGET
+
     report_capability1 AMANDA_HELPER
     report_capability1 FTP_HELPER
     report_capability1 FTP0_HELPER
@@ -2548,6 +2662,13 @@ report_capabilities1() {
     echo KERNELVERSION=$KERNELVERSION
 }
 
+report_capabilities1() {
+    echo "#"
+    echo "# $g_product $SHOREWALL_VERSION detected the following iptables/netfilter capabilities - $(date)"
+    echo "#"
+    report_capabilities_unsorted1 | sort
+}
+
 show_status() {
     if product_is_started ; then
 	echo "$g_product is running"
@@ -2868,7 +2989,27 @@ get_config() {
 	exit 2
     fi
 
-    IPSET=ipset
+    if [ -n "$IPSET" ]; then
+	case "$IPSET" in
+	    */*)
+		if [ ! -x "$IPSET" ] ; then
+		    echo "   ERROR: The program specified in IPSET ($IPSET) does not exist or is not executable" >&2
+		    exit 2
+		fi
+		;;
+	    *)
+		prog="$(mywhich $IPSET 2> /dev/null)"
+		if [ -z "$prog" ] ; then
+		    echo "   ERROR: Can't find $IPSET executable" >&2
+		    exit 2
+		fi
+		IPSET=$prog
+		;;
+	esac
+    else
+	IPSET=''
+    fi
+
     TC=tc
 
 }
@@ -3072,7 +3213,7 @@ usage() # $1 = exit status
     echo "   restart [ -n ] [ -p ] [ -f ] [ <directory> ]"
     echo "   restore [ -n ] [ <file name> ]"
     echo "   save [ <file name> ]"
-    echo "   show [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
+    echo "   show [ -b ] [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
     echo "   show [ -f ] capabilities"
     echo "   show classifiers"
     echo "   show config"
@@ -3139,7 +3280,7 @@ shorewall_cli() {
     g_shorewalldir=
 
     VERBOSE=
-    VERBOSITY=
+    VERBOSITY=1
 
     [ -n "$g_lite" ] || . ${g_basedir}/lib.cli-std
 

Shorewall-core/lib.common

@@ -84,7 +84,7 @@ get_script_version() { # $1 = script
 
     temp=$( $SHOREWALL_SHELL $1 version | tail -n 1 | sed 's/-.*//' )
 
-    if [ $? -ne 0 ]; then
+    if [ -z "$temp" ]; then
 	version=0
     else
 	ifs=$IFS

Shorewall-core/shorewallrc.apple

@@ -17,4 +17,4 @@ ANNOTATED=                             #Unused on OS X
 SYSTEMD=                               #Unused on OS X
 SYSCONFDIR=                            #Unused on OS X
 SPARSE=Yes                             #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
-VARDIR=/var/lib                        #Unused on OS X
+VARLIB=/var/lib                        #Unused on OS X

Shorewall-core/shorewallrc.archlinux

@@ -17,4 +17,5 @@ ANNOTATED=                             #If non-zero, annotated configuration fil
 SYSCONFDIR=                            #Directory where SysV init parameter files are installed
 SYSTEMD=                               #Directory where .service files are installed (systems running systemd only)
 SPARSE=                                #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
-VARDIR=/var/lib                        #Directory where product variable data is stored.
+VARLIB=/var/lib                        #Directory where product variable data is stored.
+VARDIR=${VARLIB}/$PRODUCT              #Directory where product variable data is stored.

Shorewall-core/shorewallrc.cygwin

@@ -17,4 +17,4 @@ ANNOTATED=                            #Unused on Cygwin
 SYSTEMD=                              #Unused on Cygwin
 SYSCONFDIR=                           #Unused on Cygwin
 SPARSE=Yes                            #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
-VARDIR=/var/lib                       #Unused on Cygwin
+VARLIB=/var/lib                       #Unused on Cygwin

Shorewall-core/shorewallrc.debian

@@ -18,4 +18,5 @@ SYSCONFFILE=default.debian              #Name of the distributed file to be inst
 SYSCONFDIR=/etc/default                 #Directory where SysV init parameter files are installed
 SYSTEMD=                                #Directory where .service files are installed (systems running systemd only)
 SPARSE=Yes                              #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
-VARDIR=/var/lib                         #Directory where product variable data is stored.
+VARLIB=/var/lib                         #Directory where product variable data is stored.
+VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.

Shorewall-core/shorewallrc.default

@@ -10,7 +10,7 @@ PERLLIBDIR=${PREFIX}/share/shorewall    #Directory to install Shorewall Perl mod
 CONFDIR=/etc                            #Directory where subsystem configurations are installed
 SBINDIR=/sbin                           #Directory where system administration programs are installed
 MANDIR=${PREFIX}/man                    #Directory where manpages are installed.
-INITDIR=etc/init.d                      #Directory where SysV init scripts are installed.
+INITDIR=/etc/init.d                     #Directory where SysV init scripts are installed.
 INITFILE=$PRODUCT                       #Name of the product's installed SysV init script
 INITSOURCE=init.sh                      #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                              #If non-zero, annotated configuration files are installed
@@ -18,4 +18,5 @@ SYSTEMD=                                #Directory where .service files are inst
 SYSCONFFILE=                            #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=                             #Directory where SysV init parameter files are installed
 SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
-VARDIR=/var/lib                         #Directory where product variable data is stored.
+VARLIB=/var/lib                         #Directory where product variable data is stored.
+VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.

Shorewall-core/shorewallrc.redhat

@@ -18,4 +18,5 @@ SYSTEMD=/lib/systemd/system             #Directory where .service files are inst
 SYSCONFFILE=sysconfig                   #Name of the distributed file to be installed as $SYSCONFDIR/$PRODUCT
 SYSCONFDIR=/etc/sysconfig/              #Directory where SysV init parameter files are installed
 SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
-VARDIR=/var/lib                         #Directory where product variable data is stored.
+VARLIB=/var/lib                         #Directory where product variable data is stored.
+VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.

Shorewall-core/shorewallrc.slackware

@@ -19,4 +19,5 @@ SYSTEMD=                                   #Name of the directory where .service
 SYSCONFFILE=                               #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=                                #Name of the directory where SysV init parameter files are installed.
 ANNOTATED=                                 #If non-empty, install annotated configuration files
-VARDIR=/var/lib                            #Directory where product variable data is stored.
+VARLIB=/var/lib                            #Directory where product variable data is stored.
+VARDIR=${VARLIB}/$PRODUCT                  #Directory where product variable data is stored.

Shorewall-core/shorewallrc.suse

@@ -18,4 +18,5 @@ SYSTEMD=                                              #Directory where .service
 SYSCONFFILE=                                          #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=/etc/sysconfig/                            #Directory where SysV init parameter files are installed
 SPARSE=                                               #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
-VARDIR=/var/lib                                       #Directory where persistent product data is stored.
+VARLIB=/var/lib                                       #Directory where persistent product data is stored.
+VARDIR=${VARLIB}/$PRODUCT                             #Directory where product variable data is stored.

Shorewall-init/ifupdown.sh

@@ -22,6 +22,21 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
+setstatedir() {
+    local statedir
+    if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
+	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
+    fi
+
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+
+    if [ ! -x $STATEDIR/firewall ]; then
+	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	    ${SBINDIR}/$PRODUCT compile
+	fi
+    fi
+}
+
 Debian_SuSE_ppp() {
     NEWPRODUCTS=
     INTERFACE="$1"
@@ -187,8 +202,10 @@ fi
 [ -n "$LOGFILE" ] || LOGFILE=/dev/null
 
 for PRODUCT in $PRODUCTS; do
-    if [ -x $VARDIR/$PRODUCT/firewall ]; then
-	  ( ${VARDIR}/$PRODUCT/firewall -V0 $COMMAND $INTERFACE >> $LOGFILE 2>&1 ) || true
+    setstatedir
+
+    if [ -x $VARLIB/$PRODUCT/firewall ]; then
+	  ( ${VARLIB}/$PRODUCT/firewall -V0 $COMMAND $INTERFACE >> $LOGFILE 2>&1 ) || true
     fi
 done
 

Shorewall-init/init.debian.sh

@@ -62,11 +62,29 @@ not_configured () {
 	exit 0
 }
 
+# set the STATEDIR variable
+setstatedir() {
+    local statedir
+    if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
+	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
+    fi
+
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+
+    if [ ! -x $STATEDIR/firewall ]; then
+	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	    ${SBINDIR}/$PRODUCT compile
+	fi
+    fi
+}
+
 #
 # The installer may alter this
 #
 . /usr/share/shorewall/shorewallrc
 
+vardir=$VARDIR
+
 # check if shorewall-init is configured or not
 if [ -f "$SYSCONFDIR/shorewall-init" ]
 then
@@ -81,27 +99,27 @@ fi
 
 # Initialize the firewall
 shorewall_start () {
-  local product
-  local VARDIR
+  local PRODUCT
+  local STATEDIR
 
   echo -n "Initializing \"Shorewall-based firewalls\": "
-  for product in $PRODUCTS; do
-      VARDIR=/var/lib/$product
-      [ -f /etc/$product/vardir ] && . /etc/$product/vardir
-      if [ -x ${VARDIR}/firewall ]; then
+  for PRODUCT in $PRODUCTS; do
+      setstatedir
+
+      if [ ! -x ${VARDIR}/$PRODUCT/firewall ]; then
+	  if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	      ${SBINDIR}/$PRODUCT compile
+	  fi
+      fi
+
+      if [ -x ${VARDIR}/$PRODUCT/firewall ]; then
 	  #
 	  # Run in a sub-shell to avoid name collisions
 	  #
 	  ( 
-	      . /usr/share/$product/lib.base
-	      #
-	      # Get mutex so the firewall state is stable
-	      #
-	      mutex_on
-	      if ! ${VARDIR}/firewall status > /dev/null 2>&1; then
-		  ${VARDIR}/firewall stop || echo_notdone
+	      if ! ${VARDIR}/$PRODUCT/firewall status > /dev/null 2>&1; then
+		  ${VARDIR}/$PRODUCT/firewall stop || echo_notdone
 	      fi
-	      mutex_off
 	  )
       fi
   done
@@ -113,19 +131,21 @@ shorewall_start () {
 
 # Clear the firewall
 shorewall_stop () {
-  local product
+  local PRODUCT
   local VARDIR
 
   echo -n "Clearing \"Shorewall-based firewalls\": "
-  for product in $PRODUCTS; do
-      VARDIR=/var/lib/$product
-      [ -f /etc/$product/vardir ] && . /etc/$product/vardir
-      if [ -x ${VARDIR}/firewall ]; then
-	  ( . /usr/share/$product/lib.base
-	    mutex_on
-	    ${VARDIR}/firewall clear || echo_notdone
-	    mutex_off
-	  )
+  for PRODUCT in $PRODUCTS; do
+      setstatedir
+
+      if [ ! -x ${VARDIR}/$PRODUCT/firewall ]; then
+	  if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	      ${SBINDIR}/$PRODUCT compile
+	  fi
+      fi
+
+      if [ -x ${VARDIR}/$PRODUCT/firewall ]; then
+	  ${VARDIR}/$PRODUCT/firewall clear || echo_notdone
       fi
   done
 

Shorewall-init/init.fedora.sh

@@ -14,13 +14,8 @@
 #                    prior to bringing up the network.  
 ### END INIT INFO
 #determine where the files were installed
-if [ -f ~/.shorewallrc ]; then
-    . ~/.shorewallrc || exit 1
-else
-    SBINDIR=/sbin
-    SYSCONFDIR=/etc/default
-    VARDIR=/var/lib
-fi
+
+. /usr/share/shorewall/shorewallrc
 
 prog="shorewall-init"
 logger="logger -i -t $prog"
@@ -29,6 +24,8 @@ lockfile="/var/lock/subsys/shorewall-init"
 # Source function library.
 . /etc/rc.d/init.d/functions
 
+vardir=$VARDIR
+
 # Get startup options (override default)
 OPTIONS=
 
@@ -40,9 +37,25 @@ else
     exit 6
 fi
 
+# set the STATEDIR variable
+setstatedir() {
+    local statedir
+    if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
+	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
+    fi
+
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+
+    if [ ! -x $STATEDIR/firewall ]; then
+	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	    ${SBINDIR}/$PRODUCT compile
+	fi
+    fi
+}
+
 # Initialize the firewall
 start () {
-    local product
+    local PRODUCT
     local vardir
 
     if [ -z "$PRODUCTS" ]; then
@@ -52,11 +65,19 @@ start () {
     fi
 
     echo -n "Initializing \"Shorewall-based firewalls\": "
-    for product in $PRODUCTS; do
-	if [ -x ${VARDIR}/$product/firewall ]; then
-	    ${VARDIR}/$product/firewall stop 2>&1 | $logger
+    for PRODUCT in $PRODUCTS; do
+	setstatedir
+
+	if [ ! -x ${VARDIR}/firewall ]; then
+	    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+		${SBINDIR}/$PRODUCT compile
+	    fi
+	fi
+
+	if [ -x ${VARDIR}/$PRODUCT/firewall ]; then
+	    ${VARDIR}/$PRODUCT/firewall stop 2>&1 | $logger
 	    retval=${PIPESTATUS[0]}
-	    [ retval -ne 0 ] && break
+	    [ $retval -ne 0 ] && break
 	fi
     done
 
@@ -72,15 +93,23 @@ start () {
 
 # Clear the firewall
 stop () {
-    local product
+    local PRODUCT
     local vardir
 
     echo -n "Clearing \"Shorewall-based firewalls\": "
-    for product in $PRODUCTS; do
-	if [ -x ${VARDIR}/$product/firewall ]; then
-	    ${VARDIR}/$product/firewall clear 2>&1 | $logger
+    for PRODUCT in $PRODUCTS; do
+	setstatedir
+
+	if [ ! -x ${VARDIR}/firewall ]; then
+	    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+		${SBINDIR}/$PRODUCT compile
+	    fi
+	fi
+
+	if [ -x ${VARDIR}/$PRODUCT/firewall ]; then
+	    ${VARDIR}/$PRODUCT/firewall clear 2>&1 | $logger
 	    retval=${PIPESTATUS[0]}
-	    [ retval -ne 0 ] && break
+	    [ $retval -ne 0 ] && break
 	fi
     done
 
@@ -107,11 +136,7 @@ case "$1" in
 	status_q || exit 0
 	$1
 	;;
-    restart|reload|force-reload)
-	echo "Not implemented"
-	exit 3
-	;;
-    condrestart|try-restart)
+    restart|reload|force-reload|condrestart|try-restart)
 	echo "Not implemented"
 	exit 3
 	;;
@@ -119,7 +144,7 @@ case "$1" in
 	status $prog
 	;;
   *)
-	echo "Usage: /etc/init.d/shorewall-init {start|stop}"
+	echo "Usage: /etc/init.d/shorewall-init {start|stop|status}"
 	exit 1
 esac
 

Shorewall-init/init.sh

@@ -58,16 +58,34 @@ fi
 #
 . /usr/share/shorewall/shorewallrc
 
+# Locate the current PRODUCT's statedir
+setstatedir() {
+    local statedir
+    if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
+	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
+    fi
+
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+
+    if [ ! -x $STATEDIR/firewall ]; then
+	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	    ${SBINDIR}/$PRODUCT compile $STATEDIR/firewall
+	fi
+    fi
+}
+
 # Initialize the firewall
 shorewall_start () {
   local PRODUCT
-  local VARDIR
+  local STATEDIR
 
   echo -n "Initializing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
-      if [ -x ${VARDIR}/firewall ]; then
+      setstatedir
+
+      if [ -x ${STATEDIR}/firewall ]; then
 	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
-	      ${VARDIR}/firewall stop || echo_notdone
+	      ${STATEDIR}/firewall stop || echo_notdone
 	  fi
       fi
   done
@@ -86,6 +104,14 @@ shorewall_stop () {
 
   echo -n "Clearing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
+      setstatedir
+
+      if [ ! -x ${VARDIR}/firewall ]; then
+	  if [ $PRODUCT = shorewall -o $product = shorewall6 ]; then
+	      ${SBINDIR}/$PRODUCT compile
+	  fi
+      fi
+
       if [ -x ${VARDIR}/firewall ]; then
 	  ${VARDIR}/firewall clear || exit 1
       fi

Shorewall-init/init.suse.sh

@@ -57,16 +57,34 @@ fi
 #
 . /usr/share/shorewall/shorewallrc
 
+# set the STATEDIR variable
+setstatedir() {
+    local statedir
+    if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
+	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
+    fi
+
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+
+    if [ ! -x $STATEDIR/firewall ]; then
+	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	    ${SBINDIR}/$PRODUCT compile
+	fi
+    fi
+}
+
 # Initialize the firewall
 shorewall_start () {
   local PRODUCT
-  local VARDIR
+  local STATEDIR
 
   echo -n "Initializing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
-      if [ -x ${VARDIR}/firewall ]; then
+      setstatedir
+
+      if [ -x $STATEDIR/firewall ]; then
 	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
-	      ${VARDIR}/firewall stop || echo_notdone
+	      $STATEDIR/$PRODUCT/firewall stop || echo_notdone
 	  fi
       fi
   done
@@ -81,12 +99,14 @@ shorewall_start () {
 # Clear the firewall
 shorewall_stop () {
   local PRODUCT
-  local VARDIR
+  local STATEDIR
 
   echo -n "Clearing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
-      if [ -x ${VARDIR}/firewall ]; then
-	  ${VARDIR}/firewall clear || exit 1
+      setstatedir
+
+      if [ -x ${STATEDIR}/firewall ]; then
+	  ${STATEDIR}/firewall clear || exit 1
       fi
   done
 

Shorewall-init/install.sh

@@ -160,7 +160,14 @@ else
     usage 1
 fi
 
-for var in SHAREDIR LIBEXECDIR CONFDIR SBINDIR VARDIR; do
+if [ -z "${VARLIB}" ]; then
+    VARLIB=${VARDIR}
+    VARDIR=${VARLIB}/${PRODUCT}
+elif [ -z "${VARDIR}" ]; then
+    VARDIR=${VARLIB}/${PRODUCT}
+fi
+
+for var in SHAREDIR LIBEXECDIR CONFDIR SBINDIR VARLIB VARDIR; do
     require $var
 done
 
@@ -285,6 +292,7 @@ fi
 if [ -n "$SYSTEMD" ]; then
     mkdir -p ${DESTDIR}${SYSTEMD}
     run_install $OWNERSHIP -m 600 shorewall-init.service ${DESTDIR}${SYSTEMD}/shorewall-init.service
+    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/shorewall-init.service
     echo "Service file installed as ${DESTDIR}${SYSTEMD}/shorewall-init.service"
     if [ -n "$DESTDIR" ]; then
 	mkdir -p ${DESTDIR}${SBINDIR}

Shorewall-lite/install.sh

@@ -171,7 +171,14 @@ else
     usage 1
 fi
 
-for var in SHAREDIR LIBEXECDIRDIRDIR CONFDIR SBINDIR VARDIR; do
+if [ -z "${VARLIB}" ]; then
+    VARLIB=${VARDIR}
+    VARDIR=${VARLIB}/${PRODUCT}
+elif [ -z "${VARDIR}" ]; then
+    VARDIR=${VARLIB}/${PRODUCT}
+fi
+
+for var in SHAREDIR LIBEXECDIRDIRDIR CONFDIR SBINDIR VARLIB VARDIR; do
     require $var
 done
 
@@ -182,7 +189,6 @@ PATH=${SBINDIR}:/bin:/usr${SBINDIR}:/usr/bin:/usr/local/bin:/usr/local${SBINDIR}
 #
 cygwin=
 INSTALLD='-D'
-INITFILE=$PRODUCT
 T='-T'
 
 if [ -z "$BUILD" ]; then
@@ -274,21 +280,11 @@ if [ -n "$DESTDIR" ]; then
 
     install -d $OWNERSHIP -m 755 ${DESTDIR}/${SBINDIR}
     install -d $OWNERSHIP -m 755 ${DESTDIR}${INITDIR}
-
-    if [ -n "$SYSTEMD" ]; then
-	mkdir -p ${DESTDIR}/lib/systemd/system
-	INITFILE=
-    fi
 else
     if [ ! -f /usr/share/shorewall/coreversion ]; then
 	echo "$PRODUCT $VERSION requires Shorewall Core which does not appear to be installed" >&2
 	exit 1
     fi
-
-    if [ -f /lib/systemd/system ]; then
-	SYSTEMD=Yes
-	INITFILE=
-    fi
 fi
 
 echo "Installing $Product Version $VERSION"
@@ -307,7 +303,7 @@ if [ -z "$DESTDIR" -a -d ${CONFDIR}/$PRODUCT ]; then
 else
     rm -rf ${DESTDIR}${CONFDIR}/$PRODUCT
     rm -rf ${DESTDIR}${SHAREDIR}/$PRODUCT
-    rm -rf ${DESTDIR}${VARDIR}/$PRODUCT
+    rm -rf ${DESTDIR}${VARDIR}
     [ "$LIBEXECDIR" = /usr/share ] || rm -rf ${DESTDIR}/usr/share/$PRODUCT/wait4ifup ${DESTDIR}/usr/share/$PRODUCT/shorecap
 fi
 
@@ -332,7 +328,7 @@ echo "$Product control program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"
 mkdir -p ${DESTDIR}${CONFDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${SHAREDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT
-mkdir -p ${DESTDIR}${VARDIR}/$PRODUCT
+mkdir -p ${DESTDIR}${VARDIR}
 
 chmod 755 ${DESTDIR}${CONFDIR}/$PRODUCT
 chmod 755 ${DESTDIR}/usr/share/$PRODUCT
@@ -357,7 +353,9 @@ fi
 # Install the .service file
 #
 if [ -n "$SYSTEMD" ]; then
+    mkdir -p ${DESTDIR}${SYSTEMD}
     run_install $OWNERSHIP -m 600 $PRODUCT.service ${DESTDIR}/${SYSTEMD}/$PRODUCT.service
+    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/$PRODUCT.service
     echo "Service file installed as ${DESTDIR}/lib/systemd/system/$PRODUCT.service"
 fi
 

Shorewall-lite/manpages/shorewall-lite.xml

@@ -337,6 +337,8 @@
 
       <arg choice="plain"><option>show</option></arg>
 
+      <arg><option>-b</option></arg>
+
       <arg><option>-x</option></arg>
 
       <arg><option>-l</option></arg>
@@ -841,6 +843,12 @@
                 Netfilter table to display. The default is <emphasis
                 role="bold">filter</emphasis>.</para>
 
+                <para>The <emphasis role="bold">-b</emphasis> ('brief') option
+                causes rules which have not been used (i.e. which have zero
+                packet and byte counts) to be omitted from the output. Chains
+                with no rules displayed are also omitted from the
+                output.</para>
+
                 <para>The <emphasis role="bold">-l</emphasis> option causes
                 the rule number for each Netfilter rule to be
                 displayed.</para>

Shorewall-lite/shorecap

@@ -53,10 +53,7 @@ g_program=shorewall-lite
 #
 . /usr/share/shorewall/shorewallrc
 
-g_libexec="$LIBEXECDIR"
 g_sharedir="$SHAREDIR"/shorewall-lite
-g_sbindir="$SBINDIR"
-g_vardir="$VARDIR"
 g_confdir="$CONFDIR"/shorewall-lite
 g_readrc=1
 

Shorewall-lite/shorewall-lite

@@ -25,17 +25,15 @@
 #       For a list of supported commands, type 'shorewall help' or 'shorewall6 help'
 #
 ################################################################################################
-g_program=shorewall-lite
+PRODUCT=shorewall-lite
 
 #
 # This is modified by the installer when ${SHAREDIR} != /usr/share
 #
 . /usr/share/shorewall/shorewallrc
 
-g_libexec="$LIBEXECDIR"
+g_program=$PRODUCT
 g_sharedir="$SHAREDIR"/shorewall-lite
-g_sbindir="$SBINDIR"
-g_vardir="$VARDIR"
 g_confdir="$CONFDIR"/shorewall-lite
 g_readrc=1
 

Shorewall-lite/shorewall-lite.service

@@ -13,8 +13,8 @@ Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall-lite
 StandardOutput=syslog
-ExecStart=/sbin/shorewall-lite $OPTIONS start
-ExecStop=/sbin/shorewall-lite $OPTIONS stop
+ExecStart=/usr/sbin/shorewall-lite $OPTIONS start
+ExecStop=/usr/sbin/shorewall-lite $OPTIONS stop
 
 [Install]
 WantedBy=multi-user.target

Shorewall/Macros/macro.A_AllowICMPs

@@ -9,7 +9,7 @@
 #ACTION		SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #					PORT(S)	PORT(S)	LIMIT	GROUP
 
-COMMENT Needed ICMP types
+?COMMENT Needed ICMP types
 
 A_ACCEPT       -	-	icmp	fragmentation-needed
 A_ACCEPT       -	-	icmp	time-exceeded

Shorewall/Macros/macro.A_DropDNSrep

@@ -9,6 +9,6 @@
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 
-COMMENT Late DNS Replies
+?COMMENT Late DNS Replies
 
 A_DROP	-	-	udp	-	53

Shorewall/Macros/macro.A_DropUPnP

@@ -9,6 +9,6 @@
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 
-COMMENT UPnP
+?COMMENT UPnP
 
 A_DROP	-	-	udp	1900

Shorewall/Macros/macro.AllowICMPs

@@ -9,7 +9,7 @@
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 
-COMMENT Needed ICMP types
+?COMMENT Needed ICMP types
 
 DEFAULT ACCEPT
 PARAM	-	-	icmp	fragmentation-needed

Shorewall/Macros/macro.Amanda

@@ -8,7 +8,7 @@
 #	files from those nodes.
 #
 ###############################################################################
-FORMAT 2
+?FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 

Shorewall/Macros/macro.DropDNSrep

@@ -9,7 +9,7 @@
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 
-COMMENT Late DNS Replies
+?COMMENT Late DNS Replies
 
 DEFAULT DROP
 PARAM	-	-	udp	-	53

Shorewall/Macros/macro.DropUPnP

@@ -9,7 +9,7 @@
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 
-COMMENT UPnP
+?COMMENT UPnP
 
 DEFAULT DROP
 PARAM	-	-	udp	1900

Shorewall/Macros/macro.FTP

@@ -6,7 +6,7 @@
 #	This macro handles FTP traffic.
 #
 ###############################################################################
-FORMAT 2
+?FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __FTP_HELPER  )

Shorewall/Macros/macro.IRC

@@ -6,7 +6,7 @@
 #	This macro handles IRC traffic (Internet Relay Chat).
 #
 ###############################################################################
-FORMAT 2
+?FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 

Shorewall/Macros/macro.Puppet

@@ -0,0 +1,12 @@
+#
+# Shorewall version 4 - Puppet Macro
+#
+# /usr/share/shorewall/macro.Puppet
+#
+#	This macro handles client-to-server for the Puppet configuration
+#	management system.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S)	PORT(S)	LIMIT	GROUP
+PARAM	-	-	tcp	8140

Shorewall/Macros/macro.Rfc1918

@@ -7,7 +7,7 @@
 #############################################################################################
 #ACTION		SOURCE		DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
 #						PORT(S)	PORT(S)	DEST		LIMIT	GROUP
-FORMAT 2
+?FORMAT 2
 PARAM		SOURCE:10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 \
 				DEST	-	-	-	-	-	-
 PARAM		SOURCE		DEST	-	-	-	10.0.0.0/8,172.16.0.0/12,192.168.0.0/16

Shorewall/Macros/macro.SANE

@@ -6,7 +6,7 @@
 #	This macro handles SANE network scanning.
 #
 ###############################################################################
-FORMAT 2
+?FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 

Shorewall/Macros/macro.SIP

@@ -6,7 +6,7 @@
 #	This macro handles SIP traffic.
 #
 ###############################################################################
-FORMAT 2
+?FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 

Shorewall/Macros/macro.SMB

@@ -10,7 +10,7 @@
 #	between hosts you fully trust.
 #
 ###############################################################################
-FORMAT 2
+?FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 PARAM	-	-	udp	135,445

Shorewall/Macros/macro.SMBBI

@@ -10,7 +10,7 @@
 #	allow SMB traffic between hosts you fully trust.
 #
 ###############################################################################
-FORMAT 2
+?FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 PARAM	-	-	udp	135,445

Shorewall/Macros/macro.SNMP

@@ -3,18 +3,17 @@
 #
 # /usr/share/shorewall/macro.SNMP
 #
-#	This macro handles SNMP traffic (including traps).
+#	This macro handles SNMP traffic.
+#
+#       Note: To allow SNMP Traps, use the SNMPTrap macro
 #
 ###############################################################################
-FORMAT 2
+?FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __SNMP_HELPER )
  PARAM	-	-  	udp     161 ; helper=snmp
- PARAM	-	-	udp	162
 ?else
- PARAM	-	-	udp	161:162
+ PARAM	-	-	udp	161
 ?endif
-
-PARAM	-	-	tcp	161

Shorewall/Macros/macro.SNMPTrap

@@ -0,0 +1,12 @@
+#
+# Shorewall version 4 - SNMP Trap Macro
+#
+# /usr/share/shorewall/macro.SNMP
+#
+#	This macro handles SNMP traps.
+#
+###############################################################################
+?FORMAT 2
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S)	PORT(S)	LIMIT	GROUP
+PARAM	-	-	udp	162

Shorewall/Macros/macro.TFTP

@@ -8,7 +8,7 @@
 #	Internet.
 #
 ###############################################################################
-FORMAT 2
+?FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 

Shorewall/Macros/macro.Teredo

@@ -0,0 +1,11 @@
+#
+# Shorewall version 4 - Teredo Macro
+#
+# /usr/share/shorewall/macro.Teredo
+#
+#	This macro handles Teredo IPv6 over UDP tunneling traffic
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S)	PORT(S)	LIMIT	GROUP
+PARAM	-	-	udp	3544

Shorewall/Macros/macro.template

@@ -71,9 +71,17 @@
 #	Remaining		Any value in the rules file REPLACES the value
 #	columns			given in the macro file.
 #
+# Multiple parameters may be passed to a macro. Within this file, $1 refers to the first parameter,
+# $2 to the second an so on. $1 is a synonym for PARAM but may be used anywhere in the file whereas
+# PARAM may only be used in the ACTION column.
+#
+# You can specify default values for parameters by using DEFAULT or DEFAULTS entry:
+#
+#      DEFAULTS  <default for $1>,<default for $2>,...
+#
 #######################################################################################################
 #                                         DO NOT REMOVE THE FOLLOWING LINE
-FORMAT 2
-####################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS
+?FORMAT 2
+#################################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH        HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP

Shorewall/Perl/Shorewall/Accounting.pm

@@ -40,18 +40,18 @@ our $VERSION = 'MODULEVERSION';
 #
 # Per-IP accounting tables. Each entry contains the associated network.
 #
-my %tables;
+our %tables;
 
-my $jumpchainref;
-my %accountingjumps;
-my $asection;
-my $defaultchain;
-my $ipsecdir;
-my $defaultrestriction;
-my $restriction;
-my $accounting_commands = { COMMENT => 0, SECTION => 2 };
-my $sectionname;
-my $acctable;
+our $jumpchainref;
+our %accountingjumps;
+our $asection;
+our $defaultchain;
+our $ipsecdir;
+our $defaultrestriction;
+our $restriction;
+our $accounting_commands = { COMMENT => 0, SECTION => 2 };
+our $sectionname;
+our $acctable;
 
 #
 # Sections in the Accounting File
@@ -417,7 +417,7 @@ sub process_accounting_rule( ) {
 
 sub setup_accounting() {
 
-    if ( my $fn = open_file 'accounting' ) {
+    if ( my $fn = open_file 'accounting', 1, 1 ) {
 
 	first_entry "$doing $fn...";
 

Shorewall/Perl/Shorewall/Chains.pm

@@ -36,7 +36,7 @@ use Shorewall::IPAddrs;
 use strict;
 
 our @ISA = qw(Exporter);
-our @EXPORT = qw(
+our @EXPORT = ( qw(
 		    DONT_OPTIMIZE
 		    DONT_DELETE
 		    DONT_MOVE
@@ -85,6 +85,7 @@ our @EXPORT = qw(
 		    $nat_table
 		    $mangle_table
 		    $filter_table
+		)
 	      );
 
 our %EXPORT_TAGS = (
@@ -97,11 +98,13 @@ our %EXPORT_TAGS = (
 				       ACTION
 				       MACRO
 				       LOGRULE
+				       NFLOG
 				       NFQ
 				       CHAIN
 				       SET
 				       AUDIT
 				       HELPER
+				       INLINE
 				       NO_RESTRICT
 				       PREROUTE_RESTRICT
 				       DESTIFACE_DISALLOW
@@ -116,6 +119,7 @@ our %EXPORT_TAGS = (
 				       OPTIMIZE_RULESET_MASK
 				       OPTIMIZE_MASK
 
+				       state_match
 				       state_imatch
 				       initialize_chain_table
 				       copy_rules
@@ -123,12 +127,6 @@ our %EXPORT_TAGS = (
 				       insert_rule1
 				       delete_jumps
 				       add_tunnel_rule
-				       process_comment
-				       no_comment
-				       macro_comment
-				       clear_comment
-				       push_comment
-				       pop_comment
 				       forward_chain
 				       forward_option_chain
 				       rules_chain
@@ -205,6 +203,7 @@ our %EXPORT_TAGS = (
 				       do_dscp
 				       have_ipset_rules
 				       record_runtime_address
+				       verify_address_variables
 				       conditional_rule
 				       conditional_rule_end
 				       match_source_dev
@@ -225,6 +224,7 @@ our %EXPORT_TAGS = (
 				       handle_network_list
 				       expand_rule
 				       addnatjump
+				       split_host_list
 				       set_chain_variables
 				       mark_firewall_not_started
 				       mark_firewall6_not_started
@@ -243,6 +243,7 @@ our %EXPORT_TAGS = (
 				       preview_netfilter_load
 				       create_chainlist_reload
 				       create_stop_load
+				       initialize_switches
 				       %targets
 				       %dscpmap
 				       %nfobjects
@@ -331,10 +332,8 @@ our $rawpost_table;
 our $nat_table;
 our $mangle_table;
 our $filter_table;
-my  $comment;
-my  @comments;
-my  $export;
-my  %renamed;
+our $export;
+our %renamed;
 our %nfobjects;
 
 #
@@ -354,6 +353,8 @@ use constant { STANDARD => 1,              #defined by Netfilter
 	       SET      => 2048,           #SET
 	       AUDIT    => 4096,           #A_ACCEPT, etc
 	       HELPER   => 8192,           #CT:helper
+	       NFLOG    => 16384,          #NFLOG or ULOG
+	       INLINE   => 32768,          #Inline action
 	   };
 #
 # Valid Targets -- value is a combination of one or more of the above
@@ -374,14 +375,14 @@ use constant { NO_RESTRICT         => 0,   # FORWARD chain rule     - Both -i an
 #
 # See initialize() below for additional comments on these variables
 #
-my $iprangematch;
-my %chainseq;
-my $idiotcount;
-my $idiotcount1;
-my $warningcount;
-my $hashlimitset;
-my $global_variables;
-my $ipset_rules;
+our $iprangematch;
+our %chainseq;
+our $idiotcount;
+our $idiotcount1;
+our $hashlimitset;
+our $global_variables;
+our %address_variables;
+our $ipset_rules;
 
 #
 # Determines the commands for which a particular interface-oriented shell variable needs to be set
@@ -433,18 +434,18 @@ our %tosmap = ( 'Minimize-Delay'       => 0x10,
 #
 # These hashes hold the shell code to set shell variables. The key is the name of the variable; the value is the code to generate the variable's contents
 #
-my %interfaceaddr;         # First interface address
-my %interfaceaddrs;        # All interface addresses
-my %interfacenets;         # Networks routed out of the interface
-my %interfacemacs;         # Interface MAC
-my %interfacebcasts;       # Broadcast addresses associated with the interface (IPv4)
-my %interfaceacasts;       # Anycast addresses associated with the interface (IPv6)
-my %interfacegateways;     # Gateway of default route out of the interface
+our %interfaceaddr;         # First interface address
+our %interfaceaddrs;        # All interface addresses
+our %interfacenets;         # Networks routed out of the interface
+our %interfacemacs;         # Interface MAC
+our %interfacebcasts;       # Broadcast addresses associated with the interface (IPv4)
+our %interfaceacasts;       # Anycast addresses associated with the interface (IPv6)
+our %interfacegateways;     # Gateway of default route out of the interface
 
 #
 # Built-in Chains
 #
-my @builtins = qw(PREROUTING INPUT FORWARD OUTPUT POSTROUTING);
+our @builtins = qw(PREROUTING INPUT FORWARD OUTPUT POSTROUTING);
 
 #
 # Mode of the emitter (part of this module that converts rules in the chain table into iptables-restore input)
@@ -453,7 +454,7 @@ use constant { NULL_MODE => 0 ,   # Emitting neither shell commands nor iptables
 	       CAT_MODE  => 1 ,   # Emitting iptables-restore input
 	       CMD_MODE  => 2 };  # Emitting shell commands.
 
-my $mode;
+our $mode;
 #
 # Address Family
 #
@@ -462,7 +463,7 @@ our $family;
 #
 # These are the current builtin targets
 #
-my  %builtin_target = ( ACCEPT      => 1,
+our %builtin_target = ( ACCEPT      => 1,
 			ACCOUNT     => 1,
 			AUDIT       => 1,
 			CHAOS       => 1,
@@ -517,7 +518,7 @@ my  %builtin_target = ( ACCEPT      => 1,
 			ULOG        => 1,
 		        );
 
-my %ipset_exists;
+our %ipset_exists;
 
 #
 # Rules are stored in an internal form
@@ -548,7 +549,7 @@ use constant { UNIQUE      => 1,
 	       MATCH       => 8,
 	       CONTROL     => 16 };
 
-my %opttype = ( rule          => CONTROL,
+our %opttype = ( rule          => CONTROL,
 		 cmd           => CONTROL,
 
 		 dhcp          => UNIQUE,
@@ -577,7 +578,7 @@ my %opttype = ( rule          => CONTROL,
 		 targetopts    => TARGET,
 	       );
 
-my %aliases = ( protocol        => 'p',
+our %aliases = ( protocol        => 'p',
 		 source          => 's',
 		 destination     => 'd',
 		 jump            => 'j',
@@ -590,12 +591,14 @@ my %aliases = ( protocol        => 'p',
 		 'icmpv6-type'   => 'icmpv6-type',
 	       );
 
-my @unique_options = ( qw/p dport sport icmp-type icmpv6-type s d i o/ );
+our @unique_options = ( qw/p dport sport icmp-type icmpv6-type s d i o/ );
 
-my %isocodes;
+our %isocodes;
 
 use constant { ISODIR => '/usr/share/xt_geoip/LE' };
 
+our %switches;
+
 #
 # Rather than initializing globals in an INIT block or during declaration,
 # we initialize them in a function. This is done for two reasons:
@@ -622,11 +625,6 @@ sub initialize( $$$ ) {
     $filter_table  = $chain_table{filter};
     %renamed       = ();
     #
-    # Contents of last COMMENT line.
-    #
-    $comment  = '';
-    @comments = ();
-    #
     # Used to sequence chain names in each table.
     #
     %chainseq = () if $hard;
@@ -644,11 +642,11 @@ sub initialize( $$$ ) {
     %interfacebcasts    = ();
     %interfaceacasts    = ();
     %interfacegateways  = ();
+    %address_variables  = ();
 
     $global_variables   = 0;
     $idiotcount         = 0;
     $idiotcount1        = 0;
-    $warningcount       = 0;
     $hashlimitset       = 0;
     $ipset_rules        = 0 if $hard;
 
@@ -656,67 +654,13 @@ sub initialize( $$$ ) {
 
     %isocodes  = ();
     %nfobjects = ();
+    %switches  = ();
 
     #
     # The chain table is initialized via a call to initialize_chain_table() after the configuration and capabilities have been determined.
     #
 }
 
-#
-# Process a COMMENT line (in $currentline)
-#
-sub process_comment() {
-    if ( have_capability( 'COMMENTS' ) ) {
-	( $comment = $currentline ) =~ s/^\s*COMMENT\s*//;
-	$comment =~ s/\s*$//;
-    } else {
-	warning_message "COMMENTs ignored -- require comment support in iptables/Netfilter" unless $warningcount++;
-    }
-}
-
-#
-# Returns True if there is a current COMMENT or if COMMENTS are not available.
-#
-sub no_comment() {
-    $comment ? 1 : ! have_capability( 'COMMENTS' );
-}
-
-#
-# Clear the $comment variable and the comment stack
-#
-sub clear_comment() {
-    $comment  = '';
-    @comments = ();
-}
-
-#
-# Push and Pop comment stack
-#
-sub push_comment( $ ) {
-    push @comments, $comment;
-    $comment = shift;
-}
-
-sub pop_comment() {
-    $comment = pop @comments;
-}
-
-#
-# Set comment
-#
-sub set_comment( $ ) {
-    $comment = shift;
-}
-
-#
-# Set $comment to the passed unless there is a current comment
-#
-sub macro_comment( $ ) {
-    my $macro = $_[0];
-
-    $comment = $macro unless $comment || ! ( have_capability( 'COMMENTS' ) && $config{AUTO_COMMENT} );
-}
-
 #
 # Functions to manipulate cmdlevel
 #
@@ -2438,11 +2382,16 @@ sub require_audit($$;$) {
 sub get_action_logging() {
     my $chainref = get_action_chain;
     my $wholeaction = $chainref->{action};
+
+    if ( $wholeaction ) {
 	my ( undef, $level, $tag, undef ) = split ':', $wholeaction;
 
 	$level = '' if $level =~ /^none/;
 
 	( $level, $tag );
+    } else {
+	( '' , '' );
+    }
 }
 
 #
@@ -2462,6 +2411,7 @@ sub initialize_chain_table($) {
 		    'A_ACCEPT'        => STANDARD  + AUDIT,
 		    'A_ACCEPT+'       => STANDARD  + NONAT + AUDIT,
 		    'NONAT'           => STANDARD  + NONAT + NATONLY,
+		    'AUDIT'           => STANDARD  + AUDIT,
 		    'DROP'            => STANDARD,
 		    'DROP!'           => STANDARD,
 		    'A_DROP'          => STANDARD + AUDIT,
@@ -2480,8 +2430,10 @@ sub initialize_chain_table($) {
 		    'COUNT'           => STANDARD,
 		    'QUEUE'           => STANDARD,
 		    'QUEUE!'          => STANDARD,
+		    'NFLOG'           => STANDARD + LOGRULE + NFLOG,
 		    'NFQUEUE'         => STANDARD + NFQ,
 		    'NFQUEUE!'        => STANDARD + NFQ,
+		    'ULOG'            => STANDARD + LOGRULE + NFLOG,
 		    'ADD'             => STANDARD + SET,
 		    'DEL'             => STANDARD + SET,
 		    'WHITELIST'       => STANDARD,
@@ -2489,7 +2441,7 @@ sub initialize_chain_table($) {
 		   );
 
 	for my $chain ( qw(OUTPUT PREROUTING) ) {
-	    new_builtin_chain 'raw', $chain, 'ACCEPT';
+	    new_builtin_chain( 'raw', $chain, 'ACCEPT' )->{insert} = 0;
 	}
 
 	new_builtin_chain 'rawpost', 'POSTROUTING', 'ACCEPT';
@@ -2517,25 +2469,35 @@ sub initialize_chain_table($) {
 	#
 	%targets = ('ACCEPT'          => STANDARD,
 		    'ACCEPT!'         => STANDARD,
+		    'AUDIT'           => STANDARD  + AUDIT,
+		    'A_ACCEPT'        => STANDARD  + AUDIT,
 		    'DROP'            => STANDARD,
 		    'DROP!'           => STANDARD,
+		    'A_DROP'          => STANDARD + AUDIT,
+		    'A_DROP!'         => STANDARD + AUDIT,
 		    'REJECT'          => STANDARD,
 		    'REJECT!'         => STANDARD,
+		    'A_REJECT'        => STANDARD + AUDIT,
+		    'A_REJECT!'       => STANDARD + AUDIT,
 		    'LOG'             => STANDARD + LOGRULE,
 		    'CONTINUE'        => STANDARD,
 		    'CONTINUE!'       => STANDARD,
 		    'COUNT'           => STANDARD,
 		    'QUEUE'           => STANDARD,
 		    'QUEUE!'          => STANDARD,
+		    'NFLOG'           => STANDARD + LOGRULE + NFLOG,
 		    'NFQUEUE'         => STANDARD + NFQ,
 		    'NFQUEUE!'        => STANDARD + NFQ,
+		    'ULOG'            => STANDARD + LOGRULE + NFLOG,
 		    'ADD'             => STANDARD + SET,
 		    'DEL'             => STANDARD + SET,
+		    'WHITELIST'       => STANDARD,
 		    'HELPER'          => STANDARD + HELPER + NATONLY, #Actually RAWONLY
 		   );
 
 	for my $chain ( qw(OUTPUT PREROUTING) ) {
-	    new_builtin_chain 'raw', $chain, 'ACCEPT';
+	    new_builtin_chain( 'raw', $chain, 'ACCEPT' )->{insert} = 0;
+	    
 	}
 
 	new_builtin_chain 'rawpost', 'POSTROUTING', 'ACCEPT';
@@ -3056,6 +3018,8 @@ sub optimize_level8( $$$ ) {
 
     progress_message "\n Table $table pass $passes, $chains referenced user chains, level 8...";
 
+    %renamed = ();
+
     for my $chainref ( @chains ) {
 	my $digest = '';
 
@@ -3339,6 +3303,18 @@ sub combine_dports {
     \@rules;
 }
 
+#
+# When suppressing duplicate rules, care must be taken to avoid suppressing non-adjacent duplicates 
+# using any of these matches, because an intervening rule could modify the result of the match
+# of the second duplicate
+#
+my %bad_match = ( conntrack => 1, 
+		  dscp      => 1,
+		  ecn       => 1,
+		  mark      => 1,
+		  set       => 1,
+		  tos       => 1,
+		  u32       => 1 );
 #
 # Delete duplicate rules from the passed chain.
 #
@@ -3351,32 +3327,62 @@ sub delete_duplicates {
     my $lastrule  = @_;
     my $baseref   = pop;
     my $ruleref;
+
+    while ( @_ ) {
+	my $docheck;
 	my $duplicate = 0;
 
-    while ( @_ && ! $duplicate ) {
-	{
+	if ( $baseref->{mode} == CAT_MODE ) {
 	    my $ports1;
 	    my @keys1    = sort( keys( %$baseref ) );
 	    my $rulenum  = @_;
-	    my $duplicate = 0;
+	    my $adjacent = 1;
 		
+	    {
 	      RULE:
 
 		while ( --$rulenum >= 0 ) {
 		    $ruleref = $_[$rulenum];
 
+		    last unless $ruleref->{mode} == CAT_MODE;
+
 		    my @keys2 = sort(keys( %$ruleref ) );
 
 		    next unless @keys1 == @keys2 ;
 
 		    my $keynum = 0;
 
+		    if ( $adjacent > 0 ) {
+			#
+			# There are no non-duplicate rules between this rule and the base rule
+			#
 			for my $key ( @keys1 ) {
 			    next RULE unless $key eq $keys2[$keynum++];
 			    next RULE unless compare_values( $baseref->{$key}, $ruleref->{$key} );
 			}
-
+		    } else {
+			#
+			# There are non-duplicate rules between this rule and the base rule
+			#
+			for my $key ( @keys1 ) {
+			    next RULE unless $key eq $keys2[$keynum++];
+			    next RULE unless compare_values( $baseref->{$key}, $ruleref->{$key} );
+			    last RULE if $bad_match{$key};
+			}
+		    }
+		    #
+		    # This rule is a duplicate
+		    #
 		    $duplicate = 1;
+		    #
+		    # Increment $adjacent so that the continue block won't set it to zero
+		    #
+		    $adjacent++;
+
+		} continue {
+		    $adjacent--;
+		}
+	    }
 	}
 
 	if ( $duplicate ) {
@@ -3388,7 +3394,6 @@ sub delete_duplicates {
 	$baseref = pop @_;
 	$lastrule--;
     }
-    }
 
     unshift @rules, $baseref if $baseref;
 
@@ -3403,17 +3408,11 @@ sub optimize_level16( $$$ ) {
 
     progress_message "\n Table $table pass $passes, $chains referenced user chains, level 16...";
 
-    if ( $table eq 'raw' ) {
-	#
-	# Helpers in rules have the potential for generating lots of duplicate iptables rules
-	# in the raw table. This step eliminates those duplicates
-	#
     for my $chainref ( @chains ) {
 	$chainref->{rules} = delete_duplicates( $chainref, @{$chainref->{rules}} );
     }
 
     $passes++;
-    }
     
     for my $chainref ( @chains ) {
 	$chainref->{rules} = combine_dports( $chainref, @{$chainref->{rules}} );
@@ -3432,7 +3431,7 @@ sub valid_tables() {
     push @table_list, 'rawpost' if have_capability( 'RAWPOST_TABLE' );
     push @table_list, 'nat'     if have_capability( 'NAT_ENABLED' );
     push @table_list, 'mangle'  if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
-    push @table_list, 'filter';
+    push @table_list, 'filter'; #MUST BE LAST!!!
 
     @table_list;
 }
@@ -3628,7 +3627,7 @@ sub source_iexclusion( $$$$$;@ ) {
 
     if ( $source =~ /^([^!]+)!([^!]+)$/ ) {
 	$source = $1;
-	@exclusion = mysplit( $2 );
+	@exclusion = split_host_list( $2 );
 
 	my $chainref1 = dont_move new_chain( $table , newexclusionchain( $table ) );
 
@@ -3679,7 +3678,7 @@ sub dest_iexclusion( $$$$$;@ ) {
 
     if ( $dest =~ /^([^!]+)!([^!]+)$/ ) {
 	$dest = $1;
-	@exclusion = mysplit( $2 );
+	@exclusion = split_host_list( $2 );
 
 	my $chainref1 = dont_move new_chain( $table , newexclusionchain( $table ) );
 
@@ -3713,6 +3712,16 @@ sub port_count( $ ) {
 #
 # Generate a state match
 #
+sub state_match( $ ) {
+    my $state = shift;
+
+    if ( $state eq 'ALL' ) {
+	''
+    } else {
+	have_capability 'CONNTRACK_MATCH' ? ( "-m conntrack --ctstate $state " ) : ( "-m state --state $state " );
+    }
+}
+
 sub state_imatch( $ ) {
     my $state = shift;
 
@@ -4324,7 +4333,7 @@ sub do_user( $ ) {
 
     require_capability 'OWNER_MATCH', 'A non-empty USER column', 's';
 
-    assert ( $user =~ /^(!)?(.*?)(:(.*))?$/ );
+    assert( $user =~ /^(!)?(.*?)(:(.+))?$/ );
     my $invert = $1 ? '! ' : '';
     my $group  = supplied $4 ? $4 : '';
 
@@ -4594,17 +4603,37 @@ sub do_probability( $ ) {
 #
 # Generate a -m condition match
 #
-sub do_condition( $ ) {
-    my $condition = shift;
+sub do_condition( $$ ) {
+    my ( $condition, $chain ) = @_;
 
     return '' if $condition eq '-';
 
     my $invert = $condition =~ s/^!// ? '! ' : '';
 
+    my $initialize;
+
+    $initialize = $1 if $condition =~ s/(?:=([01]))?$//;
+
     require_capability 'CONDITION_MATCH', 'A non-empty SWITCH column', 's';
+
+    $chain =~ s/[^\w-]//g;
+    #                          $1    $2      -     $3
+    while ( $condition =~ m( ^(.*?) @({)?(?:0|chain)(?(2)}) (.*)$ )x ) {
+	$condition = join( '', $1, $chain, $3 );
+    }
+
     fatal_error "Invalid switch name ($condition)" unless $condition =~ /^[a-zA-Z][-\w]*$/ && length $condition <= 30;
 
+    if ( defined $initialize ) {
+	if ( my $switchref = $switches{$condition} ) {
+	    fatal_error "Switch $condition was previously initialized to $switchref->{setting} at $switchref->{where}" unless $switchref->{setting} == $initialize;
+	} else {
+	    $switches{$condition} = { setting => $initialize, where => currentlineinfo };
+	}
+    }
+
     "-m condition ${invert}--condition $condition "
+	
 }
 
 #
@@ -4777,7 +4806,7 @@ sub get_set_flags( $$ ) {
 	}
     }
 
-    fatal_error "Invalid ipset name ($setname)" unless $setname =~ /^(6_)?[a-zA-Z]\w*/;
+    fatal_error "Invalid ipset name ($setname)" unless $setname =~ /^(6_)?[a-zA-Z][-\w]*/;
 
     have_capability 'OLD_IPSET_MATCH' ? "--set $setname $options " : "--match-set $setname $options ";
 
@@ -4791,6 +4820,13 @@ sub get_interface_address( $ );
 
 sub record_runtime_address( $$;$ ) {
     my ( $addrtype, $interface, $protect ) = @_;
+
+    if ( $interface =~ /^{([a-zA-Z_]\w*)}$/ ) {
+	fatal_error "Mixed required/optional usage of address variable $1" if ( $address_variables{$1} || $addrtype ) ne $addrtype;
+	$address_variables{$1} = $addrtype;
+	return '$' . "$1 ";
+    }
+
     fatal_error "Unknown interface address variable (&$interface)" unless known_interface( $interface );
     fatal_error "Invalid interface address variable (&$interface)" if $interface =~ /\+$/;
 
@@ -4817,6 +4853,7 @@ sub conditional_rule( $$ ) {
 
     if ( $address =~ /^!?([&%])(.+)$/ ) {
 	my ($type, $interface) = ($1, $2);
+
 	if ( my $ref = known_interface $interface ) {
 	    if ( $ref->{options}{optional} ) {
 		my $variable;
@@ -4831,7 +4868,13 @@ sub conditional_rule( $$ ) {
 		incr_cmd_level $chainref;
 		return 1;
 	    }
-	};
+	} elsif ( $type eq '%' && $interface =~ /^{([a-zA-Z_]\w*)}$/ ) {
+	    fatal_error "Mixed required/optional usage of address variable $1" if ( $address_variables{$1} || $type ) ne $type;
+	    $address_variables{$1} = $type;
+	    add_commands( $chainref , "if [ \$$1 != " . NILIP . ' ]; then' );
+	    incr_cmd_level $chainref;
+	    return 1;
+	}
     }
 
     0;
@@ -4863,7 +4906,7 @@ sub load_isocodes() {
     $isocodes{substr(basename($_),0,2)} = 1 for @codes;
 }
 
-sub mysplit( $;$ );
+sub split_host_list( $;$ );
 
 #
 # Match a Source.
@@ -4893,12 +4936,12 @@ sub match_source_net( $;$\$ ) {
 
     if ( $net =~ /^\+\[(.+)\]$/ ) {
 	my $result = '';
-	my @sets = mysplit $1, 1;
+	my @sets = split_host_list $1, 1;
 
 	fatal_error "Multiple ipset matches require the Repeat Match capability in your kernel and iptables" unless $globals{KLUDGEFREE};
 
 	for $net ( @sets ) {
-	    fatal_error "Expected ipset name ($net)" unless $net =~ /^(!?)(\+?)[a-zA-Z][-\w]*(\[.*\])?/;
+	    fatal_error "Expected ipset name ($net)" unless $net =~ /^(!?)(\+?)(6_)?[a-zA-Z][-\w]*(\[.*\])?/;
 	    $result .= join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'src' ) );
 	}
 
@@ -4928,7 +4971,7 @@ sub match_source_net( $;$\$ ) {
 	    return '! -s ' . record_runtime_address $1, $2;
 	}
 
-	validate_net $net, 1;
+	$net = validate_net $net, 1;
 	return "! -s $net ";
     }
 
@@ -4936,7 +4979,7 @@ sub match_source_net( $;$\$ ) {
 	return '-s ' . record_runtime_address $1, $2;
     }
 
-    validate_net $net, 1;
+    $net = validate_net $net, 1;
     $net eq ALLIP ? '' : "-s $net ";
 }
 
@@ -4966,12 +5009,12 @@ sub imatch_source_net( $;$\$ ) {
 
     if ( $net =~ /^\+\[(.+)\]$/ ) {
 	my @result = ();
-	my @sets = mysplit $1, 1;
+	my @sets = split_host_list $1, 1;
 
 	fatal_error "Multiple ipset matches requires the Repeat Match capability in your kernel and iptables" unless $globals{KLUDGEFREE};
 
 	for $net ( @sets ) {
-	    fatal_error "Expected ipset name ($net)" unless $net =~ /^(!?)(\+?)[a-zA-Z][-\w]*(\[.*\])?/;
+	    fatal_error "Expected ipset name ($net)" unless $net =~ /^(!?)(\+?)(6_)?[a-zA-Z][-\w]*(\[.*\])?/;
 	    push @result , ( set => join( '', $1 ? '! ' : '', get_set_flags( $net, 'src' ) ) );
 	}
 
@@ -5001,7 +5044,7 @@ sub imatch_source_net( $;$\$ ) {
 	    return  ( s => '! ' . record_runtime_address( $1, $2, 1 ) );
 	}
 
-	validate_net $net, 1;
+	$net = validate_net $net, 1;
 	return ( s => "! $net " );
     }
 
@@ -5009,7 +5052,7 @@ sub imatch_source_net( $;$\$ ) {
 	return ( s =>  record_runtime_address( $1, $2, 1 ) );
     }
 
-    validate_net $net, 1;
+    $net = validate_net $net, 1;
     $net eq ALLIP ? () : ( s => $net );
 }
 
@@ -5035,12 +5078,12 @@ sub match_dest_net( $;$ ) {
 
     if ( $net =~ /^\+\[(.+)\]$/ ) {
 	my $result = '';
-	my @sets = mysplit $1, 1;
+	my @sets = split_host_list $1, 1;
 
 	fatal_error "Multiple ipset matches requires the Repeat Match capability in your kernel and iptables" unless $globals{KLUDGEFREE};
 
 	for $net ( @sets ) {
-	    fatal_error "Expected ipset name ($net)" unless $net =~ /^(!?)(\+?)[a-zA-Z][-\w]*(\[.*\])?/;
+	    fatal_error "Expected ipset name ($net)" unless $net =~ /^(!?)(\+?)(6_)?[a-zA-Z][-\w]*(\[.*\])?/;
 	    $result .= join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'dst' ) );
 	}
 
@@ -5070,7 +5113,7 @@ sub match_dest_net( $;$ ) {
 	    return '! -d ' . record_runtime_address $1, $2;
 	}
 
-	validate_net $net, 1;
+	$net = validate_net $net, 1;
 	return "! -d $net ";
     }
 
@@ -5078,7 +5121,7 @@ sub match_dest_net( $;$ ) {
 	return '-d ' . record_runtime_address $1, $2;
     }
 
-    validate_net $net, 1;
+    $net = validate_net $net, 1;
     $net eq ALLIP ? '' : "-d $net ";
 }
 
@@ -5102,12 +5145,12 @@ sub imatch_dest_net( $;$ ) {
 
     if ( $net =~ /^\+\[(.+)\]$/ ) {
 	my @result;
-	my @sets = mysplit $1, 1;
+	my @sets = split_host_list $1, 1;
 
 	fatal_error "Multiple ipset matches requires the Repeat Match capability in your kernel and iptables" unless $globals{KLUDGEFREE};
 
 	for $net ( @sets ) {
-	    fatal_error "Expected ipset name ($net)" unless $net =~ /^(!?)(\+?)[a-zA-Z][-\w]*(\[.*\])?/;
+	    fatal_error "Expected ipset name ($net)" unless $net =~ /^(!?)(\+?)(6_)?[a-zA-Z][-\w]*(\[.*\])?/;
 	    push @result , ( set => join( '', $1 ? '! ' : '', get_set_flags( $net, 'dst' ) ) );
 	}
 
@@ -5137,7 +5180,7 @@ sub imatch_dest_net( $;$ ) {
 	    return ( d => '! ' . record_runtime_address( $1, $2, 1 ) );
 	}
 
-	validate_net $net, 1;
+	$net = validate_net $net, 1;
 	return ( d => "! $net " );
     }
 
@@ -5145,7 +5188,7 @@ sub imatch_dest_net( $;$ ) {
 	return ( d => record_runtime_address( $1, $2, 1 ) );
     }
 
-    validate_net $net, 1;
+    $net = validate_net $net, 1;
     $net eq ALLIP ? () : ( d =>  $net );
 }
 
@@ -5162,7 +5205,7 @@ sub match_orig_dest ( $ ) {
 	if ( $net =~ /^&(.+)/ ) {
 	    $net = record_runtime_address '&', $1;
 	} else {
-	    validate_net $net, 1;
+	    $net = validate_net $net, 1;
 	}
 
 	have_capability( 'OLD_CONNTRACK_MATCH' ) ? "-m conntrack --ctorigdst ! $net " : "-m conntrack ! --ctorigdst $net ";
@@ -5170,7 +5213,7 @@ sub match_orig_dest ( $ ) {
 	if ( $net =~ /^&(.+)/ ) {
 	    $net = record_runtime_address '&', $1;
 	} else {
-	    validate_net $net, 1;
+	    $net = validate_net $net, 1;
 	}
 
 	$net eq ALLIP ? '' : "-m conntrack --ctorigdst $net ";
@@ -5415,7 +5458,7 @@ sub addnatjump( $$;@ ) {
 # Split a comma-separated source or destination host list but keep [...] together. Used for spliting address lists
 # where an element of the list might be +ipset[flag,...] or +[ipset[flag,...],...]
 #
-sub mysplit( $;$ ) {
+sub split_host_list( $;$ ) {
     my ( $input, $loose ) = @_;
 
     my @input = split_list $input, 'host';
@@ -5777,6 +5820,27 @@ sub set_global_variables( $ ) {
     }
 }
 
+sub verify_address_variables() {
+    while ( my ( $variable, $type ) = ( each %address_variables ) ) {
+	my $address = "\$$variable";
+
+	if ( $type eq '&' ) {
+	    emit( qq([ -n "$address" ] || startup_error "Address variable $variable had not been assigned an address") ,
+		  q() ,
+		  qq(if qt \$g_tool -A INPUT -s $address; then) );
+	} else {
+	    emit( qq(if [ -z "$address" ]; then) ,
+		  qq(    $variable=) . NILIP ,
+		  qq(elif qt \$g_tool -A INPUT -s $address; then) );
+	}
+
+	emit( qq(    qt \$g_tool -D INPUT -s $address),
+	      q(else),
+	      qq(    startup_error "Invalid value ($address) for address variable $variable"),
+	      qq(fi\n) );
+    }
+}
+
 ############################################################################################
 # Helpers for expand_rule()
 ############################################################################################
@@ -5856,7 +5920,7 @@ sub handle_network_list( $$ ) {
     my $nets = '';
     my $excl = '';
 
-    my @nets = mysplit $list;
+    my @nets = split_host_list $list;
 
     for ( @nets ) {
 	if ( /!/ ) {
@@ -5891,17 +5955,20 @@ sub isolate_source_interface( $ ) {
     my ( $iiface, $inets );
 
     if ( $family == F_IPV4 ) {
-	if ( $source =~ /^~/ ) {
-	    $inets = $source;
-	} elsif ( $source =~ /^(.+?):(.+)$/ ) {
+	if ( $source =~ /^(.+?):(.+)$/ ) {
 	    $iiface = $1;
 	    $inets  = $2;
-	} elsif ( $source =~ /\+|&|~|\..*\./ || $source =~ /^!?\^/ ) {
+	} elsif ( $source =~ /^!?(?:\+|&|~|%|\^|\d+\.)/ ) {
 	    $inets = $source;
 	} else {
 	    $iiface = $source;
 	}
-    } elsif  ( $source =~ /^(.+?):<(.+)>\s*$/ || $source =~ /^(.+?):\[(.+)\]\s*$/ || $source =~ /^(.+?):(!?\+.+)$/ ) {
+    } elsif  ( $source =~ /^(.+?):<(.+)>\s*$/   ||
+	       $source =~ /^(.+?):\[(.+)\]\s*$/ ||
+	       $source =~ /^(.+?):(!?\+.+)$/    ||
+	       $source =~ /^(.+?):(!?[&%].+)$/  ||
+	       $source =~ /^(.+?):(\[.+\]\/(?:\d+))\s*$/
+	     ) {
 	$iiface = $1;
 	$inets  = $2;
     } elsif ( $source =~ /:/ ) {
@@ -6001,12 +6068,17 @@ sub isolate_dest_interface( $$$$ ) {
 	if ( $dest =~ /^(.+?):(.+)$/ ) {
 	    $diface = $1;
 	    $dnets  = $2;
-	} elsif ( $dest =~ /\+|&|%|~|\..*\./ || $dest =~ /^!?\^/ ) {
+	} elsif ( $dest =~ /^!?(?:\+|&|%|~|\^|\d+\.)/ ) {
 	    $dnets = $dest;
 	} else {
 	    $diface = $dest;
 	}
-    } elsif ( $dest =~ /^(.+?):<(.+)>\s*$/ || $dest =~ /^(.+?):\[(.+)\]\s*$/ || $dest =~ /^(.+?):(!?\+.+)$/ ) {
+    } elsif ( $dest =~ /^(.+?):<(.+)>\s*$/   || 
+	      $dest =~ /^(.+?):\[(.+)\]\s*$/ ||
+	      $dest =~ /^(.+?):(!?\+.+)$/    ||
+	      $dest =~ /^(.+?):(!?[&%].+)$/  ||
+	      $dest =~ /^(.+?):(\[.+\]\/(?:\d+))\s*$/
+	    ) {
 	$diface = $1;
 	$dnets  = $2;
     } elsif ( $dest =~ /:/ ) {
@@ -6050,7 +6122,7 @@ sub verify_dest_interface( $$$$ ) {
 	    if ( $chainref->{accounting} ) {
 		fatal_error "Destination Interface ($diface) not allowed in the $chainref->{name} chain";
 	    } else {
-		fatal_error "Destination Interface ($diface) not allowed in the mangle OUTPUT chain";
+		fatal_error "Destination Interface ($diface) not allowed in the $chainref->{table} OUTPUT chain";
 	    }
 	}
 
@@ -6120,7 +6192,7 @@ sub handle_original_dest( $$$ ) {
 	}
 
 	unless ( $onets ) {
-	    my @oexcl = mysplit $oexcl;
+	    my @oexcl = split_host_list $oexcl;
 	    if ( @oexcl == 1 ) {
 		$rule .= match_orig_dest( "!$oexcl" );
 		$oexcl = '';
@@ -6171,19 +6243,19 @@ sub handle_exclusion( $$$$$$$$$$$$$$$$$$ ) {
 	#
 	my $exclude = '-j MARK --or-mark ' . in_hex( $globals{EXCLUSION_MASK} );
 
-	for ( mysplit $iexcl ) {
+	for ( split_host_list $iexcl ) {
 	    my $cond = conditional_rule( $chainref, $_ );
 	    add_rule $chainref, ( match_source_net $_ , $restriction, $mac ) . $exclude;
 	    conditional_rule_end( $chainref ) if $cond;
 	}
 
-	for ( mysplit $dexcl ) {
+	for ( split_host_list $dexcl ) {
 	    my $cond = conditional_rule( $chainref, $_ );
 	    add_rule $chainref, ( match_dest_net $_, $restriction ) . $exclude;
 	    conditional_rule_end( $chainref ) if $cond;
 	}
 
-	for ( mysplit $oexcl ) {
+	for ( split_host_list $oexcl ) {
 	    my $cond = conditional_rule( $chainref, $_ );
 	    add_rule $chainref, ( match_orig_dest $_ ) . $exclude;
 	    conditional_rule_end( $chainref ) if $cond;
@@ -6204,19 +6276,19 @@ sub handle_exclusion( $$$$$$$$$$$$$$$$$$ ) {
 	#
 	# Use the current rule and send all possible matches to the exclusion chain
 	#
-	for my $onet ( mysplit $onets ) {
+	for my $onet ( split_host_list $onets ) {
 
 	    my $cond = conditional_rule( $chainref, $onet );
 
 	    $onet = match_orig_dest $onet;
 
-	    for my $inet ( mysplit $inets ) {
+	    for my $inet ( split_host_list $inets ) {
 
 		my $cond = conditional_rule( $chainref, $inet );
 
 		my $source_match = match_source_net( $inet, $restriction, $mac ) if $globals{KLUDGEFREE};
 
-		for my $dnet ( mysplit $dnets ) {
+		for my $dnet ( split_host_list $dnets ) {
 		    $source_match = match_source_net( $inet, $restriction, $mac ) unless $globals{KLUDGEFREE};
 		    add_expanded_jump( $chainref, $echainref, 0, join( '', $rule, $source_match, match_dest_net( $dnet, $restriction ), $onet ) );
 		}
@@ -6229,19 +6301,19 @@ sub handle_exclusion( $$$$$$$$$$$$$$$$$$ ) {
 	#
 	# Generate RETURNs for each exclusion
 	#
-	for ( mysplit $iexcl ) {
+	for ( split_host_list $iexcl ) {
 	    my $cond = conditional_rule( $echainref, $_ );
 	    add_rule $echainref, ( match_source_net $_ , $restriction, $mac ) . '-j RETURN';
 	    conditional_rule_end( $echainref ) if $cond;
 	}
 
-	for ( mysplit $dexcl ) {
+	for ( split_host_list $dexcl ) {
 	    my $cond = conditional_rule( $echainref, $_ );
 	    add_rule $echainref, ( match_dest_net $_, $restriction ) . '-j RETURN';
 	    conditional_rule_end( $echainref ) if $cond;
 	}
 
-	for ( mysplit $oexcl ) {
+	for ( split_host_list $oexcl ) {
 	    my $cond = conditional_rule( $echainref, $_ );
 	    add_rule $echainref, ( match_orig_dest $_ ) . '-j RETURN';
 	    conditional_rule_end( $echainref ) if $cond;
@@ -6366,7 +6438,7 @@ sub expand_rule( $$$$$$$$$$;$ )
 	( $inets, $iexcl ) = handle_network_list( $inets, 'SOURCE' );
 
 	unless ( $inets || $iexcl =~ /^\+\[/ || ( $iiface && $restriction & POSTROUTE_RESTRICT ) ) {
-	    my @iexcl = mysplit $iexcl, 1;
+	    my @iexcl = split_host_list $iexcl, 1;
 	    if ( @iexcl == 1 ) {
 		$rule .= match_source_net "!$iexcl" , $restriction;
 		$iexcl = '';
@@ -6381,7 +6453,7 @@ sub expand_rule( $$$$$$$$$$;$ )
 	( $dnets, $dexcl ) = handle_network_list( $dnets, 'DEST' );
 
 	unless ( $dnets || $dexcl =~ /^\+\[/ ) {
-	    my @dexcl = mysplit $dexcl, 1;
+	    my @dexcl = split_host_list $dexcl, 1;
 	    if ( @dexcl == 1 ) {
 		$rule .= match_dest_net "!$dexcl", $restriction;
 		$dexcl = '';
@@ -6427,19 +6499,19 @@ sub expand_rule( $$$$$$$$$$;$ )
 	#
 	# No non-trivial exclusions or we're using marks to handle them
 	#
-	for my $onet ( mysplit $onets ) {
+	for my $onet ( split_host_list $onets ) {
 	    my $cond1 = conditional_rule( $chainref, $onet );
 
 	    $onet = match_orig_dest $onet;
 
-	    for my $inet ( mysplit $inets ) {
+	    for my $inet ( split_host_list $inets ) {
 		my $source_match;
 
 		my $cond2 = conditional_rule( $chainref, $inet );
 
 		$source_match = match_source_net( $inet, $restriction, $mac ) if $globals{KLUDGEFREE};
 
-		for my $dnet ( mysplit $dnets ) {
+		for my $dnet ( split_host_list $dnets ) {
 		    $source_match  = match_source_net( $inet, $restriction, $mac ) unless $globals{KLUDGEFREE};
 		    my $dest_match = match_dest_net( $dnet, $restriction );
 		    my $matches = join( '', $rule, $source_match, $dest_match, $onet );
@@ -7344,7 +7416,7 @@ sub create_stop_load( $ ) {
 
     emit '';
 
-    emit(  '[ -n "$DEBUG" ] && command=debug_restore_input || command=$' . $UTILITY,
+    emit(  '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY,
 	   '',
 	   'progress_message2 "Running $command..."',
 	   '',
@@ -7409,4 +7481,17 @@ sub create_stop_load( $ ) {
 
 }
 
+sub initialize_switches() {
+    if ( keys %switches ) {
+	emit( 'if [ $COMMAND = start ]; then' );
+	push_indent;
+	while ( my ( $switch, $setting ) = each %switches ) {
+	    my $file = "/proc/net/nf_condition/$switch";
+	    emit "[ -f $file ] && echo $setting->{setting} > $file";
+	}
+	pop_indent;
+	emit "fi\n";
+    }
+}
+
 1;

Shorewall/Perl/Shorewall/Compiler.pm

@@ -34,7 +34,6 @@ use Shorewall::Accounting;
 use Shorewall::Rules;
 use Shorewall::Proc;
 use Shorewall::Proxyarp;
-use Shorewall::IPAddrs;
 use Shorewall::Raw;
 use Shorewall::Misc;
 
@@ -45,17 +44,17 @@ our @EXPORT = qw( compiler );
 our @EXPORT_OK = qw( $export );
 our $VERSION = 'MODULEVERSION';
 
-my $export;
+our $export;
 
-my $test;
+our $test;
 
-my $family;
+our $family;
 
 #
 # Initilize the package-globals in the other modules
 #
-sub initialize_package_globals( $$ ) {
-    Shorewall::Config::initialize($family, $_[1]);
+sub initialize_package_globals( $$$ ) {
+    Shorewall::Config::initialize($family, $_[1], $_[2]);
     Shorewall::Chains::initialize ($family, 1, $export );
     Shorewall::Zones::initialize ($family, $_[0]);
     Shorewall::Nat::initialize;
@@ -158,7 +157,7 @@ sub generate_script_2() {
 
     push_indent;
 
-    if ( $shorewallrc{TEMPDIR} ) {
+    if ( $shorewallrc1{TEMPDIR} ) {
 	emit( '',
 	      qq(TMPDIR="$shorewallrc{TEMPDIR}") ,
 	      q(export TMPDIR) );
@@ -168,14 +167,14 @@ sub generate_script_2() {
 	emit( 'g_family=4' );
 
 	if ( $export ) {
-	    emit ( qq(g_confdir=$shorewallrc{CONFDIR}/shorewall-lite),
+	    emit ( qq(g_confdir=$shorewallrc1{CONFDIR}/shorewall-lite),
 		   'g_product="Shorewall Lite"',
 		   'g_program=shorewall-lite',
 		   'g_basedir=/usr/share/shorewall-lite',
-		   qq(CONFIG_PATH="$shorewallrc{CONFDIR}/shorewall-lite:$shorewallrc{SHAREDIR}/shorewall-lite") ,
+		   qq(CONFIG_PATH="$shorewallrc1{CONFDIR}/shorewall-lite:$shorewallrc1{SHAREDIR}/shorewall-lite") ,
 		 );
 	} else {
-	    emit ( qq(g_confdir=$shorewallrc{CONFDIR}/shorewall),
+	    emit ( qq(g_confdir=$shorewallrc1{CONFDIR}/shorewall),
 		   'g_product=Shorewall',
 		   'g_program=shorewall',
 		   'g_basedir=/usr/share/shorewall',
@@ -186,14 +185,14 @@ sub generate_script_2() {
 	emit( 'g_family=6' );
 
 	if ( $export ) {
-	    emit ( qq(g_confdir=$shorewallrc{CONFDIR}/shorewall6-lite),
+	    emit ( qq(g_confdir=$shorewallrc1{CONFDIR}/shorewall6-lite),
 		   'g_product="Shorewall6 Lite"',
 		   'g_program=shorewall6-lite',
 		   'g_basedir=/usr/share/shorewall6',
-		   qq(CONFIG_PATH="$shorewallrc{CONFDIR}/shorewall6-lite:$shorewallrc{SHAREDIR}/shorewall6-lite") ,
+		   qq(CONFIG_PATH="$shorewallrc1{CONFDIR}/shorewall6-lite:$shorewallrc{SHAREDIR}/shorewall6-lite") ,
 		 );
 	} else {
-	    emit ( qq(g_confdir=$shorewallrc{CONFDIR}/shorewall6),
+	    emit ( qq(g_confdir=$shorewallrc1{CONFDIR}/shorewall6),
 		   'g_product=Shorewall6',
 		   'g_program=shorewall6',
 		   'g_basedir=/usr/share/shorewall',
@@ -203,20 +202,8 @@ sub generate_script_2() {
     }
 
     emit (   '[ -f ${g_confdir}/vardir ] && . ${g_confdir}/vardir' );
-
-    if ( $family == F_IPV4 ) {
-	if ( $export ) {
-	    emit ( '[ -n "${VARDIR:=' . $shorewallrc{VARDIR} . '/shorewall-lite}" ]' );
-	} else {
-	    emit ( '[ -n "${VARDIR:=' . $shorewallrc{VARDIR} . '/shorewall}" ]' );
-	}
-    } else {
-	if ( $export ) {
-	    emit ( '[ -n "${VARDIR:=' . $shorewallrc{VARDIR} . '/shorewall6-lite}" ]' );
-	} else {
-	    emit ( '[ -n "${VARDIR:=' . $shorewallrc{VARDIR} . '/shorewall6}" ]' );
-	}
-    }
+    emit ( qq([ -n "\${VARDIR:=$shorewallrc1{VARDIR}}" ]) );
+    emit ( qq([ -n "\${VARLIB:=$shorewallrc1{VARLIB}}" ]) );
 
     emit 'TEMPFILE=';
 
@@ -378,8 +365,8 @@ sub generate_script_3($) {
 	       'fi',
 	       '' );
 
+	verify_address_variables;
 	save_dynamic_chains;
-
 	mark_firewall_not_started;
 
 	emit ( '',
@@ -407,6 +394,7 @@ sub generate_script_3($) {
 	       'fi',
 	       '' );
 
+	verify_address_variables;
 	save_dynamic_chains;
 	mark_firewall_not_started;
 
@@ -472,49 +460,56 @@ sub generate_script_3($) {
         fatal_error "$iptables_save_file does not exist"
     fi
 EOF
-    pop_indent;
+    push_indent;
     setup_load_distribution;
     setup_forwarding( $family , 1 );
-    push_indent;
+    pop_indent;
 
     my $config_dir = $globals{CONFIGDIR};
 
     emit<<"EOF";
     set_state Started $config_dir
     run_restored_exit
-else
-    if [ \$COMMAND = refresh ]; then
+elif [ \$COMMAND = refresh ]; then
     chainlist_reload
 EOF
+    push_indent;
     setup_load_distribution;
     setup_forwarding( $family , 0 );
-
-    emit( '        run_refreshed_exit' ,
+    pop_indent;
+    #
+    # Use a parameter list rather than 'here documents' to avoid an extra blank line
+    #
+    emit(
+'    run_refreshed_exit',
 '    do_iptables -N shorewall',
 "    set_state Started $config_dir",
+'    [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall',
 'else',
-	  '        setup_netfilter' );
-
+'    setup_netfilter'
+	);
+    push_indent;
     setup_load_distribution;
+    pop_indent;
 
-    emit<<"EOF";
+    emit<<'EOF';
     conditionally_flush_conntrack
 EOF
+    push_indent;
+    initialize_switches;
     setup_forwarding( $family , 0 );
+    pop_indent;
 
     emit<<"EOF";
     run_start_exit
     do_iptables -N shorewall
     set_state Started $config_dir
+    [ \$0 = \${VARDIR}/firewall ] || cp -f \$(my_pathname) \${VARDIR}/firewall
     run_started_exit
 fi
-
 EOF
 
     emit<<'EOF';
-    [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall
-fi
-
 date > ${VARDIR}/restarted
 
 case $COMMAND in
@@ -546,8 +541,8 @@ EOF
 #
 sub compiler {
 
-    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $convert, $config_path, $shorewallrc ) =
-       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0,        0,         0,        0,        , 0       , ''          , '');
+    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $convert, $config_path, $shorewallrc                      , $shorewallrc1 , $directives ) =
+       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0,        0,         0,        0,        , 0       , ''          , '/usr/share/shorewall/shorewallrc', ''            , 0 );
 
     $export = 0;
     $test   = 0;
@@ -584,8 +579,10 @@ sub compiler {
 		  update        => { store => \$update,        validate=> \&validate_boolean    } ,
 		  convert       => { store => \$convert,       validate=> \&validate_boolean    } ,
 		  annotate      => { store => \$annotate,      validate=> \&validate_boolean    } ,
+		  directives    => { store => \$directives,    validate=> \&validate_boolean    } ,
 		  config_path   => { store => \$config_path } ,
 		  shorewallrc   => { store => \$shorewallrc } ,
+		  shorewallrc1  => { store => \$shorewallrc1 } ,
 		);
     #
     #                               P A R A M E T E R    P R O C E S S I N G
@@ -603,7 +600,7 @@ sub compiler {
     #
     # Now that we know the address family (IPv4/IPv6), we can initialize the other modules' globals
     #
-    initialize_package_globals( $update, $shorewallrc );
+    initialize_package_globals( $update, $shorewallrc, $shorewallrc1 );
 
     set_config_path( $config_path ) if $config_path;
 
@@ -621,7 +618,7 @@ sub compiler {
     #
     #                      S H O R E W A L L . C O N F  A N D  C A P A B I L I T I E S
     #
-    get_configuration( $export , $update , $annotate );
+    get_configuration( $export , $update , $annotate , $directives );
     #
     # Create a temp file to hold the script
     #
@@ -919,6 +916,7 @@ sub compiler {
 	    # call that function during normal 'check', we must validate routestopped here.
 	    #
 	    process_routestopped;
+	    process_stoppedrules;
 	}
 
 	if ( $family == F_IPV4 ) {

Shorewall/Perl/Shorewall/IPAddrs.pm

@@ -32,7 +32,7 @@ use Socket;
 use strict;
 
 our @ISA = qw(Exporter);
-our @EXPORT = qw( ALLIPv4
+our @EXPORT = ( qw( ALLIPv4
                   ALLIPv6
 		  NILIPv4
 		  NILIPv6
@@ -72,27 +72,27 @@ our @EXPORT = qw( ALLIPv4
 		  validate_port_list
 		  validate_icmp
 		  validate_icmp6
-		 );
+		 ) );
 our @EXPORT_OK = qw( );
 our $VERSION = 'MODULEVERSION';
 
 #
 # Some IPv4/6 useful stuff
 #
-my @allipv4 = ( '0.0.0.0/0' );
-my @allipv6 = ( '::/0' );
-my $allip;
-my @allip;
-my @nilipv4 = ( '0.0.0.0' );
-my @nilipv6 = ( '::' );
-my $nilip;
-my @nilip;
-my $valid_address;
-my $validate_address;
-my $validate_net;
-my $validate_range;
-my $validate_host;
-my $family;
+our @allipv4 = ( '0.0.0.0/0' );
+our @allipv6 = ( '::/0' );
+our $allip;
+our @allip;
+our @nilipv4 = ( '0.0.0.0' );
+our @nilipv6 = ( '::' );
+our $nilip;
+our @nilip;
+our $valid_address;
+our $validate_address;
+our $validate_net;
+our $validate_range;
+our $validate_host;
+our $family;
 
 use constant { ALLIPv4             => '0.0.0.0/0' ,
 	       ALLIPv6             => '::/0' ,
@@ -109,7 +109,7 @@ use constant { ALLIPv4             => '0.0.0.0/0' ,
 	       IPv6_SITE_ALLRTRS   => 'ff02::2' ,
 	   };
 
-my @rfc1918_networks = ( "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" );
+our @rfc1918_networks = ( "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" );
 
 #
 # Note: initialize() is declared at the bottom of the file
@@ -207,11 +207,13 @@ sub validate_4net( $$ ) {
     }
 
     if ( defined wantarray ) {
-	assert ( ! $allow_name );
 	if ( wantarray ) {
+	    assert( ! $allow_name );
 	    ( decodeaddr( $net ) , $vlsm );
+	} elsif ( valid_4address $net ) {
+	    $vlsm == 32 ? $net : "$net/$vlsm";
 	} else {
-	    "$net/$vlsm";
+	    $net;
 	}
     }
 }
@@ -226,6 +228,8 @@ sub validate_4range( $$ ) {
     my $last  = decodeaddr $high;
 
     fatal_error "Invalid IP Range ($low-$high)" unless $first <= $last;
+
+    "$low-$high";
 }
 
 sub validate_4host( $$ ) {
@@ -608,7 +612,7 @@ sub validate_6address( $$ ) {
 
 sub validate_6net( $$ ) {
     my ($net, $vlsm, $rest) = split( '/', $_[0], 3 );
-    my $allow_name = $_[1];
+    my $allow_name = $_[0];
 
     if ( $net =~ /\+(\[?)/ ) {
 	if ( $1 ) {
@@ -620,22 +624,28 @@ sub validate_6net( $$ ) {
 	}
     }
 
+    fatal_error "Invalid Network address ($_[0])" unless supplied $net;
+
+    $net = $1 if $net =~ /^\[(.*)\]$/;
+
     if ( defined $vlsm ) {
         fatal_error "Invalid VLSM ($vlsm)"              unless $vlsm =~ /^\d+$/ && $vlsm <= 128;
 	fatal_error "Invalid Network address ($_[0])"   if defined $rest;
 	fatal_error "Invalid IPv6 address ($net)"       unless valid_6address $net;
     } else {
-	fatal_error "Invalid Network address ($_[0])" if $_[0] =~ '/' || ! defined $net;
+	fatal_error "Invalid Network address ($_[0])" if $_[0] =~ '/';
 	validate_6address $net, $allow_name;
 	$vlsm = 128;
     }
 
     if ( defined wantarray ) {
-	assert ( ! $allow_name );
 	if ( wantarray ) {
+	    assert( ! $allow_name );
 	    ( $net , $vlsm );
+	} elsif ( valid_6address ( $net ) ) {
+	    $vlsm == 32 ? $net : "$net/$vlsm";
 	} else {
-	    "$net/$vlsm";
+	    $net;
 	}
     }
 }
@@ -682,11 +692,13 @@ sub validate_6range( $$ ) {
     while ( @low ) {
 	my ( $l, $h) = ( shift @low, shift @high );
 	next     if hex "0x$l" == hex "0x$h";
-	return 1 if hex "0x$l"  < hex "0x$h";
+	return "$low-$high" if hex "0x$l"  < hex "0x$h";
 	last;
     }
 
     fatal_error "Invalid IPv6 Range ($low-$high)";
+
+    
 }
 
 sub validate_6host( $$ ) {

Shorewall/Perl/Shorewall/Misc.pm

@@ -41,13 +41,14 @@ our @EXPORT = qw( process_tos
 		  add_common_rules
 		  setup_mac_lists
 		  process_routestopped
+		  process_stoppedrules
 		  compile_stop_firewall
 		  generate_matrix
 		  );
 our @EXPORT_OK = qw( initialize );
 our $VERSION = 'MODULEVERSION';
 
-my $family;
+our $family;
 
 #
 # Rather than initializing globals in an INIT block or during declaration,
@@ -203,6 +204,9 @@ sub setup_blacklist() {
     my $target      = $disposition eq 'REJECT' ? 'reject' : $disposition;
     my $orig_target = $target;
 
+  BLACKLIST:
+    {
+	if ( my $fn = open_file 'blacklist' ) {
 	    #
 	    # We go ahead and generate the blacklist chains and jump to them, even if they turn out to be empty. That is necessary
 	    # for 'refresh' to work properly.
@@ -219,10 +223,6 @@ sub setup_blacklist() {
 		}
 	    }
 
-  BLACKLIST:
-    {
-	if ( my $fn = open_file 'blacklist' ) {
-
 	    my $first_entry = 1;
 
 	    first_entry "$doing $fn...";
@@ -668,6 +668,89 @@ sub process_routestopped() {
     }
 }
 
+#
+# Process the stoppedrules file. Returns true if the file was non-empty.
+#
+sub process_stoppedrules() {
+    my $fw = firewall_zone;
+    my $result;
+
+    if ( my $fn = open_file 'stoppedrules' , 1, 1 ) {
+	first_entry "$doing $fn...";
+
+	while ( read_a_line( NORMAL_READ ) ) {
+
+	    $result = 1;
+
+	    my ( $target, $source, $dest, $proto, $ports, $sports ) = 
+		split_line1 'stoppedrules file', { target => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5 }, { COMMENT => 0 };
+
+	    fatal_error( "Invalid TARGET ($target)" ) unless $target =~ /^(?:ACCEPT|NOTRACK)$/;
+
+	    my $tableref;
+
+	    my $chainref;
+	    my $restriction = NO_RESTRICT;
+
+	    if ( $target eq 'NOTRACK' ) {
+		$tableref = $raw_table;
+		require_capability 'RAW_TABLE', 'NOTRACK', 's';
+		$chainref = $raw_table->{PREROUTING};
+		$restriction = PREROUTE_RESTRICT | DESTIFACE_DISALLOW;
+	    } else {
+		$tableref = $filter_table;
+	    }
+
+	    if ( $source eq $fw ) {
+		$chainref = ( $target eq 'NOTRACK' ? $raw_table : $filter_table)->{OUTPUT};
+		$source = '';
+		$restriction = OUTPUT_RESTRICT;
+	    } elsif ( $source =~ s/^($fw):// ) {
+		$chainref = ( $target eq 'NOTRACK' ? $raw_table : $filter_table)->{OUTPUT};
+		$restriction = OUTPUT_RESTRICT;
+	    }
+
+	    if ( $dest eq $fw ) {
+		fatal_error "\$FW may not be specified as the destination of a NOTRACK rule" if $target eq 'NOTRACK';
+		$chainref = $filter_table->{INPUT};
+		$dest = '';
+		$restriction = INPUT_RESTRICT;
+	    } elsif ( $dest =~ s/^($fw):// ) {
+		fatal_error "\$FW may not be specified as the destination of a NOTRACK rule" if $target eq 'NOTRACK';
+		$chainref = $filter_table->{INPUT};
+		$restriction = INPUT_RESTRICT;
+	    }
+
+	    $chainref = $tableref->{FORWARD} unless $chainref;
+
+	    my $disposition = $target;
+
+	    $target = 'CT --notrack' if $target eq 'NOTRACK' and have_capability( 'CT_TARGET' );
+
+	    unless ( $restriction == OUTPUT_RESTRICT
+		     && $target eq 'ACCEPT'
+		     && $config{ADMINISABSENTMINDED} ) {
+		expand_rule( $chainref ,
+			     $restriction ,
+			     do_proto( $proto, $ports, $sports ) ,
+			     $source ,
+			     $dest ,
+			     '' ,
+			     $target,
+			     '',
+			     $disposition,
+			     do_proto( $proto, '-', '-' ) );
+	    } else {
+		warning_message "Redundant OUTPUT rule ignored because ADMINISABSENTMINDED=Yes";
+	    }
+	}
+    }
+
+    clear_comment;
+
+    $result;
+}
+
 sub setup_mss();
 
 sub add_common_rules ( $ ) {
@@ -1125,7 +1208,7 @@ sub setup_mac_lists( $ ) {
 	    }
 	}
 
-	if ( my $fn = open_file 'maclist' ) {
+	if ( my $fn = open_file 'maclist', 1, 1 ) {
 
 	    first_entry "$doing $fn...";
 
@@ -1395,8 +1478,9 @@ sub handle_loopback_traffic() {
 		    my @ipsec_match = match_ipsec_in $z1 , $hostref;
 
 		    for my $net ( @{$hostref->{hosts}} ) {
-			add_ijump( $rawout,
+			insert_ijump( $rawout,
 				      j => $exclusion ,
+				      $rawout->{insert}++,
 				      imatch_source_net $net,
 				      @ipsec_match );
 		    }
@@ -1443,10 +1527,6 @@ sub add_interface_jumps {
 	addnatjump 'POSTROUTING' , snat_chain( $interface ), imatch_dest_dev( $interface );
     }
 
-    addnatjump 'PREROUTING'  , 'nat_in';
-    addnatjump 'POSTROUTING' , 'nat_out';
-    addnatjump 'PREROUTING', 'dnat';
-
     for my $interface ( @interfaces  ) {
 	addnatjump 'PREROUTING'  , input_chain( $interface )  , imatch_source_dev( $interface );
 	addnatjump 'POSTROUTING' , output_chain( $interface ) , imatch_dest_dev( $interface );
@@ -1751,6 +1831,7 @@ sub add_prerouting_jumps( $$$$$$$$ ) {
 
     my $dnatref         = $nat_table->{dnat_chain( $zone )};
     my $preroutingref   = $nat_table->{PREROUTING};
+    my $rawref          = $raw_table->{PREROUTING};
     my $notrackref      = ensure_chain 'raw' , notrack_chain( $zone );
     my @ipsec_in_match  = match_ipsec_in  $zone , $hostref;
 
@@ -1775,15 +1856,20 @@ sub add_prerouting_jumps( $$$$$$$$ ) {
 	# There are notrack rules with this zone as the source.
 	# Add a jump from this source network to this zone's notrack chain
 	#
-	add_ijump $raw_table->{PREROUTING}, j => source_exclusion( $exclusions, $notrackref), imatch_source_dev( $interface), @source, @ipsec_in_match;
+	insert_ijump $rawref, j => source_exclusion( $exclusions, $notrackref), $rawref->{insert}++, imatch_source_dev( $interface), @source, @ipsec_in_match;
     }
     #
     # If this zone has parents with DNAT/REDIRECT or notrack rules and there are no CONTINUE polcies with this zone as the source
     # then add a RETURN jump for this source network.
     #
     if ( $nested ) {
-	add_ijump $preroutingref,           j => 'RETURN', imatch_source_dev( $interface), @source, @ipsec_in_match if $parenthasnat;
-	add_ijump $raw_table->{PREROUTING}, j => 'RETURN', imatch_source_dev( $interface), @source, @ipsec_in_match if $parenthasnotrack;
+	if ( $parenthasnat ) {
+	    add_ijump $preroutingref, j => 'RETURN',                      imatch_source_dev( $interface), @source, @ipsec_in_match;
+	}
+	if ( $parenthasnotrack ) {
+	    my $rawref = $raw_table->{PREROUTING};
+	    insert_ijump $rawref,     j => 'RETURN', $rawref->{insert}++, imatch_source_dev( $interface), @source, @ipsec_in_match;
+	}
     }
 }
 
@@ -1986,7 +2072,7 @@ sub optimize1_zones( $$@ ) {
 # The biggest disadvantage of the zone-policy-rule model used by Shorewall is that it doesn't scale well as the number of zones increases (Order N**2 where N = number of zones).
 # A major goal of the rewrite of the compiler in Perl was to restrict those scaling effects to this function and the rules that it generates.
 #
-# The function traverses the full "source-zone by destination-zone" matrix and generates the rules necessary to direct traffic through the right set of filter-table and
+# The function traverses the full "source-zone by destination-zone" matrix and generates the rules necessary to direct traffic through the right set of filter-table, raw-table and
 # nat-table rules.
 #
 sub generate_matrix() {
@@ -2149,6 +2235,11 @@ sub generate_matrix() {
     } # Source Zone Loop
 
     progress_message '  Finishing matrix...';
+    #
+    # Make sure that the 1:1 NAT jumps are last in PREROUTING
+    #
+    addnatjump 'PREROUTING'  , 'nat_in';
+    addnatjump 'POSTROUTING' , 'nat_out';
 
     add_interface_jumps @interfaces unless $interface_jumps_added;
 
@@ -2415,7 +2506,7 @@ EOF
 	}
     }
 
-    process_routestopped;
+    process_routestopped unless process_stoppedrules;
 
     add_ijump $input,  j => 'ACCEPT', i => 'lo';
     add_ijump $output, j => 'ACCEPT', o => 'lo' unless $config{ADMINISABSENTMINDED};

Shorewall/Perl/Shorewall/Nat.pm

@@ -42,8 +42,8 @@ Exporter::export_ok_tags('rules');
 
 our $VERSION = 'MODULEVERSION';
 
-my @addresses_to_add;
-my %addresses_to_add;
+our @addresses_to_add;
+our %addresses_to_add;
 
 #
 # Called by the compiler
@@ -123,7 +123,7 @@ sub process_one_masq( )
     #
     # Handle Protocol, Ports and Condition
     #
-    $baserule .= do_proto( $proto, $ports, '' ) . do_condition( $condition );
+    $baserule .= do_proto( $proto, $ports, '' );
     #
     # Handle Mark
     #
@@ -158,6 +158,8 @@ sub process_one_masq( )
 
 	my $chainref = ensure_chain('nat', $pre_nat ? snat_chain $interface : masq_chain $interface);
 
+	$baserule .= do_condition( $condition , $chainref->{name} );
+
 	my $detectaddress = 0;
 	my $exceptionrule = '';
 	my $randomize     = '';
@@ -194,12 +196,16 @@ sub process_one_masq( )
 		} else {
 		    my $addrlist = '';
 		    for my $addr ( split_list $addresses , 'address' ) {
-			if ( $addr =~ /^&(.+)$/ ) {
+			if ( $addr =~ /^([&%])(.+)$/ ) {
+			    my ( $type, $interface ) = ( $1, $2 );
 			    $target = 'SNAT ';
-			    if ( $conditional = conditional_rule( $chainref, $addr ) ) {
-				$addrlist .= '--to-source ' . get_interface_address $1;
+			    if ( $interface =~ /^{([a-zA-Z_]\w*)}$/ ) {
+				$conditional = conditional_rule( $chainref, $addr );
+				$addrlist .= '--to-source ' . "\$$1 ";
+			    } elsif ( $conditional = conditional_rule( $chainref, $addr ) ) {
+				$addrlist .= '--to-source ' . get_interface_address $interface;
 			    } else {
-				$addrlist .= '--to-source ' . record_runtime_address( '&', $1 );
+				$addrlist .= '--to-source ' . record_runtime_address( $type, $interface );
 			    }
 			} elsif ( $addr =~ /^.*\..*\..*\./ ) {
 			    $target = 'SNAT ';
@@ -276,7 +282,7 @@ sub process_one_masq( )
 #
 sub setup_masq()
 {
-    if ( my $fn = open_file 'masq' ) {
+    if ( my $fn = open_file( 'masq', 1, 1 ) ) {
 
 	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty masq file' , 's'; } );
 
@@ -373,7 +379,7 @@ sub do_one_nat( $$$$$ )
 #
 sub setup_nat() {
 
-    if ( my $fn = open_file 'nat' ) {
+    if ( my $fn = open_file( 'nat', 1, 1 ) ) {
 
 	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty nat file' , 's'; } );
 
@@ -409,7 +415,7 @@ sub setup_nat() {
 #
 sub setup_netmap() {
 
-    if ( my $fn = open_file 'netmap' ) {
+    if ( my $fn = open_file 'netmap', 1, 1 ) {
 
 	first_entry "$doing $fn...";
 
@@ -431,8 +437,8 @@ sub setup_netmap() {
 		    my @rulein;
 		    my @ruleout;
 
-		    validate_net $net1, 0;
-		    validate_net $net2, 0;
+		    $net1 = validate_net $net1, 0;
+		    $net2 = validate_net $net2, 0;
 
 		    unless ( $interfaceref->{root} ) {
 			@rulein  = imatch_source_dev( $interface );
@@ -466,7 +472,7 @@ sub setup_netmap() {
 
 		    require_capability 'RAWPOST_TABLE', 'Stateless NAT Entries', '';
 
-		    validate_net $net2, 0;
+		    $net2 = validate_net $net2, 0;
 
 		    unless ( $interfaceref->{root} ) {
 			@match = imatch_dest_dev(  $interface );

Shorewall/Perl/Shorewall/Proc.pm

@@ -251,9 +251,6 @@ sub setup_forwarding( $$ ) {
 	if ( @$interfaces ) {
 	    progress_message2 "$doing Interface forwarding..." if $first;
 
-	    push_indent;
-	    push_indent;
-
 	    save_progress_message 'Setting up IPv6 Interface Forwarding...';
 
 	    for my $interface ( @$interfaces ) {
@@ -270,9 +267,6 @@ sub setup_forwarding( $$ ) {
 		       "    error_message \"WARNING: Cannot set IPv6 forwarding on $interface\"" ) unless $optional;
 		emit   "fi\n";
 	    }
-
-	    pop_indent;
-	    pop_indent;
 	}
     }
 }

Shorewall/Perl/Shorewall/Providers.pm

@@ -53,28 +53,28 @@ use constant { LOCAL_TABLE   => 255,
 	       UNSPEC_TABLE  => 0
 	       };
 
-my  @routemarked_providers;
-my  %routemarked_interfaces;
+our @routemarked_providers;
+our %routemarked_interfaces;
 our @routemarked_interfaces;
-my  %provider_interfaces;
-my  @load_providers;
-my  @load_interfaces;
+our %provider_interfaces;
+our @load_providers;
+our @load_interfaces;
 
-my $balancing;
-my $fallback;
-my $metrics;
-my $first_default_route;
-my $first_fallback_route;
-my $maxload;
-my $tproxies;
+our $balancing;
+our $fallback;
+our $metrics;
+our $first_default_route;
+our $first_fallback_route;
+our $maxload;
+our $tproxies;
 
-my %providers;
+our %providers;
 
-my @providers;
+our @providers;
 
-my $family;
+our $family;
 
-my $lastmark;
+our $lastmark;
 
 use constant { ROUTEMARKED_SHARED => 1, ROUTEMARKED_UNSHARED => 2 };
 
@@ -118,10 +118,15 @@ sub initialize( $ ) {
 #
 sub setup_route_marking() {
     my $mask = in_hex( $globals{PROVIDER_MASK} );
+    my $exmask = have_capability( 'EXMARK' ) ? "/$mask" : '';
 
     require_capability( $_ , q(The provider 'track' option) , 's' ) for qw/CONNMARK_MATCH CONNMARK/;
 
+    if ( $config{RESTORE_ROUTEMARKS} ) {
 	add_ijump $mangle_table->{$_} , j => 'CONNMARK', targetopts => "--restore-mark --mask $mask" for qw/PREROUTING OUTPUT/;
+    } else {
+	add_ijump $mangle_table->{$_} , j => 'CONNMARK', targetopts => "--restore-mark --mask $mask", connmark => "! --mark 0/$mask" for qw/PREROUTING OUTPUT/;
+    }
 
     my $chainref  = new_chain 'mangle', 'routemark';
 
@@ -145,10 +150,10 @@ sub setup_route_marking() {
 
 	    if ( $providerref->{shared} ) {
 		add_commands( $chainref, qq(if [ -n "$providerref->{mac}" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional};
-		add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}", imatch_source_dev( $interface ), mac => "--mac-source $providerref->{mac}";
+		add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}${exmask}", imatch_source_dev( $interface ), mac => "--mac-source $providerref->{mac}";
 		decr_cmd_level( $chainref ), add_commands( $chainref, "fi\n" ) if $providerref->{optional};
 	    } else {
-		add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}", imatch_source_dev( $interface );
+		add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}${exmask}", imatch_source_dev( $interface );
 	    }
 	}
 
@@ -333,24 +338,35 @@ sub balance_fallback_route( $$$$ ) {
     }
 }
 
-sub start_provider( $$$ ) {
-    my ($table, $number, $test ) = @_;
+sub start_provider( $$$$ ) {
+    my ($what, $table, $number, $test ) = @_;
 
-    emit "\n#\n# Add Provider $table ($number)\n#";
+    emit "\n#\n# Add $what $table ($number)\n#";
 
+    if ( $number ) {
 	emit "start_provider_$table() {";
+    } else {
+	emit "start_interface_$table() {";
+    }
+
     push_indent;
     emit $test;
     push_indent;
 
+
+    if ( $number ) {
 	emit "qt ip -$family route flush table $number";
 	emit "echo \"qt \$IP -$family route flush table $number\" > \${VARDIR}/undo_${table}_routing";
+    } else {
+	emit( "> \${VARDIR}/undo_${table}_routing" );
+    }
 }
 
 #
 # Process a record in the providers file
 #
-sub process_a_provider() {
+sub process_a_provider( $ ) {
+    my $pseudo = $_[0]; # When true, this is an optional interface that we are treating somewhat like a provider.
 
     my ($table, $number, $mark, $duplicate, $interface, $gateway,  $options, $copy ) =
 	split_line 'providers file', { table => 0, number => 1, mark => 2, duplicate => 3, interface => 4, gateway => 5, options => 6, copy => 7 };
@@ -358,6 +374,8 @@ sub process_a_provider() {
     fatal_error "Duplicate provider ($table)" if $providers{$table};
 
     fatal_error 'NAME must be specified' if $table eq '-';
+
+    unless ( $pseudo ) {
 	fatal_error "Invalid Provider Name ($table)" unless $table =~ /^[\w]+$/;
 
 	my $num = numeric_value $number;
@@ -370,6 +388,7 @@ sub process_a_provider() {
 	for my $providerref ( values %providers  ) {
 	    fatal_error "Duplicate provider number ($number)" if $providerref->{number} == $number;
 	}
+    }
 
     fatal_error 'INTERFACE must be specified' if $interface eq '-';
 
@@ -389,6 +408,11 @@ sub process_a_provider() {
     my $physical    = get_physical $interface;
     my $gatewaycase = '';
 
+    if ( $physical =~ /\+$/ ) {
+	return 0 if $pseudo;
+	fatal_error "Wildcard interfaces ($physical) may not be used as provider interfaces";
+    }
+
     if ( $gateway eq 'detect' ) {
 	fatal_error "Configuring multiple providers through one interface requires an explicit gateway" if $shared;
 	$gateway = get_interface_gateway $interface;
@@ -402,8 +426,15 @@ sub process_a_provider() {
 	$gateway = '';
     }
 
-    my ( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $tproxy , $local, $load ) =
-	(0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), ''  , 0       , 0,      0 );
+    my ( $loose, $track, $balance, $default, $default_balance, $optional, $mtu, $tproxy, $local, $load, $what );
+
+    if ( $pseudo ) {	
+	( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $tproxy , $local, $load, $what ) =
+	( 0,      0                       , 0 ,        0,        0,                               1                                  , ''  , 0       , 0,      0,     'interface');
+    } else {
+	( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $tproxy , $local, $load, $what )=
+	( 0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), ''  , 0       , 0,      0,     'provider');
+    }
 
     unless ( $options eq '-' ) {
 	for my $option ( split_list $options, 'option' ) {
@@ -513,7 +544,7 @@ sub process_a_provider() {
 
     }
 
-    unless ( $loose ) {
+    unless ( $loose || $pseudo ) {
 	warning_message q(The 'proxyarp' option is dangerous when specified on a Provider interface) if get_interface_option( $interface, 'proxyarp' );
 	warning_message q(The 'proxyndp' option is dangerous when specified on a Provider interface) if get_interface_option( $interface, 'proxyndp' );
     }
@@ -551,10 +582,14 @@ sub process_a_provider() {
 			   local       => $local ,
 			   tproxy      => $tproxy ,
 			   load        => $load ,
+			   pseudo      => $pseudo ,
+			   what        => $what ,
 			   rules       => [] ,
 			   routes      => [] ,
 			 };
 
+    $provider_interfaces{$interface} = $table unless $shared;
+
     if ( $track ) {
 	fatal_error "The 'track' option requires a numeric value in the MARK column" if $mark eq '-';
 
@@ -573,7 +608,22 @@ sub process_a_provider() {
 
     push @providers, $table;
 
-    progress_message "   Provider \"$currentline\" $done";
+    progress_message "   Provider \"$currentline\" $done" unless $pseudo;
+
+    return 1;
+}
+
+#
+# Emit a 'started' message
+#
+sub emit_started_message( $$$$$ ) {
+    my ( $spaces, $level, $pseudo, $name, $number ) = @_;
+
+    if ( $pseudo ) {
+	emit qq(${spaces}progress_message${level} "   Optional interface $name Started");
+    } else {
+	emit qq(${spaces}progress_message${level} "   Provider $name ($number) Started");
+    }
 }
 
 #
@@ -604,6 +654,9 @@ sub add_a_provider( $$ ) {
     my $local       = $providerref->{local};
     my $tproxy      = $providerref->{tproxy};
     my $load        = $providerref->{load};
+    my $pseudo      = $providerref->{pseudo};
+    my $what        = $providerref->{what};
+    my $label       = $pseudo ? 'Optional Interface' : 'Provider';
 
     my $dev         = chain_base $physical;
     my $base        = uc $dev;
@@ -612,14 +665,16 @@ sub add_a_provider( $$ ) {
     if ( $shared ) {
 	my $variable = $providers{$table}{mac} = get_interface_mac( $gateway, $interface , $table );
 	$realm = "realm $number";
-	start_provider( $table, $number, qq(if interface_is_usable $physical && [ -n "$variable" ]; then) );
+	start_provider( $label , $table, $number, qq(if interface_is_usable $physical && [ -n "$variable" ]; then) );
+    } elsif ( $pseudo ) {
+	start_provider( $label , $table, $number, qq(if [ -n "\$SW_${base}_IS_USABLE" ]; then) );
     } else {
 	if ( $optional ) {
-	    start_provider( $table, $number, qq(if [ -n "\$SW_${base}_IS_USABLE" ]; then) );
+	    start_provider( $label, $table , $number, qq(if [ -n "\$SW_${base}_IS_USABLE" ]; then) );
 	} elsif ( $gatewaycase eq 'detect' ) {
-	    start_provider( $table, $number, qq(if interface_is_usable $physical && [ -n "$gateway" ]; then) );
+	    start_provider( $label, $table, $number, qq(if interface_is_usable $physical && [ -n "$gateway" ]; then) );
 	} else {
-	    start_provider( $table, $number, "if interface_is_usable $physical; then" );
+	    start_provider( $label, $table, $number, "if interface_is_usable $physical; then" );
 	}
 	$provider_interfaces{$interface} = $table;
 
@@ -737,7 +792,7 @@ CEOF
 	    emit  "qt \$IP -$family rule del from $address" if $config{DELETE_THEN_ADD};
 	    emit( "run_ip rule add from $address pref 20000 table $number" ,
 		  "echo \"qt \$IP -$family rule del from $address\" >> \${VARDIR}/undo_${table}_routing" );
-	} else {
+	} elsif ( ! $pseudo ) {
 	    emit  ( "find_interface_addresses $physical | while read address; do" );
 	    emit  ( "    qt \$IP -$family rule del from \$address" ) if $config{DELETE_THEN_ADD};
 	    emit  ( "    run_ip rule add from \$address pref 20000 table $number",
@@ -800,15 +855,17 @@ CEOF
 	    emit( "setup_${dev}_tc" ) if $tcdevices->{$interface};
 	}
 
-	emit ( qq(progress_message2 "   Provider $table ($number) Started") );
+	emit_started_message( '', 2, $pseudo, $table, $number );
 
 	pop_indent;
 
+	unless ( $pseudo ) {
 	    emit( 'else' );
-	emit( qq(    echo $weight > \${VARDIR}/${physical}_weight) ,
-	      qq(    progress_message "   Provider $table ($number) Started"),
-	      qq(fi\n)
-	    );
+	    emit( qq(    echo $weight > \${VARDIR}/${physical}_weight) );
+	    emit_started_message( '    ', '', $pseudo, $table, $number );
+	}
+
+	emit "fi\n";
     } else {
 	emit( qq(echo 0 > \${VARDIR}/${physical}.status) );
 	emit( qq(progress_message "Provider $table ($number) Started") );
@@ -825,6 +882,8 @@ CEOF
     if ( $optional ) {
 	if ( $shared ) {
 	    emit ( "error_message \"WARNING: Gateway $gateway is not reachable -- Provider $table ($number) not Started\"" );
+	} elsif ( $pseudo ) {
+	    emit ( "error_message \"WARNING: Optional Interface $physical is not usable -- $table not Started\"" );
 	} else {
 	    emit ( "error_message \"WARNING: Interface $physical is not usable -- Provider $table ($number) not Started\"" );
 	}
@@ -842,14 +901,14 @@ CEOF
 
     pop_indent;
 
-    emit '}'; # End of start_provider_$table();
+    emit "} # End of start_${what}_${table}();";
 
     if ( $optional ) {
 	emit( '',
 	      '#',
-	      "# Stop provider $table",
+	      "# Stop $what $table",
 	      '#',
-	      "stop_provider_$table() {" );
+	      "stop_${what}_${table}() {" );
 
 	push_indent;
 
@@ -877,8 +936,13 @@ CEOF
 	    emit( qq(delete_gateway "$via" $tbl $physical) );
 	}
 
-	emit (". $undo",
-	      "> $undo" );
+	emit (". $undo" );
+
+	if ( $pseudo ) {
+	    emit( "rm -f $undo" );
+	} else {
+	    emit( "> $undo" );
+	}
 
 	emit ( '',
 	       "distribute_load $maxload @load_interfaces" ) if $load;
@@ -889,8 +953,13 @@ CEOF
 		  "qt \$TC qdisc del dev $physical ingress\n" ) if $tcdevices->{$interface};
 	}
 
-	emit( "echo 1 > \${VARDIR}/${physical}.status",
-	      "progress_message2 \"   Provider $table ($number) stopped\"" );
+	emit( "echo 1 > \${VARDIR}/${physical}.status" );
+
+	if ( $pseudo ) {
+	    emit( "progress_message2 \"   Optional Interface $table stopped\"" );
+	} else {
+	    emit( "progress_message2 \"   Provider $table ($number) stopped\"" );
+	}
 
 	pop_indent;
 
@@ -938,7 +1007,7 @@ sub add_an_rtrule( ) {
     if ( $dest eq '-' ) {
 	$dest = 'to ' . ALLIP;
     } else {
-	validate_net( $dest, 0 );
+	$dest = validate_net( $dest, 0 );
 	$dest = "to $dest";
     }
 
@@ -950,22 +1019,22 @@ sub add_an_rtrule( ) {
 	if ( $source =~ /:/ ) {
 	    ( my $interface, $source , my $remainder ) = split( /:/, $source, 3 );
 	    fatal_error "Invalid SOURCE" if defined $remainder;
-	    validate_net ( $source, 0 );
+	    $source = validate_net ( $source, 0 );
 	    $interface = physical_name $interface;
 	    $source = "iif $interface from $source";
 	} elsif ( $source =~ /\..*\..*/ ) {
-	    validate_net ( $source, 0 );
+	    $source = validate_net ( $source, 0 );
 	    $source = "from $source";
 	} else {
 	    $source = 'iif ' . physical_name $source;
 	}
-    } elsif ( $source =~  /^(.+?):<(.+)>\s*$/ ||  $source =~  /^(.+?):\[(.+)\]\s*$/ ) {
+    } elsif ( $source =~  /^(.+?):<(.+)>\s*$/ ||  $source =~  /^(.+?):\[(.+)\]\s*$/ || $source =~ /^(.+?):(\[.+?\](?:\/\d+))$/ ) {
 	my ($interface, $source ) = ($1, $2);
-	validate_net ($source, 0);
+	$source = validate_net ($source, 0);
 	$interface = physical_name $interface;
 	$source = "iif $interface from $source";
     } elsif (  $source =~ /:.*:/ || $source =~ /\..*\..*/ ) {
-	validate_net ( $source, 0 );
+	$source = validate_net ( $source, 0 );
 	$source = "from $source";
     } else {
 	$source = 'iif ' . physical_name $source;
@@ -1020,7 +1089,7 @@ sub add_a_route( ) {
     }
 
     fatal_error 'DEST must be specified' if $dest eq '-';
-    validate_net ( $dest, 1 );
+    $dest = validate_net ( $dest, 1 );
 
     validate_address ( $gateway, 1 ) if $gateway ne '-';
 
@@ -1199,12 +1268,23 @@ sub process_providers( $ ) {
     my $tcdevices = shift;
 
     our $providers = 0;
+    our $pseudoproviders = 0;
 
     $lastmark = 0;
 
     if ( my $fn = open_file 'providers' ) {
 	first_entry "$doing $fn...";
-	process_a_provider, $providers++ while read_a_line( NORMAL_READ );
+	$providers += process_a_provider(0) while read_a_line( NORMAL_READ );
+    }
+    #
+    # Treat optional interfaces as pseudo-providers
+    #
+    for ( grep interface_is_optional( $_ ) && ! $provider_interfaces{ $_ }, all_real_interfaces ) {
+	#
+	#               TABLE NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
+	$currentline = "$_    0      -    -         $_        -       -       -";
+	#
+	$pseudoproviders += process_a_provider(1);
     }
 
     if ( $providers ) {
@@ -1227,17 +1307,19 @@ sub process_providers( $ ) {
 
 	    add_an_rtrule while read_a_line( NORMAL_READ );
 	}
+    }
 
-	$fn = open_file 'routes';
+    if ( $providers || $pseudoproviders ) {
+	my $fn = open_file 'routes';
 
 	if ( $fn ) {
 	    first_entry "$doing $fn...";
 	    emit '';
 	    add_a_route while read_a_line( NORMAL_READ );
 	}
-    }
 
 	add_a_provider( $providers{$_}, $tcdevices ) for @providers;
+    }
 
     emit << 'EOF';;
 
@@ -1258,14 +1340,20 @@ EOF
 
 	if ( $providerref->{optional} ) {
 	    if ( $providerref->{shared} || $providerref->{physical} eq $provider) {
-		emit "$provider})";
+		emit "$provider)";
 	    } else {
 		emit( "$providerref->{physical}|$provider)" );
 	    }
 
+	    if ( $providerref->{pseudo} ) {
+		emit ( "    if [ ! -f \${VARDIR}/$product/undo_${provider}_routing ]; then",
+		       "        start_interface_$provider" );
+	    } else {
 		emit ( "    if [ -z \"`\$IP -$family route ls table $providerref->{number}`\" ]; then",
-		   "        start_provider_$provider",
-		   '    else',
+		       "        start_provider_$provider" );
+	    }
+
+	    emit ( '    else',
 		   "        startup_error \"Interface $providerref->{physical} is already enabled\"",
 		   '    fi',
 		   '    ;;'
@@ -1278,7 +1366,7 @@ EOF
 
     emit << 'EOF';;
         *)
-            startup_error "$g_interface is not an optional provider or provider interface"
+            startup_error "$g_interface is not an optional provider or interface"
             ;;
     esac
 
@@ -1299,14 +1387,26 @@ EOF
     for my $provider (@providers ) {
 	my $providerref = $providers{$provider};
 
-	emit( "$providerref->{physical}|$provider)",
-	      "    if [ -n \"`\$IP -$family route ls table $providerref->{number}`\" ]; then",
-	      "        stop_provider_$provider",
+	if ( $providerref->{optional} ) {
+	    if ( $provider eq $providerref->{physical} ) {
+		emit( "$provider)" );
+	    } else {
+		emit( "$providerref->{physical}|$provider)" );
+	    }
+
+	    if ( $providerref->{pseudo} ) {
+		emit( "    if [ -f \${VARDIR}/$product/undo_${provider}_routing ]; then" );
+	    } else {
+		emit( "    if [ -n \"`\$IP -$family route ls table $providerref->{number}`\" ]; then" );
+	    }
+
+	    emit( "        stop_$providerref->{what}_$provider",
 		  '    else',
 		  "        startup_error \"Interface $providerref->{physical} is already disabled\"",
 		  '    fi',
 		  '    ;;'
-	    ) if $providerref->{optional};
+		);
+	}
     }
 
     pop_indent;
@@ -1338,7 +1438,7 @@ sub setup_providers() {
 
 	emit '';
 
-	emit "start_provider_$_" for @providers;
+	emit "start_$providers{$_}->{what}_$_" for @providers;
 
 	emit '';
 

Shorewall/Perl/Shorewall/Raw.pm

@@ -36,14 +36,23 @@ our @EXPORT = qw( setup_conntrack );
 our @EXPORT_OK = qw( handle_helper_rule );
 our $VERSION = 'MODULEVERSION';
 
-my %valid_ctevent = ( new => 1, related => 1, destroy => 1, reply => 1, assured => 1, protoinfo => 1, helper => 1, mark => 1, natseqinfo => 1, secmark => 1 );
+our %valid_ctevent = ( new        => 1,
+		       related    => 1,
+		       destroy    => 1,
+		       reply      => 1,
+		       assured    => 1,
+		       protoinfo  => 1,
+		       helper     => 1,
+		       mark       => 1,
+		       natseqinfo => 1,
+		       secmark    => 1 );
 
 #
 # Notrack
 #
-sub process_conntrack_rule( $$$$$$$$$ ) {
+sub process_conntrack_rule( $$$$$$$$$$ ) {
 
-    my ($chainref, $zoneref, $action, $source, $dest, $proto, $ports, $sports, $user ) = @_;
+    my ($chainref, $zoneref, $action, $source, $dest, $proto, $ports, $sports, $user, $switch ) = @_;
 
     require_capability 'RAW_TABLE', 'conntrack rules', '';
 
@@ -54,7 +63,9 @@ sub process_conntrack_rule( $$$$$$$$$ ) {
     my $zone;
     my $restriction = PREROUTE_RESTRICT;
 
-    unless ( $chainref ) {
+    if ( $chainref ) {
+	$restriction = OUTPUT_RESTRICT if $chainref->{name} eq 'OUTPUT';
+    } else {
 	#
 	# Entry in the conntrack file
 	#
@@ -66,13 +77,13 @@ sub process_conntrack_rule( $$$$$$$$$ ) {
 	}
 
 	$chainref = ensure_raw_chain( notrack_chain $zone );
-	$restriction = OUTPUT_RESTRICT if $zoneref->{type} == FIREWALL || $zoneref->{type} == VSERVER;
+	$restriction = OUTPUT_RESTRICT if $zoneref->{type}  & (FIREWALL | VSERVER );
 	fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-' && $restriction != OUTPUT_RESTRICT;
     }
 
     my $target = $action;
     my $exception_rule = '';
-    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user );
+    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_condition( $switch , $chainref->{name} );
 
     if ( $action eq 'NOTRACK' ) {
 	#
@@ -80,7 +91,7 @@ sub process_conntrack_rule( $$$$$$$$$ ) {
 	# Netfilter development list
 	#
 	$action = 'CT --notrack' if have_capability 'CT_TARGET';
-    } else {
+    } elsif ( $action ne 'DROP' ) {
 	(  $target, my ( $option, $args, $junk ) ) = split ':', $action, 4;
 
 	fatal_error "Invalid notrack ACTION ( $action )" if $junk || $target ne 'CT';
@@ -160,7 +171,9 @@ sub handle_helper_rule( $$$$$$$$$$$ ) {
 				$proto ,
 				$ports ,
 				$sports ,
-				$user );
+				$user,
+				'-',
+			      );
     } else {
 	assert( $action_target );
 	#
@@ -200,21 +213,20 @@ sub handle_helper_rule( $$$$$$$$$$$ ) {
 sub process_format( $ ) {
     my $format = shift;
 
-    fatal_error q(FORMAT must be '1' or '2') unless $format =~ /^[12]$/;
+    fatal_error q(FORMAT must be '1', '2' or '3') unless $format =~ /^[123]$/;
+    format_warning;
 
-    $format;
+    $file_format = $format;
 }
 
 sub setup_conntrack() {
 
     for my $name ( qw/notrack conntrack/ ) {
 
-	my $fn = open_file( $name );
+	my $fn = open_file( $name, 3 , 1 );
 
 	if ( $fn ) {
 
-	    my $format = 1;
-
 	    my $action = 'NOTRACK';
 
 	    my $empty = 1;
@@ -222,20 +234,20 @@ sub setup_conntrack() {
 	    first_entry( "$doing $fn..." );
 
 	    while ( read_a_line( NORMAL_READ ) ) {
-		my ( $source, $dest, $proto, $ports, $sports, $user );
+		my ( $source, $dest, $proto, $ports, $sports, $user, $switch );
 
-		if ( $format == 1 ) {
-		    ( $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Conntrack File', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5 };
+		if ( $file_format == 1 ) {
+		    ( $source, $dest, $proto, $ports, $sports, $user, $switch ) = split_line1 'Conntrack File', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5, switch => 6 };
 
 		    if ( $source eq 'FORMAT' ) {
-			$format = process_format( $dest );
+			process_format( $dest );
 			next;
 		    }
 		} else {
-		    ( $action, $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Conntrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6 }, { COMMENT => 0, FORMAT => 2 };
+		    ( $action, $source, $dest, $proto, $ports, $sports, $user, $switch ) = split_line1 'Conntrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, switch => 7 }, { COMMENT => 0, FORMAT => 2 };
 
 		    if ( $action eq 'FORMAT' ) {
-			$format = process_format( $source );
+			process_format( $source );
 			$action = 'NOTRACK';
 			next;
 		    }
@@ -248,12 +260,32 @@ sub setup_conntrack() {
 
 		$empty = 0;
 
-		if ( $source eq 'all' ) {
-		    for my $zone (all_zones) {
-			process_conntrack_rule( undef, undef, $action, $zone, $dest, $proto, $ports, $sports, $user );
+		if ( $file_format < 3 ) {
+		    if ( $source =~ /^all(-)?(:(.+))?$/ ) {
+			fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-';
+			for my $zone ( $1 ? off_firewall_zones : all_zones ) {
+			    process_conntrack_rule( undef ,
+						    undef,
+						    $action,
+						    $zone . ( $2 || ''),
+						    $dest,
+						    $proto,
+						    $ports,
+						    $sports,
+						    $user ,
+						    $switch );
 			}
 		    } else {
-		    process_conntrack_rule( undef, undef, $action, $source, $dest, $proto, $ports, $sports, $user );
+			process_conntrack_rule( undef, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
+		    }
+		} elsif ( $action =~ s/:O$// ) {
+		    process_conntrack_rule( $raw_table->{OUTPUT}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
+		} elsif ( $action =~ s/:OP// || $action =~ s/:PO// ) {
+		    process_conntrack_rule( $raw_table->{PREROUTING}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
+		    process_conntrack_rule( $raw_table->{OUTPUT},     undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
+		} else {
+		    $action =~ s/:P//;
+		    process_conntrack_rule( $raw_table->{PREROUTING}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
 		}		    
 	    }
 

Shorewall/Perl/Shorewall/Tc.pm

@@ -86,7 +86,7 @@ use constant { NOMARK    => 0 ,
 	       HIGHMARK  => 2
 	       };
 
-my  %flow_keys = ( 'src'            => 1,
+our %flow_keys = ( 'src'            => 1,
 		   'dst'            => 1,
 		   'proto'          => 1,
 		   'proto-src'      => 1,
@@ -104,15 +104,15 @@ my  %flow_keys = ( 'src'            => 1,
 		   'sk-gid'         => 1,
 		   'vlan-tag'       => 1 );
 
-my %designator = ( F => 'tcfor' ,
+our %designator = ( F => 'tcfor' ,
 		    T => 'tcpost' );
 
-my  %tosoptions = ( 'tos-minimize-delay'       => '0x10/0x10' ,
+our %tosoptions = ( 'tos-minimize-delay'       => '0x10/0x10' ,
 		    'tos-maximize-throughput'  => '0x08/0x08' ,
 		    'tos-maximize-reliability' => '0x04/0x04' ,
 		    'tos-minimize-cost'        => '0x02/0x02' ,
 		    'tos-normal-service'       => '0x00/0x1e' );
-my  %classids;
+our %classids;
 
 #
 # Perl version of Arn Bernin's 'tc4shorewall'.
@@ -133,12 +133,12 @@ my  %classids;
 #                              name          => <interface>
 #                                               }
 #
-my  @tcdevices;
-my  %tcdevices;
-my  @devnums;
-my  $devnum;
-my  $sticky;
-my  $ipp2p;
+our @tcdevices;
+our %tcdevices;
+our @devnums;
+our $devnum;
+our $sticky;
+our $ipp2p;
 
 #
 # TCClasses Table
@@ -159,10 +159,10 @@ my  $ipp2p;
 #                                                }
 #                                     }
 #             }
-my  @tcclasses;
-my  %tcclasses;
+our @tcclasses;
+our %tcclasses;
 
-my  %restrictions = ( tcpre      => PREROUTE_RESTRICT ,
+our %restrictions = ( tcpre      => PREROUTE_RESTRICT ,
 		      PREROUTING => PREROUTE_RESTRICT ,
 		      tcpost     => POSTROUTE_RESTRICT ,
 		      tcfor      => NO_RESTRICT ,
@@ -170,10 +170,16 @@ my  %restrictions = ( tcpre      => PREROUTE_RESTRICT ,
 		      tcout      => OUTPUT_RESTRICT ,
 		    );
 
-my $family;
+our $family;
 
-my $divertref; # DIVERT chain
+our $divertref; # DIVERT chain
 
+our %validstates = ( NEW                => 0,
+		     RELATED            => 0,
+		     ESTABLISHED        => 0,
+		     UNTRACKED          => 0,
+		     INVALID            => 0,
+		   );
 #
 # Rather than initializing globals in an INIT block or during declaration,
 # we initialize them in a function. This is done for two reasons:
@@ -199,19 +205,17 @@ sub initialize( $ ) {
 }
 
 sub process_tc_rule( ) {
-    my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp );
+    my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state );
     if ( $family == F_IPV4 ) {
-	( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp ) =
-	    split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, probability => 12 , dscp => 13 }, { COMMENT => 0, FORMAT => 2 } , 14;
+	( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state ) =
+	    split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, probability => 12 , dscp => 13, state => 14 }, { COMMENT => 0, FORMAT => 2 } , 15;
 	$headers = '-';
     } else {
-	( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp ) =
-	    split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 , dscp => 14 },  { COMMENT => 0, FORMAT => 2 }, 15;
+	( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state ) =
+	    split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 , dscp => 14 , state => 15 },  { COMMENT => 0, FORMAT => 2 }, 16;
     }
 
-    our @tccmd;
-
-    our $format;
+    our %tccmd;
 
     fatal_error 'MARK must be specified' if $originalmark eq '-';
 
@@ -221,8 +225,9 @@ sub process_tc_rule( ) {
     }
 
     if ( $originalmark eq 'FORMAT' ) {
+	format_warning;
 	if ( $source =~ /^([12])$/ ) {
-	    $format = $1;
+	    $file_format = $1;
 	    return;
 	}
 
@@ -259,6 +264,8 @@ sub process_tc_rule( ) {
     my $cmd;
     my $rest;
     my $matches = '';
+    my $mark1;
+    my $exceptionrule = '';
 
     my %processtcc = ( sticky => sub() {
 			                  if ( $chain eq 'tcout' ) {
@@ -312,7 +319,7 @@ sub process_tc_rule( ) {
 					  $target = "IPMARK --addr $srcdst --and-mask $mask1 --or-mask $mask2 --shift $shift";
 				      },
 		       DIVERT => sub() {
-			                  fatal_error "Invalid MARK ($originalmark)"               unless $format == 2;
+			                  fatal_error "Invalid MARK ($originalmark)"               unless $file_format == 2;
 			                  fatal_error "Invalid DIVERT specification( $cmd/$rest )" if $rest;
 
 					  $chain = 'PREROUTING';
@@ -341,7 +348,7 @@ sub process_tc_rule( ) {
 					  my $params = $1;
 					  my ( $port, $ip, $bad );
 
-					  if ( $format == 1 ) {
+					  if ( $file_format == 1 ) {
 					      fatal_error "Invalid TPROXY specification( $cmd )" unless defined $params;
 
 					      ( $mark, $port, $ip, $bad ) = split_list $params, 'Parameter';
@@ -372,7 +379,11 @@ sub process_tc_rule( ) {
 
 					  if ( supplied $ip ) {
 					      if ( $family == F_IPV6 ) {
-						  $ip = $1 if $ip =~ /^\[(.+)\]$/ || $ip =~ /^<(.+)>$/;
+						  if ( $ip =~ /^\[(.+)\]$/ || $ip =~ /^<(.+)>$/ ) {
+						      $ip = $1;
+						  } elsif ( $ip =~ /^\[(.+)\]\/(\d+)$/ ) {
+						      $ip = join( $1, $2 );
+						  }
 					      }
 
 					      validate_address $ip, 1;
@@ -380,19 +391,27 @@ sub process_tc_rule( ) {
 					  }
 
 					  $target .= ' --tproxy-mark';
+
+					  $exceptionrule = '-p tcp ';
 				      },
 		       TTL => sub() {
 			                  fatal_error "TTL is not supported in IPv6 - use HL instead" if $family == F_IPV6;
 					  fatal_error "Invalid TTL specification( $cmd/$rest )" if $rest;
-					  fatal_error "Chain designator $designator not allowed with TTL" if $designator && ! ( $designator eq 'F' );
-
 					  $chain = 'tcfor';
 
-					  $cmd =~ /^TTL\(([-+]?\d+)\)$/;
+					  if ( $designator ) {
+					      if ( $designator eq 'P' ) {
+						  $chain = 'tcpre';
+					      } else {
+						  fatal_error "Chain designator $designator not allowed with TTL" if $designator ne 'F';
+					      }
+					  }
+
+					  $cmd =~ /^TTL\(([-+]?(\d+))\)$/;
 
 					  my $param =  $1;
 
-					  fatal_error "Invalid TTL specification( $cmd )" unless $param && ( $param = abs $param ) < 256;
+					  fatal_error "Invalid TTL specification( $cmd )" unless supplied( $1 ) && ( $1 eq $2 || $2 != 0 ) && ( $param = abs $param ) < 256;
 
 					  if ( $1 =~ /^\+/ ) {
 					      $target .= " --ttl-inc $param";
@@ -405,15 +424,22 @@ sub process_tc_rule( ) {
 		       HL => sub() {
 			                  fatal_error "HL is not supported in IPv4 - use TTL instead" if $family == F_IPV4;
 					  fatal_error "Invalid HL specification( $cmd/$rest )" if $rest;
-					  fatal_error "Chain designator $designator not allowed with HL" if $designator && ! ( $designator eq 'F' );
-
 					  $chain = 'tcfor';
 
-					  $cmd =~ /^HL\(([-+]?\d+)\)$/;
+
+					  if ( $designator ) {
+					      if ( $designator eq 'P' ) {
+						  $chain = 'tcpre';
+					      } else {
+						  fatal_error "Chain designator $designator not allowed with HL" if $designator ne 'F';
+					      }
+					  }
+
+					  $cmd =~ /^HL\(([-+]?(\d+))\)$/;
 
 					  my $param =  $1;
 
-					  fatal_error "Invalid HL specification( $cmd )" unless $param && ( $param = abs $param ) < 256;
+					  fatal_error "Invalid HL specification( $cmd )" unless supplied( $1 ) && ( $1 eq $2 || $2 != 0 ) && ( $param = abs $param ) < 256;
 
 					  if ( $1 =~ /^\+/ ) {
 					      $target .= " --hl-inc $param";
@@ -440,6 +466,10 @@ sub process_tc_rule( ) {
 			                  assert( $cmd =~ /^TOS\((.+)\)$/ );
 					  $target .= decode_tos( $1 , 2 );
 				      },
+		       CHECKSUM => sub()
+		                        {  require_capability 'CHECKSUM_TARGET', 'The CHECKSUM action', 's';
+					   $target .= ' --checksum-fill';
+				       },
 		     );
 
     if ( $source ) {
@@ -480,13 +510,13 @@ sub process_tc_rule( ) {
 
 	    $chain    = $tcsref->{chain}                       if $tcsref->{chain};
 	    $target   = $tcsref->{target}                      if $tcsref->{target};
-	    $mark     = "$mark/" . in_hex( $globals{TC_MASK} ) if $connmark = $tcsref->{connmark};
+	    $mark     = "$mark/" . in_hex( $globals{TC_MASK} ) if $connmark = $tcsref->{connmark} && $mark !~ m'/';
 
 	    require_capability ('CONNMARK' , "CONNMARK Rules", '' ) if $connmark;
 
 	} else {
 	    unless ( $classid ) {
-		fatal_error "Invalid MARK ($originalmark)" unless $mark =~ /^([0-9a-fA-F]+)$/ and $designator =~ /^([0-9a-fA-F]+)$/;
+		fatal_error "Invalid ACTION ($originalmark)" unless $mark =~ /^([0-9a-fA-F]+)$/ and $designator =~ /^([0-9a-fA-F]+)$/;
 		fatal_error 'A CLASSIFY rule may not have $FW as the DEST' if $chain eq 'tcin';
 		$chain = 'tcpost';
 		$mark  = $originalmark;
@@ -524,10 +554,10 @@ sub process_tc_rule( ) {
     $list = '';
 
     unless ( $classid ) {
-      MARK:
 	{
-	    for my $tccmd ( @tccmd ) {
-		if ( $tccmd->{match}($cmd) ) {
+	    if ( $cmd =~ /^([[A-Z!&]+)/ ) {
+		if ( my $tccmd = $tccmd{$1} ) {
+		    fatal_error "Invalid $1 ACTION ($originalmark)" unless $tccmd->{match}($cmd); 
 		    fatal_error "$mark not valid with :C[FPT]" if $connmark;
 
 		    require_capability ('CONNMARK' , "SAVE/RESTORE Rules", '' ) if $tccmd->{connmark};
@@ -546,7 +576,7 @@ sub process_tc_rule( ) {
 		    }
 
 		    if ( $rest ) {
-			fatal_error "Invalid MARK ($originalmark)" if $marktype == NOMARK;
+			fatal_error "Invalid COMMAND ($originalmark)" if $marktype == NOMARK;
 
 			$mark = $rest if $tccmd->{mask};
 
@@ -558,11 +588,16 @@ sub process_tc_rule( ) {
 		    } elsif ( $tccmd->{mask} ) {
 			$mark = $tccmd->{mask};
 		    }
-
-		    last MARK;
+		} else {
+		    fatal_error "Invalid ACTION ($originalmark)";
 		}
-	    }
-
+	    } elsif ( $mark =~ /-/ ) {
+		( $mark, $mark1 ) = split /-/, $mark, 2;
+		validate_mark $mark;
+		fatal_error "Invalid mark range ($mark-$mark1)" if $mark =~ m'/';
+		validate_mark $mark1;
+		require_capability 'STATISTIC_MATCH', 'A mark range', 's';
+	    }  else {
 		validate_mark $mark;
 
 		if ( $config{PROVIDER_OFFSET} ) {
@@ -576,10 +611,73 @@ sub process_tc_rule( ) {
 		}
 	    }
 	}
+    }
 
     fatal_error "USER/GROUP only allowed in the OUTPUT chain" unless ( $user eq '-' || ( $chain eq 'tcout' || $chain eq 'tcpost' ) );
 
-    if ( ( my $result = expand_rule( ensure_chain( 'mangle' , $chain ) ,
+    if ( $state ne '-' ) {
+	my @state = split_list( $state, 'state' );
+	my %state = %validstates;
+
+	for ( @state ) {
+	    fatal_error "Invalid STATE ($_)"   unless exists $state{$_};
+	    fatal_error "Duplicate STATE ($_)" if $state{$_};
+	}
+    } else {
+	$state = 'ALL';
+    }
+
+    if ( $mark1 ) {
+	#
+	# A Mark Range
+	#
+	my $chainref = ensure_chain( 'mangle', $chain );
+
+	( $mark1, my $mask ) = split( '/', $mark1 );
+
+	my ( $markval, $mark1val ) = ( numeric_value $mark, numeric_value $mark1 );
+
+	fatal_error "Invalid mark range ($mark-$mark1)" unless $markval < $mark1val;
+
+	$mask = $globals{TC_MASK} unless supplied $mask;
+
+	$mask = numeric_value $mask;
+
+	my $increment = 1;
+	my $shift     = 0;
+
+	$increment <<= 1, $shift++ until $increment & $mask;
+
+	$mask = in_hex $mask;
+
+	my $marks = ( ( $mark1val - $markval ) >> $shift ) + 1;
+
+	for ( my $packet = 0; $packet < $marks; $packet++, $markval += $increment ) {
+	    my $match = "-m statistic --mode nth --every $marks --packet $packet ";
+
+	    expand_rule( $chainref,
+			 $restrictions{$chain} | $restriction,
+			 $match .
+			 do_user( $user ) .
+			 do_test( $testval, $globals{TC_MASK} ) .
+			 do_test( $testval, $globals{TC_MASK} ) .
+			 do_length( $length ) .
+			 do_tos( $tos ) .
+			 do_connbytes( $connbytes ) .
+			 do_helper( $helper ) .
+			 do_headers( $headers ) .
+			 do_probability( $probability ) .
+			 do_dscp( $dscp ) .
+			 state_match( $state ) ,
+			 $source ,
+			 $dest ,
+			 '' ,
+			 "$target " . join( '/', in_hex( $markval ) , $mask ) ,
+			 '',
+			 $target ,
+			 $exceptionrule );
+	}
+    } elsif ( ( my $result = expand_rule( ensure_chain( 'mangle' , $chain ) ,
 					  $restrictions{$chain} | $restriction,
 					  do_proto( $proto, $ports, $sports) . $matches .
 					  do_user( $user ) .
@@ -590,14 +688,15 @@ sub process_tc_rule( ) {
 					  do_helper( $helper ) .
 					  do_headers( $headers ) .
 					  do_probability( $probability ) .
-				     do_dscp( $dscp ) ,
+					  do_dscp( $dscp ) .
+					  state_match( $state ) ,
 					  $source ,
 					  $dest ,
 					  '' ,
 					  $mark ? "$target $mark" : $target,
 					  '' ,
 					  $target ,
-				     '' ) )
+					  $exceptionrule ) )
 	      && $device ) {
 	#
 	# expand_rule() returns destination device if any
@@ -820,8 +919,9 @@ sub process_simple_device() {
     }
 
     for ( my $i = 1; $i <= 3; $i++ ) {
+	my $prio = 16 | $i;
 	emit "run_tc qdisc add dev $physical parent $number:$i handle ${number}${i}: sfq quantum 1875 limit 127 perturb 10";
-	emit "run_tc filter add dev $physical protocol all prio 2 parent $number: handle $i fw classid $number:$i";
+	emit "run_tc filter add dev $physical protocol all prio $prio parent $number: handle $i fw classid $number:$i";
 	emit "run_tc filter add dev $physical protocol all prio 1 parent ${number}$i: handle ${number}${i} flow hash keys $type divisor 1024" if $type ne '-' && have_capability 'FLOW_FILTER';
 	emit '';
     }
@@ -969,6 +1069,7 @@ sub validate_tc_device( ) {
 			    mtu           => $mtu,
 			    mpu           => $mpu,
 			    tsize         => $tsize,
+			    filterpri     => 0,
 			  } ,
 
     push @tcdevices, $device;
@@ -1043,6 +1144,16 @@ my %validredoptions = ( min         => RED_INTEGER,
 			ecn         => RED_NONE,
 		      );
 
+sub validate_filter_priority( $$ ) {
+    my ( $priority, $kind ) = @_;
+
+    my $pri = numeric_value( $priority );
+
+    fatal_error "Invalid $kind priority ($priority)" unless defined $pri && $pri > 0 && $pri <= 65535;
+
+    $pri;
+}
+
 sub validate_tc_class( ) {
     my ( $devclass, $mark, $rate, $ceil, $prio, $options ) =
 	split_line 'tcclasses file', { interface => 0, mark => 1, rate => 2, ceil => 3, prio => 4, options => 5 };
@@ -1096,11 +1207,26 @@ sub validate_tc_class( ) {
 
     my $tcref = $tcclasses{$device};
 
+    if ( $devref->{qdisc} eq 'htb' ) {
+	fatal_error "Invalid PRIO ($prio)" unless defined numeric_value $prio;
+    }
+
     my $markval  = 0;
+    my $markprio;
 
     if ( $mark ne '-' ) {
 	fatal_error "MARK may not be specified when TC_BITS=0" unless $config{TC_BITS};
 
+	( $mark, my $priority ) = split/:/, $mark, 2;
+
+	if ( supplied $priority ) {
+	    $markprio = validate_filter_priority( $priority, 'mark' );
+	} else {
+	    fatal_error "Missing mark priority" if $prio eq '-';
+	    $markprio =  ( $prio << 8 ) | 20;
+	    progress_message2 "   Priority of the $device packet mark $mark filter is $markprio";
+	}
+
 	$markval = numeric_value( $mark );
 	fatal_error "Invalid MARK ($markval)" unless defined $markval;
 
@@ -1169,16 +1295,15 @@ sub validate_tc_class( ) {
 	warning_message "Total RATE of classes ($devref->{guarantee}kbits) exceeds OUT-BANDWIDTH (${full}kbits)" if ( $devref->{guarantee} += $rate ) > $full;
     }
 
-    fatal_error "Invalid PRIO ($prio)" unless defined numeric_value $prio;
-
     $tcref->{$classnumber} = { tos       => [] ,
 			       rate      => $rate ,
 			       umax      => $umax ,
 			       dmax      => $dmax ,
 			       ceiling   => $ceil   = ( supplied $ceil   ? convert_rate( $ceilmax, $ceil,   'CEIL'  , $ceilname ) : 0 ),
 			       lsceil    => $lsceil = ( $lsceil          ? convert_rate( $ceilmax, $lsceil, 'LSCEIL', $ceilname ) : 0 ),
-			       priority  => $prio eq '-' ? 1 : $prio ,
+			       priority  => $prio ,
 			       mark      => $markval ,
+			       markprio  => $markprio ,
 			       flow      => '' ,
 			       pfifo     => 0,
 			       occurs    => 1,
@@ -1196,25 +1321,47 @@ sub validate_tc_class( ) {
 
     unless ( $options eq '-' ) {
 	for my $option ( split_list1 "\L$options", 'option' ) {
-	    my $optval = $tosoptions{$option};
+	    my $priority;
+	    my $optval;
+
+	    ( $option, my $pri ) =  split /:/, $option, 2;
+
+	    if ( $option =~ /^tos=(.+)/ || ( $optval = $tosoptions{$option} ) ) {
+
+		if ( supplied $pri ) {
+		    $priority = validate_filter_priority( $pri, 'mark' );
+		} else {
+		    fatal_error "Missing TOS priority" if $prio eq '-';
+		    $priority = ( $prio << 8 ) | 15;
+		    progress_message2 "   Priority of the $device $option filter is $priority";
+		}
 
 		$option = "tos=$optval" if $optval;
+	    } elsif ( supplied $pri ) {
+		$option = join ':', $option, $pri;
+	    }
 
 	    if ( $option eq 'default' ) {
 		fatal_error "Only one default class may be specified for device $device" if $devref->{default};
 		fatal_error "The $option option is not valid with 'occurs" if $tcref->{occurs} > 1;
 		$devref->{default} = $classnumber;
-	    } elsif ( $option eq 'tcp-ack' ) {
+	    } elsif ( $option =~ /tcp-ack(:(\d+|0x[0-0a-fA-F]))?$/ ) {
 		fatal_error "The $option option is not valid with 'occurs" if $tcref->{occurs} > 1;
-		$tcref->{tcp_ack} = 1;
+		if ( $1 ) {
+		    $tcref->{tcp_ack} = validate_filter_priority( $2, 'tcp-ack' );
+		} else {
+		    fatal_error "Missing tcp-ack priority" if $prio eq '-';
+		    my $ackpri = $tcref->{tcp_ack} =  ( $prio << 8 ) | 10;
+		    progress_message2 "   Priority of the $device tcp-ack filter is $ackpri";
+		}
 	    } elsif ( $option =~ /^tos=0x[0-9a-f]{2}$/ ) {
 		fatal_error "The $option option is not valid with 'occurs" if $tcref->{occurs} > 1;
 		( undef, $option ) = split /=/, $option;
-		push @{$tcref->{tos}}, "$option/0xff";
+		push @{$tcref->{tos}}, "$option/0xff:$priority";
 	    } elsif ( $option =~ /^tos=0x[0-9a-f]{2}\/0x[0-9a-f]{2}$/ ) {
 		fatal_error "The $option option is not valid with 'occurs" if $tcref->{occurs} > 1;
 		( undef, $option ) = split /=/, $option;
-		push @{$tcref->{tos}}, $option;
+		push @{$tcref->{tos}}, "$option:$priority";
 	    } elsif ( $option =~ /^flow=(.*)$/ ) {
 		fatal_error "The 'flow' option is not allowed with 'pfifo'" if $tcref->{pfifo};
 		fatal_error "The 'flow' option is not allowed with 'red'"   if $tcref->{red};
@@ -1300,10 +1447,7 @@ sub validate_tc_class( ) {
     }
 
     unless ( $devref->{classify} || $occurs > 1 ) {
-	if ( $mark ne '-' ) {
 	fatal_error "Missing MARK" if $mark eq '-';
-	    warning_message "Class NUMBER ignored -- INTERFACE $device does not have the 'classify' option"	if $devclass =~ /:/;
-	}
     }
 
     $tcref->{flow}  = $devref->{flow}  unless $tcref->{flow};
@@ -1319,6 +1463,7 @@ sub validate_tc_class( ) {
 					       ceiling  => $tcref->{ceiling} ,
 					       priority => $tcref->{priority} ,
 					       mark     => 0 ,
+					       markprio => $markprio ,
 					       flow     => $tcref->{flow} ,
 					       pfifo    => $tcref->{pfifo},
 					       occurs   => 0,
@@ -1340,7 +1485,7 @@ my %validlengths = ( 32 => '0xffe0', 64 => '0xffc0', 128 => '0xff80', 256 => '0x
 #
 sub process_tc_filter() {
 
-    my ( $devclass, $source, $dest , $proto, $portlist , $sportlist, $tos, $length ) = split_line 'tcfilters file', { class => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, tos => 6, length => 7 };
+    my ( $devclass, $source, $dest , $proto, $portlist , $sportlist, $tos, $length, $priority ) = split_line 'tcfilters file', { class => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, tos => 6, length => 7 , priority => 8 };
 
     fatal_error 'CLASS must be specified' if $devclass eq '-';
 
@@ -1350,7 +1495,7 @@ sub process_tc_filter() {
 
     fatal_error "Invalid INTERFACE:CLASS ($devclass)" if defined $rest || ! ($device && $class );
 
-    my ( $ip, $ip32, $prio , $lo ) = $family == F_IPV4 ? ('ip', 'ip', 10, 2 ) : ('ipv6', 'ip6', 11 , 4 );
+    my ( $ip, $ip32, $lo ) = $family == F_IPV4 ? ('ip', 'ip', 2 ) : ('ipv6', 'ip6', 4 );
 
     my $devref;
 
@@ -1360,6 +1505,18 @@ sub process_tc_filter() {
 	( $device , $devref ) = dev_by_number( $device );
     }
 
+    my ( $prio, $filterpri ) = ( undef, $devref->{filterpri} );
+
+    if ( $priority eq '-' ) {
+	$prio = ++$filterpri;
+	fatal_error "Filter priority overflow" if $prio > 65535;
+    } else {
+	$prio = validate_filter_priority( $priority, 'filter' );
+	$filterpri = $prio if $prio > $filterpri;
+    }
+
+    $devref->{filterpri} = $filterpri;
+
     my $devnum = in_hexp $devref->{number};
 
     my $tcref = $tcclasses{$device};
@@ -1721,7 +1878,7 @@ sub process_tcinterfaces() {
 #
 sub process_tcpri() {
     my $fn  = find_file 'tcinterfaces';
-    my $fn1 = open_file 'tcpri';
+    my $fn1 = open_file 'tcpri', 1,1;
 
     if ( $fn1 ) {
 	first_entry
@@ -1856,7 +2013,7 @@ sub process_traffic_shaping() {
 	    handle_in_bandwidth( $device, $devref->{in_bandwidth} );
 
 	    for my $rdev ( @{$devref->{redirected}} ) {
-		my $phyrdev = get_physical( $rdev );
+		my $phyrdev = physical_name( $rdev );
 		emit ( "run_tc qdisc add dev $phyrdev handle ffff: ingress" );
 		emit( "run_tc filter add dev $phyrdev parent ffff: protocol all u32 match u32 0 0 action mirred egress redirect dev $device > /dev/null" );
 	    }
@@ -1886,7 +2043,6 @@ sub process_traffic_shaping() {
 
 		$classids{$classid}=$devname;
 
-		my $priority = $tcref->{priority} << 8;
 		my $parent   = in_hexp $tcref->{parent};
 
 		emit ( "[ \$${dev}_mtu -gt $quantum ] && quantum=\$${dev}_mtu || quantum=$quantum" );
@@ -1945,22 +2101,23 @@ sub process_traffic_shaping() {
 		# add filters
 		#
 		unless ( $mark eq '-' ) {
-		    emit "run_tc filter add dev $device protocol all parent $devicenumber:0 prio " . ( $priority | 20 ) . " handle $mark fw classid $classid" if $tcref->{occurs} == 1;
+		    emit "run_tc filter add dev $device protocol all parent $devicenumber:0 prio $tcref->{markprio} handle $mark fw classid $classid" if $tcref->{occurs} == 1;
 		}
 
 		emit "run_tc filter add dev $device protocol all prio 1 parent $sfqinhex: handle $classnum flow hash keys $tcref->{flow} divisor 1024" if $tcref->{flow};
 		#
 		# options
 		#
-		emit( "run_tc filter add dev $device parent $devicenumber:0 protocol ip prio " . ( $priority | 10 ) . ' u32' .
+		emit( "run_tc filter add dev $device parent $devicenumber:0 protocol ip prio $tcref->{tcp_ack} u32" .
 		      "\\\n    match ip protocol 6 0xff" .
 		      "\\\n    match u8 0x05 0x0f at 0" .
 		      "\\\n    match u16 0x0000 0xffc0 at 2" .
 		      "\\\n    match u8 0x10 0xff at 33 flowid $classid" ) if $tcref->{tcp_ack};
 
 		for my $tospair ( @{$tcref->{tos}} ) {
+		    ( $tospair, my $priority ) = split /:/, $tospair;
 		    my ( $tos, $mask ) = split q(/), $tospair;
-		    emit "run_tc filter add dev $device parent $devicenumber:0 protocol ip prio " . ( $priority | 10 ) . " u32 match ip tos $tos $mask flowid $classid";
+		    emit "run_tc filter add dev $device parent $devicenumber:0 protocol ip prio $priority u32 match ip tos $tos $mask flowid $classid";
 		}
 
 		save_progress_message_short qq("   TC Class $classid defined.");
@@ -2063,7 +2220,11 @@ sub process_secmark_rule() {
 
     my %state = ( N   => 'NEW' ,
 		  I   => 'INVALID',
+		  U   => 'UNTRACKED',
+		  IU  => 'INVALID,UNTRACKED',
 		  NI  => 'NEW,INVALID',
+		  NU  => 'NEW,UNTRACKED',
+		  NIU => 'NEW,INVALID,UNTRACKED',
 		  E   => 'ESTABLISHED' ,
 		  ER  => 'ESTABLISHED,RELATED',
 		);
@@ -2161,91 +2322,98 @@ sub setup_tc() {
     }
 
     if ( $config{MANGLE_ENABLED} ) {
-	our  @tccmd = ( { match     => sub ( $ ) { $_[0] eq 'SAVE' } ,
+	our  %tccmd = ( SAVE =>     { match     => sub ( $ ) { $_[0] eq 'SAVE' } ,
 				      target    => 'CONNMARK --save-mark --mask' ,
 				      mark      => $config{TC_EXPERT} ? HIGHMARK : SMALLMARK,
 				      mask      => in_hex( $globals{TC_MASK} ) ,
 				      connmark  => 1
 				    } ,
-			{ match     => sub ( $ ) { $_[0] eq 'RESTORE' },
+			RESTORE =>  { match     => sub ( $ ) { $_[0] eq 'RESTORE' },
 				      target    => 'CONNMARK --restore-mark --mask' ,
 				      mark      => $config{TC_EXPERT} ? HIGHMARK : SMALLMARK ,
 				      mask      => in_hex( $globals{TC_MASK} ) ,
 				      connmark  => 1
 				    } ,
-			{ match     => sub ( $ ) { $_[0] eq 'CONTINUE' },
+			CONTINUE => { match     => sub ( $ ) { $_[0] eq 'CONTINUE' },
 				      target    => 'RETURN' ,
 				      mark      => NOMARK ,
 				      mask      => '' ,
 				      connmark  => 0
 				    } ,
-			{ match     => sub ( $ ) { $_[0] eq 'SAME' },
+			SAME =>     { match     => sub ( $ ) { $_[0] eq 'SAME' },
 				      target    => 'sticky' ,
 				      mark      => NOMARK ,
 				      mask      => '' ,
 				      connmark  => 0
 				    } ,
-			{ match     => sub ( $ ) { $_[0] =~ /^IPMARK/ },
+			IPMARK =>   { match     => sub ( $ ) { $_[0] =~ /^IPMARK/ },
 				      target    => 'IPMARK' ,
 				      mark      => NOMARK,
 				      mask      => '',
 				      connmark  => 0
 				    } ,
-			{ match     => sub ( $ ) { $_[0] =~ '\|.*'} ,
+			'|' =>      { match     => sub ( $ ) { $_[0] =~ '\|.*'} ,
 				      target    => 'MARK --or-mark' ,
 				      mark      => HIGHMARK ,
-			  mask      => '' } ,
-			{ match     => sub ( $ ) { $_[0] =~ '&.*' },
+				      mask      => ''
+				    } ,
+			'&' =>      { match     => sub ( $ ) { $_[0] =~ '&.*' },
 				      target    => 'MARK --and-mark' ,
 				      mark      => HIGHMARK ,
 				      mask      => '' ,
 				      connmark  => 0
 				    } ,
-			{ match     => sub ( $ ) { $_[0] =~ /^TPROXY/ },
+			TPROXY =>   { match     => sub ( $ ) { $_[0] =~ /^TPROXY/ },
 				      target    => 'TPROXY',
 				      mark      => HIGHMARK,
 				      mask      => '',
-			  connmark  => '' },
-			{ match     => sub( $ ) { $_[0] =~ /^DIVERT/ },
+				      connmark  => ''
+				    },
+			DIVERT =>   { match     => sub( $ ) { $_[0] =~ /^DIVERT/ },
 				      target    => 'DIVERT',
 				      mark      => HIGHMARK,
 				      mask      => '',
-			  connmark  => '' },
-			{ match     => sub( $ ) { $_[0] =~ /^TTL/ },
+				      connmark  => ''
+				    },
+			TTL =>      { match     => sub( $ ) { $_[0] =~ /^TTL/ },
 				      target    => 'TTL',
 				      mark      => NOMARK,
 				      mask      => '',
 				      connmark  => 0
 			            },
-			{ match     => sub( $ ) { $_[0] =~ /^HL/ },
+			HL =>       { match     => sub( $ ) { $_[0] =~ /^HL/ },
 				      target    => 'HL',
 				      mark      => NOMARK,
 				      mask      => '',
 				      connmark  => 0
 			            },
-			{ match     => sub( $ ) { $_[0] =~ /^IMQ\(\d+\)$/ },
+			IMQ =>      { match     => sub( $ ) { $_[0] =~ /^IMQ\(\d+\)$/ },
 				      target    => 'IMQ',
 				      mark      => NOMARK,
 				      mask      => '',
 				      connmark  => 0
 			            },
-			{ match     => sub( $ ) { $_[0] =~ /^DSCP\(\w+\)$/ },
+			DSCP =>     { match     => sub( $ ) { $_[0] =~ /^DSCP\(\w+\)$/ },
 				      target    => 'DSCP',
 				      mark      => NOMARK,
 				      mask      => '',
 				      connmark  => 0
 				    },
-			{ match     => sub( $ ) { $_[0] =~ /^TOS\(.+\)$/ },
+			TOS =>      { match     => sub( $ ) { $_[0] =~ /^TOS\(.+\)$/ },
 				      target    => 'TOS',
 				      mark      => NOMARK,
 				      mask      => '',
 				      connmark  => 0
 				    },
+			CHECKSUM => { match     => sub( $ ) { $_[0] eq 'CHECKSUM' },
+				      target    => 'CHECKSUM' ,
+				      mark      => NOMARK,
+				      mask      => '',
+				      connmark  => 0,
+				    }
 		      );
 
-	if ( my $fn = open_file 'tcrules' ) {
-
-	    our $format = 1;
+	if ( my $fn = open_file( 'tcrules' , 2, 1 ) ) {
 
 	    first_entry "$doing $fn...";
 
@@ -2255,7 +2423,7 @@ sub setup_tc() {
 
 	}
 
-	if ( my $fn = open_file 'secmarks' ) {
+	if ( my $fn = open_file( 'secmarks', 1, 1 ) ) {
 
 	    first_entry "$doing $fn...";
 

Shorewall/Perl/Shorewall/Tunnels.pm

@@ -285,7 +285,7 @@ sub setup_tunnels() {
     #
     # Setup_Tunnels() Starts Here
     #
-    if ( my $fn = open_file 'tunnels' ) {
+    if ( my $fn = open_file( 'tunnels', 1, 1 ) ) {
 
 	first_entry "$doing $fn...";
 

Shorewall/Perl/Shorewall/Zones.pm

@@ -31,7 +31,7 @@ use Shorewall::IPAddrs;
 use strict;
 
 our @ISA = qw(Exporter);
-our @EXPORT = qw( NOTHING
+our @EXPORT = ( qw( NOTHING
 		    NUMERIC
 		    NETWORK
 		    IPSECPROTO
@@ -41,6 +41,7 @@ our @EXPORT = qw( NOTHING
 		    IP
 		    BPORT
 		    IPSEC
+		    GROUP
 		    NO_UPDOWN
 		    NO_SFILTER
 
@@ -91,6 +92,7 @@ our @EXPORT = qw( NOTHING
 		    find_zones_by_option
 		    all_ipsets
 		    have_ipsec
+		 ),
 	      );
 
 our @EXPORT_OK = qw( initialize );
@@ -146,12 +148,12 @@ use constant { IN_OUT     => 1,
 #
 #     $firewall_zone names the firewall zone.
 #
-my @zones;
-my %zones;
-my %zonetypes;
-my $firewall_zone;
+our @zones;
+our %zones;
+our %zonetypes;
+our $firewall_zone;
 
-my  %reservedName = ( all => 1,
+our %reservedName = ( all => 1,
 		      any => 1,
 		      none => 1,
 		      SOURCE => 1,
@@ -186,22 +188,24 @@ my  %reservedName = ( all => 1,
 #    The purpose of the 'base' member is to ensure that the base names associated with the physical interfaces are assigned in
 #    the same order as the interfaces are encountered in the configuration files.
 #
-my @interfaces;
-my %interfaces;
-my %roots;
-my @bport_zones;
-my %ipsets;
-my %physical;
-my %basemap;
-my %mapbase;
-my $family;
-my $upgrade;
-my $have_ipsec;
-my $baseseq;
-my $minroot;
-my $zonemark;
-my $zonemarkincr;
-my $zonemarklimit;
+our @interfaces;
+our %interfaces;
+our %roots;
+our @bport_zones;
+our %ipsets;
+our %physical;
+our %basemap;
+our %basemap1;
+our %mapbase;
+our %mapbase1;
+our $family;
+our $upgrade;
+our $have_ipsec;
+our $baseseq;
+our $minroot;
+our $zonemark;
+our $zonemarkincr;
+our $zonemarklimit;
 
 use constant { FIREWALL => 1,
 	       IP       => 2,
@@ -228,17 +232,18 @@ use constant { SIMPLE_IF_OPTION   => 1,
 use constant { NO_UPDOWN   => 1, 
 	       NO_SFILTER  => 2 };
 
-my %validinterfaceoptions;
+our %validinterfaceoptions;
 
-my %defaultinterfaceoptions = ( routefilter => 1 , wait => 60 );
+our %defaultinterfaceoptions = ( routefilter => 1 , wait => 60 );
 
-my %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 , ignore => NO_UPDOWN );
+our %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 , ignore => NO_UPDOWN );
 
-my %validhostoptions;
+our %validhostoptions;
 
-my %validzoneoptions = ( mss          => NUMERIC,
+our %validzoneoptions = ( mss            => NUMERIC,
 			  nomark         => NOTHING,
 			  blacklist      => NOTHING,
+			  dynamic_shared => NOTHING,
 			  strict         => NOTHING,
 			  next           => NOTHING,
 			  reqid          => NUMERIC,
@@ -253,7 +258,10 @@ use constant { UNRESTRICTED => 1, NOFW => 2 , COMPLEX => 8, IN_OUT_ONLY => 16 };
 #
 # Hash of options that have their own key in the returned hash.
 #
-my %zonekey = ( mss => UNRESTRICTED | COMPLEX , blacklist => NOFW, nomark => NOFW | IN_OUT_ONLY );
+our %zonekey = ( mss            => UNRESTRICTED | COMPLEX ,
+		 blacklist      => NOFW, 
+		 nomark         => NOFW | IN_OUT_ONLY,
+		 dynamic_shared => IN_OUT_ONLY );
 
 #
 # Rather than initializing globals in an INIT block or during declaration,
@@ -279,7 +287,9 @@ sub initialize( $$ ) {
     %ipsets = ();
     %physical = ();
     %basemap = ();
+    %basemap1 = ();
     %mapbase = ();
+    %mapbase1 = ();
     $baseseq = 0;
     $minroot = 0;
 
@@ -397,7 +407,7 @@ sub parse_zone_option_list($$\$$)
 
 	    if ( $key ) {
 		fatal_error "Option '$e' not permitted with this zone type " if $key & NOFW && ($zonetype & ( FIREWALL | VSERVER) );
-		fatal_error "Opeion '$e' is only permitted in the OPTIONS columns" if $key & IN_OUT_ONLY && $column != IN_OUT;
+		fatal_error "Option '$e' is only permitted in the OPTIONS columns" if $key & IN_OUT_ONLY && $column != IN_OUT;
 		$$complexref = 1 if $key & COMPLEX;
 		$h{$e} = $val || 1;
 	    } else {
@@ -533,6 +543,7 @@ sub process_zone( \$ ) {
     }
 
     if ( $zoneref->{options}{in_out}{blacklist} ) {
+	warning_message q(The 'blacklist' option is deprecated);
 	for ( qw/in out/ ) {
 	    unless ( $zoneref->{options}{$_}{blacklist} ) {
 		$zoneref->{options}{$_}{blacklist} = 1;
@@ -540,6 +551,10 @@ sub process_zone( \$ ) {
 		warning_message( "Redundant 'blacklist' in " . uc( $_ ) . '_OPTIONS' );
 	    }
 	}
+    } else {
+	for ( qw/in out/ ) {
+	    warning_message q(The 'blacklist' option is deprecated), last if  $zoneref->{options}{$_}{blacklist};
+	}
     }
 
     return $zone;
@@ -752,6 +767,13 @@ sub add_group_to_zone($$$$$)
 	    $new = \@exclusions;
 	}
 
+	if ( substr( $host, 0, 1 ) eq '+' ) {
+	    fatal_error "Invalid ipset name ($host)" unless $host =~ /^\+(6_)?[a-zA-Z][-\w]*$/;
+	    require_capability( 'IPSET_MATCH', 'Ipset names in host lists', '');
+	} else {
+	    $host = validate_host $host, 0;
+	}
+
 	unless ( $switched ) {
 	    if ( $type == $zonetype ) {
 		fatal_error "Duplicate Host Group ($interface:$host) in zone $zone" if $interfaces{$interface}{zone} eq $zone;
@@ -770,13 +792,6 @@ sub add_group_to_zone($$$$$)
 	    }
 	}
 
-	if ( substr( $host, 0, 1 ) eq '+' ) {
-	    fatal_error "Invalid ipset name ($host)" unless $host =~ /^\+(6_)?[a-zA-Z]\w*$/;
-	    require_capability( 'IPSET_MATCH', 'Ipset names in host lists', '');
-	} else {
-	    validate_host $host, 0;
-	}
-
 	push @$new, $host;
     }
 
@@ -928,6 +943,55 @@ sub chain_base($) {
     $basemap{$key} = $name;
 }
 
+#
+# This is a slightly relaxed version of the above that allows '-' in the generated name.
+#
+sub chain_base1($) {
+    my $chain = $_[0];
+    my $name  = $basemap1{$chain};
+    #
+    # Return existing mapping, if any
+    #
+    return $name if $name;
+    #
+    # Remember initial value
+    #
+    my $key = $chain;
+    #
+    # Handle VLANs and wildcards
+    #
+    $chain =~ s/\+$//;
+    $chain =~ tr/./_/;
+
+    if ( $chain eq '' || $chain =~ /^[0-9]/ || $chain =~ /[^-\w]/ ) {
+	#
+	# Must map. Remove all illegal characters
+	#
+	$chain =~ s/[^\w]//g;
+	#
+	# Prefix with if_ if it begins with a digit
+	#
+	$chain = join( '' , 'if_', $chain ) if $chain =~ /^[0-9]/;
+	#
+	# Create a new unique name
+	#
+	1 while $mapbase1{$name = join ( '_', $chain, ++$baseseq )};
+    } else {
+	#
+	# We'll store the identity mapping if it is unique
+	#
+	$chain = join( '_', $key , ++$baseseq ) while $mapbase1{$name = $chain};
+    }
+    #
+    # Store the reverse mapping
+    #
+    $mapbase1{$name} = $key;
+    #
+    # Store the mapping
+    #
+    $basemap1{$key} = $name;
+}
+
 #
 # Process a record in the interfaces file
 #
@@ -938,9 +1002,8 @@ sub process_interface( $$ ) {
     my ($zone, $originalinterface, $bcasts, $options );
     my $zoneref;
     my $bridge = '';
-    our $format;
 
-    if ( $format == 1 ) {
+    if ( $file_format == 1 ) {
 	($zone, $originalinterface, $bcasts, $options ) = split_line1 'interfaces file', { zone => 0, interface => 1, broadcast => 2, options => 3 }, { COMMENT => 0, FORMAT => 2 };
     } else {
 	($zone, $originalinterface, $options ) = split_line1 'interfaces file', { zone => 0, interface => 1, options => 2 }, { COMMENT => 0, FORMAT => 2 };
@@ -948,8 +1011,9 @@ sub process_interface( $$ ) {
     }
 
     if ( $zone eq 'FORMAT' ) {
+	format_warning;
 	if ( $originalinterface =~ /^([12])$/ ) {
-	    $format = $1;
+	    $file_format = $1;
 	    return;
 	}
 
@@ -1146,7 +1210,7 @@ sub process_interface( $$ ) {
 		    $hostoptions{broadcast} = 1;
 		} elsif ( $option eq 'sfilter' ) {
 		    $filterref = [ split_list $value, 'address' ];
-		    validate_net( $_, 1) for @{$filterref}
+		    $_ = validate_net( $_, 1) for @{$filterref}
 		} else {
 		    assert(0);
 		}
@@ -1187,7 +1251,8 @@ sub process_interface( $$ ) {
 	}
 
 	if ( $netsref eq 'dynamic' ) {
-	    my $ipset = $family == F_IPV4 ? "${zone}_" . chain_base $physical : "6_${zone}_" . chain_base $physical;
+	    my $ipset = $family == F_IPV4 ? "${zone}" : "6_${zone}";
+	    $ipset = join( '_', $ipset, chain_base1( $physical ) ) unless $zoneref->{options}{in_out}{dynamic_shared};	    
 	    $netsref = [ "+$ipset" ];
 	    $ipsets{$ipset} = 1;
 	}
@@ -1246,12 +1311,11 @@ sub process_interface( $$ ) {
 #
 sub validate_interfaces_file( $ ) {
     my  $export = shift;
-    our $format = 1;
 
     my @ifaces;
     my $nextinum = 1;
 
-    if ( my $fn = open_file 'interfaces' ) {
+    if ( my $fn = open_file 'interfaces', 2 ) {
 	first_entry "$doing $fn...";
 	push @ifaces, process_interface( $nextinum++, $export ) while read_a_line( NORMAL_READ );
     } else {
@@ -1758,7 +1822,8 @@ sub process_host( ) {
 	    fatal_error "Invalid HOST(S) column contents: $hosts";
 	}
     } elsif ( $hosts =~ /^([\w.@%-]+\+?):<(.*)>$/               ||
-	      $hosts =~ /^([\w.@%-]+\+?):\[(.*)\]$/ ||
+	      $hosts =~ /^([\w.@%-]+\+?)\[(.*)\]$/              ||
+	      $hosts =~ /^([\w.@%-]+\+?):(!?\[.+\](?:\/\d+)?)$/ ||
 	      $hosts =~ /^([\w.@%-]+\+?):(!?\+.*)$/             ||
 	      $hosts =~ /^([\w.@%-]+\+?):(dynamic)$/ ) {
 	$interface = $1;
@@ -1799,6 +1864,7 @@ sub process_host( ) {
 	    } elsif ( $option eq 'norfc1918' ) {
 		warning_message "The 'norfc1918' host option is no longer supported"
 	    } elsif ( $option eq 'blacklist' ) {
+		warning_message "The 'blacklist' option is deprecated";
 		$zoneref->{options}{in}{blacklist} = 1;
 	    } elsif ( $option =~ /^mss=(\d+)$/ ) {
 		fatal_error "Invalid mss ($1)" unless $1 >= 500;
@@ -1835,8 +1901,14 @@ sub process_host( ) {
     if ( $hosts eq 'dynamic' ) {
 	fatal_error "Vserver zones may not be dynamic" if $type & VSERVER;
 	require_capability( 'IPSET_MATCH', 'Dynamic nets', '');
-	my $physical = chain_base( physical_name $interface );
-	my $set      = $family == F_IPV4 ? "${zone}_${physical}" : "6_${zone}_${physical}";
+
+	my $set = $family == F_IPV4 ? "${zone}" : "6_${zone}";
+	
+	unless ( $zoneref->{options}{in_out}{dynamic_shared} ) {
+	    my $physical = chain_base1( physical_name $interface );
+	    $set = join( '_', $set, $physical );
+	}
+
 	$hosts = "+$set";
 	$optionsref->{dynamic} = 1;
 	$ipsets{$set} = 1;

Shorewall/Perl/compiler.pl

@@ -37,7 +37,8 @@
 #         --log_verbosity=<number>    # Log Verbosity range -1 to 2
 #         --family=<number>           # IP family; 4 = IPv4 (default), 6 = IPv6
 #         --preview                   # Preview the ruleset.
-#         --shorewallrc=<path>        # Path to shorewallrc file.
+#         --shorewallrc=<path>        # Path to global shorewallrc file.
+#         --shorewallrc1=<path>       # Path to export shorewallrc file.
 #         --config_path=<path-list>   # Search path for config files
 #
 use strict;
@@ -66,7 +67,9 @@ sub usage( $ ) {
     [ --annotate ]
     [ --update ]
     [ --convert ]
+    [ --directives ]
     [ --shorewallrc=<pathname> ]
+    [ --shorewallrc1=<pathname> ]
     [ --config_path=<path-list> ]
 ';
 
@@ -92,8 +95,10 @@ my $preview       = 0;
 my $annotate      = 0;
 my $update        = 0;
 my $convert       = 0;
+my $directives    = 0;
 my $config_path   = '';
 my $shorewallrc   = '';
+my $shorewallrc1  = '';
 
 Getopt::Long::Configure ('bundling');
 
@@ -121,11 +126,14 @@ my $result = GetOptions('h'               => \$help,
 			'confess'         => \$confess,
 			'a'               => \$annotate,
 			'annotate'        => \$annotate,
+			'directives'      => \$directives,
+			'D'               => \$directives,
 			'u'               => \$update,
 			'update'          => \$update,
 			'convert'         => \$convert,
 			'config_path=s'   => \$config_path,
 			'shorewallrc=s'   => \$shorewallrc,
+			'shorewallrc1=s'  => \$shorewallrc1,
 		       );
 
 usage(1) unless $result && @ARGV < 2;
@@ -147,6 +155,8 @@ compiler( script          => $ARGV[0] || '',
 	  update          => $update,
 	  convert         => $convert,
 	  annotate        => $annotate,
+	  directives      => $directives,
 	  config_path     => $config_path,
-	  shorewallrc     => $shorewallrc
+	  shorewallrc     => $shorewallrc,
+	  shorewallrc1    => $shorewallrc1,
 	);

Shorewall/Perl/getparams

@@ -25,12 +25,12 @@
 #
 #      $1 = Path name of params file
 #      $2 = $CONFIG_PATH
-#      $3 = Address family (4 o4 6)
+#      $3 = Address family (4 or 6)
 #
 if [ "$3" = 6 ]; then
-    g_program=shorewall6
+    PRODUCT=shorewall6
 else
-    g_program=shorewall
+    PRODUCT=shorewall
 fi
 
 #
@@ -38,11 +38,9 @@ fi
 #
 . /usr/share/shorewall/shorewallrc
 
-g_libexec="$LIBEXECDIR"
-g_sharedir="$SHAREDIR"/shorewall
-g_sbindir="$SBINDIR"
-g_perllib="$PERLLIBDIR"
-g_confdir="$CONFDIR"/shorewall
+g_program=$PRODUCT
+g_sharedir="$SHAREDIR/shorewall"
+g_confdir="$CONFDIR/$PRODUCT"
 g_readrc=1
 
 . $g_sharedir/lib.cli

Shorewall/Perl/lib.core

@@ -430,7 +430,7 @@ run_iptables()
     local status
 
     while [ 1 ]; do
-	$g_tool $@
+	eval $g_tool $@
 	status=$?
 	[ $status -ne 4 ] && break
     done
@@ -626,7 +626,7 @@ EOF
     fi
 }
 
-?IF __IPV4
+?if __IPV4
 #################################################################################
 #                        IPv4-specific Functions
 #################################################################################
@@ -838,13 +838,13 @@ detect_dynamic_gateway() { # $1 = interface
 	gateway=$( find_peer $($IP addr list $interface ) )
     fi
 
-    if [ -z "$gateway" -a -f /var/lib/dhcpcd/dhcpcd-${1}.info ]; then
-	eval $(grep ^GATEWAYS=  /var/lib/dhcpcd/dhcpcd-${1}.info 2> /dev/null)
+    if [ -z "$gateway" -a -f ${VARLIB}/dhcpcd/dhcpcd-${1}.info ]; then
+	eval $(grep ^GATEWAYS=  ${VARLIB}/dhcpcd/dhcpcd-${1}.info 2> /dev/null)
 	[ -n "$GATEWAYS" ] && GATEWAYS=${GATEWAYS%,*} && gateway=$GATEWAYS
     fi
 
-    if [ -z "$gateway" -a -f /var/lib/dhcp/dhclient-${1}.lease ]; then
-	gateway=$(grep 'option routers' /var/lib/dhcp/dhclient-${1}.lease | tail -n 1 | while read j1 j2 gateway; do echo $gateway ; return 0; done)
+    if [ -z "$gateway" -a -f ${VARLIB}/dhcp/dhclient-${1}.lease ]; then
+	gateway=$(grep 'option routers' ${VARLIB}/dhcp/dhclient-${1}.lease | tail -n 1 | while read j1 j2 gateway; do echo $gateway ; return 0; done)
     fi
 
     [ -n "$gateway" ] && echo $gateway
@@ -1032,7 +1032,7 @@ get_all_bcasts()
     $IP -f inet addr show 2> /dev/null | grep 'inet.*brd' | grep -v '/32 ' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
 }
 
-?ELSE
+?else
 #################################################################################
 #                        IPv6-specific Functions
 #################################################################################
@@ -1324,4 +1324,4 @@ clear_firewall() {
     logger -p kern.info "$g_product Cleared"
 }
 
-?ENDIF
+?endif

Shorewall/Perl/prog.footer

@@ -33,9 +33,9 @@ usage() {
 }
 
 checkkernelversion() {
+?if __IPV6
     local kernel
 
-    if [ $g_family -eq 6 ]; then
     kernel=$(uname -r 2> /dev/null | sed -e 's/-.*//')
 
     case "$kernel" in
@@ -51,7 +51,7 @@ checkkernelversion() {
 	error_message "ERROR: $g_product requires Linux kernel 2.6.24 or later"
 	return 1
     fi
-    fi
+?endif
 
     return 0
 }

Shorewall/Samples/Universal/interfaces

@@ -7,7 +7,7 @@
 # http://www.shorewall.net/manpages/shorewall-interfaces.html
 #
 ###############################################################################
-FORMAT 2
+?FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
 -	lo		ignore

Shorewall/Samples/Universal/rules

@@ -6,7 +6,7 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-rules.html
 #
-##############################################################################################################################################################################################
+######################################################################################################################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS		SWITCH		HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL

Shorewall/Samples/Universal/shorewall.conf

@@ -114,6 +114,8 @@ ADD_SNAT_ALIASES=No
 
 ADMINISABSENTMINDED=Yes
 
+IGNOREUNKNOWNVARIABLES=No
+
 AUTOCOMMENT=Yes
 
 AUTOHELPERS=Yes
@@ -186,6 +188,8 @@ REQUIRE_INTERFACE=Yes
 
 RESTORE_DEFAULT_ROUTE=Yes
 
+RESTORE_ROUTEMARKS=Yes
+
 RETAIN_ALIASES=No
 
 ROUTE_FILTER=No

Shorewall/Samples/one-interface/interfaces

@@ -11,7 +11,7 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-interfaces"
 ###############################################################################
-FORMAT 2
+?FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
 net     eth0            dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0

Shorewall/Samples/one-interface/rules

@@ -10,7 +10,7 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall-rules"
-##############################################################################################################################################################################################
+######################################################################################################################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS		SWITCH		HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL

Shorewall/Samples/one-interface/shorewall.conf

@@ -125,6 +125,8 @@ ADD_SNAT_ALIASES=No
 
 ADMINISABSENTMINDED=Yes
 
+IGNOREUNKNOWNVARIABLES=No
+
 AUTOCOMMENT=Yes
 
 AUTOHELPERS=Yes
@@ -197,6 +199,8 @@ REQUIRE_INTERFACE=No
 
 RESTORE_DEFAULT_ROUTE=Yes
 
+RESTORE_ROUTEMARKS=Yes
+
 RETAIN_ALIASES=No
 
 ROUTE_FILTER=No

Shorewall/Samples/three-interfaces/interfaces

@@ -11,7 +11,7 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-interfaces"
 ###############################################################################
-FORMAT 2
+?FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
 net     eth0            tcpflags,dhcp,nosmurfs,routefilter,logmartians,sourceroute=0

Shorewall/Samples/three-interfaces/rules

@@ -10,7 +10,7 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-rules"
-##############################################################################################################################################################################################
+######################################################################################################################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS		SWITCH		HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL

Shorewall/Samples/three-interfaces/shorewall.conf

@@ -123,6 +123,8 @@ ADD_SNAT_ALIASES=No
 
 ADMINISABSENTMINDED=Yes
 
+IGNOREUNKNOWNVARIABLES=No
+
 AUTOCOMMENT=Yes
 
 AUTOHELPERS=Yes
@@ -195,6 +197,8 @@ REQUIRE_INTERFACE=No
 
 RESTORE_DEFAULT_ROUTE=Yes
 
+RESTORE_ROUTEMARKS=Yes
+
 RETAIN_ALIASES=No
 
 ROUTE_FILTER=No

Shorewall/Samples/three-interfaces/stoppedrules

@@ -1,6 +1,6 @@
 #
-# Shorewall6 version 4.0 - Sample Routestopped File for two-interface configuration.
-# Copyright (C) 2006,2008 by the Shorewall Team
+# Shorewall version 4.5 - Sample Stoppedrules File for three-interface configuration.
+# Copyright (C) 2012 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -9,11 +9,12 @@
 #
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
-# For information about entries in this file, type "man shorewall6-routestopped"
-#
-# See http://shorewall.net/starting_and_stopping_shorewall.htm for additional
-# information.
-#
-##############################################################################
-#INTERFACE	HOST(S)                  OPTIONS
-eth1		-
+# For information about entries in this file, type "man shorewall-stoppedrules"
+###############################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST		SOURCE
+#							PORT(S)		PORT(S)
+ACCEPT		eth1		-
+ACCEPT		-		eth1
+ACCEPT		eth2		-
+ACCEPT		-		eth2
+

Shorewall/Samples/two-interfaces/interfaces

@@ -11,7 +11,7 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-interfaces"
 ###############################################################################
-FORMAT 2
+?FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
 net     eth0            dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0

Shorewall/Samples/two-interfaces/rules

@@ -10,7 +10,7 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-rules"
-##############################################################################################################################################################################################
+######################################################################################################################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS		SWITCH		HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL

Shorewall/Samples/two-interfaces/shorewall.conf

@@ -126,6 +126,8 @@ ADD_SNAT_ALIASES=No
 
 ADMINISABSENTMINDED=Yes
 
+IGNOREUNKNOWNVARIABLES=No
+
 AUTOCOMMENT=Yes
 
 AUTOHELPERS=Yes
@@ -198,6 +200,8 @@ REQUIRE_INTERFACE=No
 
 RESTORE_DEFAULT_ROUTE=Yes
 
+RESTORE_ROUTEMARKS=Yes
+
 RETAIN_ALIASES=No
 
 ROUTE_FILTER=No

Shorewall/Samples/two-interfaces/stoppedrules

@@ -1,6 +1,6 @@
 #
-# Shorewall version 4.0 - Sample Routestopped File for two-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Shorewall version 4.5 - Sample Stoppedrules File for two-interface configuration.
+# Copyright (C) 2012 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -9,7 +9,9 @@
 #
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
-# For information about entries in this file, type "man shorewall-routestopped"
-##############################################################################
-#INTERFACE	HOST(S)                  OPTIONS
-eth1		-
+# For information about entries in this file, type "man shorewall-stoppedrules"
+###############################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST		SOURCE
+#							PORT(S)		PORT(S)
+ACCEPT		eth1		-
+ACCEPT		-		eth1

Shorewall/action.Broadcast

@@ -27,7 +27,7 @@
 #       Default action is DROP
 #
 ##########################################################################################
-FORMAT 2
+?FORMAT 2
 
 DEFAULTS DROP,-
 
@@ -43,6 +43,7 @@ fatal_error "Invalid parameter ($audit) to action Broadcast"   if supplied $audi
 fatal_error "Invalid parameter ($action) to action Broadcast"  unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
 
 my $chainref           = get_action_chain;
+
 my ( $level, $tag )    = get_action_logging;
 my $target             = require_audit ( $action , $audit );
 

Shorewall/action.Drop

@@ -31,9 +31,9 @@
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 #
 ###############################################################################
-FORMAT 2
+?FORMAT 2
 #
-# The following magic provides different defaults for $2 thru $5, when $1 is
+# The following magic provides different defaults for @2 thru @5, when @1 is
 # 'audit'.
 #
 ?BEGIN PERL;
@@ -66,31 +66,31 @@ COUNT
 #
 # Reject 'auth'
 #
-Auth($2)
+Auth(@2)
 #
 # Don't log broadcasts
 #
-Broadcast(DROP,$1)
+Broadcast(DROP,@1)
 #
 # ACCEPT critical ICMP types
 #
-AllowICMPs($4)	-	-	icmp
+AllowICMPs(@4)	-	-	icmp
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log.
 #
-Invalid(DROP,$1)
+Invalid(DROP,@1)
 #
 # Drop Microsoft noise so that it doesn't clutter up the log.
 #
-SMB($3)
-DropUPnP($5)
+SMB(@3)
+DropUPnP(@5)
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #
-NotSyn(DROP,$1)	-	-	tcp
+NotSyn(DROP,@1)	-	-	tcp
 #
 # Drop late-arriving DNS replies. These are just a nuisance and clutter up
 # the log.
 #
-DropDNSrep($5)
+DropDNSrep(@5)

Shorewall/action.DropSmurfs

@@ -9,19 +9,21 @@
 #          audit = Audit dropped packets.
 #
 #################################################################################
-FORMAT 2
+?FORMAT 2
 
 DEFAULTS -
 
 ?BEGIN PERL;
 use strict;
 use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6);
+use Shorewall::IPAddrs qw( IPv6_MULTICAST );
 use Shorewall::Chains;
 use Shorewall::Rules;
 
 my ( $audit ) = get_action_params( 1 );
 
 my $chainref        = get_action_chain;
+
 my ( $level, $tag ) = get_action_logging;
 my $target;
 

Shorewall/action.Invalid

@@ -27,7 +27,7 @@
 #       Default action is DROP
 #
 ##########################################################################################
-FORMAT 2
+?FORMAT 2
 
 DEFAULTS DROP,-
 
@@ -43,6 +43,7 @@ fatal_error "Invalid parameter ($audit) to action Invalid"   if supplied $audit
 fatal_error "Invalid parameter ($action) to action Invalid"  unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
 
 my $chainref         = get_action_chain;
+
 my ( $level, $tag )  = get_action_logging;
 my $target           = require_audit ( $action , $audit );
 

Shorewall/action.NotSyn

@@ -27,7 +27,7 @@
 #       Default action is DROP
 #
 ##########################################################################################
-FORMAT 2
+?FORMAT 2
 
 DEFAULTS DROP,-
 
@@ -43,6 +43,7 @@ fatal_error "Invalid parameter ($audit) to action NotSyn"   if supplied $audit &
 fatal_error "Invalid parameter ($action) to action NotSyn"  unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
 
 my $chainref         = get_action_chain;
+
 my ( $level, $tag )  = get_action_logging;
 my $target           = require_audit ( $action , $audit );
 

Shorewall/action.RST

@@ -27,7 +27,7 @@
 #       Default action is DROP
 #
 ##########################################################################################
-FORMAT 2
+?FORMAT 2
 
 DEFAULTS DROP,-
 
@@ -38,15 +38,16 @@ use Shorewall::Chains;
 
 my ( $action, $audit ) = get_action_params( 2 );
 
-fatal_error "Invalid parameter ($audit) to action NotSyn"   if supplied $audit && $audit ne 'audit';
-fatal_error "Invalid parameter ($action) to action NotSyn"  unless $action =~ /^(?:ACCEPT|DROP)$/;
+fatal_error "Invalid parameter ($audit) to action RST"   if supplied $audit && $audit ne 'audit';
+fatal_error "Invalid parameter ($action) to action RST"  unless $action =~ /^(?:ACCEPT|DROP)$/;
 
 my $chainref         = get_action_chain;
+
 my ( $level, $tag )  = get_action_logging;
 my $target           = require_audit ( $action , $audit );
 
 log_rule_limit $level, $chainref, 'RST' , $action, '', $tag, 'add', '-p 6 --tcp-flags RST RST ' if $level ne '';
-add_jump $chainref , $target, 0, '-p 6 --tcp-flags RST RST, ';
+add_jump $chainref , $target, 0, '-p 6 --tcp-flags RST RST ';
 
 allow_optimize( $chainref );
 

Shorewall/action.Reject

@@ -27,9 +27,9 @@
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 ###############################################################################
-FORMAT 2
+?FORMAT 2
 #
-# The following magic provides different defaults for $2 thru $5, when $1 is
+# The following magic provides different defaults for @2 thru @5, when @1 is
 # 'audit'.
 #
 ?BEGIN PERL;
@@ -62,33 +62,33 @@ COUNT
 #
 # Don't log 'auth' -- REJECT
 #
-Auth($2)
+Auth(@2)
 #
 # Drop Broadcasts so they don't clutter up the log
 # (broadcasts must *not* be rejected).
 #
-Broadcast(DROP,$1)
+Broadcast(DROP,@1)
 #
 # ACCEPT critical ICMP types
 #
-AllowICMPs($4)	-	-	icmp
+AllowICMPs(@4)	-	-	icmp
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log (these ICMPs cannot be
 # rejected).
 #
-Invalid(DROP,$1)
+Invalid(DROP,@1)
 #
 # Reject Microsoft noise so that it doesn't clutter up the log.
 #
-SMB($3)
-DropUPnP($5)
+SMB(@3)
+DropUPnP(@5)
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #
-NotSyn(DROP,$1)	-	-	tcp
+NotSyn(DROP,@1)	-	-	tcp
 #
 # Drop late-arriving DNS replies. These are just a nuisance and clutter up
 # the log.
 #
-DropDNSrep($5)
+DropDNSrep(@5)

Shorewall/action.TCPFlags

@@ -1,7 +1,7 @@
 #
-# Shorewall version 4 - Drop Smurfs Action
+# Shorewall version 4 - Drop TCPFlags Action
 #
-# /usr/share/shorewall/action.DropSmurfs
+# /usr/share/shorewall/action.TCPFlags
 #
 #   Accepts a single optional parameter:
 #
@@ -9,7 +9,7 @@
 #          audit = Audit dropped packets.
 #
 #################################################################################
-FORMAT 2
+?FORMAT 2
 
 DEFAULTS DROP,-
 
@@ -21,6 +21,7 @@ use Shorewall::Chains;
 my ( $disposition, $audit ) = get_action_params( 2 );
 
 my $chainref        = get_action_chain;
+
 my ( $level, $tag ) = get_action_logging;
 
 fatal_error q(The first argument to 'TCPFlags' must be ACCEPT, REJECT, or DROP) unless $disposition =~ /^(ACCEPT|REJECT|DROP)$/;

Shorewall/action.template

@@ -20,7 +20,7 @@
 #
 #######################################################################################################
 #                                         DO NOT REMOVE THE FOLLOWING LINE
-FORMAT 2
-####################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS
+?FORMAT 2
+#################################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH        HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP

Shorewall/actions.std

@@ -35,11 +35,11 @@
 #ACTION
 A_Drop 		                # Audited Default Action for DROP policy
 A_Reject	                # Audited Default action for REJECT policy
-Broadcast	    # Handles Broadcast/Multicast/Anycast
+Broadcast  noinline             # Handles Broadcast/Multicast/Anycast
 Drop		                # Default Action for DROP policy
-DropSmurfs          # Drop smurf packets
-Invalid             # Handles packets in the INVALID conntrack state
-NotSyn              # Handles TCP packets which do not have SYN=1 and ACK=0
+DropSmurfs noinline             # Drop smurf packets
+Invalid    noinline             # Handles packets in the INVALID conntrack state
+NotSyn     noinline             # Handles TCP packets which do not have SYN=1 and ACK=0
 Reject                          # Default Action for REJECT policy
-RST		    # Handle packets with RST set
-TCPFlags            # Handle bad flag combinations.
+RST	   noinline             # Handle packets with RST set
+TCPFlags   noinline             # Handle bad flag combinations.

Shorewall/configfiles/actions

@@ -7,6 +7,6 @@
 #
 # Please see http://shorewall.net/Actions.html for additional information.
 #
-###############################################################################
-#ACTION             COMMENT (place '# ' below the 'C' in comment followed by
-#                           a comment describing the action)
+########################################################################################
+#ACTION    OPTIONS		COMMENT (place '# ' below the 'C' in comment followed by
+#                        	v        a comment describing the action)

Shorewall/configfiles/conntrack

@@ -3,51 +3,51 @@
 #
 # For information about entries in this file, type "man shorewall-conntrack"
 #
-#############################################################################################
-FORMAT 2
-#ACTION			SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/
+##############################################################################################################
+?FORMAT 3
+#ACTION			SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/		SWITCH
 #								PORT(S)		PORT(S)	GROUP
 ?if $AUTOHELPERS && __CT_TARGET
 
 ?if __AMANDA_HELPER
-CT:helper:amanda	all		-		udp	10080
+CT:helper:amanda:PO	-		-		udp	10080
 ?endif
 
 ?if __FTP_HELPER
-CT:helper:ftp		all		-		tcp	21
+CT:helper:ftp:PO	-		-		tcp	21
 ?endif
 
 ?if __H323_HELPER
-CT:helper:RAS		all		-		udp	1719
-CT:helper:Q.931		all		-		tcp	1720
+CT:helper:RAS:PO	-		-		udp	1719
+CT:helper:Q.931:PO	-		-		tcp	1720
 ?endif
 
 ?if __IRC_HELPER
-CT:helper:irc		all		-		tcp	6667
+CT:helper:irc:PO	-		-		tcp	6667
 ?endif
 
 ?if __NETBIOS_NS_HELPER
-CT:helper:netbios-ns	all		-		udp	137
+CT:helper:netbios-ns:PO	-		-		udp	137
 ?endif
 
 ?if __PPTP_HELPER
-CT:helper:pptp		all		-		tcp	1729
+CT:helper:pptp:PO	-		-		tcp	1723
 ?endif
 
 ?if __SANE_HELPER
-CT:helper:sane		all		-		tcp	6566
+CT:helper:sane:PO	-		-		tcp	6566
 ?endif
 
 ?if __SIP_HELPER
-CT:helper:sip		all		-		udp	5060
+CT:helper:sip:PO	-		-		udp	5060
 ?endif
 
 ?if __SNMP_HELPER
-CT:helper:snmp		all		-		udp	161
+CT:helper:snmp:PO	-		-		udp	161
 ?endif
 
 ?if __TFTP_HELPER
-CT:helper:tftp		all		-		udp	69
+CT:helper:tftp:PO	-		-		udp	69
 ?endif
 
 ?endif

Shorewall/configfiles/interfaces

@@ -7,6 +7,6 @@
 # http://www.shorewall.net/manpages/shorewall-interfaces.html
 #
 ###############################################################################
-FORMAT 2
+?FORMAT 2
 ###############################################################################
 #ZONE		INTERFACE		OPTIONS

Shorewall/configfiles/routestopped

@@ -1,6 +1,8 @@
 #
 # Shorewall version 4 - Routestopped File
 #
+# This file is deprecated in favor of the stoppedrules file
+#
 # For information about entries in this file, type "man shorewall-routestopped"
 #
 # The manpage is also online at

Shorewall/configfiles/rules

@@ -6,7 +6,7 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-rules.html
 #
-#################################################################################################################################################################################################
+######################################################################################################################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS		SWITCH		HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL

Shorewall/configfiles/shorewall.conf

@@ -114,6 +114,8 @@ ADD_SNAT_ALIASES=No
 
 ADMINISABSENTMINDED=Yes
 
+IGNOREUNKNOWNVARIABLES=No
+
 AUTOCOMMENT=Yes
 
 AUTOHELPERS=Yes
@@ -186,6 +188,8 @@ REQUIRE_INTERFACE=No
 
 RESTORE_DEFAULT_ROUTE=Yes
 
+RESTORE_ROUTEMARKS=Yes
+
 RETAIN_ALIASES=No
 
 ROUTE_FILTER=No

Shorewall/configfiles/stoppedrules

@@ -0,0 +1,14 @@
+#
+# Shorewall version 4 - Stopped Rules File
+#
+# For information about entries in this file, type "man shorewall-stoppedrules"
+#
+# The manpage is also online at
+# http://www.shorewall.net/manpages/shorewall-stoppedrules.html
+#
+# See http://shorewall.net/starting_and_stopping_shorewall.htm for additional
+# information.
+#
+###############################################################################
+#ACTION		SOURCE			DEST		PROTO	DEST	SOURCE
+#								PORT(S)	PORT(S)

Shorewall/configfiles/tcfilters

@@ -5,6 +5,6 @@
 #
 # See http://shorewall.net/traffic_shaping.htm for additional information.
 #
-##############################################################################################
-#INTERFACE:	SOURCE		DEST		PROTO	DEST	SOURCE   TOS		LENGTH
+########################################################################################################
+#INTERFACE:	SOURCE		DEST		PROTO	DEST	SOURCE   TOS		LENGTH	PRIORITY
 #CLASS							PORT(S)	PORT(S)

Shorewall/configfiles/tcrules

@@ -10,7 +10,7 @@
 # See http://shorewall.net/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
 ##########################################################################################################################################
-FORMAT 2
+?FORMAT 2
 ##########################################################################################################################################
 #ACTION	SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS   CONNBYTES		HELPER    PROBABILITY DSCP
 #						PORT(S)	PORT(S)

Shorewall/install.sh

@@ -193,7 +193,14 @@ else
     usage 1
 fi
 
-for var in SHAREDIR LIBEXECDIR PERLLIBDIR CONFDIR SBINDIR VARDIR; do
+if [ -z "${VARLIB}" ]; then
+    VARLIB=${VARDIR}
+    VARDIR=${VARLIB}/${PRODUCT}
+elif [ -z "${VARDIR}" ]; then
+    VARDIR=${VARLIB}/${PRODUCT}
+fi
+
+for var in SHAREDIR LIBEXECDIR PERLLIBDIR CONFDIR SBINDIR VARLIB VARDIR; do
     require $var
 done
 
@@ -371,7 +378,7 @@ mkdir -p ${DESTDIR}/${CONFDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${PERLLIBDIR}/Shorewall
 mkdir -p ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
-mkdir -p ${DESTDIR}${VARDIR}/$PRODUCT
+mkdir -p ${DESTDIR}${VARDIR}
 
 chmod 755 ${DESTDIR}${CONFDIR}/$PRODUCT
 chmod 755 ${DESTDIR}${SHAREDIR}/$PRODUCT
@@ -388,6 +395,7 @@ fi
 if [ -n "$SYSTEMD" ]; then
     mkdir -p ${DESTDIR}${SYSTEMD}
     run_install $OWNERSHIP -m 600 $PRODUCT.service ${DESTDIR}${SYSTEMD}/$PRODUCT.service
+    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/$PRODUCT.service
     echo "Service file installed as ${DESTDIR}${SYSTEMD}/$PRODUCT.service"
 fi
 
@@ -601,14 +609,14 @@ else
     fi
 fi
 #
-# Install the Stopped Routing file
+# Install the Stopped Rules file
 #
-run_install $OWNERSHIP -m 0644 routestopped           ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/
-run_install $OWNERSHIP -m 0644 routestopped.annotated ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/
+run_install $OWNERSHIP -m 0644 stoppedrules           ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/
+run_install $OWNERSHIP -m 0644 stoppedrules.annotated ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/routestopped ]; then
-    run_install $OWNERSHIP -m 0600 routestopped${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/routestopped
-    echo "Stopped Routing file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/routestopped"
+if [ -z "$SPARSE" -a ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/stoppedrules ]; then
+    run_install $OWNERSHIP -m 0600 stoppedrules${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/stoppedrules
+    echo "Stopped Rules file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/stoppedrules"
 fi
 #
 # Install the Mac List file

Shorewall/lib.cli-std

@@ -34,8 +34,6 @@ get_config() {
 
     ensure_config_path
 
-
-
     if [ "$1" = Yes ]; then
 	params=$(find_file params)
 
@@ -138,6 +136,12 @@ get_config() {
 			exit 2
 		    fi
 		    ;;
+		ipset)
+		    #
+		    # Old config files had this as default
+		    #
+		    IPSET=''
+		    ;;
 		*)
 		    prog="$(mywhich $IPSET 2> /dev/null)"
 		    if [ -z "$prog" ] ; then
@@ -148,7 +152,7 @@ get_config() {
 		    ;;
 	    esac
 	else
-	    IPSET='ipset'
+	    IPSET=''
 	fi
 
 	if [ -n "$TC" ]; then
@@ -363,8 +367,9 @@ uptodate() {
 compiler() {
     local pc
     local shorewallrc
+    local shorewallrc1
 
-    pc=$g_libexec/shorewall/compiler.pl
+    pc=${LIBEXECDIR}/shorewall/compiler.pl
 
     if [ $(id -u) -ne 0 ]; then
 	if [ -z "$g_shorewalldir" -o "$g_shorewalldir" = /etc/$g_program ]; then
@@ -378,7 +383,7 @@ compiler() {
     #
     # Get the config from $g_shorewalldir
     #
-    [ -n "$g_shorewalldir" -a "$g_shorewalldir" != ${g_confdir} ] && get_config
+    get_config Yes
 
     case $COMMAND in
 	*start|try|refresh)
@@ -399,14 +404,15 @@ compiler() {
     [ "$1" = nolock ] && shift;
     shift
 
+    shorewallrc=${g_basedir}/shorewallrc
+    
     if [ -n "$g_export" ]; then
-	shorewallrc=$(find_file shorewallrc)
-	[ -f "$shorewallrc" ] || fatal_error "Compiling for export requires a shorewallrc file"
-    else
-	shorewallrc="${g_basedir}/shorewallrc"
+	shorewallrc1=$(find_file shorewallrc)
+	[ -f "$shorewallrc1" ] || fatal_error "Compiling for export requires a shorewallrc file"
     fi
 
     options="--verbose=$VERBOSITY --family=$g_family --config_path=$CONFIG_PATH --shorewallrc=${shorewallrc}"
+    [ -n "$shorewallrc1" ] && options="$options --shorewallrc1=${shorewallrc1}"
     [ -n "$STARTUP_LOG" ] && options="$options --log=$STARTUP_LOG"
     [ -n "$LOG_VERBOSITY" ] && options="$options --log_verbosity=$LOG_VERBOSITY";
     [ -n "$g_export" ] && options="$options --export"
@@ -420,6 +426,7 @@ compiler() {
     [ -n "$g_update" ] && options="$options --update"
     [ -n "$g_convert" ] && options="$options --convert"
     [ -n "$g_annotate" ] && options="$options --annotate"
+    [ -n "$g_directives" ] && options="$options --directives"
 
     if [ -n "$PERL" ]; then
 	if [ ! -x "$PERL" ]; then
@@ -430,15 +437,30 @@ compiler() {
 	PERL=/usr/bin/perl
     fi
 
-    if [ $g_perllib = ${g_libexec}/shorewall ]; then
+    if [ ${PERLLIBDIR} = ${LIBEXECDIR}/shorewall ]; then
 	$PERL $debugflags $pc $options $@
     else
-	PERL5LIB=$g_perllib
+	PERL5LIB=${PERLLIBDIR}
 	export PERL5LIB
 	$PERL $debugflags $pc $options $@
     fi
 }
 
+#
+# Run the postcompile user exit
+#
+run_postcompile() { # $1 is the compiled script
+    local script
+
+    script=$(find_file postcompile)
+
+    if [ -f $script ]; then
+	. $script $1
+    else
+	return 0
+    fi
+}
+
 #
 # Start Command Executor
 #
@@ -459,6 +481,7 @@ start_command() {
 	    progress_message3 "Compiling..."
 
 	    if compiler $g_debugging $nolock compile ${VARDIR}/.start; then
+		run_postcompile ${VARDIR}/.start
 		[ -n "$nolock" ] || mutex_on
 		run_it ${VARDIR}/.start $g_debugging start
 		rc=$?
@@ -603,6 +626,7 @@ compile_command() {
 		    case $option in
 			e*)
 			    g_export=Yes
+			    g_shorewalldir='.'
 			    option=${option#e}
 			    ;;
 			p*)
@@ -641,14 +665,14 @@ compile_command() {
 
     case $# in
 	0)
-	    file=${VARDIR}/firewall
+	    [ -n "$g_export" ] && file=firewall || file=${VARDIR}/firewall
 	    ;;
 	1)
 	    file=$1
 	    [ -d $file ] && echo "   ERROR: $file is a directory" >&2 && exit 2;
 	    ;;
 	2)
-	    [ -n "$g_shorewalldir" ] && usage 2
+	    [ -n "$g_shorewalldir" -a -z "$g_export" ] && usage 2
 
 	    if [ ! -d $1 ]; then
 		if [ -e $1 ]; then
@@ -668,7 +692,7 @@ compile_command() {
 
     [ "x$file" = x- ] || progress_message3 "Compiling..."
 
-    compiler $g_debugging compile $file
+    compiler $g_debugging compile $file && run_postcompile $file
 }
 
 #
@@ -692,6 +716,7 @@ check_command() {
 			    ;;
 			e*)
 			    g_export=Yes
+			    g_shorewalldir='.'
 			    option=${option#e}
 			    ;;
 			p*)
@@ -710,10 +735,6 @@ check_command() {
 			    g_confess=Yes
 			    option=${option#T}
 			    ;;
-			a*)
-			    g_annotate=Yes
-			    option=${option#a}
-			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -731,7 +752,7 @@ check_command() {
 	0)
 	    ;;
 	1)
-	    [ -n "$g_shorewalldir" ] && usage 2
+	    [ -n "$g_shorewalldir" -a -z "$g_export" ] && usage 2
 
 	    if [ ! -d $1 ]; then
 		if [ -e $1 ]; then
@@ -802,6 +823,10 @@ update_command() {
 			    g_convert=Yes
 			    option=${option#b}
 			    ;;
+			D*)
+			    g_directives=Yes
+			    option=${option#D}
+			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -934,6 +959,7 @@ restart_command() {
 	progress_message3 "Compiling..."
 
 	if compiler $g_debugging $nolock compile ${VARDIR}/.restart; then
+	    run_postcompile ${VARDIR}/.restart
 	    [ -n "$nolock" ] || mutex_on
 	    run_it ${VARDIR}/.restart $g_debugging restart
 	    rc=$?
@@ -1025,6 +1051,7 @@ refresh_command() {
     progress_message3 "Compiling..."
 
     if compiler $g_debugging $nolock compile ${VARDIR}/.refresh; then
+	run_postcompile ${VARDIR}/.refresh
 	[ -n "$nolock" ] || mutex_on
 	run_it ${VARDIR}/.refresh $g_debugging refresh
 	rc=$?
@@ -1139,6 +1166,8 @@ safe_commands() {
 	exit $status
     fi
 
+    run_postcompile ${VARDIR}/.$command
+
     case $command in
 	start)
 	    RESTOREFILE=NONE
@@ -1270,6 +1299,8 @@ try_command() {
 	exit $status
     fi
 
+    run_postcompile ${VARDIR}/.restart
+
     case $command in
 	start)
 	    RESTOREFILE=NONE
@@ -1285,7 +1316,7 @@ try_command() {
 
     [ -n "$nolock" ] || mutex_on
 
-    if run_it ${VARDIR}/.$command $command && [ -n "$timeout" ]; then
+    if run_it ${VARDIR}/.$command $g_debugging $command && [ -n "$timeout" ]; then
 	sleep $timeout
 
 	if [ "$command" = "restart" ]; then
@@ -1638,7 +1669,7 @@ usage() # $1 = exit status
     echo "   status"
     echo "   stop"
     echo "   try <directory> [ <timeout> ]"
-    echo "   update [ -a ] [ -b ] [ -r ] [ -T ] [ <directory> ]"
+    echo "   update [ -a ] [ -b ] [ -r ] [ -T ] [ -D ] [ <directory> ]"
     echo "   version [ -a ]"
     echo
     exit $1
@@ -1648,7 +1679,6 @@ compiler_command() {
 
     case $COMMAND in
 	compile)
-	    get_config Yes
 	    shift
 	    compile_command $@
 	    ;;
@@ -1658,7 +1688,6 @@ compiler_command() {
 	    refresh_command $@
 	    ;;
 	check)
-	    get_config Yes
 	    shift
 	    check_command $@
 	    ;;