Remove allow_optimize() call from action.New.

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/lib.base

@@ -20,15 +20,11 @@
 #	along with this program; if not, write to the Free Software
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-# This library contains the code common to all Shorewall components.
-#
-# - It is loaded by /sbin/shorewall.
-# - It is released as part of Shorewall[6] Lite where it is used by /sbin/shorewall[6]-lite
-#   and /usr/share/shorewall[6]-lite/shorecap.
+# This library contains the code common to all Shorewall components except the
+# generated scripts.
 #
 
-SHOREWALL_LIBVERSION=40502
-SHOREWALL_CAPVERSION=40507
+SHOREWALL_LIBVERSION=40509
 
 [ -n "${g_program:=shorewall}" ]
 
@@ -49,13 +45,13 @@ case $g_program in
     shorewall)
 	g_product="Shorewall"
 	g_family=4
-	g_tool=
+	g_tool=iptables
 	g_lite=
 	;;
     shorewall6)
 	g_product="Shorewall6"
 	g_family=6
-	g_tool=
+	g_tool=ip6tables
 	g_lite=
 	;;
     shorewall-lite)

Shorewall-core/lib.cli

@@ -21,9 +21,14 @@
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # This library contains the command processing code common to /sbin/shorewall[6] and
-# /sbin/shorewall[6]-lite.
+# /sbin/shorewall[6]-lite. In Shorewall and Shorewall6, the lib.cli-std library is 
+# loaded after this one and replaces some of the functions declared here.
 #
 
+SHOREWALL_CAPVERSION=40512
+
+[ -n "${g_program:=shorewall}" ]
+
 if [ -z "$g_readrc" ]; then
     #
     # This is modified by the installer when ${SHAREDIR} <> /usr/share
@@ -324,11 +329,30 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
     done
 }
 
+
+#
+# Try to find the arptables binary -- sets the variable 'arptables'
+#
+resolve_arptables() {
+    arptables="$ARPTABLES"
+
+    [ -n "${arptables:=arptables}" ]
+
+    case $arptables in
+	*/*)
+	    ;;
+	*)
+	    arptables=$(mywhich "$arptables")
+	    ;;
+    esac
+}
+
 #
 # Save currently running configuration
 #
 do_save() {
     local status
+    local arptables
     status=0
 
     if [ -f ${VARDIR}/firewall ]; then
@@ -348,6 +372,42 @@ do_save() {
 	status=1
     fi
 
+    case ${SAVE_ARPTABLES:=No} in
+	[Yy]es)
+	    resolve_arptables
+
+	    if [ -n "$arptables" ]; then
+	        #
+	        # 'sed' command is a hack to work around broken arptables_jf
+	        #
+		if ${arptables}-save | sed 's/-p[[:space:]]\+0\([[:digit:]]\)00\/ffff/-p 000\1\/ffff/' > ${VARDIR}/restore-$$; then
+		    if grep -q '^-A' ${VARDIR}/restore-$$; then
+			mv -f ${VARDIR}/restore-$$ ${g_restorepath}-arptables
+		    else
+			rm -f ${VARDIR}/restore-$$
+		    fi
+		fi
+	    else
+		case "$ARPTABLES" in
+		    */*)
+			error_message "ERROR: ARPTABLES=$ARPTABLES does not exist or is not executable - arptables not saved"
+			;;
+		    *)
+			error_message "ERROR: The arptables utility cannot be located - arptables not saved"
+		    ;;
+		esac
+
+		rm -f ${g_restorepath}-arptables
+	    fi
+	    ;;
+	[Nn]o)
+	    rm -f ${g_restorepath}-arptables
+	    ;;
+	*)
+	    error_message "WARNING: Invalid value ($SAVE_ARPTABLES) for SAVE_ARPTABLES"
+	    ;;
+    esac
+
     case ${SAVE_IPSETS:=No} in
 	[Yy]es)
 	    case ${IPSET:=ipset} in
@@ -431,21 +491,42 @@ save_config() {
 #
 sort_routes() {
     local dest
+    local second
     local rest
-    local crvsn
+    local vlsm
+    local maxvlsm
+    local rule
 
-    while read dest rest; do
+    if [ $g_family -eq 4 ]; then
+	maxvlsm=032
+    else
+	maxvlsm=128
+    fi
+
+    while read dest second rest; do
 	if [ -n "$dest" ]; then
+	    rule="$dest $second $rest"
 	    case "$dest" in
 		default)
-		    echo "00 $dest $rest"
+		    echo "000 $rule"
+		    ;;
+		blackhole|local)
+		    case "$second" in
+			*/*)
+			    vlsm=${second#*/}
+			    printf "%03d %s\n" $vlsm "$rule"
+			    ;;
+			*)
+			    echo "$maxvlsm $rule"
+			    ;;
+		    esac
 		    ;;
 		*/*)
-		    crvsn=${dest#*/}
-		    printf "%02d %s\n" $crvsn "$dest $rest"
+		    vlsm=${dest#*/}
+		    printf "%03d %s\n" $vlsm "$rule"
 		    ;;
 		*)
-		    echo "32 $dest $rest"
+		    echo "$maxvlsm $rule"
 		    ;;
 	    esac
 	fi
@@ -476,7 +557,7 @@ show_routing() {
 	ip -$g_family rule list | find_tables | sort -u | while read table; do
 	    heading "Table $table:"
 	    if [ $g_family -eq 6 ]; then
-		ip -$g_family -o route list table $table | fgrep -v cache
+		ip -$g_family -o route list table $table | fgrep -v cache | sort_routes
 	    else
 		ip -4 -o route list table $table | sort_routes
 	    fi
@@ -489,7 +570,7 @@ show_routing() {
     else
 	heading "Routing Table"
 	if [ $g_family -eq 6 ]; then
-	    ip -$g_family -o route list | fgrep -v cache
+	    ip -$g_family -o route list | fgrep -v cache | sort_routes
 	else
 	    ip -4 -o route list table $table | sort_routes
 	fi
@@ -499,7 +580,7 @@ show_routing() {
 determine_ipset_version() {
     local setname
 
-    if [ $IPSET = ipset ]; then
+    if [ -z "$IPSET" -o $IPSET = ipset ]; then
 	IPSET=$(mywhich ipset)
 	[ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"
     fi
@@ -655,6 +736,9 @@ show_command() {
     table=filter
     local table_given
     table_given=
+    local output_filter
+    output_filter=cat
+    local arptables
 
     show_macro() {
 	foo=`grep 'This macro' $macro | sed 's/This macro //'`
@@ -669,6 +753,16 @@ show_command() {
 	fi
     }
 
+    # eliminates rules which have not been used from ip*tables' output
+    brief_output() {
+	awk \
+	'/^Chain /  { heading1 = $0; getline heading2; printed = 0; next; };
+         /^ +0 +0 / { next; };
+         /^$/       { if ( printed == 1 ) { print $0; }; next; };
+                    { if ( printed == 0 ) { print heading1; print heading2; printed = 1 }; };
+	            { print; }';
+    }
+
     while [ $finished -eq 0 -a $# -gt 0 ]; do
 	option=$1
 	case $option in
@@ -721,6 +815,10 @@ show_command() {
 			    g_routecache=Yes
 			    option=${option#c}
 			    ;;
+			b*)
+			    output_filter=brief_output
+			    option=${option#b}
+			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -738,6 +836,7 @@ show_command() {
 
 
     [ -n "$g_debugging" ] && set -x
+
     case "$1" in
 	connections)
 	    [ $# -gt 1 ] && usage 1
@@ -781,28 +880,28 @@ show_command() {
 	    echo "$g_product $SHOREWALL_VERSION NAT Table at $g_hostname - $(date)"
 	    echo
 	    show_reset
-	    $g_tool -t nat -L $g_ipt_options
+	    $g_tool -t nat -L $g_ipt_options | $output_filter
 	    ;;
 	raw)
 	    [ $# -gt 1 ] && usage 1
 	    echo "$g_product $SHOREWALL_VERSION RAW Table at $g_hostname - $(date)"
 	    echo
 	    show_reset
-	    $g_tool -t raw -L $g_ipt_options
+	    $g_tool -t raw -L $g_ipt_options | $output_filter
 	    ;;
 	rawpost)
 	    [ $# -gt 1 ] && usage 1
 	    echo "$g_product $SHOREWALL_VERSION RAWPOST Table at $g_hostname - $(date)"
 	    echo
 	    show_reset
-	    $g_tool -t rawpost -L $g_ipt_options
+	    $g_tool -t rawpost -L $g_ipt_options | $output_filter
 	    ;;
 	tos|mangle)
 	    [ $# -gt 1 ] && usage 1
 	    echo "$g_product $SHOREWALL_VERSION Mangle Table at $g_hostname - $(date)"
 	    echo
 	    show_reset
-	    $g_tool -t mangle -L $g_ipt_options
+	    $g_tool -t mangle -L $g_ipt_options | $output_filter
 	    ;;
 	log)
 	    [ $# -gt 2 ] && usage 1
@@ -838,7 +937,7 @@ show_command() {
 	    shift
 
 	    if [ -z "$1" ]; then
-		$g_tool -t mangle -L -n -v
+		$g_tool -t mangle -L -n -v | $output_filter
 		echo
 	    fi
 
@@ -921,11 +1020,11 @@ show_command() {
 	    show_reset
 	    if [ $# -gt 0 ]; then
 		for chain in $*; do
-		    $g_tool -t $table -L $chain $g_ipt_options
+		    $g_tool -t $table -L $chain $g_ipt_options | $output_filter
 		    echo
 		done
 	    else
-		$g_tool -t $table -L $g_ipt_options
+		$g_tool -t $table -L $g_ipt_options | $output_filter
 	    fi
 	    ;;
 	vardir)
@@ -956,6 +1055,17 @@ show_command() {
 	    echo
 	    show_nfacct
 	    ;;
+	arptables)
+	    [ $# -gt 1 ] && usage 1
+	    resolve_arptables
+	    if [ -n "$arptables" -a -x $arptables ]; then
+		echo "$g_product $SHOREWALL_VERSION arptables at $g_hostname - $(date)"
+		echo
+		$arptables -L -n -v
+	    else
+		error_message "Cannot locate the arptables executable"
+	    fi
+	    ;;
 	*)
 	    case "$g_program" in
 		*-lite)
@@ -964,18 +1074,18 @@ show_command() {
 		    case $1 in
 			actions)
 			    [ $# -gt 1 ] && usage 1
-			    echo "A_ACCEPT            # Audit and accept the connection"
-			    echo "A_DROP              # Audit and drop the connection"
-			    echo "A_REJECT            # Audit and reject the connection "
-			    echo "allowBcast          # Silently Allow Broadcast/multicast"
-			    echo "allowInvalid        # Accept packets that are in the INVALID conntrack state."
-			    echo "allowinUPnP         # Allow UPnP inbound (to firewall) traffic"
-			    echo "allowoutUPnP        # Allow traffic from local command 'upnpd' (does not work with kernels after 2.6.13)"
-			    echo "dropBcast           # Silently Drop Broadcast/multicast"
-			    echo "dropInvalid         # Silently Drop packets that are in the INVALID conntrack state"
-			    echo "dropNotSyn          # Silently Drop Non-syn TCP packets"
-			    echo "forwardUPnP         # Allow traffic that upnpd has redirected from"
-			    echo "rejNotSyn           # Silently Reject Non-syn TCP packets"
+			    echo "A_ACCEPT                        # Audit and accept the connection"
+			    echo "A_DROP                          # Audit and drop the connection"
+			    echo "A_REJECT                        # Audit and reject the connection "
+			    echo "allowBcast                      # Silently Allow Broadcast/multicast"
+			    echo "allowInvalid                    # Accept packets that are in the INVALID conntrack state."
+			    echo "allowinUPnP                     # Allow UPnP inbound (to firewall) traffic"
+			    echo "allowoutUPnP                    # Allow traffic from local command 'upnpd' (does not work with kernels after 2.6.13)"
+			    echo "dropBcast                       # Silently Drop Broadcast/multicast"
+			    echo "dropInvalid                     # Silently Drop packets that are in the INVALID conntrack state"
+			    echo "dropNotSyn                      # Silently Drop Non-syn TCP packets"
+			    echo "forwardUPnP                     # Allow traffic that upnpd has redirected from"
+			    echo "rejNotSyn                       # Silently Reject Non-syn TCP packets"
 
 			    if [ -f ${g_confdir}/actions ]; then
 				cat ${g_sharedir}/actions.std ${g_confdir}/actions | grep -Ev '^\#|^$'
@@ -1043,14 +1153,14 @@ show_command() {
 		echo
 		show_reset
 		for chain in $*; do
-		    $g_tool -t $table -L $chain $g_ipt_options
+		    $g_tool -t $table -L $chain $g_ipt_options | $output_filter
 		    echo
 		done
 	    else
 		echo "$g_product $SHOREWALL_VERSION $table Table at $g_hostname - $(date)"
 		echo
 		show_reset
-		$g_tool -t $table -L $g_ipt_options
+		$g_tool -t $table -L $g_ipt_options | $output_filter
 	    fi
 	    ;;
     esac
@@ -1113,6 +1223,9 @@ dump_filter() {
 do_dump_command() {
     local finished
     finished=0
+    local arptables
+
+    resolve_arptables
 
     while [ $finished -eq 0 -a $# -gt 0 ]; do
 	option=$1
@@ -1163,7 +1276,7 @@ do_dump_command() {
 	elif [ -r $LOGFILE ]; then
 	    g_logread="tac $LOGFILE"
 	else
-	    echo "LOGFILE ($LOGFILE) does not exist!" >&2
+	    echo "LOGFILE ($LOGFILE) does not exist! - See http://www.shorewall.net/shorewall_logging.html" >&2
 	    exit 2
 	fi
     fi
@@ -1187,6 +1300,11 @@ do_dump_command() {
     host=$(echo $g_hostname | sed 's/\..*$//')
     $g_tool -L $g_ipt_options
 
+    if [ -n "$arptables" -a -x "$arptables" ]; then
+	heading "ARP rules"
+	$arptables -L -n -v
+    fi
+
     heading "Log ($LOGFILE)"
     packet_log 20
 
@@ -1992,6 +2110,7 @@ determine_capabilities() {
     local tool
     local chain
     local chain1
+    local arptables
 
     if [ -z "$g_tool" ]; then
 	[ $g_family -eq 4 ] && tool=iptables || tool=ip6tables
@@ -2081,6 +2200,8 @@ determine_capabilities() {
     GEOIP_MATCH=
     RPFILTER_MATCH=
     NFACCT_MATCH=
+    CHECKSUM_TARGET=
+    ARPTABLESJF=
     AMANDA_HELPER=
     FTP_HELPER=
     FTP0_HELPER=
@@ -2097,6 +2218,12 @@ determine_capabilities() {
     TFTP_HELPER=
     TFTP0_HELPER=
 
+    resolve_arptables
+
+    if [ -n "$arptables" -a -x $arptables ]; then
+	qt $arptables -L OUT && ARPTABLESJF=Yes
+    fi
+
     chain=fooX$$
 
     if [ -n "$NAT_ENABLED" ]; then
@@ -2242,6 +2369,7 @@ determine_capabilities() {
 	qt $g_tool -t mangle -A $chain -m dscp --dscp 0 && DSCP_MATCH=Yes
 	qt $g_tool -t mangle -A $chain -j DSCP --set-dscp 0 && DSCP_TARGET=Yes
 	qt $g_tool -t mangle -A $chain -m rpfilter && RPFILTER_MATCH=Yes
+	qt $g_tool -t mangle -A $chain -j CHECKSUM --checksum-fill && CHECKSUM_TARGET=Yes
 
 	qt $g_tool -t mangle -F $chain
 	qt $g_tool -t mangle -X $chain
@@ -2370,7 +2498,9 @@ determine_capabilities() {
     fi
 
     qt $g_tool -A $chain -j AUDIT --type drop && AUDIT_TARGET=Yes
+
     qt $g_tool -A $chain -m condition --condition foo && CONDITION_MATCH=Yes
+
     qt $g_tool -S INPUT && IPTABLES_S=Yes
     qt $g_tool -F $chain
     qt $g_tool -X $chain
@@ -2395,7 +2525,7 @@ determine_capabilities() {
     esac
 }
 
-report_capabilities() {
+report_capabilities_unsorted() {
     report_capability() # $1 = Capability Description , $2 Capability Setting (if any)
     {
 	local setting
@@ -2406,120 +2536,125 @@ report_capabilities() {
 	echo "  " $1: $setting
     }
 
+    report_capability "NAT (NAT_ENABLED)" $NAT_ENABLED
+    report_capability "Packet Mangling (MANGLE_ENABLED)" $MANGLE_ENABLED
+    report_capability "Multi-port Match (MULTIPORT)" $MULTIPORT
+    [ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match (XMULIPORT)" $XMULTIPORT
+    report_capability "Connection Tracking Match (CONNTRACK_MATCH)" $CONNTRACK_MATCH
+    if [ -n "$CONNTRACK_MATCH" ]; then
+	report_capability "Extended Connection Tracking Match Support (NEW_CONNTRACK_MATCH)" $NEW_CONNTRACK_MATCH
+	[ -n "$OLD_CONNTRACK_MATCH" ] && report_capability "Old Connection Tracking Match Syntax (OLD_CONNTRACK_MATCH)" $OLD_CONNTRACK_MATCH
+    fi
+    report_capability "Packet Type Match (USEPKTTYPE)" $USEPKTTYPE
+    report_capability "Policy Match (POLICY_MATCH)" $POLICY_MATCH
+    report_capability "Physdev Match (PHYSDEV_MATCH)" $PHYSDEV_MATCH
+    report_capability "Physdev-is-bridged Support (PHYSDEV_BRIDGE)" $PHYSDEV_BRIDGE
+    report_capability "Packet length Match (LENGTH_MATCH)" $LENGTH_MATCH
+    report_capability "IP range Match(IPRANGE_MATCH)" $IPRANGE_MATCH
+    report_capability "Recent Match (RECENT_MATCH)" $RECENT_MATCH
+    report_capability "Owner Match (OWNER_MATCH)" $OWNER_MATCH
+    report_capability "Owner Name Match (OWNER_NAME_MATCH)" $OWNER_NAME_MATCH
+    if [ -n "$IPSET_MATCH" ]; then
+	report_capability "Ipset Match (IPSET_MATCH)" $IPSET_MATCH
+	[ -n "$OLD_IPSET_MATCH" ] && report_capability "OLD_Ipset Match (OLD_IPSET_MATCH)" $OLD_IPSET_MATCH
+    fi
+    report_capability "CONNMARK Target (CONNMARK)" $CONNMARK
+    [ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target (XCONNMARK)" $XCONNMARK
+    report_capability "Connmark Match (CONNMARK_MATCH)" $CONNMARK_MATCH
+    [ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match (XCONNMARK_MATCH)" $XCONNMARK_MATCH
+    report_capability "Raw Table (RAW_TABLE)" $RAW_TABLE
+    report_capability "Rawpost Table (RAWPOST_TABLE)" $RAWPOST_TABLE
+    report_capability "IPP2P Match (IPP2P_MATCH)" $IPP2P_MATCH
+    [ -n "$OLD_IPP2P_MATCH" ] && report_capability "Old IPP2P Match Syntax (OLD_IPP2P_MATCH)" $OLD_IPP2P_MATCH
+    report_capability "CLASSIFY Target (CLASSIFY_TARGET)" $CLASSIFY_TARGET
+    report_capability "Extended REJECT (ENHANCED_REJECT)" $ENHANCED_REJECT
+    report_capability "Repeat match (KLUDGEFREE)" $KLUDGEFREE
+    report_capability "MARK Target (MARK)" $MARK
+    [ -n "$MARK" ] && report_capability "Extended MARK Target (XMARK)" $XMARK
+    [ -n "$XMARK" ] && report_capability "Extended MARK Target 2 (EXMARK)" $EXMARK
+    report_capability "Mangle FORWARD Chain (MANGLE_FORWARD)" $MANGLE_FORWARD
+    report_capability "Comments (COMMENTS)" $COMMENTS
+    report_capability "Address Type Match (ADDRTYPE)" $ADDRTYPE
+    report_capability "TCPMSS Match (TCPMSS_MATCH)" $TCPMSS_MATCH
+    report_capability "Hashlimit Match (HASHLIMIT_MATCH)" $HASHLIMIT_MATCH
+    [ -n "$OLD_HL_MATCH" ] && report_capability "Old Hashlimit Match (OLD_HL_MATCH)" $OLD_HL_MATCH
+    report_capability "NFQUEUE Target (NFQUEUE_TARGET)" $NFQUEUE_TARGET
+    report_capability "Realm Match (REALM_MATCH)" $REALM_MATCH
+    report_capability "Helper Match (HELPER_MATCH)" $HELPER_MATCH
+    report_capability "Connlimit Match (CONNLIMIT_MATCH)" $CONNLIMIT_MATCH
+    report_capability "Time Match (TIME_MATCH)" $TIME_MATCH
+    report_capability "Goto Support (GOTO_TARGET)" $GOTO_TARGET
+    report_capability "LOGMARK Target (LOGMARK_TARGET)" $LOGMARK_TARGET
+    report_capability "IPMARK Target (IPMARK_TARGET)" $IPMARK_TARGET
+    report_capability "LOG Target (LOG_TARGET)" $LOG_TARGET
+    report_capability "ULOG Target (ULOG_TARGET)" $ULOG_TARGET
+    report_capability "NFLOG Target (NFLOG_TARGET)" $NFLOG_TARGET
+    report_capability "Persistent SNAT (PERSISTENT_SNAT)" $PERSISTENT_SNAT
+    report_capability "TPROXY Target (TPROXY_TARGET)" $TPROXY_TARGET
+    report_capability "FLOW Classifier (FLOW_FILTER)" $FLOW_FILTER
+    report_capability "fwmark route mask (FWMARK_RT_MASK)" $FWMARK_RT_MASK
+    report_capability "Mark in any table (MARK_ANYWHERE)" $MARK_ANYWHERE
+    report_capability "Header Match (HEADER_MATCH)" $HEADER_MATCH
+    report_capability "ACCOUNT Target (ACCOUNT_TARGET)" $ACCOUNT_TARGET
+    report_capability "AUDIT Target (AUDIT_TARGET)" $AUDIT_TARGET
+    report_capability "ipset V5 (IPSET_V5)" $IPSET_V5
+    report_capability "Condition Match (CONDITION_MATCH)" $CONDITION_MATCH
+    report_capability "Statistic Match (STATISTIC_MATCH)" $STATISTIC_MATCH
+    report_capability "IMQ Target (IMQ_TARGET)" $IMQ_TARGET
+    report_capability "DSCP Match (DSCP_MATCH)" $DSCP_MATCH
+    report_capability "DSCP Target (DSCP_TARGET)" $DSCP_TARGET
+    report_capability "Geo IP match" $GEOIP_MATCH
+    report_capability "RPFilter match" $RPFILTER_MATCH
+    report_capability "NFAcct match" $NFACCT_MATCH
+    report_capability "Checksum Target" $CHECKSUM_TARGET
+    report_capability "Arptables JF" $ARPTABLESJF
+
+    report_capability "Amanda Helper" $AMANDA_HELPER
+    report_capability "FTP Helper" $FTP_HELPER
+    report_capability "FTP-0 Helper" $FTP0_HELPER
+    report_capability "IRC Helper" $IRC_HELPER
+    report_capability "IRC-0 Helper" $IRC0_HELPER
+    report_capability "Netbios_ns Helper" $NETBIOS_NS_HELPER
+    report_capability "H323 Helper" $H323_HELPER
+    report_capability "PPTP Helper" $PPTP_HELPER
+    report_capability "SANE Helper" $SANE_HELPER
+    report_capability "SANE-0 Helper" $SANE0_HELPER
+    report_capability "SIP Helper" $SIP_HELPER
+    report_capability "SIP-0 Helper" $SIP0_HELPER
+    report_capability "SNMP Helper" $SNMP_HELPER
+    report_capability "TFTP Helper" $TFTP_HELPER
+    report_capability "TFTP-0 Helper" $TFTP0_HELPER
+
+    if [ $g_family -eq 4 ]; then
+	report_capability "iptables -S (IPTABLES_S)" $IPTABLES_S
+    else
+	report_capability "ip6tables -S (IPTABLES_S)" $IPTABLES_S
+    fi
+
+    report_capability "Basic Filter (BASIC_FILTER)" $BASIC_FILTER
+    report_capability "CT Target (CT_TARGET)" $CT_TARGET
+
+    echo "   Kernel Version (KERNELVERSION): $KERNELVERSION"
+    echo "   Capabilities Version (CAPVERSION): $CAPVERSION"
+}
+
+report_capabilities() {
+
     if [ $VERBOSITY -gt 1 ]; then
 	echo "$g_product has detected the following iptables/netfilter capabilities:"
-	report_capability "NAT (NAT_ENABLED)" $NAT_ENABLED
-	report_capability "Packet Mangling (MANGLE_ENABLED)" $MANGLE_ENABLED
-	report_capability "Multi-port Match (MULTIPORT)" $MULTIPORT
-	[ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match (XMULIPORT)" $XMULTIPORT
-	report_capability "Connection Tracking Match (CONNTRACK_MATCH)" $CONNTRACK_MATCH
-	if [ -n "$CONNTRACK_MATCH" ]; then
-	    report_capability "Extended Connection Tracking Match Support (NEW_CONNTRACK_MATCH)" $NEW_CONNTRACK_MATCH
-	    [ -n "$OLD_CONNTRACK_MATCH" ] && report_capability "Old Connection Tracking Match Syntax (OLD_CONNTRACK_MATCH)" $OLD_CONNTRACK_MATCH
-	fi
-	report_capability "Packet Type Match (USEPKTTYPE)" $USEPKTTYPE
-	report_capability "Policy Match (POLICY_MATCH)" $POLICY_MATCH
-	report_capability "Physdev Match (PHYSDEV_MATCH)" $PHYSDEV_MATCH
-	report_capability "Physdev-is-bridged Support (PHYSDEV_BRIDGE)" $PHYSDEV_BRIDGE
-	report_capability "Packet length Match (LENGTH_MATCH)" $LENGTH_MATCH
-	report_capability "IP range Match(IPRANGE_MATCH)" $IPRANGE_MATCH
-	report_capability "Recent Match (RECENT_MATCH)" $RECENT_MATCH
-	report_capability "Owner Match (OWNER_MATCH)" $OWNER_MATCH
-	report_capability "Owner Name Match (OWNER_NAME_MATCH)" $OWNER_NAME_MATCH
-	if [ -n "$IPSET_MATCH" ]; then
-	    report_capability "Ipset Match (IPSET_MATCH)" $IPSET_MATCH
-	    [ -n "$OLD_IPSET_MATCH" ] && report_capability "OLD_Ipset Match (OLD_IPSET_MATCH)" $OLD_IPSET_MATCH
-	fi
-	report_capability "CONNMARK Target (CONNMARK)" $CONNMARK
-	[ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target (XCONNMARK)" $XCONNMARK
-	report_capability "Connmark Match (CONNMARK_MATCH)" $CONNMARK_MATCH
-	[ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match (XCONNMARK_MATCH)" $XCONNMARK_MATCH
-	report_capability "Raw Table (RAW_TABLE)" $RAW_TABLE
-	report_capability "Rawpost Table (RAWPOST_TABLE)" $RAWPOST_TABLE
-	report_capability "IPP2P Match (IPP2P_MATCH)" $IPP2P_MATCH
-	[ -n "$OLD_IPP2P_MATCH" ] && report_capability "Old IPP2P Match Syntax (OLD_IPP2P_MATCH)" $OLD_IPP2P_MATCH
-	report_capability "CLASSIFY Target (CLASSIFY_TARGET)" $CLASSIFY_TARGET
-	report_capability "Extended REJECT (ENHANCED_REJECT)" $ENHANCED_REJECT
-	report_capability "Repeat match (KLUDGEFREE)" $KLUDGEFREE
-	report_capability "MARK Target (MARK)" $MARK
-	[ -n "$MARK" ] && report_capability "Extended MARK Target (XMARK)" $XMARK
-	[ -n "$XMARK" ] && report_capability "Extended MARK Target 2 (EXMARK)" $EXMARK
-	report_capability "Mangle FORWARD Chain (MANGLE_FORWARD)" $MANGLE_FORWARD
-	report_capability "Comments (COMMENTS)" $COMMENTS
-	report_capability "Address Type Match (ADDRTYPE)" $ADDRTYPE
-	report_capability "TCPMSS Match (TCPMSS_MATCH)" $TCPMSS_MATCH
-	report_capability "Hashlimit Match (HASHLIMIT_MATCH)" $HASHLIMIT_MATCH
-	[ -n "$OLD_HL_MATCH" ] && report_capability "Old Hashlimit Match (OLD_HL_MATCH)" $OLD_HL_MATCH
-	report_capability "NFQUEUE Target (NFQUEUE_TARGET)" $NFQUEUE_TARGET
-	report_capability "Realm Match (REALM_MATCH)" $REALM_MATCH
-	report_capability "Helper Match (HELPER_MATCH)" $HELPER_MATCH
-	report_capability "Connlimit Match (CONNLIMIT_MATCH)" $CONNLIMIT_MATCH
-	report_capability "Time Match (TIME_MATCH)" $TIME_MATCH
-	report_capability "Goto Support (GOTO_TARGET)" $GOTO_TARGET
-	report_capability "LOGMARK Target (LOGMARK_TARGET)" $LOGMARK_TARGET
-	report_capability "IPMARK Target (IPMARK_TARGET)" $IPMARK_TARGET
-	report_capability "LOG Target (LOG_TARGET)" $LOG_TARGET
-	report_capability "ULOG Target (ULOG_TARGET)" $ULOG_TARGET
-	report_capability "NFLOG Target (NFLOG_TARGET)" $NFLOG_TARGET
-	report_capability "Persistent SNAT (PERSISTENT_SNAT)" $PERSISTENT_SNAT
-	report_capability "TPROXY Target (TPROXY_TARGET)" $TPROXY_TARGET
-	report_capability "FLOW Classifier (FLOW_FILTER)" $FLOW_FILTER
-	report_capability "fwmark route mask (FWMARK_RT_MASK)" $FWMARK_RT_MASK
-	report_capability "Mark in any table (MARK_ANYWHERE)" $MARK_ANYWHERE
-	report_capability "Header Match (HEADER_MATCH)" $HEADER_MATCH
-        report_capability "ACCOUNT Target (ACCOUNT_TARGET)" $ACCOUNT_TARGET
-	report_capability "AUDIT Target (AUDIT_TARGET)" $AUDIT_TARGET
-	report_capability "ipset V5 (IPSET_V5)" $IPSET_V5
-	report_capability "Condition Match (CONDITION_MATCH)" $CONDITION_MATCH
-	report_capability "Statistic Match (STATISTIC_MATCH)" $STATISTIC_MATCH
-	report_capability "IMQ Target (IMQ_TARGET)" $IMQ_TARGET
-	report_capability "DSCP Match (DSCP_MATCH)" $DSCP_MATCH
-	report_capability "DSCP Target (DSCP_TARGET)" $DSCP_TARGET
-	report_capability "Geo IP match" $GEOIP_MATCH
-	report_capability "RPFilter match" $RPFILTER_MATCH
-	report_capability "NFAcct match" $NFACCT_MATCH
-	report_capability "Amanda Helper" $AMANDA_HELPER
-	report_capability "FTP Helper" $FTP_HELPER
-	report_capability "FTP-0 Helper" $FTP0_HELPER
-	report_capability "IRC Helper" $IRC_HELPER
-	report_capability "IRC-0 Helper" $IRC0_HELPER
-	report_capability "Netbios_ns Helper" $NETBIOS_NS_HELPER
-	report_capability "H323 Helper" $H323_HELPER
-	report_capability "PPTP Helper" $PPTP_HELPER
-	report_capability "SANE Helper" $SANE_HELPER
-	report_capability "SANE-0 Helper" $SANE0_HELPER
-	report_capability "SIP Helper" $SIP_HELPER
-	report_capability "SIP-0 Helper" $SIP0_HELPER
-	report_capability "SNMP Helper" $SNMP_HELPER
-	report_capability "TFTP Helper" $TFTP_HELPER
-	report_capability "TFTP-0 Helper" $TFTP0_HELPER
-
-	if [ $g_family -eq 4 ]; then
-	    report_capability "iptables -S (IPTABLES_S)" $IPTABLES_S
-	else
-	    report_capability "ip6tables -S (IPTABLES_S)" $IPTABLES_S
-	fi
-
-	report_capability "Basic Filter (BASIC_FILTER)" $BASIC_FILTER
-	report_capability "CT Target (CT_TARGET)" $CT_TARGET
-
-	echo "   Kernel Version (KERNELVERSION): $KERNELVERSION"
-	echo "   Capabilities Version (CAPVERSION): $CAPVERSION"
+	report_capabilities_unsorted | sort
     fi
 
     [ -n "$PKTTYPE" ] || USEPKTTYPE=
 
 }
 
-report_capabilities1() {
+report_capabilities_unsorted1() {
     report_capability1() # $1 = Capability
     {
 	eval echo $1=\$$1
     }
 
-    echo "#"
-    echo "# $g_product $SHOREWALL_VERSION detected the following iptables/netfilter capabilities - $(date)"
-    echo "#"
     report_capability1 NAT_ENABLED
     report_capability1 MANGLE_ENABLED
     report_capability1 MULTIPORT
@@ -2589,6 +2724,9 @@ report_capabilities1() {
     report_capability1 GEOIP_MATCH
     report_capability1 RPFILTER_MATCH
     report_capability1 NFACCT_MATCH
+    report_capability1 CHECKSUM_TARGET
+    report_capability1 ARPTABLESJF
+
     report_capability1 AMANDA_HELPER
     report_capability1 FTP_HELPER
     report_capability1 FTP0_HELPER
@@ -2609,6 +2747,13 @@ report_capabilities1() {
     echo KERNELVERSION=$KERNELVERSION
 }
 
+report_capabilities1() {
+    echo "#"
+    echo "# $g_product $SHOREWALL_VERSION detected the following iptables/netfilter capabilities - $(date)"
+    echo "#"
+    report_capabilities_unsorted1 | sort
+}
+
 show_status() {
     if product_is_started ; then
 	echo "$g_product is running"
@@ -2724,6 +2869,7 @@ forget_command() {
 	rm -f $g_restorepath
 	rm -f ${g_restorepath}-iptables
 	rm -f ${g_restorepath}-ipsets
+	rm -f ${g_restorepath}-arptables
 	echo "    $g_restorepath removed"
     elif [ -f $g_restorepath ]; then
 	echo "   $g_restorepath exists and is not a saved $g_product configuration"
@@ -2907,27 +3053,6 @@ get_config() {
 	fi
     fi
 
-    if [ -n "$IPSET" ]; then
-	case "$IPSET" in
-	    */*)
-		if [ ! -x "$IPSET" ] ; then
-		    echo "   ERROR: The program specified in IPSET ($IPSET) does not exist or is not executable" >&2
-		    exit 2
-		fi
-		;;
-	    *)
-		prog="$(mywhich $IPSET 2> /dev/null)"
-		if [ -z "$prog" ] ; then
-		    echo "   ERROR: Can't find $IPSET executable" >&2
-		    exit 2
-		fi
-		IPSET=$prog
-		;;
-	esac
-    else
-	IPSET='ipset'
-    fi
-
     [ -n "$RESTOREFILE" ] || RESTOREFILE=restore
 
     validate_restorefile RESTOREFILE
@@ -2968,7 +3093,7 @@ get_config() {
 		;;
 	esac
     else
-	IPSET='ipset'
+	IPSET=''
     fi
 
     TC=tc
@@ -3174,8 +3299,9 @@ usage() # $1 = exit status
     echo "   restart [ -n ] [ -p ] [ -f ] [ <directory> ]"
     echo "   restore [ -n ] [ <file name> ]"
     echo "   save [ <file name> ]"
-    echo "   show [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
+    echo "   show [ -b ] [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
     echo "   show [ -f ] capabilities"
+    echo "   show arptables"
     echo "   show classifiers"
     echo "   show config"
     echo "   show connections"

Shorewall-core/lib.common

@@ -84,7 +84,7 @@ get_script_version() { # $1 = script
 
     temp=$( $SHOREWALL_SHELL $1 version | tail -n 1 | sed 's/-.*//' )
 
-    if [ $? -ne 0 ]; then
+    if [ -z "$temp" ]; then
 	version=0
     else
 	ifs=$IFS

Shorewall-core/shorewallrc.archlinux

@@ -1,21 +1,21 @@
 #
-# Archlinux Shorewall 4.5 rc file
+# Arch Linux Shorewall 4.5 rc file
 #
-BUILD=archlinux
+BUILD=                                 #Default is to detect the build system
 HOST=archlinux
 PREFIX=/usr                            #Top-level directory for shared files, libraries, etc.
 SHAREDIR=${PREFIX}/share               #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/share             #Directory for executable scripts.
 PERLLIBDIR=${PREFIX}/share/shorewall   #Directory to install Shorewall Perl module directory
 CONFDIR=/etc                           #Directory where subsystem configurations are installed
-SBINDIR=/sbin                          #Directory where system administration programs are installed
+SBINDIR=/usr/sbin                      #Directory where system administration programs are installed
 MANDIR=${SHAREDIR}/man                 #Directory where manpages are installed.
-INITDIR=/etc/rc.d                      #Directory where SysV init scripts are installed.
-INITFILE=$PRODUCT                      #Name of the product's installed SysV init script
-INITSOURCE=init.sh                     #Name of the distributed file to be installed as the SysV init script
+INITDIR=                               #Directory where SysV init scripts are installed.
+INITFILE=                              #Name of the product's installed SysV init script
+INITSOURCE=                            #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                             #If non-zero, annotated configuration files are installed
 SYSCONFDIR=                            #Directory where SysV init parameter files are installed
-SYSTEMD=                               #Directory where .service files are installed (systems running systemd only)
+SYSTEMD=/usr/lib/systemd/system        #Directory where .service files are installed (systems running systemd only)
 SPARSE=                                #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                        #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT              #Directory where product variable data is stored.

Shorewall-init/shorewall-init.service

@@ -13,8 +13,8 @@ Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall-init
 StandardOutput=syslog
-ExecStart=/sbin/shorewall-init $OPTIONS start
-ExecStop=/sbin/shorewall-init $OPTIONS stop
+ExecStart=/shorewall-init $OPTIONS start
+ExecStop=/shorewall-init $OPTIONS stop
 
 [Install]
 WantedBy=multi-user.target

Shorewall-lite/init.archlinux.sh

@@ -1,58 +0,0 @@
-#!/bin/bash
-
-OPTIONS="-f"
-
-if [ -f /etc/sysconfig/shorewall ] ; then
-	. /etc/sysconfig/shorewall
-elif [ -f /etc/default/shorewall ] ; then
-	. /etc/default/shorewall
-fi
-
-# if you want to override options, do so in /etc/sysconfig/shorewall or
-# in /etc/default/shorewall --
-# i strongly encourage you use the latter, since /etc/sysconfig/ does not exist.
-
-. /etc/rc.conf
-. /etc/rc.d/functions
-
-DAEMON_NAME="shorewall" # of course shorewall is NOT a deamon.
-
-case "$1" in
-	start)
-		stat_busy "Starting $DAEMON_NAME"
-		/sbin/shorewall-lite $OPTIONS start &>/dev/null
-		if [ $? -gt 0 ]; then
-			stat_fail
-		else
-			add_daemon $DAEMON_NAME
-			stat_done
-		fi
-		;;
-
-
-	stop)
-		stat_busy "Stopping $DAEMON_NAME"
-		/sbin/shorewall-lite stop &>/dev/null
-		if [ $? -gt 0 ]; then
-			stat_fail
-		else
-			rm_daemon $DAEMON_NAME
-			stat_done
-		fi
-		;;
-
-	restart|reload)
-		stat_busy "Restarting $DAEMON_NAME"
-		/sbin/shorewall-lite restart &>/dev/null
-		if [ $? -gt 0  ]; then
-			stat_fail
-		else
-			stat_done
-		fi
-		;;
-
-	*)
-		echo "usage: $0 {start|stop|restart}"
-esac
-exit 0
-

Shorewall-lite/manpages/shorewall-lite.xml

@@ -337,6 +337,8 @@
 
       <arg choice="plain"><option>show</option></arg>
 
+      <arg><option>-b</option></arg>
+
       <arg><option>-x</option></arg>
 
       <arg><option>-l</option></arg>
@@ -841,6 +843,12 @@
                 Netfilter table to display. The default is <emphasis
                 role="bold">filter</emphasis>.</para>
 
+                <para>The <emphasis role="bold">-b</emphasis> ('brief') option
+                causes rules which have not been used (i.e. which have zero
+                packet and byte counts) to be omitted from the output. Chains
+                with no rules displayed are also omitted from the
+                output.</para>
+
                 <para>The <emphasis role="bold">-l</emphasis> option causes
                 the rule number for each Netfilter rule to be
                 displayed.</para>

Shorewall-lite/shorewall-lite.service

@@ -13,8 +13,8 @@ Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall-lite
 StandardOutput=syslog
-ExecStart=/usr/sbin/shorewall-lite $OPTIONS start
-ExecStop=/usr/sbin/shorewall-lite $OPTIONS stop
+ExecStart=/sbin/shorewall-lite $OPTIONS start
+ExecStop=/sbin/shorewall-lite $OPTIONS stop
 
 [Install]
 WantedBy=multi-user.target

Shorewall/Macros/macro.A_AllowICMPs

@@ -9,7 +9,7 @@
 #ACTION		SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #					PORT(S)	PORT(S)	LIMIT	GROUP
 
-COMMENT Needed ICMP types
+?COMMENT Needed ICMP types
 
 A_ACCEPT       -	-	icmp	fragmentation-needed
 A_ACCEPT       -	-	icmp	time-exceeded

Shorewall/Macros/macro.A_DropDNSrep

@@ -9,6 +9,6 @@
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 
-COMMENT Late DNS Replies
+?COMMENT Late DNS Replies
 
 A_DROP	-	-	udp	-	53

Shorewall/Macros/macro.A_DropUPnP

@@ -9,6 +9,6 @@
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 
-COMMENT UPnP
+?COMMENT UPnP
 
 A_DROP	-	-	udp	1900

Shorewall/Macros/macro.ActiveDir

@@ -0,0 +1,40 @@
+#
+# Shorewall version 4 - Samba 4 Macro
+#
+# /usr/share/shorewall/macro.ActiveDir
+#
+#       This macro handles ports for Samba 4 Active Directory Service
+#
+# You can comment out the ports you do not want open
+#
+# 
+###############################################################################
+#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  RATE    USER/
+#                               PORT(S) PORT(S) LIMIT   GROUP
+PARAM   -       -       tcp     389 	#LDAP services
+PARAM   -       -       udp	389  
+PARAM   -       -       tcp     636	#LDAP SSL
+PARAM   -       -       tcp     3268	#LDAP GC
+PARAM   -       -       tcp     3269	#LDAP GC SSL
+PARAM   -       -       tcp     88	#Kerberos
+PARAM   -       -       udp	88
+
+# Use macro.DNS for DNS sevice
+
+PARAM   -       -       tcp     445	#Replication, User and Computer Authentication, Group Policy, Trusts
+PARAM   -       -       udp	445
+
+# Use macro.SMTP for Mail service
+
+PARAM   -       -       tcp     135	#RPC, EPM
+PARAM   -       -       tcp     5722	#RPC, DFSR (SYSVOL)
+PARAM   -       -       udp	123	#Windows Time
+PARAM   -       -       tcp     464	#Kerberosb change/set password
+PARAM   -       -       udp	464
+PARAM   -       -       udp	138	#DFS, Group Policy
+PARAM   -       -       tcp     9389	#SOAP
+PARAM   -       -       tcp     2535	#MADCAP
+PARAM   -       -       udp	2535
+PARAM   -       -       udp     137	#NetLogon, NetBIOS Name Resolution
+PARAM   -       -       tcp	139	#DFSN, NetBIOS Session Service, NetLogon    
+  

Shorewall/Macros/macro.AllowICMPs

@@ -9,7 +9,7 @@
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 
-COMMENT Needed ICMP types
+?COMMENT Needed ICMP types
 
 DEFAULT ACCEPT
 PARAM	-	-	icmp	fragmentation-needed

Shorewall/Macros/macro.Amanda

@@ -8,7 +8,7 @@
 #	files from those nodes.
 #
 ###############################################################################
-FORMAT 2
+?FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 

Shorewall/Macros/macro.DropDNSrep

@@ -9,7 +9,7 @@
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 
-COMMENT Late DNS Replies
+?COMMENT Late DNS Replies
 
 DEFAULT DROP
 PARAM	-	-	udp	-	53

Shorewall/Macros/macro.DropUPnP

@@ -9,7 +9,7 @@
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 
-COMMENT UPnP
+?COMMENT UPnP
 
 DEFAULT DROP
 PARAM	-	-	udp	1900

Shorewall/Macros/macro.FTP

@@ -6,7 +6,7 @@
 #	This macro handles FTP traffic.
 #
 ###############################################################################
-FORMAT 2
+?FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __FTP_HELPER  )

Shorewall/Macros/macro.IRC

@@ -6,7 +6,7 @@
 #	This macro handles IRC traffic (Internet Relay Chat).
 #
 ###############################################################################
-FORMAT 2
+?FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 

Shorewall/Macros/macro.PPtP

@@ -6,7 +6,7 @@
 #	This macro handles PPTP traffic.
 #
 ###############################################################################
-FORMAT 2
+?FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 PARAM	-	-	47

Shorewall/Macros/macro.Puppet

@@ -0,0 +1,12 @@
+#
+# Shorewall version 4 - Puppet Macro
+#
+# /usr/share/shorewall/macro.Puppet
+#
+#	This macro handles client-to-server for the Puppet configuration
+#	management system.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S)	PORT(S)	LIMIT	GROUP
+PARAM	-	-	tcp	8140

Shorewall/Macros/macro.Rfc1918

@@ -7,7 +7,7 @@
 #############################################################################################
 #ACTION		SOURCE		DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
 #						PORT(S)	PORT(S)	DEST		LIMIT	GROUP
-FORMAT 2
+?FORMAT 2
 PARAM		SOURCE:10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 \
 				DEST	-	-	-	-	-	-
 PARAM		SOURCE		DEST	-	-	-	10.0.0.0/8,172.16.0.0/12,192.168.0.0/16

Shorewall/Macros/macro.SANE

@@ -6,7 +6,7 @@
 #	This macro handles SANE network scanning.
 #
 ###############################################################################
-FORMAT 2
+?FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 

Shorewall/Macros/macro.SIP

@@ -6,7 +6,7 @@
 #	This macro handles SIP traffic.
 #
 ###############################################################################
-FORMAT 2
+?FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 

Shorewall/Macros/macro.SMB

@@ -10,7 +10,7 @@
 #	between hosts you fully trust.
 #
 ###############################################################################
-FORMAT 2
+?FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 PARAM	-	-	udp	135,445

Shorewall/Macros/macro.SMBBI

@@ -10,7 +10,7 @@
 #	allow SMB traffic between hosts you fully trust.
 #
 ###############################################################################
-FORMAT 2
+?FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 PARAM	-	-	udp	135,445

Shorewall/Macros/macro.SNMP

@@ -8,7 +8,7 @@
 #       Note: To allow SNMP Traps, use the SNMPTrap macro
 #
 ###############################################################################
-FORMAT 2
+?FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 

Shorewall/Macros/macro.SNMPTrap

@@ -6,7 +6,7 @@
 #	This macro handles SNMP traps.
 #
 ###############################################################################
-FORMAT 2
+?FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 PARAM	-	-	udp	162

Shorewall/Macros/macro.TFTP

@@ -8,7 +8,7 @@
 #	Internet.
 #
 ###############################################################################
-FORMAT 2
+?FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 

Shorewall/Macros/macro.Teredo

@@ -0,0 +1,11 @@
+#
+# Shorewall version 4 - Teredo Macro
+#
+# /usr/share/shorewall/macro.Teredo
+#
+#	This macro handles Teredo IPv6 over UDP tunneling traffic
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S)	PORT(S)	LIMIT	GROUP
+PARAM	-	-	udp	3544

Shorewall/Macros/macro.template

@@ -71,9 +71,17 @@
 #	Remaining		Any value in the rules file REPLACES the value
 #	columns			given in the macro file.
 #
+# Multiple parameters may be passed to a macro. Within this file, $1 refers to the first parameter,
+# $2 to the second an so on. $1 is a synonym for PARAM but may be used anywhere in the file whereas
+# PARAM may only be used in the ACTION column.
+#
+# You can specify default values for parameters by using DEFAULT or DEFAULTS entry:
+#
+#      DEFAULTS  <default for $1>,<default for $2>,...
+#
 #######################################################################################################
 #                                         DO NOT REMOVE THE FOLLOWING LINE
-FORMAT 2
-####################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS
+?FORMAT 2
+#################################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH        HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP

Shorewall/Perl/Shorewall/ARP.pm

@@ -0,0 +1,314 @@
+#
+# Shorewall 4.5 -- /usr/share/shorewall/Shorewall/ARP.pm
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2013 - Tom Eastep (teastep@shorewall.net)
+#
+#       Complete documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#  This file is responsible for Shorewall's arptables support
+#
+package Shorewall::ARP;
+require Exporter;
+
+use Shorewall::Config qw(:DEFAULT :internal);
+use Shorewall::Zones;
+use Shorewall::IPAddrs;
+use strict;
+
+our @ISA = qw(Exporter);
+our @EXPORT = ( qw( process_arprules create_arptables_load preview_arptables_load ) );
+
+our %arp_table;
+our $arp_input;
+our $arp_output;
+our $arp_forward;
+our $sourcemac;
+our $destmac;
+our $addrlen;
+our $hw;
+our @builtins;
+our $arptablesjf;
+our @map = ( qw( 0 Request Reply Request_Reverse Reply_Reverse DRARP_Request DRARP_Reply DRARP_Error InARP_Request ARP_NAK ) );
+
+
+#
+# Handles the network and mac parts of the SOURCE ($source == 1 ) and DEST ($source == 0) columns in the arprules file.
+# Returns any match(es) specified.
+#
+sub match_arp_net( $$$ ) {
+    my ( $net, $mac, $source ) = @_;
+
+    my $return = '';
+
+    if ( supplied $net ) {
+	my $invert = ( $net =~ s/^!// ) ? '! ' : '';
+	validate_net $net, 0;
+	$return = $source ? "-s ${invert}$net " : "-d ${invert}$net ";
+    }
+
+    if ( supplied $mac ) {
+	my ( $addr , $mask ) = split( '/', $mac, 2 );
+
+	my $invert = ( $addr =~ s/^!// ) ? '! ' : '';
+
+	fatal_error "Invalid MAC address ($addr)" unless $addr =~ /^(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$/;
+	if ( supplied $mask ) {
+	    fatal_error "Invalid MAC Mask ($mask)" unless $mask =~ /^(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$/;
+	    $return .= $source ? "$sourcemac $invert$addr/$mask " : "$destmac $invert$addr/mask ";
+	} else {
+	    $return .= $source ? "$sourcemac $invert$addr " : "$destmac $invert$addr ";
+	}
+    }
+
+    $return;
+}
+
+#
+# Process a rule in the arprules file
+#
+sub process_arprule() {
+    my ( $originalaction, $source, $dest, $opcode ) = split_line( 'arprules file entry', {action => 0, source => 1, dest => 2, opcode => 3 } );
+
+    my $chainref;
+    my $iifaceref;
+    my $iiface;
+    my $difaceref;
+    my $diface;
+    my $saddr;
+    my $smac;
+    my $daddr;
+    my $dmac;
+    my $rule = '';
+
+    fatal_error "ACTION must be specified" if $originalaction eq '-';
+
+    my ( $action, $newaddr ) = split( ':', $originalaction, 2 );
+
+    my %functions = ( DROP   => sub() { $rule .= "-j DROP" },
+		      ACCEPT => sub() { $rule .= "-j ACCEPT" },
+		      SNAT   => sub() { validate_address $newaddr, 0;
+					$rule .= "-j mangle --mangle-ip-s $newaddr"; },
+		      DNAT   => sub() { validate_address $newaddr, 0;
+					$rule .= "-j mangle --mangle-ip-d $newaddr"; },
+		      SMAT   => sub() { fatal_error "Invalid MAC address ($newaddr)" unless $newaddr =~ /^(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$/;
+					$rule .= "$addrlen 6 -j mangle --mangle-$hw-s $newaddr"; },
+		      DMAT   => sub() { fatal_error "Invalid MAC address ($newaddr)" unless $newaddr =~ /^(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$/;
+					$rule .= "$addrlen 6 -j mangle --mangle-$hw-d $newaddr"; },
+		      SNATC  => sub() { validate_address $newaddr, 0;
+					$rule .= "-j mangle --mangle-ip-s $newaddr --mangle-target CONTINUE"; },
+		      DNATC  => sub() { validate_address $newaddr, 0;
+					$rule .= "-j mangle --mangle-ip-d $newaddr --mangle-target CONTINUE"; },
+		      SMATC  => sub() { fatal_error "Invalid MAC address ($newaddr)" unless $newaddr =~ /^(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$/;
+					$rule .= "$addrlen 6 -j mangle --mangle-$hw-s $newaddr --mangle-target CONTINUE"; },
+		      DMATC  => sub() { fatal_error "Invalid MAC address ($newaddr)" unless $newaddr =~ /^(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$/;
+					$rule .= "$addrlen 6 -j mangle --mangle-$hw-d $newaddr --mangle-target CONTINUE"; },
+		    );
+
+    if ( supplied $newaddr ) {
+	fatal_error "The $action ACTION does not allow a new address" unless $action =~ /^(?:SNAT|DNAT|SMAT|DMAT)C?$/;
+    } else {
+	fatal_error "The $action ACTION requires a new address" if $action =~ /^(?:SNAT|DNAT|SMAT|DMAT)C?$/;
+    }
+
+    my $function = $functions{$action};
+
+    fatal_error "Unknown ACTION ($action)" unless $function;
+
+    if ( $source ne '-' ) {
+	( $iiface, $saddr, $smac ) = split /:/, $source, 3;
+
+	fatal_error "SOURCE interface missing" unless supplied $iiface; 
+
+	$iiface = ( $iifaceref = find_interface( $iiface ) )->{physical};
+
+	fatal_error "Wildcard Interfaces ( $iiface )may not be used in this context" if $iiface =~ /\+$/;
+
+	$rule .= "-i $iiface ";
+	$rule .= match_arp_net( $saddr , $smac, 1 ) if supplied( $saddr );
+	$chainref = $arp_input;
+    }
+
+    if ( $dest ne '-' ) {
+	( $diface, $daddr, $dmac ) = split /:/, $dest, 3;
+
+	fatal_error "DEST interface missing" unless supplied $diface; 
+
+	$diface = ( $difaceref = find_interface( $diface ) )->{physical};
+
+	fatal_error "A wildcard interfaces ( $diface) may not be used in this context" if $diface =~ /\+$/;
+
+	if ( $iiface ) {
+	    fatal_error "When both SOURCE and DEST are given, the interfaces must be ports on the same bridge"
+		if $iifaceref->{bridge} ne $difaceref->{bridge};
+	    $chainref = $arp_forward;
+	} else {
+	    $chainref = $arp_output;
+	}
+
+	$rule .= "-o $diface ";
+	$rule .= match_arp_net( $daddr , $dmac, 0 ) if supplied( $daddr );
+
+    }
+
+    if ( $opcode ne '-' ) {
+	my $invert = ( $opcode =~ s/^!// ) ? '! ' : '';
+	warning_message q(arptables versions through 0.3.4 ignore '!' after '--opcode') if $invert && ! $arptablesjf;
+	fatal_error "Invalid ARP OPCODE ($opcode)" unless $opcode =~ /^\d$/ && $opcode;
+	$rule .= $arptablesjf ? " --arpop ${invert}$map[$opcode] " : "--opcode ${invert}$opcode ";
+    }
+
+    $function ->();
+
+    fatal_error "Either SOURCE or DEST must be specified" unless $chainref;
+
+    push @$chainref, $rule;
+
+}
+
+#
+# Process the arprules file -- returns true if there were any arp rules
+#
+sub process_arprules() {
+    my $result = 0;
+
+    if ( $arptablesjf = have_capability 'ARPTABLESJF' ) {
+	$arp_input  = $arp_table{IN}       = [];
+	$arp_output = $arp_table{OUT}      = [];
+	$arp_forward = $arp_table{FORWARD} = [];
+	@builtins = qw( IN OUT FORWARD );
+	$sourcemac = '-z';
+	$destmac   = '-y';
+	$addrlen   = '--arhln';
+	$hw        = 'hw';
+    } else {
+	$arp_input   = $arp_table{INPUT}   = [];
+	$arp_output  = $arp_table{OUTPUT}  = [];
+	$arp_forward = $arp_table{FORWARD} = [];
+	@builtins = qw( INPUT OUTPUT FORWARD );
+	$sourcemac = '--source-mac';
+	$destmac   = '--destination-mac';
+	$addrlen   = '--h-length';
+	$hw        = 'mac';
+    }
+
+    my $fn = open_file 'arprules';
+
+    if ( $fn ) {
+	first_entry( sub() {
+			 $result = 1;
+			 progress_message2 "$doing $fn..."; }
+		   );
+	process_arprule while read_a_line( NORMAL_READ );
+    }
+
+    $result;
+}
+
+#
+# Generate the arptables_load() function
+#
+sub create_arptables_load( $ ) {
+    my $test = shift;
+
+    emit ( '#',
+	   '# Create the input to arptables-restore and pass that input to the utility',
+	   '#',
+	   'setup_arptables()',
+	   '{'
+	   );
+
+    push_indent;
+
+    save_progress_message "Preparing arptables-restore input...";
+
+    emit '';
+
+    emit "exec 3>\${VARDIR}/.arptables-input";
+
+    my $date = localtime;
+
+    unless ( $test ) {
+	emit_unindented '#';
+	emit_unindented "# Generated by Shorewall $globals{VERSION} - $date";
+	emit_unindented '#';
+    }
+
+    emit '';
+    emit 'cat >&3 << __EOF__';
+
+    emit_unindented "*filter";
+
+    emit_unindented ":$_ ACCEPT" for @builtins;
+
+    for ( @builtins ) {
+	my $rules = $arp_table{$_};
+
+	while ( my $rule = shift @$rules ) {
+	    emit_unindented "-A $_ $rule";
+	}
+    }
+
+    emit_unindented "COMMIT\n" if $arptablesjf;
+
+    emit_unindented "__EOF__";
+
+    #
+    # Now generate the actual ip[6]tables-restore command
+    #
+    emit(  'exec 3>&-',
+	   '',
+	   'progress_message2 "Running $ARPTABLES_RESTORE..."',
+	   '',
+	   'cat ${VARDIR}/.arptables-input | $ARPTABLES_RESTORE # Use this nonsensical form to appease SELinux',
+	   'if [ $? != 0 ]; then',
+	   qq(    fatal_error "arptables-restore Failed. Input is in \${VARDIR}/.arptables-input"),
+	   "fi\n",
+	   "run_ip neigh flush nud stale nud reachable\n",
+	   );    
+
+    pop_indent;
+    emit "}\n";
+}	  
+
+#
+# Preview the generated ARP rules
+#
+sub preview_arptables_load() {
+
+    my $date = localtime;
+
+    print "#\n# Generated by Shorewall $globals{VERSION} - $date\n#\n";
+
+    print "*filter\n";
+
+    print ":$_ ACCEPT\n" for qw( INPUT OUTPUT FORWARD );
+
+    for ( @builtins ) {
+	my $rules = $arp_table{$_};
+
+	while ( my $rule = shift @$rules ) {
+	    print "-A $rule\n";
+	}
+    }
+
+    print "COMMIT\n" if $arptablesjf;
+
+    print "\n";
+}	  
+
+1;

Shorewall/Perl/Shorewall/Accounting.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010,2011,2012,2013 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -40,18 +40,17 @@ our $VERSION = 'MODULEVERSION';
 #
 # Per-IP accounting tables. Each entry contains the associated network.
 #
-my %tables;
+our %tables;
 
-my $jumpchainref;
-my %accountingjumps;
-my $asection;
-my $defaultchain;
-my $ipsecdir;
-my $defaultrestriction;
-my $restriction;
-my $accounting_commands = { COMMENT => 0, SECTION => 2 };
-my $sectionname;
-my $acctable;
+our $jumpchainref;
+our %accountingjumps;
+our $asection;
+our $defaultchain;
+our $ipsecdir;
+our $defaultrestriction;
+our $restriction;
+our $sectionname;
+our $acctable;
 
 #
 # Sections in the Accounting File
@@ -142,27 +141,14 @@ sub process_section ($) {
 #
 # Accounting
 #
-sub process_accounting_rule( ) {
+sub process_accounting_rule1( $$$$$$$$$$$ ) {
+
+    my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers ) = @_;
 
     $acctable = $config{ACCOUNTING_TABLE};
 
     $jumpchainref = 0;
 
-    my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers ) =
-	split_line1 'Accounting File', { action => 0, chain => 1, source => 2, dest => 3, proto => 4, dport => 5, sport => 6, user => 7, mark => 8, ipsec => 9, headers => 10 }, $accounting_commands;
-
-    fatal_error 'ACTION must be specified' if $action eq '-';
-
-    if ( $action eq 'COMMENT' ) {
-	process_comment;
-	return 0;
-    }
-
-    if ( $action eq 'SECTION' ) {
-	process_section( $chain );
-	return 0;
-    }
-
     $asection = LEGACY if $asection < 0;
 
     our $disposition = '';
@@ -415,9 +401,31 @@ sub process_accounting_rule( ) {
     return 1;
 }
 
+sub process_accounting_rule( ) {
+
+    my ($action, $chain, $source, $dest, $protos, $ports, $sports, $user, $mark, $ipsec, $headers ) =
+	split_line1 'Accounting File', { action => 0, chain => 1, source => 2, dest => 3, proto => 4, dport => 5, sport => 6, user => 7, mark => 8, ipsec => 9, headers => 10 };
+
+    my $nonempty = 0;
+
+    for my $proto ( split_list $protos, 'Protocol' ) {
+	fatal_error 'ACTION must be specified' if $action eq '-';
+
+	if ( $action eq 'SECTION' ) {
+	    process_section( $chain );
+	} else {
+	    for my $proto ( split_list $protos, 'Protocol' ) {
+		$nonempty |= process_accounting_rule1( $action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers );
+	    }
+	}
+    }
+
+    $nonempty;
+}
+
 sub setup_accounting() {
 
-    if ( my $fn = open_file 'accounting' ) {
+    if ( my $fn = open_file 'accounting', 1, 1 ) {
 
 	first_entry "$doing $fn...";
 
@@ -425,8 +433,6 @@ sub setup_accounting() {
 
 	$nonEmpty |= process_accounting_rule while read_a_line( NORMAL_READ );
 
-	clear_comment;
-
 	if ( $nonEmpty ) {
 	    my $tableref = $chain_table{$acctable};
 

Shorewall/Perl/Shorewall/Compiler.pm

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011,2012 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010,2011,2012,2013 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -36,6 +36,7 @@ use Shorewall::Proc;
 use Shorewall::Proxyarp;
 use Shorewall::Raw;
 use Shorewall::Misc;
+use Shorewall::ARP;
 
 use strict;
 
@@ -44,11 +45,13 @@ our @EXPORT = qw( compiler );
 our @EXPORT_OK = qw( $export );
 our $VERSION = 'MODULEVERSION';
 
-my $export;
+our $export;
 
-my $test;
+our $test;
 
-my $family;
+our $family;
+
+our $have_arptables;
 
 #
 # Initilize the package-globals in the other modules
@@ -203,6 +206,7 @@ sub generate_script_2() {
 
     emit (   '[ -f ${g_confdir}/vardir ] && . ${g_confdir}/vardir' );
     emit ( qq([ -n "\${VARDIR:=$shorewallrc1{VARDIR}}" ]) );
+    emit ( qq([ -n "\${VARLIB:=$shorewallrc1{VARLIB}}" ]) );
 
     emit 'TEMPFILE=';
 
@@ -225,6 +229,22 @@ sub generate_script_2() {
 
     set_chain_variables;
 
+    my $need_arptables = $have_arptables || $config{SAVE_ARPTABLES};
+
+    if ( my $arptables = $config{ARPTABLES} ) {
+	emit( qq(ARPTABLES="$arptables"),
+	      '[ -x "$ARPTABLES" ] || startup_error "ARPTABLES=$ARPTABLES does not exist or is not executable"',
+	    );
+    } elsif ( $need_arptables ) {
+	emit( '[ -z "$ARPTABLES" ] && ARPTABLES=$(mywhich arptables)',
+	      '[ -n "$ARPTABLES" -a -x "$ARPTABLES" ] || startup_error "Can\'t find arptables executable"' );
+    }
+
+    if ( $need_arptables ) {
+	emit( 'ARPTABLES_RESTORE=${ARPTABLES}-restore',
+	      '[ -x "$ARPTABLES_RESTORE" ] || startup_error "$ARPTABLES_RESTORE does not exist or is not executable"' );
+    }
+
     if ( $config{EXPORTPARAMS} ) {
 	append_file 'params';
     } else {
@@ -322,6 +342,7 @@ sub generate_script_3($) {
     }
 
     create_netfilter_load( $test );
+    create_arptables_load( $test ) if $have_arptables;
     create_chainlist_reload( $_[0] );
 
     emit "#\n# Start/Restart the Firewall\n#";
@@ -364,8 +385,8 @@ sub generate_script_3($) {
 	       'fi',
 	       '' );
 
+	verify_address_variables;
 	save_dynamic_chains;
-
 	mark_firewall_not_started;
 
 	emit ( '',
@@ -393,6 +414,7 @@ sub generate_script_3($) {
 	       'fi',
 	       '' );
 
+	verify_address_variables;
 	save_dynamic_chains;
 	mark_firewall_not_started;
 
@@ -448,59 +470,76 @@ sub generate_script_3($) {
 	  '    if [ -f $iptables_save_file ]; then' );
 
     if ( $family == F_IPV4 ) {
-	emit '        cat $iptables_save_file | $IPTABLES_RESTORE # Use this nonsensical form to appease SELinux'
+	emit( '        cat $iptables_save_file | $IPTABLES_RESTORE # Use this nonsensical form to appease SELinux' );
+
+	emit( '',
+	      '        arptables_save_file=${VARDIR}/$(basename $0)-arptables',
+	      '        if [ -f $arptables_save_file ]; then',
+	      '            cat $arptables_save_file | $ARPTABLES_RESTORE',
+	      '        fi')
+	    if $config{SAVE_ARPTABLES};
+
     } else {
 	emit '        cat $iptables_save_file | $IP6TABLES_RESTORE # Use this nonsensical form to appease SELinux'
     }
 
-    emit<<'EOF';
-    else
-        fatal_error "$iptables_save_file does not exist"
-    fi
-EOF
-    pop_indent;
+    emit( '    else',
+	  '       fatal_error "$iptables_save_file does not exist"',
+	  '    fi',
+	  ''
+	);
+
+    push_indent;
     setup_load_distribution;
     setup_forwarding( $family , 1 );
-    push_indent;
+    pop_indent;
 
     my $config_dir = $globals{CONFIGDIR};
 
     emit<<"EOF";
     set_state Started $config_dir
     run_restored_exit
-else
-    if [ \$COMMAND = refresh ]; then
-        chainlist_reload
+elif [ \$COMMAND = refresh ]; then
+    chainlist_reload
 EOF
+    push_indent;
     setup_load_distribution;
     setup_forwarding( $family , 0 );
-
-    emit( '        run_refreshed_exit' ,
-	  '        do_iptables -N shorewall' ,
-	  "        set_state Started $config_dir" ,
-	  '    else' ,
-	  '        setup_netfilter' );
-
+    pop_indent;
+    #
+    # Use a parameter list rather than 'here documents' to avoid an extra blank line
+    #
+    emit(
+'    run_refreshed_exit',
+'    do_iptables -N shorewall',
+"    set_state Started $config_dir",
+'    [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall',
+'else',
+'    setup_netfilter'
+	);
+    push_indent;
+    emit 'setup_arptables' if $have_arptables;
     setup_load_distribution;
+    pop_indent;
 
-    emit<<"EOF";
-        conditionally_flush_conntrack
+    emit<<'EOF';
+    conditionally_flush_conntrack
 EOF
+    push_indent;
+    initialize_switches;
     setup_forwarding( $family , 0 );
+    pop_indent;
 
     emit<<"EOF";
-        run_start_exit
-        do_iptables -N shorewall
-        set_state Started $config_dir
-        run_started_exit
-    fi
-
+    run_start_exit
+    do_iptables -N shorewall
+    set_state Started $config_dir
+    [ \$0 = \${VARDIR}/firewall ] || cp -f \$(my_pathname) \${VARDIR}/firewall
+    run_started_exit
+fi
 EOF
 
     emit<<'EOF';
-    [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall
-fi
-
 date > ${VARDIR}/restarted
 
 case $COMMAND in
@@ -532,11 +571,12 @@ EOF
 #
 sub compiler {
 
-    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $convert, $config_path, $shorewallrc                      , $shorewallrc1 ) =
-       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0,        0,         0,        0,        , 0       , ''          , '/usr/share/shorewall/shorewallrc', '' );
+    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $convert, $config_path, $shorewallrc                      , $shorewallrc1 , $directives ) =
+       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0,        0,         0,        0,        , 0       , ''          , '/usr/share/shorewall/shorewallrc', ''            , 0 );
 
-    $export = 0;
-    $test   = 0;
+    $export         = 0;
+    $test           = 0;
+    $have_arptables = 0;
 
     sub validate_boolean( $ ) {
 	 my $val = numeric_value( shift );
@@ -570,6 +610,7 @@ sub compiler {
 		  update        => { store => \$update,        validate=> \&validate_boolean    } ,
 		  convert       => { store => \$convert,       validate=> \&validate_boolean    } ,
 		  annotate      => { store => \$annotate,      validate=> \&validate_boolean    } ,
+		  directives    => { store => \$directives,    validate=> \&validate_boolean    } ,
 		  config_path   => { store => \$config_path } ,
 		  shorewallrc   => { store => \$shorewallrc } ,
 		  shorewallrc1  => { store => \$shorewallrc1 } ,
@@ -608,7 +649,7 @@ sub compiler {
     #
     #                      S H O R E W A L L . C O N F  A N D  C A P A B I L I T I E S
     #
-    get_configuration( $export , $update , $annotate );
+    get_configuration( $export , $update , $annotate , $directives );
     #
     # Create a temp file to hold the script
     #
@@ -744,6 +785,8 @@ sub compiler {
 	emit "}\n"; # End of setup_routing_and_traffic_shaping()
     }
 
+    $have_arptables = process_arprules if $family == F_IPV4;
+
     disable_script;
     #
     #                                       N E T F I L T E R
@@ -827,7 +870,7 @@ sub compiler {
 	generate_script_2;
 	#
 	#                          N E T F I L T E R   L O A D
-	#    (Produces setup_netfilter(), chainlist_reload() and define_firewall() )
+	#    (Produces setup_netfilter(), setup_arptables(), chainlist_reload() and define_firewall() )
 	#
 	generate_script_3( $chains );
 	#
@@ -840,7 +883,7 @@ sub compiler {
 	#                           S T O P _ F I R E W A L L
 	#         (Writes the stop_firewall() function to the compiled script)
 	#
-	compile_stop_firewall( $test, $export );
+	compile_stop_firewall( $test, $export , $have_arptables );
 	#
 	#                               U P D O W N
 	#               (Writes the updown() function to the compiled script)
@@ -872,7 +915,7 @@ sub compiler {
 
 	    optimize_level0;
 
-	    if ( ( my $optimize = $config{OPTIMIZE} & OPTIMIZE_MASK ) ) {
+	    if ( ( my $optimize = $config{OPTIMIZE} ) & 0x1e ) {
 		progress_message2 'Optimizing Ruleset...';
 		#
 		# Optimize Policy Chains
@@ -888,7 +931,10 @@ sub compiler {
 
 	    generate_script_2 if $debug;
 
-	    preview_netfilter_load if $preview;
+	    if ( $preview ) {
+		preview_netfilter_load;
+		preview_arptables_load if $have_arptables;
+	    }
 	}
 	#
 	# Re-initialize the chain table so that process_routestopped() has the same
@@ -898,7 +944,7 @@ sub compiler {
 	initialize_chain_table(0);
 
 	if ( $debug ) {
-	    compile_stop_firewall( $test, $export );
+	    compile_stop_firewall( $test, $export, $have_arptables );
 	    disable_script;
 	} else {
 	    #

Shorewall/Perl/Shorewall/IPAddrs.pm

@@ -26,7 +26,7 @@
 #
 package Shorewall::IPAddrs;
 require Exporter;
-use Shorewall::Config qw( :DEFAULT split_list require_capability in_hex8 numeric_value F_IPV4 F_IPV6 :protocols );
+use Shorewall::Config qw( :DEFAULT split_list require_capability in_hex8 numeric_value F_IPV4 F_IPV6 :protocols %config );
 use Socket;
 
 use strict;
@@ -49,6 +49,7 @@ our @EXPORT = ( qw( ALLIPv4
 		  NILIP
 		  ALL
 
+		  valid_address
 		  validate_address
 		  validate_net
 		  decompose_net
@@ -65,6 +66,7 @@ our @EXPORT = ( qw( ALLIPv4
 		  nilip
 		  rfc1918_networks
 		  resolve_proto
+		  resolve_dnsname
 		  proto_name
 		  validate_port
 		  validate_portpair
@@ -79,20 +81,21 @@ our $VERSION = 'MODULEVERSION';
 #
 # Some IPv4/6 useful stuff
 #
-my @allipv4 = ( '0.0.0.0/0' );
-my @allipv6 = ( '::/0' );
-my $allip;
-my @allip;
-my @nilipv4 = ( '0.0.0.0' );
-my @nilipv6 = ( '::' );
-my $nilip;
-my @nilip;
-my $valid_address;
-my $validate_address;
-my $validate_net;
-my $validate_range;
-my $validate_host;
-my $family;
+our @allipv4 = ( '0.0.0.0/0' );
+our @allipv6 = ( '::/0' );
+our $allip;
+our @allip;
+our @nilipv4 = ( '0.0.0.0' );
+our @nilipv6 = ( '::' );
+our $nilip;
+our @nilip;
+our $valid_address;
+our $validate_address;
+our $validate_net;
+our $resolve_dnsname;
+our $validate_range;
+our $validate_host;
+our $family;
 
 use constant { ALLIPv4             => '0.0.0.0/0' ,
 	       ALLIPv6             => '::/0' ,
@@ -109,7 +112,7 @@ use constant { ALLIPv4             => '0.0.0.0/0' ,
 	       IPv6_SITE_ALLRTRS   => 'ff02::2' ,
 	   };
 
-my @rfc1918_networks = ( "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" );
+our @rfc1918_networks = ( "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" );
 
 #
 # Note: initialize() is declared at the bottom of the file
@@ -152,6 +155,21 @@ sub validate_4address( $$ ) {
     defined wantarray ? wantarray ? @addrs : $addrs[0] : undef;
 }
 
+sub resolve_4dnsname( $ ) {
+    my $net = $_[0];
+    my @addrs;
+
+    fatal_error "Unknown Host ($net)" unless  @addrs = gethostbyname( $net );
+
+    shift @addrs for (1..4);
+    for ( @addrs ) {
+	$_ = ( inet_ntoa( $_ ) );
+    }
+
+    @addrs;
+} 
+    
+
 sub decodeaddr( $ ) {
     my $address = $_[0];
 
@@ -202,7 +220,8 @@ sub validate_4net( $$ ) {
 	fatal_error "Invalid IP address ($net)"       unless valid_4address $net;
     } else {
 	fatal_error "Invalid Network address ($_[0])" if $_[0] =~ '/' || ! defined $net;
-	validate_4address $net, $_[1];
+	my $net1 = validate_4address $net, $allow_name;
+	$net  = $net1 unless $config{DEFER_DNS_RESOLUTION};
 	$vlsm = 32;
     }
 
@@ -324,6 +343,7 @@ sub resolve_proto( $ ) {
 	$number = numeric_value ( $proto );
 	defined $number && $number <= 255 ? $number : undef;
     } else {
+	fatal_error "A protocol list  ($proto) is not allowed in this context" if $proto =~ /,/; 
 	#
 	# Allow 'icmp' as a synonym for 'ipv6-icmp' in IPv6 compilations
 	#
@@ -610,6 +630,21 @@ sub validate_6address( $$ ) {
     defined wantarray ? wantarray ? @addrs : $addrs[0] : undef;
 }
 
+sub resolve_6dnsname( $ ) {
+    my $net = $_[0];
+    my @addrs;
+    
+    require Socket6;
+    fatal_error "Unknown Host ($net)" unless (@addrs = Socket6::gethostbyname2( $net, Socket6::AF_INET6()));
+
+    shift @addrs for (1..4);
+    for ( @addrs ) {
+	$_ = Socket6::inet_ntop( Socket6::AF_INET6(), $_ );
+    }
+
+    @addrs;
+} 
+
 sub validate_6net( $$ ) {
     my ($net, $vlsm, $rest) = split( '/', $_[0], 3 );
     my $allow_name = $_[0];
@@ -634,7 +669,8 @@ sub validate_6net( $$ ) {
 	fatal_error "Invalid IPv6 address ($net)"       unless valid_6address $net;
     } else {
 	fatal_error "Invalid Network address ($_[0])" if $_[0] =~ '/';
-	validate_6address $net, $allow_name;
+	my $net1 = validate_6address $net, $allow_name;
+	$net  = $net1 unless $config{DEFER_DNS_RESOLUTION};
 	$vlsm = 128;
     }
 
@@ -777,6 +813,10 @@ sub validate_net ( $$ ) {
     $validate_net->(@_);
 }
 
+sub resolve_dnsname( $ ) {
+    $resolve_dnsname->(@_);
+}
+
 sub validate_range ($$ ) {
     $validate_range->(@_);
 }
@@ -808,6 +848,7 @@ sub initialize( $ ) {
 	$validate_net     = \&validate_4net;
 	$validate_range   = \&validate_4range;
 	$validate_host    = \&validate_4host;
+	$resolve_dnsname  = \&resolve_4dnsname;
     } else {
 	$allip            = ALLIPv6;
 	@allip            = @allipv6;
@@ -818,6 +859,7 @@ sub initialize( $ ) {
 	$validate_net     = \&validate_6net;
 	$validate_range   = \&validate_6range;
 	$validate_host    = \&validate_6host;
+	$resolve_dnsname  = \&resolve_6dnsname;
     }
 }
 

Shorewall/Perl/Shorewall/Misc.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011,2012 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010,2011,2012,2013 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -48,7 +48,7 @@ our @EXPORT = qw( process_tos
 our @EXPORT_OK = qw( initialize );
 our $VERSION = 'MODULEVERSION';
 
-my $family;
+our $family;
 
 #
 # Rather than initializing globals in an INIT block or during declaration,
@@ -675,15 +675,15 @@ sub process_stoppedrules() {
     my $fw = firewall_zone;
     my $result;
 
-    if ( my $fn = open_file 'stoppedrules' ) {
+    if ( my $fn = open_file 'stoppedrules' , 1, 1 ) {
 	first_entry "$doing $fn...";
 
 	while ( read_a_line( NORMAL_READ ) ) {
 
 	    $result = 1;
 
-	    my ( $target, $source, $dest, $proto, $ports, $sports ) = 
-		split_line1 'stoppedrules file', { target => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5 }, { COMMENT => 0, FORMAT => 2 };
+	    my ( $target, $source, $dest, $protos, $ports, $sports ) = 
+		split_line1 'stoppedrules file', { target => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5 };
 
 	    fatal_error( "Invalid TARGET ($target)" ) unless $target =~ /^(?:ACCEPT|NOTRACK)$/;
 
@@ -702,13 +702,11 @@ sub process_stoppedrules() {
 	    }
 
 	    if ( $source eq $fw ) {
-		$chainref = $tableref->{OUTPUT};
+		$chainref = ( $target eq 'NOTRACK' ? $raw_table : $filter_table)->{OUTPUT};
 		$source = '';
 		$restriction = OUTPUT_RESTRICT;
-	    } 
-
-	    if ( $source =~ s/^($fw):// ) {
-		$chainref = $filter_table->{OUTPUT};
+	    } elsif ( $source =~ s/^($fw):// ) {
+		$chainref = ( $target eq 'NOTRACK' ? $raw_table : $filter_table)->{OUTPUT};
 		$restriction = OUTPUT_RESTRICT;
 	    }
 
@@ -717,9 +715,7 @@ sub process_stoppedrules() {
 		$chainref = $filter_table->{INPUT};
 		$dest = '';
 		$restriction = INPUT_RESTRICT;
-	    }
-
-	    if ( $dest =~ s/^($fw):// ) {
+	    } elsif ( $dest =~ s/^($fw):// ) {
 		fatal_error "\$FW may not be specified as the destination of a NOTRACK rule" if $target eq 'NOTRACK';
 		$chainref = $filter_table->{INPUT};
 		$restriction = INPUT_RESTRICT;
@@ -734,24 +730,24 @@ sub process_stoppedrules() {
 	    unless ( $restriction == OUTPUT_RESTRICT
 		     && $target eq 'ACCEPT'
 		     && $config{ADMINISABSENTMINDED} ) {
-		expand_rule( $chainref ,
-			     $restriction ,
-			     do_proto( $proto, $ports, $sports ) ,
-			     $source ,
-			     $dest ,
-			     '' ,
-			     $target,
-			     '',
-			     $disposition,
-			     do_proto( $proto, '-', '-' ) );
+		for my $proto ( split_list $protos, 'Protocol' ) {
+		    expand_rule( $chainref ,
+				 $restriction ,
+				 do_proto( $proto, $ports, $sports ) ,
+				 $source ,
+				 $dest ,
+				 '' ,
+				 $target,
+				 '',
+				 $disposition,
+				 do_proto( $proto, '-', '-' ) );
+		}
 	    } else {
 		warning_message "Redundant OUTPUT rule ignored because ADMINISABSENTMINDED=Yes";
 	    }
 	}
     }
 
-    clear_comment;
-
     $result;
 }
 
@@ -768,7 +764,7 @@ sub add_common_rules ( $ ) {
     my $chain;
     my $dynamicref;
 
-    my @state     = $config{BLACKLISTNEWONLY} ? have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID' : ();
+    my @state     = state_imatch( $globals{BLACKLIST_STATES} );
     my $faststate = $config{RELATED_DISPOSITION} eq 'ACCEPT' && $config{RELATED_LOG_LEVEL} eq '' ? 'ESTABLISHED,RELATED' : 'ESTABLISHED';
     my $level     = $config{BLACKLIST_LOGLEVEL};
     my $rejectref = $filter_table->{reject};
@@ -1130,7 +1126,7 @@ sub add_common_rules ( $ ) {
 
 	    for $interface ( @$list ) {
 		my $chainref = $filter_table->{input_option_chain $interface};
-		my $base     = uc chain_base get_physical $interface;
+		my $base     = uc var_base get_physical $interface;
 		my $optional = interface_is_optional( $interface );
 		my $variable = get_interface_gateway( $interface, ! $optional );
 
@@ -1212,7 +1208,7 @@ sub setup_mac_lists( $ ) {
 	    }
 	}
 
-	if ( my $fn = open_file 'maclist' ) {
+	if ( my $fn = open_file 'maclist', 1, 1 ) {
 
 	    first_entry "$doing $fn...";
 
@@ -1220,50 +1216,44 @@ sub setup_mac_lists( $ ) {
 
 		my ( $original_disposition, $interface, $mac, $addresses  ) = split_line1 'maclist file', { disposition => 0, interface => 1, mac => 2, addresses => 3 };
 
-		if ( $original_disposition eq 'COMMENT' ) {
-		    process_comment;
-		} else {
-		    my ( $disposition, $level, $remainder) = split( /:/, $original_disposition, 3 );
+		my ( $disposition, $level, $remainder) = split( /:/, $original_disposition, 3 );
 
-		    fatal_error "Invalid DISPOSITION ($original_disposition)" if defined $remainder || ! $disposition;
+		fatal_error "Invalid DISPOSITION ($original_disposition)" if defined $remainder || ! $disposition;
 
-		    my $targetref = $maclist_targets{$disposition};
+		my $targetref = $maclist_targets{$disposition};
 
-		    fatal_error "Invalid DISPOSITION ($original_disposition)"              if ! $targetref || ( ( $table eq 'mangle' ) && ! $targetref->{mangle} );
-		    fatal_error "Unknown Interface ($interface)"                           unless known_interface( $interface );
-		    fatal_error "No hosts on $interface have the maclist option specified" unless $maclist_interfaces{$interface};
+		fatal_error "Invalid DISPOSITION ($original_disposition)"              if ! $targetref || ( ( $table eq 'mangle' ) && ! $targetref->{mangle} );
+		fatal_error "Unknown Interface ($interface)"                           unless known_interface( $interface );
+		fatal_error "No hosts on $interface have the maclist option specified" unless $maclist_interfaces{$interface};
 
-		    my $chainref = $chain_table{$table}{( $ttl ? macrecent_target $interface : mac_chain $interface )};
+		my $chainref = $chain_table{$table}{( $ttl ? macrecent_target $interface : mac_chain $interface )};
 
-		    $mac       = '' unless $mac && ( $mac ne '-' );
-		    $addresses = '' unless defined $addresses && ( $addresses ne '-' );
+		$mac       = '' unless $mac && ( $mac ne '-' );
+		$addresses = '' unless defined $addresses && ( $addresses ne '-' );
 
-		    fatal_error "You must specify a MAC address or an IP address" unless $mac || $addresses;
+		fatal_error "You must specify a MAC address or an IP address" unless $mac || $addresses;
 
-		    $mac = do_mac $mac if $mac;
+		$mac = do_mac $mac if $mac;
 
-		    if ( $addresses ) {
-			for my $address ( split ',', $addresses ) {
-			    my $source = match_source_net $address;
-			    log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , "${mac}${source}"
-				if supplied $level;
-
-			    add_ijump( $chainref , j => 'AUDIT', targetopts => '--type ' . lc $disposition ) if $audit && $disposition ne 'ACCEPT';
-			    add_jump( $chainref , $targetref->{target}, 0, "${mac}${source}" );
-			}
-		    } else {
-			log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , $mac
+		if ( $addresses ) {
+		    for my $address ( split ',', $addresses ) {
+			my $source = match_source_net $address;
+			log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , "${mac}${source}"
 			    if supplied $level;
 
 			add_ijump( $chainref , j => 'AUDIT', targetopts => '--type ' . lc $disposition ) if $audit && $disposition ne 'ACCEPT';
-			add_jump ( $chainref , $targetref->{target}, 0, "$mac" );
+			add_jump( $chainref , $targetref->{target}, 0, "${mac}${source}" );
 		    }
+		} else {
+		    log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , $mac
+			if supplied $level;
 
-		    progress_message "      Maclist entry \"$currentline\" $done";
+		    add_ijump( $chainref , j => 'AUDIT', targetopts => '--type ' . lc $disposition ) if $audit && $disposition ne 'ACCEPT';
+		    add_jump ( $chainref , $targetref->{target}, 0, "$mac" );
 		}
-	    }
 
-	    clear_comment;
+		progress_message "      Maclist entry \"$currentline\" $done";
+	    }
 	}
 	#
 	# Generate jumps from the input and forward chains
@@ -1482,10 +1472,11 @@ sub handle_loopback_traffic() {
 		    my @ipsec_match = match_ipsec_in $z1 , $hostref;
 
 		    for my $net ( @{$hostref->{hosts}} ) {
-			add_ijump( $rawout,
-				   j => $exclusion ,
-				   imatch_source_net $net,
-				   @ipsec_match );
+			insert_ijump( $rawout,
+				      j => $exclusion ,
+				      $rawout->{insert}++,
+				      imatch_source_net $net,
+				      @ipsec_match );
 		    }
 		}
 	    }
@@ -1834,6 +1825,7 @@ sub add_prerouting_jumps( $$$$$$$$ ) {
 
     my $dnatref         = $nat_table->{dnat_chain( $zone )};
     my $preroutingref   = $nat_table->{PREROUTING};
+    my $rawref          = $raw_table->{PREROUTING};
     my $notrackref      = ensure_chain 'raw' , notrack_chain( $zone );
     my @ipsec_in_match  = match_ipsec_in  $zone , $hostref;
 
@@ -1858,15 +1850,20 @@ sub add_prerouting_jumps( $$$$$$$$ ) {
 	# There are notrack rules with this zone as the source.
 	# Add a jump from this source network to this zone's notrack chain
 	#
-	add_ijump $raw_table->{PREROUTING}, j => source_exclusion( $exclusions, $notrackref), imatch_source_dev( $interface), @source, @ipsec_in_match;
+	insert_ijump $rawref, j => source_exclusion( $exclusions, $notrackref), $rawref->{insert}++, imatch_source_dev( $interface), @source, @ipsec_in_match;
     }
     #
     # If this zone has parents with DNAT/REDIRECT or notrack rules and there are no CONTINUE polcies with this zone as the source
     # then add a RETURN jump for this source network.
     #
     if ( $nested ) {
-	add_ijump $preroutingref,           j => 'RETURN', imatch_source_dev( $interface), @source, @ipsec_in_match if $parenthasnat;
-	add_ijump $raw_table->{PREROUTING}, j => 'RETURN', imatch_source_dev( $interface), @source, @ipsec_in_match if $parenthasnotrack;
+	if ( $parenthasnat ) {
+	    add_ijump $preroutingref, j => 'RETURN',                      imatch_source_dev( $interface), @source, @ipsec_in_match;
+	}
+	if ( $parenthasnotrack ) {
+	    my $rawref = $raw_table->{PREROUTING};
+	    insert_ijump $rawref,     j => 'RETURN', $rawref->{insert}++, imatch_source_dev( $interface), @source, @ipsec_in_match;
+	}
     }
 }
 
@@ -2069,7 +2066,7 @@ sub optimize1_zones( $$@ ) {
 # The biggest disadvantage of the zone-policy-rule model used by Shorewall is that it doesn't scale well as the number of zones increases (Order N**2 where N = number of zones).
 # A major goal of the rewrite of the compiler in Perl was to restrict those scaling effects to this function and the rules that it generates.
 #
-# The function traverses the full "source-zone by destination-zone" matrix and generates the rules necessary to direct traffic through the right set of filter-table and
+# The function traverses the full "source-zone by destination-zone" matrix and generates the rules necessary to direct traffic through the right set of filter-table, raw-table and
 # nat-table rules.
 #
 sub generate_matrix() {
@@ -2322,8 +2319,8 @@ sub setup_mss( ) {
 #
 # Compile the stop_firewall() function
 #
-sub compile_stop_firewall( $$ ) {
-    my ( $test, $export ) = @_;
+sub compile_stop_firewall( $$$ ) {
+    my ( $test, $export, $have_arptables ) = @_;
 
     my $input   = $filter_table->{INPUT};
     my $output  = $filter_table->{OUTPUT};
@@ -2528,6 +2525,8 @@ EOF
     create_stop_load $test;
 
     if ( $family == F_IPV4 ) {
+	emit( '$ARPTABLES -F',
+	      '' ) if $have_arptables; 
 	if ( $config{IP_FORWARDING} eq 'on' ) {
 	    emit( 'echo 1 > /proc/sys/net/ipv4/ip_forward',
 		  'progress_message2 IPv4 Forwarding Enabled' );

Shorewall/Perl/Shorewall/Nat.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010,2011,2012,2013 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -42,8 +42,8 @@ Exporter::export_ok_tags('rules');
 
 our $VERSION = 'MODULEVERSION';
 
-my @addresses_to_add;
-my %addresses_to_add;
+our @addresses_to_add;
+our %addresses_to_add;
 
 #
 # Called by the compiler
@@ -56,17 +56,9 @@ sub initialize() {
 #
 # Process a single rule from the the masq file
 #
-sub process_one_masq( )
+sub process_one_masq1( $$$$$$$$$$ )
 {
-    my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest ) =
-	split_line1 'masq file', { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9 };
-
-    if ( $interfacelist eq 'COMMENT' ) {
-	process_comment;
-	return 1;
-    }
-
-    fatal_error 'INTERFACE must be specified' if $interfacelist eq '-';
+    my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest ) = @_;
 
     my $pre_nat;
     my $add_snat_aliases = $config{ADD_SNAT_ALIASES};
@@ -123,7 +115,7 @@ sub process_one_masq( )
     #
     # Handle Protocol, Ports and Condition
     #
-    $baserule .= do_proto( $proto, $ports, '' ) . do_condition( $condition );
+    $baserule .= do_proto( $proto, $ports, '' );
     #
     # Handle Mark
     #
@@ -158,6 +150,8 @@ sub process_one_masq( )
 
 	my $chainref = ensure_chain('nat', $pre_nat ? snat_chain $interface : masq_chain $interface);
 
+	$baserule .= do_condition( $condition , $chainref->{name} );
+
 	my $detectaddress = 0;
 	my $exceptionrule = '';
 	my $randomize     = '';
@@ -194,12 +188,16 @@ sub process_one_masq( )
 		} else {
 		    my $addrlist = '';
 		    for my $addr ( split_list $addresses , 'address' ) {
-			if ( $addr =~ /^&(.+)$/ ) {
+			if ( $addr =~ /^([&%])(.+)$/ ) {
+			    my ( $type, $interface ) = ( $1, $2 );
 			    $target = 'SNAT ';
-			    if ( $conditional = conditional_rule( $chainref, $addr ) ) {
-				$addrlist .= '--to-source ' . get_interface_address $1;
+			    if ( $interface =~ /^{([a-zA-Z_]\w*)}$/ ) {
+				$conditional = conditional_rule( $chainref, $addr );
+				$addrlist .= '--to-source ' . "\$$1 ";
+			    } elsif ( $conditional = conditional_rule( $chainref, $addr ) ) {
+				$addrlist .= '--to-source ' . get_interface_address $interface;
 			    } else {
-				$addrlist .= '--to-source ' . record_runtime_address( '&', $1 );
+				$addrlist .= '--to-source ' . record_runtime_address( $type, $interface );
 			    }
 			} elsif ( $addr =~ /^.*\..*\..*\./ ) {
 			    $target = 'SNAT ';
@@ -271,18 +269,28 @@ sub process_one_masq( )
 
 }
 
+sub process_one_masq( )
+{
+    my ($interfacelist, $networks, $addresses, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest ) =
+	split_line1 'masq file', { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9 };
+
+    fatal_error 'INTERFACE must be specified' if $interfacelist eq '-';
+
+    for my $proto ( split_list $protos, 'Protocol' ) {
+	process_one_masq1( $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest );
+    }
+}
+
 #
 # Process the masq file
 #
 sub setup_masq()
 {
-    if ( my $fn = open_file 'masq' ) {
+    if ( my $fn = open_file( 'masq', 1, 1 ) ) {
 
 	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty masq file' , 's'; } );
 
 	process_one_masq while read_a_line( NORMAL_READ );
-
-	clear_comment;
     }
 }
 
@@ -373,7 +381,7 @@ sub do_one_nat( $$$$$ )
 #
 sub setup_nat() {
 
-    if ( my $fn = open_file 'nat' ) {
+    if ( my $fn = open_file( 'nat', 1, 1 ) ) {
 
 	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty nat file' , 's'; } );
 
@@ -381,26 +389,20 @@ sub setup_nat() {
 
 	    my ( $external, $interfacelist, $internal, $allints, $localnat ) = split_line1 'nat file', { external => 0, interface => 1, internal => 2, allints => 3, local => 4 };
 
-	    if ( $external eq 'COMMENT' ) {
-		process_comment;
-	    } else {
-		( $interfacelist, my $digit ) = split /:/, $interfacelist;
+	    ( $interfacelist, my $digit ) = split /:/, $interfacelist;
 
-		$digit = defined $digit ? ":$digit" : '';
+	    $digit = defined $digit ? ":$digit" : '';
 
-		fatal_error 'EXTERNAL must be specified' if $external eq '-';
-		fatal_error 'INTERNAL must be specified' if $interfacelist eq '-';
+	    fatal_error 'EXTERNAL must be specified' if $external eq '-';
+	    fatal_error 'INTERNAL must be specified' if $interfacelist eq '-';
 
-		for my $interface ( split_list $interfacelist , 'interface' ) {
-		    fatal_error "Invalid Interface List ($interfacelist)" unless supplied $interface;
-		    do_one_nat $external, "${interface}${digit}", $internal, $allints, $localnat;
-		}
-
-		progress_message "   NAT entry \"$currentline\" $done";
+	    for my $interface ( split_list $interfacelist , 'interface' ) {
+		fatal_error "Invalid Interface List ($interfacelist)" unless supplied $interface;
+		do_one_nat $external, "${interface}${digit}", $internal, $allints, $localnat;
 	    }
-	}
 
-	clear_comment;
+	    progress_message "   NAT entry \"$currentline\" $done";
+	}
     }
 }
 
@@ -409,7 +411,7 @@ sub setup_nat() {
 #
 sub setup_netmap() {
 
-    if ( my $fn = open_file 'netmap' ) {
+    if ( my $fn = open_file 'netmap', 1, 1 ) {
 
 	first_entry "$doing $fn...";
 
@@ -512,8 +514,6 @@ sub setup_netmap() {
 		progress_message "   Network $net1 on $iface mapped to $net2 ($type)";
 	    }
 	}
-
-	clear_comment;
     }
 
 }
@@ -724,8 +724,6 @@ sub handle_nonat_rule( $$$$$$$$$$ ) {
 	}
     }
 
-    set_optflags( $nonat_chain, DONT_MOVE | DONT_OPTIMIZE ) if $tgt eq 'RETURN';
-
     expand_rule( $nonat_chain ,
 		 PREROUTE_RESTRICT ,
 		 $rule ,

Shorewall/Perl/Shorewall/Proc.pm

@@ -219,30 +219,30 @@ sub setup_forwarding( $$ ) {
 
     if ( $family == F_IPV4 ) {
 	if ( $config{IP_FORWARDING} eq 'on' ) {
-	    emit '        echo 1 > /proc/sys/net/ipv4/ip_forward';
-	    emit '        progress_message2 IPv4 Forwarding Enabled';
+	    emit 'echo 1 > /proc/sys/net/ipv4/ip_forward';
+	    emit 'progress_message2 IPv4 Forwarding Enabled';
 	} elsif ( $config{IP_FORWARDING} eq 'off' ) {
-	    emit '        echo 0 > /proc/sys/net/ipv4/ip_forward';
-	    emit '        progress_message2 IPv4 Forwarding Disabled!';
+	    emit 'echo 0 > /proc/sys/net/ipv4/ip_forward';
+	    emit 'progress_message2 IPv4 Forwarding Disabled!';
 	}
 
 	emit '';
 
-	emit ( '        echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables' ,
+	emit ( 'echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables' ,
 	       ''
 	     ) if have_bridges;
     } else {
 	if ( $config{IP_FORWARDING} eq 'on' ) {
-	    emit '        echo 1 > /proc/sys/net/ipv6/conf/all/forwarding';
-	    emit '        progress_message2 IPv6 Forwarding Enabled';
+	    emit 'echo 1 > /proc/sys/net/ipv6/conf/all/forwarding';
+	    emit 'progress_message2 IPv6 Forwarding Enabled';
 	} elsif ( $config{IP_FORWARDING} eq 'off' ) {
-	    emit '        echo 0 > /proc/sys/net/ipv6/conf/all/forwarding';
-	    emit '        progress_message2 IPv6 Forwarding Disabled!';
+	    emit 'echo 0 > /proc/sys/net/ipv6/conf/all/forwarding';
+	    emit 'progress_message2 IPv6 Forwarding Disabled!';
 	}
 
 	emit '';
 
-	emit ( '        echo 1 > /proc/sys/net/bridge/bridge-nf-call-ip6tables' ,
+	emit ( 'echo 1 > /proc/sys/net/bridge/bridge-nf-call-ip6tables' ,
 	       ''
 	     ) if have_bridges;
 
@@ -251,9 +251,6 @@ sub setup_forwarding( $$ ) {
 	if ( @$interfaces ) {
 	    progress_message2 "$doing Interface forwarding..." if $first;
 
-	    push_indent;
-	    push_indent;
-
 	    save_progress_message 'Setting up IPv6 Interface Forwarding...';
 
 	    for my $interface ( @$interfaces ) {
@@ -270,9 +267,6 @@ sub setup_forwarding( $$ ) {
 		       "    error_message \"WARNING: Cannot set IPv6 forwarding on $interface\"" ) unless $optional;
 		emit   "fi\n";
 	    }
-
-	    pop_indent;
-	    pop_indent;
 	}
     }
 }

Shorewall/Perl/Shorewall/Providers.pm

@@ -53,28 +53,28 @@ use constant { LOCAL_TABLE   => 255,
 	       UNSPEC_TABLE  => 0
 	       };
 
-my  @routemarked_providers;
-my  %routemarked_interfaces;
+our @routemarked_providers;
+our %routemarked_interfaces;
 our @routemarked_interfaces;
-my  %provider_interfaces;
-my  @load_providers;
-my  @load_interfaces;
+our %provider_interfaces;
+our @load_providers;
+our @load_interfaces;
 
-my $balancing;
-my $fallback;
-my $metrics;
-my $first_default_route;
-my $first_fallback_route;
-my $maxload;
-my $tproxies;
+our $balancing;
+our $fallback;
+our $metrics;
+our $first_default_route;
+our $first_fallback_route;
+our $maxload;
+our $tproxies;
 
-my %providers;
+our %providers;
 
-my @providers;
+our @providers;
 
-my $family;
+our $family;
 
-my $lastmark;
+our $lastmark;
 
 use constant { ROUTEMARKED_SHARED => 1, ROUTEMARKED_UNSHARED => 2 };
 
@@ -118,6 +118,7 @@ sub initialize( $ ) {
 #
 sub setup_route_marking() {
     my $mask = in_hex( $globals{PROVIDER_MASK} );
+    my $exmask = have_capability( 'EXMARK' ) ? "/$mask" : '';
 
     require_capability( $_ , q(The provider 'track' option) , 's' ) for qw/CONNMARK_MATCH CONNMARK/;
 
@@ -149,10 +150,10 @@ sub setup_route_marking() {
 
 	    if ( $providerref->{shared} ) {
 		add_commands( $chainref, qq(if [ -n "$providerref->{mac}" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional};
-		add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}", imatch_source_dev( $interface ), mac => "--mac-source $providerref->{mac}";
+		add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}${exmask}", imatch_source_dev( $interface ), mac => "--mac-source $providerref->{mac}";
 		decr_cmd_level( $chainref ), add_commands( $chainref, "fi\n" ) if $providerref->{optional};
 	    } else {
-		add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}", imatch_source_dev( $interface );
+		add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}${exmask}", imatch_source_dev( $interface );
 	    }
 	}
 
@@ -337,24 +338,35 @@ sub balance_fallback_route( $$$$ ) {
     }
 }
 
-sub start_provider( $$$ ) {
-    my ($table, $number, $test ) = @_;
+sub start_provider( $$$$ ) {
+    my ($what, $table, $number, $test ) = @_;
 
-    emit "\n#\n# Add Provider $table ($number)\n#";
+    emit "\n#\n# Add $what $table ($number)\n#";
+
+    if ( $number ) {
+	emit "start_provider_$table() {";
+    } else {
+	emit "start_interface_$table() {";
+    }
 
-    emit "start_provider_$table() {";
     push_indent;
     emit $test;
     push_indent;
 
-    emit "qt ip -$family route flush table $number";
-    emit "echo \"qt \$IP -$family route flush table $number\" > \${VARDIR}/undo_${table}_routing";
+
+    if ( $number ) {
+	emit "qt ip -$family route flush table $number";
+	emit "echo \"qt \$IP -$family route flush table $number\" > \${VARDIR}/undo_${table}_routing";
+    } else {
+	emit( "> \${VARDIR}/undo_${table}_routing" );
+    }
 }
 
 #
 # Process a record in the providers file
 #
-sub process_a_provider() {
+sub process_a_provider( $ ) {
+    my $pseudo = $_[0]; # When true, this is an optional interface that we are treating somewhat like a provider.
 
     my ($table, $number, $mark, $duplicate, $interface, $gateway,  $options, $copy ) =
 	split_line 'providers file', { table => 0, number => 1, mark => 2, duplicate => 3, interface => 4, gateway => 5, options => 6, copy => 7 };
@@ -362,17 +374,20 @@ sub process_a_provider() {
     fatal_error "Duplicate provider ($table)" if $providers{$table};
 
     fatal_error 'NAME must be specified' if $table eq '-';
-    fatal_error "Invalid Provider Name ($table)" unless $table =~ /^[\w]+$/;
 
-    my $num = numeric_value $number;
+    unless ( $pseudo ) {
+	fatal_error "Invalid Provider Name ($table)" unless $table =~ /^[\w]+$/;
 
-    fatal_error 'NUMBER must be specified' if $number eq '-';
-    fatal_error "Invalid Provider number ($number)" unless defined $num;
+	my $num = numeric_value $number;
 
-    $number = $num;
+	fatal_error 'NUMBER must be specified' if $number eq '-';
+	fatal_error "Invalid Provider number ($number)" unless defined $num;
 
-    for my $providerref ( values %providers  ) {
-	fatal_error "Duplicate provider number ($number)" if $providerref->{number} == $number;
+	$number = $num;
+
+	for my $providerref ( values %providers  ) {
+	    fatal_error "Duplicate provider number ($number)" if $providerref->{number} == $number;
+	}
     }
 
     fatal_error 'INTERFACE must be specified' if $interface eq '-';
@@ -393,6 +408,11 @@ sub process_a_provider() {
     my $physical    = get_physical $interface;
     my $gatewaycase = '';
 
+    if ( $physical =~ /\+$/ ) {
+	return 0 if $pseudo;
+	fatal_error "Wildcard interfaces ($physical) may not be used as provider interfaces";
+    }
+
     if ( $gateway eq 'detect' ) {
 	fatal_error "Configuring multiple providers through one interface requires an explicit gateway" if $shared;
 	$gateway = get_interface_gateway $interface;
@@ -406,8 +426,15 @@ sub process_a_provider() {
 	$gateway = '';
     }
 
-    my ( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $tproxy , $local, $load ) =
-	(0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), ''  , 0       , 0,      0 );
+    my ( $loose, $track, $balance, $default, $default_balance, $optional, $mtu, $tproxy, $local, $load, $what );
+
+    if ( $pseudo ) {	
+	( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $tproxy , $local, $load, $what ) =
+	( 0,      0                       , 0 ,        0,        0,                               1                                  , ''  , 0       , 0,      0,     'interface');
+    } else {
+	( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $tproxy , $local, $load, $what )=
+	( 0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), ''  , 0       , 0,      0,     'provider');
+    }
 
     unless ( $options eq '-' ) {
 	for my $option ( split_list $options, 'option' ) {
@@ -517,7 +544,7 @@ sub process_a_provider() {
 
     }
 
-    unless ( $loose ) {
+    unless ( $loose || $pseudo ) {
 	warning_message q(The 'proxyarp' option is dangerous when specified on a Provider interface) if get_interface_option( $interface, 'proxyarp' );
 	warning_message q(The 'proxyndp' option is dangerous when specified on a Provider interface) if get_interface_option( $interface, 'proxyndp' );
     }
@@ -555,10 +582,14 @@ sub process_a_provider() {
 			   local       => $local ,
 			   tproxy      => $tproxy ,
 			   load        => $load ,
+			   pseudo      => $pseudo ,
+			   what        => $what ,
 			   rules       => [] ,
 			   routes      => [] ,
 			 };
 
+    $provider_interfaces{$interface} = $table unless $shared;
+
     if ( $track ) {
 	fatal_error "The 'track' option requires a numeric value in the MARK column" if $mark eq '-';
 
@@ -577,7 +608,22 @@ sub process_a_provider() {
 
     push @providers, $table;
 
-    progress_message "   Provider \"$currentline\" $done";
+    progress_message "   Provider \"$currentline\" $done" unless $pseudo;
+
+    return 1;
+}
+
+#
+# Emit a 'started' message
+#
+sub emit_started_message( $$$$$ ) {
+    my ( $spaces, $level, $pseudo, $name, $number ) = @_;
+
+    if ( $pseudo ) {
+	emit qq(${spaces}progress_message${level} "   Optional interface $name Started");
+    } else {
+	emit qq(${spaces}progress_message${level} "   Provider $name ($number) Started");
+    }
 }
 
 #
@@ -608,22 +654,27 @@ sub add_a_provider( $$ ) {
     my $local       = $providerref->{local};
     my $tproxy      = $providerref->{tproxy};
     my $load        = $providerref->{load};
+    my $pseudo      = $providerref->{pseudo};
+    my $what        = $providerref->{what};
+    my $label       = $pseudo ? 'Optional Interface' : 'Provider';
 
-    my $dev         = chain_base $physical;
+    my $dev         = var_base $physical;
     my $base        = uc $dev;
     my $realm = '';
 
     if ( $shared ) {
 	my $variable = $providers{$table}{mac} = get_interface_mac( $gateway, $interface , $table );
 	$realm = "realm $number";
-	start_provider( $table, $number, qq(if interface_is_usable $physical && [ -n "$variable" ]; then) );
+	start_provider( $label , $table, $number, qq(if interface_is_usable $physical && [ -n "$variable" ]; then) );
+    } elsif ( $pseudo ) {
+	start_provider( $label , $table, $number, qq(if [ -n "\$SW_${base}_IS_USABLE" ]; then) );
     } else {
 	if ( $optional ) {
-	    start_provider( $table, $number, qq(if [ -n "\$SW_${base}_IS_USABLE" ]; then) );
+	    start_provider( $label, $table , $number, qq(if [ -n "\$SW_${base}_IS_USABLE" ]; then) );
 	} elsif ( $gatewaycase eq 'detect' ) {
-	    start_provider( $table, $number, qq(if interface_is_usable $physical && [ -n "$gateway" ]; then) );
+	    start_provider( $label, $table, $number, qq(if interface_is_usable $physical && [ -n "$gateway" ]; then) );
 	} else {
-	    start_provider( $table, $number, "if interface_is_usable $physical; then" );
+	    start_provider( $label, $table, $number, "if interface_is_usable $physical; then" );
 	}
 	$provider_interfaces{$interface} = $table;
 
@@ -741,7 +792,7 @@ CEOF
 	    emit  "qt \$IP -$family rule del from $address" if $config{DELETE_THEN_ADD};
 	    emit( "run_ip rule add from $address pref 20000 table $number" ,
 		  "echo \"qt \$IP -$family rule del from $address\" >> \${VARDIR}/undo_${table}_routing" );
-	} else {
+	} elsif ( ! $pseudo ) {
 	    emit  ( "find_interface_addresses $physical | while read address; do" );
 	    emit  ( "    qt \$IP -$family rule del from \$address" ) if $config{DELETE_THEN_ADD};
 	    emit  ( "    run_ip rule add from \$address pref 20000 table $number",
@@ -804,15 +855,17 @@ CEOF
 	    emit( "setup_${dev}_tc" ) if $tcdevices->{$interface};
 	}
 
-	emit ( qq(progress_message2 "   Provider $table ($number) Started") );
+	emit_started_message( '', 2, $pseudo, $table, $number );
 
 	pop_indent;
 
-	emit( 'else' );
-	emit( qq(    echo $weight > \${VARDIR}/${physical}_weight) ,
-	      qq(    progress_message "   Provider $table ($number) Started"),
-	      qq(fi\n)
-	    );
+	unless ( $pseudo ) {
+	    emit( 'else' );
+	    emit( qq(    echo $weight > \${VARDIR}/${physical}_weight) );
+	    emit_started_message( '    ', '', $pseudo, $table, $number );
+	}
+
+	emit "fi\n";
     } else {
 	emit( qq(echo 0 > \${VARDIR}/${physical}.status) );
 	emit( qq(progress_message "Provider $table ($number) Started") );
@@ -829,6 +882,8 @@ CEOF
     if ( $optional ) {
 	if ( $shared ) {
 	    emit ( "error_message \"WARNING: Gateway $gateway is not reachable -- Provider $table ($number) not Started\"" );
+	} elsif ( $pseudo ) {
+	    emit ( "error_message \"WARNING: Optional Interface $physical is not usable -- $table not Started\"" );
 	} else {
 	    emit ( "error_message \"WARNING: Interface $physical is not usable -- Provider $table ($number) not Started\"" );
 	}
@@ -846,14 +901,14 @@ CEOF
 
     pop_indent;
 
-    emit '}'; # End of start_provider_$table();
+    emit "} # End of start_${what}_${table}();";
 
     if ( $optional ) {
 	emit( '',
 	      '#',
-	      "# Stop provider $table",
+	      "# Stop $what $table",
 	      '#',
-	      "stop_provider_$table() {" );
+	      "stop_${what}_${table}() {" );
 
 	push_indent;
 
@@ -881,8 +936,13 @@ CEOF
 	    emit( qq(delete_gateway "$via" $tbl $physical) );
 	}
 
-	emit (". $undo",
-	      "> $undo" );
+	emit (". $undo" );
+
+	if ( $pseudo ) {
+	    emit( "rm -f $undo" );
+	} else {
+	    emit( "> $undo" );
+	}
 
 	emit ( '',
 	       "distribute_load $maxload @load_interfaces" ) if $load;
@@ -893,8 +953,13 @@ CEOF
 		  "qt \$TC qdisc del dev $physical ingress\n" ) if $tcdevices->{$interface};
 	}
 
-	emit( "echo 1 > \${VARDIR}/${physical}.status",
-	      "progress_message2 \"   Provider $table ($number) stopped\"" );
+	emit( "echo 1 > \${VARDIR}/${physical}.status" );
+
+	if ( $pseudo ) {
+	    emit( "progress_message2 \"   Optional Interface $table stopped\"" );
+	} else {
+	    emit( "progress_message2 \"   Provider $table ($number) stopped\"" );
+	}
 
 	pop_indent;
 
@@ -1024,7 +1089,7 @@ sub add_a_route( ) {
     }
 
     fatal_error 'DEST must be specified' if $dest eq '-';
-    $dest = validate_net ( $dest, 1 );
+    $dest = validate_net ( $dest, 0 );
 
     validate_address ( $gateway, 1 ) if $gateway ne '-';
 
@@ -1203,12 +1268,23 @@ sub process_providers( $ ) {
     my $tcdevices = shift;
 
     our $providers = 0;
+    our $pseudoproviders = 0;
 
     $lastmark = 0;
 
     if ( my $fn = open_file 'providers' ) {
 	first_entry "$doing $fn...";
-	process_a_provider, $providers++ while read_a_line( NORMAL_READ );
+	$providers += process_a_provider(0) while read_a_line( NORMAL_READ );
+    }
+    #
+    # Treat optional interfaces as pseudo-providers
+    #
+    for ( grep interface_is_optional( $_ ) && ! $provider_interfaces{ $_ }, all_real_interfaces ) {
+	#
+	#               TABLE             NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
+	$currentline =  var_base($_) ." 0      -    -         $_        -       -       -";
+	#
+	$pseudoproviders += process_a_provider(1);
     }
 
     if ( $providers ) {
@@ -1231,17 +1307,19 @@ sub process_providers( $ ) {
 
 	    add_an_rtrule while read_a_line( NORMAL_READ );
 	}
+    }
 
-	$fn = open_file 'routes';
+    if ( $providers || $pseudoproviders ) {
+	my $fn = open_file 'routes';
 
 	if ( $fn ) {
 	    first_entry "$doing $fn...";
 	    emit '';
 	    add_a_route while read_a_line( NORMAL_READ );
 	}
-    }
 
-    add_a_provider( $providers{$_}, $tcdevices ) for @providers;
+	add_a_provider( $providers{$_}, $tcdevices ) for @providers;
+    }
 
     emit << 'EOF';;
 
@@ -1262,14 +1340,20 @@ EOF
 
 	if ( $providerref->{optional} ) {
 	    if ( $providerref->{shared} || $providerref->{physical} eq $provider) {
-		emit "$provider})";
+		emit "$provider)";
 	    } else {
 		emit( "$providerref->{physical}|$provider)" );
 	    }
 
-	    emit ( "    if [ -z \"`\$IP -$family route ls table $providerref->{number}`\" ]; then",
-		   "        start_provider_$provider",
-		   '    else',
+	    if ( $providerref->{pseudo} ) {
+		emit ( "    if [ ! -f \${VARDIR}/$product/undo_${provider}_routing ]; then",
+		       "        start_interface_$provider" );
+	    } else {
+		emit ( "    if [ -z \"`\$IP -$family route ls table $providerref->{number}`\" ]; then",
+		       "        start_provider_$provider" );
+	    }
+
+	    emit ( '    else',
 		   "        startup_error \"Interface $providerref->{physical} is already enabled\"",
 		   '    fi',
 		   '    ;;'
@@ -1282,7 +1366,7 @@ EOF
 
     emit << 'EOF';;
         *)
-            startup_error "$g_interface is not an optional provider or provider interface"
+            startup_error "$g_interface is not an optional provider or interface"
             ;;
     esac
 
@@ -1303,14 +1387,26 @@ EOF
     for my $provider (@providers ) {
 	my $providerref = $providers{$provider};
 
-	emit( "$providerref->{physical}|$provider)",
-	      "    if [ -n \"`\$IP -$family route ls table $providerref->{number}`\" ]; then",
-	      "        stop_provider_$provider",
-	      '    else',
-	      "        startup_error \"Interface $providerref->{physical} is already disabled\"",
-	      '    fi',
-	      '    ;;'
-	    ) if $providerref->{optional};
+	if ( $providerref->{optional} ) {
+	    if ( $provider eq $providerref->{physical} ) {
+		emit( "$provider)" );
+	    } else {
+		emit( "$providerref->{physical}|$provider)" );
+	    }
+
+	    if ( $providerref->{pseudo} ) {
+		emit( "    if [ -f \${VARDIR}/$product/undo_${provider}_routing ]; then" );
+	    } else {
+		emit( "    if [ -n \"`\$IP -$family route ls table $providerref->{number}`\" ]; then" );
+	    }
+
+	    emit( "        stop_$providerref->{what}_$provider",
+		  '    else',
+		  "        startup_error \"Interface $providerref->{physical} is already disabled\"",
+		  '    fi',
+		  '    ;;'
+		);
+	}
     }
 
     pop_indent;
@@ -1342,7 +1438,7 @@ sub setup_providers() {
 
 	emit '';
 
-	emit "start_provider_$_" for @providers;
+	emit "start_$providers{$_}->{what}_$_" for @providers;
 
 	emit '';
 
@@ -1636,7 +1732,7 @@ sub handle_optional_interfaces( $ ) {
 	#
 	# Clear the '_IS_USABLE' variables
 	#
-	emit( join( '_', 'SW', uc chain_base( get_physical( $_ ) ) , 'IS_USABLE=' ) ) for @$interfaces;
+	emit( join( '_', 'SW', uc var_base( get_physical( $_ ) ) , 'IS_USABLE=' ) ) for @$interfaces;
 
 	if ( $wildcards ) {
 	    #
@@ -1656,7 +1752,7 @@ sub handle_optional_interfaces( $ ) {
 	for my $interface ( grep $provider_interfaces{$_}, @$interfaces ) {
 	    my $provider    = $provider_interfaces{$interface};
 	    my $physical    = get_physical $interface;
-	    my $base        = uc chain_base( $physical );
+	    my $base        = uc var_base( $physical );
 	    my $providerref = $providers{$provider};
 
 	    emit( "$physical)" ), push_indent if $wildcards;
@@ -1677,7 +1773,7 @@ sub handle_optional_interfaces( $ ) {
 
 	for my $interface ( grep ! $provider_interfaces{$_}, @$interfaces ) {
 	    my $physical    = get_physical $interface;
-	    my $base        = uc chain_base( $physical );
+	    my $base        = uc var_base( $physical );
 	    my $case        = $physical;
 	    my $wild        = $case =~ s/\+$/*/;
 
@@ -1765,7 +1861,7 @@ sub handle_stickiness( $ ) {
 
 	for my $providerref ( @routemarked_providers ) {
 	    my $interface = $providerref->{physical};
-	    my $base      = uc chain_base $interface;
+	    my $base      = uc var_base $interface;
 	    my $mark      = $providerref->{mark};
 
 	    for ( grep rule_target($_) eq 'sticky', @{$tcpreref->{rules}} ) {
@@ -1856,7 +1952,7 @@ sub handle_stickiness( $ ) {
 
 sub setup_load_distribution() {
     emit ( '',
-	   "        distribute_load $maxload @load_interfaces" ,
+	   "distribute_load $maxload @load_interfaces" ,
 	   ''
 	 ) if @load_interfaces;
 }

Shorewall/Perl/Shorewall/Raw.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2009,2010,2011,2012,2013 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -36,14 +36,23 @@ our @EXPORT = qw( setup_conntrack );
 our @EXPORT_OK = qw( handle_helper_rule );
 our $VERSION = 'MODULEVERSION';
 
-my %valid_ctevent = ( new => 1, related => 1, destroy => 1, reply => 1, assured => 1, protoinfo => 1, helper => 1, mark => 1, natseqinfo => 1, secmark => 1 );
+our %valid_ctevent = ( new        => 1,
+		       related    => 1,
+		       destroy    => 1,
+		       reply      => 1,
+		       assured    => 1,
+		       protoinfo  => 1,
+		       helper     => 1,
+		       mark       => 1,
+		       natseqinfo => 1,
+		       secmark    => 1 );
 
 #
 # Notrack
 #
-sub process_conntrack_rule( $$$$$$$$$ ) {
+sub process_conntrack_rule( $$$$$$$$$$ ) {
 
-    my ($chainref, $zoneref, $action, $source, $dest, $proto, $ports, $sports, $user ) = @_;
+    my ($chainref, $zoneref, $action, $source, $dest, $proto, $ports, $sports, $user, $switch ) = @_;
 
     require_capability 'RAW_TABLE', 'conntrack rules', '';
 
@@ -54,7 +63,9 @@ sub process_conntrack_rule( $$$$$$$$$ ) {
     my $zone;
     my $restriction = PREROUTE_RESTRICT;
 
-    unless ( $chainref ) {
+    if ( $chainref ) {
+	$restriction = OUTPUT_RESTRICT if $chainref->{name} eq 'OUTPUT';
+    } else {
 	#
 	# Entry in the conntrack file
 	#
@@ -66,13 +77,13 @@ sub process_conntrack_rule( $$$$$$$$$ ) {
 	}
 
 	$chainref = ensure_raw_chain( notrack_chain $zone );
-	$restriction = OUTPUT_RESTRICT if $zoneref->{type} == FIREWALL || $zoneref->{type} == VSERVER;
+	$restriction = OUTPUT_RESTRICT if $zoneref->{type}  & (FIREWALL | VSERVER );
 	fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-' && $restriction != OUTPUT_RESTRICT;
     }
 
     my $target = $action;
     my $exception_rule = '';
-    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user );
+    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_condition( $switch , $chainref->{name} );
 
     if ( $action eq 'NOTRACK' ) {
 	#
@@ -80,7 +91,7 @@ sub process_conntrack_rule( $$$$$$$$$ ) {
 	# Netfilter development list
 	#
 	$action = 'CT --notrack' if have_capability 'CT_TARGET';
-    } else {
+    } elsif ( $action ne 'DROP' ) {
 	(  $target, my ( $option, $args, $junk ) ) = split ':', $action, 4;
 
 	fatal_error "Invalid notrack ACTION ( $action )" if $junk || $target ne 'CT';
@@ -160,7 +171,9 @@ sub handle_helper_rule( $$$$$$$$$$$ ) {
 				$proto ,
 				$ports ,
 				$sports ,
-				$user );
+				$user,
+				'-',
+			      );
     } else {
 	assert( $action_target );
 	#
@@ -200,65 +213,69 @@ sub handle_helper_rule( $$$$$$$$$$$ ) {
 sub process_format( $ ) {
     my $format = shift;
 
-    fatal_error q(FORMAT must be '1' or '2') unless $format =~ /^[12]$/;
+    fatal_error q(FORMAT must be '1', '2' or '3') unless $format =~ /^[123]$/;
+    format_warning;
 
-    $format;
+    $file_format = $format;
 }
 
 sub setup_conntrack() {
 
     for my $name ( qw/notrack conntrack/ ) {
 
-	my $fn = open_file( $name );
+	my $fn = open_file( $name, 3 , 1 );
 
 	if ( $fn ) {
 
-	    my $format = 1;
-
-	    my $action = 'NOTRACK';
+	    my $action;
 
 	    my $empty = 1;
 
 	    first_entry( "$doing $fn..." );
 
 	    while ( read_a_line( NORMAL_READ ) ) {
-		my ( $source, $dest, $proto, $ports, $sports, $user );
+		my ( $source, $dest, $protos, $ports, $sports, $user, $switch );
 
-		if ( $format == 1 ) {
-		    ( $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Conntrack File', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5 };
-
-		    if ( $source eq 'FORMAT' ) {
-			$format = process_format( $dest );
-			next;
-		    }
+		if ( $file_format == 1 ) {
+		    ( $source, $dest, $protos, $ports, $sports, $user, $switch ) = split_line1 'Conntrack File', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5, switch => 6 };
+		    $action = 'NOTRACK';
 		} else {
-		    ( $action, $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Conntrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6 }, { COMMENT => 0, FORMAT => 2 };
-
-		    if ( $action eq 'FORMAT' ) {
-			$format = process_format( $source );
-			$action = 'NOTRACK';
-			next;
-		    }
-		}
-
-		if ( $action eq 'COMMENT' ) {
-		    process_comment;
-		    next;
+		    ( $action, $source, $dest, $protos, $ports, $sports, $user, $switch ) = split_line1 'Conntrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, switch => 7 };
 		}
 
 		$empty = 0;
 
-		if ( $source eq 'all' ) {
-		    for my $zone (all_zones) {
-			process_conntrack_rule( undef, undef, $action, $zone, $dest, $proto, $ports, $sports, $user );
+		for my $proto ( split_list $protos, 'Protocol' ) {
+		    if ( $file_format < 3 ) {
+			if ( $source =~ /^all(-)?(:(.+))?$/ ) {
+			    fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-';
+			    for my $zone ( $1 ? off_firewall_zones : all_zones ) {
+				process_conntrack_rule( undef ,
+							undef,
+							$action,
+							$zone . ( $2 || ''),
+							$dest,
+							$proto,
+							$ports,
+							$sports,
+							$user ,
+							$switch );
+			    }
+			} else {
+			    process_conntrack_rule( undef, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
+			}
+		    } elsif ( $action =~ s/:O$// ) {
+			process_conntrack_rule( $raw_table->{OUTPUT}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
+		    } elsif ( $action =~ s/:OP// || $action =~ s/:PO// ) {
+			process_conntrack_rule( $raw_table->{PREROUTING}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
+			process_conntrack_rule( $raw_table->{OUTPUT},     undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
+		    } else {
+			$action =~ s/:P//;
+			process_conntrack_rule( $raw_table->{PREROUTING}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
 		    }
-		} else {
-		    process_conntrack_rule( undef, undef, $action, $source, $dest, $proto, $ports, $sports, $user );
 		}
 	    }
 
-	    clear_comment;
-
 	    if ( $name eq 'notrack') {
 		if ( $empty ) {
 		    if ( unlink( $fn ) ) {

Shorewall/Perl/Shorewall/Tc.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010,2011,2012,2013 - Tom Eastep (teastep@shorewall.net)
 #
 #     Traffic Control is from tc4shorewall Version 0.5
 #     (c) 2005 Arne Bernin <arne@ucbering.de>
@@ -86,7 +86,7 @@ use constant { NOMARK    => 0 ,
 	       HIGHMARK  => 2
 	       };
 
-my  %flow_keys = ( 'src'            => 1,
+our %flow_keys = ( 'src'            => 1,
 		   'dst'            => 1,
 		   'proto'          => 1,
 		   'proto-src'      => 1,
@@ -104,15 +104,15 @@ my  %flow_keys = ( 'src'            => 1,
 		   'sk-gid'         => 1,
 		   'vlan-tag'       => 1 );
 
-my %designator = ( F => 'tcfor' ,
-		   T => 'tcpost' );
+our %designator = ( F => 'tcfor' ,
+		    T => 'tcpost' );
 
-my  %tosoptions = ( 'tos-minimize-delay'       => '0x10/0x10' ,
+our %tosoptions = ( 'tos-minimize-delay'       => '0x10/0x10' ,
 		    'tos-maximize-throughput'  => '0x08/0x08' ,
 		    'tos-maximize-reliability' => '0x04/0x04' ,
 		    'tos-minimize-cost'        => '0x02/0x02' ,
 		    'tos-normal-service'       => '0x00/0x1e' );
-my  %classids;
+our %classids;
 
 #
 # Perl version of Arn Bernin's 'tc4shorewall'.
@@ -133,12 +133,12 @@ my  %classids;
 #                              name          => <interface>
 #                                               }
 #
-my  @tcdevices;
-my  %tcdevices;
-my  @devnums;
-my  $devnum;
-my  $sticky;
-my  $ipp2p;
+our @tcdevices;
+our %tcdevices;
+our @devnums;
+our $devnum;
+our $sticky;
+our $ipp2p;
 
 #
 # TCClasses Table
@@ -159,10 +159,10 @@ my  $ipp2p;
 #                                                }
 #                                     }
 #             }
-my  @tcclasses;
-my  %tcclasses;
+our @tcclasses;
+our %tcclasses;
 
-my  %restrictions = ( tcpre      => PREROUTE_RESTRICT ,
+our %restrictions = ( tcpre      => PREROUTE_RESTRICT ,
 		      PREROUTING => PREROUTE_RESTRICT ,
 		      tcpost     => POSTROUTE_RESTRICT ,
 		      tcfor      => NO_RESTRICT ,
@@ -170,10 +170,16 @@ my  %restrictions = ( tcpre      => PREROUTE_RESTRICT ,
 		      tcout      => OUTPUT_RESTRICT ,
 		    );
 
-my $family;
+our $family;
 
-my $divertref; # DIVERT chain
+our $divertref; # DIVERT chain
 
+our %validstates = ( NEW                => 0,
+		     RELATED            => 0,
+		     ESTABLISHED        => 0,
+		     UNTRACKED          => 0,
+		     INVALID            => 0,
+		   );
 #
 # Rather than initializing globals in an INIT block or during declaration,
 # we initialize them in a function. This is done for two reasons:
@@ -198,37 +204,13 @@ sub initialize( $ ) {
     $divertref = 0;
 }
 
-sub process_tc_rule( ) {
-    my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp );
-    if ( $family == F_IPV4 ) {
-	( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp ) =
-	    split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, probability => 12 , dscp => 13 }, { COMMENT => 0, FORMAT => 2 } , 14;
-	$headers = '-';
-    } else {
-	( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp ) =
-	    split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 , dscp => 14 },  { COMMENT => 0, FORMAT => 2 }, 15;
-    }
+sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
+    my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state ) = @_;
 
-    our @tccmd;
-
-    our $format;
+    our %tccmd;
 
     fatal_error 'MARK must be specified' if $originalmark eq '-';
 
-    if ( $originalmark eq 'COMMENT' ) {
-	process_comment;
-	return;
-    }
-
-    if ( $originalmark eq 'FORMAT' ) {
-	if ( $source =~ /^([12])$/ ) {
-	    $format = $1;
-	    return;
-	}
-
-	fatal_error "Invalid FORMAT ($source)";
-    }
-
     my ( $mark, $designator, $remainder ) = split( /:/, $originalmark, 3 );
 
     fatal_error "Invalid MARK ($originalmark)" unless supplied $mark;
@@ -259,6 +241,8 @@ sub process_tc_rule( ) {
     my $cmd;
     my $rest;
     my $matches = '';
+    my $mark1;
+    my $exceptionrule = '';
 
     my %processtcc = ( sticky => sub() {
 			                  if ( $chain eq 'tcout' ) {
@@ -312,7 +296,7 @@ sub process_tc_rule( ) {
 					  $target = "IPMARK --addr $srcdst --and-mask $mask1 --or-mask $mask2 --shift $shift";
 				      },
 		       DIVERT => sub() {
-			                  fatal_error "Invalid MARK ($originalmark)"               unless $format == 2;
+			                  fatal_error "Invalid MARK ($originalmark)"               unless $file_format == 2;
 			                  fatal_error "Invalid DIVERT specification( $cmd/$rest )" if $rest;
 
 					  $chain = 'PREROUTING';
@@ -341,7 +325,7 @@ sub process_tc_rule( ) {
 					  my $params = $1;
 					  my ( $port, $ip, $bad );
 
-					  if ( $format == 1 ) {
+					  if ( $file_format == 1 ) {
 					      fatal_error "Invalid TPROXY specification( $cmd )" unless defined $params;
 
 					      ( $mark, $port, $ip, $bad ) = split_list $params, 'Parameter';
@@ -384,6 +368,8 @@ sub process_tc_rule( ) {
 					  }
 
 					  $target .= ' --tproxy-mark';
+
+					  $exceptionrule = '-p tcp ';
 				      },
 		       TTL => sub() {
 			                  fatal_error "TTL is not supported in IPv6 - use HL instead" if $family == F_IPV6;
@@ -457,6 +443,10 @@ sub process_tc_rule( ) {
 			                  assert( $cmd =~ /^TOS\((.+)\)$/ );
 					  $target .= decode_tos( $1 , 2 );
 				      },
+		       CHECKSUM => sub()
+		                        {  require_capability 'CHECKSUM_TARGET', 'The CHECKSUM action', 's';
+					   $target .= ' --checksum-fill';
+				       },
 		     );
 
     if ( $source ) {
@@ -497,13 +487,13 @@ sub process_tc_rule( ) {
 
 	    $chain    = $tcsref->{chain}                       if $tcsref->{chain};
 	    $target   = $tcsref->{target}                      if $tcsref->{target};
-	    $mark     = "$mark/" . in_hex( $globals{TC_MASK} ) if $connmark = $tcsref->{connmark};
+	    $mark     = "$mark/" . in_hex( $globals{TC_MASK} ) if $connmark = $tcsref->{connmark} && $mark !~ m'/';
 
 	    require_capability ('CONNMARK' , "CONNMARK Rules", '' ) if $connmark;
 
 	} else {
 	    unless ( $classid ) {
-		fatal_error "Invalid MARK ($originalmark)" unless $mark =~ /^([0-9a-fA-F]+)$/ and $designator =~ /^([0-9a-fA-F]+)$/;
+		fatal_error "Invalid ACTION ($originalmark)" unless $mark =~ /^([0-9a-fA-F]+)$/ and $designator =~ /^([0-9a-fA-F]+)$/;
 		fatal_error 'A CLASSIFY rule may not have $FW as the DEST' if $chain eq 'tcin';
 		$chain = 'tcpost';
 		$mark  = $originalmark;
@@ -541,10 +531,10 @@ sub process_tc_rule( ) {
     $list = '';
 
     unless ( $classid ) {
-      MARK:
 	{
-	    for my $tccmd ( @tccmd ) {
-		if ( $tccmd->{match}($cmd) ) {
+	    if ( $cmd =~ /^([[A-Z!&]+)/ ) {
+		if ( my $tccmd = $tccmd{$1} ) {
+		    fatal_error "Invalid $1 ACTION ($originalmark)" unless $tccmd->{match}($cmd); 
 		    fatal_error "$mark not valid with :C[FPT]" if $connmark;
 
 		    require_capability ('CONNMARK' , "SAVE/RESTORE Rules", '' ) if $tccmd->{connmark};
@@ -563,7 +553,7 @@ sub process_tc_rule( ) {
 		    }
 
 		    if ( $rest ) {
-			fatal_error "Invalid MARK ($originalmark)" if $marktype == NOMARK;
+			fatal_error "Invalid COMMAND ($originalmark)" if $marktype == NOMARK;
 
 			$mark = $rest if $tccmd->{mask};
 
@@ -575,20 +565,26 @@ sub process_tc_rule( ) {
 		    } elsif ( $tccmd->{mask} ) {
 			$mark = $tccmd->{mask};
 		    }
-
-		    last MARK;
+		} else {
+		    fatal_error "Invalid ACTION ($originalmark)";
 		}
-	    }
+	    } elsif ( $mark =~ /-/ ) {
+		( $mark, $mark1 ) = split /-/, $mark, 2;
+		validate_mark $mark;
+		fatal_error "Invalid mark range ($mark-$mark1)" if $mark =~ m'/';
+		validate_mark $mark1;
+		require_capability 'STATISTIC_MATCH', 'A mark range', 's';
+	    }  else {
+		validate_mark $mark;
 
-	    validate_mark $mark;
-
-	    if ( $config{PROVIDER_OFFSET} ) {
-		my $val = numeric_value( $cmd );
-		fatal_error "Invalid MARK/CLASSIFY ($cmd)" unless defined $val;
-		my $limit = $globals{TC_MASK};
-		unless ( have_capability 'FWMARK_RT_MASK' ) {
-		    fatal_error "Marks <= $limit may not be set in the PREROUTING or OUTPUT chains when HIGH_ROUTE_MARKS=Yes"
-			if $cmd && ( $chain eq 'tcpre' || $chain eq 'tcout' ) && $val <= $limit;
+		if ( $config{PROVIDER_OFFSET} ) {
+		    my $val = numeric_value( $cmd );
+		    fatal_error "Invalid MARK/CLASSIFY ($cmd)" unless defined $val;
+		    my $limit = $globals{TC_MASK};
+		    unless ( have_capability 'FWMARK_RT_MASK' ) {
+			fatal_error "Marks <= $limit may not be set in the PREROUTING or OUTPUT chains when HIGH_ROUTE_MARKS=Yes"
+			    if $cmd && ( $chain eq 'tcpre' || $chain eq 'tcout' ) && $val <= $limit;
+		    }
 		}
 	    }
 	}
@@ -596,26 +592,89 @@ sub process_tc_rule( ) {
 
     fatal_error "USER/GROUP only allowed in the OUTPUT chain" unless ( $user eq '-' || ( $chain eq 'tcout' || $chain eq 'tcpost' ) );
 
-    if ( ( my $result = expand_rule( ensure_chain( 'mangle' , $chain ) ,
-				     $restrictions{$chain} | $restriction,
-				     do_proto( $proto, $ports, $sports) . $matches .
-				     do_user( $user ) .
-				     do_test( $testval, $globals{TC_MASK} ) .
-				     do_length( $length ) .
-				     do_tos( $tos ) .
-				     do_connbytes( $connbytes ) .
-				     do_helper( $helper ) .
-				     do_headers( $headers ) .
-				     do_probability( $probability ) .
-				     do_dscp( $dscp ) ,
-				     $source ,
-				     $dest ,
-				     '' ,
-				     $mark ? "$target $mark" : $target,
-				     '' ,
-				     $target ,
-				     '' ) )
-	  && $device ) {
+    if ( $state ne '-' ) {
+	my @state = split_list( $state, 'state' );
+	my %state = %validstates;
+
+	for ( @state ) {
+	    fatal_error "Invalid STATE ($_)"   unless exists $state{$_};
+	    fatal_error "Duplicate STATE ($_)" if $state{$_};
+	}
+    } else {
+	$state = 'ALL';
+    }
+
+    if ( $mark1 ) {
+	#
+	# A Mark Range
+	#
+	my $chainref = ensure_chain( 'mangle', $chain );
+
+	( $mark1, my $mask ) = split( '/', $mark1 );
+
+	my ( $markval, $mark1val ) = ( numeric_value $mark, numeric_value $mark1 );
+
+	fatal_error "Invalid mark range ($mark-$mark1)" unless $markval < $mark1val;
+
+	$mask = $globals{TC_MASK} unless supplied $mask;
+
+	$mask = numeric_value $mask;
+
+	my $increment = 1;
+	my $shift     = 0;
+
+	$increment <<= 1, $shift++ until $increment & $mask;
+
+	$mask = in_hex $mask;
+
+	my $marks = ( ( $mark1val - $markval ) >> $shift ) + 1;
+
+	for ( my $packet = 0; $packet < $marks; $packet++, $markval += $increment ) {
+	    my $match = "-m statistic --mode nth --every $marks --packet $packet ";
+
+	    expand_rule( $chainref,
+			 $restrictions{$chain} | $restriction,
+			 $match .
+			 do_user( $user ) .
+			 do_test( $testval, $globals{TC_MASK} ) .
+			 do_test( $testval, $globals{TC_MASK} ) .
+			 do_length( $length ) .
+			 do_tos( $tos ) .
+			 do_connbytes( $connbytes ) .
+			 do_helper( $helper ) .
+			 do_headers( $headers ) .
+			 do_probability( $probability ) .
+			 do_dscp( $dscp ) .
+			 state_match( $state ) ,
+			 $source ,
+			 $dest ,
+			 '' ,
+			 "$target " . join( '/', in_hex( $markval ) , $mask ) ,
+			 '',
+			 $target ,
+			 $exceptionrule );
+	}
+    } elsif ( ( my $result = expand_rule( ensure_chain( 'mangle' , $chain ) ,
+					  $restrictions{$chain} | $restriction,
+					  do_proto( $proto, $ports, $sports) . $matches .
+					  do_user( $user ) .
+					  do_test( $testval, $globals{TC_MASK} ) .
+					  do_length( $length ) .
+					  do_tos( $tos ) .
+					  do_connbytes( $connbytes ) .
+					  do_helper( $helper ) .
+					  do_headers( $headers ) .
+					  do_probability( $probability ) .
+					  do_dscp( $dscp ) .
+					  state_match( $state ) ,
+					  $source ,
+					  $dest ,
+					  '' ,
+					  $mark ? "$target $mark" : $target,
+					  '' ,
+					  $target ,
+					  $exceptionrule ) )
+	      && $device ) {
 	#
 	# expand_rule() returns destination device if any
 	#
@@ -626,6 +685,22 @@ sub process_tc_rule( ) {
 
 }
 
+sub process_tc_rule( ) {
+    my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state );
+    if ( $family == F_IPV4 ) {
+	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state ) =
+	    split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, probability => 12 , dscp => 13, state => 14 }, {}, 15;
+	$headers = '-';
+    } else {
+	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state ) =
+	    split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 , dscp => 14 , state => 15 }, {}, 16;
+    }
+
+    for my $proto (split_list( $protos, 'Protocol' ) ) {
+	process_tc_rule1( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state );
+    }
+}
+
 sub rate_to_kbit( $ ) {
     my $rate = $_[0];
 
@@ -756,7 +831,7 @@ sub process_simple_device() {
     fatal_error "Unknown interface( $device )" unless known_interface $device;
 
     my $physical = physical_name $device;
-    my $dev      = chain_base( $physical );
+    my $dev      = var_base( $physical );
 
     push @tcdevices, $device;
 
@@ -1062,6 +1137,17 @@ my %validredoptions = ( min         => RED_INTEGER,
 			ecn         => RED_NONE,
 		      );
 
+use constant { CODEL_INTEGER => 1, CODEL_INTERVAL => 2, CODEL_NONE => 3 };
+
+my %validcodeloptions = ( flows       => CODEL_INTEGER,
+			  target      => CODEL_INTERVAL,
+			  interval    => CODEL_INTERVAL,
+			  limit       => CODEL_INTEGER,
+			  ecn         => CODEL_NONE,
+			  noecn       => CODEL_NONE,
+			  quantum     => CODEL_INTEGER
+			);
+
 sub validate_filter_priority( $$ ) {
     my ( $priority, $kind ) = @_;
 
@@ -1236,6 +1322,7 @@ sub validate_tc_class( ) {
     fatal_error "RATE ($rate) exceeds CEIL ($ceil)" if $rate && $ceil && $rate > $ceil;
 
     my ( $red, %redopts ) = ( 0, ( avpkt => 1000 ) );
+    my ( $codel, %codelopts ) = ( 0, ( ) );
 
     unless ( $options eq '-' ) {
 	for my $option ( split_list1 "\L$options", 'option' ) {
@@ -1285,8 +1372,9 @@ sub validate_tc_class( ) {
 		fatal_error "The 'flow' option is not allowed with 'red'"   if $tcref->{red};
 		$tcref->{flow} = process_flow $1;
 	    } elsif ( $option eq 'pfifo' ) {
-		fatal_error "The 'pfifo' option is not allowed with 'flow='" if $tcref->{flow};
-		fatal_error "The 'pfifo' option is not allowed with 'red='"  if $tcref->{red};
+		fatal_error "The 'pfifo' option is not allowed with 'flow='"      if $tcref->{flow};
+		fatal_error "The 'pfifo' option is not allowed with 'red='"       if $tcref->{red};
+		fatal_error "The 'pfifo' option is not allowed with 'fq_codel='"  if $tcref->{fq_codel};
 		$tcref->{pfifo} = 1;
 	    } elsif ( $option =~ /^occurs=(\d+)$/ ) {
 		my $val = $1;
@@ -1308,8 +1396,9 @@ sub validate_tc_class( ) {
 		fatal_error "Invalid limit ($1)" if $1 < 3 || $1 > 128;
 		$tcref->{limit} = $1;
 	    } elsif ( $option =~ s/^red=// ) {
-		fatal_error "The 'red=' option is not allowed with 'flow='" if $tcref->{flow};
-		fatal_error "The 'red=' option is not allowed with 'pfifo'" if $tcref->{pfifo};
+		fatal_error "The 'red=' option is not allowed with 'flow='"       if $tcref->{flow};
+		fatal_error "The 'red=' option is not allowed with 'pfifo'"       if $tcref->{pfifo};
+		fatal_error "The 'pfifo' option is not allowed with 'fq_codel='"  if $tcref->{fq_codel};
 		$tcref->{red} = 1;
 		my $opttype;
 
@@ -1358,6 +1447,61 @@ sub validate_tc_class( ) {
 		fatal_error "The 'limit' red option must be at least 2 * 'max'" unless $redopts{limit} >= 2 * $redopts{min};
 		$redopts{ecn} = 1 if exists $redopts{ecn};
 		$tcref->{redopts} = \%redopts;
+	    } elsif ( $option =~ /^fq_codel(?:=.+)?$/ ) {
+		fatal_error "The 'fq_codel' option is not allowed with 'red='"       if $tcref->{red};
+		fatal_error "The 'fq_codel' option is not allowed with 'pfifo'"      if $tcref->{pfifo};
+		$tcref->{fq_codel} = 1;
+		my $opttype;
+
+		$option =~ s/fq_codel=?//;
+
+		for my $codelopt ( split_list( $option , q('fq_codel' option list) ) ) {
+		    #
+		    #              $1  ------      $2 --------------
+		    #                 |      |        |    $3 ---- | 
+		    #                 |      |        |       |  | |
+		    if ( $codelopt =~ /^([a-z]+) (?:= ((?:\d+)(ms)?))?$/x )
+			    {
+			fatal_error "Invalid CODEL option ($1)" unless $opttype = $validcodeloptions{$1};
+			if ( $2 ) {
+			    #
+			    # '=<value>' supplied
+			    #
+			    fatal_error "The $1 option does not take a value" if $opttype == CODEL_NONE;
+			    if ( $3 ) {
+				#
+				# Rate
+				#
+				fatal_error "The $1 option requires an integer value"  if $opttype == CODEL_INTEGER;
+			    } else {
+				#
+				# Interval value
+				#
+				fatal_error "The $1 option requires an interval value" if $opttype == CODEL_INTERVAL;
+			    }
+			} else {
+			    #
+			    # No value supplied
+			    #
+			    fatal_error "The $1 option requires a value" unless $opttype == CODEL_NONE;
+			}
+
+			$codelopts{$1} = $2;
+		    } else {
+			fatal_error "Invalid fq_codel option specification ($codelopt)";
+		    }
+		}
+
+		if ( exists $codelopts{ecn} ) {
+		    fatal_error "The 'ecn' and 'noecn' fq_codel options are mutually exclusive" if exists $codelopts{noecn};
+		    $codelopts{ecn} = 1;
+		} elsif ( exists $codelopts{noecn} ) {
+		    $codelopts{noecn} = 1;
+		} else {
+		    $codelopts{ecn} = 1;
+		}
+		    
+		$tcref->{codelopts} = \%codelopts;
 	    } else {
 		fatal_error "Unknown option ($option)";
 	    }
@@ -1365,10 +1509,7 @@ sub validate_tc_class( ) {
     }
 
     unless ( $devref->{classify} || $occurs > 1 ) {
-	if ( $mark ne '-' ) {
-	    fatal_error "Missing MARK" if $mark eq '-';
-	    warning_message "Class NUMBER ignored -- INTERFACE $device does not have the 'classify' option"	if $devclass =~ /:/;
-	}
+	fatal_error "Missing MARK" if $mark eq '-';
     }
 
     $tcref->{flow}  = $devref->{flow}  unless $tcref->{flow};
@@ -1379,19 +1520,21 @@ sub validate_tc_class( ) {
     while ( --$occurs ) {
 	fatal_error "Duplicate class number ($classnumber)" if $tcclasses{$device}{++$classnumber};
 
-	$tcclasses{$device}{$classnumber} =  { tos      => [] ,
-					       rate     => $tcref->{rate} ,
-					       ceiling  => $tcref->{ceiling} ,
-					       priority => $tcref->{priority} ,
-					       mark     => 0 ,
-					       markprio => $markprio ,
-					       flow     => $tcref->{flow} ,
-					       pfifo    => $tcref->{pfifo},
-					       occurs   => 0,
-					       parent   => $parentclass,
-					       limit    => $tcref->{limit},
-					       red      => $tcref->{red},
-					       redopts  => $tcref->{redopts},
+	$tcclasses{$device}{$classnumber} =  { tos       => [] ,
+					       rate      => $tcref->{rate} ,
+					       ceiling   => $tcref->{ceiling} ,
+					       priority  => $tcref->{priority} ,
+					       mark      => 0 ,
+					       markprio  => $markprio ,
+					       flow      => $tcref->{flow} ,
+					       pfifo     => $tcref->{pfifo},
+					       occurs    => 0,
+					       parent    => $parentclass,
+					       limit     => $tcref->{limit},
+					       red       => $tcref->{red},
+					       redopts   => $tcref->{redopts},
+					       fq_codel  => $tcref->{fq_codel},
+					       codelopts => $tcref->{codelopts},
 					     };
 	push @tcclasses, "$device:$classnumber";
     };
@@ -1404,11 +1547,9 @@ my %validlengths = ( 32 => '0xffe0', 64 => '0xffc0', 128 => '0xff80', 256 => '0x
 #
 # Process a record from the tcfilters file
 #
-sub process_tc_filter() {
+sub process_tc_filter1( $$$$$$$$$ ) {
 
-    my ( $devclass, $source, $dest , $proto, $portlist , $sportlist, $tos, $length, $priority ) = split_line 'tcfilters file', { class => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, tos => 6, length => 7 , priority => 8 };
-
-    fatal_error 'CLASS must be specified' if $devclass eq '-';
+    my ( $devclass, $source, $dest , $proto, $portlist , $sportlist, $tos, $length, $priority ) = @_;
 
     my ($device, $class, $rest ) = split /:/, $devclass, 3;
 
@@ -1679,6 +1820,18 @@ sub process_tc_filter() {
 
 }
 
+sub process_tc_filter() {
+
+    my ( $devclass, $source, $dest , $protos, $portlist , $sportlist, $tos, $length, $priority )
+	= split_line 'tcfilters file', { class => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, tos => 6, length => 7 , priority => 8 };
+
+    fatal_error 'CLASS must be specified' if $devclass eq '-';
+
+    for my $proto ( split_list $protos, 'Protocol' ) {
+	process_tc_filter1( $devclass, $source, $dest , $proto, $portlist , $sportlist, $tos, $length, $priority );
+    }
+}
+
 #
 # Process the tcfilter file storing the compiled filters in the %tcdevices table
 #
@@ -1719,21 +1872,8 @@ sub process_tcfilters() {
 #
 # Process a tcpri record
 #
-sub process_tc_priority() {
-    my ( $band, $proto, $ports , $address, $interface, $helper ) = split_line1 'tcpri', { band => 0, proto => 1, port => 2, address => 3, interface => 4, helper => 5 };
-
-    fatal_error 'BAND must be specified' if $band eq '-';
-
-    if ( $band eq 'COMMENT' ) {
-	process_comment;
-	return;
-    }
-
-    fatal_error "Invalid tcpri entry" if ( $proto     eq '-' &&
-					   $ports     eq '-' &&
-					   $address   eq '-' &&
-					   $interface eq '-' &&
-					   $helper    eq '-' );
+sub process_tc_priority1( $$$$$$ ) {
+    my ( $band, $proto, $ports , $address, $interface, $helper ) = @_;
 
     my $val = numeric_value $band;
 
@@ -1781,6 +1921,26 @@ sub process_tc_priority() {
     }
 }
 
+sub process_tc_priority() {
+    my ( $band, $protos, $ports , $address, $interface, $helper ) = split_line1 'tcpri', { band => 0, proto => 1, port => 2, address => 3, interface => 4, helper => 5 };
+
+    fatal_error 'BAND must be specified' if $band eq '-';
+
+    fatal_error "Invalid tcpri entry" if ( $protos    eq '-' &&
+					   $ports     eq '-' &&
+					   $address   eq '-' &&
+					   $interface eq '-' &&
+					   $helper    eq '-' );
+
+    my $val = numeric_value $band;
+
+    fatal_error "Invalid PRIORITY ($band)" unless $val && $val <= 3;
+
+    for my $proto ( split_list $protos, 'Protocol' ) {
+	process_tc_priority1( $band, $proto, $ports , $address, $interface, $helper );
+    }
+}
+
 #
 # Process tcinterfaces
 #
@@ -1799,7 +1959,7 @@ sub process_tcinterfaces() {
 #
 sub process_tcpri() {
     my $fn  = find_file 'tcinterfaces';
-    my $fn1 = open_file 'tcpri';
+    my $fn1 = open_file 'tcpri', 1,1;
 
     if ( $fn1 ) {
 	first_entry
@@ -1810,8 +1970,6 @@ sub process_tcpri() {
 
 	process_tc_priority while read_a_line( NORMAL_READ );
 
-	clear_comment;
-
 	if ( $ipp2p ) {
 	    insert_irule( $mangle_table->{tcpost} ,
 			  j => 'CONNMARK --restore-mark --ctmask ' . in_hex( $globals{TC_MASK} ) ,
@@ -1875,7 +2033,7 @@ sub process_traffic_shaping() {
 
 	unless ( $config{TC_ENABLED} eq 'Shared' ) {
 
-	    my $dev = chain_base( $device );
+	    my $dev = var_base( $device );
 
 	    emit( '',
 		  '#',
@@ -1934,7 +2092,7 @@ sub process_traffic_shaping() {
 	    handle_in_bandwidth( $device, $devref->{in_bandwidth} );
 
 	    for my $rdev ( @{$devref->{redirected}} ) {
-		my $phyrdev = get_physical( $rdev );
+		my $phyrdev = physical_name( $rdev );
 		emit ( "run_tc qdisc add dev $phyrdev handle ffff: ingress" );
 		emit( "run_tc filter add dev $phyrdev parent ffff: protocol all u32 match u32 0 0 action mirred egress redirect dev $device > /dev/null" );
 	    }
@@ -2006,8 +2164,25 @@ sub process_traffic_shaping() {
 			}
 
 			emit( "run_tc qdisc add dev $device parent $classid handle $sfqinhex: red${options}" );
+		    } elsif ( $tcref->{fq_codel} ) {
+			1 while $devnums[++$sfq];
+			$sfqinhex = in_hexp( $sfq);
 
-		    } elsif ( $tcref->{leaf} && ! $tcref->{pfifo} ) {
+			my ( $options, $codelopts ) = ( '', $tcref->{codelopts} );
+
+			while ( my ( $option, $type ) = each %validcodeloptions ) {
+			    if ( my $value = $codelopts->{$option} ) {
+				if ( $type == CODEL_NONE ) {
+				    $options = join( ' ', $options, $option );
+				} else {
+				    $options = join( ' ', $options, $option, $value );
+				}
+			    }
+			}
+
+			emit( "run_tc qdisc add dev $device parent $classid handle $sfqinhex: fq_codel${options}" );
+			
+		    } elsif ( ! $tcref->{pfifo} ) {
 			1 while $devnums[++$sfq];
 
 			$sfqinhex = in_hexp( $sfq);
@@ -2113,7 +2288,7 @@ sub setup_traffic_shaping() {
 
     for my $device ( @tcdevices ) {
 	my $interfaceref = known_interface( $device );
-	my $dev          = chain_base( $interfaceref ? $interfaceref->{physical} : $device );
+	my $dev          = var_base( $interfaceref ? $interfaceref->{physical} : $device );
 
 	emit "setup_${dev}_tc";
     }
@@ -2122,16 +2297,8 @@ sub setup_traffic_shaping() {
 #
 # Process a record in the secmarks file
 #
-sub process_secmark_rule() {
-    my ( $secmark, $chainin, $source, $dest, $proto, $dport, $sport, $user, $mark ) =
-	split_line1( 'Secmarks file' , { secmark => 0, chain => 1, source => 2, dest => 3, proto => 4, dport => 5, sport => 6, user => 7, mark => 8 } );
-
-    fatal_error 'SECMARK must be specified' if $secmark eq '-';
-
-    if ( $secmark eq 'COMMENT' ) {
-	process_comment;
-	return;
-    }
+sub process_secmark_rule1( $$$$$$$$$ ) {
+    my ( $secmark, $chainin, $source, $dest, $proto, $dport, $sport, $user, $mark ) = @_;
 
     my %chns = ( T => 'tcpost'  ,
 		 P => 'tcpre'   ,
@@ -2139,11 +2306,15 @@ sub process_secmark_rule() {
 		 I => 'tcin'    ,
 		 O => 'tcout'   , );
 
-    my %state = ( N =>  'NEW' ,
-		  I => 'INVALID',
-		  NI => 'NEW,INVALID',
-		  E =>  'ESTABLISHED' ,
-		  ER => 'ESTABLISHED,RELATED',
+    my %state = ( N   => 'NEW' ,
+		  I   => 'INVALID',
+		  U   => 'UNTRACKED',
+		  IU  => 'INVALID,UNTRACKED',
+		  NI  => 'NEW,INVALID',
+		  NU  => 'NEW,UNTRACKED',
+		  NIU => 'NEW,INVALID,UNTRACKED',
+		  E   => 'ESTABLISHED' ,
+		  ER  => 'ESTABLISHED,RELATED',
 		);
 
     my ( $chain , $state, $rest) = split ':', $chainin , 3;
@@ -2187,6 +2358,20 @@ sub process_secmark_rule() {
 
 }
 
+#
+# Process a record in the secmarks file
+#
+sub process_secmark_rule() {
+    my ( $secmark, $chainin, $source, $dest, $protos, $dport, $sport, $user, $mark ) =
+	split_line1( 'Secmarks file' , { secmark => 0, chain => 1, source => 2, dest => 3, proto => 4, dport => 5, sport => 6, user => 7, mark => 8 } );
+
+    fatal_error 'SECMARK must be specified' if $secmark eq '-';
+
+    for my $proto ( split_list( $protos, 'Protocol' ) ) {
+	process_secmark_rule1( $secmark, $chainin, $source, $dest, $proto, $dport, $sport, $user, $mark );
+    }
+}
+
 #
 # Process the tcrules file and setup traffic shaping
 #
@@ -2239,107 +2424,111 @@ sub setup_tc() {
     }
 
     if ( $config{MANGLE_ENABLED} ) {
-	our  @tccmd = ( { match     => sub ( $ ) { $_[0] eq 'SAVE' } ,
-			  target    => 'CONNMARK --save-mark --mask' ,
-			  mark      => $config{TC_EXPERT} ? HIGHMARK : SMALLMARK,
-			  mask      => in_hex( $globals{TC_MASK} ) ,
-			  connmark  => 1
-			} ,
-			{ match     => sub ( $ ) { $_[0] eq 'RESTORE' },
-			  target    => 'CONNMARK --restore-mark --mask' ,
-			  mark      => $config{TC_EXPERT} ? HIGHMARK : SMALLMARK ,
-			  mask      => in_hex( $globals{TC_MASK} ) ,
-			  connmark  => 1
-			} ,
-			{ match     => sub ( $ ) { $_[0] eq 'CONTINUE' },
-			  target    => 'RETURN' ,
-			  mark      => NOMARK ,
-			  mask      => '' ,
-			  connmark  => 0
-			} ,
-			{ match     => sub ( $ ) { $_[0] eq 'SAME' },
-			  target    => 'sticky' ,
-			  mark      => NOMARK ,
-			  mask      => '' ,
-			  connmark  => 0
-			} ,
-			{ match     => sub ( $ ) { $_[0] =~ /^IPMARK/ },
-			  target    => 'IPMARK' ,
-			  mark      => NOMARK,
-			  mask      => '',
-			  connmark  => 0
-			} ,
-			{ match     => sub ( $ ) { $_[0] =~ '\|.*'} ,
-			  target    => 'MARK --or-mark' ,
-			  mark      => HIGHMARK ,
-			  mask      => '' } ,
-			{ match     => sub ( $ ) { $_[0] =~ '&.*' },
-			  target    => 'MARK --and-mark' ,
-			  mark      => HIGHMARK ,
-			  mask      => '' ,
-			  connmark  => 0
-			} ,
-			{ match     => sub ( $ ) { $_[0] =~ /^TPROXY/ },
-			  target    => 'TPROXY',
-			  mark      => HIGHMARK,
-			  mask      => '',
-			  connmark  => '' },
-			{ match     => sub( $ ) { $_[0] =~ /^DIVERT/ },
-			  target    => 'DIVERT',
-			  mark      => HIGHMARK,
-			  mask      => '',
-			  connmark  => '' },
-			{ match     => sub( $ ) { $_[0] =~ /^TTL/ },
-			  target    => 'TTL',
-			  mark      => NOMARK,
-			  mask      => '',
-			  connmark  => 0
-			},
-			{ match     => sub( $ ) { $_[0] =~ /^HL/ },
-			  target    => 'HL',
-			  mark      => NOMARK,
-			  mask      => '',
-			  connmark  => 0
-			},
-			{ match     => sub( $ ) { $_[0] =~ /^IMQ\(\d+\)$/ },
-			  target    => 'IMQ',
-			  mark      => NOMARK,
-			  mask      => '',
-			  connmark  => 0
-			},
-			{ match     => sub( $ ) { $_[0] =~ /^DSCP\(\w+\)$/ },
-			  target    => 'DSCP',
-			  mark      => NOMARK,
-			  mask      => '',
-			  connmark  => 0
-			},
-			{ match     => sub( $ ) { $_[0] =~ /^TOS\(.+\)$/ },
-			  target    => 'TOS',
-			  mark      => NOMARK,
-			  mask      => '',
-			  connmark  => 0
-			},
+	our  %tccmd = ( SAVE =>     { match     => sub ( $ ) { $_[0] eq 'SAVE' } ,
+				      target    => 'CONNMARK --save-mark --mask' ,
+				      mark      => $config{TC_EXPERT} ? HIGHMARK : SMALLMARK,
+				      mask      => in_hex( $globals{TC_MASK} ) ,
+				      connmark  => 1
+				    } ,
+			RESTORE =>  { match     => sub ( $ ) { $_[0] eq 'RESTORE' },
+				      target    => 'CONNMARK --restore-mark --mask' ,
+				      mark      => $config{TC_EXPERT} ? HIGHMARK : SMALLMARK ,
+				      mask      => in_hex( $globals{TC_MASK} ) ,
+				      connmark  => 1
+				    } ,
+			CONTINUE => { match     => sub ( $ ) { $_[0] eq 'CONTINUE' },
+				      target    => 'RETURN' ,
+				      mark      => NOMARK ,
+				      mask      => '' ,
+				      connmark  => 0
+				    } ,
+			SAME =>     { match     => sub ( $ ) { $_[0] eq 'SAME' },
+				      target    => 'sticky' ,
+				      mark      => NOMARK ,
+				      mask      => '' ,
+				      connmark  => 0
+				    } ,
+			IPMARK =>   { match     => sub ( $ ) { $_[0] =~ /^IPMARK/ },
+				      target    => 'IPMARK' ,
+				      mark      => NOMARK,
+				      mask      => '',
+				      connmark  => 0
+				    } ,
+			'|' =>      { match     => sub ( $ ) { $_[0] =~ '\|.*'} ,
+				      target    => 'MARK --or-mark' ,
+				      mark      => HIGHMARK ,
+				      mask      => ''
+				    } ,
+			'&' =>      { match     => sub ( $ ) { $_[0] =~ '&.*' },
+				      target    => 'MARK --and-mark' ,
+				      mark      => HIGHMARK ,
+				      mask      => '' ,
+				      connmark  => 0
+				    } ,
+			TPROXY =>   { match     => sub ( $ ) { $_[0] =~ /^TPROXY/ },
+				      target    => 'TPROXY',
+				      mark      => HIGHMARK,
+				      mask      => '',
+				      connmark  => ''
+				    },
+			DIVERT =>   { match     => sub( $ ) { $_[0] =~ /^DIVERT/ },
+				      target    => 'DIVERT',
+				      mark      => HIGHMARK,
+				      mask      => '',
+				      connmark  => ''
+				    },
+			TTL =>      { match     => sub( $ ) { $_[0] =~ /^TTL/ },
+				      target    => 'TTL',
+				      mark      => NOMARK,
+				      mask      => '',
+				      connmark  => 0
+			            },
+			HL =>       { match     => sub( $ ) { $_[0] =~ /^HL/ },
+				      target    => 'HL',
+				      mark      => NOMARK,
+				      mask      => '',
+				      connmark  => 0
+			            },
+			IMQ =>      { match     => sub( $ ) { $_[0] =~ /^IMQ\(\d+\)$/ },
+				      target    => 'IMQ',
+				      mark      => NOMARK,
+				      mask      => '',
+				      connmark  => 0
+			            },
+			DSCP =>     { match     => sub( $ ) { $_[0] =~ /^DSCP\(\w+\)$/ },
+				      target    => 'DSCP',
+				      mark      => NOMARK,
+				      mask      => '',
+				      connmark  => 0
+				    },
+			TOS =>      { match     => sub( $ ) { $_[0] =~ /^TOS\(.+\)$/ },
+				      target    => 'TOS',
+				      mark      => NOMARK,
+				      mask      => '',
+				      connmark  => 0
+				    },
+			CHECKSUM => { match     => sub( $ ) { $_[0] eq 'CHECKSUM' },
+				      target    => 'CHECKSUM' ,
+				      mark      => NOMARK,
+				      mask      => '',
+				      connmark  => 0,
+				    }
 		      );
 
-	if ( my $fn = open_file 'tcrules' ) {
-
-	    our $format = 1;
+	if ( my $fn = open_file( 'tcrules' , 2, 1 ) ) {
 
 	    first_entry "$doing $fn...";
 
 	    process_tc_rule while read_a_line( NORMAL_READ );
 
-	    clear_comment;
-
 	}
 
-	if ( my $fn = open_file 'secmarks' ) {
+	if ( my $fn = open_file( 'secmarks', 1, 1 ) ) {
 
 	    first_entry "$doing $fn...";
 
 	    process_secmark_rule while read_a_line( NORMAL_READ );
 
-	    clear_comment;
 	}
 
 	handle_stickiness( $sticky );

Shorewall/Perl/Shorewall/Tunnels.pm

@@ -285,25 +285,19 @@ sub setup_tunnels() {
     #
     # Setup_Tunnels() Starts Here
     #
-    if ( my $fn = open_file 'tunnels' ) {
+    if ( my $fn = open_file( 'tunnels', 1, 1 ) ) {
 
 	first_entry "$doing $fn...";
 
 	while ( read_a_line( NORMAL_READ ) ) {
 
-	    my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 'tunnels file', { type => 0, zone => 1, gateway => 2, gateways => 2, gateway_zone => 3 , gateway_zones => 3 }, undef, 4;
+	    my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 'tunnels file', { type => 0, zone => 1, gateway => 2, gateways => 2, gateway_zone => 3 , gateway_zones => 3 }, {}, 4;
 
 	    fatal_error 'TYPE must be specified' if $kind eq '-';
 
-	    if ( $kind eq 'COMMENT' ) {
-		process_comment;
-	    } else {
-		fatal_error 'ZONE must be specified' if $zone eq '-';
-		setup_one_tunnel $kind, $zone, $gateway, $gatewayzones;
-	    }
+	    fatal_error 'ZONE must be specified' if $zone eq '-';
+	    setup_one_tunnel $kind, $zone, $gateway, $gatewayzones;
 	}
-
-	clear_comment;
     }
 }
 

Shorewall/Perl/Shorewall/Zones.pm

@@ -62,7 +62,7 @@ our @EXPORT = ( qw( NOTHING
 		    off_firewall_zones
 		    non_firewall_zones
 		    single_interface
-		    chain_base
+		    var_base
 		    validate_interfaces_file
 		    all_interfaces
 		    all_real_interfaces
@@ -148,12 +148,12 @@ use constant { IN_OUT     => 1,
 #
 #     $firewall_zone names the firewall zone.
 #
-my @zones;
-my %zones;
-my %zonetypes;
-my $firewall_zone;
+our @zones;
+our %zones;
+our %zonetypes;
+our $firewall_zone;
 
-my  %reservedName = ( all => 1,
+our %reservedName = ( all => 1,
 		      any => 1,
 		      none => 1,
 		      SOURCE => 1,
@@ -173,7 +173,7 @@ my  %reservedName = ( all => 1,
 #                                     zone        => <zone name>
 #                                     multizone   => undef|1   #More than one zone interfaces through this interface
 #                                     nets        => <number of nets in interface/hosts records referring to this interface>
-#                                     bridge      => <bridge name>
+#                                     bridge      => <bridge name> # Same as ->{name} if not a bridge port.
 #                                     ports       => <number of port on this bridge>
 #                                     ipsec       => undef|1 # Has an ipsec host group
 #                                     broadcasts  => 'none', 'detect' or [ <addr1>, <addr2>, ... ]
@@ -188,24 +188,24 @@ my  %reservedName = ( all => 1,
 #    The purpose of the 'base' member is to ensure that the base names associated with the physical interfaces are assigned in
 #    the same order as the interfaces are encountered in the configuration files.
 #
-my @interfaces;
-my %interfaces;
-my %roots;
-my @bport_zones;
-my %ipsets;
-my %physical;
-my %basemap;
-my %basemap1;
-my %mapbase;
-my %mapbase1;
-my $family;
-my $upgrade;
-my $have_ipsec;
-my $baseseq;
-my $minroot;
-my $zonemark;
-my $zonemarkincr;
-my $zonemarklimit;
+our @interfaces;
+our %interfaces;
+our %roots;
+our @bport_zones;
+our %ipsets;
+our %physical;
+our %basemap;
+our %basemap1;
+our %mapbase;
+our %mapbase1;
+our $family;
+our $upgrade;
+our $have_ipsec;
+our $baseseq;
+our $minroot;
+our $zonemark;
+our $zonemarkincr;
+our $zonemarklimit;
 
 use constant { FIREWALL => 1,
 	       IP       => 2,
@@ -232,24 +232,24 @@ use constant { SIMPLE_IF_OPTION   => 1,
 use constant { NO_UPDOWN   => 1, 
 	       NO_SFILTER  => 2 };
 
-my %validinterfaceoptions;
+our %validinterfaceoptions;
 
-my %defaultinterfaceoptions = ( routefilter => 1 , wait => 60 );
+our %defaultinterfaceoptions = ( routefilter => 1 , wait => 60 );
 
-my %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 , ignore => NO_UPDOWN );
+our %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 , ignore => NO_UPDOWN );
 
-my %validhostoptions;
+our %validhostoptions;
 
-my %validzoneoptions = ( mss            => NUMERIC,
-			 nomark         => NOTHING,
-			 blacklist      => NOTHING,
-			 dynamic_shared => NOTHING,
-			 strict         => NOTHING,
-			 next           => NOTHING,
-			 reqid          => NUMERIC,
-			 spi            => NUMERIC,
-			 proto          => IPSECPROTO,
-			 mode           => IPSECMODE,
+our %validzoneoptions = ( mss            => NUMERIC,
+			  nomark         => NOTHING,
+			  blacklist      => NOTHING,
+			  dynamic_shared => NOTHING,
+			  strict         => NOTHING,
+			  next           => NOTHING,
+			  reqid          => NUMERIC,
+			  spi            => NUMERIC,
+			  proto          => IPSECPROTO,
+			  mode           => IPSECMODE,
 			 "tunnel-src"   => NETWORK,
 			 "tunnel-dst"   => NETWORK,
 		       );
@@ -258,7 +258,10 @@ use constant { UNRESTRICTED => 1, NOFW => 2 , COMPLEX => 8, IN_OUT_ONLY => 16 };
 #
 # Hash of options that have their own key in the returned hash.
 #
-my %zonekey = ( mss => UNRESTRICTED | COMPLEX , blacklist => NOFW, nomark => NOFW | IN_OUT_ONLY, dynamic_shared => IN_OUT_ONLY );
+our %zonekey = ( mss            => UNRESTRICTED | COMPLEX ,
+		 blacklist      => NOFW, 
+		 nomark         => NOFW | IN_OUT_ONLY,
+		 dynamic_shared => IN_OUT_ONLY );
 
 #
 # Rather than initializing globals in an INIT block or during declaration,
@@ -894,9 +897,9 @@ sub is_a_bridge( $ ) {
 #
 # Transform the passed interface name into a legal shell variable name.
 #
-sub chain_base($) {
-    my $chain = $_[0];
-    my $name  = $basemap{$chain};
+sub var_base($) {
+    my $var = $_[0];
+    my $name  = $basemap{$var};
     #
     # Return existing mapping, if any
     #
@@ -904,31 +907,31 @@ sub chain_base($) {
     #
     # Remember initial value
     #
-    my $key = $chain;
+    my $key = $var;
     #
     # Handle VLANs and wildcards
     #
-    $chain =~ s/\+$//;
-    $chain =~ tr/./_/;
+    $var =~ s/\+$/_plus/;
+    $var =~ tr/./_/;
 
-    if ( $chain eq '' || $chain =~ /^[0-9]/ || $chain =~ /[^\w]/ ) {
+    if ( $var eq '' || $var =~ /^[0-9]/ || $var =~ /[^\w]/ ) {
 	#
 	# Must map. Remove all illegal characters
 	#
-	$chain =~ s/[^\w]//g;
+	$var =~ s/[^\w]//g;
 	#
 	# Prefix with if_ if it begins with a digit
 	#
-	$chain = join( '' , 'if_', $chain ) if $chain =~ /^[0-9]/;
+	$var = join( '' , 'if_', $var ) if $var =~ /^[0-9]/;
 	#
 	# Create a new unique name
 	#
-	1 while $mapbase{$name = join ( '_', $chain, ++$baseseq )};
+	1 while $mapbase{$name = join ( '_', $var, ++$baseseq )};
     } else {
 	#
 	# We'll store the identity mapping if it is unique
 	#
-	$chain = join( '_', $key , ++$baseseq ) while $mapbase{$name = $chain};
+	$var = join( '_', $key , ++$baseseq ) while $mapbase{$name = $var};
     }
     #
     # Store the reverse mapping
@@ -943,9 +946,9 @@ sub chain_base($) {
 #
 # This is a slightly relaxed version of the above that allows '-' in the generated name.
 #
-sub chain_base1($) {
-    my $chain = $_[0];
-    my $name  = $basemap1{$chain};
+sub var_base1($) {
+    my $var = $_[0];
+    my $name  = $basemap1{$var};
     #
     # Return existing mapping, if any
     #
@@ -953,31 +956,31 @@ sub chain_base1($) {
     #
     # Remember initial value
     #
-    my $key = $chain;
+    my $key = $var;
     #
     # Handle VLANs and wildcards
     #
-    $chain =~ s/\+$//;
-    $chain =~ tr/./_/;
+    $var =~ s/\+$//;
+    $var =~ tr/./_/;
 
-    if ( $chain eq '' || $chain =~ /^[0-9]/ || $chain =~ /[^-\w]/ ) {
+    if ( $var eq '' || $var =~ /^[0-9]/ || $var =~ /[^-\w]/ ) {
 	#
 	# Must map. Remove all illegal characters
 	#
-	$chain =~ s/[^\w]//g;
+	$var =~ s/[^\w]//g;
 	#
 	# Prefix with if_ if it begins with a digit
 	#
-	$chain = join( '' , 'if_', $chain ) if $chain =~ /^[0-9]/;
+	$var = join( '' , 'if_', $var ) if $var =~ /^[0-9]/;
 	#
 	# Create a new unique name
 	#
-	1 while $mapbase1{$name = join ( '_', $chain, ++$baseseq )};
+	1 while $mapbase1{$name = join ( '_', $var, ++$baseseq )};
     } else {
 	#
 	# We'll store the identity mapping if it is unique
 	#
-	$chain = join( '_', $key , ++$baseseq ) while $mapbase1{$name = $chain};
+	$var = join( '_', $key , ++$baseseq ) while $mapbase1{$name = $var};
     }
     #
     # Store the reverse mapping
@@ -999,24 +1002,14 @@ sub process_interface( $$ ) {
     my ($zone, $originalinterface, $bcasts, $options );
     my $zoneref;
     my $bridge = '';
-    our $format;
 
-    if ( $format == 1 ) {
-	($zone, $originalinterface, $bcasts, $options ) = split_line1 'interfaces file', { zone => 0, interface => 1, broadcast => 2, options => 3 }, { COMMENT => 0, FORMAT => 2 };
+    if ( $file_format == 1 ) {
+	($zone, $originalinterface, $bcasts, $options ) = split_line1 'interfaces file', { zone => 0, interface => 1, broadcast => 2, options => 3 };
     } else {
-	($zone, $originalinterface, $options ) = split_line1 'interfaces file', { zone => 0, interface => 1, options => 2 }, { COMMENT => 0, FORMAT => 2 };
+	($zone, $originalinterface, $options ) = split_line1 'interfaces file', { zone => 0, interface => 1, options => 2 };
 	$bcasts = '-';
     }
 
-    if ( $zone eq 'FORMAT' ) {
-	if ( $originalinterface =~ /^([12])$/ ) {
-	    $format = $1;
-	    return;
-	}
-
-	fatal_error "Invalid FORMAT ($originalinterface)";
-    }
-
     if ( $zone eq '-' ) {
 	$zone = '';
     } else {
@@ -1207,7 +1200,7 @@ sub process_interface( $$ ) {
 		    $hostoptions{broadcast} = 1;
 		} elsif ( $option eq 'sfilter' ) {
 		    $filterref = [ split_list $value, 'address' ];
-		    $_ = validate_net( $_, 1) for @{$filterref}
+		    validate_net( $_, 0) for @{$filterref}
 		} else {
 		    assert(0);
 		}
@@ -1249,7 +1242,7 @@ sub process_interface( $$ ) {
 
 	if ( $netsref eq 'dynamic' ) {
 	    my $ipset = $family == F_IPV4 ? "${zone}" : "6_${zone}";
-	    $ipset = join( '_', $ipset, chain_base1( $physical ) ) unless $zoneref->{options}{in_out}{dynamic_shared};	    
+	    $ipset = join( '_', $ipset, var_base1( $physical ) ) unless $zoneref->{options}{in_out}{dynamic_shared};	    
 	    $netsref = [ "+$ipset" ];
 	    $ipsets{$ipset} = 1;
 	}
@@ -1284,7 +1277,7 @@ sub process_interface( $$ ) {
 						       options    => \%options ,
 						       zone       => '',
 						       physical   => $physical ,
-						       base       => chain_base( $physical ),
+						       base       => var_base( $physical ),
 						       zones      => {},
 						     };
 
@@ -1308,12 +1301,11 @@ sub process_interface( $$ ) {
 #
 sub validate_interfaces_file( $ ) {
     my  $export = shift;
-    our $format = 1;
 
     my @ifaces;
     my $nextinum = 1;
 
-    if ( my $fn = open_file 'interfaces' ) {
+    if ( my $fn = open_file 'interfaces', 2 ) {
 	first_entry "$doing $fn...";
 	push @ifaces, process_interface( $nextinum++, $export ) while read_a_line( NORMAL_READ );
     } else {
@@ -1409,7 +1401,7 @@ sub known_interface($)
 						   name     => $i ,
 						   number   => $interfaceref->{number} ,
 						   physical => $physical ,
-						   base     => chain_base( $physical ) ,
+						   base     => var_base( $physical ) ,
 						 };
 	    }
 	}
@@ -1756,7 +1748,7 @@ sub verify_required_interfaces( $ ) {
 	    my $physical = get_physical $interface;
 
 	    if ( $physical =~ /\+$/ ) {
-		my $base = uc chain_base $physical;
+		my $base = uc var_base $physical;
 
 		$physical =~ s/\+$/*/;
 
@@ -1903,7 +1895,7 @@ sub process_host( ) {
 	my $set = $family == F_IPV4 ? "${zone}" : "6_${zone}";
 	
 	unless ( $zoneref->{options}{in_out}{dynamic_shared} ) {
-	    my $physical = chain_base1( physical_name $interface );
+	    my $physical = var_base1( physical_name $interface );
 	    $set = join( '_', $set, $physical );
 	}
 

Shorewall/Perl/compiler.pl

@@ -67,6 +67,7 @@ sub usage( $ ) {
     [ --annotate ]
     [ --update ]
     [ --convert ]
+    [ --directives ]
     [ --shorewallrc=<pathname> ]
     [ --shorewallrc1=<pathname> ]
     [ --config_path=<path-list> ]
@@ -94,6 +95,7 @@ my $preview       = 0;
 my $annotate      = 0;
 my $update        = 0;
 my $convert       = 0;
+my $directives    = 0;
 my $config_path   = '';
 my $shorewallrc   = '';
 my $shorewallrc1  = '';
@@ -124,6 +126,8 @@ my $result = GetOptions('h'               => \$help,
 			'confess'         => \$confess,
 			'a'               => \$annotate,
 			'annotate'        => \$annotate,
+			'directives'      => \$directives,
+			'D'               => \$directives,
 			'u'               => \$update,
 			'update'          => \$update,
 			'convert'         => \$convert,
@@ -151,6 +155,7 @@ compiler( script          => $ARGV[0] || '',
 	  update          => $update,
 	  convert         => $convert,
 	  annotate        => $annotate,
+	  directives      => $directives,
 	  config_path     => $config_path,
 	  shorewallrc     => $shorewallrc,
 	  shorewallrc1    => $shorewallrc1,

Shorewall/Perl/lib.core

@@ -216,8 +216,8 @@ get_routed_networks() # $1 = interface name, $2-n = Fatal error message
 delete_tc1()
 {
     clear_one_tc() {
-        $TC qdisc del dev $1 root 2> /dev/null
-        $TC qdisc del dev $1 ingress 2> /dev/null
+        $TC qdisc del dev ${1%@*} root 2> /dev/null
+        $TC qdisc del dev ${1%@*} ingress 2> /dev/null
 
     }
 
@@ -430,7 +430,7 @@ run_iptables()
     local status
 
     while [ 1 ]; do
-	$g_tool $@
+	eval $g_tool $@
 	status=$?
 	[ $status -ne 4 ] && break
     done
@@ -626,7 +626,7 @@ EOF
     fi
 }
 
-?IF __IPV4
+?if __IPV4
 #################################################################################
 #                        IPv4-specific Functions
 #################################################################################
@@ -838,13 +838,13 @@ detect_dynamic_gateway() { # $1 = interface
 	gateway=$( find_peer $($IP addr list $interface ) )
     fi
 
-    if [ -z "$gateway" -a -f /var/lib/dhcpcd/dhcpcd-${1}.info ]; then
-	eval $(grep ^GATEWAYS=  /var/lib/dhcpcd/dhcpcd-${1}.info 2> /dev/null)
+    if [ -z "$gateway" -a -f ${VARLIB}/dhcpcd/dhcpcd-${1}.info ]; then
+	eval $(grep ^GATEWAYS=  ${VARLIB}/dhcpcd/dhcpcd-${1}.info 2> /dev/null)
 	[ -n "$GATEWAYS" ] && GATEWAYS=${GATEWAYS%,*} && gateway=$GATEWAYS
     fi
 
-    if [ -z "$gateway" -a -f /var/lib/dhcp/dhclient-${1}.lease ]; then
-	gateway=$(grep 'option routers' /var/lib/dhcp/dhclient-${1}.lease | tail -n 1 | while read j1 j2 gateway; do echo $gateway ; return 0; done)
+    if [ -z "$gateway" -a -f ${VARLIB}/dhcp/dhclient-${1}.lease ]; then
+	gateway=$(grep 'option routers' ${VARLIB}/dhcp/dhclient-${1}.lease | tail -n 1 | while read j1 j2 gateway; do echo $gateway ; return 0; done)
     fi
 
     [ -n "$gateway" ] && echo $gateway
@@ -1032,7 +1032,7 @@ get_all_bcasts()
     $IP -f inet addr show 2> /dev/null | grep 'inet.*brd' | grep -v '/32 ' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
 }
 
-?ELSE
+?else
 #################################################################################
 #                        IPv6-specific Functions
 #################################################################################
@@ -1324,4 +1324,4 @@ clear_firewall() {
     logger -p kern.info "$g_product Cleared"
 }
 
-?ENDIF
+?endif # IPv6-specific functions.

Shorewall/Perl/prog.footer

@@ -33,25 +33,25 @@ usage() {
 }
 
 checkkernelversion() {
+?if __IPV6
     local kernel
 
-    if [ $g_family -eq 6 ]; then
-	kernel=$(uname -r 2> /dev/null | sed -e 's/-.*//')
+    kernel=$(uname -r 2> /dev/null | sed -e 's/-.*//')
 
-	case "$kernel" in
-	    *.*.*)
-		kernel=$(printf "%d%02d%02d" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
-		;;
-	    *)
-		kernel=$(printf "%d%02d00" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2/g'))
-		;;
-	esac
+    case "$kernel" in
+	*.*.*)
+	    kernel=$(printf "%d%02d%02d" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
+	    ;;
+	*)
+	    kernel=$(printf "%d%02d00" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2/g'))
+	    ;;
+    esac
 
-	if [ $kernel -lt 20624 ]; then
-	    error_message "ERROR: $g_product requires Linux kernel 2.6.24 or later"
-	    return 1
-	fi
+    if [ $kernel -lt 20624 ]; then
+	error_message "ERROR: $g_product requires Linux kernel 2.6.24 or later"
+	return 1
     fi
+?endif
 
     return 0
 }

Shorewall/Samples/Universal/interfaces

@@ -7,7 +7,7 @@
 # http://www.shorewall.net/manpages/shorewall-interfaces.html
 #
 ###############################################################################
-FORMAT 2
+?FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
 -	lo		ignore

Shorewall/Samples/Universal/rules

@@ -6,12 +6,14 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-rules.html
 #
-##############################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH     HELPER
+######################################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS		SWITCH		HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
+#SECTION INVALID
+#SECTION UNTRACKED
 SECTION NEW
 Invalid(DROP)	net		$FW		tcp
 SSH(ACCEPT)	net		$FW

Shorewall/Samples/Universal/shorewall.conf

@@ -23,6 +23,8 @@ VERBOSITY=1
 
 BLACKLIST_LOGLEVEL=
 
+INVALID_LOG_LEVEL=
+
 LOG_MARTIANS=Yes
 
 LOG_VERBOSITY=2
@@ -51,10 +53,14 @@ STARTUP_LOG=/var/log/shorewall-init.log
 
 TCP_FLAGS_LOG_LEVEL=info
 
+UNTRACKED_LOG_LEVEL=
+
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
 
+ARPTABLES=
+
 CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall
 
 GEOIPDIR=/usr/share/xt_geoip/LE
@@ -114,13 +120,15 @@ ADD_SNAT_ALIASES=No
 
 ADMINISABSENTMINDED=Yes
 
+IGNOREUNKNOWNVARIABLES=No
+
 AUTOCOMMENT=Yes
 
 AUTOHELPERS=Yes
 
 AUTOMAKE=No
 
-BLACKLISTNEWONLY=Yes
+BLACKLIST="NEW,INVALID,UNTRACKED"
 
 CLAMPMSS=No
 
@@ -128,6 +136,8 @@ CLEAR_TC=Yes
 
 COMPLETE=Yes
 
+DEFER_DNS_RESOLUTION=Yes
+
 DISABLE_IPV6=No
 
 DELETE_THEN_ADD=Yes
@@ -192,6 +202,8 @@ RETAIN_ALIASES=No
 
 ROUTE_FILTER=No
 
+SAVE_ARPTABLES=No
+
 SAVE_IPSETS=No
 
 TC_ENABLED=Internal
@@ -206,6 +218,8 @@ USE_DEFAULT_RT=No
 
 USE_PHYSICAL_NAMES=No
 
+WARNOLDCAPVERSION=Yes
+
 ZONE2ZONE=2
 
 ###############################################################################
@@ -214,6 +228,8 @@ ZONE2ZONE=2
 
 BLACKLIST_DISPOSITION=DROP
 
+INVALID_DISPOSITION=CONTINUE
+
 MACLIST_DISPOSITION=REJECT
 
 RELATED_DISPOSITION=ACCEPT
@@ -226,6 +242,8 @@ SFILTER_DISPOSITION=DROP
 
 TCP_FLAGS_DISPOSITION=DROP
 
+UNTRACKED_DISPOSITION=CONTINUE
+
 ################################################################################
 #			P A C K E T  M A R K  L A Y O U T
 ################################################################################

Shorewall/Samples/one-interface/interfaces

@@ -11,7 +11,7 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-interfaces"
 ###############################################################################
-FORMAT 2
+?FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
 net     eth0            dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0

Shorewall/Samples/one-interface/rules

@@ -10,12 +10,14 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall-rules"
-##############################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH     HELPER
+######################################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS		SWITCH		HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
+#SECTION INVALID
+#SECTION UNTRACKED
 SECTION NEW
 
 # Drop packets in the INVALID state

Shorewall/Samples/one-interface/shorewall.conf

@@ -34,6 +34,8 @@ VERBOSITY=1
 
 BLACKLIST_LOGLEVEL=
 
+INVALID_LOG_LEVEL=
+
 LOG_MARTIANS=Yes
 
 LOG_VERBOSITY=2
@@ -62,10 +64,14 @@ STARTUP_LOG=/var/log/shorewall-init.log
 
 TCP_FLAGS_LOG_LEVEL=info
 
+UNTRACKED_LOG_LEVEL=
+
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
 
+ARPTABLES=
+
 CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall
 
 GEOIPDIR=/usr/share/xt_geoip/LE
@@ -125,13 +131,15 @@ ADD_SNAT_ALIASES=No
 
 ADMINISABSENTMINDED=Yes
 
+IGNOREUNKNOWNVARIABLES=No
+
 AUTOCOMMENT=Yes
 
 AUTOHELPERS=Yes
 
 AUTOMAKE=No
 
-BLACKLISTNEWONLY=Yes
+BLACKLIST="NEW,INVALID,UNTRACKED"
 
 CLAMPMSS=No
 
@@ -139,6 +147,8 @@ CLEAR_TC=Yes
 
 COMPLETE=No
 
+DEFER_DNS_RESOLUTION=Yes
+
 DISABLE_IPV6=No
 
 DELETE_THEN_ADD=Yes
@@ -203,6 +213,8 @@ RETAIN_ALIASES=No
 
 ROUTE_FILTER=No
 
+SAVE_ARPTABLES=No
+
 SAVE_IPSETS=No
 
 TC_ENABLED=Internal
@@ -217,6 +229,8 @@ USE_DEFAULT_RT=No
 
 USE_PHYSICAL_NAMES=No
 
+WARNOLDCAPVERSION=Yes
+
 ZONE2ZONE=2
 
 ###############################################################################
@@ -225,6 +239,8 @@ ZONE2ZONE=2
 
 BLACKLIST_DISPOSITION=DROP
 
+INVALID_DISPOSITION=CONTINUE
+
 MACLIST_DISPOSITION=REJECT
 
 RELATED_DISPOSITION=ACCEPT
@@ -237,6 +253,8 @@ SFILTER_DISPOSITION=DROP
 
 TCP_FLAGS_DISPOSITION=DROP
 
+UNTRACKED_DISPOSITION=CONTINUE
+
 ################################################################################
 #			P A C K E T  M A R K  L A Y O U T
 ################################################################################

Shorewall/Samples/three-interfaces/interfaces

@@ -11,7 +11,7 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-interfaces"
 ###############################################################################
-FORMAT 2
+?FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
 net     eth0            tcpflags,dhcp,nosmurfs,routefilter,logmartians,sourceroute=0

Shorewall/Samples/three-interfaces/rules

@@ -10,12 +10,14 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-rules"
-##############################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH     HELPER
+######################################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS		SWITCH		HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
+#SECTION INVALID
+#SECTION UNTRACKED
 SECTION NEW
 
 #       Don't allow connection pickup from the net

Shorewall/Samples/three-interfaces/shorewall.conf

@@ -32,6 +32,8 @@ VERBOSITY=1
 
 BLACKLIST_LOGLEVEL=
 
+INVALID_LOG_LEVEL=
+
 LOG_MARTIANS=Yes
 
 LOG_VERBOSITY=2
@@ -60,10 +62,14 @@ STARTUP_LOG=/var/log/shorewall-init.log
 
 TCP_FLAGS_LOG_LEVEL=info
 
+UNTRACKED_LOG_LEVEL=
+
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
 
+ARPTABLES=
+
 CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall
 
 GEOIPDIR=/usr/share/xt_geoip/LE
@@ -123,13 +129,15 @@ ADD_SNAT_ALIASES=No
 
 ADMINISABSENTMINDED=Yes
 
+IGNOREUNKNOWNVARIABLES=No
+
 AUTOCOMMENT=Yes
 
 AUTOHELPERS=Yes
 
 AUTOMAKE=No
 
-BLACKLISTNEWONLY=Yes
+BLACKLIST="NEW,INVALID,UNTRACKED"
 
 CLAMPMSS=Yes
 
@@ -137,6 +145,8 @@ CLEAR_TC=Yes
 
 COMPLETE=No
 
+DEFER_DNS_RESOLUTION=Yes
+
 DISABLE_IPV6=No
 
 DELETE_THEN_ADD=Yes
@@ -201,6 +211,8 @@ RETAIN_ALIASES=No
 
 ROUTE_FILTER=No
 
+SAVE_ARPTABLES=No
+
 SAVE_IPSETS=No
 
 TC_ENABLED=Internal
@@ -215,6 +227,8 @@ USE_DEFAULT_RT=No
 
 USE_PHYSICAL_NAMES=No
 
+WARNOLDCAPVERSION=Yes
+
 ZONE2ZONE=2
 
 ###############################################################################
@@ -223,6 +237,8 @@ ZONE2ZONE=2
 
 BLACKLIST_DISPOSITION=DROP
 
+INVALID_DISPOSITION=CONTINUE
+
 MACLIST_DISPOSITION=REJECT
 
 RELATED_DISPOSITION=ACCEPT
@@ -235,6 +251,8 @@ SFILTER_DISPOSITION=DROP
 
 TCP_FLAGS_DISPOSITION=DROP
 
+UNTRACKED_DISPOSITION=CONTINUE
+
 ################################################################################
 #			P A C K E T  M A R K  L A Y O U T
 ################################################################################

Shorewall/Samples/two-interfaces/interfaces

@@ -11,7 +11,7 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-interfaces"
 ###############################################################################
-FORMAT 2
+?FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
 net     eth0            dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0

Shorewall/Samples/two-interfaces/rules

@@ -10,12 +10,14 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-rules"
-##############################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH     HELPER
+######################################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS		SWITCH		HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
+#SECTION INVALID
+#SECTION UNTRACKED
 SECTION NEW
 
 #       Don't allow connection pickup from the net

Shorewall/Samples/two-interfaces/shorewall.conf

@@ -35,6 +35,8 @@ VERBOSITY=1
 
 BLACKLIST_LOGLEVEL=
 
+INVALID_LOG_LEVEL=
+
 LOG_MARTIANS=Yes
 
 LOG_VERBOSITY=2
@@ -63,10 +65,14 @@ STARTUP_LOG=/var/log/shorewall-init.log
 
 TCP_FLAGS_LOG_LEVEL=info
 
+UNTRACKED_LOG_LEVEL=
+
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
 
+ARPTABLES=
+
 CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall
 
 GEOIPDIR=/usr/share/xt_geoip/LE
@@ -126,13 +132,15 @@ ADD_SNAT_ALIASES=No
 
 ADMINISABSENTMINDED=Yes
 
+IGNOREUNKNOWNVARIABLES=No
+
 AUTOCOMMENT=Yes
 
 AUTOHELPERS=Yes
 
 AUTOMAKE=No
 
-BLACKLISTNEWONLY=Yes
+BLACKLIST="NEW,INVALID,UNTRACKED"
 
 CLAMPMSS=Yes
 
@@ -140,6 +148,8 @@ CLEAR_TC=Yes
 
 COMPLETE=No
 
+DEFER_DNS_RESOLUTION=Yes
+
 DISABLE_IPV6=No
 
 DELETE_THEN_ADD=Yes
@@ -204,6 +214,8 @@ RETAIN_ALIASES=No
 
 ROUTE_FILTER=No
 
+SAVE_ARPTABLES=No
+
 SAVE_IPSETS=No
 
 TC_ENABLED=Internal
@@ -218,6 +230,8 @@ USE_DEFAULT_RT=No
 
 USE_PHYSICAL_NAMES=No
 
+WARNOLDCAPVERSION=Yes
+
 ZONE2ZONE=2
 
 ###############################################################################
@@ -226,6 +240,8 @@ ZONE2ZONE=2
 
 BLACKLIST_DISPOSITION=DROP
 
+INVALID_DISPOSITION=CONTINUE
+
 MACLIST_DISPOSITION=REJECT
 
 RELATED_DISPOSITION=ACCEPT
@@ -238,6 +254,8 @@ SFILTER_DISPOSITION=DROP
 
 TCP_FLAGS_DISPOSITION=DROP
 
+UNTRACKED_DISPOSITION=CONTINUE
+
 ################################################################################
 #			P A C K E T  M A R K  L A Y O U T
 ################################################################################

Shorewall/action.Broadcast

@@ -27,7 +27,7 @@
 #       Default action is DROP
 #
 ##########################################################################################
-FORMAT 2
+?FORMAT 2
 
 DEFAULTS DROP,-
 
@@ -43,6 +43,7 @@ fatal_error "Invalid parameter ($audit) to action Broadcast"   if supplied $audi
 fatal_error "Invalid parameter ($action) to action Broadcast"  unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
 
 my $chainref           = get_action_chain;
+
 my ( $level, $tag )    = get_action_logging;
 my $target             = require_audit ( $action , $audit );
 

Shorewall/action.Drop

@@ -31,9 +31,9 @@
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 #
 ###############################################################################
-FORMAT 2
+?FORMAT 2
 #
-# The following magic provides different defaults for $2 thru $5, when $1 is
+# The following magic provides different defaults for @2 thru @5, when @1 is
 # 'audit'.
 #
 ?BEGIN PERL;
@@ -66,31 +66,31 @@ COUNT
 #
 # Reject 'auth'
 #
-Auth($2)
+Auth(@2)
 #
 # Don't log broadcasts
 #
-Broadcast(DROP,$1)
+Broadcast(DROP,@1)
 #
 # ACCEPT critical ICMP types
 #
-AllowICMPs($4)	-	-	icmp
+AllowICMPs(@4)	-	-	icmp
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log.
 #
-Invalid(DROP,$1)
+Invalid(DROP,@1)
 #
 # Drop Microsoft noise so that it doesn't clutter up the log.
 #
-SMB($3)
-DropUPnP($5)
+SMB(@3)
+DropUPnP(@5)
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #
-NotSyn(DROP,$1)	-	-	tcp
+NotSyn(DROP,@1)	-	-	tcp
 #
 # Drop late-arriving DNS replies. These are just a nuisance and clutter up
 # the log.
 #
-DropDNSrep($5)
+DropDNSrep(@5)

Shorewall/action.DropSmurfs

@@ -9,19 +9,21 @@
 #          audit = Audit dropped packets.
 #
 #################################################################################
-FORMAT 2
+?FORMAT 2
 
 DEFAULTS -
 
 ?BEGIN PERL;
 use strict;
 use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6);
+use Shorewall::IPAddrs qw( IPv6_MULTICAST );
 use Shorewall::Chains;
 use Shorewall::Rules;
 
 my ( $audit ) = get_action_params( 1 );
 
 my $chainref        = get_action_chain;
+
 my ( $level, $tag ) = get_action_logging;
 my $target;
 

Shorewall/action.Established

@@ -0,0 +1,49 @@
+#
+# Shorewall 4 - Established Action
+#
+#    /usr/share/shorewall/action.Established
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
+#
+#       Complete documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#   Established[([<action>])]
+#
+#       Default action is ACCEPT
+#
+##########################################################################################
+?FORMAT 2
+
+DEFAULTS ACCEPT
+
+?BEGIN PERL;
+
+use Shorewall::IPAddrs;
+use Shorewall::Config;
+use Shorewall::Chains;
+use Shorewall::Rules;
+
+my ( $action ) = get_action_params( 1 );
+
+if ( my $check = check_state( 'ESTABLISHED' ) ) {
+    perl_action_helper( $action, $check == 1 ? "$globals{STATEMATCH} ESTABLISHED" : '', 'ESTABLISHED' );
+}
+
+1;
+
+?END PERL;

Shorewall/action.Invalid

@@ -5,7 +5,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -22,12 +22,12 @@
 #       along with this program; if not, write to the Free Software
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#   Invalid[([<action>|-[,{audit|-}])]
+#   Invalid[([<action>])]
 #
 #       Default action is DROP
 #
 ##########################################################################################
-FORMAT 2
+?FORMAT 2
 
 DEFAULTS DROP,-
 
@@ -36,20 +36,18 @@ DEFAULTS DROP,-
 use Shorewall::IPAddrs;
 use Shorewall::Config;
 use Shorewall::Chains;
+use Shorewall::Rules;
 
 my ( $action, $audit ) = get_action_params( 2 );
 
-fatal_error "Invalid parameter ($audit) to action Invalid"   if supplied $audit && $audit ne 'audit';
-fatal_error "Invalid parameter ($action) to action Invalid"  unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
+if ( supplied $audit ) {
+     fatal_error "Invalid parameter ($audit) to action Invalid" if $audit ne 'audit';
+     $action = "A_$action";
+}
 
-my $chainref         = get_action_chain;
-my ( $level, $tag )  = get_action_logging;
-my $target           = require_audit ( $action , $audit );
-
-log_rule_limit $level, $chainref, 'Invalid' , $action, '', $tag, 'add', "$globals{STATEMATCH} INVALID " if $level ne '';
-add_jump $chainref , $target, 0, "$globals{STATEMATCH} INVALID ";
-
-allow_optimize( $chainref );
+if ( my $check = check_state( 'INVALID' ) ) {
+    perl_action_helper( $action, $check == 1 ? "$globals{STATEMATCH} INVALID" : '' , 'INVALID' );
+}
 
 1;
 

Shorewall/action.New

@@ -0,0 +1,49 @@
+#
+# Shorewall 4 - New Action
+#
+#    /usr/share/shorewall/action.New
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
+#
+#       Complete documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#   Untracked[([<action>])]
+#
+#       Default action is ACCEPT
+#
+##########################################################################################
+?FORMAT 2
+
+DEFAULTS ACCEPT
+
+?BEGIN PERL;
+
+use Shorewall::IPAddrs;
+use Shorewall::Config;
+use Shorewall::Chains;
+use Shorewall::Rules;
+
+my ( $action ) = get_action_params( 1 );
+
+if ( my $check = check_state( 'NEW' ) ) {
+    perl_action_helper( $action, $check == 1 ? "$globals{STATEMATCH} NEW" : '' , 'NEW' );
+}
+
+1;
+
+?END PERL;

Shorewall/action.NotSyn

@@ -22,34 +22,31 @@
 #       along with this program; if not, write to the Free Software
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#   NotSyn[([<action>|-[,{audit|-}])]
+#   NotSyn[([<action>])]
 #
 #       Default action is DROP
 #
 ##########################################################################################
-FORMAT 2
+?FORMAT 2
 
 DEFAULTS DROP,-
 
 ?BEGIN PERL;
 
+use strict;
 use Shorewall::IPAddrs;
 use Shorewall::Config;
 use Shorewall::Chains;
+use Shorewall::Rules;
 
 my ( $action, $audit ) = get_action_params( 2 );
 
-fatal_error "Invalid parameter ($audit) to action NotSyn"   if supplied $audit && $audit ne 'audit';
-fatal_error "Invalid parameter ($action) to action NotSyn"  unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
+if ( supplied $audit ) {
+     fatal_error "Invalid parameter ($audit) to action NotSyn" if $audit ne 'audit';
+     $action = "A_$action";
+}    
 
-my $chainref         = get_action_chain;
-my ( $level, $tag )  = get_action_logging;
-my $target           = require_audit ( $action , $audit );
-
-log_rule_limit $level, $chainref, 'NotSyn' , $action, '', $tag, 'add', '-p 6 ! --syn ' if $level ne '';
-add_jump $chainref , $target, 0, '-p 6 ! --syn ';
-
-allow_optimize( $chainref );
+perl_action_tcp_helper( $action, '-p 6 ! --syn' );
 
 1;
 

Shorewall/action.RST

@@ -22,12 +22,12 @@
 #       along with this program; if not, write to the Free Software
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#   RST[([<action>|-[,{audit|-}])]
+#   RST[([<action>])]
 #
 #       Default action is DROP
 #
 ##########################################################################################
-FORMAT 2
+?FORMAT 2
 
 DEFAULTS DROP,-
 
@@ -35,20 +35,16 @@ DEFAULTS DROP,-
 
 use Shorewall::Config;
 use Shorewall::Chains;
+use Shorewall::Rules;
 
 my ( $action, $audit ) = get_action_params( 2 );
 
-fatal_error "Invalid parameter ($audit) to action NotSyn"   if supplied $audit && $audit ne 'audit';
-fatal_error "Invalid parameter ($action) to action NotSyn"  unless $action =~ /^(?:ACCEPT|DROP)$/;
+if ( supplied $audit ) {
+     fatal_error "Invalid parameter ($audit) to action RST" if $audit ne 'audit';
+     $action = "A_$action";
+}    
 
-my $chainref         = get_action_chain;
-my ( $level, $tag )  = get_action_logging;
-my $target           = require_audit ( $action , $audit );
-
-log_rule_limit $level, $chainref, 'RST' , $action, '', $tag, 'add', '-p 6 --tcp-flags RST RST ' if $level ne '';
-add_jump $chainref , $target, 0, '-p 6 --tcp-flags RST RST, ';
-
-allow_optimize( $chainref );
+perl_action_tcp_helper( $action, '-p 6 --tcp-flags RST RST' );
 
 1;
 

Shorewall/action.Reject

@@ -27,9 +27,9 @@
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 ###############################################################################
-FORMAT 2
+?FORMAT 2
 #
-# The following magic provides different defaults for $2 thru $5, when $1 is
+# The following magic provides different defaults for @2 thru @5, when @1 is
 # 'audit'.
 #
 ?BEGIN PERL;
@@ -62,33 +62,33 @@ COUNT
 #
 # Don't log 'auth' -- REJECT
 #
-Auth($2)
+Auth(@2)
 #
 # Drop Broadcasts so they don't clutter up the log
 # (broadcasts must *not* be rejected).
 #
-Broadcast(DROP,$1)
+Broadcast(DROP,@1)
 #
 # ACCEPT critical ICMP types
 #
-AllowICMPs($4)	-	-	icmp
+AllowICMPs(@4)	-	-	icmp
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log (these ICMPs cannot be
 # rejected).
 #
-Invalid(DROP,$1)
+Invalid(DROP,@1)
 #
 # Reject Microsoft noise so that it doesn't clutter up the log.
 #
-SMB($3)
-DropUPnP($5)
+SMB(@3)
+DropUPnP(@5)
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #
-NotSyn(DROP,$1)	-	-	tcp
+NotSyn(DROP,@1)	-	-	tcp
 #
 # Drop late-arriving DNS replies. These are just a nuisance and clutter up
 # the log.
 #
-DropDNSrep($5)
+DropDNSrep(@5)

Shorewall/action.Related

@@ -0,0 +1,50 @@
+#
+# Shorewall 4 - Related Action
+#
+#    /usr/share/shorewall/action.Related
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
+#
+#       Complete documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#   Related[([<action>])]
+#
+#       Default action is DROP
+#
+##########################################################################################
+?FORMAT 2
+
+DEFAULTS DROP
+
+?BEGIN PERL;
+
+use strict;
+use Shorewall::IPAddrs;
+use Shorewall::Config;
+use Shorewall::Chains;
+use Shorewall::Rules;
+
+my ( $action ) = get_action_params( 1 );
+
+if ( my $check = check_state( 'RELATED' ) ) {
+    perl_action_helper( $action, $check == 1 ? "$globals{STATEMATCH} RELATED" : '', 'RELATED' );
+}
+
+1;
+
+?END PERL;

Shorewall/action.TCPFlags

@@ -1,7 +1,7 @@
 #
-# Shorewall version 4 - Drop Smurfs Action
+# Shorewall version 4 - Drop TCPFlags Action
 #
-# /usr/share/shorewall/action.DropSmurfs
+# /usr/share/shorewall/action.TCPFlags
 #
 #   Accepts a single optional parameter:
 #
@@ -9,50 +9,30 @@
 #          audit = Audit dropped packets.
 #
 #################################################################################
-FORMAT 2
+?FORMAT 2
 
-DEFAULTS DROP,-
+DEFAULTS -
 
 ?BEGIN PERL;
 use strict;
 use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6);
 use Shorewall::Chains;
+use Shorewall::Rules;
 
-my ( $disposition, $audit ) = get_action_params( 2 );
+my $action = 'DROP';
 
-my $chainref        = get_action_chain;
-my ( $level, $tag ) = get_action_logging;
+my ( $audit ) = get_action_params( 1 );
 
-fatal_error q(The first argument to 'TCPFlags' must be ACCEPT, REJECT, or DROP) unless $disposition =~ /^(ACCEPT|REJECT|DROP)$/;
-
-if ( $level ne '-' || $audit ne '-' ) {
-    my $logchainref = ensure_filter_chain newlogchain( $chainref->{table} ), 0;
-
-    log_rule_limit( $level,
-		    $logchainref,
-		    $chainref->{name},
-		    $disposition,
-		    '',
-		    $tag,
-		    'add',
-		    '' ) if $level;
-
-    if ( supplied $audit ) {
-	fatal_error "Invalid argument ($audit) to TCPFlags" if $audit ne 'audit';
-	require_capability 'AUDIT_TARGET', q(Passing 'audit' to the TCPFlags action), 's';
-	add_ijump( $logchainref, j => 'AUDIT --type ' . lc $disposition );
-    }
-
-    add_ijump( $logchainref, g => $disposition );
-
-    $disposition = $logchainref;
+if ( supplied $audit ) {
+     fatal_error "Invalid parameter ($audit) to action TCPFlags" if $audit ne 'audit';
+     $action = "A_DROP";
 }    
 
-add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags ALL FIN,URG,PSH';
-add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags ALL NONE';
-add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags SYN,RST SYN,RST';
-add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags SYN,FIN SYN,FIN';
-add_ijump $chainref , g => $disposition, p => 'tcp --syn --sport 0';
+perl_action_tcp_helper( $action, '-p tcp --tcp-flags ALL FIN,URG,PSH' );
+perl_action_tcp_helper( $action, '-p tcp --tcp-flags ALL NONE' );
+perl_action_tcp_helper( $action, '-p tcp --tcp-flags SYN,RST SYN,RST' );
+perl_action_tcp_helper( $action, '-p tcp --tcp-flags SYN,FIN SYN,FIN' );
+perl_action_tcp_helper( $action, '-p tcp --syn --sport 0' );
 
 ?END PERL;
 

Shorewall/action.Untracked

@@ -0,0 +1,49 @@
+#
+# Shorewall 4 - Untracked Action
+#
+#    /usr/share/shorewall/action.Untracked
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
+#
+#       Complete documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#   Untracked[([<action>])]
+#
+#       Default action is DROP
+#
+##########################################################################################
+?FORMAT 2
+
+DEFAULTS DROP
+
+?BEGIN PERL;
+
+use Shorewall::IPAddrs;
+use Shorewall::Config;
+use Shorewall::Chains;
+use Shorewall::Rules;
+
+my ( $action ) = get_action_params( 1 );
+
+if ( my $check = check_state( 'UNTRACKED' ) ) {
+    perl_action_helper( $action, $check == 1 ? "$globals{STATEMATCH} UNTRACKED" : '' , 'UNTRACKED' );
+}
+
+1;
+
+?END PERL;

Shorewall/action.allowInvalid

@@ -0,0 +1,53 @@
+#
+# Shorewall 4 - allowInvalid Action
+#
+#    /usr/share/shorewall/action.allowInvalid
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2011 - Tom Eastep (teastep@shorewall.net)
+#
+#       Complete documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#   allowInvalid[([audit])]
+#
+##########################################################################################
+?FORMAT 2
+
+DEFAULTS -
+
+?BEGIN PERL;
+
+use strict;
+use Shorewall::IPAddrs;
+use Shorewall::Config;
+use Shorewall::Chains;
+use Shorewall::Rules;
+
+my $action = 'ACCEPT';
+
+my ( $audit ) = get_action_params( 1 );
+
+if ( supplied $audit ) {
+     fatal_error "Invalid parameter ($audit) to action allowInvalid" if $audit ne 'audit';
+     $action = "A_ACCEPT";
+}    
+
+perl_action_helper( "Invalid($action)", '' );
+
+1;
+
+?END PERL;

Shorewall/action.dropInvalid

@@ -0,0 +1,53 @@
+#
+# Shorewall 4 - dropInvalid Action
+#
+#    /usr/share/shorewall/action.dropInvalid
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2011 - Tom Eastep (teastep@shorewall.net)
+#
+#       Complete documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#   dropInvalid[([audit])]
+#
+##########################################################################################
+?FORMAT 2
+
+DEFAULTS -
+
+?BEGIN PERL;
+
+use strict;
+use Shorewall::IPAddrs;
+use Shorewall::Config;
+use Shorewall::Chains;
+use Shorewall::Rules;
+
+my $action = 'DROP';
+
+my ( $audit ) = get_action_params( 1 );
+
+if ( supplied $audit ) {
+     fatal_error "Invalid parameter ($audit) to action dropInvalid" if $audit ne 'audit';
+     $action = "A_DROP";
+}    
+
+perl_action_helper( "Invalid($action)", '' );
+
+1;
+
+?END PERL;

Shorewall/action.template

@@ -20,7 +20,7 @@
 #
 #######################################################################################################
 #                                         DO NOT REMOVE THE FOLLOWING LINE
-FORMAT 2
-####################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS
+?FORMAT 2
+#################################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH        HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP

Shorewall/actions.std

@@ -15,31 +15,29 @@
 #    dropBcast		# Silently Drop Broadcast/multicast
 #    dropNotSyn		# Silently Drop Non-syn TCP packets
 #    rejNotSyn		# Silently Reject Non-syn TCP packets
-#    dropInvalid	# Silently Drop packets that are in the INVALID
-#			# conntrack state.
-#    allowInvalid	# Accept packets that are in the INVALID
-#			# conntrack state.
 #    allowoutUPnP	# Allow traffic from local command 'upnpd' (does not
 #                       # work with kernel 2.6.14 and later).
 #    allowinUPnP	# Allow UPnP inbound (to firewall) traffic
 #    forwardUPnP	# Allow traffic that upnpd has redirected from
 #			# 'upnp' interfaces.
-#    drop1918src        # Drop packets with an RFC 1918 source address
-#    drop1918dst        # Drop packets with an RFC 1918 original dest address
-#    rej1918src         # Reject packets with an RFC 1918 source address
-#    rej1918dst         # Reject packets with an RFC 1918 original dest address
 #    Limit              # Limit the rate of connections from each individual
 #                       # IP address
 #
 ###############################################################################
 #ACTION
-A_Drop 		    # Audited Default Action for DROP policy
-A_Reject	    # Audited Default action for REJECT policy
-Broadcast	    # Handles Broadcast/Multicast/Anycast
-Drop		    # Default Action for DROP policy
-DropSmurfs          # Drop smurf packets
-Invalid             # Handles packets in the INVALID conntrack state
-NotSyn              # Handles TCP packets which do not have SYN=1 and ACK=0
-Reject		    # Default Action for REJECT policy
-RST		    # Handle packets with RST set
-TCPFlags            # Handle bad flag combinations.
+A_Drop 		                # Audited Default Action for DROP policy
+A_Reject	                # Audited Default action for REJECT policy
+allowInvalid inline		# Accepts packets in the INVALID conntrack state
+Broadcast    noinline           # Handles Broadcast/Multicast/Anycast
+Drop		                # Default Action for DROP policy
+dropInvalid  inline		# Drops packets in the INVALID conntrack state
+DropSmurfs   noinline           # Drop smurf packets
+Established  inline		# Handles packets in the ESTABLISHED state
+Invalid      inline             # Handles packets in the INVALID conntrack state
+New	     inline             # Handles packets in the NEW conntrack state
+NotSyn       inline             # Handles TCP packets which do not have SYN=1 and ACK=0
+Reject                          # Default Action for REJECT policy
+Related      inline             # Handles packets in the RELATED conntrack state
+RST	     inline             # Handle packets with RST set
+TCPFlags    			# Handle bad flag combinations.
+Untracked    inline             # Handles packets in the UNTRACKED conntrack state

Shorewall/configfiles/actions

@@ -7,6 +7,6 @@
 #
 # Please see http://shorewall.net/Actions.html for additional information.
 #
-###############################################################################
-#ACTION             COMMENT (place '# ' below the 'C' in comment followed by
-#                           a comment describing the action)
+########################################################################################
+#ACTION    OPTIONS		COMMENT (place '# ' below the 'C' in comment followed by
+#                        	v        a comment describing the action)

Shorewall/configfiles/arprules

@@ -0,0 +1,8 @@
+#
+# Shorewall version 4 - arprules File
+#
+# For information about entries in this file, type "man shorewall-arprules"
+#
+##############################################################################################################
+#ACTION				SOURCE				DEST				ARP
+#												OPCODE

Shorewall/configfiles/conntrack

@@ -3,51 +3,51 @@
 #
 # For information about entries in this file, type "man shorewall-conntrack"
 #
-#############################################################################################
-FORMAT 2
-#ACTION			SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/
+##############################################################################################################
+?FORMAT 3
+#ACTION			SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/		SWITCH
 #								PORT(S)		PORT(S)	GROUP
 ?if $AUTOHELPERS && __CT_TARGET
 
 ?if __AMANDA_HELPER
-CT:helper:amanda	all		-		udp	10080
+CT:helper:amanda:PO	-		-		udp	10080
 ?endif
 
 ?if __FTP_HELPER
-CT:helper:ftp		all		-		tcp	21
+CT:helper:ftp:PO	-		-		tcp	21
 ?endif
 
 ?if __H323_HELPER
-CT:helper:RAS		all		-		udp	1719
-CT:helper:Q.931		all		-		tcp	1720
+CT:helper:RAS:PO	-		-		udp	1719
+CT:helper:Q.931:PO	-		-		tcp	1720
 ?endif
 
 ?if __IRC_HELPER
-CT:helper:irc		all		-		tcp	6667
+CT:helper:irc:PO	-		-		tcp	6667
 ?endif
 
 ?if __NETBIOS_NS_HELPER
-CT:helper:netbios-ns	all		-		udp	137
+CT:helper:netbios-ns:PO	-		-		udp	137
 ?endif
 
 ?if __PPTP_HELPER
-CT:helper:pptp		all		-		tcp	1723
+CT:helper:pptp:PO	-		-		tcp	1723
 ?endif
 
 ?if __SANE_HELPER
-CT:helper:sane		all		-		tcp	6566
+CT:helper:sane:PO	-		-		tcp	6566
 ?endif
 
 ?if __SIP_HELPER
-CT:helper:sip		all		-		udp	5060
+CT:helper:sip:PO	-		-		udp	5060
 ?endif
 
 ?if __SNMP_HELPER
-CT:helper:snmp		all		-		udp	161
+CT:helper:snmp:PO	-		-		udp	161
 ?endif
 
 ?if __TFTP_HELPER
-CT:helper:tftp		all		-		udp	69
+CT:helper:tftp:PO	-		-		udp	69
 ?endif
 
 ?endif

Shorewall/configfiles/interfaces

@@ -7,6 +7,6 @@
 # http://www.shorewall.net/manpages/shorewall-interfaces.html
 #
 ###############################################################################
-FORMAT 2
+?FORMAT 2
 ###############################################################################
 #ZONE		INTERFACE		OPTIONS

Shorewall/configfiles/rules

@@ -6,10 +6,12 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-rules.html
 #
-#################################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH        HELPER
+######################################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS		SWITCH		HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
+#SECTION INVALID
+#SECTION UNTRACKED
 SECTION NEW

Shorewall/configfiles/shorewall.conf

@@ -23,6 +23,8 @@ VERBOSITY=1
 
 BLACKLIST_LOGLEVEL=
 
+INVALID_LOG_LEVEL=
+
 LOG_MARTIANS=Yes
 
 LOG_VERBOSITY=2
@@ -51,10 +53,14 @@ STARTUP_LOG=/var/log/shorewall-init.log
 
 TCP_FLAGS_LOG_LEVEL=info
 
+UNTRACKED_LOG_LEVEL=
+
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
 
+ARPTABLES=
+
 CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
 
 GEOIPDIR=/usr/share/xt_geoip/LE
@@ -114,13 +120,15 @@ ADD_SNAT_ALIASES=No
 
 ADMINISABSENTMINDED=Yes
 
+IGNOREUNKNOWNVARIABLES=No
+
 AUTOCOMMENT=Yes
 
 AUTOHELPERS=Yes
 
 AUTOMAKE=No
 
-BLACKLISTNEWONLY=Yes
+BLACKLIST="NEW,INVALID,UNTRACKED"
 
 CLAMPMSS=No
 
@@ -128,6 +136,8 @@ CLEAR_TC=Yes
 
 COMPLETE=No
 
+DEFER_DNS_RESOLUTION=Yes
+
 DELETE_THEN_ADD=Yes
 
 DETECT_DNAT_IPADDRS=No
@@ -192,6 +202,8 @@ RETAIN_ALIASES=No
 
 ROUTE_FILTER=No
 
+SAVE_ARPTABLES=No
+
 SAVE_IPSETS=No
 
 TC_ENABLED=Internal
@@ -206,6 +218,8 @@ USE_DEFAULT_RT=No
 
 USE_PHYSICAL_NAMES=No
 
+WARNOLDCAPVERSION=Yes
+
 ZONE2ZONE=2
 
 ###############################################################################
@@ -214,6 +228,8 @@ ZONE2ZONE=2
 
 BLACKLIST_DISPOSITION=DROP
 
+INVALID_DISPOSITION=CONTINUE
+
 MACLIST_DISPOSITION=REJECT
 
 RELATED_DISPOSITION=ACCEPT
@@ -226,6 +242,8 @@ SFILTER_DISPOSITION=DROP
 
 TCP_FLAGS_DISPOSITION=DROP
 
+UNTRACKED_DISPOSITION=CONTINUE
+
 ################################################################################
 #			P A C K E T  M A R K  L A Y O U T
 ################################################################################

Shorewall/configfiles/tcinterfaces

@@ -7,4 +7,4 @@
 # information.
 #
 ###############################################################################
-#INTERFACE	TYPE		IN-BANDWIDTH
+#INTERFACE	TYPE		IN-BANDWIDTH		OUT-BANDWIDTH

Shorewall/configfiles/tcrules

@@ -10,7 +10,7 @@
 # See http://shorewall.net/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
 ##########################################################################################################################################
-FORMAT 2
+?FORMAT 2
 ##########################################################################################################################################
 #ACTION	SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS   CONNBYTES		HELPER    PROBABILITY DSCP
 #						PORT(S)	PORT(S)

Shorewall/init.archlinux.sh

@@ -1,60 +0,0 @@
-#!/bin/bash
-
-OPTIONS="-f"
-
-if [ -f /etc/sysconfig/shorewall ] ; then
-	. /etc/sysconfig/shorewall
-elif [ -f /etc/default/shorewall ] ; then
-	. /etc/default/shorewall
-fi
-
-# if you want to override options, do so in /etc/sysconfig/shorewall or
-# in /etc/default/shorewall --
-# i strongly encourage you use the latter, since /etc/sysconfig/ does not exist.
-
-. /etc/rc.conf
-. /etc/rc.d/functions
-
-DAEMON_NAME="shorewall" # of course shorewall is NOT a deamon.
-
-export SHOREWALL_INIT_SCRIPT=1
-
-case "$1" in
-	start)
-		stat_busy "Starting $DAEMON_NAME"
-		/sbin/shorewall $OPTIONS start &>/dev/null
-		if [ $? -gt 0 ]; then
-			stat_fail
-		else
-			add_daemon $DAEMON_NAME
-			stat_done
-		fi
-		;;
-
-
-	stop)
-		stat_busy "Stopping $DAEMON_NAME"
-		/sbin/shorewall stop &>/dev/null
-		if [ $? -gt 0 ]; then
-			stat_fail
-		else
-			rm_daemon $DAEMON_NAME
-			stat_done
-		fi
-		;;
-
-	restart|reload)
-		stat_busy "Restarting $DAEMON_NAME"
-		/sbin/shorewall restart &>/dev/null
-		if [ $? -gt 0  ]; then
-			stat_fail
-		else
-			stat_done
-		fi
-		;;
-
-	*)
-		echo "usage: $0 {start|stop|restart}"
-esac
-exit 0
-

Shorewall/install.sh

@@ -641,6 +641,19 @@ if [ -f masq ]; then
 	echo "Masquerade file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/masq"
     fi
 fi
+
+if [ -f arprules ]; then
+    #
+    # Install the ARP rules file
+    #
+    run_install $OWNERSHIP -m 0644 arprules           ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
+    run_install $OWNERSHIP -m 0644 arprules.annotated ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
+
+    if [ -z "$SPARSE" -a ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/arprules ]; then
+	run_install $OWNERSHIP -m 0600 arprules${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/arprules
+	echo "ARP rules file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/arprules"
+    fi
+fi
 #
 # Install the Conntrack file
 #

Shorewall/lib.cli-std

@@ -136,6 +136,12 @@ get_config() {
 			exit 2
 		    fi
 		    ;;
+		ipset)
+		    #
+		    # Old config files had this as default
+		    #
+		    IPSET=''
+		    ;;
 		*)
 		    prog="$(mywhich $IPSET 2> /dev/null)"
 		    if [ -z "$prog" ] ; then
@@ -146,7 +152,7 @@ get_config() {
 		    ;;
 	    esac
 	else
-	    IPSET='ipset'
+	    IPSET=''
 	fi
 
 	if [ -n "$TC" ]; then
@@ -420,6 +426,7 @@ compiler() {
     [ -n "$g_update" ] && options="$options --update"
     [ -n "$g_convert" ] && options="$options --convert"
     [ -n "$g_annotate" ] && options="$options --annotate"
+    [ -n "$g_directives" ] && options="$options --directives"
 
     if [ -n "$PERL" ]; then
 	if [ ! -x "$PERL" ]; then
@@ -728,10 +735,6 @@ check_command() {
 			    g_confess=Yes
 			    option=${option#T}
 			    ;;
-			a*)
-			    g_annotate=Yes
-			    option=${option#a}
-			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -820,6 +823,10 @@ update_command() {
 			    g_convert=Yes
 			    option=${option#b}
 			    ;;
+			D*)
+			    g_directives=Yes
+			    option=${option#D}
+			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -1309,7 +1316,7 @@ try_command() {
 
     [ -n "$nolock" ] || mutex_on
 
-    if run_it ${VARDIR}/.$command $command && [ -n "$timeout" ]; then
+    if run_it ${VARDIR}/.$command $g_debugging $command && [ -n "$timeout" ]; then
 	sleep $timeout
 
 	if [ "$command" = "restart" ]; then
@@ -1662,7 +1669,7 @@ usage() # $1 = exit status
     echo "   status"
     echo "   stop"
     echo "   try <directory> [ <timeout> ]"
-    echo "   update [ -a ] [ -b ] [ -r ] [ -T ] [ <directory> ]"
+    echo "   update [ -a ] [ -b ] [ -r ] [ -T ] [ -D ] [ <directory> ]"
     echo "   version [ -a ]"
     echo
     exit $1

Shorewall/manpages/shorewall-accounting.xml

@@ -182,7 +182,7 @@
         <term><emphasis role="bold">ACTION</emphasis> - {<emphasis
         role="bold">COUNT</emphasis>|<emphasis
         role="bold">DONE</emphasis>|<emphasis>chain</emphasis>[:<emphasis
-        role="bold">{COUNT</emphasis>|JUMP}]|ACCOUNT(<replaceable>table</replaceable>,<replaceable>network</replaceable>)|COMMENT
+        role="bold">{COUNT</emphasis>|JUMP}]|ACCOUNT(<replaceable>table</replaceable>,<replaceable>network</replaceable>)|[?]COMMENT
         <emphasis>comment</emphasis>}</term>
 
         <listitem>
@@ -323,7 +323,7 @@
             </varlistentry>
 
             <varlistentry>
-              <term><emphasis role="bold">COMMENT</emphasis></term>
+              <term><emphasis role="bold">[?]COMMENT</emphasis></term>
 
               <listitem>
                 <para>The remainder of the line is treated as a comment which
@@ -331,6 +331,11 @@
                 found or until the end of the file is reached. To stop adding
                 comments to rules, use a line with only the word
                 COMMENT.</para>
+
+                <note>
+                  <para>Beginning with Shorewall 4.5.11, ?COMMENT is a synonym
+                  for COMMENT and is preferred.</para>
+                </note>
               </listitem>
             </varlistentry>
           </variablelist>
@@ -344,7 +349,9 @@
         <listitem>
           <para>The name of a <emphasis>chain</emphasis>. If specified as
           <emphasis role="bold">-</emphasis> the <emphasis
-          role="bold">accounting</emphasis> chain is assumed. This is the
+          role="bold">accounting</emphasis> chain is assumed when the file is
+          un-sectioned. When the file is sectioned, the default is one of
+          accountin, accountout, etc. depending on the section. This is the
           chain where the accounting rule is added. The
           <emphasis>chain</emphasis> will be created if it doesn't already
           exist. The <emphasis>chain</emphasis> may not exceed 29 characters
@@ -365,7 +372,8 @@
           <para>The name of an <replaceable>interface</replaceable>, an
           <replaceable>address</replaceable> (host or net) or an
           <replaceable>interface</replaceable> name followed by ":" and a host
-          or net <replaceable>address</replaceable>.</para>
+          or net <replaceable>address</replaceable>. An ipset name is also
+          accepted as an <replaceable>address</replaceable>.</para>
         </listitem>
       </varlistentry>
 
@@ -387,12 +395,12 @@
       <varlistentry>
         <term><emphasis role="bold">PROTOCOL (proto)</emphasis> - {<emphasis
         role="bold">-</emphasis>|<emphasis
-        role="bold">any</emphasis>|<emphasis
+        role="bold">{any</emphasis>|<emphasis
         role="bold">all</emphasis>|<emphasis>protocol-name</emphasis>|<emphasis>protocol-number</emphasis>|<emphasis
         role="bold">ipp2p</emphasis>[<emphasis
         role="bold">:</emphasis>{<emphasis
         role="bold">udp</emphasis>|<emphasis
-        role="bold">all</emphasis>}]}</term>
+        role="bold">all</emphasis>}]}[,...]}</term>
 
         <listitem>
           <para>A <emphasis>protocol-name</emphasis> (from protocols(5)), a
@@ -400,6 +408,9 @@
           role="bold">ipp2p</emphasis>, <emphasis
           role="bold">ipp2p:udp</emphasis> or <emphasis
           role="bold">ipp2p:all</emphasis></para>
+
+          <para>Beginning with Shorewall 4.5.12, this column can accept a
+          comma-separated list of protocols.</para>
         </listitem>
       </varlistentry>
 

Shorewall/manpages/shorewall-actions.xml

@@ -28,11 +28,87 @@
     the iptables rules to be performed in an ACTION in
     /etc/shorewall/action.<emphasis>action-name</emphasis>.</para>
 
-    <para>ACTION names should begin with an upper-case letter to distinguish
-    them from Shorewall-generated chain names and be composed of letters,
-    digits or numbers. If you intend to log from the action then the name must
-    be no longer than 11 characters in length if you use the standard
-    LOGFORMAT.</para>
+    <para>Columns are:</para>
+
+    <variablelist>
+      <varlistentry>
+        <term>NAME</term>
+
+        <listitem>
+          <para>The name of the action. ACTION names should begin with an
+          upper-case letter to distinguish them from Shorewall-generated chain
+          names and be composed of letters, digits or numbers. If you intend
+          to log from the action then the name must be no longer than 11
+          characters in length if you use the standard LOGFORMAT.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>OPTIONS</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.10. Available options are:</para>
+
+          <variablelist>
+            <varlistentry>
+              <term>inline</term>
+
+              <listitem>
+                <para>Causes the action body (defined in
+                action.<replaceable>action-name</replaceable>) to be expanded
+                in-line like a macro rather than in its own chain. You can
+                list Shorewall Standard Actions in this file to specify the
+                <option>inline</option> option.</para>
+
+                <caution>
+                  <para>Some of the Shorewall standard actions cannot be used
+                  in-line and will generate a warning and the compiler will
+                  ignore <option>inline</option> if you try to use them that
+                  way:</para>
+
+                  <simplelist>
+                    <member>Broadcast</member>
+
+                    <member>DropSmurfs</member>
+
+                    <member>Invalid (Prior to Shorewall 4.5.13)</member>
+
+                    <member>NotSyn (Prior to Shorewall 4.5.13)</member>
+
+                    <member>RST (Prior to Shorewall 4.5.13)</member>
+
+                    <member>TCPFlags</member>
+                  </simplelist>
+                </caution>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>noinline</term>
+
+              <listitem>
+                <para>Causes any later <option>inline</option> option for the
+                same action to be ignored with a warning.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>nolog</term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.11. When this option is
+                specified, the compiler does not automatically apply the log
+                level and/or tag from the invocation of the action to all
+                rules inside of the action. Rather, it simply sets the
+                $_loglevel and $_logtag shell variables which can be used
+                within the action body to apply those logging options only to
+                a subset of the rules.</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+        </listitem>
+      </varlistentry>
+    </variablelist>
   </refsect1>
 
   <refsect1>

Shorewall/manpages/shorewall-arprules.xml

@@ -0,0 +1,378 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<refentry>
+  <refmeta>
+    <refentrytitle>shorewall-arprules</refentrytitle>
+
+    <manvolnum>5</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>arprules</refname>
+
+    <refpurpose>Shorewall ARP rules file</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>/etc/shorewall/arprules</command>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>Description</title>
+
+    <para>This file was added in Shorwall 4.5.12 and is used to describe
+    low-level rules managed by arptables (8). These rules only affect Address
+    Resolution Protocol (ARP), Reverse Address Resolution Protocol (RARP) and
+    Dynamic Reverse Address Resolution Protocol (DRARP) frames.</para>
+
+    <para>The columns in the file are as shown below. MAC addresses are
+    specified normally (6 hexidecimal numbers separated by colons).</para>
+
+    <variablelist>
+      <varlistentry>
+        <term><emphasis role="bold">ACTION</emphasis></term>
+
+        <listitem>
+          <para>Describes the action to take when a frame matches the criteria
+          in the other columns. Possible values are:</para>
+
+          <variablelist>
+            <varlistentry>
+              <term><emphasis role="bold">ACCEPT</emphasis></term>
+
+              <listitem>
+                <para>This is the default action if no rules matches a frame;
+                it lets the frame go through.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">DROP</emphasis></term>
+
+              <listitem>
+                <para>Causes the frame to be dropped.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">SNAT:</emphasis><replaceable>ip-address</replaceable></term>
+
+              <listitem>
+                <para>Modifies the source IP address to the specified
+                <replaceable>ip-address</replaceable>.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">DNAT:</emphasis><replaceable>ip-address</replaceable></term>
+
+              <listitem>
+                <para>Modifies the destination IP address to the specified
+                <replaceable>ip-address</replaceable>.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">SMAT:</emphasis><replaceable>mac-address</replaceable></term>
+
+              <listitem>
+                <para>Modifies the source MAC address to the specified
+                <replaceable>mac-address</replaceable>.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">DMAT:</emphasis><replaceable>mac-address</replaceable></term>
+
+              <listitem>
+                <para>Modifies the destination MAC address to the specified
+                <replaceable>mac-address</replaceable>.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">SNATC:</emphasis><replaceable>ip-address</replaceable></term>
+
+              <listitem>
+                <para>Like SNAT except that the frame is then passed to the
+                next rule.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">DNATC:</emphasis><replaceable>ip-address</replaceable></term>
+
+              <listitem>
+                <para>Like DNAT except that the frame is then passed to the
+                next rule.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">SMATC:</emphasis><replaceable>mac-address</replaceable></term>
+
+              <listitem>
+                <para>Like SMAT except that the frame is then passed to the
+                next rule.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">DMATC:</emphasis><replaceable>mac-address</replaceable></term>
+
+              <listitem>
+                <para>Like DMAT except that the frame is then passed to the
+                next rule.</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">SOURCE</emphasis> - <emphasis
+        role="bold">[<replaceable>interface</replaceable>[:[!]<replaceable>ipaddress</replaceable>[/ip<replaceable>mask</replaceable>][:[!]<replaceable>macaddress</replaceable>[/<replaceable>macmask</replaceable>]]]]</emphasis></term>
+
+        <listitem>
+          <para>Where</para>
+
+          <variablelist>
+            <varlistentry>
+              <term><replaceable>interface</replaceable></term>
+
+              <listitem>
+                <para>Is an interface defined in
+                shorewall-interfaces(5).</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><replaceable>ipaddress</replaceable></term>
+
+              <listitem>
+                <para>is an IPv4 address. DNS names are not allowed.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><replaceable>ipmask</replaceable></term>
+
+              <listitem>
+                <para>specifies a mask to be applied to
+                <replaceable>ipaddress</replaceable>.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><replaceable>macaddress</replaceable></term>
+
+              <listitem>
+                <para>The source MAC address.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><replaceable>macmask</replaceable></term>
+
+              <listitem>
+                <para>Mask for MAC address; must be specified as 6 hexidecimal
+                numbers separated by colons.</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+
+          <para>When '!' is specified, the test is inverted.</para>
+
+          <para>If not specified, matches only frames originating on the
+          firewall itself.</para>
+
+          <caution>
+            <para>Either SOURCE or DEST must be specified.</para>
+          </caution>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">DEST</emphasis> - <emphasis
+        role="bold">[<replaceable>interface</replaceable>[:[!]<replaceable>ipaddress</replaceable>[/ip<replaceable>mask</replaceable>][:[!]<replaceable>macaddress</replaceable>[/<replaceable>macmask</replaceable>]]]]</emphasis></term>
+
+        <listitem>
+          <para>Where</para>
+
+          <variablelist>
+            <varlistentry>
+              <term><replaceable>interface</replaceable></term>
+
+              <listitem>
+                <para>Is an interface defined in
+                shorewall-interfaces(5).</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><replaceable>ipaddress</replaceable></term>
+
+              <listitem>
+                <para>is an IPv4 address. DNS Names are not allowed.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><replaceable>ipmask</replaceable></term>
+
+              <listitem>
+                <para>specifies a mask to be applied to frame
+                addresses.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><replaceable>macaddress</replaceable></term>
+
+              <listitem>
+                <para>The destination MAC address.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><replaceable>macmask</replaceable></term>
+
+              <listitem>
+                <para>Mask for MAC address; must be specified as 6 hexidecimal
+                numbers separated by colons.</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+
+          <para>When '!' is specified, the test is inverted and the rule
+          matches frames which do not match the specified address/mask.</para>
+
+          <para>If not specified, matches only frames originating on the
+          firewall itself.</para>
+
+          <para>If both SOURCE and DEST are specified, then both interfaces
+          must be bridge ports on the same bridge.</para>
+
+          <caution>
+            <para>Either SOURCE or DEST must be specified.</para>
+          </caution>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>ARP OPCODE - [[!]<replaceable>opcode</replaceable>]</term>
+
+        <listitem>
+          <para>Optional. Describes the type of frame. Possible
+          <replaceable>opcode</replaceable> values are:</para>
+
+          <variablelist>
+            <varlistentry>
+              <term>1</term>
+
+              <listitem>
+                <para>ARP Request</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>2</term>
+
+              <listitem>
+                <para>ARP Reply</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>3</term>
+
+              <listitem>
+                <para>RARP Request</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>4</term>
+
+              <listitem>
+                <para>RARP Reply</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>5</term>
+
+              <listitem>
+                <para>Dynamic RARP Request</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>6</term>
+
+              <listitem>
+                <para>Dynamic RARP Reply</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>7</term>
+
+              <listitem>
+                <para>Dynamic RARP Error</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>8</term>
+
+              <listitem>
+                <para>InARP Request</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>9</term>
+
+              <listitem>
+                <para>ARP NAK</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+
+          <para>When '!' is specified, the test is inverted and the rule
+          matches frames which do not match the specifed
+          <replaceable>opcode</replaceable>.</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1>
+    <title>Example</title>
+
+    <para>The eth1 interface has both a pubiic IP address and a private
+    address (10.1.10.11/24). When sending ARP requests to 10.1.10.0/24, use
+    the private address as the IP source:</para>
+
+    <programlisting>#ACTION                SOURCE                  DEST                ARP OPCODE
+SNAT:10.1.10.11        -                       eth1:10.1.10.0/24   1</programlisting>
+  </refsect1>
+
+  <refsect1>
+    <title>FILES</title>
+
+    <para>/etc/shorewall/arprules</para>
+  </refsect1>
+</refentry>

Shorewall/manpages/shorewall-blrules.xml

@@ -46,7 +46,7 @@
         role="bold">NFQUEUE</emphasis>[<emphasis
         role="bold">(</emphasis><emphasis>queuenumber</emphasis><emphasis
         role="bold">)</emphasis>]<emphasis
-        role="bold">|COMMENT</emphasis>|<emphasis>action</emphasis>|<emphasis>macro</emphasis>[<emphasis
+        role="bold">|[?]COMMENT</emphasis>|<emphasis>action</emphasis>|<emphasis>macro</emphasis>[<emphasis
         role="bold">(</emphasis><emphasis>target</emphasis><emphasis
         role="bold">)</emphasis>]}<emphasis
         role="bold">[:</emphasis>{<emphasis>log-level</emphasis>|<emphasis
@@ -182,15 +182,20 @@
             </varlistentry>
 
             <varlistentry>
-              <term><emphasis role="bold">COMMENT</emphasis></term>
+              <term><emphasis role="bold">[?]COMMENT</emphasis></term>
 
               <listitem>
-                <para>the rest of the line will be attached as a comment to
+                <para>The rest of the line will be attached as a comment to
                 the Netfilter rule(s) generated by the following entries. The
                 comment will appear delimited by "/* ... */" in the output of
                 "shorewall show &lt;chain&gt;". To stop the comment from being
                 attached to further rules, simply include COMMENT on a line by
                 itself.</para>
+
+                <note>
+                  <para>Beginning with Shorewall 4.5.11, ?COMMENT is a synonym
+                  for COMMENT and is preferred.</para>
+                </note>
               </listitem>
             </varlistentry>
 

Shorewall/manpages/shorewall-conntrack.xml

@@ -32,19 +32,39 @@
     role="bold">raw</emphasis> table. In 4.5.7, the file's name was changed to
     <emphasis role="bold">conntrack</emphasis>.</para>
 
-    <para>The file supports two different column layouts: FORMAT 1 and FORMAT
-    2, FORMAT 1 being the default. The two differ in that FORMAT 2 has an
-    additional leading ACTION column. When an entry in the file of this form
-    is encountered, the format of the following entries are assumed to be of
-    the specified <replaceable>format</replaceable>.</para>
+    <para>The file supports two different column layouts: FORMAT 1, FORMAT 2,
+    and FORMAT 3, FORMAT 1 being the default. The three differ as
+    follows:</para>
+
+    <itemizedlist>
+      <listitem>
+        <para>in FORMAT 2 and 3, there is an additional leading ACTION
+        column.</para>
+      </listitem>
+
+      <listitem>
+        <para>in FORMAT 3, the SOURCE column accepts no zone name; rather the
+        ACTION column allows a SUFFIX that determines the chain(s) that the
+        generated rule will be added to.</para>
+      </listitem>
+    </itemizedlist>
+
+    <para>When an entry in the following form is encountered, the format of
+    the following entries are assumed to be of the specified
+    <replaceable>format</replaceable>.</para>
 
     <simplelist>
-      <member><emphasis role="bold">FORMAT</emphasis>
+      <member><emphasis role="bold">[?]FORMAT</emphasis>
       <replaceable>format</replaceable></member>
     </simplelist>
 
     <para>where <replaceable>format</replaceable> is either <emphasis
-    role="bold">1</emphasis> or <emphasis role="bold">2</emphasis>.</para>
+    role="bold">1</emphasis>,<emphasis role="bold">2</emphasis> or <emphasis
+    role="bold">3</emphasis>.</para>
+
+    <para>Format 3 was introduced in Shorewall 4.5.10. The optional '?' was
+    introduced in Shorewall 4.5.11 and ?FORMAT is the preferred form; the form
+    without the '?' is deprecated.</para>
 
     <para>Comments may be attached to Netfilter rules generated from entries
     in this file through the use of COMMENT lines. These lines begin with the
@@ -53,6 +73,11 @@
     the end of the file is reached. To stop adding comments to rules, use a
     line with only the word COMMENT.</para>
 
+    <note>
+      <para>Beginning with Shorewall 4.5.11, ?COMMENT is a synonym for COMMENT
+      and is preferred.</para>
+    </note>
+
     <para>The columns in the file are as follows (where the column name is
     followed by a different name in parentheses, the different name is used in
     the alternate specification syntax).</para>
@@ -63,12 +88,12 @@
         role="bold">NOTRACK</emphasis>|<emphasis
         role="bold">CT</emphasis>:<emphasis
         role="bold">helper</emphasis>:<replaceable>name</replaceable>[(<replaceable>arg</replaceable>=<replaceable>val</replaceable>[,...])|<emphasis
-        role="bold">CT:notrack</emphasis>}</term>
+        role="bold">CT:notrack</emphasis>|DROP}[:<replaceable>chain-designator</replaceable>]</term>
 
         <listitem>
-          <para>This column is only present when FORMAT = 2. Values other than
-          NOTRACK require <firstterm>CT Target </firstterm>support in your
-          iptables and kernel.</para>
+          <para>This column is only present when FORMAT &gt;= 2. Values other
+          than NOTRACK or DROP require <firstterm>CT Target
+          </firstterm>support in your iptables and kernel.</para>
 
           <itemizedlist>
             <listitem>
@@ -78,6 +103,13 @@
               <para>Disables connection tracking for this packet.</para>
             </listitem>
 
+            <listitem>
+              <para><option>DROP</option></para>
+
+              <para>Added in Shorewall 4.5.10. Silently discard the
+              packet.</para>
+            </listitem>
+
             <listitem>
               <para><option>helper</option>:<replaceable>name</replaceable></para>
 
@@ -143,6 +175,14 @@
                   </listitem>
                 </varlistentry>
 
+                <varlistentry>
+                  <term></term>
+
+                  <listitem>
+                    <para></para>
+                  </listitem>
+                </varlistentry>
+
                 <varlistentry>
                   <term>sane</term>
 
@@ -217,11 +257,46 @@
 
           <para>When FORMAT = 1, this column is not present and the rule is
           processed as if NOTRACK had been entered in this column.</para>
+
+          <para>Beginning with Shorewall 4.5.10, when FORMAT = 3, this column
+          can end with a colon followed by a
+          <replaceable>chain-designator</replaceable>. The
+          <replaceable>chain-designator</replaceable> can be one of the
+          following:</para>
+
+          <variablelist>
+            <varlistentry>
+              <term>P</term>
+
+              <listitem>
+                <para>The rule is added to the raw table PREROUTING chain.
+                This is the default if no
+                <replaceable>chain-designator</replaceable> is present.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>O</term>
+
+              <listitem>
+                <para>The rule is added to the raw table OUTPUT chain.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>PO or OP</term>
+
+              <listitem>
+                <para>The rule is added to the raw table PREROUTING and OUTPUT
+                chains.</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
         </listitem>
       </varlistentry>
 
       <varlistentry>
-        <term>SOURCE ‒
+        <term>SOURCE (formats 1 and 2) ‒
         {<emphasis>zone</emphasis>[:<emphasis>interface</emphasis>][:<emphasis>address-list</emphasis>]|COMMENT}</term>
 
         <listitem>
@@ -235,54 +310,56 @@
           <para>Beginning with Shorewall 4.5.7, <option>all</option> can be
           used as the <replaceable>zone</replaceable> name to mean
           <firstterm>all zones</firstterm>.</para>
+
+          <para>Beginning with Shorewall 4.5.10, <option>all-</option> can be
+          used as the <replaceable>zone</replaceable> name to mean all
+          <firstterm>off-firewall zone</firstterm>s.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>SOURCE (format 3) ‒
+        {-|<emphasis>interface</emphasis>[:<emphasis>address-list</emphasis>]|<replaceable>address-list</replaceable>}</term>
+
+        <listitem>
+          <para>Where <replaceable>interface</replaceable> is an interface to
+          that zone, and <replaceable>address-list</replaceable> is a
+          comma-separated list of addresses (may contain exclusion - see
+          <ulink url="shorewall-exclusion.html">shorewall-exclusion</ulink>
+          (5)).</para>
+
+          <para>COMMENT is only allowed in format 1; the remainder of the line
+          is treated as a comment that will be associated with the generated
+          rule(s).</para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>DEST ‒
-        [<replaceable>interface</replaceable>|<replaceable>address-list</replaceable>]</term>
+        {-|<emphasis>interface</emphasis>[:<emphasis>address-list</emphasis>]|<replaceable>address-list</replaceable>}</term>
 
         <listitem>
-          <para>where <replaceable>interface</replaceable> is the name of a
-          network interface and <replaceable>address-list</replaceable> is a
+          <para>where <replaceable>address-list</replaceable> is a
           comma-separated list of addresses (may contain exclusion - see
-          <ulink url="shorewall-exclusion.html">shorewall-exclusion</ulink>
-          (5)). If an interface is given:</para>
-
-          <itemizedlist>
-            <listitem>
-              <para>It must be up and configured with an IPv4 address when
-              Shorewall is started or restarted.</para>
-            </listitem>
-
-            <listitem>
-              <para>All routes out of the interface must be configured when
-              Shorewall is started or restarted.</para>
-            </listitem>
-
-            <listitem>
-              <para>Default routes out of the interface will result in a
-              warning message and will be ignored.</para>
-            </listitem>
-          </itemizedlist>
-
-          <para>These restrictions are because Netfilter doesn't support
-          NOTRACK rules that specify a destination interface (these rules are
-          applied before packets are routed and hence the destination
-          interface is unknown). Shorewall uses the routes out of the
-          interface to replace the interface with an address list
-          corresponding to the networks routed out of the named
-          interface.</para>
+          <ulink url="shorewall-exclusion.html">shorewall6-exclusion</ulink>
+          (5)).</para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>PROTO ‒
-        <replaceable>protocol-name-or-number</replaceable></term>
+        <replaceable>protocol-name-or-number</replaceable>[,...]</term>
 
         <listitem>
           <para>A protocol name from <filename>/etc/protocols</filename> or a
           protocol number.</para>
+
+          <para>Beginning with Shorewall 4.5.12, this column is labeled
+          <emphasis role="bold">PROTOS</emphasis> and can accept a
+          comma-separated list of protocols. Either <emphasis
+          role="bold">proto</emphasis> or <emphasis
+          role="bold">protos</emphasis> is accepted in the alternate input
+          format.</para>
         </listitem>
       </varlistentry>
 
@@ -320,15 +397,82 @@
           id and or group id of the process sending the traffic.</para>
         </listitem>
       </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">SWITCH -
+        [!]<replaceable>switch-name</replaceable>[={0|1}]</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.10 and allows enabling and disabling
+          the rule without requiring <command>shorewall
+          restart</command>.</para>
+
+          <para>The rule is enabled if the value stored in
+          <filename>/proc/net/nf_condition/<replaceable>switch-name</replaceable></filename>
+          is 1. The rule is disabled if that file contains 0 (the default). If
+          '!' is supplied, the test is inverted such that the rule is enabled
+          if the file contains 0.</para>
+
+          <para>Within the <replaceable>switch-name</replaceable>, '@0' and
+          '@{0}' are replaced by the name of the chain to which the rule is a
+          added. The <replaceable>switch-name</replaceable> (after '...'
+          expansion) must begin with a letter and be composed of letters,
+          decimal digits, underscores or hyphens. Switch names must be 30
+          characters or less in length.</para>
+
+          <para>Switches are normally <emphasis role="bold">off</emphasis>. To
+          turn a switch <emphasis role="bold">on</emphasis>:</para>
+
+          <simplelist>
+            <member><command>echo 1 &gt;
+            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
+          </simplelist>
+
+          <para>To turn it <emphasis role="bold">off</emphasis> again:</para>
+
+          <simplelist>
+            <member><command>echo 0 &gt;
+            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
+          </simplelist>
+
+          <para>Switch settings are retained over <command>shorewall
+          restart</command>.</para>
+
+          <para>When the <replaceable>switch-name</replaceable> is followed by
+          <option>=0</option> or <option>=1</option>, then the switch is
+          initialized to off or on respectively by the
+          <command>start</command> command. Other commands do not affect the
+          switch setting.</para>
+        </listitem>
+      </varlistentry>
     </variablelist>
   </refsect1>
 
   <refsect1>
     <title>EXAMPLE</title>
 
+    <para>Example 1:</para>
+
     <programlisting>#ACTION                       SOURCE            DEST               PROTO            DEST              SOURCE              USER/GROUP
 #                                                                                   PORT(S)           PORT(S)
 CT:helper:ftp(expevents=new)  fw                -                  tcp              21              </programlisting>
+
+    <para>Example 2 (Shorewall 4.5.10 or later):</para>
+
+    <para>Drop traffic to/from all zones to IP address 1.2.3.4</para>
+
+    <programlisting>FORMAT 2
+#ACTION                       SOURCE             DEST               PROTO            DEST              SOURCE              USER/GROUP
+#                                                                                   PORT(S)           PORT(S)
+DROP                          all-:1.2.3.4       -
+DROP                          all                1.2.3.4</programlisting>
+
+    <para>or<programlisting>FORMAT 3
+#ACTION                       SOURCE             DEST               PROTO            DEST              SOURCE              USER/GROUP
+#                                                                                   PORT(S)           PORT(S)
+DROP:P                        1.2.3.4            -
+DROP:PO                       -                  1.2.3.4
+</programlisting></para>
   </refsect1>
 
   <refsect1>

Shorewall/manpages/shorewall-interfaces.xml

@@ -52,9 +52,12 @@
     <para>The format is specified by a line as follows:</para>
 
     <blockquote>
-      <para><emphasis role="bold">FORMAT {1|2}</emphasis></para>
+      <para><emphasis role="bold">[?]FORMAT {1|2}</emphasis></para>
     </blockquote>
 
+    <para>The optional '?' was introduced in Shorewall 4.5.11 and ?FORMAT is
+    the preferred form; the form without the '?' is deprecated.</para>
+
     <para>The columns in the file are as follows.</para>
 
     <variablelist>
@@ -461,7 +464,7 @@ loc     eth2            -</programlisting>
             </varlistentry>
 
             <varlistentry>
-              <term>nosmurfs</term>
+              <term><emphasis role="bold">nosmurfs</emphasis></term>
 
               <listitem>
                 <para>Filter packets for smurfs (packets with a broadcast
@@ -637,7 +640,7 @@ loc     eth2            -</programlisting>
             </varlistentry>
 
             <varlistentry>
-              <term>rpfilter</term>
+              <term><emphasis role="bold">rpfilter</emphasis></term>
 
               <listitem>
                 <para>Added in Shorewall 4.5.7. This is an anti-spoofing
@@ -651,7 +654,8 @@ loc     eth2            -</programlisting>
             </varlistentry>
 
             <varlistentry>
-              <term>sfilter=(<emphasis>net</emphasis>[,...])</term>
+              <term><emphasis
+              role="bold">sfilter=(<emphasis>net</emphasis>[,...])</emphasis></term>
 
               <listitem>
                 <para>Added in Shorewall 4.4.20. This option provides an

Shorewall/manpages/shorewall-masq.xml

@@ -49,7 +49,7 @@
         role="bold">+</emphasis>]<emphasis>interfacelist</emphasis>[<emphasis
         role="bold">:</emphasis>[<emphasis>digit</emphasis>]][<emphasis
         role="bold">:</emphasis>[<emphasis>dest-address</emphasis>[<emphasis
-        role="bold">,</emphasis><emphasis>dest-address</emphasis>]...[<emphasis>exclusion</emphasis>]]|COMMENT}</term>
+        role="bold">,</emphasis><emphasis>dest-address</emphasis>]...[<emphasis>exclusion</emphasis>]]|[?]COMMENT}</term>
 
         <listitem>
           <para>Outgoing <emphasis>interfacelist</emphasis>. This may be a
@@ -118,13 +118,18 @@
           COMMENT line is found or until the end of the file is reached. To
           stop adding comments to rules, use a line with only the word
           COMMENT.</para>
+
+          <note>
+            <para>Beginning with Shorewall 4.5.11, ?COMMENT is a synonym for
+            COMMENT and is preferred.</para>
+          </note>
         </listitem>
       </varlistentry>
 
       <varlistentry>
         <term><emphasis role="bold">SOURCE</emphasis> (Formerly called SUBNET)
         -
-        {<emphasis>interface</emphasis>[:<emphasis>exclusion</emphasis>]|<emphasis>address</emphasis>[<emphasis
+        {<emphasis>interface</emphasis>|<emphasis>address</emphasis>[<emphasis
         role="bold">,</emphasis><emphasis>address</emphasis>][<emphasis>exclusion</emphasis>]}</term>
 
         <listitem>
@@ -137,20 +142,6 @@
           fact. (Shorewall will use your main routing table to determine the
           appropriate addresses to masquerade).</para>
 
-          <para>In order to exclude a address of the specified SOURCE, you may
-          append an <emphasis>exclusion</emphasis> ("!" and a comma-separated
-          list of IP addresses (host or net) that you wish to exclude (see
-          <ulink
-          url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5))).
-          Note that a colon (":") must appear between an
-          <replaceable>interface</replaceable> name and the
-          <replaceable>exclusion</replaceable>;</para>
-
-          <para>Example: eth1:!192.168.1.4,192.168.32.0/27</para>
-
-          <para>In that example traffic from eth1 would be masqueraded unless
-          it came from 192.168.1.4 or 196.168.32.0/27</para>
-
           <para>The preferred way to specify the SOURCE is to supply one or
           more host or network addresses separated by comma. You may use ipset
           names preceded by a plus sign (+) to specify a set of hosts.</para>
@@ -228,12 +219,15 @@
 
       <varlistentry>
         <term><emphasis role="bold">PROTO</emphasis> (Optional) - {<emphasis
-        role="bold">-</emphasis>|[!]<emphasis>protocol-name</emphasis>|[!]<emphasis>protocol-number</emphasis>}</term>
+        role="bold">-</emphasis>|[!]{<emphasis>protocol-name</emphasis>|<emphasis>protocol-number</emphasis>}[,...]}</term>
 
         <listitem>
           <para>If you wish to restrict this entry to a particular protocol
           then enter the protocol name (from protocols(5)) or number
           here.</para>
+
+          <para>Beginning with Shorewall 4.5.12, this column can accept a
+          comma-separated list of protocols.</para>
         </listitem>
       </varlistentry>
 
@@ -475,7 +469,7 @@
 
       <varlistentry>
         <term><emphasis role="bold">SWITCH -
-        [!]<replaceable>switch-name</replaceable></emphasis></term>
+        [!]<replaceable>switch-name</replaceable>[={0|1}]</emphasis></term>
 
         <listitem>
           <para>Added in Shorewall 4.5.1 and allows enabling and disabling the
@@ -485,10 +479,14 @@
           <filename>/proc/net/nf_condition/<replaceable>switch-name</replaceable></filename>
           is 1. The rule is disabled if that file contains 0 (the default). If
           '!' is supplied, the test is inverted such that the rule is enabled
-          if the file contains 0. <replaceable>switch-name</replaceable> must
-          begin with a letter and be composed of letters, decimal digits,
-          underscores or hyphens. Switch names must be 30 characters or less
-          in length.</para>
+          if the file contains 0.</para>
+
+          <para>Within the <replaceable>switch-name</replaceable>, '@0' and
+          '@{0}' are replaced by the name of the chain to which the rule is a
+          added. The <replaceable>switch-name</replaceable> (after '@...'
+          expansion) must begin with a letter and be composed of letters,
+          decimal digits, underscores or hyphens. Switch names must be 30
+          characters or less in length.</para>
 
           <para>Switches are normally <emphasis role="bold">off</emphasis>. To
           turn a switch <emphasis role="bold">on</emphasis>:</para>
@@ -507,6 +505,13 @@
 
           <para>Switch settings are retained over <command>shorewall
           restart</command>.</para>
+
+          <para>Beginning with Shoreawll 4.5.10, when the
+          <replaceable>switch-name</replaceable> is followed by
+          <option>=0</option> or <option>=1</option>, then the switch is
+          initialized to off or on respectively by the
+          <command>start</command> command. Other commands do not affect the
+          switch setting.</para>
         </listitem>
       </varlistentry>
 
@@ -619,6 +624,29 @@
         eth0:+myset[dst]        -               206.124.146.177</programlisting>
         </listitem>
       </varlistentry>
+
+      <varlistentry>
+        <term>Example 7:</term>
+
+        <listitem>
+          <para>SNAT outgoing connections on eth0 from 192.168.1.0/24 in
+          round-robin fashion between addresses 1.1.1.1, 1.1.1.3, and 1.1.1.9
+          (Shorewall 4.5.9 and later).</para>
+
+          <programlisting>/etc/shorewall/tcrules:
+
+       #ACTION   SOURCE         DEST         PROTO   PORT(S)       SOURCE  USER    TEST
+       #                                                           PORT(S)
+       1-3:CF    192.168.1.0/24 eth0 ; state=NEW
+
+/etc/shorewall/masq:
+
+       #INTERFACE SOURCE         ADDRESS     ...
+       eth0       192.168.1.0/24 1.1.1.1 ; mark=1:C
+       eth0       192.168.1.0/24 1.1.1.3 ; mark=2:C
+       eth0       192.168.1.0/24 1.1.1.4 ; mark=3:C</programlisting>
+        </listitem>
+      </varlistentry>
     </variablelist>
   </refsect1>
 

Shorewall/manpages/shorewall-nat.xml

@@ -42,7 +42,7 @@
     <variablelist>
       <varlistentry>
         <term><emphasis role="bold">EXTERNAL</emphasis> -
-        {<emphasis>address</emphasis>|COMMENT}</term>
+        {<emphasis>address</emphasis>|[?]COMMENT}</term>
 
         <listitem>
           <para>External IP Address - this should NOT be the primary IP
@@ -56,6 +56,11 @@
 
           <para>To stop the comment from being attached to further rules,
           simply include COMMENT on a line by itself.</para>
+
+          <note>
+            <para>Beginning with Shorewall 4.5.11, ?COMMENT is a synonym for
+            COMMENT and is preferred.</para>
+          </note>
         </listitem>
       </varlistentry>
 

Shorewall/manpages/shorewall-policy.xml

@@ -91,7 +91,7 @@
         role="bold">QUEUE</emphasis>|<emphasis
         role="bold">NFQUEUE</emphasis>[(<emphasis>queuenumber</emphasis>)]|<emphasis
         role="bold">NONE</emphasis>}[<emphasis
-        role="bold">:</emphasis>{<emphasis>default-action-or-macro</emphasis>|<emphasis
+        role="bold">:</emphasis>{<emphasis>default-action-or-macro</emphasis>[:level]|<emphasis
         role="bold">None</emphasis>}]</term>
 
         <listitem>
@@ -109,24 +109,19 @@
             </listitem>
 
             <listitem>
-              <para>The name of an action (requires that USE_ACTIONS=Yes in
-              <ulink url="shorewall.conf.html">shorewall.conf</ulink>(5)).
-              That action will be invoked before the policy is
-              enforced.</para>
-            </listitem>
-
-            <listitem>
-              <para>The name of a macro. The rules in that macro will be
-              applied before the policy is enforced. This does not require
-              USE_ACTIONS=Yes.</para>
+              <para>The name of an action. The action will be invoked before
+              the policy is enforced.</para>
             </listitem>
           </orderedlist>
 
-          <blockquote>
-            <programlisting></programlisting>
+          <para>Actions can have parameters specified.</para>
 
-            <para>Possible policies are:</para>
-          </blockquote>
+          <para>Beginning with Shorewall 4.5.10, the action name can be
+          followed optionally by a colon and a log level. The level will be
+          applied to each rule in the action or body that does not already
+          have a log level.</para>
+
+          <para>Possible actions are:</para>
 
           <variablelist>
             <varlistentry>

Shorewall/manpages/shorewall-rules.xml

@@ -81,8 +81,41 @@
           <para>The only ACTIONs allowed in this section are ACCEPT, DROP,
           REJECT, LOG and QUEUE</para>
 
-          <para>There is an implicit ACCEPT rule inserted at the end of this
-          section.</para>
+          <para>There is an implicit rule added at the end of this section
+          that invokes the RELATED_DISPOSITION (<ulink
+          url="shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">INVALID</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.13. Packets in the INVALID state are
+          processed by rules in this section.</para>
+
+          <para>The only Actions allowed in this section are ACCEPT, DROP,
+          REJECT, LOG and QUEUE.</para>
+
+          <para>There is an implicit rule added at the end of this section
+          that invokes the INVALID_DISPOSITION (<ulink
+          url="shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">UNTRACKED</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.13. Packets in the UNTRACKED state are
+          processed by rules in this section.</para>
+
+          <para>The only Actions allowed in this section are ACCEPT, DROP,
+          REJECT, LOG and QUEUE.</para>
+
+          <para>There is an implicit rule added at the end of this section
+          that invokes the UNTRACKED_DISPOSITION (<ulink
+          url="shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
         </listitem>
       </varlistentry>
 
@@ -191,6 +224,50 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><emphasis>action</emphasis></term>
+
+              <listitem>
+                <para>The name of an <emphasis>action</emphasis> declared in
+                <ulink
+                url="shorewall-actions.html">shorewall-actions</ulink>(5) or
+                in /usr/share/shorewall/actions.std.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">ADD(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.4.12. Causes addresses and/or port
+                numbers to be added to the named
+                <replaceable>ipset</replaceable>. The
+                <replaceable>flags</replaceable> specify the address or tupple
+                to be added to the set and must match the type of ipset
+                involved. For example, for an iphash ipset, either the SOURCE
+                or DESTINATION address can be added using
+                <replaceable>flags</replaceable> <emphasis
+                role="bold">src</emphasis> or <emphasis
+                role="bold">dst</emphasis> respectively (see the -A command in
+                ipset (8)).</para>
+
+                <para>ADD is non-terminating. Even if a packet matches the
+                rule, it is passed on to the next rule.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>AUDIT[(accept|drop|reject)]</term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.10. Audits the packet with the
+                specified type; if the type is omitted, then
+                <option>drop</option> is assumed. Require AUDIT_TARGET support
+                in the kernel and iptables.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term>A_ACCEPT, A_ACCEPT+ and A_ACCEPT!</term>
 
@@ -201,35 +278,6 @@
               </listitem>
             </varlistentry>
 
-            <varlistentry>
-              <term><emphasis role="bold">NONAT</emphasis></term>
-
-              <listitem>
-                <para>Excludes the connection from any subsequent <emphasis
-                role="bold">DNAT</emphasis>[-] or <emphasis
-                role="bold">REDIRECT</emphasis>[-] rules but doesn't generate
-                a rule to accept the traffic.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">DROP</emphasis></term>
-
-              <listitem>
-                <para>Ignore the request.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">DROP!</emphasis></term>
-
-              <listitem>
-                <para>like DROP but exempts the rule from being suppressed by
-                OPTIMIZE=1 in <ulink
-                url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
-              </listitem>
-            </varlistentry>
-
             <varlistentry>
               <term>A_DROP and A_DROP!</term>
 
@@ -240,25 +288,6 @@
               </listitem>
             </varlistentry>
 
-            <varlistentry>
-              <term><emphasis role="bold">REJECT</emphasis></term>
-
-              <listitem>
-                <para>disallow the request and return an icmp-unreachable or
-                an RST packet.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">REJECT!</emphasis></term>
-
-              <listitem>
-                <para>like REJECT but exempts the rule from being suppressed
-                by OPTIMIZE=1 in <ulink
-                url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
-              </listitem>
-            </varlistentry>
-
             <varlistentry>
               <term>A_REJECT AND A_REJECT!</term>
 
@@ -270,46 +299,20 @@
             </varlistentry>
 
             <varlistentry>
-              <term><emphasis role="bold">DNAT</emphasis></term>
+              <term><emphasis role="bold">[?]COMMENT</emphasis></term>
 
               <listitem>
-                <para>Forward the request to another system (and optionally
-                another port).</para>
-              </listitem>
-            </varlistentry>
+                <para>the rest of the line will be attached as a comment to
+                the Netfilter rule(s) generated by the following entries. The
+                comment will appear delimited by "/* ... */" in the output of
+                "shorewall show &lt;chain&gt;". To stop the comment from being
+                attached to further rules, simply include COMMENT on a line by
+                itself.</para>
 
-            <varlistentry>
-              <term><emphasis role="bold">DNAT-</emphasis></term>
-
-              <listitem>
-                <para>Advanced users only.</para>
-
-                <para>Like <emphasis role="bold">DNAT</emphasis> but only
-                generates the <emphasis role="bold">DNAT</emphasis> iptables
-                rule and not the companion <emphasis
-                role="bold">ACCEPT</emphasis> rule.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">REDIRECT</emphasis></term>
-
-              <listitem>
-                <para>Redirect the request to a server running on the
-                firewall.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">REDIRECT-</emphasis></term>
-
-              <listitem>
-                <para>Advanced users only.</para>
-
-                <para>Like <emphasis role="bold">REDIRECT</emphasis> but only
-                generates the <emphasis role="bold">REDIRECT</emphasis>
-                iptables rule and not the companion <emphasis
-                role="bold">ACCEPT</emphasis> rule.</para>
+                <note>
+                  <para>Beginning with Shorewall 4.5.11, ?COMMENT is a synonym
+                  for COMMENT and is preferred.</para>
+                </note>
               </listitem>
             </varlistentry>
 
@@ -341,69 +344,6 @@
               </listitem>
             </varlistentry>
 
-            <varlistentry>
-              <term><emphasis role="bold">LOG</emphasis></term>
-
-              <listitem>
-                <para>Simply log the packet and continue with the next
-                rule.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">QUEUE</emphasis></term>
-
-              <listitem>
-                <para>Queue the packet to a user-space application such as
-                ftwall (http://p2pwall.sf.net). The application may reinsert
-                the packet for further processing.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">QUEUE!</emphasis></term>
-
-              <listitem>
-                <para>like QUEUE but exempts the rule from being suppressed by
-                OPTIMIZE=1 in <ulink
-                url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis
-              role="bold">NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)]</term>
-
-              <listitem>
-                <para>queues matching packets to a backend logging daemon via
-                a netlink socket then continues to the next rule. See <ulink
-                url="http://www.shorewall.net/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis
-              role="bold">NFQUEUE</emphasis>[(<replaceable>queuenumber</replaceable>)]</term>
-
-              <listitem>
-                <para>Queues the packet to a user-space application using the
-                nfnetlink_queue mechanism. If a
-                <replaceable>queuenumber</replaceable> is not specified, queue
-                zero (0) is assumed.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis
-              role="bold">NFQUEUE![(<replaceable>queuenumber</replaceable>)]</emphasis></term>
-
-              <listitem>
-                <para>like NFQUEUE but exempts the rule from being suppressed
-                by OPTIMIZE=1 in <ulink
-                url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
-              </listitem>
-            </varlistentry>
-
             <varlistentry>
               <term><emphasis role="bold">COUNT</emphasis></term>
 
@@ -414,26 +354,86 @@
             </varlistentry>
 
             <varlistentry>
-              <term><emphasis role="bold">COMMENT</emphasis></term>
+              <term><emphasis
+              role="bold">DEL(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>
 
               <listitem>
-                <para>the rest of the line will be attached as a comment to
-                the Netfilter rule(s) generated by the following entries. The
-                comment will appear delimited by "/* ... */" in the output of
-                "shorewall show &lt;chain&gt;". To stop the comment from being
-                attached to further rules, simply include COMMENT on a line by
-                itself.</para>
+                <para>Added in Shorewall 4.4.12. Causes an entry to be deleted
+                from the named <replaceable>ipset</replaceable>. The
+                <replaceable>flags</replaceable> specify the address or tupple
+                to be deleted from the set and must match the type of ipset
+                involved. For example, for an iphash ipset, either the SOURCE
+                or DESTINATION address can be deletec using
+                <replaceable>flags</replaceable> <emphasis
+                role="bold">src</emphasis> or <emphasis
+                role="bold">dst</emphasis> respectively (see the -D command in
+                ipset (8)).</para>
+
+                <para>DEL is non-terminating. Even if a packet matches the
+                rule, it is passed on to the next rule.</para>
               </listitem>
             </varlistentry>
 
             <varlistentry>
-              <term><emphasis>action</emphasis></term>
+              <term><emphasis role="bold">DNAT</emphasis></term>
 
               <listitem>
-                <para>The name of an <emphasis>action</emphasis> declared in
-                <ulink
-                url="shorewall-actions.html">shorewall-actions</ulink>(5) or
-                in /usr/share/shorewall/actions.std.</para>
+                <para>Forward the request to another system (and optionally
+                another port).</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">DNAT-</emphasis></term>
+
+              <listitem>
+                <para>Advanced users only.</para>
+
+                <para>Like <emphasis role="bold">DNAT</emphasis> but only
+                generates the <emphasis role="bold">DNAT</emphasis> iptables
+                rule and not the companion <emphasis
+                role="bold">ACCEPT</emphasis> rule.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">DROP</emphasis></term>
+
+              <listitem>
+                <para>Ignore the request.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">DROP!</emphasis></term>
+
+              <listitem>
+                <para>like DROP but exempts the rule from being suppressed by
+                OPTIMIZE=1 in <ulink
+                url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>HELPER</term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.7. This action requires that the
+                HELPER column contains the name of the Netfilter helper to be
+                associated with connections matching this connection. May only
+                be specified in the NEW section and is useful for being able
+                to specify a helper when the applicable policy is ACCEPT. No
+                destination zone should be specified in HELPER rules.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">LOG:<replaceable>level</replaceable></emphasis></term>
+
+              <listitem>
+                <para>Simply log the packet and continue with the next
+                rule.</para>
               </listitem>
             </varlistentry>
 
@@ -463,57 +463,132 @@
 
             <varlistentry>
               <term><emphasis
-              role="bold">ADD(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>
+              role="bold">NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)]</term>
 
               <listitem>
-                <para>Added in Shorewall 4.4.12. Causes addresses and/or port
-                numbers to be added to the named
-                <replaceable>ipset</replaceable>. The
-                <replaceable>flags</replaceable> specify the address or tupple
-                to be added to the set and must match the type of ipset
-                involved. For example, for an iphash ipset, either the SOURCE
-                or DESTINATION address can be added using
-                <replaceable>flags</replaceable> <emphasis
-                role="bold">src</emphasis> or <emphasis
-                role="bold">dst</emphasis> respectively (see the -A command in
-                ipset (8)).</para>
+                <para>Added in Shorewall 4.5.9.3. Queues matching packets to a
+                backend logging daemon via a netlink socket then continues to
+                the next rule. See <ulink
+                url="http://www.shorewall.net/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
 
-                <para>ADD is non-terminating. Even if a packet matches the
-                rule, it is passed on to the next rule.</para>
+                <para>Similar to<emphasis role="bold">
+                LOG:NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)],
+                except that the log level is not changed when this ACTION is
+                used in an action or macro body and the invocation of that
+                action or macro specifies a log level.</para>
               </listitem>
             </varlistentry>
 
             <varlistentry>
               <term><emphasis
-              role="bold">DEL(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>
+              role="bold">NFQUEUE</emphasis>[(<replaceable>queuenumber</replaceable>)]</term>
 
               <listitem>
-                <para>Added in Shorewall 4.4.12. Causes an entry to be deleted
-                from the named <replaceable>ipset</replaceable>. The
-                <replaceable>flags</replaceable> specify the address or tupple
-                to be deleted from the set and must match the type of ipset
-                involved. For example, for an iphash ipset, either the SOURCE
-                or DESTINATION address can be deletec using
-                <replaceable>flags</replaceable> <emphasis
-                role="bold">src</emphasis> or <emphasis
-                role="bold">dst</emphasis> respectively (see the -D command in
-                ipset (8)).</para>
-
-                <para>DEL is non-terminating. Even if a packet matches the
-                rule, it is passed on to the next rule.</para>
+                <para>Queues the packet to a user-space application using the
+                nfnetlink_queue mechanism. If a
+                <replaceable>queuenumber</replaceable> is not specified, queue
+                zero (0) is assumed.</para>
               </listitem>
             </varlistentry>
 
             <varlistentry>
-              <term>HELPER</term>
+              <term><emphasis
+              role="bold">NFQUEUE![(<replaceable>queuenumber</replaceable>)]</emphasis></term>
 
               <listitem>
-                <para>Added in Shorewall 4.5.7. This action requires that the
-                HELPER column contains the name of the Netfilter helper to be
-                associated with connections matching this connection. May only
-                be specified in the NEW section and is useful for being able
-                to specify a helper when the applicable policy is ACCEPT. No
-                destination zone should be specified in HELPER rules.</para>
+                <para>like NFQUEUE but exempts the rule from being suppressed
+                by OPTIMIZE=1 in <ulink
+                url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">NONAT</emphasis></term>
+
+              <listitem>
+                <para>Excludes the connection from any subsequent <emphasis
+                role="bold">DNAT</emphasis>[-] or <emphasis
+                role="bold">REDIRECT</emphasis>[-] rules but doesn't generate
+                a rule to accept the traffic.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">QUEUE</emphasis></term>
+
+              <listitem>
+                <para>Queue the packet to a user-space application such as
+                ftwall (http://p2pwall.sf.net). The application may reinsert
+                the packet for further processing.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">QUEUE!</emphasis></term>
+
+              <listitem>
+                <para>like QUEUE but exempts the rule from being suppressed by
+                OPTIMIZE=1 in <ulink
+                url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">REJECT</emphasis></term>
+
+              <listitem>
+                <para>disallow the request and return an icmp-unreachable or
+                an RST packet.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">REJECT!</emphasis></term>
+
+              <listitem>
+                <para>like REJECT but exempts the rule from being suppressed
+                by OPTIMIZE=1 in <ulink
+                url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">REDIRECT</emphasis></term>
+
+              <listitem>
+                <para>Redirect the request to a server running on the
+                firewall.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">REDIRECT-</emphasis></term>
+
+              <listitem>
+                <para>Advanced users only.</para>
+
+                <para>Like <emphasis role="bold">REDIRECT</emphasis> but only
+                generates the <emphasis role="bold">REDIRECT</emphasis>
+                iptables rule and not the companion <emphasis
+                role="bold">ACCEPT</emphasis> rule.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">ULOG</emphasis>[(<replaceable>ulog-parameters</replaceable>)]</term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.10. Queues matching packets to a
+                backend logging daemon via a netlink socket then continues to
+                the next rule. See <ulink
+                url="http://www.shorewall.net/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
+
+                <para>Similar to<emphasis role="bold">
+                LOG:ULOG</emphasis>[(<replaceable>ulog-parameters</replaceable>)],
+                except that the log level is not changed when this ACTION is
+                used in an action or macro body and the invocation of that
+                action or macro specifies a log level.</para>
               </listitem>
             </varlistentry>
           </variablelist>
@@ -1332,7 +1407,7 @@
 
       <varlistentry>
         <term><emphasis role="bold">SWITCH -
-        [!]<replaceable>switch-name</replaceable></emphasis></term>
+        [!]<replaceable>switch-name</replaceable>[={0|1}]</emphasis></term>
 
         <listitem>
           <para>Added in Shorewall 4.4.24 and allows enabling and disabling
@@ -1343,10 +1418,14 @@
           <filename>/proc/net/nf_condition/<replaceable>switch-name</replaceable></filename>
           is 1. The rule is disabled if that file contains 0 (the default). If
           '!' is supplied, the test is inverted such that the rule is enabled
-          if the file contains 0. <replaceable>switch-name</replaceable> must
-          begin with a letter and be composed of letters, decimal digits,
-          underscores or hyphens. Switch names must be 30 characters or less
-          in length.</para>
+          if the file contains 0.</para>
+
+          <para>Within the <replaceable>switch-name</replaceable>, '@0' and
+          '@{0}' are replaced by the name of the chain to which the rule is a
+          added. The <replaceable>switch-name</replaceable> (after '@...'
+          expansion) must begin with a letter and be composed of letters,
+          decimal digits, underscores or hyphens. Switch names must be 30
+          characters or less in length.</para>
 
           <para>Switches are normally <emphasis role="bold">off</emphasis>. To
           turn a switch <emphasis role="bold">on</emphasis>:</para>
@@ -1365,6 +1444,13 @@
 
           <para>Switch settings are retained over <command>shorewall
           restart</command>.</para>
+
+          <para>Beginning with Shoreawll 4.5.10, when the
+          <replaceable>switch-name</replaceable> is followed by
+          <option>=0</option> or <option>=1</option>, then the switch is
+          initialized to off or on respectively by the
+          <command>start</command> command. Other commands do not affect the
+          switch setting.</para>
         </listitem>
       </varlistentry>
 

Shorewall/manpages/shorewall-secmarks.xml

@@ -76,7 +76,7 @@
             </varlistentry>
 
             <varlistentry>
-              <term>COMMENT</term>
+              <term>[?]COMMENT</term>
 
               <listitem>
                 <para>The remainder of the line is treated as a comment which
@@ -84,6 +84,11 @@
                 found or until the end of the file is reached. To stop adding
                 comments to rules, use a line with only the word
                 COMMENT.</para>
+
+                <note>
+                  <para>Beginning with Shorewall 4.5.11, ?COMMENT is a synonym
+                  for COMMENT and is preferred.</para>
+                </note>
               </listitem>
             </varlistentry>
           </variablelist>
@@ -92,7 +97,7 @@
 
       <varlistentry>
         <term><emphasis role="bold">CHAIN:STATE (chain) -
-        {P|I|F|O|T}[:{N|I|NI|E|ER}]</emphasis></term>
+        {P|I|F|O|T}[:{N|I|U|IU|NI|NU|NIU|NUI:E|ER}]</emphasis></term>
 
         <listitem>
           <para>This column determines the CHAIN where the SElinux context is
@@ -125,6 +130,19 @@
 
             <member>:ER - ESTABLISHED or RELATED connection</member>
           </simplelist>
+
+          <para>Beginning with Shorewall 4.5.10, the following additional
+          options are available</para>
+
+          <simplelist>
+            <member>:U - UNTRACKED connection</member>
+
+            <member>:IU - INVALID or UNTRACKED connection</member>
+
+            <member>:NU - NEW or UNTRACKED connection</member>
+
+            <member>:NIU - NEW, INVALID or UNTRACKED connection.</member>
+          </simplelist>
         </listitem>
       </varlistentry>
     </variablelist>
@@ -209,11 +227,14 @@
         role="bold">ipp2p</emphasis>|<emphasis
         role="bold">ipp2p:udp</emphasis>|<emphasis
         role="bold">ipp2p:all</emphasis>|<emphasis>protocol-number</emphasis>|<emphasis>protocol-name</emphasis>|<emphasis
-        role="bold">all}</emphasis></term>
+        role="bold">all}[,...]</emphasis></term>
 
         <listitem>
           <para>Protocol - <emphasis role="bold">ipp2p</emphasis> requires
           ipp2p match support in your kernel and iptables.</para>
+
+          <para>Beginning with Shorewall 4.5.12, this column can accept a
+          comma-separated list of protocols.</para>
         </listitem>
       </varlistentry>
 

Shorewall/manpages/shorewall-stoppedrules.xml

@@ -92,10 +92,13 @@
 
       <varlistentry>
         <term>PROTO (Optional) ‒
-        <replaceable>protocol-name-or-number</replaceable></term>
+        <replaceable>protocol-name-or-number</replaceable>[,...]</term>
 
         <listitem>
           <para>Protocol.</para>
+
+          <para>Beginning with Shorewall 4.5.12, this column can accept a
+          comma-separated list of protocols.</para>
         </listitem>
       </varlistentry>
 

Shorewall/manpages/shorewall-tcclasses.xml

@@ -120,10 +120,7 @@
         <emphasis>interface</emphasis>[[:<emphasis>parent</emphasis>]:<emphasis>class</emphasis>]</term>
 
         <listitem>
-          <para>Name of <emphasis>interface</emphasis>. Each interface may be
-          listed only once in this file. You may NOT specify the name of an
-          alias (e.g., eth0:0) here; see <ulink
-          url="http://www.shorewall.net/FAQ.htm#faq18">http://www.shorewall.net/FAQ.htm#faq18</ulink></para>
+          <para>Name of <emphasis>interface</emphasis>.</para>
 
           <para>You may specify the interface number rather than the interface
           name. If the <emphasis role="bold">classify</emphasis> option is
@@ -263,8 +260,8 @@
             </listitem>
           </itemizedlist>
 
-          <para> The rules for classes with lower numeric priorities will
-          appear before those with higher numeric priorities. </para>
+          <para>The rules for classes with lower numeric priorities will
+          appear before those with higher numeric priorities.</para>
 
           <para>Beginning with Shorewall 4.5.8, the PRIORITY may be omitted
           from an HFSC class if you do not use the MARK column or the
@@ -504,7 +501,8 @@
                 Detection) queuing discipline rather than SFQ. See tc-red (8)
                 for additional information.</para>
 
-                <para>Allowable redoptions are:</para>
+                <para>Allowable <replaceable>redoptions</replaceable>
+                are:</para>
 
                 <variablelist>
                   <varlistentry>
@@ -601,8 +599,96 @@
                       dropping a packet. If this parameter is specified,
                       packets which indicate that their hosts honor ECN will
                       only be marked and not dropped, unless the queue size
-                      hits <replaceable>limit</replaceable> bytes. Needs a tc
-                      binary with RED support compiled in. Recommended.</para>
+                      hits <replaceable>limit</replaceable> bytes.
+                      Recommended.</para>
+                    </listitem>
+                  </varlistentry>
+                </variablelist>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>fq_codel[=(<replaceable>codeloption</replaceable>=<replaceable>value</replaceable>,
+              ...)]</term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.12. When specified for a leaf
+                class, causes the class to use the FQ_CODEL (Fair-queuing
+                Controlled Delay) queuing discipline rather than SFQ. See
+                tc-fq_codel (8) for additional information.</para>
+
+                <para>Allowable <replaceable>codeloptions</replaceable>
+                are:</para>
+
+                <variablelist>
+                  <varlistentry>
+                    <term>limit</term>
+
+                    <listitem>
+                      <para>hard limit on the real queue size. When this limit
+                      is reached, incoming packets are dropped. If the value
+                      is lowered, packets are dropped so that the new limit is
+                      met. Default is 1000 packets.</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>flows</term>
+
+                    <listitem>
+                      <para>is the number of flows into which the incoming
+                      packets are classified. Due to the stochastic nature of
+                      hashing, multiple flows may end up being hashed into the
+                      same slot. Newer flows have priority over older ones.
+                      This parameter can be set only at load time since memory
+                      has to be allocated for the hash table. Default value is
+                      1024.</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>target</term>
+
+                    <listitem>
+                      <para>is the acceptable minimum standing/persistent
+                      queue delay. This minimum delay is identified by
+                      tracking the local minimum queue delay that packets
+                      experience. Default and recommended value is 5ms.</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>interval</term>
+
+                    <listitem>
+                      <para>is used to ensure that the measured minimum delay
+                      does not become too stale. The minimum delay must be
+                      experienced in the last epoch of length interval. It
+                      should be set on the order of the worst-case RTT through
+                      the bottleneck to give endpoints sufficient time to
+                      react. Default value is 100ms.</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>quantum</term>
+
+                    <listitem>
+                      <para>is the number of bytes used as 'deficit' in the
+                      fair queuing algorithm. Default is set to 1514 bytes
+                      which corresponds to the Ethernet MTU plus the hardware
+                      header length of 14 bytes.</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>ecn | noecn</term>
+
+                    <listitem>
+                      <para>can be used to mark packets instead of dropping
+                      them. If ecn has been enabled, noecn can be used to turn
+                      it off and vice-a-versa. By default, ecn is
+                      enabled.</para>
                     </listitem>
                   </varlistentry>
                 </variablelist>