Merge branch '4.6.1' of ssh://git.code.sf.net/p/shorewall/code into 4.6.1

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/configure

@@ -98,7 +98,7 @@ if [ -z "$vendor" ]; then
 	eval $(cat /etc/os-release | grep ^ID=)
 
 	case $ID in
-	    fedora)
+	    fedora|rhel)
 		vendor=redhat
 		;;
 	    debian|ubuntu)

Shorewall-core/configure.pl

@@ -64,7 +64,7 @@ unless ( defined $vendor ) {
 
 	$id =~ s/ID=//;
 	
-	if ( $id eq 'fedora' ) {
+	if ( $id eq 'fedora' || $id eq 'rhel' ) {
 	    $vendor = 'redhat';
 	} elsif ( $id eq 'opensuse' ) {
 	    $vendor = 'suse';

Shorewall-core/install.sh

@@ -198,7 +198,7 @@ if [ -z "$BUILD" ]; then
 		eval $(cat /etc/os-release | grep ^ID)
 
 		case $ID in
-		    fedora)
+		    fedora|rhel)
 			BUILD=redhat
 			;;
 		    debian)

Shorewall-core/lib.cli

@@ -252,7 +252,15 @@ show_classifiers() {
 
 	if [ -n "$qdisc" ]; then
 	    echo Device $device:
-	    tc -s filter ls dev $device
+	    qt tc -s filter ls root dev $device && tc -s filter ls root dev $device | grep -v '^$'
+	    tc filter show dev $device
+	    tc class show dev $device | fgrep 'leaf ' | fgrep -v ' hfsc' | sed 's/^.*leaf //;s/ .*//' | while read class; do
+		if [ -n "$class" ]; then
+		    echo
+		    echo Node $class
+		    tc filter show dev $device parent $class
+		fi
+	    done
 	    echo
 	fi
     }

Shorewall-init/init.debian.sh

@@ -105,19 +105,19 @@ shorewall_start () {
   for PRODUCT in $PRODUCTS; do
       setstatedir
 
-      if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then
+      if [ -x ${STATEDIR}/firewall ]; then
           #
 	  # Run in a sub-shell to avoid name collisions
 	  #
 	  ( 
-	      if ! ${STATEDIR}/$PRODUCT/firewall status > /dev/null 2>&1; then
+	      if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
-		  ${STATEDIR}/$PRODUCT/firewall ${OPTIONS} stop || echo_notdone
+		  ${STATEDIR}/firewall ${OPTIONS} stop || echo_notdone
 	      else
 		  echo_notdone
 	      fi
 	  )
       else
-	  echo echo_notdone
+	  echo_notdone
       fi
   done
 
@@ -135,8 +135,8 @@ shorewall_stop () {
   for PRODUCT in $PRODUCTS; do
       setstatedir
 
-      if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then
+      if [ -x ${STATEDIR}/firewall ]; then
-	  ${STATEDIR}/$PRODUCT/firewall ${OPTIONS} clear || echo_notdone
+	  ${STATEDIR}/firewall ${OPTIONS} clear || echo_notdone
       fi
   done
 

Shorewall-init/install.sh

@@ -191,7 +191,7 @@ if [ -z "$BUILD" ]; then
 		eval $(cat /etc/os-release | grep ^ID=)
 
 		case $ID in
-		    fedora)
+		    fedora|rhel)
 			BUILD=redhat
 			;;
 		    debian|ubuntu)

Shorewall-lite/install.sh

@@ -206,7 +206,7 @@ if [ -z "$BUILD" ]; then
 		eval $(cat /etc/os-release | grep ^ID)
 
 		case $ID in
-		    fedora)
+		    fedora|rhel)
 			BUILD=redhat
 			;;
 		    debian)

Shorewall/Macros/macro.AMQP

@@ -0,0 +1,14 @@
+#
+# Shorewall version 4 - AMQP Macro
+#
+# /usr/share/shorewall/macro.AMQP
+#
+#	This macro handles AMQP traffic.
+#
+###############################################################################
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+PARAM	-	-	tcp	5672
+PARAM	-	-	udp	5672

Shorewall/Macros/macro.Amanda

@@ -14,7 +14,7 @@
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __AMANDA_HELPER )
- PARAM	-	-	udp	10080 ; helper=amanda
+ PARAM	-	-	udp	10080 { helper=amanda }
 ?else
  PARAM	-	-	udp	10080
 ?endif

Shorewall/Macros/macro.FTP

@@ -11,7 +11,7 @@
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __FTP_HELPER  )
- PARAM	-	-	tcp	21 ; helper=ftp
+ PARAM	-	-	tcp	21 { helper=ftp }
 ?else
  PARAM	-	-	tcp	21
 ?endif

Shorewall/Macros/macro.IPMI

@@ -0,0 +1,17 @@
+#
+# Shorewall version 4 - IPMI Macro
+#
+# /usr/share/shorewall/macro.IPMI
+#
+#	This macro handles IPMI console redirection with Dell and Supermicro.
+#
+###############################################################################
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+PARAM	-	-	tcp	623		# RMCP
+PARAM	-	-	tcp	5900,5901	# Remote Console
+PARAM	-	-	udp	623		# RMCP
+HTTP
+HTTPS

Shorewall/Macros/macro.IRC

@@ -12,7 +12,7 @@
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __IRC_HELPER  )
- PARAM	-	-	tcp	6667 ; helper=irc
+ PARAM	-	-	tcp	6667 { helper=irc }
 ?else
  PARAM	-	-	tcp	6667
 ?endif

Shorewall/Macros/macro.MongoDB

@@ -0,0 +1,13 @@
+#
+# Shorewall version 4 - MongoDB Macro
+#
+# /usr/share/shorewall/macro.MongoDB
+#
+#	This macro handles MongoDB Daemon/Router traffic.
+#
+###############################################################################
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+PARAM	-	-	tcp	27017

Shorewall/Macros/macro.PPtP

@@ -14,7 +14,7 @@ PARAM	-	-	47
 PARAM	DEST	SOURCE	47
 
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __PPTP_HELPER )
- PARAM	-	-	tcp	1723 ; helper=pptp
+ PARAM	-	-	tcp	1723 { helper=pptp }
 ?else
  PARAM	-	-	tcp	1723
 ?endif

Shorewall/Macros/macro.Redis

@@ -0,0 +1,13 @@
+#
+# Shorewall version 4 - Redis Macro
+#
+# /usr/share/shorewall/macro.Redis
+#
+#	This macro handles Redis traffic.
+#
+###############################################################################
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+PARAM	-	-	tcp	6379

Shorewall/Macros/macro.SANE

@@ -12,7 +12,7 @@
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __SANE_HELPER )
- PARAM	-	-	tcp	6566 ; helper=sane
+ PARAM	-	-	tcp	6566 { helper=sane }
 ?else
  PARAM	-	-	tcp	6566
 ?endif

Shorewall/Macros/macro.SIP

@@ -12,7 +12,7 @@
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __SIP_HELPER  )
- PARAM	-	-	udp	5060 ; helper=sip
+ PARAM	-	-	udp	5060 { helper=sip }
 ?else
  PARAM	-	-	udp	5060
 ?endif

Shorewall/Macros/macro.SMB

@@ -17,7 +17,7 @@
 PARAM	-	-	udp	135,445
 
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
- PARAM	-	-	udp	137 ; helper=netbios-ns
+ PARAM	-	-	udp	137 { helper=netbios-ns }
  PARAM	-	-	udp	138:139
 ?else
  PARAM	-	-	udp	137:139

Shorewall/Macros/macro.SMBBI

@@ -17,7 +17,7 @@
 PARAM	-	-	udp	135,445
 
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
- PARAM	-	-	udp	137 ; helper=netbios-ns
+ PARAM	-	-	udp	137 { helper=netbios-ns }
  PARAM	-	-	udp	138:139
 ?else
  PARAM	-	-	udp	137:139
@@ -28,7 +28,7 @@ PARAM	-	-	tcp	135,139,445
 PARAM	DEST	SOURCE	udp	135,445
 
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
- PARAM	DEST	SOURCE	udp	137 ; helper=netbios-ns
+ PARAM	DEST	SOURCE	udp	137 { helper=netbios-ns }
  PARAM	DEST	SOURCE	udp	138:139
 ?else
  PARAM	DEST	SOURCE	udp	137:139

Shorewall/Macros/macro.SNMP

@@ -14,7 +14,7 @@
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __SNMP_HELPER )
- PARAM	-	-  	udp     161 ; helper=snmp
+ PARAM	-	-  	udp     161 { helper=snmp }
 ?else
  PARAM	-	-	udp	161
 ?endif

Shorewall/Macros/macro.Sieve

@@ -0,0 +1,13 @@
+#
+# Shorewall version 4 - Sieve Macro
+#
+# /usr/share/shorewall/macro.Sieve
+#
+#	This macro handles sieve aka ManageSieve protocol.
+#
+###############################################################################
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+PARAM	-	-	tcp	4190

Shorewall/Macros/macro.TFTP

@@ -14,7 +14,7 @@
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __TFTP_HELPER )
- PARAM	-	-	udp	69 ; helper=tftp
+ PARAM	-	-	udp	69 { helper=tftp }
 ?else
  PARAM	-	-	udp	69
 ?endif

Shorewall/Perl/Shorewall/Compiler.pm

@@ -730,7 +730,7 @@ sub compiler {
     #
     # Do all of the zone-independent stuff (mostly /proc)
     #
-    add_common_rules( $convert );
+    add_common_rules( $convert, $tcrules );
     #
     # More /proc
     #
@@ -819,7 +819,7 @@ sub compiler {
     #
     # Setup Nat
     #
-    setup_nat if $family == F_IPV4;
+    setup_nat;
     #
     # Setup NETMAP
     #

Shorewall/Perl/Shorewall/Misc.pm

@@ -775,8 +775,8 @@ sub process_stoppedrules() {
 
 sub setup_mss();
 
-sub add_common_rules ( $ ) {
+sub add_common_rules ( $$ ) {
-    my $upgrade = shift;
+    my ( $upgrade_blacklist, $upgrade_tcrules ) = @_;
     my $interface;
     my $chainref;
     my $target;
@@ -929,8 +929,8 @@ sub add_common_rules ( $ ) {
 	    
     run_user_exit1 'initdone';
 
-    if ( $upgrade ) {
+    if ( $upgrade_blacklist ) {
-	exit 0 unless convert_blacklist;
+	exit 0 unless convert_blacklist || $upgrade_tcrules;
     } else {
 	setup_blacklist;
     }

Shorewall/Perl/Shorewall/Nat.pm

@@ -633,7 +633,7 @@ sub setup_netmap() {
 }
 
 #
-# Called from process_rule1 to add a rule to the NAT table
+# Called from process_rule to add a rule to the NAT table
 #
 sub handle_nat_rule( $$$$$$$$$$$$$ ) {
     my ( $dest,           # <server>[:port]
@@ -687,6 +687,11 @@ sub handle_nat_rule( $$$$$$$$$$$$$ ) {
 	#
 	$server = $dest;
     }
+
+    #
+    # Check for list in $server
+    #
+    fatal_error "An address list ($server) is not allowed in the DEST column of a $action RULE" if $server =~ /,/;
     #
     # Generate the target
     #

Shorewall/Perl/Shorewall/Rules.pm

@@ -2950,7 +2950,7 @@ sub perl_action_helper($$;$) {
 
     $matches .= ' ' unless $matches =~ /^(?:.+\s)?$/;
 
-    set_inline_matches $matches if $target =~ /^INLINE(?::.*)?$/;
+    set_inline_matches( $target =~ /^INLINE(?::.*)?$/ ? $matches : '' );
 
     if ( $isstatematch ) {
 	if ( $statematch ) {
@@ -3023,6 +3023,8 @@ sub perl_action_tcp_helper($$) {
 
     $proto .= ' ' unless $proto =~ /^(?:.+\s)?$/;
 
+    set_inline_matches( '' ) if $config{INLINE_MATCHES};
+
     if ( $passedproto eq '-' || $passedproto eq 'tcp' || $passedproto eq '6' ) {
 	#
 	# For other protos, a 'no rule generated' warning will be issued

Shorewall/Perl/Shorewall/Tc.pm

@@ -423,7 +423,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 	    function       => sub () {
 		require_capability 'DSCP_TARGET', 'The DSCP action', 's';
 		my $dscp = numeric_value( $params );
-		$dscp = $dscpmap{$1} unless defined $dscp;
+		$dscp = $dscpmap{$params} unless defined $dscp;
 		fatal_error( "Invalid DSCP ($params)" ) unless defined $dscp && $dscp <= 0x38 && ! ( $dscp & 1 );
 		$target = 'DSCP --set-dscp ' . in_hex( $dscp );
 	    },
@@ -562,7 +562,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 
 	RESTORE    => {
 	    defaultchain   => 0,
-	    allowedchains  => PREROUTING | FORWARD | POSTROUTING,
+	    allowedchains  => PREROUTING | FORWARD | OUTPUT | POSTROUTING,
 	    minparams      => 0,
 	    maxparams      => 1,
 	    function       => sub () {
@@ -591,7 +591,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 
 	SAVE       => {
 	    defaultchain   => 0,
-	    allowedchains  => PREROUTING | FORWARD | POSTROUTING,
+	    allowedchains  => PREROUTING | FORWARD | OUTPUT | POSTROUTING,
 	    minparams      => 0,
 	    maxparams      => 1,
 	    function       => sub () {

Shorewall/configfiles/blrules

@@ -6,7 +6,7 @@
 # Please see http://shorewall.net/blacklisting_support.htm for additional
 # information.
 #
-###################################################################################################################################################################################################
+################################################################################################################################################################################################
-#ACTION		SOURCE			DEST			PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
+#ACTION		SOURCE			DEST			PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME	HEADERS		SWITCH
 #									PORT	PORT(S)		DEST		LIMIT		GROUP
 

Shorewall/configfiles/clear

@@ -3,8 +3,8 @@
 #
 # /etc/shorewall/clear
 #
-#	Add commands below that you want to be executed after Shorewall
+# Add commands below that you want to be executed after Shorewall has
-#       has processed the 'clear' command.
+# processed the 'clear' command.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.

Shorewall/configfiles/findgw

@@ -3,12 +3,12 @@
 #
 # /etc/shorewall/findgw
 #
-#    The code in this file is executed when Shorewall is trying to detect the
+# The code in this file is executed when Shorewall is trying to detect the
-#    gateway through an interface in /etc/shorewall/providers that has GATEWAY
+# gateway through an interface in /etc/shorewall/providers that has GATEWAY
-#    specified as 'detect'.
+# specified as 'detect'.
 #
-#    The function should echo the IP address of the gateway if it knows what
+# The function should echo the IP address of the gateway if it knows what
-#    it is; the name of the interface is in $1.
+# it is; the name of the interface is in $1.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.

Shorewall/configfiles/initdone

@@ -5,7 +5,7 @@
 #
 #	Add commands below that you want to be executed during
 #	"shorewall start" or "shorewall restart" commands at the point where
-#	Shorewall has not yet added any perminent rules to the builtin chains.
+#	Shorewall has not yet added any permanent rules to the builtin chains.
 #
 # For additional information, see
 # http://shorewall.net/shorewall_extension_scripts.htm

Shorewall/configfiles/lib.private

@@ -3,9 +3,9 @@
 #
 # /etc/shorewall/lib.private
 #
-#	Use this file to declare shell functions to be called in the other
+# Use this file to declare shell functions to be called in the other
-#	run-time extension scripts. The file will be copied into the generated
+# run-time extension scripts. The file will be copied into the generated
-#       firewall script.
+# firewall script.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.

Shorewall/configfiles/mangle

@@ -9,7 +9,6 @@
 #
 # See http://shorewall.net/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
-##################################################################################################################################################
+####################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS   CONNBYTES		HELPER    PROBABILITY DSCP
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS	CONNBYTES	HELPER	PROBABILITY	DSCP
 #							PORT(S)	PORT(S)
-

Shorewall/configfiles/refresh

@@ -3,8 +3,8 @@
 #
 # /etc/shorewall/refresh
 #
-#	Add commands below that you want to be executed before Shorewall
+# Add commands below that you want to be executed before Shorewall
-#       has processed the 'refresh' command.
+# has processed the 'refresh' command.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.

Shorewall/configfiles/refreshed

@@ -3,8 +3,8 @@
 #
 # /etc/shorewall/refreshed
 #
-#	Add commands below that you want to be executed after Shorewall
+# Add commands below that you want to be executed after Shorewall has
-#       has processed the 'refresh' command.
+# processed the 'refresh' command.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.

Shorewall/configfiles/scfilter

@@ -3,8 +3,8 @@
 #
 # /etc/shorewall/scfilter
 #
-#	Replace the 'cat' command below to filter the output of
+# Replace the 'cat' command below to filter the output of
-#       'show connections.
+# 'show connections'.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.

Shorewall/configfiles/shorewall.conf

@@ -12,13 +12,13 @@
 STARTUP_ENABLED=No
 
 ###############################################################################
-#		              V E R B O S I T Y
+#			     V E R B O S I T Y
 ###############################################################################
 
 VERBOSITY=1
 
 ###############################################################################
-#		                L O G G I N G
+#			       L O G G I N G
 ###############################################################################
 
 BLACKLIST_LOG_LEVEL=
@@ -100,7 +100,7 @@ QUEUE_DEFAULT=none
 REJECT_DEFAULT=Reject
 
 ###############################################################################
-#                        R S H / R C P  C O M M A N D S
+#			 R S H / R C P	C O M M A N D S
 ###############################################################################
 
 RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
@@ -271,8 +271,8 @@ MASK_BITS=
 ZONE_BITS=0
 
 ################################################################################
-#                            L E G A C Y  O P T I O N
+#			     L E G A C Y  O P T I O N
-#                      D O  N O T  D E L E T E  O R  A L T E R
+#		       D O  N O T  D E L E T E	O R  A L T E R
 ################################################################################
 
 IPSECFILE=zones

Shorewall/configfiles/tcclasses

@@ -7,4 +7,4 @@
 #
 ###############################################################################
 #INTERFACE:CLASS	MARK	RATE:		CEIL	PRIORITY	OPTIONS
-#                               DMAX:UMAX
+#				DMAX:UMAX

Shorewall/configfiles/tcclear

@@ -3,8 +3,8 @@
 #
 # /etc/shorewall/tcclear
 #
-#	Add commands below that you want to be executed before Shorewall
+# Add commands below that you want to be executed before Shorewall clears
-#       clears the traffic shaping configuration.
+# the traffic shaping configuration.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.

Shorewall/configfiles/tcfilters

@@ -6,5 +6,5 @@
 # See http://shorewall.net/traffic_shaping.htm for additional information.
 #
 ########################################################################################################
-#INTERFACE:	SOURCE		DEST		PROTO	DEST	SOURCE   TOS		LENGTH	PRIORITY
+#INTERFACE:	SOURCE		DEST		PROTO	DEST	SOURCE	TOS		LENGTH	PRIORITY
 #CLASS							PORT(S)	PORT(S)

Shorewall/install.sh

@@ -216,7 +216,7 @@ if [ -z "$BUILD" ]; then
 		eval $(cat /etc/os-release | grep ^ID)
 
 		case $ID in
-		    fedora)
+		    fedora|rhel)
 			BUILD=redhat
 			;;
 		    debian)

Shorewall/manpages/shorewall-masq.xml

@@ -143,9 +143,10 @@
       </varlistentry>
 
       <varlistentry>
-        <term>(Formerly called SUBNET) -
+        <term><emphasis role="bold">SOURCE</emphasis> (Formerly called SUBNET
-        {<emphasis>interface</emphasis>|<emphasis>address</emphasis>[<emphasis
+        - Optional) -
-        role="bold">,</emphasis><emphasis>address</emphasis>][<emphasis>exclusion</emphasis>]}</term>
+        [<emphasis>interface</emphasis>|<emphasis>address</emphasis>[<emphasis
+        role="bold">,</emphasis><emphasis>address</emphasis>][<emphasis>exclusion</emphasis>]]</term>
 
         <listitem>
           <para>Set of hosts that you wish to masquerade. You can specify this

Shorewall/manpages/shorewall-nat.xml

@@ -136,6 +136,80 @@
     </variablelist>
   </refsect1>
 
+  <refsect1>
+    <title>RESTRICTIONS</title>
+
+    <para>DNAT rules always preempt one-to-one NAT rules. This has subtile
+    consequences when there are sub-zones on an
+    <replaceable>interface</replaceable>. Consider the following:</para>
+
+    <para><filename>/etc/shorewall/zones</filename>:</para>
+
+    <programlisting>#ZONE   TYPE    OPTIONS                 IN                      OUT
+#                                       OPTIONS                 OPTIONS
+fw      firewall
+net     ipv4
+loc     ipv4
+smc:net ipv4</programlisting>
+
+    <para><filename>/etc/shorewall/interfaces</filename>:</para>
+
+    <programlisting>#ZONE   INTERFACE       OPTIONS
+net     eth0            dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
+loc     eth1            tcpflags,nosmurfs,routefilter,logmartians</programlisting>
+
+    <para><filename>/etc/shorewall/hosts</filename>:</para>
+
+    <programlisting>#ZONE   HOST(S)                                 OPTIONS
+smc     eth0:10.1.10.0/24</programlisting>
+
+    <para><filename>/etc/shorewall/nat</filename>:</para>
+
+    <programlisting>#EXTERNAL       INTERFACE       INTERNAL        ALL             LOCAL
+#                                               INTERFACES
+10.1.10.100     eth0            172.20.1.100
+</programlisting>
+
+    <para>Note that the EXTERNAL address is in the <emphasis
+    role="bold">smc</emphasis> zone.</para>
+
+    <para><filename>/etc/shorewall/rules</filename>:</para>
+
+    <programlisting>#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/   MARK    CONNLIMIT       TIME            HEADERS     SWITCH           HELPER
+#                                                       PORT    PORT(S)         DEST            LIMIT           GROUP
+?SECTION ALL
+?SECTION ESTABLISHED
+?SECTION RELATED
+?SECTION INVALID
+?SECTION UNTRACKED
+?SECTION NEW
+...
+DNAT            net             loc:172.20.1.4  tcp     80</programlisting>
+
+    <para>For the one-to-one NAT to work correctly in this configuration, one
+    of two approaches can be taken:</para>
+
+    <orderedlist>
+      <listitem>
+        <para>Define a CONTINUE policy with <emphasis
+        role="bold">smc</emphasis> as the SOURCE zone (preferred):</para>
+
+        <programlisting>#SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
+<emphasis role="bold">smc		$FW		CONTINUE</emphasis>
+loc		net		ACCEPT
+net		all		DROP		info
+# THE FOLLOWING POLICY MUST BE LAST
+all		all		REJECT		info
+</programlisting>
+      </listitem>
+
+      <listitem>
+        <para>Set IMPLICIT_CONTINUE=Yes in <ulink
+        url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
+      </listitem>
+    </orderedlist>
+  </refsect1>
+
   <refsect1>
     <title>FILES</title>
 

Shorewall6/configfiles/actions

@@ -7,7 +7,6 @@
 #
 # Please see http://shorewall.net/Actions.html for additional information.
 #
-###############################################################################
 ########################################################################################
 #ACTION    OPTIONS              COMMENT (place '# ' below the 'C' in comment followed by
 #                               v        a comment describing the action)

Shorewall6/configfiles/blrules

@@ -6,6 +6,6 @@
 # Please see http://shorewall.net/blacklisting_support.htm for additional
 # information.
 #
-###########################################################################################################################################################################
+########################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME	HEADERS	SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP

Shorewall6/configfiles/clear

@@ -3,8 +3,8 @@
 #
 # /etc/shorewall6/clear
 #
-#	Add commands below that you want to be executed after Shorewall6
+# Add commands below that you want to be executed after Shorewall6 has
-#       has processed the 'clear' command.
+# processed the 'clear' command.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.

Shorewall6/configfiles/lib.private

@@ -3,9 +3,9 @@
 #
 # /etc/shorewall6/lib.private
 #
-#	Use this file to declare shell functions to be called in the other
+# Use this file to declare shell functions to be called in the other
-#	run-time extension scripts. The file will be copied into the generated
+# run-time extension scripts. The file will be copied into the generated
-#       firewall script.
+# firewall script.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.

Shorewall6/configfiles/mangle

@@ -1,7 +1,7 @@
 #
 # Shorewall6 version 4 - Mangle File
 #
-# For information about entries in this file, type "man shorewall6-mangle
+# For information about entries in this file, type "man shorewall6-mangle"
 #
 # See http://shorewall.net/traffic_shaping.htm for additional information.
 # For usage in selecting among multiple ISPs, see
@@ -9,6 +9,6 @@
 #
 # See http://shorewall.net/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
-###########################################################################################################################################################
+############################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS   CONNBYTES		HELPER	HEADERS    PROBABILITY DSCP
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS	CONNBYTES	HELPER	HEADERS	PROBABILITY	DSCP
 #							PORT(S)	PORT(S)

Shorewall6/configfiles/refresh

@@ -3,8 +3,8 @@
 #
 # /etc/shorewall6/refresh
 #
-#	Add commands below that you want to be executed before Shorewall6
+# Add commands below that you want to be executed before Shorewall6 has
-#       has processed the 'refresh' command.
+# processed the 'refresh' command.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.

Shorewall6/configfiles/refreshed

@@ -3,8 +3,8 @@
 #
 # /etc/shorewall6/refreshed
 #
-#	Add commands below that you want to be executed after Shorewall6
+# Add commands below that you want to be executed after Shorewall6 has
-#       has processed the 'refresh' command.
+# processed the 'refresh' command.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.

Shorewall6/configfiles/scfilter

@@ -3,8 +3,8 @@
 #
 # /etc/shorewall/scfilter
 #
-#	Replace the 'cat' command below to filter the output of
+# Replace the 'cat' command below to filter the output of
-#       'show connections.
+# 'show connections'.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.

Shorewall6/configfiles/shorewall6.conf

@@ -13,7 +13,7 @@
 STARTUP_ENABLED=No
 
 ###############################################################################
-#		              V E R B O S I T Y
+#			     V E R B O S I T Y
 ###############################################################################
 
 VERBOSITY=1
@@ -97,7 +97,7 @@ QUEUE_DEFAULT=none
 REJECT_DEFAULT=Reject
 
 ###############################################################################
-#                        R S H / R C P  C O M M A N D S
+#			 R S H / R C P	C O M M A N D S
 ###############################################################################
 
 RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'

Shorewall6/configfiles/tcclear

@@ -3,8 +3,8 @@
 #
 # /etc/shorewall6/tcclear
 #
-#	Add commands below that you want to be executed before Shorewall6
+# Add commands below that you want to be executed before Shorewall6 clears
-#       clears the traffic shaping configuration.
+# the traffic shaping configuration.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.

Shorewall6/configfiles/tcfilters

@@ -6,5 +6,5 @@
 # See http://shorewall.net/traffic_shaping.htm for additional information.
 #
 ########################################################################################################
-#INTERFACE:	SOURCE		DEST		PROTO	DEST	SOURCE   TOS		LENGTH	PRIORITY
+#INTERFACE:	SOURCE		DEST		PROTO	DEST	SOURCE	TOS		LENGTH	PRIORITY
 #CLASS							PORT(S)	PORT(S)

Shorewall6/manpages/shorewall6-masq.xml

@@ -116,9 +116,9 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">SOURCE</emphasis> -
+        <term><emphasis role="bold">SOURCE</emphasis> (Optional) -
-        {<emphasis>interface</emphasis>|<emphasis>address</emphasis>[<emphasis
+        [<emphasis>interface</emphasis>|<emphasis>address</emphasis>[<emphasis
-        role="bold">,</emphasis><emphasis>address</emphasis>][<emphasis>exclusion</emphasis>]}</term>
+        role="bold">,</emphasis><emphasis>address</emphasis>][<emphasis>exclusion</emphasis>]]</term>
 
         <listitem>
           <para>Set of hosts that you wish to SNAT; one or more host or
@@ -530,7 +530,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term>Example 8:</term>
+        <term>Example 2:</term>
 
         <listitem>
           <para>Your sit1 interface has two public IP addresses:

docs/Anatomy.xml

@@ -504,7 +504,7 @@
     <section id="sbin-lite">
       <title>/sbin</title>
 
-      <para>The <filename>/sbin/shorewall-lite</filename> shell program is use
+      <para>The <filename>/sbin/shorewall-lite</filename> shell program is used
       to interact with Shorewall lite. See <ulink
       url="manpages/shorewall-lite.html">shorewall-lite</ulink>(8).</para>
     </section>

docs/Build.xml

@@ -134,7 +134,7 @@
       <para>Added in Shorewall 4.4.22, this directory contains the files that
       contain release-dependent information (change.txt, releasenotes.txt,
       .spec files, etc). This is actually a symbolic link to ../release which
-      has it's own Git repository.</para>
+      has its own Git repository.</para>
     </section>
   </section>
 

docs/ConnectionRate.xml

@@ -67,7 +67,7 @@
     by 1 but is not allowed to exceed its initial setting (5).</para>
 
     <para>By default, the aggregate connection rate is limited. If the
-    specification is preceeded by "<option>s:</option>" or
+    specification is preceded by "<option>s:</option>" or
     "<option>d:</option>", then the rate is limited per SOURCE or per
     DESTINATION IP address respectively.</para>
 

docs/Events.xml

@@ -35,7 +35,7 @@
   </articleinfo>
 
   <caution>
-    <para>This article applies to Shorewall 4.5.19 and later and supercedes
+    <para>This article applies to Shorewall 4.5.19 and later and supersedes
     <ulink url="PortKnocking.html">this article.</ulink></para>
   </caution>
 
@@ -477,7 +477,7 @@ root@gateway:~# </programlisting>
 
       <para>This example is taken from <ulink
       url="http://www.briandowney.net/blog/2009/08/20/firewalling-brute-force-attempts-with-iptables/">this
-      article</ulink> which explains the nice benifits of this approach. This
+      article</ulink> which explains the nice benefits of this approach. This
       example is for ssh, but it can be adapted for any application.</para>
 
       <para>The name SSH has been changed to SSHLIMIT so as not to override

docs/FAQ.xml

@@ -746,6 +746,12 @@ DNAT       loc           loc:192.168.1.5    tcp      www         -         <emph
           DHCP/PPPoE/PPTP/… client to automatically restart Shorewall each
           time that you get a new IP address.</para>
 
+          <note>
+            <para>If your local interface is a bridge, see <link
+            linkend="faq2e">FAQ 2e</link> for additional configuration
+            steps.</para>
+          </note>
+
           <note>
             <para>For optional interfaces, use the function <emphasis
             role="bold">find_first_interface_address_if_any()</emphasis>
@@ -915,6 +921,59 @@ DNAT       loc           dmz:192.168.2.4    tcp      80          -         <emph
         INTERFACES column of each entry in <ulink
         url="manpages/shorewall-nat.html">/etc/shorewall/nat</ulink>.</para>
       </section>
+
+      <section id="faq2e">
+        <title>(FAQ 2e) I have the situation in FAQ 2 but my local interface
+        is a bridge and the solution in FAQ 2 doesn't work</title>
+
+        <para><emphasis role="bold">Answer</emphasis>: Assume that the bridge
+        is br0 and that eth2 is the bridge port that connects to the LAN
+        containing 192.168.1.5</para>
+
+        <para>In addition to the steps in FAQ 2 (replacing eth1 with br0), you
+        also need to:</para>
+
+        <orderedlist>
+          <listitem>
+            <para>Set the <firstterm>hairpin</firstterm> option on
+            eth2.</para>
+
+            <programlisting>brctl hairpin br0 eth2 on</programlisting>
+
+            <para>On Debian and derivitives, you can place that command in
+            /etc/network/interfaces as a post-up command:</para>
+
+            <programlisting>auto br0
+iface br0 inet static
+        bridge_ports    eth2
+        bridge_fd       0
+        bridge_maxwait  0
+        address         192.168.1.1
+        netmask         255.255.255.0
+        <emphasis role="bold">post-up /sbin/brctl hairpin br0 eth2 on</emphasis></programlisting>
+          </listitem>
+
+          <listitem>
+            <para>Install ebtables if it is not already installed.</para>
+          </listitem>
+
+          <listitem>
+            <para>Be sure that all traffic going out of eth2 has the correct
+            MAC address.</para>
+
+            <programlisting>ebtables -t nat -A POSTROUTING -o eth2 -j snat --to-source <emphasis>br0-MAC-address</emphasis> </programlisting>
+
+            <para>where br0-MAC-address is the MAC address of br0.</para>
+
+            <para>Here's a working example of /etc/shorewall/start that
+            executes the above command.</para>
+
+            <programlisting>if [ $(ebtables -t nat -L POSTROUTING | wc -l) -lt 4 ]; then
+   <emphasis role="bold">ebtables -t nat -A POSTROUTING -o eth2 -j snat --to-source 0:19:21:d0:61:65</emphasis>
+fi</programlisting>
+          </listitem>
+        </orderedlist>
+      </section>
     </section>
   </section>
 
@@ -940,6 +999,12 @@ DNAT       loc           dmz:192.168.2.4    tcp      80          -         <emph
         url="manpages/shorewall-interfaces.html"><filename>/etc/shorewall/interfaces</filename></ulink>
         to implement blacklisting by destination IP address.</para>
       </note>
+
+      <note>
+        <para>Beginning with Shorewall 4.4.26, you can use <ulink
+        url="manpages/shorewall-blrules.html">/etc/shorewall/blrules</ulink>
+        to implement arbitrary blacklist rules.</para>
+      </note>
     </section>
 
     <section id="faq84">

docs/IPSEC-2.6.xml

@@ -59,7 +59,7 @@
 
   <important>
     <para><emphasis role="bold">Shorewall does not configure IPSEC for
-    you</emphasis> -- it rather configures netfilter to accomodate your IPSEC
+    you</emphasis> -- it rather configures netfilter to accommodate your IPSEC
     configuration.</para>
   </important>
 
@@ -139,7 +139,7 @@
     and zones was made easy by the presence of IPSEC pseudo-interfaces with
     names of the form <filename class="devicefile">ipsecN</filename> (e.g.
     <filename class="devicefile">ipsec0</filename>). Outgoing unencrypted
-    traffic (case 1.) was send through an <filename
+    traffic (case 1.) was sent through an <filename
     class="devicefile">ipsecN</filename> device while incoming unencrypted
     traffic (case 2) arrived from an <filename
     class="devicefile">ipsecN</filename> device. The 2.6 kernel-based

docs/IPSEC.xml

@@ -200,12 +200,12 @@ vpn          eth0:192.168.1.0/24</programlisting>
 
       <para>/etc/shorewall/masq - System A</para>
 
-      <programlisting>#INTERFACE            SUBNET                ADDRESS
+      <programlisting>#INTERFACE            SOURCE                ADDRESS
 eth0:!10.0.0.0/8      192.168.1.0/24</programlisting>
 
       <para>/etc/shorewall/masq - System B</para>
 
-      <programlisting>#INTERFACE            SUBNET                ADDRESS
+      <programlisting>#INTERFACE            SOURCE                ADDRESS
 eth0:!192.168.1.0/24  10.0.0.0/8</programlisting>
     </blockquote>
 
@@ -425,8 +425,8 @@ ipsec       net        0.0.0.0/0       vpn1,vpn2,vpn3</programlisting>
     Shorewall will issue warnings to that effect. These warnings may be safely
     ignored. FreeS/Wan may now be configured to have three different Road
     Warrior connections with the choice of connection being based on X-509
-    certificates or some other means. Each of these connections will utilize
+    certificates or some other means. Each of these connections will utilize a
-    a different updown script that adds the remote station to the appropriate
+    different updown script that adds the remote station to the appropriate
     zone when the connection comes up and that deletes the remote station when
     the connection comes down. For example, when 134.28.54.2 connects for the
     vpn2 zone the <quote>up</quote> part of the script will issue the

docs/Install.xml

@@ -147,7 +147,7 @@
       <emphasis role="bold">Shorewall-core</emphasis> 4.5.2 or later, a
       shorewallrc file named ${HOME}/.shorewallrc will be installed. That file
       will provide the default parameters for installing other Shorewall
-      components of the same or later verion.</para>
+      components of the same or later version.</para>
 
       <para>Note that <emphasis role="bold">you must install Shorewall-core
       before installing any other Shorewall package</emphasis>.</para>
@@ -730,7 +730,7 @@
 
           <programlisting><command>./install.sh -s</command></programlisting>
 
-          <para>The <emphasis role="bold">-s</emphasis> option supresses
+          <para>The <emphasis role="bold">-s</emphasis> option suppresses
           installation of all files in <filename
           class="directory">/etc/shorewall</filename> except
           <filename>shorewall.conf</filename>. You can copy any other files

docs/KVM.xml

@@ -66,7 +66,7 @@
   <section>
     <title>Networking Configuration</title>
 
-    <para>I use a network configuration where each VM has it's own VNET and
+    <para>I use a network configuration where each VM has its own VNET and
     tap device and the tap devices are all configured as ports on a Linux
     Bridge. For clarity, I've only shown four of the virtual machines
     available on the system.</para>

docs/Manpages.xml

@@ -89,7 +89,7 @@
         Define MAC verification.</member>
 
         <member><ulink url="manpages/shorewall-mangle.html">mangle</ulink> -
-        Supercedes tcrules and describes packet/connection marking.</member>
+        Supersedes tcrules and describes packet/connection marking.</member>
 
         <member><ulink url="manpages/shorewall-masq.html">masq</ulink> -
         Define Masquerade/SNAT</member>
@@ -168,7 +168,7 @@
         state (added in Shorewall 4.5.8).</member>
 
         <member><ulink url="manpages/shorewall-tcrules.html">tcrules</ulink> -
-        Define packet marking rules, usually for traffic shaping. Superceded
+        Define packet marking rules, usually for traffic shaping. Superseded
         by mangle (above) in Shorewall 4.6.0.</member>
 
         <member><ulink url="manpages/shorewall-tos.html">tos</ulink> - Define

docs/Manpages6.xml

@@ -79,7 +79,7 @@
         - Define MAC verification.</member>
 
         <member><ulink url="manpages6/shorewall6-mangle.html">mangle</ulink> -
-        Supercedes tcrules and describes packet/connection marking.</member>
+        Supersedes tcrules and describes packet/connection marking.</member>
 
         <member><ulink url="manpages6/shorewall6-masq.html">masq</ulink> -
         Define Masquerade/SNAT</member>
@@ -149,7 +149,7 @@
         Classify traffic for simplified traffic shaping.</member>
 
         <member><ulink url="manpages6/shorewall6-tcrules.html">tcrules</ulink>
-        - Define packet marking rules, usually for traffic shaping. Superceded
+        - Define packet marking rules, usually for traffic shaping. Superseded
         by mangle (above) in Shorewall 4.6.0.</member>
 
         <member><ulink url="manpages6/shorewall6-tos.html">tos</ulink> -

docs/ManualChains.xml

@@ -201,11 +201,11 @@ SSHKnock         net               $FW            tcp         22,1599,1600,1601
 
     <para>becomes:<programlisting>PERL Knock 'net', '$FW', {target =&gt; 22, knocker =&gt; 1600, trap =&gt; [1599, 1601]};</programlisting>Similarly<programlisting>#ACTION          SOURCE            DEST            PROTO       DEST PORT(S)  SOURCE      ORIGINAL
 #                                                                            PORT(S)     DEST
-DNAT-            net               loc:192.168.1.5 tcp         22            -           206.124.146.178
+DNAT-            net               192.168.1.5 tcp             22            -           206.124.146.178
 SSHKnock         net               $FW             tcp         1599,1600,1601
 SSHKnock         net               loc:192.168.1.5 tcp         22            -           206.124.146.178</programlisting>becomes:<programlisting>#ACTION          SOURCE            DEST            PROTO       DEST PORT(S)  SOURCE      ORIGINAL
 #                                                                            PORT(S)     DEST
-DNAT-            net               loc:192.168.1.5 tcp         22            -           206.124.146.178
+DNAT-            net               192.168.1.5 tcp             22            -           206.124.146.178
 
 PERL Knock 'net', '$FW', {name =&gt; 'SSH', knocker =&gt; 1600, trap =&gt; [1599, 1601]};
 PERL Knock 'net', 'loc:192.168.1.5', {name =&gt; 'SSH', target =&gt; 22, original_dest =&gt; '206.124.136.178'};</programlisting></para>

docs/MultiISP.xml

@@ -155,7 +155,7 @@
       Shorewall can set up the correct marking rules for you.</para>
 
       <important>
-        <para><filename>/etc/shorewall/mangle</filename> superceded
+        <para><filename>/etc/shorewall/mangle</filename> superseded
         <filename>/etc/shorewall/tcrules</filename> in Shorewall 4.6.0.</para>
       </important>
 

docs/MyNetwork.xml

@@ -171,7 +171,7 @@
   <section>
     <title>Shorewall Configuration</title>
 
-    <para>This section contains exerpts from the Shorewall
+    <para>This section contains excerpts from the Shorewall
     configuration.</para>
 
     <para>It is important to keep in mind that parts of my configuration are

docs/OPENVPN.xml

@@ -603,7 +603,7 @@ net    COM_IF     detect    dhcp,blacklist,optional,routefilter=0,logmartians,pr
 6to4                    net
 <emphasis role="bold">6to4                    vpn</emphasis></programlisting>
 
-      <para>Similarly, here are exerpts from the Shorewall6
+      <para>Similarly, here are excerpts from the Shorewall6
       configuration.</para>
 
       <para><filename>/etc/shorewall6/zones</filename>:</para>

docs/OpenVZ.xml

@@ -452,7 +452,7 @@ NAME="server"</emphasis></programlisting>
     <section>
       <title>Shorewall Configuration on the Host</title>
 
-      <para>Below are exerpts from the configuration files as they pertain to
+      <para>Below are excerpts from the configuration files as they pertain to
       the OpenVZ environment.</para>
 
       <para><filename>/etc/shorewall/zones</filename>:</para>
@@ -762,7 +762,7 @@ NAME="server"
     <section>
       <title>Shorewall Configuration on the Host</title>
 
-      <para>Below are exerpts from the configuration files as they pertain to
+      <para>Below are excerpts from the configuration files as they pertain to
       the OpenVZ environment. Again, bold font indicates change from the prior
       configuration.</para>
 

docs/PacketMarking.xml

@@ -44,7 +44,7 @@
   </caution>
 
   <important>
-    <para>/etc/shorewall/mangle superceded /etc/shorewall/tcruels in Shorewall
+    <para>/etc/shorewall/mangle superseded /etc/shorewall/tcruels in Shorewall
     4.6.0. /etc/shorwall/tcrules is still supported but its use is
     deprecated.</para>
   </important>

docs/PortKnocking.xml

@@ -41,7 +41,7 @@
   </articleinfo>
 
   <note>
-    <para>The techniques described in this article were superceded in
+    <para>The techniques described in this article were superseded in
     Shorewall 4.5.19 with the introduction of Shorewall Events.</para>
   </note>
 
@@ -148,7 +148,7 @@ SSHKnock:info    net               $FW            tcp         22,1599,1600,1601<
 
         <programlisting>#ACTION          SOURCE            DEST            PROTO       DEST PORT(S)  SOURCE      ORIGINAL
 #                                                                            PORT(S)     DEST
-DNAT-            net               loc:192.168.1.5 tcp         22            -           206.124.146.178
+DNAT-            net               192.168.1.5     tcp         22            -           206.124.146.178
 SSHKnock         net               $FW             tcp         1599,1600,1601
 SSHKnock         net               loc:192.168.1.5 tcp         22            -           206.124.146.178</programlisting>
 

docs/Shorewall-4.xml

@@ -147,16 +147,16 @@
   </section>
 
   <section>
-    <title>Shorewall 4.5</title>
+    <title>Shorewall 4.5/4.6</title>
 
-    <para>Shorewall 4.5 adds an additional <emphasis
+    <para>Shorewall 4.5 added an additional <emphasis
     role="bold">Shorewall-core</emphasis> package. This package contains the
     core Shorewall shell libraries that are required by the other
     packages.</para>
   </section>
 
   <section id="Prereqs">
-    <title>Prerequisites for using the Shorewall Version 4.2/4.4/4.5
+    <title>Prerequisites for using the Shorewall Version 4.2/4.4/4.5/4.6
     Perl-based Compiler</title>
 
     <itemizedlist>

docs/SplitDNS.xml

@@ -167,7 +167,7 @@ linksys.shorewall.net has address 172.20.1.1
 teastep@tipper:~$ </programlisting></para>
 
     <para>As a bonus, dnsmasq can also act as a DHCP server. Here are some
-    exerpts from the corresponding /etc/dnsmasq.conf:</para>
+    excerpts from the corresponding /etc/dnsmasq.conf:</para>
 
     <programlisting>interface=eth1
 

docs/XenMyWay-Routed.xml

@@ -376,7 +376,7 @@ bootentry = 'hda2:/boot/vmlinuz-xen,/boot/initrd-xen'
       has an RFC 1918 address (192.168.1.7). That configuration is established
       by Xen which clones the primary IP address of eth0 on all of the routed
       virtual interfaces that it creates. <emphasis
-      role="bold">test</emphasis> is configured with it's default route via
+      role="bold">test</emphasis> is configured with its default route via
       192.168.1.254 which is the IP address of the firewall's br0. That works
       because of the way that the Linux network stack treats local IPv4
       addresses; by default, it will respond to ARP "who-has" broadcasts for
@@ -624,7 +624,7 @@ $EXT_IF:192.168.99.1    192.168.98.1    192.168.1.98
 
 COMMENT Masquerade Local Network
 
-$EXT_IF                 $INT_IF 206.124.146.179
+$EXT_IF                 192.168.1.0/24  206.124.146.179
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
 
         <para><filename>/etc/shorewall/proxyarp</filename>:</para>

docs/configuration_file_basics.xml

@@ -110,7 +110,7 @@
         </listitem>
 
         <listitem>
-          <para><filename>/etc/shorewall/mangle</filename> - supercedes
+          <para><filename>/etc/shorewall/mangle</filename> - supersedes
           <filename>/etc/shorewall/tcrules</filename> in Shorewall 4.6.0.
           Contains rules for packet marking, TTL, TPROXY, etc.</para>
         </listitem>
@@ -140,7 +140,7 @@
           <para><filename>/etc/shorewall/tcrules </filename>- The file has a
           rather unfortunate name because it is used to define marking of
           packets for later use by both traffic control/shaping and policy
-          routing. This file is superceded by
+          routing. This file is superseded by
           <filename>/etc/shorewall/mangle</filename> in Shorewall
           4.6.0.</para>
         </listitem>
@@ -288,7 +288,7 @@
 
         <listitem>
           <para><filename>/etc/shorewall/mangle</filename> -- Added in
-          Shorewall 4.6.0. Supercedes<filename>
+          Shorewall 4.6.0. Supersedes<filename>
           /etc/shorewall/tcrules</filename>.</para>
         </listitem>
       </itemizedlist></para>
@@ -1168,7 +1168,7 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting
       <para>Beginning with Shorewall 4.5.2, in files other than
       <filename>/etc/shorewall/params</filename> and
       <filename>/etc/shorewall/conf</filename>, INCLUDE may be immediately
-      preceeded with '?' to signal that the line is a compiler directive and
+      preceded with '?' to signal that the line is a compiler directive and
       not configuration data.</para>
 
       <para>Example:</para>
@@ -1483,7 +1483,7 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting
         <programlisting>EXT_IP=$(ssh root@firewall "/sbin/shorewall-lite call find_first_interface_address eth0")</programlisting>
 
         <para>The <command>shorewall-lite call</command> command allows you to
-        to call interactively any Shorewall function that you can call in an
+        call interactively any Shorewall function that you can call in an
         extension script.</para>
 
         <note>
@@ -2150,7 +2150,7 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting
 ACCEPT loc fw tcp 22
 ACCEPT dmz fw tcp 22</programlisting></para>
 
-    <para>Perl scripts run in the context of of the compiler process using
+    <para>Perl scripts run in the context of the compiler process using
     Perl's eval() function. Perl scripts are implicitly prefixed by the
     following:</para>
 
@@ -2370,7 +2370,7 @@ POP(ACCEPT)     loc                  net:pop.gmail.com</programlisting>
     192.168.1.4</quote>. There must be no white space following the
     <quote>!</quote>.</para>
 
-    <para>Similarly, in columns that specify an IP protocol, you can preceed
+    <para>Similarly, in columns that specify an IP protocol, you can precede
     the protocol name or number by "!". For example, !tcp means "any protocol
     except tcp".</para>
 

docs/ipsets.xml

@@ -130,7 +130,7 @@ ACCEPT       net:+sshok  $FW      tcp      22</programlisting></para>
 
     <para>Beginning with Shorewall 4.4.14, multiple source or destination
     matches may be specified by placing multiple set names in '+[...]' (e.g.,
-    +[myset,myotherset]). When so inclosed, the set names need not be prefixed
+    +[myset,myotherset]). When so enclosed, the set names need not be prefixed
     with a plus sign.</para>
 
     <para>Shorewall can save/restore your ipset contents with certain

docs/support.xml

@@ -42,7 +42,7 @@
     <itemizedlist>
       <listitem>
         <para>The currently-supported Shorewall <ulink
-        url="ReleaseModel.html">major release</ulink> is 4.5.</para>
+        url="ReleaseModel.html">major release</ulink>s are 4.5 and 4.6.</para>
 
         <note>
           <para>Shorewall versions earlier than 4.5.0 are no longer supported;
@@ -60,7 +60,7 @@
 
       <listitem>
         <para>The <ulink url="FAQ.htm">FAQ</ulink> has solutions to more than
-        90 common problems.</para>
+        100 common problems.</para>
       </listitem>
 
       <listitem>

docs/traffic_shaping.xml

@@ -908,7 +908,7 @@ ppp0           6000kbit         500kbit</programlisting>
       qualifier (see below).</emphasis></para>
 
       <para>See shorewall-mangle(5) and shorewall-tcrules(5) for a description
-      of the entries in these files. Note that the mangle file superceded the
+      of the entries in these files. Note that the mangle file superseded the
       tcrules file in Shorewall 4.6.0.</para>
 
       <para>The following examples are for the mangle file.</para>

docs/upgrade_issues.xml

@@ -95,7 +95,7 @@
 
       <listitem>
         <para>Beginning with Shorewall 4.6.0, the 'tcrules' file has been
-        superceded by the 'mangle' file. Existing 'tcrules' files will still
+        superseded by the 'mangle' file. Existing 'tcrules' files will still
         be processed, with the restriction that TPROXY is no longer supported
         in FORMAT 1. If your 'tcrules' file has non-commentary entries, the
         following warning message is issued:</para>

docs/useful_links.xml

@@ -32,7 +32,7 @@
         <row>
           <entry>NIST <emphasis>Guide on Firewalls and Firewall
           Policy</emphasis> - <ulink
-          url="http://csrc.nist.gov/publications/nistpubs/800-41/sp800-41.pdf">http://csrc.nist.gov/publications/nistpubs/800-41/sp800-41.pdf</ulink></entry>
+          url="http://csrc.nist.gov/publications/nistpubs/800-41-Rev1/sp800-41-rev1.pdf">http://csrc.nist.gov/publications/nistpubs/800-41-Rev1/sp800-41-rev1.pdf</ulink></entry>
         </row>
 
         <row>
@@ -59,7 +59,7 @@
 
         <row rowsep="0" valign="middle">
           <entry align="left">Iproute Downloads: <ulink
-          url="http://developer.osdl.org/dev/iproute2/download/">http://developer.osdl.org/dev/iproute2/download/</ulink></entry>
+          url="https://www.kernel.org/pub/linux/utils/net/iproute2/">https://www.kernel.org/pub/linux/utils/net/iproute2/</ulink></entry>
         </row>
 
         <row rowsep="0" valign="middle">
@@ -74,7 +74,7 @@
 
         <row rowsep="0" valign="middle">
           <entry>Iptables Tutorial: <ulink
-          url="http://iptables-tutorial.frozentux.net/">http://iptables-tutorial.frozentux.net/</ulink></entry>
+          url="https://www.frozentux.net/documents/iptables-tutorial/">https://www.frozentux.net/documents/iptables-tutorial/</ulink></entry>
         </row>
 
         <row rowsep="0" valign="middle">
@@ -127,10 +127,6 @@
           url="http://www.shorewall.net/SeaGL2013.pdf">http://www.shorewall.net/SeaGL2013.pdf</ulink></entry>
         </row>
 
-        <row>
-          <entry>Shorewall CIA tracker <ulink
-          url="http://cia.navi.cx/stats/project/shorewall">http://cia.navi.cx/stats/project/shorewall</ulink></entry>
-        </row>
       </tbody>
     </tgroup>
   </informaltable>