Reinstate IPv6 DropSmurfs

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/configure

@@ -98,7 +98,7 @@ if [ -z "$vendor" ]; then
 	eval $(cat /etc/os-release | grep ^ID=)
 
 	case $ID in
-	    fedora)
+	    fedora|rhel)
 		vendor=redhat
 		;;
 	    debian|ubuntu)

Shorewall-core/configure.pl

@@ -64,7 +64,7 @@ unless ( defined $vendor ) {
 
 	$id =~ s/ID=//;
 	
-	if ( $id eq 'fedora' ) {
+	if ( $id eq 'fedora' || $id eq 'rhel' ) {
 	    $vendor = 'redhat';
 	} elsif ( $id eq 'opensuse' ) {
 	    $vendor = 'suse';
@@ -100,7 +100,7 @@ if ( defined $vendor ) {
     } elsif ( `uname` =~ '^Darwin' ) {
 	$vendor = 'apple';
 	$rcfilename = 'shorewallrc.apple';
-    } elsif ( `uname` =~ '^Cygwin' ) {
+    } elsif ( `uname` =~ /^Cygwin/i ) {
 	$vendor = 'cygwin';
 	$rcfilename = 'shorewallrc.cygwin';
     } else {

Shorewall-core/install.sh

@@ -187,7 +187,7 @@ INSTALLD='-D'
 
 if [ -z "$BUILD" ]; then
     case $(uname) in
-	cygwin*)
+	cygwin*|CYGWIN*)
 	    BUILD=cygwin
 	    ;;
 	Darwin)
@@ -198,7 +198,7 @@ if [ -z "$BUILD" ]; then
 		eval $(cat /etc/os-release | grep ^ID)
 
 		case $ID in
-		    fedora)
+		    fedora|rhel|centos|foobar)
 			BUILD=redhat
 			;;
 		    debian)

Shorewall-core/lib.cli

@@ -252,7 +252,15 @@ show_classifiers() {
 
 	if [ -n "$qdisc" ]; then
 	    echo Device $device:
-	    tc -s filter ls dev $device
+	    qt tc -s filter ls root dev $device && tc -s filter ls root dev $device | grep -v '^$'
+	    tc filter show dev $device
+	    tc class show dev $device | fgrep 'leaf ' | fgrep -v ' hfsc' | sed 's/^.*leaf //;s/ .*//' | while read class; do
+		if [ -n "$class" ]; then
+		    echo
+		    echo Node $class
+		    tc filter show dev $device parent $class
+		fi
+	    done
 	    echo
 	fi
     }
@@ -263,6 +271,19 @@ show_classifiers() {
 
 }
 
+#
+# Display blacklist chains
+#
+show_bl() {
+    $g_tool -L $g_ipt_options | \
+	awk 'BEGIN           {prnt=0; };
+            /^$/             {if (prnt == 1) print ""; prnt=0; };
+            /Chain .*~ /     {prnt=1; };
+            /Chain dynamic / {prnt=1; };
+            {if (prnt == 1)  print; };
+            END {if (prnt == 1 ) print "" };'
+}
+
 #
 # Watch the Firewall Log
 #
@@ -407,45 +428,47 @@ do_save() {
 	    ;;
     esac
 
-    case ${SAVE_IPSETS:=No} in
-	[Yy]es)
-	    case ${IPSET:=ipset} in
-		*/*)
-		    if [ ! -x "$IPSET" ]; then
-			error_message "ERROR: IPSET=$IPSET does not exist or is not executable - ipsets are not saved"
-			IPSET=
+    if ! run_it ${VARDIR}/firewall savesets ${g_restorepath}-ipsets; then
+	case ${SAVE_IPSETS:=No} in
+	    [Yy]es)
+		case ${IPSET:=ipset} in
+		    */*)
+			if [ ! -x "$IPSET" ]; then
+			    error_message "ERROR: IPSET=$IPSET does not exist or is not executable - ipsets are not saved"
+			    IPSET=
+			fi
+			;;
+		    *)
+			IPSET="$(mywhich $IPSET)"
+			[ -n "$IPSET" ] || error_message "ERROR: The ipset utility cannot be located - ipsets are not saved"
+			;;
+		esac
+
+		if [ -n "$IPSET" ]; then
+		    if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then
+			#
+			# The 'grep -v' is a hack for a bug in ipset's nethash implementation when xtables-addons is applied to Lenny
+			#
+			hack='| grep -v /31'
+		    else
+			hack=
 		    fi
-		    ;;
-		*)
-		    IPSET="$(mywhich $IPSET)"
-		    [ -n "$IPSET" ] || error_message "ERROR: The ipset utility cannot be located - ipsets are not saved"
-		    ;;
-	    esac
 
-	    if [ -n "$IPSET" ]; then
-		if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then
-                    #
-                    # The 'grep -v' is a hack for a bug in ipset's nethash implementation when xtables-addons is applied to Lenny
-                    #
-		    hack='| grep -v /31'
-		else
-		    hack=
+		    if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then
+			#
+			# Don't save an 'empty' file
+			#
+			grep -qE -- '^(-N|create )' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${g_restorepath}-ipsets
+		    fi
 		fi
-
-		if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then
-                    #
-                    # Don't save an 'empty' file
-                    #
-		    grep -qE -- '^(-N|create )' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${g_restorepath}-ipsets
-		fi
-	    fi
-	    ;;
-	[Nn]o)
-	    ;;
-	*)
-	    error_message "WARNING: Invalid value ($SAVE_IPSETS) for SAVE_IPSETS"
-	    ;;
-    esac
+		;;
+	    [Nn]o)
+		;;
+	    *)
+		error_message "WARNING: Invalid value ($SAVE_IPSETS) for SAVE_IPSETS"
+		;;
+	esac
+    fi
 
     return $status
 }
@@ -1181,7 +1204,13 @@ show_command() {
 	    echo "$g_product $SHOREWALL_VERSION events at $g_hostname - $(date)"
 	    echo
 	    show_events
-	    ;;	    
+	    ;;
+	bl|blacklists)
+	    [ $# -gt 1 ] && usage 1
+	    echo "$g_product $SHOREWALL_VERSION blacklist chains at $g_hostname - $(date)"
+	    echo
+	    show_bl;
+	    ;;
 	*)
 	    case "$g_program" in
 		*-lite)
@@ -1443,10 +1472,22 @@ do_dump_command() {
 	$g_tool -t rawpost -L $g_ipt_options
     fi
 
-    local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
-    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
+    local count
+    local max
 
-    heading "Conntrack Table ($count out of $max)"
+    if [ -f /proc/sys/net/netfilter/nf_conntrack_count ]; then
+	count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
+	max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
+
+	heading "Conntrack Table ($count out of $max)"
+    elif [ -f /proc/sys/net/ipv4/netfilter/ip_conntrack_count ]; then
+	count=$(cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count)
+	max=$(cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max)
+
+	heading "Conntrack Table ($count out of $max)"
+    else
+	heading "Conntrack Table"
+    fi
 
     if [ $g_family -eq 4 ]; then
     	[ -f /proc/net/ip_conntrack ] && cat /proc/net/ip_conntrack || grep -v '^ipv6' /proc/net/nf_conntrack
@@ -2944,9 +2985,74 @@ show_status() {
 
 }
 
+interface_status() {
+    case $(cat $1) in
+	0)
+	    echo Enabled
+	    ;;
+	1)
+	    echo Disabled
+	    ;;
+	*)
+	    echo Unknown
+	    ;;
+    esac
+}
+
+show_interfaces() {
+    local f
+    local interface
+    local printed
+
+    for f in ${VARDIR}/*.status; do
+	interface=$(basename $f)
+	echo "   Interface ${interface%.status} is $(interface_status $f)"
+	printed=Yes
+    done
+
+    [ -n "$printed" ] && echo
+}
+
 status_command() {
+     local finished
+    finished=0
+    local option
+    local interfaces
+
+    while [ $finished -eq 0 -a $# -gt 0 ]; do
+	option=$1
+	case $option in
+	    -*)
+		option=${option#-}
+
+		while [ -n "$option" ]; do
+		    case $option in
+			-)
+			    finished=1
+			    option=
+			    ;;
+			i*)
+			    interfaces=Yes
+			    option=${option#i}
+			    ;;
+			*)
+			    usage 1
+			    ;;
+		    esac
+		done
+		shift
+		;;
+	    *)
+		finished=1
+		;;
+	esac
+    done
+
+    [ $# -eq 0 ] || usage 1
+
     [ $VERBOSITY -ge 1 ] && echo "${g_product}-$SHOREWALL_VERSION Status at $g_hostname - $(date)" && echo
     show_status
+    [ -n "$interfaces" ] && show_interfaces
     exit $status
 }
 
@@ -3423,6 +3529,14 @@ restart_command() {
     return $rc
 }
 
+run_command() {
+    if [ -x ${VARDIR}/firewall ] ; then
+	run_it ${VARDIR}/firewall $g_debugging $@
+    else
+	fatal_error "${VARDIR}/firewall does not exist or is not executable"
+    fi
+}
+
 #
 # Give Usage Information
 #
@@ -3454,10 +3568,12 @@ usage() # $1 = exit status
     echo "   reset [ <chain> ... ]"
     echo "   restart [ -n ] [ -p ] [ -f ] [ <directory> ]"
     echo "   restore [ -n ] [ <file name> ]"
+    echo "   run <command> [ <parameter> ... ]"
     echo "   save [ <file name> ]"
     echo "   [ show | list | ls ] [ -b ] [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
     echo "   [ show | list | ls ] [ -f ] capabilities"
     echo "   [ show | list | ls ] arptables"
+    echo "   [ show | list | ls ] [ -x ] {bl|blacklists}"
     echo "   [ show | list | ls ] classifiers"
     echo "   [ show | list | ls ] config"
     echo "   [ show | list | ls ] connections"
@@ -3480,7 +3596,7 @@ usage() # $1 = exit status
     echo "   [ show | list | ls ] zones"
     echo "   start [ -f ] [ -p ] [ <directory> ]"
     echo "   stop"
-    echo "   status"
+    echo "   status [ -i ]"
     echo "   version [ -a ]"
     echo
     exit $1
@@ -3725,16 +3841,21 @@ shorewall_cli() {
 		fatal_error "$g_product is not running"
 	    fi
 	    ;;
+	run)
+	    [ $# -gt 1 ] || fatal_error "Missing function name"
+	    get_config Yes
+	    run_command $@
+	    ;;
 	show|list|ls)
 	    get_config Yes No Yes
     	    shift
     	    show_command $@
 	    ;;
 	status)
-	    [ $# -eq 1 ] || usage 1
 	    [ "$(id -u)" != 0 ] && fatal_error "The status command may only be run by root"
 	    get_config
-	    status_command
+	    shift
+	    status_command $@
 	    ;;
 	dump)
 	    get_config Yes No Yes

Shorewall-core/lib.common

@@ -172,6 +172,7 @@ run_it() {
 error_message() # $* = Error Message
 {
    echo "   $@" >&2
+   return 1
 }
 
 #

Shorewall-core/shorewallrc.suse

@@ -8,7 +8,7 @@ CONFDIR=/etc                                          #Directory where subsystem
 SHAREDIR=${PREFIX}/share                              #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/lib                              #Directory for executable scripts.
 PERLLIBDIR=${PREFIX}/lib/perl5/vendor_perl/5.14.2     #Directory to install Shorewall Perl module directory
-SBINDIR=/sbin                                         #Directory where system administration programs are installed
+SBINDIR=/usr/sbin                                     #Directory where system administration programs are installed
 MANDIR=${SHAREDIR}/man/                               #Directory where manpages are installed.
 INITDIR=/etc/init.d                                   #Directory where SysV init scripts are installed.
 INITFILE=$PRODUCT                                     #Name of the product's SysV init script

Shorewall-init/init.debian.sh

@@ -105,24 +105,35 @@ shorewall_start () {
   for PRODUCT in $PRODUCTS; do
       setstatedir
 
-      if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then
+      if [ -x ${STATEDIR}/firewall ]; then
           #
 	  # Run in a sub-shell to avoid name collisions
 	  #
 	  ( 
-	      if ! ${STATEDIR}/$PRODUCT/firewall status > /dev/null 2>&1; then
-		  ${STATEDIR}/$PRODUCT/firewall ${OPTIONS} stop || echo_notdone
+	      if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
+		  ${STATEDIR}/firewall ${OPTIONS} stop || echo_notdone
 	      else
 		  echo_notdone
 	      fi
 	  )
       else
-	  echo echo_notdone
+	  echo_notdone
       fi
   done
 
   echo "done."
 
+  if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
+
+      echo -n "Restoring ipsets: "
+
+      if ! ipset -R < "$SAVE_IPSETS"; then
+	  echo_notdone
+      fi
+
+      echo "done."
+  fi
+
   return 0
 }
 
@@ -135,13 +146,27 @@ shorewall_stop () {
   for PRODUCT in $PRODUCTS; do
       setstatedir
 
-      if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then
-	  ${STATEDIR}/$PRODUCT/firewall ${OPTIONS} clear || echo_notdone
+      if [ -x ${STATEDIR}/firewall ]; then
+	  ${STATEDIR}/firewall ${OPTIONS} clear || echo_notdone
       fi
   done
 
   echo "done."
 
+  if [ -n "$SAVE_IPSETS" ]; then
+
+      echo "Saving ipsets: "
+
+      mkdir -p $(dirname "$SAVE_IPSETS")
+      if ipset -S > "${SAVE_IPSETS}.tmp"; then
+	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+      else
+	  echo_notdone
+      fi
+
+      echo "done."
+  fi
+
   return 0
 }
 

Shorewall-init/install.sh

@@ -35,6 +35,7 @@ usage() # $1 = exit status
     echo "usage: $ME [ <configuration-file> ]"
     echo "       $ME -v"
     echo "       $ME -h"
+    echo "       $ME -n"
     exit $1
 }
 
@@ -105,9 +106,12 @@ PRODUCT=shorewall-init
 T='-T'
 
 finished=0
+configure=1
 
 while [ $finished -eq 0 ] ; do
-    case "$1" in
+    option="$1"
+
+    case "$option" in
 	-*)
 	    option=${option#-}
 
@@ -120,6 +124,10 @@ while [ $finished -eq 0 ] ; do
 			echo "Shorewall-init Firewall Installer Version $VERSION"
 			exit 0
 			;;
+		    n*)
+			configure=0
+			option=${option#n}
+			;;
 		    *)
 			usage 1
 			;;
@@ -176,6 +184,8 @@ for var in SHAREDIR LIBEXECDIR CONFDIR SBINDIR VARLIB VARDIR; do
     require $var
 done
 
+[ -n "$SANDBOX" ] && configure=0
+
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
 if [ -z "$BUILD" ]; then
@@ -191,7 +201,7 @@ if [ -z "$BUILD" ]; then
 		eval $(cat /etc/os-release | grep ^ID=)
 
 		case $ID in
-		    fedora)
+		    fedora|rhel|centos|foobar)
 			BUILD=redhat
 			;;
 		    debian|ubuntu)
@@ -306,6 +316,7 @@ fi
 # Install the Firewall Script
 #
 if [ -n "$INITFILE" ]; then
+    mkdir -p ${DESTDIR}${INITDIR}
     install_file $INITSOURCE ${DESTDIR}${INITDIR}/$INITFILE 0544
     [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${INITDIR}/$INITFILE
     
@@ -325,7 +336,7 @@ if [ -n "$SYSTEMD" ]; then
     run_install $OWNERSHIP -m 644 $SERVICEFILE ${DESTDIR}${SYSTEMD}/$PRODUCT.service
     [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/$PRODUCT.service
     echo "Service file $SERVICEFILE installed as ${DESTDIR}${SYSTEMD}/$PRODUCT.service"
-    if [ -n "$DESTDIR" ]; then
+    if [ -n "$DESTDIR" -o $configure -eq 0 ]; then
 	mkdir -p ${DESTDIR}${SBINDIR}
         chmod 755 ${DESTDIR}${SBINDIR}
     fi
@@ -357,6 +368,8 @@ chmod 644 ${DESTDIR}${SHAREDIR}/shorewall-init/version
 #
 # Remove and create the symbolic link to the init script
 #
+echo CONFDIR is $CONFDIR
+
 if [ -z "$DESTDIR" ]; then
     rm -f ${SHAREDIR}/shorewall-init/init
     ln -s ${INITDIR}/${INITFILE} ${SHAREDIR}/shorewall-init/init
@@ -366,14 +379,24 @@ if [ $HOST = debian ]; then
     if [ -n "${DESTDIR}" ]; then
 	mkdir -p ${DESTDIR}/etc/network/if-up.d/
 	mkdir -p ${DESTDIR}/etc/network/if-down.d/
+	mkdir -p ${DESTDIR}/etc/network/if-post-down.d/
+    elif [ $configure -eq 0 ]; then
+	mkdir -p ${DESTDIR}${CONFDIR}/network/if-up.d/
+	mkdir -p ${DESTDIR}${CONFDIR}/network/if-down.d/
+	mkdir -p ${DESTDIR}${CONFDIR}/network/if-post-down.d/
     fi
 
-    if [ ! -f ${DESTDIR}/etc/default/shorewall-init ]; then
+    if [ ! -f ${DESTDIR}${CONFDIR}/default/shorewall-init ]; then
 	if [ -n "${DESTDIR}" ]; then
 	    mkdir ${DESTDIR}/etc/default
 	fi
 
-	install_file sysconfig ${DESTDIR}/etc/default/shorewall-init 0644
+	if [ $configure -eq 1 ]; then
+	    install_file sysconfig ${DESTDIR}/etc/default/shorewall-init 0644
+	else
+	    mkdir -p ${DESTDIR}${CONFDIR}/default
+	    install_file sysconfig ${DESTDIR}${CONFDIR}/default/shorewall-init 0644
+	fi
     fi
 
     IFUPDOWN=ifupdown.debian.sh
@@ -384,7 +407,7 @@ else
 	if [ -z "$RPM" ]; then
 	    if [ $HOST = suse ]; then
 		mkdir -p ${DESTDIR}/etc/sysconfig/network/if-up.d
-		mkdir -p ${DESTDIR}${SYSCONFDIR}/network/if-down.d
+		mkdir -p ${DESTDIR}/etc/sysconfig/network/if-down.d
 	    elif [ $HOST = gentoo ]; then
 		# Gentoo does not support if-{up,down}.d
 		/bin/true
@@ -415,17 +438,33 @@ mkdir -p ${DESTDIR}${LIBEXECDIR}/shorewall-init
 install_file ifupdown ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown 0544
 
 if [ -d ${DESTDIR}/etc/NetworkManager ]; then
-    install_file ifupdown ${DESTDIR}/etc/NetworkManager/dispatcher.d/01-shorewall 0544
+    if [ $configure -eq 1 ]; then
+	install_file ifupdown ${DESTDIR}/etc/NetworkManager/dispatcher.d/01-shorewall 0544
+    else
+	mkdir -p ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/
+	install_file ifupdown ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/01-shorewall 0544
+    fi
 fi
 
 case $HOST in
     debian)
-	install_file ifupdown ${DESTDIR}/etc/network/if-up.d/shorewall 0544
-	install_file ifupdown ${DESTDIR}/etc/network/if-down.d/shorewall 0544
-	install_file ifupdown ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544
+	if [ $configure -eq 1 ]; then
+	    install_file ifupdown ${DESTDIR}/etc/network/if-up.d/shorewall 0544
+	    install_file ifupdown ${DESTDIR}/etc/network/if-down.d/shorewall 0544
+	    install_file ifupdown ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544
+	else
+	    install_file ifupdown ${DESTDIR}${CONFDIR}/network/if-up.d/shorewall 0544
+	    install_file ifupdown ${DESTDIR}${CONFDIR}/network/if-down.d/shorewall 0544
+	    install_file ifupdown ${DESTDIR}${CONFDIR}/network/if-post-down.d/shorewall 0544
+	fi
 	;;
     suse)
 	if [ -z "$RPM" ]; then
+	    if [ $configure -eq 0 ]; then
+		mkdir -p ${DESTDIR}${SYSCONFDIR}/network/if-up.d/
+		mkdir -p ${DESTDIR}${SYSCONFDIR}/network/if-down.d/
+	    fi
+
 	    install_file ifupdown ${DESTDIR}${SYSCONFDIR}/network/if-up.d/shorewall 0544
 	    install_file ifupdown ${DESTDIR}${SYSCONFDIR}/network/if-down.d/shorewall 0544
 	fi
@@ -453,7 +492,7 @@ case $HOST in
 esac
 
 if [ -z "$DESTDIR" ]; then
-    if [ -n "$first_install" ]; then
+    if [ $configure -eq 1 -a -n "$first_install" ]; then
 	if [ $HOST = debian ]; then
 	    if mywhich insserv; then
 		if insserv ${INITDIR}/shorewall-init; then
@@ -505,7 +544,7 @@ if [ -z "$DESTDIR" ]; then
 	fi
     fi
 else
-    if [ -n "$first_install" ]; then
+    if [ $configure -eq 1 -a -n "$first_install" ]; then
 	if [ $HOST = debian ]; then
 	    if [ -n "${DESTDIR}" ]; then
 		mkdir -p ${DESTDIR}/etc/rcS.d

Shorewall-init/shorewall-init

@@ -63,18 +63,19 @@ shorewall_start () {
   for PRODUCT in $PRODUCTS; do
       setstatedir
 
-      if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then
+      if [ -x ${STATEDIR}/firewall ]; then
           #
 	  # Run in a sub-shell to avoid name collisions
 	  #
 	  (
-	      if ! ${STATEDIR}/$PRODUCT/firewall status > /dev/null 2>&1; then
-		  ${STATEDIR}/$PRODUCT/firewall ${OPTIONS} stop || exit 1
+	      if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
+		  ${STATEDIR}/firewall ${OPTIONS} stop || exit 1
 	      else
 		  exit 1
 	      fi
 	  )
       else
+          echo ERROR:  ${STATEDIR}/firewall does not exist or is not executable!
 	  exit 1
       fi
   done
@@ -95,8 +96,8 @@ shorewall_stop () {
   for PRODUCT in $PRODUCTS; do
       setstatedir
 
-      if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then
-	  ${STATEDIR}/$PRODUCT/firewall ${OPTIONS} clear || exit 1
+      if [ -x ${STATEDIR}/firewall ]; then
+	  ${STATEDIR}/firewall ${OPTIONS} clear || exit 1
       fi
   done
 

Shorewall-init/shorewall-init.service

@@ -1,12 +1,12 @@
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
 #
-#     Copyright 2011 Jonathan Underwood (jonathan.underwood@gmail.com)
+#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
 #
 [Unit]
-Description=Shorewall IPv4 firewall
-After=syslog.target
+Description=Shorewall IPv4 firewall (bootup security)
 Before=network.target
+Conflicts=iptables.service firewalld.service
 
 [Service]
 Type=oneshot
@@ -17,4 +17,4 @@ ExecStart=/sbin/shorewall-init $OPTIONS start
 ExecStop=/sbin/shorewall-init $OPTIONS stop
 
 [Install]
-WantedBy=multi-user.target
+WantedBy=basic.target

Shorewall-init/uninstall.sh

@@ -1,4 +1,4 @@
-\#!/bin/sh
+#!/bin/sh
 #
 # Script to back uninstall Shoreline Firewall
 #
@@ -69,6 +69,42 @@ remove_file() # $1 = file to restore
     fi
 }
 
+finished=0
+configure=1
+
+while [ $finished -eq 0 ]; do
+    option=$1
+
+    case "$option" in
+	-*)
+	    option=${option#-}
+
+	    while [ -n "$option" ]; do
+		case $option in
+		    h)
+			usage 0
+			;;
+		    v)
+			echo "$Product Firewall Installer Version $VERSION"
+			exit 0
+			;;
+		    n*)
+			configure=0
+			option=${option#n}
+			;;
+		    *)
+			usage 1
+			;;
+		esac
+	    done
+
+	    shift
+	    ;;
+	*)
+	    finished=1
+	    ;;
+    esac
+done
 #
 # Read the RC file
 #
@@ -114,22 +150,29 @@ fi
 
 echo "Uninstalling Shorewall Init $VERSION"
 
+[ -n "$SANDBOX" ] && configure=0
+
 INITSCRIPT=${CONFDIR}/init.d/shorewall-init
 
 if [ -f "$INITSCRIPT" ]; then
-    if mywhich updaterc.d ; then
-	updaterc.d shorewall-init remove
-    elif mywhich insserv ; then
-        insserv -r $INITSCRIPT
-    elif mywhich chkconfig ; then
-	chkconfig --del $(basename $INITSCRIPT)
-    elif mywhich systemctl ; then
-	systemctl disable shorewall-init
+    if [ $configure -eq 1 ]; then
+	if mywhich updaterc.d ; then
+	    updaterc.d shorewall-init remove
+	elif mywhich insserv ; then
+            insserv -r $INITSCRIPT
+	elif mywhich chkconfig ; then
+	    chkconfig --del $(basename $INITSCRIPT)
+	fi
     fi
 
     remove_file $INITSCRIPT
 fi
 
+if [ -n "$SYSTEMD" ]; then
+    [ $configure -eq 1 ] && systemctl disable shorewall-init.service
+    rm -f $SYSTEMD/shorewall-init.service
+fi
+
 [ "$(readlink -m -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifup-local
 [ "$(readlink -m -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifdown-local
 
@@ -159,8 +202,9 @@ if [ -d ${CONFDIR}/ppp ]; then
     done
 fi
 
+rm -f  ${SBINDIR}/shorewall-init
 rm -rf ${SHAREDIR}/shorewall-init
-rm -rf ${LIBEXEC}/shorewall-init
+rm -rf ${LIBEXECDIR}/shorewall-init
 
 echo "Shorewall Init Uninstalled"
 

Shorewall-lite/install.sh

@@ -30,6 +30,7 @@ usage() # $1 = exit status
     echo "usage: $ME [ <configuration-file> ]"
     echo "       $ME -v"
     echo "       $ME -h"
+    echo "       $ME -n"
     exit $1
 }
 
@@ -113,9 +114,13 @@ fi
 # Parse the run line
 #
 finished=0
+configure=1
 
 while [ $finished -eq 0 ] ; do
-    case "$1" in
+
+    option=$1
+
+    case "$option" in
 	-*)
 	    option=${option#-}
 
@@ -128,6 +133,10 @@ while [ $finished -eq 0 ] ; do
 			echo "$Product Firewall Installer Version $VERSION"
 			exit 0
 			;;
+		    n*)
+			configure=0
+			option=${option#n}
+			;;
 		    *)
 			usage 1
 			;;
@@ -186,6 +195,8 @@ done
 
 PATH=${SBINDIR}:/bin:/usr${SBINDIR}:/usr/bin:/usr/local/bin:/usr/local${SBINDIR}
 
+[ -n "$SANDBOX" ] && configure=0
+
 #
 # Determine where to install the firewall script
 #
@@ -195,7 +206,7 @@ T='-T'
 
 if [ -z "$BUILD" ]; then
     case $(uname) in
-	cygwin*)
+	cygwin*|CYGWIN*)
 	    BUILD=cygwin
 	    ;;
 	Darwin)
@@ -206,7 +217,7 @@ if [ -z "$BUILD" ]; then
 		eval $(cat /etc/os-release | grep ^ID)
 
 		case $ID in
-		    fedora)
+		    fedora|rhel|centos|foobar)
 			BUILD=redhat
 			;;
 		    debian)
@@ -242,7 +253,7 @@ if [ -z "$BUILD" ]; then
 fi
 
 case $BUILD in
-    cygwin*)
+    cygwin*|CYGWIN*)
 	OWNER=$(id -un)
 	GROUP=$(id -gn)
 	;;
@@ -346,6 +357,7 @@ fi
 delete_file ${DESTDIR}/usr/share/$PRODUCT/xmodules
 
 install_file $PRODUCT ${DESTDIR}${SBINDIR}/$PRODUCT 0544
+[ -n "${INITFILE}" ] && install -d $OWNERSHIP -m 755 ${DESTDIR}${INITDIR}
 
 echo "$Product control program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"
 
@@ -358,7 +370,7 @@ mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${VARDIR}
 
 chmod 755 ${DESTDIR}${CONFDIR}/$PRODUCT
-chmod 755 ${DESTDIR}/usr/share/$PRODUCT
+chmod 755 ${DESTDIR}${SHAREDIR}/$PRODUCT
 
 if [ -n "$DESTDIR" ]; then
     mkdir -p ${DESTDIR}${CONFDIR}/logrotate.d
@@ -466,18 +478,18 @@ done
 if [ -d manpages ]; then
     cd manpages
 
-    [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${SHAREDIR}/man/man5/ ${DESTDIR}${SHAREDIR}/man/man8/
+    [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man5/ ${DESTDIR}${MANDIR}/man8/
 
     for f in *.5; do
 	gzip -c $f > $f.gz
-	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}${SHAREDIR}/man/man5/$f.gz
-	echo "Man page $f.gz installed to ${DESTDIR}${SHAREDIR}/man/man5/$f.gz"
+	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}${MANDIR}/man5/$f.gz
+	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man5/$f.gz"
     done
 
     for f in *.8; do
 	gzip -c $f > $f.gz
-	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}${SHAREDIR}/man/man8/$f.gz
-	echo "Man page $f.gz installed to ${DESTDIR}${SHAREDIR}/man/man8/$f.gz"
+	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz
+	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man8/$f.gz"
     done
 
     cd ..
@@ -499,7 +511,7 @@ chmod 644 ${DESTDIR}${SHAREDIR}/$PRODUCT/version
 # Remove and create the symbolic link to the init script
 #
 
-if [ -z "$DESTDIR" ]; then
+if [ -z "${DESTDIR}" -a -n "${INITFILE}" ]; then
     rm -f ${SHAREDIR}/$PRODUCT/init
     ln -s ${INITDIR}/${INITFILE} ${SHAREDIR}/$PRODUCT/init
 fi
@@ -526,7 +538,7 @@ if [ ${SHAREDIR} != /usr/share ]; then
     eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${SBINDIR}/$PRODUCT
 fi
 
-if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
+if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
     if [ -n "$SYSTEMD" ]; then
 	if systemctl enable ${PRODUCT}.service; then
 	    echo "$Product will start automatically at boot"

Shorewall-lite/manpages/shorewall-lite.xml

@@ -317,6 +317,21 @@
       <arg><replaceable>filename</replaceable></arg>
     </cmdsynopsis>
 
+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>run</option></arg>
+
+      <arg choice="plain">function</arg>
+
+      <arg><replaceable>parameter ...</replaceable></arg>
+    </cmdsynopsis>
+
     <cmdsynopsis>
       <command>shorewall-lite</command>
 
@@ -352,6 +367,20 @@
       rep="repeat"><replaceable>chain</replaceable></arg></arg>
     </cmdsynopsis>
 
+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="opt"><option>show | list | ls </option></arg>
+
+      <arg><option>-x</option></arg>
+
+      <arg choice="plain"><option>{bl|blacklists}</option></arg>
+    </cmdsynopsis>
+
     <cmdsynopsis>
       <command>shorewall-lite</command>
 
@@ -465,7 +494,8 @@
 
       <arg>-<replaceable>options</replaceable></arg>
 
-      <arg choice="plain"><option>status</option></arg>
+      <arg choice="plain"><arg
+      choice="plain"><option>status</option><arg><option>-i</option></arg></arg></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -807,6 +837,23 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">run</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.6.3. Executes
+          <replaceable>command</replaceable> in the context of the generated
+          script passing the supplied <replaceable>parameter</replaceable>s.
+          Normally, the <replaceable>command</replaceable> will be a function
+          declared in <filename>lib.private</filename>.</para>
+
+          <para>Before executing the <replaceable>command</replaceable>, the
+          script will detect the configuration, setting all SW_* variables and
+          will run your <filename>init</filename> extension script with
+          $COMMAND = 'run'.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">save</emphasis></term>
 
@@ -829,6 +876,19 @@
           arguments:</para>
 
           <variablelist>
+            <varlistentry>
+              <term><emphasis role="bold">bl|blacklists</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.6.2. Displays the dynamic chain
+                along with any chains produced by entries in
+                shorewall-blrules(5).The <emphasis role="bold">-x</emphasis>
+                option is passed directly through to iptables and causes
+                actual packet and byte counts to be displayed. Without this
+                option, those counts are abbreviated.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis role="bold">capabilities</emphasis></term>
 
@@ -1073,6 +1133,10 @@
         <listitem>
           <para>Produces a short report about the state of the
           Shorewall-configured firewall.</para>
+
+          <para>The <option>-i </option>option was added in Shorewall 4.6.2
+          and causes the status of each optional or provider interface to be
+          displayed.</para>
         </listitem>
       </varlistentry>
 

Shorewall-lite/shorewall-lite.service

@@ -1,12 +1,12 @@
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
 #
-#     Copyright 2011 Jonathan Underwood (jonathan.underwood@gmail.com)
+#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
 #
 [Unit]
 Description=Shorewall IPv4 firewall (lite)
-After=syslog.target
 After=network.target
+Conflicts=iptables.service firewalld.service
 
 [Service]
 Type=oneshot
@@ -17,4 +17,4 @@ ExecStart=/sbin/shorewall-lite $OPTIONS start
 ExecStop=/sbin/shorewall-lite $OPTIONS stop
 
 [Install]
-WantedBy=multi-user.target
+WantedBy=basic.target

Shorewall-lite/uninstall.sh

@@ -27,11 +27,16 @@
 #       shown below. Simply run this script to remove Shorewall Firewall
 
 VERSION=xxx  #The Build script inserts the actual version
+PRODUCT=shorewall-lite
 
 usage() # $1 = exit status
 {
     ME=$(basename $0)
-    echo "usage: $ME [ <shorewallrc file> ]"
+    echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
+    echo "where <option> is one of"
+    echo "  -h"
+    echo "  -v"
+    echo "  -n"
     exit $1
 }
 
@@ -69,6 +74,42 @@ remove_file() # $1 = file to restore
     fi
 }
 
+finished=0
+configure=1
+
+while [ $finished -eq 0 ]; do
+    option=$1
+
+    case "$option" in
+	-*)
+	    option=${option#-}
+
+	    while [ -n "$option" ]; do
+		case $option in
+		    h)
+			usage 0
+			;;
+		    v)
+			echo "$Product Firewall Installer Version $VERSION"
+			exit 0
+			;;
+		    n*)
+			configure=0
+			option=${option#n}
+			;;
+		    *)
+			usage 1
+			;;
+		esac
+	    done
+
+	    shift
+	    ;;
+	*)
+	    finished=1
+	    ;;
+    esac
+done
 #
 # Read the RC file
 #
@@ -112,8 +153,12 @@ fi
 
 echo "Uninstalling Shorewall Lite $VERSION"
 
-if qt iptables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall ]; then
-   shorewall-lite clear
+[ -n "$SANDBOX" ] && configure=0
+
+if [ $configure -eq 1 ]; then
+    if qt iptables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall ]; then
+	shorewall-lite clear
+    fi
 fi
 
 if [ -L ${SHAREDIR}/shorewall-lite/init ]; then
@@ -123,28 +168,34 @@ elif [ -n "$INITFILE" ]; then
 fi
 
 if [ -f "$FIREWALL" ]; then
-    if mywhich updaterc.d ; then
-	updaterc.d shorewall-lite remove
-    elif mywhich insserv ; then
-        insserv -r $FIREWALL
-    elif [ mywhich chkconfig ; then
-	chkconfig --del $(basename $FIREWALL)
-    elif mywhich systemctl ; then
-	systemctl disable shorewall-lite
+    if [ $configure -eq 1 ]; then
+	if mywhich updaterc.d ; then
+	    updaterc.d shorewall-lite remove
+	elif mywhich insserv ; then
+            insserv -r $FIREWALL
+	elif mywhich chkconfig ; then
+	    chkconfig --del $(basename $FIREWALL)
+	fi
     fi
 
     remove_file $FIREWALL
 fi
 
+if [ -n "$SYSTEMD" ]; then
+    [ $configure -eq 1 ] && systemctl disable ${PRODUCT}
+    rm -f $SYSTEMD/shorewall-lite.service
+fi
+
 rm -f ${SBINDIR}/shorewall-lite
 
-rm -rf ${SBINDIR}/shorewall-lite
+rm -rf ${CONFDIR}/shorewall-lite
 rm -rf ${VARDIR}/shorewall-lite
 rm -rf ${SHAREDIR}/shorewall-lite
-rm -rf ${LIBEXEC}/shorewall-lite
+rm -rf ${LIBEXECDIR}/shorewall-lite
 rm -f  ${CONFDIR}/logrotate.d/shorewall-lite
-[ -n "$SYSTEMD" ] && rm -f  ${SYSTEMD}/shorewall-lite.service
+
+rm -f ${MANDIR}/man5/shorewall-lite*
+rm -f ${MANDIR}/man8/shorewall-lite*
 
 echo "Shorewall Lite Uninstalled"
 
-

Shorewall/Macros/macro.AMQP

@@ -0,0 +1,14 @@
+#
+# Shorewall version 4 - AMQP Macro
+#
+# /usr/share/shorewall/macro.AMQP
+#
+#	This macro handles AMQP traffic.
+#
+###############################################################################
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+PARAM	-	-	tcp	5672
+PARAM	-	-	udp	5672

Shorewall/Macros/macro.Amanda

@@ -14,7 +14,7 @@
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __AMANDA_HELPER )
- PARAM	-	-	udp	10080 ; helper=amanda
+ PARAM	-	-	udp	10080 { helper=amanda }
 ?else
  PARAM	-	-	udp	10080
 ?endif

Shorewall/Macros/macro.FTP

@@ -11,7 +11,7 @@
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __FTP_HELPER  )
- PARAM	-	-	tcp	21 ; helper=ftp
+ PARAM	-	-	tcp	21 { helper=ftp }
 ?else
  PARAM	-	-	tcp	21
 ?endif

Shorewall/Macros/macro.Goto-Meeting

@@ -0,0 +1,12 @@
+#
+# Shorewall version 4 - Citrix/Goto Meeting macro
+#
+# /usr/share/shorewall/macro.Goto-Meeting
+#          by Eric Teeter
+#       This macro handles Citrix/Goto Meeting
+#       Assumes that ports 80 and 443 are already open
+#       If needed, use the macros that open Http and Https to reduce redundancy
+####################################################################################
+#ACTION	   SOURCE	DEST    PROTO   DEST    SOURCE  RATE    USER/
+#                                       PORT(S) PORT(S) LIMIT   GROUP
+PARAM      -         	-       tcp     8200    # Goto Meeting only needed (TCP outbound)

Shorewall/Macros/macro.ILO

@@ -0,0 +1,23 @@
+#
+# Shorewall version 4 - ILO Macro
+#
+# /usr/share/shorewall/macro.ILO
+#
+#	This macro handles console redirection with HP ILO 2+,
+#	Use this macro to open access to your ILO interface from management
+#	workstations.
+#
+###############################################################################
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+PARAM	-	-	tcp	3002		# Raw serial data
+PARAM	-	-	tcp	9300		# Shared Remote Console
+PARAM	-	-	tcp	17988		# Virtual Media
+PARAM	-	-	tcp	17990		# Console Replay
+HTTP
+HTTPS
+RDP
+SSH
+Telnet						# Remote Console/Telnet

Shorewall/Macros/macro.IPMI

@@ -0,0 +1,26 @@
+#
+# Shorewall version 4 - IPMI Macro
+#
+# /usr/share/shorewall/macro.IPMI
+#
+#	This macro handles IPMI console redirection with Asus (AMI),
+#	Dell DRAC5+ (Avocent), and Supermicro (Aten or AMI).
+#	Use this macro to open access to your IPMI interface from management
+#	workstations.
+#
+###############################################################################
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+PARAM	-	-	tcp	623		# RMCP
+PARAM	-	-	tcp	3668,3669	# Virtual Media, Secure (Dell)
+PARAM	-	-	tcp	5120,5123	# CD, floppy (Asus, Aten)
+PARAM	-	-	tcp	5900,5901	# Remote Console (Aten, Dell)
+PARAM	-	-	tcp	7578		# Remote Console (AMI)
+PARAM	-	-	udp	623		# RMCP
+HTTP
+HTTPS
+SNMP
+SSH						# Serial over Lan
+Telnet

Shorewall/Macros/macro.IRC

@@ -12,7 +12,7 @@
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __IRC_HELPER  )
- PARAM	-	-	tcp	6667 ; helper=irc
+ PARAM	-	-	tcp	6667 { helper=irc }
 ?else
  PARAM	-	-	tcp	6667
 ?endif

Shorewall/Macros/macro.MongoDB

@@ -0,0 +1,13 @@
+#
+# Shorewall version 4 - MongoDB Macro
+#
+# /usr/share/shorewall/macro.MongoDB
+#
+#	This macro handles MongoDB Daemon/Router traffic.
+#
+###############################################################################
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+PARAM	-	-	tcp	27017

Shorewall/Macros/macro.PPtP

@@ -14,7 +14,7 @@ PARAM	-	-	47
 PARAM	DEST	SOURCE	47
 
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __PPTP_HELPER )
- PARAM	-	-	tcp	1723 ; helper=pptp
+ PARAM	-	-	tcp	1723 { helper=pptp }
 ?else
  PARAM	-	-	tcp	1723
 ?endif

Shorewall/Macros/macro.Redis

@@ -0,0 +1,13 @@
+#
+# Shorewall version 4 - Redis Macro
+#
+# /usr/share/shorewall/macro.Redis
+#
+#	This macro handles Redis traffic.
+#
+###############################################################################
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+PARAM	-	-	tcp	6379

Shorewall/Macros/macro.SANE

@@ -12,7 +12,7 @@
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __SANE_HELPER )
- PARAM	-	-	tcp	6566 ; helper=sane
+ PARAM	-	-	tcp	6566 { helper=sane }
 ?else
  PARAM	-	-	tcp	6566
 ?endif

Shorewall/Macros/macro.SIP

@@ -12,7 +12,7 @@
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __SIP_HELPER  )
- PARAM	-	-	udp	5060 ; helper=sip
+ PARAM	-	-	udp	5060 { helper=sip }
 ?else
  PARAM	-	-	udp	5060
 ?endif

Shorewall/Macros/macro.SMB

@@ -17,7 +17,7 @@
 PARAM	-	-	udp	135,445
 
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
- PARAM	-	-	udp	137 ; helper=netbios-ns
+ PARAM	-	-	udp	137 { helper=netbios-ns }
  PARAM	-	-	udp	138:139
 ?else
  PARAM	-	-	udp	137:139

Shorewall/Macros/macro.SMBBI

@@ -17,7 +17,7 @@
 PARAM	-	-	udp	135,445
 
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
- PARAM	-	-	udp	137 ; helper=netbios-ns
+ PARAM	-	-	udp	137 { helper=netbios-ns }
  PARAM	-	-	udp	138:139
 ?else
  PARAM	-	-	udp	137:139
@@ -28,7 +28,7 @@ PARAM	-	-	tcp	135,139,445
 PARAM	DEST	SOURCE	udp	135,445
 
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
- PARAM	DEST	SOURCE	udp	137 ; helper=netbios-ns
+ PARAM	DEST	SOURCE	udp	137 { helper=netbios-ns }
  PARAM	DEST	SOURCE	udp	138:139
 ?else
  PARAM	DEST	SOURCE	udp	137:139

Shorewall/Macros/macro.SNMP

@@ -14,7 +14,7 @@
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __SNMP_HELPER )
- PARAM	-	-  	udp     161 ; helper=snmp
+ PARAM	-	-  	udp     161 { helper=snmp }
 ?else
  PARAM	-	-	udp	161
 ?endif

Shorewall/Macros/macro.Sieve

@@ -0,0 +1,13 @@
+#
+# Shorewall version 4 - Sieve Macro
+#
+# /usr/share/shorewall/macro.Sieve
+#
+#	This macro handles sieve aka ManageSieve protocol.
+#
+###############################################################################
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+PARAM	-	-	tcp	4190

Shorewall/Macros/macro.TFTP

@@ -14,7 +14,7 @@
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __TFTP_HELPER )
- PARAM	-	-	udp	69 ; helper=tftp
+ PARAM	-	-	udp	69 { helper=tftp }
 ?else
  PARAM	-	-	udp	69
 ?endif

Shorewall/Perl/Shorewall/Accounting.pm

@@ -155,8 +155,6 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
 
     my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers ) = @_;
 
-    $acctable = $config{ACCOUNTING_TABLE};
-
     $jumpchainref = 0;
 
     $asection = LEGACY if $asection < 0;
@@ -453,6 +451,8 @@ sub setup_accounting() {
 
 	set_section_function( &process_section );
 
+	$acctable = $config{ACCOUNTING_TABLE};
+
 	first_entry "$doing $fn...";
 
 	my $nonEmpty = 0;

Shorewall/Perl/Shorewall/Chains.pm

@@ -73,6 +73,7 @@ our @EXPORT = ( qw(
 		    allow_optimize
 		    allow_delete
 		    allow_move
+                    make_terminating
 		    set_optflags
 		    reset_optflags
 		    has_return
@@ -104,7 +105,6 @@ our @EXPORT = ( qw(
 		    AUDIT
 		    HELPER
 		    INLINE
-		    TERMINATING
 		    STATEMATCH
 		    USERBUILTIN
 		    INLINERULE
@@ -262,6 +262,7 @@ our %EXPORT_TAGS = (
 				       set_global_variables
 				       save_dynamic_chains
 				       load_ipsets
+				       create_save_ipsets
 				       validate_nfobject
 				       create_nfobjects
 				       create_netfilter_load
@@ -793,6 +794,13 @@ sub decr_cmd_level( $ ) {
     assert( --$_[0]->{cmdlevel} >= 0, $_[0] );
 }
 
+#
+# Mark an action as terminating
+#
+sub make_terminating( $ ) {
+    $terminating{$_[0]} = 1;
+}
+
 #
 # Transform the passed iptables rule into an internal-form hash reference.
 # Most of the compiler has been converted to use the new form natively.
@@ -1654,7 +1662,8 @@ sub insert_rule($$$) {
 sub insert_irule( $$$$;@ ) {
     my ( $chainref, $jump, $target, $number, @matches ) = @_;
 
-    my $ruleref = {};
+    my $rulesref = $chainref->{rules};
+    my $ruleref  = {};
 
     $ruleref->{mode} = ( $ruleref->{cmdlevel} = $chainref->{cmdlevel} ) ? CMD_MODE : CAT_MODE;
 
@@ -1673,7 +1682,15 @@ sub insert_irule( $$$$;@ ) {
     
     $ruleref->{comment} = shortlineinfo( $chainref->{origin} ) || $ruleref->{comment} || $comment;
 
-    splice( @{$chainref->{rules}}, $number, 0, $ruleref );
+    if ( $number >= @$rulesref ) {
+	#
+	# Avoid failure in spice if we insert beyond the end of the chain
+	#
+	$number = @$rulesref;
+	push @$rulesref, $ruleref;
+    } else {
+	splice( @$rulesref, $number, 0, $ruleref );
+    }
 
     trace( $chainref, 'I', ++$number, format_rule( $chainref, $ruleref ) ) if $debug;
 
@@ -3503,7 +3520,7 @@ sub optimize_level8( $$$ ) {
     %renamed = ();
 
     while ( $progress ) {
-	my @chains   = ( sort level8_compare grep $_->{referenced} && ! $_->{builtin}, values %{$tableref} );
+	my @chains   = ( sort { level8_compare($a, $b) } ( grep $_->{referenced} && ! $_->{builtin}, values %{$tableref} ) );
 	my @chains1  = @chains;
 	my $chains   = @chains;
 	my %rename;
@@ -6723,20 +6740,25 @@ sub interface_mac( $$ ) {
 #
 # Record the fact that the ruleset requires MAC address of the passed gateway IP routed out of the passed interface for the passed provider number
 #
-sub get_interface_mac( $$$ ) {
-    my ( $ipaddr, $logical , $table ) = @_;
+sub get_interface_mac( $$$$ ) {
+    my ( $ipaddr, $logical , $table, $mac ) = @_;
 
     my $interface = get_physical( $logical );
     my $variable = interface_mac( $interface , $table );
 
     $global_variables |= NOT_RESTORE;
-
-    if ( interface_is_optional $logical ) {
-	$interfacemacs{$table} = qq($variable=\$(find_mac $ipaddr $interface)\n);
+    
+    if ( $mac ) {
+	$interfacemacs{$table} = qq($variable=$mac);
     } else {
-	$interfacemacs{$table} = qq($variable=\$(find_mac $ipaddr $interface)
+	if ( interface_is_optional $logical ) {
+	    $interfacemacs{$table} = qq($variable=\$(find_mac $ipaddr $interface)\n);
+	} else {
+	    $interfacemacs{$table} = qq($variable=\$(find_mac $ipaddr $interface)
 [ -n "\$$variable" ] || startup_error "Unable to determine the MAC address of $ipaddr through interface \\"$interface\\""
 );
+
+       }
     }
 
     "\$$variable";
@@ -7565,7 +7587,7 @@ sub expand_rule( $$$$$$$$$$$;$ )
 						     $exceptionrule,
 						     $actparms{disposition} || $disposition,
 						     $target ),
-					   $terminating{$basictarget} || ( $targetref || $targetref->{complete} ),
+					   $terminating{$basictarget} || ( $targetref && $targetref->{complete} ),
 					   $matches );
 		    }
 
@@ -7974,11 +7996,99 @@ sub ensure_ipset( $ ) {
     }
 }
 
+#
+# Generate the save_ipsets() function
+#
+sub create_save_ipsets() {
+    my @ipsets = all_ipsets;
+
+    emit( "#\n#Save the ipsets specified by the SAVE_IPSETS setting and by dynamic zones\n#",
+	  'save_ipsets() {' );
+
+    if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
+	emit( '    local file' ,
+	      '',
+	      '    file=$1'
+	    );
+
+	if ( @ipsets ) {
+	    emit '';
+	    ensure_ipset( $_ ) for @ipsets;
+	}
+
+	if ( $config{SAVE_IPSETS} ) {
+	    if ( $family == F_IPV6 || $config{SAVE_IPSETS} eq 'ipv4' ) {
+		my $select = $family == F_IPV4 ? '^create.*family inet ' : 'create.*family inet6 ';
+
+		emit( '' ,
+		      '    rm -f $file' ,
+		      '    touch $file' ,
+		      '    local set' ,
+		    );
+
+		if ( @ipsets ) {
+		    emit '';
+		    emit( "    \$IPSET -S $_ >> \$file" ) for @ipsets;
+		}
+
+		emit( '',
+		      "    for set in \$(\$IPSET save | grep '$select' | cut -d' ' -f2); do" ,
+		      "        \$IPSET save \$set >> \$file" ,
+		      "    done" );
+	    } else {
+		emit ( '' ,
+		       '    if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then' ,
+		       '        #',
+		       '        # The \'grep -v\' is a hack for a bug in ipset\'s nethash implementation when xtables-addons is applied to Lenny' ,
+		       '        #',
+		       '        hack=\'| grep -v /31\'' ,
+		       '    else' ,
+		       '        hack=' ,
+		       '    fi' ,
+		       '',
+		       '    if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then' ,
+		       "        grep -qE -- \"^(-N|create )\" \${VARDIR}/ipsets.tmp && mv -f \${VARDIR}/ipsets.tmp \$file" ,
+		       '    fi' );
+ 	    }
+
+	    emit("}\n" );
+	} elsif ( @ipsets || $globals{SAVED_IPSETS} ) {
+	    emit( '' ,
+		  '    rm -f ${VARDIR}/ipsets.tmp' ,
+		  '    touch ${VARDIR}/ipsets.tmp' ,
+		);
+
+	    if ( @ipsets ) {
+		emit '';
+		emit( "    \$IPSET -S $_ >> \${VARDIR}/ipsets.tmp" ) for @ipsets;
+	    }
+
+	    emit( '' ,
+		  "    if qt \$IPSET list $_; then" ,
+		  "        \$IPSET save $_ >> \${VARDIR}/ipsets.tmp" ,
+		  '    else' ,
+		  "        error_message 'ipset $_ not saved (not found)'" ,
+		  "    fi\n" ) for @{$globals{SAVED_IPSETS}};
+
+	    emit( '' ,
+		  "    grep -qE -- \"(-N|^create )\" \${VARDIR}/ipsets.tmp && cat \${VARDIR}/ipsets.tmp >> \$file\n" ,
+		  '' ,
+		  "}\n" );
+	}
+    } elsif ( $config{SAVE_IPSETS} ) {
+	emit( '    error_message "WARNING: No ipsets were saved"',
+	      "}\n" );
+    } else {
+	emit( '    true',
+	      "}\n" );
+    }
+}
+
 sub load_ipsets() {
 
     my @ipsets = all_ipsets;
 
-    if ( @ipsets || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
+    if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
 	emit ( '',
 	       'local hack',
 	       '',
@@ -8005,9 +8115,25 @@ sub load_ipsets() {
 		emit ( '' );
 		ensure_ipset( $_ ) for @ipsets;
 		emit ( '' );
+
+		emit ( '    if [ -f ${VARDIR}/ipsets.save ]; then' ,
+		       '        $IPSET flush' ,
+		       '        $IPSET destroy' ,
+		       '        $IPSET restore < ${VARDIR}/ipsets.save' ,
+		       "    fi\n" ) for @{$globals{SAVED_IPSETS}};
 	    }
 	} else {
 	    ensure_ipset( $_ ) for @ipsets;
+
+	    if ( @{$globals{SAVED_IPSETS}} ) {
+		emit ( '' );
+
+		emit ( '    if [ -f ${VARDIR}/ipsets.save ]; then' ,
+		       '        $IPSET flush' ,
+		       '        $IPSET destroy' ,
+		       '        $IPSET restore < ${VARDIR}/ipsets.save' ,
+		       "    fi\n" ) for @{$globals{SAVED_IPSETS}};
+	    }
 	}
 
 	emit ( 'elif [ "$COMMAND" = restore -a -z "$g_recovering" ]; then' );
@@ -8031,6 +8157,12 @@ sub load_ipsets() {
 	    }
 	} else {
 	    ensure_ipset( $_ ) for @ipsets;
+
+	    emit ( '    if [ -f ${VARDIR}/ipsets.save ]; then' ,
+		   '        $IPSET flush' ,
+		   '        $IPSET destroy' ,
+		   '        $IPSET restore < ${VARDIR}/ipsets.save' ,
+		   "    fi\n" ) for @{$globals{SAVED_IPSETS}};
 	}
 
 	if ( @ipsets ) {
@@ -8038,36 +8170,14 @@ sub load_ipsets() {
 	    ensure_ipset( $_ ) for @ipsets;
 	}
 
-	emit( 'elif [ "$COMMAND" = stop ]; then' );
-
-	if ( @ipsets ) {
-	    ensure_ipset( $_ ) for @ipsets;
-	    emit( '' );
-	}
-
-	if ( $family == F_IPV4 ) {
-	    emit ( '    if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then' ,
-		   '        #',
-		   '        # The \'grep -v\' is a hack for a bug in ipset\'s nethash implementation when xtables-addons is applied to Lenny' ,
-		   '        #',
-		   '        hack=\'| grep -v /31\'' ,
-		   '    else' ,
-		   '        hack=' ,
-		   '    fi' ,
-		   '',
-		   '    if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then' ,
-		   '        grep -qE -- "^(-N|create )" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' ,
-		   '    fi' );
-	} else {
-	    emit ( '    if eval $IPSET -S > ${VARDIR}/ipsets.tmp; then' ,
-		   '        grep -qE -- "^(-N|create )" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' ,
-		   '    fi' );
-	}
+	emit( 'elif [ "$COMMAND" = stop ]; then' ,
+	      '   save_ipsets'
+	    );
 
 	if ( @ipsets ) {
 	    emit( 'elif [ "$COMMAND" = refresh ]; then' );
 	    ensure_ipset( $_ ) for @ipsets;
-	}
+	};
 
 	emit ( 'fi' ,
 	       '' );

Shorewall/Perl/Shorewall/Compiler.pm

@@ -280,42 +280,43 @@ sub generate_script_2() {
 
     if ( $global_variables ) {
 
-	emit( 'case $COMMAND in' );
-
-	push_indent;
-
 	if ( $global_variables & NOT_RESTORE ) {
-	    emit( 'start|restart|refresh|disable|enable)' );
-	} else {
-	    emit( 'start|restart|refresh|disable|enable|restore)' );
-	}
 
-	push_indent;
+	    emit( 'case $COMMAND in' );
 
-	set_global_variables(1);
-
-	handle_optional_interfaces(0);
-
-	emit ';;';
-
-	if ( $global_variables == ( ALL_COMMANDS | NOT_RESTORE ) ) {
-	    pop_indent;
+	    push_indent;
 
 	    emit 'restore)';
 
 	    push_indent;
 
-	    set_global_variables(0);
+	    if ( $global_variables == ( ALL_COMMANDS | NOT_RESTORE ) ) {
 
-	    handle_optional_interfaces(0);
+		set_global_variables(0);
+
+		handle_optional_interfaces(0);
+	    }
 
 	    emit ';;';
+
+	    pop_indent;
+
+	    emit '*)';
+
+	    push_indent;
 	}
 
-	pop_indent;
-	pop_indent;
+	set_global_variables(1);
 
-	emit ( 'esac' ) ,
+	if ( $global_variables & NOT_RESTORE ) {
+	    handle_optional_interfaces(0);
+	    emit ';;';
+	    pop_indent;
+	    pop_indent;
+	    emit ( 'esac' );
+	} else {
+	    handle_optional_interfaces(1);
+	}
     } else {
 	emit( 'true' ) unless handle_optional_interfaces(1);
     }
@@ -347,6 +348,7 @@ sub generate_script_3($) {
     create_netfilter_load( $test );
     create_arptables_load( $test ) if $have_arptables;
     create_chainlist_reload( $_[0] );
+    create_save_ipsets;
 
     emit "#\n# Start/Restart the Firewall\n#";
 
@@ -730,7 +732,7 @@ sub compiler {
     #
     # Do all of the zone-independent stuff (mostly /proc)
     #
-    add_common_rules( $convert );
+    add_common_rules( $convert, $tcrules );
     #
     # More /proc
     #
@@ -741,6 +743,8 @@ sub compiler {
     }
 
     setup_source_routing($family);
+
+    setup_log_backend($family);
     #
     # Proxy Arp/Ndp
     #
@@ -819,7 +823,7 @@ sub compiler {
     #
     # Setup Nat
     #
-    setup_nat if $family == F_IPV4;
+    setup_nat;
     #
     # Setup NETMAP
     #
@@ -974,8 +978,7 @@ sub compiler {
 	    # compile_stop_firewall() also validates the routestopped file. Since we don't
 	    # call that function during normal 'check', we must validate routestopped here.
 	    #
-	    process_routestopped;
-	    process_stoppedrules;
+	    process_routestopped unless process_stoppedrules;
 	}
 	#
 	# Report used/required capabilities

Shorewall/Perl/Shorewall/Config.pm

@@ -741,6 +741,7 @@ sub initialize( $;$$) {
 	  RPFILTER_LOG_LEVEL => undef,
 	  INVALID_LOG_LEVEL => undef,
 	  UNTRACKED_LOG_LEVEL => undef,
+	  LOG_BACKEND => undef,
 	  #
 	  # Location of Files
 	  #
@@ -1105,7 +1106,8 @@ sub initialize( $;$$) {
 			 $family == F_IPV4 ? 'shorewall' : 'shorewall6'
 		       ) if defined $shorewallrc;
 
-    $globals{SHAREDIRPL} = "$shorewallrc{SHAREDIR}/shorewall/";
+    $globals{SHAREDIRPL}   = "$shorewallrc{SHAREDIR}/shorewall/";
+    $globals{SAVED_IPSETS} = [];
 
     if ( $family == F_IPV4 ) {
 	$globals{SHAREDIR}      = "$shorewallrc{SHAREDIR}/shorewall";
@@ -3259,7 +3261,11 @@ sub expand_variables( \$ ) {
 	fatal_error "Variable Expansion Loop" if ++$count > 100;
     }
 
-    if ( $actparms{0} ) {
+    if ( $chain ) {
+	#
+	# We're in an action body -- allow escaping at signs (@) for u32
+	#
+	$$lineref =~ s/\\@/??/g;
 	#                         $1      $2   $3                     -     $4
 	while ( $$lineref =~ m( ^(.*?) \@({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
 	    my ( $first, $var, $rest ) = ( $1, $3, $4);
@@ -3268,6 +3274,8 @@ sub expand_variables( \$ ) {
 	    $$lineref = join( '', $first , $val , $rest );
 	    fatal_error "Variable Expansion Loop" if ++$count > 100;
 	}
+
+	$$lineref =~ s/\?\?/@/g;
     }
 }
 
@@ -3496,8 +3504,9 @@ sub default ( $$ ) {
 #
 # Provide a default value for a yes/no configuration variable.
 #
-sub default_yes_no ( $$ ) {
-    my ( $var, $val ) = @_;
+sub default_yes_no ( $$;$ ) {
+    my ( $var, $val, $other ) = @_;
+    my $result = 1;
 
     my $curval = $config{$var};
 
@@ -3506,12 +3515,31 @@ sub default_yes_no ( $$ ) {
 
 	if (  $curval eq 'no' ) {
 	    $config{$var} = '';
+	} elsif ( defined( $other ) ) {
+	    if ( $other eq '*' ) {
+		if ( $curval eq 'yes' ) {
+		    $config{$var} = 'Yes';
+		} else {
+		    $result = 0;
+		}
+	    } elsif ( $curval eq $other ) {
+		#
+		# Downshift value for later comparison
+		#
+		$config{$var} = $curval;
+	    }
 	} else {
 	    fatal_error "Invalid value for $var ($curval)" unless $curval eq 'yes';
+	    #
+	    # Make Case same as default
+	    #
+	    $config{$var} = 'Yes';
 	}
     } else {
 	$config{$var} = $val;
     }
+
+    $result;
 }
 
 sub default_yes_no_ipv4 ( $$ ) {
@@ -4118,7 +4146,7 @@ sub IPSet_Match() {
     if ( $ipset && -x $ipset ) {
 	qt( "$ipset -X $sillyname" );
 
-	if ( qt( "$ipset -N $sillyname iphash" ) || qt( "$ipset -N $sillyname hash:ip family $fam") ) {
+	if ( qt( "$ipset -N $sillyname hash:ip family $fam" ) || qt( "$ipset -N $sillyname iphash" ) ) {
 	    if ( qt1( "$iptables $iptablesw -A $sillyname -m set --match-set $sillyname src -j ACCEPT" ) ) {
 		$capabilities{IPSET_MATCH_NOMATCH}  = qt1( "$iptables $iptablesw -A $sillyname -m set --match-set $sillyname src --return-nomatch -j ACCEPT" );
 		$capabilities{IPSET_MATCH_COUNTERS} = qt1( "$iptables $iptablesw -A $sillyname -m set --match-set $sillyname src --packets-lt 100 -j ACCEPT" );
@@ -4140,7 +4168,7 @@ sub IPSet_Match_Nomatch() {
 }
 
 sub IPSet_Match_Counters() {
-    have_capability 'IPSET_MATCH' && $capabilities{IPSET_MATCH_COUNTGERS};
+    have_capability 'IPSET_MATCH' && $capabilities{IPSET_MATCH_COUNTERS};
 }
 
 sub IPSET_V5() {
@@ -4615,6 +4643,7 @@ sub determine_capabilities() {
 	$capabilities{FWMARK_RT_MASK}  = detect_capability( 'FWMARK_RT_MASK' );
 	$capabilities{MARK_ANYWHERE}   = detect_capability( 'MARK_ANYWHERE' );
 	$capabilities{ACCOUNT_TARGET}  = detect_capability( 'ACCOUNT_TARGET' );
+	$capabilities{HEADER_MATCH}    = detect_capability( 'HEADER_MATCH' );
 	$capabilities{AUDIT_TARGET}    = detect_capability( 'AUDIT_TARGET' );
 	$capabilities{IPSET_V5}        = detect_capability( 'IPSET_V5' );
 	$capabilities{CONDITION_MATCH} = detect_capability( 'CONDITION_MATCH' );
@@ -4630,6 +4659,7 @@ sub determine_capabilities() {
 	$capabilities{RPFILTER_MATCH}  = detect_capability( 'RPFILTER_MATCH' );
 	$capabilities{NFACCT_MATCH}    = detect_capability( 'NFACCT_MATCH' );
 	$capabilities{CHECKSUM_TARGET} = detect_capability( 'CHECKSUM_TARGET' );
+	$capabilities{ARPTABLESJF}     = detect_capability( 'ARPTABLESJF' );
 	$capabilities{MASQUERADE_TGT}  = detect_capability( 'MASQUERADE_TGT' );
 	$capabilities{UDPLITEREDIRECT} = detect_capability( 'UDPLITEREDIRECT' );
 	$capabilities{NEW_TOS_MATCH}   = detect_capability( 'NEW_TOS_MATCH' );
@@ -5541,7 +5571,16 @@ sub get_configuration( $$$$$ ) {
     unsupported_yes_no         'BRIDGING';
     unsupported_yes_no_warning 'RFC1918_STRICT';
 
-    default_yes_no 'SAVE_IPSETS'                , '';
+    unless (default_yes_no 'SAVE_IPSETS', '', '*' ) {
+	$val = $config{SAVE_IPSETS};
+	unless ( $val eq 'ipv4' ) {
+	    my @sets = split_list( $val , 'ipset' );
+	    $globals{SAVED_IPSETS} = \@sets;
+	    require_capability 'IPSET_V5', 'A saved ipset list', 's';
+	    $config{SAVE_IPSETS} = '';
+	}
+    }
+
     default_yes_no 'SAVE_ARPTABLES'             , '';
     default_yes_no 'STARTUP_ENABLED'            , 'Yes';
     default_yes_no 'DELAYBLACKLISTLOAD'         , '';
@@ -5739,6 +5778,20 @@ sub get_configuration( $$$$$ ) {
     default_log_level 'INVALID_LOG_LEVEL',    '';
     default_log_level 'UNTRACKED_LOG_LEVEL',  '';
 
+    if ( supplied( $val = $config{LOG_BACKEND} ) ) {
+	if ( $family == F_IPV4 && $val eq 'ULOG' ) {
+	    $val = 'ipt_ULOG';
+	} elsif ( $val eq 'netlink' ) {
+	    $val = 'nfnetlink_log';
+	} elsif ( $val eq 'LOG' ) {
+	    $val = $family == F_IPV4 ? 'ipt_LOG' : 'ip6t_log';
+	} else {
+	    fatal_error "Invalid LOG Backend ($val)";
+	}
+
+	$config{LOG_BACKEND} = $val;
+    }
+
     warning_message "RFC1918_LOG_LEVEL=$config{RFC1918_LOG_LEVEL} ignored. The 'norfc1918' interface/host option is no longer supported" if $config{RFC1918_LOG_LEVEL};
 
     default_log_level 'SMURF_LOG_LEVEL',     '';

Shorewall/Perl/Shorewall/Misc.pm

@@ -690,11 +690,10 @@ sub process_stoppedrules() {
     my $result;
 
     if ( my $fn = open_file 'stoppedrules' , 1, 1 ) {
-	first_entry sub() {
-	    progress_message2("$doing $fn...");
+	first_entry sub () {
+	    progress_message2( "$doing $fn..." );
 	    unless ( $config{ADMINISABSENTMINDED} ) {
-		warning_message("Entries in the routestopped file are processed as if ADMINISABSENTMINDED=Yes");
-		$config{ADMINISABSENTMINDED} = 'Yes';
+		insert_ijump $filter_table ->{$_}, j => 'ACCEPT', 0, state_imatch 'ESTABLISHED,RELATED' for qw/INPUT FORWARD/;
 	    }
 	};
 
@@ -775,8 +774,8 @@ sub process_stoppedrules() {
 
 sub setup_mss();
 
-sub add_common_rules ( $ ) {
-    my $upgrade = shift;
+sub add_common_rules ( $$ ) {
+    my ( $upgrade_blacklist, $upgrade_tcrules ) = @_;
     my $interface;
     my $chainref;
     my $target;
@@ -929,8 +928,8 @@ sub add_common_rules ( $ ) {
 	    
     run_user_exit1 'initdone';
 
-    if ( $upgrade ) {
-	exit 0 unless convert_blacklist;
+    if ( $upgrade_blacklist ) {
+	exit 0 unless convert_blacklist || $upgrade_tcrules;
     } else {
 	setup_blacklist;
     }
@@ -994,7 +993,7 @@ sub add_common_rules ( $ ) {
 	for my $hostref  ( @$list ) {
 	    $interface     = $hostref->[0];
 	    my $ipsec      = $hostref->[1];
-	    my @policy     = have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
+	    my @policy     = $ipsec && have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
 	    my $target     = source_exclusion( $hostref->[3], $chainref );
 
 	    for $chain ( option_chains $interface ) {
@@ -1118,7 +1117,8 @@ sub add_common_rules ( $ ) {
 	for my $hostref  ( @$list ) {
 	    my $interface  = $hostref->[0];
 	    my $target     = source_exclusion( $hostref->[3], $chainref );
-	    my @policy     = have_ipsec ? ( policy => "--pol $hostref->[1] --dir in" ) : ();
+	    my $ipsec      = $hostref->[1];
+	    my @policy     = $ipsec && have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
 
 	    for $chain ( option_chains $interface ) {
 		add_ijump( $filter_table->{$chain} , j => $target, p => 'tcp', imatch_source_net( $hostref->[2] ), @policy );
@@ -1289,7 +1289,7 @@ sub setup_mac_lists( $ ) {
 	for my $hostref ( @$maclist_hosts ) {
 	    my $interface  = $hostref->[0];
 	    my $ipsec      = $hostref->[1];
-	    my @policy     = have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
+	    my @policy     = $ipsec && have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
 	    my @source     = imatch_source_net $hostref->[2];
 
 	    my @state = have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,UNTRACKED' : state_imatch 'NEW';
@@ -2606,42 +2606,11 @@ EOF
 
     my @ipsets = all_ipsets;
 
-    if ( @ipsets || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
-	emit <<'EOF';
-
-    case $IPSET in
-        */*)
-            if [ ! -x "$IPSET" ]; then
-                error_message "ERROR: IPSET=$IPSET does not exist or is not executable - ipsets are not saved"
-                IPSET=
-            fi
-	    ;;
-	*)
-	    IPSET="$(mywhich $IPSET)"
-	    [ -n "$IPSET" ] || error_message "ERROR: The ipset utility cannot be located - ipsets are not saved"
-	    ;;
-    esac
-
-    if [ -n "$IPSET" ]; then
-        if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then
-            #
-            # The 'grep -v' is a hack for a bug in ipset's nethash implementation when xtables-addons is applied to Lenny
-            #
-            hack='| grep -v /31'
-        else
-            hack=
-        fi
-
-        if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then
-            #
-            # Don't save an 'empty' file
-            #
-            grep -qE '^(-N|create )' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save
-        fi
-    fi
-EOF
+    if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
+	emit( '',
+	      '    save_ipsets ${VARDIR}/ipsets.save' );
     }
-
+	
     emit '
 
     set_state "Stopped"

Shorewall/Perl/Shorewall/Nat.pm

@@ -633,7 +633,7 @@ sub setup_netmap() {
 }
 
 #
-# Called from process_rule1 to add a rule to the NAT table
+# Called from process_rule to add a rule to the NAT table
 #
 sub handle_nat_rule( $$$$$$$$$$$$$ ) {
     my ( $dest,           # <server>[:port]
@@ -687,6 +687,11 @@ sub handle_nat_rule( $$$$$$$$$$$$$ ) {
 	#
 	$server = $dest;
     }
+
+    #
+    # Check for list in $server
+    #
+    fatal_error "An address list ($server) is not allowed in the DEST column of a $action RULE" if $server =~ /,/;
     #
     # Generate the target
     #

Shorewall/Perl/Shorewall/Proc.pm

@@ -42,6 +42,7 @@ our @EXPORT = qw(
 		 setup_source_routing
 		 setup_accept_ra
 		 setup_forwarding
+                 setup_log_backend
 		 );
 our @EXPORT_OK = qw( setup_interface_proc );
 our $VERSION = 'MODULEVERSION';
@@ -348,5 +349,23 @@ sub setup_interface_proc( $ ) {
     }
 }
 
+sub setup_log_backend($) {
+    if ( my $setting = $config{LOG_BACKEND} ) {
+	my $family   = shift;
+	my $file     = '/proc/sys/net/netfilter/nf_log/' . ( $family == F_IPV4 ? '2' : '10' );
+
+	emit( 'progress_message2 "Setting up log backend"',
+	      '',
+	      "if [ -f $file ]; then",
+	      "   if echo $setting > $file; then",
+	      "       progress_message 'Log Backend set to $setting'",
+	      '   else',
+	      "       error_message 'WARNING: Unable to set log backend to $setting'",
+	      '   fi',
+	      'else',
+	      "   error_message 'WARNING: $file does not exist - log backend not set'",
+	      "fi\n" );
+    }
+}
 
 1;

Shorewall/Perl/Shorewall/Providers.pm

@@ -258,7 +258,7 @@ sub copy_and_edit_table( $$$$$ ) {
     emit '';
 
     if ( $realm ) {
-	emit  ( "\$IP -$family -o route show table $duplicate | sed -r 's/ realm [[:alnum:]]+//' | ${filter}while read net route; do" )
+	emit  ( "\$IP -$family -o route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | ${filter}while read net route; do" )
     } else {
 	emit  ( "\$IP -$family -o route show table $duplicate | ${filter}while read net route; do" )
     }
@@ -442,10 +442,11 @@ sub process_a_provider( $ ) {
 
     fatal_error 'INTERFACE must be specified' if $interface eq '-';
 
-    ( $interface, my $address ) = split /:/, $interface;
+    ( $interface, my $address ) = split /:/, $interface, 2;
 
     my $shared = 0;
     my $noautosrc = 0;
+    my $mac = '';
 
     if ( defined $address ) {
 	validate_address $address, 0;
@@ -453,10 +454,33 @@ sub process_a_provider( $ ) {
 	require_capability 'REALM_MATCH', "Configuring multiple providers through one interface", "s";
     }
 
-    fatal_error "Unknown Interface ($interface)" unless known_interface( $interface );
+    my $interfaceref = known_interface( $interface );
+
+    fatal_error "Unknown Interface ($interface)" unless $interfaceref;
+
     fatal_error "A bridge port ($interface) may not be configured as a provider interface" if port_to_bridge $interface;
 
-    my $physical    = get_physical $interface;
+    #
+    # Switch to the logical name if a physical name was passed
+    #
+    my $physical;
+
+    if ( $interface eq $interfaceref->{name} ) {
+	#
+	# The logical interface name was specified
+	#
+	$physical = $interfaceref->{physical};
+    } else {
+	#
+	# A Physical name was specified
+	#
+	$physical = $interface;
+	#
+	# Switch to the logical name unless it is a wildcard
+	#
+	$interface = $interfaceref->{name} unless $interfaceref->{wildcard};
+    } 
+
     my $gatewaycase = '';
 
     if ( $physical =~ /\+$/ ) {
@@ -469,7 +493,17 @@ sub process_a_provider( $ ) {
 	$gateway = get_interface_gateway $interface;
 	$gatewaycase = 'detect';
     } elsif ( $gateway && $gateway ne '-' ) {
+	( $gateway, $mac ) = split_host_list( $gateway, 0 );
 	validate_address $gateway, 0;
+
+	if ( defined $mac ) {
+	    $mac =~ tr/-/:/;
+	    $mac =~ s/^~//;
+	    fatal_error "Invalid MAC address ($mac)" unless $mac =~ /^(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$/;
+	} else {
+	    $mac = '';
+	}
+
 	$gatewaycase = 'specified';
     } else {
 	$gatewaycase = 'none';
@@ -644,6 +678,7 @@ sub process_a_provider( $ ) {
 			   loose       => $loose ,
 			   duplicate   => $duplicate ,
 			   address     => $address ,
+			   mac         => $mac ,
 			   local       => $local ,
 			   tproxy      => $tproxy ,
 			   load        => $load ,
@@ -720,6 +755,7 @@ sub add_a_provider( $$ ) {
     my $loose       = $providerref->{loose};
     my $duplicate   = $providerref->{duplicate};
     my $address     = $providerref->{address};
+    my $mac         = $providerref->{mac};
     my $local       = $providerref->{local};
     my $tproxy      = $providerref->{tproxy};
     my $load        = $providerref->{load};
@@ -733,7 +769,7 @@ sub add_a_provider( $$ ) {
     my $realm = '';
 
     if ( $shared ) {
-	my $variable = $providers{$table}{mac} = get_interface_mac( $gateway, $interface , $table );
+	my $variable = $providers{$table}{mac} = get_interface_mac( $gateway, $interface , $table, $mac );
 	$realm = "realm $number";
 	start_provider( $label , $table, $number, $id, qq(if interface_is_usable $physical && [ -n "$variable" ]; then) );
     } elsif ( $pseudo ) {
@@ -1260,9 +1296,11 @@ sub start_providers() {
 	    emit_unindented "$providers{$_}{number}\t$_" unless $providers{$_}{pseudo};
 	}
 
-	emit_unindented "EOF\n";
+	emit_unindented 'EOF';
 
-	emit "fi\n";
+	emit( 'else',
+	      '    error_message "WARNING: /etc/iproute2/rt_tables is missing or is not writeable"',
+	      "fi\n" );
     }
 
     emit  ( '#',
@@ -1859,8 +1897,10 @@ sub handle_optional_interfaces( $ ) {
 
     if ( @$interfaces ) {
 	my $require     = $config{REQUIRE_INTERFACE};
+	my $gencase     = shift;
 
-	verify_required_interfaces( shift );
+	verify_required_interfaces( $gencase );
+	emit '' if $gencase;
 
 	emit( 'HAVE_INTERFACE=', '' ) if $require;
 	#

Shorewall/Perl/Shorewall/Rules.pm

@@ -818,9 +818,7 @@ sub apply_policy_rules() {
     progress_message2 'Applying Policies...';
 
     for my $chainref ( @policy_chains ) {
-	my $policy      = $chainref->{policy};
-
-	unless ( $policy eq 'NONE' ) {
+	unless ( ( my $policy = $chainref->{policy} ) eq 'NONE' ) {
 	    my $loglevel    = $chainref->{loglevel};
 	    my $provisional = $chainref->{provisional};
 	    my $default     = $chainref->{default};
@@ -1673,9 +1671,11 @@ sub process_action($$) {
 	    $origdest = $connlimit = $time = $headers = $condition = $helper = '-';
 	} else {
 	    ($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper )
-		= split_line1( 'action file',
+		= split_line2( 'action file',
 			       \%rulecolumns,
-			       $action_commands );
+			       $action_commands,
+			       undef,
+			       1 );
 	}
 
 	fatal_error 'TARGET must be specified' if $target eq '-';
@@ -1748,14 +1748,15 @@ sub process_actions() {
 						    undef, #Columns
 						    1 );   #Allow inline matches
 
-	    my $type     = ( $action eq $config{REJECT_ACTION} ? INLINE : ACTION );
-	    my $noinline = 0;
-	    my $nolog    = ( $type == INLINE ) || 0;
-	    my $builtin  = 0;
-	    my $raw      = 0;
-	    my $mangle   = 0;
-	    my $filter   = 0;
-	    my $nat      = 0;
+	    my $type        = ( $action eq $config{REJECT_ACTION} ? INLINE : ACTION );
+	    my $noinline    = 0;
+	    my $nolog       = ( $type == INLINE ) || 0;
+	    my $builtin     = 0;
+	    my $raw         = 0;
+	    my $mangle      = 0;
+	    my $filter      = 0;
+	    my $nat         = 0;
+	    my $terminating = 0;
 
 	    if ( $action =~ /:/ ) {
 		warning_message 'Default Actions are now specified in /etc/shorewall/shorewall.conf';
@@ -1774,6 +1775,8 @@ sub process_actions() {
 			$nolog = 1;
 		    } elsif ( $_ eq 'builtin' ) {
 			$builtin = 1;
+		    } elsif ( $_ eq 'terminating' ) {
+			$terminating = 1;
 		    } elsif ( $_ eq 'mangle' ) {
 			$mangle = 1;
 		    } elsif ( $_ eq 'raw' ) {
@@ -1822,6 +1825,8 @@ sub process_actions() {
 		}
 
 		$targets{$action} = $actiontype;
+
+		make_terminating( $action ) if $terminating;
 	    } else {
 		fatal_error "Table names are only allowed for builtin actions" if $mangle || $raw || $nat || $filter;
 		new_action $action, $type, $noinline, $nolog;
@@ -2374,7 +2379,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 		      my ( $tgt, $options ) = split / /, $param;
 		      my $target_type = $builtin_target{$tgt};
 		      fatal_error "Unknown target ($tgt)" unless $target_type;
-		      fatal_error "The $tgt TARGET is now allowed in the filter table" unless $target_type & FILTER_TABLE;
+		      fatal_error "The $tgt TARGET is not allowed in the filter table" unless $target_type & FILTER_TABLE;
 		      $action = $param;
 		  } else {
 		      $action = '';
@@ -2387,7 +2392,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 		      my ( $tgt, $options ) = split / /, $param;
 		      my $target_type = $builtin_target{$tgt};
 		      fatal_error "Unknown target ($tgt)" unless $target_type;
-		      fatal_error "The $tgt TARGET is now allowed in the filter table" unless $target_type & FILTER_TABLE;
+		      fatal_error "The $tgt TARGET is not allowed in the filter table" unless $target_type & FILTER_TABLE;
 		      $action = $param;
 		  } else {
 		      $action = '';
@@ -2950,7 +2955,7 @@ sub perl_action_helper($$;$) {
 
     $matches .= ' ' unless $matches =~ /^(?:.+\s)?$/;
 
-    set_inline_matches $matches if $target =~ /^INLINE(?::.*)?$/;
+    set_inline_matches( $target =~ /^INLINE(?::.*)?$/ ? $matches : '' );
 
     if ( $isstatematch ) {
 	if ( $statematch ) {
@@ -3023,6 +3028,8 @@ sub perl_action_tcp_helper($$) {
 
     $proto .= ' ' unless $proto =~ /^(?:.+\s)?$/;
 
+    set_inline_matches( '' ) if $config{INLINE_MATCHES};
+
     if ( $passedproto eq '-' || $passedproto eq 'tcp' || $passedproto eq '6' ) {
 	#
 	# For other protos, a 'no rule generated' warning will be issued

Shorewall/Perl/Shorewall/Tc.pm

@@ -174,8 +174,8 @@ sub initialize( $ ) {
 #
 # Process a rule from the tcrules or mangle file
 #
-sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
-    our ( $file, $action, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state ) = @_;
+sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
+    our ( $file, $action, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time ) = @_;
 
     use constant {
 	PREROUTING     => 1,        #Actually tcpre
@@ -229,7 +229,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 
     sub handle_mark_param( $$ ) {
 	my ( $option, $marktype ) = @_;
-	my $and_or = $1 if $params =~ s/^([|&])//;
+	my $and_or = $params =~ s/^([|&])// ? $1 : '';
 
 	if ( $params =~ /-/ ) {
 	    #
@@ -423,7 +423,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 	    function       => sub () {
 		require_capability 'DSCP_TARGET', 'The DSCP action', 's';
 		my $dscp = numeric_value( $params );
-		$dscp = $dscpmap{$1} unless defined $dscp;
+		$dscp = $dscpmap{$params} unless defined $dscp;
 		fatal_error( "Invalid DSCP ($params)" ) unless defined $dscp && $dscp <= 0x38 && ! ( $dscp & 1 );
 		$target = 'DSCP --set-dscp ' . in_hex( $dscp );
 	    },
@@ -556,13 +556,13 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 	    mask           => in_hex( $globals{TC_MASK} ),
 	    function       => sub () {
 		$target = 'MARK';
-		handle_mark_param('--set-mark', , HIGHMARK );
+		handle_mark_param('', , HIGHMARK );
 	    },
 	},
 
 	RESTORE    => {
 	    defaultchain   => 0,
-	    allowedchains  => PREROUTING | FORWARD | POSTROUTING,
+	    allowedchains  => PREROUTING | FORWARD | OUTPUT | POSTROUTING,
 	    minparams      => 0,
 	    maxparams      => 1,
 	    function       => sub () {
@@ -591,7 +591,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 
 	SAVE       => {
 	    defaultchain   => 0,
-	    allowedchains  => PREROUTING | FORWARD | POSTROUTING,
+	    allowedchains  => PREROUTING | FORWARD | OUTPUT | POSTROUTING,
 	    minparams      => 0,
 	    maxparams      => 1,
 	    function       => sub () {
@@ -798,6 +798,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 					 do_probability( $probability ) .
 					 do_dscp( $dscp ) .
 					 state_match( $state ) .
+					 do_time( $time ) .
 					 $raw_matches ,
 					 $source ,
 					 $dest ,
@@ -926,21 +927,22 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
 	$designator = '';
     }
 
-    my ( $cmd, $rest );
-
-    if ( $mark =~ /^TOS/ ) {
-	$cmd = $mark;
-	$rest = '';
-    } else {
-	($cmd, $rest) = split( '/', $mark, 2 );
-    }
-
     unless ( $command ) {
 	{
-	    if ( $cmd =~ /^([A-Z]+)/ ) {
+	    my ( $cmd, $rest ) = split( '/', $mark, 2 );
+
+	    if ( $cmd =~ /^([A-Z]+)(?:\((.+)\))?/ ) {
 		if ( my $tccmd = $tccmd{$1} ) {
 		    fatal_error "Invalid $1 ACTION ($originalmark)" unless $tccmd->{match}($cmd); 
-		    $command = $tccmd->{command} if $tccmd->{command};
+		    $command = $1;
+		    if ( supplied $rest ) {
+			fatal_error "Invalid $1 ACTION ($originalmark)" if supplied $2;
+			$mark = $rest;
+		    } elsif ( supplied $2 ) {
+			$mark = $2;
+		    } else {
+			$mark = '';
+		    }
 		}
 	    } else {
 		$command = 'MARK';
@@ -986,7 +988,9 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
 			      $headers,
 			      $probability,
 			      $dscp,
-			      $state );
+			      $state,
+			      '-',
+	    );
     }
 }
 
@@ -1046,9 +1050,9 @@ sub process_tc_rule( ) {
 }    
 
 sub process_mangle_rule( ) {
-    my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state );
+    my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time );
     if ( $family == F_IPV4 ) {
-	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state ) =
+	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state, $time ) =
 	    split_line2( 'tcrules file',
 			 { mark => 0,
 			   action => 0,
@@ -1065,13 +1069,15 @@ sub process_mangle_rule( ) {
 			   helper => 11,
 			   probability => 12 , 
 			   scp => 13,
-			   state => 14 },
+			   state => 14,
+			   time => 15,
+			 },
 			 {},
-			 15,
+			 16,
 	                 1 );
 	$headers = '-';
     } else {
-	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state ) =
+	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state, $time ) =
 	    split_line2( 'tcrules file',
 			 { mark => 0,
 			   action => 0,
@@ -1089,14 +1095,16 @@ sub process_mangle_rule( ) {
 			   headers => 12,
 			   probability => 13,
 			   dscp => 14,
-			   state => 15 },
+			   state => 15,
+			   time => 16,
+			 },
 			 {},
-			 16,
+			 17,
 	                 1 );
     }
 
     for my $proto (split_list( $protos, 'Protocol' ) ) {
-	process_mangle_rule1( 'Mangle', $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state );
+	process_mangle_rule1( 'Mangle', $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time );
     }
 }
  

Shorewall/Perl/Shorewall/Zones.pm

@@ -193,6 +193,7 @@ our %reservedName = ( all => 1,
 #                                     physical    => <physical interface name>
 #                                     base        => <shell variable base representing this interface>
 #                                     provider    => <Provider Name, if interface is associated with a provider>
+#                                     wildcard    => undef|1 # Wildcard Name
 #                                     zones       => { zone1 => 1, ... }
 #                                   }
 #                 }
@@ -1375,6 +1376,7 @@ sub process_interface( $$ ) {
 						       base       => var_base( $physical ),
 						       zones      => {},
 						       origin     => shortlineinfo(''),
+						       wildcard   => $wildcard,
 						     };
 
     if ( $zone ) {
@@ -1497,7 +1499,7 @@ sub map_physical( $$ ) {
 
     $physical =~ s/\+$//;
 
-    $physical . substr( $name, length  $interfaceref->{root} );
+    $physical . substr( $name, length( $interfaceref->{root} ) );
 }
 
 #
@@ -1531,6 +1533,7 @@ sub known_interface($)
 						   number   => $interfaceref->{number} ,
 						   physical => $physical ,
 						   base     => var_base( $physical ) ,
+						   wildcard => $interfaceref->{wildcard} ,
 						   zones    => $interfaceref->{zones} ,
 						 };
 	    }
@@ -1768,7 +1771,7 @@ sub find_interfaces_by_option1( $ ) {
 	my $optionsref = $interfaceref->{options};
 
 	if ( $optionsref && defined $optionsref->{$option} ) {
-	    $wild ||= ( $interfaceref->{physical} =~ /\+$/ );
+	    $wild ||= $interfaceref->{wildcard};
 	    push @ints , $interface
 	}
     }
@@ -2118,14 +2121,26 @@ sub have_ipsec() {
 sub find_hosts_by_option( $ ) {
     my $option = $_[0];
     my @hosts;
+    my %done;
+
+    for my $interface ( @interfaces ) {
+	my $value = $interfaces{$interface}{options}{$option};
+	if ( ! $interfaces{$interface}{zone} && $value ) {
+	    push @hosts, [ $interface, '', ALLIP , [], $value ];
+	    $done{$interface} = 1;
+	}
+    }
 
     for my $zone ( grep ! ( $zones{$_}{type} & FIREWALL ) , @zones ) {
 	while ( my ($type, $interfaceref) = each %{$zones{$zone}{hosts}} ) {
 	    while ( my ( $interface, $arrayref) = ( each %{$interfaceref} ) ) {
 		for my $host ( @{$arrayref} ) {
-		    if ( my $value = $host->{options}{$option} ) {
-			for my $net ( @{$host->{hosts}} ) {
-			    push @hosts, [ $interface, $host->{ipsec} , $net , $host->{exclusions}, $value ];
+		    my $ipsec = $host->{ipsec};
+		    unless ( $done{$interface} ) { 
+			if ( my $value = $host->{options}{$option} ) {
+			    for my $net ( @{$host->{hosts}} ) {
+				push @hosts, [ $interface, $ipsec , $net , $host->{exclusions}, $value ];
+			    }
 			}
 		    }
 		}
@@ -2133,12 +2148,6 @@ sub find_hosts_by_option( $ ) {
 	}
     }
 
-    for my $interface ( @interfaces ) {
-	if ( ! $interfaces{$interface}{zone} && $interfaces{$interface}{options}{$option} ) {
-	    push @hosts, [ $interface, 'none', ALLIP , [] ];
-	}
-    }
-
     \@hosts;
 }
 

Shorewall/Perl/prog.footer

@@ -17,8 +17,10 @@ usage() {
     echo "   reset"
     echo "   refresh"
     echo "   restart"
+    echo "   run <command> [ <parameter> ... ]"
     echo "   status"
     echo "   up <interface>"
+    echo "   savesets <file>"
     echo "   version"
     echo
     echo "Options are:"
@@ -371,6 +373,24 @@ case "$COMMAND" in
 	fi
 	status=0
 	;;
+    run)
+	if [ $# -gt 1 ]; then
+	    shift
+	    detect_configuration
+	    run_init_exit
+	    eval $@
+	    status=$?
+	else
+	    error_message "ERROR: Missing command"
+	fi
+	;;
+    savesets)
+	if [ $# -eq 2 ]; then
+	    save_ipsets $2
+	else
+	    usage 2
+	fi
+	;;
     version)
 	[ $# -ne 1 ] && usage 2
 	echo $SHOREWALL_VERSION

Shorewall/Samples/Universal/shorewall.conf

@@ -25,6 +25,8 @@ BLACKLIST_LOG_LEVEL=
 
 INVALID_LOG_LEVEL=
 
+LOG_BACKEND=
+
 LOG_MARTIANS=Yes
 
 LOG_VERBOSITY=2

Shorewall/Samples/one-interface/README.txt

@@ -3,7 +3,7 @@ For instructions on using this sample configuration, please see
 http://www.shorewall.net/standalone.htm
 
     Shorewall Samples
-    Copyright (C) 2006 by the following authors:
+    Copyright (C) 2006-2014 by the following authors:
 	Thomas M. Eastep
 	Paul D. Gear
 	Cristian Rodriguez

Shorewall/Samples/one-interface/interfaces

@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Interfaces File for one-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/one-interface/policy

@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Policy File for one-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/one-interface/rules

@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Rules File for one-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/one-interface/shorewall.conf

@@ -2,7 +2,7 @@
 #
 # Shorewall version 4.0 - Sample shorewall.conf for one-interface
 #                         configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -36,6 +36,8 @@ BLACKLIST_LOG_LEVEL=
 
 INVALID_LOG_LEVEL=
 
+LOG_BACKEND=
+
 LOG_MARTIANS=Yes
 
 LOG_VERBOSITY=2

Shorewall/Samples/one-interface/zones

@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Zones File for one-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/three-interfaces/README.txt

@@ -3,7 +3,7 @@ For instructions on using these sample configurations, please see
 http://www.shorewall.net/three-interface.htm
 
     Shorewall Samples
-    Copyright (C) 2006 by the following authors:
+    Copyright (C) 2006-2014 by the following authors:
 	Thomas M. Eastep
 	Paul D. Gear
 	Cristian Rodriguez

Shorewall/Samples/three-interfaces/interfaces

@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Interfaces File for three-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/three-interfaces/masq

@@ -1,6 +1,6 @@
 #
 # Shorewall version 3.4 - Sample Masq file for three-interface configuration.
-# Copyright (C) 2006,2007 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/three-interfaces/policy

@@ -1,6 +1,6 @@
 #
 # Shorewall version 3.4 - Sample Policy File for three-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/three-interfaces/rules

@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Rules File for three-interface configuration.
-# Copyright (C) 2006,2007 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/three-interfaces/shorewall.conf

@@ -2,8 +2,7 @@
 #
 # Shorewall version 4.0 - Sample shorewall.conf for three-interface
 #                         configuration.
-# Copyright (C) 2006 by the Shorewall Team
-#               2011 by Thomas M. Eastep
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -34,6 +33,8 @@ BLACKLIST_LOG_LEVEL=
 
 INVALID_LOG_LEVEL=
 
+LOG_BACKEND=
+
 LOG_MARTIANS=Yes
 
 LOG_VERBOSITY=2

Shorewall/Samples/three-interfaces/zones

@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Zones File for three-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/two-interfaces/README.txt

@@ -3,7 +3,7 @@ For instructions on using these sample configurations, please see
 http://www.shorewall.net/two-interface.htm
 
     Shorewall Samples
-    Copyright (C) 2006 by the following authors:
+    Copyright (C) 2006-2014 by the following authors:
 	Thomas M. Eastep
 	Paul D. Gear
 	Cristian Rodriguez

Shorewall/Samples/two-interfaces/interfaces

@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Interfaces File for two-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/two-interfaces/masq

@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Masq file for two-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/two-interfaces/policy

@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Policy File for two-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/two-interfaces/rules

@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Rules File for two-interface configuration.
-# Copyright (C) 2006,2007 by the Shorewall Team
+# Copyright (C) 2006-2014,2007 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/two-interfaces/shorewall.conf

@@ -2,8 +2,7 @@
 #
 # Shorewall version 4.0 - Sample shorewall.conf for two-interface
 #                         configuration.
-# Copyright (C) 2006,2007 by the Shorewall Team
-#               2011 by Thomas M. Eastep
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -37,6 +36,8 @@ BLACKLIST_LOG_LEVEL=
 
 INVALID_LOG_LEVEL=
 
+LOG_BACKEND=
+
 LOG_MARTIANS=Yes
 
 LOG_VERBOSITY=2

Shorewall/Samples/two-interfaces/zones

@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Zones File for two-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/action.DNSAmp

@@ -0,0 +1,34 @@
+#
+# Shorewall 4 - DNS Amplification Action
+#
+#    /usr/share/shorewall/action.DNSAmp
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
+#
+#       Complete documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#   DNSAmp[([<action>])]
+#
+#       Default action is DROP
+#
+##########################################################################################
+?format 2
+
+DEFAULTS DROP
+
+IPTABLES(@1)	-	-	udp	53	; -m u32 --u32 "0>>22&0x3C\@8&0xffff=0x0100 && 0>>22&0x3C\@12&0xffff0000=0x00010000"

Shorewall/actions.std

@@ -31,6 +31,7 @@ allowInvalid inline		# Accepts packets in the INVALID conntrack state
 AutoBL       noinline           # Auto-blacklist IPs that exceed thesholds
 AutoBLL      noinline           # Helper for AutoBL
 Broadcast    noinline           # Handles Broadcast/Multicast/Anycast
+DNSAmp                          # Matches one-question recursive DNS queries
 Drop		                # Default Action for DROP policy
 dropInvalid  inline		# Drops packets in the INVALID conntrack state
 DropSmurfs   noinline           # Drop smurf packets

Shorewall/configfiles/blrules

@@ -6,7 +6,7 @@
 # Please see http://shorewall.net/blacklisting_support.htm for additional
 # information.
 #
-###################################################################################################################################################################################################
-#ACTION		SOURCE			DEST			PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
+################################################################################################################################################################################################
+#ACTION		SOURCE			DEST			PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME	HEADERS		SWITCH
 #									PORT	PORT(S)		DEST		LIMIT		GROUP
 

Shorewall/configfiles/clear

@@ -3,8 +3,8 @@
 #
 # /etc/shorewall/clear
 #
-#	Add commands below that you want to be executed after Shorewall
-#       has processed the 'clear' command.
+# Add commands below that you want to be executed after Shorewall has
+# processed the 'clear' command.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.

Shorewall/configfiles/findgw

@@ -3,12 +3,12 @@
 #
 # /etc/shorewall/findgw
 #
-#    The code in this file is executed when Shorewall is trying to detect the
-#    gateway through an interface in /etc/shorewall/providers that has GATEWAY
-#    specified as 'detect'.
+# The code in this file is executed when Shorewall is trying to detect the
+# gateway through an interface in /etc/shorewall/providers that has GATEWAY
+# specified as 'detect'.
 #
-#    The function should echo the IP address of the gateway if it knows what
-#    it is; the name of the interface is in $1.
+# The function should echo the IP address of the gateway if it knows what
+# it is; the name of the interface is in $1.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.

Shorewall/configfiles/initdone

@@ -5,7 +5,7 @@
 #
 #	Add commands below that you want to be executed during
 #	"shorewall start" or "shorewall restart" commands at the point where
-#	Shorewall has not yet added any perminent rules to the builtin chains.
+#	Shorewall has not yet added any permanent rules to the builtin chains.
 #
 # For additional information, see
 # http://shorewall.net/shorewall_extension_scripts.htm

Shorewall/configfiles/lib.private

@@ -3,9 +3,9 @@
 #
 # /etc/shorewall/lib.private
 #
-#	Use this file to declare shell functions to be called in the other
-#	run-time extension scripts. The file will be copied into the generated
-#       firewall script.
+# Use this file to declare shell functions to be called in the other
+# run-time extension scripts. The file will be copied into the generated
+# firewall script.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.

Shorewall/configfiles/mangle

@@ -9,7 +9,6 @@
 #
 # See http://shorewall.net/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
-##################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS   CONNBYTES		HELPER    PROBABILITY DSCP
+####################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS	CONNBYTES	HELPER	PROBABILITY	DSCP
 #							PORT(S)	PORT(S)
-

Shorewall/configfiles/refresh

@@ -3,8 +3,8 @@
 #
 # /etc/shorewall/refresh
 #
-#	Add commands below that you want to be executed before Shorewall
-#       has processed the 'refresh' command.
+# Add commands below that you want to be executed before Shorewall
+# has processed the 'refresh' command.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.

Shorewall/configfiles/refreshed

@@ -3,8 +3,8 @@
 #
 # /etc/shorewall/refreshed
 #
-#	Add commands below that you want to be executed after Shorewall
-#       has processed the 'refresh' command.
+# Add commands below that you want to be executed after Shorewall has
+# processed the 'refresh' command.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.

Shorewall/configfiles/scfilter

@@ -3,8 +3,8 @@
 #
 # /etc/shorewall/scfilter
 #
-#	Replace the 'cat' command below to filter the output of
-#       'show connections.
+# Replace the 'cat' command below to filter the output of
+# 'show connections'.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.

Shorewall/configfiles/shorewall.conf

@@ -12,19 +12,21 @@
 STARTUP_ENABLED=No
 
 ###############################################################################
-#		              V E R B O S I T Y
+#			     V E R B O S I T Y
 ###############################################################################
 
 VERBOSITY=1
 
 ###############################################################################
-#		                L O G G I N G
+#			       L O G G I N G
 ###############################################################################
 
 BLACKLIST_LOG_LEVEL=
 
 INVALID_LOG_LEVEL=
 
+LOG_BACKEND=
+
 LOG_MARTIANS=Yes
 
 LOG_VERBOSITY=2
@@ -100,7 +102,7 @@ QUEUE_DEFAULT=none
 REJECT_DEFAULT=Reject
 
 ###############################################################################
-#                        R S H / R C P  C O M M A N D S
+#			 R S H / R C P	C O M M A N D S
 ###############################################################################
 
 RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
@@ -271,8 +273,8 @@ MASK_BITS=
 ZONE_BITS=0
 
 ################################################################################
-#                            L E G A C Y  O P T I O N
-#                      D O  N O T  D E L E T E  O R  A L T E R
+#			     L E G A C Y  O P T I O N
+#		       D O  N O T  D E L E T E	O R  A L T E R
 ################################################################################
 
 IPSECFILE=zones

Shorewall/configfiles/tcclasses

@@ -7,4 +7,4 @@
 #
 ###############################################################################
 #INTERFACE:CLASS	MARK	RATE:		CEIL	PRIORITY	OPTIONS
-#                               DMAX:UMAX
+#				DMAX:UMAX

Shorewall/configfiles/tcclear

@@ -3,8 +3,8 @@
 #
 # /etc/shorewall/tcclear
 #
-#	Add commands below that you want to be executed before Shorewall
-#       clears the traffic shaping configuration.
+# Add commands below that you want to be executed before Shorewall clears
+# the traffic shaping configuration.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.

Shorewall/configfiles/tcfilters

@@ -6,5 +6,5 @@
 # See http://shorewall.net/traffic_shaping.htm for additional information.
 #
 ########################################################################################################
-#INTERFACE:	SOURCE		DEST		PROTO	DEST	SOURCE   TOS		LENGTH	PRIORITY
+#INTERFACE:	SOURCE		DEST		PROTO	DEST	SOURCE	TOS		LENGTH	PRIORITY
 #CLASS							PORT(S)	PORT(S)

Shorewall/default.debian

@@ -16,7 +16,7 @@ startup=0
 #    wait_interface=
 
 #
-# Global start/restart/stop options
+# Global start/restart options
 #
 OPTIONS=""
 

Shorewall/helpers

@@ -57,3 +57,9 @@ loadmodule nf_nat_proto_gre
 loadmodule nf_nat_sip
 loadmodule nf_nat_snmp_basic
 loadmodule nf_nat_tftp
+#
+# While not actually helpers, these are handy to have
+#
+loadmodule xt_NFLOG
+loadmodule xt_ULOG
+loadmodule nfnetlink_log

Shorewall/install.sh

@@ -35,6 +35,7 @@ usage() # $1 = exit status
     echo "       $ME -h"
     echo "       $ME -s"
     echo "       $ME -a"
+    echo "       $ME -n"
     exit $1
 }
 
@@ -118,6 +119,7 @@ T="-T"
 INSTALLD='-D'
 
 finished=0
+configure=1
 
 while [ $finished -eq 0 ]; do
     option=$1
@@ -147,6 +149,10 @@ while [ $finished -eq 0 ]; do
 			ANNOTATED=
 			option=${option#p}
 			;;
+		    n*)
+			configure=0
+			option=${option#n}
+			;;
 		    *)
 			usage 1
 			;;
@@ -203,9 +209,11 @@ done
 
 [ -n "${INITFILE}" ] && require INITSOURCE && require INITDIR
 
+[ -n "$SANDBOX" ] && configure=0
+
 if [ -z "$BUILD" ]; then
     case $(uname) in
-	cygwin*)
+	cygwin*|CYGWIN*)
 	    BUILD=cygwin
 	    ;;
 	Darwin)
@@ -216,7 +224,7 @@ if [ -z "$BUILD" ]; then
 		eval $(cat /etc/os-release | grep ^ID)
 
 		case $ID in
-		    fedora)
+		    fedora|rhel|centos|foobar)
 			BUILD=redhat
 			;;
 		    debian)
@@ -399,7 +407,7 @@ fi
 #
 # Create /etc/$PRODUCT and other directories
 #
-mkdir -p ${DESTDIR}/${CONFDIR}/$PRODUCT
+mkdir -p ${DESTDIR}${CONFDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${PERLLIBDIR}/Shorewall
 mkdir -p ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
@@ -1120,7 +1128,7 @@ chmod 644 ${DESTDIR}${SHAREDIR}/$PRODUCT/version
 # Remove and create the symbolic link to the init script
 #
 
-if [ -z "$DESTDIR" ]; then
+if [ -z "${DESTDIR}" -a -n "${INITFILE}" ]; then
     rm -f ${SHAREDIR}/$PRODUCT/init
     ln -s ${INITDIR}/${INITFILE} ${SHAREDIR}/$PRODUCT/init
 fi
@@ -1167,7 +1175,7 @@ if [ -n "$SYSCONFFILE" -a -f "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PR
     echo "$SYSCONFFILE installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
 fi
 
-if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
+if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
     if [ -n "$SYSTEMD" ]; then
 	if systemctl enable ${PRODUCT}.service; then
 	    echo "$Product will start automatically at boot"

Shorewall/lib.cli-std

@@ -1615,6 +1615,15 @@ export_command() # $* = original arguments less the command.
     fi
 }
 
+run_command() {
+    if [ -x ${VARDIR}/firewall ] ; then
+	uptodate ${VARDIR}/firewall || echo "   WARNING: ${VARDIR}/firewall is not up to date" >&2
+	run_it ${VARDIR}/firewall $g_debugging $@
+    else
+	fatal_error "${VARDIR}/firewall does not exist or is not executable"
+    fi
+}
+
 #
 # Give Usage Information
 #
@@ -1666,11 +1675,13 @@ usage() # $1 = exit status
     echo "   reset [ <chain> ... ]"
     echo "   restart [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ <directory> ]"
     echo "   restore [ -n ] [ <file name> ]"
+    echo "   run <command> [ <parameter> ... ]"
     echo "   safe-restart [ -t <timeout> ] [ <directory> ]"
     echo "   safe-start [ -t <timeout> ] [ <directory> ]"
     echo "   save [ <file name> ]"
     echo "   [ show | list | ls ] [ -x ] [ -t {filter|mangle|nat|raw|rawpost} ] [ {chain [<chain> [ <chain> ... ]"
     echo "   [ show | list | ls ] actions"
+    echo "   [ show | list | ls ] [ -x ] {bl|blacklists}"
     echo "   [ show | list | ls ] [ -f ] capabilities"
     echo "   [ show | list | ls ] classifiers"
     echo "   [ show | list | ls ] config"
@@ -1695,7 +1706,7 @@ usage() # $1 = exit status
     echo "   [ show | list | ls ] vardir"
     echo "   [ show | list | ls ] zones"
     echo "   start [ -f ] [ -n ] [ -p ] [ -c ] [ -T ] [ -i ] [ <directory> ]"
-    echo "   status"
+    echo "   status [ -i ]"
     echo "   stop"
     echo "   try <directory> [ <timeout> ]"
     echo "   update [ -a ] [ -b ] [ -r ] [ -T ] [ -D ] [ -i ] [-t] [-A] [ <directory> ]"

Shorewall/manpages/shorewall-actions.xml

@@ -71,10 +71,17 @@
                 role="bold">raw</emphasis>. If no table name(s) are given,
                 then <emphasis role="bold">filter</emphasis> is assumed. The
                 table names follow <emphasis role="bold">builtin</emphasis>
-                and are separated by commas; for example,
-                "FOOBAR,filter,mangle" would specify FOOBAR as a builtin
+                and are separated by commas; for example, "FOOBAR
+                builtin,filter,mangle" would specify FOOBAR as a builtin
                 target that can be used in the filter and mangle
                 tables.</para>
+
+                <para>Beginning with Shorewall 4.6.4, you may specify the
+                <emphasis role="bold">terminating</emphasis> option with
+                <emphasis role="bold">builtin</emphasis> to indicate to the
+                Shorewall optimizer that the action is terminating (the
+                current packet will not be passed to the next rule in the
+                chain).</para>
               </listitem>
             </varlistentry>
 
@@ -133,6 +140,17 @@
                 a subset of the rules.</para>
               </listitem>
             </varlistentry>
+
+            <varlistentry>
+              <term>terminating</term>
+
+              <listitem>
+                <para>Added in Shorewall 4.6.4. When used with
+                <replaceable>builtin</replaceable>, indicates that the
+                built-in action is termiating (i.e., if the action is jumped
+                to, the next rule in the chain is not evaluated).</para>
+              </listitem>
+            </varlistentry>
           </variablelist>
         </listitem>
       </varlistentry>

Shorewall/manpages/shorewall-mangle.xml

@@ -27,7 +27,7 @@
 
     <para>This file was introduced in Shorewall 4.6.0 and is intended to
     replace <ulink
-    url="/manpages/shorewall-mangle.html">shorewall-rules(5)</ulink>. This
+    url="/manpages/shorewall-tcrules.html">shorewall-tcrules(5)</ulink>. This
     file is only processed by the compiler if:</para>
 
     <orderedlist numeration="loweralpha">
@@ -1109,6 +1109,104 @@ Normal-Service       =&gt; 0x00</programlisting>
           of the listed states.</para>
         </listitem>
       </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">TIME</emphasis> -
+        <emphasis>timeelement</emphasis>[&amp;<emphasis>timeelement</emphasis>...]</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.6.2.</para>
+
+          <para>May be used to limit the rule to a particular time period each
+          day, to particular days of the week or month, or to a range defined
+          by dates and times. Requires time match support in your kernel and
+          ip6tables.</para>
+
+          <para><replaceable>timeelement</replaceable> may be:</para>
+
+          <variablelist>
+            <varlistentry>
+              <term>timestart=<replaceable>hh</replaceable>:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]</term>
+
+              <listitem>
+                <para>Defines the starting time of day.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>timestop=<replaceable>hh</replaceable>:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]</term>
+
+              <listitem>
+                <para>Defines the ending time of day.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>utc</term>
+
+              <listitem>
+                <para>Times are expressed in Greenwich Mean Time.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>localtz</term>
+
+              <listitem>
+                <para>Deprecated by the Netfilter team in favor of <emphasis
+                role="bold">kerneltz</emphasis>. Times are expressed in Local
+                Civil Time (default).</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>kerneltz</term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.2. Times are expressed in Local
+                Kernel Time (requires iptables 1.4.12 or later).</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>weekdays=ddd[,ddd]...</term>
+
+              <listitem>
+                <para>where <replaceable>ddd</replaceable> is one of
+                <option>Mon</option>, <option>Tue</option>,
+                <option>Wed</option>, <option>Thu</option>,
+                <option>Fri</option>, <option>Sat</option> or
+                <option>Sun</option></para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>monthdays=dd[,dd],...</term>
+
+              <listitem>
+                <para>where <replaceable>dd</replaceable> is an ordinal day of
+                the month</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>datestart=<replaceable>yyyy</replaceable>[-<replaceable>mm</replaceable>[-<replaceable>dd</replaceable>[<option>T</option><replaceable>hh</replaceable>[:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]]]]]</term>
+
+              <listitem>
+                <para>Defines the starting date and time.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>datestop=<replaceable>yyyy</replaceable>[-<replaceable>mm</replaceable>[-<replaceable>dd</replaceable>[<option>T</option><replaceable>hh</replaceable>[:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]]]]]</term>
+
+              <listitem>
+                <para>Defines the ending date and time.</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+        </listitem>
+      </varlistentry>
     </variablelist>
   </refsect1>
 

Shorewall/manpages/shorewall-masq.xml

@@ -143,9 +143,10 @@
       </varlistentry>
 
       <varlistentry>
-        <term>(Formerly called SUBNET) -
-        {<emphasis>interface</emphasis>|<emphasis>address</emphasis>[<emphasis
-        role="bold">,</emphasis><emphasis>address</emphasis>][<emphasis>exclusion</emphasis>]}</term>
+        <term><emphasis role="bold">SOURCE</emphasis> (Formerly called SUBNET
+        - Optional) -
+        [<emphasis>interface</emphasis>|<emphasis>address</emphasis>[<emphasis
+        role="bold">,</emphasis><emphasis>address</emphasis>][<emphasis>exclusion</emphasis>]]</term>
 
         <listitem>
           <para>Set of hosts that you wish to masquerade. You can specify this

Shorewall/manpages/shorewall-nat.xml

@@ -136,6 +136,80 @@
     </variablelist>
   </refsect1>
 
+  <refsect1>
+    <title>RESTRICTIONS</title>
+
+    <para>DNAT rules always preempt one-to-one NAT rules. This has subtile
+    consequences when there are sub-zones on an
+    <replaceable>interface</replaceable>. Consider the following:</para>
+
+    <para><filename>/etc/shorewall/zones</filename>:</para>
+
+    <programlisting>#ZONE   TYPE    OPTIONS                 IN                      OUT
+#                                       OPTIONS                 OPTIONS
+fw      firewall
+net     ipv4
+loc     ipv4
+smc:net ipv4</programlisting>
+
+    <para><filename>/etc/shorewall/interfaces</filename>:</para>
+
+    <programlisting>#ZONE   INTERFACE       OPTIONS
+net     eth0            dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
+loc     eth1            tcpflags,nosmurfs,routefilter,logmartians</programlisting>
+
+    <para><filename>/etc/shorewall/hosts</filename>:</para>
+
+    <programlisting>#ZONE   HOST(S)                                 OPTIONS
+smc     eth0:10.1.10.0/24</programlisting>
+
+    <para><filename>/etc/shorewall/nat</filename>:</para>
+
+    <programlisting>#EXTERNAL       INTERFACE       INTERNAL        ALL             LOCAL
+#                                               INTERFACES
+10.1.10.100     eth0            172.20.1.100
+</programlisting>
+
+    <para>Note that the EXTERNAL address is in the <emphasis
+    role="bold">smc</emphasis> zone.</para>
+
+    <para><filename>/etc/shorewall/rules</filename>:</para>
+
+    <programlisting>#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/   MARK    CONNLIMIT       TIME            HEADERS     SWITCH           HELPER
+#                                                       PORT    PORT(S)         DEST            LIMIT           GROUP
+?SECTION ALL
+?SECTION ESTABLISHED
+?SECTION RELATED
+?SECTION INVALID
+?SECTION UNTRACKED
+?SECTION NEW
+...
+DNAT            net             loc:172.20.1.4  tcp     80</programlisting>
+
+    <para>For the one-to-one NAT to work correctly in this configuration, one
+    of two approaches can be taken:</para>
+
+    <orderedlist>
+      <listitem>
+        <para>Define a CONTINUE policy with <emphasis
+        role="bold">smc</emphasis> as the SOURCE zone (preferred):</para>
+
+        <programlisting>#SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
+<emphasis role="bold">smc		$FW		CONTINUE</emphasis>
+loc		net		ACCEPT
+net		all		DROP		info
+# THE FOLLOWING POLICY MUST BE LAST
+all		all		REJECT		info
+</programlisting>
+      </listitem>
+
+      <listitem>
+        <para>Set IMPLICIT_CONTINUE=Yes in <ulink
+        url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
+      </listitem>
+    </orderedlist>
+  </refsect1>
+
   <refsect1>
     <title>FILES</title>
 

Shorewall/manpages/shorewall-providers.xml

@@ -129,11 +129,15 @@
 
       <varlistentry>
         <term><emphasis role="bold">GATEWAY</emphasis> - {<emphasis
-        role="bold">-</emphasis>|<emphasis>address</emphasis>|<emphasis
+        role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>mac</emphasis>]|<emphasis
         role="bold">detect</emphasis>}</term>
 
         <listitem>
-          <para>The IP address of the provider's gateway router.</para>
+          <para>The IP address of the provider's gateway router. Beginning
+          with Shorewall 4.6.2, you may also specify the MAC address of the
+          gateway when there are multiple providers serviced through the same
+          interface. When the MAC is not specified, Shorewall will detect the
+          MAC during firewall start or restart.</para>
 
           <para>You can enter "detect" here and Shorewall will attempt to
           detect the gateway automatically.</para>

Shorewall/manpages/shorewall-rules.xml

@@ -476,24 +476,32 @@
             </varlistentry>
 
             <varlistentry>
-              <term>IPTABLES({<replaceable>target</replaceable>
+              <term>IPTABLES({<replaceable>iptables-target</replaceable>
               [<replaceable>option</replaceable> ...])</term>
 
               <listitem>
                 <para>This action allows you to specify an iptables target
                 with options (e.g., 'IPTABLES(MARK --set-xmark 0x01/0xff)'. If
-                the target is not one recognized by Shorewall, the following
-                error message will be issued:</para>
+                the <replaceable>iptables-target</replaceable> is not one
+                recognized by Shorewall, the following error message will be
+                issued:</para>
 
-                <simplelist>
-                  <member>ERROR: Unknown target
-                  (<replaceable>target</replaceable>)</member>
-                </simplelist>
+                <programlisting>    ERROR: Unknown target (<replaceable>iptables-target</replaceable>)</programlisting>
 
                 <para>This error message may be eliminated by adding the
-                <replaceable>target</replaceable> as a builtin action in
-                <ulink
+                <replaceable>iptables-</replaceable><replaceable>target</replaceable>
+                as a builtin action in <ulink
                 url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5).</para>
+
+                <important>
+                  <para>If you specify REJECT as the
+                  <replaceable>iptables-target</replaceable>, the target of
+                  the rule will be the iptables REJECT target and not
+                  Shorewall's builtin 'reject' chain which is used when REJECT
+                  (see below) is specified as the
+                  <replaceable>target</replaceable> in the ACTION
+                  column.</para>
+                </important>
               </listitem>
             </varlistentry>
 

Shorewall/manpages/shorewall-tcfilters.xml

@@ -88,9 +88,11 @@
           <replaceable>address</replaceable>. DNS names are not allowed.
           Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+')
           may be used if your kernel and ip6tables have the <firstterm>Basic
-          Ematch</firstterm>capability. The ipset name may optionally be
-          followed by a number or a comma separated list of src and/or dst
-          enclosed in square brackets ([...]). See <ulink
+          Ematch</firstterm> capability and you set BASIC_FILTERS=Yes in
+          <ulink url="shorewall.conf.html">shorewall.conf (5)</ulink>. The
+          ipset name may optionally be followed by a number or a comma
+          separated list of src and/or dst enclosed in square brackets
+          ([...]). See <ulink
           url="shorewall-ipsets.html">shorewall-ipsets(5)</ulink> for
           details.</para>
         </listitem>
@@ -105,9 +107,11 @@
           <replaceable>address</replaceable>. DNS names are not allowed.
           Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+')
           may be used if your kernel and ip6tables have the <firstterm>Basic
-          Ematch</firstterm>capability. The ipset name may optionally be
-          followed by a number or a comma separated list of src and/or dst
-          enclosed in square brackets ([...]). See <ulink
+          Ematch</firstterm> capability and you set BASIC_FILTERS=Yes in
+          <ulink url="shorewall.conf.html">shorewall.conf (5)</ulink>. The
+          ipset name may optionally be followed by a number or a comma
+          separated list of src and/or dst enclosed in square brackets
+          ([...]). See <ulink
           url="shorewall-ipsets.html">shorewall-ipsets(5)</ulink> for
           details.</para>
 

Shorewall/manpages/shorewall-tcrules.xml

@@ -6,6 +6,8 @@
     <refentrytitle>shorewall-mangle</refentrytitle>
 
     <manvolnum>5</manvolnum>
+
+    <refmiscinfo>Configuration Files</refmiscinfo>
   </refmeta>
 
   <refnamediv>
@@ -28,10 +30,10 @@
 
     <important>
       <para>Unlike rules in the <ulink
-      url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5) file, evaluation
-      of rules in this file will continue after a match. So the final mark for
-      each packet will be the one assigned by the LAST tcrule that
-      matches.</para>
+      url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5) file,
+      evaluation of rules in this file will continue after a match. So the
+      final mark for each packet will be the one assigned by the LAST tcrule
+      that matches.</para>
 
       <para>If you use multiple internet providers with the 'track' option, in
       /etc/shorewall/providers be sure to read the restrictions at <ulink
@@ -311,8 +313,8 @@
               <para>When using Shorewall's built-in traffic shaping tool, the
               <emphasis>major</emphasis> class is the device number (the first
               device in <ulink
-              url="/manpages/shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5) is
-              major class 1, the second device is major class 2, and so on)
+              url="/manpages/shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5)
+              is major class 1, the second device is major class 2, and so on)
               and the <emphasis>minor</emphasis> class is the class's MARK
               value in <ulink
               url="/manpages/shorewall-tcclasses.html">shorewall-tcclasses</ulink>(5)
@@ -487,7 +489,8 @@
               [<replaceable>option</replaceable>] ...") after any matches
               specified at the end of the rule. If the target is not one known
               to Shorewall, then it must be defined as a builtin action in
-              <ulink url="/manpages/shorewall-actions.html">shorewall-actions</ulink>
+              <ulink
+              url="/manpages/shorewall-actions.html">shorewall-actions</ulink>
               (5).</para>
 
               <para>The following rules are equivalent:</para>
@@ -500,8 +503,8 @@ INLINE          eth0              -                 ; -p tcp -j MARK --set-mark
 </programlisting>
 
               <para>If INLINE_MATCHES=Yes in <ulink
-              url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink> then the
-              third rule above can be specified as follows:</para>
+              url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>
+              then the third rule above can be specified as follows:</para>
 
               <programlisting>2:P             eth0              -                 ; -p tcp</programlisting>
             </listitem>

Shorewall/manpages/shorewall.conf.xml

@@ -309,17 +309,22 @@
               <term>stoppedrules</term>
 
               <listitem>
-                <para>If ADMINISABSENTMINDED=No, a warning message is issued
-                and the setting is ignored.</para>
-
-                <para>In addition to connections matching entries in
-                <filename>stoppedrules</filename>, existing connections
-                continue to work and all new connections from the firewall
-                system itself are allowed. To sever all existing connections
-                when the firewall is stopped, install the conntrack utility
-                and place the command <command>conntrack -F</command> in the
-                stopped user exit
+                <para>All existing connections continue to work. To sever all
+                existing connections when the firewall is stopped, install the
+                conntrack utility and place the command <command>conntrack
+                -F</command> in the stopped user exit
                 (<filename>/etc/shorewall/stopped</filename>).</para>
+
+                <para>If ADMINISABSENTMINDED=No, only new connections matching
+                entries in <filename>stoppedrules</filename> are accepted when
+                Shorewall is stopped. Response packets and related connections
+                are automatically accepted.</para>
+
+                <para>If ADMINISABSENTMINDED=Yes, in addition to connections
+                matching entries in <filename>stoppedrules</filename>, all new
+                connections from the firewall system itself are allowed when
+                the firewall is stopped. Response packets and related
+                connections are automatically accepted.</para>
               </listitem>
             </varlistentry>
           </variablelist>
@@ -1306,6 +1311,45 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis
+        role="bold">LOG_BACKEND=</emphasis>[<emphasis>backend</emphasis>]</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.6.4. LOG_BACKEND determines the logging
+          backend to be used for the <command>iptrace</command> command (see
+          <ulink url="manpages/shorewall.html">shorewall(8)</ulink>).</para>
+
+          <para><replaceable>backend</replaceable> is one of:</para>
+
+          <variablelist>
+            <varlistentry>
+              <term>LOG</term>
+
+              <listitem>
+                <para>Use standard kernel logging.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>ULOG</term>
+
+              <listitem>
+                <para>Use ULOG logging to ulogd.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>netlink</term>
+
+              <listitem>
+                <para>Use netlink logging to ulogd version 2 or later.</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">LOG_MARTIANS=</emphasis>[<emphasis
         role="bold">Yes</emphasis>|<emphasis
@@ -2425,7 +2469,8 @@ INLINE          -       -       -       ; -j REJECT
 
       <varlistentry>
         <term><emphasis role="bold">SAVE_IPSETS=</emphasis>{<emphasis
-        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
+        role="bold">Yes</emphasis>|<emphasis
+        role="bold">No|ipv4|<replaceable>setlist</replaceable></emphasis>}</term>
 
         <listitem>
           <para>Re-enabled in Shorewall 4.4.6. If SAVE_IPSETS=Yes, then the
@@ -2434,6 +2479,11 @@ INLINE          -       -       -       ; -j REJECT
           role="bold">shorewall save</emphasis> commands and restored by the
           <emphasis role="bold">shorewall start</emphasis> and <emphasis
           role="bold">shorewall restore</emphasis> commands.</para>
+
+          <para>Beginning with Shorewall 4.6.4, you can restrict the set of
+          ipsets saved by specifying a setlist (a comma-separated list of ipv4
+          ipset names). You may also restrict the saved sets to just the ipv4
+          ones by specifying <emphasis role="bold">ipv4</emphasis>.</para>
         </listitem>
       </varlistentry>
 

Shorewall/manpages/shorewall.xml

@@ -457,6 +457,21 @@
       <arg><replaceable>filename</replaceable></arg>
     </cmdsynopsis>
 
+    <cmdsynopsis>
+      <command>shorewall</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>run</option></arg>
+
+      <arg choice="plain"><replaceable>command</replaceable></arg>
+
+      <arg><replaceable>parameter ...</replaceable></arg>
+    </cmdsynopsis>
+
     <cmdsynopsis>
       <command>shorewall</command>
 
@@ -507,6 +522,20 @@
       <arg choice="opt"><replaceable>filename</replaceable></arg>
     </cmdsynopsis>
 
+    <cmdsynopsis>
+      <command>shorewall</command>
+
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="opt"><option>show | list | ls </option></arg>
+
+      <arg><option>-x</option></arg>
+
+      <arg choice="plain"><option>{bl|blacklists}</option></arg>
+    </cmdsynopsis>
+
     <cmdsynopsis>
       <command>shorewall</command>
 
@@ -664,7 +693,8 @@
 
       <arg>-<replaceable>options</replaceable></arg>
 
-      <arg choice="plain"><option>status</option></arg>
+      <arg choice="plain"><arg
+      choice="plain"><option>status</option><arg><option>-i</option></arg></arg></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -1099,11 +1129,10 @@
           be one or more matches that may appear in both the raw table OUTPUT
           and raw table PREROUTING chains.</para>
 
-          <para>The trace records are written to the kernel's log buffer with
-          facility = kernel and priority = warning, and they are routed from
-          there by your logging daemon (syslogd, rsyslog, syslog-ng, ...) --
-          Shorewall has no control over where the messages go; consult your
-          logging daemon's documentation.</para>
+          <para>The log message destination is determined by the
+          currently-selected IPv4 <ulink
+          url="/shorewall_logging.html#Backends">logging
+          backend</ulink>.</para>
         </listitem>
       </varlistentry>
 
@@ -1394,6 +1423,32 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">run</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.6.3. Executes
+          <replaceable>command</replaceable> in the context of the generated
+          script passing the supplied <replaceable>parameter</replaceable>s.
+          Normally, the <replaceable>command</replaceable> will be a function
+          declared in <filename>lib.private</filename>.</para>
+
+          <para>Before executing the <replaceable>command</replaceable>, the
+          script will detect the configuration, setting all SW_* variables and
+          will run your <filename>init</filename> extension script with
+          $COMMAND = 'run'.</para>
+
+          <para>If there are files in the CONFIG_PATH that were modified after
+          the current firewall script was generated, the following warning
+          message is issued:</para>
+
+          <simplelist>
+            <member>WARNING: /var/lib/shorewall/firewall is not up to
+            date</member>
+          </simplelist>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">safe-restart</emphasis></term>
 
@@ -1473,6 +1528,19 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><emphasis role="bold">bl|blacklists</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.6.2. Displays the dynamic chain
+                along with any chains produced by entries in
+                shorewall-blrules(5).The <emphasis role="bold">-x</emphasis>
+                option is passed directly through to iptables and causes
+                actual packet and byte counts to be displayed. Without this
+                option, those counts are abbreviated.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis role="bold">capabilities</emphasis></term>
 
@@ -1775,6 +1843,10 @@
         <listitem>
           <para>Produces a short report about the state of the
           Shorewall-configured firewall.</para>
+
+          <para>The <option>-i </option>option was added in Shorewall 4.6.2
+          and causes the status of each optional or provider interface to be
+          displayed.</para>
         </listitem>
       </varlistentry>
 

Shorewall/shorewall.service

@@ -1,12 +1,12 @@
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
 #
-#     Copyright 2011 Jonathan Underwood (jonathan.underwood@gmail.com)
+#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
 #
 [Unit]
 Description=Shorewall IPv4 firewall
-After=syslog.target
 After=network.target
+Conflicts=iptables.service firewalld.service
 
 [Service]
 Type=oneshot
@@ -17,4 +17,4 @@ ExecStart=/sbin/shorewall $OPTIONS start
 ExecStop=/sbin/shorewall $OPTIONS stop
 
 [Install]
-WantedBy=multi-user.target
+WantedBy=basic.target

Shorewall/uninstall.sh

@@ -27,11 +27,16 @@
 #       shown below. Simply run this script to remove Shorewall Firewall
 
 VERSION=xxx #The Build script inserts the actual version
+PRODUCT=shorewall
 
 usage() # $1 = exit status
 {
     ME=$(basename $0)
-    echo "usage: $ME [ <shorewallrc file> ]"
+    echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
+    echo "where <option> is one of"
+    echo "  -h"
+    echo "  -v"
+    echo "  -n"
     exit $1
 }
 
@@ -69,6 +74,43 @@ remove_file() # $1 = file to restore
     fi
 }
 
+finished=0
+configure=1
+
+while [ $finished -eq 0 ]; do
+    option=$1
+
+    case "$option" in
+	-*)
+	    option=${option#-}
+
+	    while [ -n "$option" ]; do
+		case $option in
+		    h)
+			usage 0
+			;;
+		    v)
+			echo "$Product Firewall Installer Version $VERSION"
+			exit 0
+			;;
+		    n*)
+			configure=0
+			option=${option#n}
+			;;
+		    *)
+			usage 1
+			;;
+		esac
+	    done
+
+	    shift
+	    ;;
+	*)
+	    finished=1
+	    ;;
+    esac
+done
+
 if [ $# -eq 0 ]; then
     if [ -f ./shorewallrc ]; then
 	. ./shorewallrc
@@ -110,24 +152,39 @@ fi
 
 echo "Uninstalling shorewall $VERSION"
 
-if qt iptables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall-lite ]; then
-   shorewall clear
+[ -n "$SANDBOX" ] && configure=0
+
+if [ $configure -eq 1 ]; then
+    if qt iptables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall-lite ]; then
+	shorewall clear
+    fi
 fi
 
 rm -f ${SBINDIR}/shorewall
 
-if [ -f "$INITSCRIPT" ]; then
-    if mywhich updaterc.d ; then
-	updaterc.d ${PRODUCT} remove
-    elif mywhich insserv ; then
-        insserv -r $INITSCRIPT
-    elif mywhich chkconfig ; then
-	chkconfig --del $(basename $INITSCRIPT)
-    elif mywhich systemctl ; then
-	systemctl disable ${PRODUCT}
+if [ -L ${SHAREDIR}/shorewall6/init ]; then
+    FIREWALL=$(readlink -m -q ${SHAREDIR}/shorewall6/init)
+elif [ -n "$INITFILE" ]; then
+    FIREWALL=${INITDIR}/${INITFILE}
+fi
+
+if [ -f "$FIREWALL" ]; then
+    if [ $configure -eq 1 ]; then
+	if mywhich updaterc.d ; then
+	    updaterc.d ${PRODUCT} remove
+	elif mywhich insserv ; then
+            insserv -r $FIREWALL
+	elif mywhich chkconfig ; then
+	    chkconfig --del $(basename $FIREWALL)
+	fi
     fi
 
-    remove_file $INITSCRIPT
+    remove_file $FIREWALL
+fi
+
+if [ -n "$SYSTEMD" ]; then
+    [ $configure -eq 1 ] && systemctl disable ${PRODUCT}
+    rm -f $SYSTEMD/shorewall.service
 fi
 
 rm -rf ${SHAREDIR}/shorewall/version
@@ -139,8 +196,8 @@ if [ -n "$SYSCONFDIR" ]; then
 fi
 
 rm -rf ${VARDIR}/shorewall
-rm -rf ${PERLLIB}/Shorewall/*
-rm -rf ${LIBEXEC}/shorewall
+rm -rf ${PERLLIBDIR}/Shorewall/*
+rm -rf ${LIBEXECDIR}/shorewall
 rm -rf ${SHAREDIR}/shorewall/configfiles/
 rm -rf ${SHAREDIR}/shorewall/Samples/
 rm -rf ${SHAREDIR}/shorewall/Shorewall/

Shorewall6-lite/manpages/shorewall6-lite.xml

@@ -317,6 +317,21 @@
       <arg><replaceable>filename</replaceable></arg>
     </cmdsynopsis>
 
+    <cmdsynopsis>
+      <command>shorewall6-lite</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>run</option></arg>
+
+      <arg choice="plain">command</arg>
+
+      <arg><replaceable>parameter ...</replaceable></arg>
+    </cmdsynopsis>
+
     <cmdsynopsis>
       <command>shorewall6-lite</command>
 
@@ -366,6 +381,20 @@
       <arg choice="plain"><option>capabilities</option></arg>
     </cmdsynopsis>
 
+    <cmdsynopsis>
+      <command>shorewall6-lite</command>
+
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="opt"><option>show | list | ls </option></arg>
+
+      <arg><option>-x</option></arg>
+
+      <arg choice="plain"><option>{bl|blacklists}</option></arg>
+    </cmdsynopsis>
+
     <cmdsynopsis>
       <command>shorewall6-lite</command>
 
@@ -465,7 +494,8 @@
 
       <arg>-<replaceable>options</replaceable></arg>
 
-      <arg choice="plain"><option>status</option></arg>
+      <arg choice="plain"><arg
+      choice="plain"><option>status</option><arg><option>-i</option></arg></arg></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -805,6 +835,23 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">run</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.6.3. Executes
+          <replaceable>command</replaceable> in the context of the generated
+          script passing the supplied <replaceable>parameter</replaceable>s.
+          Normally, the <replaceable>command</replaceable> will be a function
+          declared in <filename>lib.private</filename>.</para>
+
+          <para>Before executing the command, the script will detect the
+          configuration, setting all SW_* variables and will run your
+          <filename>init</filename> extension script with $COMMAND =
+          'run'.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">save</emphasis></term>
 
@@ -827,6 +874,19 @@
           arguments:</para>
 
           <variablelist>
+            <varlistentry>
+              <term><emphasis role="bold">bl|blacklists</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.6.2. Displays the dynamic chain
+                along with any chains produced by entries in
+                shorewall6-blrules(5).The <emphasis role="bold">-x</emphasis>
+                option is passed directly through to ip6tables and causes
+                actual packet and byte counts to be displayed. Without this
+                option, those counts are abbreviated.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis role="bold">capabilities</emphasis></term>
 
@@ -1071,6 +1131,10 @@
         <listitem>
           <para>Produces a short report about the state of the
           Shorewall-configured firewall.</para>
+
+          <para>The <option>-i </option>option was added in Shorewall 4.6.2
+          and causes the status of each optional or provider interface to be
+          displayed.</para>
         </listitem>
       </varlistentry>
 

Shorewall6-lite/shorewall6-lite.service

@@ -1,12 +1,12 @@
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
 #
-#     Copyright 2011 Jonathan Underwood (jonathan.underwood@gmail.com)
+#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
 #
 [Unit]
 Description=Shorewall IPv6 firewall (lite)
-After=syslog.target
 After=network.target
+Conflicts=ip6tables.service firewalld.service
 
 [Service]
 Type=oneshot
@@ -17,4 +17,4 @@ ExecStart=/sbin/shorewall6-lite $OPTIONS start
 ExecStop=/sbin/shorewall6-lite $OPTIONS stop
 
 [Install]
-WantedBy=multi-user.target
+WantedBy=basic.target

Shorewall6-lite/uninstall.sh

@@ -27,6 +27,7 @@
 #       shown below. Simply run this script to remove Shorewall Firewall
 
 VERSION=xxx  #The Build script inserts the actual version
+PRODUCT=shorewall6-lite
 
 usage() # $1 = exit status
 {
@@ -69,6 +70,42 @@ remove_file() # $1 = file to restore
     fi
 }
 
+finished=0
+configure=1
+
+while [ $finished -eq 0 ]; do
+    option=$1
+
+    case "$option" in
+	-*)
+	    option=${option#-}
+
+	    while [ -n "$option" ]; do
+		case $option in
+		    h)
+			usage 0
+			;;
+		    v)
+			echo "$Product Firewall Installer Version $VERSION"
+			exit 0
+			;;
+		    n*)
+			configure=0
+			option=${option#n}
+			;;
+		    *)
+			usage 1
+			;;
+		esac
+	    done
+
+	    shift
+	    ;;
+	*)
+	    finished=1
+	    ;;
+    esac
+done
 #
 # Read the RC file
 #
@@ -112,38 +149,50 @@ fi
 
 echo "Uninstalling Shorewall Lite $VERSION"
 
-if qt ip6tables -L shorewall -n && [ ! -f ${SBINDIR)/shorewall6 ]; then
-   ${SBINDIR}/shorewall6-lite clear
+[ -n "$SANDBOX" ] && configure=0
+
+if [ $configure -eq 1 ]; then
+    if qt ip6tables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall6 ]; then
+	${SBINDIR}/shorewall6-lite clear
+    fi
 fi
 
-if [ -l ${SHAREDIR}/shorewall6-lite/init ]; then
+if [ -f ${SHAREDIR}/shorewall6-lite/init ]; then
     FIREWALL=$(readlink -m -q ${SHAREDIR}/shorewall6-lite/init)
 elif [ -n "$INITFILE" ]; then
     FIREWALL=${INITDIR}/${INITFILE}
 fi
 
 if [ -f "$FIREWALL" ]; then
-    if mywhich updaterc.d ; then
-	updaterc.d shorewall6-lite remove
-    elif mywhich insserv ; then
-        insserv -r $FIREWALL
-    elif mywhich chkconfig ; then
-	chkconfig --del $(basename $FIREWALL)
-    elif mywhich systemctl ; then
-	systemctl disable shorewall6-lite
+    if [ $configure -eq 1 ]; then
+	if mywhich updaterc.d ; then
+	    updaterc.d shorewall6-lite remove
+	elif mywhich insserv ; then
+            insserv -r $FIREWALL
+	elif mywhich chkconfig ; then
+	    chkconfig --del $(basename $FIREWALL)
+	elif mywhich systemctl ; then
+	    systemctl disable shorewall6-lite
+	fi
     fi
 
     remove_file $FIREWALL
 fi
 
+if [ -n "$SYSTEMD" ]; then
+    [ $configure -eq 1 ] && systemctl disable ${PRODUCT}
+    rm -f $SYSTEMD/shorewall6-lite.service
+fi
+
 rm -f ${SBINDIR}/shorewall6-lite
 rm -rf ${CONFDIR}/shorewall6-lite
 rm -rf ${VARDIR}/shorewall6-lite
 rm -rf ${SHAREDIR}/shorewall6-lite
-rm -rf ${LIBEXEC}/shorewall6-lite
+rm -rf ${LIBEXECDIR}/shorewall6-lite
 rm -f  ${CONFDIR}/logrotate.d/shorewall6-lite
 [ -n "$SYSTEMD" ] && rm -f  ${SYSTEMD}/shorewall6-lite.service
 
+rm -f ${MANDIR}/man5/shorewall6-lite*
+rm -f ${MANDIR}/man8/shorewall6-lite*
+
 echo "Shorewall6 Lite Uninstalled"
-
-

Shorewall6/Samples6/Universal/shorewall6.conf

@@ -26,6 +26,8 @@ BLACKLIST_LOG_LEVEL=
 
 INVALID_LOG_LEVEL=
 
+LOG_BACKEND=
+
 LOG_VERBOSITY=2
 
 LOGALLNEW=
@@ -187,6 +189,8 @@ REQUIRE_INTERFACE=Yes
 
 RESTORE_ROUTEMARKS=Yes
 
+SAVE_IPSETS=No
+
 TC_ENABLED=No
 
 TC_EXPERT=No