Merge branch 'master' of ssh://server.shorewall.net/home/teastep/shorewall/code

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/configure.pl

@@ -100,7 +100,7 @@ if ( defined $vendor ) {
     } elsif ( `uname` =~ '^Darwin' ) {
 	$vendor = 'apple';
 	$rcfilename = 'shorewallrc.apple';
-    } elsif ( `uname` =~ '^Cygwin' ) {
+    } elsif ( `uname` =~ /^Cygwin/i ) {
 	$vendor = 'cygwin';
 	$rcfilename = 'shorewallrc.cygwin';
     } else {

Shorewall-core/install.sh

@@ -187,7 +187,7 @@ INSTALLD='-D'
 
 if [ -z "$BUILD" ]; then
     case $(uname) in
-	cygwin*)
+	cygwin*|CYGWIN*)
 	    BUILD=cygwin
 	    ;;
 	Darwin)

Shorewall-core/lib.cli

@@ -253,7 +253,14 @@ show_classifiers() {
 	if [ -n "$qdisc" ]; then
 	    echo Device $device:
 	    qt tc -s filter ls root dev $device && tc -s filter ls root dev $device | grep -v '^$'
-	    tc -s filter ls dev $device
+	    tc filter show dev $device
+	    tc class show dev $device | fgrep 'leaf ' | fgrep -v ' hfsc' | sed 's/^.*leaf //;s/ .*//' | while read class; do
+		if [ -n "$class" ]; then
+		    echo
+		    echo Node $class
+		    tc filter show dev $device parent $class
+		fi
+	    done
 	    echo
 	fi
     }
@@ -264,6 +271,19 @@ show_classifiers() {
 
 }
 
+#
+# Display blacklist chains
+#
+show_bl() {
+    $g_tool -L $g_ipt_options | \
+	awk 'BEGIN           {prnt=0; };
+            /^$/             {if (prnt == 1) print ""; prnt=0; };
+            /Chain .*~ /     {prnt=1; };
+            /Chain dynamic / {prnt=1; };
+            {if (prnt == 1)  print; };
+            END {if (prnt == 1 ) print "" };'
+}
+
 #
 # Watch the Firewall Log
 #
@@ -1182,7 +1202,13 @@ show_command() {
 	    echo "$g_product $SHOREWALL_VERSION events at $g_hostname - $(date)"
 	    echo
 	    show_events
-	    ;;	    
+	    ;;
+	bl|blacklists)
+	    [ $# -gt 1 ] && usage 1
+	    echo "$g_product $SHOREWALL_VERSION blacklist chains at $g_hostname - $(date)"
+	    echo
+	    show_bl;
+	    ;;
 	*)
 	    case "$g_program" in
 		*-lite)
@@ -2945,9 +2971,74 @@ show_status() {
 
 }
 
+interface_status() {
+    case $(cat $1) in
+	0)
+	    echo Enabled
+	    ;;
+	1)
+	    echo Disabled
+	    ;;
+	*)
+	    echo Unknown
+	    ;;
+    esac
+}
+
+show_interfaces() {
+    local f
+    local interface
+    local printed
+
+    for f in ${VARDIR}/*.status; do
+	interface=$(basename $f)
+	echo "   Interface ${interface%.status} is $(interface_status $f)"
+	printed=Yes
+    done
+
+    [ -n "$printed" ] && echo
+}
+
 status_command() {
+     local finished
+    finished=0
+    local option
+    local interfaces
+
+    while [ $finished -eq 0 -a $# -gt 0 ]; do
+	option=$1
+	case $option in
+	    -*)
+		option=${option#-}
+
+		while [ -n "$option" ]; do
+		    case $option in
+			-)
+			    finished=1
+			    option=
+			    ;;
+			i*)
+			    interfaces=Yes
+			    option=${option#i}
+			    ;;
+			*)
+			    usage 1
+			    ;;
+		    esac
+		done
+		shift
+		;;
+	    *)
+		finished=1
+		;;
+	esac
+    done
+
+    [ $# -eq 0 ] || usage 1
+
     [ $VERBOSITY -ge 1 ] && echo "${g_product}-$SHOREWALL_VERSION Status at $g_hostname - $(date)" && echo
     show_status
+    [ -n "$interfaces" ] && show_interfaces
     exit $status
 }
 
@@ -3459,6 +3550,7 @@ usage() # $1 = exit status
     echo "   [ show | list | ls ] [ -b ] [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
     echo "   [ show | list | ls ] [ -f ] capabilities"
     echo "   [ show | list | ls ] arptables"
+    echo "   [ show | list | ls ] [ -x ] {bl|blacklists}"
     echo "   [ show | list | ls ] classifiers"
     echo "   [ show | list | ls ] config"
     echo "   [ show | list | ls ] connections"
@@ -3481,7 +3573,7 @@ usage() # $1 = exit status
     echo "   [ show | list | ls ] zones"
     echo "   start [ -f ] [ -p ] [ <directory> ]"
     echo "   stop"
-    echo "   status"
+    echo "   status [ -i ]"
     echo "   version [ -a ]"
     echo
     exit $1
@@ -3732,10 +3824,10 @@ shorewall_cli() {
     	    show_command $@
 	    ;;
 	status)
-	    [ $# -eq 1 ] || usage 1
 	    [ "$(id -u)" != 0 ] && fatal_error "The status command may only be run by root"
 	    get_config
-	    status_command
+	    shift
+	    status_command $@
 	    ;;
 	dump)
 	    get_config Yes No Yes

Shorewall-init/init.debian.sh

@@ -105,19 +105,19 @@ shorewall_start () {
   for PRODUCT in $PRODUCTS; do
       setstatedir
 
-      if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then
+      if [ -x ${STATEDIR}/firewall ]; then
           #
 	  # Run in a sub-shell to avoid name collisions
 	  #
 	  ( 
-	      if ! ${STATEDIR}/$PRODUCT/firewall status > /dev/null 2>&1; then
-		  ${STATEDIR}/$PRODUCT/firewall ${OPTIONS} stop || echo_notdone
+	      if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
+		  ${STATEDIR}/firewall ${OPTIONS} stop || echo_notdone
 	      else
 		  echo_notdone
 	      fi
 	  )
       else
-	  echo echo_notdone
+	  echo_notdone
       fi
   done
 
@@ -135,8 +135,8 @@ shorewall_stop () {
   for PRODUCT in $PRODUCTS; do
       setstatedir
 
-      if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then
-	  ${STATEDIR}/$PRODUCT/firewall ${OPTIONS} clear || echo_notdone
+      if [ -x ${STATEDIR}/firewall ]; then
+	  ${STATEDIR}/firewall ${OPTIONS} clear || echo_notdone
       fi
   done
 

Shorewall-init/install.sh

@@ -191,7 +191,7 @@ if [ -z "$BUILD" ]; then
 		eval $(cat /etc/os-release | grep ^ID=)
 
 		case $ID in
-		    fedora)
+		    fedora|rhel)
 			BUILD=redhat
 			;;
 		    debian|ubuntu)

Shorewall-lite/install.sh

@@ -195,7 +195,7 @@ T='-T'
 
 if [ -z "$BUILD" ]; then
     case $(uname) in
-	cygwin*)
+	cygwin*|CYGWIN*)
 	    BUILD=cygwin
 	    ;;
 	Darwin)
@@ -242,7 +242,7 @@ if [ -z "$BUILD" ]; then
 fi
 
 case $BUILD in
-    cygwin*)
+    cygwin*|CYGWIN*)
 	OWNER=$(id -un)
 	GROUP=$(id -gn)
 	;;

Shorewall/Macros/macro.AMQP

@@ -0,0 +1,14 @@
+#
+# Shorewall version 4 - AMQP Macro
+#
+# /usr/share/shorewall/macro.AMQP
+#
+#	This macro handles AMQP traffic.
+#
+###############################################################################
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+PARAM	-	-	tcp	5672
+PARAM	-	-	udp	5672

Shorewall/Macros/macro.Amanda

@@ -14,7 +14,7 @@
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __AMANDA_HELPER )
- PARAM	-	-	udp	10080 ; helper=amanda
+ PARAM	-	-	udp	10080 { helper=amanda }
 ?else
  PARAM	-	-	udp	10080
 ?endif

Shorewall/Macros/macro.FTP

@@ -11,7 +11,7 @@
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __FTP_HELPER  )
- PARAM	-	-	tcp	21 ; helper=ftp
+ PARAM	-	-	tcp	21 { helper=ftp }
 ?else
  PARAM	-	-	tcp	21
 ?endif

Shorewall/Macros/macro.ILO

@@ -0,0 +1,23 @@
+#
+# Shorewall version 4 - ILO Macro
+#
+# /usr/share/shorewall/macro.ILO
+#
+#	This macro handles console redirection with HP ILO 2+,
+#	Use this macro to open access to your ILO interface from management
+#	workstations.
+#
+###############################################################################
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+PARAM	-	-	tcp	3002		# Raw serial data
+PARAM	-	-	tcp	9300		# Shared Remote Console
+PARAM	-	-	tcp	17988		# Virtual Media
+PARAM	-	-	tcp	17990		# Console Replay
+HTTP
+HTTPS
+RDP
+SSH
+Telnet						# Remote Console/Telnet

Shorewall/Macros/macro.IPMI

@@ -0,0 +1,26 @@
+#
+# Shorewall version 4 - IPMI Macro
+#
+# /usr/share/shorewall/macro.IPMI
+#
+#	This macro handles IPMI console redirection with Asus (AMI),
+#	Dell DRAC5+ (Avocent), and Supermicro (Aten or AMI).
+#	Use this macro to open access to your IPMI interface from management
+#	workstations.
+#
+###############################################################################
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+PARAM	-	-	tcp	623		# RMCP
+PARAM	-	-	tcp	3668,3669	# Virtual Media, Secure (Dell)
+PARAM	-	-	tcp	5120,5123	# CD, floppy (Asus, Aten)
+PARAM	-	-	tcp	5900,5901	# Remote Console (Aten, Dell)
+PARAM	-	-	tcp	7578		# Remote Console (AMI)
+PARAM	-	-	udp	623		# RMCP
+HTTP
+HTTPS
+SNMP
+SSH						# Serial over Lan
+Telnet

Shorewall/Macros/macro.IRC

@@ -12,7 +12,7 @@
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __IRC_HELPER  )
- PARAM	-	-	tcp	6667 ; helper=irc
+ PARAM	-	-	tcp	6667 { helper=irc }
 ?else
  PARAM	-	-	tcp	6667
 ?endif

Shorewall/Macros/macro.MongoDB

@@ -0,0 +1,13 @@
+#
+# Shorewall version 4 - MongoDB Macro
+#
+# /usr/share/shorewall/macro.MongoDB
+#
+#	This macro handles MongoDB Daemon/Router traffic.
+#
+###############################################################################
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+PARAM	-	-	tcp	27017

Shorewall/Macros/macro.PPtP

@@ -14,7 +14,7 @@ PARAM	-	-	47
 PARAM	DEST	SOURCE	47
 
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __PPTP_HELPER )
- PARAM	-	-	tcp	1723 ; helper=pptp
+ PARAM	-	-	tcp	1723 { helper=pptp }
 ?else
  PARAM	-	-	tcp	1723
 ?endif

Shorewall/Macros/macro.Redis

@@ -0,0 +1,13 @@
+#
+# Shorewall version 4 - Redis Macro
+#
+# /usr/share/shorewall/macro.Redis
+#
+#	This macro handles Redis traffic.
+#
+###############################################################################
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+PARAM	-	-	tcp	6379

Shorewall/Macros/macro.SANE

@@ -12,7 +12,7 @@
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __SANE_HELPER )
- PARAM	-	-	tcp	6566 ; helper=sane
+ PARAM	-	-	tcp	6566 { helper=sane }
 ?else
  PARAM	-	-	tcp	6566
 ?endif

Shorewall/Macros/macro.SIP

@@ -12,7 +12,7 @@
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __SIP_HELPER  )
- PARAM	-	-	udp	5060 ; helper=sip
+ PARAM	-	-	udp	5060 { helper=sip }
 ?else
  PARAM	-	-	udp	5060
 ?endif

Shorewall/Macros/macro.SMB

@@ -17,7 +17,7 @@
 PARAM	-	-	udp	135,445
 
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
- PARAM	-	-	udp	137 ; helper=netbios-ns
+ PARAM	-	-	udp	137 { helper=netbios-ns }
  PARAM	-	-	udp	138:139
 ?else
  PARAM	-	-	udp	137:139

Shorewall/Macros/macro.SMBBI

@@ -17,7 +17,7 @@
 PARAM	-	-	udp	135,445
 
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
- PARAM	-	-	udp	137 ; helper=netbios-ns
+ PARAM	-	-	udp	137 { helper=netbios-ns }
  PARAM	-	-	udp	138:139
 ?else
  PARAM	-	-	udp	137:139
@@ -28,7 +28,7 @@ PARAM	-	-	tcp	135,139,445
 PARAM	DEST	SOURCE	udp	135,445
 
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
- PARAM	DEST	SOURCE	udp	137 ; helper=netbios-ns
+ PARAM	DEST	SOURCE	udp	137 { helper=netbios-ns }
  PARAM	DEST	SOURCE	udp	138:139
 ?else
  PARAM	DEST	SOURCE	udp	137:139

Shorewall/Macros/macro.SNMP

@@ -14,7 +14,7 @@
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __SNMP_HELPER )
- PARAM	-	-  	udp     161 ; helper=snmp
+ PARAM	-	-  	udp     161 { helper=snmp }
 ?else
  PARAM	-	-	udp	161
 ?endif

Shorewall/Macros/macro.Sieve

@@ -0,0 +1,13 @@
+#
+# Shorewall version 4 - Sieve Macro
+#
+# /usr/share/shorewall/macro.Sieve
+#
+#	This macro handles sieve aka ManageSieve protocol.
+#
+###############################################################################
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+PARAM	-	-	tcp	4190

Shorewall/Macros/macro.TFTP

@@ -14,7 +14,7 @@
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __TFTP_HELPER )
- PARAM	-	-	udp	69 ; helper=tftp
+ PARAM	-	-	udp	69 { helper=tftp }
 ?else
  PARAM	-	-	udp	69
 ?endif

Shorewall/Perl/Shorewall/Chains.pm

@@ -6723,20 +6723,25 @@ sub interface_mac( $$ ) {
 #
 # Record the fact that the ruleset requires MAC address of the passed gateway IP routed out of the passed interface for the passed provider number
 #
-sub get_interface_mac( $$$ ) {
-    my ( $ipaddr, $logical , $table ) = @_;
+sub get_interface_mac( $$$$ ) {
+    my ( $ipaddr, $logical , $table, $mac ) = @_;
 
     my $interface = get_physical( $logical );
     my $variable = interface_mac( $interface , $table );
 
     $global_variables |= NOT_RESTORE;
-
-    if ( interface_is_optional $logical ) {
-	$interfacemacs{$table} = qq($variable=\$(find_mac $ipaddr $interface)\n);
+    
+    if ( $mac ) {
+	$interfacemacs{$table} = qq($variable=$mac);
     } else {
-	$interfacemacs{$table} = qq($variable=\$(find_mac $ipaddr $interface)
+	if ( interface_is_optional $logical ) {
+	    $interfacemacs{$table} = qq($variable=\$(find_mac $ipaddr $interface)\n);
+	} else {
+	    $interfacemacs{$table} = qq($variable=\$(find_mac $ipaddr $interface)
 [ -n "\$$variable" ] || startup_error "Unable to determine the MAC address of $ipaddr through interface \\"$interface\\""
 );
+
+       }
     }
 
     "\$$variable";

Shorewall/Perl/Shorewall/Compiler.pm

@@ -819,7 +819,7 @@ sub compiler {
     #
     # Setup Nat
     #
-    setup_nat if $family == F_IPV4;
+    setup_nat;
     #
     # Setup NETMAP
     #

Shorewall/Perl/Shorewall/Nat.pm

@@ -633,7 +633,7 @@ sub setup_netmap() {
 }
 
 #
-# Called from process_rule1 to add a rule to the NAT table
+# Called from process_rule to add a rule to the NAT table
 #
 sub handle_nat_rule( $$$$$$$$$$$$$ ) {
     my ( $dest,           # <server>[:port]
@@ -687,6 +687,11 @@ sub handle_nat_rule( $$$$$$$$$$$$$ ) {
 	#
 	$server = $dest;
     }
+
+    #
+    # Check for list in $server
+    #
+    fatal_error "An address list ($server) is not allowed in the DEST column of a $action RULE" if $server =~ /,/;
     #
     # Generate the target
     #

Shorewall/Perl/Shorewall/Providers.pm

@@ -258,7 +258,7 @@ sub copy_and_edit_table( $$$$$ ) {
     emit '';
 
     if ( $realm ) {
-	emit  ( "\$IP -$family -o route show table $duplicate | sed -r 's/ realm [[:alnum:]]+//' | ${filter}while read net route; do" )
+	emit  ( "\$IP -$family -o route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | ${filter}while read net route; do" )
     } else {
 	emit  ( "\$IP -$family -o route show table $duplicate | ${filter}while read net route; do" )
     }
@@ -442,10 +442,11 @@ sub process_a_provider( $ ) {
 
     fatal_error 'INTERFACE must be specified' if $interface eq '-';
 
-    ( $interface, my $address ) = split /:/, $interface;
+    ( $interface, my $address ) = split /:/, $interface, 2;
 
     my $shared = 0;
     my $noautosrc = 0;
+    my $mac = '';
 
     if ( defined $address ) {
 	validate_address $address, 0;
@@ -469,7 +470,17 @@ sub process_a_provider( $ ) {
 	$gateway = get_interface_gateway $interface;
 	$gatewaycase = 'detect';
     } elsif ( $gateway && $gateway ne '-' ) {
+	( $gateway, $mac ) = split_host_list( $gateway, 0 );
 	validate_address $gateway, 0;
+
+	if ( defined $mac ) {
+	    $mac =~ tr/-/:/;
+	    $mac =~ s/^~//;
+	    fatal_error "Invalid MAC address ($mac)" unless $mac =~ /^(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$/;
+	} else {
+	    $mac = '';
+	}
+
 	$gatewaycase = 'specified';
     } else {
 	$gatewaycase = 'none';
@@ -644,6 +655,7 @@ sub process_a_provider( $ ) {
 			   loose       => $loose ,
 			   duplicate   => $duplicate ,
 			   address     => $address ,
+			   mac         => $mac ,
 			   local       => $local ,
 			   tproxy      => $tproxy ,
 			   load        => $load ,
@@ -720,6 +732,7 @@ sub add_a_provider( $$ ) {
     my $loose       = $providerref->{loose};
     my $duplicate   = $providerref->{duplicate};
     my $address     = $providerref->{address};
+    my $mac         = $providerref->{mac};
     my $local       = $providerref->{local};
     my $tproxy      = $providerref->{tproxy};
     my $load        = $providerref->{load};
@@ -733,7 +746,7 @@ sub add_a_provider( $$ ) {
     my $realm = '';
 
     if ( $shared ) {
-	my $variable = $providers{$table}{mac} = get_interface_mac( $gateway, $interface , $table );
+	my $variable = $providers{$table}{mac} = get_interface_mac( $gateway, $interface , $table, $mac );
 	$realm = "realm $number";
 	start_provider( $label , $table, $number, $id, qq(if interface_is_usable $physical && [ -n "$variable" ]; then) );
     } elsif ( $pseudo ) {

Shorewall/Perl/Shorewall/Rules.pm

@@ -2950,7 +2950,7 @@ sub perl_action_helper($$;$) {
 
     $matches .= ' ' unless $matches =~ /^(?:.+\s)?$/;
 
-    set_inline_matches $matches if $target =~ /^INLINE(?::.*)?$/;
+    set_inline_matches( $target =~ /^INLINE(?::.*)?$/ ? $matches : '' );
 
     if ( $isstatematch ) {
 	if ( $statematch ) {
@@ -3023,6 +3023,8 @@ sub perl_action_tcp_helper($$) {
 
     $proto .= ' ' unless $proto =~ /^(?:.+\s)?$/;
 
+    set_inline_matches( '' ) if $config{INLINE_MATCHES};
+
     if ( $passedproto eq '-' || $passedproto eq 'tcp' || $passedproto eq '6' ) {
 	#
 	# For other protos, a 'no rule generated' warning will be issued

Shorewall/Perl/Shorewall/Tc.pm

@@ -174,8 +174,8 @@ sub initialize( $ ) {
 #
 # Process a rule from the tcrules or mangle file
 #
-sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
-    our ( $file, $action, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state ) = @_;
+sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
+    our ( $file, $action, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time ) = @_;
 
     use constant {
 	PREROUTING     => 1,        #Actually tcpre
@@ -423,7 +423,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 	    function       => sub () {
 		require_capability 'DSCP_TARGET', 'The DSCP action', 's';
 		my $dscp = numeric_value( $params );
-		$dscp = $dscpmap{$1} unless defined $dscp;
+		$dscp = $dscpmap{$params} unless defined $dscp;
 		fatal_error( "Invalid DSCP ($params)" ) unless defined $dscp && $dscp <= 0x38 && ! ( $dscp & 1 );
 		$target = 'DSCP --set-dscp ' . in_hex( $dscp );
 	    },
@@ -562,7 +562,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 
 	RESTORE    => {
 	    defaultchain   => 0,
-	    allowedchains  => PREROUTING | FORWARD | POSTROUTING,
+	    allowedchains  => PREROUTING | FORWARD | OUTPUT | POSTROUTING,
 	    minparams      => 0,
 	    maxparams      => 1,
 	    function       => sub () {
@@ -591,7 +591,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 
 	SAVE       => {
 	    defaultchain   => 0,
-	    allowedchains  => PREROUTING | FORWARD | POSTROUTING,
+	    allowedchains  => PREROUTING | FORWARD | OUTPUT | POSTROUTING,
 	    minparams      => 0,
 	    maxparams      => 1,
 	    function       => sub () {
@@ -798,6 +798,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 					 do_probability( $probability ) .
 					 do_dscp( $dscp ) .
 					 state_match( $state ) .
+					 do_time( $time ) .
 					 $raw_matches ,
 					 $source ,
 					 $dest ,
@@ -986,7 +987,9 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
 			      $headers,
 			      $probability,
 			      $dscp,
-			      $state );
+			      $state,
+			      '-',
+	    );
     }
 }
 
@@ -1046,9 +1049,9 @@ sub process_tc_rule( ) {
 }    
 
 sub process_mangle_rule( ) {
-    my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state );
+    my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time );
     if ( $family == F_IPV4 ) {
-	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state ) =
+	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state, $time ) =
 	    split_line2( 'tcrules file',
 			 { mark => 0,
 			   action => 0,
@@ -1065,13 +1068,15 @@ sub process_mangle_rule( ) {
 			   helper => 11,
 			   probability => 12 , 
 			   scp => 13,
-			   state => 14 },
+			   state => 14,
+			   time => 15,
+			 },
 			 {},
-			 15,
+			 16,
 	                 1 );
 	$headers = '-';
     } else {
-	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state ) =
+	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state, $time ) =
 	    split_line2( 'tcrules file',
 			 { mark => 0,
 			   action => 0,
@@ -1089,14 +1094,16 @@ sub process_mangle_rule( ) {
 			   headers => 12,
 			   probability => 13,
 			   dscp => 14,
-			   state => 15 },
+			   state => 15,
+			   time => 16,
+			 },
 			 {},
-			 16,
+			 17,
 	                 1 );
     }
 
     for my $proto (split_list( $protos, 'Protocol' ) ) {
-	process_mangle_rule1( 'Mangle', $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state );
+	process_mangle_rule1( 'Mangle', $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time );
     }
 }
  

Shorewall/Samples/one-interface/README.txt

@@ -3,7 +3,7 @@ For instructions on using this sample configuration, please see
 http://www.shorewall.net/standalone.htm
 
     Shorewall Samples
-    Copyright (C) 2006 by the following authors:
+    Copyright (C) 2006-2014 by the following authors:
 	Thomas M. Eastep
 	Paul D. Gear
 	Cristian Rodriguez

Shorewall/Samples/one-interface/interfaces

@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Interfaces File for one-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/one-interface/policy

@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Policy File for one-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/one-interface/rules

@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Rules File for one-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/one-interface/shorewall.conf

@@ -2,7 +2,7 @@
 #
 # Shorewall version 4.0 - Sample shorewall.conf for one-interface
 #                         configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/one-interface/zones

@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Zones File for one-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/three-interfaces/README.txt

@@ -3,7 +3,7 @@ For instructions on using these sample configurations, please see
 http://www.shorewall.net/three-interface.htm
 
     Shorewall Samples
-    Copyright (C) 2006 by the following authors:
+    Copyright (C) 2006-2014 by the following authors:
 	Thomas M. Eastep
 	Paul D. Gear
 	Cristian Rodriguez

Shorewall/Samples/three-interfaces/interfaces

@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Interfaces File for three-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/three-interfaces/masq

@@ -1,6 +1,6 @@
 #
 # Shorewall version 3.4 - Sample Masq file for three-interface configuration.
-# Copyright (C) 2006,2007 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/three-interfaces/policy

@@ -1,6 +1,6 @@
 #
 # Shorewall version 3.4 - Sample Policy File for three-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/three-interfaces/rules

@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Rules File for three-interface configuration.
-# Copyright (C) 2006,2007 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/three-interfaces/shorewall.conf

@@ -2,8 +2,7 @@
 #
 # Shorewall version 4.0 - Sample shorewall.conf for three-interface
 #                         configuration.
-# Copyright (C) 2006 by the Shorewall Team
-#               2011 by Thomas M. Eastep
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/three-interfaces/zones

@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Zones File for three-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/two-interfaces/README.txt

@@ -3,7 +3,7 @@ For instructions on using these sample configurations, please see
 http://www.shorewall.net/two-interface.htm
 
     Shorewall Samples
-    Copyright (C) 2006 by the following authors:
+    Copyright (C) 2006-2014 by the following authors:
 	Thomas M. Eastep
 	Paul D. Gear
 	Cristian Rodriguez

Shorewall/Samples/two-interfaces/interfaces

@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Interfaces File for two-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/two-interfaces/masq

@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Masq file for two-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/two-interfaces/policy

@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Policy File for two-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/two-interfaces/rules

@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Rules File for two-interface configuration.
-# Copyright (C) 2006,2007 by the Shorewall Team
+# Copyright (C) 2006-2014,2007 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/two-interfaces/shorewall.conf

@@ -2,8 +2,7 @@
 #
 # Shorewall version 4.0 - Sample shorewall.conf for two-interface
 #                         configuration.
-# Copyright (C) 2006,2007 by the Shorewall Team
-#               2011 by Thomas M. Eastep
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/two-interfaces/zones

@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Zones File for two-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/configfiles/initdone

@@ -5,7 +5,7 @@
 #
 #	Add commands below that you want to be executed during
 #	"shorewall start" or "shorewall restart" commands at the point where
-#	Shorewall has not yet added any perminent rules to the builtin chains.
+#	Shorewall has not yet added any permanent rules to the builtin chains.
 #
 # For additional information, see
 # http://shorewall.net/shorewall_extension_scripts.htm

Shorewall/install.sh

@@ -205,7 +205,7 @@ done
 
 if [ -z "$BUILD" ]; then
     case $(uname) in
-	cygwin*)
+	cygwin*|CYGWIN)
 	    BUILD=cygwin
 	    ;;
 	Darwin)
@@ -399,7 +399,7 @@ fi
 #
 # Create /etc/$PRODUCT and other directories
 #
-mkdir -p ${DESTDIR}/${CONFDIR}/$PRODUCT
+mkdir -p ${DESTDIR}${CONFDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${PERLLIBDIR}/Shorewall
 mkdir -p ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles

Shorewall/lib.cli-std

@@ -1671,6 +1671,7 @@ usage() # $1 = exit status
     echo "   save [ <file name> ]"
     echo "   [ show | list | ls ] [ -x ] [ -t {filter|mangle|nat|raw|rawpost} ] [ {chain [<chain> [ <chain> ... ]"
     echo "   [ show | list | ls ] actions"
+    echo "   [ show | list | ls ] [ -x ] {bl|blacklists}"
     echo "   [ show | list | ls ] [ -f ] capabilities"
     echo "   [ show | list | ls ] classifiers"
     echo "   [ show | list | ls ] config"
@@ -1695,7 +1696,7 @@ usage() # $1 = exit status
     echo "   [ show | list | ls ] vardir"
     echo "   [ show | list | ls ] zones"
     echo "   start [ -f ] [ -n ] [ -p ] [ -c ] [ -T ] [ -i ] [ <directory> ]"
-    echo "   status"
+    echo "   status [ -i ]"
     echo "   stop"
     echo "   try <directory> [ <timeout> ]"
     echo "   update [ -a ] [ -b ] [ -r ] [ -T ] [ -D ] [ -i ] [-t] [-A] [ <directory> ]"

Shorewall/manpages/shorewall-mangle.xml

@@ -1109,6 +1109,104 @@ Normal-Service       =&gt; 0x00</programlisting>
           of the listed states.</para>
         </listitem>
       </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">TIME</emphasis> -
+        <emphasis>timeelement</emphasis>[&amp;<emphasis>timeelement</emphasis>...]</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.6.2.</para>
+
+          <para>May be used to limit the rule to a particular time period each
+          day, to particular days of the week or month, or to a range defined
+          by dates and times. Requires time match support in your kernel and
+          ip6tables.</para>
+
+          <para><replaceable>timeelement</replaceable> may be:</para>
+
+          <variablelist>
+            <varlistentry>
+              <term>timestart=<replaceable>hh</replaceable>:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]</term>
+
+              <listitem>
+                <para>Defines the starting time of day.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>timestop=<replaceable>hh</replaceable>:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]</term>
+
+              <listitem>
+                <para>Defines the ending time of day.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>utc</term>
+
+              <listitem>
+                <para>Times are expressed in Greenwich Mean Time.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>localtz</term>
+
+              <listitem>
+                <para>Deprecated by the Netfilter team in favor of <emphasis
+                role="bold">kerneltz</emphasis>. Times are expressed in Local
+                Civil Time (default).</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>kerneltz</term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.2. Times are expressed in Local
+                Kernel Time (requires iptables 1.4.12 or later).</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>weekdays=ddd[,ddd]...</term>
+
+              <listitem>
+                <para>where <replaceable>ddd</replaceable> is one of
+                <option>Mon</option>, <option>Tue</option>,
+                <option>Wed</option>, <option>Thu</option>,
+                <option>Fri</option>, <option>Sat</option> or
+                <option>Sun</option></para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>monthdays=dd[,dd],...</term>
+
+              <listitem>
+                <para>where <replaceable>dd</replaceable> is an ordinal day of
+                the month</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>datestart=<replaceable>yyyy</replaceable>[-<replaceable>mm</replaceable>[-<replaceable>dd</replaceable>[<option>T</option><replaceable>hh</replaceable>[:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]]]]]</term>
+
+              <listitem>
+                <para>Defines the starting date and time.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>datestop=<replaceable>yyyy</replaceable>[-<replaceable>mm</replaceable>[-<replaceable>dd</replaceable>[<option>T</option><replaceable>hh</replaceable>[:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]]]]]</term>
+
+              <listitem>
+                <para>Defines the ending date and time.</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+        </listitem>
+      </varlistentry>
     </variablelist>
   </refsect1>
 

Shorewall/manpages/shorewall-masq.xml

@@ -143,10 +143,10 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">SOURCE</emphasis> (Formerly called SUBNET)
-        -
-        {<emphasis>interface</emphasis>|<emphasis>address</emphasis>[<emphasis
-        role="bold">,</emphasis><emphasis>address</emphasis>][<emphasis>exclusion</emphasis>]}</term>
+        <term><emphasis role="bold">SOURCE</emphasis> (Formerly called SUBNET
+        - Optional) -
+        [<emphasis>interface</emphasis>|<emphasis>address</emphasis>[<emphasis
+        role="bold">,</emphasis><emphasis>address</emphasis>][<emphasis>exclusion</emphasis>]]</term>
 
         <listitem>
           <para>Set of hosts that you wish to masquerade. You can specify this

Shorewall/manpages/shorewall-nat.xml

@@ -136,6 +136,80 @@
     </variablelist>
   </refsect1>
 
+  <refsect1>
+    <title>RESTRICTIONS</title>
+
+    <para>DNAT rules always preempt one-to-one NAT rules. This has subtile
+    consequences when there are sub-zones on an
+    <replaceable>interface</replaceable>. Consider the following:</para>
+
+    <para><filename>/etc/shorewall/zones</filename>:</para>
+
+    <programlisting>#ZONE   TYPE    OPTIONS                 IN                      OUT
+#                                       OPTIONS                 OPTIONS
+fw      firewall
+net     ipv4
+loc     ipv4
+smc:net ipv4</programlisting>
+
+    <para><filename>/etc/shorewall/interfaces</filename>:</para>
+
+    <programlisting>#ZONE   INTERFACE       OPTIONS
+net     eth0            dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
+loc     eth1            tcpflags,nosmurfs,routefilter,logmartians</programlisting>
+
+    <para><filename>/etc/shorewall/hosts</filename>:</para>
+
+    <programlisting>#ZONE   HOST(S)                                 OPTIONS
+smc     eth0:10.1.10.0/24</programlisting>
+
+    <para><filename>/etc/shorewall/nat</filename>:</para>
+
+    <programlisting>#EXTERNAL       INTERFACE       INTERNAL        ALL             LOCAL
+#                                               INTERFACES
+10.1.10.100     eth0            172.20.1.100
+</programlisting>
+
+    <para>Note that the EXTERNAL address is in the <emphasis
+    role="bold">smc</emphasis> zone.</para>
+
+    <para><filename>/etc/shorewall/rules</filename>:</para>
+
+    <programlisting>#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/   MARK    CONNLIMIT       TIME            HEADERS     SWITCH           HELPER
+#                                                       PORT    PORT(S)         DEST            LIMIT           GROUP
+?SECTION ALL
+?SECTION ESTABLISHED
+?SECTION RELATED
+?SECTION INVALID
+?SECTION UNTRACKED
+?SECTION NEW
+...
+DNAT            net             loc:172.20.1.4  tcp     80</programlisting>
+
+    <para>For the one-to-one NAT to work correctly in this configuration, one
+    of two approaches can be taken:</para>
+
+    <orderedlist>
+      <listitem>
+        <para>Define a CONTINUE policy with <emphasis
+        role="bold">smc</emphasis> as the SOURCE zone (preferred):</para>
+
+        <programlisting>#SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
+<emphasis role="bold">smc		$FW		CONTINUE</emphasis>
+loc		net		ACCEPT
+net		all		DROP		info
+# THE FOLLOWING POLICY MUST BE LAST
+all		all		REJECT		info
+</programlisting>
+      </listitem>
+
+      <listitem>
+        <para>Set IMPLICIT_CONTINUE=Yes in <ulink
+        url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
+      </listitem>
+    </orderedlist>
+  </refsect1>
+
   <refsect1>
     <title>FILES</title>
 

Shorewall/manpages/shorewall-providers.xml

@@ -129,11 +129,15 @@
 
       <varlistentry>
         <term><emphasis role="bold">GATEWAY</emphasis> - {<emphasis
-        role="bold">-</emphasis>|<emphasis>address</emphasis>|<emphasis
+        role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>mac</emphasis>]|<emphasis
         role="bold">detect</emphasis>}</term>
 
         <listitem>
-          <para>The IP address of the provider's gateway router.</para>
+          <para>The IP address of the provider's gateway router. Beginning
+          with Shorewall 4.6.2, you may also specify the MAC address of the
+          gateway when there are multiple providers serviced through the same
+          interface. When the MAC is not specified, Shorewall will detect the
+          MAC during firewall start or restart.</para>
 
           <para>You can enter "detect" here and Shorewall will attempt to
           detect the gateway automatically.</para>

Shorewall/manpages/shorewall.xml

@@ -507,6 +507,20 @@
       <arg choice="opt"><replaceable>filename</replaceable></arg>
     </cmdsynopsis>
 
+    <cmdsynopsis>
+      <command>shorewall</command>
+
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="opt"><option>show | list | ls </option></arg>
+
+      <arg><option>-x</option></arg>
+
+      <arg choice="plain"><option>{bl|blacklists}</option></arg>
+    </cmdsynopsis>
+
     <cmdsynopsis>
       <command>shorewall</command>
 
@@ -664,7 +678,8 @@
 
       <arg>-<replaceable>options</replaceable></arg>
 
-      <arg choice="plain"><option>status</option></arg>
+      <arg choice="plain"><arg
+      choice="plain"><option>status</option><arg><option>-i</option></arg></arg></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -1473,6 +1488,19 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><emphasis role="bold">bl|blacklists</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.6.2. Displays the dynamic chain
+                along with any chains produced by entries in
+                shorewall-blrules(5).The <emphasis role="bold">-x</emphasis>
+                option is passed directly through to iptables and causes
+                actual packet and byte counts to be displayed. Without this
+                option, those counts are abbreviated.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis role="bold">capabilities</emphasis></term>
 
@@ -1775,6 +1803,10 @@
         <listitem>
           <para>Produces a short report about the state of the
           Shorewall-configured firewall.</para>
+
+          <para>The <option>-i </option>option was added in Shorewall 4.6.2
+          and causes the status of each optional or provider interface to be
+          displayed.</para>
         </listitem>
       </varlistentry>
 

Shorewall6/Samples6/one-interface/README.txt

@@ -3,7 +3,7 @@ For instructions on using this sample configuration, please see
 http://www.shorewall.net/standalone.htm
 
     Shorewall Samples
-    Copyright (C) 2006 by the following authors:
+    Copyright (C) 2006-2014 by the following authors:
 	Thomas M. Eastep
 	Paul D. Gear
 	Cristian Rodriguez

Shorewall6/Samples6/one-interface/interfaces

@@ -1,6 +1,6 @@
 #
 # Shorewall6 version 4 - Sample Interfaces File for one-interface configuration.
-# Copyright (C) 2006,2008 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall6/Samples6/one-interface/policy

@@ -1,6 +1,6 @@
 #
 # Shorewall6 version 4 - Sample Policy File for one-interface configuration.
-# Copyright (C) 2006,2008 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall6/Samples6/one-interface/rules

@@ -1,6 +1,6 @@
 #
 # Shorewall6 version 4 - Sample Rules File for one-interface configuration.
-# Copyright (C) 2006,2008 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall6/Samples6/one-interface/zones

@@ -1,6 +1,6 @@
 #
 # Shorewall6 version 4 - Sample Zones File for one-interface IPv6 configuration.
-# Copyright (C) 2006,2008 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall6/Samples6/three-interfaces/README.txt

@@ -3,7 +3,7 @@ For instructions on using these sample configurations, please see
 http://www.shorewall.net/three-interface.htm
 
     Shorewall Samples
-    Copyright (C) 2006 by the following authors:
+    Copyright (C) 2006-2014 by the following authors:
 	Thomas M. Eastep
 	Paul D. Gear
 	Cristian Rodriguez

Shorewall6/Samples6/three-interfaces/interfaces

@@ -1,6 +1,6 @@
 #
 # Shorewall6 version 4 - Sample Interfaces File for three-interface configuration.
-# Copyright (C) 2006,2008 by the Shorewall Team
+# Copyright (C) 2006-2014by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall6/Samples6/three-interfaces/policy

@@ -1,6 +1,6 @@
 #
 # Shorewall6 Version 4 - Sample Policy File for three-interface configuration.
-# Copyright (C) 2006,2008 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall6/Samples6/three-interfaces/rules

@@ -1,6 +1,6 @@
 #
 # Shorewall6 version 4.0 - Sample Rules File for three-interface configuration.
-# Copyright (C) 2006,2007,2008 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall6/Samples6/three-interfaces/stoppedrules

@@ -1,6 +1,6 @@
 #
 # Shorewall6 version 4.5 Sample Stoppedrules File for three-interface configuration.
-# Copyright (C) 2012 by the Shorewall Team
+# Copyright (C) 2012-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall6/Samples6/three-interfaces/zones

@@ -1,6 +1,6 @@
 #
 # Shorewall6 version 4 - Sample Zones File for three-interface configuration.
-# Copyright (C) 2006,2008 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall6/Samples6/two-interfaces/README.txt

@@ -3,7 +3,7 @@ For instructions on using these sample configurations, please see
 http://www.shorewall.net/two-interface.htm
 
     Shorewall Samples
-    Copyright (C) 2006 by the following authors:
+    Copyright (C) 2006-2014 by the following authors:
 	Thomas M. Eastep
 	Paul D. Gear
 	Cristian Rodriguez

Shorewall6/Samples6/two-interfaces/interfaces

@@ -1,6 +1,6 @@
 #
 # Shorewall6 version 4.0 - Sample Interfaces File for two-interface configuration.
-# Copyright (C) 2006,2008 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall6/Samples6/two-interfaces/policy

@@ -1,6 +1,6 @@
 #
 # Shorewall6 version 4 - Sample Policy File for two-interface configuration.
-# Copyright (C) 2006,2008 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall6/Samples6/two-interfaces/rules

@@ -1,6 +1,6 @@
 #
 # Shorewall6 version 4.0 - Sample Rules File for two-interface configuration.
-# Copyright (C) 2006-2008 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall6/Samples6/two-interfaces/stoppedrules

@@ -1,6 +1,6 @@
 #
 # Shorewall6 version 4.5 Sample Stoppedrules File for two-interface configuration.
-# Copyright (C) 2012 by the Shorewall Team
+# Copyright (C) 2012-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall6/Samples6/two-interfaces/zones

@@ -1,6 +1,6 @@
 #
 # Shorewall6 version 4.0 - Sample Zones File for two-interface configuration.
-# Copyright (C) 2006,2008 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall6/manpages/shorewall6-mangle.xml

@@ -1194,6 +1194,104 @@ Normal-Service       =&gt; 0x00</programlisting>
           of the listed states.</para>
         </listitem>
       </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">TIME</emphasis> -
+        <emphasis>timeelement</emphasis>[&amp;<emphasis>timeelement</emphasis>...]</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.6.2.</para>
+
+          <para>May be used to limit the rule to a particular time period each
+          day, to particular days of the week or month, or to a range defined
+          by dates and times. Requires time match support in your kernel and
+          ip6tables.</para>
+
+          <para><replaceable>timeelement</replaceable> may be:</para>
+
+          <variablelist>
+            <varlistentry>
+              <term>timestart=<replaceable>hh</replaceable>:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]</term>
+
+              <listitem>
+                <para>Defines the starting time of day.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>timestop=<replaceable>hh</replaceable>:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]</term>
+
+              <listitem>
+                <para>Defines the ending time of day.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>utc</term>
+
+              <listitem>
+                <para>Times are expressed in Greenwich Mean Time.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>localtz</term>
+
+              <listitem>
+                <para>Deprecated by the Netfilter team in favor of <emphasis
+                role="bold">kerneltz</emphasis>. Times are expressed in Local
+                Civil Time (default).</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>kerneltz</term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.2. Times are expressed in Local
+                Kernel Time (requires iptables 1.4.12 or later).</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>weekdays=ddd[,ddd]...</term>
+
+              <listitem>
+                <para>where <replaceable>ddd</replaceable> is one of
+                <option>Mon</option>, <option>Tue</option>,
+                <option>Wed</option>, <option>Thu</option>,
+                <option>Fri</option>, <option>Sat</option> or
+                <option>Sun</option></para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>monthdays=dd[,dd],...</term>
+
+              <listitem>
+                <para>where <replaceable>dd</replaceable> is an ordinal day of
+                the month</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>datestart=<replaceable>yyyy</replaceable>[-<replaceable>mm</replaceable>[-<replaceable>dd</replaceable>[<option>T</option><replaceable>hh</replaceable>[:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]]]]]</term>
+
+              <listitem>
+                <para>Defines the starting date and time.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>datestop=<replaceable>yyyy</replaceable>[-<replaceable>mm</replaceable>[-<replaceable>dd</replaceable>[<option>T</option><replaceable>hh</replaceable>[:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]]]]]</term>
+
+              <listitem>
+                <para>Defines the ending date and time.</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+        </listitem>
+      </varlistentry>
     </variablelist>
   </refsect1>
 

Shorewall6/manpages/shorewall6-masq.xml

@@ -116,9 +116,9 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">SOURCE</emphasis> -
-        {<emphasis>interface</emphasis>|<emphasis>address</emphasis>[<emphasis
-        role="bold">,</emphasis><emphasis>address</emphasis>][<emphasis>exclusion</emphasis>]}</term>
+        <term><emphasis role="bold">SOURCE</emphasis> (Optional) -
+        [<emphasis>interface</emphasis>|<emphasis>address</emphasis>[<emphasis
+        role="bold">,</emphasis><emphasis>address</emphasis>][<emphasis>exclusion</emphasis>]]</term>
 
         <listitem>
           <para>Set of hosts that you wish to SNAT; one or more host or

Shorewall6/manpages/shorewall6.xml

@@ -123,7 +123,7 @@
     </cmdsynopsis>
 
     <cmdsynopsis>
-      <command>shorewall</command>
+      <command>shorewall6</command>
 
       <arg
       choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
@@ -166,7 +166,7 @@
     </cmdsynopsis>
 
     <cmdsynopsis>
-      <command>shorewall</command>
+      <command>shorewall6</command>
 
       <arg
       choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
@@ -452,6 +452,20 @@
       <arg choice="opt"><replaceable>filename</replaceable></arg>
     </cmdsynopsis>
 
+    <cmdsynopsis>
+      <command>shorewall6</command>
+
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="opt"><option>show | list | ls </option></arg>
+
+      <arg><option>-x</option></arg>
+
+      <arg choice="plain"><option>{bl|blacklists}</option></arg>
+    </cmdsynopsis>
+
     <cmdsynopsis>
       <command>shorewall6</command>
 
@@ -581,7 +595,8 @@
 
       <arg>-<replaceable>options</replaceable></arg>
 
-      <arg choice="plain"><option>status</option></arg>
+      <arg choice="plain"><arg
+      choice="plain"><option>status</option><arg><option>-i</option></arg></arg></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -1354,6 +1369,19 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><emphasis role="bold">bl|blacklists</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.6.2. Displays the dynamic chain
+                along with any chains produced by entries in
+                shorewall-blrules(5).The <emphasis role="bold">-x</emphasis>
+                option is passed directly through to ip6tables and causes
+                actual packet and byte counts to be displayed. Without this
+                option, those counts are abbreviated.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis role="bold">capabilities</emphasis></term>
 
@@ -1611,6 +1639,10 @@
         <listitem>
           <para>Produces a short report about the state of the
           Shorewall6-configured firewall.</para>
+
+          <para>The <option>-i </option>option was added in Shorewall 4.6.2
+          and causes the status of each optional or provider interface to be
+          displayed.</para>
         </listitem>
       </varlistentry>
 

docs/Anatomy.xml

@@ -504,7 +504,7 @@
     <section id="sbin-lite">
       <title>/sbin</title>
 
-      <para>The <filename>/sbin/shorewall-lite</filename> shell program is use
+      <para>The <filename>/sbin/shorewall-lite</filename> shell program is used
       to interact with Shorewall lite. See <ulink
       url="manpages/shorewall-lite.html">shorewall-lite</ulink>(8).</para>
     </section>

docs/Build.xml

@@ -134,7 +134,7 @@
       <para>Added in Shorewall 4.4.22, this directory contains the files that
       contain release-dependent information (change.txt, releasenotes.txt,
       .spec files, etc). This is actually a symbolic link to ../release which
-      has it's own Git repository.</para>
+      has its own Git repository.</para>
     </section>
   </section>
 

docs/ConnectionRate.xml

@@ -67,7 +67,7 @@
     by 1 but is not allowed to exceed its initial setting (5).</para>
 
     <para>By default, the aggregate connection rate is limited. If the
-    specification is preceeded by "<option>s:</option>" or
+    specification is preceded by "<option>s:</option>" or
     "<option>d:</option>", then the rate is limited per SOURCE or per
     DESTINATION IP address respectively.</para>
 

docs/Events.xml

@@ -35,7 +35,7 @@
   </articleinfo>
 
   <caution>
-    <para>This article applies to Shorewall 4.5.19 and later and supercedes
+    <para>This article applies to Shorewall 4.5.19 and later and supersedes
     <ulink url="PortKnocking.html">this article.</ulink></para>
   </caution>
 
@@ -477,7 +477,7 @@ root@gateway:~# </programlisting>
 
       <para>This example is taken from <ulink
       url="http://www.briandowney.net/blog/2009/08/20/firewalling-brute-force-attempts-with-iptables/">this
-      article</ulink> which explains the nice benifits of this approach. This
+      article</ulink> which explains the nice benefits of this approach. This
       example is for ssh, but it can be adapted for any application.</para>
 
       <para>The name SSH has been changed to SSHLIMIT so as not to override
@@ -701,5 +701,87 @@ ResetEvent(SSH,DROP:info)        </programlisting>
 #                                                         PORT(S)
 Knock                 net            $FW       tcp        22,1599-1601          </programlisting>
     </section>
+
+    <section id="Stateful">
+      <title>Stateful Port Knocking (knock with a sequence of ports)</title>
+
+      <para>Gerhard Wiesinger has contributed a Perl module that allows you to
+      define portknocking sequences. Download <ulink
+      url="pub/shorewall/contrib/PortKnocking/KnockEnhanced.pm">the
+      module</ulink> and copy it into your site_perl directory.</para>
+
+      <para>Using Gerhard's module, a port-knocking rule is defined via a
+      '?PERL' statement. This example opens the SSH port from net-&gt;fw using
+      the knock sequence 52245, 15623, 19845:</para>
+
+      <programlisting>?BEGIN PERL
+use KnockEnhanced;
+KnockEnhanced 'net', '$FW', {name =&gt; 'SSH1', log_level =&gt; 3, proto =&gt; 'tcp', target =&gt; 'ssh', knocker =&gt; [52245,15623,19845]};
+?END PERL</programlisting>
+
+      <para>A few notes on the parameters:</para>
+
+      <itemizedlist>
+        <listitem>
+          <para>The first parameter is the rule SOURCE</para>
+        </listitem>
+
+        <listitem>
+          <para>The second parameter is the rule DEST</para>
+        </listitem>
+
+        <listitem>
+          <para>The third parameter is a Perl hash reference that defines the
+          remaining parameters. Each parameter is specified via
+          <replaceable>param</replaceable> =&gt;
+          <replaceable>value</replaceable>.</para>
+
+          <itemizedlist>
+            <listitem>
+              <para><emphasis role="bold">proto</emphasis> is the protocol --
+              if not specified, the default is tcp</para>
+            </listitem>
+
+            <listitem>
+              <para><emphasis role="bold">seconds</emphasis> is the timeout
+              between successive events -- default is 60 seconds.</para>
+            </listitem>
+
+            <listitem>
+              <para><emphasis role="bold">original_dest</emphasis> is the rule
+              ORIGINAL DEST</para>
+            </listitem>
+
+            <listitem>
+              <para><emphasis role="bold">target</emphasis> is the port(s)
+              that you are trying to open. May either be a single name or
+              number, or it may be a list of names and/or numbers separated by
+              commas and enclosed in square brackets ("[...]").</para>
+            </listitem>
+
+            <listitem>
+              <para><emphasis role="bold">name</emphasis> is a name used as
+              the base for event and chain names. If not supplied, the first
+              <emphasis role="bold">target</emphasis> is used, in which case
+              the first target must be a port name.</para>
+            </listitem>
+
+            <listitem>
+              <para><emphasis role="bold">log_level </emphasis>specifies
+              logging for the generated rules</para>
+            </listitem>
+          </itemizedlist>
+
+          <note>
+            <para>Port names and numbers may be optionally followed by a colon
+            (":") and a protocol name or number to override the specified
+            protocol.</para>
+          </note>
+        </listitem>
+      </itemizedlist>
+
+      <para>The module itself contains additional examples of its
+      usage.</para>
+    </section>
   </section>
 </article>

docs/FAQ.xml

@@ -20,7 +20,7 @@
     <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
 
     <copyright>
-      <year>2001-2013</year>
+      <year>2001-2014</year>
 
       <holder>Thomas M. Eastep</holder>
     </copyright>
@@ -2304,6 +2304,15 @@ gateway:~# </programlisting>
         </listitem>
       </orderedlist>
     </section>
+
+    <section id="faq103">
+      <title>(FAQ 103) Shorewall fails to start at boot but will start
+      immediately after</title>
+
+      <para>Answer: This is usually associated with SELinux. <ulink
+      url="https://lists.fedoraproject.org/pipermail/selinux/2010-June/012680.html">Here</ulink>
+      is an example.</para>
+    </section>
   </section>
 
   <section id="MultiISP">

docs/IPSEC-2.6.xml

@@ -59,7 +59,7 @@
 
   <important>
     <para><emphasis role="bold">Shorewall does not configure IPSEC for
-    you</emphasis> -- it rather configures netfilter to accomodate your IPSEC
+    you</emphasis> -- it rather configures netfilter to accommodate your IPSEC
     configuration.</para>
   </important>
 
@@ -139,7 +139,7 @@
     and zones was made easy by the presence of IPSEC pseudo-interfaces with
     names of the form <filename class="devicefile">ipsecN</filename> (e.g.
     <filename class="devicefile">ipsec0</filename>). Outgoing unencrypted
-    traffic (case 1.) was send through an <filename
+    traffic (case 1.) was sent through an <filename
     class="devicefile">ipsecN</filename> device while incoming unencrypted
     traffic (case 2) arrived from an <filename
     class="devicefile">ipsecN</filename> device. The 2.6 kernel-based

docs/IPSEC.xml

@@ -200,12 +200,12 @@ vpn          eth0:192.168.1.0/24</programlisting>
 
       <para>/etc/shorewall/masq - System A</para>
 
-      <programlisting>#INTERFACE            SUBNET                ADDRESS
+      <programlisting>#INTERFACE            SOURCE                ADDRESS
 eth0:!10.0.0.0/8      192.168.1.0/24</programlisting>
 
       <para>/etc/shorewall/masq - System B</para>
 
-      <programlisting>#INTERFACE            SUBNET                ADDRESS
+      <programlisting>#INTERFACE            SOURCE                ADDRESS
 eth0:!192.168.1.0/24  10.0.0.0/8</programlisting>
     </blockquote>
 
@@ -425,8 +425,8 @@ ipsec       net        0.0.0.0/0       vpn1,vpn2,vpn3</programlisting>
     Shorewall will issue warnings to that effect. These warnings may be safely
     ignored. FreeS/Wan may now be configured to have three different Road
     Warrior connections with the choice of connection being based on X-509
-    certificates or some other means. Each of these connections will utilize
-    a different updown script that adds the remote station to the appropriate
+    certificates or some other means. Each of these connections will utilize a
+    different updown script that adds the remote station to the appropriate
     zone when the connection comes up and that deletes the remote station when
     the connection comes down. For example, when 134.28.54.2 connects for the
     vpn2 zone the <quote>up</quote> part of the script will issue the

docs/Install.xml

@@ -147,7 +147,7 @@
       <emphasis role="bold">Shorewall-core</emphasis> 4.5.2 or later, a
       shorewallrc file named ${HOME}/.shorewallrc will be installed. That file
       will provide the default parameters for installing other Shorewall
-      components of the same or later verion.</para>
+      components of the same or later version.</para>
 
       <para>Note that <emphasis role="bold">you must install Shorewall-core
       before installing any other Shorewall package</emphasis>.</para>
@@ -730,7 +730,7 @@
 
           <programlisting><command>./install.sh -s</command></programlisting>
 
-          <para>The <emphasis role="bold">-s</emphasis> option supresses
+          <para>The <emphasis role="bold">-s</emphasis> option suppresses
           installation of all files in <filename
           class="directory">/etc/shorewall</filename> except
           <filename>shorewall.conf</filename>. You can copy any other files

docs/KVM.xml

@@ -66,7 +66,7 @@
   <section>
     <title>Networking Configuration</title>
 
-    <para>I use a network configuration where each VM has it's own VNET and
+    <para>I use a network configuration where each VM has its own VNET and
     tap device and the tap devices are all configured as ports on a Linux
     Bridge. For clarity, I've only shown four of the virtual machines
     available on the system.</para>

docs/Manpages.xml

@@ -89,7 +89,7 @@
         Define MAC verification.</member>
 
         <member><ulink url="manpages/shorewall-mangle.html">mangle</ulink> -
-        Supercedes tcrules and describes packet/connection marking.</member>
+        Supersedes tcrules and describes packet/connection marking.</member>
 
         <member><ulink url="manpages/shorewall-masq.html">masq</ulink> -
         Define Masquerade/SNAT</member>
@@ -168,7 +168,7 @@
         state (added in Shorewall 4.5.8).</member>
 
         <member><ulink url="manpages/shorewall-tcrules.html">tcrules</ulink> -
-        Define packet marking rules, usually for traffic shaping. Superceded
+        Define packet marking rules, usually for traffic shaping. Superseded
         by mangle (above) in Shorewall 4.6.0.</member>
 
         <member><ulink url="manpages/shorewall-tos.html">tos</ulink> - Define

docs/Manpages6.xml

@@ -79,7 +79,7 @@
         - Define MAC verification.</member>
 
         <member><ulink url="manpages6/shorewall6-mangle.html">mangle</ulink> -
-        Supercedes tcrules and describes packet/connection marking.</member>
+        Supersedes tcrules and describes packet/connection marking.</member>
 
         <member><ulink url="manpages6/shorewall6-masq.html">masq</ulink> -
         Define Masquerade/SNAT</member>
@@ -149,7 +149,7 @@
         Classify traffic for simplified traffic shaping.</member>
 
         <member><ulink url="manpages6/shorewall6-tcrules.html">tcrules</ulink>
-        - Define packet marking rules, usually for traffic shaping. Superceded
+        - Define packet marking rules, usually for traffic shaping. Superseded
         by mangle (above) in Shorewall 4.6.0.</member>
 
         <member><ulink url="manpages6/shorewall6-tos.html">tos</ulink> -

docs/ManualChains.xml

@@ -201,11 +201,11 @@ SSHKnock         net               $FW            tcp         22,1599,1600,1601
 
     <para>becomes:<programlisting>PERL Knock 'net', '$FW', {target =&gt; 22, knocker =&gt; 1600, trap =&gt; [1599, 1601]};</programlisting>Similarly<programlisting>#ACTION          SOURCE            DEST            PROTO       DEST PORT(S)  SOURCE      ORIGINAL
 #                                                                            PORT(S)     DEST
-DNAT-            net               loc:192.168.1.5 tcp         22            -           206.124.146.178
+DNAT-            net               192.168.1.5 tcp             22            -           206.124.146.178
 SSHKnock         net               $FW             tcp         1599,1600,1601
 SSHKnock         net               loc:192.168.1.5 tcp         22            -           206.124.146.178</programlisting>becomes:<programlisting>#ACTION          SOURCE            DEST            PROTO       DEST PORT(S)  SOURCE      ORIGINAL
 #                                                                            PORT(S)     DEST
-DNAT-            net               loc:192.168.1.5 tcp         22            -           206.124.146.178
+DNAT-            net               192.168.1.5 tcp             22            -           206.124.146.178
 
 PERL Knock 'net', '$FW', {name =&gt; 'SSH', knocker =&gt; 1600, trap =&gt; [1599, 1601]};
 PERL Knock 'net', 'loc:192.168.1.5', {name =&gt; 'SSH', target =&gt; 22, original_dest =&gt; '206.124.136.178'};</programlisting></para>

docs/MultiISP.xml

@@ -155,7 +155,7 @@
       Shorewall can set up the correct marking rules for you.</para>
 
       <important>
-        <para><filename>/etc/shorewall/mangle</filename> superceded
+        <para><filename>/etc/shorewall/mangle</filename> superseded
         <filename>/etc/shorewall/tcrules</filename> in Shorewall 4.6.0.</para>
       </important>
 
@@ -750,8 +750,10 @@ eth1             0.0.0.0/0            130.252.99.27</programlisting>
       <title>Martians</title>
 
       <para>One problem that often arises with Multi-ISP configuration is
-      'Martians'. If your Internet interfaces are configured with the
-      <emphasis role="bold">routefilter</emphasis> option in
+      'Martians'. If you set ROUTE_FILTER=Yes in
+      <filename>/etc/shorewall/shorewall.conf</filename> or if your Internet
+      interfaces are configured with the <emphasis
+      role="bold">routefilter</emphasis> option in
       <filename>/etc/shorewall/interfaces</filename> (remember that if you set
       that option, you should also select <emphasis
       role="bold">logmartians</emphasis>), then things may not work correctly
@@ -810,6 +812,18 @@ DROP:info        net:192.168.1.0/24         all</programlisting>
 
       <para>Be sure the above rule is added before any other rules with
       <emphasis>net</emphasis> in the SOURCE column.</para>
+
+      <important>
+        <para>If you set ROUTE_FILTER=Yes in
+        <filename>/etc/shorewall/shorewall.conf</filename>, then setting
+        <emphasis role="bold">routefilter</emphasis>=0 in <ulink
+        url="manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>
+        (5) will not disable route filtering on a given interface. You must
+        set ROUTE_FILTER=No in <ulink
+        url="manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>
+        (5), then set the <emphasis role="bold">routefilter</emphasis> option
+        on those interfaces on which you want route filtering.</para>
+      </important>
     </section>
 
     <section id="Example1">

docs/MyNetwork.xml

@@ -171,7 +171,7 @@
   <section>
     <title>Shorewall Configuration</title>
 
-    <para>This section contains exerpts from the Shorewall
+    <para>This section contains excerpts from the Shorewall
     configuration.</para>
 
     <para>It is important to keep in mind that parts of my configuration are

docs/OPENVPN.xml

@@ -603,7 +603,7 @@ net    COM_IF     detect    dhcp,blacklist,optional,routefilter=0,logmartians,pr
 6to4                    net
 <emphasis role="bold">6to4                    vpn</emphasis></programlisting>
 
-      <para>Similarly, here are exerpts from the Shorewall6
+      <para>Similarly, here are excerpts from the Shorewall6
       configuration.</para>
 
       <para><filename>/etc/shorewall6/zones</filename>:</para>

docs/OpenVZ.xml

@@ -452,7 +452,7 @@ NAME="server"</emphasis></programlisting>
     <section>
       <title>Shorewall Configuration on the Host</title>
 
-      <para>Below are exerpts from the configuration files as they pertain to
+      <para>Below are excerpts from the configuration files as they pertain to
       the OpenVZ environment.</para>
 
       <para><filename>/etc/shorewall/zones</filename>:</para>
@@ -762,7 +762,7 @@ NAME="server"
     <section>
       <title>Shorewall Configuration on the Host</title>
 
-      <para>Below are exerpts from the configuration files as they pertain to
+      <para>Below are excerpts from the configuration files as they pertain to
       the OpenVZ environment. Again, bold font indicates change from the prior
       configuration.</para>
 

docs/PacketMarking.xml

@@ -44,7 +44,7 @@
   </caution>
 
   <important>
-    <para>/etc/shorewall/mangle superceded /etc/shorewall/tcruels in Shorewall
+    <para>/etc/shorewall/mangle superseded /etc/shorewall/tcruels in Shorewall
     4.6.0. /etc/shorwall/tcrules is still supported but its use is
     deprecated.</para>
   </important>

docs/PortKnocking.xml

@@ -41,7 +41,7 @@
   </articleinfo>
 
   <note>
-    <para>The techniques described in this article were superceded in
+    <para>The techniques described in this article were superseded in
     Shorewall 4.5.19 with the introduction of Shorewall Events.</para>
   </note>
 
@@ -148,7 +148,7 @@ SSHKnock:info    net               $FW            tcp         22,1599,1600,1601<
 
         <programlisting>#ACTION          SOURCE            DEST            PROTO       DEST PORT(S)  SOURCE      ORIGINAL
 #                                                                            PORT(S)     DEST
-DNAT-            net               loc:192.168.1.5 tcp         22            -           206.124.146.178
+DNAT-            net               192.168.1.5     tcp         22            -           206.124.146.178
 SSHKnock         net               $FW             tcp         1599,1600,1601
 SSHKnock         net               loc:192.168.1.5 tcp         22            -           206.124.146.178</programlisting>
 

docs/Shorewall-4.xml

@@ -147,16 +147,16 @@
   </section>
 
   <section>
-    <title>Shorewall 4.5</title>
+    <title>Shorewall 4.5/4.6</title>
 
-    <para>Shorewall 4.5 adds an additional <emphasis
+    <para>Shorewall 4.5 added an additional <emphasis
     role="bold">Shorewall-core</emphasis> package. This package contains the
     core Shorewall shell libraries that are required by the other
     packages.</para>
   </section>
 
   <section id="Prereqs">
-    <title>Prerequisites for using the Shorewall Version 4.2/4.4/4.5
+    <title>Prerequisites for using the Shorewall Version 4.2/4.4/4.5/4.6
     Perl-based Compiler</title>
 
     <itemizedlist>

docs/SplitDNS.xml

@@ -167,7 +167,7 @@ linksys.shorewall.net has address 172.20.1.1
 teastep@tipper:~$ </programlisting></para>
 
     <para>As a bonus, dnsmasq can also act as a DHCP server. Here are some
-    exerpts from the corresponding /etc/dnsmasq.conf:</para>
+    excerpts from the corresponding /etc/dnsmasq.conf:</para>
 
     <programlisting>interface=eth1
 

docs/XenMyWay-Routed.xml

@@ -376,7 +376,7 @@ bootentry = 'hda2:/boot/vmlinuz-xen,/boot/initrd-xen'
       has an RFC 1918 address (192.168.1.7). That configuration is established
       by Xen which clones the primary IP address of eth0 on all of the routed
       virtual interfaces that it creates. <emphasis
-      role="bold">test</emphasis> is configured with it's default route via
+      role="bold">test</emphasis> is configured with its default route via
       192.168.1.254 which is the IP address of the firewall's br0. That works
       because of the way that the Linux network stack treats local IPv4
       addresses; by default, it will respond to ARP "who-has" broadcasts for
@@ -624,7 +624,7 @@ $EXT_IF:192.168.99.1    192.168.98.1    192.168.1.98
 
 COMMENT Masquerade Local Network
 
-$EXT_IF                 $INT_IF 206.124.146.179
+$EXT_IF                 192.168.1.0/24  206.124.146.179
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
 
         <para><filename>/etc/shorewall/proxyarp</filename>:</para>

docs/configuration_file_basics.xml

@@ -110,7 +110,7 @@
         </listitem>
 
         <listitem>
-          <para><filename>/etc/shorewall/mangle</filename> - supercedes
+          <para><filename>/etc/shorewall/mangle</filename> - supersedes
           <filename>/etc/shorewall/tcrules</filename> in Shorewall 4.6.0.
           Contains rules for packet marking, TTL, TPROXY, etc.</para>
         </listitem>
@@ -140,7 +140,7 @@
           <para><filename>/etc/shorewall/tcrules </filename>- The file has a
           rather unfortunate name because it is used to define marking of
           packets for later use by both traffic control/shaping and policy
-          routing. This file is superceded by
+          routing. This file is superseded by
           <filename>/etc/shorewall/mangle</filename> in Shorewall
           4.6.0.</para>
         </listitem>
@@ -288,7 +288,7 @@
 
         <listitem>
           <para><filename>/etc/shorewall/mangle</filename> -- Added in
-          Shorewall 4.6.0. Supercedes<filename>
+          Shorewall 4.6.0. Supersedes<filename>
           /etc/shorewall/tcrules</filename>.</para>
         </listitem>
       </itemizedlist></para>
@@ -1168,7 +1168,7 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting
       <para>Beginning with Shorewall 4.5.2, in files other than
       <filename>/etc/shorewall/params</filename> and
       <filename>/etc/shorewall/conf</filename>, INCLUDE may be immediately
-      preceeded with '?' to signal that the line is a compiler directive and
+      preceded with '?' to signal that the line is a compiler directive and
       not configuration data.</para>
 
       <para>Example:</para>
@@ -1483,7 +1483,7 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting
         <programlisting>EXT_IP=$(ssh root@firewall "/sbin/shorewall-lite call find_first_interface_address eth0")</programlisting>
 
         <para>The <command>shorewall-lite call</command> command allows you to
-        to call interactively any Shorewall function that you can call in an
+        call interactively any Shorewall function that you can call in an
         extension script.</para>
 
         <note>
@@ -2150,7 +2150,7 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting
 ACCEPT loc fw tcp 22
 ACCEPT dmz fw tcp 22</programlisting></para>
 
-    <para>Perl scripts run in the context of of the compiler process using
+    <para>Perl scripts run in the context of the compiler process using
     Perl's eval() function. Perl scripts are implicitly prefixed by the
     following:</para>
 
@@ -2370,7 +2370,7 @@ POP(ACCEPT)     loc                  net:pop.gmail.com</programlisting>
     192.168.1.4</quote>. There must be no white space following the
     <quote>!</quote>.</para>
 
-    <para>Similarly, in columns that specify an IP protocol, you can preceed
+    <para>Similarly, in columns that specify an IP protocol, you can precede
     the protocol name or number by "!". For example, !tcp means "any protocol
     except tcp".</para>
 

docs/ipsets.xml

@@ -130,7 +130,7 @@ ACCEPT       net:+sshok  $FW      tcp      22</programlisting></para>
 
     <para>Beginning with Shorewall 4.4.14, multiple source or destination
     matches may be specified by placing multiple set names in '+[...]' (e.g.,
-    +[myset,myotherset]). When so inclosed, the set names need not be prefixed
+    +[myset,myotherset]). When so enclosed, the set names need not be prefixed
     with a plus sign.</para>
 
     <para>Shorewall can save/restore your ipset contents with certain

docs/traffic_shaping.xml

@@ -818,7 +818,7 @@ ppp0           6000kbit         500kbit</programlisting>
               SFQ. See tc-fq_codel (8) for additional information.</para>
 
               <para>See <ulink
-              url="manpages/shorewall-tcdevices.html">shorewall-tcdevices</ulink>
+              url="manpages/shorewall-tcclasses.html">shorewall-tcclasses</ulink>
               (5) for a description of the allowable
               <replaceable>codloptions</replaceable>.</para>
             </listitem>
@@ -908,7 +908,7 @@ ppp0           6000kbit         500kbit</programlisting>
       qualifier (see below).</emphasis></para>
 
       <para>See shorewall-mangle(5) and shorewall-tcrules(5) for a description
-      of the entries in these files. Note that the mangle file superceded the
+      of the entries in these files. Note that the mangle file superseded the
       tcrules file in Shorewall 4.6.0.</para>
 
       <para>The following examples are for the mangle file.</para>