Compare commits


86 Commits

Author SHA1 Message Date
Tom Eastep
96102623ee Apply Thomas D's patch for SAVE_IPSET in the debian shorewall-init script
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2014-08-14 09:49:18 -07:00
Tom Eastep
aa6bd2819c Update the Build document
- Add build46
- Mention shorewall-pkg.config

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2014-08-14 08:03:31 -07:00
Tom Eastep
aedd9b5a76 Add 'wildcard' member to the interface table
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2014-08-11 08:30:44 -07:00
Tom Eastep
cf33bac318 Revert most of last change
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2014-08-10 12:15:08 -07:00
Tom Eastep
0005bb697b Describe a way to improve provider selection from the firewall
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2014-08-10 09:50:21 -07:00
Tom Eastep
c5549ff21e Update the Configuration File Basics document
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2014-08-10 08:09:31 -07:00
Tom Eastep
427f38109e Some cosmetic cleanup
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2014-08-10 07:20:23 -07:00
Tom Eastep
0e1a1a3f44 Modify the preceding fix to work with wildcard interfaces
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2014-08-08 10:34:29 -07:00
Tom Eastep
b6161b8be7 Merge branch '4.6.2' 2014-08-08 08:30:04 -07:00
Tom Eastep
d3209ca624 Correct handling of a physical name in the provider INTERFACE column
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2014-08-08 08:15:26 -07:00
Tom Eastep
34ecbb9074 Correct Cygwin64 detection in the Shorewall installer
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2014-08-07 07:17:34 -07:00
Tom Eastep
beb70854ef Correct Cygwin64 detection in the Shorewall installer
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2014-08-07 06:40:34 -07:00
Tom Eastep
7030fad572 Revert "Install the core components along with Shorewall"
This reverts commit c653a04a43.
2014-08-07 06:36:23 -07:00
Tom Eastep
c653a04a43 Install the core components along with Shorewall
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2014-08-06 12:59:12 -07:00
Tom Eastep
5ef5aa8cdb Allow inline matches in an action file
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2014-08-05 07:34:24 -07:00
Tom Eastep
0ca12bd86f Correct syntax error caused by replacing '%%' with '??'
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2014-08-03 15:29:58 -07:00
Tom Eastep
a2f1c57246 Add DNSAmp action
- Allow escaping '@' allowing u32 in action body
- Allow inline matches in actions

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2014-08-03 15:11:25 -07:00
Tom Eastep
fd42fa9f74 Make 'detect_configuration' work in the 'run' command
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2014-08-01 07:34:40 -07:00
Tom Eastep
e49832f4b5 Run the 'init' script in the 'run' command.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2014-07-30 10:25:00 -07:00
Tom Eastep
0bf80c15d8 Detect missing <command> in the generated script
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2014-07-29 11:35:32 -07:00
Tom Eastep
4e9a0b989d Update 'run' help text
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2014-07-29 10:46:28 -07:00
Tom Eastep
31e5aeeaea Refine the 'run' command
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2014-07-29 10:30:07 -07:00
Tom Eastep
eb5026d3b7 Merge branch '4.6.2' 2014-07-28 14:47:23 -07:00
Tom Eastep
a799d74901 Correct typo and link in the shorewall-mangle manpage
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2014-07-28 08:39:07 -07:00
Tom Eastep
7a41981487 Bring the -lite manpages up to date
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2014-07-28 08:31:43 -07:00
Tom Eastep
aae23d7a9e Bring the -lite manpages up to date
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2014-07-28 08:31:20 -07:00
Tom Eastep
a7b18ca875 Implement 'run' command
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2014-07-28 07:04:56 -07:00
Tom Eastep
ad6c91bcbd Allow optimize level 8 to work with Perl 5.20.0.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2014-07-25 21:03:48 -07:00
Tom Eastep
8c0fe063a7 Another tweak to the FTP module documentation
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2014-07-25 09:03:23 -07:00
Tom Eastep
dbf78d7dd0 Merge branch '4.6.2' 2014-07-25 09:02:48 -07:00
Tom Eastep
bea2b49eb0 More FTP module documentation
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2014-07-25 08:38:46 -07:00
Tom Eastep
3b4012b60a Document FTP helpers on kernel 3.5 and later in the FTP document
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2014-07-25 08:15:58 -07:00
Tom Eastep
21209504c5 Correct example from preceding commit
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2014-07-23 10:47:11 -07:00
Tom Eastep
44a34ceb95 Add complex port-forwarding example to the aliased interfaces article
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2014-07-23 10:36:34 -07:00
Tom Eastep
848078873d Update tcfilters manpages to mention BASIC_FILTERS=Yes
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2014-07-22 07:19:10 -07:00
Tom Eastep
3e6f57e699 Correct link in the Multi-ISP document
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2014-07-21 14:33:59 -07:00
Tom Eastep
461f7b10ba Detect Arptables JF capability when LOAD_HELPERS_ONLY = No.
- Move detection of Header Match to its proper ordinal.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2014-07-20 07:19:02 -07:00
Tom Eastep
2c9eda9cee Add some white space for readability
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2014-07-19 18:33:02 -07:00
Tom Eastep
64fc3d2e43 Correct a typo that caused ipset counter match to be mis-detected
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2014-07-19 10:27:29 -07:00
Tom Eastep
d0aed87546 Correct IPV6 ipset capabilities checking on 3.14 kernels
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2014-07-19 10:25:46 -07:00
Tom Eastep
56fa6bd78a Revert "Correct ipset detection on later kernels."
This reverts commit b207f64a85.
2014-07-19 10:22:12 -07:00
Tom Eastep
b207f64a85 Correct ipset detection on later kernels.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2014-07-19 08:55:02 -07:00
Tom Eastep
9f381209d5 Detect HEADER_MATCH when LOAD_MODULES_ONLY=No
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2014-07-19 07:20:28 -07:00
Tom Eastep
29e6bc9379 Merge branch '4.6.2' of ssh://server.shorewall.net/home/teastep/shorewall/code into 4.6.2 2014-07-18 15:15:33 -07:00
Tom Eastep
4b3196b959 Add refmiscinfo to the shorewall-tcrules manpage
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2014-07-18 13:49:30 -07:00
Tom Eastep
6771dc54ad Streamline some code from the last commit
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2014-07-18 12:58:49 -07:00
Tom Eastep
ba69708092 Merge branch '4.6.2' of ssh://server.shorewall.net/home/teastep/shorewall/code into 4.6.2 2014-07-18 08:45:06 -07:00
Tom Eastep
417bd0138e Correct two problems with tcrules processing:
- SAVE and RESTORE didn't work
- '|' and '&' were ignored

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2014-07-18 08:32:22 -07:00
Tom Eastep
a1cc4847c7 Merge branch 'master' of ssh://server.shorewall.net/home/teastep/shorewall/code 2014-07-16 15:40:25 -07:00
Tom Eastep
0ec4cfd18d Fix incorrect link in the complex TC document.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2014-07-16 15:39:37 -07:00
Tom Eastep
d5ea667c61 Merge branch 'master' of ssh://server.shorewall.net/home/teastep/shorewall/code 2014-07-13 07:55:56 -07:00
Tom Eastep
3e6e0b4a09 Amplify the route filtering problem in the multi-ISP document.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2014-07-13 07:45:51 -07:00
Tom Eastep
a97e2fd3d9 Update manpages regarding 'status -i'
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2014-07-12 19:37:05 -07:00
Tom Eastep
53dda803e2 More Cygwin64 changes
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2014-07-09 11:28:45 -07:00
Tom Eastep
cc935009ce Correct install problems under Cygwin
- configure.pl doesn't understand CYGWIN return from uname
- shorewall-core install.sh doesn't understand CYGWIN return from uname
- shorewall install.sh generates 'mkdir -p //etc/shorewall' which is
  broken under Cygwin

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2014-07-09 10:48:03 -07:00
Tom Eastep
a0ab9f6ab2 Update FAQ copyright
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2014-07-08 07:45:34 -07:00
Tom Eastep
a7856e4dd6 Update another copyright
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2014-07-06 15:11:16 -07:00
Tom Eastep
4a4cea46c0 Update copyrights in the Sample files
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2014-07-06 13:44:34 -07:00
Tom Eastep
cf626b58da Merge branch 'master' of ssh://server.shorewall.net/home/teastep/shorewall/code 2014-07-06 09:55:21 -07:00
Tom Eastep
2ed523101c Allow specification of the MAC address of a gateway
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2014-07-06 09:54:53 -07:00
Tom Eastep
c72265667f Add FAQ 103
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2014-07-06 08:51:42 -07:00
Tom Eastep
77513da27e Merge branch 'master' of ssh://server.shorewall.net/home/teastep/shorewall/code 2014-07-04 08:17:48 -07:00
Tom Eastep
c663a14c4d Correct TIME column handling in IPv6
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2014-07-04 08:17:19 -07:00
Tom Eastep
c17a196838 Merge branch 'master' of ssh://server.shorewall.net/home/teastep/shorewall/code 2014-07-04 08:02:29 -07:00
Tom Eastep
8bfff55ed2 Add a TIME column to the mangle file
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2014-07-04 08:01:14 -07:00
Tom Eastep
7184c9aa58 Merge branch 'master' of ssh://server.shorewall.net/home/teastep/shorewall/code 2014-07-02 21:45:34 -07:00
Tom Eastep
b1a6ec7f03 Merge branch '4.6.1' 2014-07-02 21:41:27 -07:00
Tom Eastep
9f71791919 Merge branch '4.6.1' of ssh://server.shorewall.net/home/teastep/shorewall/code into 4.6.1 2014-07-02 16:44:32 -07:00
Tom Eastep
b8777c0fd5 Merge branch '4.6.1' of ssh://server.shorewall.net/home/teastep/shorewall/code 2014-07-02 12:47:07 -07:00
Tom Eastep
cad8443e01 Allow SAVE/RESTORE rules in the OUTPUT chain
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2014-07-02 12:38:02 -07:00
Tom Eastep
2ad81f1a81 Apply Thibaut Chèze's patch for DSCP names
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2014-07-02 12:37:50 -07:00
Tom Eastep
166e1a3df9 Allow SAVE/RESTORE rules in the OUTPUT chain
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2014-07-01 06:54:54 -07:00
Tom Eastep
84437ea689 Apply Thibaut Chèze's patch for DSCP names
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2014-07-01 06:52:58 -07:00
Tom Eastep
20a567fea7 Merge branch 'master' of ssh://git.code.sf.net/p/shorewall/code 2014-07-01 06:43:36 -07:00
Tom Eastep
7082bf1971 Update Events.xml with stateful knocking example/description
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2014-07-01 06:43:20 -07:00
Tuomo Soini
87b5751a49 macro.IPMI: add missing ports from Asus, Supermicro, and Dell documentation
Signed-off-by: Tuomo Soini <tis@foobar.fi>
2014-07-01 13:14:01 +03:00
Tuomo Soini
49aada0f9c macro.ILO: add support for HP Integrated Lights-Out
Signed-off-by: Tuomo Soini <tis@foobar.fi>
2014-07-01 12:25:26 +03:00
Tom Eastep
2701b0a756 Correct number of columns in split_line2() calls.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2014-06-25 08:22:09 -07:00
Tom Eastep
380a159c8c Merge branch 'master' of ssh://server.shorewall.net/home/teastep/shorewall/code 2014-06-25 07:32:23 -07:00
Tom Eastep
80c09c4747 Merge branch '4.6.1' 2014-06-25 07:31:36 -07:00
Tom Eastep
0b1dda2a31 Allow INLINE_MATCHES=Yes and AUTOHELPERS=No to work correctly.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2014-06-20 07:00:06 -07:00
Tom Eastep
50736fb8ae Correct last patch (s/-i/-x/)
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2014-06-18 15:38:11 -07:00
Tom Eastep
a2e514c0ab Add the -i option to the 'show bl' help text
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2014-06-18 15:35:49 -07:00
Tom Eastep
7b0cf2b665 Add 'show bl' to the usage output
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2014-06-18 15:16:07 -07:00
Tom Eastep
6ad9b95351 Implement 'show bl'
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2014-06-18 13:27:25 -07:00
Tom Eastep
ac4bf15606 Implement 'status -i'
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2014-06-18 11:07:37 -07:00
75 changed files with 1338 additions and 337 deletions

View File

@@ -100,7 +100,7 @@ if ( defined $vendor ) {
} elsif ( `uname` =~ '^Darwin' ) { } elsif ( `uname` =~ '^Darwin' ) {
$vendor = 'apple'; $vendor = 'apple';
$rcfilename = 'shorewallrc.apple'; $rcfilename = 'shorewallrc.apple';
} elsif ( `uname` =~ '^Cygwin' ) { } elsif ( `uname` =~ /^Cygwin/i ) {
$vendor = 'cygwin'; $vendor = 'cygwin';
$rcfilename = 'shorewallrc.cygwin'; $rcfilename = 'shorewallrc.cygwin';
} else { } else {
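Review bot: the Cygwin branch now uses a real regex literal with /i, but the Darwin branch two lines above still compares with the quoted string '^Darwin'; Perl does treat a string on the right of =~ as a pattern, so it works, yet writing both as `/^Darwin/` and `/^Cygwin/i` would be consistent and avoids the quoting confusion the Cygwin line just fixed. Each branch also re-runs `uname`; capturing it once into a variable before the elsif chain avoids the repeated forks and makes the match target explicit.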

View File

@@ -187,7 +187,7 @@ INSTALLD='-D'
if [ -z "$BUILD" ]; then if [ -z "$BUILD" ]; then
case $(uname) in case $(uname) in
cygwin*) cygwin*|CYGWIN*)
BUILD=cygwin BUILD=cygwin
;; ;;
Darwin) Darwin)
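Review bot: `uname` on Cygwin reports `CYGWIN_NT-...`, so of the two alternatives in `cygwin*|CYGWIN*)` only the uppercase one can match the output of `$(uname)`; the lowercase pattern looks historical. Either drop it or add a one-line comment saying why both are kept, so the next reader does not wonder whether some platform reports lowercase.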

View File

@@ -271,6 +271,19 @@ show_classifiers() {
} }
#
# Display blacklist chains
#
show_bl() {
$g_tool -L $g_ipt_options | \
awk 'BEGIN {prnt=0; };
/^$/ {if (prnt == 1) print ""; prnt=0; };
/Chain .*~ / {prnt=1; };
/Chain dynamic / {prnt=1; };
{if (prnt == 1) print; };
END {if (prnt == 1 ) print "" };'
}
# #
# Watch the Firewall Log # Watch the Firewall Log
# #
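Review bot: show_bl selects chains from the `$g_tool -L` output purely by name pattern (`Chain .*~ ` and `Chain dynamic `), so any user chain whose name happens to contain `~` is shown as a blacklist chain and a blacklist chain without `~` would be missed; a comment stating that blrules-generated chains carry `~` in their names would document the assumption. Also, unless `$g_ipt_options` already includes `-n`, a plain `-L` performs a reverse DNS lookup for every address in those chains, which makes the listing slow on a firewall holding many blacklisted hosts.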
@@ -1189,7 +1202,13 @@ show_command() {
echo "$g_product $SHOREWALL_VERSION events at $g_hostname - $(date)" echo "$g_product $SHOREWALL_VERSION events at $g_hostname - $(date)"
echo echo
show_events show_events
;; ;;
bl|blacklists)
[ $# -gt 1 ] && usage 1
echo "$g_product $SHOREWALL_VERSION blacklist chains at $g_hostname - $(date)"
echo
show_bl;
;;
*) *)
case "$g_program" in case "$g_program" in
*-lite) *-lite)
@@ -2952,9 +2971,74 @@ show_status() {
} }
interface_status() {
case $(cat $1) in
0)
echo Enabled
;;
1)
echo Disabled
;;
*)
echo Unknown
;;
esac
}
show_interfaces() {
local f
local interface
local printed
for f in ${VARDIR}/*.status; do
interface=$(basename $f)
echo " Interface ${interface%.status} is $(interface_status $f)"
printed=Yes
done
[ -n "$printed" ] && echo
}
status_command() { status_command() {
local finished
finished=0
local option
local interfaces
while [ $finished -eq 0 -a $# -gt 0 ]; do
option=$1
case $option in
-*)
option=${option#-}
while [ -n "$option" ]; do
case $option in
-)
finished=1
option=
;;
i*)
interfaces=Yes
option=${option#i}
;;
*)
usage 1
;;
esac
done
shift
;;
*)
finished=1
;;
esac
done
[ $# -eq 0 ] || usage 1
[ $VERBOSITY -ge 1 ] && echo "${g_product}-$SHOREWALL_VERSION Status at $g_hostname - $(date)" && echo [ $VERBOSITY -ge 1 ] && echo "${g_product}-$SHOREWALL_VERSION Status at $g_hostname - $(date)" && echo
show_status show_status
[ -n "$interfaces" ] && show_interfaces
exit $status exit $status
} }
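Review bot: in show_interfaces, `for f in ${VARDIR}/*.status` leaves the pattern unexpanded when no `.status` file exists, so interface_status runs `cat` on the literal path, prints an error to stderr and the loop reports `Interface * is Unknown`; a `[ -f "$f" ] || continue` at the top of the loop body fixes it. The option loop itself is sound: `--` is consumed through the `-)` arm, unknown letters fall through to `usage 1`, and `[ $# -eq 0 ] || usage 1` rejects stray positional arguments.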
@@ -3431,6 +3515,14 @@ restart_command() {
return $rc return $rc
} }
run_command() {
if [ -x ${VARDIR}/firewall ] ; then
run_it ${VARDIR}/firewall $g_debugging $@
else
fatal_error "${VARDIR}/firewall does not exist or is not executable"
fi
}
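Review bot: `run_it ${VARDIR}/firewall $g_debugging $@` passes the user's arguments unquoted, so any parameter containing whitespace or glob characters is re-split or expanded before it reaches the generated script; `"$@"` preserves them as typed. The `-x` test with its fatal_error is the right guard here, since the command is meaningless without a compiled script.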
# #
# Give Usage Information # Give Usage Information
# #
@@ -3462,10 +3554,12 @@ usage() # $1 = exit status
echo " reset [ <chain> ... ]" echo " reset [ <chain> ... ]"
echo " restart [ -n ] [ -p ] [ -f ] [ <directory> ]" echo " restart [ -n ] [ -p ] [ -f ] [ <directory> ]"
echo " restore [ -n ] [ <file name> ]" echo " restore [ -n ] [ <file name> ]"
echo " run <command> [ <parameter> ... ]"
echo " save [ <file name> ]" echo " save [ <file name> ]"
echo " [ show | list | ls ] [ -b ] [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]" echo " [ show | list | ls ] [ -b ] [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
echo " [ show | list | ls ] [ -f ] capabilities" echo " [ show | list | ls ] [ -f ] capabilities"
echo " [ show | list | ls ] arptables" echo " [ show | list | ls ] arptables"
echo " [ show | list | ls ] [ -x ] {bl|blacklists}"
echo " [ show | list | ls ] classifiers" echo " [ show | list | ls ] classifiers"
echo " [ show | list | ls ] config" echo " [ show | list | ls ] config"
echo " [ show | list | ls ] connections" echo " [ show | list | ls ] connections"
@@ -3488,7 +3582,8 @@ usage() # $1 = exit status
echo " [ show | list | ls ] zones" echo " [ show | list | ls ] zones"
echo " start [ -f ] [ -p ] [ <directory> ]" echo " start [ -f ] [ -p ] [ <directory> ]"
echo " stop" echo " stop"
echo " status" echo " status [ -i ]"
echo " run <function> [ function ... ]"
echo " version [ -a ]" echo " version [ -a ]"
echo echo
exit $1 exit $1
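Review bot: `run` is now listed twice in the usage text, as `run <command> [ <parameter> ... ]` in the alphabetical block above and again here as `run <function> [ function ... ]` after `status`, and the two lines disagree on what follows the command name. Keep one (the alphabetical one, worded like the manpage synopsis `run function [ parameter ... ]`) and drop the other.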
@@ -3733,16 +3828,21 @@ shorewall_cli() {
fatal_error "$g_product is not running" fatal_error "$g_product is not running"
fi fi
;; ;;
run)
[ $# -gt 1 ] || fatal_error "Missing function name"
get_config Yes
run_command $@
;;
show|list|ls) show|list|ls)
get_config Yes No Yes get_config Yes No Yes
shift shift
show_command $@ show_command $@
;; ;;
status) status)
[ $# -eq 1 ] || usage 1
[ "$(id -u)" != 0 ] && fatal_error "The status command may only be run by root" [ "$(id -u)" != 0 ] && fatal_error "The status command may only be run by root"
get_config get_config
status_command shift
status_command $@
;; ;;
dump) dump)
get_config Yes No Yes get_config Yes No Yes
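Review bot: the new `run)` arm intentionally does not `shift`, so the generated script receives `run` as its $COMMAND, which is what the manpage text about running the init extension with $COMMAND = 'run' relies on; a one-line comment would stop a future reader from "fixing" it to look like the `show` arm. Two further points: `run_command $@` is unquoted (see the run_command hunk), and unlike `status`, which is root-only, `run` has no privilege check; if functions in lib.private touch the live ruleset, the same `id -u` guard belongs here.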

View File

@@ -172,6 +172,7 @@ run_it() {
error_message() # $* = Error Message error_message() # $* = Error Message
{ {
echo " $@" >&2 echo " $@" >&2
return 1
} }
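Review bot: adding `return 1` changes the exit status seen by every existing error_message caller; any call site that is the last statement of a function, sits in a `&&`/`||` chain, or runs under `set -e` now observes a failure where it previously saw the status of `echo`. Worth grepping the callers before merging, and a comment stating the intent so new callers know to write `error_message ...; return` where they want the failure propagated.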
# #

View File

@@ -123,6 +123,17 @@ shorewall_start () {
echo "done." echo "done."
if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
echo -n "Restoring ipsets: "
if ! ipset -R < "$SAVE_IPSETS"; then
echo_notdone
fi
echo "done."
fi
return 0 return 0
} }
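Review bot: both the success path and the `echo_notdone` path fall through to `echo "done."`, so a failed `ipset -R` prints "not done" immediately followed by "done."; move the `echo "done."` into an else branch. Since `ipset -R` loads whatever `$SAVE_IPSETS` contains into the kernel, the file and its directory must be writable by root only; the `-f` test checks existence but not ownership, so a note in the defaults file about where it may safely point would help.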
@@ -142,6 +153,20 @@ shorewall_stop () {
echo "done." echo "done."
if [ -n "$SAVE_IPSETS" ]; then
echo "Saving ipsets: "
mkdir -p $(dirname "$SAVE_IPSETS")
if ipset -S > "${SAVE_IPSETS}.tmp"; then
grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
else
echo_notdone
fi
echo "done."
fi
return 0 return 0
} }
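Review bot: when `ipset -S` succeeds but the grep for `^(-N|create )` finds no set definitions, `${SAVE_IPSETS}.tmp` is left behind; append `|| rm -f "${SAVE_IPSETS}.tmp"` after the `mv`. `mkdir -p $(dirname "$SAVE_IPSETS")` also needs quotes around the substitution. As in the start hunk, `echo "done."` is printed even after `echo_notdone`, and this branch uses `echo` where the restore branch uses `echo -n`, so the two progress messages render differently.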

View File

@@ -195,7 +195,7 @@ T='-T'
if [ -z "$BUILD" ]; then if [ -z "$BUILD" ]; then
case $(uname) in case $(uname) in
cygwin*) cygwin*|CYGWIN*)
BUILD=cygwin BUILD=cygwin
;; ;;
Darwin) Darwin)
@@ -242,7 +242,7 @@ if [ -z "$BUILD" ]; then
fi fi
case $BUILD in case $BUILD in
cygwin*) cygwin*|CYGWIN*)
OWNER=$(id -un) OWNER=$(id -un)
GROUP=$(id -gn) GROUP=$(id -gn)
;; ;;
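Review bot: `case $BUILD in cygwin*|CYGWIN*)` only matters when BUILD is supplied by the caller, because the auto-detection in the previous hunk normalises it to `cygwin`; harmless, but normalising a caller-supplied BUILD once (lowercase it right after the detection block) would let every later `case` keep a single spelling.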

View File

@@ -317,6 +317,21 @@
<arg><replaceable>filename</replaceable></arg> <arg><replaceable>filename</replaceable></arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis>
<command>shorewall-lite</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>run</option></arg>
<arg choice="plain">function</arg>
<arg><replaceable>parameter ...</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
<command>shorewall-lite</command> <command>shorewall-lite</command>
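Review bot: in the new synopsis `function` is emitted as a bare `<arg choice="plain">function</arg>` while the other placeholders (`parameter ...`, `options`) are wrapped in `<replaceable>`; wrap it the same way so it renders as a placeholder, and use the same word as the `run` description further down, which calls it `command`.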
@@ -352,6 +367,20 @@
rep="repeat"><replaceable>chain</replaceable></arg></arg> rep="repeat"><replaceable>chain</replaceable></arg></arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis>
<command>shorewall-lite</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="opt"><option>show | list | ls </option></arg>
<arg><option>-x</option></arg>
<arg choice="plain"><option>{bl|blacklists}</option></arg>
</cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
<command>shorewall-lite</command> <command>shorewall-lite</command>
@@ -465,7 +494,8 @@
<arg>-<replaceable>options</replaceable></arg> <arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>status</option></arg> <arg choice="plain"><arg
choice="plain"><option>status</option><arg><option>-i</option></arg></arg></arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
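Review bot: `<arg choice="plain"><arg choice="plain"><option>status</option><arg><option>-i</option></arg></arg></arg>` nests two plain args with nothing between them; a single `<arg choice="plain"><option>status</option><arg><option>-i</option></arg></arg>` renders identically and is easier to maintain.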
@@ -807,6 +837,23 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">run</emphasis></term>
<listitem>
<para>Added in Shorewall 4.6.3. Executes
<replaceable>command</replaceable> in the context of the generated
script passing the supplied <replaceable>parameter</replaceable>s.
Normally, the <replaceable>command</replaceable> will be a function
declared in <filename>lib.private</filename>.</para>
<para>Before executing the <replaceable>command</replaceable>, the
script will detect the configuration, setting all SW_* variables and
will run your <filename>init</filename> extension script with
$COMMAND = 'run'.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">save</emphasis></term> <term><emphasis role="bold">save</emphasis></term>
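Review bot: the description calls the argument `<replaceable>command</replaceable>` while the synopsis above calls it `function`; pick one term for both. The version note (`4.6.3` here versus `4.6.2` for `bl` and `-i` elsewhere in this file) is consistent with the commit list, where the `run` command arrives after the 4.6.2 merges, so that part reads correctly.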
@@ -829,6 +876,19 @@
arguments:</para> arguments:</para>
<variablelist> <variablelist>
<varlistentry>
<term><emphasis role="bold">bl|blacklists</emphasis></term>
<listitem>
<para>Added in Shorewall 4.6.2. Displays the dynamic chain
along with any chains produced by entries in
shorewall-blrules(5).The <emphasis role="bold">-x</emphasis>
option is passed directly through to iptables and causes
actual packet and byte counts to be displayed. Without this
option, those counts are abbreviated.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">capabilities</emphasis></term> <term><emphasis role="bold">capabilities</emphasis></term>
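Review bot: missing space in `shorewall-blrules(5).The`. Otherwise the entry matches the new usage line `[ show | list | ls ] [ -x ] {bl|blacklists}` and the `-x` pass-through behaviour of show_bl.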
@@ -1073,6 +1133,10 @@
<listitem> <listitem>
<para>Produces a short report about the state of the <para>Produces a short report about the state of the
Shorewall-configured firewall.</para> Shorewall-configured firewall.</para>
<para>The <option>-i </option>option was added in Shorewall 4.6.2
and causes the status of each optional or provider interface to be
displayed.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>

View File

@@ -0,0 +1,23 @@
#
# Shorewall version 4 - ILO Macro
#
# /usr/share/shorewall/macro.ILO
#
# This macro handles console redirection with HP ILO 2+,
# Use this macro to open access to your ILO interface from management
# workstations.
#
###############################################################################
?FORMAT 2
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/
# PORT(S) PORT(S) DEST LIMIT GROUP
PARAM - - tcp 3002 # Raw serial data
PARAM - - tcp 9300 # Shared Remote Console
PARAM - - tcp 17988 # Virtual Media
PARAM - - tcp 17990 # Console Replay
HTTP
HTTPS
RDP
SSH
Telnet # Remote Console/Telnet
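Review bot: the header comment ends `HP ILO 2+,` with a comma where a period belongs. Since the macro opens HTTP, Telnet and RDP alongside HTTPS and SSH, a header line pointing out that the cleartext protocols are included would let sites that have disabled them on the ILO copy the macro and remove those lines knowingly.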

View File

@@ -3,7 +3,10 @@
# #
# /usr/share/shorewall/macro.IPMI # /usr/share/shorewall/macro.IPMI
# #
# This macro handles IPMI console redirection with Dell and Supermicro. # This macro handles IPMI console redirection with Asus (AMI),
# Dell DRAC5+ (Avocent), and Supermicro (Aten or AMI).
# Use this macro to open access to your IPMI interface from management
# workstations.
# #
############################################################################### ###############################################################################
?FORMAT 2 ?FORMAT 2
@@ -11,7 +14,13 @@
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ #ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/
# PORT(S) PORT(S) DEST LIMIT GROUP # PORT(S) PORT(S) DEST LIMIT GROUP
PARAM - - tcp 623 # RMCP PARAM - - tcp 623 # RMCP
PARAM - - tcp 5900,5901 # Remote Console PARAM - - tcp 3668,3669 # Virtual Media, Secure (Dell)
PARAM - - tcp 5120,5123 # CD, floppy (Asus, Aten)
PARAM - - tcp 5900,5901 # Remote Console (Aten, Dell)
PARAM - - tcp 7578 # Remote Console (AMI)
PARAM - - udp 623 # RMCP PARAM - - udp 623 # RMCP
HTTP HTTP
HTTPS HTTPS
SNMP
SSH # Serial over Lan
Telnet
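Review bot: `# Serial over Lan` should read `LAN`. The hunk also adds SNMP and Telnet to the invoked macros; as suggested for macro.ILO, a short header note that cleartext management protocols are included would help administrators prune the macro deliberately.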

View File

@@ -3503,7 +3503,7 @@ sub optimize_level8( $$$ ) {
%renamed = (); %renamed = ();
while ( $progress ) { while ( $progress ) {
my @chains = ( sort level8_compare grep $_->{referenced} && ! $_->{builtin}, values %{$tableref} ); my @chains = ( sort { level8_compare($a, $b) } ( grep $_->{referenced} && ! $_->{builtin}, values %{$tableref} ) );
my @chains1 = @chains; my @chains1 = @chains;
my $chains = @chains; my $chains = @chains;
my %rename; my %rename;
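Review bot: replacing `sort level8_compare grep ...` with `sort { level8_compare($a, $b) } ( grep ... )` removes the bare-word comparator form that Perl 5.20 no longer parsed as intended, but it also changes how the comparator receives its operands: the block passes `$a` and `$b` as explicit arguments, so level8_compare must take two parameters rather than reading the package globals; confirm its signature, because a mismatch would sort silently wrong instead of failing.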
@@ -6723,20 +6723,25 @@ sub interface_mac( $$ ) {
# #
# Record the fact that the ruleset requires MAC address of the passed gateway IP routed out of the passed interface for the passed provider number # Record the fact that the ruleset requires MAC address of the passed gateway IP routed out of the passed interface for the passed provider number
# #
sub get_interface_mac( $$$ ) { sub get_interface_mac( $$$$ ) {
my ( $ipaddr, $logical , $table ) = @_; my ( $ipaddr, $logical , $table, $mac ) = @_;
my $interface = get_physical( $logical ); my $interface = get_physical( $logical );
my $variable = interface_mac( $interface , $table ); my $variable = interface_mac( $interface , $table );
$global_variables |= NOT_RESTORE; $global_variables |= NOT_RESTORE;
if ( interface_is_optional $logical ) { if ( $mac ) {
$interfacemacs{$table} = qq($variable=\$(find_mac $ipaddr $interface)\n); $interfacemacs{$table} = qq($variable=$mac);
} else { } else {
$interfacemacs{$table} = qq($variable=\$(find_mac $ipaddr $interface) if ( interface_is_optional $logical ) {
$interfacemacs{$table} = qq($variable=\$(find_mac $ipaddr $interface)\n);
} else {
$interfacemacs{$table} = qq($variable=\$(find_mac $ipaddr $interface)
[ -n "\$$variable" ] || startup_error "Unable to determine the MAC address of $ipaddr through interface \\"$interface\\"" [ -n "\$$variable" ] || startup_error "Unable to determine the MAC address of $ipaddr through interface \\"$interface\\""
); );
}
} }
"\$$variable"; "\$$variable";

View File

@@ -280,42 +280,42 @@ sub generate_script_2() {
if ( $global_variables ) { if ( $global_variables ) {
emit( 'case $COMMAND in' );
push_indent;
if ( $global_variables & NOT_RESTORE ) { if ( $global_variables & NOT_RESTORE ) {
emit( 'start|restart|refresh|disable|enable)' );
} else {
emit( 'start|restart|refresh|disable|enable|restore)' );
}
push_indent; emit( 'case $COMMAND in' );
set_global_variables(1); push_indent;
handle_optional_interfaces(0);
emit ';;';
if ( $global_variables == ( ALL_COMMANDS | NOT_RESTORE ) ) {
pop_indent;
emit 'restore)'; emit 'restore)';
push_indent; push_indent;
set_global_variables(0); if ( $global_variables == ( ALL_COMMANDS | NOT_RESTORE ) ) {
handle_optional_interfaces(0); set_global_variables(0);
handle_optional_interfaces(0);
}
emit ';;'; emit ';;';
pop_indent;
emit '*)';
push_indent;
} }
pop_indent; set_global_variables(1);
pop_indent;
emit ( 'esac' ) , handle_optional_interfaces(0);
if ( $global_variables & NOT_RESTORE ) {
emit ';;';
pop_indent;
pop_indent;
emit ( 'esac' );
}
} else { } else {
emit( 'true' ) unless handle_optional_interfaces(1); emit( 'true' ) unless handle_optional_interfaces(1);
} }
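Review bot: the restructured emitter now always emits `restore)` when NOT_RESTORE is set, even when `$global_variables` is not `ALL_COMMANDS | NOT_RESTORE` and the arm body is therefore empty, so the generated script contains a bare `restore)` / `;;` pair; legal shell, but guarding the arm with the same condition keeps the output minimal and easier to read when debugging a generated script. The old `emit ( 'esac' ) ,` with its trailing comma is correctly turned into `emit ( 'esac' );` on the new side.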

View File

@@ -3260,6 +3260,10 @@ sub expand_variables( \$ ) {
} }
if ( $actparms{0} ) { if ( $actparms{0} ) {
#
# Allow escaping at signs (@) for u32
#
$$lineref =~ s/\\@/??/g;
# $1 $2 $3 - $4 # $1 $2 $3 - $4
while ( $$lineref =~ m( ^(.*?) \@({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) { while ( $$lineref =~ m( ^(.*?) \@({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
my ( $first, $var, $rest ) = ( $1, $3, $4); my ( $first, $var, $rest ) = ( $1, $3, $4);
@@ -3268,6 +3272,8 @@ sub expand_variables( \$ ) {
$$lineref = join( '', $first , $val , $rest ); $$lineref = join( '', $first , $val , $rest );
fatal_error "Variable Expansion Loop" if ++$count > 100; fatal_error "Variable Expansion Loop" if ++$count > 100;
} }
$$lineref =~ s/\?\?/@/g;
} }
} }
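Review bot: using `??` as the placeholder for an escaped `@` means any literal `??` already present in an action line is also converted to `@` by the final `s/\?\?/@/g`, and commit 0ca12bd86f in the list above ('Correct syntax error caused by replacing %% with ??') shows how fragile this placeholder choice is. A character that cannot legitimately appear in a rule line (a control character such as `\x01`) or a single-pass substitution that skips `\@` while expanding the variables would avoid the round-trip entirely.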
@@ -4118,7 +4124,7 @@ sub IPSet_Match() {
if ( $ipset && -x $ipset ) { if ( $ipset && -x $ipset ) {
qt( "$ipset -X $sillyname" ); qt( "$ipset -X $sillyname" );
if ( qt( "$ipset -N $sillyname iphash" ) || qt( "$ipset -N $sillyname hash:ip family $fam") ) { if ( qt( "$ipset -N $sillyname hash:ip family $fam" ) || qt( "$ipset -N $sillyname iphash" ) ) {
if ( qt1( "$iptables $iptablesw -A $sillyname -m set --match-set $sillyname src -j ACCEPT" ) ) { if ( qt1( "$iptables $iptablesw -A $sillyname -m set --match-set $sillyname src -j ACCEPT" ) ) {
$capabilities{IPSET_MATCH_NOMATCH} = qt1( "$iptables $iptablesw -A $sillyname -m set --match-set $sillyname src --return-nomatch -j ACCEPT" ); $capabilities{IPSET_MATCH_NOMATCH} = qt1( "$iptables $iptablesw -A $sillyname -m set --match-set $sillyname src --return-nomatch -j ACCEPT" );
$capabilities{IPSET_MATCH_COUNTERS} = qt1( "$iptables $iptablesw -A $sillyname -m set --match-set $sillyname src --packets-lt 100 -j ACCEPT" ); $capabilities{IPSET_MATCH_COUNTERS} = qt1( "$iptables $iptablesw -A $sillyname -m set --match-set $sillyname src --packets-lt 100 -j ACCEPT" );
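Review bot: trying the modern `hash:ip family $fam` form before the legacy `iphash` is the right order on current kernels and is what the 'Correct IPV6 ipset capabilities checking on 3.14 kernels' commit is about. `$sillyname` is destroyed with `-X` before the probe, but its removal after the probe is outside this hunk; confirm it happens on every path, since a leftover probe set would otherwise persist on the host.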
@@ -4140,7 +4146,7 @@ sub IPSet_Match_Nomatch() {
} }
sub IPSet_Match_Counters() { sub IPSet_Match_Counters() {
have_capability 'IPSET_MATCH' && $capabilities{IPSET_MATCH_COUNTGERS}; have_capability 'IPSET_MATCH' && $capabilities{IPSET_MATCH_COUNTERS};
} }
sub IPSET_V5() { sub IPSET_V5() {
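Review bot: `IPSET_MATCH_COUNTGERS` was a silent typo in a hash key, which `use strict` cannot catch, so the counters capability was never reported even when the probe detected it. A `use constant` list of capability names, or a test that compares the keys set in determine_capabilities with those read back, would turn this class of bug into a compile-time or test-time error.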
@@ -4615,6 +4621,7 @@ sub determine_capabilities() {
$capabilities{FWMARK_RT_MASK} = detect_capability( 'FWMARK_RT_MASK' ); $capabilities{FWMARK_RT_MASK} = detect_capability( 'FWMARK_RT_MASK' );
$capabilities{MARK_ANYWHERE} = detect_capability( 'MARK_ANYWHERE' ); $capabilities{MARK_ANYWHERE} = detect_capability( 'MARK_ANYWHERE' );
$capabilities{ACCOUNT_TARGET} = detect_capability( 'ACCOUNT_TARGET' ); $capabilities{ACCOUNT_TARGET} = detect_capability( 'ACCOUNT_TARGET' );
$capabilities{HEADER_MATCH} = detect_capability( 'HEADER_MATCH' );
$capabilities{AUDIT_TARGET} = detect_capability( 'AUDIT_TARGET' ); $capabilities{AUDIT_TARGET} = detect_capability( 'AUDIT_TARGET' );
$capabilities{IPSET_V5} = detect_capability( 'IPSET_V5' ); $capabilities{IPSET_V5} = detect_capability( 'IPSET_V5' );
$capabilities{CONDITION_MATCH} = detect_capability( 'CONDITION_MATCH' ); $capabilities{CONDITION_MATCH} = detect_capability( 'CONDITION_MATCH' );
@@ -4630,6 +4637,7 @@ sub determine_capabilities() {
$capabilities{RPFILTER_MATCH} = detect_capability( 'RPFILTER_MATCH' ); $capabilities{RPFILTER_MATCH} = detect_capability( 'RPFILTER_MATCH' );
$capabilities{NFACCT_MATCH} = detect_capability( 'NFACCT_MATCH' ); $capabilities{NFACCT_MATCH} = detect_capability( 'NFACCT_MATCH' );
$capabilities{CHECKSUM_TARGET} = detect_capability( 'CHECKSUM_TARGET' ); $capabilities{CHECKSUM_TARGET} = detect_capability( 'CHECKSUM_TARGET' );
$capabilities{ARPTABLESJF} = detect_capability( 'ARPTABLESJF' );
$capabilities{MASQUERADE_TGT} = detect_capability( 'MASQUERADE_TGT' ); $capabilities{MASQUERADE_TGT} = detect_capability( 'MASQUERADE_TGT' );
$capabilities{UDPLITEREDIRECT} = detect_capability( 'UDPLITEREDIRECT' ); $capabilities{UDPLITEREDIRECT} = detect_capability( 'UDPLITEREDIRECT' );
$capabilities{NEW_TOS_MATCH} = detect_capability( 'NEW_TOS_MATCH' ); $capabilities{NEW_TOS_MATCH} = detect_capability( 'NEW_TOS_MATCH' );
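Review bot: HEADER_MATCH and ARPTABLESJF are inserted at specific positions rather than appended, and the commit message ('Move detection of Header Match to its proper ordinal') says the position matters; a comment at the head of this list stating that the order must match the capability ordinals used elsewhere would keep the next addition from simply being appended at the end.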

View File

@@ -258,7 +258,7 @@ sub copy_and_edit_table( $$$$$ ) {
emit ''; emit '';
if ( $realm ) { if ( $realm ) {
emit ( "\$IP -$family -o route show table $duplicate | sed -r 's/ realm [[:alnum:]]+//' | ${filter}while read net route; do" ) emit ( "\$IP -$family -o route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | ${filter}while read net route; do" )
} else { } else {
emit ( "\$IP -$family -o route show table $duplicate | ${filter}while read net route; do" ) emit ( "\$IP -$family -o route show table $duplicate | ${filter}while read net route; do" )
} }
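Review bot: the realm-stripping `sed` now accepts underscores, but a realm name containing any other character would still survive the substitution; since `ip -o route show` separates fields with spaces, `s/ realm [^ ]+//` removes the whole field regardless of which characters a realm name may contain.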
@@ -442,10 +442,11 @@ sub process_a_provider( $ ) {
fatal_error 'INTERFACE must be specified' if $interface eq '-'; fatal_error 'INTERFACE must be specified' if $interface eq '-';
( $interface, my $address ) = split /:/, $interface; ( $interface, my $address ) = split /:/, $interface, 2;
my $shared = 0; my $shared = 0;
my $noautosrc = 0; my $noautosrc = 0;
my $mac = '';
if ( defined $address ) { if ( defined $address ) {
validate_address $address, 0; validate_address $address, 0;
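Review bot: the `, 2` limit on `split /:/, $interface, 2` is what lets an IPv6 address after the interface name (`eth0:2001:db8::1`) survive intact; a brief comment would explain it. `$mac` is initialised to `''` here and set to `''` again in the gateway hunk below, so one of the two is redundant.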
@@ -453,10 +454,30 @@ sub process_a_provider( $ ) {
require_capability 'REALM_MATCH', "Configuring multiple providers through one interface", "s"; require_capability 'REALM_MATCH', "Configuring multiple providers through one interface", "s";
} }
fatal_error "Unknown Interface ($interface)" unless known_interface( $interface ); my $interfaceref = known_interface( $interface );
fatal_error "Unknown Interface ($interface)" unless $interfaceref;
fatal_error "A bridge port ($interface) may not be configured as a provider interface" if port_to_bridge $interface; fatal_error "A bridge port ($interface) may not be configured as a provider interface" if port_to_bridge $interface;
my $physical = get_physical $interface; my $physical;
if ( $interface eq $interfaceref->{name} ) {
#
# The logical interface name was specified
#
$physical = $interfaceref->{physical};
} else {
#
# A Physical name was specified
#
$physical = $interface;
#
# Switch to the logical name unless it is a wildcard
#
$interface = $interfaceref->{name} unless $interfaceref->{wildcard};
}
my $gatewaycase = ''; my $gatewaycase = '';
if ( $physical =~ /\+$/ ) { if ( $physical =~ /\+$/ ) {
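Review bot: `port_to_bridge $interface` is evaluated before the new physical-to-logical switch, so it receives whatever the user typed (logical or physical name); confirm that port_to_bridge accepts a physical name, or move the bridge-port check below the `if ( $interface eq $interfaceref->{name} )` block. In the wildcard branch `$interface` deliberately stays a physical name, which is then passed to `get_interface_gateway $interface` in the next hunk; the comment at "Switch to the logical name unless it is a wildcard" should state that downstream lookups must therefore accept physical wildcard names.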
@@ -469,7 +490,17 @@ sub process_a_provider( $ ) {
$gateway = get_interface_gateway $interface; $gateway = get_interface_gateway $interface;
$gatewaycase = 'detect'; $gatewaycase = 'detect';
} elsif ( $gateway && $gateway ne '-' ) { } elsif ( $gateway && $gateway ne '-' ) {
( $gateway, $mac ) = split_host_list( $gateway, 0 );
validate_address $gateway, 0; validate_address $gateway, 0;
if ( defined $mac ) {
$mac =~ tr/-/:/;
$mac =~ s/^~//;
fatal_error "Invalid MAC address ($mac)" unless $mac =~ /^(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$/;
} else {
$mac = '';
}
$gatewaycase = 'specified'; $gatewaycase = 'specified';
} else { } else {
$gatewaycase = 'none'; $gatewaycase = 'none';
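Review bot: `( $gateway, $mac ) = split_host_list( $gateway, 0 )` silently discards a third and later list element, so `GATEWAY` written as `address,mac,junk` passes validation; add `fatal_error "Invalid GATEWAY ($gateway)" if @list > 2` (or equivalent) before the MAC check. The validation order is fine: `tr/-/:/` and `s/^~//` run before the regex, so both `~00-11-22-33-44-55` and `00:11:22:33:44:55` are accepted, which the GATEWAY manpage text added in this change does not mention.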
@@ -644,6 +675,7 @@ sub process_a_provider( $ ) {
loose => $loose , loose => $loose ,
duplicate => $duplicate , duplicate => $duplicate ,
address => $address , address => $address ,
mac => $mac ,
local => $local , local => $local ,
tproxy => $tproxy , tproxy => $tproxy ,
load => $load , load => $load ,
@@ -720,6 +752,7 @@ sub add_a_provider( $$ ) {
my $loose = $providerref->{loose}; my $loose = $providerref->{loose};
my $duplicate = $providerref->{duplicate}; my $duplicate = $providerref->{duplicate};
my $address = $providerref->{address}; my $address = $providerref->{address};
my $mac = $providerref->{mac};
my $local = $providerref->{local}; my $local = $providerref->{local};
my $tproxy = $providerref->{tproxy}; my $tproxy = $providerref->{tproxy};
my $load = $providerref->{load}; my $load = $providerref->{load};
@@ -733,7 +766,7 @@ sub add_a_provider( $$ ) {
my $realm = ''; my $realm = '';
if ( $shared ) { if ( $shared ) {
my $variable = $providers{$table}{mac} = get_interface_mac( $gateway, $interface , $table ); my $variable = $providers{$table}{mac} = get_interface_mac( $gateway, $interface , $table, $mac );
$realm = "realm $number"; $realm = "realm $number";
start_provider( $label , $table, $number, $id, qq(if interface_is_usable $physical && [ -n "$variable" ]; then) ); start_provider( $label , $table, $number, $id, qq(if interface_is_usable $physical && [ -n "$variable" ]; then) );
} elsif ( $pseudo ) { } elsif ( $pseudo ) {
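Review bot: `$mac` is only consumed inside `if ( $shared )`, so a MAC given in GATEWAY for a provider that is not shared is silently ignored; a `warning_message` in process_a_provider when `$mac` is set and `$shared` is false would catch a common configuration error. `get_interface_mac` now takes a fourth argument; its definition is not in this diff, so check that it treats `''` the same as the previous three-argument form and that no other caller still passes three arguments.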

View File

@@ -818,9 +818,7 @@ sub apply_policy_rules() {
progress_message2 'Applying Policies...'; progress_message2 'Applying Policies...';
for my $chainref ( @policy_chains ) { for my $chainref ( @policy_chains ) {
my $policy = $chainref->{policy}; unless ( ( my $policy = $chainref->{policy} ) eq 'NONE' ) {
unless ( $policy eq 'NONE' ) {
my $loglevel = $chainref->{loglevel}; my $loglevel = $chainref->{loglevel};
my $provisional = $chainref->{provisional}; my $provisional = $chainref->{provisional};
my $default = $chainref->{default}; my $default = $chainref->{default};
@@ -1673,9 +1671,11 @@ sub process_action($$) {
$origdest = $connlimit = $time = $headers = $condition = $helper = '-'; $origdest = $connlimit = $time = $headers = $condition = $helper = '-';
} else { } else {
($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper ) ($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper )
= split_line1( 'action file', = split_line2( 'action file',
\%rulecolumns, \%rulecolumns,
$action_commands ); $action_commands,
undef,
1 );
} }
fatal_error 'TARGET must be specified' if $target eq '-'; fatal_error 'TARGET must be specified' if $target eq '-';
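Review bot: the new trailing arguments `undef, 1` to split_line2 are unexplained here; the other split_line2 calls in this change (the mangle/tcrules file) pass a numeric column count in that position (`16`, `17`) followed by `1`. If `undef` means "no column limit" for action files, a short comment on the `undef,` line saying so would save the next reader from looking up split_line2.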

View File

@@ -174,8 +174,8 @@ sub initialize( $ ) {
# #
# Process a rule from the tcrules or mangle file # Process a rule from the tcrules or mangle file
# #
sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) { sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
our ( $file, $action, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state ) = @_; our ( $file, $action, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time ) = @_;
use constant { use constant {
PREROUTING => 1, #Actually tcpre PREROUTING => 1, #Actually tcpre
@@ -229,7 +229,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
sub handle_mark_param( $$ ) { sub handle_mark_param( $$ ) {
my ( $option, $marktype ) = @_; my ( $option, $marktype ) = @_;
my $and_or = $1 if $params =~ s/^([|&])//; my $and_or = $params =~ s/^([|&])// ? $1 : '';
if ( $params =~ /-/ ) { if ( $params =~ /-/ ) {
# #
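Review bot: good catch on `my $and_or = $1 if $params =~ s/^([|&])//;`. A `my` declaration with a statement modifier is documented in perlsyn as undefined behaviour (the variable can retain its value from a previous call), so the explicit `? $1 : ''` form is the correct fix and also guarantees `$and_or` is never undef when interpolated below.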
@@ -556,7 +556,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
mask => in_hex( $globals{TC_MASK} ), mask => in_hex( $globals{TC_MASK} ),
function => sub () { function => sub () {
$target = 'MARK'; $target = 'MARK';
handle_mark_param('--set-mark', , HIGHMARK ); handle_mark_param('', , HIGHMARK );
}, },
}, },
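Review bot: `handle_mark_param('', , HIGHMARK )` keeps the stray double comma from the old line; Perl tolerates an empty list element, but it reads as a missing argument, so write `handle_mark_param( '', HIGHMARK )`. The change from `'--set-mark'` to `''` is not explained in the diff; if handle_mark_param now derives the option from the mark type, a comment on that line should say so.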
@@ -798,6 +798,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
do_probability( $probability ) . do_probability( $probability ) .
do_dscp( $dscp ) . do_dscp( $dscp ) .
state_match( $state ) . state_match( $state ) .
do_time( $time ) .
$raw_matches , $raw_matches ,
$source , $source ,
$dest , $dest ,
@@ -926,21 +927,22 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
$designator = ''; $designator = '';
} }
my ( $cmd, $rest );
if ( $mark =~ /^TOS/ ) {
$cmd = $mark;
$rest = '';
} else {
($cmd, $rest) = split( '/', $mark, 2 );
}
unless ( $command ) { unless ( $command ) {
{ {
if ( $cmd =~ /^([A-Z]+)/ ) { my ( $cmd, $rest ) = split( '/', $mark, 2 );
if ( $cmd =~ /^([A-Z]+)(?:\((.+)\))?/ ) {
if ( my $tccmd = $tccmd{$1} ) { if ( my $tccmd = $tccmd{$1} ) {
fatal_error "Invalid $1 ACTION ($originalmark)" unless $tccmd->{match}($cmd); fatal_error "Invalid $1 ACTION ($originalmark)" unless $tccmd->{match}($cmd);
$command = $tccmd->{command} if $tccmd->{command}; $command = $1;
if ( supplied $rest ) {
fatal_error "Invalid $1 ACTION ($originalmark)" if supplied $2;
$mark = $rest;
} elsif ( supplied $2 ) {
$mark = $2;
} else {
$mark = '';
}
} }
} else { } else {
$command = 'MARK'; $command = 'MARK';
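Review bot: the old code skipped the `/` split for marks beginning with `TOS`; the new code always does `split( '/', $mark, 2 )`, so a TOS value that itself contains `/` would now have its tail moved to `$rest`. If the new `CMD(arg)` form is meant to make the special case unnecessary, note that in a comment; otherwise restore the TOS check. Also, `$command = $1;` replaces `$command = $tccmd->{command} if $tccmd->{command};`, so the `command` key of the %tccmd entries looks dead after this change, and `$1`/`$2` are reused after calling `$tccmd->{match}($cmd)`, which only works because regex captures are dynamically scoped; copying them into lexicals right after the match would be more robust.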
@@ -986,7 +988,9 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
$headers, $headers,
$probability, $probability,
$dscp, $dscp,
$state ); $state,
'-',
);
} }
} }
@@ -1046,9 +1050,9 @@ sub process_tc_rule( ) {
} }
sub process_mangle_rule( ) { sub process_mangle_rule( ) {
my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state ); my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time );
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state ) = ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state, $time ) =
split_line2( 'tcrules file', split_line2( 'tcrules file',
{ mark => 0, { mark => 0,
action => 0, action => 0,
@@ -1065,13 +1069,15 @@ sub process_mangle_rule( ) {
helper => 11, helper => 11,
probability => 12 , probability => 12 ,
scp => 13, scp => 13,
state => 14 }, state => 14,
time => 15,
},
{}, {},
15, 16,
1 ); 1 );
$headers = '-'; $headers = '-';
} else { } else {
( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state ) = ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state, $time ) =
split_line2( 'tcrules file', split_line2( 'tcrules file',
{ mark => 0, { mark => 0,
action => 0, action => 0,
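Review bot: the IPv4 column map has `scp => 13,` where the IPv6 map in the next hunk has `dscp => 14,`; this looks like a pre-existing typo that prevents `dscp=` from being used as a column name in IPv4 tcrules/mangle files. It is adjacent to the lines being touched, so fix it here as `dscp => 13,`.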
@@ -1089,14 +1095,16 @@ sub process_mangle_rule( ) {
headers => 12, headers => 12,
probability => 13, probability => 13,
dscp => 14, dscp => 14,
state => 15 }, state => 15,
time => 16,
},
{}, {},
16, 17,
1 ); 1 );
} }
for my $proto (split_list( $protos, 'Protocol' ) ) { for my $proto (split_list( $protos, 'Protocol' ) ) {
process_mangle_rule1( 'Mangle', $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state ); process_mangle_rule1( 'Mangle', $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time );
} }
} }

View File

@@ -193,6 +193,7 @@ our %reservedName = ( all => 1,
# physical => <physical interface name> # physical => <physical interface name>
# base => <shell variable base representing this interface> # base => <shell variable base representing this interface>
# provider => <Provider Name, if interface is associated with a provider> # provider => <Provider Name, if interface is associated with a provider>
# wildcard => undef|1 # Wildcard Name
# zones => { zone1 => 1, ... } # zones => { zone1 => 1, ... }
# } # }
# } # }
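Review bot: the new entry `# wildcard => undef|1 # Wildcard Name` breaks the style of the surrounding structure comment, where each key is followed by a `<description>`; a trailing `# Wildcard Name` inside an already commented block is confusing. Suggest `# wildcard => undef|1 (physical name ends in '+')`.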
@@ -1375,6 +1376,7 @@ sub process_interface( $$ ) {
base => var_base( $physical ), base => var_base( $physical ),
zones => {}, zones => {},
origin => shortlineinfo(''), origin => shortlineinfo(''),
wildcard => $wildcard,
}; };
if ( $zone ) { if ( $zone ) {
@@ -1497,7 +1499,7 @@ sub map_physical( $$ ) {
$physical =~ s/\+$//; $physical =~ s/\+$//;
$physical . substr( $name, length $interfaceref->{root} ); $physical . substr( $name, length( $interfaceref->{root} ) );
} }
# #
@@ -1531,6 +1533,7 @@ sub known_interface($)
number => $interfaceref->{number} , number => $interfaceref->{number} ,
physical => $physical , physical => $physical ,
base => var_base( $physical ) , base => var_base( $physical ) ,
wildcard => $interfaceref->{wildcard} ,
zones => $interfaceref->{zones} , zones => $interfaceref->{zones} ,
}; };
} }
@@ -1768,7 +1771,7 @@ sub find_interfaces_by_option1( $ ) {
my $optionsref = $interfaceref->{options}; my $optionsref = $interfaceref->{options};
if ( $optionsref && defined $optionsref->{$option} ) { if ( $optionsref && defined $optionsref->{$option} ) {
$wild ||= ( $interfaceref->{physical} =~ /\+$/ ); $wild ||= $interfaceref->{wildcard};
push @ints , $interface push @ints , $interface
} }
} }

View File

@@ -17,6 +17,7 @@ usage() {
echo " reset" echo " reset"
echo " refresh" echo " refresh"
echo " restart" echo " restart"
echo " run <command> [ <parameter> ... ]"
echo " status" echo " status"
echo " up <interface>" echo " up <interface>"
echo " version" echo " version"
@@ -371,6 +372,17 @@ case "$COMMAND" in
fi fi
status=0 status=0
;; ;;
run)
if [ $# -gt 1 ]; then
shift
detect_configuration
run_init_exit
eval $@
status=$?
else
error_message "ERROR: Missing command"
fi
;;
version) version)
[ $# -ne 1 ] && usage 2 [ $# -ne 1 ] && usage 2
echo $SHOREWALL_VERSION echo $SHOREWALL_VERSION
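Review bot: `eval $@` should be `eval "$@"`; with the unquoted form the arguments are word-split and glob-expanded once before eval re-parses them, so a parameter containing spaces or `*` changes meaning. Also, in the `else` branch `status` is never set (compare `status=0` in the preceding case), so the exit code after "ERROR: Missing command" is whatever the variable held before; set `status=2` (or call `usage 2`) there.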

View File

@@ -3,7 +3,7 @@ For instructions on using this sample configuration, please see
http://www.shorewall.net/standalone.htm http://www.shorewall.net/standalone.htm
Shorewall Samples Shorewall Samples
Copyright (C) 2006 by the following authors: Copyright (C) 2006-2014 by the following authors:
Thomas M. Eastep Thomas M. Eastep
Paul D. Gear Paul D. Gear
Cristian Rodriguez Cristian Rodriguez

View File

@@ -1,6 +1,6 @@
# #
# Shorewall version 4.0 - Sample Interfaces File for one-interface configuration. # Shorewall version 4.0 - Sample Interfaces File for one-interface configuration.
# Copyright (C) 2006 by the Shorewall Team # Copyright (C) 2006-2014 by the Shorewall Team
# #
# This library is free software; you can redistribute it and/or # This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public # modify it under the terms of the GNU Lesser General Public

View File

@@ -1,6 +1,6 @@
# #
# Shorewall version 4.0 - Sample Policy File for one-interface configuration. # Shorewall version 4.0 - Sample Policy File for one-interface configuration.
# Copyright (C) 2006 by the Shorewall Team # Copyright (C) 2006-2014 by the Shorewall Team
# #
# This library is free software; you can redistribute it and/or # This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public # modify it under the terms of the GNU Lesser General Public

View File

@@ -1,6 +1,6 @@
# #
# Shorewall version 4.0 - Sample Rules File for one-interface configuration. # Shorewall version 4.0 - Sample Rules File for one-interface configuration.
# Copyright (C) 2006 by the Shorewall Team # Copyright (C) 2006-2014 by the Shorewall Team
# #
# This library is free software; you can redistribute it and/or # This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public # modify it under the terms of the GNU Lesser General Public

View File

@@ -2,7 +2,7 @@
# #
# Shorewall version 4.0 - Sample shorewall.conf for one-interface # Shorewall version 4.0 - Sample shorewall.conf for one-interface
# configuration. # configuration.
# Copyright (C) 2006 by the Shorewall Team # Copyright (C) 2006-2014 by the Shorewall Team
# #
# This library is free software; you can redistribute it and/or # This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public # modify it under the terms of the GNU Lesser General Public

View File

@@ -1,6 +1,6 @@
# #
# Shorewall version 4.0 - Sample Zones File for one-interface configuration. # Shorewall version 4.0 - Sample Zones File for one-interface configuration.
# Copyright (C) 2006 by the Shorewall Team # Copyright (C) 2006-2014 by the Shorewall Team
# #
# This library is free software; you can redistribute it and/or # This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public # modify it under the terms of the GNU Lesser General Public

View File

@@ -3,7 +3,7 @@ For instructions on using these sample configurations, please see
http://www.shorewall.net/three-interface.htm http://www.shorewall.net/three-interface.htm
Shorewall Samples Shorewall Samples
Copyright (C) 2006 by the following authors: Copyright (C) 2006-2014 by the following authors:
Thomas M. Eastep Thomas M. Eastep
Paul D. Gear Paul D. Gear
Cristian Rodriguez Cristian Rodriguez

View File

@@ -1,6 +1,6 @@
# #
# Shorewall version 4.0 - Sample Interfaces File for three-interface configuration. # Shorewall version 4.0 - Sample Interfaces File for three-interface configuration.
# Copyright (C) 2006 by the Shorewall Team # Copyright (C) 2006-2014 by the Shorewall Team
# #
# This library is free software; you can redistribute it and/or # This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public # modify it under the terms of the GNU Lesser General Public

View File

@@ -1,6 +1,6 @@
# #
# Shorewall version 3.4 - Sample Masq file for three-interface configuration. # Shorewall version 3.4 - Sample Masq file for three-interface configuration.
# Copyright (C) 2006,2007 by the Shorewall Team # Copyright (C) 2006-2014 by the Shorewall Team
# #
# This library is free software; you can redistribute it and/or # This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public # modify it under the terms of the GNU Lesser General Public

View File

@@ -1,6 +1,6 @@
# #
# Shorewall version 3.4 - Sample Policy File for three-interface configuration. # Shorewall version 3.4 - Sample Policy File for three-interface configuration.
# Copyright (C) 2006 by the Shorewall Team # Copyright (C) 2006-2014 by the Shorewall Team
# #
# This library is free software; you can redistribute it and/or # This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public # modify it under the terms of the GNU Lesser General Public

View File

@@ -1,6 +1,6 @@
# #
# Shorewall version 4.0 - Sample Rules File for three-interface configuration. # Shorewall version 4.0 - Sample Rules File for three-interface configuration.
# Copyright (C) 2006,2007 by the Shorewall Team # Copyright (C) 2006-2014 by the Shorewall Team
# #
# This library is free software; you can redistribute it and/or # This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public # modify it under the terms of the GNU Lesser General Public

View File

@@ -2,8 +2,7 @@
# #
# Shorewall version 4.0 - Sample shorewall.conf for three-interface # Shorewall version 4.0 - Sample shorewall.conf for three-interface
# configuration. # configuration.
# Copyright (C) 2006 by the Shorewall Team # Copyright (C) 2006-2014 by the Shorewall Team
# 2011 by Thomas M. Eastep
# #
# This library is free software; you can redistribute it and/or # This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public # modify it under the terms of the GNU Lesser General Public

View File

@@ -1,6 +1,6 @@
# #
# Shorewall version 4.0 - Sample Zones File for three-interface configuration. # Shorewall version 4.0 - Sample Zones File for three-interface configuration.
# Copyright (C) 2006 by the Shorewall Team # Copyright (C) 2006-2014 by the Shorewall Team
# #
# This library is free software; you can redistribute it and/or # This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public # modify it under the terms of the GNU Lesser General Public

View File

@@ -3,7 +3,7 @@ For instructions on using these sample configurations, please see
http://www.shorewall.net/two-interface.htm http://www.shorewall.net/two-interface.htm
Shorewall Samples Shorewall Samples
Copyright (C) 2006 by the following authors: Copyright (C) 2006-2014 by the following authors:
Thomas M. Eastep Thomas M. Eastep
Paul D. Gear Paul D. Gear
Cristian Rodriguez Cristian Rodriguez

View File

@@ -1,6 +1,6 @@
# #
# Shorewall version 4.0 - Sample Interfaces File for two-interface configuration. # Shorewall version 4.0 - Sample Interfaces File for two-interface configuration.
# Copyright (C) 2006 by the Shorewall Team # Copyright (C) 2006-2014 by the Shorewall Team
# #
# This library is free software; you can redistribute it and/or # This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public # modify it under the terms of the GNU Lesser General Public

View File

@@ -1,6 +1,6 @@
# #
# Shorewall version 4.0 - Sample Masq file for two-interface configuration. # Shorewall version 4.0 - Sample Masq file for two-interface configuration.
# Copyright (C) 2006 by the Shorewall Team # Copyright (C) 2006-2014 by the Shorewall Team
# #
# This library is free software; you can redistribute it and/or # This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public # modify it under the terms of the GNU Lesser General Public

View File

@@ -1,6 +1,6 @@
# #
# Shorewall version 4.0 - Sample Policy File for two-interface configuration. # Shorewall version 4.0 - Sample Policy File for two-interface configuration.
# Copyright (C) 2006 by the Shorewall Team # Copyright (C) 2006-2014 by the Shorewall Team
# #
# This library is free software; you can redistribute it and/or # This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public # modify it under the terms of the GNU Lesser General Public

View File

@@ -1,6 +1,6 @@
# #
# Shorewall version 4.0 - Sample Rules File for two-interface configuration. # Shorewall version 4.0 - Sample Rules File for two-interface configuration.
# Copyright (C) 2006,2007 by the Shorewall Team # Copyright (C) 2006-2014,2007 by the Shorewall Team
# #
# This library is free software; you can redistribute it and/or # This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public # modify it under the terms of the GNU Lesser General Public
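Review bot: the replacement produced `# Copyright (C) 2006-2014,2007 by the Shorewall Team`; the `,2007` should have been folded into the range, as was done for the other files in this change. Change it to `# Copyright (C) 2006-2014 by the Shorewall Team`.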

View File

@@ -2,8 +2,7 @@
# #
# Shorewall version 4.0 - Sample shorewall.conf for two-interface # Shorewall version 4.0 - Sample shorewall.conf for two-interface
# configuration. # configuration.
# Copyright (C) 2006,2007 by the Shorewall Team # Copyright (C) 2006-2014 by the Shorewall Team
# 2011 by Thomas M. Eastep
# #
# This library is free software; you can redistribute it and/or # This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public # modify it under the terms of the GNU Lesser General Public

View File

@@ -1,6 +1,6 @@
# #
# Shorewall version 4.0 - Sample Zones File for two-interface configuration. # Shorewall version 4.0 - Sample Zones File for two-interface configuration.
# Copyright (C) 2006 by the Shorewall Team # Copyright (C) 2006-2014 by the Shorewall Team
# #
# This library is free software; you can redistribute it and/or # This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public # modify it under the terms of the GNU Lesser General Public

34
Shorewall/action.DNSAmp Normal file
View File

@@ -0,0 +1,34 @@
#
# Shorewall 4 - DNS Amplification Action
#
# /usr/share/shorewall/action.DNSAmp
#
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
# (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
#
# Complete documentation is available at http://shorewall.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# DNSAmp[([<action>])]
#
# Default action is DROP
#
##########################################################################################
?format 2
DEFAULTS DROP
IPTABLES(@1) - - udp 53 ; -m u32 --u32 "0>>22&0x3C\@8&0x0100=0x0100 && 0>>22&0x3C\@12>>16=1"
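Review bot: the u32 expression tests only the RD flag (`&0x0100=0x0100` on the DNS header) and QDCOUNT (`@12>>16=1`); it does not test the QR bit or the query type, so every single-question recursive query matches, including those from legitimate clients of a recursive resolver. The header comment should say that the action is intended for authoritative-only servers that should never see recursion-desired queries, and the rule relies on u32 match support in the kernel and iptables, which the action does not check for. The `(c) 2011,2012` line in a file first added in 2014 also looks copied from another action file.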

View File

@@ -31,6 +31,7 @@ allowInvalid inline # Accepts packets in the INVALID conntrack state
AutoBL noinline # Auto-blacklist IPs that exceed thesholds AutoBL noinline # Auto-blacklist IPs that exceed thesholds
AutoBLL noinline # Helper for AutoBL AutoBLL noinline # Helper for AutoBL
Broadcast noinline # Handles Broadcast/Multicast/Anycast Broadcast noinline # Handles Broadcast/Multicast/Anycast
DNSAmp # Matches one-question recursive DNS queries
Drop # Default Action for DROP policy Drop # Default Action for DROP policy
dropInvalid inline # Drops packets in the INVALID conntrack state dropInvalid inline # Drops packets in the INVALID conntrack state
DropSmurfs noinline # Drop smurf packets DropSmurfs noinline # Drop smurf packets
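Review bot: the new `DNSAmp` entry has neither `inline` nor `noinline` in the second column, unlike its neighbours; if the default is intentional, fine, but a single-rule action is a natural `inline` candidate. The context line above also carries the pre-existing typo "thesholds" (for "thresholds"), which could be fixed while editing this file.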

View File

@@ -205,7 +205,7 @@ done
if [ -z "$BUILD" ]; then if [ -z "$BUILD" ]; then
case $(uname) in case $(uname) in
cygwin*) cygwin*|CYGWIN*)
BUILD=cygwin BUILD=cygwin
;; ;;
Darwin) Darwin)
@@ -399,7 +399,7 @@ fi
# #
# Create /etc/$PRODUCT and other directories # Create /etc/$PRODUCT and other directories
# #
mkdir -p ${DESTDIR}/${CONFDIR}/$PRODUCT mkdir -p ${DESTDIR}${CONFDIR}/$PRODUCT
mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT
mkdir -p ${DESTDIR}${PERLLIBDIR}/Shorewall mkdir -p ${DESTDIR}${PERLLIBDIR}/Shorewall
mkdir -p ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles mkdir -p ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles

View File

@@ -1615,6 +1615,15 @@ export_command() # $* = original arguments less the command.
fi fi
} }
run_command() {
if [ -x ${VARDIR}/firewall ] ; then
uptodate ${VARDIR}/firewall || echo " WARNING: ${VARDIR}/firewall is not up to date" >&2
run_it ${VARDIR}/firewall $g_debugging $@
else
fatal_error "${VARDIR}/firewall does not exist or is not executable"
fi
}
# #
# Give Usage Information # Give Usage Information
# #
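Review bot: `run_it ${VARDIR}/firewall $g_debugging $@` should pass `"$@"` so that argument boundaries survive into the firewall script; `$g_debugging` is presumably left unquoted on purpose because it may be empty, which is worth a comment. The "not up to date" warning goes to stderr but the command still runs, which is the right behaviour for a diagnostic command; say so in a comment so nobody later turns it into a fatal error.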
@@ -1666,11 +1675,13 @@ usage() # $1 = exit status
echo " reset [ <chain> ... ]" echo " reset [ <chain> ... ]"
echo " restart [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ <directory> ]" echo " restart [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ <directory> ]"
echo " restore [ -n ] [ <file name> ]" echo " restore [ -n ] [ <file name> ]"
echo " run <command> [ <parameter> ... ]"
echo " safe-restart [ -t <timeout> ] [ <directory> ]" echo " safe-restart [ -t <timeout> ] [ <directory> ]"
echo " safe-start [ -t <timeout> ] [ <directory> ]" echo " safe-start [ -t <timeout> ] [ <directory> ]"
echo " save [ <file name> ]" echo " save [ <file name> ]"
echo " [ show | list | ls ] [ -x ] [ -t {filter|mangle|nat|raw|rawpost} ] [ {chain [<chain> [ <chain> ... ]" echo " [ show | list | ls ] [ -x ] [ -t {filter|mangle|nat|raw|rawpost} ] [ {chain [<chain> [ <chain> ... ]"
echo " [ show | list | ls ] actions" echo " [ show | list | ls ] actions"
echo " [ show | list | ls ] [ -x ] {bl|blacklists}"
echo " [ show | list | ls ] [ -f ] capabilities" echo " [ show | list | ls ] [ -f ] capabilities"
echo " [ show | list | ls ] classifiers" echo " [ show | list | ls ] classifiers"
echo " [ show | list | ls ] config" echo " [ show | list | ls ] config"
@@ -1695,7 +1706,7 @@ usage() # $1 = exit status
echo " [ show | list | ls ] vardir" echo " [ show | list | ls ] vardir"
echo " [ show | list | ls ] zones" echo " [ show | list | ls ] zones"
echo " start [ -f ] [ -n ] [ -p ] [ -c ] [ -T ] [ -i ] [ <directory> ]" echo " start [ -f ] [ -n ] [ -p ] [ -c ] [ -T ] [ -i ] [ <directory> ]"
echo " status" echo " status [ -i ]"
echo " stop" echo " stop"
echo " try <directory> [ <timeout> ]" echo " try <directory> [ <timeout> ]"
echo " update [ -a ] [ -b ] [ -r ] [ -T ] [ -D ] [ -i ] [-t] [-A] [ <directory> ]" echo " update [ -a ] [ -b ] [ -r ] [ -T ] [ -D ] [ -i ] [-t] [-A] [ <directory> ]"

View File

@@ -27,7 +27,7 @@
<para>This file was introduced in Shorewall 4.6.0 and is intended to <para>This file was introduced in Shorewall 4.6.0 and is intended to
replace <ulink replace <ulink
url="/manpages/shorewall-mangle.html">shorewall-rules(5)</ulink>. This url="/manpages/shorewall-tcrules.html">shorewall-tcrules(5)</ulink>. This
file is only processed by the compiler if:</para> file is only processed by the compiler if:</para>
<orderedlist numeration="loweralpha"> <orderedlist numeration="loweralpha">
@@ -1109,6 +1109,104 @@ Normal-Service =&gt; 0x00</programlisting>
of the listed states.</para> of the listed states.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">TIME</emphasis> -
<emphasis>timeelement</emphasis>[&amp;<emphasis>timeelement</emphasis>...]</term>
<listitem>
<para>Added in Shorewall 4.6.2.</para>
<para>May be used to limit the rule to a particular time period each
day, to particular days of the week or month, or to a range defined
by dates and times. Requires time match support in your kernel and
ip6tables.</para>
<para><replaceable>timeelement</replaceable> may be:</para>
<variablelist>
<varlistentry>
<term>timestart=<replaceable>hh</replaceable>:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]</term>
<listitem>
<para>Defines the starting time of day.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>timestop=<replaceable>hh</replaceable>:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]</term>
<listitem>
<para>Defines the ending time of day.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>utc</term>
<listitem>
<para>Times are expressed in Greenwich Mean Time.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>localtz</term>
<listitem>
<para>Deprecated by the Netfilter team in favor of <emphasis
role="bold">kerneltz</emphasis>. Times are expressed in Local
Civil Time (default).</para>
</listitem>
</varlistentry>
<varlistentry>
<term>kerneltz</term>
<listitem>
<para>Added in Shorewall 4.5.2. Times are expressed in Local
Kernel Time (requires iptables 1.4.12 or later).</para>
</listitem>
</varlistentry>
<varlistentry>
<term>weekdays=ddd[,ddd]...</term>
<listitem>
<para>where <replaceable>ddd</replaceable> is one of
<option>Mon</option>, <option>Tue</option>,
<option>Wed</option>, <option>Thu</option>,
<option>Fri</option>, <option>Sat</option> or
<option>Sun</option></para>
</listitem>
</varlistentry>
<varlistentry>
<term>monthdays=dd[,dd],...</term>
<listitem>
<para>where <replaceable>dd</replaceable> is an ordinal day of
the month</para>
</listitem>
</varlistentry>
<varlistentry>
<term>datestart=<replaceable>yyyy</replaceable>[-<replaceable>mm</replaceable>[-<replaceable>dd</replaceable>[<option>T</option><replaceable>hh</replaceable>[:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]]]]]</term>
<listitem>
<para>Defines the starting date and time.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>datestop=<replaceable>yyyy</replaceable>[-<replaceable>mm</replaceable>[-<replaceable>dd</replaceable>[<option>T</option><replaceable>hh</replaceable>[:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]]]]]</term>
<listitem>
<para>Defines the ending date and time.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
</variablelist> </variablelist>
</refsect1> </refsect1>
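Review bot: the TIME text says "Requires time match support in your kernel and ip6tables"; if this is the IPv4 shorewall-mangle(5) page (the top of the file describes it as replacing shorewall-tcrules(5)), that should read "iptables". Smaller points in the same block: `utc` is described as "Greenwich Mean Time" where the Netfilter option means UTC; `monthdays=dd[,dd],...` has a stray comma compared with `weekdays=ddd[,ddd]...`; and "Added in Shorewall 4.5.2" under `kerneltz` is copied from the rules manpage and sits oddly under a column that "Added in Shorewall 4.6.2" introduces.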

View File

@@ -129,11 +129,15 @@
<varlistentry> <varlistentry>
<term><emphasis role="bold">GATEWAY</emphasis> - {<emphasis <term><emphasis role="bold">GATEWAY</emphasis> - {<emphasis
role="bold">-</emphasis>|<emphasis>address</emphasis>|<emphasis role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>mac</emphasis>]|<emphasis
role="bold">detect</emphasis>}</term> role="bold">detect</emphasis>}</term>
<listitem> <listitem>
<para>The IP address of the provider's gateway router.</para> <para>The IP address of the provider's gateway router. Beginning
with Shorewall 4.6.2, you may also specify the MAC address of the
gateway when there are multiple providers serviced through the same
interface. When the MAC is not specified, Shorewall will detect the
MAC during firewall start or restart.</para>
<para>You can enter "detect" here and Shorewall will attempt to <para>You can enter "detect" here and Shorewall will attempt to
detect the gateway automatically.</para> detect the gateway automatically.</para>
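Review bot: the new GATEWAY text documents `address[,mac]` but not the accepted MAC syntax; the parser in process_a_provider in this same change accepts both `:` and `-` separators and strips a leading `~`, so state the accepted forms here (for example "mac may be written with `:` or `-` separators, optionally prefixed by `~`") and that the MAC is only used when the interface is shared between providers.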

View File

@@ -88,9 +88,11 @@
<replaceable>address</replaceable>. DNS names are not allowed. <replaceable>address</replaceable>. DNS names are not allowed.
Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+') Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+')
may be used if your kernel and ip6tables have the <firstterm>Basic may be used if your kernel and ip6tables have the <firstterm>Basic
Ematch</firstterm>capability. The ipset name may optionally be Ematch</firstterm> capability and you set BASIC_FILTERS=Yes in
followed by a number or a comma separated list of src and/or dst <ulink url="shorewall.conf.html">shorewall.conf (5)</ulink>. The
enclosed in square brackets ([...]). See <ulink ipset name may optionally be followed by a number or a comma
separated list of src and/or dst enclosed in square brackets
([...]). See <ulink
url="shorewall-ipsets.html">shorewall-ipsets(5)</ulink> for url="shorewall-ipsets.html">shorewall-ipsets(5)</ulink> for
details.</para> details.</para>
</listitem> </listitem>
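Review bot: this is the IPv4 manpage (it links shorewall.conf and shorewall-ipsets), yet the context line kept in the hunk still reads "your kernel and ip6tables have the Basic Ematch capability"; since the paragraph is being rewritten, change "ip6tables" to "iptables" here. Also "shorewall.conf (5)" has a space before the section number that "shorewall-ipsets(5)" two lines later does not.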
@@ -105,9 +107,11 @@
<replaceable>address</replaceable>. DNS names are not allowed. <replaceable>address</replaceable>. DNS names are not allowed.
Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+') Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+')
may be used if your kernel and ip6tables have the <firstterm>Basic may be used if your kernel and ip6tables have the <firstterm>Basic
Ematch</firstterm>capability. The ipset name may optionally be Ematch</firstterm> capability and you set BASIC_FILTERS=Yes in
followed by a number or a comma separated list of src and/or dst <ulink url="shorewall.conf.html">shorewall.conf (5)</ulink>. The
enclosed in square brackets ([...]). See <ulink ipset name may optionally be followed by a number or a comma
separated list of src and/or dst enclosed in square brackets
([...]). See <ulink
url="shorewall-ipsets.html">shorewall-ipsets(5)</ulink> for url="shorewall-ipsets.html">shorewall-ipsets(5)</ulink> for
details.</para> details.</para>
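Review bot: same two points as in the hunk above: "ip6tables" in an IPv4 manpage should be "iptables", and "shorewall.conf (5)" should be written "shorewall.conf(5)" to match "shorewall-ipsets(5)".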

View File

@@ -6,6 +6,8 @@
<refentrytitle>shorewall-mangle</refentrytitle> <refentrytitle>shorewall-mangle</refentrytitle>
<manvolnum>5</manvolnum> <manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta> </refmeta>
<refnamediv> <refnamediv>
@@ -28,10 +30,10 @@
<important> <important>
<para>Unlike rules in the <ulink <para>Unlike rules in the <ulink
url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5) file, evaluation url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5) file,
of rules in this file will continue after a match. So the final mark for evaluation of rules in this file will continue after a match. So the
each packet will be the one assigned by the LAST tcrule that final mark for each packet will be the one assigned by the LAST tcrule
matches.</para> that matches.</para>
<para>If you use multiple internet providers with the 'track' option, in <para>If you use multiple internet providers with the 'track' option, in
/etc/shorewall/providers be sure to read the restrictions at <ulink /etc/shorewall/providers be sure to read the restrictions at <ulink
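Review bot: the reflowed sentence still says "the LAST tcrule that matches" although this is the shorewall-mangle manpage; while these lines are being touched, "the LAST rule in this file that matches" would stop pointing readers at the old tcrules name.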
@@ -311,8 +313,8 @@
<para>When using Shorewall's built-in traffic shaping tool, the <para>When using Shorewall's built-in traffic shaping tool, the
<emphasis>major</emphasis> class is the device number (the first <emphasis>major</emphasis> class is the device number (the first
device in <ulink device in <ulink
url="/manpages/shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5) is url="/manpages/shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5)
major class 1, the second device is major class 2, and so on) is major class 1, the second device is major class 2, and so on)
and the <emphasis>minor</emphasis> class is the class's MARK and the <emphasis>minor</emphasis> class is the class's MARK
value in <ulink value in <ulink
url="/manpages/shorewall-tcclasses.html">shorewall-tcclasses</ulink>(5) url="/manpages/shorewall-tcclasses.html">shorewall-tcclasses</ulink>(5)
@@ -487,7 +489,8 @@
[<replaceable>option</replaceable>] ...") after any matches [<replaceable>option</replaceable>] ...") after any matches
specified at the end of the rule. If the target is not one known specified at the end of the rule. If the target is not one known
to Shorewall, then it must be defined as a builtin action in to Shorewall, then it must be defined as a builtin action in
<ulink url="/manpages/shorewall-actions.html">shorewall-actions</ulink> <ulink
url="/manpages/shorewall-actions.html">shorewall-actions</ulink>
(5).</para> (5).</para>
<para>The following rules are equivalent:</para> <para>The following rules are equivalent:</para>
@@ -500,8 +503,8 @@ INLINE eth0 - ; -p tcp -j MARK --set-mark
</programlisting> </programlisting>
<para>If INLINE_MATCHES=Yes in <ulink <para>If INLINE_MATCHES=Yes in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink> then the url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>
third rule above can be specified as follows:</para> then the third rule above can be specified as follows:</para>
<programlisting>2:P eth0 - ; -p tcp</programlisting> <programlisting>2:P eth0 - ; -p tcp</programlisting>
</listitem> </listitem>

View File

@@ -457,6 +457,21 @@
<arg><replaceable>filename</replaceable></arg> <arg><replaceable>filename</replaceable></arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis>
<command>shorewall</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>run</option></arg>
<arg choice="plain">function</arg>
<arg><replaceable>parameter ...</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
<command>shorewall</command> <command>shorewall</command>
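Review bot: the synopsis names the positional argument `function` (and not inside `<replaceable>`), while the run description later in this file calls it `command`, and the shorewall6-lite synopsis in this same commit also uses `command`. Pick one name, wrap it in `<replaceable>` like `parameter ...`, and use it in both the synopsis and the description.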
@@ -507,6 +522,20 @@
<arg choice="opt"><replaceable>filename</replaceable></arg> <arg choice="opt"><replaceable>filename</replaceable></arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis>
<command>shorewall</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="opt"><option>show | list | ls </option></arg>
<arg><option>-x</option></arg>
<arg choice="plain"><option>{bl|blacklists}</option></arg>
</cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
<command>shorewall</command> <command>shorewall</command>
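Review bot: `show | list | ls` is marked `choice="opt"` although it is the verb of this synopsis; unless the other show synopses in this file do the same, `choice="plain"` is what `run` and `status` use in the neighbouring synopses. The trailing space inside `<option>show | list | ls </option>` also renders as a stray space before the closing bracket.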
@@ -664,7 +693,8 @@
<arg>-<replaceable>options</replaceable></arg> <arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>status</option></arg> <arg choice="plain"><arg
choice="plain"><option>status</option><arg><option>-i</option></arg></arg></arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
@@ -1394,6 +1424,32 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">run</emphasis></term>
<listitem>
<para>Added in Shorewall 4.6.3. Executes
<replaceable>command</replaceable> in the context of the generated
script passing the supplied <replaceable>parameter</replaceable>s.
Normally, the <replaceable>command</replaceable> will be a function
declared in <filename>lib.private</filename>.</para>
<para>Before executing the <replaceable>command</replaceable>, the
script will detect the configuration, setting all SW_* variables and
will run your <filename>init</filename> extension script with
$COMMAND = 'run'.</para>
<para>If there are files in the CONFIG_PATH that were modified after
the current firewall script was generated, the following warning
message is issued:</para>
<simplelist>
<member>WARNING: /var/lib/shorewall/firewall is not up to
date</member>
</simplelist>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">safe-restart</emphasis></term> <term><emphasis role="bold">safe-restart</emphasis></term>
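Review bot: the "not up to date" paragraph says the warning is issued but not whether `run` then proceeds; the shorewall6 version of this same paragraph in this commit adds "before the script's run command is executed", which answers that, so use the same wording here. Because `run` executes the named command in the context of the generated script, it would also help to state plainly that `command` is not limited to functions declared in lib.private; "Normally" leaves that open for a command that runs with the firewall script's privileges.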
@@ -1473,6 +1529,19 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">bl|blacklists</emphasis></term>
<listitem>
<para>Added in Shorewall 4.6.2. Displays the dynamic chain
along with any chains produced by entries in
shorewall-blrules(5).The <emphasis role="bold">-x</emphasis>
option is passed directly through to iptables and causes
actual packet and byte counts to be displayed. Without this
option, those counts are abbreviated.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">capabilities</emphasis></term> <term><emphasis role="bold">capabilities</emphasis></term>
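Review bot: missing space in "shorewall-blrules(5).The" in the new paragraph; it should read "shorewall-blrules(5). The".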
@@ -1775,6 +1844,10 @@
<listitem> <listitem>
<para>Produces a short report about the state of the <para>Produces a short report about the state of the
Shorewall-configured firewall.</para> Shorewall-configured firewall.</para>
<para>The <option>-i </option>option was added in Shorewall 4.6.2
and causes the status of each optional or provider interface to be
displayed.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>

View File

@@ -317,6 +317,21 @@
<arg><replaceable>filename</replaceable></arg> <arg><replaceable>filename</replaceable></arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis>
<command>shorewall6-lite</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>run</option></arg>
<arg choice="plain">command</arg>
<arg><replaceable>parameter ...</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
<command>shorewall6-lite</command> <command>shorewall6-lite</command>
@@ -366,6 +381,20 @@
<arg choice="plain"><option>capabilities</option></arg> <arg choice="plain"><option>capabilities</option></arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis>
<command>shorewall6-lite</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="opt"><option>show | list | ls </option></arg>
<arg><option>-x</option></arg>
<arg choice="plain"><option>{bl|blacklists}</option></arg>
</cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
<command>shorewall6-lite</command> <command>shorewall6-lite</command>
@@ -465,7 +494,8 @@
<arg>-<replaceable>options</replaceable></arg> <arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>status</option></arg> <arg choice="plain"><arg
choice="plain"><option>status</option><arg><option>-i</option></arg></arg></arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
@@ -805,6 +835,23 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">run</emphasis></term>
<listitem>
<para>Added in Shorewall 4.6.3. Executes
<replaceable>command</replaceable> in the context of the generated
script passing the supplied <replaceable>parameter</replaceable>s.
Normally, the <replaceable>command</replaceable> will be a function
declared in <filename>lib.private</filename>.</para>
<para>Before executing the command, the script will detect the
configuration, setting all SW_* variables and will run your
<filename>init</filename> extension script with $COMMAND =
'run'.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">save</emphasis></term> <term><emphasis role="bold">save</emphasis></term>
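Review bot: unlike the shorewall and shorewall6 versions of this entry in the same commit, this description has no "not up to date" warning paragraph. If the -lite product does not perform that check because its script is compiled elsewhere, say so; otherwise add the same paragraph so the three manpages document the behaviour consistently.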
@@ -827,6 +874,19 @@
arguments:</para> arguments:</para>
<variablelist> <variablelist>
<varlistentry>
<term><emphasis role="bold">bl|blacklists</emphasis></term>
<listitem>
<para>Added in Shorewall 4.6.2. Displays the dynamic chain
along with any chains produced by entries in
shorewall6-blrules(5).The <emphasis role="bold">-x</emphasis>
option is passed directly through to ip6tables and causes
actual packet and byte counts to be displayed. Without this
option, those counts are abbreviated.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">capabilities</emphasis></term> <term><emphasis role="bold">capabilities</emphasis></term>
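Review bot: missing space in "shorewall6-blrules(5).The"; it should read "shorewall6-blrules(5). The".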
@@ -1071,6 +1131,10 @@
<listitem> <listitem>
<para>Produces a short report about the state of the <para>Produces a short report about the state of the
Shorewall-configured firewall.</para> Shorewall-configured firewall.</para>
<para>The <option>-i </option>option was added in Shorewall 4.6.2
and causes the status of each optional or provider interface to be
displayed.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>

View File

@@ -3,7 +3,7 @@ For instructions on using this sample configuration, please see
http://www.shorewall.net/standalone.htm http://www.shorewall.net/standalone.htm
Shorewall Samples Shorewall Samples
Copyright (C) 2006 by the following authors: Copyright (C) 2006-2014 by the following authors:
Thomas M. Eastep Thomas M. Eastep
Paul D. Gear Paul D. Gear
Cristian Rodriguez Cristian Rodriguez

View File

@@ -1,6 +1,6 @@
# #
# Shorewall6 version 4 - Sample Interfaces File for one-interface configuration. # Shorewall6 version 4 - Sample Interfaces File for one-interface configuration.
# Copyright (C) 2006,2008 by the Shorewall Team # Copyright (C) 2006-2014 by the Shorewall Team
# #
# This library is free software; you can redistribute it and/or # This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public # modify it under the terms of the GNU Lesser General Public

View File

@@ -1,6 +1,6 @@
# #
# Shorewall6 version 4 - Sample Policy File for one-interface configuration. # Shorewall6 version 4 - Sample Policy File for one-interface configuration.
# Copyright (C) 2006,2008 by the Shorewall Team # Copyright (C) 2006-2014 by the Shorewall Team
# #
# This library is free software; you can redistribute it and/or # This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public # modify it under the terms of the GNU Lesser General Public

View File

@@ -1,6 +1,6 @@
# #
# Shorewall6 version 4 - Sample Rules File for one-interface configuration. # Shorewall6 version 4 - Sample Rules File for one-interface configuration.
# Copyright (C) 2006,2008 by the Shorewall Team # Copyright (C) 2006-2014 by the Shorewall Team
# #
# This library is free software; you can redistribute it and/or # This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public # modify it under the terms of the GNU Lesser General Public

View File

@@ -1,6 +1,6 @@
# #
# Shorewall6 version 4 - Sample Zones File for one-interface IPv6 configuration. # Shorewall6 version 4 - Sample Zones File for one-interface IPv6 configuration.
# Copyright (C) 2006,2008 by the Shorewall Team # Copyright (C) 2006-2014 by the Shorewall Team
# #
# This library is free software; you can redistribute it and/or # This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public # modify it under the terms of the GNU Lesser General Public

View File

@@ -3,7 +3,7 @@ For instructions on using these sample configurations, please see
http://www.shorewall.net/three-interface.htm http://www.shorewall.net/three-interface.htm
Shorewall Samples Shorewall Samples
Copyright (C) 2006 by the following authors: Copyright (C) 2006-2014 by the following authors:
Thomas M. Eastep Thomas M. Eastep
Paul D. Gear Paul D. Gear
Cristian Rodriguez Cristian Rodriguez

View File

@@ -1,6 +1,6 @@
# #
# Shorewall6 version 4 - Sample Interfaces File for three-interface configuration. # Shorewall6 version 4 - Sample Interfaces File for three-interface configuration.
# Copyright (C) 2006,2008 by the Shorewall Team # Copyright (C) 2006-2014by the Shorewall Team
# #
# This library is free software; you can redistribute it and/or # This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public # modify it under the terms of the GNU Lesser General Public
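Review bot: "Copyright (C) 2006-2014by the Shorewall Team" is missing the space before "by"; every other sample file in this commit has it.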

View File

@@ -1,6 +1,6 @@
# #
# Shorewall6 Version 4 - Sample Policy File for three-interface configuration. # Shorewall6 Version 4 - Sample Policy File for three-interface configuration.
# Copyright (C) 2006,2008 by the Shorewall Team # Copyright (C) 2006-2014 by the Shorewall Team
# #
# This library is free software; you can redistribute it and/or # This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public # modify it under the terms of the GNU Lesser General Public

View File

@@ -1,6 +1,6 @@
# #
# Shorewall6 version 4.0 - Sample Rules File for three-interface configuration. # Shorewall6 version 4.0 - Sample Rules File for three-interface configuration.
# Copyright (C) 2006,2007,2008 by the Shorewall Team # Copyright (C) 2006-2014 by the Shorewall Team
# #
# This library is free software; you can redistribute it and/or # This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public # modify it under the terms of the GNU Lesser General Public

View File

@@ -1,6 +1,6 @@
# #
# Shorewall6 version 4.5 Sample Stoppedrules File for three-interface configuration. # Shorewall6 version 4.5 Sample Stoppedrules File for three-interface configuration.
# Copyright (C) 2012 by the Shorewall Team # Copyright (C) 2012-2014 by the Shorewall Team
# #
# This library is free software; you can redistribute it and/or # This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public # modify it under the terms of the GNU Lesser General Public

View File

@@ -1,6 +1,6 @@
# #
# Shorewall6 version 4 - Sample Zones File for three-interface configuration. # Shorewall6 version 4 - Sample Zones File for three-interface configuration.
# Copyright (C) 2006,2008 by the Shorewall Team # Copyright (C) 2006-2014 by the Shorewall Team
# #
# This library is free software; you can redistribute it and/or # This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public # modify it under the terms of the GNU Lesser General Public

View File

@@ -3,7 +3,7 @@ For instructions on using these sample configurations, please see
http://www.shorewall.net/two-interface.htm http://www.shorewall.net/two-interface.htm
Shorewall Samples Shorewall Samples
Copyright (C) 2006 by the following authors: Copyright (C) 2006-2014 by the following authors:
Thomas M. Eastep Thomas M. Eastep
Paul D. Gear Paul D. Gear
Cristian Rodriguez Cristian Rodriguez

View File

@@ -1,6 +1,6 @@
# #
# Shorewall6 version 4.0 - Sample Interfaces File for two-interface configuration. # Shorewall6 version 4.0 - Sample Interfaces File for two-interface configuration.
# Copyright (C) 2006,2008 by the Shorewall Team # Copyright (C) 2006-2014 by the Shorewall Team
# #
# This library is free software; you can redistribute it and/or # This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public # modify it under the terms of the GNU Lesser General Public

View File

@@ -1,6 +1,6 @@
# #
# Shorewall6 version 4 - Sample Policy File for two-interface configuration. # Shorewall6 version 4 - Sample Policy File for two-interface configuration.
# Copyright (C) 2006,2008 by the Shorewall Team # Copyright (C) 2006-2014 by the Shorewall Team
# #
# This library is free software; you can redistribute it and/or # This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public # modify it under the terms of the GNU Lesser General Public

View File

@@ -1,6 +1,6 @@
# #
# Shorewall6 version 4.0 - Sample Rules File for two-interface configuration. # Shorewall6 version 4.0 - Sample Rules File for two-interface configuration.
# Copyright (C) 2006-2008 by the Shorewall Team # Copyright (C) 2006-2014 by the Shorewall Team
# #
# This library is free software; you can redistribute it and/or # This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public # modify it under the terms of the GNU Lesser General Public

View File

@@ -1,6 +1,6 @@
# #
# Shorewall6 version 4.5 Sample Stoppedrules File for two-interface configuration. # Shorewall6 version 4.5 Sample Stoppedrules File for two-interface configuration.
# Copyright (C) 2012 by the Shorewall Team # Copyright (C) 2012-2014 by the Shorewall Team
# #
# This library is free software; you can redistribute it and/or # This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public # modify it under the terms of the GNU Lesser General Public

View File

@@ -1,6 +1,6 @@
# #
# Shorewall6 version 4.0 - Sample Zones File for two-interface configuration. # Shorewall6 version 4.0 - Sample Zones File for two-interface configuration.
# Copyright (C) 2006,2008 by the Shorewall Team # Copyright (C) 2006-2014 by the Shorewall Team
# #
# This library is free software; you can redistribute it and/or # This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public # modify it under the terms of the GNU Lesser General Public

View File

@@ -1194,6 +1194,104 @@ Normal-Service =&gt; 0x00</programlisting>
of the listed states.</para> of the listed states.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">TIME</emphasis> -
<emphasis>timeelement</emphasis>[&amp;<emphasis>timeelement</emphasis>...]</term>
<listitem>
<para>Added in Shorewall 4.6.2.</para>
<para>May be used to limit the rule to a particular time period each
day, to particular days of the week or month, or to a range defined
by dates and times. Requires time match support in your kernel and
ip6tables.</para>
<para><replaceable>timeelement</replaceable> may be:</para>
<variablelist>
<varlistentry>
<term>timestart=<replaceable>hh</replaceable>:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]</term>
<listitem>
<para>Defines the starting time of day.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>timestop=<replaceable>hh</replaceable>:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]</term>
<listitem>
<para>Defines the ending time of day.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>utc</term>
<listitem>
<para>Times are expressed in Greenwich Mean Time.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>localtz</term>
<listitem>
<para>Deprecated by the Netfilter team in favor of <emphasis
role="bold">kerneltz</emphasis>. Times are expressed in Local
Civil Time (default).</para>
</listitem>
</varlistentry>
<varlistentry>
<term>kerneltz</term>
<listitem>
<para>Added in Shorewall 4.5.2. Times are expressed in Local
Kernel Time (requires iptables 1.4.12 or later).</para>
</listitem>
</varlistentry>
<varlistentry>
<term>weekdays=ddd[,ddd]...</term>
<listitem>
<para>where <replaceable>ddd</replaceable> is one of
<option>Mon</option>, <option>Tue</option>,
<option>Wed</option>, <option>Thu</option>,
<option>Fri</option>, <option>Sat</option> or
<option>Sun</option></para>
</listitem>
</varlistentry>
<varlistentry>
<term>monthdays=dd[,dd],...</term>
<listitem>
<para>where <replaceable>dd</replaceable> is an ordinal day of
the month</para>
</listitem>
</varlistentry>
<varlistentry>
<term>datestart=<replaceable>yyyy</replaceable>[-<replaceable>mm</replaceable>[-<replaceable>dd</replaceable>[<option>T</option><replaceable>hh</replaceable>[:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]]]]]</term>
<listitem>
<para>Defines the starting date and time.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>datestop=<replaceable>yyyy</replaceable>[-<replaceable>mm</replaceable>[-<replaceable>dd</replaceable>[<option>T</option><replaceable>hh</replaceable>[:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]]]]]</term>
<listitem>
<para>Defines the ending date and time.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
</variablelist> </variablelist>
</refsect1> </refsect1>
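Review bot: `monthdays=dd[,dd],...` has a stray comma before the ellipsis that `weekdays=ddd[,ddd]...` a few lines above does not; make the two consistent. The `kerneltz` entry also says "Added in Shorewall 4.5.2" inside a column whose own entry says "Added in Shorewall 4.6.2" for this file, so drop the inner version note or keep only the useful part ("requires iptables 1.4.12 or later"). For `utc`, "UTC" is clearer than "Greenwich Mean Time" since the underlying time-match option is `--utc`.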

View File

@@ -88,9 +88,11 @@
<replaceable>address</replaceable>. DNS names are not allowed. <replaceable>address</replaceable>. DNS names are not allowed.
Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+') Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+')
may be used if your kernel and ip6tables have the <firstterm>Basic may be used if your kernel and ip6tables have the <firstterm>Basic
Ematch </firstterm>capability. The ipset name may optionally be Ematch </firstterm>capability and you set BASIC_FILTERS=Yes in
followed by a number or a comma separated list of src and/or dst <ulink url="shorewall6.conf.html">shorewall6.conf (5)</ulink>. The
enclosed in square brackets ([...]). See <ulink ipset name may optionally be followed by a number or a comma
separated list of src and/or dst enclosed in square brackets
([...]). See <ulink
url="shorewall6-ipsets.html">shorewall6-ipsets(5)</ulink> for url="shorewall6-ipsets.html">shorewall6-ipsets(5)</ulink> for
details.</para> details.</para>
</listitem> </listitem>
@@ -105,9 +107,11 @@
<replaceable>address</replaceable>. DNS names are not allowed. <replaceable>address</replaceable>. DNS names are not allowed.
Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+') Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+')
may be used if your kernel and ip6tables have the <firstterm>Basic may be used if your kernel and ip6tables have the <firstterm>Basic
Ematch</firstterm>capability. The ipset name may optionally be Ematch</firstterm> capability and you set BASIC_FILTERS=Yes in
followed by a number or a comma separated list of src and/or dst <ulink url="shorewall6.conf.html">shorewall6.conf (5)</ulink>. The
enclosed in square brackets ([...]). See <ulink ipset name may optionally be followed by a number or a comma
separated list of src and/or dst enclosed in square brackets
([...]). See <ulink
url="shorewall6-ipsets.html">shorewall6-ipsets(5)</ulink> for url="shorewall6-ipsets.html">shorewall6-ipsets(5)</ulink> for
details.</para> details.</para>
</listitem> </listitem>

View File

@@ -123,7 +123,7 @@
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
<command>shorewall</command> <command>shorewall6</command>
<arg <arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg> choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
@@ -166,7 +166,7 @@
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
<command>shorewall</command> <command>shorewall6</command>
<arg <arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg> choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
@@ -406,6 +406,21 @@
<arg><replaceable>filename</replaceable></arg> <arg><replaceable>filename</replaceable></arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis>
<command>shorewall6</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>run</option></arg>
<arg choice="plain">function</arg>
<arg><replaceable>parameter ...</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
<command>shorewall6</command> <command>shorewall6</command>
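Review bot: same inconsistency as in the shorewall synopsis: the argument is `function` here (and not in `<replaceable>`) but `command` in the run description below and in the shorewall6-lite synopsis of this commit.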
@@ -452,6 +467,20 @@
<arg choice="opt"><replaceable>filename</replaceable></arg> <arg choice="opt"><replaceable>filename</replaceable></arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis>
<command>shorewall6</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="opt"><option>show | list | ls </option></arg>
<arg><option>-x</option></arg>
<arg choice="plain"><option>{bl|blacklists}</option></arg>
</cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
<command>shorewall6</command> <command>shorewall6</command>
@@ -581,7 +610,8 @@
<arg>-<replaceable>options</replaceable></arg> <arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>status</option></arg> <arg choice="plain"><arg
choice="plain"><option>status</option><arg><option>-i</option></arg></arg></arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
@@ -1275,6 +1305,33 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">run</emphasis></term>
<listitem>
<para>Added in Shorewall 4.6.3. Executes
<replaceable>command</replaceable> in the context of the generated
script passing the supplied <replaceable>parameter</replaceable>s.
Normally, the <replaceable>command</replaceable> will be a function
declared in <filename>lib.private</filename>.</para>
<para>Before executing the <replaceable>command</replaceable>, the
script will detect the configuration, setting all SW_* variables and
will run your <filename>init</filename> extension script with
$COMMAND = 'run'.</para>
<para>If there are files in the CONFIG_PATH that were modified after
the current firewall script was generated, the following warning
message is issued before the script's run command is
executed:</para>
<simplelist>
<member>WARNING: /var/lib/shorewall6/firewall is not up to
date</member>
</simplelist>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">safe-restart</emphasis></term> <term><emphasis role="bold">safe-restart</emphasis></term>
@@ -1354,6 +1411,19 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">bl|blacklists</emphasis></term>
<listitem>
<para>Added in Shorewall 4.6.2. Displays the dynamic chain
along with any chains produced by entries in
shorewall-blrules(5).The <emphasis role="bold">-x</emphasis>
option is passed directly through to ip6tables and causes
actual packet and byte counts to be displayed. Without this
option, those counts are abbreviated.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">capabilities</emphasis></term> <term><emphasis role="bold">capabilities</emphasis></term>
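Review bot: this is the shorewall6 manpage, but the new entry cites shorewall-blrules(5); the shorewall6-lite version in this same commit correctly says shorewall6-blrules(5). The missing space in "(5).The" is also present here.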
@@ -1611,6 +1681,10 @@
<listitem> <listitem>
<para>Produces a short report about the state of the <para>Produces a short report about the state of the
Shorewall6-configured firewall.</para> Shorewall6-configured firewall.</para>
<para>The <option>-i </option>option was added in Shorewall 4.6.2
and causes the status of each optional or provider interface to be
displayed.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>

View File

@@ -164,7 +164,7 @@
<section> <section>
<title>build</title> <title>build</title>
<para>This is the script that builds Shorewall 4.4 packages from <para>This is the script that builds Shorewall 4.6 packages from
Git.</para> Git.</para>
<para>The script copies content from Git using the <command>git <para>The script copies content from Git using the <command>git
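Review bot: the section titled "build" now says the script "builds Shorewall 4.6 packages", while the "build45 and build46" section later in this file says build46 does that. If "build" describes a separate, older script, 4.6 here is misleading; if it is now the same script, the two sections should be merged or cross-reference each other.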
@@ -220,7 +220,7 @@
<para>You should ensure that you have the latest scripts. The scripts <para>You should ensure that you have the latest scripts. The scripts
change periodically as we move through the release cycles.</para> change periodically as we move through the release cycles.</para>
<para>The build44 script may need to be modified to fit your particular <para>The build46 script may need to be modified to fit your particular
environment. There are a number of variables that are set near the top environment. There are a number of variables that are set near the top
of the file:</para> of the file:</para>
@@ -270,10 +270,12 @@
</variablelist> </variablelist>
<para>The scripts assume that there will be a separate <firstterm>build <para>The scripts assume that there will be a separate <firstterm>build
directory</firstterm> per major release. To build a release, you cd to directory</firstterm> per major release.</para>
the appropriate directory and run the build script.</para>
<para>The general form of the build command is:</para> <para>To build a release, you cd to the appropriate directory and run
the build46 script.</para>
<para>The general form of the build46 command is:</para>
<blockquote> <blockquote>
<para><command>build</command> [ -<replaceable>options</replaceable> ] <para><command>build</command> [ -<replaceable>options</replaceable> ]
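Review bot: the paragraph now says "The general form of the build46 command is:", but the blockquote that follows still shows `<command>build</command>`; either change the blockquote to build46 or keep the paragraph generic so the two agree.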
@@ -401,13 +403,13 @@
</section> </section>
<section> <section>
<title>build45</title> <title>build45 and build46</title>
<para>This is the script that builds Shorewall 4.5 packages from <para>These are the scripts that respectively build Shorewall 4.5 and
Git.</para> Shorewall 4.6 packages from Git.</para>
<para>The script copies content from Git using the <command>git <para>The scripts copy content from Git using the <command>git
archive</command> command. It then uses that content to build the archive</command> command. They then use that content to build the
packages. In addition to the usual Gnu utilities, the following software packages. In addition to the usual Gnu utilities, the following software
is required:</para> is required:</para>
@@ -451,7 +453,7 @@
<listitem> <listitem>
<para>Required to convert the XML manpages to manpages. Be sure <para>Required to convert the XML manpages to manpages. Be sure
that you have a recent version; I use 0.0.23.</para> that you have a recent version; I use 0.0.25.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
@@ -459,7 +461,7 @@
<para>You should ensure that you have the latest scripts. The scripts <para>You should ensure that you have the latest scripts. The scripts
change periodically as we move through the release cycles.</para> change periodically as we move through the release cycles.</para>
<para>The build44 script may need to be modified to fit your particular <para>The scripts may need to be modified to fit your particular
environment. There are a number of variables that are set near the top environment. There are a number of variables that are set near the top
of the file:</para> of the file:</para>
@@ -509,14 +511,17 @@
</variablelist> </variablelist>
<para>The scripts assume that there will be a separate <firstterm>build <para>The scripts assume that there will be a separate <firstterm>build
directory</firstterm> per major release. To build a release, you cd to directory</firstterm> per major release. Each build directory should
the appropriate directory and run the build script.</para> contain the empty file <filename>shorewall-pkg.config</filename>; that
file is no longer used but has been retained just as a guard against
initiating a build in an unintended directory. To build a release, you
cd to the appropriate directory and run the build script.</para>
<para>The general form of the build command is:</para> <para>The general form of the build command is:</para>
<blockquote> <blockquote>
<para><command>build</command> [ -<replaceable>options</replaceable> ] <para><command>build</command>4x [ -<replaceable>options</replaceable>
<replaceable>release</replaceable> [ <replaceable>prior ] <replaceable>release</replaceable> [ <replaceable>prior
release</replaceable> ]</para> release</replaceable> ]</para>
</blockquote> </blockquote>
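Review bot: In the new synopsis the `4x` suffix sits outside the `<command>` element (`<command>build</command>4x [ -<replaceable>options</replaceable> ]`), so it renders as plain text glued to a formatted command name; move it inside, for example `<command>build4<replaceable>x</replaceable></command>`, or list `build45` and `build46` explicitly, since those are the two scripts this section now covers. The new sentence about `shorewall-pkg.config` should also say what the scripts do when the file is absent; a guard against building in the wrong directory is only useful to the reader if its failure mode is documented.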
@@ -632,8 +637,8 @@
</varlistentry> </varlistentry>
</variablelist> </variablelist>
<para>Example 1 - Build Shorewall 4.3.7 and generate patches against <para>Example 1 - Build Shorewall 4.5.7 and generate patches against
4.3.6:</para> 4.5.6:</para>
<blockquote> <blockquote>
<para><command>build45 4.5.7 4.5.6</command></para> <para><command>build45 4.5.7 4.5.6</command></para>

View File

@@ -701,5 +701,87 @@ ResetEvent(SSH,DROP:info) </programlisting>
# PORT(S) # PORT(S)
Knock net $FW tcp 22,1599-1601 </programlisting> Knock net $FW tcp 22,1599-1601 </programlisting>
</section> </section>
<section id="Stateful">
<title>Stateful Port Knocking (knock with a sequence of ports)</title>
<para>Gerhard Wiesinger has contributed a Perl module that allows you to
define portknocking sequences. Download <ulink
url="pub/shorewall/contrib/PortKnocking/KnockEnhanced.pm">the
module</ulink> and copy it into your site_perl directory.</para>
<para>Using Gerhard's module, a port-knocking rule is defined via a
'?PERL' statement. This example opens the SSH port from net-&gt;fw using
the knock sequence 52245, 15623, 19845:</para>
<programlisting>?BEGIN PERL
use KnockEnhanced;
KnockEnhanced 'net', '$FW', {name =&gt; 'SSH1', log_level =&gt; 3, proto =&gt; 'tcp', target =&gt; 'ssh', knocker =&gt; [52245,15623,19845]};
?END PERL</programlisting>
<para>A few notes on the parameters:</para>
<itemizedlist>
<listitem>
<para>The first parameter is the rule SOURCE</para>
</listitem>
<listitem>
<para>The second parameter is the rule DEST</para>
</listitem>
<listitem>
<para>The third parameter is a Perl hash reference that defines the
remaining parameters. Each parameter is specified via
<replaceable>param</replaceable> =&gt;
<replaceable>value</replaceable>.</para>
<itemizedlist>
<listitem>
<para><emphasis role="bold">proto</emphasis> is the protocol --
if not specified, the default is tcp</para>
</listitem>
<listitem>
<para><emphasis role="bold">seconds</emphasis> is the timeout
between successive events -- default is 60 seconds.</para>
</listitem>
<listitem>
<para><emphasis role="bold">original_dest</emphasis> is the rule
ORIGINAL DEST</para>
</listitem>
<listitem>
<para><emphasis role="bold">target</emphasis> is the port(s)
that you are trying to open. May either be a single name or
number, or it may be a list of names and/or numbers separated by
commas and enclosed in square brackets ("[...]").</para>
</listitem>
<listitem>
<para><emphasis role="bold">name</emphasis> is a name used as
the base for event and chain names. If not supplied, the first
<emphasis role="bold">target</emphasis> is used, in which case
the first target must be a port name.</para>
</listitem>
<listitem>
<para><emphasis role="bold">log_level </emphasis>specifies
logging for the generated rules</para>
</listitem>
</itemizedlist>
<note>
<para>Port names and numbers may be optionally followed by a colon
(":") and a protocol name or number to override the specified
protocol.</para>
</note>
</listitem>
</itemizedlist>
<para>The module itself contains additional examples of its
usage.</para>
</section>
</section> </section>
</article> </article>
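Review bot: The Perl example passes the firewall zone as `'$FW'` in single quotes, and the text never says why; add a sentence noting that the string is deliberately not interpolated by Perl (in double quotes `$FW` would be an undeclared, empty Perl variable) so readers do not "correct" the quoting. Two smaller points in the parameter list: `seconds` is documented with a 60-second default but is absent from the example, so a reader cannot see how a shorter knock window is set, and "The first parameter is the rule SOURCE" lacks the terminal period that the sibling items have.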

View File

@@ -20,7 +20,7 @@
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate> <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
<copyright> <copyright>
<year>2001-2013</year> <year>2001-2014</year>
<holder>Thomas M. Eastep</holder> <holder>Thomas M. Eastep</holder>
</copyright> </copyright>
@@ -2304,6 +2304,15 @@ gateway:~# </programlisting>
</listitem> </listitem>
</orderedlist> </orderedlist>
</section> </section>
<section id="faq103">
<title>(FAQ 103) Shorewall fails to start at boot but will start
immediately after</title>
<para>Answer: This is usually associated with SELinux. <ulink
url="https://lists.fedoraproject.org/pipermail/selinux/2010-June/012680.html">Here</ulink>
is an example.</para>
</section>
</section> </section>
<section id="MultiISP"> <section id="MultiISP">
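Review bot: The answer to FAQ 103 is only an external link. The FAQ should state the cause and the remedy in its own words (what the SELinux denial looks like in the log and how it is resolved) and keep the mailing-list post as a supporting reference; otherwise the entry becomes useless if the archive URL changes, and readers hitting the problem at boot have nothing actionable on the page itself.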

View File

@@ -294,9 +294,164 @@ xt_tcpudp 3328 0
/etc/shorewall/shorewall.conf to point to that directory.</para> /etc/shorewall/shorewall.conf to point to that directory.</para>
</section> </section>
<section>
<title>FTP with Kernel 3.5 and Later</title>
<para>Because of the potential for attackers to subvert Netfilter helpers
like the one for FTP, the Netfilter team are in the process of eliminating
the automatic association of helpers to connections. In the 3.5 kernel, it
is possible to disable this automatic association, and the team have
announced that automatic association will eventually be eliminated. While
it is certainly more secure to add explicit rules that create these
associations, for Shorewall to require users to add those rules would
present a gross inconvenience during a Shorewall upgrade. To make
Shorewall and kernel upgrades as smooth as possible, several new features
were added to the Shorewall 4.5.7:</para>
<itemizedlist>
<listitem>
<para>Shorewall automatically disables the kernel's automatic
association of helpers to connections on kernel 3.5 and later.</para>
</listitem>
<listitem>
<para>An automatic association of helpers with connections that
performs the same function as in the pre-3.5 kernels has been added.
This automatic association is controlled by the AUTOHELPERS
shorewall.conf option which is set to 'Yes' by default.</para>
</listitem>
<listitem>
<para>A HELPERS column has been added to the /etc/shorewall/rules In
the NEW section: When the ACTION is ACCEPT, DNAT or REDIRECT, the
specified helper is automatically associated with the
connection.</para>
</listitem>
<listitem>
<para>HELPERS may be specified in action files, macros and in the
rules file itself. In the RELATED section: The rule will only match
related connections that have the named helper attached. - The
standard Macros for applications requiring a helper (FTP, IRC, etc)
have been modified to automatically specify the correct helper in the
HELPER column.</para>
</listitem>
<listitem>
<para>HELPER is now a valid action in /etc/shorewall/rules. This
action requires that a helper be present in the HELPER column and
causes the specified helper to be associated with connections matching
the rule. No destination zone should be specified in HELPER rules.
HELPER rules allow specification of a helper for connections that are
ACCEPTed by the applicable policy.</para>
<para> Example (loc-&gt;net policy is ACCEPT) - In
/etc/shorewall/rules:</para>
<programlisting>#ACTION SOURCE DEST
FTP(HELPER) loc - </programlisting>
<para>or equivalently </para>
<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S)
HELPER loc - tcp 21 { helper=ftp }</programlisting>
</listitem>
<listitem>
<para> The set of enabled helpers (either by AUTOHELPERS=Yes or by the
HELPERS column) can be taylored using the new HELPERS option in
shorewall.conf. </para>
</listitem>
</itemizedlist>
<para>By making AUTOHELPERS=Yes the default, users can upgrade their
systems to a 3.5+ kernel without disrupting the operation of their
firewalls. Beyond such upgrades, we suggest setting AUTOHELPERS=No and
follow one of two strategies:</para>
<itemizedlist>
<listitem>
<para>Use the HELPERS column in the rules file to enable helpers as
needed (preferred); or</para>
</listitem>
<listitem>
<para>Taylor the conntrack file to enable helpers on only those
connections that are required.</para>
</listitem>
</itemizedlist>
<para>With either of these approaches, the list if available helpers can
be trimmed using the HELPERS option and rules can be added to the RELATED
section of the rules file to further restrict the effect of helpers. The
implementation of these new function places conditional rules in the
/etc/shorewall[6]/conntrack file. These rules are included conditionally
based in the setting of AUTOHELPERS.</para>
<para> Example:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/ SWITCH
# PORT(S) PORT(S) GROUP
?if $AUTOHELPERS &amp;&amp; __CT_TARGET
?if __FTP_HELPER
CT:helper:ftp all - tcp 21
?endif
...
?endif</programlisting>
<para> __FTP_HELPER evaluates to false if the HELPERS setting is non-empty
and 'ftp' is not listed in that setting. For example, if you only need FTP
access from your 'loc' zone, then add this rule outside of the outer-most
?if....?endif shown above.</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/ SWITCH
# PORT(S) PORT(S) GROUP
...
CT:helper:ftp loc - tcp 21</programlisting>
<para> For an overview of Netfilter Helpers and Shorewall's support for
dealing with them, see <ulink
url="Helpers.html">http://www.shorewall.net/Helpers.html</ulink>.</para>
<para>See <ulink
url="https://home.regit.org/netfilter-en/secure-use-of-helpers/">https://home.regit.org/netfilter-en/secure-use-of-helpers/</ulink>
for additional information. </para>
</section>
<section id="Ports"> <section id="Ports">
<title>FTP on Non-standard Ports</title> <title>FTP on Non-standard Ports</title>
<para>If you are running kernel 3.5 or later and Shorewall 4.5.7 or later,
then please read the preceding section. You can add appropriate entries
into <ulink url="manpages/shorewall-rules.html">shorewall-rules(5)</ulink>
or <ulink
url="manpages/shorewall-conntrack.html">shorewall-conntrack(5)</ulink> to
associate the FTP helpers with a nonstandard port.</para>
<para>Examples using port 12345:</para>
<para><filename>/etc/shorewall/rules:</filename></para>
<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S)
DNAT net loc:192.168.1.2:21 tcp 12345 { helper=ftp }the</programlisting>
<para>That entry will accept ftp connections on port 12345 from the net
and forward them to host 192.168.1..2 and port 21 in the loc zone.</para>
<para><filename>/etc/shorewall/conntrack:</filename></para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/ SWITCH
# PORT(S) PORT(S) GROUP
...
CT:helper:ftp loc - tcp 12345</programlisting>
<para>That rule automatically associates the ftp helper with TCP port
12345 from the 'loc' zone.</para>
<para>Otherwise, read on.</para>
<note> <note>
<para>If you are running <emphasis role="bold">kernel 2.6.19 or <para>If you are running <emphasis role="bold">kernel 2.6.19 or
earlier</emphasis>, replace <emphasis earlier</emphasis>, replace <emphasis
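Review bot: The new rules listing in "FTP on Non-standard Ports" has a stray word inside the `<programlisting>`: `DNAT net loc:192.168.1.2:21 tcp 12345 { helper=ftp }the</programlisting>`; the trailing `the` will be copied together with the rule, and the sentence that follows has a double dot in `192.168.1..2`. The new "FTP with Kernel 3.5 and Later" section also needs a wording pass before release: "added to the Shorewall 4.5.7" (in), "taylored" and "Taylor" (tailored, Tailor), "list if available helpers" (of), "these new function" (functions), "based in the setting" (on), and the sentence "A HELPERS column has been added to the /etc/shorewall/rules In the NEW section" is missing the end of its first clause. The same section calls the column HELPERS in one paragraph and HELPER in the next ("specify the correct helper in the HELPER column", "a helper be present in the HELPER column"), so a reader cannot tell what the rules-file column is actually named; pick one spelling and use it throughout. The dangling " - The standard Macros ..." in the fourth list item reads like a list entry that was flattened into the paragraph and should be its own `<listitem>`.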

View File

@@ -710,7 +710,7 @@
up.</para> up.</para>
</section> </section>
<section> <section id="masq">
<title>./etc/shorewall/masq and Multi-ISP</title> <title>./etc/shorewall/masq and Multi-ISP</title>
<para>If you masquerade a local network, you will need to add masquerade <para>If you masquerade a local network, you will need to add masquerade
@@ -750,8 +750,10 @@ eth1 0.0.0.0/0 130.252.99.27</programlisting>
<title>Martians</title> <title>Martians</title>
<para>One problem that often arises with Multi-ISP configuration is <para>One problem that often arises with Multi-ISP configuration is
'Martians'. If your Internet interfaces are configured with the 'Martians'. If you set ROUTE_FILTER=Yes in
<emphasis role="bold">routefilter</emphasis> option in <filename>/etc/shorewall/shorewall.conf</filename> or if your Internet
interfaces are configured with the <emphasis
role="bold">routefilter</emphasis> option in
<filename>/etc/shorewall/interfaces</filename> (remember that if you set <filename>/etc/shorewall/interfaces</filename> (remember that if you set
that option, you should also select <emphasis that option, you should also select <emphasis
role="bold">logmartians</emphasis>), then things may not work correctly role="bold">logmartians</emphasis>), then things may not work correctly
@@ -810,6 +812,18 @@ DROP:info net:192.168.1.0/24 all</programlisting>
<para>Be sure the above rule is added before any other rules with <para>Be sure the above rule is added before any other rules with
<emphasis>net</emphasis> in the SOURCE column.</para> <emphasis>net</emphasis> in the SOURCE column.</para>
<important>
<para>If you set ROUTE_FILTER=Yes in
<filename>/etc/shorewall/shorewall.conf</filename>, then setting
<emphasis role="bold">routefilter</emphasis>=0 in <ulink
url="manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>
(5) will not disable route filtering on a given interface. You must
set ROUTE_FILTER=No in <ulink
url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5), then
set the <emphasis role="bold">routefilter</emphasis> option on those
interfaces on which you want route filtering.</para>
</important>
</section> </section>
<section id="Example1"> <section id="Example1">
@@ -962,51 +976,6 @@ eth1 0.0.0.0/0 130.252.99.27
eth3 0.0.0.0/0 16.105.78.4</programlisting></para> eth3 0.0.0.0/0 16.105.78.4</programlisting></para>
</section> </section>
<section id="Local">
<title>Applications running on the Firewall -making them use a
particular provider</title>
<para>As <link linkend="Applications">noted above</link>, separate
entries in <filename>/etc/shorewall/mangle</filename> are required for
traffic originating from the firewall.</para>
<para>Experience has shown that in some cases, problems occur with
applications running on the firewall itself. This is especially true
when you have specified <emphasis role="bold">routefilter</emphasis> on
your external interfaces in /etc/shorewall/interfaces (see <link
linkend="Martians">above</link>). When this happens, it is suggested
that you have the application use specific local IP addresses rather
than 0.</para>
<para>Examples:</para>
<itemizedlist>
<listitem>
<para>Squid: In <filename>squid.conf</filename>, set <emphasis
role="bold">tcp_outgoing_address</emphasis> to the IP address of the
interface that you want Squid to use.</para>
</listitem>
<listitem>
<para>In OpenVPN, set <emphasis role="bold">local
</emphasis>(<emphasis role="bold">--local</emphasis> on the command
line) to the IP address that you want the server to receive
connections on.</para>
</listitem>
</itemizedlist>
<para>Note that some traffic originating on the firewall doesn't have a
SOURCE IP address before routing. At least one Shorewall user reports
that an entry in <filename>/etc/shorewall/rtrules</filename> with 'lo'
in the SOURCE column seems to be the most reliable way to direct such
traffic to a particular ISP.</para>
<para>Example:</para>
<programlisting>#SOURCE DEST PROVIDER PRIORITY
lo - shorewall 1000</programlisting>
</section>
<section id="rtrules"> <section id="rtrules">
<title>/etc/shorewall/rtrules (formerly <title>/etc/shorewall/rtrules (formerly
/etc/shorewall/route_rules)</title> /etc/shorewall/route_rules)</title>
@@ -1172,6 +1141,51 @@ gateway:~ #</programlisting>Note that because we used a priority of 1000, the
</section> </section>
</section> </section>
<section id="Local">
<title>Applications running on the Firewall - making them use a
particular provider</title>
<para>As <link linkend="Applications">noted above</link>, separate
entries in <filename>/etc/shorewall/mangle</filename> are required for
traffic originating from the firewall.</para>
<para>Experience has shown that in some cases, problems occur with
applications running on the firewall itself. This is especially true
when you have specified <emphasis role="bold">routefilter</emphasis> on
your external interfaces in /etc/shorewall/interfaces (see <link
linkend="Martians">above</link>). When this happens, it is suggested
that you have the application use specific local IP addresses rather
than 0.</para>
<para>Examples:</para>
<itemizedlist>
<listitem>
<para>Squid: In <filename>squid.conf</filename>, set <emphasis
role="bold">tcp_outgoing_address</emphasis> to the IP address of the
interface that you want Squid to use.</para>
</listitem>
<listitem>
<para>In OpenVPN, set <emphasis role="bold">local
</emphasis>(<emphasis role="bold">--local</emphasis> on the command
line) to the IP address that you want the server to receive
connections on.</para>
</listitem>
</itemizedlist>
<para>Note that some traffic originating on the firewall doesn't have a
SOURCE IP address before routing. At least one Shorewall user reports
that an entry in <filename>/etc/shorewall/rtrules</filename> with 'lo'
in the SOURCE column seems to be the most reliable way to direct such
traffic to a particular ISP.</para>
<para>Example:</para>
<programlisting>#SOURCE DEST PROVIDER PRIORITY
lo - shorewall 1000</programlisting>
</section>
<section id="routes"> <section id="routes">
<title>/etc/shorewall/routes File</title> <title>/etc/shorewall/routes File</title>

View File

@@ -182,6 +182,13 @@ ACCEPT net $FW:206.124.146.178 tcp 22</programlisting></para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
# PORT(S) DEST # PORT(S) DEST
DNAT net loc:192.168.1.3 tcp 80 - 206.124.146.178 </programlisting> DNAT net loc:192.168.1.3 tcp 80 - 206.124.146.178 </programlisting>
<para>If I wished to forward tcp port 10000 on that virtual interface to
port 22 on local host 192.168.1.3, the rule would be:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
# PORT(S) DEST
DNAT net loc:192.168.1.3:22 tcp 10000 - 206.124.146.178 </programlisting>
</section> </section>
<section id="SNAT"> <section id="SNAT">

View File

@@ -388,122 +388,31 @@ ACCEPT net $FW tcp www #This is an end-of-line comment</progra
details.</para> details.</para>
</section> </section>
<section id="COMMENT"> <section id="capabilities">
<title>Attach Comment to Netfilter Rules</title> <title>Capabilities</title>
<para>If you kernel and iptables contain comment match support (see the <para>Shorewall probes your system to determine the features that it
output of <command>shorewall show capabilities</command>), then you can supports. The result of this probing is a set of
attach comments to Netfilter rules. This feature is available in the <firstterm>capabilities</firstterm>. This probing is normally done each
following files:</para> time that the compiler is run but can also be done by executing the
<command>shorewall show capabilities</command> command. Regardless of
whether the compiler or the command does the probing, this probing may
produce error messages in your system log. These log messages are to be
expected and do not represent a problem; they merely indicate that
capabilities that are being probed are not supported on your
system.</para>
<itemizedlist> <para>Probing may be suppressed by using a <firstterm>capabilities
<listitem> file</firstterm>. A capabilities file may be generated using this
<para><filename>/etc/shorewall/conntrack</filename> (formerly command:</para>
<filename>/etc/shorewall/notrack</filename>)</para>
</listitem>
<listitem> <programlisting><command>shorewall show -f capabilities &gt; /etc/shorewall/capabilities</command></programlisting>
<para><filename>/etc/shorewall/accounting</filename></para>
</listitem>
<listitem> <important>
<para><filename>/etc/shorewall/masq</filename></para> <para>If you use a capabilities file, be sure to regenerate it after you
</listitem> have performed a Shorewall upgrade to ensure that all current
capabilities have been recorded in your file.</para>
<listitem> </important>
<para><filename>/etc/shorewall/nat</filename></para>
</listitem>
<listitem>
<para><filename>/etc/shorewall/rules</filename></para>
</listitem>
<listitem>
<para><filename>/etc/shorewall/secmarks</filename></para>
</listitem>
<listitem>
<para><filename>/etc/shorewall/tcrules</filename></para>
</listitem>
<listitem>
<para><filename>/etc/shorewall/tunnels</filename></para>
</listitem>
<listitem>
<para>Action definition files
(<filename>/etc/shorewall/action.*</filename>)</para>
</listitem>
<listitem>
<para>Macro definition files (/etc/shorewall/macro.*)</para>
</listitem>
</itemizedlist>
<para>To attach a comment to one or more rules, insert a record above the
rules that begins with the word ?COMMENT (must be in all caps). The
remainder of the line is treated as a comment -- that comment will appear
delimited by "/* ... */" in the output of the <command>shorewall[-lite]
show</command> and <command>shorewall[-lite] dump</command> commands. The
comment will be attached to each generated rule until another ?COMMENT
line appears. To stop attaching comments to rules, simply insert a line
that contains the single word ?COMMENT.</para>
<para>Example (<filename>/etc/shorewall/rules</filename>):</para>
<programlisting>?COMMENT Stop NETBIOS noise
REJECT loc net tcp 137,445
REJECT loc net udp 137:139
?COMMENT Stop my idiotic work laptop from sending to the net with an HP source/dest IP address
DROP loc:!192.168.0.0/22 net
?COMMENT</programlisting>
<para>Here's the corresponding output from
<filename>/sbin/shorewall-lite</filename>:</para>
<programlisting>gateway:~ # <command>shorewall-lite show loc-net</command>
Shorewall Lite 4.3.3 Chains loc2net at gateway - Mon Oct 16 15:04:52 PDT 2008
Counters reset Mon Oct 16 14:52:17 PDT 2006
Chain loc-net (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 LOG flags 0 level 6 prefix `FW:loc2net:REJECT:'
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
0 0 LOG udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:1025:1031 LOG flags 0 level 6 prefix `FW:loc2net:REJECT:'
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:1025:1031
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 137,445 <emphasis
role="bold">/* Stop NETBIOS noise */</emphasis>
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139 <emphasis
role="bold">/* Stop NETBIOS noise */</emphasis>
0 0 DROP all -- * * !192.168.0.0/22 0.0.0.0/0 <emphasis
role="bold">/* Stop my idiotic work laptop from sending to the net with an HP source/dest IP address */</emphasis>
5 316 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
gateway:~ #
</programlisting>
<para>?COMMENT lines in macro files work somewhat differently from other
files. ?COMMENT lines in macros are ignored if COMMENT support is not
available or if there was a COMMENT in use when the top-level macro was
invoked. This allows the following:</para>
<para><filename>/usr/share/shorewall/macro.SSH</filename>:</para>
<para><programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
?COMMENT SSH
PARAM - - tcp 22 </programlisting>
<filename>/etc/shorewall/rules</filename>:<programlisting>?COMMENT Allow SSH from home
SSH(ACCEPT) net:$MYIP $FW
?COMMENT</programlisting>The comment line in macro.SSH will not override the
?COMMENT line in the rules file and the generated rule will show <emphasis
role="bold">/* Allow SSH from home */</emphasis> when displayed through
the Shorewall show and dump commands.</para>
</section> </section>
<section id="BlankColumn"> <section id="BlankColumn">
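Review bot: The `<important>` note tells users to regenerate the capabilities file after a Shorewall upgrade, but the first paragraph of the same section says the capabilities are probed from the system, that is, from the running kernel and iptables, so the same advice applies after a kernel or iptables upgrade or when the file is copied to a different host; with a stale file the compiler builds for whatever feature set the file records, whether or not the running kernel matches it. Suggest: "be sure to regenerate it after you upgrade Shorewall, your kernel or iptables". Note also that this hunk removes the list of files in which ?COMMENT is accepted (conntrack, accounting, masq, nat, rules, secmarks, tcrules, tunnels, action.* and macro.*) and the replacement ?COMMENT section in the other hunk does not restore it.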
@@ -626,9 +535,11 @@ ACCEPT net:\
port:1024</emphasis></member> port:1024</emphasis></member>
</simplelist> </simplelist>
<para>That usage is deprecated beginning with Shorewall 4.6.0. See the <important>
INLINE_MATCHES option in <ulink <para>That usage is deprecated beginning with Shorewall 4.6.0. See
url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink>.</para> the INLINE_MATCHES option in <ulink
url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
</important>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
@@ -1180,7 +1091,7 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting
<section> <section>
<title>?FORMAT Directive</title> <title>?FORMAT Directive</title>
<para>A number of different files support multiple formats. Prior to <para>A number of configuration files support multiple formats. Prior to
Shorewall 4.5.11, the format was specified by a line having 'FORMAT' as Shorewall 4.5.11, the format was specified by a line having 'FORMAT' as
the first token. This requires each of the file processors to handle the first token. This requires each of the file processors to handle
FORMAT separately.</para> FORMAT separately.</para>
@@ -1284,11 +1195,16 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting
centralize processing of COMMENT directives. The old entries, while still centralize processing of COMMENT directives. The old entries, while still
supported, are now deprecated.</para> supported, are now deprecated.</para>
<para>Use of this directive requires Comment support in your kernel and
iptables - see the output of <command><link
linkend="capabilities">shorewall show
capabilities</link></command>.</para>
<para>The ?COMMENT directive is as follows:</para> <para>The ?COMMENT directive is as follows:</para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term>COMMENT [ <replaceable>comment</replaceable> ]</term> <term>[?]COMMENT [ <replaceable>comment</replaceable> ]</term>
<listitem> <listitem>
<para>If <replaceable>comment</replaceable> is present, it will <para>If <replaceable>comment</replaceable> is present, it will
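Review bot: The new term `[?]COMMENT [ comment ]` uses square brackets for two different things on one line: the optional leading `?` and the optional comment argument. Since the preceding paragraph says the unprefixed form is deprecated, it would be clearer to write the term as `?COMMENT [ comment ]` and state in the body that bare `COMMENT` is still accepted but deprecated, rather than encoding the legacy spelling in the synopsis.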
@@ -1299,13 +1215,69 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
<para>Example (<filename>/etc/shorewall/rules</filename>):</para>
<programlisting>?COMMENT Stop NETBIOS noise
REJECT loc net tcp 137,445
REJECT loc net udp 137:139
?COMMENT Stop my idiotic work laptop from sending to the net with an HP source/dest IP address
DROP loc:!192.168.0.0/22 net
?COMMENT</programlisting>
<para>Here's the corresponding output from
<filename>/sbin/shorewall-lite</filename>:</para>
<programlisting>gateway:~ # <command>shorewall-lite show loc-net</command>
Shorewall Lite 4.3.3 Chains loc2net at gateway - Mon Oct 16 15:04:52 PDT 2008
Counters reset Mon Oct 16 14:52:17 PDT 2006
Chain loc-net (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 LOG flags 0 level 6 prefix `FW:loc2net:REJECT:'
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
0 0 LOG udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:1025:1031 LOG flags 0 level 6 prefix `FW:loc2net:REJECT:'
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:1025:1031
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 137,445 <emphasis
role="bold">/* Stop NETBIOS noise */</emphasis>
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139 <emphasis
role="bold">/* Stop NETBIOS noise */</emphasis>
0 0 DROP all -- * * !192.168.0.0/22 0.0.0.0/0 <emphasis
role="bold">/* Stop my idiotic work laptop from sending to the net with an HP source/dest IP address */</emphasis>
5 316 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
gateway:~ #
</programlisting>
<para>?COMMENT lines in macro files work somewhat differently from other
files. ?COMMENT lines in macros are ignored if COMMENT support is not
available or if there was a COMMENT in use when the top-level macro was
invoked. This allows the following:</para>
<para><filename>/usr/share/shorewall/macro.SSH</filename>:</para>
<para><programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
?COMMENT SSH
PARAM - - tcp 22 </programlisting>
<filename>/etc/shorewall/rules</filename>:<programlisting>?COMMENT Allow SSH from home
SSH(ACCEPT) net:$MYIP $FW
?COMMENT</programlisting>The comment line in macro.SSH will not override the
?COMMENT line in the rules file and the generated rule will show <emphasis
role="bold">/* Allow SSH from home */</emphasis> when displayed through
the Shorewall show and dump commands.</para>
</section> </section>
<section id="CONFIG_PATH"> <section id="CONFIG_PATH">
<title>CONFIG_PATH</title> <title>CONFIG_PATH</title>
<para>The CONFIG_PATH option in shorewall.conf determines where the <para>The CONFIG_PATH option in shorewall.conf determines where the
compiler searches for files. The default setting is compiler searches for configuration files. The default setting is
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall which means that the CONFIG_PATH=/etc/shorewall:/usr/share/shorewall which means that the
compiler first looks in /etc/shorewall and if it doesn't find the file, it compiler first looks in /etc/shorewall and if it doesn't find the file, it
then looks in /usr/share/shorewall.</para> then looks in /usr/share/shorewall.</para>
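Review bot: The examples and the macro note moved here from the old "Attach Comment to Netfilter Rules" section arrive without that section's list of files in which ?COMMENT is honoured (conntrack, accounting, masq, nat, rules, secmarks, tcrules, tunnels, action.* and macro.*); that list was deleted in the other hunk of this file and nothing now tells the reader where the directive may be used, so restore it in this section. In the sample output the header line is dated 2008 while the "Counters reset" line is dated 2006 and the version shown is Shorewall Lite 4.3.3; it is a verbatim move, but since the block is being relocated anyway, a consistent capture would avoid distracting readers.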
@@ -2150,8 +2122,8 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting
ACCEPT loc fw tcp 22 ACCEPT loc fw tcp 22
ACCEPT dmz fw tcp 22</programlisting></para> ACCEPT dmz fw tcp 22</programlisting></para>
<para>Perl scripts run in the context of the compiler process using <para>Perl scripts run in the context of the compiler process using Perl's
Perl's eval() function. Perl scripts are implicitly prefixed by the eval() function. Perl scripts are implicitly prefixed by the
following:</para> following:</para>
<programlisting>package Shorewall::User; <programlisting>package Shorewall::User;

View File

@@ -818,7 +818,7 @@ ppp0 6000kbit 500kbit</programlisting>
SFQ. See tc-fq_codel (8) for additional information.</para> SFQ. See tc-fq_codel (8) for additional information.</para>
<para>See <ulink <para>See <ulink
url="manpages/shorewall-tcdevices.html">shorewall-tcdevices</ulink> url="manpages/shorewall-tcclasses.html">shorewall-tcclasses</ulink>
(5) for a description of the allowable (5) for a description of the allowable
<replaceable>codloptions</replaceable>.</para> <replaceable>codloptions</replaceable>.</para>
</listitem> </listitem>