Change Default IPv6 .conf to specify INLINE_MATCHES=No

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/lib.cli

@@ -388,16 +388,30 @@ do_save() {
     status=0
 
     if [ -f ${VARDIR}/firewall ]; then
-	if $iptables_save | iptablesbug | grep -v -- '-A dynamic.* -j ACCEPT' > ${VARDIR}/restore-$$; then
-	    cp -f ${VARDIR}/firewall $g_restorepath
-	    mv -f ${VARDIR}/restore-$$ ${g_restorepath}-iptables
-	    chmod +x $g_restorepath
-	    echo "   Currently-running Configuration Saved to $g_restorepath"
-	    run_user_exit save
+	if [ -n "$WORKAROUNDS" ]; then
+	    if $iptables_save | iptablesbug | grep -v -- '-A dynamic.* -j ACCEPT' > ${VARDIR}/restore-$$; then
+		cp -f ${VARDIR}/firewall $g_restorepath
+		mv -f ${VARDIR}/restore-$$ ${g_restorepath}-iptables
+		chmod +x $g_restorepath
+		echo "   Currently-running Configuration Saved to $g_restorepath"
+		run_user_exit save
+	    else
+		rm -f ${VARDIR}/restore-$$
+		echo "   ERROR: Currently-running Configuration Not Saved" >&2
+		status=1
+	    fi
 	else
-	    rm -f ${VARDIR}/restore-$$
-	    echo "   ERROR: Currently-running Configuration Not Saved" >&2
-	    status=1
+	    if $iptables_save | grep -v -- '-A dynamic.* -j ACCEPT' > ${VARDIR}/restore-$$; then
+		cp -f ${VARDIR}/firewall $g_restorepath
+		mv -f ${VARDIR}/restore-$$ ${g_restorepath}-iptables
+		chmod +x $g_restorepath
+		echo "   Currently-running Configuration Saved to $g_restorepath"
+		run_user_exit save
+	    else
+		rm -f ${VARDIR}/restore-$$
+		echo "   ERROR: Currently-running Configuration Not Saved" >&2
+		status=1
+	    fi
 	fi
     else
 	echo "   ERROR: ${VARDIR}/firewall does not exist" >&2
@@ -409,14 +423,24 @@ do_save() {
 	    resolve_arptables
 
 	    if [ -n "$arptables" ]; then
-	        #
-	        # 'sed' command is a hack to work around broken arptables_jf
-	        #
-		if ${arptables}-save | sed 's/-p[[:space:]]\+0\([[:digit:]]\)00\/ffff/-p 000\1\/ffff/' > ${VARDIR}/restore-$$; then
-		    if grep -q '^-A' ${VARDIR}/restore-$$; then
-			mv -f ${VARDIR}/restore-$$ ${g_restorepath}-arptables
-		    else
-			rm -f ${VARDIR}/restore-$$
+		if [ -n "$WORKAROUNDS" ]; then
+	            #
+	            # 'sed' command is a hack to work around broken arptables_jf
+	            #
+		    if ${arptables}-save | sed 's/-p[[:space:]]\+0\([[:digit:]]\)00\/ffff/-p 000\1\/ffff/' > ${VARDIR}/restore-$$; then
+			if grep -q '^-A' ${VARDIR}/restore-$$; then
+			    mv -f ${VARDIR}/restore-$$ ${g_restorepath}-arptables
+			else
+			    rm -f ${VARDIR}/restore-$$
+			fi
+		    fi
+		else
+		    if ${arptables}-save > ${VARDIR}/restore-$$; then
+			if grep -q '^-A' ${VARDIR}/restore-$$; then
+			    mv -f ${VARDIR}/restore-$$ ${g_restorepath}-arptables
+			else
+			    rm -f ${VARDIR}/restore-$$
+			fi
 		    fi
 		fi
 	    else
@@ -457,21 +481,28 @@ do_save() {
 		esac
 
 		if [ -n "$IPSET" ]; then
-		    if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then
-			#
-			# The 'grep -v' is a hack for a bug in ipset's nethash implementation when xtables-addons is applied to Lenny
-			#
-			hack='| grep -v /31'
-		    else
-			hack=
-		    fi
+		    if [ -n "$WORKAROUNDS" ]; then
+			if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then
+			    #
+			    # The 'grep -v' is a hack for a bug in ipset's nethash implementation when xtables-addons is applied to Lenny
+			    #
+			    hack='| grep -v /31'
+			else
+			    hack=
+			fi
 
-		    if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then
-			#
-			# Don't save an 'empty' file
-			#
-			grep -qE -- '^(-N|create )' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${g_restorepath}-ipsets
+			if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then
+			    #
+			    # Don't save an 'empty' file
+			    #
+			    grep -qE -- '^(-N|create )' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${g_restorepath}-ipsets
+			fi
 		    fi
+		elif eval $IPSET -S > ${VARDIR}/ipsets.tmp; then
+		    #
+		    # Don't save an 'empty' file
+		    #
+		    grep -qE -- '^(-N|create )' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${g_restorepath}-ipsets
 		fi
 		;;
 	    [Nn]o|ipv4|ipv6)
@@ -981,8 +1012,7 @@ show_command() {
 
     case "$1" in
 	connections)
-	    [ $# -gt 1 ] && usage 1
-
+	    show_connections
 	    if [ $g_family -eq 4 ]; then
 		if [ -d /proc/sys/net/netfilter/ ]; then
 		    local count
@@ -997,8 +1027,10 @@ show_command() {
 		echo
 
 		if qt mywhich conntrack ; then
-		    conntrack -f ipv${g_family} -L | show_connections_filter
+		    shift
+		    conntrack -f ipv4 -L $@ | show_connections_filter
 		else
+		    [ $# -gt 1 ] && usage 1
 		    if [ -f /proc/net/ip_conntrack ]; then
 			cat /proc/net/ip_conntrack | show_connections_filter
 		    else
@@ -1006,10 +1038,12 @@ show_command() {
 		    fi
 	        fi
 	    elif qt mywhich conntrack ; then
+		shift
 		echo "$g_product $SHOREWALL_VERSION Connections at $g_hostname - $(date)"
 		echo
-		conntrack -f ipv6 -L | show_connections_filter
+		conntrack -f ipv6 -L $@ | show_connections_filter
 	    else
+		[ $# -gt 1 ] && usage 1
 		local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
 		local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
 		echo "$g_product $SHOREWALL_VERSION Connections ($count of $max) at $g_hostname - $(date)"
@@ -1513,7 +1547,9 @@ do_dump_command() {
 	heading "Conntrack Table"
     fi
 
-    if [ $g_family -eq 4 ]; then
+    if qt mywhich conntrack; then
+	conntrack -f ipv${g_family} -L 2> /dev/null
+    elif [ $g_family -eq 4 ]; then
     	[ -f /proc/net/ip_conntrack ] && cat /proc/net/ip_conntrack || grep -v '^ipv6' /proc/net/nf_conntrack
     else
 	grep '^ipv6' /proc/net/nf_conntrack
@@ -3619,6 +3655,19 @@ get_config() {
 	IPSET=''
     fi
 
+    if [ -n "$WORKAROUNDS" ]; then
+	case $WORKAROUNDS in
+	    [Yy]es)
+	        ;;
+	    [Nn]o)
+		WORKAROUNDS=''
+		;;
+	    *)
+		fatal_error "Invalid setting ($WORKAROUNDS) for WORKAROUNDS"
+		;;
+	esac
+    fi
+
     TC=tc
 
     IP=$(mywhich ip 2> /dev/null)
@@ -3818,6 +3867,12 @@ run_command() {
     fi
 }
 
+#
+# Echo the parameters if product is Shorewall or Shorewall6
+#
+ecko() {
+    [ -z "$g_lite" ] && echo "$@"
+}
 #
 # Give Usage Information
 #
@@ -3827,13 +3882,16 @@ usage() # $1 = exit status
     echo "where <command> is one of:"
     echo "   add <interface>[:<host-list>] ... <zone>"
     echo "   allow <address> ..."
+    ecko "   [ check | ck ] [ -e ] [ -r ] [ -p ] [ -r ] [ -T ] [ -i ] [ <directory> ]"
     echo "   clear"
+    ecko "   [ compile | co ] [ -e ] [ -p ] [ -t ] [ -c ] [ -d ] [ -T ] [ -i ] [ <directory name> ] [ <path name> ]"
     echo "   close <source> <dest> [ <protocol> [ <port> ] ]" 
     echo "   delete <interface>[:<host-list>] ... <zone>"
     echo "   disable <interface>"
     echo "   drop <address> ..."
     echo "   dump [ -x ] [ -l ] [ -m ]"
     echo "   enable <interface>"
+    ecko "   export [ <directory1> ] [<user>@]<system>[:<directory2>]"
     echo "   forget [ <file name> ]"
     echo "   help"
 
@@ -3843,21 +3901,46 @@ usage() # $1 = exit status
 	echo "   iprange <address>-<address>"
     fi
 
+    if [ $g_family -eq 4 ]; then
+	echo "   iptrace <iptables match expression>"
+    else
+	echo "   iptrace <ip6tables match expression>"
+    fi
+
+    ecko "   load [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ -i ] [ <directory> ] <system>"
     echo "   logdrop <address> ..."
     echo "   logreject <address> ..."
     echo "   logwatch [<refresh interval>]"
+
+    if [ $g_family -eq 4 ]; then
+	echo "   noiptrace <iptables match expression>"
+    else
+	echo "   noiptrace <ip6tables match expression>"
+    fi
+
     echo "   open <source> <dest> [ <protocol> [ <port> ] ]" 
-    echo "   reject <address> ..."
     echo "   reenable <interface>"
+    ecko "   refresh [ -d ] [ -n ] [ -T ] [ -D <directory> ] [ <chain>... ]"
+    echo "   reject <address> ..."
+    ecko "   reload [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ -i ] [ <directory> ] <system>"
     echo "   reset [ <chain> ... ]"
-    echo "   restart [ -n ] [ -p ] [ -f ] [ -C ] [ <directory> ]"
+
+    if [ -n "$g_lite" ]; then
+	echo "   restart [ -n ] [ -p ] [ -f ] [ -C ] [ <directory> ]"
+    else
+	echo "   restart [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ -C ] [ <directory> ]"
+    fi
+
     echo "   restore [ -n ] [ -p ] [ -C ] [ <file name> ]"
     echo "   run <command> [ <parameter> ... ]"
+    ecko "   safe-restart [ -t <timeout> ] [ <directory> ]"
+    ecko "   safe-start [ -t <timeout> ] [ <directory> ]"
     echo "   save [ -C ] [ <file name> ]"
     echo "   savesets"
     echo "   [ show | list | ls ] [ -b ] [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
-    echo "   [ show | list | ls ] [ -f ] capabilities"
+    ecko "   [ show | list | ls ] actions"
     echo "   [ show | list | ls ] arptables"
+    echo "   [ show | list | ls ] [ -f ] capabilities"
     echo "   [ show | list | ls ] [ -x ] {bl|blacklists}"
     echo "   [ show | list | ls ] classifiers"
     echo "   [ show | list | ls ] config"
@@ -3873,6 +3956,8 @@ usage() # $1 = exit status
 
     echo "   [ show | list | ls ] [ -m ] log [<regex>]"
     echo "   [ show | list | ls ] [ -x ] mangle|nat|raw|rawpost"
+    ecko "   [ show | list | ls ] macro <macro>"
+    ecko "   [ show | list | ls ] macros"
     echo "   [ show | list | ls ] nfacct"
     echo "   [ show | list | ls ] opens"
     echo "   [ show | list | ls ] policies"
@@ -3880,9 +3965,17 @@ usage() # $1 = exit status
     echo "   [ show | list | ls ] tc [ device ]"
     echo "   [ show | list | ls ] vardir"
     echo "   [ show | list | ls ] zones"
-    echo "   start [ -f ] [ -p ] [ -C ] [ <directory> ]"
-    echo "   stop"
+
+    if [ -n "$g_lite" ]; then
+	echo "   start [ -f ] [ -p ] [ -C ] [ <directory> ]"
+    else
+	echo "   start [ -f ] [ -n ] [ -p ] [ -c ] [ -T ] [ -i ] [ -C ] [ <directory> ]"
+    fi
+
     echo "   status [ -i ]"
+    echo "   stop"
+    ecko "   try <directory> [ <timeout> ]"
+    ecko "   update [ -a ] [ -b ] [ -r ] [ -T ]  [ -D ] [ -i ] [-t] [-A] [ <directory> ]"
     echo "   version [ -a ]"
     echo
     exit $1
@@ -3934,6 +4027,7 @@ shorewall_cli() {
     g_tcrules=
     g_counters=
     g_loopback=
+    g_compiled=
 
     VERBOSE=
     VERBOSITY=1

Shorewall-core/lib.common

@@ -98,14 +98,23 @@ get_script_version() { # $1 = script
     local digits
     local verbosity
 
-    verbosity="$VERBOSITY"
-    VERBOSITY=0
+    if [ -z "$WORKAROUNDS" -o "$g_compiled" = "$g_file" ]; then
+	#
+	# Unless WORKAROUNDS=No, either this script was just compiled or AUTOMAKE
+	# determined that re-compilation wasn't needed
+	#
+	temp="$SHOREWALL_VERSION"
+    else
+	verbosity="$VERBOSITY"
+	VERBOSITY=0
 
-    temp=$( $SHOREWALL_SHELL $1 version | tail -n 1 | sed 's/-.*//' )
+	temp=$( $SHOREWALL_SHELL $1 version | tail -n 1 )
+    fi
 
     if [ -z "$temp" ]; then
 	version=0
     else
+	temp=${temp%-*}
 	ifs=$IFS
 	IFS=.
 	temp=$(echo $temp)

Shorewall-lite/manpages/shorewall-lite.xml

@@ -1243,11 +1243,19 @@
             </varlistentry>
 
             <varlistentry>
-              <term><emphasis role="bold">connections</emphasis></term>
+              <term><emphasis role="bold">connections
+              [<replaceable>filter_parameter</replaceable>
+              ...]</emphasis></term>
 
               <listitem>
                 <para>Displays the IP connections currently being tracked by
                 the firewall.</para>
+
+                <para>If the <command>conntrack</command> utility is
+                installed, beginning with Shorewall 4.6.11 the set of
+                connections displayed can be limited by including conntrack
+                filter parameters (-p , -s, --dport, etc). See conntrack(8)
+                for details.</para>
               </listitem>
             </varlistentry>
 

Shorewall/Perl/Shorewall/Chains.pm

@@ -8102,7 +8102,7 @@ sub create_save_ipsets() {
 		      "    done" ,
 		      '',
 		    );
-	    } else {
+	    } elsif ( $config{WORKAROUNDS} ) {
 		emit ( '' ,
 		       '    if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then' ,
 		       '        #',
@@ -8116,7 +8116,13 @@ sub create_save_ipsets() {
 		       '    if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then' ,
 		       "        grep -qE -- \"^(-N|create )\" \${VARDIR}/ipsets.tmp && mv -f \${VARDIR}/ipsets.tmp \$file" ,
 		       '    fi' );
- 	    }
+	    } else {
+		emit ( 
+		       '',
+		       '    if eval $IPSET -S > ${VARDIR}/ipsets.tmp; then' ,
+		       "        grep -qE -- \"^(-N|create )\" \${VARDIR}/ipsets.tmp && mv -f \${VARDIR}/ipsets.tmp \$file" ,
+		       '    fi' );
+	    }
 
 	    emit( "    return 0",
 		  '',
@@ -8161,9 +8167,9 @@ sub load_ipsets() {
     my @ipsets = all_ipsets;
 
     if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
+	emit ( '', );
+	emit ( 'local hack' ) if $config{WORKAROUNDS};
 	emit ( '',
-	       'local hack',
-	       '',
 	       'case $IPSET in',
 	       '    */*)',
 	       '        [ -x "$IPSET" ] || startup_error "IPSET=$IPSET does not exist or is not executable"',

Shorewall/Perl/Shorewall/Compiler.pm

@@ -529,14 +529,12 @@ EOF
     emit( '    run_refreshed_exit',
 	  '    do_iptables -N shorewall' );
 
-    emit ( '    do_iptables -A shorewall -m recent --set --name %CURRENTTIME' ) if have_capability 'RECENT_MATCH';
+    emit( '    do_iptables -A shorewall -m recent --set --name %CURRENTTIME' ) if have_capability 'RECENT_MATCH';
 
-    emit(
-	"    set_state Started $config_dir",
-	'    [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall',
-        'else',
-	'    setup_netfilter'
-	);
+    emit( "    set_state Started $config_dir",
+	  '    [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall',
+	  'else',
+	  '    setup_netfilter'	);
 
     push_indent;
     emit 'setup_arptables' if $have_arptables;
@@ -604,12 +602,12 @@ sub compiler {
     sub validate_boolean( $ ) {
 	 my $val = numeric_value( shift );
 	 defined($val) && ($val >= 0) && ($val < 2);
-     }
+    }
 
     sub validate_verbosity( $ ) {
 	 my $val = numeric_value( shift );
 	 defined($val) && ($val >= MIN_VERBOSITY) && ($val <= MAX_VERBOSITY);
-     }
+    }
 
     sub validate_family( $ ) {
 	my $val = numeric_value( shift );
@@ -852,7 +850,7 @@ sub compiler {
     #
     setup_tunnels;
     #
-    # Clear the current filename
+    # Clear the current filename so that the last one processed doesn't appear in error and warning messages
     #
     clear_currentfilename;
     #

Shorewall/Perl/Shorewall/Config.pm

@@ -854,6 +854,7 @@ sub initialize( $;$$) {
 	  REJECT_ACTION => undef,
 	  INLINE_MATCHES => undef,
 	  BASIC_FILTERS => undef,
+	  WORKAROUNDS => undef ,
 	  #
 	  # Packet Disposition
 	  #
@@ -5397,6 +5398,16 @@ sub get_configuration( $$$$$ ) {
 
     ensure_config_path;
 
+    my $default_path = '/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin';
+
+    default 'PATH' , $default_path;
+
+    if ( supplied( $ENV{PATH} ) ) {
+	$ENV{PATH} .= ":$default_path";
+    } else {
+	$ENV{PATH} = $default_path;
+    }
+
     get_params( $export );
 
     process_shorewall_conf( $update, $annotate, $directives );
@@ -5407,7 +5418,6 @@ sub get_configuration( $$$$$ ) {
 
     unshift @INC, @config_path;
 
-    default 'PATH' , '/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin';
     #
     # get_capabilities requires that the true settings of these options be established
     #
@@ -5717,6 +5727,7 @@ sub get_configuration( $$$$$ ) {
     default_yes_no 'TRACK_RULES'                , '';
     default_yes_no 'INLINE_MATCHES'             , '';
     default_yes_no 'BASIC_FILTERS'              , '';
+    default_yes_no 'WORKAROUNDS'                , 'Yes';
 
     require_capability( 'BASIC_EMATCH', 'BASIC_FILTERS=Yes', 's' ) if $config{BASIC_FILTERS};
 
@@ -6261,7 +6272,7 @@ sub generate_aux_config() {
 
     emit "#\n# Shorewall auxiliary configuration file created by Shorewall version $globals{VERSION} - $date\n#";
 
-    for my $option ( qw(VERBOSITY LOGFILE LOGFORMAT ARPTABLES IPTABLES IP6TABLES IP TC IPSET PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE) ) {
+    for my $option ( qw(VERBOSITY LOGFILE LOGFORMAT ARPTABLES IPTABLES IP6TABLES IP TC IPSET PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE WORKAROUNDS) ) {
 	conditionally_add_option $option;
     }
 

Shorewall/Perl/Shorewall/Misc.pm

@@ -918,12 +918,29 @@ sub add_common_rules ( $$ ) {
 	    $target = $policy eq 'REJECT' ? 'reject' : $policy;
 	}
 
-	add_ijump( ensure_mangle_chain( 'rpfilter' ),
+	my $rpfilterref = ensure_mangle_chain( 'rpfilter' );
+
+	if ( $family == F_IPV4 ) {
+	    for $interface ( @$list ) {
+		if ( get_interface_option( $interface, 'dhcp' ) ) {
+		    add_ijump( $rpfilterref,
+			       j        => 'RETURN',
+			       s        => NILIPv4,
+			       p        => UDP,
+			       dport    => 67,
+			       sport    => 68
+			);
+		    last;
+		}
+	    }
+	}
+
+	add_ijump( $rpfilterref,
 		   j        => $target,
 		   rpfilter => '--validmark --invert',
 		   state_imatch 'NEW,RELATED,INVALID',
 		   @ipsec
-		 );
+	    );
     }
 	    
     run_user_exit1 'initdone';
@@ -2136,11 +2153,9 @@ sub optimize1_zones( $$@ ) {
 #
 sub generate_matrix() {
     my @interfaces = ( managed_interfaces );
-    #
-    # Should this be the real PREROUTING chain?
-    #
-    my @zones     = off_firewall_zones;
-    our @vservers = vserver_zones;
+    my @zones      = off_firewall_zones;
+
+    our @vservers  = vserver_zones;
 
     my $interface_jumps_added = 0;
 
@@ -2399,13 +2414,22 @@ sub compile_stop_firewall( $$$ ) {
     my $output  = $filter_table->{OUTPUT};
     my $forward = $filter_table->{FORWARD};
 
-    emit <<'EOF';
+    if ( $config{WORKAROUNDS} ) {
+	emit <<'EOF';
 #
 # Stop/restore the firewall after an error or because of a 'stop' or 'clear' command
 #
 stop_firewall() {
     local hack
 EOF
+    } else {
+	emit <<'EOF';
+#
+# Stop/restore the firewall after an error or because of a 'stop' or 'clear' command
+#
+stop_firewall() {
+EOF
+    }
 
     $output->{policy} = 'ACCEPT' if $config{ADMINISABSENTMINDED};
 

Shorewall/Perl/prog.footer

@@ -100,6 +100,8 @@ g_sha1sum2=
 # Other Globals
 #
 g_counters=
+g_compiled=
+g_file=
 
 initialize
 

Shorewall/Samples/Universal/shorewall.conf

@@ -234,6 +234,8 @@ USE_RT_NAMES=No
 
 WARNOLDCAPVERSION=Yes
 
+WORKAROUNDS=No
+
 ZONE2ZONE=-
 
 ###############################################################################

Shorewall/Samples/one-interface/shorewall.conf

@@ -245,6 +245,8 @@ USE_RT_NAMES=No
 
 WARNOLDCAPVERSION=Yes
 
+WORKAROUNDS=No
+
 ZONE2ZONE=-
 
 ###############################################################################

Shorewall/Samples/three-interfaces/shorewall.conf

@@ -242,6 +242,8 @@ USE_RT_NAMES=No
 
 WARNOLDCAPVERSION=Yes
 
+WORKAROUNDS=No
+
 ZONE2ZONE=-
 
 ###############################################################################

Shorewall/Samples/two-interfaces/shorewall.conf

@@ -245,6 +245,8 @@ USE_RT_NAMES=No
 
 WARNOLDCAPVERSION=Yes
 
+WORKAROUNDS=No
+
 ZONE2ZONE=-
 
 ###############################################################################

Shorewall/configfiles/shorewall.conf

@@ -234,6 +234,8 @@ USE_RT_NAMES=No
 
 WARNOLDCAPVERSION=Yes
 
+WORKAROUNDS=Yes
+
 ZONE2ZONE=-
 
 ###############################################################################

Shorewall/lib.cli-std

@@ -323,6 +323,19 @@ get_config() {
 	    ;;
     esac
 
+    if [ -n "$WORKAROUNDS" ]; then
+	case $WORKAROUNDS in
+	    [Yy]es)
+	        ;;
+	    [Nn]o)
+		WORKAROUNDS=''
+		;;
+	    *)
+		fatal_error "Invalid setting ($WORKAROUNDS) for WORKAROUNDS"
+		;;
+	esac
+    fi
+
     g_loopback=$(find_loopback_interfaces)
 }
 
@@ -350,6 +363,21 @@ uptodate() {
     return 0
 }
 
+#
+# Run the postcompile user exit
+#
+run_postcompile() { # $1 is the compiled script
+    local script
+
+    script=$(find_file postcompile)
+
+    if [ -f $script ]; then
+	. $script $1
+    else
+	return 0
+    fi
+}
+
 #
 # Run the compiler
 #
@@ -357,11 +385,12 @@ compiler() {
     local pc
     local shorewallrc
     local shorewallrc1
+    local options
 
     pc=${LIBEXECDIR}/shorewall/compiler.pl
 
     if [ $(id -u) -ne 0 ]; then
-	if [ -z "$g_shorewalldir" -o "$g_shorewalldir" = /etc/$g_program ]; then
+	if [ -z "$g_shorewalldir" -o "$g_shorewalldir" = $CONFDIR/$g_program ]; then
 	    startup_error "Ordinary users may not $COMMAND the $CONFDIR/$g_program configuration"
 	fi
     fi
@@ -374,8 +403,6 @@ compiler() {
     #
     get_config Yes
 
-    [ -n "$g_doing" ] && progress_message3 "$g_doing..."
-
     case $COMMAND in
 	*start|try|refresh)
 	    ;;
@@ -391,7 +418,7 @@ compiler() {
 
     # Perl compiler only takes the output file as a argument
 
-    [ "$1" = debug -o "$1" = trace ]  && shift;
+    [ "$1" = debug -o "$1" = trace ] && shift;
     [ "$1" = nolock ] && shift;
     shift
 
@@ -402,8 +429,9 @@ compiler() {
 	[ -f "$shorewallrc1" ] || fatal_error "Compiling for export requires a shorewallrc file"
     fi
 
-    if [ -n "$g_conditional" ] && uptodate $g_file; then
+    if [ -n "$g_conditional" ] && uptodate "$g_file"; then
 	echo "$g_file is up to date -- no compilation required"
+	g_compiled="$g_file"
 	return 0
     fi
 
@@ -435,28 +463,23 @@ compiler() {
 	PERL=/usr/bin/perl
     fi
 
+    [ -n "$g_doing" ] && progress_message3 "$g_doing..."
+
     if [ ${PERLLIBDIR} = ${LIBEXECDIR}/shorewall ]; then
 	$PERL $debugflags $pc $options $@
     else
-	PERL5LIB=${PERLLIBDIR}
-	export PERL5LIB
-	$PERL $debugflags $pc $options $@
+	PERL5LIB=${PERLLIBDIR} $PERL $debugflags $pc $options $@
     fi
-}
 
-#
-# Run the postcompile user exit
-#
-run_postcompile() { # $1 is the compiled script
-    local script
+    status=$?
 
-    script=$(find_file postcompile)
-
-    if [ -f $script ]; then
-	. $script $1
-    else
-	return 0
+    if [ $status -eq 0 -a $COMMAND != check ]; then
+	g_compiled="$g_file"
+	run_postcompile "$g_compiled"
+	return
     fi
+
+    return $status
 }
 
 #
@@ -476,8 +499,8 @@ start_command() {
 	    rc=$?
 	    [ -n "$nolock" ] || mutex_off
 	else
-	    if compiler $g_debugging $nolock compile ${VARDIR}/.start; then
-		run_postcompile ${VARDIR}/.start
+	    g_file="${VARDIR}/.start"
+	    if compiler $g_debugging $nolock compile "$g_file"; then
 		[ -n "$nolock" ] || mutex_on
 		run_it ${VARDIR}/.start $g_debugging start
 		rc=$?
@@ -681,7 +704,7 @@ compile_command() {
 	    ;;
 	1)
 	    g_file=$1
-	    [ -d $g_file ] && fatal_error "$g_file is a directory"
+	    [ -d "$g_file" ] && fatal_error "$g_file is a directory"
 	    ;;
 	2)
 	    [ -n "$g_shorewalldir" -a -z "$g_export" ] && usage 2
@@ -704,7 +727,7 @@ compile_command() {
 
     [ "x$g_file" = x- ] && g_doing=''
 
-    compiler $g_debugging compile $g_file && run_postcompile $g_file
+    compiler $g_debugging compile "$g_file"
 }
 
 #
@@ -994,9 +1017,10 @@ restart_command() {
 	uptodate ${VARDIR}/firewall && g_fast=Yes
     fi
 
+    g_file="${VARDIR}/.restart"
+
     if [ -z "$g_fast" ]; then
-	if compiler $g_debugging $nolock compile ${VARDIR}/.restart; then
-	    run_postcompile ${VARDIR}/.restart
+	if compiler $g_debugging $nolock compile "$g_file"; then
 	    [ -n "$nolock" ] || mutex_on
 	    run_it ${VARDIR}/.restart $g_debugging restart
 	    rc=$?
@@ -1089,8 +1113,9 @@ refresh_command() {
 
     [ -n "$STARTUP_ENABLED" ] || not_configured_error "Startup is disabled"
 
-    if compiler $g_debugging $nolock compile ${VARDIR}/.refresh; then
-	run_postcompile ${VARDIR}/.refresh
+    g_file="${VARDIR}/.refresh"
+
+    if compiler $g_debugging $nolock compile "$g_file"; then
 	[ -n "$nolock" ] || mutex_on
 	run_it ${VARDIR}/.refresh $g_debugging refresh
 	rc=$?
@@ -1198,13 +1223,13 @@ safe_commands() {
 	command="restart"
     fi
 
-    if ! compiler $g_debugging nolock compile ${VARDIR}/.$command; then
+    g_file="${VARDIR}/.$command"
+
+    if ! compiler $g_debugging nolock compile "$g_file"; then
 	status=$?
 	exit $status
     fi
 
-    run_postcompile ${VARDIR}/.$command
-
     case $command in
 	start)
 	    RESTOREFILE=NONE
@@ -1329,7 +1354,9 @@ try_command() {
 	command="restart"
     fi
 
-    if ! compiler $g_debugging $nolock compile ${VARDIR}/.$command; then
+    g_file="${VARDIR}/.$command"
+
+    if ! compiler $g_debugging $nolock compile "$g_file"; then
 	status=$?
 	exit $status
     fi
@@ -1523,7 +1550,9 @@ reload_command() # $* = original arguments less the command.
 
     [ -n "$litedir" ] || litedir=${VARLIB}/${g_program}-lite
 
-    if compiler $g_debugging compiler $g_shorewalldir/firewall && \
+    g_file="$g_shorewalldir/firewall"
+
+    if compiler $g_debugging compiler "$g_file" && \
 	progress_message3 "Copying $file and ${file}.conf to ${system}:${litedir}..." && \
 	rcp_command "$g_shorewalldir/firewall $g_shorewalldir/firewall.conf" ${litedir}
     then
@@ -1612,7 +1641,9 @@ export_command() # $* = original arguments less the command.
 
     g_export=Yes
 
-    if compiler $g_debugging compile $g_shorewalldir/firewall && \
+    g_file="$g_shorewalldir/firewall"
+
+    if compiler $g_debugging compile "$g_file" && \
 	echo "Copying $file and ${file}.conf to ${target#*@}..." && \
 	scp $g_shorewalldir/firewall $g_shorewalldir/firewall.conf $target
     then
@@ -1633,102 +1664,6 @@ run_command() {
     fi
 }
 
-#
-# Give Usage Information
-#
-usage() # $1 = exit status
-{
-    echo "Usage: $(basename $0) [debug|trace] [nolock] [ -q ] [ -v[-1|{0-2}] ] [ -t ] <command>"
-    echo "where <command> is one of:"
-    echo "   add <interface>[:<host-list>] ... <zone>"
-    echo "   allow <address> ..."
-    echo "   [ check | ck ] [ -e ] [ -r ] [ -p ] [ -r ] [ -T ] [ -i ] [ <directory> ]"
-    echo "   clear"
-    echo "   close <source> <dest> [ <protocol> [ <port> ] ]" 
-    echo "   [ compile | co ] [ -e ] [ -p ] [ -t ] [ -c ] [ -d ] [ -T ] [ -i ] [ <directory name> ] [ <path name> ]"
-    echo "   delete <interface>[:<host-list>] ... <zone>"
-    echo "   disable <interface>"
-    echo "   drop <address> ..."
-    echo "   dump [ -x ] [ -l ] [ -m ]"
-    echo "   enable <interface>"
-    echo "   export [ <directory1> ] [<user>@]<system>[:<directory2>]"
-    echo "   forget [ <file name> ]"
-    echo "   help"
-
-    if [ $g_family -eq 4 ]; then
-	echo "   hits [ -t ]"
-	echo "   ipcalc { <address>/<vlsm> | <address> <netmask> }"
-	echo "   ipdecimal { <address> | <integer> }"
-	echo "   iprange <address>-<address>"
-    fi
-
-    if [ $g_family -eq 4 ]; then
-	echo "   iptrace <iptables match expression>"
-    else
-	echo "   iptrace <ip6tables match expression>"
-    fi
-
-    echo "   load [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ -i ] [ <directory> ] <system>"
-    echo "   logdrop <address> ..."
-    echo "   logreject <address> ..."
-    echo "   logwatch [<refresh interval>]"
-
-    if [ $g_family -eq 4 ]; then
-	echo "   noiptrace <iptables match expression>"
-    else
-	echo "   noiptrace <ip6tables match expression>"
-    fi
-
-    echo "   open <source> <dest> [ <protocol> [ <port> ] ]" 
-    echo "   reenable <interface>"
-    echo "   refresh [ -d ] [ -n ] [ -T ] [ -D <directory> ] [ <chain>... ]"
-    echo "   reject <address> ..."
-    echo "   reload [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ -i ] [ <directory> ] <system>"
-    echo "   reset [ <chain> ... ]"
-    echo "   restart [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ -C ] [ <directory> ]"
-    echo "   restore [ -n ] [ -p ] [ -C ] [ <file name> ]"
-    echo "   run <command> [ <parameter> ... ]"
-    echo "   safe-restart [ -t <timeout> ] [ <directory> ]"
-    echo "   safe-start [ -t <timeout> ] [ <directory> ]"
-    echo "   save [ -C ] [ <file name> ]"
-    echo "   savesets"
-    echo "   [ show | list | ls ] [ -x ] [ -t {filter|mangle|nat|raw|rawpost} ] [ {chain [<chain> [ <chain> ... ]"
-    echo "   [ show | list | ls ] actions"
-    echo "   [ show | list | ls ] [ -x ] {bl|blacklists}"
-    echo "   [ show | list | ls ] [ -f ] capabilities"
-    echo "   [ show | list | ls ] classifiers"
-    echo "   [ show | list | ls ] config"
-    echo "   [ show | list | ls ] connections"
-    echo "   [ show | list | ls ] dynamic <zone>"
-    echo "   [ show | list | ls ] filters"
-    echo "   [ show | list | ls ] ip"
-
-    if [ $g_family -eq 4 ]; then
-	echo "   [ show | list | ls ] ipa"
-    fi
-
-    echo "   [ show | list | ls ] [ -m ] log [<regex>]"
-    echo "   [ show | list | ls ] macro <macro>"
-    echo "   [ show | list | ls ] macros"
-    echo "   [ show | list | ls ] marks"
-    echo "   [ show | list | ls ] [ -x ] mangle|nat|raw|rawpost|routing"
-    echo "   [ show | list | ls ] nfacct"
-    echo "   [ show | list | ls ] opens"
-    echo "   [ show | list | ls ] policies"
-    echo "   [ show | list | ls ] routing"
-    echo "   [ show | list | ls ] tc [ device ]"
-    echo "   [ show | list | ls ] vardir"
-    echo "   [ show | list | ls ] zones"
-    echo "   start [ -f ] [ -n ] [ -p ] [ -c ] [ -T ] [ -i ] [ -C ] [ <directory> ]"
-    echo "   status [ -i ]"
-    echo "   stop"
-    echo "   try <directory> [ <timeout> ]"
-    echo "   update [ -a ] [ -b ] [ -r ] [ -T ]  [ -D ] [ -i ] [-t] [-A] [ <directory> ]"
-    echo "   version [ -a ]"
-    echo
-    exit $1
-}
-
 compiler_command() {
 
     case $COMMAND in

Shorewall/manpages/shorewall.conf.xml

@@ -2973,8 +2973,8 @@ INLINE          -       -       -       ; -j REJECT
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">WIDE_TC_MARKS=</emphasis>{<emphasis
-        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
+        <term><emphasis role="bold">WIDE_TC_MARKS=</emphasis>[<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
 
         <listitem>
           <para>Deprecated in Shorewall 4.4.26 in favor of TC_BITS and
@@ -2988,6 +2988,27 @@ INLINE          -       -       -       ; -j REJECT
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">WORKAROUNDS=</emphasis>[<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.6.11. Over time, there have been a number
+          of changes in Shorewall that work around defects in other products
+          such as iptables and ipset. When WORKAROUNDS=Yes, these workarounds
+          are enabled; when WORKAROUNDS=No, they are disabled. If not
+          specified or if specified as empty, WORKAROUNDS=Yes is
+          assumed.</para>
+
+          <warning>
+            <para>Do not set WORKAROUNDS=Yes if you need to be able to use
+            Shorewall-generated scripts (such as created by the
+            <command>save</command> command) built by Shorewall 4.4.7 or
+            older.</para>
+          </warning>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis
         role="bold">ZONE_BITS</emphasis>=[<replaceable>number</replaceable>]</term>
@@ -3002,7 +3023,7 @@ INLINE          -       -       -       ; -j REJECT
 
       <varlistentry>
         <term><emphasis
-        role="bold">ZONE2ZONE</emphasis>={<option>2</option>|<option>-</option>}</term>
+        role="bold">ZONE2ZONE</emphasis>=[<option>2</option>|<option>-</option>]</term>
 
         <listitem>
           <para>Added in Shorewall 4.4.4. This option determines how Shorewall

Shorewall/manpages/shorewall.xml

@@ -1931,11 +1931,19 @@
             </varlistentry>
 
             <varlistentry>
-              <term><emphasis role="bold">connections</emphasis></term>
+              <term><emphasis role="bold">connections
+              [<replaceable>filter_parameter</replaceable>
+              ...]</emphasis></term>
 
               <listitem>
                 <para>Displays the IP connections currently being tracked by
                 the firewall.</para>
+
+                <para>If the <command>conntrack</command> utility is
+                installed, beginning with Shorewall 4.6.11 the set of
+                connections displayed can be limited by including conntrack
+                filter parameters (-p , -s, --dport, etc). See conntrack(8)
+                for details.</para>
               </listitem>
             </varlistentry>
 

Shorewall6-lite/manpages/shorewall6-lite.xml

@@ -1216,11 +1216,19 @@
             </varlistentry>
 
             <varlistentry>
-              <term><emphasis role="bold">connections</emphasis></term>
+              <term><emphasis role="bold">connections
+              [<replaceable>filter_parameter</replaceable>
+              ...]</emphasis></term>
 
               <listitem>
                 <para>Displays the IP connections currently being tracked by
                 the firewall.</para>
+
+                <para>If the <command>conntrack</command> utility is
+                installed, beginning with Shorewall 4.6.11 the set of
+                connections displayed can be limited by including conntrack
+                filter parameters (-p , -s, --dport, etc). See conntrack(8)
+                for details.</para>
               </listitem>
             </varlistentry>
 

Shorewall6/Samples6/Universal/shorewall6.conf

@@ -209,6 +209,8 @@ USE_RT_NAMES=No
 
 WARNOLDCAPVERSION=Yes
 
+WORKAROUNDS=No
+
 ZONE2ZONE=-
 
 ###############################################################################

Shorewall6/Samples6/one-interface/shorewall6.conf

@@ -209,6 +209,8 @@ USE_RT_NAMES=No
 
 WARNOLDCAPVERSION=Yes
 
+WORKAROUNDS=No
+
 ZONE2ZONE=-
 
 ###############################################################################

Shorewall6/Samples6/three-interfaces/shorewall6.conf

@@ -209,6 +209,8 @@ USE_RT_NAMES=No
 
 WARNOLDCAPVERSION=Yes
 
+WORKAROUNDS=No
+
 ZONE2ZONE=-
 
 ###############################################################################

Shorewall6/Samples6/two-interfaces/shorewall6.conf

@@ -209,6 +209,8 @@ USE_RT_NAMES=No
 
 WARNOLDCAPVERSION=Yes
 
+WORKAROUNDS=No
+
 ZONE2ZONE=-
 
 ###############################################################################

Shorewall6/configfiles/shorewall6.conf

@@ -155,7 +155,7 @@ HELPERS=
 
 IMPLICIT_CONTINUE=No
 
-INLINE_MATCHES=Yes
+INLINE_MATCHES=No
 
 IPSET_WARNINGS=Yes
 
@@ -209,6 +209,8 @@ USE_RT_NAMES=No
 
 WARNOLDCAPVERSION=Yes
 
+WORKAROUNDS=Yes
+
 ZONE2ZONE=-
 
 ###############################################################################

Shorewall6/manpages/shorewall6.conf.xml

@@ -2622,8 +2622,8 @@ INLINE          -       -       -       ; -j REJECT
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">WIDE_TC_MARKS=</emphasis>{<emphasis
-        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
+        <term><emphasis role="bold">WIDE_TC_MARKS=</emphasis>[<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
 
         <listitem>
           <para>Deprecated in Shorewall 4.4.26 in favor of TC_BITS and
@@ -2637,6 +2637,27 @@ INLINE          -       -       -       ; -j REJECT
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">WORKAROUNDS=</emphasis>[<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.6.11. Over time, there have been a number
+          of changes in Shorewall that work around defects in other products
+          such as iptables and ipset. When WORKAROUNDS=Yes, these workarounds
+          are enabled; when WORKAROUNDS=No, they are disabled. If not
+          specified or if specified as empty, WORKAROUNDS=Yes is
+          assumed.</para>
+
+          <warning>
+            <para>Do not set WORKAROUNDS=Yes if you need to be able to use
+            Shorewall-generated scripts (such as created by the
+            <command>save</command> command) built by Shorewall 4.4.7 or
+            older.</para>
+          </warning>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis
         role="bold">ZONE_BITS</emphasis>=[<replaceable>number</replaceable>]</term>

Shorewall6/manpages/shorewall6.xml

@@ -1817,11 +1817,19 @@
             </varlistentry>
 
             <varlistentry>
-              <term><emphasis role="bold">connections</emphasis></term>
+              <term><emphasis role="bold">connections
+              [<replaceable>filter_parameter</replaceable>
+              ...]</emphasis></term>
 
               <listitem>
                 <para>Displays the IP connections currently being tracked by
                 the firewall.</para>
+
+                <para>If the <command>conntrack</command> utility is
+                installed, beginning with Shorewall 4.6.11 the set of
+                connections displayed can be limited by including conntrack
+                filter parameters (-p , -s, --dport, etc). See conntrack(8)
+                for details.</para>
               </listitem>
             </varlistentry>
 

docs/Build.xml

@@ -53,8 +53,10 @@
     required to produce a directory that is suitable for the
     <command>install.sh</command> script to run in.</para>
 
+    <para>My local git repositories are:</para>
+
     <section>
-      <title>trunk</title>
+      <title>trunk (clone of Code)</title>
 
       <para>The development branch of each product is kept here.</para>
 
@@ -97,14 +99,14 @@
     </section>
 
     <section>
-      <title>tools</title>
+      <title>tools (Clone of Tools)</title>
 
       <para>This is where the release and build tools are kept. There are two
       subordinate directories:</para>
 
       <variablelist>
         <varlistentry>
-          <term>trunk/tools/build</term>
+          <term>tools/build</term>
 
           <listitem>
             <para>Tools for building and uploading new releases.</para>
@@ -112,7 +114,7 @@
         </varlistentry>
 
         <varlistentry>
-          <term>trunk/tools/web</term>
+          <term>tools/web</term>
 
           <listitem>
             <para>Tools for publishing web content</para>
@@ -122,14 +124,14 @@
     </section>
 
     <section>
-      <title>web</title>
+      <title>web (Clone of Web)</title>
 
       <para>The files from the web site that are maintained in HTML format.
       are kept in this directory.</para>
     </section>
 
     <section>
-      <title>release</title>
+      <title>release (Clone of Release)</title>
 
       <para>Added in Shorewall 4.4.22, this directory contains the files that
       contain release-dependent information (change.txt, releasenotes.txt,
@@ -142,7 +144,7 @@
     <title>Build Tools</title>
 
     <para>As described above, the build tools are kept in <filename
-    class="directory">trunk/tools/build.</filename> They are described in the
+    class="directory">tools/build.</filename> They are described in the
     following sections.</para>
 
     <section>
@@ -161,247 +163,6 @@
       version or a patch version.</para>
     </section>
 
-    <section>
-      <title>build</title>
-
-      <para>This is the script that builds Shorewall 4.6 packages from
-      Git.</para>
-
-      <para>The script copies content from Git using the <command>git
-      archive</command> command. It then uses that content to build the
-      packages. In addition to the usual Gnu utilities, the following software
-      is required:</para>
-
-      <variablelist>
-        <varlistentry>
-          <term>rpmbuild</term>
-
-          <listitem>
-            <para>Required to build the RPM packages.</para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term>xsltproc (libxslt)</term>
-
-          <listitem>
-            <para>Required to convert the XML documents to other
-            formats.</para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term>Docbook XSL Stylesheets</term>
-
-          <listitem>
-            <para>Required to convert the XML documents to other
-            formats.</para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term>Perl</term>
-
-          <listitem>
-            <para>Required to massage some of the config files.</para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term>xmlto</term>
-
-          <listitem>
-            <para>Required to convert the XML manpages to manpages. Be sure
-            that you have a recent version; I use 0.0.23.</para>
-          </listitem>
-        </varlistentry>
-      </variablelist>
-
-      <para>You should ensure that you have the latest scripts. The scripts
-      change periodically as we move through the release cycles.</para>
-
-      <para>The build46 script may need to be modified to fit your particular
-      environment. There are a number of variables that are set near the top
-      of the file:</para>
-
-      <variablelist>
-        <varlistentry>
-          <term>STYLESHEET</term>
-
-          <listitem>
-            <para>Must point to the XHTML docbook.xsl stylesheet from your
-            Docbook XSL Stylesheets installation.</para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term>LOGDIR</term>
-
-          <listitem>
-            <para>Directory where you want the build log placed. Defaults to
-            the current working directory.</para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term>RPMDIR</term>
-
-          <listitem>
-            <para>Points to your RPM directory .</para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term>DIR</term>
-
-          <listitem>
-            <para>Directory where you want the release to be built. Defaults
-            to the current working directory.</para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term>GIT</term>
-
-          <listitem>
-            <para>Shorewall GIT repository.</para>
-          </listitem>
-        </varlistentry>
-      </variablelist>
-
-      <para>The scripts assume that there will be a separate <firstterm>build
-      directory</firstterm> per major release.</para>
-
-      <para>To build a release, you cd to the appropriate directory and run
-      the build46 script.</para>
-
-      <para>The general form of the build46 command is:</para>
-
-      <blockquote>
-        <para><command>build</command> [ -<replaceable>options</replaceable> ]
-        <replaceable>release</replaceable> [ <replaceable>prior
-        release</replaceable> ]</para>
-      </blockquote>
-
-      <para>where</para>
-
-      <variablelist>
-        <varlistentry>
-          <term>opt<emphasis>i</emphasis>ons</term>
-
-          <listitem>
-            <para>are one or more of the following. If no options are given
-            then all options are assumed</para>
-
-            <variablelist>
-              <varlistentry>
-                <term>t</term>
-
-                <listitem>
-                  <para>build tar files</para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term>r</term>
-
-                <listitem>
-                  <para>build RPMs</para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term>c</term>
-
-                <listitem>
-                  <para>Build the shorewall package.</para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term>i</term>
-
-                <listitem>
-                  <para>Build the shorewall-init package.</para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term>l</term>
-
-                <listitem>
-                  <para>Build the shorewall-lite package.</para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term>6</term>
-
-                <listitem>
-                  <para>Build the shorewall6 package.</para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term>L</term>
-
-                <listitem>
-                  <para>Build the shorewall6-lite package.</para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term>h</term>
-
-                <listitem>
-                  <para>Build the html document package.</para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term>x</term>
-
-                <listitem>
-                  <para>Build the xml document package.</para>
-                </listitem>
-              </varlistentry>
-            </variablelist>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term><emphasis>release</emphasis></term>
-
-          <listitem>
-            <para>The release version to build. Must match the version in the
-            associated Git path.</para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term><emphasis>prior release</emphasis></term>
-
-          <listitem>
-            <para>The release to be used to generate patch files.</para>
-          </listitem>
-        </varlistentry>
-      </variablelist>
-
-      <para>Example 1 - Build Shorewall 4.4.7 and generate patches against
-      4.4.6:</para>
-
-      <blockquote>
-        <para><command>build 4.4.7 4.4.6</command></para>
-      </blockquote>
-
-      <para>Example 2 - Build Shorewall 4.2.7.1 Shorewall and generate patches
-      against 4.4.7:</para>
-
-      <blockquote>
-        <para><command>build -trc 4.4.7.1 4.4.7</command></para>
-      </blockquote>
-    </section>
-
     <section>
       <title>build45 and build46</title>
 
@@ -655,7 +416,7 @@
     <section>
       <title>upload</title>
 
-      <para>This script is used to upload a release to www1.shorewall.net. The
+      <para>This script is used to upload a release to www.shorewall.org. The
       command is run in the build directory for the minor release of the
       product.</para>
 
@@ -742,7 +503,7 @@
         <para><command>upload 4.3.7</command></para>
       </blockquote>
 
-      <para>Example 2 - Upload shorewall-4.3.7.3:</para>
+      <para>Example 2 - Upload shorewall-core-4.3.7.3:</para>
 
       <blockquote>
         <para><command>upload -c 4.3.7.3</command></para>

docs/GettingStarted.xml

@@ -67,6 +67,12 @@
     <listitem>
       <para><ulink url="Universal.html">Universal</ulink> configuration --
       requires no configuration to protect a single system.</para>
+
+      <caution>
+        <para>This configuration places all interfaces in the net zone. If you
+        add another interface or VPN, you will want to select a different
+        QuickStart Guide.</para>
+      </caution>
     </listitem>
   </itemizedlist>
 
@@ -182,7 +188,7 @@
                     url="configuration_file_basics.htm#Ranges">Port
                     Ranges</ulink></entry>
 
-                    <entry></entry>
+                    <entry/>
                   </row>
                 </tbody>
               </tgroup>

docs/IPSEC-2.6.xml

@@ -5,7 +5,7 @@
   <!--$Id$-->
 
   <articleinfo>
-    <title>IPSEC</title>
+    <title>IPsec</title>
 
     <authorgroup>
       <author>
@@ -58,25 +58,25 @@
   </caution>
 
   <important>
-    <para><emphasis role="bold">Shorewall does not configure IPSEC for
-    you</emphasis> -- it rather configures netfilter to accommodate your IPSEC
+    <para><emphasis role="bold">Shorewall does not configure IPsec for
+    you</emphasis> -- it rather configures netfilter to accommodate your IPsec
     configuration.</para>
   </important>
 
   <important>
     <para>The information in this article is only applicable if you plan to
-    have IPSEC end-points on the same system where Shorewall is used.</para>
+    have IPsec end-points on the same system where Shorewall is used.</para>
   </important>
 
   <important>
     <para>While this <emphasis role="bold">article shows configuration of
-    IPSEC using ipsec-tools</emphasis>, <emphasis role="bold">Shorewall
+    IPsec using ipsec-tools</emphasis>, <emphasis role="bold">Shorewall
     configuration is exactly the same when using OpenSwan</emphasis> or
     FreeSwan.</para>
   </important>
 
   <warning>
-    <para>When running a Linux kernel prior to 2.6.20, the Netfilter+ipsec and
+    <para>When running a Linux kernel prior to 2.6.20, the Netfilter+IPsec and
     policy match support are broken when used with a bridge device. The
     problem was corrected in Kernel 2.6.20 as a result of the removal of
     deferred FORWARD/OUTPUT processing of traffic destined for a bridge. See
@@ -85,10 +85,10 @@
   </warning>
 
   <section id="Overview">
-    <title>Shorwall and Kernel 2.6 IPSEC</title>
+    <title>Shorwall and Kernel 2.6 IPsec</title>
 
     <para>This is <emphasis role="bold">not</emphasis> a HOWTO for Kernel 2.6
-    IPSEC -- for that, please see <ulink
+    IPsec -- for that, please see <ulink
     url="http://www.ipsec-howto.org/">http://www.ipsec-howto.org/</ulink>.</para>
 
     <para>The 2.6 Linux Kernel introduced new facilities for defining
@@ -107,7 +107,7 @@
     traffic is verified against the SPD to ensure that no unencrypted traffic
     is accepted in violation of the administrator's policies.</para>
 
-    <para>There are three ways in which IPSEC traffic can interact with
+    <para>There are three ways in which IPsec traffic can interact with
     Shorewall policies and rules:</para>
 
     <orderedlist>
@@ -136,7 +136,7 @@
     by normal rules and policies.</para>
 
     <para>Under the 2.4 Linux Kernel, the association of unencrypted traffic
-    and zones was made easy by the presence of IPSEC pseudo-interfaces with
+    and zones was made easy by the presence of IPsec pseudo-interfaces with
     names of the form <filename class="devicefile">ipsecN</filename> (e.g.
     <filename class="devicefile">ipsec0</filename>). Outgoing unencrypted
     traffic (case 1.) was sent through an <filename
@@ -175,7 +175,7 @@
     </orderedlist>
 
     <para>In summary, Shorewall provides the facilities to replace the use of
-    ipsec pseudo-interfaces in zone and MASQUERADE/SNAT definition.</para>
+    IPsec pseudo-interfaces in zone and MASQUERADE/SNAT definition.</para>
 
     <para>There are two cases to consider:</para>
 
@@ -226,15 +226,15 @@
     ipsec-tools and racoon although the ipsec-tools project releases them as a
     single package.</para>
 
-    <para>For more information on IPSEC, Kernel 2.6 and Shorewall see <ulink
+    <para>For more information on IPsec, Kernel 2.6 and Shorewall see <ulink
     url="LinuxFest.pdf">my presentation on the subject given at LinuxFest NW
     2005</ulink>. Be warned though that the presentation is based on Shorewall
-    2.2 and there are some differences in the details of how IPSEC is
+    2.2 and there are some differences in the details of how IPsec is
     configured.</para>
   </section>
 
   <section id="GwFw">
-    <title>IPSec Gateway on the Firewall System</title>
+    <title>IPsec Gateway on the Firewall System</title>
 
     <para>Suppose that we have the following situation:</para>
 
@@ -248,7 +248,7 @@
 
     <orderedlist numeration="loweralpha">
       <listitem>
-        <para>Open the firewall so that the IPSEC tunnel can be established
+        <para>Open the firewall so that the IPsec tunnel can be established
         (allow the ESP protocol and UDP Port 500).</para>
       </listitem>
 
@@ -257,7 +257,7 @@
       </listitem>
     </orderedlist>
 
-    <para>Opening the firewall for the IPSEC tunnel is accomplished by adding
+    <para>Opening the firewall for the IPsec tunnel is accomplished by adding
     an entry to the <filename>/etc/shorewall/tunnels</filename> file.</para>
 
     <para>In <filename>/etc/shorewall/tunnels</filename> on system A, we need
@@ -357,7 +357,7 @@ ACCEPT     vpn:134.28.54.2  $FW</programlisting>
     below).</para>
 
     <para>Once you have these entries in place, restart Shorewall (type
-    shorewall restart); you are now ready to configure IPSEC.</para>
+    shorewall restart); you are now ready to configure IPsec.</para>
 
     <para>For full encrypted connectivity in this configuration (between the
     subnets, between each subnet and the opposite gateway, and between the
@@ -450,7 +450,7 @@ sainfo address 192.168.1.0/24 any address 134.28.54.2/32 any
 }</programlisting>
 
       <warning>
-        <para>If you have hosts that access the Internet through an IPSEC
+        <para>If you have hosts that access the Internet through an IPsec
         tunnel, then it is a good idea to set the MSS value for traffic from
         those hosts explicitly in the
         <filename>/etc/shorewall/zones</filename> file. For example, if hosts
@@ -467,8 +467,8 @@ sec     ipsec   mode=tunnel             <emphasis role="bold">mss=1400</emphasis
         adjusted.</para>
 
         <para>Note that CLAMPMSS=Yes in <filename>shorewall.conf</filename>
-        isn't effective with the 2.6 native IPSEC implementation because there
-        is no separate ipsec device with a lower mtu as there was under the
+        isn't effective with the 2.6 native IPsec implementation because there
+        is no separate IPsec device with a lower mtu as there was under the
         2.4 and earlier kernels.</para>
       </warning>
     </blockquote>
@@ -556,7 +556,7 @@ vpn               eth0:0.0.0.0/0
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
       </blockquote>
 
-      <para>On system A, here are the IPSEC files:</para>
+      <para>On system A, here are the IPsec files:</para>
 
       <blockquote>
         <para><filename>/etc/racoon/racoon.conf</filename> - System A:</para>
@@ -606,7 +606,7 @@ spdflush;</programlisting>
       running ipsec-tools (racoon) 0.5rc1 or later.</para>
 
       <para>On the mobile system (system B), it is not possible to create a
-      static IPSEC configuration because the IP address of the laptop's
+      static IPsec configuration because the IP address of the laptop's
       Internet connection isn't static. I have created an 'ipsecvpn' script
       and included in the tarball and in the RPM's documentation directory;
       this script can be used to start and stop the connection.</para>
@@ -620,7 +620,7 @@ spdflush;</programlisting>
 #
 INTERFACE=eth0
 #
-# Remote IPSEC Gateway
+# Remote IPsec Gateway
 #
 GATEWAY=206.162.148.9
 #
@@ -675,10 +675,10 @@ RACOON=/usr/sbin/racoon</programlisting>
     you read it thoroughly and understand it. The setup described in this
     section is more complex because you are including an additional layer of
     tunneling. Again, make sure that you have read the previous section and it
-    is highly recommended to have the IPSEC-only configuration working
+    is highly recommended to have the IPsec-only configuration working
     first.</para>
 
-    <para>Additionally, this section assumes that you are running IPSEC,
+    <para>Additionally, this section assumes that you are running IPsec,
     xl2tpd and pppd on the same system that is running shorewall. However,
     configuration of these additional services is beyond the scope of this
     document.</para>
@@ -698,7 +698,7 @@ RACOON=/usr/sbin/racoon</programlisting>
         MS Windows or Mac OS X) and you do not want them to have to install
         third party software in order to connect to the VPN (both MS Windows
         and Mac OS X include VPN clients which natively support L2TP over
-        IPSEC, but not plain IPSEC).</para>
+        IPsec, but not plain IPsec).</para>
       </listitem>
 
       <listitem>
@@ -805,7 +805,7 @@ all             all             REJECT          info
       <programlisting>#ACTION         SOURCE  DEST    PROTO   DEST    SOURCE
 #                                       PORT(S) PORT(S)
 SECTION ESTABLISHED
-# Prevent IPSEC bypass by hosts behind a NAT gateway
+# Prevent IPsec bypass by hosts behind a NAT gateway
 L2TP(REJECT)    net     $FW
 REJECT          $FW     net     udp     -       1701
 # l2tp over the IPsec VPN
@@ -824,7 +824,7 @@ HTTPS(ACCEPT)   l2tp    $FW
 
     <para>In today's wireless world, it is often the case that individual
     hosts in a network need to establish secure connections with the other
-    hosts in that network. In that case, IPSEC transport mode is an
+    hosts in that network. In that case, IPsec transport mode is an
     appropriate solution.</para>
 
     <para><graphic fileref="images/TransportMode.png"/>Here's an example using
@@ -914,7 +914,7 @@ loc             eth0:192.168.20.0/24
 
       <para>It is worth noting that although <emphasis>loc</emphasis> is a
       sub-zone of <emphasis>net</emphasis>, because <emphasis>loc</emphasis>
-      is an IPSEC-only zone it does not need to be defined before
+      is an IPsec-only zone it does not need to be defined before
       <emphasis>net</emphasis> in
       <emphasis>/etc/shorewall/zones</emphasis>.</para>
 
@@ -938,7 +938,7 @@ all             all             REJECT          info
   <section id="ipcomp">
     <title>IPCOMP</title>
 
-    <para>If your IPSEC tunnel or transport mode connection fails to work with
+    <para>If your IPsec tunnel or transport mode connection fails to work with
     Shorewall started and you see log messages like the following when you try
     to use the connection, the problem is that ip compression is being
     used.<programlisting>Feb 18 23:43:52 vpngw kernel: Shorewall:<emphasis
@@ -948,14 +948,14 @@ all             all             REJECT          info
     add an IPCOMP tunnel to /etc/shorewall/tunnels as follows:<programlisting>#TYPE                   ZONE    GATEWAY         GATEWAY
 #                                               ZONE
 ipip                    <emphasis role="bold">vpn</emphasis>     0.0.0.0/0</programlisting>The
-    above assumes that the name of your IPSEC vpn zone is
+    above assumes that the name of your IPsec vpn zone is
     <emphasis>vpn</emphasis>.</para>
   </section>
 
   <section id="XP">
-    <title>IPSEC and <trademark>Windows</trademark> XP</title>
+    <title>IPsec and <trademark>Windows</trademark> XP</title>
 
-    <para>I have successfully configured my work laptop to use IPSEC with
+    <para>I have successfully configured my work laptop to use IPsec with
     X.509 certificates for wireless IP communication when it is undocked at
     home. I looked at dozens of sites and the one I found most helpful was
     <ulink
@@ -974,7 +974,7 @@ ipip                    <emphasis role="bold">vpn</emphasis>     0.0.0.0/0</prog
       do I generate a PKCS#12 certificate to import into Windows?". Here's the
       openssl command that I used:</para>
 
-      <programlisting><command>openssl pkcs12 -export -in eastepnc6000.pem -inkey eastepnc6000_key.pem -out eastepnc6000.pfx -name "IPSEC Cert for Home Wireless"</command> </programlisting>
+      <programlisting><command>openssl pkcs12 -export -in eastepnc6000.pem -inkey eastepnc6000_key.pem -out eastepnc6000.pfx -name "IPsec Cert for Home Wireless"</command> </programlisting>
 
       <para>I was prompted for a password to associate with the certificate.
       This password is entered on the Windows system during import.</para>
@@ -999,7 +999,7 @@ ipip                    <emphasis role="bold">vpn</emphasis>     0.0.0.0/0</prog
         </listitem>
 
         <listitem>
-          <para>"IPSEC Cert for Home Wireless" is the friendly name for the
+          <para>"IPsec Cert for Home Wireless" is the friendly name for the
           certificate.</para>
         </listitem>
       </itemizedlist>
@@ -1007,7 +1007,7 @@ ipip                    <emphasis role="bold">vpn</emphasis>     0.0.0.0/0</prog
       <para>I started to write an article about how to do this, complete with
       graphics captured from my laptop. I gave up. I had captured 12 images
       and hadn't really started yet. The Windows interface for configuring
-      IPSEC is the worst GUI that I have ever used. What can be displayed on
+      IPsec is the worst GUI that I have ever used. What can be displayed on
       one split Emacs screen (racoon.conf plus setkey.conf) takes 20+
       different dialog boxes on Windows XP!!!</para>
     </warning>

docs/Introduction.xml

@@ -16,7 +16,7 @@
     <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
 
     <copyright>
-      <year>2003-2014</year>
+      <year>2003-2015</year>
 
       <holder>Thomas M. Eastep</holder>
     </copyright>
@@ -145,18 +145,8 @@
     setups, you will only need to deal with a few of them.</para>
 
     <para>Shorewall views the network where it is running as being composed of
-    a set of <firstterm>zones</firstterm>. In the <ulink
-    url="three-interface.htm">three-interface sample configuration</ulink> for
-    example, the following zone names are used:</para>
-
-    <programlisting>#NAME                  DESCRIPTION
-fw                     The firewall itself
-net                    The Internet
-loc                    Your Local Network
-dmz                    Demilitarized Zone</programlisting>
-
-    <para>Zones are declared and given a type in the <ulink
-    url="manpages/shorewall-zones.html"><filename
+    a set of <firstterm>zones</firstterm>. Zones are declared and given a type
+    in the <ulink url="manpages/shorewall-zones.html"><filename
     class="directory">/etc/shorewall/</filename><filename>zones</filename></ulink>
     file.Here is the <ulink url="manpages/shorewall-zones.html"><filename
     class="directory">/etc/shorewall/</filename><filename>zones</filename></ulink>
@@ -433,8 +423,8 @@ ACCEPT     net           $FW       tcp        22</programlisting>
       <listitem>
         <para><emphasis role="bold">Shorewall-init</emphasis>. May be
         installed with any of the other firewall packages. Allows the firewall
-        to be close prior to bringing up network interfaces. It can also react
-        to interface up/down events.</para>
+        to be closed prior to bringing up network interfaces. It can also
+        react to interface up/down events.</para>
       </listitem>
     </orderedlist>
   </section>

docs/Shorewall-4.xml

@@ -22,6 +22,8 @@
 
       <year>2009</year>
 
+      <year>2015</year>
+
       <holder>Thomas M. Eastep</holder>
     </copyright>
 
@@ -97,11 +99,12 @@
   <section id="Install">
     <title>Shorewall 4.4</title>
 
-    <para>Shorewall 4.4 discontinues the availability of the legacy
+    <para>Shorewall 4.4 discontinued the availability of the legacy
     shell-based compiler. All users must migrate to the perl-based compiler
-    before or during an upgrade to Shorewall version 4.4. We highly recommend
-    that current users of the shell-based compiler migrate before upgrading to
-    4.4 so that both compilers are available during the migration.</para>
+    before or during an upgrade to Shorewall version 4.4 or later. We highly
+    recommend that current users of the shell-based compiler migrate before
+    upgrading to 4.4 or later so that both compilers are available during the
+    migration.</para>
 
     <para>Shorewall 4.4 contains five packages:</para>
 
@@ -161,11 +164,12 @@
 
     <itemizedlist>
       <listitem>
-        <para>Perl (I use Perl 5.8.10 but other 5.8 versions should work
-        fine). <note>
+        <para>Perl (I use Perl 5.14.2 but other 5.8 or later versions should
+        work fine). <note>
             <para>If you want to be able to use DNS names in your Shorewall6
-            configuration files, then Perl 5.10 is required together with the
-            Perl <emphasis role="bold">Socket6</emphasis> module.</para>
+            configuration files, then Perl 5.10 or later is required together
+            with the Perl <emphasis role="bold">Socket6</emphasis>
+            module.</para>
           </note></para>
       </listitem>
 

docs/configuration_file_basics.xml

@@ -819,6 +819,16 @@ DNAT { source=net dest=loc:10.0.0.1 proto=tcp dport=80 mark=88 }</programlisting
     <para>In the Shorewall documentation and manpages, we have tried to make
     it clear which type of address is accepted in each specific case.</para>
 
+    <para>Because Shorewall uses a colon (":") as a separator in many
+    contexts, IPv6 addresses are best written using the standard convention in
+    which the address itself is enclosed in square brackets:</para>
+
+    <simplelist>
+      <member>[2001:227:e857:1::1]</member>
+
+      <member>[2001:227:e857:1:0:0:0:0:1]/64</member>
+    </simplelist>
+
     <para>For more information about addressing, see the<ulink
     url="shorewall_setup_guide.htm#Addressing"> Setup Guide</ulink>.</para>
   </section>

docs/shorewall_logging.xml

@@ -18,7 +18,7 @@
     <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
 
     <copyright>
-      <year>2001 - 2009</year>
+      <year>2001 - 2015</year>
 
       <holder>Thomas M. Eastep</holder>
     </copyright>
@@ -293,7 +293,7 @@ gateway:/etc/shorewall#                                               </programl
 
       <itemizedlist>
         <listitem>
-          <para>The first number specifies the netlink group (1-32). If
+          <para>The first number specifies the netlink group (0-32). If
           omitted (e.g., NFLOG(,0,10)) then a value of 0 is assumed.</para>
         </listitem>