Correct documentation index link

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/configure

@@ -91,6 +91,8 @@ for p in $@; do
     fi
 done
 
+cd $(dirname $0)
+
 vendor=${params[HOST]}
 
 if [ -z "$vendor" ]; then
@@ -122,7 +124,6 @@ if [ -z "$vendor" ]; then
 	    params[HOST]=apple
 	    rcfile=shorewallrc.apple
 	    ;;
-
 	cygwin*|CYGWIN*)
 	    params[HOST]=cygwin
 	    rcfile=shorewallrc.cygwin
@@ -130,7 +131,7 @@ if [ -z "$vendor" ]; then
 	*)
 	    if [ -f /etc/debian_version ]; then
 		params[HOST]=debian
-		rcfile=shorewallrc.debian
+		ls -l /sbin/init | fgrep -q systemd &&  rcfile=shorewallrc.debian.systemd || rcfile=shorewallrc.debian.sysvinit
 	    elif [ -f /etc/redhat-release ]; then
 		params[HOST]=redhat
 		rcfile=shorewallrc.redhat
@@ -143,28 +144,41 @@ if [ -z "$vendor" ]; then
 	    elif [ -f /etc/arch-release ] ; then
 		params[HOST]=archlinux
 		rcfile=shorewallrc.archlinux
+	    elif [ -f /etc/openwrt_release ]; then
+		params[HOST]=openwrt
+		rcfile=shorewallrc.openwrt
 	    else
 		params[HOST]=linux
 		rcfile=shorewallrc.default
 	    fi
 	    ;;
     esac
-
     vendor=${params[HOST]}
-elif [ $vendor = linux ]; then
-    rcfile=shorewallrc.default;
 else
-    rcfile=shorewallrc.$vendor
+    if [ $vendor = linux ]; then
+	rcfile=shorewallrc.default;
+    elif [ $vendor = debian -a -f /etc/debian_version ]; then
+	ls -l /sbin/init | fgrep -q systemd && rcfile=shorewallrc.debian.systemd || rcfile=shorewallrc.debian.sysvinit
+    else
+	rcfile=shorewallrc.$vendor
+    fi
+
     if [ ! -f $rcfile ]; then
 	echo "ERROR: $vendor is not a recognized host type" >&2
 	exit 1
+    elif [ $vendor = default ]; then
+	params[HOST]=linux
+	vendor=linux
+    elif [[ $vendor == debian.* ]]; then
+	params[HOST]=debian
+	vendor=debian
     fi
 fi
 
 if [ $vendor = linux ]; then
     echo "INFO: Creating a generic Linux installation - " `date`;
 else
-    echo "INFO: Creating a ${vendor}-specific installation - " `date`;
+    echo "INFO: Creating a ${params[HOST]}-specific installation - " `date`;
 fi
 
 echo
@@ -177,6 +191,7 @@ done
 
 echo '#'                                                                 > shorewallrc
 echo "# Created by Shorewall Core version $VERSION configure - " `date` >> shorewallrc
+echo "# rc file: $rcfile"                                               >> shorewallrc
 echo '#'                                                                >> shorewallrc
 
 if [ $# -gt 0 ]; then

Shorewall-core/configure.pl

@@ -52,6 +52,9 @@ for ( @ARGV ) {
     $params{$pn} = $pv;
 }
 
+use File::Basename;
+chdir dirname($0);
+
 my $vendor = $params{HOST};
 my $rcfile;
 my $rcfilename;
@@ -68,23 +71,52 @@ unless ( defined $vendor ) {
 	    $vendor = 'redhat';
 	} elsif ( $id eq 'opensuse' ) {
 	    $vendor = 'suse';
-	} elsif ( $id eq 'ubuntu' ) {
-	    $vendor = 'debian';
+	} elsif ( $id eq 'ubuntu' || $id eq 'debian' ) {
+	    my $init = `ls -l /sbin/init`;
+	    $vendor = $init =~ /systemd/ ? 'debian.systemd' : 'debian.sysvinit';
 	} else {
 	    $vendor = $id;
 	}
     }
 
     $params{HOST} = $vendor;
+    $params{HOST} =~ s/\..*//;
 }
 
 if ( defined $vendor ) {
-    $rcfilename = $vendor eq 'linux' ? 'shorewallrc.default' : 'shorewallrc.' . $vendor;
-    die qq("ERROR: $vendor" is not a recognized host type) unless -f $rcfilename;
+    if ( $vendor eq 'debian' && -f '/etc/debian_version' ) {
+	if ( -l '/sbin/init' ) {
+	    if ( readlink('/sbin/init') =~ /systemd/ ) {
+		$rcfilename = 'shorewallrc.debian.systemd';
+	    } else {
+		$rcfilename = 'shorewallrc.debian.sysvinit';
+	    }
+	} else {
+	    $rcfilename = 'shorewallrc.debian.sysvinit';
+	}
+    } else {
+	$rcfilename = $vendor eq 'linux' ? 'shorewallrc.default' : 'shorewallrc.' . $vendor;
+    }
+
+    unless ( -f $rcfilename ) {
+	die qq("ERROR: $vendor" is not a recognized host type);
+    } elsif ( $vendor eq 'default' ) {
+	$params{HOST} = $vendor = 'linux';
+    } elsif ( $vendor =~ /^debian\./ ) {
+	$params{HOST} = $vendor = 'debian';
+    }
 } else {
     if ( -f '/etc/debian_version' ) {
 	$vendor = 'debian';
-	$rcfilename = 'shorewallrc.debian';
+	if ( -l '/sbin/init' ) {
+	    if ( readlink( '/sbin/init' ) =~ /systemd/ ) {
+		$rcfilename = 'shorewallrc.debian.systemd';
+	    } else {
+		$rcfilename = 'shorewallrc.debian.sysvinit';
+	    }
+	} else {
+	    $rcfilename = 'shorewallrc.debian.sysvinit';
+	}
     } elsif ( -f '/etc/redhat-release' ){
 	$vendor = 'redhat';
 	$rcfilename = 'shorewallrc.redhat';
@@ -117,7 +149,7 @@ my @abbr = qw( Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec );
 if ( $vendor eq 'linux' ) {
     printf "INFO: Creating a generic Linux installation - %s %2d %04d %02d:%02d:%02d\n\n", $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];;
 } else {
-    printf "INFO: Creating a %s-specific installation - %s %2d %04d %02d:%02d:%02d\n\n", $vendor, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];;
+    printf "INFO: Creating a %s-specific installation - %s %2d %04d %02d:%02d:%02d\n\n", $params{HOST}, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];;
 }
 
 open $rcfile, '<', $rcfilename or die "Unable to open $rcfilename for input: $!";
@@ -141,7 +173,8 @@ my $outfile;
 
 open $outfile, '>', 'shorewallrc' or die "Can't open 'shorewallrc' for output: $!";
 
-printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s %2d %04d %02d:%02d:%02d\n#\n", VERSION, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];
+printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s %2d %04d %02d:%02d:%02d\n", VERSION, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];
+print $outfile "# rc file: $rcfilename\n#\n";
 
 print  $outfile "# Input: @ARGV\n#\n" if @ARGV;
 

Shorewall-core/install.sh

@@ -66,15 +66,6 @@ mywhich() {
     return 2
 }
 
-run_install()
-{
-    if ! install $*; then
-	echo
-	echo "ERROR: Failed to install $*" >&2
-	exit 1
-    fi
-}
-
 cant_autostart()
 {
     echo
@@ -88,7 +79,20 @@ delete_file() # $1 = file to delete
 
 install_file() # $1 = source $2 = target $3 = mode
 {
-    run_install $T $OWNERSHIP -m $3 $1 ${2}
+    if cp -f $1 $2; then
+	if chmod $3 $2; then
+	    if [ -n "$OWNER" ]; then
+		if chown $OWNER:$GROUP $2; then
+		    return
+		fi
+	    else
+		return 0
+	    fi
+	fi
+    fi
+
+    echo "ERROR: Failed to install $2" >&2
+    exit 1
 }
 
 require()
@@ -181,10 +185,6 @@ done
 
 [ "${INITFILE}" != 'none/' ] && require INITSOURCE && require INITDIR
 
-T="-T"
-
-INSTALLD='-D'
-
 if [ -z "$BUILD" ]; then
     case $(uname) in
 	cygwin*|CYGWIN*)
@@ -226,6 +226,8 @@ if [ -z "$BUILD" ]; then
 		BUILD=suse
 	    elif [ -f /etc/arch-release ] ; then
 		BUILD=archlinux
+	    elif [ -f ${CONFDIR}/openwrt_release ] ; then
+		BUILD=openwrt
 	    else
 		BUILD=linux
 	    fi
@@ -252,17 +254,15 @@ case $BUILD in
 
 	[ -z "$OWNER" ] && OWNER=root
 	[ -z "$GROUP" ] && GROUP=wheel
-	INSTALLD=
-	T=
 	;;
     *)
-	[ -z "$OWNER" ] && OWNER=root
-	[ -z "$GROUP" ] && GROUP=root
+	if [ $(id -u) -eq 0 ]; then
+	    [ -z "$OWNER" ] && OWNER=root
+	    [ -z "$GROUP" ] && GROUP=root
+	fi
 	;;
 esac
 
-OWNERSHIP="-o $OWNER -g $GROUP"
-
 #
 # Determine where to install the firewall script
 #
@@ -276,7 +276,7 @@ case "$HOST" in
     apple)
 	echo "Installing Mac-specific configuration...";
 	;;
-    debian|gentoo|redhat|slackware|archlinux|linux|suse)
+    debian|gentoo|redhat|slackware|archlinux|linux|suse|openwrt)
 	;;
     *)
 	echo "ERROR: Unknown HOST \"$HOST\"" >&2
@@ -305,7 +305,6 @@ if [ -n "$DESTDIR" ]; then
     if [ $BUILD != cygwin ]; then
 	if [ `id -u` != 0 ] ; then
 	    echo "Not setting file owner/group permissions, not running as root."
-	    OWNERSHIP=""
 	fi
     fi
 fi
@@ -407,9 +406,9 @@ fi
 if [ ${SHAREDIR} != /usr/share ]; then
     for f in lib.*; do
 	if [ $BUILD != apple ]; then
-	    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${SHAREDIR}/shorewall/$f
+	    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/$f
 	else
-	    eval sed -i \'\' -e \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${SHAREDIR}/shorewall/$f
+	    eval sed -i \'\' -e \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/$f
 	fi
     done
 fi

Shorewall-core/lib.base

@@ -75,6 +75,24 @@ elif [ -z "${VARDIR}" ]; then
     VARDIR="${VARLIB}/${PRODUCT}"
 fi
 
+#
+# Fatal Error
+#
+fatal_error() # $@ = Message
+{
+    echo "   ERROR: $@" >&2
+    exit 2
+}
+
+#
+# Not configured Error
+#
+not_configured_error() # $@ = Message
+{
+    echo "   ERROR: $@" >&2
+    exit 6
+}
+
 #
 # Conditionally produce message
 #

Shorewall-core/lib.cli

@@ -143,29 +143,63 @@ timed_read ()
 }
 
 #
-# Determine if 'syslog -C' is running
+# Determine if 'syslogd -C' or logd -S is running
 #
 syslog_circular_buffer() {
     local pid
     local tty
     local flags
-    local cputime
+    local time
     local path
     local args
     local arg
 
-    ps ax 2> /dev/null | while read pid tty flags cputime path args; do
-	case $path in
-	    syslogd|*/syslogd)
-		for arg in $args; do
-		    if [ x$arg = x-C ]; then
-			echo Yes
-			return
-		    fi
-		done
-		;;
-	esac
-    done
+    ps w 2> /dev/null | (
+	while read pid tty stat time path args; do
+	    case $path in
+		syslogd|*/syslogd)
+		    for arg in $args; do
+			case $arg in
+			    -C*)
+				return 0
+				;;
+			esac
+		    done
+		    ;;
+		logd|*/logd)
+		    for arg in $args; do
+			case $arg in
+			    -S*)
+				return 0
+				;;
+			esac
+		    done
+		    ;;
+	    esac
+	done
+
+	return 1 )
+}
+
+setup_logread() {
+    [ -z "$LOGFILE" ] && LOGFILE=/var/log/messages
+
+    if syslog_circular_buffer; then
+	LOGFILE=logread
+	if qt mywhich tac; then
+	    g_logread="logread | tac"
+	else
+	    g_logread="logread"
+	fi
+    elif [ -r $LOGFILE ]; then
+	if qt mywhich tac; then
+	    g_logread="tac $LOGFILE"
+	else
+	    g_logread="cat $LOGFILE"
+	fi
+    else
+	fatal_error "LOGFILE ($LOGFILE) does not exist or is not readable!"
+    fi
 }
 
 #
@@ -173,31 +207,59 @@ syslog_circular_buffer() {
 #
 packet_log() # $1 = number of messages
 {
-    if [ -n "$g_showmacs" -o $VERBOSITY -gt 2 ]; then
-	if [ $g_family -eq 4 ]; then
-	    $g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | head -n$1 | tac | sed 's/ kernel://; s/\[.*\] //' | sed s/" $host $LOGFORMAT"/" "/
+    if qt mywhich tac; then
+	if [ -n "$g_showmacs" -o $VERBOSITY -gt 2 ]; then
+	    if [ $g_family -eq 4 ]; then
+		$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | head -n$1 | tac | sed 's/ kernel://; s/\[.*\] //' | sed s/" $host $LOGFORMAT"/" "/
+	    else
+		$g_logread | grep 'IN=.* OUT=.*SRC=.*:.*DST=' | head -n$1 | tac | sed -r 's/ kernel://; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
+	    fi
+	elif [ $g_family -eq 4 ]; then
+	    $g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' |  head -n$1 | tac | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/
 	else
-	    $g_logread | grep 'IN=.* OUT=.*SRC=.*:.*DST=' | head -n$1 | tac | sed -r 's/ kernel://; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
+	    $g_logread | grep 'IN=.* OUT=.*SRC=.*:.*DST=' |  head -n$1 | tac | sed -r 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
 	fi
-    elif [ $g_family -eq 4 ]; then
-	$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' |  head -n$1 | tac | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/
     else
-	$g_logread | grep 'IN=.* OUT=.*SRC=.*:.*DST=' |  head -n$1 | tac | sed -r 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
-    fi
+	if [ -n "$g_showmacs" -o $VERBOSITY -gt 2 ]; then
+	    if [ $g_family -eq 4 ]; then
+		$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | tail -n$1 | sed 's/ kernel://; s/\[.*\] //' | sed s/" $host $LOGFORMAT"/" "/
+	    else
+		$g_logread | grep 'IN=.* OUT=.*SRC=.*:.*DST=' | tail -n$1 | sed -r 's/ kernel://; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
+	    fi
+	elif [ $g_family -eq 4 ]; then
+	    $g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' |  tail -n$1 | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/
+	else
+	    $g_logread | grep 'IN=.* OUT=.*SRC=.*:.*DST=' |  tail -n$1 | sed -r 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
+	fi
+    fi	
 }
 
 search_log() # $1 = IP address to search for
 {
-    if [ -n "$g_showmacs" -o $VERBOSITY -gt 2 ]; then
-        if [ $g_family -eq 4 ]; then
-	    $g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | tac | sed 's/ kernel://; s/\[.*\] //' | sed s/" $host $LOGFORMAT"/" "/
+    if qt mywhich tac; then
+	if [ -n "$g_showmacs" -o $VERBOSITY -gt 2 ]; then
+            if [ $g_family -eq 4 ]; then
+		$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | tac | sed 's/ kernel://; s/\[.*\] //' | sed s/" $host $LOGFORMAT"/" "/
+	    else
+		$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | tac | sed -r 's/ kernel://; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
+	    fi
+	elif [ $g_family -eq 4 ]; then
+	    $g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' |  grep "$1" | tac | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/
 	else
-	    $g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | tac | sed -r 's/ kernel://; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
+	    $g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' |  grep "$1" | tac | sed -r 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
 	fi
-    elif [ $g_family -eq 4 ]; then
-	$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' |  grep "$1" | tac | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/
     else
-	$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' |  grep "$1" | tac | sed -r 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
+	if [ -n "$g_showmacs" -o $VERBOSITY -gt 2 ]; then
+            if [ $g_family -eq 4 ]; then
+		$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | sed 's/ kernel://; s/\[.*\] //' | sed s/" $host $LOGFORMAT"/" "/
+	    else
+		$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | sed -r 's/ kernel://; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
+	    fi
+	elif [ $g_family -eq 4 ]; then
+	    $g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' |  grep "$1" | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/
+	else
+	    $g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' |  grep "$1" | sed -r 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
+	fi
     fi
 }
 
@@ -280,17 +342,7 @@ show_bl() {
 logwatch() # $1 = timeout -- if negative, prompt each time that
 	   #		     an 'interesting' packet count changes
 {
-    if [ -z "$LOGFILE" ]; then
-	LOGFILE=/var/log/messages
-
-	if [ -n "$(syslog_circular_buffer)" ]; then
-	    g_logread="logread | tac"
-	elif [ -r $LOGFILE ]; then
-	    g_logread="tac $LOGFILE"
-	else
-	    fatal_error "LOGFILE ($LOGFILE) does not exist!"
-	fi
-    fi
+    setup_logread
 
     host=$(echo $g_hostname | sed 's/\..*$//')
     oldrejects=$($g_tool -L -v -n | grep 'LOG')
@@ -1081,17 +1133,7 @@ show_command() {
 	log)
 	    [ $# -gt 2 ] && usage 1
 
-	    if [ -z "$LOGFILE" ]; then
-		LOGFILE=/var/log/messages
-
-		if [ -n "$(syslog_circular_buffer)" ]; then
-		    g_logread="logread | tac"
-		elif [ -r $LOGFILE ]; then
-		    g_logread="tac $LOGFILE"
-		else
-		    fatal_error "LOGFILE ($LOGFILE) does not exist!"
-		fi
-	    fi
+	    setup_logread
 
 	    echo "$g_product $SHOREWALL_VERSION Log ($LOGFILE) at $g_hostname - $(date)"
 	    echo
@@ -1470,17 +1512,7 @@ do_dump_command() {
 	esac
     done
 
-    if [ -z "$LOGFILE" ]; then
-	LOGFILE=/var/log/messages
-
-	if [ -n "$(syslog_circular_buffer)" ]; then
-	    g_logread="logread | tac"
-	elif [ -r $LOGFILE ]; then
-	    g_logread="tac $LOGFILE"
-	else
-	    fatal_error "LOGFILE ($LOGFILE) does not exist! - See http://www.shorewall.net/shorewall_logging.html"
-	fi
-    fi
+    setup_logread
 
     g_ipt_options="$g_ipt_options $g_ipt_options1"
 
@@ -1635,7 +1667,7 @@ do_dump_command() {
 
     echo
 
-    ss -${g_family}tunap
+    qt mywhich ss && ss -${g_family}tunap || { qt mywhich netstat && netatat -tunap; }
 
     if [ -n "$TC_ENABLED" ]; then
 	heading "Traffic Control"
@@ -3563,15 +3595,7 @@ get_config() {
 
     [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
-    [ -z "$LOGFILE" ] && LOGFILE=/var/log/messages
-
-    if ( ps ax 2> /dev/null | grep -v grep |  qt grep 'syslogd.*-C' ) ; then
-	g_logread="logread | tac"
-    elif [ -r $LOGFILE ]; then
-	g_logread="tac $LOGFILE"
-    else
-	fatal_error "LOGFILE ($LOGFILE) does not exist!"
-    fi
+    setup_logread
     #
     # See if we have a real version of "tail" -- use separate redirection so
     # that ash (aka /bin/sh on LRP) doesn't crap
@@ -3633,7 +3657,13 @@ get_config() {
 	VERBOSITY=2
     fi
 
-    g_hostname=$(hostname 2> /dev/null)
+    if qt mywhich hostname; then
+	g_hostname=$(hostname 2> /dev/null)
+    elif qt mywhich uname; then
+	g_hostname=$(uname -n 2> /dev/null)
+    else
+	g_hostname=localhost
+    fi
 
     if [ -n "$IPSET" ]; then
 	case "$IPSET" in
@@ -3974,7 +4004,7 @@ usage() # $1 = exit status
     echo "   status [ -i ]"
     echo "   stop"
     ecko "   try <directory> [ <timeout> ]"
-    ecko "   update [ -a ] [ -b ] [ -r ] [ -T ]  [ -D ] [ -i ] [-t] [-A] [ <directory> ]"
+    ecko "   update [ -a ] [ -b ] [ -r ] [ -T ]  [ -D ] [ -i ] [-t] [-s] [-n] [-A] [ <directory> ]"
     echo "   version [ -a ]"
     echo
     exit $1
@@ -4027,6 +4057,8 @@ shorewall_cli() {
     g_counters=
     g_loopback=
     g_compiled=
+    g_routestopped=
+    g_notrack=
 
     VERBOSE=
     VERBOSITY=1

Shorewall-core/lib.common

@@ -33,7 +33,7 @@ startup_error() # $* = Error Message
     echo "   ERROR: $@: Firewall state not changed" >&2
 
     if [ $LOG_VERBOSITY -ge 0 ]; then
-        timestamp="$(date +'%_b %d %T') "
+        timestamp="$(date +'%b %d %T') "
         echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
     fi
 
@@ -50,7 +50,7 @@ startup_error() # $* = Error Message
     esac
 
     if [ $LOG_VERBOSITY -ge 0 ]; then
-        timestamp="$(date +'%_b %d %T') "
+        timestamp="$(date +'%b %d %T') "
 
 	case $COMMAND in
 	    start)
@@ -70,24 +70,6 @@ startup_error() # $* = Error Message
     exit 2
 }
 
-#
-# Fatal Error
-#
-fatal_error() # $@ = Message
-{
-    echo "   ERROR: $@" >&2
-    exit 2
-}
-
-#
-# Not configured Error
-#
-not_configured_error() # $@ = Message
-{
-    echo "   ERROR: $@" >&2
-    exit 6
-}
-
 #
 # Get the Shorewall version of the passed script
 #
@@ -590,9 +572,9 @@ in_network() # $1 = IP address, $2 = CIDR network
 #
 # Query NetFilter about the existence of a filter chain
 #
-chain_exists() # $1 = chain name
+chain_exists() # $1 = chain name, $2 = table name (optional)
 {
-    qt1 $g_tool -L $1 -n
+    qt1 $g_tool -t ${2:-filter} -L $1 -n
 }
 
 #
@@ -800,12 +782,15 @@ mutex_on()
     local lockf
     lockf=${LOCKFILE:=${VARDIR}/lock}
     local lockpid
+    local lockd
 
     MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60}
 
     if [ $MUTEX_TIMEOUT -gt 0 ]; then
 
-	[ -d ${VARDIR} ] || mkdir -p ${VARDIR}
+	lockd=$(dirname $LOCKFILE)
+
+	[ -d "$lockd" ] || mkdir -p "$lockd"
 
 	if [ -f $lockf ]; then
 	    lockpid=`cat ${lockf} 2> /dev/null`
@@ -825,6 +810,11 @@ mutex_on()
 	    chmod u+w ${lockf}
 	    echo $$ > ${lockf}
 	    chmod u-w ${lockf}
+	elif qt mywhich lock; then
+            lock -${MUTEX_TIMEOUT} -r1 ${lockf}
+            chmod u+w ${lockf}
+            echo $$ > ${lockf}
+            chmod u-w ${lockf}
 	else
 	    while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
 		sleep 1

Shorewall-core/shorewallrc.debian.systemd

@@ -0,0 +1,23 @@
+#
+# Debian Shorewall 4.5 rc file
+#
+BUILD=					#Default is to detect the build system
+HOST=debian
+PREFIX=/usr				#Top-level directory for shared files, libraries, etc.
+SHAREDIR=${PREFIX}/share		#Directory for arch-neutral files.
+LIBEXECDIR=${PREFIX}/share		#Directory for executable scripts.
+PERLLIBDIR=${PREFIX}/share/shorewall	#Directory to install Shorewall Perl module directory
+CONFDIR=/etc				#Directory where subsystem configurations are installed
+SBINDIR=/sbin				#Directory where system administration programs are installed
+MANDIR=${PREFIX}/share/man		#Directory where manpages are installed.
+INITDIR=				#Directory where SysV init scripts are installed.
+INITFILE=				#Name of the product's installed SysV init script
+INITSOURCE=init.debian.sh		#Name of the distributed file to be installed as the SysV init script
+ANNOTATED=				#If non-zero, annotated configuration files are installed
+SYSCONFFILE=default.debian		#Name of the distributed file to be installed in $SYSCONFDIR
+SERVICEFILE=$PRODUCT.service.debian	#Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
+SYSCONFDIR=/etc/default			#Directory where SysV init parameter files are installed
+SERVICEDIR=/lib/systemd/system		#Directory where .service files are installed (systems running systemd only)
+SPARSE=Yes				#If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
+VARLIB=/var/lib				#Directory where product variable data is stored.
+VARDIR=${VARLIB}/$PRODUCT		#Directory where product variable data is stored.

Shorewall-core/shorewallrc.debian.sysvinit

@@ -15,9 +15,9 @@ INITFILE=$PRODUCT                       #Name of the product's installed SysV in
 INITSOURCE=init.debian.sh               #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                              #If non-zero, annotated configuration files are installed
 SYSCONFFILE=default.debian              #Name of the distributed file to be installed in $SYSCONFDIR
-SERVICEFILE=                      	#Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
+SERVICEFILE=				#Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFDIR=/etc/default                 #Directory where SysV init parameter files are installed
-SERVICEDIR=                             #Directory where .service files are installed (systems running systemd only)
+SERVICEDIR=				#Directory where .service files are installed (systems running systemd only)
 SPARSE=Yes                              #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                         #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.

Shorewall-core/shorewallrc.openwrt

@@ -0,0 +1,26 @@
+#
+# Created by Shorewall Core version 5.0.2-RC1 configure -  Fri, Nov 06, 2015 10:02:03 AM
+#
+# Input: host=openwrt
+#
+HOST=openwrt
+PREFIX=/usr                             
+SHAREDIR=${PREFIX}/share                
+LIBEXECDIR=${PREFIX}/share              
+PERLLIBDIR=${PREFIX}/share/shorewall    
+CONFDIR=/etc                            
+SBINDIR=/sbin                           
+MANDIR=${PREFIX}/man                    
+INITDIR=/etc/init.d                     
+INITSOURCE=init.openwrt.sh
+INITFILE=$PRODUCT                       
+AUXINITSOURCE=
+AUXINITFILE=
+SERVICEDIR=                             
+SERVICEFILE=                            
+SYSCONFFILE=default.openwrt
+SYSCONFDIR=${CONFDIR}/sysconfig
+SPARSE=                                 
+ANNOTATED=                              
+VARLIB=/lib
+VARDIR=${VARLIB}/$PRODUCT               

Shorewall-init/install.sh

@@ -397,6 +397,7 @@ if [ $HOST = debian ]; then
 
 	[ $configure -eq 1 ] || mkdir -p ${DESTDIR}${CONFDIR}/default
 	install_file sysconfig ${DESTDIR}${ETC}/default/shorewall-init 0644
+	echo "sysconfig file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
     fi
 
     IFUPDOWN=ifupdown.debian.sh
@@ -490,7 +491,11 @@ esac
 if [ -z "$DESTDIR" ]; then
     if [ $configure -eq 1 -a -n "$first_install" ]; then
 	if [ $HOST = debian ]; then
-	    if mywhich insserv; then
+	    if [ -n "$SERVICEDIR" ]; then
+		if systemctl enable ${PRODUCT}.service; then
+                    echo "Shorewall Init will start automatically at boot"
+		fi
+	    elif mywhich insserv; then
 		if insserv ${INITDIR}/shorewall-init; then
 		    echo "Shorewall Init will start automatically at boot"
 		else
@@ -554,7 +559,7 @@ fi
 
 [ -z "${DESTDIR}" ] && [ ! -f ~/.shorewallrc ] && cp ${SHAREDIR}/shorewall/shorewallrc .
 
-if [ -f ${DESTDIR}/etc/ppp ]; then
+if [ -d ${DESTDIR}/etc/ppp ]; then
     case $HOST in
 	debian|suse)
 	    for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do

Shorewall-init/shorewall-init.service

@@ -6,7 +6,6 @@
 [Unit]
 Description=Shorewall firewall (bootup security)
 Before=network.target
-Conflicts=iptables.service ip6tables.service firewalld.service
 
 [Service]
 Type=oneshot

Shorewall-init/shorewall-init.service.214

@@ -7,7 +7,6 @@
 Description=Shorewall firewall (bootup security)
 Before=network-pre.target
 Wants=network-pre.target
-Conflicts=iptables.service firewalld.service
 
 [Service]
 Type=oneshot

Shorewall-init/shorewall-init.service.214.debian

@@ -0,0 +1,21 @@
+#
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
+#
+#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
+#     Copyright 2015 Tom Eastep <teastep@shorewall.net>
+#
+[Unit]
+Description=Shorewall firewall (bootup security)
+Before=network-pre.target
+Wants=network-pre.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=-/etc/default/shorewall-init
+StandardOutput=syslog
+ExecStart=/sbin/shorewall-init start
+ExecStop=/sbin/shorewall-init stop
+
+[Install]
+WantedBy=basic.target

Shorewall-init/shorewall-init.service.debian

@@ -0,0 +1,20 @@
+#
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
+#
+#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
+#     Copyright 2015 Tom Eastep <teastep@shorewall.net>
+#
+[Unit]
+Description=Shorewall firewall (bootup security)
+Before=network.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=-/etc/default/shorewall-init
+StandardOutput=syslog
+ExecStart=/sbin/shorewall-init start
+ExecStop=/sbin/shorewall-init stop
+
+[Install]
+WantedBy=basic.target

Shorewall-init/uninstall.sh

@@ -174,9 +174,13 @@ if [ -f "$INITSCRIPT" ]; then
     remove_file $INITSCRIPT
 fi
 
-if [ -n "$SYSTEMD" ]; then
+if [ -z "${SERVICEDIR}" ]; then
+    SERVICEDIR="$SYSTEMD"
+fi
+
+if [ -n "$SERVICEDIR" ]; then
     [ $configure -eq 1 ] && systemctl disable shorewall-init.service
-    rm -f $SYSTEMD/shorewall-init.service
+    rm -f $SERVICEDIR/shorewall-init.service
 fi
 
 [ "$(readlink -m -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifup-local
@@ -202,8 +206,10 @@ if [ -d ${CONFDIR}/ppp ]; then
     done
 
     for file in if-up.local if-down.local; do
-	if grep -qF Shorewall-based ${CONFDIR}/ppp/$FILE; then
-	    remove_file ${CONFDIR}/ppp/$FILE
+	if [ -f ${CONFDIR}/ppp/$file ]; then
+	    if grep -qF Shorewall-based ${CONFDIR}/ppp/$FILE; then
+		remove_file ${CONFDIR}/ppp/$FILE
+	    fi
 	fi
     done
 fi

Shorewall-lite/install.sh

@@ -67,15 +67,6 @@ mywhich() {
     return 2
 }
 
-run_install()
-{
-    if ! install $*; then
-	echo
-	echo "ERROR: Failed to install $*" >&2
-	exit 1
-    fi
-}
-
 cant_autostart()
 {
     echo
@@ -89,7 +80,28 @@ delete_file() # $1 = file to delete
 
 install_file() # $1 = source $2 = target $3 = mode
 {
-    run_install $T $OWNERSHIP -m $3 $1 ${2}
+    if cp -f $1 $2; then
+	if chmod $3 $2; then
+	    if [ -n "$OWNER" ]; then
+		if chown $OWNER:$GROUP $2; then
+		    return
+		fi
+	    else
+		return 0
+	    fi
+	fi
+    fi
+
+    echo "ERROR: Failed to install $2" >&2
+    exit 1
+}
+
+make_directory() # $1 = directory , $2 = mode
+{
+    mkdir -p $1
+    chmod 755 $1
+    [ -n "$OWNERSHIP" ] && chown $OWNERSHIP $1
+
 }
 
 require()
@@ -187,7 +199,7 @@ elif [ -z "${VARDIR}" ]; then
     VARDIR=${VARLIB}/${PRODUCT}
 fi
 
-for var in SHAREDIR LIBEXECDIRDIRDIR CONFDIR SBINDIR VARLIB VARDIR; do
+for var in SHAREDIR LIBEXECDIR CONFDIR SBINDIR VARLIB VARDIR; do
     require $var
 done
 
@@ -201,8 +213,6 @@ PATH=${SBINDIR}:/bin:/usr${SBINDIR}:/usr/bin:/usr/local/bin:/usr/local${SBINDIR}
 # Determine where to install the firewall script
 #
 cygwin=
-INSTALLD='-D'
-T='-T'
 
 if [ -z "$BUILD" ]; then
     case $(uname) in
@@ -245,6 +255,8 @@ if [ -z "$BUILD" ]; then
 		BUILD=slackware
 	    elif [ -f ${CONFDIR}/arch-release ] ; then
 		BUILD=archlinux
+	    elif [ -f ${CONFDIR}/openwrt_release ]; then
+		BUILD=openwrt
 	    else
 		BUILD=linux
 	    fi
@@ -260,16 +272,16 @@ case $BUILD in
     apple)
 	[ -z "$OWNER" ] && OWNER=root
 	[ -z "$GROUP" ] && GROUP=wheel
-	INSTALLD=
-	T=
 	;;
     *)
-	[ -z "$OWNER" ] && OWNER=root
-	[ -z "$GROUP" ] && GROUP=root
+	if [ $(id -u) -eq 0 ]; then
+	    [ -z "$OWNER" ] && OWNER=root
+	    [ -z "$GROUP" ] && GROUP=root
+	fi
 	;;
 esac
 
-OWNERSHIP="-o $OWNER -g $GROUP"
+[ -n "$OWNER" ] && OWNERSHIP="$OWNER:$GROUP"
 
 [ -n "$HOST" ] || HOST=$BUILD
 
@@ -300,6 +312,9 @@ case "$HOST" in
     suse)
 	echo "Installing Suse-specific configuration..."
 	;;
+    openwrt)
+	echo "Installing OpenWRT-specific configuration..."
+	;;
     linux)
 	;;
     *)
@@ -316,8 +331,9 @@ if [ -n "$DESTDIR" ]; then
 	OWNERSHIP=""
     fi
 
-    install -d $OWNERSHIP -m 755 ${DESTDIR}/${SBINDIR}
-    install -d $OWNERSHIP -m 755 ${DESTDIR}${INITDIR}
+    make_directory ${DESTDIR}${SBINDIR} 755
+    make_directory ${DESTDIR}${INITDIR} 755
+
 else
     if [ ! -f ${SHAREDIR}/shorewall/coreversion ]; then
 	echo "$PRODUCT $VERSION requires Shorewall Core which does not appear to be installed" >&2
@@ -357,7 +373,7 @@ fi
 delete_file ${DESTDIR}/usr/share/$PRODUCT/xmodules
 
 install_file $PRODUCT ${DESTDIR}${SBINDIR}/$PRODUCT 0544
-[ -n "${INITFILE}" ] && install -d $OWNERSHIP -m 755 ${DESTDIR}${INITDIR}
+[ -n "${INITFILE}" ] && make_directory ${DESTDIR}${INITDIR} 755
 
 echo "$Product control program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"
 
@@ -399,7 +415,7 @@ fi
 if [ -n "$SERVICEDIR" ]; then
     mkdir -p ${DESTDIR}${SERVICEDIR}
     [ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service
-    run_install $OWNERSHIP -m 644 $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
+    install_file $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service 644
     [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
     echo "Service file $SERVICEFILE installed as ${DESTDIR}${SERVICEDIR}/$PRODUCT.service"
 fi
@@ -421,9 +437,9 @@ fi
 #
 # Install the  Makefile
 #
-run_install $OWNERSHIP -m 0600 Makefile ${DESTDIR}${CONFDIR}/$PRODUCT
-[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${CONFDIR}/$PRODUCT/Makefile
-[ $SBINDIR = /sbin ]       || eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\'       ${DESTDIR}/${CONFDIR}/$PRODUCT/Makefile
+install_file Makefile ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile 0600
+[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile
+[ $SBINDIR = /sbin ]       || eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\'       ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile
 echo "Makefile installed as ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile"
 
 #
@@ -438,7 +454,7 @@ echo "Default config path file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/confi
 for f in lib.* ; do
     if [ -f $f ]; then
 	install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
-	echo "Library ${f#*.} file installed as ${DESTDIR}/${SHAREDIR}/$PRODUCT/$f"
+	echo "Library ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
     fi
 done
 
@@ -451,7 +467,7 @@ echo "Common functions linked through ${DESTDIR}${SHAREDIR}/$PRODUCT/functions"
 #
 
 install_file shorecap ${DESTDIR}${LIBEXECDIR}/$PRODUCT/shorecap 0755
-[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${LIBEXECDIR}/$PRODUCT/shorecap
+[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${LIBEXECDIR}/$PRODUCT/shorecap
 
 echo
 echo "Capability file builder installed in ${DESTDIR}${LIBEXECDIR}/$PRODUCT/shorecap"
@@ -461,17 +477,17 @@ echo "Capability file builder installed in ${DESTDIR}${LIBEXECDIR}/$PRODUCT/shor
 #
 
 if [ -f modules ]; then
-    run_install $OWNERSHIP -m 0600 modules ${DESTDIR}${SHAREDIR}/$PRODUCT
+    install_file modules ${DESTDIR}${SHAREDIR}/$PRODUCT/modules 0600
     echo "Modules file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/modules"
 fi
 
 if [ -f helpers ]; then
-    run_install $OWNERSHIP -m 0600 helpers ${DESTDIR}${SHAREDIR}/$PRODUCT
+    install_file helpers ${DESTDIR}${SHAREDIR}/$PRODUCT/helpers 600
     echo "Helper modules file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/helpers"
 fi
 
 for f in modules.*; do
-    run_install $OWNERSHIP -m 0644 $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f
+    install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 644
     echo "Module file $f installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
 done
 
@@ -482,17 +498,17 @@ done
 if [ -d manpages ]; then
     cd manpages
 
-    [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man5/ ${DESTDIR}${MANDIR}/man8/
+    mkdir -p ${DESTDIR}${MANDIR}/man5/ ${DESTDIR}${MANDIR}/man8/
 
     for f in *.5; do
 	gzip -c $f > $f.gz
-	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}${MANDIR}/man5/$f.gz
+	install_file $f.gz ${DESTDIR}${MANDIR}/man5/$f.gz 644
 	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man5/$f.gz"
     done
 
     for f in *.8; do
 	gzip -c $f > $f.gz
-	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz
+	install_file $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz 644
 	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man8/$f.gz"
     done
 
@@ -502,7 +518,7 @@ if [ -d manpages ]; then
 fi
 
 if [ -d ${DESTDIR}${CONFDIR}/logrotate.d ]; then
-    run_install $OWNERSHIP -m 0644 logrotate ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT
+    install_file logrotate ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT 644
     echo "Logrotate file installed as ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT"
 fi
 
@@ -533,13 +549,13 @@ if [ -n "$SYSCONFFILE" -a -f "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PR
 	chmod 755 ${DESTDIR}${SYSCONFDIR}
     fi
 
-    run_install $OWNERSHIP -m 0644 ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/${PRODUCT}
+    install_file ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/${PRODUCT} 0640
     echo "$SYSCONFFILE installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
 fi
 
 if [ ${SHAREDIR} != /usr/share ]; then
-    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${SHAREDIR}/${PRODUCT}/lib.base
-    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${SBINDIR}/$PRODUCT
+    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.base
+    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/$PRODUCT
 fi
 
 if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
@@ -587,6 +603,13 @@ if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${
 	else
 	    cant_autostart
 	fi
+    elif [ $HOST = openwrt -a -f ${CONFDIR}/rc.common ]; then
+	/etc/init.d/$PRODUCT enable
+	if /etc/init.d/$PRODUCT enabled; then
+            echo "$PRODUCT will start automatically at boot"
+	else
+            cant_autostart
+	fi
     elif [ "$INITFILE" != rc.${PRODUCT} ]; then #Slackware starts this automatically
 	cant_autostart
     fi

Shorewall-lite/shorewall-lite.service.debian

@@ -0,0 +1,22 @@
+#
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
+#
+#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
+#     Copyright 2015 Tom Eastep <teastep@shorewall.net>
+#
+[Unit]
+Description=Shorewall IPv4 firewall (lite)
+Wants=network-online.target
+After=network-online.target
+Conflicts=iptables.service firewalld.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=-/etc/default/shorewall-lite
+StandardOutput=syslog
+ExecStart=/sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
+ExecStop=/sbin/shorewall-lite $OPTIONS stop
+
+[Install]
+WantedBy=basic.target

Shorewall-lite/uninstall.sh

@@ -168,7 +168,15 @@ if [ $configure -eq 1 ]; then
 fi
 
 if [ -L ${SHAREDIR}/shorewall-lite/init ]; then
-    FIREWALL=$(readlink -m -q ${SHAREDIR}/shorewall-lite/init)
+    if [ $HOST = openwrt ]; then
+	if [ $configure -eq 1 ] && /etc/init.d/shorewall-lite enabled; then
+	    /etc/init.d/shorewall-lite disable
+	fi
+	
+	FIREWALL=$(readlink ${SHAREDIR}/shorewall-lite/init)
+    else
+	FIREWALL=$(readlink -m -q ${SHAREDIR}/shorewall-lite/init)
+    fi
 elif [ -n "$INITFILE" ]; then
     FIREWALL=${INITDIR}/${INITFILE}
 fi
@@ -187,9 +195,11 @@ if [ -f "$FIREWALL" ]; then
     remove_file $FIREWALL
 fi
 
-if [ -n "$SYSTEMD" ]; then
+[ -z "$SERVICEDIR" ] && SERVICEDIR="$SYSTEMD"
+
+if [ -n "$SERVICEDIR" ]; then
     [ $configure -eq 1 ] && systemctl disable ${PRODUCT}
-    rm -f $SYSTEMD/shorewall-lite.service
+    rm -f $SERVICEDIR/shorewall-lite.service
 fi
 
 rm -f ${SBINDIR}/shorewall-lite
@@ -199,6 +209,7 @@ rm -rf ${VARDIR}/shorewall-lite
 rm -rf ${SHAREDIR}/shorewall-lite
 rm -rf ${LIBEXECDIR}/shorewall-lite
 rm -f  ${CONFDIR}/logrotate.d/shorewall-lite
+rm -f  ${SYSCONFDIR}/shorewall-lite
 
 rm -f ${MANDIR}/man5/shorewall-lite*
 rm -f ${MANDIR}/man8/shorewall-lite*

Shorewall/Macros/macro.Tinc

@@ -9,3 +9,4 @@
 #ACTION SOURCE  DEST    PROTO   DEST    SOURCE  RATE    USER/
 #                               PORT(S) PORT(S) LIMIT   GROUP
 PARAM   -       -       udp     655
+PARAM   -       -       tcp     655

Shorewall/Perl/Shorewall/Accounting.pm

@@ -521,9 +521,9 @@ sub setup_accounting() {
 
 		while ( $chainswithjumps && $progress ) {
 		    $progress = 0;
-		    for my $chain1 (  keys %accountingjumps ) {
+		    for my $chain1 ( sort  keys %accountingjumps ) {
 			if ( keys %{$accountingjumps{$chain1}} ) {
-			    for my $chain2 ( keys %{$accountingjumps{$chain1}} ) {
+			    for my $chain2 ( sort keys %{$accountingjumps{$chain1}} ) {
 				delete $accountingjumps{$chain1}{$chain2}, $progress = 1 unless $accountingjumps{$chain2};
 			    }
 			} else {

Shorewall/Perl/Shorewall/Chains.pm

@@ -1162,7 +1162,7 @@ sub merge_rules( $$$ ) {
 	}
     }
 
-    for my $option ( grep ! $opttype{$_} || $_ eq 'nfacct' || $_ eq 'recent', keys %$fromref ) {
+    for my $option ( grep ! $opttype{$_} || $_ eq 'nfacct' || $_ eq 'recent', sort { $b cmp $a } keys %$fromref ) {
 	set_rule_option( $toref, $option, $fromref->{$option} );
     }
 
@@ -1178,7 +1178,7 @@ sub merge_rules( $$$ ) {
 
     set_rule_option( $toref, 'policy', $fromref->{policy} ) if exists $fromref->{policy};
 
-    for my $option ( grep( get_opttype( $_, 0 ) == EXPENSIVE, keys %$fromref ) ) {
+    for my $option ( grep( get_opttype( $_, 0 ) == EXPENSIVE, sort keys %$fromref ) ) {
 	set_rule_option( $toref, $option, $fromref->{$option} );
     }
 
@@ -3256,7 +3256,7 @@ sub optimize_level4( $$ ) {
 	$progress = 0;
 	$passes++;
 
-	my @chains  = grep $_->{referenced}, values %$tableref;
+	my @chains  = grep $_->{referenced}, sort { $a->{name} cmp $b->{name} } values %$tableref;
 	my $chains  = @chains;
 
 	progress_message "\n Table $table pass $passes, $chains referenced chains, level 4a...";
@@ -3577,7 +3577,7 @@ sub optimize_level8( $$$ ) {
 	}
 
 	if ( $progress ) {
-	    my @rename = keys %rename;
+	    my @rename = sort keys %rename;
 	    #
 	    # First create aliases for each renamed chain and change the {name} member.
 	    #
@@ -4855,7 +4855,7 @@ sub validate_mark( $ ) {
 
 sub verify_small_mark( $ ) {
     my $val = validate_mark ( (my $mark) = $_[0] );
-    fatal_error "Mark value ($mark) too large" if numeric_value( $mark ) > $globals{TC_MAX};
+    fatal_error "Mark value ($mark) too large" if numeric_value( $mark ) > $globals{SMALL_MASK};
     $val;
 }
 
@@ -6816,48 +6816,55 @@ sub set_global_variables( $$ ) {
     my ( $setall, $conditional ) = @_;
 
     if ( $conditional ) {
-	my ( $interface, $code );
+	my ( $interface, @interfaces );
 
-	while ( ( $interface, $code ) = each %interfaceaddr ) {
-	    emit( qq([ -z "\$interface" -o "\$interface" = "$interface" ] && $code) );
+	@interfaces = sort keys %interfaceaddr;
+
+	for $interface ( @interfaces ) {
+	    emit( qq([ -z "\$interface" -o "\$interface" = "$interface" ] && $interfaceaddr{$interface}) );
 	}
 
-	while ( ( $interface, $code ) = each %interfacegateways ) {
+	@interfaces = sort keys %interfacegateways;
+
+	for $interface ( @interfaces ) {
 	    emit( qq(if [ -z "\$interface" -o "\$interface" = "$interface" ]; then) );
 	    push_indent;
-	    emit( $code );
+	    emit( $interfacegateways{$interface} );
 	    pop_indent;
 	    emit( qq(fi\n) );
 	}
 
-	while ( ( $interface, $code ) = each %interfacemacs ) {
-	    emit( qq([ -z "\$interface" -o "\$interface" = "$interface" ] && $code) );
+	@interfaces = sort keys %interfacemacs;
+
+	for $interface ( @interfaces ) {
+	    emit( qq([ -z "\$interface" -o "\$interface" = "$interface" ] && $interfacemacs{$interface}) );
 	}
     } else {
-	emit $_     for values %interfaceaddr;
-	emit "$_\n" for values %interfacegateways;
-	emit $_     for values %interfacemacs;
+	emit $_     for sort values %interfaceaddr;
+	emit "$_\n" for sort values %interfacegateways;
+	emit $_     for sort values %interfacemacs;
     }
 
     if ( $setall ) {
-	emit $_ for values %interfaceaddrs;
-	emit $_ for values %interfacenets;
+	emit $_ for sort values %interfaceaddrs;
+	emit $_ for sort values %interfacenets;
 
 	unless ( have_capability( 'ADDRTYPE' ) ) {
 
 	    if ( $family == F_IPV4 ) {
 		emit 'ALL_BCASTS="$(get_all_bcasts) 255.255.255.255"';
-		emit $_ for values %interfacebcasts;
+		emit $_ for sort values %interfacebcasts;
 	    } else {
 		emit 'ALL_ACASTS="$(get_all_acasts)"';
-		emit $_ for values %interfaceacasts;
+		emit $_ for sort values %interfaceacasts;
 	    }
 	}
     }
 }
 
 sub verify_address_variables() {
-    while ( my ( $variable, $type ) = ( each %address_variables ) ) {
+    for my $variable ( sort keys %address_variables ) {
+	my $type = $address_variables{$variable};
 	my $address = "\$$variable";
 
 	if ( $type eq '&' ) {
@@ -7022,7 +7029,7 @@ sub isolate_source_interface( $ ) {
 	    $inets  = $2;
 	} elsif ( $source =~ /^(.+?):\[(.+)\]\s*$/ ||
 		  $source =~ /^(.+?):(!?\+.+)$/    ||
-		  $source =~ /^(.+?):(!?[&%].+)$/  ||
+		  $source =~ /^(.+?):(!?[&%~].+)$/ ||
 		  $source =~ /^(.+?):(\[.+\]\/(?:\d+))\s*$/
 		) {
 	    $iiface = $1;
@@ -7697,7 +7704,7 @@ sub add_interface_options( $ ) {
 	#
 	# Generate a digest for each chain
 	#
-	for my $chainref ( values %input_chains, values %forward_chains ) {
+	for my $chainref ( sort { $a->{name} cmp $b->{name} } values %input_chains, values %forward_chains ) {
 	    my $digest = '';
 
 	    assert( $chainref );
@@ -7716,7 +7723,7 @@ sub add_interface_options( $ ) {
 	# Insert jumps to the interface chains into the rules chains
 	#
 	for my $zone1 ( off_firewall_zones ) {
-	    my @input_interfaces   = keys %{zone_interfaces( $zone1 )};
+	    my @input_interfaces   = sort keys %{zone_interfaces( $zone1 )};
 	    my @forward_interfaces = @input_interfaces;
 
 	    if ( @input_interfaces > 1 ) {
@@ -7798,7 +7805,7 @@ sub add_interface_options( $ ) {
 	for my $zone1 ( firewall_zone, vserver_zones ) {
 	    for my $zone2 ( off_firewall_zones ) {
 		my $chainref = $filter_table->{rules_chain( $zone1, $zone2 )};
-		my @interfaces = keys %{zone_interfaces( $zone2 )};
+		my @interfaces = sort keys %{zone_interfaces( $zone2 )};
 		my $chain1ref;
 
 		for my $interface ( @interfaces ) {
@@ -8267,7 +8274,7 @@ sub load_ipsets() {
 #
 sub create_nfobjects() {
     
-    my @objects = ( keys %nfobjects );
+    my @objects = ( sort keys %nfobjects );
 
     if ( @objects ) {
 	if ( $config{NFACCT} ) {
@@ -8282,7 +8289,7 @@ sub create_nfobjects() {
 	}
     }
 
-    for ( keys %nfobjects ) {
+    for ( sort keys %nfobjects ) {
 	emit( qq(if ! qt \$NFACCT get $_; then),
 	      qq(    \$NFACCT add $_),
 	      qq(fi\n) );
@@ -8700,7 +8707,8 @@ sub initialize_switches() {
     if ( keys %switches ) {
 	emit( 'if [ $COMMAND = start ]; then' );
 	push_indent;
-	while ( my ( $switch, $setting ) = each %switches ) {
+	for my $switch ( sort keys %switches ) {
+	    my $setting = $switches{$switch};
 	    my $file = "/proc/net/nf_condition/$switch";
 	    emit "[ -f $file ] && echo $setting->{setting} > $file";
 	}

Shorewall/Perl/Shorewall/Compiler.pm

@@ -592,8 +592,8 @@ EOF
 #
 sub compiler {
 
-    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $convert, $config_path, $shorewallrc                      , $shorewallrc1 , $directives, $inline, $tcrules ) =
-       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0,        0,         0,        0,        , 0       , ''          , '/usr/share/shorewall/shorewallrc', ''            , 0 ,          0 ,      0 );
+    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $convert, $config_path, $shorewallrc                      , $shorewallrc1 , $directives, $inline, $tcrules, $routestopped , $notrack ) =
+       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0,        0,         0,        0,        , 0       , ''          , '/usr/share/shorewall/shorewallrc', ''            , 0 ,          0 ,      0 ,       0 ,             0 );
 
     $export         = 0;
     $test           = 0;
@@ -634,6 +634,8 @@ sub compiler {
 		  inline        => { store => \$inline,        validate=> \&validate_boolean    } ,
 		  directives    => { store => \$directives,    validate=> \&validate_boolean    } ,
 		  tcrules       => { store => \$tcrules,       validate=> \&validate_boolean    } ,
+		  routestopped  => { store => \$routestopped,  validate=> \&validate_boolean    } ,
+		  notrack       => { store => \$notrack,       validate=> \&validate_boolean    } ,
 		  config_path   => { store => \$config_path } ,
 		  shorewallrc   => { store => \$shorewallrc } ,
 		  shorewallrc1  => { store => \$shorewallrc1 } ,
@@ -737,7 +739,7 @@ sub compiler {
     #
     # Do all of the zone-independent stuff (mostly /proc)
     #
-    add_common_rules( $convert, $tcrules );
+    add_common_rules( $convert, $tcrules , $routestopped );
     #
     # More /proc
     #
@@ -844,7 +846,7 @@ sub compiler {
     #
     # Process the conntrack file
     #
-    setup_conntrack;
+    setup_conntrack( $notrack );
     #
     # Add Tunnel rules.
     #
@@ -911,7 +913,7 @@ sub compiler {
 	#                           S T O P _ F I R E W A L L
 	#         (Writes the stop_firewall() function to the compiled script)
 	#
-	compile_stop_firewall( $test, $export , $have_arptables );
+	compile_stop_firewall( $test, $export , $have_arptables, $routestopped );
 	#
 	#                               U P D O W N
 	#               (Writes the updown() function to the compiled script)
@@ -976,14 +978,15 @@ sub compiler {
 	initialize_chain_table(0);
 
 	if ( $debug ) {
-	    compile_stop_firewall( $test, $export, $have_arptables );
+	    compile_stop_firewall( $test, $export, $have_arptables, $routestopped );
 	    disable_script;
 	} else {
 	    #
-	    # compile_stop_firewall() also validates the routestopped file. Since we don't
-	    # call that function during normal 'check', we must validate routestopped here.
+	    # compile_stop_firewall() also validates the stoppedrules file. Since we don't
+	    # call that function during normal 'check', we must validate stoppedrules here.
 	    #
-	    process_routestopped unless process_stoppedrules;
+	    convert_routestopped if $routestopped;
+	    process_stoppedrules;
 	}
 	#
 	# Report used/required capabilities

Shorewall/Perl/Shorewall/Config.pm

@@ -124,6 +124,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       set_shorewall_dir
 				       set_debug
 				       find_file
+				       find_writable_file
 				       split_list
 				       split_list1
 				       split_list2
@@ -618,6 +619,8 @@ our %deprecated = ( LOGRATE            => '' ,
 our %converted = ( WIDE_TC_MARKS => 1,
 		   HIGH_ROUTE_MARKS => 1,
 		   BLACKLISTNEWONLY => 1,
+		   LOGRATE => 1,
+		   LOGBURST => 1,
 		 );
 #
 # Variables involved in ?IF, ?ELSE ?ENDIF processing
@@ -1867,6 +1870,20 @@ sub find_file($)
     "$config_path[0]$filename";
 }
 
+sub find_writable_file($) {
+    my ( $filename, $nosearch ) = @_;
+
+    return $filename if $filename =~ '/';
+
+    for my $directory ( @config_path ) {
+	next if $directory =~ m|^$globals{SHAREDIR}/configfiles/?$| || $directory =~ m|^$shorewallrc{SHAREDIR}/doc/default-config/?$|;
+	my $file = "$directory$filename";
+	return $file if -f $file && -w _;
+    }
+
+    "$config_path[0]$filename";
+}
+
 #
 # Split a comma-separated list into a Perl array
 #
@@ -2143,7 +2160,7 @@ sub split_line2( $$;$$$ ) {
 	    #
 	    # This file supports INLINE or IPTABLES
 	    #
-	    if ( $currentline =~ /^\s*INLINE(?:\(.*\)|:.*)?\s/ || $currentline =~ /^\s*IP6?TABLES(?:\(.*\)|:.*)?\s/ ) {
+	    if ( $currentline =~ /^\s*INLINE(?:\(.*\)(:.*)?|:.*)?\s/ || $currentline =~ /^\s*IP6?TABLES(?:\(.*\)|:.*)?\s/ ) {
 		$inline_matches = $pairs;
 
 		if ( $columns =~ /^(\s*|.*[^&@%]){(.*)}\s*$/ ) {
@@ -4805,6 +4822,12 @@ sub conditional_quote( $ ) {
 #
 # Update the shorewall[6].conf file. Save the current file with a .bak suffix.
 #
+sub update_default($$) {
+    my ( $var, $val ) = @_;
+
+    $config{$var} = $val unless defined $config{$var};
+}
+
 sub update_config_file( $$ ) {
     my ( $annotate, $directives ) = @_;
 
@@ -4824,6 +4847,45 @@ sub update_config_file( $$ ) {
     $config{PROVIDER_OFFSET} = ( $high ? $wide ? 16 : 8 : 0 ) unless defined $config{PROVIDER_OFFSET};
     $config{PROVIDER_BITS}   = 8                              unless defined $config{PROVIDER_BITS};
 
+    unless ( supplied $config{LOGLIMIT} ) {
+	if ( $config{LOGRATE} || $config{LOGBURST} ) {
+	    my $limit;
+
+	    if ( supplied $config{LOGRATE} ) {
+		fatal_error"Invalid LOGRATE ($config{LOGRATE})" unless $config{LOGRATE}  =~ /^\d+\/(second|minute)$/;
+		$limit = $config{LOGRATE};
+	    }
+
+	    if ( supplied $config{LOGBURST} ) {
+		fatal_error"Invalid LOGBURST ($config{LOGBURST})" unless $config{LOGBURST} =~ /^\d+$/;
+		$limit .= ":$config{LOGBURST}";
+	    }
+
+	    $config{LOGLIMIT} = $limit;
+
+	    $config{LOGRATE} = $config{LOGBURST} = undef;
+	}
+    }
+
+    unless ( supplied $config{BLACKLIST} ) {
+	if ( $config{BLACKLISTNEWONLY} ) {
+	    default_yes_no 'BLACKLISTNEWONLY'           , '';
+
+	    if ( have_capability 'RAW_TABLE' ) {
+		$globals{BLACKLIST_STATES} = $config{BLACKLISTNEWONLY} ? 'NEW,INVALID,UNTRACKED' : 'NEW,ESTABLISHED,INVALID,UNTRACKED';
+	    } else {
+		$globals{BLACKLIST_STATES} = $config{BLACKLISTNEWONLY} ? 'NEW,INVALID' : 'NEW,ESTABLISHED,INVALID';
+	    }
+
+	    $config{BLACKLIST} = $globals{BLACKLIST_STATES};
+
+	    $config{BLACKLISTNEWONLY} = undef;
+	}
+    }
+
+    update_default( 'USE_DEFAULT_RT', 'No' );
+    update_default( 'EXPORTMODULES',  'No' );
+
     my $fn;
 
     unless ( -d "$globals{SHAREDIR}/configfiles/" ) {
@@ -4837,7 +4899,8 @@ sub update_config_file( $$ ) {
 	#
 	$fn = $annotate ? "$globals{SHAREDIR}/configfiles/${product}.conf.annotated" : "$globals{SHAREDIR}/configfiles/${product}.conf";
     }
-   if ( -f $fn ) {
+
+    if ( -f $fn ) {
 	my ( $template, $output );
 
 	open $template, '<' , $fn or fatal_error "Unable to open $fn: $!";
@@ -4925,8 +4988,12 @@ EOF
 	    }
 
 	    exit 0 unless ( $directives ||
-			    -f find_file 'blacklist' ||
-			    -f find_file 'tcrules' );
+			    -f find_file 'blacklist'    ||
+			    -f find_file 'tcrules'      ||
+			    -f find_file 'routestopped' ||
+			    -f find_file 'notrack'      ||
+			    -f find_file 'tos'
+			  );
 	}
     } else {
 	fatal_error "$fn does not exist";
@@ -5038,56 +5105,41 @@ sub read_capabilities() {
 }
 
 #
-# Get the system's capabilities, either by probing or by reading a capabilities file
+# Get the system's capabilities by probing
 #
-sub get_capabilities( $ ) 
+sub get_capabilities($) 
 {
-    my $export = $_[0];
+    $iptables = $config{$toolNAME};
 
-    if ( ! $export && $> == 0 ) { # $> == $EUID
-	$iptables = $config{$toolNAME};
-
-	if ( $iptables ) {
-	    fatal_error "$toolNAME=$iptables does not exist or is not executable" unless -x $iptables;
-	} else {
-	    fatal_error "Can't find $toolname executable" unless $iptables = which $toolname;
-	}
-	#
-	# Determine if iptables supports the -w option
-	#
-	$iptablesw = qt1( "$iptables -w -L -n") ? '-w' : '';
-
-	my $iptables_restore=$iptables . '-restore';
-
-	fatal_error "$iptables_restore does not exist or is not executable" unless -x $iptables_restore;
-
-	$tc = $config{TC} || which 'tc';
-
-	if ( $tc ) {
-	    fatal_error "TC=$tc does not exist or is not executable" unless -x $tc;
-	}
-
-	$ip = $config{IP} || which 'ip';
-
-	if ( $ip ) {
-	    fatal_error "IP=$ip does not exist or is not executable" unless -x $ip;
-	}
-
-	load_kernel_modules;
-
-	if ( open_file 'capabilities' ) {
-	    read_capabilities;
-	} else {
-	    determine_capabilities;
-	}
+    if ( $iptables ) {
+	fatal_error "$toolNAME=$iptables does not exist or is not executable" unless -x $iptables;
     } else {
-	unless ( open_file 'capabilities' ) {
-	    fatal_error "The -e compiler option requires a capabilities file" if $export;
-	    fatal_error "Compiling under non-root uid requires a capabilities file";
-	}
-
-	read_capabilities;
+	fatal_error "Can't find $toolname executable" unless $iptables = which $toolname;
     }
+    #
+    # Determine if iptables supports the -w option
+    #
+    $iptablesw = qt1( "$iptables -w -L -n") ? '-w' : '';
+
+    my $iptables_restore=$iptables . '-restore';
+
+    fatal_error "$iptables_restore does not exist or is not executable" unless -x $iptables_restore;
+
+    $tc = $config{TC} || which 'tc';
+
+    if ( $tc ) {
+	fatal_error "TC=$tc does not exist or is not executable" unless -x $tc;
+    }
+
+    $ip = $config{IP} || which 'ip';
+
+    if ( $ip ) {
+	fatal_error "IP=$ip does not exist or is not executable" unless -x $ip;
+    }
+
+    load_kernel_modules;
+
+    determine_capabilities unless $_[0];
 }
 
 #
@@ -5114,6 +5166,7 @@ sub unsupported_yes_no_warning( $ ) {
 #
 sub get_params( $ ) {
     my $export = $_[0];
+    my $cygwin = ( $shorewallrc{HOST} eq 'cygwin' );
 
     my $fn = find_file 'params';
 
@@ -5155,14 +5208,16 @@ sub get_params( $ ) {
 	    $shell = BASH;
 
 	    for ( @params ) {
-		if ( /^declare -x (.*?)="(.*[^\\])"$/ ) {
+		chomp;
+		if ( $cygwin && /^declare -x (.*?)="(.*)"$/ ) {
+		    $params{$1} = $2 unless $1 eq '_';
+		} elsif ( /^declare -x (.*?)="(.*[^\\])"$/ ) {
 		    $params{$1} = $2 unless $1 eq '_';
 		} elsif ( /^declare -x (.*?)="(.*)$/ ) {
 		    $params{$variable=$1} = $2 eq '"' ? '' : "${2}\n";
 		} elsif ( /^declare -x (.*)\s+$/ || /^declare -x (.*)=""$/ ) {
 		    $params{$1} = '';
 		} else {
-		    chomp;
 		    if ($variable) {
 			s/"$//;
 			$params{$variable} .= $_;
@@ -5183,14 +5238,16 @@ sub get_params( $ ) {
 	    $shell = OLDBASH;
 
 	    for ( @params ) {
-		if ( /^export (.*?)="(.*[^\\])"$/ ) {
+		chomp;
+		if ( $cygwin && /^export (.*?)="(.*)"$/ ) {
+		    $params{$1} = $2 unless $1 eq '_';
+		} elsif ( /^export (.*?)="(.*[^\\])"$/ ) {
 		    $params{$1} = $2 unless $1 eq '_';
 		} elsif ( /^export (.*?)="(.*)$/ ) {
 		    $params{$variable=$1} = $2 eq '"' ? '' : "${2}\n";
 		} elsif ( /^export ([^\s=]+)\s*$/ || /^export (.*)=""$/ ) {
 		    $params{$1} = '';
 		} else {
-		    chomp;
 		    if ($variable) {
 			s/"$//;
 			$params{$variable} .= $_;
@@ -5210,6 +5267,7 @@ sub get_params( $ ) {
 	    $shell = ASH;
 
 	    for ( @params ) {
+		chomp;
 		if ( /^export (.*?)='(.*'"'"')$/ ) {
 		    $params{$variable=$1}="${2}\n";
 		} elsif ( /^export (.*?)='(.*)'$/ ) {
@@ -5217,7 +5275,6 @@ sub get_params( $ ) {
 		} elsif ( /^export (.*?)='(.*)$/ ) {
 		    $params{$variable=$1}="${2}\n";
 		} else {
-		    chomp;
 		    if ($variable) {
 			s/'$//;
 			$params{$variable} .= $_;
@@ -5229,9 +5286,23 @@ sub get_params( $ ) {
 	}
 
 	for ( keys %params ) {
-	    unless ( $_ eq 'SHOREWALL_INIT_SCRIPT' ) {
-		fatal_error "The variable name $_ is reserved and may not be set in the params file"
-		    if /^SW_/ || /^SHOREWALL_/ || ( exists $config{$_} && ! exists $ENV{$_} ) || exists $reserved{$_};
+	    if ( /[^\w]/ ) {
+		#
+		# Useless variable with special characters in its name
+		#
+		delete $params{$_};
+	    } elsif ( /^(?:SHLVL|OLDPWD)$/ ) {
+		#
+		# The shell running getparams generates those
+		#
+		delete $params{$_};
+	    } else {
+		unless ( $_ eq 'SHOREWALL_INIT_SCRIPT' ) {
+		    fatal_error "The variable name $_ is reserved and may not be set in the params file"
+			if /^SW_/ || /^SHOREWALL_/ || ( exists $config{$_} && ! exists $ENV{$_} ) || exists $reserved{$_};
+		}
+
+		$params{$_} = '' unless defined $params{$_};
 	    }
 	}
 
@@ -5281,6 +5352,8 @@ sub export_params() {
 	next if exists $compiler_params{$param};
 
 	my $value = $params{$param};
+
+	chomp $value;
 	#
 	# Values in %params are generated from the output of 'export -p'.
 	# The different shells have different conventions for delimiting
@@ -5291,19 +5364,27 @@ sub export_params() {
 	    $value =~ s/\\"/"/g;
 	} elsif ( $shell == OLDBASH ) {
 	    $value =~ s/\\'/'/g;
+	    $value =~ s/\\"/"/g;
+	    $value =~ s/\\\\/\\/g;
 	} else {
 	    $value =~ s/'"'"'/'/g;
 	}
 	#
 	# Don't export pairs from %ENV
 	#
-	next if defined $ENV{$param} && $value eq $ENV{$param};
+	if ( defined $ENV{$param} ) {
+	    next if $value eq $ENV{$param};
+	} elsif ( exists $ENV{$param} ) {
+	    next unless supplied $value;
+	}
 
 	emit "#\n# From the params file\n#" unless $count++;
 	#
 	# We will use double quotes and escape embedded quotes with \.
 	#
-	if ( $value =~ /[\s()['"]/ ) {
+	if ( $value =~ /^"[^"]*"$/ ) {
+	    emit "$param=$value";
+	} elsif ( $value =~ /[\s()['"]/ ) {
 	    $value =~ s/"/\\"/g;
 	    emit "$param='$value'";
 	} else {
@@ -5326,7 +5407,7 @@ sub convert_to_directives() {
 
     my $dirtest = qr|^$sharedir/+shorewall6?(?:/.*)?$|;
 
-    progress_message3 "Converting 'FORMAT' and 'COMMENT' lines to compiler directives...";
+    progress_message3 "Converting 'FORMAT', 'SECTION' and 'COMMENT' lines to compiler directives...";
 
     for my $dir ( @path ) {
 	unless ( $dir =~ /$dirtest/ ) {
@@ -5361,6 +5442,7 @@ EOF
 				if ( system( "diff -q $file ${file}.bak > /dev/null" ) ) {
 				    progress_message3 "   File $file updated - old file renamed ${file}.bak";
 				} elsif ( rename "${file}.bak" , $file ) {
+				    progress_message "   File $file not updated -- no bare 'COMMENT', 'SECTION' or 'FORMAT' lines found";
 				    progress_message "   File $file not updated -- no bare 'COMMENT' or 'FORMAT' lines found";
 				} else {
 				    warning message "Unable to rename ${file}.bak to $file:$!";
@@ -5408,6 +5490,28 @@ sub get_configuration( $$$$$ ) {
 	$ENV{PATH} = $default_path;
     }
 
+    my $have_capabilities;
+
+    if ( $export || $> != 0 ) {
+	#
+	# Compiling for export or user not root -- must use a capabilties file
+	# We read it before processing the .conf file so that 'update' has
+	# the capabilities.
+	#
+	unless ( open_file 'capabilities' ) {
+	    fatal_error "The -e compiler option requires a capabilities file" if $export;
+	    fatal_error "Compiling under non-root uid requires a capabilities file";
+	}
+
+	read_capabilities;
+
+	$have_capabilities = 1;
+    } elsif ( open_file 'capabilities' ) {
+	read_capabilities;
+
+	$have_capabilities = 1;
+    }
+
     get_params( $export );
 
     process_shorewall_conf( $update, $annotate, $directives );
@@ -5424,7 +5528,9 @@ sub get_configuration( $$$$$ ) {
     default 'MODULE_PREFIX', 'ko ko.gz o o.gz gz';
     default_yes_no 'LOAD_HELPERS_ONLY'          , 'Yes';
 
-    get_capabilities( $export );
+    if ( ! $export && $> == 0 ) {
+	get_capabilities($have_capabilities);
+    }
 
     my ( $val, $all );
 
@@ -5504,13 +5610,13 @@ sub get_configuration( $$$$$ ) {
 	    my $match = have_capability( 'OLD_HL_MATCH' ) ? 'hashlimit' : 'hashlimit-upto';
 	    my $units;
 
-	    if ( $rate =~ /^[sd]:((\d+)(\/(sec|min|hour|day))):(\d+)$/ ) {
+	    if ( $rate =~ /^[sd]:((\d+)(\/(sec|min|second|minute|hour|day))):(\d+)$/ ) {
 		fatal_error "Invalid rate ($1)" unless $2;
 		fatal_error "Invalid burst value ($5)" unless $5;
 
 		$limit .= "--$match $1 --hashlimit-burst $5 --hashlimit-name lograte --hashlimit-mode ";
 		$units = $4;
-	    } elsif ( $rate =~ /^[sd]:((\d+)(\/(sec|min|hour|day))?)$/ ) {
+	    } elsif ( $rate =~ /^[sd]:((\d+)(\/(sec|min|second|minute|hour|day))?)$/ ) {
 		fatal_error "Invalid rate ($1)" unless $2;
 		$limit .= "--$match $1 --hashlimit-name lograte --hashlimit-mode ";
 		$units = $4;
@@ -5530,11 +5636,11 @@ sub get_configuration( $$$$$ ) {
 
 		$limit .= "--hashlimit-htable-expire $expire ";
 	    }
-	} elsif ( $rate =~ /^((\d+)(\/(sec|min|hour|day))):(\d+)$/ ) {
+	} elsif ( $rate =~ /^((\d+)(\/(sec|min|second|minute|hour|day))):(\d+)$/ ) {
 	    fatal_error "Invalid rate ($1)" unless $2;
 	    fatal_error "Invalid burst value ($5)" unless $5;
 	    $limit = "-m limit --limit $1 --limit-burst $5 ";
-	} elsif ( $rate =~ /^(\d+)(\/(sec|min|hour|day))?$/ )  {
+	} elsif ( $rate =~ /^(\d+)(\/(sec|min|second|minute|hour|day))?$/ )  {
 	    fatal_error "Invalid rate (${1}${2})" unless $1;
 	    $limit = "-m limit --limit $rate ";
 	} else {
@@ -5600,7 +5706,9 @@ sub get_configuration( $$$$$ ) {
 	fatal_error "LOG_MARTIANS=On is not supported in IPv6" if $config{LOG_MARTIANS} eq 'on';
     }
 
-    default 'STARTUP_LOG'   , '';
+    default 'SHOREWALL_SHELL', '/bin/sh';
+
+    default 'STARTUP_LOG'    , '';
 
     if ( $config{STARTUP_LOG} ne '' ) {
 	if ( supplied $config{LOG_VERBOSITY} ) {
@@ -5823,6 +5931,10 @@ sub get_configuration( $$$$$ ) {
 	$globals{USER_MASK} = $globals{USER_BITS} = 0;
     }
 
+    $val = $config{PROVIDER_OFFSET};
+
+    $globals{SMALL_MASK} = $val ? make_mask( $val ) : $globals{TC_MASK}; 
+
     if ( supplied ( $val = $config{ZONE2ZONE} ) ) {
 	fatal_error "Invalid ZONE2ZONE value ( $val )" unless $val =~ /^[2-]$/;
     } else {

Shorewall/Perl/Shorewall/IPAddrs.pm

@@ -779,6 +779,18 @@ sub normalize_6addr( $ ) {
 sub validate_6range( $$ ) {
     my ( $low, $high ) = @_;
 
+    if ( $low =~ /^\[(.+)\]$/ ) {
+	$low = $1;
+    } elsif ( $low =~ /^\[(.+)\]\/(\d+)$/ ) {
+	$low = join( '/', $1, $2 );
+    }
+
+    if ( $high =~ /^\[(.+)\]$/ ) {
+	$high = $1;
+    } elsif ( $high =~ /^\[(.+)\]\/(\d+)$/ ) {
+	$high = join( '/', $1, $2 );
+    }
+
     validate_6address $low, 0;
     validate_6address $high, 0;
 

Shorewall/Perl/Shorewall/Misc.pm

@@ -44,6 +44,7 @@ our @EXPORT = qw( process_tos
 		  setup_mac_lists
 		  process_routestopped
 		  process_stoppedrules
+		  convert_routestopped
 		  compile_stop_firewall
 		  generate_matrix
 		  );
@@ -76,7 +77,7 @@ sub process_tos() {
 	my ( $pretosref, $outtosref );
 
 	first_entry( sub { progress_message2 "$doing $fn...";
-			   warning_message "Use of the tos file is deprecated in favor of the TOS target in tcrules";
+			   warning_message "Use of the tos file is deprecated in favor of the TOS target in the 'mangle' file";
 			   $pretosref = ensure_chain 'mangle' , $chain;
 			   $outtosref = ensure_chain 'mangle' , 'outtos';
 		       }
@@ -176,7 +177,7 @@ sub setup_ecn()
 	}
 
 	if ( @hosts ) {
-	    my @interfaces = ( keys %interfaces );
+	    my @interfaces = ( sort { interface_number($a) <=> interface_number($b) } keys %interfaces );
 
 	    progress_message "$doing ECN control on @interfaces...";
 
@@ -360,14 +361,16 @@ sub remove_blacklist( $ ) {
     while ( read_a_line( EMBEDDED_ENABLED | EXPAND_VARIABLES ) ) {
 	my ( $rule, $comment ) = split '#', $currentline, 2;
 
-	if ( $rule =~ /blacklist/ ) {
+	if ( $rule && $rule =~ /blacklist/ ) {
 	    $changed = 1;
 
 	    if ( $comment ) {
-		$comment =~ s/^/          / while $rule =~ s/blacklist,//;
+		$comment =~ s/^/          / while $rule =~ s/blacklist,// || $rule =~ s/,blacklist//;
 		$rule =~ s/blacklist/         /g;
 		$currentline = join( '#', $rule, $comment );
 	    } else {
+		$currentline =~ s/blacklist,//g;
+		$currentline =~ s/,blacklist//g;
 		$currentline =~ s/blacklist/         /g;
 	    }
 	}
@@ -385,25 +388,33 @@ sub remove_blacklist( $ ) {
 }
 
 #
-# Convert a pre-4.4.25 blacklist to a 4.4.25 blacklist
+# Convert a pre-4.4.25 blacklist to a 4.4.25 blrules file
 #
 sub convert_blacklist() {
     my $zones  = find_zones_by_option 'blacklist', 'in';
     my $zones1 = find_zones_by_option 'blacklist', 'out';
     my ( $level, $disposition ) = @config{'BLACKLIST_LOG_LEVEL', 'BLACKLIST_DISPOSITION' };
     my $audit       = $disposition =~ /^A_/;
-    my $target      = $disposition eq 'REJECT' ? 'reject' : $disposition;
+    my $target      = $disposition;
     my $orig_target = $target;
     my @rules;
 
     if ( @$zones || @$zones1 ) {
-	if ( supplied $level ) {
-	    $target = 'blacklog';
-	} elsif ( $audit ) {
-	    $target = verify_audit( $disposition );
-	}
+	$target = "$target:$level" if supplied $level;
 
-	my $fn = open_file 'blacklist';
+	my $fn = open_file( 'blacklist' );
+
+	unless ( $fn ) {
+	    if ( -f ( $fn = find_file( 'blacklist' ) ) ) {
+		if ( unlink( $fn ) ) {
+		    warning_message "Empty blacklist file ($fn) removed";
+		} else {
+		    warning_message "Unable to remove empty blacklist file $fn: $!";
+		}
+	    }
+
+	    return 0;
+	}
 
 	first_entry "Converting $fn...";
 
@@ -439,8 +450,6 @@ sub convert_blacklist() {
 		} else {
 		    warning_message "Duplicate 'audit' option ignored" if $auditone > 1;
 		}
-
-		$tgt = verify_audit( 'A_' . $target, $orig_target, $target );
 	    }
 
 	    for ( @options ) {
@@ -471,7 +480,7 @@ sub convert_blacklist() {
 	}
 
 	if ( @rules ) {
-	    my $fn1 = find_file( 'blrules' );
+	    my $fn1 = find_writable_file( 'blrules' );
 	    my $blrules;
 	    my $date = localtime;
 
@@ -682,6 +691,163 @@ sub process_routestopped() {
     }
 }
 
+sub convert_routestopped() {
+
+    if ( my $fn = open_file 'routestopped' ) {
+	my ( @allhosts, %source, %dest , %notrack, @rule );
+
+	my $seq  = 0;
+	my $date = localtime;
+
+	my ( $stoppedrules, $fn1 );
+
+	if ( -f ( $fn1 = find_writable_file( 'stoppedrules' ) ) ) {
+	    open $stoppedrules, '>>', $fn1 or fatal_error "Unable to open $fn1: $!";
+	} else {
+	    open $stoppedrules, '>',  $fn1 or fatal_error "Unable to open $fn1: $!";
+	    print $stoppedrules <<'EOF';
+#
+# Shorewall version 4 - Stopped Rules File
+#
+# For information about entries in this file, type "man shorewall-stoppedrules"
+#
+# The manpage is also online at
+# http://www.shorewall.net/manpages/shorewall-stoppedrules.html
+#
+# See http://shorewall.net/starting_and_stopping_shorewall.htm for additional
+# information.
+#
+###############################################################################
+#ACTION		SOURCE			DEST		PROTO	DEST	SOURCE
+#								PORT(S)	PORT(S)
+EOF
+	}
+
+	first_entry(
+		    sub {
+			my $date = localtime;
+			progress_message2 "$doing $fn...";
+			print( $stoppedrules
+			       "#\n" ,
+			       "# Rules generated from routestopped file $fn by Shorewall $globals{VERSION} - $date\n" ,
+			       "#\n" );
+		    }
+		   );
+
+	while ( read_a_line ( NORMAL_READ ) ) {
+
+	    my ($interface, $hosts, $options , $proto, $ports, $sports ) =
+		split_line( 'routestopped file',
+			    { interface => 0, hosts => 1, options => 2, proto => 3, dport => 4, sport => 5 } );
+
+	    my $interfaceref;
+
+	    fatal_error 'INTERFACE must be specified' if $interface eq '-';
+	    fatal_error "Unknown interface ($interface)" unless $interfaceref = known_interface $interface;
+	    $hosts = ALLIP unless $hosts && $hosts ne '-';
+
+	    my $routeback = 0;
+
+	    my @hosts;
+
+	    $seq++;
+
+	    my $rule = "$proto\t$ports\t$sports";
+
+	    $hosts = ALLIP if $hosts eq '-';
+
+	    for my $host ( split /,/, $hosts ) {
+		fatal_error "Ipsets not allowed with SAVE_IPSETS=Yes" if $host =~ /^!?\+/ && $config{SAVE_IPSETS};
+		validate_host $host, 1;
+		push @hosts, "$interface|$host|$seq";
+		push @rule, $rule;
+	    }
+
+
+	    unless ( $options eq '-' ) {
+		for my $option (split /,/, $options ) {
+		    if ( $option eq 'routeback' ) {
+			if ( $routeback ) {
+			    warning_message "Duplicate 'routeback' option ignored";
+			} else {
+			    $routeback = 1;
+			}
+		    } elsif ( $option eq 'source' ) {
+			for my $host ( split /,/, $hosts ) {
+			    $source{"$interface|$host|$seq"} = 1;
+			}
+		    } elsif ( $option eq 'dest' ) {
+			for my $host ( split /,/, $hosts ) {
+			    $dest{"$interface|$host|$seq"} = 1;
+			}
+		    } elsif ( $option eq 'notrack' ) {
+			for my $host ( split /,/, $hosts ) {
+			    $notrack{"$interface|$host|$seq"} = 1;
+			}
+		    } else {
+			warning_message "Unknown routestopped option ( $option ) ignored" unless $option eq 'critical';
+			warning_message "The 'critical' option is no longer supported (or needed)";
+		    }
+		}
+	    }
+
+	    if ( $routeback || $interfaceref->{options}{routeback} ) {
+		my $chainref = $filter_table->{FORWARD};
+
+		for my $host ( split /,/, $hosts ) {
+		    print $stoppedrules "ACCEPT\t$interface:$host\t$interface:$host\n";
+		}
+	    }
+
+	    push @allhosts, @hosts;
+	}
+
+	for my $host ( @allhosts ) {
+	    my ( $interface, $h, $seq ) = split /\|/, $host;
+	    my $rule = shift @rule;
+
+	    print $stoppedrules "ACCEPT\t$interface:$h\t\$FW\t$rule\n";
+	    print $stoppedrules "ACCEPT\t\$FW\t$interface:$h\t$rule\n" unless $config{ADMINISABSENTMINDED};
+
+	    my $matched = 0;
+
+	    if ( $source{$host} ) {
+		print $stoppedrules "ACCEPT\t$interface:$h\t-\t$rule\n";
+		$matched = 1;
+	    }
+
+	    if ( $dest{$host} ) {
+		print $stoppedrules "ACCEPT\t-\t$interface:$h\t$rule\n";
+		$matched = 1;
+	    }
+
+	    if ( $notrack{$host} ) {
+		print $stoppedrules "NOTRACK\t$interface:$h\t-\t$rule\n";
+		print $stoppedrules "NOTRACK\t\$FW\t$interface:$h\t$rule\n";
+	    }
+
+	    unless ( $matched ) {
+		for my $host1 ( @allhosts ) {
+		    unless ( $host eq $host1 ) {
+			my ( $interface1, $h1 , $seq1 ) = split /\|/, $host1;
+			print $stoppedrules "ACCEPT\t$interface:$h\t$interface1:$h1\t$rule\n";
+		    }
+		}
+	    }
+	}
+
+	rename $fn, "$fn.bak";
+	progress_message2 "Routestopped file $fn saved in $fn.bak";
+	close $stoppedrules;
+    } elsif ( -f ( my $fn1 = find_file( 'routestopped' ) ) ) {
+	if ( unlink( $fn1 ) ) {
+	    warning_message "Empty routestopped file ($fn1) removed";
+	} else {
+	    warning_message "Unable to remove empty routestopped file $fn1: $!";
+	}
+    }
+}
+
 #
 # Process the stoppedrules file. Returns true if the file was non-empty.
 #
@@ -774,8 +940,8 @@ sub process_stoppedrules() {
 
 sub setup_mss();
 
-sub add_common_rules ( $$ ) {
-    my ( $upgrade_blacklist, $upgrade_tcrules ) = @_;
+sub add_common_rules ( $$$ ) {
+    my ( $upgrade_blacklist, $upgrade_tcrules , $upgrade_routestopped ) = @_;
     my $interface;
     my $chainref;
     my $target;
@@ -946,7 +1112,7 @@ sub add_common_rules ( $$ ) {
     run_user_exit1 'initdone';
 
     if ( $upgrade_blacklist ) {
-	exit 0 unless convert_blacklist || $upgrade_tcrules;
+	exit 0 unless convert_blacklist || $upgrade_tcrules || $upgrade_routestopped;
     } else {
 	setup_blacklist;
     }
@@ -1535,7 +1701,7 @@ sub handle_loopback_traffic() {
 	    # Handle conntrack rules
 	    #
 	    if ( $notrackref->{referenced} ) {
-		for my $hostref ( @{defined_zone( $z1 )->{hosts}{ip}{'%vserver%'}} ) {
+		for my $hostref ( sort { $a->{type} cmp $b->{type} } @{defined_zone( $z1 )->{hosts}{ip}{'%vserver%'}} ) {
 		    my $exclusion   = source_exclusion( $hostref->{exclusions}, $notrackref);
 		    my @ipsec_match = match_ipsec_in $z1 , $hostref;
 
@@ -1556,8 +1722,8 @@ sub handle_loopback_traffic() {
 	    #
 	    my $source_hosts_ref = defined_zone( $z1 )->{hosts};
 
-	    for my $typeref ( values %{$source_hosts_ref} ) {
-		for my $hostref ( @{$typeref->{'%vserver%'}} ) {
+	    for my $typeref ( sort { $a->{type} cmp $b->{type} } values %{$source_hosts_ref} ) {
+		for my $hostref ( sort { $a->{type} cmp $b->{type} } @{$typeref->{'%vserver%'}} ) {
 		    my $exclusion   = source_exclusion( $hostref->{exclusions}, $natref);
 
 		    for my $net ( @{$hostref->{hosts}} ) {
@@ -1579,7 +1745,7 @@ sub add_interface_jumps {
     our %input_jump_added;
     our %output_jump_added;
     our %forward_jump_added;
-    my @interfaces = grep $_ ne '%vserver%', @_;
+    my @interfaces = sort grep $_ ne '%vserver%', @_;
     my $dummy;
     my $lo_jump_added = interface_zone( loopback_interface ) && ! get_interface_option( loopback_interface, 'destonly' );
     #
@@ -1826,7 +1992,7 @@ sub add_output_jumps( $$$$$$$ ) {
     our @vservers;
     our %output_jump_added;
 
-    my $chain1            = rules_target firewall_zone , $zone;
+    my $chain1            = rules_target( firewall_zone , $zone );
     my $chain1ref         = $filter_table->{$chain1};
     my $nextchain         = dest_exclusion( $exclusions, $chain1 );
     my $outputref;
@@ -2200,7 +2366,8 @@ sub generate_matrix() {
 	#
 	# Take care of PREROUTING, INPUT and OUTPUT jumps
 	#
-	for my $typeref ( values %$source_hosts_ref ) {
+	for my $type ( sort keys %$source_hosts_ref ) {
+	    my $typeref = $source_hosts_ref->{$type};
 	    for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) {
 		if ( get_physical( $interface ) eq '+' ) {
 		    #
@@ -2273,7 +2440,6 @@ sub generate_matrix() {
 		my $chain = rules_target $zone, $zone1;
 
 		next unless $chain; # CONTINUE policy with no rules
-
 		my $num_ifaces = 0;
 
 		if ( $zone eq $zone1 ) {
@@ -2285,8 +2451,9 @@ sub generate_matrix() {
 		}
 
 		my $chainref = $filter_table->{$chain}; #Will be null if $chain is a Netfilter Built-in target like ACCEPT
-		
-		for my $typeref ( values %{$zone1ref->{hosts}} ) {
+
+		for my $type ( sort keys %{$zone1ref->{hosts}} ) {
+		    my $typeref = $zone1ref->{hosts}{$type};
 		    for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) {
 			for my $hostref ( @{$typeref->{$interface}} ) {
 			    next if $hostref->{options}{sourceonly};
@@ -2407,8 +2574,8 @@ sub setup_mss( ) {
 #
 # Compile the stop_firewall() function
 #
-sub compile_stop_firewall( $$$ ) {
-    my ( $test, $export, $have_arptables ) = @_;
+sub compile_stop_firewall( $$$$ ) {
+    my ( $test, $export, $have_arptables, $routestopped ) = @_;
 
     my $input   = $filter_table->{INPUT};
     my $output  = $filter_table->{OUTPUT};
@@ -2597,7 +2764,12 @@ EOF
 	}
     }
 
-    process_routestopped unless process_stoppedrules;
+    if ( $routestopped ) {
+	convert_routestopped;
+	process_stoppedrules;
+    } else {
+	process_routestopped unless process_stoppedrules;
+    }
 
     if ( have_capability 'IFACE_MATCH' ) {
 	add_ijump $input,  j => 'ACCEPT', iface => '--dev-in --loopback';

Shorewall/Perl/Shorewall/Nat.pm

@@ -80,7 +80,7 @@ sub process_one_masq1( $$$$$$$$$$ )
     if ( $interfacelist =~ /^INLINE\((.+)\)$/ ) {
 	$interfacelist = $1;
 	$inlinematches = get_inline_matches(0);
-    } elsif ( $config{INLINE_MATCHES} ) {
+    } else {
 	$inlinematches = get_inline_matches(0);
     }	
     #

Shorewall/Perl/Shorewall/Providers.pm

@@ -60,7 +60,6 @@ our @routemarked_providers;
 our %routemarked_interfaces;
 our @routemarked_interfaces;
 our %provider_interfaces;
-our @load_providers;
 our @load_interfaces;
 
 our $balancing;
@@ -98,7 +97,6 @@ sub initialize( $ ) {
     %routemarked_interfaces = ();
     @routemarked_interfaces = ();
     %provider_interfaces    = ();
-    @load_providers         = ();
     @load_interfaces        = ();
     $balancing              = 0;
     $fallback               = 0;
@@ -374,7 +372,7 @@ sub start_provider( $$$$$ ) {
 
     emit "\n#\n# Add $what $table ($number)\n#";
 
-    if ( $number ) {
+    if ( $number >= 0 ) {
 	emit "start_provider_$table() {";
     } else {
 	emit "start_interface_$table() {";
@@ -384,7 +382,7 @@ sub start_provider( $$$$$ ) {
     emit $test;
     push_indent;
 
-    if ( $number ) {
+    if ( $number >= 0 ) {
 	emit "qt ip -$family route flush table $id";
 	emit "echo \"\$IP -$family route flush table $id > /dev/null 2>&1\" > \${VARDIR}/undo_${table}_routing";
     } else {
@@ -697,7 +695,7 @@ sub process_a_provider( $ ) {
     if ( $track ) {
 	if ( $routemarked_interfaces{$interface} ) {
 	    fatal_error "Interface $interface is tracked through an earlier provider" if $routemarked_interfaces{$interface} == ROUTEMARKED_UNSHARED;
-	    fatal_error "Multiple providers through the same interface must their IP address specified in the INTERFACES" unless $shared;
+	    fatal_error "Multiple providers through the same interface must have their IP address specified in the INTERFACES column" unless $shared;
 	} else {
 	    $routemarked_interfaces{$interface} = $shared ? ROUTEMARKED_SHARED : ROUTEMARKED_UNSHARED;
 	    push @routemarked_interfaces, $interface;
@@ -846,12 +844,12 @@ CEOF
 
 	if ( $hostroute ) {
 	    if ( $family == F_IPV4 ) {
-		emit "run_ip route replace $gateway src $address dev $physical ${mtu}";
-		emit "run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm";
+		emit qq(run_ip route replace $gateway src $address dev $physical ${mtu});
+		emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
 	    } else {
-		emit "qt \$IP -6 route add $gateway src $address dev $physical ${mtu}";
-		emit "qt \$IP -6 route del $gateway src $address dev $physical ${mtu}table $id $realm";
-		emit "run_ip route add $gateway src $address dev $physical ${mtu}table $id $realm";
+		emit qq(qt \$IP -6 route add $gateway src $address dev $physical ${mtu});
+		emit qq(qt \$IP -6 route del $gateway src $address dev $physical ${mtu}table $id $realm);
+		emit qq(run_ip route add $gateway src $address dev $physical ${mtu}table $id $realm);
 	    }
 	}
 
@@ -1380,15 +1378,32 @@ sub finish_providers() {
 	emit(   'fi',
 		'' );
     } else {
+	if ( ( $fallback || @load_interfaces ) && $config{USE_DEFAULT_RT} ) {
+	    emit  ( q(#),
+		    q(# Delete any default routes in the 'main' table),
+		    q(#),
+		    "while qt \$IP -$family route del default table $main; do",
+		    '    true',
+		    'done',
+		    ''
+		  );
+	} else {
+	    emit ( q(#),
+		   q(# We don't have any 'balance'. 'load='  or 'fallback=' providers so we restore any default route that we've saved),
+		   q(#),
+		   qq(restore_default_route $config{USE_DEFAULT_RT}),
+		   ''
+		 );
+	}
+
 	emit ( '#',
-	       '# We don\'t have any \'balance\' providers so we restore any default route that we\'ve saved',
+	       '# Delete any routes in the \'balance\' table',
 	       '#',
-	       "restore_default_route $config{USE_DEFAULT_RT}" ,
-	       '#',
-	       '# And delete any routes in the \'balance\' table',
-	       '#',
-	       "qt \$IP -$family route del default table $balance",
-	       '' );
+	       "while qt \$IP -$family route del default table $balance; do",
+	       '    true',
+	       'done',
+	       ''
+	     );
     }
 
     if ( $fallback ) {
@@ -1442,10 +1457,13 @@ sub process_providers( $ ) {
     #
     # Treat optional interfaces as pseudo-providers
     #
+    my $num = -65536;
+
     for ( grep interface_is_optional( $_ ) && ! $provider_interfaces{ $_ }, all_real_interfaces ) {
+	$num++;
 	#
-	#               TABLE             NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
-	$currentline =  var_base($_) ." 0      -    -         $_        -       -       -";
+	#               TABLE             NUMBER            MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
+	$currentline =  var_base($_) .  " $num              -    -         $_        -       -       -";
 	#
 	$pseudoproviders += process_a_provider(1);
     }
@@ -1591,7 +1609,7 @@ sub map_provider_to_interface() {
 
     my $haveoptional;
 
-    for my $providerref ( values %providers ) {
+    for my $providerref ( sort { $a->{number} cmp $b->{number} } values %providers ) {
 	if ( $providerref->{optional} ) {
 	    unless ( $haveoptional++ ) {
 		emit( 'if [ -n "$interface" ]; then',
@@ -1618,6 +1636,7 @@ sub map_provider_to_interface() {
 
 sub setup_providers() {
     our $providers;
+    our $pseudoproviders;
 
     if ( $providers ) {
 	if ( $maxload ) {
@@ -1652,6 +1671,11 @@ sub setup_providers() {
 
 	push_indent;
 
+	if ( $pseudoproviders ) {
+	    emit '';
+	    emit "start_$providers{$_}->{what}_$_" for @providers;
+	}
+
 	emit "\nundo_routing";
 	emit "restore_default_route $config{USE_DEFAULT_RT}";
 

Shorewall/Perl/Shorewall/Proxyarp.pm

@@ -154,7 +154,7 @@ sub setup_proxy_arp() {
 
 	emit '';
 
-	for my $interface ( keys %reset ) {
+	for my $interface ( sort keys %reset ) {
 	    unless ( $set{interface} ) {
 		my $physical = get_physical $interface;
 		emit  ( "if [ -f /proc/sys/net/ipv$family/conf/$physical/$proc_file ]; then" ,
@@ -163,7 +163,7 @@ sub setup_proxy_arp() {
 	    }
 	}
 
-	for my $interface ( keys %set ) {
+	for my $interface ( sort keys %set ) {
 	    my $physical = get_physical $interface;
 	    emit  ( "if [ -f /proc/sys/net/ipv$family/conf/$physical/$proc_file ]; then" ,
 		    "    echo 1 > /proc/sys/net/ipv$family/conf/$physical/$proc_file" );

Shorewall/Perl/Shorewall/Raw.pm

@@ -275,11 +275,13 @@ sub process_format( $ ) {
     $file_format = $format;
 }
 
-sub setup_conntrack() {
+sub setup_conntrack($) {
+    my $convert = shift;
+    my $fn;
 
     for my $name ( qw/notrack conntrack/ ) {
 
-	my $fn = open_file( $name, 3 , 1 );
+	$fn = open_file( $name, 3 , 1 );
 
 	if ( $fn ) {
 
@@ -341,12 +343,76 @@ sub setup_conntrack() {
 		    } else {
 			warning_message "Unable to remove empty notrack file ($fn): $!";
 		    }
+		    $convert = undef;
+		}
+	    }
+	} elsif ( $name eq 'notrack' ) {
+	    $convert = undef;
+
+	    if ( -f ( my $fn1 = find_file( $name ) ) ) {
+		if ( unlink( $fn1 ) ) {
+		    warning_message "Empty notrack file ($fn1) removed";
 		} else {
-		    warning_message "Non-empty notrack file ($fn); please move its contents to the conntrack file";
+		    warning_message "Unable to remove empty notrack file ($fn1): $!";
 		}
 	    }
 	}
     }
+
+    if ( $convert ) {
+	my $conntrack;
+	my $empty  = 1;
+	my $date = localtime;
+
+	if ( $fn ) {
+	    open $conntrack, '>>', $fn or fatal_error "Unable to open $fn for notrack conversion: $!";
+	} else {
+	    open $conntrack, '>', $fn = find_file 'conntrack' or fatal_error "Unable to open $fn for notrack conversion: $!";
+
+	    print $conntrack <<'EOF';
+#
+# Shorewall version 5 - conntrack File
+#
+# For information about entries in this file, type "man shorewall-conntrack"
+#
+##############################################################################################################
+EOF
+	    print $conntrack '?' . "FORMAT 3\n";
+	    
+	    print $conntrack <<'EOF';
+#ACTION                 SOURCE          DESTINATION     PROTO   DEST            SOURCE  USER/           SWITCH
+#                                                               PORT(S)         PORT(S) GROUP
+EOF
+	}
+
+	print( $conntrack
+	       "#\n" ,
+	       "# Rules generated from notrack file $fn by Shorewall $globals{VERSION} - $date\n" ,
+	       "#\n" );
+
+	$fn = open_file( 'notrack' , 3, 1 ) || fatal_error "Unable to open the notrack file for conversion: $!";
+
+	while ( read_a_line( PLAIN_READ ) ) {
+	    #
+	    # Don't copy the header comments from the old notrack file
+	    #
+	    next if $empty && ( $currentline =~ /^\s*#/ || $currentline =~ /^\s*$/ );
+
+	    if ( $empty ) {
+		#
+		# First non-commentary line
+		#
+		$empty = undef;
+
+		print $conntrack '?' . "FORMAT 1\n" unless $currentline =~ /^\s*\??FORMAT/i;
+	    }
+
+	    print $conntrack "$currentline\n";
+	}
+
+	rename $fn, "$fn.bak" or fatal_error "Unable to rename $fn to $fn.bak: $!";
+	progress_message2 "notrack file $fn saved in $fn.bak"
+    }
 }
 
 1;

Shorewall/Perl/Shorewall/Rules.pm

@@ -455,13 +455,12 @@ sub process_default_action( $$$$ ) {
 	} elsif ( ( $targets{$def} || 0 ) == INLINE ) {
 	    $default = $def;
 	    $default = "$def($param)" if supplied $param;
+	    $default = join( ':', $default, $level ) if $level ne 'none';
 	} elsif ( $default_option ) {
 	    fatal_error "Unknown Action ($default) in $policy setting";
 	} else {
 	    fatal_error "Unknown Default Action ($default)";
 	}
-
-	$default = join( ':', $default, $level ) if $level ne 'none';
     } else {
 	$default = $default_actions{$policy} || 'none';
     }
@@ -2284,7 +2283,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 
     if ( $basictarget eq 'INLINE' ) {
 	( $action, $basictarget, $param, $loglevel, $raw_matches ) = handle_inline( FILTER_TABLE, 'filter', $action, $basictarget, $param, $loglevel );
-    } elsif ( $config{INLINE_MATCHES} ) {
+    } else {
 	$raw_matches = get_inline_matches(0);
     }
     #

Shorewall/Perl/Shorewall/Tc.pm

@@ -27,7 +27,7 @@
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
-#   This module deals with Traffic Shaping and the tcrules file.
+#   This module deals with Traffic Shaping and the mangle file.
 #
 package Shorewall::Tc;
 require Exporter;
@@ -135,7 +135,7 @@ our %restrictions = ( tcpre      => PREROUTE_RESTRICT ,
 
 our $family;
 
-our $tcrules;
+our $convert;
 
 our $mangle;
 
@@ -452,6 +452,16 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	    },
 	},
 
+	DROP       => {
+	    defaultchain   => 0,
+	    allowedchains  => PREROUTING | FORWARD | OUTPUT | POSTROUTING,
+	    minparams      => 0,
+	    maxparams      => 0,
+	    function       => sub() {
+		$target = 'DROP';
+	    }
+	},
+
 	DSCP       => {
 	    defaultchain   => 0,
 	    allowedchains  => PREROUTING | FORWARD | OUTPUT | POSTROUTING,
@@ -749,7 +759,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 
     if ( $cmd eq 'INLINE' ) {
 	( $target, $cmd, $params, $junk, $raw_matches ) = handle_inline( MANGLE_TABLE, 'mangle', $action, $cmd, $params, '' );
-    } elsif ( $config{INLINE_MATCHES} ) {
+    } else {
 	$raw_matches = get_inline_matches(0);
     }
 
@@ -797,7 +807,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	if ( $commandref->{maxparams} == 1 ) {
 	    fatal_error "The $cmd requires a parameter";
 	} else {
-	    fatal_error "The $cmd ACTION only requires at least $commandref->{maxparams} parmeters";
+	    fatal_error "The $cmd ACTION requires at least $commandref->{maxparams} parmeters";
 	}
     }
     if ( $state ne '-' ) {
@@ -998,7 +1008,7 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
 	}
     }
 	
-    if ( $tcrules ) {
+    if ( $convert ) {
 	$command = ( $command ? "$command($mark)" : $mark ) . $designator;
 	my $line = ( $family == F_IPV6 ?
 		     "$command\t$source\t$dest\t$proto\t$ports\t$sports\t$user\t$testval\t$length\t$tos\t$connbytes\t$helper\t$headers\t$probability\t$dscp\t$state" :
@@ -3161,11 +3171,129 @@ sub process_secmark_rule() {
     }
 }
 
+sub convert_tos($$) {
+    my ( $mangle, $fn1 ) = @_;
+
+    my $have_tos = 0;
+
+    sub unlink_tos( $ ) {
+	my $fn = shift;
+
+	if ( unlink $fn ) {
+	    warning_message "Empty tos file ($fn) removed";
+	} else {
+	    warning_message "Unable to remove empty tos file $fn: $!";
+	}
+    }
+
+    if ( my $fn = open_file 'tos' ) {
+	first_entry(
+		    sub {
+			my $date = localtime;
+			progress_message2 "Converting $fn...";
+			print( $mangle
+			       "#\n" ,
+			       "# Rules generated from tos file $fn by Shorewall $globals{VERSION} - $date\n" ,
+			       "#\n" );
+		    }
+		   );
+
+	while ( read_a_line( NORMAL_READ ) ) {
+
+	    $have_tos = 1;
+
+	    my ($src, $dst, $proto, $ports, $sports , $tos, $mark ) =
+		split_line( 'tos file entry',
+			    { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, tos => 5, mark => 6 } );
+
+	    my $chain_designator = 'P';
+
+	    decode_tos($tos, 1);
+
+	    my ( $srczone , $source , $remainder );
+
+	    if ( $family == F_IPV4 ) {
+		( $srczone , $source , $remainder ) = split( /:/, $src, 3 );
+		fatal_error 'Invalid SOURCE' if defined $remainder;
+	    } elsif ( $src =~ /^(.+?):<(.*)>\s*$/ || $src =~ /^(.+?):\[(.*)\]\s*$/ ) {
+		$srczone = $1;
+		$source  = $2;
+	    } else {
+		$srczone = $src;
+	    }
+
+	    if ( $srczone eq firewall_zone ) {
+		$chain_designator = 'O';
+		$src         = $source || '-';
+	    } else {
+		$src =~ s/^all:?//;
+	    }
+
+	    $dst =~ s/^all:?//;
+
+	    $src    = '-' unless supplied $src;
+	    $dst    = '-' unless supplied $dst;
+	    $proto  = '-' unless supplied $proto;
+	    $ports  = '-' unless supplied $ports;
+	    $sports = '-' unless supplied $sports;
+	    $mark   = '-' unless supplied $mark;
+
+	    print $mangle "TOS($tos):$chain_designator\t$src\t$dst\t$proto\t$ports\t$sports\t-\t$mark\n"
+
+	}
+
+	if ( $have_tos ) {
+	    progress_message2 "Converted $fn to $fn1";
+	    if ( rename $fn, "$fn.bak" ) {
+		progress_message2 "$fn renamed $fn.bak";
+	    } else {
+		fatal_error "Cannot Rename $fn to $fn.bak: $!";
+	    }
+	} else {
+	    unlink_tos( $fn );
+	}
+    } elsif ( -f ( $fn = find_file( 'tos' ) ) ) {
+	if ( unlink $fn ) {
+	    warning_message "Empty tos file ($fn) removed";
+	} else {
+	    warning_message "Unable to remove empty tos file $fn: $!";
+	}
+    }
+}
+
+sub open_mangle_for_output() {
+    my ( $mangle, $fn1 );
+
+    if ( -f ( $fn1 = find_writable_file( 'mangle' ) ) ) {
+	open( $mangle , '>>', $fn1 ) || fatal_error "Unable to open $fn1:$!";
+    } else {
+	open( $mangle , '>', $fn1 ) || fatal_error "Unable to open $fn1:$!";
+	print $mangle <<'EOF';
 #
-# Process the tcrules file and setup traffic shaping
+# Shorewall version 4 - Mangle File
+#
+# For information about entries in this file, type "man shorewall-mangle"
+#
+# See http://shorewall.net/traffic_shaping.htm for additional information.
+# For usage in selecting among multiple ISPs, see
+# http://shorewall.net/MultiISP.html
+#
+# See http://shorewall.net/PacketMarking.html for a detailed description of
+# the Netfilter/Shorewall packet marking mechanism.
+####################################################################################################################################################
+#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE  USER    TEST    LENGTH  TOS     CONNBYTES       HELPER  PROBABILITY     DSCP
+#                                                       PORT(S) PORT(S)
+EOF
+    }
+
+    return ( $mangle, $fn1 );
+}
+
+#
+# Process the mangle file and setup traffic shaping
 #
 sub setup_tc( $ ) {
-    $tcrules = $_[0];
+    $convert = $_[0];
 
     if ( $config{MANGLE_ENABLED} ) {
 	ensure_mangle_chain 'tcpre';
@@ -3221,33 +3349,69 @@ sub setup_tc( $ ) {
 	if ( $fn = open_file( 'tcrules' , 2, 1 ) ) {
 	    my $fn1;
 
-	    if ( $tcrules ) {
+	    if ( $convert ) {
 		#
 		# We are going to convert this tcrules file to the equivalent mangle file
 		#
-		open( $mangle , '>>', $fn1 = find_file('mangle') ) || fatal_error "Unable to open $fn1:$!";
+		( $mangle, $fn1 ) = open_mangle_for_output;
 
 		directive_callback( sub () { print $mangle "$_[1]\n" unless $_[0] eq 'FORMAT'; 0; } );
 	    }
 
-	    first_entry "$doing $fn...";
+	    first_entry(
+			sub {
+			    if ( $convert ) {
+				my $date = localtime;
+				progress_message2 "Converting $fn...";
+				print( $mangle
+				       "#\n" ,
+				       "# Rules generated from tcrules file $fn by Shorewall $globals{VERSION} - $date\n" ,
+				       "#\n" );
+			    } else {
+				progress_message2 "$doing $fn...";
+			    }
+			}
+		       );
 
 	    process_tc_rule, $have_tcrules++ while read_a_line( NORMAL_READ );
 
-	    if ( $have_tcrules ) {
-		if ( $mangle ) {
+	    if ( $convert ) {
+		if ( $have_tcrules ) {
 		    progress_message2 "Converted $fn to $fn1";
 		    if ( rename $fn, "$fn.bak" ) {
 			progress_message2 "$fn renamed $fn.bak";
 		    } else {
 			fatal_error "Cannot Rename $fn to $fn.bak: $!";
 		    }
+		} elsif ( -f ( my $fn = find_file( 'tcrules' ) ) ) {
+		    if ( unlink $fn ) {
+			warning_message "Empty tcrules file ($fn) removed";
+		    } else {
+			warning_message "Unable to remove empty tcrules file $fn: $!";
+		    }
+		}
+
+		convert_tos( $mangle, $fn1 );
+
+		close $mangle, directive_callback( 0 );
+	    }
+	} elsif ( $convert ) {
+	    if ( -f ( my $fn = find_file( 'tcrules' ) ) ) {
+		if ( unlink $fn ) {
+		    warning_message "Empty tcrules file ($fn) removed";
 		} else {
-		    warning_message "Non-empty tcrules file ($fn); consider running '$product update -t'";
+		    warning_message "Unable to remove empty tcrules file $fn: $!";
 		}
 	    }
 
-	    close $mangle, directive_callback( 0 ) if $tcrules;
+	    if ( -f ( my $fn = find_file( 'tos' ) ) ) {
+		#
+		# We are going to convert this tos file to the equivalent mangle file
+		#
+		( $mangle, my $fn1 ) = open_mangle_for_output;
+		convert_tos( $mangle, $fn1 );
+		close $mangle;
+	    }
 	}
 
 	if ( my $fn = open_file( 'mangle', 1, 1 ) ) {

Shorewall/Perl/Shorewall/Tunnels.pm

@@ -137,6 +137,8 @@ sub setup_tunnels() {
 
 	add_tunnel_rule $inchainref,  p => 'udp --dport 655', @$source;
 	add_tunnel_rule $outchainref, p => 'udp --dport 655', @$dest;
+	add_tunnel_rule $inchainref,  p => 'tcp --dport 655', @$source;
+	add_tunnel_rule $outchainref, p => 'tcp --dport 655', @$dest;
     }
 
     sub setup_one_openvpn {

Shorewall/Perl/Shorewall/Zones.pm

@@ -1208,18 +1208,20 @@ sub process_interface( $$ ) {
 
 	    fatal_error "Invalid Interface option ($option)" unless my $type = $validinterfaceoptions{$option};
 
-	    if ( $zone ) {
-		fatal_error qq(The "$option" option may not be specified for a Vserver zone") if $zoneref->{type} & VSERVER && ! ( $type & IF_OPTION_VSERVER );
-	    } else {
-		fatal_error "The \"$option\" option may not be specified on a multi-zone interface" if $type & IF_OPTION_ZONEONLY;
-	    }
-
 	    my $hostopt = $type & IF_OPTION_HOST;
 
-	    fatal_error "The \"$option\" option is not allowed on a bridge port" if $port && ! $hostopt;
-
 	    $type &= MASK_IF_OPTION;
 
+	    unless ( $type == BINARY_IF_OPTION && defined $value && $value eq '0' ) {
+		if ( $zone ) {
+		    fatal_error qq(The "$option" option may not be specified for a Vserver zone") if $zoneref->{type} & VSERVER && ! ( $type & IF_OPTION_VSERVER );
+		} else {
+		    fatal_error "The \"$option\" option may not be specified on a multi-zone interface" if $type & IF_OPTION_ZONEONLY;
+		}
+	    }
+
+	    fatal_error "The \"$option\" option is not allowed on a bridge port" if $port && ! $hostopt;
+
 	    if ( $type == SIMPLE_IF_OPTION ) {
 		fatal_error "Option $option does not take a value" if defined $value;
 		if ( $option eq 'blacklist' ) {
@@ -1549,10 +1551,16 @@ sub known_interface($)
     my $iface = $interface;
 
     if ( $minroot ) {
+	#
+	# We have wildcard interfaces -- see if this interface matches one of their roots
+	#
 	while ( length $iface > $minroot ) {
 	    chop $iface;
 
 	    if ( my $i = $roots{$iface} ) {
+		#
+		# Found one
+		#
 		$interfaceref = $interfaces{$i};
 
 		my $physical = map_physical( $interface, $interfaceref );
@@ -1682,9 +1690,8 @@ sub source_port_to_bridge( $ ) {
     return $portref ? $portref->{bridge} : '';
 }
 
-
 #
-# Returns a hash reference for the zones interface through the interface
+# Returns a hash reference for the zones interfaced through the interface
 #
 sub interface_zones( $ ) {
     my $interfaceref = known_interface( $_[0] );
@@ -1719,7 +1726,7 @@ sub interface_is_required($) {
 }
 
 #
-# Return true if the interface is 'plain'
+# Return true if the interface is 'plain' (not optional, required or ignored and not a bridge port).
 #
 sub interface_is_plain($) {
     my $interfaceref = $interfaces{$_[0]};
@@ -1800,7 +1807,7 @@ sub find_interfaces_by_option1( $ ) {
     my @ints = ();
     my $wild = 0;
 
-    for my $interface ( sort { $interfaces{$a}->{number} <=> $interfaces{$b}->{number} } keys %interfaces ) {
+    for my $interface ( @interfaces ) {
 	my $interfaceref = $interfaces{$interface};
 
 	next unless defined $interfaceref->{physical};
@@ -2170,8 +2177,10 @@ sub find_hosts_by_option( $ ) {
     }
 
     for my $zone ( grep ! ( $zones{$_}{type} & FIREWALL ) , @zones ) {
-	while ( my ($type, $interfaceref) = each %{$zones{$zone}{hosts}} ) {
-	    while ( my ( $interface, $arrayref) = ( each %{$interfaceref} ) ) {
+	for my $type (sort keys %{$zones{$zone}{hosts}} ) {
+	    my $interfaceref = $zones{$zone}{hosts}->{$type};
+	    for my $interface ( sort keys %$interfaceref ) {
+		my $arrayref = $interfaceref->{$interface};
 		for my $host ( @{$arrayref} ) {
 		    my $ipsec = $host->{ipsec};
 		    unless ( $done{$interface} ) { 
@@ -2197,8 +2206,10 @@ sub find_zone_hosts_by_option( $$ ) {
     my @hosts;
 
     unless ( $zones{$zone}{type} & FIREWALL ) {
-	while ( my ($type, $interfaceref) = each %{$zones{$zone}{hosts}} ) {
-	    while ( my ( $interface, $arrayref) = ( each %{$interfaceref} ) ) {
+	for my $type (sort keys %{$zones{$zone}{hosts}} ) {
+	    my $interfaceref = $zones{$zone}{hosts}->{$type};
+	    for my $interface ( sort keys %$interfaceref ) {
+		my $arrayref = $interfaceref->{$interface};
 		for my $host ( @{$arrayref} ) {
 		    if ( my $value = $host->{options}{$option} ) {
 			for my $net ( @{$host->{hosts}} ) {
@@ -2210,7 +2221,7 @@ sub find_zone_hosts_by_option( $$ ) {
 	}
     }
 
-    \@hosts;
+    \@hosts
 }
 
 #

Shorewall/Perl/compiler.pl

@@ -42,6 +42,8 @@
 #         --config_path=<path-list>   # Search path for config files
 #         --inline                    # Update alternative column specifications
 #         --tcrules                   # Create mangle from tcrules
+#         --routestopped              # Create stoppedrules from routestopped
+#         --notrack                   # Create conntrack from notrack
 #
 use strict;
 use FindBin;
@@ -77,6 +79,8 @@ usage: compiler.pl [ <option> ... ] [ <filename> ]
     [ --config_path=<path-list> ]
     [ --inline ]
     [ --tcrules ]
+    [ --routestopped ]
+    [ --notrack ]
 _EOF_
 
 exit shift @_;
@@ -107,6 +111,8 @@ my $shorewallrc   = '';
 my $shorewallrc1  = '';
 my $inline        = 0;
 my $tcrules       = 0;
+my $routestopped  = 0;
+my $notrack       = 0;
 
 Getopt::Long::Configure ('bundling');
 
@@ -141,6 +147,8 @@ my $result = GetOptions('h'               => \$help,
 			'convert'         => \$convert,
 			'inline'          => \$inline,
 			'tcrules'         => \$tcrules,
+			'routestopped'    => \$routestopped,
+			'notrack'         => \$notrack,
 			'config_path=s'   => \$config_path,
 			'shorewallrc=s'   => \$shorewallrc,
 			'shorewallrc1=s'  => \$shorewallrc1,
@@ -171,4 +179,6 @@ compiler( script          => $ARGV[0] || '',
 	  shorewallrc1    => $shorewallrc1,
 	  inline          => $inline,
 	  tcrules         => $tcrules,
+	  routestopped    => $routestopped,
+	  notrack         => $notrack,
 	);

Shorewall/Perl/prog.footer

@@ -267,7 +267,7 @@ case "$COMMAND" in
 		status=0
 		for chain in $@; do
 		    if chain_exists $chain; then
-			if qt $g_tool-Z $chain; then
+			if qt $g_tool -Z $chain; then
 			    progress_message3 "Filter $chain Counters Reset"
 			else
 			    error_message "ERROR: Reset of chain $chain failed"

Shorewall/action.AutoBL

@@ -33,7 +33,7 @@ fatal_error "Invalid successive interval ($succesive) passed to AutoBL" unless $
 fatal_error "Invalid packet count ($count) passed to AutoBL"            unless $count =~ /^\d+$/ && $count;
 fatal_error "Invalid blacklist time ($bltime) passed to AutoBL"         unless $bltime =~ /^\d+$/ && $bltime;
 validate_level( $level );
-
+1;
 ?end perl
 ###############################################################################
 #TARGET		SOURCE	DEST	PROTO	DPORT	SPORT

Shorewall/install.sh

@@ -389,7 +389,7 @@ if [ -z "${DESTDIR}" -a $PRODUCT = shorewall -a ! -f ${SHAREDIR}/$PRODUCT/coreve
 fi
 
 install_file $PRODUCT ${DESTDIR}${SBINDIR}/$PRODUCT 0755
-[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${SBINDIR}/${PRODUCT}
+[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/${PRODUCT}
 echo "$PRODUCT control program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"
 
 #
@@ -439,31 +439,33 @@ if [ -n "$SERVICEDIR" ]; then
     echo "Service file $SERVICEFILE installed as ${DESTDIR}${SERVICEDIR}/$PRODUCT.service"
 fi
 
-#
-# These use absolute path names since the files that they are removing existed
-# prior to the use of directory variables
-#
-delete_file ${DESTDIR}/usr/share/$PRODUCT/compiler
-delete_file ${DESTDIR}/usr/share/$PRODUCT/lib.accounting
-delete_file ${DESTDIR}/usr/share/$PRODUCT/lib.actions
-delete_file ${DESTDIR}/usr/share/$PRODUCT/lib.dynamiczones
-delete_file ${DESTDIR}/usr/share/$PRODUCT/lib.maclist
-delete_file ${DESTDIR}/usr/share/$PRODUCT/lib.nat
-delete_file ${DESTDIR}/usr/share/$PRODUCT/lib.providers
-delete_file ${DESTDIR}/usr/share/$PRODUCT/lib.proxyarp
-delete_file ${DESTDIR}/usr/share/$PRODUCT/lib.tc
-delete_file ${DESTDIR}/usr/share/$PRODUCT/lib.tcrules
-delete_file ${DESTDIR}/usr/share/$PRODUCT/lib.tunnels
+if [ -z "$first_install" ]; then
+    #
+    # These use absolute path names since the files that they are removing existed
+    # prior to the use of directory variables
+    #
+    delete_file ${DESTDIR}/usr/share/$PRODUCT/compiler
+    delete_file ${DESTDIR}/usr/share/$PRODUCT/lib.accounting
+    delete_file ${DESTDIR}/usr/share/$PRODUCT/lib.actions
+    delete_file ${DESTDIR}/usr/share/$PRODUCT/lib.dynamiczones
+    delete_file ${DESTDIR}/usr/share/$PRODUCT/lib.maclist
+    delete_file ${DESTDIR}/usr/share/$PRODUCT/lib.nat
+    delete_file ${DESTDIR}/usr/share/$PRODUCT/lib.providers
+    delete_file ${DESTDIR}/usr/share/$PRODUCT/lib.proxyarp
+    delete_file ${DESTDIR}/usr/share/$PRODUCT/lib.tc
+    delete_file ${DESTDIR}/usr/share/$PRODUCT/lib.tcrules
+    delete_file ${DESTDIR}/usr/share/$PRODUCT/lib.tunnels
 
-if [ $PRODUCT = shorewall6 ]; then
-    delete_file ${DESTDIR}/usr/share/shorewall6/lib.cli
-    delete_file ${DESTDIR}/usr/share/shorewall6/lib.common
-    delete_file ${DESTDIR}/usr/share/shorewall6/wait4ifup
+    if [ $PRODUCT = shorewall6 ]; then
+	delete_file ${DESTDIR}/usr/share/shorewall6/lib.cli
+	delete_file ${DESTDIR}/usr/share/shorewall6/lib.common
+	delete_file ${DESTDIR}/usr/share/shorewall6/wait4ifup
+    fi
+
+    delete_file ${DESTDIR}/usr/share/$PRODUCT/prog.header6
+    delete_file ${DESTDIR}/usr/share/$PRODUCT/prog.footer6
 fi
 
-delete_file ${DESTDIR}/usr/share/$PRODUCT/prog.header6
-delete_file ${DESTDIR}/usr/share/$PRODUCT/prog.footer6
-
 #
 # Install the Modules file
 #
@@ -507,7 +509,7 @@ run_install $OWNERSHIP -m 0644 $PRODUCT.conf           ${DESTDIR}${SHAREDIR}/$PR
 run_install $OWNERSHIP -m 0644 $PRODUCT.conf.annotated ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/
 
 if [ ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf ]; then
-    run_install $OWNERSHIP -m 0644 ${PRODUCT}.conf${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf
+    run_install $OWNERSHIP -m 0600 ${PRODUCT}.conf${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf
 
     if [ "$SHAREDIR" != /usr/share -o "$CONFDIR" != /etc ]; then
 	if [ $PRODUCT = shorewall ]; then
@@ -546,7 +548,7 @@ run_install $OWNERSHIP -m 0644 zones           ${DESTDIR}${SHAREDIR}/$PRODUCT/co
 run_install $OWNERSHIP -m 0644 zones.annotated ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/zones ]; then
-    run_install $OWNERSHIP -m 0644 zones${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/zones
+    run_install $OWNERSHIP -m 0600 zones${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/zones
     echo "Zones file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/zones"
 fi
 
@@ -624,7 +626,7 @@ run_install $OWNERSHIP -m 0644 params.annotated ${DESTDIR}${SHAREDIR}/$PRODUCT/c
 if [ -f ${DESTDIR}${CONFDIR}/$PRODUCT/params ]; then
     chmod 0644 ${DESTDIR}${CONFDIR}/$PRODUCT/params
 else
-    run_install $OWNERSHIP -m 0644 params${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/params
+    run_install $OWNERSHIP -m 0600 params${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/params
     echo "Parameter file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/params"
 fi
 
@@ -1018,7 +1020,7 @@ run_install $OWNERSHIP -m 0644 actions           ${DESTDIR}${SHAREDIR}/$PRODUCT/
 run_install $OWNERSHIP -m 0644 actions.annotated ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/actions ]; then
-    run_install $OWNERSHIP -m 0644 actions${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/actions
+    run_install $OWNERSHIP -m 0600 actions${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/actions
     echo "Actions file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/actions"
 fi
 
@@ -1029,7 +1031,7 @@ run_install $OWNERSHIP -m 0644 routes           ${DESTDIR}${SHAREDIR}/$PRODUCT/c
 run_install $OWNERSHIP -m 0644 routes.annotated ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/routes ]; then
-    run_install $OWNERSHIP -m 0644 routes${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/routes
+    run_install $OWNERSHIP -m 0600 routes${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/routes
     echo "Routes file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/routes"
 fi
 
@@ -1076,7 +1078,7 @@ if [ $PRODUCT = shorewall6 ]; then
     # Symbolically link 'functions' to lib.base
     #
     ln -sf lib.base ${DESTDIR}${SHAREDIR}/$PRODUCT/functions
-    [ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${SHAREDIR}/${PRODUCT}/lib.base
+    [ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.base
 fi
 
 if [ -d Perl ]; then

Shorewall/lib.cli-std

@@ -70,15 +70,7 @@ get_config() {
 	# This block is avoided for compile for export and when the user isn't root
 	#
 	if [ "$3" = Yes ]; then
-	    if [ -n "$LOGFILE" ]; then
-		if [ -n "$(syslog_circular_buffer)" ]; then
-		    g_logread="logread | tac"
-		elif [ -r $LOGFILE ]; then
-		    g_logread="tac $LOGFILE"
-		else
-		    fatal_error "LOGFILE ($LOGFILE) does not exist!"
-		fi
-	    fi
+	    setup_logread
 	fi
 
 	if [ $g_family -eq 4 ]; then
@@ -414,7 +406,7 @@ compiler() {
 
     debugflags="-w"
     [ -n "$g_debug" ]   && debugflags='-wd'
-    [ -n "$g_profile" ] && debugflags='-wd:DProf'
+    [ -n "$g_profile" ] && debugflags='-wd:NYTProf'
 
     # Perl compiler only takes the output file as a argument
 
@@ -453,6 +445,8 @@ compiler() {
     [ -n "$g_directives" ] && options="$options --directives"
     [ -n "$g_tcrules" ] && options="$options --tcrules"
     [ -n "$g_inline" ] && options="$options --inline"
+    [ -n "$g_routestopped" ] && options="$options --routestopped"
+    [ -n "$g_notrack" ] && options="$options --notrack"
 
     if [ -n "$PERL" ]; then
 	if [ ! -x "$PERL" ]; then
@@ -463,7 +457,17 @@ compiler() {
 	PERL=/usr/bin/perl
     fi
 
-    [ -n "$g_doing" ] && progress_message3 "$g_doing..."
+    case "$g_doing" in
+	Compiling|Checking)
+	    progress_message3 "$g_doing using $g_product $SHOREWALL_VERSION..."
+	    ;;
+	Updating)
+	    progress_message3 "Updating $g_product configuration to $SHOREWALL_VERSION..."
+	    ;;
+	*)
+	    [ -n "$g_doing" ] && progress_message3 "$g_doing using $g_product $SHOREWALL_VERSION..."
+	    ;;
+    esac
 
     if [ ${PERLLIBDIR} = ${LIBEXECDIR}/shorewall ]; then
 	$PERL $debugflags $pc $options $@
@@ -874,11 +878,21 @@ update_command() {
 			    g_tcrules=Yes
 			    option=${option#t}
 			    ;;
+			s*)
+			    g_routestopped=Yes
+			    option=${option#s}
+			    ;;
+			n*)
+			    g_notrack=Yes
+			    option=${option#n}
+			    ;;
 			A*)
 			    g_inline=Yes
 			    g_convert=Yes
 			    g_directives=Yes
 			    g_tcrules=Yes
+			    g_routestopped=Yes
+			    g_notrack=Yes
 			    option=${option#A}
 			    ;;
 			*)
@@ -915,7 +929,7 @@ update_command() {
 	    ;;
     esac
 
-    g_doing="Updating..."
+    g_doing="Updating"
 
     compiler $g_debugging $nolock check
 }

Shorewall/manpages/shorewall-interfaces.xml

@@ -213,7 +213,7 @@ loc     eth2            -</programlisting>
                 changed; the value assigned to the setting will be the value
                 specified (if any) or 1 if no value is given.</para>
 
-                <para></para>
+                <para/>
 
                 <note>
                   <para>This option does not work with a wild-card
@@ -247,7 +247,7 @@ loc     eth2            -</programlisting>
 
                 <para>8 - do not reply for all local addresses</para>
 
-                <para></para>
+                <para/>
 
                 <note>
                   <para>This option does not work with a wild-card
@@ -255,7 +255,7 @@ loc     eth2            -</programlisting>
                   the INTERFACE column.</para>
                 </note>
 
-                <para></para>
+                <para/>
 
                 <warning>
                   <para>Do not specify <emphasis
@@ -425,7 +425,7 @@ loc     eth2            -</programlisting>
         1
         teastep@lists:~$ </programlisting>
 
-                <para></para>
+                <para/>
 
                 <note>
                   <para>This option does not work with a wild-card
@@ -760,7 +760,7 @@ loc     eth2            -</programlisting>
             </varlistentry>
 
             <varlistentry>
-              <term>unmanaged</term>
+              <term><emphasis role="bold">unmanaged</emphasis></term>
 
               <listitem>
                 <para>Added in Shorewall 4.5.18. Causes all traffic between

Shorewall/manpages/shorewall-mangle.xml

@@ -351,18 +351,18 @@
 
                 <para>The following rules are equivalent:</para>
 
-                <programlisting>2:P             eth0              -         tcp 22
-INLINE(2):P     eth0              -         tcp 22
-INLINE(2):P     eth0              -                 ; -p tcp
-INLINE          eth0              -         tcp 22  ; -j MARK --set-mark 2
-INLINE          eth0              -                 ; -p tcp -j MARK --set-mark 2
+                <programlisting>2:P                   eth0              -         tcp 22
+INLINE(MARK(2)):P     eth0              -         tcp 22
+INLINE(MARK(2)):P     eth0              -                 ; -p tcp
+INLINE                eth0              -         tcp 22  ; -j MARK --set-mark 2
+INLINE                eth0              -                 ; -p tcp -j MARK --set-mark 2
 </programlisting>
 
                 <para>If INLINE_MATCHES=Yes in <ulink
                 url="/manpages/shorewall.conf.html">shorewall6.conf(5)</ulink>
                 then the third rule above can be specified as follows:</para>
 
-                <programlisting>2:P             eth0              -                 ; -p tcp</programlisting>
+                <programlisting>MARK(2):P             eth0              -                 ; -p tcp</programlisting>
               </listitem>
             </varlistentry>
 
@@ -446,7 +446,7 @@ INLINE          eth0              -                 ; -p tcp -j MARK --set-mark
 
                     <member>0xc0a80403 LAND 0xFF = 0x03</member>
 
-                    <member>0x03 LOR 0x0x10100 = 0x10103 or class ID
+                    <member>0x03 LOR 0x10100 = 0x10103 or class ID
                     1:103</member>
                   </simplelist>
                 </blockquote>
@@ -1283,12 +1283,12 @@ Normal-Service       =&gt; 0x00</programlisting>
 
           <programlisting>       #ACTION    SOURCE    DEST         PROTO   PORT(S)       SOURCE  USER    TEST
        #                                                       PORT(S)
-       1:T        0.0.0.0/0 0.0.0.0/0    icmp    echo-request
-       1:T        0.0.0.0/0 0.0.0.0/0    icmp    echo-reply
+       MARK(1):T  0.0.0.0/0 0.0.0.0/0    icmp    echo-request
+       MARK(1):T  0.0.0.0/0 0.0.0.0/0    icmp    echo-reply
        RESTORE:T  0.0.0.0/0 0.0.0.0/0    all     -             -       -       0
        CONTINUE:T 0.0.0.0/0 0.0.0.0/0    all     -             -       -       !0
-       4:T         0.0.0.0/0 0.0.0.0/0   ipp2p:all
-       SAVE:T      0.0.0.0/0 0.0.0.0/0   all     -             -       -       !0</programlisting>
+       MARK(4):T  0.0.0.0/0 0.0.0.0/0   ipp2p:all
+       SAVE:T     0.0.0.0/0 0.0.0.0/0   all     -             -       -       !0</programlisting>
 
           <para>If a packet hasn't been classified (packet mark is 0), copy
           the connection mark to the packet mark. If the packet mark is set,
@@ -1307,9 +1307,9 @@ Normal-Service       =&gt; 0x00</programlisting>
 
           <programlisting>/etc/shorewall/tcrules:
 
-       #ACTION   SOURCE         DEST         PROTO   PORT(S)       SOURCE  USER    TEST
-       #                                                           PORT(S)
-       1-3:CF    192.168.1.0/24 eth0 ; state=NEW
+       #ACTION            SOURCE         DEST         PROTO   PORT(S)       SOURCE  USER    TEST
+       #                                                                    PORT(S)
+       CONNMARK(1-3):F    192.168.1.0/24 eth0 ; state=NEW
 
 /etc/shorewall/masq:
 

Shorewall/manpages/shorewall-rules.xml

@@ -129,8 +129,10 @@
         <term><emphasis role="bold">NEW</emphasis></term>
 
         <listitem>
-          <para>Packets in the NEW, INVALID and UNTRACKED states are processed
-          by rules in this section.</para>
+          <para>Packets in the NEW state are processed by rules in this
+          section. If the INVALID and/or UNTRACKED sections are empty or not
+          included, then the packets in the corresponding state(s) are also
+          processed in this section.</para>
         </listitem>
       </varlistentry>
     </variablelist>
@@ -264,7 +266,8 @@
             </varlistentry>
 
             <varlistentry>
-              <term>AUDIT[(accept|drop|reject)]</term>
+              <term><emphasis
+              role="bold">AUDIT</emphasis>[(accept|drop|reject)]</term>
 
               <listitem>
                 <para>Added in Shorewall 4.5.10. Audits the packet with the
@@ -275,7 +278,11 @@
             </varlistentry>
 
             <varlistentry>
-              <term>A_ACCEPT, A_ACCEPT+ and A_ACCEPT!</term>
+              <term><emphasis role="bold">A_ACCEPT</emphasis>, <emphasis
+              role="bold">A_ACCEPT</emphasis><emphasis
+              role="bold">+</emphasis> and <emphasis
+              role="bold">A_ACCEPT</emphasis><emphasis
+              role="bold">!</emphasis></term>
 
               <listitem>
                 <para>Added in Shorewall 4.4.20. Audited versions of ACCEPT,
@@ -285,7 +292,8 @@
             </varlistentry>
 
             <varlistentry>
-              <term>A_DROP and A_DROP!</term>
+              <term><emphasis role="bold">A_DROP</emphasis> and<emphasis
+              role="bold"> A_DROP!</emphasis></term>
 
               <listitem>
                 <para>Added in Shorewall 4.4.20. Audited versions of DROP and
@@ -295,7 +303,8 @@
             </varlistentry>
 
             <varlistentry>
-              <term>A_REJECT AND A_REJECT!</term>
+              <term><emphasis role="bold">A_REJECT</emphasis> AND <emphasis
+              role="bold">A_REJECT!</emphasis></term>
 
               <listitem>
                 <para>Added in Shorewall 4.4.20. Audited versions of REJECT
@@ -422,7 +431,7 @@
             </varlistentry>
 
             <varlistentry>
-              <term>HELPER</term>
+              <term><emphasis role="bold">HELPER</emphasis></term>
 
               <listitem>
                 <para>Added in Shorewall 4.5.7. This action requires that the
@@ -476,7 +485,8 @@
             </varlistentry>
 
             <varlistentry>
-              <term>IPTABLES({<replaceable>iptables-target</replaceable>
+              <term><emphasis
+              role="bold">IPTABLES</emphasis>({<replaceable>iptables-target</replaceable>
               [<replaceable>option</replaceable> ...])</term>
 
               <listitem>
@@ -583,12 +593,12 @@
 
             <varlistentry>
               <term><emphasis role="bold"><emphasis
-              role="bold">NFQUEUE</emphasis>[([<replaceable>queuenumber1</replaceable>[,<replaceable>queuenumber2</replaceable>][,bypass]]|bypass)]</emphasis></term>
+              role="bold">NFQUEUE!</emphasis>[([<replaceable>queuenumber1</replaceable>[,<replaceable>queuenumber2</replaceable>][,bypass]]|bypass)]</emphasis></term>
 
               <listitem>
                 <para>like NFQUEUE but exempts the rule from being suppressed
                 by OPTIMIZE=1 in <ulink
-                url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
+                url="/manpages6/shorewall6.conf.html">shorewall.conf</ulink>(5).</para>
               </listitem>
             </varlistentry>
 
@@ -665,8 +675,9 @@
             </varlistentry>
 
             <varlistentry>
-              <term>TARPIT [(<emphasis role="bold">tarpit</emphasis> |
-              <emphasis role="bold">honeypot</emphasis> | <emphasis
+              <term><emphasis role="bold">TARPIT</emphasis> [(<emphasis
+              role="bold">tarpit</emphasis> | <emphasis
+              role="bold">honeypot</emphasis> | <emphasis
               role="bold">reset</emphasis>)]</term>
 
               <listitem>

Shorewall/manpages/shorewall.conf.xml

@@ -1507,8 +1507,8 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
         role="bold">d</emphasis>}:]<emphasis>rate</emphasis><emphasis
         role="bold">/</emphasis>{<emphasis
         role="bold">sec</emphasis>|<emphasis
-        role="bold">min</emphasis>|<emphasis
-        role="bold">hour</emphasis>|<emphasis
+        role="bold">second|min</emphasis>|<emphasis
+        role="bold">minute|hour</emphasis>|<emphasis
         role="bold">day</emphasis>}[:<emphasis>burst</emphasis>]]</term>
 
         <listitem>
@@ -1522,6 +1522,10 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
 
           <para>If <replaceable>burst</replaceable> is not specified, then a
           value of 5 is assumed.</para>
+
+          <para>The keywords <emphasis role="bold">second</emphasis> and
+          <emphasis role="bold">minute</emphasis> are accepted beginning with
+          Shorewall 4.6.13.</para>
         </listitem>
       </varlistentry>
 

Shorewall/manpages/shorewall.xml

@@ -825,6 +825,10 @@
 
       <arg><option>-t</option></arg>
 
+      <arg><option>-r</option></arg>
+
+      <arg><option>-n</option></arg>
+
       <arg><option>-A</option></arg>
 
       <arg><replaceable>directory</replaceable></arg>
@@ -2267,7 +2271,7 @@
         <term><emphasis role="bold">update </emphasis> [-<option>b</option>]
         [-<option>d</option>] [-<option>r</option>] [-<option>T</option>]
         [-<option>a</option>] [-<option>D</option>] [-<option>i</option>]
-        [-<option>t</option>] [-<option>A</option>] [
+        [-<option>t</option>] [-r] [-n][-<option>A</option>] [
         <replaceable>directory</replaceable> ]</term>
 
         <listitem>
@@ -2304,19 +2308,21 @@
           updated, the original is saved in a .bak file in the same
           directory.</para>
 
-          <para>The -i option was added in Shorewall 4.6.0 and causes a
-          warning message to be issued if the current line contains
-          alternative input specifications following a semicolon (";"). Such
-          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
-          <ulink
+          <para>The <option>-i</option> option was added in Shorewall 4.6.0
+          and causes a warning message to be issued if the current line
+          contains alternative input specifications following a semicolon
+          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
+          set to Yes in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
 
           <para>The <option>-t</option> option was added in Shorewall 4.6.0.
-          When specified, <option>-t</option> causes <ulink
-          url="shorewall-tcrules.html">shorewall-tcrules(5)</ulink> to be
-          converted to <ulink
+          When specified, <option>-t</option> causes the <emphasis
+          role="bold">tcrules</emphasis> file to be converted to <ulink
           url="shorewall-mangle.html">shorewall-mangle(5)</ulink>. The old
-          file is renamed with a .bak suffix.</para>
+          file is renamed with a .bak suffix. Beginning with Shorewall
+          4.6.12.2, this option also causes the <emphasis
+          role="bold">tos</emphasis> file to be converted to <ulink
+          url="shorewall-mangle.html">shorewall-mangle(5)</ulink>.</para>
 
           <important>
             <para>There are some notable restrictions with the
@@ -2350,9 +2356,24 @@
             </orderedlist>
           </important>
 
+          <para>The <option>-r</option> option was added in Shorewall 4.6.12.
+          When specified, <option>-r</option> causes <ulink
+          url="manpages/shorewall-routestopped.html">shorewall-routestopped(5)</ulink>
+          to be converted to <ulink
+          url="manpages/shorewall-stoppedrules.html">shorewall-stoppedrules(5)</ulink>.
+          The old file is renamed with a .bak suffix.</para>
+
+          <para>The <option>-n</option> option was added in Shorewall 4.6.12.
+          When specified, <option>-n</option> causes <ulink
+          url="manpages/shorewall-routestopped.html">shorewall-notrack(5)</ulink>
+          to be converted to <ulink
+          url="manpages/shorewall-conntrack.html">shorewall-conntrack(5)</ulink>.
+          The old file is renamed with a .bak suffix.</para>
+
           <para>The <option>-A</option> option was added in Shorewall 4.6.0
           and is equivalent to specifying the <option>-b</option>,
-          <option>-D</option> and the <option>-t</option> options.</para>
+          <option>-D</option>, <option>-t,</option> <option>-r</option> and
+          the <option>-n</option> options.</para>
 
           <para>For a description of the other options, see the <emphasis
           role="bold">check</emphasis> command above.</para>

Shorewall/shorewall.service.debian

@@ -0,0 +1,22 @@
+#
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
+#
+#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
+#     Copyright 2015 Tom Eastep <teastep@shorewall.net>
+#
+[Unit]
+Description=Shorewall IPv4 firewall
+Wants=network-online.target
+After=network-online.target
+Conflicts=iptables.service firewalld.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=-/etc/default/shorewall
+StandardOutput=syslog
+ExecStart=/sbin/shorewall $OPTIONS start $STARTOPTIONS
+ExecStop=/sbin/shorewall $OPTIONS stop
+
+[Install]
+WantedBy=basic.target

Shorewall/uninstall.sh

@@ -168,8 +168,8 @@ fi
 
 rm -f ${SBINDIR}/shorewall
 
-if [ -L ${SHAREDIR}/shorewall6/init ]; then
-    FIREWALL=$(readlink -m -q ${SHAREDIR}/shorewall6/init)
+if [ -L ${SHAREDIR}/shorewall/init ]; then
+    FIREWALL=$(readlink -m -q ${SHAREDIR}/shorewall/init)
 elif [ -n "$INITFILE" ]; then
     FIREWALL=${INITDIR}/${INITFILE}
 fi
@@ -188,17 +188,19 @@ if [ -f "$FIREWALL" ]; then
     remove_file $FIREWALL
 fi
 
-if [ -n "$SYSTEMD" ]; then
+if [ -z "${SERVICEDIR}" ]; then
+    SERVICEDIR="$SYSTEMD"
+fi
+if [ -n "$SERVICEDIR" ]; then
     [ $configure -eq 1 ] && systemctl disable ${PRODUCT}
-    rm -f $SYSTEMD/shorewall.service
+    rm -f $SERVICEDIR/shorewall.service
 fi
 
 rm -rf ${SHAREDIR}/shorewall/version
 rm -rf ${CONFDIR}/shorewall
 
 if [ -n "$SYSCONFDIR" ]; then
-    [ -n "$SYSCONFFILE" ] || SYSCONFFILE=${PRODUCT};
-    rm -f ${SYSCONFDIR}/${SYSCONFFILE}
+    [ -n "$SYSCONFFILE" ] && rm -f ${SYSCONFDIR}/${PRODUCT}
 fi
 
 rm -rf ${VARDIR}/shorewall

Shorewall6-lite/manpages/shorewall6-lite.xml

@@ -1024,14 +1024,6 @@
           except that it assumes that the firewall is already started.
           Existing connections are maintained.</para>
 
-          <caution>
-            <para>If your ip6tables ruleset depends on variables that are
-            detected at run-time, either in your params file or by
-            Shorewall-generated code, <command>restore</command> will use the
-            values that were current when the ruleset was saved, which may be
-            different from the current values.</para>
-          </caution>
-
           <para>The <option>-n</option> option causes shorewall6-lite to avoid
           updating the routing table(s).</para>
 
@@ -1064,6 +1056,14 @@
           in <ulink
           url="shorewall.conf.html">shorewall6.conf</ulink>(5).</para>
 
+          <caution>
+            <para>If your ip6tables ruleset depends on variables that are
+            detected at run-time, either in your params file or by
+            Shorewall-generated code, <command>restore</command> will use the
+            values that were current when the ruleset was saved, which may be
+            different from the current values.</para>
+          </caution>
+
           <para>The <option>-C</option> option was added in Shorewall 4.6.5.
           If the <option>-C</option> option was specified during
           <command>shorewall7-lite save</command>, then the counters saved by

Shorewall6-lite/shorewall6-lite.service.debian

@@ -0,0 +1,21 @@
+#
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
+#
+#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
+#
+[Unit]
+Description=Shorewall IPv6 firewall (lite)
+Wants=network-online.target
+After=network-online.target
+Conflicts=ip6tables.service firewalld.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=-/etc/sysconfig/shorewall6-lite
+StandardOutput=syslog
+ExecStart=/sbin/shorewall6-lite $OPTIONS start $STARTOPTIONS
+ExecStop=/sbin/shorewall6-lite $OPTIONS stop
+
+[Install]
+WantedBy=basic.target

Shorewall6-lite/uninstall.sh

@@ -144,16 +144,16 @@ fi
 if [ -f ${SHAREDIR}/shorewall6-lite/version ]; then
     INSTALLED_VERSION="$(cat ${SHAREDIR}/shorewall6-lite/version)"
     if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
-	echo "WARNING: Shorewall Lite Version $INSTALLED_VERSION is installed"
+	echo "WARNING: Shorewall6 Lite Version $INSTALLED_VERSION is installed"
 	echo "         and this is the $VERSION uninstaller."
 	VERSION="$INSTALLED_VERSION"
     fi
 else
-    echo "WARNING: Shorewall Lite Version $VERSION is not installed"
+    echo "WARNING: Shorewall6 Lite Version $VERSION is not installed"
     VERSION=""
 fi
 
-echo "Uninstalling Shorewall Lite $VERSION"
+echo "Uninstalling Shorewall6 Lite $VERSION"
 
 [ -n "$SANDBOX" ] && configure=0
 
@@ -164,7 +164,15 @@ if [ $configure -eq 1 ]; then
 fi
 
 if [ -f ${SHAREDIR}/shorewall6-lite/init ]; then
-    FIREWALL=$(readlink -m -q ${SHAREDIR}/shorewall6-lite/init)
+    if [ $HOST = openwrt ]; then
+	if [ $configure -eq 1 ] && /etc/init.d/shorewall6-lite enabled; then
+	    /etc/init.d/shorewall6-lite disable
+	fi
+	
+	FIREWALL=$(readlink ${SHAREDIR}/shorewall6-lite/init)
+    else
+	FIREWALL=$(readlink -m -q ${SHAREDIR}/shorewall6-lite/init)
+    fi
 elif [ -n "$INITFILE" ]; then
     FIREWALL=${INITDIR}/${INITFILE}
 fi
@@ -185,9 +193,11 @@ if [ -f "$FIREWALL" ]; then
     remove_file $FIREWALL
 fi
 
-if [ -n "$SYSTEMD" ]; then
+[ -z "$SERVICEDIR" ] && SERVICEDIR="$SYSTEMD"
+
+if [ -n "$SERVICEDIR" ]; then
     [ $configure -eq 1 ] && systemctl disable ${PRODUCT}
-    rm -f $SYSTEMD/shorewall6-lite.service
+    rm -f $SERVICEDIR/shorewall6-lite.service
 fi
 
 rm -f ${SBINDIR}/shorewall6-lite
@@ -196,7 +206,7 @@ rm -rf ${VARDIR}/shorewall6-lite
 rm -rf ${SHAREDIR}/shorewall6-lite
 rm -rf ${LIBEXECDIR}/shorewall6-lite
 rm -f  ${CONFDIR}/logrotate.d/shorewall6-lite
-[ -n "$SYSTEMD" ] && rm -f  ${SYSTEMD}/shorewall6-lite.service
+rm -f  ${SYSCONFDIR}/shorewall6-lite
 
 rm -f ${MANDIR}/man5/shorewall6-lite*
 rm -f ${MANDIR}/man8/shorewall6-lite*

Shorewall6/Samples6/Universal/shorewall6.conf

@@ -159,7 +159,7 @@ INLINE_MATCHES=Yes
 
 IPSET_WARNINGS=Yes
 
-IP_FORWARDING=Off
+IP_FORWARDING=keep
 
 KEEP_RT_TABLES=Yes
 

Shorewall6/Samples6/one-interface/shorewall6.conf

@@ -159,7 +159,7 @@ INLINE_MATCHES=Yes
 
 IPSET_WARNINGS=Yes
 
-IP_FORWARDING=Off
+IP_FORWARDING=keep
 
 KEEP_RT_TABLES=Yes
 

Shorewall6/Samples6/three-interfaces/shorewall6.conf

@@ -159,7 +159,7 @@ INLINE_MATCHES=Yes
 
 IPSET_WARNINGS=Yes
 
-IP_FORWARDING=On
+IP_FORWARDING=keep
 
 KEEP_RT_TABLES=Yes
 

Shorewall6/Samples6/two-interfaces/shorewall6.conf

@@ -159,7 +159,7 @@ INLINE_MATCHES=Yes
 
 IPSET_WARNINGS=Yes
 
-IP_FORWARDING=On
+IP_FORWARDING=keep
 
 KEEP_RT_TABLES=Yes
 

Shorewall6/configfiles/shorewall6.conf

@@ -159,7 +159,7 @@ INLINE_MATCHES=No
 
 IPSET_WARNINGS=Yes
 
-IP_FORWARDING=Off
+IP_FORWARDING=keep
 
 KEEP_RT_TABLES=Yes
 

Shorewall6/manpages/shorewall6-hosts.xml

@@ -65,9 +65,7 @@
 
       <varlistentry>
         <term><emphasis role="bold">HOST(S)</emphasis> (hosts)-
-        <emphasis>interface</emphasis>:<option>[</option>{[{<emphasis>address-or-range</emphasis>[<emphasis
-        role="bold">,</emphasis><emphasis>address-or-range</emphasis>]...|<emphasis
-        role="bold">+</emphasis><emphasis>ipset</emphasis>}[<emphasis>exclusion</emphasis>]<option>]</option></term>
+        <emphasis>interface</emphasis>:{<replaceable>address-or-range</replaceable>[,<replaceable>address-or-range</replaceable>]...|+<replaceable>ipset</replaceable>|<option>dynamic</option>}[<replaceable>exclusion</replaceable>]</term>
 
         <listitem>
           <para>The name of an interface defined in the <ulink
@@ -87,7 +85,7 @@
 
             <listitem>
               <para>An IP address range of the form
-              <emphasis>low.address</emphasis>-<emphasis>high.address</emphasis>.
+              [<emphasis>low.address</emphasis>]-[<emphasis>high.address</emphasis>].
               Your kernel and ip6tables must have iprange match
               support.</para>
             </listitem>

Shorewall6/manpages/shorewall6-interfaces.xml

@@ -538,7 +538,7 @@ loc     eth2            -</programlisting>
             </varlistentry>
 
             <varlistentry>
-              <term>unmanaged</term>
+              <term><emphasis role="bold">unmanaged</emphasis></term>
 
               <listitem>
                 <para>Added in Shorewall 4.5.18. Causes all traffic between

Shorewall6/manpages/shorewall6-mangle.xml

@@ -320,6 +320,28 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><emphasis role="bold">HL</emphasis>([<emphasis
+              role="bold">-</emphasis>|<emphasis
+              role="bold">+</emphasis>]<replaceable>number</replaceable>)[:P]</term>
+
+              <listitem>
+                <para>If <emphasis role="bold">+</emphasis> is included,
+                packets matching the rule will have their hop limit
+                incremented by <replaceable>number</replaceable>. Similarly,
+                if <emphasis role="bold">-</emphasis> is included, matching
+                packets have their hop limit decremented by
+                <replaceable>number</replaceable>. If neither <emphasis
+                role="bold">+</emphasis> nor <emphasis
+                role="bold">-</emphasis> is given, the hop limit of matching
+                packets is set to <replaceable>number</replaceable>. The valid
+                range of values for <replaceable>number</replaceable> is
+                1-255. If :P is included, the rule is placed in the mangle
+                PREROUTING chain -- otherwise, it is placed in the FORWARD
+                chain.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis
               role="bold">IMQ</emphasis>(<replaceable>number</replaceable>)</term>
@@ -347,23 +369,23 @@
                 specified at the end of the rule. If the target is not one
                 known to Shorewall, then it must be defined as a builtin
                 action in <ulink
-                url="/manpages6/shorewall6-actions.html">shorewall6-actions</ulink>
+                url="/manpages/shorewall-actions.html">shorewall-actions</ulink>
                 (5).</para>
 
                 <para>The following rules are equivalent:</para>
 
-                <programlisting>2:P             eth0              -         tcp 22
-INLINE(2):P     eth0              -         tcp 22
-INLINE(2):P     eth0              -                 ; -p tcp
-INLINE          eth0              -         tcp 22  ; -j MARK --set-mark 2
-INLINE          eth0              -                 ; -p tcp -j MARK --set-mark 2
+                <programlisting>2:P                   eth0              -         tcp 22
+INLINE(MARK(2)):P     eth0              -         tcp 22
+INLINE(MARK(2)):P     eth0              -                 ; -p tcp
+INLINE                eth0              -         tcp 22  ; -j MARK --set-mark 2
+INLINE                eth0              -                 ; -p tcp -j MARK --set-mark 2
 </programlisting>
 
                 <para>If INLINE_MATCHES=Yes in <ulink
-                url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)
+                url="/manpages/shorewall.conf.html">shorewall6.conf(5)</ulink>
                 then the third rule above can be specified as follows:</para>
 
-                <programlisting>2:P             eth0              -                 ; -p tcp</programlisting>
+                <programlisting>MARK(2):P             eth0              -                 ; -p tcp</programlisting>
               </listitem>
             </varlistentry>
 
@@ -447,7 +469,7 @@ INLINE          eth0              -                 ; -p tcp -j MARK --set-mark
 
                     <member>0xc0a80403 LAND 0xFF = 0x03</member>
 
-                    <member>0x03 LOR 0x0x10100 = 0x10103 or class ID
+                    <member>0x03 LOR 0x10100 = 0x10103 or class ID
                     1:103</member>
                   </simplelist>
                 </blockquote>
@@ -665,53 +687,7 @@ Normal-Service       =&gt; 0x00</programlisting>
                 </itemizedlist>
               </listitem>
             </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">TTL</emphasis>([<emphasis
-              role="bold">-</emphasis>|<emphasis
-              role="bold">+</emphasis>]<replaceable>number</replaceable>)</term>
-
-              <listitem>
-                <para>If <emphasis role="bold">+</emphasis> is included,
-                packets matching the rule will have their TTL incremented by
-                <replaceable>number</replaceable>. Similarly, if <emphasis
-                role="bold">-</emphasis> is included, matching packets have
-                their TTL decremented by <replaceable>number</replaceable>. If
-                neither <emphasis role="bold">+</emphasis> nor <emphasis
-                role="bold">-</emphasis> is given, the TTL of matching packets
-                is set to <replaceable>number</replaceable>. The valid range
-                of values for <replaceable>number</replaceable> is
-                1-255.</para>
-              </listitem>
-            </varlistentry>
           </variablelist>
-
-          <orderedlist numeration="arabic">
-            <listitem>
-              <para><emphasis role="bold">TTL</emphasis>([<emphasis
-              role="bold">-</emphasis>|<emphasis
-              role="bold">+</emphasis>]<replaceable>number</replaceable>)</para>
-
-              <para>Added in Shorewall 4.4.24.</para>
-
-              <para>Prior to Shorewall 4.5.7.2, may be optionally followed by
-              <emphasis role="bold">:F</emphasis> but the resulting rule is
-              always added to the FORWARD chain. Beginning with Shorewall
-              4.5.7.s, it may be optionally followed by <emphasis
-              role="bold">:P</emphasis>, in which case the rule is added to
-              the PREROUTING chain.</para>
-
-              <para>If <emphasis role="bold">+</emphasis> is included, packets
-              matching the rule will have their TTL incremented by
-              <replaceable>number</replaceable>. Similarly, if <emphasis
-              role="bold">-</emphasis> is included, matching packets have
-              their TTL decremented by <replaceable>number</replaceable>. If
-              neither <emphasis role="bold">+</emphasis> nor <emphasis
-              role="bold">-</emphasis> is given, the TTL of matching packets
-              is set to <replaceable>number</replaceable>. The valid range of
-              values for <replaceable>number</replaceable> is 1-255.</para>
-            </listitem>
-          </orderedlist>
         </listitem>
       </varlistentry>
 

Shorewall6/manpages/shorewall6-rules.xml

@@ -122,8 +122,10 @@
         <term><emphasis role="bold">NEW</emphasis></term>
 
         <listitem>
-          <para>Packets in the NEW, INVALID and UNTRACKED states are processed
-          by rules in this section.</para>
+          <para>Packets in the NEW state are processed by rules in this
+          section. If the INVALID and/or UNTRACKED sections are empty or not
+          included, then the packets in the corresponding state(s) are also
+          processed in this section.</para>
         </listitem>
       </varlistentry>
     </variablelist>
@@ -237,7 +239,8 @@
             </varlistentry>
 
             <varlistentry>
-              <term>AUDIT[(accept|drop|reject)]</term>
+              <term><emphasis
+              role="bold">AUDIT</emphasis>[(accept|drop|reject)]</term>
 
               <listitem>
                 <para>Added in Shorewall 4.5.10. Audits the packet with the
@@ -248,7 +251,8 @@
             </varlistentry>
 
             <varlistentry>
-              <term>A_ACCEPT, and A_ACCEPT!</term>
+              <term><emphasis role="bold">A_ACCEPT</emphasis>, and <emphasis
+              role="bold">A_ACCEPT!</emphasis></term>
 
               <listitem>
                 <para>Added in Shorewall 4.4.20. Audited versions of ACCEPT
@@ -258,7 +262,8 @@
             </varlistentry>
 
             <varlistentry>
-              <term>A_DROP and A_DROP!</term>
+              <term><emphasis role="bold">A_DROP</emphasis> and <emphasis
+              role="bold">A_DROP!</emphasis></term>
 
               <listitem>
                 <para>Added in Shorewall 4.4.20. Audited versions of DROP and
@@ -268,7 +273,8 @@
             </varlistentry>
 
             <varlistentry>
-              <term>A_REJECT AND A_REJECT!</term>
+              <term><emphasis role="bold">A_REJECT</emphasis> AND<emphasis
+              role="bold"> A_REJECT!</emphasis></term>
 
               <listitem>
                 <para>Added in Shorewall 4.4.20. Audited versions of REJECT
@@ -396,7 +402,7 @@
             </varlistentry>
 
             <varlistentry>
-              <term>HELPER</term>
+              <term><emphasis role="bold">HELPER</emphasis></term>
 
               <listitem>
                 <para>Added in Shorewall 4.5.7. This action requires that the
@@ -450,7 +456,8 @@
             </varlistentry>
 
             <varlistentry>
-              <term>IP6TABLES({<replaceable>ip6tables-target</replaceable>
+              <term><emphasis
+              role="bold">IP6TABLES</emphasis>({<replaceable>ip6tables-target</replaceable>
               [<replaceable>option</replaceable> ...])</term>
 
               <listitem>
@@ -558,7 +565,7 @@
 
             <varlistentry>
               <term><emphasis role="bold"><emphasis
-              role="bold">NFQUEUE</emphasis>[([<replaceable>queuenumber1</replaceable>[,<replaceable>queuenumber2</replaceable>][,bypass]]|bypass)]</emphasis></term>
+              role="bold">NFQUEUE</emphasis>![([<replaceable>queuenumber1</replaceable>[,<replaceable>queuenumber2</replaceable>][,bypass]]|bypass)]</emphasis></term>
 
               <listitem>
                 <para>like NFQUEUE but exempts the rule from being suppressed
@@ -642,8 +649,9 @@
             </varlistentry>
 
             <varlistentry>
-              <term>TARPIT [(<emphasis role="bold">tarpit</emphasis> |
-              <emphasis role="bold">honeypot</emphasis> | <emphasis
+              <term><emphasis role="bold">TARPIT</emphasis> [(<emphasis
+              role="bold">tarpit</emphasis> | <emphasis
+              role="bold">honeypot</emphasis> | <emphasis
               role="bold">reset</emphasis>)]</term>
 
               <listitem>

Shorewall6/manpages/shorewall6.conf.xml

@@ -1322,8 +1322,8 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
         role="bold">d</emphasis>}:]<emphasis>rate</emphasis><emphasis
         role="bold">/</emphasis>{<emphasis
         role="bold">sec</emphasis>|<emphasis
-        role="bold">min</emphasis>|<emphasis
-        role="bold">hour</emphasis>|<emphasis
+        role="bold">second|min</emphasis>|<emphasis
+        role="bold">minute|hour</emphasis>|<emphasis
         role="bold">day</emphasis>}[:<emphasis>burst</emphasis>]]</term>
 
         <listitem>
@@ -1337,6 +1337,10 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
 
           <para>If <replaceable>burst</replaceable> is not specified, then a
           value of 5 is assumed.</para>
+
+          <para>The keywords <emphasis role="bold">second</emphasis> and
+          <emphasis role="bold">minute</emphasis> are accepted beginning with
+          Shorewall 4.6.13.</para>
         </listitem>
       </varlistentry>
 

Shorewall6/manpages/shorewall6.xml

@@ -755,6 +755,10 @@
 
       <arg><option>-t</option></arg>
 
+      <arg><option>-r</option></arg>
+
+      <arg><option>-n</option></arg>
+
       <arg><option>-A</option></arg>
 
       <arg><replaceable>directory</replaceable></arg>
@@ -2133,24 +2137,24 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">update </emphasis>[-<option>b</option>]
+        <term><emphasis role="bold">update </emphasis> [-<option>b</option>]
         [-<option>d</option>] [-<option>r</option>] [-<option>T</option>]
         [-<option>a</option>] [-<option>D</option>] [-<option>i</option>]
-        [-<option>t</option>] [-<option>A</option>] [
+        [-<option>t</option>] [-r] [-n][-<option>A</option>] [
         <replaceable>directory</replaceable> ]</term>
 
         <listitem>
           <para>Added in Shorewall 4.4.21 and causes the compiler to update
-          <filename>/etc/shorewall6/shorewall6.conf</filename> then validate
-          the configuration. The update will add options not present in the
-          existing file with their default values, and will move deprecated
+          <filename>/etc/shorewall/shorewall.conf then validate the
+          configuration</filename>. The update will add options not present in
+          the old file with their default values, and will move deprecated
           options with non-defaults to a deprecated options section at the
           bottom of the file. Your existing
-          <filename>shorewall6.conf</filename> file is renamed
-          <filename>shorewall6.conf.bak</filename>.</para>
+          <filename>shorewall.conf</filename> file is renamed
+          <filename>shorewall.conf.bak.</filename></para>
 
           <para>The <option>-a</option> option causes the updated
-          <filename>shorewall6.conf</filename> file to be annotated with
+          <filename>shorewall.conf</filename> file to be annotated with
           documentation.</para>
 
           <para>The <option>-b</option> option was added in Shorewall 4.4.26
@@ -2169,7 +2173,7 @@
           <para>The <option>-D</option> option was added in Shorewall 4.5.11.
           When this option is specified, the compiler will walk through the
           directories in the CONFIG_PATH replacing FORMAT and COMMENT entries
-          to compiler directives (e.g., ?FORMAT and ?COMMENT). When a file is
+          to compiler directives (e.g., ?FORMAT and ?COMMENT. When a file is
           updated, the original is saved in a .bak file in the same
           directory.</para>
 
@@ -2178,14 +2182,16 @@
           contains alternative input specifications following a semicolon
           (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
           set to Yes in <ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
+          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
 
           <para>The <option>-t</option> option was added in Shorewall 4.6.0.
-          When specified, <option>-t</option> causes <ulink
-          url="shorewall6-tcrules.html">shorewall6-tcrules(5)</ulink> to be
-          converted to <ulink
+          When specified, <option>-t</option> causes the <emphasis
+          role="bold">tcrules</emphasis> file to be converted to <ulink
           url="shorewall6-mangle.html">shorewall6-mangle(5)</ulink>. The old
-          file is renamed with a .bak suffix.</para>
+          file is renamed with a .bak suffix. Beginning with Shorewall
+          4.6.12.2, this option also causes the <emphasis
+          role="bold">tos</emphasis> file to be converted to <ulink
+          url="shorewall6-mangle.html">shorewall6-mangle(5)</ulink>.</para>
 
           <important>
             <para>There are some notable restrictions with the
@@ -2197,7 +2203,7 @@
                 <filename>mangle</filename> file; if there is no
                 <filename>mangle</filename> file in the CONFIG_PATH, one will
                 be created in <filename
-                class="directory">/etc/shorewall6</filename>.</para>
+                class="directory">/etc/shorewall</filename>.</para>
               </listitem>
 
               <listitem>
@@ -2219,9 +2225,24 @@
             </orderedlist>
           </important>
 
+          <para>The <option>-r</option> option was added in Shorewall 4.6.12.
+          When specified, <option>-r</option> causes <ulink
+          url="manpages6/shorewall6-routestopped.html">shorewall6-routestopped(5)</ulink>
+          to be converted to <ulink
+          url="manpages6/shorewall6-stoppedrules.html">shorewall6-stoppedrules(5)</ulink>.
+          The old file is renamed with a .bak suffix.</para>
+
+          <para>The <option>-n</option> option was added in Shorewall 4.6.12.
+          When specified, <option>-n</option> causes <ulink
+          url="manpages6/shorewall6-routestopped.html">shorewall6-notrack(5)</ulink>
+          to be converted to <ulink
+          url="manpages6/shorewall6-conntrack.html">shorewall6-conntrack(5)</ulink>.
+          The old file is renamed with a .bak suffix.</para>
+
           <para>The <option>-A</option> option was added in Shorewall 4.6.0
           and is equivalent to specifying the <option>-b</option>,
-          <option>-D</option> and the <option>-t</option> options.</para>
+          <option>-D</option>, <option>-t,</option> <option>-r</option> and
+          the <option>-n</option> options.</para>
 
           <para>For a description of the other options, see the <emphasis
           role="bold">check</emphasis> command above.</para>

Shorewall6/shorewall6.service.debian

@@ -0,0 +1,22 @@
+#
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
+#
+#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
+#     Copyright 2015 Tom Eastep <teastep@shorewall.net>
+#
+[Unit]
+Description=Shorewall IPv6 firewall
+Wants=network-online.target
+After=network-online.target
+Conflicts=ip6tables.service firewalld.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=-/etc/default/shorewall6
+StandardOutput=syslog
+ExecStart=/sbin/shorewall6 $OPTIONS start $STARTOPTIONS
+ExecStop=/sbin/shorewall6 $OPTIONS stop
+
+[Install]
+WantedBy=basic.target

Shorewall6/uninstall.sh

@@ -184,9 +184,18 @@ if [ -f "$FIREWALL" ]; then
     remove_file $FIREWALL
 fi
 
-if [ -n "$SYSTEMD" ]; then
+[ -n "$SERVICEDIR" ] || SERVICEDIR=${SYSTEMD}
+
+if [ -n "$SERVICEDIR" ]; then
     [ $configure -eq 1 ] && systemctl disable ${PRODUCT}
-    rm -f $SYSTEMD/shorewall6.service
+    rm -f $SERVICEDIR/shorewall6.service
+fi
+
+rm -rf ${SHAREDIR}/shorewall6/version
+rm -rf ${CONFDIR}/shorewall6
+
+if [ -n "$SYSCONFDIR" ]; then
+    [ -n "$SYSCONFFILE" ] && rm -f ${SYSCONFDIR}/${PRODUCT}
 fi
 
 rm -f ${SBINDIR}/shorewall6

docs/Documentation_Index.xml

@@ -74,7 +74,7 @@
   <section>
     <title>Documentation for Earlier Versions</title>
 
-    <para><ulink url="4.2/Documentation_Index.html">Shorewall 4.0/4.2
+    <para><ulink url="/4.2/Documentation_Index.html">Shorewall 4.0/4.2
     Documentation</ulink></para>
   </section>
 
@@ -327,7 +327,7 @@
             <entry><ulink url="PortKnocking.html">Port Knocking
             (deprecated)</ulink></entry>
 
-            <entry></entry>
+            <entry/>
           </row>
 
           <row>
@@ -337,7 +337,7 @@
             <entry><ulink url="Events.html">Port Knocking, Auto Blacklisting
             and Other Uses of the 'Recent Match'</ulink></entry>
 
-            <entry></entry>
+            <entry/>
           </row>
 
           <row>
@@ -345,7 +345,7 @@
 
             <entry><ulink url="PPTP.htm">PPTP</ulink></entry>
 
-            <entry></entry>
+            <entry/>
           </row>
 
           <row>
@@ -354,7 +354,7 @@
 
             <entry><ulink url="ProxyARP.htm">Proxy ARP</ulink></entry>
 
-            <entry></entry>
+            <entry/>
           </row>
 
           <row>
@@ -364,7 +364,7 @@
             <entry><ulink url="shorewall_quickstart_guide.htm">QuickStart
             Guides</ulink></entry>
 
-            <entry></entry>
+            <entry/>
           </row>
 
           <row>
@@ -373,7 +373,7 @@
 
             <entry><ulink url="NewRelease.html">Release Model</ulink></entry>
 
-            <entry></entry>
+            <entry/>
           </row>
 
           <row>
@@ -382,7 +382,7 @@
             <entry><ulink
             url="shorewall_prerequisites.htm">Requirements</ulink></entry>
 
-            <entry></entry>
+            <entry/>
           </row>
 
           <row>
@@ -391,7 +391,7 @@
             <entry><ulink url="Shorewall_and_Routing.html">Routing and
             Shorewall</ulink></entry>
 
-            <entry></entry>
+            <entry/>
           </row>
 
           <row>
@@ -400,7 +400,7 @@
             <entry><ulink url="Multiple_Zones.html">Routing on One
             Interface</ulink></entry>
 
-            <entry></entry>
+            <entry/>
           </row>
 
           <row>
@@ -408,7 +408,7 @@
 
             <entry><ulink url="samba.htm">Samba</ulink></entry>
 
-            <entry></entry>
+            <entry/>
           </row>
 
           <row>
@@ -417,7 +417,7 @@
 
             <entry><ulink url="Events.html">Shorewall Events</ulink></entry>
 
-            <entry></entry>
+            <entry/>
           </row>
 
           <row>
@@ -427,7 +427,7 @@
             <entry><ulink url="Shorewall-init.html">Shorewall
             Init</ulink></entry>
 
-            <entry></entry>
+            <entry/>
           </row>
 
           <row>
@@ -437,7 +437,7 @@
             <entry><ulink url="Shorewall-Lite.html">Shorewall
             Lite</ulink></entry>
 
-            <entry></entry>
+            <entry/>
           </row>
         </tbody>
       </tgroup>

docs/Introduction.xml

@@ -121,13 +121,12 @@
 
       <itemizedlist>
         <listitem>
-          <para><ulink
-          url="http://www.kmyfirewall.org/">kmyfirewall</ulink></para>
+          <para><ulink url="https://help.ubuntu.com/community/UFW">UFW
+          (Uncomplicated Firewall)</ulink></para>
         </listitem>
 
         <listitem>
-          <para><ulink
-          url="http://www.fs-security.com/">firestarter</ulink></para>
+          <para><ulink url="http://www.ipcop.org">ipcop</ulink></para>
         </listitem>
       </itemizedlist>
 

docs/MultiISP.xml

@@ -911,7 +911,7 @@ eth1             0.0.0.0/0         130.252.99.27</programlisting>
       <para>Now suppose that you want to route all outgoing SMTP traffic from
       your local network through ISP 2. If you are running Shorewall 4.6.0 or
       later, you would make this entry in <ulink
-      url="traffic_shaping.htm">/etc/shorewall/mangle</ulink>.</para>
+      url="manpages/shorewall-mangle.html">/etc/shorewall/mangle</ulink>.</para>
 
       <programlisting>#ACTION         SOURCE          DEST            PROTO   PORT(S) CLIENT  USER    TEST
 #                                                               PORT(S)
@@ -1950,9 +1950,9 @@ ONBOOT=yes</programlisting>
       url="manpages/shorewall-providers.html">shorewall-providers</ulink> (5)
       is available in the form of a PROBABILITY column in <ulink
       url="manpages/shorewall-mangle.html">shorewall-mangle</ulink>(5) (<ulink
-      url="???">shorewall-tcrules</ulink>) (5). This feature requires the
-      <firstterm>Statistic Match</firstterm> capability in your iptables and
-      kernel.</para>
+      url="manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>) (5).
+      This feature requires the <firstterm>Statistic Match</firstterm>
+      capability in your iptables and kernel.</para>
 
       <para>This method works when there are multiple links to the same ISP
       where both links have the same default gateway.</para>
@@ -2579,7 +2579,9 @@ MARK(2)               $FW             0.0.0.0/0       tcp     21
 MARK(2)               $FW             0.0.0.0/0       tcp     -               -       -       -       -       -       -               ftp
 MARK(2)               $FW             0.0.0.0/0       tcp     119</programlisting></para>
 
-      <para>Here are the equivalent tcrules entries:</para>
+      <para>If you are still using a tcrules file, you should consider
+      switching to using a mangle file (<command>shorewall update -t</command>
+      will do that for you). Here are the equivalent tcrules entries:</para>
 
       <programlisting>#MARK           SOURCE          DEST            PROTO   PORT(S)         CLIENT  USER    TEST    LENGTH  TOS     CONNBYTES       HELPER
 #                                                                       PORT(S) 

docs/Shorewall_Squid_Usage.xml

@@ -246,7 +246,10 @@ Squid   1       202     -               eth1            192.168.1.3     loose,no
 #                                                       PORT(S)
 MARK(202):P    eth1:!192.168.1.3   0.0.0.0/0   tcp      80</programlisting>
 
-            <para>Corresponding /etc/shorewall/tcrules entries are:</para>
+            <para>If you are still using a tcrules file, you should consider
+            switching to using a mangle file (<command>shorewall update
+            -t</command> will do that for you). Corresponding
+            /etc/shorewall/tcrules entries are:</para>
 
             <programlisting>#MARK    SOURCE              DEST        PROTO    DEST
 #                                                 PORT(S)

docs/shorewall_quickstart_guide.xml

@@ -71,29 +71,22 @@
       running quickly in the three most common Shorewall configurations. If
       you want to learn more about Shorewall than is explained in these simple
       guides then the <ulink url="shorewall_setup_guide.htm">Shorewall Setup
-      Guide</ulink> (<ulink url="shorewall_setup_guide_fr.htm">Version
-      Française</ulink>) is for you.<itemizedlist>
+      Guide</ulink> is for you.<itemizedlist>
           <listitem>
-            <para><ulink url="standalone.htm">Standalone</ulink> Linux System
-            (<ulink url="standalone_fr.html">Version Française</ulink>) <ulink
-            url="standalone_ru.html">(Russian Version)</ulink> <ulink
-            url="standalone_es.html">Version en Español</ulink></para>
+            <para><ulink url="standalone.htm">Standalone</ulink> Linux
+            System</para>
           </listitem>
 
           <listitem>
             <para><ulink url="two-interface.htm">Two-interface</ulink> Linux
-            System acting as a firewall/router for a small local network
-            (<ulink url="two-interface_fr.html">Version Française</ulink>)
-            (<ulink url="two-interface_ru.html">Russian
-            Version</ulink>)</para>
+            System acting as a firewall/router for a small local
+            network</para>
           </listitem>
 
           <listitem>
             <para><ulink url="three-interface.htm">Three-interface</ulink>
             Linux System acting as a firewall/router for a small local network
-            and a DMZ.. (<ulink url="three-interface_fr.html">Version
-            Française</ulink>) (<ulink url="three-interface_ru.html">Russian
-            Version</ulink>)</para>
+            and a DMZ</para>
           </listitem>
         </itemizedlist></para>
     </section>
@@ -103,11 +96,10 @@
       address</title>
 
       <para>The <ulink url="shorewall_setup_guide.htm">Shorewall Setup
-      Guide</ulink> (<ulink url="shorewall_setup_guide_fr.htm">Version
-      Française</ulink>) outlines the steps necessary to set up a firewall
-      where there are multiple public IP addresses involved or if you want to
-      learn more about Shorewall than is explained in the single-address
-      guides above.</para>
+      Guide</ulink> outlines the steps necessary to set up a firewall where
+      there are multiple public IP addresses involved or if you want to learn
+      more about Shorewall than is explained in the single-address guides
+      above.</para>
     </section>
   </section>
 </article>

docs/starting_and_stopping_shorewall.xml

@@ -204,78 +204,57 @@
   <section id="Trace">
     <title>Tracing Command Execution and other Debugging Aids</title>
 
-    <para>If you include the word <emphasis role="bold">trace</emphasis> as
-    the first parameter to an <filename>/sbin/shorewall</filename> command
-    that transfers control to
-    <filename>/usr/share/shorewall/firewall</filename>, execution of the
-    latter program will be traced to STDERR.</para>
+    <para>Shorewall includes features for tracing and debugging. Commands
+    involving the compiler can have the word <emphasis
+    role="bold">trace</emphasis> inserted immediately after the
+    command.</para>
 
-    <example id="trace">
-      <title>Tracing <command>shorewall start</command></title>
+    <para>Example:</para>
 
-      <para>To trace the execution of <command>shorewall start</command> and
-      write the trace to the file <filename>/tmp/trace</filename>, you would
-      enter:<programlisting><command>shorewall trace start 2&gt; /tmp/trace</command></programlisting><note>
-          <para>The <emphasis role="bold">trace</emphasis> keyword does not
-          result in a trace of the execution of the Shorewall rules compiler.
-          It rather causes additional diagnostic information to be included in
-          warning and error messages generated by the compiler.</para>
-        </note></para>
+    <programlisting>shorewall trace check -r</programlisting>
 
-      <para>You may also include the word <emphasis
-      role="bold">debug</emphasis> as the first argument to the
-      <filename>/sbin/shorewall</filename> and
-      <filename>/sbin/shorewall-lite</filename> commands.<programlisting><command>shorewall debug restart</command></programlisting>In
-      most cases, <emphasis role="bold">debug</emphasis> is a synonym for
-      <emphasis role="bold">trace</emphasis>. The exceptions are:</para>
+    <para>This produces a large amount of diagnostic output to standard out
+    during the compilation step. If entered on a command that doesn't invoke
+    the compiler, <emphasis role="bold">trace</emphasis> is ignored.</para>
+
+    <para>Commands that invoke a compiled fireawll script can have the word
+    debug inserted immediately after the command.</para>
+
+    <para>Example:</para>
+
+    <programlisting>shorewall debug restart</programlisting>
+
+    <para><emphasis role="bold">debug</emphasis> causes altered behavior of
+    scripts generated by the Shorewall compiler. These scripts normally use
+    ip[6]tables-restore to install the Netfilter ruleset, but with debug, the
+    commands normally passed to iptables-restore in its input file are passed
+    individually to ip[6]tables. This is a diagnostic aid which allows
+    identifying the individual command that is causing ip[6]tables-restore to
+    fail; it should be used when ip[6]tables-restore fails when executing a
+    COMMIT command.</para>
+
+    <warning>
+      <para>The debug feature is strictly for problem analysis. When debug is
+      used:</para>
 
       <itemizedlist>
         <listitem>
-          <para><emphasis role="bold">debug</emphasis> is ignored by the
-          Shorewall-perl compiler.</para>
+          <para>The firewall is made 'wide open' before the rules are
+          applied.</para>
         </listitem>
 
         <listitem>
-          <para><emphasis role="bold">debug</emphasis> causes altered behavior
-          of scripts generated by the Shorewall-perl compiler. These scripts
-          normally use<command> iptables-restore</command> to install the
-          Netfilter ruleset but with <emphasis role="bold">debug</emphasis>,
-          the commands normally passed to <command>iptables-restore</command>
-          in its input file are passed individually to
-          <command>iptables</command>. This is a diagnostic aid which allows
-          identifying the individual command that is causing
-          <command>iptables-restore</command> to fail; it should be used when
-          iptables-restore fails when executing a <command>COMMIT</command>
-          command.</para>
+          <para>The <filename>stoppedrules</filename> file is not
+          consulted.</para>
+        </listitem>
+
+        <listitem>
+          <para>The rules are applied in the canonical ip[6]tables-restore
+          order. So if you need critical hosts to be always available during
+          start/restart, you may not be able to use debug.</para>
         </listitem>
       </itemizedlist>
-
-      <para><warning>
-          <para>The <emphasis role="bold">debug</emphasis> feature is strictly
-          for problem analysis. When <emphasis role="bold">debug</emphasis> is
-          used:</para>
-
-          <orderedlist>
-            <listitem>
-              <para>The firewall is made 'wide open' before the rules are
-              applied.</para>
-            </listitem>
-
-            <listitem>
-              <para>The <filename>routestopped</filename> file is not
-              consulted.</para>
-            </listitem>
-
-            <listitem>
-              <para>The rules are applied in the canonical
-              <command>iptables-restore</command> order. So if you need
-              critical hosts to be always available during start/restart, you
-              may not be able to use <emphasis
-              role="bold">debug</emphasis>.</para>
-            </listitem>
-          </orderedlist>
-        </warning></para>
-    </example>
+    </warning>
   </section>
 
   <section id="Boot">
@@ -629,7 +608,7 @@
 
     <para>The Shorewall State Diagram is depicted below.</para>
 
-    <para><graphic align="center" fileref="images/State_Diagram.png" /></para>
+    <para><graphic align="center" fileref="images/State_Diagram.png"/></para>
 
     <informaltable>
       <tgroup cols="3">
@@ -725,7 +704,7 @@
             unsuccessful then firewall start (standard configuration) If
             timeout then firewall restart (standard configuration)</entry>
 
-            <entry></entry>
+            <entry/>
           </row>
         </tbody>
       </tgroup>