Delete main default routes when there are 'load=' or 'fallback=' interfaces

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/configure

@@ -102,7 +102,7 @@ if [ -z "$vendor" ]; then
 		vendor=redhat
 		;;
 	    debian|ubuntu)
-		vendor=debian
+		ls -l /sbin/init |fgrep -q systemd | vendor=debian.systemd | vendor=debian.sysvinit
 		;;
 	    opensuse)
 		vendor=suse
@@ -130,7 +130,7 @@ if [ -z "$vendor" ]; then
 	*)
 	    if [ -f /etc/debian_version ]; then
 		params[HOST]=debian
-		rcfile=shorewallrc.debian
+		rcfile=shorewallrc.debian.sysvinit
 	    elif [ -f /etc/redhat-release ]; then
 		params[HOST]=redhat
 		rcfile=shorewallrc.redhat

Shorewall-core/configure.pl

@@ -68,14 +68,16 @@ unless ( defined $vendor ) {
 	    $vendor = 'redhat';
 	} elsif ( $id eq 'opensuse' ) {
 	    $vendor = 'suse';
-	} elsif ( $id eq 'ubuntu' ) {
-	    $vendor = 'debian';
+	} elsif ( $id eq 'ubuntu' || $id eq 'debian' ) {
+	    my $init = `ls -l /sbin/init`;
+	    $vendor = $init =~ /systemd/ ? 'debian.systemd' : 'debian.sysvinit';
 	} else {
 	    $vendor = $id;
 	}
     }
 
     $params{HOST} = $vendor;
+    $params{HOST} =~ s/\..*//;
 }
 
 if ( defined $vendor ) {
@@ -84,7 +86,7 @@ if ( defined $vendor ) {
 } else {
     if ( -f '/etc/debian_version' ) {
 	$vendor = 'debian';
-	$rcfilename = 'shorewallrc.debian';
+	$rcfilename = 'shorewallrc.debian.sysvinit';
     } elsif ( -f '/etc/redhat-release' ){
 	$vendor = 'redhat';
 	$rcfilename = 'shorewallrc.redhat';
@@ -117,7 +119,7 @@ my @abbr = qw( Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec );
 if ( $vendor eq 'linux' ) {
     printf "INFO: Creating a generic Linux installation - %s %2d %04d %02d:%02d:%02d\n\n", $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];;
 } else {
-    printf "INFO: Creating a %s-specific installation - %s %2d %04d %02d:%02d:%02d\n\n", $vendor, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];;
+    printf "INFO: Creating a %s-specific installation - %s %2d %04d %02d:%02d:%02d\n\n", $params{HOST}, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];;
 }
 
 open $rcfile, '<', $rcfilename or die "Unable to open $rcfilename for input: $!";

Shorewall-core/lib.base

@@ -75,6 +75,24 @@ elif [ -z "${VARDIR}" ]; then
     VARDIR="${VARLIB}/${PRODUCT}"
 fi
 
+#
+# Fatal Error
+#
+fatal_error() # $@ = Message
+{
+    echo "   ERROR: $@" >&2
+    exit 2
+}
+
+#
+# Not configured Error
+#
+not_configured_error() # $@ = Message
+{
+    echo "   ERROR: $@" >&2
+    exit 6
+}
+
 #
 # Conditionally produce message
 #

Shorewall-core/lib.cli

@@ -3974,7 +3974,7 @@ usage() # $1 = exit status
     echo "   status [ -i ]"
     echo "   stop"
     ecko "   try <directory> [ <timeout> ]"
-    ecko "   update [ -a ] [ -b ] [ -r ] [ -T ]  [ -D ] [ -i ] [-t] [-A] [ <directory> ]"
+    ecko "   update [ -a ] [ -b ] [ -r ] [ -T ]  [ -D ] [ -i ] [-t] [-s] [-n] [-A] [ <directory> ]"
     echo "   version [ -a ]"
     echo
     exit $1
@@ -4027,6 +4027,8 @@ shorewall_cli() {
     g_counters=
     g_loopback=
     g_compiled=
+    g_routestopped=
+    g_notrack=
 
     VERBOSE=
     VERBOSITY=1

Shorewall-core/lib.common

@@ -70,24 +70,6 @@ startup_error() # $* = Error Message
     exit 2
 }
 
-#
-# Fatal Error
-#
-fatal_error() # $@ = Message
-{
-    echo "   ERROR: $@" >&2
-    exit 2
-}
-
-#
-# Not configured Error
-#
-not_configured_error() # $@ = Message
-{
-    echo "   ERROR: $@" >&2
-    exit 6
-}
-
 #
 # Get the Shorewall version of the passed script
 #

Shorewall-core/shorewallrc.debian.systemd

@@ -0,0 +1,23 @@
+#
+# Debian Shorewall 4.5 rc file
+#
+BUILD=					#Default is to detect the build system
+HOST=debian
+PREFIX=/usr				#Top-level directory for shared files, libraries, etc.
+SHAREDIR=${PREFIX}/share		#Directory for arch-neutral files.
+LIBEXECDIR=${PREFIX}/share		#Directory for executable scripts.
+PERLLIBDIR=${PREFIX}/share/shorewall	#Directory to install Shorewall Perl module directory
+CONFDIR=/etc				#Directory where subsystem configurations are installed
+SBINDIR=/sbin				#Directory where system administration programs are installed
+MANDIR=${PREFIX}/share/man		#Directory where manpages are installed.
+INITDIR=				#Directory where SysV init scripts are installed.
+INITFILE=				#Name of the product's installed SysV init script
+INITSOURCE=init.debian.sh		#Name of the distributed file to be installed as the SysV init script
+ANNOTATED=				#If non-zero, annotated configuration files are installed
+SYSCONFFILE=default.debian		#Name of the distributed file to be installed in $SYSCONFDIR
+SERVICEFILE=$PRODUCT.service.debian	#Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
+SYSCONFDIR=/etc/default			#Directory where SysV init parameter files are installed
+SERVICEDIR=/lib/systemd/system		#Directory where .service files are installed (systems running systemd only)
+SPARSE=Yes				#If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
+VARLIB=/var/lib				#Directory where product variable data is stored.
+VARDIR=${VARLIB}/$PRODUCT		#Directory where product variable data is stored.

Shorewall-core/shorewallrc.debian.sysvinit

@@ -15,9 +15,9 @@ INITFILE=$PRODUCT                       #Name of the product's installed SysV in
 INITSOURCE=init.debian.sh               #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                              #If non-zero, annotated configuration files are installed
 SYSCONFFILE=default.debian              #Name of the distributed file to be installed in $SYSCONFDIR
-SERVICEFILE=                      	#Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
+SERVICEFILE=				#Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFDIR=/etc/default                 #Directory where SysV init parameter files are installed
-SERVICEDIR=                             #Directory where .service files are installed (systems running systemd only)
+SERVICEDIR=				#Directory where .service files are installed (systems running systemd only)
 SPARSE=Yes                              #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                         #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.

Shorewall-init/shorewall-init.service

@@ -6,7 +6,6 @@
 [Unit]
 Description=Shorewall firewall (bootup security)
 Before=network.target
-Conflicts=iptables.service ip6tables.service firewalld.service
 
 [Service]
 Type=oneshot

Shorewall-init/shorewall-init.service.214

@@ -7,7 +7,6 @@
 Description=Shorewall firewall (bootup security)
 Before=network-pre.target
 Wants=network-pre.target
-Conflicts=iptables.service firewalld.service
 
 [Service]
 Type=oneshot

Shorewall-init/shorewall-init.service.214.debian

@@ -0,0 +1,21 @@
+#
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
+#
+#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
+#     Copyright 2015 Tom Eastep <teastep@shorewall.net>
+#
+[Unit]
+Description=Shorewall firewall (bootup security)
+Before=network-pre.target
+Wants=network-pre.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=-/etc/default/shorewall-init
+StandardOutput=syslog
+ExecStart=/sbin/shorewall-init start
+ExecStop=/sbin/shorewall-init stop
+
+[Install]
+WantedBy=basic.target

Shorewall-init/shorewall-init.service.debian

@@ -0,0 +1,21 @@
+#
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
+#
+#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
+#     Copyright 2015 Tom Eastep <teastep@shorewall.net>
+#
+[Unit]
+Description=Shorewall firewall (bootup security)
+Wants=network.target
+Before=network.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=-/etc/default/shorewall-init
+StandardOutput=syslog
+ExecStart=/sbin/shorewall-init start
+ExecStop=/sbin/shorewall-init stop
+
+[Install]
+WantedBy=basic.target

Shorewall-lite/shorewall-lite.service.debian

@@ -0,0 +1,22 @@
+#
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
+#
+#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
+#     Copyright 2015 Tom Eastep <teastep@shorewall.net>
+#
+[Unit]
+Description=Shorewall IPv4 firewall (lite)
+Wants=network-online.target
+After=network-online.target
+Conflicts=iptables.service firewalld.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=-/etc/default/shorewall-lite
+StandardOutput=syslog
+ExecStart=/sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
+ExecStop=/sbin/shorewall-lite $OPTIONS stop
+
+[Install]
+WantedBy=basic.target

Shorewall/Macros/macro.Tinc

@@ -9,3 +9,4 @@
 #ACTION SOURCE  DEST    PROTO   DEST    SOURCE  RATE    USER/
 #                               PORT(S) PORT(S) LIMIT   GROUP
 PARAM   -       -       udp     655
+PARAM   -       -       tcp     655

Shorewall/Perl/Shorewall/Accounting.pm

@@ -521,9 +521,9 @@ sub setup_accounting() {
 
 		while ( $chainswithjumps && $progress ) {
 		    $progress = 0;
-		    for my $chain1 (  keys %accountingjumps ) {
+		    for my $chain1 ( sort  keys %accountingjumps ) {
 			if ( keys %{$accountingjumps{$chain1}} ) {
-			    for my $chain2 ( keys %{$accountingjumps{$chain1}} ) {
+			    for my $chain2 ( sort keys %{$accountingjumps{$chain1}} ) {
 				delete $accountingjumps{$chain1}{$chain2}, $progress = 1 unless $accountingjumps{$chain2};
 			    }
 			} else {

Shorewall/Perl/Shorewall/Chains.pm

@@ -1162,7 +1162,7 @@ sub merge_rules( $$$ ) {
 	}
     }
 
-    for my $option ( grep ! $opttype{$_} || $_ eq 'nfacct' || $_ eq 'recent', keys %$fromref ) {
+    for my $option ( grep ! $opttype{$_} || $_ eq 'nfacct' || $_ eq 'recent', sort { $b cmp $a } keys %$fromref ) {
 	set_rule_option( $toref, $option, $fromref->{$option} );
     }
 
@@ -1178,7 +1178,7 @@ sub merge_rules( $$$ ) {
 
     set_rule_option( $toref, 'policy', $fromref->{policy} ) if exists $fromref->{policy};
 
-    for my $option ( grep( get_opttype( $_, 0 ) == EXPENSIVE, keys %$fromref ) ) {
+    for my $option ( grep( get_opttype( $_, 0 ) == EXPENSIVE, sort keys %$fromref ) ) {
 	set_rule_option( $toref, $option, $fromref->{$option} );
     }
 
@@ -3256,7 +3256,7 @@ sub optimize_level4( $$ ) {
 	$progress = 0;
 	$passes++;
 
-	my @chains  = grep $_->{referenced}, values %$tableref;
+	my @chains  = grep $_->{referenced}, sort { $a->{name} cmp $b->{name} } values %$tableref;
 	my $chains  = @chains;
 
 	progress_message "\n Table $table pass $passes, $chains referenced chains, level 4a...";
@@ -3577,7 +3577,7 @@ sub optimize_level8( $$$ ) {
 	}
 
 	if ( $progress ) {
-	    my @rename = keys %rename;
+	    my @rename = sort keys %rename;
 	    #
 	    # First create aliases for each renamed chain and change the {name} member.
 	    #
@@ -4855,7 +4855,7 @@ sub validate_mark( $ ) {
 
 sub verify_small_mark( $ ) {
     my $val = validate_mark ( (my $mark) = $_[0] );
-    fatal_error "Mark value ($mark) too large" if numeric_value( $mark ) > $globals{TC_MAX};
+    fatal_error "Mark value ($mark) too large" if numeric_value( $mark ) > $globals{SMALL_MASK};
     $val;
 }
 
@@ -6816,48 +6816,55 @@ sub set_global_variables( $$ ) {
     my ( $setall, $conditional ) = @_;
 
     if ( $conditional ) {
-	my ( $interface, $code );
+	my ( $interface, @interfaces );
 
-	while ( ( $interface, $code ) = each %interfaceaddr ) {
-	    emit( qq([ -z "\$interface" -o "\$interface" = "$interface" ] && $code) );
+	@interfaces = sort keys %interfaceaddr;
+
+	for $interface ( @interfaces ) {
+	    emit( qq([ -z "\$interface" -o "\$interface" = "$interface" ] && $interfaceaddr{$interface}) );
 	}
 
-	while ( ( $interface, $code ) = each %interfacegateways ) {
+	@interfaces = sort keys %interfacegateways;
+
+	for $interface ( @interfaces ) {
 	    emit( qq(if [ -z "\$interface" -o "\$interface" = "$interface" ]; then) );
 	    push_indent;
-	    emit( $code );
+	    emit( $interfacegateways{$interface} );
 	    pop_indent;
 	    emit( qq(fi\n) );
 	}
 
-	while ( ( $interface, $code ) = each %interfacemacs ) {
-	    emit( qq([ -z "\$interface" -o "\$interface" = "$interface" ] && $code) );
+	@interfaces = sort keys %interfacemacs;
+
+	for $interface ( @interfaces ) {
+	    emit( qq([ -z "\$interface" -o "\$interface" = "$interface" ] && $interfacemacs{$interface}) );
 	}
     } else {
-	emit $_     for values %interfaceaddr;
-	emit "$_\n" for values %interfacegateways;
-	emit $_     for values %interfacemacs;
+	emit $_     for sort values %interfaceaddr;
+	emit "$_\n" for sort values %interfacegateways;
+	emit $_     for sort values %interfacemacs;
     }
 
     if ( $setall ) {
-	emit $_ for values %interfaceaddrs;
-	emit $_ for values %interfacenets;
+	emit $_ for sort values %interfaceaddrs;
+	emit $_ for sort values %interfacenets;
 
 	unless ( have_capability( 'ADDRTYPE' ) ) {
 
 	    if ( $family == F_IPV4 ) {
 		emit 'ALL_BCASTS="$(get_all_bcasts) 255.255.255.255"';
-		emit $_ for values %interfacebcasts;
+		emit $_ for sort values %interfacebcasts;
 	    } else {
 		emit 'ALL_ACASTS="$(get_all_acasts)"';
-		emit $_ for values %interfaceacasts;
+		emit $_ for sort values %interfaceacasts;
 	    }
 	}
     }
 }
 
 sub verify_address_variables() {
-    while ( my ( $variable, $type ) = ( each %address_variables ) ) {
+    for my $variable ( sort keys %address_variables ) {
+	my $type = $address_variables{$variable};
 	my $address = "\$$variable";
 
 	if ( $type eq '&' ) {
@@ -7697,7 +7704,7 @@ sub add_interface_options( $ ) {
 	#
 	# Generate a digest for each chain
 	#
-	for my $chainref ( values %input_chains, values %forward_chains ) {
+	for my $chainref ( sort { $a->{name} cmp $b->{name} } values %input_chains, values %forward_chains ) {
 	    my $digest = '';
 
 	    assert( $chainref );
@@ -7716,7 +7723,7 @@ sub add_interface_options( $ ) {
 	# Insert jumps to the interface chains into the rules chains
 	#
 	for my $zone1 ( off_firewall_zones ) {
-	    my @input_interfaces   = keys %{zone_interfaces( $zone1 )};
+	    my @input_interfaces   = sort keys %{zone_interfaces( $zone1 )};
 	    my @forward_interfaces = @input_interfaces;
 
 	    if ( @input_interfaces > 1 ) {
@@ -7798,7 +7805,7 @@ sub add_interface_options( $ ) {
 	for my $zone1 ( firewall_zone, vserver_zones ) {
 	    for my $zone2 ( off_firewall_zones ) {
 		my $chainref = $filter_table->{rules_chain( $zone1, $zone2 )};
-		my @interfaces = keys %{zone_interfaces( $zone2 )};
+		my @interfaces = sort keys %{zone_interfaces( $zone2 )};
 		my $chain1ref;
 
 		for my $interface ( @interfaces ) {
@@ -8267,7 +8274,7 @@ sub load_ipsets() {
 #
 sub create_nfobjects() {
     
-    my @objects = ( keys %nfobjects );
+    my @objects = ( sort keys %nfobjects );
 
     if ( @objects ) {
 	if ( $config{NFACCT} ) {
@@ -8282,7 +8289,7 @@ sub create_nfobjects() {
 	}
     }
 
-    for ( keys %nfobjects ) {
+    for ( sort keys %nfobjects ) {
 	emit( qq(if ! qt \$NFACCT get $_; then),
 	      qq(    \$NFACCT add $_),
 	      qq(fi\n) );
@@ -8700,7 +8707,8 @@ sub initialize_switches() {
     if ( keys %switches ) {
 	emit( 'if [ $COMMAND = start ]; then' );
 	push_indent;
-	while ( my ( $switch, $setting ) = each %switches ) {
+	for my $switch ( sort keys %switches ) {
+	    my $setting = $switches{$switch};
 	    my $file = "/proc/net/nf_condition/$switch";
 	    emit "[ -f $file ] && echo $setting->{setting} > $file";
 	}

Shorewall/Perl/Shorewall/Compiler.pm

@@ -592,8 +592,8 @@ EOF
 #
 sub compiler {
 
-    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $convert, $config_path, $shorewallrc                      , $shorewallrc1 , $directives, $inline, $tcrules ) =
-       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0,        0,         0,        0,        , 0       , ''          , '/usr/share/shorewall/shorewallrc', ''            , 0 ,          0 ,      0 );
+    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $convert, $config_path, $shorewallrc                      , $shorewallrc1 , $directives, $inline, $tcrules, $routestopped , $notrack ) =
+       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0,        0,         0,        0,        , 0       , ''          , '/usr/share/shorewall/shorewallrc', ''            , 0 ,          0 ,      0 ,       0 ,             0 );
 
     $export         = 0;
     $test           = 0;
@@ -634,6 +634,8 @@ sub compiler {
 		  inline        => { store => \$inline,        validate=> \&validate_boolean    } ,
 		  directives    => { store => \$directives,    validate=> \&validate_boolean    } ,
 		  tcrules       => { store => \$tcrules,       validate=> \&validate_boolean    } ,
+		  routestopped  => { store => \$routestopped,  validate=> \&validate_boolean    } ,
+		  notrack       => { store => \$notrack,       validate=> \&validate_boolean    } ,
 		  config_path   => { store => \$config_path } ,
 		  shorewallrc   => { store => \$shorewallrc } ,
 		  shorewallrc1  => { store => \$shorewallrc1 } ,
@@ -737,7 +739,7 @@ sub compiler {
     #
     # Do all of the zone-independent stuff (mostly /proc)
     #
-    add_common_rules( $convert, $tcrules );
+    add_common_rules( $convert, $tcrules , $routestopped );
     #
     # More /proc
     #
@@ -844,7 +846,7 @@ sub compiler {
     #
     # Process the conntrack file
     #
-    setup_conntrack;
+    setup_conntrack( $notrack );
     #
     # Add Tunnel rules.
     #
@@ -911,7 +913,7 @@ sub compiler {
 	#                           S T O P _ F I R E W A L L
 	#         (Writes the stop_firewall() function to the compiled script)
 	#
-	compile_stop_firewall( $test, $export , $have_arptables );
+	compile_stop_firewall( $test, $export , $have_arptables, $routestopped );
 	#
 	#                               U P D O W N
 	#               (Writes the updown() function to the compiled script)
@@ -976,14 +978,15 @@ sub compiler {
 	initialize_chain_table(0);
 
 	if ( $debug ) {
-	    compile_stop_firewall( $test, $export, $have_arptables );
+	    compile_stop_firewall( $test, $export, $have_arptables, $routestopped );
 	    disable_script;
 	} else {
 	    #
-	    # compile_stop_firewall() also validates the routestopped file. Since we don't
-	    # call that function during normal 'check', we must validate routestopped here.
+	    # compile_stop_firewall() also validates the stoppedrules file. Since we don't
+	    # call that function during normal 'check', we must validate stoppedrules here.
 	    #
-	    process_routestopped unless process_stoppedrules;
+	    convert_routestopped if $routestopped;
+	    process_stoppedrules;
 	}
 	#
 	# Report used/required capabilities

Shorewall/Perl/Shorewall/Config.pm

@@ -124,6 +124,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       set_shorewall_dir
 				       set_debug
 				       find_file
+				       find_writable_file
 				       split_list
 				       split_list1
 				       split_list2
@@ -618,6 +619,8 @@ our %deprecated = ( LOGRATE            => '' ,
 our %converted = ( WIDE_TC_MARKS => 1,
 		   HIGH_ROUTE_MARKS => 1,
 		   BLACKLISTNEWONLY => 1,
+		   LOGRATE => 1,
+		   LOGBURST => 1,
 		 );
 #
 # Variables involved in ?IF, ?ELSE ?ENDIF processing
@@ -1867,6 +1870,20 @@ sub find_file($)
     "$config_path[0]$filename";
 }
 
+sub find_writable_file($) {
+    my ( $filename, $nosearch ) = @_;
+
+    return $filename if $filename =~ '/';
+
+    for my $directory ( @config_path ) {
+	next if $directory =~ m|^$globals{SHAREDIR}/configfiles/?$| || $directory =~ m|^$shorewallrc{SHAREDIR}/doc/default-config/?$|;
+	my $file = "$directory$filename";
+	return $file if -f $file && -w _;
+    }
+
+    "$config_path[0]$filename";
+}
+
 #
 # Split a comma-separated list into a Perl array
 #
@@ -2143,7 +2160,7 @@ sub split_line2( $$;$$$ ) {
 	    #
 	    # This file supports INLINE or IPTABLES
 	    #
-	    if ( $currentline =~ /^\s*INLINE(?:\(.*\)|:.*)?\s/ || $currentline =~ /^\s*IP6?TABLES(?:\(.*\)|:.*)?\s/ ) {
+	    if ( $currentline =~ /^\s*INLINE(?:\(.*\)(:.*)?|:.*)?\s/ || $currentline =~ /^\s*IP6?TABLES(?:\(.*\)|:.*)?\s/ ) {
 		$inline_matches = $pairs;
 
 		if ( $columns =~ /^(\s*|.*[^&@%]){(.*)}\s*$/ ) {
@@ -4805,6 +4822,12 @@ sub conditional_quote( $ ) {
 #
 # Update the shorewall[6].conf file. Save the current file with a .bak suffix.
 #
+sub update_default($$) {
+    my ( $var, $val ) = @_;
+
+    $config{$var} = $val unless defined $config{$var};
+}
+
 sub update_config_file( $$ ) {
     my ( $annotate, $directives ) = @_;
 
@@ -4824,6 +4847,45 @@ sub update_config_file( $$ ) {
     $config{PROVIDER_OFFSET} = ( $high ? $wide ? 16 : 8 : 0 ) unless defined $config{PROVIDER_OFFSET};
     $config{PROVIDER_BITS}   = 8                              unless defined $config{PROVIDER_BITS};
 
+    unless ( supplied $config{LOGLIMIT} ) {
+	if ( $config{LOGRATE} || $config{LOGBURST} ) {
+	    my $limit;
+
+	    if ( supplied $config{LOGRATE} ) {
+		fatal_error"Invalid LOGRATE ($config{LOGRATE})" unless $config{LOGRATE}  =~ /^\d+\/(second|minute)$/;
+		$limit = $config{LOGRATE};
+	    }
+
+	    if ( supplied $config{LOGBURST} ) {
+		fatal_error"Invalid LOGBURST ($config{LOGBURST})" unless $config{LOGBURST} =~ /^\d+$/;
+		$limit .= ":$config{LOGBURST}";
+	    }
+
+	    $config{LOGLIMIT} = $limit;
+
+	    $config{LOGRATE} = $config{LOGBURST} = undef;
+	}
+    }
+
+    unless ( supplied $config{BLACKLIST} ) {
+	if ( $config{BLACKLISTNEWONLY} ) {
+	    default_yes_no 'BLACKLISTNEWONLY'           , '';
+
+	    if ( have_capability 'RAW_TABLE' ) {
+		$globals{BLACKLIST_STATES} = $config{BLACKLISTNEWONLY} ? 'NEW,INVALID,UNTRACKED' : 'NEW,ESTABLISHED,INVALID,UNTRACKED';
+	    } else {
+		$globals{BLACKLIST_STATES} = $config{BLACKLISTNEWONLY} ? 'NEW,INVALID' : 'NEW,ESTABLISHED,INVALID';
+	    }
+
+	    $config{BLACKLIST} = $globals{BLACKLIST_STATES};
+
+	    $config{BLACKLISTNEWONLY} = undef;
+	}
+    }
+
+    update_default( 'USE_DEFAULT_RT', 'No' );
+    update_default( 'EXPORTMODULES',  'No' );
+
     my $fn;
 
     unless ( -d "$globals{SHAREDIR}/configfiles/" ) {
@@ -4837,7 +4899,8 @@ sub update_config_file( $$ ) {
 	#
 	$fn = $annotate ? "$globals{SHAREDIR}/configfiles/${product}.conf.annotated" : "$globals{SHAREDIR}/configfiles/${product}.conf";
     }
-   if ( -f $fn ) {
+
+    if ( -f $fn ) {
 	my ( $template, $output );
 
 	open $template, '<' , $fn or fatal_error "Unable to open $fn: $!";
@@ -4925,8 +4988,12 @@ EOF
 	    }
 
 	    exit 0 unless ( $directives ||
-			    -f find_file 'blacklist' ||
-			    -f find_file 'tcrules' );
+			    -f find_file 'blacklist'    ||
+			    -f find_file 'tcrules'      ||
+			    -f find_file 'routestopped' ||
+			    -f find_file 'notrack'      ||
+			    -f find_file 'tos'
+			  );
 	}
     } else {
 	fatal_error "$fn does not exist";
@@ -5038,56 +5105,41 @@ sub read_capabilities() {
 }
 
 #
-# Get the system's capabilities, either by probing or by reading a capabilities file
+# Get the system's capabilities by probing
 #
-sub get_capabilities( $ ) 
+sub get_capabilities($) 
 {
-    my $export = $_[0];
+    $iptables = $config{$toolNAME};
 
-    if ( ! $export && $> == 0 ) { # $> == $EUID
-	$iptables = $config{$toolNAME};
-
-	if ( $iptables ) {
-	    fatal_error "$toolNAME=$iptables does not exist or is not executable" unless -x $iptables;
-	} else {
-	    fatal_error "Can't find $toolname executable" unless $iptables = which $toolname;
-	}
-	#
-	# Determine if iptables supports the -w option
-	#
-	$iptablesw = qt1( "$iptables -w -L -n") ? '-w' : '';
-
-	my $iptables_restore=$iptables . '-restore';
-
-	fatal_error "$iptables_restore does not exist or is not executable" unless -x $iptables_restore;
-
-	$tc = $config{TC} || which 'tc';
-
-	if ( $tc ) {
-	    fatal_error "TC=$tc does not exist or is not executable" unless -x $tc;
-	}
-
-	$ip = $config{IP} || which 'ip';
-
-	if ( $ip ) {
-	    fatal_error "IP=$ip does not exist or is not executable" unless -x $ip;
-	}
-
-	load_kernel_modules;
-
-	if ( open_file 'capabilities' ) {
-	    read_capabilities;
-	} else {
-	    determine_capabilities;
-	}
+    if ( $iptables ) {
+	fatal_error "$toolNAME=$iptables does not exist or is not executable" unless -x $iptables;
     } else {
-	unless ( open_file 'capabilities' ) {
-	    fatal_error "The -e compiler option requires a capabilities file" if $export;
-	    fatal_error "Compiling under non-root uid requires a capabilities file";
-	}
-
-	read_capabilities;
+	fatal_error "Can't find $toolname executable" unless $iptables = which $toolname;
     }
+    #
+    # Determine if iptables supports the -w option
+    #
+    $iptablesw = qt1( "$iptables -w -L -n") ? '-w' : '';
+
+    my $iptables_restore=$iptables . '-restore';
+
+    fatal_error "$iptables_restore does not exist or is not executable" unless -x $iptables_restore;
+
+    $tc = $config{TC} || which 'tc';
+
+    if ( $tc ) {
+	fatal_error "TC=$tc does not exist or is not executable" unless -x $tc;
+    }
+
+    $ip = $config{IP} || which 'ip';
+
+    if ( $ip ) {
+	fatal_error "IP=$ip does not exist or is not executable" unless -x $ip;
+    }
+
+    load_kernel_modules;
+
+    determine_capabilities unless $_[0];
 }
 
 #
@@ -5326,7 +5378,7 @@ sub convert_to_directives() {
 
     my $dirtest = qr|^$sharedir/+shorewall6?(?:/.*)?$|;
 
-    progress_message3 "Converting 'FORMAT' and 'COMMENT' lines to compiler directives...";
+    progress_message3 "Converting 'FORMAT', 'SECTION' and 'COMMENT' lines to compiler directives...";
 
     for my $dir ( @path ) {
 	unless ( $dir =~ /$dirtest/ ) {
@@ -5361,6 +5413,7 @@ EOF
 				if ( system( "diff -q $file ${file}.bak > /dev/null" ) ) {
 				    progress_message3 "   File $file updated - old file renamed ${file}.bak";
 				} elsif ( rename "${file}.bak" , $file ) {
+				    progress_message "   File $file not updated -- no bare 'COMMENT', 'SECTION' or 'FORMAT' lines found";
 				    progress_message "   File $file not updated -- no bare 'COMMENT' or 'FORMAT' lines found";
 				} else {
 				    warning message "Unable to rename ${file}.bak to $file:$!";
@@ -5408,6 +5461,28 @@ sub get_configuration( $$$$$ ) {
 	$ENV{PATH} = $default_path;
     }
 
+    my $have_capabilities;
+
+    if ( $export || $> != 0 ) {
+	#
+	# Compiling for export or user not root -- must use a capabilties file
+	# We read it before processing the .conf file so that 'update' has
+	# the capabilities.
+	#
+	unless ( open_file 'capabilities' ) {
+	    fatal_error "The -e compiler option requires a capabilities file" if $export;
+	    fatal_error "Compiling under non-root uid requires a capabilities file";
+	}
+
+	read_capabilities;
+
+	$have_capabilities = 1;
+    } elsif ( open_file 'capabilities' ) {
+	read_capabilities;
+
+	$have_capabilities = 1;
+    }
+
     get_params( $export );
 
     process_shorewall_conf( $update, $annotate, $directives );
@@ -5424,7 +5499,9 @@ sub get_configuration( $$$$$ ) {
     default 'MODULE_PREFIX', 'ko ko.gz o o.gz gz';
     default_yes_no 'LOAD_HELPERS_ONLY'          , 'Yes';
 
-    get_capabilities( $export );
+    if ( ! $export && $> == 0 ) {
+	get_capabilities($have_capabilities);
+    }
 
     my ( $val, $all );
 
@@ -5504,13 +5581,13 @@ sub get_configuration( $$$$$ ) {
 	    my $match = have_capability( 'OLD_HL_MATCH' ) ? 'hashlimit' : 'hashlimit-upto';
 	    my $units;
 
-	    if ( $rate =~ /^[sd]:((\d+)(\/(sec|min|hour|day))):(\d+)$/ ) {
+	    if ( $rate =~ /^[sd]:((\d+)(\/(sec|min|second|minute|hour|day))):(\d+)$/ ) {
 		fatal_error "Invalid rate ($1)" unless $2;
 		fatal_error "Invalid burst value ($5)" unless $5;
 
 		$limit .= "--$match $1 --hashlimit-burst $5 --hashlimit-name lograte --hashlimit-mode ";
 		$units = $4;
-	    } elsif ( $rate =~ /^[sd]:((\d+)(\/(sec|min|hour|day))?)$/ ) {
+	    } elsif ( $rate =~ /^[sd]:((\d+)(\/(sec|min|second|minute|hour|day))?)$/ ) {
 		fatal_error "Invalid rate ($1)" unless $2;
 		$limit .= "--$match $1 --hashlimit-name lograte --hashlimit-mode ";
 		$units = $4;
@@ -5530,11 +5607,11 @@ sub get_configuration( $$$$$ ) {
 
 		$limit .= "--hashlimit-htable-expire $expire ";
 	    }
-	} elsif ( $rate =~ /^((\d+)(\/(sec|min|hour|day))):(\d+)$/ ) {
+	} elsif ( $rate =~ /^((\d+)(\/(sec|min|second|minute|hour|day))):(\d+)$/ ) {
 	    fatal_error "Invalid rate ($1)" unless $2;
 	    fatal_error "Invalid burst value ($5)" unless $5;
 	    $limit = "-m limit --limit $1 --limit-burst $5 ";
-	} elsif ( $rate =~ /^(\d+)(\/(sec|min|hour|day))?$/ )  {
+	} elsif ( $rate =~ /^(\d+)(\/(sec|min|second|minute|hour|day))?$/ )  {
 	    fatal_error "Invalid rate (${1}${2})" unless $1;
 	    $limit = "-m limit --limit $rate ";
 	} else {
@@ -5600,7 +5677,9 @@ sub get_configuration( $$$$$ ) {
 	fatal_error "LOG_MARTIANS=On is not supported in IPv6" if $config{LOG_MARTIANS} eq 'on';
     }
 
-    default 'STARTUP_LOG'   , '';
+    default 'SHOREWALL_SHELL', '/bin/sh';
+
+    default 'STARTUP_LOG'    , '';
 
     if ( $config{STARTUP_LOG} ne '' ) {
 	if ( supplied $config{LOG_VERBOSITY} ) {
@@ -5823,6 +5902,10 @@ sub get_configuration( $$$$$ ) {
 	$globals{USER_MASK} = $globals{USER_BITS} = 0;
     }
 
+    $val = $config{PROVIDER_OFFSET};
+
+    $globals{SMALL_MASK} = $val ? make_mask( $val ) : $globals{TC_MASK}; 
+
     if ( supplied ( $val = $config{ZONE2ZONE} ) ) {
 	fatal_error "Invalid ZONE2ZONE value ( $val )" unless $val =~ /^[2-]$/;
     } else {

Shorewall/Perl/Shorewall/IPAddrs.pm

@@ -779,6 +779,18 @@ sub normalize_6addr( $ ) {
 sub validate_6range( $$ ) {
     my ( $low, $high ) = @_;
 
+    if ( $low =~ /^\[(.+)\]$/ ) {
+	$low = $1;
+    } elsif ( $low =~ /^\[(.+)\]\/(\d+)$/ ) {
+	$low = join( '/', $1, $2 );
+    }
+
+    if ( $high =~ /^\[(.+)\]$/ ) {
+	$high = $1;
+    } elsif ( $high =~ /^\[(.+)\]\/(\d+)$/ ) {
+	$high = join( '/', $1, $2 );
+    }
+
     validate_6address $low, 0;
     validate_6address $high, 0;
 

Shorewall/Perl/Shorewall/Misc.pm

@@ -44,6 +44,7 @@ our @EXPORT = qw( process_tos
 		  setup_mac_lists
 		  process_routestopped
 		  process_stoppedrules
+		  convert_routestopped
 		  compile_stop_firewall
 		  generate_matrix
 		  );
@@ -76,7 +77,7 @@ sub process_tos() {
 	my ( $pretosref, $outtosref );
 
 	first_entry( sub { progress_message2 "$doing $fn...";
-			   warning_message "Use of the tos file is deprecated in favor of the TOS target in tcrules";
+			   warning_message "Use of the tos file is deprecated in favor of the TOS target in the 'mangle' file";
 			   $pretosref = ensure_chain 'mangle' , $chain;
 			   $outtosref = ensure_chain 'mangle' , 'outtos';
 		       }
@@ -176,7 +177,7 @@ sub setup_ecn()
 	}
 
 	if ( @hosts ) {
-	    my @interfaces = ( keys %interfaces );
+	    my @interfaces = ( sort { interface_number($a) <=> interface_number($b) } keys %interfaces );
 
 	    progress_message "$doing ECN control on @interfaces...";
 
@@ -360,14 +361,16 @@ sub remove_blacklist( $ ) {
     while ( read_a_line( EMBEDDED_ENABLED | EXPAND_VARIABLES ) ) {
 	my ( $rule, $comment ) = split '#', $currentline, 2;
 
-	if ( $rule =~ /blacklist/ ) {
+	if ( $rule && $rule =~ /blacklist/ ) {
 	    $changed = 1;
 
 	    if ( $comment ) {
-		$comment =~ s/^/          / while $rule =~ s/blacklist,//;
+		$comment =~ s/^/          / while $rule =~ s/blacklist,// || $rule =~ s/,blacklist//;
 		$rule =~ s/blacklist/         /g;
 		$currentline = join( '#', $rule, $comment );
 	    } else {
+		$currentline =~ s/blacklist,//g;
+		$currentline =~ s/,blacklist//g;
 		$currentline =~ s/blacklist/         /g;
 	    }
 	}
@@ -385,25 +388,33 @@ sub remove_blacklist( $ ) {
 }
 
 #
-# Convert a pre-4.4.25 blacklist to a 4.4.25 blacklist
+# Convert a pre-4.4.25 blacklist to a 4.4.25 blrules file
 #
 sub convert_blacklist() {
     my $zones  = find_zones_by_option 'blacklist', 'in';
     my $zones1 = find_zones_by_option 'blacklist', 'out';
     my ( $level, $disposition ) = @config{'BLACKLIST_LOG_LEVEL', 'BLACKLIST_DISPOSITION' };
     my $audit       = $disposition =~ /^A_/;
-    my $target      = $disposition eq 'REJECT' ? 'reject' : $disposition;
+    my $target      = $disposition;
     my $orig_target = $target;
     my @rules;
 
     if ( @$zones || @$zones1 ) {
-	if ( supplied $level ) {
-	    $target = 'blacklog';
-	} elsif ( $audit ) {
-	    $target = verify_audit( $disposition );
-	}
+	$target = "$target:$level" if supplied $level;
 
-	my $fn = open_file 'blacklist';
+	my $fn = open_file( 'blacklist' );
+
+	unless ( $fn ) {
+	    if ( -f ( $fn = find_file( 'blacklist' ) ) ) {
+		if ( unlink( $fn ) ) {
+		    warning_message "Empty blacklist file ($fn) removed";
+		} else {
+		    warning_message "Unable to remove empty blacklist file $fn: $!";
+		}
+	    }
+
+	    return 0;
+	}
 
 	first_entry "Converting $fn...";
 
@@ -439,8 +450,6 @@ sub convert_blacklist() {
 		} else {
 		    warning_message "Duplicate 'audit' option ignored" if $auditone > 1;
 		}
-
-		$tgt = verify_audit( 'A_' . $target, $orig_target, $target );
 	    }
 
 	    for ( @options ) {
@@ -471,7 +480,7 @@ sub convert_blacklist() {
 	}
 
 	if ( @rules ) {
-	    my $fn1 = find_file( 'blrules' );
+	    my $fn1 = find_writable_file( 'blrules' );
 	    my $blrules;
 	    my $date = localtime;
 
@@ -682,6 +691,163 @@ sub process_routestopped() {
     }
 }
 
+sub convert_routestopped() {
+
+    if ( my $fn = open_file 'routestopped' ) {
+	my ( @allhosts, %source, %dest , %notrack, @rule );
+
+	my $seq  = 0;
+	my $date = localtime;
+
+	my ( $stoppedrules, $fn1 );
+
+	if ( -f ( $fn1 = find_writable_file( 'stoppedrules' ) ) ) {
+	    open $stoppedrules, '>>', $fn1 or fatal_error "Unable to open $fn1: $!";
+	} else {
+	    open $stoppedrules, '>',  $fn1 or fatal_error "Unable to open $fn1: $!";
+	    print $stoppedrules <<'EOF';
+#
+# Shorewall version 4 - Stopped Rules File
+#
+# For information about entries in this file, type "man shorewall-stoppedrules"
+#
+# The manpage is also online at
+# http://www.shorewall.net/manpages/shorewall-stoppedrules.html
+#
+# See http://shorewall.net/starting_and_stopping_shorewall.htm for additional
+# information.
+#
+###############################################################################
+#ACTION		SOURCE			DEST		PROTO	DEST	SOURCE
+#								PORT(S)	PORT(S)
+EOF
+	}
+
+	first_entry(
+		    sub {
+			my $date = localtime;
+			progress_message2 "$doing $fn...";
+			print( $stoppedrules
+			       "#\n" ,
+			       "# Rules generated from routestopped file $fn by Shorewall $globals{VERSION} - $date\n" ,
+			       "#\n" );
+		    }
+		   );
+
+	while ( read_a_line ( NORMAL_READ ) ) {
+
+	    my ($interface, $hosts, $options , $proto, $ports, $sports ) =
+		split_line( 'routestopped file',
+			    { interface => 0, hosts => 1, options => 2, proto => 3, dport => 4, sport => 5 } );
+
+	    my $interfaceref;
+
+	    fatal_error 'INTERFACE must be specified' if $interface eq '-';
+	    fatal_error "Unknown interface ($interface)" unless $interfaceref = known_interface $interface;
+	    $hosts = ALLIP unless $hosts && $hosts ne '-';
+
+	    my $routeback = 0;
+
+	    my @hosts;
+
+	    $seq++;
+
+	    my $rule = "$proto\t$ports\t$sports";
+
+	    $hosts = ALLIP if $hosts eq '-';
+
+	    for my $host ( split /,/, $hosts ) {
+		fatal_error "Ipsets not allowed with SAVE_IPSETS=Yes" if $host =~ /^!?\+/ && $config{SAVE_IPSETS};
+		validate_host $host, 1;
+		push @hosts, "$interface|$host|$seq";
+		push @rule, $rule;
+	    }
+
+
+	    unless ( $options eq '-' ) {
+		for my $option (split /,/, $options ) {
+		    if ( $option eq 'routeback' ) {
+			if ( $routeback ) {
+			    warning_message "Duplicate 'routeback' option ignored";
+			} else {
+			    $routeback = 1;
+			}
+		    } elsif ( $option eq 'source' ) {
+			for my $host ( split /,/, $hosts ) {
+			    $source{"$interface|$host|$seq"} = 1;
+			}
+		    } elsif ( $option eq 'dest' ) {
+			for my $host ( split /,/, $hosts ) {
+			    $dest{"$interface|$host|$seq"} = 1;
+			}
+		    } elsif ( $option eq 'notrack' ) {
+			for my $host ( split /,/, $hosts ) {
+			    $notrack{"$interface|$host|$seq"} = 1;
+			}
+		    } else {
+			warning_message "Unknown routestopped option ( $option ) ignored" unless $option eq 'critical';
+			warning_message "The 'critical' option is no longer supported (or needed)";
+		    }
+		}
+	    }
+
+	    if ( $routeback || $interfaceref->{options}{routeback} ) {
+		my $chainref = $filter_table->{FORWARD};
+
+		for my $host ( split /,/, $hosts ) {
+		    print $stoppedrules "ACCEPT\t$interface:$host\t$interface:$host\n";
+		}
+	    }
+
+	    push @allhosts, @hosts;
+	}
+
+	for my $host ( @allhosts ) {
+	    my ( $interface, $h, $seq ) = split /\|/, $host;
+	    my $rule = shift @rule;
+
+	    print $stoppedrules "ACCEPT\t$interface:$h\t\$FW\t$rule\n";
+	    print $stoppedrules "ACCEPT\t\$FW\t$interface:$h\t$rule\n" unless $config{ADMINISABSENTMINDED};
+
+	    my $matched = 0;
+
+	    if ( $source{$host} ) {
+		print $stoppedrules "ACCEPT\t$interface:$h\t-\t$rule\n";
+		$matched = 1;
+	    }
+
+	    if ( $dest{$host} ) {
+		print $stoppedrules "ACCEPT\t-\t$interface:$h\t$rule\n";
+		$matched = 1;
+	    }
+
+	    if ( $notrack{$host} ) {
+		print $stoppedrules "NOTRACK\t$interface:$h\t-\t$rule\n";
+		print $stoppedrules "NOTRACK\t\$FW\t$interface:$h\t$rule\n";
+	    }
+
+	    unless ( $matched ) {
+		for my $host1 ( @allhosts ) {
+		    unless ( $host eq $host1 ) {
+			my ( $interface1, $h1 , $seq1 ) = split /\|/, $host1;
+			print $stoppedrules "ACCEPT\t$interface:$h\t$interface1:$h1\t$rule\n";
+		    }
+		}
+	    }
+	}
+
+	rename $fn, "$fn.bak";
+	progress_message2 "Routestopped file $fn saved in $fn.bak";
+	close $stoppedrules;
+    } elsif ( -f ( my $fn1 = find_file( 'routestopped' ) ) ) {
+	if ( unlink( $fn1 ) ) {
+	    warning_message "Empty routestopped file ($fn1) removed";
+	} else {
+	    warning_message "Unable to remove empty routestopped file $fn1: $!";
+	}
+    }
+}
+
 #
 # Process the stoppedrules file. Returns true if the file was non-empty.
 #
@@ -774,8 +940,8 @@ sub process_stoppedrules() {
 
 sub setup_mss();
 
-sub add_common_rules ( $$ ) {
-    my ( $upgrade_blacklist, $upgrade_tcrules ) = @_;
+sub add_common_rules ( $$$ ) {
+    my ( $upgrade_blacklist, $upgrade_tcrules , $upgrade_routestopped ) = @_;
     my $interface;
     my $chainref;
     my $target;
@@ -946,7 +1112,7 @@ sub add_common_rules ( $$ ) {
     run_user_exit1 'initdone';
 
     if ( $upgrade_blacklist ) {
-	exit 0 unless convert_blacklist || $upgrade_tcrules;
+	exit 0 unless convert_blacklist || $upgrade_tcrules || $upgrade_routestopped;
     } else {
 	setup_blacklist;
     }
@@ -1535,7 +1701,7 @@ sub handle_loopback_traffic() {
 	    # Handle conntrack rules
 	    #
 	    if ( $notrackref->{referenced} ) {
-		for my $hostref ( @{defined_zone( $z1 )->{hosts}{ip}{'%vserver%'}} ) {
+		for my $hostref ( sort { $a->{type} cmp $b->{type} } @{defined_zone( $z1 )->{hosts}{ip}{'%vserver%'}} ) {
 		    my $exclusion   = source_exclusion( $hostref->{exclusions}, $notrackref);
 		    my @ipsec_match = match_ipsec_in $z1 , $hostref;
 
@@ -1556,8 +1722,8 @@ sub handle_loopback_traffic() {
 	    #
 	    my $source_hosts_ref = defined_zone( $z1 )->{hosts};
 
-	    for my $typeref ( values %{$source_hosts_ref} ) {
-		for my $hostref ( @{$typeref->{'%vserver%'}} ) {
+	    for my $typeref ( sort { $a->{type} cmp $b->{type} } values %{$source_hosts_ref} ) {
+		for my $hostref ( sort { $a->{type} cmp $b->{type} } @{$typeref->{'%vserver%'}} ) {
 		    my $exclusion   = source_exclusion( $hostref->{exclusions}, $natref);
 
 		    for my $net ( @{$hostref->{hosts}} ) {
@@ -1579,7 +1745,7 @@ sub add_interface_jumps {
     our %input_jump_added;
     our %output_jump_added;
     our %forward_jump_added;
-    my @interfaces = grep $_ ne '%vserver%', @_;
+    my @interfaces = sort grep $_ ne '%vserver%', @_;
     my $dummy;
     my $lo_jump_added = interface_zone( loopback_interface ) && ! get_interface_option( loopback_interface, 'destonly' );
     #
@@ -1826,7 +1992,7 @@ sub add_output_jumps( $$$$$$$ ) {
     our @vservers;
     our %output_jump_added;
 
-    my $chain1            = rules_target firewall_zone , $zone;
+    my $chain1            = rules_target( firewall_zone , $zone );
     my $chain1ref         = $filter_table->{$chain1};
     my $nextchain         = dest_exclusion( $exclusions, $chain1 );
     my $outputref;
@@ -2200,7 +2366,8 @@ sub generate_matrix() {
 	#
 	# Take care of PREROUTING, INPUT and OUTPUT jumps
 	#
-	for my $typeref ( values %$source_hosts_ref ) {
+	for my $type ( sort keys %$source_hosts_ref ) {
+	    my $typeref = $source_hosts_ref->{$type};
 	    for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) {
 		if ( get_physical( $interface ) eq '+' ) {
 		    #
@@ -2273,7 +2440,6 @@ sub generate_matrix() {
 		my $chain = rules_target $zone, $zone1;
 
 		next unless $chain; # CONTINUE policy with no rules
-
 		my $num_ifaces = 0;
 
 		if ( $zone eq $zone1 ) {
@@ -2285,8 +2451,9 @@ sub generate_matrix() {
 		}
 
 		my $chainref = $filter_table->{$chain}; #Will be null if $chain is a Netfilter Built-in target like ACCEPT
-		
-		for my $typeref ( values %{$zone1ref->{hosts}} ) {
+
+		for my $type ( sort keys %{$zone1ref->{hosts}} ) {
+		    my $typeref = $zone1ref->{hosts}{$type};
 		    for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) {
 			for my $hostref ( @{$typeref->{$interface}} ) {
 			    next if $hostref->{options}{sourceonly};
@@ -2407,8 +2574,8 @@ sub setup_mss( ) {
 #
 # Compile the stop_firewall() function
 #
-sub compile_stop_firewall( $$$ ) {
-    my ( $test, $export, $have_arptables ) = @_;
+sub compile_stop_firewall( $$$$ ) {
+    my ( $test, $export, $have_arptables, $routestopped ) = @_;
 
     my $input   = $filter_table->{INPUT};
     my $output  = $filter_table->{OUTPUT};
@@ -2597,7 +2764,12 @@ EOF
 	}
     }
 
-    process_routestopped unless process_stoppedrules;
+    if ( $routestopped ) {
+	convert_routestopped;
+	process_stoppedrules;
+    } else {
+	process_routestopped unless process_stoppedrules;
+    }
 
     if ( have_capability 'IFACE_MATCH' ) {
 	add_ijump $input,  j => 'ACCEPT', iface => '--dev-in --loopback';

Shorewall/Perl/Shorewall/Nat.pm

@@ -80,7 +80,7 @@ sub process_one_masq1( $$$$$$$$$$ )
     if ( $interfacelist =~ /^INLINE\((.+)\)$/ ) {
 	$interfacelist = $1;
 	$inlinematches = get_inline_matches(0);
-    } elsif ( $config{INLINE_MATCHES} ) {
+    } else {
 	$inlinematches = get_inline_matches(0);
     }	
     #

Shorewall/Perl/Shorewall/Providers.pm

@@ -60,7 +60,6 @@ our @routemarked_providers;
 our %routemarked_interfaces;
 our @routemarked_interfaces;
 our %provider_interfaces;
-our @load_providers;
 our @load_interfaces;
 
 our $balancing;
@@ -98,7 +97,6 @@ sub initialize( $ ) {
     %routemarked_interfaces = ();
     @routemarked_interfaces = ();
     %provider_interfaces    = ();
-    @load_providers         = ();
     @load_interfaces        = ();
     $balancing              = 0;
     $fallback               = 0;
@@ -374,7 +372,7 @@ sub start_provider( $$$$$ ) {
 
     emit "\n#\n# Add $what $table ($number)\n#";
 
-    if ( $number ) {
+    if ( $number >= 0 ) {
 	emit "start_provider_$table() {";
     } else {
 	emit "start_interface_$table() {";
@@ -384,7 +382,7 @@ sub start_provider( $$$$$ ) {
     emit $test;
     push_indent;
 
-    if ( $number ) {
+    if ( $number >= 0 ) {
 	emit "qt ip -$family route flush table $id";
 	emit "echo \"\$IP -$family route flush table $id > /dev/null 2>&1\" > \${VARDIR}/undo_${table}_routing";
     } else {
@@ -846,12 +844,12 @@ CEOF
 
 	if ( $hostroute ) {
 	    if ( $family == F_IPV4 ) {
-		emit "run_ip route replace $gateway src $address dev $physical ${mtu}";
-		emit "run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm";
+		emit qq(run_ip route replace $gateway src $address dev $physical ${mtu});
+		emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
 	    } else {
-		emit "qt \$IP -6 route add $gateway src $address dev $physical ${mtu}";
-		emit "qt \$IP -6 route del $gateway src $address dev $physical ${mtu}table $id $realm";
-		emit "run_ip route add $gateway src $address dev $physical ${mtu}table $id $realm";
+		emit qq(qt \$IP -6 route add $gateway src $address dev $physical ${mtu});
+		emit qq(qt \$IP -6 route del $gateway src $address dev $physical ${mtu}table $id $realm);
+		emit qq(run_ip route add $gateway src $address dev $physical ${mtu}table $id $realm);
 	    }
 	}
 
@@ -1380,15 +1378,32 @@ sub finish_providers() {
 	emit(   'fi',
 		'' );
     } else {
+	if ( ( $fallback || @load_interfaces ) && $config{USE_DEFAULT_RT} ) {
+	    emit  ( q(#),
+		    q(# Delete any default routes in the 'main' table),
+		    q(#),
+		    "while qt \$IP -$family route del default table $main; do",
+		    '    true',
+		    'done',
+		    ''
+		  );
+	} else {
+	    emit ( q(#),
+		   q(# We don't have any 'balance'. 'load='  or 'fallback=' providers so we restore any default route that we've saved),
+		   q(#),
+		   qq(restore_default_route $config{USE_DEFAULT_RT}),
+		   ''
+		 );
+	}
+
 	emit ( '#',
-	       '# We don\'t have any \'balance\' providers so we restore any default route that we\'ve saved',
+	       '# Delete any routes in the \'balance\' table',
 	       '#',
-	       "restore_default_route $config{USE_DEFAULT_RT}" ,
-	       '#',
-	       '# And delete any routes in the \'balance\' table',
-	       '#',
-	       "qt \$IP -$family route del default table $balance",
-	       '' );
+	       "while qt \$IP -$family route del default table $balance; do",
+	       '    true',
+	       'done',
+	       ''
+	     );
     }
 
     if ( $fallback ) {
@@ -1442,10 +1457,13 @@ sub process_providers( $ ) {
     #
     # Treat optional interfaces as pseudo-providers
     #
+    my $num = -65536;
+
     for ( grep interface_is_optional( $_ ) && ! $provider_interfaces{ $_ }, all_real_interfaces ) {
+	$num++;
 	#
-	#               TABLE             NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
-	$currentline =  var_base($_) ." 0      -    -         $_        -       -       -";
+	#               TABLE             NUMBER            MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
+	$currentline =  var_base($_) .  " $num              -    -         $_        -       -       -";
 	#
 	$pseudoproviders += process_a_provider(1);
     }
@@ -1591,7 +1609,7 @@ sub map_provider_to_interface() {
 
     my $haveoptional;
 
-    for my $providerref ( values %providers ) {
+    for my $providerref ( sort { $a->{number} cmp $b->{number} } values %providers ) {
 	if ( $providerref->{optional} ) {
 	    unless ( $haveoptional++ ) {
 		emit( 'if [ -n "$interface" ]; then',

Shorewall/Perl/Shorewall/Proxyarp.pm

@@ -154,7 +154,7 @@ sub setup_proxy_arp() {
 
 	emit '';
 
-	for my $interface ( keys %reset ) {
+	for my $interface ( sort keys %reset ) {
 	    unless ( $set{interface} ) {
 		my $physical = get_physical $interface;
 		emit  ( "if [ -f /proc/sys/net/ipv$family/conf/$physical/$proc_file ]; then" ,
@@ -163,7 +163,7 @@ sub setup_proxy_arp() {
 	    }
 	}
 
-	for my $interface ( keys %set ) {
+	for my $interface ( sort keys %set ) {
 	    my $physical = get_physical $interface;
 	    emit  ( "if [ -f /proc/sys/net/ipv$family/conf/$physical/$proc_file ]; then" ,
 		    "    echo 1 > /proc/sys/net/ipv$family/conf/$physical/$proc_file" );

Shorewall/Perl/Shorewall/Raw.pm

@@ -275,11 +275,13 @@ sub process_format( $ ) {
     $file_format = $format;
 }
 
-sub setup_conntrack() {
+sub setup_conntrack($) {
+    my $convert = shift;
+    my $fn;
 
     for my $name ( qw/notrack conntrack/ ) {
 
-	my $fn = open_file( $name, 3 , 1 );
+	$fn = open_file( $name, 3 , 1 );
 
 	if ( $fn ) {
 
@@ -341,12 +343,76 @@ sub setup_conntrack() {
 		    } else {
 			warning_message "Unable to remove empty notrack file ($fn): $!";
 		    }
+		    $convert = undef;
+		}
+	    }
+	} elsif ( $name eq 'notrack' ) {
+	    $convert = undef;
+
+	    if ( -f ( my $fn1 = find_file( $name ) ) ) {
+		if ( unlink( $fn1 ) ) {
+		    warning_message "Empty notrack file ($fn1) removed";
 		} else {
-		    warning_message "Non-empty notrack file ($fn); please move its contents to the conntrack file";
+		    warning_message "Unable to remove empty notrack file ($fn1): $!";
 		}
 	    }
 	}
     }
+
+    if ( $convert ) {
+	my $conntrack;
+	my $empty  = 1;
+	my $date = localtime;
+
+	if ( $fn ) {
+	    open $conntrack, '>>', $fn or fatal_error "Unable to open $fn for notrack conversion: $!";
+	} else {
+	    open $conntrack, '>', $fn = find_file 'conntrack' or fatal_error "Unable to open $fn for notrack conversion: $!";
+
+	    print $conntrack <<'EOF';
+#
+# Shorewall version 5 - conntrack File
+#
+# For information about entries in this file, type "man shorewall-conntrack"
+#
+##############################################################################################################
+EOF
+	    print $conntrack '?' . "FORMAT 3\n";
+	    
+	    print $conntrack <<'EOF';
+#ACTION                 SOURCE          DESTINATION     PROTO   DEST            SOURCE  USER/           SWITCH
+#                                                               PORT(S)         PORT(S) GROUP
+EOF
+	}
+
+	print( $conntrack
+	       "#\n" ,
+	       "# Rules generated from notrack file $fn by Shorewall $globals{VERSION} - $date\n" ,
+	       "#\n" );
+
+	$fn = open_file( 'notrack' , 3, 1 ) || fatal_error "Unable to open the notrack file for conversion: $!";
+
+	while ( read_a_line( PLAIN_READ ) ) {
+	    #
+	    # Don't copy the header comments from the old notrack file
+	    #
+	    next if $empty && ( $currentline =~ /^\s*#/ || $currentline =~ /^\s*$/ );
+
+	    if ( $empty ) {
+		#
+		# First non-commentary line
+		#
+		$empty = undef;
+
+		print $conntrack '?' . "FORMAT 1\n" unless $currentline =~ /^\s*\??FORMAT/i;
+	    }
+
+	    print $conntrack "$currentline\n";
+	}
+
+	rename $fn, "$fn.bak" or fatal_error "Unable to rename $fn to $fn.bak: $!";
+	progress_message2 "notrack file $fn saved in $fn.bak"
+    }
 }
 
 1;

Shorewall/Perl/Shorewall/Rules.pm

@@ -455,13 +455,12 @@ sub process_default_action( $$$$ ) {
 	} elsif ( ( $targets{$def} || 0 ) == INLINE ) {
 	    $default = $def;
 	    $default = "$def($param)" if supplied $param;
+	    $default = join( ':', $default, $level ) if $level ne 'none';
 	} elsif ( $default_option ) {
 	    fatal_error "Unknown Action ($default) in $policy setting";
 	} else {
 	    fatal_error "Unknown Default Action ($default)";
 	}
-
-	$default = join( ':', $default, $level ) if $level ne 'none';
     } else {
 	$default = $default_actions{$policy} || 'none';
     }
@@ -2284,7 +2283,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 
     if ( $basictarget eq 'INLINE' ) {
 	( $action, $basictarget, $param, $loglevel, $raw_matches ) = handle_inline( FILTER_TABLE, 'filter', $action, $basictarget, $param, $loglevel );
-    } elsif ( $config{INLINE_MATCHES} ) {
+    } else {
 	$raw_matches = get_inline_matches(0);
     }
     #

Shorewall/Perl/Shorewall/Tc.pm

@@ -27,7 +27,7 @@
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
-#   This module deals with Traffic Shaping and the tcrules file.
+#   This module deals with Traffic Shaping and the mangle file.
 #
 package Shorewall::Tc;
 require Exporter;
@@ -135,7 +135,7 @@ our %restrictions = ( tcpre      => PREROUTE_RESTRICT ,
 
 our $family;
 
-our $tcrules;
+our $convert;
 
 our $mangle;
 
@@ -749,7 +749,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 
     if ( $cmd eq 'INLINE' ) {
 	( $target, $cmd, $params, $junk, $raw_matches ) = handle_inline( MANGLE_TABLE, 'mangle', $action, $cmd, $params, '' );
-    } elsif ( $config{INLINE_MATCHES} ) {
+    } else {
 	$raw_matches = get_inline_matches(0);
     }
 
@@ -797,7 +797,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	if ( $commandref->{maxparams} == 1 ) {
 	    fatal_error "The $cmd requires a parameter";
 	} else {
-	    fatal_error "The $cmd ACTION only requires at least $commandref->{maxparams} parmeters";
+	    fatal_error "The $cmd ACTION requires at least $commandref->{maxparams} parmeters";
 	}
     }
     if ( $state ne '-' ) {
@@ -998,7 +998,7 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
 	}
     }
 	
-    if ( $tcrules ) {
+    if ( $convert ) {
 	$command = ( $command ? "$command($mark)" : $mark ) . $designator;
 	my $line = ( $family == F_IPV6 ?
 		     "$command\t$source\t$dest\t$proto\t$ports\t$sports\t$user\t$testval\t$length\t$tos\t$connbytes\t$helper\t$headers\t$probability\t$dscp\t$state" :
@@ -3161,11 +3161,129 @@ sub process_secmark_rule() {
     }
 }
 
+sub convert_tos($$) {
+    my ( $mangle, $fn1 ) = @_;
+
+    my $have_tos = 0;
+
+    sub unlink_tos( $ ) {
+	my $fn = shift;
+
+	if ( unlink $fn ) {
+	    warning_message "Empty tos file ($fn) removed";
+	} else {
+	    warning_message "Unable to remove empty tos file $fn: $!";
+	}
+    }
+
+    if ( my $fn = open_file 'tos' ) {
+	first_entry(
+		    sub {
+			my $date = localtime;
+			progress_message2 "Converting $fn...";
+			print( $mangle
+			       "#\n" ,
+			       "# Rules generated from tos file $fn by Shorewall $globals{VERSION} - $date\n" ,
+			       "#\n" );
+		    }
+		   );
+
+	while ( read_a_line( NORMAL_READ ) ) {
+
+	    $have_tos = 1;
+
+	    my ($src, $dst, $proto, $ports, $sports , $tos, $mark ) =
+		split_line( 'tos file entry',
+			    { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, tos => 5, mark => 6 } );
+
+	    my $chain_designator = 'P';
+
+	    decode_tos($tos, 1);
+
+	    my ( $srczone , $source , $remainder );
+
+	    if ( $family == F_IPV4 ) {
+		( $srczone , $source , $remainder ) = split( /:/, $src, 3 );
+		fatal_error 'Invalid SOURCE' if defined $remainder;
+	    } elsif ( $src =~ /^(.+?):<(.*)>\s*$/ || $src =~ /^(.+?):\[(.*)\]\s*$/ ) {
+		$srczone = $1;
+		$source  = $2;
+	    } else {
+		$srczone = $src;
+	    }
+
+	    if ( $srczone eq firewall_zone ) {
+		$chain_designator = 'O';
+		$src         = $source || '-';
+	    } else {
+		$src =~ s/^all:?//;
+	    }
+
+	    $dst =~ s/^all:?//;
+
+	    $src    = '-' unless supplied $src;
+	    $dst    = '-' unless supplied $dst;
+	    $proto  = '-' unless supplied $proto;
+	    $ports  = '-' unless supplied $ports;
+	    $sports = '-' unless supplied $sports;
+	    $mark   = '-' unless supplied $mark;
+
+	    print $mangle "TOS($tos):$chain_designator\t$src\t$dst\t$proto\t$ports\t$sports\t-\t$mark\n"
+
+	}
+
+	if ( $have_tos ) {
+	    progress_message2 "Converted $fn to $fn1";
+	    if ( rename $fn, "$fn.bak" ) {
+		progress_message2 "$fn renamed $fn.bak";
+	    } else {
+		fatal_error "Cannot Rename $fn to $fn.bak: $!";
+	    }
+	} else {
+	    unlink_tos( $fn );
+	}
+    } elsif ( -f ( $fn = find_file( 'tos' ) ) ) {
+	if ( unlink $fn ) {
+	    warning_message "Empty tos file ($fn) removed";
+	} else {
+	    warning_message "Unable to remove empty tos file $fn: $!";
+	}
+    }
+}
+
+sub open_mangle_for_output() {
+    my ( $mangle, $fn1 );
+
+    if ( -f ( $fn1 = find_writable_file( 'mangle' ) ) ) {
+	open( $mangle , '>>', $fn1 ) || fatal_error "Unable to open $fn1:$!";
+    } else {
+	open( $mangle , '>', $fn1 ) || fatal_error "Unable to open $fn1:$!";
+	print $mangle <<'EOF';
 #
-# Process the tcrules file and setup traffic shaping
+# Shorewall version 4 - Mangle File
+#
+# For information about entries in this file, type "man shorewall-mangle"
+#
+# See http://shorewall.net/traffic_shaping.htm for additional information.
+# For usage in selecting among multiple ISPs, see
+# http://shorewall.net/MultiISP.html
+#
+# See http://shorewall.net/PacketMarking.html for a detailed description of
+# the Netfilter/Shorewall packet marking mechanism.
+####################################################################################################################################################
+#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE  USER    TEST    LENGTH  TOS     CONNBYTES       HELPER  PROBABILITY     DSCP
+#                                                       PORT(S) PORT(S)
+EOF
+    }
+
+    return ( $mangle, $fn1 );
+}
+
+#
+# Process the mangle file and setup traffic shaping
 #
 sub setup_tc( $ ) {
-    $tcrules = $_[0];
+    $convert = $_[0];
 
     if ( $config{MANGLE_ENABLED} ) {
 	ensure_mangle_chain 'tcpre';
@@ -3221,33 +3339,69 @@ sub setup_tc( $ ) {
 	if ( $fn = open_file( 'tcrules' , 2, 1 ) ) {
 	    my $fn1;
 
-	    if ( $tcrules ) {
+	    if ( $convert ) {
 		#
 		# We are going to convert this tcrules file to the equivalent mangle file
 		#
-		open( $mangle , '>>', $fn1 = find_file('mangle') ) || fatal_error "Unable to open $fn1:$!";
+		( $mangle, $fn1 ) = open_mangle_for_output;
 
 		directive_callback( sub () { print $mangle "$_[1]\n" unless $_[0] eq 'FORMAT'; 0; } );
 	    }
 
-	    first_entry "$doing $fn...";
+	    first_entry(
+			sub {
+			    if ( $convert ) {
+				my $date = localtime;
+				progress_message2 "Converting $fn...";
+				print( $mangle
+				       "#\n" ,
+				       "# Rules generated from tcrules file $fn by Shorewall $globals{VERSION} - $date\n" ,
+				       "#\n" );
+			    } else {
+				progress_message2 "$doing $fn...";
+			    }
+			}
+		       );
 
 	    process_tc_rule, $have_tcrules++ while read_a_line( NORMAL_READ );
 
-	    if ( $have_tcrules ) {
-		if ( $mangle ) {
+	    if ( $convert ) {
+		if ( $have_tcrules ) {
 		    progress_message2 "Converted $fn to $fn1";
 		    if ( rename $fn, "$fn.bak" ) {
 			progress_message2 "$fn renamed $fn.bak";
 		    } else {
 			fatal_error "Cannot Rename $fn to $fn.bak: $!";
 		    }
+		} elsif ( -f ( my $fn = find_file( 'tcrules' ) ) ) {
+		    if ( unlink $fn ) {
+			warning_message "Empty tcrules file ($fn) removed";
+		    } else {
+			warning_message "Unable to remove empty tcrules file $fn: $!";
+		    }
+		}
+
+		convert_tos( $mangle, $fn1 );
+
+		close $mangle, directive_callback( 0 );
+	    }
+	} elsif ( $convert ) {
+	    if ( -f ( my $fn = find_file( 'tcrules' ) ) ) {
+		if ( unlink $fn ) {
+		    warning_message "Empty tcrules file ($fn) removed";
 		} else {
-		    warning_message "Non-empty tcrules file ($fn); consider running '$product update -t'";
+		    warning_message "Unable to remove empty tcrules file $fn: $!";
 		}
 	    }
 
-	    close $mangle, directive_callback( 0 ) if $tcrules;
+	    if ( -f ( my $fn = find_file( 'tos' ) ) ) {
+		#
+		# We are going to convert this tos file to the equivalent mangle file
+		#
+		( $mangle, my $fn1 ) = open_mangle_for_output;
+		convert_tos( $mangle, $fn1 );
+		close $mangle;
+	    }
 	}
 
 	if ( my $fn = open_file( 'mangle', 1, 1 ) ) {

Shorewall/Perl/Shorewall/Tunnels.pm

@@ -137,6 +137,8 @@ sub setup_tunnels() {
 
 	add_tunnel_rule $inchainref,  p => 'udp --dport 655', @$source;
 	add_tunnel_rule $outchainref, p => 'udp --dport 655', @$dest;
+	add_tunnel_rule $inchainref,  p => 'tcp --dport 655', @$source;
+	add_tunnel_rule $outchainref, p => 'tcp --dport 655', @$dest;
     }
 
     sub setup_one_openvpn {

Shorewall/Perl/Shorewall/Zones.pm

@@ -1208,18 +1208,20 @@ sub process_interface( $$ ) {
 
 	    fatal_error "Invalid Interface option ($option)" unless my $type = $validinterfaceoptions{$option};
 
-	    if ( $zone ) {
-		fatal_error qq(The "$option" option may not be specified for a Vserver zone") if $zoneref->{type} & VSERVER && ! ( $type & IF_OPTION_VSERVER );
-	    } else {
-		fatal_error "The \"$option\" option may not be specified on a multi-zone interface" if $type & IF_OPTION_ZONEONLY;
-	    }
-
 	    my $hostopt = $type & IF_OPTION_HOST;
 
-	    fatal_error "The \"$option\" option is not allowed on a bridge port" if $port && ! $hostopt;
-
 	    $type &= MASK_IF_OPTION;
 
+	    unless ( $type == BINARY_IF_OPTION && defined $value && $value eq '0' ) {
+		if ( $zone ) {
+		    fatal_error qq(The "$option" option may not be specified for a Vserver zone") if $zoneref->{type} & VSERVER && ! ( $type & IF_OPTION_VSERVER );
+		} else {
+		    fatal_error "The \"$option\" option may not be specified on a multi-zone interface" if $type & IF_OPTION_ZONEONLY;
+		}
+	    }
+
+	    fatal_error "The \"$option\" option is not allowed on a bridge port" if $port && ! $hostopt;
+
 	    if ( $type == SIMPLE_IF_OPTION ) {
 		fatal_error "Option $option does not take a value" if defined $value;
 		if ( $option eq 'blacklist' ) {
@@ -1549,10 +1551,16 @@ sub known_interface($)
     my $iface = $interface;
 
     if ( $minroot ) {
+	#
+	# We have wildcard interfaces -- see if this interface matches one of their roots
+	#
 	while ( length $iface > $minroot ) {
 	    chop $iface;
 
 	    if ( my $i = $roots{$iface} ) {
+		#
+		# Found one
+		#
 		$interfaceref = $interfaces{$i};
 
 		my $physical = map_physical( $interface, $interfaceref );
@@ -1682,9 +1690,8 @@ sub source_port_to_bridge( $ ) {
     return $portref ? $portref->{bridge} : '';
 }
 
-
 #
-# Returns a hash reference for the zones interface through the interface
+# Returns a hash reference for the zones interfaced through the interface
 #
 sub interface_zones( $ ) {
     my $interfaceref = known_interface( $_[0] );
@@ -1719,7 +1726,7 @@ sub interface_is_required($) {
 }
 
 #
-# Return true if the interface is 'plain'
+# Return true if the interface is 'plain' (not optional, required or ignored and not a bridge port).
 #
 sub interface_is_plain($) {
     my $interfaceref = $interfaces{$_[0]};
@@ -1800,7 +1807,7 @@ sub find_interfaces_by_option1( $ ) {
     my @ints = ();
     my $wild = 0;
 
-    for my $interface ( sort { $interfaces{$a}->{number} <=> $interfaces{$b}->{number} } keys %interfaces ) {
+    for my $interface ( @interfaces ) {
 	my $interfaceref = $interfaces{$interface};
 
 	next unless defined $interfaceref->{physical};
@@ -2170,8 +2177,10 @@ sub find_hosts_by_option( $ ) {
     }
 
     for my $zone ( grep ! ( $zones{$_}{type} & FIREWALL ) , @zones ) {
-	while ( my ($type, $interfaceref) = each %{$zones{$zone}{hosts}} ) {
-	    while ( my ( $interface, $arrayref) = ( each %{$interfaceref} ) ) {
+	for my $type (sort keys %{$zones{$zone}{hosts}} ) {
+	    my $interfaceref = $zones{$zone}{hosts}->{$type};
+	    for my $interface ( sort keys %$interfaceref ) {
+		my $arrayref = $interfaceref->{$interface};
 		for my $host ( @{$arrayref} ) {
 		    my $ipsec = $host->{ipsec};
 		    unless ( $done{$interface} ) { 
@@ -2197,8 +2206,10 @@ sub find_zone_hosts_by_option( $$ ) {
     my @hosts;
 
     unless ( $zones{$zone}{type} & FIREWALL ) {
-	while ( my ($type, $interfaceref) = each %{$zones{$zone}{hosts}} ) {
-	    while ( my ( $interface, $arrayref) = ( each %{$interfaceref} ) ) {
+	for my $type (sort keys %{$zones{$zone}{hosts}} ) {
+	    my $interfaceref = $zones{$zone}{hosts}->{$type};
+	    for my $interface ( sort keys %$interfaceref ) {
+		my $arrayref = $interfaceref->{$interface};
 		for my $host ( @{$arrayref} ) {
 		    if ( my $value = $host->{options}{$option} ) {
 			for my $net ( @{$host->{hosts}} ) {
@@ -2210,7 +2221,7 @@ sub find_zone_hosts_by_option( $$ ) {
 	}
     }
 
-    \@hosts;
+    \@hosts
 }
 
 #

Shorewall/Perl/compiler.pl

@@ -42,6 +42,8 @@
 #         --config_path=<path-list>   # Search path for config files
 #         --inline                    # Update alternative column specifications
 #         --tcrules                   # Create mangle from tcrules
+#         --routestopped              # Create stoppedrules from routestopped
+#         --notrack                   # Create conntrack from notrack
 #
 use strict;
 use FindBin;
@@ -77,6 +79,8 @@ usage: compiler.pl [ <option> ... ] [ <filename> ]
     [ --config_path=<path-list> ]
     [ --inline ]
     [ --tcrules ]
+    [ --routestopped ]
+    [ --notrack ]
 _EOF_
 
 exit shift @_;
@@ -107,6 +111,8 @@ my $shorewallrc   = '';
 my $shorewallrc1  = '';
 my $inline        = 0;
 my $tcrules       = 0;
+my $routestopped  = 0;
+my $notrack       = 0;
 
 Getopt::Long::Configure ('bundling');
 
@@ -141,6 +147,8 @@ my $result = GetOptions('h'               => \$help,
 			'convert'         => \$convert,
 			'inline'          => \$inline,
 			'tcrules'         => \$tcrules,
+			'routestopped'    => \$routestopped,
+			'notrack'         => \$notrack,
 			'config_path=s'   => \$config_path,
 			'shorewallrc=s'   => \$shorewallrc,
 			'shorewallrc1=s'  => \$shorewallrc1,
@@ -171,4 +179,6 @@ compiler( script          => $ARGV[0] || '',
 	  shorewallrc1    => $shorewallrc1,
 	  inline          => $inline,
 	  tcrules         => $tcrules,
+	  routestopped    => $routestopped,
+	  notrack         => $notrack,
 	);

Shorewall/Perl/prog.footer

@@ -267,7 +267,7 @@ case "$COMMAND" in
 		status=0
 		for chain in $@; do
 		    if chain_exists $chain; then
-			if qt $g_tool-Z $chain; then
+			if qt $g_tool -Z $chain; then
 			    progress_message3 "Filter $chain Counters Reset"
 			else
 			    error_message "ERROR: Reset of chain $chain failed"

Shorewall/action.AutoBL

@@ -33,7 +33,7 @@ fatal_error "Invalid successive interval ($succesive) passed to AutoBL" unless $
 fatal_error "Invalid packet count ($count) passed to AutoBL"            unless $count =~ /^\d+$/ && $count;
 fatal_error "Invalid blacklist time ($bltime) passed to AutoBL"         unless $bltime =~ /^\d+$/ && $bltime;
 validate_level( $level );
-
+1;
 ?end perl
 ###############################################################################
 #TARGET		SOURCE	DEST	PROTO	DPORT	SPORT

Shorewall/lib.cli-std

@@ -414,7 +414,7 @@ compiler() {
 
     debugflags="-w"
     [ -n "$g_debug" ]   && debugflags='-wd'
-    [ -n "$g_profile" ] && debugflags='-wd:DProf'
+    [ -n "$g_profile" ] && debugflags='-wd:NYTProf'
 
     # Perl compiler only takes the output file as a argument
 
@@ -453,6 +453,8 @@ compiler() {
     [ -n "$g_directives" ] && options="$options --directives"
     [ -n "$g_tcrules" ] && options="$options --tcrules"
     [ -n "$g_inline" ] && options="$options --inline"
+    [ -n "$g_routestopped" ] && options="$options --routestopped"
+    [ -n "$g_notrack" ] && options="$options --notrack"
 
     if [ -n "$PERL" ]; then
 	if [ ! -x "$PERL" ]; then
@@ -463,7 +465,17 @@ compiler() {
 	PERL=/usr/bin/perl
     fi
 
-    [ -n "$g_doing" ] && progress_message3 "$g_doing..."
+    case "$g_doing" in
+	Compiling|Checking)
+	    progress_message3 "$g_doing using $g_product $SHOREWALL_VERSION..."
+	    ;;
+	Updating)
+	    progress_message3 "Updating $g_product configuration to $SHOREWALL_VERSION..."
+	    ;;
+	*)
+	    [ -n "$g_doing" ] && progress_message3 "$g_doing using $g_product $SHOREWALL_VERSION..."
+	    ;;
+    esac
 
     if [ ${PERLLIBDIR} = ${LIBEXECDIR}/shorewall ]; then
 	$PERL $debugflags $pc $options $@
@@ -874,11 +886,21 @@ update_command() {
 			    g_tcrules=Yes
 			    option=${option#t}
 			    ;;
+			s*)
+			    g_routestopped=Yes
+			    option=${option#s}
+			    ;;
+			n*)
+			    g_notrack=Yes
+			    option=${option#n}
+			    ;;
 			A*)
 			    g_inline=Yes
 			    g_convert=Yes
 			    g_directives=Yes
 			    g_tcrules=Yes
+			    g_routestopped=Yes
+			    g_notrack=Yes
 			    option=${option#A}
 			    ;;
 			*)
@@ -915,7 +937,7 @@ update_command() {
 	    ;;
     esac
 
-    g_doing="Updating..."
+    g_doing="Updating"
 
     compiler $g_debugging $nolock check
 }

Shorewall/manpages/shorewall-interfaces.xml

@@ -213,7 +213,7 @@ loc     eth2            -</programlisting>
                 changed; the value assigned to the setting will be the value
                 specified (if any) or 1 if no value is given.</para>
 
-                <para></para>
+                <para/>
 
                 <note>
                   <para>This option does not work with a wild-card
@@ -247,7 +247,7 @@ loc     eth2            -</programlisting>
 
                 <para>8 - do not reply for all local addresses</para>
 
-                <para></para>
+                <para/>
 
                 <note>
                   <para>This option does not work with a wild-card
@@ -255,7 +255,7 @@ loc     eth2            -</programlisting>
                   the INTERFACE column.</para>
                 </note>
 
-                <para></para>
+                <para/>
 
                 <warning>
                   <para>Do not specify <emphasis
@@ -425,7 +425,7 @@ loc     eth2            -</programlisting>
         1
         teastep@lists:~$ </programlisting>
 
-                <para></para>
+                <para/>
 
                 <note>
                   <para>This option does not work with a wild-card
@@ -760,7 +760,7 @@ loc     eth2            -</programlisting>
             </varlistentry>
 
             <varlistentry>
-              <term>unmanaged</term>
+              <term><emphasis role="bold">unmanaged</emphasis></term>
 
               <listitem>
                 <para>Added in Shorewall 4.5.18. Causes all traffic between

Shorewall/manpages/shorewall-mangle.xml

@@ -351,18 +351,18 @@
 
                 <para>The following rules are equivalent:</para>
 
-                <programlisting>2:P             eth0              -         tcp 22
-INLINE(2):P     eth0              -         tcp 22
-INLINE(2):P     eth0              -                 ; -p tcp
-INLINE          eth0              -         tcp 22  ; -j MARK --set-mark 2
-INLINE          eth0              -                 ; -p tcp -j MARK --set-mark 2
+                <programlisting>2:P                   eth0              -         tcp 22
+INLINE(MARK(2)):P     eth0              -         tcp 22
+INLINE(MARK(2)):P     eth0              -                 ; -p tcp
+INLINE                eth0              -         tcp 22  ; -j MARK --set-mark 2
+INLINE                eth0              -                 ; -p tcp -j MARK --set-mark 2
 </programlisting>
 
                 <para>If INLINE_MATCHES=Yes in <ulink
                 url="/manpages/shorewall.conf.html">shorewall6.conf(5)</ulink>
                 then the third rule above can be specified as follows:</para>
 
-                <programlisting>2:P             eth0              -                 ; -p tcp</programlisting>
+                <programlisting>MARK(2):P             eth0              -                 ; -p tcp</programlisting>
               </listitem>
             </varlistentry>
 
@@ -1283,12 +1283,12 @@ Normal-Service       =&gt; 0x00</programlisting>
 
           <programlisting>       #ACTION    SOURCE    DEST         PROTO   PORT(S)       SOURCE  USER    TEST
        #                                                       PORT(S)
-       1:T        0.0.0.0/0 0.0.0.0/0    icmp    echo-request
-       1:T        0.0.0.0/0 0.0.0.0/0    icmp    echo-reply
+       MARK(1):T  0.0.0.0/0 0.0.0.0/0    icmp    echo-request
+       MARK(1):T  0.0.0.0/0 0.0.0.0/0    icmp    echo-reply
        RESTORE:T  0.0.0.0/0 0.0.0.0/0    all     -             -       -       0
        CONTINUE:T 0.0.0.0/0 0.0.0.0/0    all     -             -       -       !0
-       4:T         0.0.0.0/0 0.0.0.0/0   ipp2p:all
-       SAVE:T      0.0.0.0/0 0.0.0.0/0   all     -             -       -       !0</programlisting>
+       MARK(4):T  0.0.0.0/0 0.0.0.0/0   ipp2p:all
+       SAVE:T     0.0.0.0/0 0.0.0.0/0   all     -             -       -       !0</programlisting>
 
           <para>If a packet hasn't been classified (packet mark is 0), copy
           the connection mark to the packet mark. If the packet mark is set,
@@ -1307,9 +1307,9 @@ Normal-Service       =&gt; 0x00</programlisting>
 
           <programlisting>/etc/shorewall/tcrules:
 
-       #ACTION   SOURCE         DEST         PROTO   PORT(S)       SOURCE  USER    TEST
-       #                                                           PORT(S)
-       1-3:CF    192.168.1.0/24 eth0 ; state=NEW
+       #ACTION            SOURCE         DEST         PROTO   PORT(S)       SOURCE  USER    TEST
+       #                                                                    PORT(S)
+       CONNMARK(1-3):F    192.168.1.0/24 eth0 ; state=NEW
 
 /etc/shorewall/masq:
 

Shorewall/manpages/shorewall-rules.xml

@@ -129,8 +129,10 @@
         <term><emphasis role="bold">NEW</emphasis></term>
 
         <listitem>
-          <para>Packets in the NEW, INVALID and UNTRACKED states are processed
-          by rules in this section.</para>
+          <para>Packets in the NEW state are processed by rules in this
+          section. If the INVALID and/or UNTRACKED sections are empty or not
+          included, then the packets in the corresponding state(s) are also
+          processed in this section.</para>
         </listitem>
       </varlistentry>
     </variablelist>
@@ -264,7 +266,8 @@
             </varlistentry>
 
             <varlistentry>
-              <term>AUDIT[(accept|drop|reject)]</term>
+              <term><emphasis
+              role="bold">AUDIT</emphasis>[(accept|drop|reject)]</term>
 
               <listitem>
                 <para>Added in Shorewall 4.5.10. Audits the packet with the
@@ -275,7 +278,11 @@
             </varlistentry>
 
             <varlistentry>
-              <term>A_ACCEPT, A_ACCEPT+ and A_ACCEPT!</term>
+              <term><emphasis role="bold">A_ACCEPT</emphasis>, <emphasis
+              role="bold">A_ACCEPT</emphasis><emphasis
+              role="bold">+</emphasis> and <emphasis
+              role="bold">A_ACCEPT</emphasis><emphasis
+              role="bold">!</emphasis></term>
 
               <listitem>
                 <para>Added in Shorewall 4.4.20. Audited versions of ACCEPT,
@@ -285,7 +292,8 @@
             </varlistentry>
 
             <varlistentry>
-              <term>A_DROP and A_DROP!</term>
+              <term><emphasis role="bold">A_DROP</emphasis> and<emphasis
+              role="bold"> A_DROP!</emphasis></term>
 
               <listitem>
                 <para>Added in Shorewall 4.4.20. Audited versions of DROP and
@@ -295,7 +303,8 @@
             </varlistentry>
 
             <varlistentry>
-              <term>A_REJECT AND A_REJECT!</term>
+              <term><emphasis role="bold">A_REJECT</emphasis> AND <emphasis
+              role="bold">A_REJECT!</emphasis></term>
 
               <listitem>
                 <para>Added in Shorewall 4.4.20. Audited versions of REJECT
@@ -422,7 +431,7 @@
             </varlistentry>
 
             <varlistentry>
-              <term>HELPER</term>
+              <term><emphasis role="bold">HELPER</emphasis></term>
 
               <listitem>
                 <para>Added in Shorewall 4.5.7. This action requires that the
@@ -476,7 +485,8 @@
             </varlistentry>
 
             <varlistentry>
-              <term>IPTABLES({<replaceable>iptables-target</replaceable>
+              <term><emphasis
+              role="bold">IPTABLES</emphasis>({<replaceable>iptables-target</replaceable>
               [<replaceable>option</replaceable> ...])</term>
 
               <listitem>
@@ -665,8 +675,9 @@
             </varlistentry>
 
             <varlistentry>
-              <term>TARPIT [(<emphasis role="bold">tarpit</emphasis> |
-              <emphasis role="bold">honeypot</emphasis> | <emphasis
+              <term><emphasis role="bold">TARPIT</emphasis> [(<emphasis
+              role="bold">tarpit</emphasis> | <emphasis
+              role="bold">honeypot</emphasis> | <emphasis
               role="bold">reset</emphasis>)]</term>
 
               <listitem>

Shorewall/manpages/shorewall.conf.xml

@@ -1507,8 +1507,8 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
         role="bold">d</emphasis>}:]<emphasis>rate</emphasis><emphasis
         role="bold">/</emphasis>{<emphasis
         role="bold">sec</emphasis>|<emphasis
-        role="bold">min</emphasis>|<emphasis
-        role="bold">hour</emphasis>|<emphasis
+        role="bold">second|min</emphasis>|<emphasis
+        role="bold">minute|hour</emphasis>|<emphasis
         role="bold">day</emphasis>}[:<emphasis>burst</emphasis>]]</term>
 
         <listitem>
@@ -1522,6 +1522,10 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
 
           <para>If <replaceable>burst</replaceable> is not specified, then a
           value of 5 is assumed.</para>
+
+          <para>The keywords <emphasis role="bold">second</emphasis> and
+          <emphasis role="bold">minute</emphasis> are accepted beginning with
+          Shorewall 4.6.13.</para>
         </listitem>
       </varlistentry>
 

Shorewall/manpages/shorewall.xml

@@ -825,6 +825,10 @@
 
       <arg><option>-t</option></arg>
 
+      <arg><option>-r</option></arg>
+
+      <arg><option>-n</option></arg>
+
       <arg><option>-A</option></arg>
 
       <arg><replaceable>directory</replaceable></arg>
@@ -2267,7 +2271,7 @@
         <term><emphasis role="bold">update </emphasis> [-<option>b</option>]
         [-<option>d</option>] [-<option>r</option>] [-<option>T</option>]
         [-<option>a</option>] [-<option>D</option>] [-<option>i</option>]
-        [-<option>t</option>] [-<option>A</option>] [
+        [-<option>t</option>] [-r] [-n][-<option>A</option>] [
         <replaceable>directory</replaceable> ]</term>
 
         <listitem>
@@ -2304,19 +2308,21 @@
           updated, the original is saved in a .bak file in the same
           directory.</para>
 
-          <para>The -i option was added in Shorewall 4.6.0 and causes a
-          warning message to be issued if the current line contains
-          alternative input specifications following a semicolon (";"). Such
-          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
-          <ulink
+          <para>The <option>-i</option> option was added in Shorewall 4.6.0
+          and causes a warning message to be issued if the current line
+          contains alternative input specifications following a semicolon
+          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
+          set to Yes in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
 
           <para>The <option>-t</option> option was added in Shorewall 4.6.0.
-          When specified, <option>-t</option> causes <ulink
-          url="shorewall-tcrules.html">shorewall-tcrules(5)</ulink> to be
-          converted to <ulink
+          When specified, <option>-t</option> causes the <emphasis
+          role="bold">tcrules</emphasis> file to be converted to <ulink
           url="shorewall-mangle.html">shorewall-mangle(5)</ulink>. The old
-          file is renamed with a .bak suffix.</para>
+          file is renamed with a .bak suffix. Beginning with Shorewall
+          4.6.12.2, this option also causes the <emphasis
+          role="bold">tos</emphasis> file to be converted to <ulink
+          url="shorewall-mangle.html">shorewall-mangle(5)</ulink>.</para>
 
           <important>
             <para>There are some notable restrictions with the
@@ -2350,9 +2356,24 @@
             </orderedlist>
           </important>
 
+          <para>The <option>-r</option> option was added in Shorewall 4.6.12.
+          When specified, <option>-r</option> causes <ulink
+          url="manpages/shorewall-routestopped.html">shorewall-routestopped(5)</ulink>
+          to be converted to <ulink
+          url="manpages/shorewall-stoppedrules.html">shorewall-stoppedrules(5)</ulink>.
+          The old file is renamed with a .bak suffix.</para>
+
+          <para>The <option>-n</option> option was added in Shorewall 4.6.12.
+          When specified, <option>-n</option> causes <ulink
+          url="manpages/shorewall-routestopped.html">shorewall-notrack(5)</ulink>
+          to be converted to <ulink
+          url="manpages/shorewall-conntrack.html">shorewall-conntrack(5)</ulink>.
+          The old file is renamed with a .bak suffix.</para>
+
           <para>The <option>-A</option> option was added in Shorewall 4.6.0
           and is equivalent to specifying the <option>-b</option>,
-          <option>-D</option> and the <option>-t</option> options.</para>
+          <option>-D</option>, <option>-t,</option> <option>-r</option> and
+          the <option>-n</option> options.</para>
 
           <para>For a description of the other options, see the <emphasis
           role="bold">check</emphasis> command above.</para>

Shorewall/shorewall.service.debian

@@ -0,0 +1,22 @@
+#
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
+#
+#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
+#     Copyright 2015 Tom Eastep <teastep@shorewall.net>
+#
+[Unit]
+Description=Shorewall IPv4 firewall
+Wants=network-online.target
+After=network-online.target
+Conflicts=iptables.service firewalld.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=-/etc/default/shorewall
+StandardOutput=syslog
+ExecStart=/sbin/shorewall $OPTIONS start $STARTOPTIONS
+ExecStop=/sbin/shorewall $OPTIONS stop
+
+[Install]
+WantedBy=basic.target

Shorewall6-lite/manpages/shorewall6-lite.xml

@@ -1024,14 +1024,6 @@
           except that it assumes that the firewall is already started.
           Existing connections are maintained.</para>
 
-          <caution>
-            <para>If your ip6tables ruleset depends on variables that are
-            detected at run-time, either in your params file or by
-            Shorewall-generated code, <command>restore</command> will use the
-            values that were current when the ruleset was saved, which may be
-            different from the current values.</para>
-          </caution>
-
           <para>The <option>-n</option> option causes shorewall6-lite to avoid
           updating the routing table(s).</para>
 
@@ -1064,6 +1056,14 @@
           in <ulink
           url="shorewall.conf.html">shorewall6.conf</ulink>(5).</para>
 
+          <caution>
+            <para>If your ip6tables ruleset depends on variables that are
+            detected at run-time, either in your params file or by
+            Shorewall-generated code, <command>restore</command> will use the
+            values that were current when the ruleset was saved, which may be
+            different from the current values.</para>
+          </caution>
+
           <para>The <option>-C</option> option was added in Shorewall 4.6.5.
           If the <option>-C</option> option was specified during
           <command>shorewall7-lite save</command>, then the counters saved by

Shorewall6-lite/shorewall6-lite.service.debian

@@ -0,0 +1,21 @@
+#
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
+#
+#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
+#
+[Unit]
+Description=Shorewall IPv6 firewall (lite)
+Wants=network-online.target
+After=network-online.target
+Conflicts=ip6tables.service firewalld.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=-/etc/sysconfig/shorewall6-lite
+StandardOutput=syslog
+ExecStart=/sbin/shorewall6-lite $OPTIONS start $STARTOPTIONS
+ExecStop=/sbin/shorewall6-lite $OPTIONS stop
+
+[Install]
+WantedBy=basic.target

Shorewall6/manpages/shorewall6-hosts.xml

@@ -65,9 +65,7 @@
 
       <varlistentry>
         <term><emphasis role="bold">HOST(S)</emphasis> (hosts)-
-        <emphasis>interface</emphasis>:<option>[</option>{[{<emphasis>address-or-range</emphasis>[<emphasis
-        role="bold">,</emphasis><emphasis>address-or-range</emphasis>]...|<emphasis
-        role="bold">+</emphasis><emphasis>ipset</emphasis>}[<emphasis>exclusion</emphasis>]<option>]</option></term>
+        <emphasis>interface</emphasis>:{<replaceable>address-or-range</replaceable>[,<replaceable>address-or-range</replaceable>]...|+<replaceable>ipset</replaceable>|<option>dynamic</option>}[<replaceable>exclusion</replaceable>]</term>
 
         <listitem>
           <para>The name of an interface defined in the <ulink
@@ -87,7 +85,7 @@
 
             <listitem>
               <para>An IP address range of the form
-              <emphasis>low.address</emphasis>-<emphasis>high.address</emphasis>.
+              [<emphasis>low.address</emphasis>]-[<emphasis>high.address</emphasis>].
               Your kernel and ip6tables must have iprange match
               support.</para>
             </listitem>

Shorewall6/manpages/shorewall6-interfaces.xml

@@ -538,7 +538,7 @@ loc     eth2            -</programlisting>
             </varlistentry>
 
             <varlistentry>
-              <term>unmanaged</term>
+              <term><emphasis role="bold">unmanaged</emphasis></term>
 
               <listitem>
                 <para>Added in Shorewall 4.5.18. Causes all traffic between

Shorewall6/manpages/shorewall6-mangle.xml

@@ -320,6 +320,28 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><emphasis role="bold">HL</emphasis>([<emphasis
+              role="bold">-</emphasis>|<emphasis
+              role="bold">+</emphasis>]<replaceable>number</replaceable>)[:P]</term>
+
+              <listitem>
+                <para>If <emphasis role="bold">+</emphasis> is included,
+                packets matching the rule will have their hop limit
+                incremented by <replaceable>number</replaceable>. Similarly,
+                if <emphasis role="bold">-</emphasis> is included, matching
+                packets have their hop limit decremented by
+                <replaceable>number</replaceable>. If neither <emphasis
+                role="bold">+</emphasis> nor <emphasis
+                role="bold">-</emphasis> is given, the hop limit of matching
+                packets is set to <replaceable>number</replaceable>. The valid
+                range of values for <replaceable>number</replaceable> is
+                1-255. If :P is included, the rule is placed in the mangle
+                PREROUTING chain -- otherwise, it is placed in the FORWARD
+                chain.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis
               role="bold">IMQ</emphasis>(<replaceable>number</replaceable>)</term>
@@ -347,23 +369,23 @@
                 specified at the end of the rule. If the target is not one
                 known to Shorewall, then it must be defined as a builtin
                 action in <ulink
-                url="/manpages6/shorewall6-actions.html">shorewall6-actions</ulink>
+                url="/manpages/shorewall-actions.html">shorewall-actions</ulink>
                 (5).</para>
 
                 <para>The following rules are equivalent:</para>
 
-                <programlisting>2:P             eth0              -         tcp 22
-INLINE(2):P     eth0              -         tcp 22
-INLINE(2):P     eth0              -                 ; -p tcp
-INLINE          eth0              -         tcp 22  ; -j MARK --set-mark 2
-INLINE          eth0              -                 ; -p tcp -j MARK --set-mark 2
+                <programlisting>2:P                   eth0              -         tcp 22
+INLINE(MARK(2)):P     eth0              -         tcp 22
+INLINE(MARK(2)):P     eth0              -                 ; -p tcp
+INLINE                eth0              -         tcp 22  ; -j MARK --set-mark 2
+INLINE                eth0              -                 ; -p tcp -j MARK --set-mark 2
 </programlisting>
 
                 <para>If INLINE_MATCHES=Yes in <ulink
-                url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)
+                url="/manpages/shorewall.conf.html">shorewall6.conf(5)</ulink>
                 then the third rule above can be specified as follows:</para>
 
-                <programlisting>2:P             eth0              -                 ; -p tcp</programlisting>
+                <programlisting>MARK(2):P             eth0              -                 ; -p tcp</programlisting>
               </listitem>
             </varlistentry>
 
@@ -665,53 +687,7 @@ Normal-Service       =&gt; 0x00</programlisting>
                 </itemizedlist>
               </listitem>
             </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">TTL</emphasis>([<emphasis
-              role="bold">-</emphasis>|<emphasis
-              role="bold">+</emphasis>]<replaceable>number</replaceable>)</term>
-
-              <listitem>
-                <para>If <emphasis role="bold">+</emphasis> is included,
-                packets matching the rule will have their TTL incremented by
-                <replaceable>number</replaceable>. Similarly, if <emphasis
-                role="bold">-</emphasis> is included, matching packets have
-                their TTL decremented by <replaceable>number</replaceable>. If
-                neither <emphasis role="bold">+</emphasis> nor <emphasis
-                role="bold">-</emphasis> is given, the TTL of matching packets
-                is set to <replaceable>number</replaceable>. The valid range
-                of values for <replaceable>number</replaceable> is
-                1-255.</para>
-              </listitem>
-            </varlistentry>
           </variablelist>
-
-          <orderedlist numeration="arabic">
-            <listitem>
-              <para><emphasis role="bold">TTL</emphasis>([<emphasis
-              role="bold">-</emphasis>|<emphasis
-              role="bold">+</emphasis>]<replaceable>number</replaceable>)</para>
-
-              <para>Added in Shorewall 4.4.24.</para>
-
-              <para>Prior to Shorewall 4.5.7.2, may be optionally followed by
-              <emphasis role="bold">:F</emphasis> but the resulting rule is
-              always added to the FORWARD chain. Beginning with Shorewall
-              4.5.7.s, it may be optionally followed by <emphasis
-              role="bold">:P</emphasis>, in which case the rule is added to
-              the PREROUTING chain.</para>
-
-              <para>If <emphasis role="bold">+</emphasis> is included, packets
-              matching the rule will have their TTL incremented by
-              <replaceable>number</replaceable>. Similarly, if <emphasis
-              role="bold">-</emphasis> is included, matching packets have
-              their TTL decremented by <replaceable>number</replaceable>. If
-              neither <emphasis role="bold">+</emphasis> nor <emphasis
-              role="bold">-</emphasis> is given, the TTL of matching packets
-              is set to <replaceable>number</replaceable>. The valid range of
-              values for <replaceable>number</replaceable> is 1-255.</para>
-            </listitem>
-          </orderedlist>
         </listitem>
       </varlistentry>
 

Shorewall6/manpages/shorewall6-rules.xml

@@ -122,8 +122,10 @@
         <term><emphasis role="bold">NEW</emphasis></term>
 
         <listitem>
-          <para>Packets in the NEW, INVALID and UNTRACKED states are processed
-          by rules in this section.</para>
+          <para>Packets in the NEW state are processed by rules in this
+          section. If the INVALID and/or UNTRACKED sections are empty or not
+          included, then the packets in the corresponding state(s) are also
+          processed in this section.</para>
         </listitem>
       </varlistentry>
     </variablelist>
@@ -237,7 +239,8 @@
             </varlistentry>
 
             <varlistentry>
-              <term>AUDIT[(accept|drop|reject)]</term>
+              <term><emphasis
+              role="bold">AUDIT</emphasis>[(accept|drop|reject)]</term>
 
               <listitem>
                 <para>Added in Shorewall 4.5.10. Audits the packet with the
@@ -248,7 +251,8 @@
             </varlistentry>
 
             <varlistentry>
-              <term>A_ACCEPT, and A_ACCEPT!</term>
+              <term><emphasis role="bold">A_ACCEPT</emphasis>, and <emphasis
+              role="bold">A_ACCEPT!</emphasis></term>
 
               <listitem>
                 <para>Added in Shorewall 4.4.20. Audited versions of ACCEPT
@@ -258,7 +262,8 @@
             </varlistentry>
 
             <varlistentry>
-              <term>A_DROP and A_DROP!</term>
+              <term><emphasis role="bold">A_DROP</emphasis> and <emphasis
+              role="bold">A_DROP!</emphasis></term>
 
               <listitem>
                 <para>Added in Shorewall 4.4.20. Audited versions of DROP and
@@ -268,7 +273,8 @@
             </varlistentry>
 
             <varlistentry>
-              <term>A_REJECT AND A_REJECT!</term>
+              <term><emphasis role="bold">A_REJECT</emphasis> AND<emphasis
+              role="bold"> A_REJECT!</emphasis></term>
 
               <listitem>
                 <para>Added in Shorewall 4.4.20. Audited versions of REJECT
@@ -396,7 +402,7 @@
             </varlistentry>
 
             <varlistentry>
-              <term>HELPER</term>
+              <term><emphasis role="bold">HELPER</emphasis></term>
 
               <listitem>
                 <para>Added in Shorewall 4.5.7. This action requires that the
@@ -450,7 +456,8 @@
             </varlistentry>
 
             <varlistentry>
-              <term>IP6TABLES({<replaceable>ip6tables-target</replaceable>
+              <term><emphasis
+              role="bold">IP6TABLES</emphasis>({<replaceable>ip6tables-target</replaceable>
               [<replaceable>option</replaceable> ...])</term>
 
               <listitem>
@@ -642,8 +649,9 @@
             </varlistentry>
 
             <varlistentry>
-              <term>TARPIT [(<emphasis role="bold">tarpit</emphasis> |
-              <emphasis role="bold">honeypot</emphasis> | <emphasis
+              <term><emphasis role="bold">TARPIT</emphasis> [(<emphasis
+              role="bold">tarpit</emphasis> | <emphasis
+              role="bold">honeypot</emphasis> | <emphasis
               role="bold">reset</emphasis>)]</term>
 
               <listitem>

Shorewall6/manpages/shorewall6.conf.xml

@@ -1322,8 +1322,8 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
         role="bold">d</emphasis>}:]<emphasis>rate</emphasis><emphasis
         role="bold">/</emphasis>{<emphasis
         role="bold">sec</emphasis>|<emphasis
-        role="bold">min</emphasis>|<emphasis
-        role="bold">hour</emphasis>|<emphasis
+        role="bold">second|min</emphasis>|<emphasis
+        role="bold">minute|hour</emphasis>|<emphasis
         role="bold">day</emphasis>}[:<emphasis>burst</emphasis>]]</term>
 
         <listitem>
@@ -1337,6 +1337,10 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
 
           <para>If <replaceable>burst</replaceable> is not specified, then a
           value of 5 is assumed.</para>
+
+          <para>The keywords <emphasis role="bold">second</emphasis> and
+          <emphasis role="bold">minute</emphasis> are accepted beginning with
+          Shorewall 4.6.13.</para>
         </listitem>
       </varlistentry>
 

Shorewall6/manpages/shorewall6.xml

@@ -755,6 +755,10 @@
 
       <arg><option>-t</option></arg>
 
+      <arg><option>-r</option></arg>
+
+      <arg><option>-n</option></arg>
+
       <arg><option>-A</option></arg>
 
       <arg><replaceable>directory</replaceable></arg>
@@ -2133,24 +2137,24 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">update </emphasis>[-<option>b</option>]
+        <term><emphasis role="bold">update </emphasis> [-<option>b</option>]
         [-<option>d</option>] [-<option>r</option>] [-<option>T</option>]
         [-<option>a</option>] [-<option>D</option>] [-<option>i</option>]
-        [-<option>t</option>] [-<option>A</option>] [
+        [-<option>t</option>] [-r] [-n][-<option>A</option>] [
         <replaceable>directory</replaceable> ]</term>
 
         <listitem>
           <para>Added in Shorewall 4.4.21 and causes the compiler to update
-          <filename>/etc/shorewall6/shorewall6.conf</filename> then validate
-          the configuration. The update will add options not present in the
-          existing file with their default values, and will move deprecated
+          <filename>/etc/shorewall/shorewall.conf then validate the
+          configuration</filename>. The update will add options not present in
+          the old file with their default values, and will move deprecated
           options with non-defaults to a deprecated options section at the
           bottom of the file. Your existing
-          <filename>shorewall6.conf</filename> file is renamed
-          <filename>shorewall6.conf.bak</filename>.</para>
+          <filename>shorewall.conf</filename> file is renamed
+          <filename>shorewall.conf.bak.</filename></para>
 
           <para>The <option>-a</option> option causes the updated
-          <filename>shorewall6.conf</filename> file to be annotated with
+          <filename>shorewall.conf</filename> file to be annotated with
           documentation.</para>
 
           <para>The <option>-b</option> option was added in Shorewall 4.4.26
@@ -2169,7 +2173,7 @@
           <para>The <option>-D</option> option was added in Shorewall 4.5.11.
           When this option is specified, the compiler will walk through the
           directories in the CONFIG_PATH replacing FORMAT and COMMENT entries
-          to compiler directives (e.g., ?FORMAT and ?COMMENT). When a file is
+          to compiler directives (e.g., ?FORMAT and ?COMMENT. When a file is
           updated, the original is saved in a .bak file in the same
           directory.</para>
 
@@ -2178,14 +2182,16 @@
           contains alternative input specifications following a semicolon
           (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
           set to Yes in <ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
+          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
 
           <para>The <option>-t</option> option was added in Shorewall 4.6.0.
-          When specified, <option>-t</option> causes <ulink
-          url="shorewall6-tcrules.html">shorewall6-tcrules(5)</ulink> to be
-          converted to <ulink
+          When specified, <option>-t</option> causes the <emphasis
+          role="bold">tcrules</emphasis> file to be converted to <ulink
           url="shorewall6-mangle.html">shorewall6-mangle(5)</ulink>. The old
-          file is renamed with a .bak suffix.</para>
+          file is renamed with a .bak suffix. Beginning with Shorewall
+          4.6.12.2, this option also causes the <emphasis
+          role="bold">tos</emphasis> file to be converted to <ulink
+          url="shorewall6-mangle.html">shorewall6-mangle(5)</ulink>.</para>
 
           <important>
             <para>There are some notable restrictions with the
@@ -2197,7 +2203,7 @@
                 <filename>mangle</filename> file; if there is no
                 <filename>mangle</filename> file in the CONFIG_PATH, one will
                 be created in <filename
-                class="directory">/etc/shorewall6</filename>.</para>
+                class="directory">/etc/shorewall</filename>.</para>
               </listitem>
 
               <listitem>
@@ -2219,9 +2225,24 @@
             </orderedlist>
           </important>
 
+          <para>The <option>-r</option> option was added in Shorewall 4.6.12.
+          When specified, <option>-r</option> causes <ulink
+          url="manpages6/shorewall6-routestopped.html">shorewall6-routestopped(5)</ulink>
+          to be converted to <ulink
+          url="manpages6/shorewall6-stoppedrules.html">shorewall6-stoppedrules(5)</ulink>.
+          The old file is renamed with a .bak suffix.</para>
+
+          <para>The <option>-n</option> option was added in Shorewall 4.6.12.
+          When specified, <option>-n</option> causes <ulink
+          url="manpages6/shorewall6-routestopped.html">shorewall6-notrack(5)</ulink>
+          to be converted to <ulink
+          url="manpages6/shorewall6-conntrack.html">shorewall6-conntrack(5)</ulink>.
+          The old file is renamed with a .bak suffix.</para>
+
           <para>The <option>-A</option> option was added in Shorewall 4.6.0
           and is equivalent to specifying the <option>-b</option>,
-          <option>-D</option> and the <option>-t</option> options.</para>
+          <option>-D</option>, <option>-t,</option> <option>-r</option> and
+          the <option>-n</option> options.</para>
 
           <para>For a description of the other options, see the <emphasis
           role="bold">check</emphasis> command above.</para>

Shorewall6/shorewall6.service.debian

@@ -0,0 +1,22 @@
+#
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
+#
+#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
+#     Copyright 2015 Tom Eastep <teastep@shorewall.net>
+#
+[Unit]
+Description=Shorewall IPv6 firewall
+Wants=network-online.target
+After=network-online.target
+Conflicts=ip6tables.service firewalld.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=-/etc/default/shorewall6
+StandardOutput=syslog
+ExecStart=/sbin/shorewall6 $OPTIONS start $STARTOPTIONS
+ExecStop=/sbin/shorewall6 $OPTIONS stop
+
+[Install]
+WantedBy=basic.target

docs/Introduction.xml

@@ -121,13 +121,12 @@
 
       <itemizedlist>
         <listitem>
-          <para><ulink
-          url="http://www.kmyfirewall.org/">kmyfirewall</ulink></para>
+          <para><ulink url="https://help.ubuntu.com/community/UFW">UFW
+          (Uncomplicated Firewall)</ulink></para>
         </listitem>
 
         <listitem>
-          <para><ulink
-          url="http://www.fs-security.com/">firestarter</ulink></para>
+          <para><ulink url="http://www.ipcop.org">ipcop</ulink></para>
         </listitem>
       </itemizedlist>
 

docs/MultiISP.xml

@@ -911,7 +911,7 @@ eth1             0.0.0.0/0         130.252.99.27</programlisting>
       <para>Now suppose that you want to route all outgoing SMTP traffic from
       your local network through ISP 2. If you are running Shorewall 4.6.0 or
       later, you would make this entry in <ulink
-      url="traffic_shaping.htm">/etc/shorewall/mangle</ulink>.</para>
+      url="manpages/shorewall-mangle.html">/etc/shorewall/mangle</ulink>.</para>
 
       <programlisting>#ACTION         SOURCE          DEST            PROTO   PORT(S) CLIENT  USER    TEST
 #                                                               PORT(S)
@@ -1950,9 +1950,9 @@ ONBOOT=yes</programlisting>
       url="manpages/shorewall-providers.html">shorewall-providers</ulink> (5)
       is available in the form of a PROBABILITY column in <ulink
       url="manpages/shorewall-mangle.html">shorewall-mangle</ulink>(5) (<ulink
-      url="???">shorewall-tcrules</ulink>) (5). This feature requires the
-      <firstterm>Statistic Match</firstterm> capability in your iptables and
-      kernel.</para>
+      url="manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>) (5).
+      This feature requires the <firstterm>Statistic Match</firstterm>
+      capability in your iptables and kernel.</para>
 
       <para>This method works when there are multiple links to the same ISP
       where both links have the same default gateway.</para>
@@ -2579,7 +2579,9 @@ MARK(2)               $FW             0.0.0.0/0       tcp     21
 MARK(2)               $FW             0.0.0.0/0       tcp     -               -       -       -       -       -       -               ftp
 MARK(2)               $FW             0.0.0.0/0       tcp     119</programlisting></para>
 
-      <para>Here are the equivalent tcrules entries:</para>
+      <para>If you are still using a tcrules file, you should consider
+      switching to using a mangle file (<command>shorewall update -t</command>
+      will do that for you). Here are the equivalent tcrules entries:</para>
 
       <programlisting>#MARK           SOURCE          DEST            PROTO   PORT(S)         CLIENT  USER    TEST    LENGTH  TOS     CONNBYTES       HELPER
 #                                                                       PORT(S) 

docs/Shorewall_Squid_Usage.xml

@@ -246,7 +246,10 @@ Squid   1       202     -               eth1            192.168.1.3     loose,no
 #                                                       PORT(S)
 MARK(202):P    eth1:!192.168.1.3   0.0.0.0/0   tcp      80</programlisting>
 
-            <para>Corresponding /etc/shorewall/tcrules entries are:</para>
+            <para>If you are still using a tcrules file, you should consider
+            switching to using a mangle file (<command>shorewall update
+            -t</command> will do that for you). Corresponding
+            /etc/shorewall/tcrules entries are:</para>
 
             <programlisting>#MARK    SOURCE              DEST        PROTO    DEST
 #                                                 PORT(S)

docs/shorewall_quickstart_guide.xml

@@ -71,29 +71,22 @@
       running quickly in the three most common Shorewall configurations. If
       you want to learn more about Shorewall than is explained in these simple
       guides then the <ulink url="shorewall_setup_guide.htm">Shorewall Setup
-      Guide</ulink> (<ulink url="shorewall_setup_guide_fr.htm">Version
-      Française</ulink>) is for you.<itemizedlist>
+      Guide</ulink> is for you.<itemizedlist>
           <listitem>
-            <para><ulink url="standalone.htm">Standalone</ulink> Linux System
-            (<ulink url="standalone_fr.html">Version Française</ulink>) <ulink
-            url="standalone_ru.html">(Russian Version)</ulink> <ulink
-            url="standalone_es.html">Version en Español</ulink></para>
+            <para><ulink url="standalone.htm">Standalone</ulink> Linux
+            System</para>
           </listitem>
 
           <listitem>
             <para><ulink url="two-interface.htm">Two-interface</ulink> Linux
-            System acting as a firewall/router for a small local network
-            (<ulink url="two-interface_fr.html">Version Française</ulink>)
-            (<ulink url="two-interface_ru.html">Russian
-            Version</ulink>)</para>
+            System acting as a firewall/router for a small local
+            network</para>
           </listitem>
 
           <listitem>
             <para><ulink url="three-interface.htm">Three-interface</ulink>
             Linux System acting as a firewall/router for a small local network
-            and a DMZ.. (<ulink url="three-interface_fr.html">Version
-            Française</ulink>) (<ulink url="three-interface_ru.html">Russian
-            Version</ulink>)</para>
+            and a DMZ</para>
           </listitem>
         </itemizedlist></para>
     </section>
@@ -103,11 +96,10 @@
       address</title>
 
       <para>The <ulink url="shorewall_setup_guide.htm">Shorewall Setup
-      Guide</ulink> (<ulink url="shorewall_setup_guide_fr.htm">Version
-      Française</ulink>) outlines the steps necessary to set up a firewall
-      where there are multiple public IP addresses involved or if you want to
-      learn more about Shorewall than is explained in the single-address
-      guides above.</para>
+      Guide</ulink> outlines the steps necessary to set up a firewall where
+      there are multiple public IP addresses involved or if you want to learn
+      more about Shorewall than is explained in the single-address guides
+      above.</para>
     </section>
   </section>
 </article>

docs/starting_and_stopping_shorewall.xml

@@ -204,78 +204,57 @@
   <section id="Trace">
     <title>Tracing Command Execution and other Debugging Aids</title>
 
-    <para>If you include the word <emphasis role="bold">trace</emphasis> as
-    the first parameter to an <filename>/sbin/shorewall</filename> command
-    that transfers control to
-    <filename>/usr/share/shorewall/firewall</filename>, execution of the
-    latter program will be traced to STDERR.</para>
+    <para>Shorewall includes features for tracing and debugging. Commands
+    involving the compiler can have the word <emphasis
+    role="bold">trace</emphasis> inserted immediately after the
+    command.</para>
 
-    <example id="trace">
-      <title>Tracing <command>shorewall start</command></title>
+    <para>Example:</para>
 
-      <para>To trace the execution of <command>shorewall start</command> and
-      write the trace to the file <filename>/tmp/trace</filename>, you would
-      enter:<programlisting><command>shorewall trace start 2&gt; /tmp/trace</command></programlisting><note>
-          <para>The <emphasis role="bold">trace</emphasis> keyword does not
-          result in a trace of the execution of the Shorewall rules compiler.
-          It rather causes additional diagnostic information to be included in
-          warning and error messages generated by the compiler.</para>
-        </note></para>
+    <programlisting>shorewall trace check -r</programlisting>
 
-      <para>You may also include the word <emphasis
-      role="bold">debug</emphasis> as the first argument to the
-      <filename>/sbin/shorewall</filename> and
-      <filename>/sbin/shorewall-lite</filename> commands.<programlisting><command>shorewall debug restart</command></programlisting>In
-      most cases, <emphasis role="bold">debug</emphasis> is a synonym for
-      <emphasis role="bold">trace</emphasis>. The exceptions are:</para>
+    <para>This produces a large amount of diagnostic output to standard out
+    during the compilation step. If entered on a command that doesn't invoke
+    the compiler, <emphasis role="bold">trace</emphasis> is ignored.</para>
+
+    <para>Commands that invoke a compiled fireawll script can have the word
+    debug inserted immediately after the command.</para>
+
+    <para>Example:</para>
+
+    <programlisting>shorewall debug restart</programlisting>
+
+    <para><emphasis role="bold">debug</emphasis> causes altered behavior of
+    scripts generated by the Shorewall compiler. These scripts normally use
+    ip[6]tables-restore to install the Netfilter ruleset, but with debug, the
+    commands normally passed to iptables-restore in its input file are passed
+    individually to ip[6]tables. This is a diagnostic aid which allows
+    identifying the individual command that is causing ip[6]tables-restore to
+    fail; it should be used when ip[6]tables-restore fails when executing a
+    COMMIT command.</para>
+
+    <warning>
+      <para>The debug feature is strictly for problem analysis. When debug is
+      used:</para>
 
       <itemizedlist>
         <listitem>
-          <para><emphasis role="bold">debug</emphasis> is ignored by the
-          Shorewall-perl compiler.</para>
+          <para>The firewall is made 'wide open' before the rules are
+          applied.</para>
         </listitem>
 
         <listitem>
-          <para><emphasis role="bold">debug</emphasis> causes altered behavior
-          of scripts generated by the Shorewall-perl compiler. These scripts
-          normally use<command> iptables-restore</command> to install the
-          Netfilter ruleset but with <emphasis role="bold">debug</emphasis>,
-          the commands normally passed to <command>iptables-restore</command>
-          in its input file are passed individually to
-          <command>iptables</command>. This is a diagnostic aid which allows
-          identifying the individual command that is causing
-          <command>iptables-restore</command> to fail; it should be used when
-          iptables-restore fails when executing a <command>COMMIT</command>
-          command.</para>
+          <para>The <filename>stoppedrules</filename> file is not
+          consulted.</para>
+        </listitem>
+
+        <listitem>
+          <para>The rules are applied in the canonical ip[6]tables-restore
+          order. So if you need critical hosts to be always available during
+          start/restart, you may not be able to use debug.</para>
         </listitem>
       </itemizedlist>
-
-      <para><warning>
-          <para>The <emphasis role="bold">debug</emphasis> feature is strictly
-          for problem analysis. When <emphasis role="bold">debug</emphasis> is
-          used:</para>
-
-          <orderedlist>
-            <listitem>
-              <para>The firewall is made 'wide open' before the rules are
-              applied.</para>
-            </listitem>
-
-            <listitem>
-              <para>The <filename>routestopped</filename> file is not
-              consulted.</para>
-            </listitem>
-
-            <listitem>
-              <para>The rules are applied in the canonical
-              <command>iptables-restore</command> order. So if you need
-              critical hosts to be always available during start/restart, you
-              may not be able to use <emphasis
-              role="bold">debug</emphasis>.</para>
-            </listitem>
-          </orderedlist>
-        </warning></para>
-    </example>
+    </warning>
   </section>
 
   <section id="Boot">
@@ -629,7 +608,7 @@
 
     <para>The Shorewall State Diagram is depicted below.</para>
 
-    <para><graphic align="center" fileref="images/State_Diagram.png" /></para>
+    <para><graphic align="center" fileref="images/State_Diagram.png"/></para>
 
     <informaltable>
       <tgroup cols="3">
@@ -725,7 +704,7 @@
             unsuccessful then firewall start (standard configuration) If
             timeout then firewall restart (standard configuration)</entry>
 
-            <entry></entry>
+            <entry/>
           </row>
         </tbody>
       </tgroup>