Clarify DEST column in DNAT rules.

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/configure.pl

@@ -100,7 +100,7 @@ if ( defined $vendor ) {
     } elsif ( `uname` =~ '^Darwin' ) {
 	$vendor = 'apple';
 	$rcfilename = 'shorewallrc.apple';
-    } elsif ( `uname` =~ /^Cygwin/i ) {
+    } elsif ( `uname` =~ '^Cygwin' ) {
 	$vendor = 'cygwin';
 	$rcfilename = 'shorewallrc.cygwin';
     } else {

Shorewall-core/install.sh

@@ -187,7 +187,7 @@ INSTALLD='-D'
 
 if [ -z "$BUILD" ]; then
     case $(uname) in
-	cygwin*|CYGWIN*)
+	cygwin*)
 	    BUILD=cygwin
 	    ;;
 	Darwin)

Shorewall-core/lib.cli

@@ -271,19 +271,6 @@ show_classifiers() {
 
 }
 
-#
-# Display blacklist chains
-#
-show_bl() {
-    $g_tool -L $g_ipt_options | \
-	awk 'BEGIN           {prnt=0; };
-            /^$/             {if (prnt == 1) print ""; prnt=0; };
-            /Chain .*~ /     {prnt=1; };
-            /Chain dynamic / {prnt=1; };
-            {if (prnt == 1)  print; };
-            END {if (prnt == 1 ) print "" };'
-}
-
 #
 # Watch the Firewall Log
 #
@@ -1202,13 +1189,7 @@ show_command() {
 	    echo "$g_product $SHOREWALL_VERSION events at $g_hostname - $(date)"
 	    echo
 	    show_events
-	    ;;
-	bl|blacklists)
-	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION blacklist chains at $g_hostname - $(date)"
-	    echo
-	    show_bl;
-	    ;;
+	    ;;	    
 	*)
 	    case "$g_program" in
 		*-lite)
@@ -1470,22 +1451,10 @@ do_dump_command() {
 	$g_tool -t rawpost -L $g_ipt_options
     fi
 
-    local count
-    local max
+    local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
+    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
 
-    if [ -f /proc/sys/net/netfilter/nf_conntrack_count ]; then
-	count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
-	max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
-
-	heading "Conntrack Table ($count out of $max)"
-    elif [ -f /proc/sys/net/ipv4/netfilter/ip_conntrack_count ]; then
-	count=$(cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count)
-	max=$(cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max)
-
-	heading "Conntrack Table ($count out of $max)"
-    else
-	heading "Conntrack Table"
-    fi
+    heading "Conntrack Table ($count out of $max)"
 
     if [ $g_family -eq 4 ]; then
     	[ -f /proc/net/ip_conntrack ] && cat /proc/net/ip_conntrack || grep -v '^ipv6' /proc/net/nf_conntrack
@@ -2983,74 +2952,9 @@ show_status() {
 
 }
 
-interface_status() {
-    case $(cat $1) in
-	0)
-	    echo Enabled
-	    ;;
-	1)
-	    echo Disabled
-	    ;;
-	*)
-	    echo Unknown
-	    ;;
-    esac
-}
-
-show_interfaces() {
-    local f
-    local interface
-    local printed
-
-    for f in ${VARDIR}/*.status; do
-	interface=$(basename $f)
-	echo "   Interface ${interface%.status} is $(interface_status $f)"
-	printed=Yes
-    done
-
-    [ -n "$printed" ] && echo
-}
-
 status_command() {
-     local finished
-    finished=0
-    local option
-    local interfaces
-
-    while [ $finished -eq 0 -a $# -gt 0 ]; do
-	option=$1
-	case $option in
-	    -*)
-		option=${option#-}
-
-		while [ -n "$option" ]; do
-		    case $option in
-			-)
-			    finished=1
-			    option=
-			    ;;
-			i*)
-			    interfaces=Yes
-			    option=${option#i}
-			    ;;
-			*)
-			    usage 1
-			    ;;
-		    esac
-		done
-		shift
-		;;
-	    *)
-		finished=1
-		;;
-	esac
-    done
-
-    [ $# -eq 0 ] || usage 1
-
     [ $VERBOSITY -ge 1 ] && echo "${g_product}-$SHOREWALL_VERSION Status at $g_hostname - $(date)" && echo
     show_status
-    [ -n "$interfaces" ] && show_interfaces
     exit $status
 }
 
@@ -3562,7 +3466,6 @@ usage() # $1 = exit status
     echo "   [ show | list | ls ] [ -b ] [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
     echo "   [ show | list | ls ] [ -f ] capabilities"
     echo "   [ show | list | ls ] arptables"
-    echo "   [ show | list | ls ] [ -x ] {bl|blacklists}"
     echo "   [ show | list | ls ] classifiers"
     echo "   [ show | list | ls ] config"
     echo "   [ show | list | ls ] connections"
@@ -3585,7 +3488,7 @@ usage() # $1 = exit status
     echo "   [ show | list | ls ] zones"
     echo "   start [ -f ] [ -p ] [ <directory> ]"
     echo "   stop"
-    echo "   status [ -i ]"
+    echo "   status"
     echo "   version [ -a ]"
     echo
     exit $1
@@ -3836,10 +3739,10 @@ shorewall_cli() {
     	    show_command $@
 	    ;;
 	status)
+	    [ $# -eq 1 ] || usage 1
 	    [ "$(id -u)" != 0 ] && fatal_error "The status command may only be run by root"
 	    get_config
-	    shift
-	    status_command $@
+	    status_command
 	    ;;
 	dump)
 	    get_config Yes No Yes

Shorewall-init/init.debian.sh

@@ -105,19 +105,19 @@ shorewall_start () {
   for PRODUCT in $PRODUCTS; do
       setstatedir
 
-      if [ -x ${STATEDIR}/firewall ]; then
+      if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then
           #
 	  # Run in a sub-shell to avoid name collisions
 	  #
 	  ( 
-	      if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
-		  ${STATEDIR}/firewall ${OPTIONS} stop || echo_notdone
+	      if ! ${STATEDIR}/$PRODUCT/firewall status > /dev/null 2>&1; then
+		  ${STATEDIR}/$PRODUCT/firewall ${OPTIONS} stop || echo_notdone
 	      else
 		  echo_notdone
 	      fi
 	  )
       else
-	  echo_notdone
+	  echo echo_notdone
       fi
   done
 
@@ -135,8 +135,8 @@ shorewall_stop () {
   for PRODUCT in $PRODUCTS; do
       setstatedir
 
-      if [ -x ${STATEDIR}/firewall ]; then
-	  ${STATEDIR}/firewall ${OPTIONS} clear || echo_notdone
+      if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then
+	  ${STATEDIR}/$PRODUCT/firewall ${OPTIONS} clear || echo_notdone
       fi
   done
 

Shorewall-init/shorewall-init

@@ -63,19 +63,18 @@ shorewall_start () {
   for PRODUCT in $PRODUCTS; do
       setstatedir
 
-      if [ -x ${STATEDIR}/firewall ]; then
+      if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then
           #
 	  # Run in a sub-shell to avoid name collisions
 	  #
 	  (
-	      if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
-		  ${STATEDIR}/firewall ${OPTIONS} stop || exit 1
+	      if ! ${STATEDIR}/$PRODUCT/firewall status > /dev/null 2>&1; then
+		  ${STATEDIR}/$PRODUCT/firewall ${OPTIONS} stop || exit 1
 	      else
 		  exit 1
 	      fi
 	  )
       else
-          echo ERROR:  ${STATEDIR}/firewall does not exist or is not executable!
 	  exit 1
       fi
   done
@@ -96,8 +95,8 @@ shorewall_stop () {
   for PRODUCT in $PRODUCTS; do
       setstatedir
 
-      if [ -x ${STATEDIR}/firewall ]; then
-	  ${STATEDIR}/firewall ${OPTIONS} clear || exit 1
+      if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then
+	  ${STATEDIR}/$PRODUCT/firewall ${OPTIONS} clear || exit 1
       fi
   done
 

Shorewall-lite/install.sh

@@ -195,7 +195,7 @@ T='-T'
 
 if [ -z "$BUILD" ]; then
     case $(uname) in
-	cygwin*|CYGWIN*)
+	cygwin*)
 	    BUILD=cygwin
 	    ;;
 	Darwin)
@@ -242,7 +242,7 @@ if [ -z "$BUILD" ]; then
 fi
 
 case $BUILD in
-    cygwin*|CYGWIN*)
+    cygwin*)
 	OWNER=$(id -un)
 	GROUP=$(id -gn)
 	;;

Shorewall-lite/manpages/shorewall-lite.xml

@@ -352,20 +352,6 @@
       rep="repeat"><replaceable>chain</replaceable></arg></arg>
     </cmdsynopsis>
 
-    <cmdsynopsis>
-      <command>shorewall-lite</command>
-
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
-      <arg>-<replaceable>options</replaceable></arg>
-
-      <arg choice="opt"><option>show | list | ls </option></arg>
-
-      <arg><option>-x</option></arg>
-
-      <arg choice="plain"><option>{bl|blacklists}</option></arg>
-    </cmdsynopsis>
-
     <cmdsynopsis>
       <command>shorewall-lite</command>
 
@@ -479,8 +465,7 @@
 
       <arg>-<replaceable>options</replaceable></arg>
 
-      <arg choice="plain"><arg
-      choice="plain"><option>status</option><arg><option>-i</option></arg></arg></arg>
+      <arg choice="plain"><option>status</option></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -844,19 +829,6 @@
           arguments:</para>
 
           <variablelist>
-            <varlistentry>
-              <term><emphasis role="bold">bl|blacklists</emphasis></term>
-
-              <listitem>
-                <para>Added in Shorewall 4.6.2. Displays the dynamic chain
-                along with any chains produced by entries in
-                shorewall-blrules(5).The <emphasis role="bold">-x</emphasis>
-                option is passed directly through to iptables and causes
-                actual packet and byte counts to be displayed. Without this
-                option, those counts are abbreviated.</para>
-              </listitem>
-            </varlistentry>
-
             <varlistentry>
               <term><emphasis role="bold">capabilities</emphasis></term>
 
@@ -1101,10 +1073,6 @@
         <listitem>
           <para>Produces a short report about the state of the
           Shorewall-configured firewall.</para>
-
-          <para>The <option>-i </option>option was added in Shorewall 4.6.2
-          and causes the status of each optional or provider interface to be
-          displayed.</para>
         </listitem>
       </varlistentry>
 

Shorewall/Macros/macro.Amanda

@@ -14,7 +14,7 @@
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __AMANDA_HELPER )
- PARAM	-	-	udp	10080 { helper=amanda }
+ PARAM	-	-	udp	10080 ; helper=amanda
 ?else
  PARAM	-	-	udp	10080
 ?endif

Shorewall/Macros/macro.FTP

@@ -11,7 +11,7 @@
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __FTP_HELPER  )
- PARAM	-	-	tcp	21 { helper=ftp }
+ PARAM	-	-	tcp	21 ; helper=ftp
 ?else
  PARAM	-	-	tcp	21
 ?endif

Shorewall/Macros/macro.ILO

@@ -1,23 +0,0 @@
-#
-# Shorewall version 4 - ILO Macro
-#
-# /usr/share/shorewall/macro.ILO
-#
-#	This macro handles console redirection with HP ILO 2+,
-#	Use this macro to open access to your ILO interface from management
-#	workstations.
-#
-###############################################################################
-?FORMAT 2
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
-PARAM	-	-	tcp	3002		# Raw serial data
-PARAM	-	-	tcp	9300		# Shared Remote Console
-PARAM	-	-	tcp	17988		# Virtual Media
-PARAM	-	-	tcp	17990		# Console Replay
-HTTP
-HTTPS
-RDP
-SSH
-Telnet						# Remote Console/Telnet

Shorewall/Macros/macro.IPMI

@@ -3,10 +3,7 @@
 #
 # /usr/share/shorewall/macro.IPMI
 #
-#	This macro handles IPMI console redirection with Asus (AMI),
-#	Dell DRAC5+ (Avocent), and Supermicro (Aten or AMI).
-#	Use this macro to open access to your IPMI interface from management
-#	workstations.
+#	This macro handles IPMI used by Asus, Dell, MSI, and Supermicro.
 #
 ###############################################################################
 ?FORMAT 2
@@ -14,13 +11,9 @@
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	623		# RMCP
-PARAM	-	-	tcp	3668,3669	# Virtual Media, Secure (Dell)
-PARAM	-	-	tcp	5120,5123	# CD, floppy (Asus, Aten)
-PARAM	-	-	tcp	5900,5901	# Remote Console (Aten, Dell)
-PARAM	-	-	tcp	7578		# Remote Console (AMI)
+PARAM	-	-	tcp	5900,5901	# Remote Console
+PARAM	-	-	tcp	8889		# WS-MAN
 PARAM	-	-	udp	623		# RMCP
+SSH
 HTTP
 HTTPS
-SNMP
-SSH						# Serial over Lan
-Telnet

Shorewall/Macros/macro.IRC

@@ -12,7 +12,7 @@
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __IRC_HELPER  )
- PARAM	-	-	tcp	6667 { helper=irc }
+ PARAM	-	-	tcp	6667 ; helper=irc
 ?else
  PARAM	-	-	tcp	6667
 ?endif

Shorewall/Macros/macro.PPtP

@@ -14,7 +14,7 @@ PARAM	-	-	47
 PARAM	DEST	SOURCE	47
 
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __PPTP_HELPER )
- PARAM	-	-	tcp	1723 { helper=pptp }
+ PARAM	-	-	tcp	1723 ; helper=pptp
 ?else
  PARAM	-	-	tcp	1723
 ?endif

Shorewall/Macros/macro.SANE

@@ -12,7 +12,7 @@
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __SANE_HELPER )
- PARAM	-	-	tcp	6566 { helper=sane }
+ PARAM	-	-	tcp	6566 ; helper=sane
 ?else
  PARAM	-	-	tcp	6566
 ?endif

Shorewall/Macros/macro.SIP

@@ -12,7 +12,7 @@
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __SIP_HELPER  )
- PARAM	-	-	udp	5060 { helper=sip }
+ PARAM	-	-	udp	5060 ; helper=sip
 ?else
  PARAM	-	-	udp	5060
 ?endif

Shorewall/Macros/macro.SMB

@@ -17,7 +17,7 @@
 PARAM	-	-	udp	135,445
 
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
- PARAM	-	-	udp	137 { helper=netbios-ns }
+ PARAM	-	-	udp	137 ; helper=netbios-ns
  PARAM	-	-	udp	138:139
 ?else
  PARAM	-	-	udp	137:139

Shorewall/Macros/macro.SMBBI

@@ -17,7 +17,7 @@
 PARAM	-	-	udp	135,445
 
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
- PARAM	-	-	udp	137 { helper=netbios-ns }
+ PARAM	-	-	udp	137 ; helper=netbios-ns
  PARAM	-	-	udp	138:139
 ?else
  PARAM	-	-	udp	137:139
@@ -28,7 +28,7 @@ PARAM	-	-	tcp	135,139,445
 PARAM	DEST	SOURCE	udp	135,445
 
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
- PARAM	DEST	SOURCE	udp	137 { helper=netbios-ns }
+ PARAM	DEST	SOURCE	udp	137 ; helper=netbios-ns
  PARAM	DEST	SOURCE	udp	138:139
 ?else
  PARAM	DEST	SOURCE	udp	137:139

Shorewall/Macros/macro.SNMP

@@ -14,7 +14,7 @@
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __SNMP_HELPER )
- PARAM	-	-  	udp     161 { helper=snmp }
+ PARAM	-	-  	udp     161 ; helper=snmp
 ?else
  PARAM	-	-	udp	161
 ?endif

Shorewall/Macros/macro.TFTP

@@ -14,7 +14,7 @@
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __TFTP_HELPER )
- PARAM	-	-	udp	69 { helper=tftp }
+ PARAM	-	-	udp	69 ; helper=tftp
 ?else
  PARAM	-	-	udp	69
 ?endif

Shorewall/Perl/Shorewall/Chains.pm

@@ -3503,7 +3503,7 @@ sub optimize_level8( $$$ ) {
     %renamed = ();
 
     while ( $progress ) {
-	my @chains   = ( sort { level8_compare($a, $b) } ( grep $_->{referenced} && ! $_->{builtin}, values %{$tableref} ) );
+	my @chains   = ( sort level8_compare grep $_->{referenced} && ! $_->{builtin}, values %{$tableref} );
 	my @chains1  = @chains;
 	my $chains   = @chains;
 	my %rename;
@@ -6723,25 +6723,20 @@ sub interface_mac( $$ ) {
 #
 # Record the fact that the ruleset requires MAC address of the passed gateway IP routed out of the passed interface for the passed provider number
 #
-sub get_interface_mac( $$$$ ) {
-    my ( $ipaddr, $logical , $table, $mac ) = @_;
+sub get_interface_mac( $$$ ) {
+    my ( $ipaddr, $logical , $table ) = @_;
 
     my $interface = get_physical( $logical );
     my $variable = interface_mac( $interface , $table );
 
     $global_variables |= NOT_RESTORE;
-    
-    if ( $mac ) {
-	$interfacemacs{$table} = qq($variable=$mac);
+
+    if ( interface_is_optional $logical ) {
+	$interfacemacs{$table} = qq($variable=\$(find_mac $ipaddr $interface)\n);
     } else {
-	if ( interface_is_optional $logical ) {
-	    $interfacemacs{$table} = qq($variable=\$(find_mac $ipaddr $interface)\n);
-	} else {
-	    $interfacemacs{$table} = qq($variable=\$(find_mac $ipaddr $interface)
+	$interfacemacs{$table} = qq($variable=\$(find_mac $ipaddr $interface)
 [ -n "\$$variable" ] || startup_error "Unable to determine the MAC address of $ipaddr through interface \\"$interface\\""
 );
-
-       }
     }
 
     "\$$variable";

Shorewall/Perl/Shorewall/Config.pm

@@ -4118,7 +4118,7 @@ sub IPSet_Match() {
     if ( $ipset && -x $ipset ) {
 	qt( "$ipset -X $sillyname" );
 
-	if ( qt( "$ipset -N $sillyname hash:ip family $fam" ) || qt( "$ipset -N $sillyname iphash" ) ) {
+	if ( qt( "$ipset -N $sillyname iphash" ) || qt( "$ipset -N $sillyname hash:ip family $fam") ) {
 	    if ( qt1( "$iptables $iptablesw -A $sillyname -m set --match-set $sillyname src -j ACCEPT" ) ) {
 		$capabilities{IPSET_MATCH_NOMATCH}  = qt1( "$iptables $iptablesw -A $sillyname -m set --match-set $sillyname src --return-nomatch -j ACCEPT" );
 		$capabilities{IPSET_MATCH_COUNTERS} = qt1( "$iptables $iptablesw -A $sillyname -m set --match-set $sillyname src --packets-lt 100 -j ACCEPT" );
@@ -4140,7 +4140,7 @@ sub IPSet_Match_Nomatch() {
 }
 
 sub IPSet_Match_Counters() {
-    have_capability 'IPSET_MATCH' && $capabilities{IPSET_MATCH_COUNTERS};
+    have_capability 'IPSET_MATCH' && $capabilities{IPSET_MATCH_COUNTGERS};
 }
 
 sub IPSET_V5() {
@@ -4615,7 +4615,6 @@ sub determine_capabilities() {
 	$capabilities{FWMARK_RT_MASK}  = detect_capability( 'FWMARK_RT_MASK' );
 	$capabilities{MARK_ANYWHERE}   = detect_capability( 'MARK_ANYWHERE' );
 	$capabilities{ACCOUNT_TARGET}  = detect_capability( 'ACCOUNT_TARGET' );
-	$capabilities{HEADER_MATCH}    = detect_capability( 'HEADER_MATCH' );
 	$capabilities{AUDIT_TARGET}    = detect_capability( 'AUDIT_TARGET' );
 	$capabilities{IPSET_V5}        = detect_capability( 'IPSET_V5' );
 	$capabilities{CONDITION_MATCH} = detect_capability( 'CONDITION_MATCH' );
@@ -4631,7 +4630,6 @@ sub determine_capabilities() {
 	$capabilities{RPFILTER_MATCH}  = detect_capability( 'RPFILTER_MATCH' );
 	$capabilities{NFACCT_MATCH}    = detect_capability( 'NFACCT_MATCH' );
 	$capabilities{CHECKSUM_TARGET} = detect_capability( 'CHECKSUM_TARGET' );
-	$capabilities{ARPTABLESJF}     = detect_capability( 'ARPTABLESJF' );
 	$capabilities{MASQUERADE_TGT}  = detect_capability( 'MASQUERADE_TGT' );
 	$capabilities{UDPLITEREDIRECT} = detect_capability( 'UDPLITEREDIRECT' );
 	$capabilities{NEW_TOS_MATCH}   = detect_capability( 'NEW_TOS_MATCH' );

Shorewall/Perl/Shorewall/Nat.pm

@@ -633,7 +633,7 @@ sub setup_netmap() {
 }
 
 #
-# Called from process_rule to add a rule to the NAT table
+# Called from process_rule1 to add a rule to the NAT table
 #
 sub handle_nat_rule( $$$$$$$$$$$$$ ) {
     my ( $dest,           # <server>[:port]
@@ -687,11 +687,6 @@ sub handle_nat_rule( $$$$$$$$$$$$$ ) {
 	#
 	$server = $dest;
     }
-
-    #
-    # Check for list in $server
-    #
-    fatal_error "An address list ($server) is not allowed in the DEST column of a $action RULE" if $server =~ /,/;
     #
     # Generate the target
     #

Shorewall/Perl/Shorewall/Providers.pm

@@ -258,7 +258,7 @@ sub copy_and_edit_table( $$$$$ ) {
     emit '';
 
     if ( $realm ) {
-	emit  ( "\$IP -$family -o route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | ${filter}while read net route; do" )
+	emit  ( "\$IP -$family -o route show table $duplicate | sed -r 's/ realm [[:alnum:]]+//' | ${filter}while read net route; do" )
     } else {
 	emit  ( "\$IP -$family -o route show table $duplicate | ${filter}while read net route; do" )
     }
@@ -442,11 +442,10 @@ sub process_a_provider( $ ) {
 
     fatal_error 'INTERFACE must be specified' if $interface eq '-';
 
-    ( $interface, my $address ) = split /:/, $interface, 2;
+    ( $interface, my $address ) = split /:/, $interface;
 
     my $shared = 0;
     my $noautosrc = 0;
-    my $mac = '';
 
     if ( defined $address ) {
 	validate_address $address, 0;
@@ -454,33 +453,10 @@ sub process_a_provider( $ ) {
 	require_capability 'REALM_MATCH', "Configuring multiple providers through one interface", "s";
     }
 
-    my $interfaceref = known_interface( $interface );
-
-    fatal_error "Unknown Interface ($interface)" unless $interfaceref;
-
+    fatal_error "Unknown Interface ($interface)" unless known_interface( $interface );
     fatal_error "A bridge port ($interface) may not be configured as a provider interface" if port_to_bridge $interface;
 
-    #
-    # Switch to the logical name if a physical name was passed
-    #
-    my $physical;
-
-    if ( $interface eq $interfaceref->{name} ) {
-	#
-	# The logical interface name was specified
-	#
-	$physical = $interfaceref->{physical};
-    } else {
-	#
-	# A Physical name was specified
-	#
-	$physical = $interface;
-	#
-	# Switch to the logical name unless it is a wildcard
-	#
-	$interface = $interfaceref->{name} unless $interfaceref->{wildcard};
-    } 
-
+    my $physical    = get_physical $interface;
     my $gatewaycase = '';
 
     if ( $physical =~ /\+$/ ) {
@@ -493,17 +469,7 @@ sub process_a_provider( $ ) {
 	$gateway = get_interface_gateway $interface;
 	$gatewaycase = 'detect';
     } elsif ( $gateway && $gateway ne '-' ) {
-	( $gateway, $mac ) = split_host_list( $gateway, 0 );
 	validate_address $gateway, 0;
-
-	if ( defined $mac ) {
-	    $mac =~ tr/-/:/;
-	    $mac =~ s/^~//;
-	    fatal_error "Invalid MAC address ($mac)" unless $mac =~ /^(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$/;
-	} else {
-	    $mac = '';
-	}
-
 	$gatewaycase = 'specified';
     } else {
 	$gatewaycase = 'none';
@@ -678,7 +644,6 @@ sub process_a_provider( $ ) {
 			   loose       => $loose ,
 			   duplicate   => $duplicate ,
 			   address     => $address ,
-			   mac         => $mac ,
 			   local       => $local ,
 			   tproxy      => $tproxy ,
 			   load        => $load ,
@@ -755,7 +720,6 @@ sub add_a_provider( $$ ) {
     my $loose       = $providerref->{loose};
     my $duplicate   = $providerref->{duplicate};
     my $address     = $providerref->{address};
-    my $mac         = $providerref->{mac};
     my $local       = $providerref->{local};
     my $tproxy      = $providerref->{tproxy};
     my $load        = $providerref->{load};
@@ -769,7 +733,7 @@ sub add_a_provider( $$ ) {
     my $realm = '';
 
     if ( $shared ) {
-	my $variable = $providers{$table}{mac} = get_interface_mac( $gateway, $interface , $table, $mac );
+	my $variable = $providers{$table}{mac} = get_interface_mac( $gateway, $interface , $table );
 	$realm = "realm $number";
 	start_provider( $label , $table, $number, $id, qq(if interface_is_usable $physical && [ -n "$variable" ]; then) );
     } elsif ( $pseudo ) {

Shorewall/Perl/Shorewall/Rules.pm

@@ -1673,11 +1673,9 @@ sub process_action($$) {
 	    $origdest = $connlimit = $time = $headers = $condition = $helper = '-';
 	} else {
 	    ($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper )
-		= split_line2( 'action file',
+		= split_line1( 'action file',
 			       \%rulecolumns,
-			       $action_commands,
-			       undef,
-			       1 );
+			       $action_commands );
 	}
 
 	fatal_error 'TARGET must be specified' if $target eq '-';
@@ -2952,7 +2950,7 @@ sub perl_action_helper($$;$) {
 
     $matches .= ' ' unless $matches =~ /^(?:.+\s)?$/;
 
-    set_inline_matches( $target =~ /^INLINE(?::.*)?$/ ? $matches : '' );
+    set_inline_matches $matches if $target =~ /^INLINE(?::.*)?$/;
 
     if ( $isstatematch ) {
 	if ( $statematch ) {
@@ -3025,8 +3023,6 @@ sub perl_action_tcp_helper($$) {
 
     $proto .= ' ' unless $proto =~ /^(?:.+\s)?$/;
 
-    set_inline_matches( '' ) if $config{INLINE_MATCHES};
-
     if ( $passedproto eq '-' || $passedproto eq 'tcp' || $passedproto eq '6' ) {
 	#
 	# For other protos, a 'no rule generated' warning will be issued

Shorewall/Perl/Shorewall/Tc.pm

@@ -174,8 +174,8 @@ sub initialize( $ ) {
 #
 # Process a rule from the tcrules or mangle file
 #
-sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
-    our ( $file, $action, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time ) = @_;
+sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
+    our ( $file, $action, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state ) = @_;
 
     use constant {
 	PREROUTING     => 1,        #Actually tcpre
@@ -229,7 +229,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 
     sub handle_mark_param( $$ ) {
 	my ( $option, $marktype ) = @_;
-	my $and_or = $params =~ s/^([|&])// ? $1 : '';
+	my $and_or = $1 if $params =~ s/^([|&])//;
 
 	if ( $params =~ /-/ ) {
 	    #
@@ -423,7 +423,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	    function       => sub () {
 		require_capability 'DSCP_TARGET', 'The DSCP action', 's';
 		my $dscp = numeric_value( $params );
-		$dscp = $dscpmap{$params} unless defined $dscp;
+		$dscp = $dscpmap{$1} unless defined $dscp;
 		fatal_error( "Invalid DSCP ($params)" ) unless defined $dscp && $dscp <= 0x38 && ! ( $dscp & 1 );
 		$target = 'DSCP --set-dscp ' . in_hex( $dscp );
 	    },
@@ -556,13 +556,13 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	    mask           => in_hex( $globals{TC_MASK} ),
 	    function       => sub () {
 		$target = 'MARK';
-		handle_mark_param('', , HIGHMARK );
+		handle_mark_param('--set-mark', , HIGHMARK );
 	    },
 	},
 
 	RESTORE    => {
 	    defaultchain   => 0,
-	    allowedchains  => PREROUTING | FORWARD | OUTPUT | POSTROUTING,
+	    allowedchains  => PREROUTING | FORWARD | POSTROUTING,
 	    minparams      => 0,
 	    maxparams      => 1,
 	    function       => sub () {
@@ -591,7 +591,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 
 	SAVE       => {
 	    defaultchain   => 0,
-	    allowedchains  => PREROUTING | FORWARD | OUTPUT | POSTROUTING,
+	    allowedchains  => PREROUTING | FORWARD | POSTROUTING,
 	    minparams      => 0,
 	    maxparams      => 1,
 	    function       => sub () {
@@ -798,7 +798,6 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 					 do_probability( $probability ) .
 					 do_dscp( $dscp ) .
 					 state_match( $state ) .
-					 do_time( $time ) .
 					 $raw_matches ,
 					 $source ,
 					 $dest ,
@@ -927,22 +926,21 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
 	$designator = '';
     }
 
+    my ( $cmd, $rest );
+
+    if ( $mark =~ /^TOS/ ) {
+	$cmd = $mark;
+	$rest = '';
+    } else {
+	($cmd, $rest) = split( '/', $mark, 2 );
+    }
+
     unless ( $command ) {
 	{
-	    my ( $cmd, $rest ) = split( '/', $mark, 2 );
-
-	    if ( $cmd =~ /^([A-Z]+)(?:\((.+)\))?/ ) {
+	    if ( $cmd =~ /^([A-Z]+)/ ) {
 		if ( my $tccmd = $tccmd{$1} ) {
 		    fatal_error "Invalid $1 ACTION ($originalmark)" unless $tccmd->{match}($cmd); 
-		    $command = $1;
-		    if ( supplied $rest ) {
-			fatal_error "Invalid $1 ACTION ($originalmark)" if supplied $2;
-			$mark = $rest;
-		    } elsif ( supplied $2 ) {
-			$mark = $2;
-		    } else {
-			$mark = '';
-		    }
+		    $command = $tccmd->{command} if $tccmd->{command};
 		}
 	    } else {
 		$command = 'MARK';
@@ -988,9 +986,7 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
 			      $headers,
 			      $probability,
 			      $dscp,
-			      $state,
-			      '-',
-	    );
+			      $state );
     }
 }
 
@@ -1050,9 +1046,9 @@ sub process_tc_rule( ) {
 }    
 
 sub process_mangle_rule( ) {
-    my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time );
+    my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state );
     if ( $family == F_IPV4 ) {
-	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state, $time ) =
+	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state ) =
 	    split_line2( 'tcrules file',
 			 { mark => 0,
 			   action => 0,
@@ -1069,15 +1065,13 @@ sub process_mangle_rule( ) {
 			   helper => 11,
 			   probability => 12 , 
 			   scp => 13,
-			   state => 14,
-			   time => 15,
-			 },
+			   state => 14 },
 			 {},
-			 16,
+			 15,
 	                 1 );
 	$headers = '-';
     } else {
-	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state, $time ) =
+	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state ) =
 	    split_line2( 'tcrules file',
 			 { mark => 0,
 			   action => 0,
@@ -1095,16 +1089,14 @@ sub process_mangle_rule( ) {
 			   headers => 12,
 			   probability => 13,
 			   dscp => 14,
-			   state => 15,
-			   time => 16,
-			 },
+			   state => 15 },
 			 {},
-			 17,
+			 16,
 	                 1 );
     }
 
     for my $proto (split_list( $protos, 'Protocol' ) ) {
-	process_mangle_rule1( 'Mangle', $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time );
+	process_mangle_rule1( 'Mangle', $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state );
     }
 }
  

Shorewall/Perl/Shorewall/Zones.pm

@@ -193,7 +193,6 @@ our %reservedName = ( all => 1,
 #                                     physical    => <physical interface name>
 #                                     base        => <shell variable base representing this interface>
 #                                     provider    => <Provider Name, if interface is associated with a provider>
-#                                     wildcard    => undef|1 # Wildcard Name
 #                                     zones       => { zone1 => 1, ... }
 #                                   }
 #                 }
@@ -1376,7 +1375,6 @@ sub process_interface( $$ ) {
 						       base       => var_base( $physical ),
 						       zones      => {},
 						       origin     => shortlineinfo(''),
-						       wildcard   => $wildcard,
 						     };
 
     if ( $zone ) {
@@ -1533,7 +1531,6 @@ sub known_interface($)
 						   number   => $interfaceref->{number} ,
 						   physical => $physical ,
 						   base     => var_base( $physical ) ,
-						   wildcard => $interfaceref->{wildcard} ,
 						   zones    => $interfaceref->{zones} ,
 						 };
 	    }
@@ -1771,7 +1768,7 @@ sub find_interfaces_by_option1( $ ) {
 	my $optionsref = $interfaceref->{options};
 
 	if ( $optionsref && defined $optionsref->{$option} ) {
-	    $wild ||= $interfaceref->{wildcard};
+	    $wild ||= ( $interfaceref->{physical} =~ /\+$/ );
 	    push @ints , $interface
 	}
     }

Shorewall/Samples/one-interface/README.txt

@@ -3,7 +3,7 @@ For instructions on using this sample configuration, please see
 http://www.shorewall.net/standalone.htm
 
     Shorewall Samples
-    Copyright (C) 2006-2014 by the following authors:
+    Copyright (C) 2006 by the following authors:
 	Thomas M. Eastep
 	Paul D. Gear
 	Cristian Rodriguez

Shorewall/Samples/one-interface/interfaces

@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Interfaces File for one-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/one-interface/policy

@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Policy File for one-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/one-interface/rules

@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Rules File for one-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/one-interface/shorewall.conf

@@ -2,7 +2,7 @@
 #
 # Shorewall version 4.0 - Sample shorewall.conf for one-interface
 #                         configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/one-interface/zones

@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Zones File for one-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/three-interfaces/README.txt

@@ -3,7 +3,7 @@ For instructions on using these sample configurations, please see
 http://www.shorewall.net/three-interface.htm
 
     Shorewall Samples
-    Copyright (C) 2006-2014 by the following authors:
+    Copyright (C) 2006 by the following authors:
 	Thomas M. Eastep
 	Paul D. Gear
 	Cristian Rodriguez

Shorewall/Samples/three-interfaces/interfaces

@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Interfaces File for three-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/three-interfaces/masq

@@ -1,6 +1,6 @@
 #
 # Shorewall version 3.4 - Sample Masq file for three-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006,2007 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/three-interfaces/policy

@@ -1,6 +1,6 @@
 #
 # Shorewall version 3.4 - Sample Policy File for three-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/three-interfaces/rules

@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Rules File for three-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006,2007 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/three-interfaces/shorewall.conf

@@ -2,7 +2,8 @@
 #
 # Shorewall version 4.0 - Sample shorewall.conf for three-interface
 #                         configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006 by the Shorewall Team
+#               2011 by Thomas M. Eastep
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/three-interfaces/zones

@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Zones File for three-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/two-interfaces/README.txt

@@ -3,7 +3,7 @@ For instructions on using these sample configurations, please see
 http://www.shorewall.net/two-interface.htm
 
     Shorewall Samples
-    Copyright (C) 2006-2014 by the following authors:
+    Copyright (C) 2006 by the following authors:
 	Thomas M. Eastep
 	Paul D. Gear
 	Cristian Rodriguez

Shorewall/Samples/two-interfaces/interfaces

@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Interfaces File for two-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/two-interfaces/masq

@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Masq file for two-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/two-interfaces/policy

@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Policy File for two-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/two-interfaces/rules

@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Rules File for two-interface configuration.
-# Copyright (C) 2006-2014,2007 by the Shorewall Team
+# Copyright (C) 2006,2007 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/two-interfaces/shorewall.conf

@@ -2,7 +2,8 @@
 #
 # Shorewall version 4.0 - Sample shorewall.conf for two-interface
 #                         configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006,2007 by the Shorewall Team
+#               2011 by Thomas M. Eastep
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/two-interfaces/zones

@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Zones File for two-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/configfiles/initdone

@@ -5,7 +5,7 @@
 #
 #	Add commands below that you want to be executed during
 #	"shorewall start" or "shorewall restart" commands at the point where
-#	Shorewall has not yet added any permanent rules to the builtin chains.
+#	Shorewall has not yet added any perminent rules to the builtin chains.
 #
 # For additional information, see
 # http://shorewall.net/shorewall_extension_scripts.htm

Shorewall/install.sh

@@ -205,7 +205,7 @@ done
 
 if [ -z "$BUILD" ]; then
     case $(uname) in
-	cygwin*|CYGWIN*)
+	cygwin*)
 	    BUILD=cygwin
 	    ;;
 	Darwin)
@@ -399,7 +399,7 @@ fi
 #
 # Create /etc/$PRODUCT and other directories
 #
-mkdir -p ${DESTDIR}${CONFDIR}/$PRODUCT
+mkdir -p ${DESTDIR}/${CONFDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${PERLLIBDIR}/Shorewall
 mkdir -p ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles

Shorewall/lib.cli-std

@@ -1671,7 +1671,6 @@ usage() # $1 = exit status
     echo "   save [ <file name> ]"
     echo "   [ show | list | ls ] [ -x ] [ -t {filter|mangle|nat|raw|rawpost} ] [ {chain [<chain> [ <chain> ... ]"
     echo "   [ show | list | ls ] actions"
-    echo "   [ show | list | ls ] [ -x ] {bl|blacklists}"
     echo "   [ show | list | ls ] [ -f ] capabilities"
     echo "   [ show | list | ls ] classifiers"
     echo "   [ show | list | ls ] config"
@@ -1696,7 +1695,7 @@ usage() # $1 = exit status
     echo "   [ show | list | ls ] vardir"
     echo "   [ show | list | ls ] zones"
     echo "   start [ -f ] [ -n ] [ -p ] [ -c ] [ -T ] [ -i ] [ <directory> ]"
-    echo "   status [ -i ]"
+    echo "   status"
     echo "   stop"
     echo "   try <directory> [ <timeout> ]"
     echo "   update [ -a ] [ -b ] [ -r ] [ -T ] [ -D ] [ -i ] [-t] [-A] [ <directory> ]"

Shorewall/manpages/shorewall-mangle.xml

@@ -27,7 +27,7 @@
 
     <para>This file was introduced in Shorewall 4.6.0 and is intended to
     replace <ulink
-    url="/manpages/shorewall-tcrules.html">shorewall-tcrules(5)</ulink>. This
+    url="/manpages/shorewall-mangle.html">shorewall-rules(5)</ulink>. This
     file is only processed by the compiler if:</para>
 
     <orderedlist numeration="loweralpha">
@@ -1109,104 +1109,6 @@ Normal-Service       =&gt; 0x00</programlisting>
           of the listed states.</para>
         </listitem>
       </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">TIME</emphasis> -
-        <emphasis>timeelement</emphasis>[&amp;<emphasis>timeelement</emphasis>...]</term>
-
-        <listitem>
-          <para>Added in Shorewall 4.6.2.</para>
-
-          <para>May be used to limit the rule to a particular time period each
-          day, to particular days of the week or month, or to a range defined
-          by dates and times. Requires time match support in your kernel and
-          ip6tables.</para>
-
-          <para><replaceable>timeelement</replaceable> may be:</para>
-
-          <variablelist>
-            <varlistentry>
-              <term>timestart=<replaceable>hh</replaceable>:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]</term>
-
-              <listitem>
-                <para>Defines the starting time of day.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>timestop=<replaceable>hh</replaceable>:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]</term>
-
-              <listitem>
-                <para>Defines the ending time of day.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>utc</term>
-
-              <listitem>
-                <para>Times are expressed in Greenwich Mean Time.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>localtz</term>
-
-              <listitem>
-                <para>Deprecated by the Netfilter team in favor of <emphasis
-                role="bold">kerneltz</emphasis>. Times are expressed in Local
-                Civil Time (default).</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>kerneltz</term>
-
-              <listitem>
-                <para>Added in Shorewall 4.5.2. Times are expressed in Local
-                Kernel Time (requires iptables 1.4.12 or later).</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>weekdays=ddd[,ddd]...</term>
-
-              <listitem>
-                <para>where <replaceable>ddd</replaceable> is one of
-                <option>Mon</option>, <option>Tue</option>,
-                <option>Wed</option>, <option>Thu</option>,
-                <option>Fri</option>, <option>Sat</option> or
-                <option>Sun</option></para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>monthdays=dd[,dd],...</term>
-
-              <listitem>
-                <para>where <replaceable>dd</replaceable> is an ordinal day of
-                the month</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>datestart=<replaceable>yyyy</replaceable>[-<replaceable>mm</replaceable>[-<replaceable>dd</replaceable>[<option>T</option><replaceable>hh</replaceable>[:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]]]]]</term>
-
-              <listitem>
-                <para>Defines the starting date and time.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>datestop=<replaceable>yyyy</replaceable>[-<replaceable>mm</replaceable>[-<replaceable>dd</replaceable>[<option>T</option><replaceable>hh</replaceable>[:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]]]]]</term>
-
-              <listitem>
-                <para>Defines the ending date and time.</para>
-              </listitem>
-            </varlistentry>
-          </variablelist>
-        </listitem>
-      </varlistentry>
     </variablelist>
   </refsect1>
 

Shorewall/manpages/shorewall-masq.xml

@@ -143,10 +143,10 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">SOURCE</emphasis> (Formerly called SUBNET
-        - Optional) -
-        [<emphasis>interface</emphasis>|<emphasis>address</emphasis>[<emphasis
-        role="bold">,</emphasis><emphasis>address</emphasis>][<emphasis>exclusion</emphasis>]]</term>
+        <term><emphasis role="bold">SOURCE</emphasis> (Formerly called SUBNET)
+        -
+        {<emphasis>interface</emphasis>|<emphasis>address</emphasis>[<emphasis
+        role="bold">,</emphasis><emphasis>address</emphasis>][<emphasis>exclusion</emphasis>]}</term>
 
         <listitem>
           <para>Set of hosts that you wish to masquerade. You can specify this

Shorewall/manpages/shorewall-providers.xml

@@ -129,15 +129,11 @@
 
       <varlistentry>
         <term><emphasis role="bold">GATEWAY</emphasis> - {<emphasis
-        role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>mac</emphasis>]|<emphasis
+        role="bold">-</emphasis>|<emphasis>address</emphasis>|<emphasis
         role="bold">detect</emphasis>}</term>
 
         <listitem>
-          <para>The IP address of the provider's gateway router. Beginning
-          with Shorewall 4.6.2, you may also specify the MAC address of the
-          gateway when there are multiple providers serviced through the same
-          interface. When the MAC is not specified, Shorewall will detect the
-          MAC during firewall start or restart.</para>
+          <para>The IP address of the provider's gateway router.</para>
 
           <para>You can enter "detect" here and Shorewall will attempt to
           detect the gateway automatically.</para>

Shorewall/manpages/shorewall-rules.xml

@@ -991,7 +991,10 @@
           When the <emphasis role="bold">ACTION</emphasis> is <emphasis
           role="bold">DNAT</emphasis> or <emphasis
           role="bold">DNAT-</emphasis>, the connections will be assigned to
-          addresses in the range in a round-robin fashion.</para>
+          addresses in the range in a round-robin fashion. <emphasis
+          role="bold">DNAT</emphasis> and <emphasis
+          role="bold">DNAT-</emphasis> do not allow a list of addresses and/or
+          ranges.</para>
 
           <para>If you kernel and iptables have ipset match support then you
           may give the name of an ipset prefaced by "+". The ipset name may be

Shorewall/manpages/shorewall-tcfilters.xml

@@ -88,11 +88,9 @@
           <replaceable>address</replaceable>. DNS names are not allowed.
           Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+')
           may be used if your kernel and ip6tables have the <firstterm>Basic
-          Ematch</firstterm> capability and you set BASIC_FILTERS=Yes in
-          <ulink url="shorewall.conf.html">shorewall.conf (5)</ulink>. The
-          ipset name may optionally be followed by a number or a comma
-          separated list of src and/or dst enclosed in square brackets
-          ([...]). See <ulink
+          Ematch</firstterm>capability. The ipset name may optionally be
+          followed by a number or a comma separated list of src and/or dst
+          enclosed in square brackets ([...]). See <ulink
           url="shorewall-ipsets.html">shorewall-ipsets(5)</ulink> for
           details.</para>
         </listitem>
@@ -107,11 +105,9 @@
           <replaceable>address</replaceable>. DNS names are not allowed.
           Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+')
           may be used if your kernel and ip6tables have the <firstterm>Basic
-          Ematch</firstterm> capability and you set BASIC_FILTERS=Yes in
-          <ulink url="shorewall.conf.html">shorewall.conf (5)</ulink>. The
-          ipset name may optionally be followed by a number or a comma
-          separated list of src and/or dst enclosed in square brackets
-          ([...]). See <ulink
+          Ematch</firstterm>capability. The ipset name may optionally be
+          followed by a number or a comma separated list of src and/or dst
+          enclosed in square brackets ([...]). See <ulink
           url="shorewall-ipsets.html">shorewall-ipsets(5)</ulink> for
           details.</para>
 

Shorewall/manpages/shorewall-tcrules.xml

@@ -6,8 +6,6 @@
     <refentrytitle>shorewall-mangle</refentrytitle>
 
     <manvolnum>5</manvolnum>
-
-    <refmiscinfo>Configuration Files</refmiscinfo>
   </refmeta>
 
   <refnamediv>
@@ -30,10 +28,10 @@
 
     <important>
       <para>Unlike rules in the <ulink
-      url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5) file,
-      evaluation of rules in this file will continue after a match. So the
-      final mark for each packet will be the one assigned by the LAST tcrule
-      that matches.</para>
+      url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5) file, evaluation
+      of rules in this file will continue after a match. So the final mark for
+      each packet will be the one assigned by the LAST tcrule that
+      matches.</para>
 
       <para>If you use multiple internet providers with the 'track' option, in
       /etc/shorewall/providers be sure to read the restrictions at <ulink
@@ -313,8 +311,8 @@
               <para>When using Shorewall's built-in traffic shaping tool, the
               <emphasis>major</emphasis> class is the device number (the first
               device in <ulink
-              url="/manpages/shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5)
-              is major class 1, the second device is major class 2, and so on)
+              url="/manpages/shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5) is
+              major class 1, the second device is major class 2, and so on)
               and the <emphasis>minor</emphasis> class is the class's MARK
               value in <ulink
               url="/manpages/shorewall-tcclasses.html">shorewall-tcclasses</ulink>(5)
@@ -489,8 +487,7 @@
               [<replaceable>option</replaceable>] ...") after any matches
               specified at the end of the rule. If the target is not one known
               to Shorewall, then it must be defined as a builtin action in
-              <ulink
-              url="/manpages/shorewall-actions.html">shorewall-actions</ulink>
+              <ulink url="/manpages/shorewall-actions.html">shorewall-actions</ulink>
               (5).</para>
 
               <para>The following rules are equivalent:</para>
@@ -503,8 +500,8 @@ INLINE          eth0              -                 ; -p tcp -j MARK --set-mark
 </programlisting>
 
               <para>If INLINE_MATCHES=Yes in <ulink
-              url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>
-              then the third rule above can be specified as follows:</para>
+              url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink> then the
+              third rule above can be specified as follows:</para>
 
               <programlisting>2:P             eth0              -                 ; -p tcp</programlisting>
             </listitem>

Shorewall/manpages/shorewall.xml

@@ -507,20 +507,6 @@
       <arg choice="opt"><replaceable>filename</replaceable></arg>
     </cmdsynopsis>
 
-    <cmdsynopsis>
-      <command>shorewall</command>
-
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
-      <arg>-<replaceable>options</replaceable></arg>
-
-      <arg choice="opt"><option>show | list | ls </option></arg>
-
-      <arg><option>-x</option></arg>
-
-      <arg choice="plain"><option>{bl|blacklists}</option></arg>
-    </cmdsynopsis>
-
     <cmdsynopsis>
       <command>shorewall</command>
 
@@ -678,8 +664,7 @@
 
       <arg>-<replaceable>options</replaceable></arg>
 
-      <arg choice="plain"><arg
-      choice="plain"><option>status</option><arg><option>-i</option></arg></arg></arg>
+      <arg choice="plain"><option>status</option></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -1488,19 +1473,6 @@
               </listitem>
             </varlistentry>
 
-            <varlistentry>
-              <term><emphasis role="bold">bl|blacklists</emphasis></term>
-
-              <listitem>
-                <para>Added in Shorewall 4.6.2. Displays the dynamic chain
-                along with any chains produced by entries in
-                shorewall-blrules(5).The <emphasis role="bold">-x</emphasis>
-                option is passed directly through to iptables and causes
-                actual packet and byte counts to be displayed. Without this
-                option, those counts are abbreviated.</para>
-              </listitem>
-            </varlistentry>
-
             <varlistentry>
               <term><emphasis role="bold">capabilities</emphasis></term>
 
@@ -1803,10 +1775,6 @@
         <listitem>
           <para>Produces a short report about the state of the
           Shorewall-configured firewall.</para>
-
-          <para>The <option>-i </option>option was added in Shorewall 4.6.2
-          and causes the status of each optional or provider interface to be
-          displayed.</para>
         </listitem>
       </varlistentry>
 

Shorewall6-lite/manpages/shorewall6-lite.xml

@@ -366,20 +366,6 @@
       <arg choice="plain"><option>capabilities</option></arg>
     </cmdsynopsis>
 
-    <cmdsynopsis>
-      <command>shorewall6-lite</command>
-
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
-      <arg>-<replaceable>options</replaceable></arg>
-
-      <arg choice="opt"><option>show | list | ls </option></arg>
-
-      <arg><option>-x</option></arg>
-
-      <arg choice="plain"><option>{bl|blacklists}</option></arg>
-    </cmdsynopsis>
-
     <cmdsynopsis>
       <command>shorewall6-lite</command>
 
@@ -479,8 +465,7 @@
 
       <arg>-<replaceable>options</replaceable></arg>
 
-      <arg choice="plain"><arg
-      choice="plain"><option>status</option><arg><option>-i</option></arg></arg></arg>
+      <arg choice="plain"><option>status</option></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -842,19 +827,6 @@
           arguments:</para>
 
           <variablelist>
-            <varlistentry>
-              <term><emphasis role="bold">bl|blacklists</emphasis></term>
-
-              <listitem>
-                <para>Added in Shorewall 4.6.2. Displays the dynamic chain
-                along with any chains produced by entries in
-                shorewall6-blrules(5).The <emphasis role="bold">-x</emphasis>
-                option is passed directly through to ip6tables and causes
-                actual packet and byte counts to be displayed. Without this
-                option, those counts are abbreviated.</para>
-              </listitem>
-            </varlistentry>
-
             <varlistentry>
               <term><emphasis role="bold">capabilities</emphasis></term>
 
@@ -1099,10 +1071,6 @@
         <listitem>
           <para>Produces a short report about the state of the
           Shorewall-configured firewall.</para>
-
-          <para>The <option>-i </option>option was added in Shorewall 4.6.2
-          and causes the status of each optional or provider interface to be
-          displayed.</para>
         </listitem>
       </varlistentry>
 

Shorewall6/Samples6/one-interface/README.txt

@@ -3,7 +3,7 @@ For instructions on using this sample configuration, please see
 http://www.shorewall.net/standalone.htm
 
     Shorewall Samples
-    Copyright (C) 2006-2014 by the following authors:
+    Copyright (C) 2006 by the following authors:
 	Thomas M. Eastep
 	Paul D. Gear
 	Cristian Rodriguez

Shorewall6/Samples6/one-interface/interfaces

@@ -1,6 +1,6 @@
 #
 # Shorewall6 version 4 - Sample Interfaces File for one-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006,2008 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall6/Samples6/one-interface/policy

@@ -1,6 +1,6 @@
 #
 # Shorewall6 version 4 - Sample Policy File for one-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006,2008 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall6/Samples6/one-interface/rules

@@ -1,6 +1,6 @@
 #
 # Shorewall6 version 4 - Sample Rules File for one-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006,2008 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall6/Samples6/one-interface/zones

@@ -1,6 +1,6 @@
 #
 # Shorewall6 version 4 - Sample Zones File for one-interface IPv6 configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006,2008 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall6/Samples6/three-interfaces/README.txt

@@ -3,7 +3,7 @@ For instructions on using these sample configurations, please see
 http://www.shorewall.net/three-interface.htm
 
     Shorewall Samples
-    Copyright (C) 2006-2014 by the following authors:
+    Copyright (C) 2006 by the following authors:
 	Thomas M. Eastep
 	Paul D. Gear
 	Cristian Rodriguez

Shorewall6/Samples6/three-interfaces/interfaces

@@ -1,6 +1,6 @@
 #
 # Shorewall6 version 4 - Sample Interfaces File for three-interface configuration.
-# Copyright (C) 2006-2014by the Shorewall Team
+# Copyright (C) 2006,2008 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall6/Samples6/three-interfaces/policy

@@ -1,6 +1,6 @@
 #
 # Shorewall6 Version 4 - Sample Policy File for three-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006,2008 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall6/Samples6/three-interfaces/rules

@@ -1,6 +1,6 @@
 #
 # Shorewall6 version 4.0 - Sample Rules File for three-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006,2007,2008 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall6/Samples6/three-interfaces/stoppedrules

@@ -1,6 +1,6 @@
 #
 # Shorewall6 version 4.5 Sample Stoppedrules File for three-interface configuration.
-# Copyright (C) 2012-2014 by the Shorewall Team
+# Copyright (C) 2012 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall6/Samples6/three-interfaces/zones

@@ -1,6 +1,6 @@
 #
 # Shorewall6 version 4 - Sample Zones File for three-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006,2008 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall6/Samples6/two-interfaces/README.txt

@@ -3,7 +3,7 @@ For instructions on using these sample configurations, please see
 http://www.shorewall.net/two-interface.htm
 
     Shorewall Samples
-    Copyright (C) 2006-2014 by the following authors:
+    Copyright (C) 2006 by the following authors:
 	Thomas M. Eastep
 	Paul D. Gear
 	Cristian Rodriguez

Shorewall6/Samples6/two-interfaces/interfaces

@@ -1,6 +1,6 @@
 #
 # Shorewall6 version 4.0 - Sample Interfaces File for two-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006,2008 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall6/Samples6/two-interfaces/policy

@@ -1,6 +1,6 @@
 #
 # Shorewall6 version 4 - Sample Policy File for two-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006,2008 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall6/Samples6/two-interfaces/rules

@@ -1,6 +1,6 @@
 #
 # Shorewall6 version 4.0 - Sample Rules File for two-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006-2008 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall6/Samples6/two-interfaces/stoppedrules

@@ -1,6 +1,6 @@
 #
 # Shorewall6 version 4.5 Sample Stoppedrules File for two-interface configuration.
-# Copyright (C) 2012-2014 by the Shorewall Team
+# Copyright (C) 2012 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall6/Samples6/two-interfaces/zones

@@ -1,6 +1,6 @@
 #
 # Shorewall6 version 4.0 - Sample Zones File for two-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Copyright (C) 2006,2008 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall6/manpages/shorewall6-mangle.xml

@@ -1194,104 +1194,6 @@ Normal-Service       =&gt; 0x00</programlisting>
           of the listed states.</para>
         </listitem>
       </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">TIME</emphasis> -
-        <emphasis>timeelement</emphasis>[&amp;<emphasis>timeelement</emphasis>...]</term>
-
-        <listitem>
-          <para>Added in Shorewall 4.6.2.</para>
-
-          <para>May be used to limit the rule to a particular time period each
-          day, to particular days of the week or month, or to a range defined
-          by dates and times. Requires time match support in your kernel and
-          ip6tables.</para>
-
-          <para><replaceable>timeelement</replaceable> may be:</para>
-
-          <variablelist>
-            <varlistentry>
-              <term>timestart=<replaceable>hh</replaceable>:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]</term>
-
-              <listitem>
-                <para>Defines the starting time of day.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>timestop=<replaceable>hh</replaceable>:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]</term>
-
-              <listitem>
-                <para>Defines the ending time of day.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>utc</term>
-
-              <listitem>
-                <para>Times are expressed in Greenwich Mean Time.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>localtz</term>
-
-              <listitem>
-                <para>Deprecated by the Netfilter team in favor of <emphasis
-                role="bold">kerneltz</emphasis>. Times are expressed in Local
-                Civil Time (default).</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>kerneltz</term>
-
-              <listitem>
-                <para>Added in Shorewall 4.5.2. Times are expressed in Local
-                Kernel Time (requires iptables 1.4.12 or later).</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>weekdays=ddd[,ddd]...</term>
-
-              <listitem>
-                <para>where <replaceable>ddd</replaceable> is one of
-                <option>Mon</option>, <option>Tue</option>,
-                <option>Wed</option>, <option>Thu</option>,
-                <option>Fri</option>, <option>Sat</option> or
-                <option>Sun</option></para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>monthdays=dd[,dd],...</term>
-
-              <listitem>
-                <para>where <replaceable>dd</replaceable> is an ordinal day of
-                the month</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>datestart=<replaceable>yyyy</replaceable>[-<replaceable>mm</replaceable>[-<replaceable>dd</replaceable>[<option>T</option><replaceable>hh</replaceable>[:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]]]]]</term>
-
-              <listitem>
-                <para>Defines the starting date and time.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>datestop=<replaceable>yyyy</replaceable>[-<replaceable>mm</replaceable>[-<replaceable>dd</replaceable>[<option>T</option><replaceable>hh</replaceable>[:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]]]]]</term>
-
-              <listitem>
-                <para>Defines the ending date and time.</para>
-              </listitem>
-            </varlistentry>
-          </variablelist>
-        </listitem>
-      </varlistentry>
     </variablelist>
   </refsect1>
 

Shorewall6/manpages/shorewall6-masq.xml

@@ -116,9 +116,9 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">SOURCE</emphasis> (Optional) -
-        [<emphasis>interface</emphasis>|<emphasis>address</emphasis>[<emphasis
-        role="bold">,</emphasis><emphasis>address</emphasis>][<emphasis>exclusion</emphasis>]]</term>
+        <term><emphasis role="bold">SOURCE</emphasis> -
+        {<emphasis>interface</emphasis>|<emphasis>address</emphasis>[<emphasis
+        role="bold">,</emphasis><emphasis>address</emphasis>][<emphasis>exclusion</emphasis>]}</term>
 
         <listitem>
           <para>Set of hosts that you wish to SNAT; one or more host or

Shorewall6/manpages/shorewall6-rules.xml

@@ -934,6 +934,17 @@
           <para>Restriction: MAC addresses are not allowed (this is a
           Netfilter restriction).</para>
 
+          <para>Like in the <emphasis role="bold">SOURCE</emphasis> column,
+          you may specify a range of IP addresses using the syntax
+          <emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.
+          When the <emphasis role="bold">ACTION</emphasis> is <emphasis
+          role="bold">DNAT</emphasis> or <emphasis
+          role="bold">DNAT-</emphasis>, the connections will be assigned to
+          addresses in the range in a round-robin fashion. <emphasis
+          role="bold">DNAT</emphasis> and <emphasis
+          role="bold">DNAT-</emphasis> do not allow a list of addresses and/or
+          ranges.</para>
+
           <para>If you kernel and ip6tables have ipset match support then you
           may give the name of an ipset prefaced by "+". The ipset name may be
           optionally followed by a number from 1 to 6 enclosed in square

Shorewall6/manpages/shorewall6-tcfilters.xml

@@ -88,11 +88,9 @@
           <replaceable>address</replaceable>. DNS names are not allowed.
           Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+')
           may be used if your kernel and ip6tables have the <firstterm>Basic
-          Ematch </firstterm>capability and you set BASIC_FILTERS=Yes in
-          <ulink url="shorewall6.conf.html">shorewall6.conf (5)</ulink>. The
-          ipset name may optionally be followed by a number or a comma
-          separated list of src and/or dst enclosed in square brackets
-          ([...]). See <ulink
+          Ematch </firstterm>capability. The ipset name may optionally be
+          followed by a number or a comma separated list of src and/or dst
+          enclosed in square brackets ([...]). See <ulink
           url="shorewall6-ipsets.html">shorewall6-ipsets(5)</ulink> for
           details.</para>
         </listitem>
@@ -107,11 +105,9 @@
           <replaceable>address</replaceable>. DNS names are not allowed.
           Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+')
           may be used if your kernel and ip6tables have the <firstterm>Basic
-          Ematch</firstterm> capability and you set BASIC_FILTERS=Yes in
-          <ulink url="shorewall6.conf.html">shorewall6.conf (5)</ulink>. The
-          ipset name may optionally be followed by a number or a comma
-          separated list of src and/or dst enclosed in square brackets
-          ([...]). See <ulink
+          Ematch</firstterm>capability. The ipset name may optionally be
+          followed by a number or a comma separated list of src and/or dst
+          enclosed in square brackets ([...]). See <ulink
           url="shorewall6-ipsets.html">shorewall6-ipsets(5)</ulink> for
           details.</para>
         </listitem>

Shorewall6/manpages/shorewall6.xml

@@ -123,7 +123,7 @@
     </cmdsynopsis>
 
     <cmdsynopsis>
-      <command>shorewall6</command>
+      <command>shorewall</command>
 
       <arg
       choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
@@ -166,7 +166,7 @@
     </cmdsynopsis>
 
     <cmdsynopsis>
-      <command>shorewall6</command>
+      <command>shorewall</command>
 
       <arg
       choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
@@ -452,20 +452,6 @@
       <arg choice="opt"><replaceable>filename</replaceable></arg>
     </cmdsynopsis>
 
-    <cmdsynopsis>
-      <command>shorewall6</command>
-
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
-      <arg>-<replaceable>options</replaceable></arg>
-
-      <arg choice="opt"><option>show | list | ls </option></arg>
-
-      <arg><option>-x</option></arg>
-
-      <arg choice="plain"><option>{bl|blacklists}</option></arg>
-    </cmdsynopsis>
-
     <cmdsynopsis>
       <command>shorewall6</command>
 
@@ -595,8 +581,7 @@
 
       <arg>-<replaceable>options</replaceable></arg>
 
-      <arg choice="plain"><arg
-      choice="plain"><option>status</option><arg><option>-i</option></arg></arg></arg>
+      <arg choice="plain"><option>status</option></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -1369,19 +1354,6 @@
               </listitem>
             </varlistentry>
 
-            <varlistentry>
-              <term><emphasis role="bold">bl|blacklists</emphasis></term>
-
-              <listitem>
-                <para>Added in Shorewall 4.6.2. Displays the dynamic chain
-                along with any chains produced by entries in
-                shorewall-blrules(5).The <emphasis role="bold">-x</emphasis>
-                option is passed directly through to ip6tables and causes
-                actual packet and byte counts to be displayed. Without this
-                option, those counts are abbreviated.</para>
-              </listitem>
-            </varlistentry>
-
             <varlistentry>
               <term><emphasis role="bold">capabilities</emphasis></term>
 
@@ -1639,10 +1611,6 @@
         <listitem>
           <para>Produces a short report about the state of the
           Shorewall6-configured firewall.</para>
-
-          <para>The <option>-i </option>option was added in Shorewall 4.6.2
-          and causes the status of each optional or provider interface to be
-          displayed.</para>
         </listitem>
       </varlistentry>
 

docs/Anatomy.xml

@@ -504,7 +504,7 @@
     <section id="sbin-lite">
       <title>/sbin</title>
 
-      <para>The <filename>/sbin/shorewall-lite</filename> shell program is used
+      <para>The <filename>/sbin/shorewall-lite</filename> shell program is use
       to interact with Shorewall lite. See <ulink
       url="manpages/shorewall-lite.html">shorewall-lite</ulink>(8).</para>
     </section>

docs/Build.xml

@@ -134,7 +134,7 @@
       <para>Added in Shorewall 4.4.22, this directory contains the files that
       contain release-dependent information (change.txt, releasenotes.txt,
       .spec files, etc). This is actually a symbolic link to ../release which
-      has its own Git repository.</para>
+      has it's own Git repository.</para>
     </section>
   </section>
 

docs/ConnectionRate.xml

@@ -67,7 +67,7 @@
     by 1 but is not allowed to exceed its initial setting (5).</para>
 
     <para>By default, the aggregate connection rate is limited. If the
-    specification is preceded by "<option>s:</option>" or
+    specification is preceeded by "<option>s:</option>" or
     "<option>d:</option>", then the rate is limited per SOURCE or per
     DESTINATION IP address respectively.</para>
 

docs/Dynamic.xml

@@ -49,8 +49,7 @@
     support is based on <ulink
     url="http://ipset.netfilter.org/">ipset</ulink>. Most current
     distributions have ipset, but you may need to install the <ulink
-    url="http://xtables-addons.sourceforge.net/">xtables-addons</ulink>.
-    </para>
+    url="http://xtables-addons.sourceforge.net/">xtables-addons</ulink>.</para>
   </section>
 
   <section id="xtables-addons">
@@ -211,9 +210,9 @@
 net          ipv4
 rsyncok:loc  ipv4             <emphasis role="bold">dynamic_shared</emphasis></programlisting><filename>/etc/shorewall/interfaces</filename>:</para>
 
-      <programlisting>#ZONE       INTERFACE      BROADCAST        OPTIONS
-loc         eth0           -                …
-loc         eth1           -                …</programlisting>
+      <programlisting>#ZONE       INTERFACE      OPTIONS
+loc         eth0           …
+loc         eth1           …</programlisting>
 
       <para><filename>/etc/shorewall/hosts</filename>:</para>
 
@@ -308,9 +307,8 @@ rsyncok:
 loc          ipv4
 webok:loc    ipv4</programlisting><filename>/etc/shorewall/interfaces</filename>:</para>
 
-        <programlisting>#ZONE       INTERFACE      BROADCAST        OPTIONS
-loc         eth0           -                …
-</programlisting>
+        <programlisting>#ZONE       INTERFACE      OPTIONS
+loc         eth0           …</programlisting>
 
         <para><filename>/etc/shorewall/hosts</filename>:</para>
 

docs/Events.xml

@@ -35,7 +35,7 @@
   </articleinfo>
 
   <caution>
-    <para>This article applies to Shorewall 4.5.19 and later and supersedes
+    <para>This article applies to Shorewall 4.5.19 and later and supercedes
     <ulink url="PortKnocking.html">this article.</ulink></para>
   </caution>
 
@@ -477,7 +477,7 @@ root@gateway:~# </programlisting>
 
       <para>This example is taken from <ulink
       url="http://www.briandowney.net/blog/2009/08/20/firewalling-brute-force-attempts-with-iptables/">this
-      article</ulink> which explains the nice benefits of this approach. This
+      article</ulink> which explains the nice benifits of this approach. This
       example is for ssh, but it can be adapted for any application.</para>
 
       <para>The name SSH has been changed to SSHLIMIT so as not to override
@@ -701,87 +701,5 @@ ResetEvent(SSH,DROP:info)        </programlisting>
 #                                                         PORT(S)
 Knock                 net            $FW       tcp        22,1599-1601          </programlisting>
     </section>
-
-    <section id="Stateful">
-      <title>Stateful Port Knocking (knock with a sequence of ports)</title>
-
-      <para>Gerhard Wiesinger has contributed a Perl module that allows you to
-      define portknocking sequences. Download <ulink
-      url="pub/shorewall/contrib/PortKnocking/KnockEnhanced.pm">the
-      module</ulink> and copy it into your site_perl directory.</para>
-
-      <para>Using Gerhard's module, a port-knocking rule is defined via a
-      '?PERL' statement. This example opens the SSH port from net-&gt;fw using
-      the knock sequence 52245, 15623, 19845:</para>
-
-      <programlisting>?BEGIN PERL
-use KnockEnhanced;
-KnockEnhanced 'net', '$FW', {name =&gt; 'SSH1', log_level =&gt; 3, proto =&gt; 'tcp', target =&gt; 'ssh', knocker =&gt; [52245,15623,19845]};
-?END PERL</programlisting>
-
-      <para>A few notes on the parameters:</para>
-
-      <itemizedlist>
-        <listitem>
-          <para>The first parameter is the rule SOURCE</para>
-        </listitem>
-
-        <listitem>
-          <para>The second parameter is the rule DEST</para>
-        </listitem>
-
-        <listitem>
-          <para>The third parameter is a Perl hash reference that defines the
-          remaining parameters. Each parameter is specified via
-          <replaceable>param</replaceable> =&gt;
-          <replaceable>value</replaceable>.</para>
-
-          <itemizedlist>
-            <listitem>
-              <para><emphasis role="bold">proto</emphasis> is the protocol --
-              if not specified, the default is tcp</para>
-            </listitem>
-
-            <listitem>
-              <para><emphasis role="bold">seconds</emphasis> is the timeout
-              between successive events -- default is 60 seconds.</para>
-            </listitem>
-
-            <listitem>
-              <para><emphasis role="bold">original_dest</emphasis> is the rule
-              ORIGINAL DEST</para>
-            </listitem>
-
-            <listitem>
-              <para><emphasis role="bold">target</emphasis> is the port(s)
-              that you are trying to open. May either be a single name or
-              number, or it may be a list of names and/or numbers separated by
-              commas and enclosed in square brackets ("[...]").</para>
-            </listitem>
-
-            <listitem>
-              <para><emphasis role="bold">name</emphasis> is a name used as
-              the base for event and chain names. If not supplied, the first
-              <emphasis role="bold">target</emphasis> is used, in which case
-              the first target must be a port name.</para>
-            </listitem>
-
-            <listitem>
-              <para><emphasis role="bold">log_level </emphasis>specifies
-              logging for the generated rules</para>
-            </listitem>
-          </itemizedlist>
-
-          <note>
-            <para>Port names and numbers may be optionally followed by a colon
-            (":") and a protocol name or number to override the specified
-            protocol.</para>
-          </note>
-        </listitem>
-      </itemizedlist>
-
-      <para>The module itself contains additional examples of its
-      usage.</para>
-    </section>
   </section>
 </article>

docs/FAQ.xml

@@ -20,7 +20,7 @@
     <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
 
     <copyright>
-      <year>2001-2014</year>
+      <year>2001-2013</year>
 
       <holder>Thomas M. Eastep</holder>
     </copyright>
@@ -516,8 +516,8 @@ DNAT       net           net:66.249.93.111:993  tcp      80          -         2
 
         <para>In <filename>/etc/shorewall/interfaces</filename>, specify the
         <emphasis role="bold">routeback</emphasis> option on
-        eth0:<programlisting>#ZONE      INTERFACE     BROADCAST            OPTIONS
-net        eth0          detect               <emphasis role="bold">routeback</emphasis></programlisting></para>
+        eth0:<programlisting>#ZONE      INTERFACE     OPTIONS
+net        eth0          <emphasis role="bold">routeback</emphasis></programlisting></para>
 
         <para><filename>/etc/shorewall/masq</filename>;<programlisting>#INTERFACE          SOURCE      ADDRESS          PROTO        PORT
 eth0:66.249.93.111  0.0.0.0/0   206.124.146.176  tcp          993</programlisting></para>
@@ -700,8 +700,8 @@ DNAT       net           net:192.168.4.22       tcp      80,443      -         <
         <listitem>
           <para>In <filename>/etc/shorewall/interfaces</filename>:</para>
 
-          <programlisting>#ZONE    INTERFACE    BROADCAST    OPTIONS
-loc      eth1         detect       <emphasis role="bold">routeback</emphasis>    </programlisting>
+          <programlisting>#ZONE    INTERFACE    OPTIONS
+loc      eth1         <emphasis role="bold">routeback</emphasis>    </programlisting>
         </listitem>
 
         <listitem>
@@ -821,8 +821,8 @@ DNAT       loc           loc:192.168.1.5    tcp      www         -         <emph
 
           <para>In <filename>/etc/shorewall/interfaces</filename>:</para>
 
-          <programlisting>#ZONE    INTERFACE    BROADCAST       OPTIONS
-dmz      eth2         192.168.2.255   <emphasis role="bold">routeback</emphasis> </programlisting>
+          <programlisting>#ZONE    INTERFACE    OPTIONS
+dmz      eth2         <emphasis role="bold">routeback</emphasis> </programlisting>
 
           <para>In <filename>/etc/shorewall/masq</filename>:</para>
 
@@ -2304,15 +2304,6 @@ gateway:~# </programlisting>
         </listitem>
       </orderedlist>
     </section>
-
-    <section id="faq103">
-      <title>(FAQ 103) Shorewall fails to start at boot but will start
-      immediately after</title>
-
-      <para>Answer: This is usually associated with SELinux. <ulink
-      url="https://lists.fedoraproject.org/pipermail/selinux/2010-June/012680.html">Here</ulink>
-      is an example.</para>
-    </section>
   </section>
 
   <section id="MultiISP">

docs/FTP.xml

@@ -294,164 +294,9 @@ xt_tcpudp               3328  0
     /etc/shorewall/shorewall.conf to point to that directory.</para>
   </section>
 
-  <section>
-    <title>FTP with Kernel 3.5 and Later</title>
-
-    <para>Because of the potential for attackers to subvert Netfilter helpers
-    like the one for FTP, the Netfilter team are in the process of eliminating
-    the automatic association of helpers to connections. In the 3.5 kernel, it
-    is possible to disable this automatic association, and the team have
-    announced that automatic association will eventually be eliminated. While
-    it is certainly more secure to add explicit rules that create these
-    associations, for Shorewall to require users to add those rules would
-    present a gross inconvenience during a Shorewall upgrade. To make
-    Shorewall and kernel upgrades as smooth as possible, several new features
-    were added to the Shorewall 4.5.7:</para>
-
-    <itemizedlist>
-      <listitem>
-        <para>Shorewall automatically disables the kernel's automatic
-        association of helpers to connections on kernel 3.5 and later.</para>
-      </listitem>
-
-      <listitem>
-        <para>An automatic association of helpers with connections that
-        performs the same function as in the pre-3.5 kernels has been added.
-        This automatic association is controlled by the AUTOHELPERS
-        shorewall.conf option which is set to 'Yes' by default.</para>
-      </listitem>
-
-      <listitem>
-        <para>A HELPERS column has been added to the /etc/shorewall/rules In
-        the NEW section: When the ACTION is ACCEPT, DNAT or REDIRECT, the
-        specified helper is automatically associated with the
-        connection.</para>
-      </listitem>
-
-      <listitem>
-        <para>HELPERS may be specified in action files, macros and in the
-        rules file itself. In the RELATED section: The rule will only match
-        related connections that have the named helper attached. - The
-        standard Macros for applications requiring a helper (FTP, IRC, etc)
-        have been modified to automatically specify the correct helper in the
-        HELPER column.</para>
-      </listitem>
-
-      <listitem>
-        <para>HELPER is now a valid action in /etc/shorewall/rules. This
-        action requires that a helper be present in the HELPER column and
-        causes the specified helper to be associated with connections matching
-        the rule. No destination zone should be specified in HELPER rules.
-        HELPER rules allow specification of a helper for connections that are
-        ACCEPTed by the applicable policy.</para>
-
-        <para> Example (loc-&gt;net policy is ACCEPT) - In
-        /etc/shorewall/rules:</para>
-
-        <programlisting>#ACTION     SOURCE       DEST
-FTP(HELPER) loc          - </programlisting>
-
-        <para>or equivalently </para>
-
-        <programlisting>#ACTION     SOURCE       DEST    PROTO  DEST
-#                                       PORT(S)
-HELPER      loc          -       tcp    21   { helper=ftp }</programlisting>
-      </listitem>
-
-      <listitem>
-        <para> The set of enabled helpers (either by AUTOHELPERS=Yes or by the
-        HELPERS column) can be taylored using the new HELPERS option in
-        shorewall.conf. </para>
-      </listitem>
-    </itemizedlist>
-
-    <para>By making AUTOHELPERS=Yes the default, users can upgrade their
-    systems to a 3.5+ kernel without disrupting the operation of their
-    firewalls. Beyond such upgrades, we suggest setting AUTOHELPERS=No and
-    follow one of two strategies:</para>
-
-    <itemizedlist>
-      <listitem>
-        <para>Use the HELPERS column in the rules file to enable helpers as
-        needed (preferred); or</para>
-      </listitem>
-
-      <listitem>
-        <para>Taylor the conntrack file to enable helpers on only those
-        connections that are required.</para>
-      </listitem>
-    </itemizedlist>
-
-    <para>With either of these approaches, the list if available helpers can
-    be trimmed using the HELPERS option and rules can be added to the RELATED
-    section of the rules file to further restrict the effect of helpers. The
-    implementation of these new function places conditional rules in the
-    /etc/shorewall[6]/conntrack file. These rules are included conditionally
-    based in the setting of AUTOHELPERS.</para>
-
-    <para> Example:</para>
-
-    <programlisting>#ACTION                 SOURCE          DESTINATION     PROTO   DEST            SOURCE  USER/           SWITCH
-#                                                               PORT(S)         PORT(S) GROUP
-?if $AUTOHELPERS &amp;&amp; __CT_TARGET
-?if __FTP_HELPER
-CT:helper:ftp           all             -               tcp     21
-?endif
-...
-?endif</programlisting>
-
-    <para> __FTP_HELPER evaluates to false if the HELPERS setting is non-empty
-    and 'ftp' is not listed in that setting. For example, if you only need FTP
-    access from your 'loc' zone, then add this rule outside of the outer-most
-    ?if....?endif shown above.</para>
-
-    <programlisting>#ACTION                 SOURCE          DESTINATION     PROTO   DEST            SOURCE  USER/           SWITCH
-#                                                               PORT(S)         PORT(S) GROUP
-...
-CT:helper:ftp           loc             -               tcp     21</programlisting>
-
-    <para> For an overview of Netfilter Helpers and Shorewall's support for
-    dealing with them, see <ulink
-    url="Helpers.html">http://www.shorewall.net/Helpers.html</ulink>.</para>
-
-    <para>See <ulink
-    url="https://home.regit.org/netfilter-en/secure-use-of-helpers/">https://home.regit.org/netfilter-en/secure-use-of-helpers/</ulink>
-    for additional information. </para>
-  </section>
-
   <section id="Ports">
     <title>FTP on Non-standard Ports</title>
 
-    <para>If you are running kernel 3.5 or later and Shorewall 4.5.7 or later,
-    then please read the preceding section. You can add appropriate entries
-    into <ulink url="manpages/shorewall-rules.html">shorewall-rules(5)</ulink>
-    or <ulink
-    url="manpages/shorewall-conntrack.html">shorewall-conntrack(5)</ulink> to
-    associate the FTP helpers with a nonstandard port.</para>
-
-    <para>Examples using port 12345:</para>
-
-    <para><filename>/etc/shorewall/rules:</filename></para>
-
-    <programlisting>#ACTION         SOURCE         DEST                 PROTO     DEST
-#                                                             PORT(S)
-DNAT            net            loc:192.168.1.2:21   tcp       12345  { helper=ftp }the</programlisting>
-
-    <para>That entry will accept ftp connections on port 12345 from the net
-    and forward them to host 192.168.1..2 and port 21 in the loc zone.</para>
-
-    <para><filename>/etc/shorewall/conntrack:</filename></para>
-
-    <programlisting>#ACTION                 SOURCE          DESTINATION     PROTO   DEST            SOURCE  USER/           SWITCH
-#                                                               PORT(S)         PORT(S) GROUP
-...
-CT:helper:ftp           loc             -               tcp     12345</programlisting>
-
-    <para>That rule automatically associates the ftp helper with TCP port
-    12345 from the 'loc' zone.</para>
-
-    <para>Otherwise, read on.</para>
-
     <note>
       <para>If you are running <emphasis role="bold">kernel 2.6.19 or
       earlier</emphasis>, replace <emphasis

docs/GenericTunnels.xml

@@ -86,8 +86,8 @@ vpn          ipv4</programlisting>
     <para>On system A, the 10.0.0.0/8 will comprise the <emphasis
     role="bold">vpn</emphasis> zone. In /etc/shorewall/interfaces:</para>
 
-    <programlisting>#ZONE      INTERFACE       BROADCAST        OPTIONS
-vpn        tun0            10.255.255.255</programlisting>
+    <programlisting>#ZONE      INTERFACE       OPTIONS
+vpn        tun0</programlisting>
 
     <para>In /etc/shorewall/tunnels on system A, we need the following:</para>
 
@@ -99,8 +99,8 @@ generic:47       net            134.28.54.2</programlisting>
     TCP port 1071 and the Generalized Routing Encapsulation Protocol (47) will
     be accepted to/from the remote gateway.</para>
 
-    <programlisting>#ZONE        INTERFACE        BROADCAST         OPTIONS
-vpn          tun0             192.168.1.255</programlisting>
+    <programlisting>#ZONE        INTERFACE        OPTIONS
+vpn          tun0</programlisting>
 
     <para>In /etc/shorewall/tunnels on system B, we have:</para>
 

docs/IPIP.xml

@@ -103,8 +103,8 @@ vpn          ipv4</programlisting>
     <para>On system A, the 10.0.0.0/8 will comprise the <emphasis
     role="bold">vpn</emphasis> zone. In /etc/shorewall/interfaces:</para>
 
-    <programlisting>#ZONE        INTERFACE      BROADCAST        OPTIONS
-vpn          tosysb         10.255.255.255</programlisting>
+    <programlisting>#ZONE        INTERFACE      OPTIONS
+vpn          tosysb</programlisting>
 
     <para>In /etc/shorewall/tunnels on system A, we need the following:</para>
 

docs/IPSEC-2.6.xml

@@ -59,7 +59,7 @@
 
   <important>
     <para><emphasis role="bold">Shorewall does not configure IPSEC for
-    you</emphasis> -- it rather configures netfilter to accommodate your IPSEC
+    you</emphasis> -- it rather configures netfilter to accomodate your IPSEC
     configuration.</para>
   </important>
 
@@ -139,7 +139,7 @@
     and zones was made easy by the presence of IPSEC pseudo-interfaces with
     names of the form <filename class="devicefile">ipsecN</filename> (e.g.
     <filename class="devicefile">ipsec0</filename>). Outgoing unencrypted
-    traffic (case 1.) was sent through an <filename
+    traffic (case 1.) was send through an <filename
     class="devicefile">ipsecN</filename> device while incoming unencrypted
     traffic (case 2) arrived from an <filename
     class="devicefile">ipsecN</filename> device. The 2.6 kernel-based
@@ -238,7 +238,7 @@
 
     <para>Suppose that we have the following situation:</para>
 
-    <graphic fileref="images/TwoNets1.png"/>
+    <graphic fileref="images/TwoNets1.png" />
 
     <para>We want systems in the 192.168.1.0/24 sub-network to be able to
     communicate with systems in the 10.0.0.0/8 network. We assume that on both
@@ -481,7 +481,7 @@ sec     ipsec   mode=tunnel             <emphasis role="bold">mss=1400</emphasis
     when you travel and you want to be able to establish a secure connection
     back to your local network.</para>
 
-    <graphic fileref="images/Mobile.png"/>
+    <graphic fileref="images/Mobile.png" />
 
     <example id="roadWarrior">
       <title>Road Warrior VPN</title>
@@ -734,9 +734,9 @@ loc            ipv4
     <blockquote>
       <para><filename>/etc/shorewall/interfaces</filename>:</para>
 
-      <programlisting>#ZONE   INTERFACE       BROADCAST       OPTIONS
-net     eth0            detect          routefilter
-loc     eth1            192.168.1.255
+      <programlisting>#ZONE   INTERFACE       OPTIONS
+net     eth0            routefilter
+loc     eth1            -
 l2tp    ppp+            -
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
     </blockquote>
@@ -827,9 +827,9 @@ HTTPS(ACCEPT)   l2tp    $FW
     hosts in that network. In that case, IPSEC transport mode is an
     appropriate solution.</para>
 
-    <para><graphic fileref="images/TransportMode.png"/>Here's an example using
-    the ipsec-tools package. The files shown are from host 192.168.20.10; the
-    configuration of the other nodes is similar.</para>
+    <para><graphic fileref="images/TransportMode.png" />Here's an example
+    using the ipsec-tools package. The files shown are from host
+    192.168.20.10; the configuration of the other nodes is similar.</para>
 
     <blockquote>
       <para><filename>/etc/racoon/racoon.conf</filename>:</para>
@@ -889,8 +889,8 @@ spdadd 192.168.20.40/32 192.168.20.10/32 any -P in  ipsec esp/transport/192.168.
     <blockquote>
       <para><filename>/etc/shorewall/interfaces</filename>:</para>
 
-      <programlisting>#ZONE   INTERFACE       BROADCAST       OPTIONS
-net     eth0            detect          routefilter,dhcp,tcpflags
+      <programlisting>#ZONE   INTERFACE       OPTIONS
+net     eth0            routefilter,dhcp,tcpflags
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
 
       <para><filename>/etc/shorewall/tunnels</filename>:</para>

docs/Install.xml

@@ -147,7 +147,7 @@
       <emphasis role="bold">Shorewall-core</emphasis> 4.5.2 or later, a
       shorewallrc file named ${HOME}/.shorewallrc will be installed. That file
       will provide the default parameters for installing other Shorewall
-      components of the same or later version.</para>
+      components of the same or later verion.</para>
 
       <para>Note that <emphasis role="bold">you must install Shorewall-core
       before installing any other Shorewall package</emphasis>.</para>
@@ -730,7 +730,7 @@
 
           <programlisting><command>./install.sh -s</command></programlisting>
 
-          <para>The <emphasis role="bold">-s</emphasis> option suppresses
+          <para>The <emphasis role="bold">-s</emphasis> option supresses
           installation of all files in <filename
           class="directory">/etc/shorewall</filename> except
           <filename>shorewall.conf</filename>. You can copy any other files

docs/Introduction.xml

@@ -181,10 +181,10 @@ dmz     ipv4</programlisting>
     file. In the three-interface sample, the three zones are defined using
     that file as follows:</para>
 
-    <programlisting>#ZONE      INTERFACE     BROADCAST     OPTIONS
-net        eth0          detect        dhcp,routefilter
-loc        eth1          detect
-dmz        eth2          detect</programlisting>
+    <programlisting>#ZONE      INTERFACE     OPTIONS
+net        eth0          dhcp,routefilter
+loc        eth1
+dmz        eth2</programlisting>
 
     <para>The above file defines the <emphasis>net</emphasis> zone as all IPv4
     hosts interfacing to the firewall through eth0, the
@@ -201,10 +201,10 @@ dmz        eth2          detect</programlisting>
     file or you may use the nets= option in
     <filename>/etc/shorewall/interfaces</filename>:</para>
 
-    <programlisting>#ZONE      INTERFACE     BROADCAST     OPTIONS
-net        eth0          detect        dhcp,routefilter,nets=(!192.168.0.0/23)
-loc        eth1          detect        nets=(192.168.0.0/24)
-dmz        eth2          detect        nets=(192.168.1.0/24)</programlisting>
+    <programlisting>#ZONE      INTERFACE     OPTIONS
+net        eth0          dhcp,routefilter,nets=(!192.168.0.0/23)
+loc        eth1          nets=(192.168.0.0/24)
+dmz        eth2          nets=(192.168.1.0/24)</programlisting>
 
     <para>The above file defines the <emphasis>net</emphasis> zone as all IPv4
     hosts interfacing to the firewall through eth0 <emphasis>except</emphasis>

docs/KVM.xml

@@ -66,7 +66,7 @@
   <section>
     <title>Networking Configuration</title>
 
-    <para>I use a network configuration where each VM has its own VNET and
+    <para>I use a network configuration where each VM has it's own VNET and
     tap device and the tap devices are all configured as ports on a Linux
     Bridge. For clarity, I've only shown four of the virtual machines
     available on the system.</para>

docs/Laptop.xml

@@ -68,10 +68,10 @@
     optional interfaces for the 'net' zone in
     <filename>/etc/shorewall/interfaces</filename>.</para>
 
-    <programlisting>#ZONE          INTERFACE      BROADCAST           OPTIONS
-net            eth0           detect              optional,…
-net            wlan0          detect              optional,…
-net            ppp0           -                   optional,…</programlisting>
+    <programlisting>#ZONE          INTERFACE      OPTIONS
+net            eth0           optional,…
+net            wlan0          optional,…
+net            ppp0           optional,…</programlisting>
 
     <para>With this configuration, access to the 'net' zone is possible
     regardless of which of the interfaces is being used.</para>

docs/MAC_Validation.xml

@@ -172,12 +172,12 @@ MACLIST_LOG_LEVEL=info</programlisting>
 
       <para>/etc/shorewall/interfaces:</para>
 
-      <programlisting>#ZONE   INTERFACE       BROADCAST       OPTIONS
-net     $EXT_IF         206.124.146.255 dhcp,routefilter,logmartians,blacklist,tcpflags,nosmurfs
-loc     $INT_IF         192.168.1.255   dhcp
+      <programlisting>#ZONE   INTERFACE       OPTIONS
+net     $EXT_IF         dhcp,routefilter,logmartians,blacklist,tcpflags,nosmurfs
+loc     $INT_IF         dhcp
 dmz     $DMZ_IF         -
 vpn     tun+            -
-Wifi    $WIFI_IF        -               maclist,dhcp
+Wifi    $WIFI_IF        maclist,dhcp
 #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
 
       <para>/etc/shorewall/maclist:</para>

docs/Manpages.xml

@@ -89,7 +89,7 @@
         Define MAC verification.</member>
 
         <member><ulink url="manpages/shorewall-mangle.html">mangle</ulink> -
-        Supersedes tcrules and describes packet/connection marking.</member>
+        Supercedes tcrules and describes packet/connection marking.</member>
 
         <member><ulink url="manpages/shorewall-masq.html">masq</ulink> -
         Define Masquerade/SNAT</member>
@@ -168,7 +168,7 @@
         state (added in Shorewall 4.5.8).</member>
 
         <member><ulink url="manpages/shorewall-tcrules.html">tcrules</ulink> -
-        Define packet marking rules, usually for traffic shaping. Superseded
+        Define packet marking rules, usually for traffic shaping. Superceded
         by mangle (above) in Shorewall 4.6.0.</member>
 
         <member><ulink url="manpages/shorewall-tos.html">tos</ulink> - Define

docs/Manpages6.xml

@@ -79,7 +79,7 @@
         - Define MAC verification.</member>
 
         <member><ulink url="manpages6/shorewall6-mangle.html">mangle</ulink> -
-        Supersedes tcrules and describes packet/connection marking.</member>
+        Supercedes tcrules and describes packet/connection marking.</member>
 
         <member><ulink url="manpages6/shorewall6-masq.html">masq</ulink> -
         Define Masquerade/SNAT</member>
@@ -149,7 +149,7 @@
         Classify traffic for simplified traffic shaping.</member>
 
         <member><ulink url="manpages6/shorewall6-tcrules.html">tcrules</ulink>
-        - Define packet marking rules, usually for traffic shaping. Superseded
+        - Define packet marking rules, usually for traffic shaping. Superceded
         by mangle (above) in Shorewall 4.6.0.</member>
 
         <member><ulink url="manpages6/shorewall6-tos.html">tos</ulink> -

docs/ManualChains.xml

@@ -201,11 +201,11 @@ SSHKnock         net               $FW            tcp         22,1599,1600,1601
 
     <para>becomes:<programlisting>PERL Knock 'net', '$FW', {target =&gt; 22, knocker =&gt; 1600, trap =&gt; [1599, 1601]};</programlisting>Similarly<programlisting>#ACTION          SOURCE            DEST            PROTO       DEST PORT(S)  SOURCE      ORIGINAL
 #                                                                            PORT(S)     DEST
-DNAT-            net               192.168.1.5 tcp             22            -           206.124.146.178
+DNAT-            net               loc:192.168.1.5 tcp         22            -           206.124.146.178
 SSHKnock         net               $FW             tcp         1599,1600,1601
 SSHKnock         net               loc:192.168.1.5 tcp         22            -           206.124.146.178</programlisting>becomes:<programlisting>#ACTION          SOURCE            DEST            PROTO       DEST PORT(S)  SOURCE      ORIGINAL
 #                                                                            PORT(S)     DEST
-DNAT-            net               192.168.1.5 tcp             22            -           206.124.146.178
+DNAT-            net               loc:192.168.1.5 tcp         22            -           206.124.146.178
 
 PERL Knock 'net', '$FW', {name =&gt; 'SSH', knocker =&gt; 1600, trap =&gt; [1599, 1601]};
 PERL Knock 'net', 'loc:192.168.1.5', {name =&gt; 'SSH', target =&gt; 22, original_dest =&gt; '206.124.136.178'};</programlisting></para>

docs/MultiISP.xml

@@ -155,7 +155,7 @@
       Shorewall can set up the correct marking rules for you.</para>
 
       <important>
-        <para><filename>/etc/shorewall/mangle</filename> superseded
+        <para><filename>/etc/shorewall/mangle</filename> superceded
         <filename>/etc/shorewall/tcrules</filename> in Shorewall 4.6.0.</para>
       </important>
 
@@ -750,10 +750,8 @@ eth1             0.0.0.0/0            130.252.99.27</programlisting>
       <title>Martians</title>
 
       <para>One problem that often arises with Multi-ISP configuration is
-      'Martians'. If you set ROUTE_FILTER=Yes in
-      <filename>/etc/shorewall/shorewall.conf</filename> or if your Internet
-      interfaces are configured with the <emphasis
-      role="bold">routefilter</emphasis> option in
+      'Martians'. If your Internet interfaces are configured with the
+      <emphasis role="bold">routefilter</emphasis> option in
       <filename>/etc/shorewall/interfaces</filename> (remember that if you set
       that option, you should also select <emphasis
       role="bold">logmartians</emphasis>), then things may not work correctly
@@ -812,18 +810,6 @@ DROP:info        net:192.168.1.0/24         all</programlisting>
 
       <para>Be sure the above rule is added before any other rules with
       <emphasis>net</emphasis> in the SOURCE column.</para>
-
-      <important>
-        <para>If you set ROUTE_FILTER=Yes in
-        <filename>/etc/shorewall/shorewall.conf</filename>, then setting
-        <emphasis role="bold">routefilter</emphasis>=0 in <ulink
-        url="manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>
-        (5) will not disable route filtering on a given interface. You must
-        set ROUTE_FILTER=No in <ulink
-        url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5), then
-        set the <emphasis role="bold">routefilter</emphasis> option on those
-        interfaces on which you want route filtering.</para>
-      </important>
     </section>
 
     <section id="Example1">
@@ -846,9 +832,9 @@ ISP2    2       2       main            eth1            130.252.99.254  track,ba
 
       <para><filename>/etc/shorewall/interfaces</filename>:</para>
 
-      <programlisting>#ZONE    INTERFACE    BROADCAST       OPTIONS
-net      eth0         detect          …          
-net      eth1         detect          …</programlisting>
+      <programlisting>#ZONE    INTERFACE    OPTIONS
+net      eth0         …          
+net      eth1         …</programlisting>
 
       <para><filename>/etc/shorewall/policy</filename>:</para>
 
@@ -2005,9 +1991,9 @@ ComcastC 2      -    -          eth0      detect        loose,fallback,load=0.33
       <para>You specify the <option>optional</option> option in
       <filename>/etc/shorewall/interfaces</filename>:</para>
 
-      <programlisting>#ZONE    INTERFACE    BROADCAST       OPTIONS
-net      eth0         detect          <emphasis role="bold">optional</emphasis>         
-net      eth1         detect          <emphasis role="bold">optional</emphasis></programlisting>
+      <programlisting>#ZONE    INTERFACE    OPTIONS
+net      eth0         <emphasis role="bold">optional</emphasis>         
+net      eth1         <emphasis role="bold">optional</emphasis></programlisting>
 
       <section id="lsm">
         <title>Link Status Monitor (LSM)</title>
@@ -2576,11 +2562,11 @@ kvm             all             ACCEPT
 net             all             DROP            info
 all             all             REJECT          info</programlisting></para>
 
-      <para>interfaces:<programlisting>#ZONE    INTERFACE      BROADCAST       OPTIONS                 GATEWAY
+      <para>interfaces:<programlisting>#ZONE    INTERFACE      PTIONS                 GATEWAY
 #
-net     eth0            detect          dhcp,tcpflags,routefilter,blacklist,logmartians,optional,arp_ignore
-net     wlan0           detect          dhcp,tcpflags,routefilter,blacklist,logmartians,optional
-kvm     br0             detect          routeback       #Virtual Machines</programlisting><note>
+net     eth0            dhcp,tcpflags,routefilter,blacklist,logmartians,optional,arp_ignore
+net     wlan0           dhcp,tcpflags,routefilter,blacklist,logmartians,optional
+kvm     br0             routeback       #Virtual Machines</programlisting><note>
           <para><filename class="devicefile">wlan0</filename> is the wireless
           adapter in the notebook. Used when the laptop is in our home but not
           connected to the wired network.</para>

docs/Multiple_Zones.xml

@@ -209,7 +209,7 @@ loc1:loc    ipv4</programlisting>
 
         <para><filename>/etc/shorewall/interfaces</filename></para>
 
-        <programlisting>#ZONE               INTERFACE           BROADCAST               OPTIONS
+        <programlisting>#ZONE               INTERFACE           OPTIONS
 loc                 eth1                -</programlisting>
 
         <para><filename>/etc/shorewall/hosts</filename></para>
@@ -247,8 +247,8 @@ loc2        ipv4</programlisting>
 
         <para><filename>/etc/shorewall/interfaces</filename></para>
 
-        <programlisting>#ZONE               INTERFACE           BROADCAST
--                   eth1                192.168.1.255
+        <programlisting>#ZONE               INTERFACE
+-                   eth1
 </programlisting>
 
         <para><filename>/etc/shorewall/hosts</filename></para>
@@ -287,8 +287,8 @@ loc1:loc    ipv4</programlisting>
 
     <para><filename>/etc/shorewall/interfaces</filename></para>
 
-    <programlisting>#ZONE               INTERFACE           BROADCAST
-loc                 eth1                -</programlisting>
+    <programlisting>#ZONE               INTERFACE
+loc                 eth1</programlisting>
 
     <para><filename>/etc/shorewall/hosts</filename><programlisting>#ZONE               HOSTS                  OPTIONS
 loc1                eth1:192.168.1.8/29    broadcast</programlisting></para>

docs/MyNetwork.xml

@@ -171,7 +171,7 @@
   <section>
     <title>Shorewall Configuration</title>
 
-    <para>This section contains excerpts from the Shorewall
+    <para>This section contains exerpts from the Shorewall
     configuration.</para>
 
     <para>It is important to keep in mind that parts of my configuration are