Add /etc/shorewall/params to the multi-ISP LSM example

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/lib.cli

@@ -1470,22 +1470,10 @@ do_dump_command() {
 	$g_tool -t rawpost -L $g_ipt_options
     fi
 
-    local count
+    local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
-    local max
+    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
 
-    if [ -f /proc/sys/net/netfilter/nf_conntrack_count ]; then
+    heading "Conntrack Table ($count out of $max)"
-	count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
-	max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
-
-	heading "Conntrack Table ($count out of $max)"
-    elif [ -f /proc/sys/net/ipv4/netfilter/ip_conntrack_count ]; then
-	count=$(cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count)
-	max=$(cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max)
-
-	heading "Conntrack Table ($count out of $max)"
-    else
-	heading "Conntrack Table"
-    fi
 
     if [ $g_family -eq 4 ]; then
     	[ -f /proc/net/ip_conntrack ] && cat /proc/net/ip_conntrack || grep -v '^ipv6' /proc/net/nf_conntrack
@@ -3527,6 +3515,14 @@ restart_command() {
     return $rc
 }
 
+run_command() {
+    if [ -x ${VARDIR}/firewall ] ; then
+	run_it ${VARDIR}/firewall $g_debugging $@
+    else
+	fatal_error "${VARDIR}/firewall does not exist or is not executable"
+    fi
+}
+
 #
 # Give Usage Information
 #
@@ -3558,6 +3554,7 @@ usage() # $1 = exit status
     echo "   reset [ <chain> ... ]"
     echo "   restart [ -n ] [ -p ] [ -f ] [ <directory> ]"
     echo "   restore [ -n ] [ <file name> ]"
+    echo "   run <command> [ <parameter> ... ]"
     echo "   save [ <file name> ]"
     echo "   [ show | list | ls ] [ -b ] [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
     echo "   [ show | list | ls ] [ -f ] capabilities"
@@ -3830,6 +3827,11 @@ shorewall_cli() {
 		fatal_error "$g_product is not running"
 	    fi
 	    ;;
+	run)
+	    [ $# -gt 1 ] || fatal_error "Missing function name"
+	    get_config Yes
+	    run_command $@
+	    ;;
 	show|list|ls)
 	    get_config Yes No Yes
     	    shift

Shorewall-core/lib.common

@@ -172,6 +172,7 @@ run_it() {
 error_message() # $* = Error Message
 {
    echo "   $@" >&2
+   return 1
 }
 
 #

Shorewall-init/init.debian.sh

@@ -123,6 +123,17 @@ shorewall_start () {
 
   echo "done."
 
+  if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
+
+      echo -n "Restoring ipsets: "
+
+      if ! ipset -R < "$SAVE_IPSETS"; then
+	  echo_notdone
+      fi
+
+      echo "done."
+  fi
+
   return 0
 }
 
@@ -142,6 +153,20 @@ shorewall_stop () {
 
   echo "done."
 
+  if [ -n "$SAVE_IPSETS" ]; then
+
+      echo "Saving ipsets: "
+
+      mkdir -p $(dirname "$SAVE_IPSETS")
+      if ipset -S > "${SAVE_IPSETS}.tmp"; then
+	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+      else
+	  echo_notdone
+      fi
+
+      echo "done."
+  fi
+
   return 0
 }
 

Shorewall-init/shorewall-init

@@ -63,19 +63,18 @@ shorewall_start () {
   for PRODUCT in $PRODUCTS; do
       setstatedir
 
-      if [ -x ${STATEDIR}/firewall ]; then
+      if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then
           #
 	  # Run in a sub-shell to avoid name collisions
 	  #
 	  (
-	      if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
+	      if ! ${STATEDIR}/$PRODUCT/firewall status > /dev/null 2>&1; then
-		  ${STATEDIR}/firewall ${OPTIONS} stop || exit 1
+		  ${STATEDIR}/$PRODUCT/firewall ${OPTIONS} stop || exit 1
 	      else
 		  exit 1
 	      fi
 	  )
       else
-          echo ERROR:  ${STATEDIR}/firewall does not exist or is not executable!
 	  exit 1
       fi
   done
@@ -96,8 +95,8 @@ shorewall_stop () {
   for PRODUCT in $PRODUCTS; do
       setstatedir
 
-      if [ -x ${STATEDIR}/firewall ]; then
+      if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then
-	  ${STATEDIR}/firewall ${OPTIONS} clear || exit 1
+	  ${STATEDIR}/$PRODUCT/firewall ${OPTIONS} clear || exit 1
       fi
   done
 

Shorewall-lite/manpages/shorewall-lite.xml

@@ -317,6 +317,21 @@
       <arg><replaceable>filename</replaceable></arg>
     </cmdsynopsis>
 
+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>run</option></arg>
+
+      <arg choice="plain">function</arg>
+
+      <arg><replaceable>parameter ...</replaceable></arg>
+    </cmdsynopsis>
+
     <cmdsynopsis>
       <command>shorewall-lite</command>
 
@@ -822,6 +837,23 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">run</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.6.3. Executes
+          <replaceable>command</replaceable> in the context of the generated
+          script passing the supplied <replaceable>parameter</replaceable>s.
+          Normally, the <replaceable>command</replaceable> will be a function
+          declared in <filename>lib.private</filename>.</para>
+
+          <para>Before executing the <replaceable>command</replaceable>, the
+          script will detect the configuration, setting all SW_* variables and
+          will run your <filename>init</filename> extension script with
+          $COMMAND = 'run'.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">save</emphasis></term>
 

Shorewall/Macros/macro.Goto-Meeting

@@ -0,0 +1,12 @@
+#
+# Shorewall version 4 - Citrix/Goto Meeting macro
+#
+# /usr/share/shorewall/macro.Goto-Meeting
+#          by Eric Teeter
+#       This macro handles Citrix/Goto Meeting
+#       Assumes that ports 80 and 443 are already open
+#       If needed, use the macros that open Http and Https to reduce redundancy
+####################################################################################
+#ACTION	   SOURCE	DEST    PROTO   DEST    SOURCE  RATE    USER/
+#                                       PORT(S) PORT(S) LIMIT   GROUP
+PARAM      -         	-       tcp     8200    # Goto Meeting only needed (TCP outbound)

Shorewall/Perl/Shorewall/Chains.pm

@@ -7570,7 +7570,7 @@ sub expand_rule( $$$$$$$$$$$;$ )
 						     $exceptionrule,
 						     $actparms{disposition} || $disposition,
 						     $target ),
-					   $terminating{$basictarget} || ( $targetref || $targetref->{complete} ),
+					   $terminating{$basictarget} || ( $targetref && $targetref->{complete} ),
 					   $matches );
 		    }
 

Shorewall/Perl/Shorewall/Compiler.pm

@@ -280,42 +280,42 @@ sub generate_script_2() {
 
     if ( $global_variables ) {
 
-	emit( 'case $COMMAND in' );
-
-	push_indent;
-
 	if ( $global_variables & NOT_RESTORE ) {
-	    emit( 'start|restart|refresh|disable|enable)' );
-	} else {
-	    emit( 'start|restart|refresh|disable|enable|restore)' );
-	}
 
-	push_indent;
+	    emit( 'case $COMMAND in' );
 
-	set_global_variables(1);
+	    push_indent;
-
-	handle_optional_interfaces(0);
-
-	emit ';;';
-
-	if ( $global_variables == ( ALL_COMMANDS | NOT_RESTORE ) ) {
-	    pop_indent;
 
 	    emit 'restore)';
 
 	    push_indent;
 
-	    set_global_variables(0);
+	    if ( $global_variables == ( ALL_COMMANDS | NOT_RESTORE ) ) {
 
-	    handle_optional_interfaces(0);
+		set_global_variables(0);
+
+		handle_optional_interfaces(0);
+	    }
 
 	    emit ';;';
+
+	    pop_indent;
+
+	    emit '*)';
+
+	    push_indent;
 	}
 
-	pop_indent;
+	set_global_variables(1);
-	pop_indent;
 
-	emit ( 'esac' ) ,
+	handle_optional_interfaces(0);
+
+	if ( $global_variables & NOT_RESTORE ) {
+	    emit ';;';
+	    pop_indent;
+	    pop_indent;
+	    emit ( 'esac' );
+	}
     } else {
 	emit( 'true' ) unless handle_optional_interfaces(1);
     }

Shorewall/Perl/Shorewall/Config.pm

@@ -3259,7 +3259,11 @@ sub expand_variables( \$ ) {
 	fatal_error "Variable Expansion Loop" if ++$count > 100;
     }
 
-    if ( $actparms{0} ) {
+    if ( $chain ) {
+	#
+	# We're in an action body -- allow escaping at signs (@) for u32
+	#
+	$$lineref =~ s/\\@/??/g;
 	#                         $1      $2   $3                     -     $4
 	while ( $$lineref =~ m( ^(.*?) \@({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
 	    my ( $first, $var, $rest ) = ( $1, $3, $4);
@@ -3268,6 +3272,8 @@ sub expand_variables( \$ ) {
 	    $$lineref = join( '', $first , $val , $rest );
 	    fatal_error "Variable Expansion Loop" if ++$count > 100;
 	}
+
+	$$lineref =~ s/\?\?/@/g;
     }
 }
 

Shorewall/Perl/Shorewall/Providers.pm

@@ -460,9 +460,6 @@ sub process_a_provider( $ ) {
 
     fatal_error "A bridge port ($interface) may not be configured as a provider interface" if port_to_bridge $interface;
 
-    #
-    # Switch to the logical name if a physical name was passed
-    #
     my $physical;
 
     if ( $interface eq $interfaceref->{name} ) {
@@ -1296,9 +1293,11 @@ sub start_providers() {
 	    emit_unindented "$providers{$_}{number}\t$_" unless $providers{$_}{pseudo};
 	}
 
-	emit_unindented "EOF\n";
+	emit_unindented 'EOF';
 
-	emit "fi\n";
+	emit( 'else',
+	      '    error_message "WARNING: /etc/iproute2/rt_tables is missing or is not writeable"',
+	      "fi\n" );
     }
 
     emit  ( '#',

Shorewall/Perl/Shorewall/Rules.pm

@@ -818,9 +818,7 @@ sub apply_policy_rules() {
     progress_message2 'Applying Policies...';
 
     for my $chainref ( @policy_chains ) {
-	my $policy      = $chainref->{policy};
+	unless ( ( my $policy = $chainref->{policy} ) eq 'NONE' ) {
-
-	unless ( $policy eq 'NONE' ) {
 	    my $loglevel    = $chainref->{loglevel};
 	    my $provisional = $chainref->{provisional};
 	    my $default     = $chainref->{default};
@@ -2376,7 +2374,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 		      my ( $tgt, $options ) = split / /, $param;
 		      my $target_type = $builtin_target{$tgt};
 		      fatal_error "Unknown target ($tgt)" unless $target_type;
-		      fatal_error "The $tgt TARGET is now allowed in the filter table" unless $target_type & FILTER_TABLE;
+		      fatal_error "The $tgt TARGET is not allowed in the filter table" unless $target_type & FILTER_TABLE;
 		      $action = $param;
 		  } else {
 		      $action = '';
@@ -2389,7 +2387,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 		      my ( $tgt, $options ) = split / /, $param;
 		      my $target_type = $builtin_target{$tgt};
 		      fatal_error "Unknown target ($tgt)" unless $target_type;
-		      fatal_error "The $tgt TARGET is now allowed in the filter table" unless $target_type & FILTER_TABLE;
+		      fatal_error "The $tgt TARGET is not allowed in the filter table" unless $target_type & FILTER_TABLE;
 		      $action = $param;
 		  } else {
 		      $action = '';

Shorewall/Perl/Shorewall/Zones.pm

@@ -1499,7 +1499,7 @@ sub map_physical( $$ ) {
 
     $physical =~ s/\+$//;
 
-    $physical . substr( $name, length  $interfaceref->{root} );
+    $physical . substr( $name, length( $interfaceref->{root} ) );
 }
 
 #

Shorewall/Perl/prog.footer

@@ -17,6 +17,7 @@ usage() {
     echo "   reset"
     echo "   refresh"
     echo "   restart"
+    echo "   run <command> [ <parameter> ... ]"
     echo "   status"
     echo "   up <interface>"
     echo "   version"
@@ -371,6 +372,17 @@ case "$COMMAND" in
 	fi
 	status=0
 	;;
+    run)
+	if [ $# -gt 1 ]; then
+	    shift
+	    detect_configuration
+	    run_init_exit
+	    eval $@
+	    status=$?
+	else
+	    error_message "ERROR: Missing command"
+	fi
+	;;
     version)
 	[ $# -ne 1 ] && usage 2
 	echo $SHOREWALL_VERSION

Shorewall/action.DNSAmp

@@ -0,0 +1,34 @@
+#
+# Shorewall 4 - DNS Amplification Action
+#
+#    /usr/share/shorewall/action.DNSAmp
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
+#
+#       Complete documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#   DNSAmp[([<action>])]
+#
+#       Default action is DROP
+#
+##########################################################################################
+?format 2
+
+DEFAULTS DROP
+
+IPTABLES(@1)	-	-	udp	53	; -m u32 --u32 "0>>22&0x3C\@8&0xffff=0x0100 && 0>>22&0x3C\@12&0xffff0000=0x00010000"

Shorewall/actions.std

@@ -31,6 +31,7 @@ allowInvalid inline		# Accepts packets in the INVALID conntrack state
 AutoBL       noinline           # Auto-blacklist IPs that exceed thesholds
 AutoBLL      noinline           # Helper for AutoBL
 Broadcast    noinline           # Handles Broadcast/Multicast/Anycast
+DNSAmp                          # Matches one-question recursive DNS queries
 Drop		                # Default Action for DROP policy
 dropInvalid  inline		# Drops packets in the INVALID conntrack state
 DropSmurfs   noinline           # Drop smurf packets

Shorewall/default.debian

@@ -16,7 +16,7 @@ startup=0
 #    wait_interface=
 
 #
-# Global start/restart/stop options
+# Global start/restart options
 #
 OPTIONS=""
 

Shorewall/lib.cli-std

@@ -1615,6 +1615,15 @@ export_command() # $* = original arguments less the command.
     fi
 }
 
+run_command() {
+    if [ -x ${VARDIR}/firewall ] ; then
+	uptodate ${VARDIR}/firewall || echo "   WARNING: ${VARDIR}/firewall is not up to date" >&2
+	run_it ${VARDIR}/firewall $g_debugging $@
+    else
+	fatal_error "${VARDIR}/firewall does not exist or is not executable"
+    fi
+}
+
 #
 # Give Usage Information
 #
@@ -1666,6 +1675,7 @@ usage() # $1 = exit status
     echo "   reset [ <chain> ... ]"
     echo "   restart [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ <directory> ]"
     echo "   restore [ -n ] [ <file name> ]"
+    echo "   run <command> [ <parameter> ... ]"
     echo "   safe-restart [ -t <timeout> ] [ <directory> ]"
     echo "   safe-start [ -t <timeout> ] [ <directory> ]"
     echo "   save [ <file name> ]"

Shorewall/manpages/shorewall-actions.xml

@@ -71,8 +71,8 @@
                 role="bold">raw</emphasis>. If no table name(s) are given,
                 then <emphasis role="bold">filter</emphasis> is assumed. The
                 table names follow <emphasis role="bold">builtin</emphasis>
-                and are separated by commas; for example,
+                and are separated by commas; for example, "FOOBAR
-                "FOOBAR,filter,mangle" would specify FOOBAR as a builtin
+                builtin,filter,mangle" would specify FOOBAR as a builtin
                 target that can be used in the filter and mangle
                 tables.</para>
               </listitem>

Shorewall/manpages/shorewall-rules.xml

@@ -476,24 +476,32 @@
             </varlistentry>
 
             <varlistentry>
-              <term>IPTABLES({<replaceable>target</replaceable>
+              <term>IPTABLES({<replaceable>iptables-target</replaceable>
               [<replaceable>option</replaceable> ...])</term>
 
               <listitem>
                 <para>This action allows you to specify an iptables target
                 with options (e.g., 'IPTABLES(MARK --set-xmark 0x01/0xff)'. If
-                the target is not one recognized by Shorewall, the following
+                the <replaceable>iptables-target</replaceable> is not one
-                error message will be issued:</para>
+                recognized by Shorewall, the following error message will be
+                issued:</para>
 
-                <simplelist>
+                <programlisting>    ERROR: Unknown target (<replaceable>iptables-target</replaceable>)</programlisting>
-                  <member>ERROR: Unknown target
-                  (<replaceable>target</replaceable>)</member>
-                </simplelist>
 
                 <para>This error message may be eliminated by adding the
-                <replaceable>target</replaceable> as a builtin action in
+                <replaceable>iptables-</replaceable><replaceable>target</replaceable>
-                <ulink
+                as a builtin action in <ulink
                 url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5).</para>
+
+                <important>
+                  <para>If you specify REJECT as the
+                  <replaceable>iptables-target</replaceable>, the target of
+                  the rule will be the iptables REJECT target and not
+                  Shorewall's builtin 'reject' chain which is used when REJECT
+                  (see below) is specified as the
+                  <replaceable>target</replaceable> in the ACTION
+                  column.</para>
+                </important>
               </listitem>
             </varlistentry>
 

Shorewall/manpages/shorewall.xml

@@ -457,6 +457,21 @@
       <arg><replaceable>filename</replaceable></arg>
     </cmdsynopsis>
 
+    <cmdsynopsis>
+      <command>shorewall</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>run</option></arg>
+
+      <arg choice="plain"><replaceable>command</replaceable></arg>
+
+      <arg><replaceable>parameter ...</replaceable></arg>
+    </cmdsynopsis>
+
     <cmdsynopsis>
       <command>shorewall</command>
 
@@ -1409,6 +1424,32 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">run</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.6.3. Executes
+          <replaceable>command</replaceable> in the context of the generated
+          script passing the supplied <replaceable>parameter</replaceable>s.
+          Normally, the <replaceable>command</replaceable> will be a function
+          declared in <filename>lib.private</filename>.</para>
+
+          <para>Before executing the <replaceable>command</replaceable>, the
+          script will detect the configuration, setting all SW_* variables and
+          will run your <filename>init</filename> extension script with
+          $COMMAND = 'run'.</para>
+
+          <para>If there are files in the CONFIG_PATH that were modified after
+          the current firewall script was generated, the following warning
+          message is issued:</para>
+
+          <simplelist>
+            <member>WARNING: /var/lib/shorewall/firewall is not up to
+            date</member>
+          </simplelist>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">safe-restart</emphasis></term>
 

Shorewall6-lite/manpages/shorewall6-lite.xml

@@ -317,6 +317,21 @@
       <arg><replaceable>filename</replaceable></arg>
     </cmdsynopsis>
 
+    <cmdsynopsis>
+      <command>shorewall6-lite</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>run</option></arg>
+
+      <arg choice="plain">command</arg>
+
+      <arg><replaceable>parameter ...</replaceable></arg>
+    </cmdsynopsis>
+
     <cmdsynopsis>
       <command>shorewall6-lite</command>
 
@@ -820,6 +835,23 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">run</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.6.3. Executes
+          <replaceable>command</replaceable> in the context of the generated
+          script passing the supplied <replaceable>parameter</replaceable>s.
+          Normally, the <replaceable>command</replaceable> will be a function
+          declared in <filename>lib.private</filename>.</para>
+
+          <para>Before executing the command, the script will detect the
+          configuration, setting all SW_* variables and will run your
+          <filename>init</filename> extension script with $COMMAND =
+          'run'.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">save</emphasis></term>
 

Shorewall6/manpages/shorewall6-actions.xml

@@ -71,9 +71,10 @@
                 role="bold">mangle</emphasis> and <emphasis
                 role="bold">raw</emphasis>. If no table name(s) are given,
                 then <emphasis role="bold">filter</emphasis> is assumed. The
-                table names follow builtin and are separated by commas; for
+                table names follow <emphasis role="bold">builtin</emphasis>
-                example, "FOOBAR,filter,mangle" would specify FOOBAR as a
+                and are separated by commas; for example, "FOOBAR
-                builtin target that can be used in the filter and mangle
+                builtin,filter,mangle" would specify FOOBAR as a builtin
+                target that can be used in the filter and mangle
                 tables.</para>
               </listitem>
             </varlistentry>

Shorewall6/manpages/shorewall6-rules.xml

@@ -450,24 +450,33 @@
             </varlistentry>
 
             <varlistentry>
-              <term>IP6TABLES({<replaceable>target</replaceable>
+              <term>IP6TABLES({<replaceable>ip6tables-target</replaceable>
               [<replaceable>option</replaceable> ...])</term>
 
               <listitem>
-                <para>This action allows you to specify an iptables target
+                <para>This action allows you to specify an ip6tables target
-                with options (e.g., 'IP6TABLES(MARK --set-xmark 0x01/0xff)'.
+                with options (e.g., 'IPTABLES(MARK --set-xmark 0x01/0xff)'. If
-                If the target is not one recognized by Shorewall, the
+                the <replaceable>ip6tables-target</replaceable> is not one
-                following error message will be issued:</para>
+                recognized by Shorewall, the following error message will be
+                issued:</para>
 
-                <simplelist>
+                <programlisting>    ERROR: Unknown target (<replaceable>ip6tables-target</replaceable>)</programlisting>
-                  <member>ERROR: Unknown target
-                  (<replaceable>target</replaceable>)</member>
-                </simplelist>
 
-                <para>This error message may be eliminated by adding the
+                <para>This error message may be eliminated by adding
-                <replaceable>target</replaceable> as a builtin action in
+                the<replaceable>
-                <ulink
+                ip6tables-</replaceable><replaceable>target</replaceable> as a
-                url="/manpages6/shorewall6-actions.html">shorewall6-actions(5)</ulink>.</para>
+                builtin action in <ulink
+                url="shorewall6-actions.html">shorewall6-actions</ulink>(5).</para>
+
+                <important>
+                  <para>If you specify REJECT as the
+                  <replaceable>ip6tables-target</replaceable>, the target of
+                  the rule will be the i6ptables REJECT target and not
+                  Shorewall's builtin 'reject' chain which is used when REJECT
+                  (see below) is specified as the
+                  <replaceable>target</replaceable> in the ACTION
+                  column.</para>
+                </important>
               </listitem>
             </varlistentry>
 

Shorewall6/manpages/shorewall6.xml

@@ -406,6 +406,21 @@
       <arg><replaceable>filename</replaceable></arg>
     </cmdsynopsis>
 
+    <cmdsynopsis>
+      <command>shorewall6</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>run</option></arg>
+
+      <arg choice="plain"><replaceable>command</replaceable></arg>
+
+      <arg><replaceable>parameter ...</replaceable></arg>
+    </cmdsynopsis>
+
     <cmdsynopsis>
       <command>shorewall6</command>
 
@@ -1290,6 +1305,33 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">run</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.6.3. Executes
+          <replaceable>command</replaceable> in the context of the generated
+          script passing the supplied <replaceable>parameter</replaceable>s.
+          Normally, the <replaceable>command</replaceable> will be a function
+          declared in <filename>lib.private</filename>.</para>
+
+          <para>Before executing the <replaceable>command</replaceable>, the
+          script will detect the configuration, setting all SW_* variables and
+          will run your <filename>init</filename> extension script with
+          $COMMAND = 'run'.</para>
+
+          <para>If there are files in the CONFIG_PATH that were modified after
+          the current firewall script was generated, the following warning
+          message is issued before the script's run command is
+          executed:</para>
+
+          <simplelist>
+            <member>WARNING: /var/lib/shorewall6/firewall is not up to
+            date</member>
+          </simplelist>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">safe-restart</emphasis></term>
 

docs/Build.xml

@@ -164,7 +164,7 @@
     <section>
       <title>build</title>
 
-      <para>This is the script that builds Shorewall 4.4 packages from
+      <para>This is the script that builds Shorewall 4.6 packages from
       Git.</para>
 
       <para>The script copies content from Git using the <command>git
@@ -220,7 +220,7 @@
       <para>You should ensure that you have the latest scripts. The scripts
       change periodically as we move through the release cycles.</para>
 
-      <para>The build44 script may need to be modified to fit your particular
+      <para>The build46 script may need to be modified to fit your particular
       environment. There are a number of variables that are set near the top
       of the file:</para>
 
@@ -270,10 +270,12 @@
       </variablelist>
 
       <para>The scripts assume that there will be a separate <firstterm>build
-      directory</firstterm> per major release. To build a release, you cd to
+      directory</firstterm> per major release.</para>
-      the appropriate directory and run the build script.</para>
 
-      <para>The general form of the build command is:</para>
+      <para>To build a release, you cd to the appropriate directory and run
+      the build46 script.</para>
+
+      <para>The general form of the build46 command is:</para>
 
       <blockquote>
         <para><command>build</command> [ -<replaceable>options</replaceable> ]
@@ -401,13 +403,13 @@
     </section>
 
     <section>
-      <title>build45</title>
+      <title>build45 and build46</title>
 
-      <para>This is the script that builds Shorewall 4.5 packages from
+      <para>These are the scripts that respectively build Shorewall 4.5 and
-      Git.</para>
+      Shorewall 4.6 packages from Git.</para>
 
-      <para>The script copies content from Git using the <command>git
+      <para>The scripts copy content from Git using the <command>git
-      archive</command> command. It then uses that content to build the
+      archive</command> command. They then use that content to build the
       packages. In addition to the usual Gnu utilities, the following software
       is required:</para>
 
@@ -451,7 +453,7 @@
 
           <listitem>
             <para>Required to convert the XML manpages to manpages. Be sure
-            that you have a recent version; I use 0.0.23.</para>
+            that you have a recent version; I use 0.0.25.</para>
           </listitem>
         </varlistentry>
       </variablelist>
@@ -459,7 +461,7 @@
       <para>You should ensure that you have the latest scripts. The scripts
       change periodically as we move through the release cycles.</para>
 
-      <para>The build44 script may need to be modified to fit your particular
+      <para>The scripts may need to be modified to fit your particular
       environment. There are a number of variables that are set near the top
       of the file:</para>
 
@@ -509,14 +511,17 @@
       </variablelist>
 
       <para>The scripts assume that there will be a separate <firstterm>build
-      directory</firstterm> per major release. To build a release, you cd to
+      directory</firstterm> per major release. Each build directory should
-      the appropriate directory and run the build script.</para>
+      contain the empty file <filename>shorewall-pkg.config</filename>; that
+      file is no longer used but has been retained just as a guard against
+      initiating a build in an unintended directory. To build a release, you
+      cd to the appropriate directory and run the build script.</para>
 
       <para>The general form of the build command is:</para>
 
       <blockquote>
-        <para><command>build</command> [ -<replaceable>options</replaceable> ]
+        <para><command>build</command>4x [ -<replaceable>options</replaceable>
-        <replaceable>release</replaceable> [ <replaceable>prior
+        ] <replaceable>release</replaceable> [ <replaceable>prior
         release</replaceable> ]</para>
       </blockquote>
 
@@ -632,8 +637,8 @@
         </varlistentry>
       </variablelist>
 
-      <para>Example 1 - Build Shorewall 4.3.7 and generate patches against
+      <para>Example 1 - Build Shorewall 4.5.7 and generate patches against
-      4.3.6:</para>
+      4.5.6:</para>
 
       <blockquote>
         <para><command>build45 4.5.7 4.5.6</command></para>

docs/MultiISP.xml

@@ -710,7 +710,7 @@
       up.</para>
     </section>
 
-    <section>
+    <section id="masq">
       <title>./etc/shorewall/masq and Multi-ISP</title>
 
       <para>If you masquerade a local network, you will need to add masquerade
@@ -976,51 +976,6 @@ eth1             0.0.0.0/0         130.252.99.27
 eth3             0.0.0.0/0         16.105.78.4</programlisting></para>
     </section>
 
-    <section id="Local">
-      <title>Applications running on the Firewall -making them use a
-      particular provider</title>
-
-      <para>As <link linkend="Applications">noted above</link>, separate
-      entries in <filename>/etc/shorewall/mangle</filename> are required for
-      traffic originating from the firewall.</para>
-
-      <para>Experience has shown that in some cases, problems occur with
-      applications running on the firewall itself. This is especially true
-      when you have specified <emphasis role="bold">routefilter</emphasis> on
-      your external interfaces in /etc/shorewall/interfaces (see <link
-      linkend="Martians">above</link>). When this happens, it is suggested
-      that you have the application use specific local IP addresses rather
-      than 0.</para>
-
-      <para>Examples:</para>
-
-      <itemizedlist>
-        <listitem>
-          <para>Squid: In <filename>squid.conf</filename>, set <emphasis
-          role="bold">tcp_outgoing_address</emphasis> to the IP address of the
-          interface that you want Squid to use.</para>
-        </listitem>
-
-        <listitem>
-          <para>In OpenVPN, set <emphasis role="bold">local
-          </emphasis>(<emphasis role="bold">--local</emphasis> on the command
-          line) to the IP address that you want the server to receive
-          connections on.</para>
-        </listitem>
-      </itemizedlist>
-
-      <para>Note that some traffic originating on the firewall doesn't have a
-      SOURCE IP address before routing. At least one Shorewall user reports
-      that an entry in <filename>/etc/shorewall/rtrules</filename> with 'lo'
-      in the SOURCE column seems to be the most reliable way to direct such
-      traffic to a particular ISP.</para>
-
-      <para>Example:</para>
-
-      <programlisting>#SOURCE     DEST      PROVIDER        PRIORITY
-lo          -         shorewall       1000</programlisting>
-    </section>
-
     <section id="rtrules">
       <title>/etc/shorewall/rtrules (formerly
       /etc/shorewall/route_rules)</title>
@@ -1186,6 +1141,51 @@ gateway:~ #</programlisting>Note that because we used a priority of 1000, the
       </section>
     </section>
 
+    <section id="Local">
+      <title>Applications running on the Firewall - making them use a
+      particular provider</title>
+
+      <para>As <link linkend="Applications">noted above</link>, separate
+      entries in <filename>/etc/shorewall/mangle</filename> are required for
+      traffic originating from the firewall.</para>
+
+      <para>Experience has shown that in some cases, problems occur with
+      applications running on the firewall itself. This is especially true
+      when you have specified <emphasis role="bold">routefilter</emphasis> on
+      your external interfaces in /etc/shorewall/interfaces (see <link
+      linkend="Martians">above</link>). When this happens, it is suggested
+      that you have the application use specific local IP addresses rather
+      than 0.</para>
+
+      <para>Examples:</para>
+
+      <itemizedlist>
+        <listitem>
+          <para>Squid: In <filename>squid.conf</filename>, set <emphasis
+          role="bold">tcp_outgoing_address</emphasis> to the IP address of the
+          interface that you want Squid to use.</para>
+        </listitem>
+
+        <listitem>
+          <para>In OpenVPN, set <emphasis role="bold">local
+          </emphasis>(<emphasis role="bold">--local</emphasis> on the command
+          line) to the IP address that you want the server to receive
+          connections on.</para>
+        </listitem>
+      </itemizedlist>
+
+      <para>Note that some traffic originating on the firewall doesn't have a
+      SOURCE IP address before routing. At least one Shorewall user reports
+      that an entry in <filename>/etc/shorewall/rtrules</filename> with 'lo'
+      in the SOURCE column seems to be the most reliable way to direct such
+      traffic to a particular ISP.</para>
+
+      <para>Example:</para>
+
+      <programlisting>#SOURCE     DEST      PROVIDER        PRIORITY
+lo          -         shorewall       1000</programlisting>
+    </section>
+
     <section id="routes">
       <title>/etc/shorewall/routes File</title>
 
@@ -2123,6 +2123,11 @@ net      eth1         detect          <emphasis role="bold">optional</emphasis><
           later.</para>
         </warning>
 
+        <para><filename>/etc/shorewall/params:</filename></para>
+
+        <programlisting>EXT_IF=eth0
+COM_IF=eth1</programlisting>
+
         <para><filename>/etc/shorewall/isusable</filename>:</para>
 
         <programlisting>local status=0

docs/configuration_file_basics.xml

@@ -388,122 +388,31 @@ ACCEPT  net     $FW      tcp     www     #This is an end-of-line comment</progra
     details.</para>
   </section>
 
-  <section id="COMMENT">
+  <section id="capabilities">
-    <title>Attach Comment to Netfilter Rules</title>
+    <title>Capabilities</title>
 
-    <para>If you kernel and iptables contain comment match support (see the
+    <para>Shorewall probes your system to determine the features that it
-    output of <command>shorewall show capabilities</command>), then you can
+    supports. The result of this probing is a set of
-    attach comments to Netfilter rules. This feature is available in the
+    <firstterm>capabilities</firstterm>. This probing is normally done each
-    following files:</para>
+    time that the compiler is run but can also be done by executing the
+    <command>shorewall show capabilities</command> command. Regardless of
+    whether the compiler or the command does the probing, this probing may
+    produce error messages in your system log. These log messages are to be
+    expected and do not represent a problem; they merely indicate that
+    capabilities that are being probed are not supported on your
+    system.</para>
 
-    <itemizedlist>
+    <para>Probing may be suppressed by using a <firstterm>capabilities
-      <listitem>
+    file</firstterm>. A capabilities file may be generated using this
-        <para><filename>/etc/shorewall/conntrack</filename> (formerly
+    command:</para>
-        <filename>/etc/shorewall/notrack</filename>)</para>
-      </listitem>
 
-      <listitem>
+    <programlisting><command>shorewall show -f capabilities &gt; /etc/shorewall/capabilities</command></programlisting>
-        <para><filename>/etc/shorewall/accounting</filename></para>
-      </listitem>
 
-      <listitem>
+    <important>
-        <para><filename>/etc/shorewall/masq</filename></para>
+      <para>If you use a capabilities file, be sure to regenerate it after you
-      </listitem>
+      have performed a Shorewall upgrade to ensure that all current
-
+      capabilities have been recorded in your file.</para>
-      <listitem>
+    </important>
-        <para><filename>/etc/shorewall/nat</filename></para>
-      </listitem>
-
-      <listitem>
-        <para><filename>/etc/shorewall/rules</filename></para>
-      </listitem>
-
-      <listitem>
-        <para><filename>/etc/shorewall/secmarks</filename></para>
-      </listitem>
-
-      <listitem>
-        <para><filename>/etc/shorewall/tcrules</filename></para>
-      </listitem>
-
-      <listitem>
-        <para><filename>/etc/shorewall/tunnels</filename></para>
-      </listitem>
-
-      <listitem>
-        <para>Action definition files
-        (<filename>/etc/shorewall/action.*</filename>)</para>
-      </listitem>
-
-      <listitem>
-        <para>Macro definition files (/etc/shorewall/macro.*)</para>
-      </listitem>
-    </itemizedlist>
-
-    <para>To attach a comment to one or more rules, insert a record above the
-    rules that begins with the word ?COMMENT (must be in all caps). The
-    remainder of the line is treated as a comment -- that comment will appear
-    delimited by "/* ... */" in the output of the <command>shorewall[-lite]
-    show</command> and <command>shorewall[-lite] dump</command> commands. The
-    comment will be attached to each generated rule until another ?COMMENT
-    line appears. To stop attaching comments to rules, simply insert a line
-    that contains the single word ?COMMENT.</para>
-
-    <para>Example (<filename>/etc/shorewall/rules</filename>):</para>
-
-    <programlisting>?COMMENT Stop NETBIOS noise
-
-REJECT          loc                             net                     tcp     137,445
-REJECT          loc                             net                     udp     137:139
-
-?COMMENT Stop my idiotic work laptop from sending to the net with an HP source/dest IP address
-
-DROP            loc:!192.168.0.0/22             net
-
-?COMMENT</programlisting>
-
-    <para>Here's the corresponding output from
-    <filename>/sbin/shorewall-lite</filename>:</para>
-
-    <programlisting>gateway:~ # <command>shorewall-lite show loc-net</command>
-Shorewall Lite 4.3.3 Chains loc2net at gateway - Mon Oct 16 15:04:52 PDT 2008
-
-Counters reset Mon Oct 16 14:52:17 PDT 2006
-
-Chain loc-net (1 references)
- pkts bytes target     prot opt in     out     source               destination
-    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 LOG flags 0 level 6 prefix `FW:loc2net:REJECT:'
-    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25
-    0     0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:1025:1031 LOG flags 0 level 6 prefix `FW:loc2net:REJECT:'
-    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:1025:1031
-    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 137,445 <emphasis
-        role="bold">/* Stop NETBIOS noise */</emphasis>
-    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:137:139 <emphasis
-        role="bold">/* Stop NETBIOS noise */</emphasis>
-    0     0 DROP       all  --  *      *      !192.168.0.0/22       0.0.0.0/0           <emphasis
-        role="bold">/* Stop my idiotic work laptop from sending to the net with an HP source/dest IP address */</emphasis>
-    5   316 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
-gateway:~ #
-
-</programlisting>
-
-    <para>?COMMENT lines in macro files work somewhat differently from other
-    files. ?COMMENT lines in macros are ignored if COMMENT support is not
-    available or if there was a COMMENT in use when the top-level macro was
-    invoked. This allows the following:</para>
-
-    <para><filename>/usr/share/shorewall/macro.SSH</filename>:</para>
-
-    <para><programlisting>#ACTION SOURCE DEST  PROTO DEST    SOURCE  RATE  USER/
-#                          PORT(S) PORT(S) LIMIT GROUP
-?COMMENT SSH
-PARAM   -      -     tcp   22 </programlisting>
-    <filename>/etc/shorewall/rules</filename>:<programlisting>?COMMENT Allow SSH from home
-SSH(ACCEPT)    net:$MYIP      $FW
-?COMMENT</programlisting>The comment line in macro.SSH will not override the
-    ?COMMENT line in the rules file and the generated rule will show <emphasis
-    role="bold">/* Allow SSH from home */</emphasis> when displayed through
-    the Shorewall show and dump commands.</para>
   </section>
 
   <section id="BlankColumn">
@@ -626,9 +535,11 @@ ACCEPT      net:\
           port:1024</emphasis></member>
         </simplelist>
 
-        <para>That usage is deprecated beginning with Shorewall 4.6.0. See the
+        <important>
-        INLINE_MATCHES option in <ulink
+          <para>That usage is deprecated beginning with Shorewall 4.6.0. See
-        url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
+          the INLINE_MATCHES option in <ulink
+          url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
+        </important>
       </listitem>
     </itemizedlist>
 
@@ -1180,7 +1091,7 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting
   <section>
     <title>?FORMAT Directive</title>
 
-    <para>A number of different files support multiple formats. Prior to
+    <para>A number of configuration files support multiple formats. Prior to
     Shorewall 4.5.11, the format was specified by a line having 'FORMAT' as
     the first token. This requires each of the file processors to handle
     FORMAT separately.</para>
@@ -1284,11 +1195,16 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting
     centralize processing of COMMENT directives. The old entries, while still
     supported, are now deprecated.</para>
 
+    <para>Use of this directive requires Comment support in your kernel and
+    iptables - see the output of <command><link
+    linkend="capabilities">shorewall show
+    capabilities</link></command>.</para>
+
     <para>The ?COMMENT directive is as follows:</para>
 
     <variablelist>
       <varlistentry>
-        <term>COMMENT [ <replaceable>comment</replaceable> ]</term>
+        <term>[?]COMMENT [ <replaceable>comment</replaceable> ]</term>
 
         <listitem>
           <para>If <replaceable>comment</replaceable> is present, it will
@@ -1299,13 +1215,69 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting
         </listitem>
       </varlistentry>
     </variablelist>
+
+    <para>Example (<filename>/etc/shorewall/rules</filename>):</para>
+
+    <programlisting>?COMMENT Stop NETBIOS noise
+
+REJECT          loc                             net                     tcp     137,445
+REJECT          loc                             net                     udp     137:139
+
+?COMMENT Stop my idiotic work laptop from sending to the net with an HP source/dest IP address
+
+DROP            loc:!192.168.0.0/22             net
+
+?COMMENT</programlisting>
+
+    <para>Here's the corresponding output from
+    <filename>/sbin/shorewall-lite</filename>:</para>
+
+    <programlisting>gateway:~ # <command>shorewall-lite show loc-net</command>
+Shorewall Lite 4.3.3 Chains loc2net at gateway - Mon Oct 16 15:04:52 PDT 2008
+
+Counters reset Mon Oct 16 14:52:17 PDT 2006
+
+Chain loc-net (1 references)
+ pkts bytes target     prot opt in     out     source               destination
+    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 LOG flags 0 level 6 prefix `FW:loc2net:REJECT:'
+    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25
+    0     0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:1025:1031 LOG flags 0 level 6 prefix `FW:loc2net:REJECT:'
+    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:1025:1031
+    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 137,445 <emphasis
+        role="bold">/* Stop NETBIOS noise */</emphasis>
+    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:137:139 <emphasis
+        role="bold">/* Stop NETBIOS noise */</emphasis>
+    0     0 DROP       all  --  *      *      !192.168.0.0/22       0.0.0.0/0           <emphasis
+        role="bold">/* Stop my idiotic work laptop from sending to the net with an HP source/dest IP address */</emphasis>
+    5   316 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
+gateway:~ #
+
+</programlisting>
+
+    <para>?COMMENT lines in macro files work somewhat differently from other
+    files. ?COMMENT lines in macros are ignored if COMMENT support is not
+    available or if there was a COMMENT in use when the top-level macro was
+    invoked. This allows the following:</para>
+
+    <para><filename>/usr/share/shorewall/macro.SSH</filename>:</para>
+
+    <para><programlisting>#ACTION SOURCE DEST  PROTO DEST    SOURCE  RATE  USER/
+#                          PORT(S) PORT(S) LIMIT GROUP
+?COMMENT SSH
+PARAM   -      -     tcp   22 </programlisting>
+    <filename>/etc/shorewall/rules</filename>:<programlisting>?COMMENT Allow SSH from home
+SSH(ACCEPT)    net:$MYIP      $FW
+?COMMENT</programlisting>The comment line in macro.SSH will not override the
+    ?COMMENT line in the rules file and the generated rule will show <emphasis
+    role="bold">/* Allow SSH from home */</emphasis> when displayed through
+    the Shorewall show and dump commands.</para>
   </section>
 
   <section id="CONFIG_PATH">
     <title>CONFIG_PATH</title>
 
     <para>The CONFIG_PATH option in shorewall.conf determines where the
-    compiler searches for files. The default setting is
+    compiler searches for configuration files. The default setting is
     CONFIG_PATH=/etc/shorewall:/usr/share/shorewall which means that the
     compiler first looks in /etc/shorewall and if it doesn't find the file, it
     then looks in /usr/share/shorewall.</para>
@@ -2150,8 +2122,8 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting
 ACCEPT loc fw tcp 22
 ACCEPT dmz fw tcp 22</programlisting></para>
 
-    <para>Perl scripts run in the context of the compiler process using
+    <para>Perl scripts run in the context of the compiler process using Perl's
-    Perl's eval() function. Perl scripts are implicitly prefixed by the
+    eval() function. Perl scripts are implicitly prefixed by the
     following:</para>
 
     <programlisting>package Shorewall::User;

docs/shorewall_extension_scripts.xml

@@ -466,6 +466,12 @@ cat -</programlisting>
           </listitem>
         </itemizedlist>
       </listitem>
+
+      <listitem>
+        <para>Shell variables used in extension scripts must follow the same
+        rules as those in<filename> /etc/shorewall/params</filename>. See
+        <ulink url="???">this article</ulink>.</para>
+      </listitem>
     </itemizedlist>
 
     <para></para>